Commit 0d025d27 authored Aug 30, 2016 by Josh Poimboeuf Committed by Linus Torvalds Aug 30, 2016

mm/usercopy: get rid of CONFIG_DEBUG_STRICT_USER_COPY_CHECKS



There are three usercopy warnings which are currently being silenced for
gcc 4.6 and newer:

1) "copy_from_user() buffer size is too small" compile warning/error

   This is a static warning which happens when object size and copy size
   are both const, and copy size > object size.  I didn't see any false
   positives for this one.  So the function warning attribute seems to
   be working fine here.

   Note this scenario is always a bug and so I think it should be
   changed to *always* be an error, regardless of
   CONFIG_DEBUG_STRICT_USER_COPY_CHECKS.

2) "copy_from_user() buffer size is not provably correct" compile warning

   This is another static warning which happens when I enable
   __compiletime_object_size() for new compilers (and
   CONFIG_DEBUG_STRICT_USER_COPY_CHECKS).  It happens when object size
   is const, but copy size is *not*.  In this case there's no way to
   compare the two at build time, so it gives the warning.  (Note the
   warning is a byproduct of the fact that gcc has no way of knowing
   whether the overflow function will be called, so the call isn't dead
   code and the warning attribute is activated.)

   So this warning seems to only indicate "this is an unusual pattern,
   maybe you should check it out" rather than "this is a bug".

   I get 102(!) of these warnings with allyesconfig and the
   __compiletime_object_size() gcc check removed.  I don't know if there
   are any real bugs hiding in there, but from looking at a small
   sample, I didn't see any.  According to Kees, it does sometimes find
   real bugs.  But the false positive rate seems high.

3) "Buffer overflow detected" runtime warning

   This is a runtime warning where object size is const, and copy size >
   object size.

All three warnings (both static and runtime) were completely disabled
for gcc 4.6 with the following commit:

  2fb0815c ("gcc4: disable __compiletime_object_size for GCC 4.6+")

That commit mistakenly assumed that the false positives were caused by a
gcc bug in __compiletime_object_size().  But in fact,
__compiletime_object_size() seems to be working fine.  The false
positives were instead triggered by #2 above.  (Though I don't have an
explanation for why the warnings supposedly only started showing up in
gcc 4.6.)

So remove warning #2 to get rid of all the false positives, and re-enable
warnings #1 and #3 by reverting the above commit.

Furthermore, since #1 is a real bug which is detected at compile time,
upgrade it to always be an error.

Having done all that, CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is no longer
needed.

Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Byungchul Park <byungchul.park@lge.com>
Cc: Nilay Vaish <nilayvaish@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent d8dc020c

arch/parisc/Kconfig

+0 −1

Original line number	Diff line number	Diff line
		config PARISC
		def_bool y
		select ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS
		select ARCH_MIGHT_HAVE_PC_PARPORT
		select HAVE_IDE
		select HAVE_OPROFILE

arch/parisc/configs/c8000_defconfig

+0 −1

Original line number	Diff line number	Diff line
		@@ -245,7 +245,6 @@ CONFIG_DEBUG_RT_MUTEXES=y
		CONFIG_PROVE_RCU_DELAY=y
		CONFIG_DEBUG_BLOCK_EXT_DEVT=y
		CONFIG_LATENCYTOP=y
		CONFIG_DEBUG_STRICT_USER_COPY_CHECKS=y
		CONFIG_KEYS=y
		# CONFIG_CRYPTO_HW is not set
		CONFIG_FONTS=y

arch/parisc/configs/generic-64bit_defconfig

+0 −1

Original line number	Diff line number	Diff line
		@@ -291,7 +291,6 @@ CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
		CONFIG_BOOTPARAM_HUNG_TASK_PANIC=y
		# CONFIG_SCHED_DEBUG is not set
		CONFIG_TIMER_STATS=y
		CONFIG_DEBUG_STRICT_USER_COPY_CHECKS=y
		CONFIG_CRYPTO_MANAGER=y
		CONFIG_CRYPTO_ECB=m
		CONFIG_CRYPTO_PCBC=m

arch/parisc/include/asm/uaccess.h

+12 −10

Original line number	Diff line number	Diff line
		@@ -208,13 +208,13 @@ unsigned long copy_in_user(void __user dst, const void __user src, unsigned lo
		#define __copy_to_user_inatomic __copy_to_user
		#define __copy_from_user_inatomic __copy_from_user

		extern void copy_from_user_overflow(void)
		#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
		__compiletime_error("copy_from_user() buffer size is not provably correct")
		#else
		__compiletime_warning("copy_from_user() buffer size is not provably correct")
		#endif
		;
		extern void __compiletime_error("usercopy buffer size is too small")
		__bad_copy_user(void);

		static inline void copy_user_overflow(int size, unsigned long count)
		{
		WARN(1, "Buffer overflow detected (%d < %lu)!\n", size, count);
		}

		static inline unsigned long __must_check copy_from_user(void *to,
		const void __user *from,
		@@ -223,10 +223,12 @@ static inline unsigned long __must_check copy_from_user(void *to,
		int sz = __compiletime_object_size(to);
		int ret = -EFAULT;

		if (likely(sz == -1 \|\| !__builtin_constant_p(n) \|\| sz >= n))
		if (likely(sz == -1 \|\| sz >= n))
		ret = __copy_from_user(to, from, n);
		else if (!__builtin_constant_p(n))
		copy_user_overflow(sz, n);
		else
		copy_from_user_overflow();
		__bad_copy_user();

		return ret;
		}

arch/s390/Kconfig

+0 −1

Original line number	Diff line number	Diff line
		@@ -68,7 +68,6 @@ config DEBUG_RODATA
		config S390
		def_bool y
		select ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE
		select ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS
		select ARCH_HAS_DEVMEM_IS_ALLOWED
		select ARCH_HAS_ELF_RANDOMIZE
		select ARCH_HAS_GCOV_PROFILE_ALL