string.h: Validate memtostr*()/strtomem*() arguments more carefully
authorKees Cook <kees@kernel.org>
Wed, 5 Feb 2025 21:41:58 +0000 (13:41 -0800)
committerKees Cook <kees@kernel.org>
Mon, 3 Mar 2025 17:35:50 +0000 (09:35 -0800)
Since these functions handle moving between C strings and non-C strings,
they should check for the appropriate presence/lack of the nonstring
attribute on arguments.

Signed-off-by: Kees Cook <kees@kernel.org>
include/linux/string.h

index f8e21e80942f106b2c9805cf8fae5aa70bf0e164..0403a4ca4c116a4b243170350061959671a3c7a5 100644 (file)
@@ -415,8 +415,10 @@ void memcpy_and_pad(void *dest, size_t dest_len, const void *src, size_t count,
  */
 #define strtomem_pad(dest, src, pad)   do {                            \
        const size_t _dest_len = __must_be_byte_array(dest) +           \
+                                __must_be_noncstr(dest) +              \
                                 ARRAY_SIZE(dest);                      \
-       const size_t _src_len = __builtin_object_size(src, 1);          \
+       const size_t _src_len = __must_be_cstr(src) +                   \
+                               __builtin_object_size(src, 1);          \
                                                                        \
        BUILD_BUG_ON(!__builtin_constant_p(_dest_len) ||                \
                     _dest_len == (size_t)-1);                          \
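Review bot: The kernel-doc block that closes on the first context line of this hunk does not appear to be updated, so strtomem_pad() callers are not told that `dest` must now carry the nonstring attribute and `src` must not; they will only find out through a build failure. I would add a line to that comment such as `* @dest must be a byte array marked __nonstring; @src must be a NUL-terminated C string.` The same applies to strtomem() in the next hunk, and with the roles reversed to memtostr() and memtostr_pad() in the last two (`* @dest must be a NUL-terminated char array; @src must be marked __nonstring.`). `__must_be_cstr()` and `__must_be_noncstr()` are defined outside this diff, so it cannot be confirmed from here whether they still enforce anything on a compiler that cannot query the attribute; if they degrade to a no-op, the comment should say the check is best-effort. The macro bodies and their comments begin and end outside the hunks.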
@@ -439,8 +441,10 @@ void memcpy_and_pad(void *dest, size_t dest_len, const void *src, size_t count,
  */
 #define strtomem(dest, src)    do {                                    \
        const size_t _dest_len = __must_be_byte_array(dest) +           \
+                                __must_be_noncstr(dest) +              \
                                 ARRAY_SIZE(dest);                      \
-       const size_t _src_len = __builtin_object_size(src, 1);          \
+       const size_t _src_len = __must_be_cstr(src) +                   \
+                               __builtin_object_size(src, 1);          \
                                                                        \
        BUILD_BUG_ON(!__builtin_constant_p(_dest_len) ||                \
                     _dest_len == (size_t)-1);                          \
@@ -459,8 +463,10 @@ void memcpy_and_pad(void *dest, size_t dest_len, const void *src, size_t count,
  */
 #define memtostr(dest, src)    do {                                    \
        const size_t _dest_len = __must_be_byte_array(dest) +           \
+                                __must_be_cstr(dest) +                 \
                                 ARRAY_SIZE(dest);                      \
-       const size_t _src_len = __builtin_object_size(src, 1);          \
+       const size_t _src_len = __must_be_noncstr(src) +                \
+                               __builtin_object_size(src, 1);          \
        const size_t _src_chars = strnlen(src, _src_len);               \
        const size_t _copy_len = min(_dest_len - 1, _src_chars);        \
                                                                        \
@@ -485,8 +491,10 @@ void memcpy_and_pad(void *dest, size_t dest_len, const void *src, size_t count,
  */
 #define memtostr_pad(dest, src)                do {                            \
        const size_t _dest_len = __must_be_byte_array(dest) +           \
+                                __must_be_cstr(dest) +                 \
                                 ARRAY_SIZE(dest);                      \
-       const size_t _src_len = __builtin_object_size(src, 1);          \
+       const size_t _src_len = __must_be_noncstr(src) +                \
+                               __builtin_object_size(src, 1);          \
        const size_t _src_chars = strnlen(src, _src_len);               \
        const size_t _copy_len = min(_dest_len - 1, _src_chars);        \
                                                                        \