Re: [PATCH 2/3] fortify: cosmetic cleanups to __compiletime_strlen

From: Kees Cook
Date: Wed Aug 31 2022 - 15:06:35 EST


On Tue, Aug 30, 2022 at 01:53:08PM -0700, Nick Desaulniers wrote:
> Two things I noticed in __compiletime_strlen:

Four? :)

> 1. A temporary, __p, is created+used to avoid repeated side effects from
> multiple evaluation of the macro parameter, but the macro parameter
> was being used accidentally in __builtin_object_size.

__builtin_object_size(), like sizeof() but unlike __builtin_strlen(),
will not evaluate side-effects: https://godbolt.org/z/Yaa1z7YvK
And using bos on __p will sometimes mask the actual object, so p needs to
stay the argument.

> 2. The temporary has a curious signedness and const-less qualification.
> Just use __auto_type.

__auto_type is pretty rare in the kernel, but does provide the removal
of "const". Even though the kernel builds with -Wno-pointer-sign, the
explicit case does fix a potential warnings about signedness differences,
not just const differences, for __builtin_strlen() which requires "const
char *", but many arguments are "unsigned char *", "u8 *", etc.

Is __auto_type more readable than the explicit cast? It does seem to
work fine.

> 3. (size_t)-1 is perhaps more readable as -1UL.

That's true, though I kind of prefer (size_t)-1, though yes, it appears
to be the extreme minority in the kernel.

> 4. __p_size == -1UL when __builtin_object_size can't evaluate the
> object size at compile time. We could just reuse __ret and use one
> less variable here.

This seems to get entire optimized away by the compiler? I think it's
more readable to keep the explicit variable.

-Kees

>
> Signed-off-by: Nick Desaulniers <ndesaulniers@xxxxxxxxxx>
> ---
> include/linux/fortify-string.h | 9 ++++-----
> 1 file changed, 4 insertions(+), 5 deletions(-)
>
> diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
> index c5adad596a3f..aaf73575050f 100644
> --- a/include/linux/fortify-string.h
> +++ b/include/linux/fortify-string.h
> @@ -22,11 +22,10 @@ void __write_overflow_field(size_t avail, size_t wanted) __compiletime_warning("
>
> #define __compiletime_strlen(p) \
> ({ \
> - unsigned char *__p = (unsigned char *)(p); \
> - size_t __ret = (size_t)-1; \
> - size_t __p_size = __object_size(p, 1); \
> - if (__p_size != (size_t)-1) { \
> - size_t __p_len = __p_size - 1; \
> + __auto_type __p = (p); \
> + size_t __ret = __object_size(__p, 1); \
> + if (__ret != -1UL) { \
> + size_t __p_len = __ret - 1; \
> if (__builtin_constant_p(__p[__p_len]) && \
> __p[__p_len] == '\0') \
> __ret = __builtin_strlen(__p); \
> --
> 2.37.2.672.g94769d06f0-goog
>

--
Kees Cook