Skip to content

Commit 6ee149f

Browse files
keeskees
committed
kunit/fortify: Replace "volatile" with OPTIMIZER_HIDE_VAR()
It does seem that using "volatile" isn't going to be sane compared to using OPTIMIZER_HIDE_VAR() going forward. Some strange interactions[1] with the sanitizers have been observed in the self-test code, so replace the logic. Reported-by: Nathan Chancellor <nathan@kernel.org> Closes: ClangBuiltLinux#2075 [1] Link: https://lore.kernel.org/r/20250312000439.work.112-kees@kernel.org Signed-off-by: Kees Cook <kees@kernel.org>
1 parent 416cf1f commit 6ee149f

1 file changed

Lines changed: 77 additions & 62 deletions

File tree

lib/tests/fortify_kunit.c

Lines changed: 77 additions & 62 deletions
Original file line numberDiff line numberDiff line change
@@ -411,8 +411,6 @@ struct fortify_padding {
411411
char buf[32];
412412
unsigned long bytes_after;
413413
};
414-
/* Force compiler into not being able to resolve size at compile-time. */
415-
static volatile int unconst;
416414

417415
static void fortify_test_strlen(struct kunit *test)
418416
{
@@ -537,57 +535,56 @@ static void fortify_test_strncpy(struct kunit *test)
537535
{
538536
struct fortify_padding pad = { };
539537
char src[] = "Copy me fully into a small buffer and I will overflow!";
538+
size_t sizeof_buf = sizeof(pad.buf);
539+
540+
OPTIMIZER_HIDE_VAR(sizeof_buf);
540541

541542
/* Destination is %NUL-filled to start with. */
542543
KUNIT_EXPECT_EQ(test, pad.bytes_before, 0);
543-
KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
544-
KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
545-
KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0');
544+
KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 1], '\0');
545+
KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 2], '\0');
546+
KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 3], '\0');
546547
KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
547548

548549
/* Legitimate strncpy() 1 less than of max size. */
549-
KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src,
550-
sizeof(pad.buf) + unconst - 1)
550+
KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src, sizeof_buf - 1)
551551
== pad.buf);
552552
KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
553553
/* Only last byte should be %NUL */
554-
KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
555-
KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
556-
KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
554+
KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 1], '\0');
555+
KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
556+
KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 3], '\0');
557557

558558
/* Legitimate (though unterminated) max-size strncpy. */
559-
KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src,
560-
sizeof(pad.buf) + unconst)
559+
KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src, sizeof_buf)
561560
== pad.buf);
562561
KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
563562
/* No trailing %NUL -- thanks strncpy API. */
564-
KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 1], '\0');
565-
KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
566-
KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
563+
KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 1], '\0');
564+
KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
565+
KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
567566
/* But we will not have gone beyond. */
568567
KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
569568

570569
/* Now verify that FORTIFY is working... */
571-
KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src,
572-
sizeof(pad.buf) + unconst + 1)
570+
KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src, sizeof_buf + 1)
573571
== pad.buf);
574572
/* Should catch the overflow. */
575573
KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1);
576-
KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 1], '\0');
577-
KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
578-
KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
574+
KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 1], '\0');
575+
KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
576+
KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
579577
/* And we will not have gone beyond. */
580578
KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
581579

582580
/* And further... */
583-
KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src,
584-
sizeof(pad.buf) + unconst + 2)
581+
KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src, sizeof_buf + 2)
585582
== pad.buf);
586583
/* Should catch the overflow. */
587584
KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2);
588-
KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 1], '\0');
589-
KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
590-
KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
585+
KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 1], '\0');
586+
KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
587+
KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
591588
/* And we will not have gone beyond. */
592589
KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
593590
}
@@ -596,55 +593,56 @@ static void fortify_test_strscpy(struct kunit *test)
596593
{
597594
struct fortify_padding pad = { };
598595
char src[] = "Copy me fully into a small buffer and I will overflow!";
596+
size_t sizeof_buf = sizeof(pad.buf);
597+
size_t sizeof_src = sizeof(src);
598+
599+
OPTIMIZER_HIDE_VAR(sizeof_buf);
600+
OPTIMIZER_HIDE_VAR(sizeof_src);
599601

