From patchwork Wed Aug 17 17:19:16 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zack Weinberg X-Patchwork-Id: 14713 Received: (qmail 82598 invoked by alias); 17 Aug 2016 17:19:21 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 82580 invoked by uid 89); 17 Aug 2016 17:19:21 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-2.5 required=5.0 tests=AWL, BAYES_00, RP_MATCHES_RCVD, SPF_PASS autolearn=ham version=3.3.2 spammy=sk:__glibc, 16010, cooperate X-HELO: mailbackend.panix.com From: Zack Weinberg To: libc-alpha@sourceware.org Cc: fweimer@redhat.com Subject: [PATCH 3/4] Add fortification support for explicit_bzero. Date: Wed, 17 Aug 2016 13:19:16 -0400 Message-Id: <0e28fadfa43506167d2dfaea7bd2c03d99a9aea7.1471452664.git.zackw@panix.com> MIME-Version: 1.0 In-Reply-To: References: The __glibc_read_memory approach means that this is very easy - it can be defined in terms of __memset_chk, which was not possible in the previous iteration. * string/bits/string3.h: Fortify explicit_bzero. * string/bits/string2.h: Cooperate with this. * debug/tst-chk1.c: Test fortification of explicit_bzero. --- debug/tst-chk1.c | 28 ++++++++++++++++++++++++++++ string/bits/string2.h | 2 +- string/bits/string3.h | 7 +++++++ 3 files changed, 36 insertions(+), 1 deletion(-) diff --git a/debug/tst-chk1.c b/debug/tst-chk1.c index 478c2fb..e87a279 100644 --- a/debug/tst-chk1.c +++ b/debug/tst-chk1.c @@ -160,6 +160,10 @@ do_test (void) if (memcmp (buf, "aabcdabc\0\0", 10)) FAIL (); + explicit_bzero (buf + 6, 4); + if (memcmp (buf, "aabcda\0\0\0\0", 10)) + FAIL (); + strcpy (buf + 4, "EDCBA"); if (memcmp (buf, "aabcEDCBA", 10)) FAIL (); 
@@ -201,6 +205,10 @@ do_test (void) if (memcmp (buf, "aabcdabc\0\0", 10)) FAIL (); + explicit_bzero (buf + 6, l0 + 4); + if (memcmp (buf, "aabcda\0\0\0\0", 10)) + FAIL (); + strcpy (buf + 4, str1 + 5); if (memcmp (buf, "aabcEDCBA", 10)) FAIL (); @@ -256,6 +264,10 @@ do_test (void) if (memcmp (a.buf1, "aabcdabc\0\0", 10)) FAIL (); + explicit_bzero (a.buf1 + 6, l0 + 4); + if (memcmp (a.buf1, "aabcda\0\0\0\0", 10)) + FAIL (); + #if __USE_FORTIFY_LEVEL < 2 /* The following tests are supposed to crash with -D_FORTIFY_SOURCE=2 and sufficient GCC support, as the string operations overflow @@ -345,6 +357,14 @@ do_test (void) bzero (buf + 9, l0 + 2); CHK_FAIL_END + CHK_FAIL_START + explicit_bzero (buf + 9, 2); + CHK_FAIL_END + + CHK_FAIL_START + explicit_bzero (buf + 9, l0 + 2); + CHK_FAIL_END + CHK_FAIL_START strcpy (buf + 5, str1 + 5); CHK_FAIL_END @@ -454,6 +474,14 @@ do_test (void) bzero (a.buf1 + 9, l0 + 2); CHK_FAIL_END + CHK_FAIL_START + explicit_bzero (a.buf1 + 9, 2); + CHK_FAIL_END + + CHK_FAIL_START + explicit_bzero (a.buf1 + 9, l0 + 2); + CHK_FAIL_END + # if __USE_FORTIFY_LEVEL >= 2 # define O 0 # else diff --git a/string/bits/string2.h b/string/bits/string2.h index f890585..f7fc866 100644 --- a/string/bits/string2.h +++ b/string/bits/string2.h @@ -57,7 +57,7 @@ # define __bzero(s, n) __builtin_memset (s, '\0', n) #endif -#ifdef __USE_MISC +#if defined __USE_MISC && !defined __fortify_function /* As bzero, but the compiler will not delete a call to this function, even if S is dead after the call. Note: this function has its own implementation file and should not be slurped into diff --git a/string/bits/string3.h b/string/bits/string3.h index dd8db68..d340bef 100644 --- a/string/bits/string3.h +++ b/string/bits/string3.h 
@@ -102,6 +102,13 @@ __NTH (bzero (void *__dest, size_t __len)) { (void) __builtin___memset_chk (__dest, '\0', __len, __bos0 (__dest)); } + +__fortify_function void +__NTH (explicit_bzero (void *__dest, size_t __len)) +{ + (void) __builtin___memset_chk (__dest, '\0', __len, __bos0 (__dest)); + __glibc_read_memory (__dest, __len); +} #endif __fortify_function char *
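Review bot: in the string/bits/string3.h hunk, the new explicit_bzero wrapper relies on __glibc_read_memory, which this patch neither defines nor declares, so the hunk only compiles with the earlier patch in the series applied; the commit message should say which patch introduces it, and the body deserves a one-line comment stating that the call after `__builtin___memset_chk` exists solely to keep the compiler from eliminating the memset as a dead store. Since the unfortified explicit_bzero lives in its own implementation file precisely so the call cannot be deleted (as the string2.h comment above notes), the whole guarantee of the fortified inline version now rests on __glibc_read_memory being an optimization barrier the compiler cannot see through; a pointer to the test or comment that establishes that would make the change reviewable on its own.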
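Review bot: the string/bits/string2.h hunk changes the guard to `#if defined __USE_MISC && !defined __fortify_function` without saying why, and nothing in the surrounding comment explains it. The intent, that the string2.h inline definition must step aside whenever string3.h will supply the checked version, is a coupling between two headers that is easy to break later; add a short comment such as "when fortification is enabled, bits/string3.h provides a checking version of explicit_bzero instead" so the next person editing either file sees the dependency.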
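Review bot: the four CHK_FAIL_START/CHK_FAIL_END additions in debug/tst-chk1.c (hunks at lines 357 and 474) and the in-bounds checks at lines 160, 205 and 264 all operate on `buf` and `a.buf1`, whose size `__bos0` can determine statically, so the test never exercises the path where the object size is unknown and `__builtin___memset_chk` is passed (size_t) -1. Consider adding one in-bounds call through a plain pointer parameter, matching what the existing bzero tests do elsewhere in this file if such a case exists, so that a future change to the wrapper cannot introduce a false-positive __chk_fail on the unknown-size path unnoticed.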