The str* family of fortified functions all use member-sized limits for a while now, so the FORTIFY_STR_OBJECT test is redundant to FORTIFY_STR_MEMBER. While here, replace the strncpy() use with strscpy(), as strncpy() is being removed.
Signed-off-by: Kees Cook <[email protected]> --- Cc: Arnd Bergmann <[email protected]> Cc: Greg Kroah-Hartman <[email protected]> --- drivers/misc/lkdtm/fortify.c | 36 +++++-------------------- tools/testing/selftests/lkdtm/tests.txt | 1 - 2 files changed, 6 insertions(+), 31 deletions(-) diff --git a/drivers/misc/lkdtm/fortify.c b/drivers/misc/lkdtm/fortify.c index 00ed2147113e..7615a02dfc47 100644 --- a/drivers/misc/lkdtm/fortify.c +++ b/drivers/misc/lkdtm/fortify.c @@ -10,30 +10,6 @@ static volatile int fortify_scratch_space; -static void lkdtm_FORTIFY_STR_OBJECT(void) -{ - struct target { - char a[10]; - int foo; - } target[3] = {}; - /* - * Using volatile prevents the compiler from determining the value of - * 'size' at compile time. Without that, we would get a compile error - * rather than a runtime error. - */ - volatile int size = 20; - - pr_info("trying to strcmp() past the end of a struct\n"); - - strncpy(target[0].a, target[1].a, size); - - /* Store result to global to prevent the code from being eliminated */ - fortify_scratch_space = target[0].a[3]; - - pr_err("FAIL: fortify did not block a strncpy() object write overflow!\n"); - pr_expected_config(CONFIG_FORTIFY_SOURCE); -} - static void lkdtm_FORTIFY_STR_MEMBER(void) { struct target { @@ -47,22 +23,23 @@ static void lkdtm_FORTIFY_STR_MEMBER(void) if (!src) return; + /* 15 bytes: past end of a[] but not target. */ strscpy(src, "over ten bytes", size); size = strlen(src) + 1; - pr_info("trying to strncpy() past the end of a struct member...\n"); + pr_info("trying to strscpy() past the end of a struct member...\n"); /* - * strncpy(target.a, src, 20); will hit a compile error because the - * compiler knows at build time that target.a < 20 bytes. Use a + * strscpy(target.a, src, 15); will hit a compile error because the + * compiler knows at build time that target.a < 15 bytes. Use a * volatile to force a runtime error. */ - strncpy(target.a, src, size); + strscpy(target.a, src, size); /* Store result to global to prevent the code from being eliminated */ fortify_scratch_space = target.a[3]; - pr_err("FAIL: fortify did not block a strncpy() struct member write overflow!\n"); + pr_err("FAIL: fortify did not block a strscpy() struct member write overflow!\n"); pr_expected_config(CONFIG_FORTIFY_SOURCE); kfree(src); @@ -210,7 +187,6 @@ static void lkdtm_FORTIFY_STRSCPY(void) } static struct crashtype crashtypes[] = { - CRASHTYPE(FORTIFY_STR_OBJECT), CRASHTYPE(FORTIFY_STR_MEMBER), CRASHTYPE(FORTIFY_MEM_OBJECT), CRASHTYPE(FORTIFY_MEM_MEMBER), diff --git a/tools/testing/selftests/lkdtm/tests.txt b/tools/testing/selftests/lkdtm/tests.txt index e62b85b591be..3245032db34d 100644 --- a/tools/testing/selftests/lkdtm/tests.txt +++ b/tools/testing/selftests/lkdtm/tests.txt @@ -82,7 +82,6 @@ STACKLEAK_ERASING OK: the rest of the thread stack is properly erased CFI_FORWARD_PROTO CFI_BACKWARD call trace:|ok: control flow unchanged FORTIFY_STRSCPY detected buffer overflow -FORTIFY_STR_OBJECT detected buffer overflow FORTIFY_STR_MEMBER detected buffer overflow FORTIFY_MEM_OBJECT detected buffer overflow FORTIFY_MEM_MEMBER detected field-spanning write -- 2.34.1
