From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=ng1x=NR=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-18.3 required=3.0 tests=BAYES_00,DKIMWL_WL_MED,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,
	USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 92DA7C4320E
	for <linux-mm@archiver.kernel.org>; Thu, 26 Aug 2021 18:02:54 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 0CCD660EFE
	for <linux-mm@archiver.kernel.org>; Thu, 26 Aug 2021 18:02:54 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 0CCD660EFE
Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org
Received: by kanga.kvack.org (Postfix)
	id 8CDBF8D0002; Thu, 26 Aug 2021 14:02:53 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 87DAF8D0001; Thu, 26 Aug 2021 14:02:53 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 76C308D0002; Thu, 26 Aug 2021 14:02:53 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0122.hostedemail.com [216.40.44.122])
	by kanga.kvack.org (Postfix) with ESMTP id 5C47B8D0001
	for <linux-mm@kvack.org>; Thu, 26 Aug 2021 14:02:53 -0400 (EDT)
Received: from smtpin06.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay03.hostedemail.com (Postfix) with ESMTP id F3C648249980
	for <linux-mm@kvack.org>; Thu, 26 Aug 2021 18:02:52 +0000 (UTC)
X-FDA: 78518002626.06.D1384CF
Received: from mail-lf1-f54.google.com (mail-lf1-f54.google.com [209.85.167.54])
	by imf06.hostedemail.com (Postfix) with ESMTP id B6C0C801AB03
	for <linux-mm@kvack.org>; Thu, 26 Aug 2021 18:02:52 +0000 (UTC)
Received: by mail-lf1-f54.google.com with SMTP id r9so8700801lfn.3
        for <linux-mm@kvack.org>; Thu, 26 Aug 2021 11:02:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=qGw9uJmJ2z6MXuXBnDtwUutt+68P65RWStdJO514qas=;
        b=B2FAnkUl2+kM4yRf/QS/R1JReIq24Hnbr19zmuEDgqYUdNh1gTIoRUaunZdoEJqFfW
         Kh33FdiQdzQWAEG8HKNsdxl5PlvDhJ45LLemem+X5wV7ImqCiEIgGx6pelPUdAFXC4qG
         vVXa/+XI9iYDsbC2aGnmUo4TC/sA+SjLHpyqv4luHppAgRdJ3sDbPcIbUjgpkFVekL+y
         D9MqeMghtWNrlr1j69RCiNGV5dImaH7D1KdGTCLWxwOnJZO2T3sFuIORZeowUqYhzrc5
         foEcu6k2bhymF/OMxZ6UKrGHQi2BnzMsD/uoLW6nt4WkHGJ7C2Ekp9kAy4bpf44YTagP
         koQg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=qGw9uJmJ2z6MXuXBnDtwUutt+68P65RWStdJO514qas=;
        b=L6pA3UWhskJx/oCLCGCqaAYYAuCBJOe80GkNtjlXbj3Vly3gf2v0yHFaghSNU6duFk
         9AyUHPq8DROfadjuIgfIPhIVh7a0CZNZbkwXarkU14IBKMwBdTULMfWLfLGwXyl6x96O
         ugn/4dj4wK/zKWaszlWK7z7UKLOjSqt/o92PANKaMRyet74khDK97KmO1UVoseduxeMF
         6NnczjZezZp1z9XxdRFgAFA7fMAv4ClTlJLTHrlwJf3NwNJmoA9aXj4jQ7tvVzn+5Y65
         4kpcH0P16nUnBcxadzdQ/5Fstj//c9SpFyWBWTbYIcfYlPub7uH8qdSpqN7Ag+0qX7l3
         8YrA==
X-Gm-Message-State: AOAM530B17dUgknEohdmNena5hVG1Uwt2rJtoI3cNIost2R8syRqckOh
	DvcAQd5EVc20YBaGLT1SWIiXORsE+ddulPXc2XEflA==
X-Google-Smtp-Source: ABdhPJxWg7MSHSATPwn7TQr1ROw5bTHFIBgE43q2LvF7FWK+dICjFNZW3iN5NwAu/aeOV0mxcLV4RtFONxyUnFKH1Ns=
X-Received: by 2002:a05:6512:3a84:: with SMTP id q4mr3670002lfu.543.1630000970649;
 Thu, 26 Aug 2021 11:02:50 -0700 (PDT)
MIME-Version: 1.0
References: <20210822075122.864511-1-keescook@chromium.org>
 <20210822075122.864511-20-keescook@chromium.org> <CAKwvOdnrO+oagJEiBMmoHrhTJKSRwzb0DK=R_QdVjhiNzb34dg@mail.gmail.com>
