Commit cf2f06f7 authored by Kees Cook's avatar Kees Cook
Browse files

lkdtm/fortify: Drop unneeded FORTIFY_STR_OBJECT test 

The str* family of fortified functions all use member-sized limits
for a while now, so the FORTIFY_STR_OBJECT test is redundant to
FORTIFY_STR_MEMBER. While here, replace the strncpy() use with strscpy(),
as strncpy() is being removed.

Link: https://patch.msgid.link/20260324020726.work.624-kees@kernel.org


Signed-off-by: default avatarKees Cook <kees@kernel.org>
parent 00247cbf

drivers/misc/lkdtm/fortify.c

+6 −30
Original line number Diff line number Diff line
@@ -10,30 +10,6 @@ 


static volatile int fortify_scratch_space;



static void lkdtm_FORTIFY_STR_OBJECT(void)

{

	struct target {

		char a[10];

		int foo;

	} target[3] = {};

	/*

	 * Using volatile prevents the compiler from determining the value of

	 * 'size' at compile time. Without that, we would get a compile error

	 * rather than a runtime error.

	 */

	volatile int size = 20;



	pr_info("trying to strcmp() past the end of a struct\n");



	strncpy(target[0].a, target[1].a, size);



	/* Store result to global to prevent the code from being eliminated */

	fortify_scratch_space = target[0].a[3];



	pr_err("FAIL: fortify did not block a strncpy() object write overflow!\n");

	pr_expected_config(CONFIG_FORTIFY_SOURCE);

}



static void lkdtm_FORTIFY_STR_MEMBER(void)

{

	struct target {
@@ -47,22 +23,23 @@ static void lkdtm_FORTIFY_STR_MEMBER(void) 
	if (!src)

		return;



	/* 15 bytes: past end of a[] but not target. */

	strscpy(src, "over ten bytes", size);

	size = strlen(src) + 1;



	pr_info("trying to strncpy() past the end of a struct member...\n");

	pr_info("trying to strscpy() past the end of a struct member...\n");



	/*

	 * strncpy(target.a, src, 20); will hit a compile error because the

	 * compiler knows at build time that target.a < 20 bytes. Use a

	 * strscpy(target.a, src, 15); will hit a compile error because the

	 * compiler knows at build time that target.a < 15 bytes. Use a

	 * volatile to force a runtime error.

	 */

	strncpy(target.a, src, size);

	strscpy(target.a, src, size);



	/* Store result to global to prevent the code from being eliminated */

	fortify_scratch_space = target.a[3];



	pr_err("FAIL: fortify did not block a strncpy() struct member write overflow!\n");

	pr_err("FAIL: fortify did not block a strscpy() struct member write overflow!\n");

	pr_expected_config(CONFIG_FORTIFY_SOURCE);



	kfree(src);
@@ -210,7 +187,6 @@ static void lkdtm_FORTIFY_STRSCPY(void) 
}



static struct crashtype crashtypes[] = {

	CRASHTYPE(FORTIFY_STR_OBJECT),

	CRASHTYPE(FORTIFY_STR_MEMBER),

	CRASHTYPE(FORTIFY_MEM_OBJECT),

	CRASHTYPE(FORTIFY_MEM_MEMBER),

tools/testing/selftests/lkdtm/tests.txt

+0 −1
Original line number Diff line number Diff line
@@ -82,7 +82,6 @@ STACKLEAK_ERASING OK: the rest of the thread stack is properly erased 
CFI_FORWARD_PROTO

CFI_BACKWARD call trace:|ok: control flow unchanged

FORTIFY_STRSCPY detected buffer overflow

FORTIFY_STR_OBJECT detected buffer overflow

FORTIFY_STR_MEMBER detected buffer overflow

FORTIFY_MEM_OBJECT detected buffer overflow

FORTIFY_MEM_MEMBER detected field-spanning write