On 31.05.24 г. 19:28 ч., Kees Cook wrote:
On Thu, May 30, 2024 at 09:23:36AM -0700, Jeff Johnson wrote:
On 5/30/2024 8:42 AM, Nikolay Borisov wrote:
On 29.05.24 г. 21:09 ч., Jeff Johnson wrote:
As discussed in [1] add a prototype for __fortify_panic() to fix the
'make W=1 C=1' warning:
arch/x86/boot/compressed/misc.c:535:6: warning: symbol '__fortify_panic' was not declared. Should it be static?
Actually doesn't it make sense to have this defined under ../string.h ?
Actually given that we don't have any string fortification under the
boot/ why have the fortify _* functions at all ?
I'll let Kees answer these questions since I just took guidance from him :)
Ah-ha, I see what's happening. When not built with
CONFIG_FORTIFY_SOURCE, fortify-string.h isn't included. But since misc.c
has the function definition, we get a warning that the function
declaration was never seen. This is likely the better solution:
fortify-strings.h is used in include/linux/string.h. However all the
files in the decompressor are using a local copy of string.h and not the
kernel-wide. When pre-processing misc.c with FORTIFY_SOURCE enabled
here's the status:
$ grep -i fortify arch/x86/boot/compressed/misc.i
void __fortify_panic(const u8 reason, size_t avail, size_t size)
It seems the decompressor is not using fortify-string at all because
it's not using the global string.h ?
diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c
index b70e4a21c15f..3f21a5e218f8 100644
--- a/arch/x86/boot/compressed/misc.c
+++ b/arch/x86/boot/compressed/misc.c
@@ -532,7 +532,9 @@ asmlinkage __visible void *extract_kernel(void *rmode, unsigned char *output)
return output + entry_offset;
}
+#ifdef CONFIG_FORTIFY_SOURCE
void __fortify_panic(const u8 reason, size_t avail, size_t size)
{
error("detected buffer overflow");
}
+#endif
Jeff, can you test this? (I still haven't been able to reproduce the
warning.)