 <202108251950.61F7A4CD@keescook>
In-Reply-To: <202108251950.61F7A4CD@keescook>
From: Nick Desaulniers <ndesaulniers@google.com>
Date: Thu, 26 Aug 2021 11:02:39 -0700
Message-ID: <CAKwvOdndEYeQ1MFPPEvn=UWv00o6of1OT3UQ-woqyO-viDkqVw@mail.gmail.com>
Subject: Re: [PATCH for-next 19/25] fortify: Allow strlen() and strnlen() to
 pass compile-time known lengths
To: Kees Cook <keescook@chromium.org>
Cc: linux-kernel@vger.kernel.org, Rasmus Villemoes <linux@rasmusvillemoes.dk>, 
	Daniel Micay <danielmicay@gmail.com>, Francis Laniel <laniel_francis@privacyrequired.com>, 
	Bart Van Assche <bvanassche@acm.org>, David Gow <davidgow@google.com>, linux-mm@kvack.org, 
	clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Authentication-Results: imf06.hostedemail.com;
	dkim=pass header.d=google.com header.s=20161025 header.b=B2FAnkUl;
	spf=pass (imf06.hostedemail.com: domain of ndesaulniers@google.com designates 209.85.167.54 as permitted sender) smtp.mailfrom=ndesaulniers@google.com;
	dmarc=pass (policy=reject) header.from=google.com
X-Rspamd-Server: rspam02
X-Rspamd-Queue-Id: B6C0C801AB03
X-Stat-Signature: aqrxdko7f6egti3dg9u5y7xsqzkq6kg8
X-HE-Tag: 1630000972-924307
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Wed, Aug 25, 2021 at 7:56 PM Kees Cook <keescook@chromium.org> wrote:
>
> On Wed, Aug 25, 2021 at 03:05:56PM -0700, Nick Desaulniers wrote:
> > On Sun, Aug 22, 2021 at 12:57 AM Kees Cook <keescook@chromium.org> wrote:
> > >
> > > diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
> > > index a3cb1d9aacce..e232a63fd826 100644
> > > --- a/include/linux/fortify-string.h
> > > +++ b/include/linux/fortify-string.h
> > > @@ -10,6 +10,18 @@ void __read_overflow(void) __compiletime_error("detected read beyond size of obj
> > >  void __read_overflow2(void) __compiletime_error("detected read beyond size of object (2nd parameter)");
> > >  void __write_overflow(void) __compiletime_error("detected write beyond size of object (1st parameter)");
> > >
> > > +#define __compiletime_strlen(p)        ({              \
> > > +       size_t ret = (size_t)-1;                        \
> > > +       size_t p_size = __builtin_object_size(p, 1);    \
> > > +       if (p_size != (size_t)-1) {                     \
> > > +               size_t p_len = p_size - 1;              \
> > > +               if (__builtin_constant_p(p[p_len]) &&   \
> > > +                   p[p_len] == '\0')                   \
> > > +                       ret = __builtin_strlen(p);      \
> > > +       }                                               \
> > > +       ret;                                            \
> > > +})
> >
> > Can this be a `static inline` function that accepts a `const char *`
> > and returns a `size_t` rather than a statement expression?
>
> No because both __builtin_object_size() and __builtin_strlen() may not
> work. See:
> https://lore.kernel.org/lkml/20210818060533.3569517-64-keescook@chromium.org/

Ah right, then consider adding a comment to encourage others not to
rewrite it as such.

>
> Regardless, it will always collapse to a const value of either -1 or
> the length of the string.

-- 
Thanks,
~Nick Desaulniers