include: de-macro __ssp_overlap(), improve semantics and checking

Switch away from pointer arithmetic to provide more obvious semantics for checking overlap on pointer ranges. This lets us remove some casts that need not exist and removes some possible fragility in its use. While we're here, check for overflow just in case; sometimes we use a caller-supplied size if __builtin_object_size(3) can't deduce the buffer size, and we should fail the check if the size is nonsensical for the provided buffers. Reviewed by: markj Sponsored by: Klara, Inc. Sponsored by: Stormshield
2024-10-18 02:19:39 +00:00 · 2024-07-13 00:16:10 -05:00 · 2024-07-13 00:16:10 -05:00 · c10d567ea0
commit c10d567ea0
parent 020d003c86
2 changed files with 14 additions and 7 deletions
--- a/include/ssp/ssp.h
+++ b/include/ssp/ssp.h
@ -83,12 +83,19 @@ __ssp_inline rtype fun args { \
 #define __ssp_redirect0(rtype, fun, args, call) \
    __ssp_redirect_raw(rtype, fun, fun, args, call, 1, __ssp_bos0)

-/*
- * Take caution when using __ssp_overlap!  Don't use it in contexts where we
- * can end up with double-evaluation of a statement with some side-effects.
- */
-#define __ssp_overlap(a, b, l) \
-    (((a) <= (b) && (b) < (a) + (l)) || ((b) <= (a) && (a) < (b) + (l)))
+#include <machine/_stdint.h>
+
+static inline int
+__ssp_overlap(const void *leftp, const void *rightp, __size_t sz)
+{
+	__uintptr_t left = (__uintptr_t)leftp;
+	__uintptr_t right = (__uintptr_t)rightp;
+
+	if (left <= right)
+		return (SIZE_MAX - sz < left || right < left + sz);
+
+	return (SIZE_MAX - sz < right || left < right + sz);
+}

 __BEGIN_DECLS
 void __stack_chk_fail(void) __dead2;
--- a/lib/libc/secure/memcpy_chk.c
+++ b/lib/libc/secure/memcpy_chk.c
@ -44,7 +44,7 @@ __memcpy_chk(void * __restrict dst, const void * __restrict src, size_t len,
 	if (len > slen)
 		__chk_fail();

-	if (__ssp_overlap((const char *)src, (const char *)dst, len))
+	if (__ssp_overlap(src, dst, len))
 		__chk_fail();

 	return (memcpy(dst, src, len));