manual: Document __wur usage under _FORTIFY_SOURCE
Checks
Context |
Check |
Description |
dj/TryBot-apply_patch |
success
|
Patch applied to master at the time it was sent
|
dj/TryBot-32bit |
success
|
Build for i686
|
Commit Message
The __warn_unused_result__ attribute is only enabled when fortification
is enabled. Mention that in the document. The rationale for this is
essentially to mitigate against CWE-252:
[1] https://cwe.mitre.org/data/definitions/252.html
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
---
manual/maint.texi | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
Comments
* Siddhesh Poyarekar via Libc-alpha:
> The __warn_unused_result__ attribute is only enabled when fortification
> is enabled. Mention that in the document. The rationale for this is
> essentially to mitigate against CWE-252:
>
> [1] https://cwe.mitre.org/data/definitions/252.html
>
> Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
> ---
> manual/maint.texi | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/manual/maint.texi b/manual/maint.texi
> index 76d4a1a147..ae651c2a4a 100644
> --- a/manual/maint.texi
> +++ b/manual/maint.texi
> @@ -206,7 +206,10 @@ to the function call are safe, the call may be replaced by a call to its
> hardened variant that does additional safety checks at runtime. Some
> hardened variants need the size of the buffer to perform access
> validation and this is provided by the @code{__builtin_object_size} or
> -the @code{__builtin_dynamic_object_size} builtin functions.
> +the @code{__builtin_dynamic_object_size} builtin functions. The macro
> +also enables additional compile time diagnostics, such as unchecked
> +return values from some functions, to encourage developers to add error
> +checking for those functions.
Maybe repeat _FORTIFY_SOURCE it's been a while since it's been
mentioned?
Note that now that GCC supports [[nodiscard]] (with the standard way
to suppress it), we could apply that to functions even outside
_FORTIFY_SOURCE, I think. That's a separate matter, of course.
On 2023-03-24 11:15, Florian Weimer wrote:
>> diff --git a/manual/maint.texi b/manual/maint.texi
>> index 76d4a1a147..ae651c2a4a 100644
>> --- a/manual/maint.texi
>> +++ b/manual/maint.texi
>> @@ -206,7 +206,10 @@ to the function call are safe, the call may be replaced by a call to its
>> hardened variant that does additional safety checks at runtime. Some
>> hardened variants need the size of the buffer to perform access
>> validation and this is provided by the @code{__builtin_object_size} or
>> -the @code{__builtin_dynamic_object_size} builtin functions.
>> +the @code{__builtin_dynamic_object_size} builtin functions. The macro
>> +also enables additional compile time diagnostics, such as unchecked
>> +return values from some functions, to encourage developers to add error
>> +checking for those functions.
>
> Maybe repeat _FORTIFY_SOURCE it's been a while since it's been
> mentioned?
Ack, will do.
> Note that now that GCC supports [[nodiscard]] (with the standard way
> to suppress it), we could apply that to functions even outside
> _FORTIFY_SOURCE, I think. That's a separate matter, of course.
Yes, I've wondered that too. I'll start a separate thread about that later.
Thanks,
Sid
@@ -206,7 +206,10 @@ to the function call are safe, the call may be replaced by a call to its
hardened variant that does additional safety checks at runtime. Some
hardened variants need the size of the buffer to perform access
validation and this is provided by the @code{__builtin_object_size} or
-the @code{__builtin_dynamic_object_size} builtin functions.
+the @code{__builtin_dynamic_object_size} builtin functions. The macro
+also enables additional compile time diagnostics, such as unchecked
+return values from some functions, to encourage developers to add error
+checking for those functions.
At runtime, if any of those safety checks fail, the program will
terminate with a @code{SIGABRT} signal. @code{_FORTIFY_SOURCE} may be