]> git.baikalelectronics.ru Git - kernel.git/commitdiff
fortify: Provide a memcpy trap door for sharp corners
authorKees Cook <keescook@chromium.org>
Wed, 11 May 2022 02:53:01 +0000 (19:53 -0700)
committerPaolo Abeni <pabeni@redhat.com>
Thu, 12 May 2022 08:49:23 +0000 (10:49 +0200)
As we continue to narrow the scope of what the FORTIFY memcpy() will
accept and build alternative APIs that give the compiler appropriate
visibility into more complex memcpy scenarios, there is a need for
"unfortified" memcpy use in rare cases where combinations of compiler
behaviors, source code layout, etc, result in cases where the stricter
memcpy checks need to be bypassed until appropriate solutions can be
developed (i.e. fix compiler bugs, code refactoring, new API, etc). The
intention is for this to be used only if there's no other reasonable
solution, for its use to include a justification that can be used
to assess future solutions, and for it to be temporary.

Example usage included, based on analysis and discussion from:
https://lore.kernel.org/netdev/CANn89iLS_2cshtuXPyNUGDPaic=sJiYfvTb_wNLgWrZRyBxZ_g@mail.gmail.com

Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Eric Dumazet <edumazet@google.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Coco Li <lixiaoyan@google.com>
Cc: Tariq Toukan <tariqt@nvidia.com>
Cc: Saeed Mahameed <saeedm@nvidia.com>
Cc: Leon Romanovsky <leon@kernel.org>
Cc: netdev@vger.kernel.org
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220511025301.3636666-1-keescook@chromium.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
include/linux/fortify-string.h
include/linux/string.h

index 2dc48406cd08d21ff94f665cd61ab9227f351215..5855d8f9c509a5fcf1109e38a4395d46242fe745 100644 (file)
@@ -386,7 +386,13 @@ mlx5e_sq_xmit_wqe(struct mlx5e_txqsq *sq, struct sk_buff *skb,
                        stats->added_vlan_packets++;
                } else {
                        eseg->inline_hdr.sz |= cpu_to_be16(attr->ihs);
-                       memcpy(eseg->inline_hdr.start, skb->data, attr->ihs);
+                       unsafe_memcpy(eseg->inline_hdr.start, skb->data, attr->ihs,
+                               /* This copy has been bounds-checked earlier in
+                                * mlx5i_sq_calc_wqe_attr() and intentionally
+                                * crosses a flex array boundary. Since it is
+                                * performance sensitive, splitting the copy is
+                                * undesirable.
+                                */);
                }
                dseg += wqe_attr->ds_cnt_inl;
        } else if (skb_vlan_tag_present(skb)) {
index 295637a66c46b7bd1d23ae6cd8cfb58e08db25f1..3b401fa0f37462825af2c1d9d371998d52de03ef 100644 (file)
@@ -52,6 +52,22 @@ extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size)
 #define __underlying_strncpy   __builtin_strncpy
 #endif
 
+/**
+ * unsafe_memcpy - memcpy implementation with no FORTIFY bounds checking
+ *
+ * @dst: Destination memory address to write to
+ * @src: Source memory address to read from
+ * @bytes: How many bytes to write to @dst from @src
+ * @justification: Free-form text or comment describing why the use is needed
+ *
+ * This should be used for corner cases where the compiler cannot do the
+ * right thing, or during transitions between APIs, etc. It should be used
+ * very rarely, and includes a place for justification detailing where bounds
+ * checking has happened, and why existing solutions cannot be employed.
+ */
+#define unsafe_memcpy(dst, src, bytes, justification)          \
+       __underlying_memcpy(dst, src, bytes)
+
 /*
  * Clang's use of __builtin_object_size() within inlines needs hinting via
  * __pass_object_size(). The preference is to only ever use type 1 (member
index b6572aeca2f50badc1fa3726638067eb2d933ea1..61ec7e4f6311a8c87b2793eb3e8cdc25a7bf5f6e 100644 (file)
@@ -252,6 +252,10 @@ static inline const char *kbasename(const char *path)
 #if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE)
 #include <linux/fortify-string.h>
 #endif
+#ifndef unsafe_memcpy
+#define unsafe_memcpy(dst, src, bytes, justification)          \
+       memcpy(dst, src, bytes)
+#endif
 
 void memcpy_and_pad(void *dest, size_t dest_len, const void *src, size_t count,
                    int pad);