From patchwork Wed Aug 17 17:19:16 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Zack Weinberg
X-Patchwork-Id: 660202
Return-Path:
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from sourceware.org (server1.sourceware.org [209.132.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3sDwvN3dKXz9t24 for ; Thu, 18 Aug 2016 03:19:28 +1000 (AEST)
Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; secure) header.d=sourceware.org header.i=@sourceware.org header.b=WayP1QVB; dkim-atps=neutral
Received: (qmail 82598 invoked by alias); 17 Aug 2016 17:19:21 -0000
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id:
List-Unsubscribe:
List-Subscribe:
List-Archive:
List-Post:
List-Help: ,
Sender: libc-alpha-owner@sourceware.org
Delivered-To: mailing list libc-alpha@sourceware.org
Received: (qmail 82580 invoked by
uid 89); 17 Aug 2016 17:19:21 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-2.5 required=5.0 tests=AWL, BAYES_00, RP_MATCHES_RCVD, SPF_PASS autolearn=ham version=3.3.2 spammy=sk:__glibc, 16010, cooperate X-HELO: mailbackend.panix.com From: Zack Weinberg To: libc-alpha@sourceware.org Cc: fweimer@redhat.com Subject: [PATCH 3/4] Add fortification support for explicit_bzero. Date: Wed, 17 Aug 2016 13:19:16 -0400 Message-Id: <0e28fadfa43506167d2dfaea7bd2c03d99a9aea7.1471452664.git.zackw@panix.com> MIME-Version: 1.0 In-Reply-To: References: The __glibc_read_memory approach means that this is very easy - it can be defined in terms of __memset_chk, which was not possible in the previous iteration. * string/bits/string3.h: Fortify explicit_bzero. * string/bits/string2.h: Cooperate with this. * debug/tst-chk1.c: Test fortification of explicit_bzero. --- debug/tst-chk1.c | 28 ++++++++++++++++++++++++++++ string/bits/string2.h | 2 +- string/bits/string3.h | 7 +++++++ 3 files changed, 36 insertions(+), 1 deletion(-) diff --git a/debug/tst-chk1.c b/debug/tst-chk1.c index 478c2fb..e87a279 100644 --- a/debug/tst-chk1.c +++ b/debug/tst-chk1.c @@ -160,6 +160,10 @@ do_test (void) if (memcmp (buf, "aabcdabc\0\0", 10)) FAIL (); + explicit_bzero (buf + 6, 4); + if (memcmp (buf, "aabcda\0\0\0\0", 10)) + FAIL (); + strcpy (buf + 4, "EDCBA"); if (memcmp (buf, "aabcEDCBA", 10)) FAIL (); @@ -201,6 +205,10 @@ do_test (void) if (memcmp (buf, "aabcdabc\0\0", 10)) FAIL (); + explicit_bzero (buf + 6, l0 + 4); + if (memcmp (buf, "aabcda\0\0\0\0", 10)) + FAIL (); + strcpy (buf + 4, str1 + 5); if (memcmp (buf, "aabcEDCBA", 10)) FAIL (); 
@@ -256,6 +264,10 @@ do_test (void) if (memcmp (a.buf1, "aabcdabc\0\0", 10)) FAIL (); + explicit_bzero (a.buf1 + 6, l0 + 4); + if (memcmp (a.buf1, "aabcda\0\0\0\0", 10)) + FAIL (); + #if __USE_FORTIFY_LEVEL < 2 /* The following tests are supposed to crash with -D_FORTIFY_SOURCE=2 and sufficient GCC support, as the string operations overflow @@ -345,6 +357,14 @@ do_test (void) bzero (buf + 9, l0 + 2); CHK_FAIL_END + CHK_FAIL_START + explicit_bzero (buf + 9, 2); + CHK_FAIL_END + + CHK_FAIL_START + explicit_bzero (buf + 9, l0 + 2); + CHK_FAIL_END + CHK_FAIL_START strcpy (buf + 5, str1 + 5); CHK_FAIL_END @@ -454,6 +474,14 @@ do_test (void) bzero (a.buf1 + 9, l0 + 2); CHK_FAIL_END + CHK_FAIL_START + explicit_bzero (a.buf1 + 9, 2); + CHK_FAIL_END + + CHK_FAIL_START + explicit_bzero (a.buf1 + 9, l0 + 2); + CHK_FAIL_END + # if __USE_FORTIFY_LEVEL >= 2 # define O 0 # else diff --git a/string/bits/string2.h b/string/bits/string2.h index f890585..f7fc866 100644 --- a/string/bits/string2.h +++ b/string/bits/string2.h @@ -57,7 +57,7 @@ # define __bzero(s, n) __builtin_memset (s, '\0', n) #endif -#ifdef __USE_MISC +#if defined __USE_MISC && !defined __fortify_function /* As bzero, but the compiler will not delete a call to this function, even if S is dead after the call. Note: this function has its own implementation file and should not be slurped into diff --git a/string/bits/string3.h b/string/bits/string3.h index dd8db68..d340bef 100644 --- a/string/bits/string3.h +++ b/string/bits/string3.h @@ -102,6 +102,13 @@ __NTH (bzero (void *__dest, size_t __len)) { (void) __builtin___memset_chk (__dest, '\0', __len, __bos0 (__dest)); } + +__fortify_function void +__NTH (explicit_bzero (void *__dest, size_t __len)) +{ + (void) __builtin___memset_chk (__dest, '\0', __len, __bos0 (__dest)); + __glibc_read_memory (__dest, __len); +} #endif __fortify_function char *
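Review bot: in the first tst-chk1.c hunk (@@ -160), the new explicit_bzero (buf + 6, 4) call needs the explicit_bzero declaration, which the bits/string2.h hunk shows is gated on __USE_MISC; please confirm the feature-test setup of tst-chk1.c exposes it in every configuration this file is built in (the comments in the file refer to builds at different -D_FORTIFY_SOURCE levels), otherwise the non-fortified build gets an implicit declaration. The assertion itself only proves the bytes are zero, which a plain memset would also satisfy; that is the right check for a bounds test, but a sentence in the commit message saying where the store-survives-optimization property is exercised would help, since nothing in this file tests it.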
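Review bot: in the @@ -345 hunk, explicit_bzero (buf + 9, 2) and the l0 + 2 variant are the bzero cases directly above with the name swapped, so both go through __builtin___memset_chk with __bos0 (buf) and should trap the same way; because the fortified explicit_bzero in bits/string3.h calls __glibc_read_memory (__dest, __len) after the checked memset, it is worth confirming that the failing path never reaches that barrier (i.e. that __memset_chk aborts rather than returns), or the test would also read one byte past buf.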
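Review bot: in the @@ -454 hunk, the bound used by the wrapper is __bos0, i.e. the whole object a rather than the member buf1; the two new checks still trap because the bzero check directly above already relies on a.buf1 + 9 with length 2 running past the end of a. A companion case that overruns buf1 but stays inside a (which __bos0 accepts and the sub-object bound that the O macro below adjusts for would reject) would pin down that explicit_bzero intentionally inherits bzero's level-1 semantics; at minimum the commit message should say that this is deliberate.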
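Review bot: in the bits/string2.h hunk, `#if defined __USE_MISC && !defined __fortify_function` silently couples this file to the condition under which string.h pulls in bits/string3.h; a one-line comment above the #if saying that the fortified definition in bits/string3.h takes over when __fortify_function is defined would save the next reader a search, and if the string3.h inclusion is keyed on __USE_FORTIFY_LEVEL, mirroring that macro here states the intent more directly than testing for __fortify_function.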
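Review bot: in the bits/string3.h hunk, the new wrapper is only correct if __glibc_read_memory (__dest, __len) is an opaque barrier that the compiler must treat as reading __len bytes at __dest after the memset; with its result cast to (void), __builtin___memset_chk alone is an ordinary store that dead-store elimination may remove, which is the very thing explicit_bzero exists to prevent. Please add a comment on that line stating the requirement, so the dependency is reviewable without tracing the macro, and note (here or in the commit message) that __bos0 was chosen to match bzero above, which means a call overrunning an array member inside a larger struct is accepted even at -D_FORTIFY_SOURCE=2.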
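The commit message says the fortified explicit_bzero "can be defined in terms of __memset_chk" once a read barrier follows the store. The following is an added example, not glibc code and not part of this patch: it reproduces that shape in plain C so the two halves can be exercised separately. The size check of __builtin___memset_chk is stood in for by __builtin_object_size, but an overflow is reported as -1 instead of aborting, so it can be asserted on; __glibc_read_memory is approximated by an empty asm statement with a "memory" clobber (an assumption about its effect, not its real definition). The names checked_explicit_bzero, EXPLICIT_BZERO_L1/L2, struct a_like and the demo_* functions are hypothetical; the buffer contents are constructed to mirror tst-chk1.c. The struct is deliberately larger than the array member so that a level-1 overrun stays inside the object and is never undefined behaviour here.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not glibc code.  Stand-in for the patch's fortified
   explicit_bzero: the bounds check of __builtin___memset_chk is done with
   __builtin_object_size, but an overflow is *reported* (-1) instead of
   calling __chk_fail, so a test can observe it. */
static int checked_explicit_bzero (void *dest, size_t len, size_t objsz)
{
  /* (size_t) -1 means "size unknown", which __builtin_object_size yields
     when the compiler cannot see the object (typically at -O0).  Real
     FORTIFY skips the check in that case as well. */
  if (objsz != (size_t) -1 && len > objsz)
    return -1;                    /* would write past the object */

  memset (dest, 0, len);

  /* Assumed stand-in for __glibc_read_memory: an opaque asm the compiler
     must treat as reading LEN bytes at DEST, so the memset above is not a
     dead store and cannot be removed even when DEST is never read again. */
  __asm__ __volatile__ ("" : : "r" (dest), "r" (len) : "memory");
  return 0;
}

/* Level-1 style bound: the whole enclosing object, like __bos0 in the patch. */
#define EXPLICIT_BZERO_L1(d, n) \
  checked_explicit_bzero ((d), (n), __builtin_object_size ((d), 0))
/* Level-2 style bound: the nearest enclosing sub-object (the array member). */
#define EXPLICIT_BZERO_L2(d, n) \
  checked_explicit_bzero ((d), (n), __builtin_object_size ((d), 1))

/* Constructed layout: a 10-byte buffer followed by more storage in the
   same object, so overrunning buf1 by up to 8 bytes stays inside `a`. */
struct a_like { char buf1[10]; char tail[8]; };

/* Returns 1 when an in-bounds call zeroes exactly buf1[6..9] under both
   bounds and leaves the following member untouched. */
int demo_in_bounds (void)
{
  struct a_like a;
  memcpy (a.buf1, "aabcdabc\0\0", 10);          /* constructed input */
  memset (a.tail, 'X', sizeof a.tail);
  int rc1 = EXPLICIT_BZERO_L1 (a.buf1 + 6, 4);
  int rc2 = EXPLICIT_BZERO_L2 (a.buf1 + 6, 4);
  return rc1 == 0 && rc2 == 0
         && memcmp (a.buf1, "aabcda\0\0\0\0", 10) == 0
         && a.tail[0] == 'X';
}

/* Whether the compiler resolved the size of the sub-object at a.buf1 + 9
   at all; when it did not, FORTIFY-style checks are inert, which is why
   -D_FORTIFY_SOURCE requires optimisation to do anything. */
int object_size_known (void)
{
  struct a_like a;
  return __builtin_object_size (a.buf1 + 9, 1) != (size_t) -1;
}

/* Level 1 (whole object): buf1 + 9 with length 2 spills into tail, which
   the __bos0-style bound counts as in-bounds.  Returns 1 when the call is
   accepted and both bytes, buf1[9] and tail[0], are zeroed. */
int demo_level1_accepts_member_overrun (void)
{
  struct a_like a;
  memset (&a, 'X', sizeof a);
  int rc = EXPLICIT_BZERO_L1 (a.buf1 + 9, 2);
  return rc == 0 && a.buf1[9] == 0 && a.tail[0] == 0 && a.tail[1] == 'X';
}

/* Level 2 (sub-object): the same call overflows buf1 and is rejected
   (-1) whenever the object size was resolved; otherwise it is performed. */
int demo_level2_rejects_member_overrun (void)
{
  struct a_like a;
  memset (&a, 'X', sizeof a);
  return EXPLICIT_BZERO_L2 (a.buf1 + 9, 2);
}
```

The barrier's effect cannot be asserted from C, only seen in the generated code: compile with -O2 and compare the object with and without the asm statement; without it the memset of a dead local is dropped. The level-1 versus level-2 pair is the same distinction the test file's O macro adjusts for, and it is the reason the patch's choice of __bos0 is worth stating explicitly.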