600602
/* Destination is %NUL-filled to start with. */
601603
KUNIT_EXPECT_EQ(test, pad.bytes_before, 0);
602-
KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
603-
KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
604-
KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0');
604+
KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 1], '\0');
605+
KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 2], '\0');
606+
KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 3], '\0');
605607
KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
606608

607609
/* Legitimate strscpy() 1 less than of max size. */
608-
KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src,
609-
sizeof(pad.buf) + unconst - 1),
610+
KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src, sizeof_buf - 1),
610611
-E2BIG);
611612
KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
612613
/* Keeping space for %NUL, last two bytes should be %NUL */
613-
KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
614-
KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
615-
KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
614+
KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 1], '\0');
615+
KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 2], '\0');
616+
KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 3], '\0');
616617

617618
/* Legitimate max-size strscpy. */
618-
KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src,
619-
sizeof(pad.buf) + unconst),
619+
KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src, sizeof_buf),
620620
-E2BIG);
621621
KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
622622
/* A trailing %NUL will exist. */
623-
KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
624-
KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
625-
KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
623+
KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 1], '\0');
624+
KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
625+
KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
626626

627627
/* Now verify that FORTIFY is working... */
628-
KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src,
629-
sizeof(pad.buf) + unconst + 1),
628+
KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src, sizeof_buf + 1),
630629
-E2BIG);
631630
/* Should catch the overflow. */
632631
KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1);
633-
KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
634-
KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
635-
KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
632+
KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 1], '\0');
633+
KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
634+
KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
636635
/* And we will not have gone beyond. */
637636
KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
638637

639638
/* And much further... */
640-
KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src,
641-
sizeof(src) * 2 + unconst),
639+
KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src, sizeof_src * 2),
642640
-E2BIG);
643641
/* Should catch the overflow. */
644642
KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2);
645-
KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
646-
KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
647-
KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
643+
KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 1], '\0');
644+
KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
645+
KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
648646
/* And we will not have gone beyond. */
649647
KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
650648
}
@@ -784,7 +782,9 @@ static void fortify_test_strlcat(struct kunit *test)
784782
struct fortify_padding pad = { };
785783
char src[sizeof(pad.buf)] = { };
786784
int i, partial;
787-
int len = sizeof(pad.buf) + unconst;
785+
int len = sizeof(pad.buf);
786+
787+
OPTIMIZER_HIDE_VAR(len);
788788

