diff options
| author |   Kees Cook <keescook@chromium.org> | 2022-10-02 09:17:03 -0700 |
|---|---|---|
| committer | Kees Cook <keescook@chromium.org> | 2022-11-01 10:04:52 -0700 |
| commit | 62e1cbfc5d795381a0f237ae7ee229a92d51cf9e (patch) | |
| tree | cf730cfe96c528feef173c9e5ae642485ac84f44 /include/linux/fortify-string.h | |
| parent | string: Convert strscpy() self-test to KUnit (diff) | |
| download | wireguard-linux-62e1cbfc5d795381a0f237ae7ee229a92d51cf9e.tar.xz wireguard-linux-62e1cbfc5d795381a0f237ae7ee229a92d51cf9e.zip | |
fortify: Short-circuit known-safe calls to strscpy()
Replacing compile-time safe calls of strcpy()-related functions with
strscpy() was always calling the full strscpy() logic when a builtin
would be better. For example:
char buf[16];
strcpy(buf, "yes");
would reduce to __builtin_memcpy(buf, "yes", 4), but not if it was:
strscpy(buf, yes, sizeof(buf));
Fix this by checking if all sizes are known at compile-time.
Cc: linux-hardening@vger.kernel.org
Tested-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'include/linux/fortify-string.h')
| -rw-r--r-- | include/linux/fortify-string.h | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h index 49782f63f015..32a66d4b30ca 100644 --- a/include/linux/fortify-string.h +++ b/include/linux/fortify-string.h @@ -314,6 +314,16 @@ __FORTIFY_INLINE ssize_t strscpy(char * const POS p, const char * const POS q, s if (__compiletime_lessthan(p_size, size)) __write_overflow(); + /* Short-circuit for compile-time known-safe lengths. */ + if (__compiletime_lessthan(p_size, SIZE_MAX)) { + len = __compiletime_strlen(q); + + if (len < SIZE_MAX && __compiletime_lessthan(len, size)) { + __underlying_memcpy(p, q, len + 1); + return len; + } + } + /* * This call protects from read overflow, because len will default to q * length if it smaller than size. |