On Thu, Oct 17, 2024 at 10:48:04AM -0400, Paul Moore wrote:
> I'm not sure why the kernel test robot only sent this to me, but this
> looks to be a strscpy() issue rather than an audit specific issue.
>
> ---------- Forwarded message ---------
> From: kernel test robot <[email protected]>
> Date: Thu, Oct 17, 2024 at 2:29 AM
> Subject: [linux-next:master 4380/4439]
> include/linux/fortify-string.h:293:17: error: call to
> '__write_overflow' declared with attribute error: detected write
> beyond size of object (1st parameter)
> To: Paul Moore <[email protected]>
> Cc: <[email protected]>
>
>
> tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
> master
> head: 15e7d45e786a62a211dd0098fee7c57f84f8c681
> commit: dfdb07df2ab66ff4fd2f82039e871e7ab922dc81 [4380/4439] Merge
> branch 'next' of
> git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git
> config: x86_64-randconfig-005-20241017
> (https://download.01.org/0day-ci/archive/20241017/[email protected]/config)
> compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
> reproduce (this is a W=1 build):
> (https://download.01.org/0day-ci/archive/20241017/[email protected]/reproduce)
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <[email protected]>
> | Closes: https://lore.kernel.org/oe-kbuild-all/[email protected]/
>
> All errors (new ones prefixed by >>):
>
> In file included from include/linux/string.h:390,
> from include/linux/bitmap.h:13,
> from include/linux/cpumask.h:12,
> from include/linux/smp.h:13,
> from include/linux/lockdep.h:14,
> from include/linux/spinlock.h:63,
> from include/linux/wait.h:9,
> from include/linux/wait_bit.h:8,
> from include/linux/fs.h:6,
> from kernel/auditsc.c:37:
> In function 'sized_strscpy',
> inlined from '__audit_ptrace' at kernel/auditsc.c:2732:2:
> >> include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter)
> 293 | __write_overflow();
> | ^~~~~~~~~~~~~~~~~~

This is a compile-time bounds check. Let's take a look:

void __audit_ptrace(struct task_struct *t)
{
	struct audit_context *context = audit_context();
	...
	strscpy(context->target_comm, t->comm);

struct audit_context {
	...
	char target_comm[TASK_COMM_LEN];

struct task_struct {
	...
	char comm[TASK_COMM_LEN];

So this should be impossible, since the strscpy() check is:

#define __member_size(p)	__builtin_object_size(p, 1)
...
#define __compiletime_lessthan(bounds, length)	(	\
	__builtin_constant_p((bounds) < (length)) &&	\
	(bounds) < (length)				\
)
...
	const size_t p_size = __member_size(p);
	...
	if (__compiletime_lessthan(p_size, size))
		__write_overflow();

This test should resolve to:

	if (TASK_COMM_LEN < TASK_COMM_LEN)
		__write_overflow();

I can reproduce this with the randconfig linked above, but not with
allmodconfig nor defconfig+CONFIG_FORTIFY_SOURCE.

Something in the .config is causing the error. (!?) I will start a
CONFIG bisect...

--
Kees Cook
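
The compile-time check discussed in the message above, rebuilt in user space as an added example (not code from the thread or from the kernel tree). struct demo_context, CHECK_WRITE, the verdict enum and the run-time fallback comparison are constructed for illustration; the two macros are the ones quoted in the message.

```c
#include <stddef.h>
#include <stdio.h>

#define TASK_COMM_LEN 16

/* The two macros as quoted in the message above. */
#define __member_size(p) __builtin_object_size(p, 1)
#define __compiletime_lessthan(bounds, length) ( \
	__builtin_constant_p((bounds) < (length)) && \
	(bounds) < (length) \
)

/* Constructed stand-in for struct audit_context; the layout is an assumption. */
struct demo_context {
	int pid;
	char target_comm[TASK_COMM_LEN];
	int tail;	/* keeps target_comm from being the last member */
};
static struct demo_context ctx;

enum verdict { COPY_OK, COMPILE_TIME_OVERFLOW, RUNTIME_OVERFLOW };

/* Hypothetical helper: yields a verdict where the kernel would call
 * __write_overflow(), so the failing case still compiles and can be observed.
 * The second comparison is an added run-time fallback for the case where the
 * compiler cannot prove the first one constant. */
#define CHECK_WRITE(dst, size) ( \
	__compiletime_lessthan(__member_size(dst), (size)) ? COMPILE_TIME_OVERFLOW : \
	__member_size(dst) < (size) ? RUNTIME_OVERFLOW : COPY_OK)

/* Mode 1: size of the member itself, which is what the check compares. */
size_t member_size(void) { return __member_size(ctx.target_comm); }

/* Mode 0: bytes from the member to the end of the enclosing object. */
size_t enclosing_size(void) { return __builtin_object_size(ctx.target_comm, 0); }

/* Two-argument strscpy(dst, src) uses sizeof(dst) as the length: 16 < 16. */
enum verdict check_same_size(void) { return CHECK_WRITE(ctx.target_comm, sizeof(ctx.target_comm)); }

/* A length covering the whole struct exceeds the member and must be flagged. */
enum verdict check_oversized(void) { return CHECK_WRITE(ctx.target_comm, sizeof(ctx)); }

int main(void)
{
	printf("member=%zu enclosing=%zu same=%d oversized=%d\n",
	       member_size(), enclosing_size(), check_same_size(), check_oversized());
	return 0;
}
```

Whether the oversized case reports COMPILE_TIME_OVERFLOW or RUNTIME_OVERFLOW depends on whether the compiler folds the comparison to a constant at the chosen optimization level, which is the same property the kernel check relies on.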