789789
/* Fill 15 bytes with valid characters. */
790790
partial = sizeof(src) / 2 - 1;
@@ -874,28 +874,32 @@ struct fortify_zero_sized {
874874
#define __fortify_test(memfunc) \
875875
static void fortify_test_##memfunc(struct kunit *test) \
876876
{ \
877-
struct fortify_zero_sized zero = { }; \
877+
struct fortify_zero_sized empty = { }; \
878878
struct fortify_padding pad = { }; \
879879
char srcA[sizeof(pad.buf) + 2]; \
880880
char srcB[sizeof(pad.buf) + 2]; \
881-
size_t len = sizeof(pad.buf) + unconst; \
881+
size_t len = sizeof(pad.buf); \
882+
size_t zero = 0; \
883+
\
884+
OPTIMIZER_HIDE_VAR(len); \
885+
OPTIMIZER_HIDE_VAR(zero); \
882886
\
883887
memset(srcA, 'A', sizeof(srcA)); \
884888
KUNIT_ASSERT_EQ(test, srcA[0], 'A'); \
885889
memset(srcB, 'B', sizeof(srcB)); \
886890
KUNIT_ASSERT_EQ(test, srcB[0], 'B'); \
887891
\
888-
memfunc(pad.buf, srcA, 0 + unconst); \
892+
memfunc(pad.buf, srcA, zero); \
889893
KUNIT_EXPECT_EQ(test, pad.buf[0], '\0'); \
890894
KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \
891895
KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); \
892-
memfunc(pad.buf + 1, srcB, 1 + unconst); \
896+
memfunc(pad.buf + 1, srcB, zero + 1); \
893897
KUNIT_EXPECT_EQ(test, pad.buf[0], '\0'); \
894898
KUNIT_EXPECT_EQ(test, pad.buf[1], 'B'); \
895899
KUNIT_EXPECT_EQ(test, pad.buf[2], '\0'); \
896900
KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \
897901
KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); \
898-
memfunc(pad.buf, srcA, 1 + unconst); \
902+
memfunc(pad.buf, srcA, zero + 1); \
899903
KUNIT_EXPECT_EQ(test, pad.buf[0], 'A'); \
900904
KUNIT_EXPECT_EQ(test, pad.buf[1], 'B'); \
901905
KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \
@@ -921,10 +925,10 @@ static void fortify_test_##memfunc(struct kunit *test) \
921925
/* Reset error counter. */ \
922926
fortify_write_overflows = 0; \
923927
/* Copy nothing into nothing: no errors. */ \
924-
memfunc(zero.buf, srcB, 0 + unconst); \
928+
memfunc(empty.buf, srcB, zero); \
925929
KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \
926930
KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); \
927-
memfunc(zero.buf, srcB, 1 + unconst); \
931+
memfunc(empty.buf, srcB, zero + 1); \
928932
KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \
929933
KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1); \
930934
}
@@ -936,7 +940,9 @@ static void fortify_test_memscan(struct kunit *test)
936940
char haystack[] = "Where oh where is my memory range?";
937941
char *mem = haystack + strlen("Where oh where is ");
938942
char needle = 'm';
939-
size_t len = sizeof(haystack) + unconst;
943+
size_t len = sizeof(haystack);
944+
945+
OPTIMIZER_HIDE_VAR(len);
940946

941947
KUNIT_ASSERT_PTR_EQ(test, memscan(haystack, needle, len),
942948
mem);
@@ -955,7 +961,9 @@ static void fortify_test_memchr(struct kunit *test)
955961
char haystack[] = "Where oh where is my memory range?";
956962
char *mem = haystack + strlen("Where oh where is ");
957963
char needle = 'm';
958-
size_t len = sizeof(haystack) + unconst;
964+
size_t len = sizeof(haystack);
965+
966+
OPTIMIZER_HIDE_VAR(len);
959967

960968
KUNIT_ASSERT_PTR_EQ(test, memchr(haystack, needle, len),
961969
mem);
@@ -974,7 +982,9 @@ static void fortify_test_memchr_inv(struct kunit *test)
974982
char haystack[] = "Where oh where is my memory range?";
975983
char *mem = haystack + 1;
976984
char needle = 'W';
977-
size_t len = sizeof(haystack) + unconst;
985+
size_t len = sizeof(haystack);
986+
987+
OPTIMIZER_HIDE_VAR(len);
978988

979989
/* Normal search is okay. */
980990
KUNIT_ASSERT_PTR_EQ(test, memchr_inv(haystack, needle, len),
@@ -993,8 +1003,11 @@ static void fortify_test_memcmp(struct kunit *test)
9931003
{
9941004
char one[] = "My mind is going ...";
9951005
char two[] = "My mind is going ... I can feel it.";
996-
size_t one_len = sizeof(one) + unconst - 1;
997-
size_t two_len = sizeof(two) + unconst - 1;
1006+
size_t one_len = sizeof(one) - 1;
1007+
size_t two_len = sizeof(two) - 1;
1008+
1009+
OPTIMIZER_HIDE_VAR(one_len);
1010+
OPTIMIZER_HIDE_VAR(two_len);
9981011

9991012
/* We match the first string (ignoring the %NUL). */
10001013
KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len), 0);
@@ -1015,7 +1028,9 @@ static void fortify_test_kmemdup(struct kunit *test)
10151028
{
10161029
char src[] = "I got Doom running on it!";
10171030
char *copy;
1018-
size_t len = sizeof(src) + unconst;
1031+
size_t len = sizeof(src);
1032+
1033+
OPTIMIZER_HIDE_VAR(len);
10191034

10201035
/* Copy is within bounds. */
10211036
copy = kmemdup(src, len, GFP_KERNEL);

0 commit comments

Comments
 (0)