On Mon, Jan 24, 2022 at 05:07:44PM +0100, Marco Elver wrote: > With CONFIG_FORTIFY_SOURCE enabled, string functions will also perform > dynamic checks using __builtin_object_size(ptr), which when failed will > panic the kernel. > > Because the KASAN test deliberately performs out-of-bounds operations, > the kernel panics with FORITY_SOURCE, for example: > > | kernel BUG at lib/string_helpers.c:910! > | invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI > | CPU: 1 PID: 137 Comm: kunit_try_catch Tainted: G B 5.16.0-rc3+ #3 > | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 > | RIP: 0010:fortify_panic+0x19/0x1b > | ... > | Call Trace: > | <TASK> > | kmalloc_oob_in_memset.cold+0x16/0x16 > | ... > > Fix it by also hiding `ptr` from the optimizer, which will ensure that > __builtin_object_size() does not return a valid size, preventing > fortified string functions from panicking. > > Reported-by: Nico Pache <npache@xxxxxxxxxx> > Signed-off-by: Marco Elver <elver@xxxxxxxxxx> Yup, more good fixes. Thanks! Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx> -- Kees Cook
