From patchwork Mon Jan 8 20:21:43 2024
X-Patchwork-Submitter: Adhemerval Zanella
X-Patchwork-Id: 83564
From: Adhemerval Zanella
To: libc-alpha@sourceware.org
Subject: [PATCH v2 04/10] stdlib: Improve fortify with clang
Date: Mon, 8 Jan 2024 17:21:43 -0300
Message-Id: <20240108202149.335305-5-adhemerval.zanella@linaro.org>
In-Reply-To: <20240108202149.335305-1-adhemerval.zanella@linaro.org>
References: <20240108202149.335305-1-adhemerval.zanella@linaro.org>

It improves fortify checks for realpath, ptsname_r, wctomb, mbstowcs, and wcstombs. The runtime and compile checks have similar coverage as with GCC. Checked on aarch64, armhf, x86_64, and i686.

--- stdlib/bits/stdlib.h | 40 +++++++++++++++++++++++++++++----------- 1 file changed, 29 insertions(+), 11 deletions(-) diff --git a/stdlib/bits/stdlib.h b/stdlib/bits/stdlib.h index 1c7191ba57..9e31801e80 100644 --- a/stdlib/bits/stdlib.h +++ b/stdlib/bits/stdlib.h
@@ -33,15 +33,22 @@ extern char *__REDIRECT_NTH (__realpath_chk_warn, __warnattr ("second argument of realpath must be either NULL or at " "least PATH_MAX bytes long buffer"); -__fortify_function __wur char * -__NTH (realpath (const char *__restrict __name, char *__restrict __resolved)) +__fortify_function __attribute_overloadable__ __wur char * +__NTH (realpath (const char *__restrict __name, + __fortify_clang_overload_arg (char *, __restrict, __resolved))) +#if defined _LIBC_LIMITS_H_ && defined PATH_MAX + __fortify_clang_warning_only_if_bos_lt (PATH_MAX, __resolved, + "second argument of realpath must be " + "either NULL or at least PATH_MAX " + "bytes long buffer") +#endif { size_t sz = __glibc_objsize (__resolved); if (sz == (size_t) -1) return __realpath_alias (__name, __resolved); -#if defined _LIBC_LIMITS_H_ && defined PATH_MAX +#if !__fortify_use_clang && defined _LIBC_LIMITS_H_ && defined PATH_MAX if (__glibc_unsafe_len (PATH_MAX, sizeof (char), sz)) return __realpath_chk_warn (__name, __resolved, sz); #endif @@ -61,8 +68,13 @@ extern int __REDIRECT_NTH (__ptsname_r_chk_warn, __nonnull ((2)) __warnattr ("ptsname_r called with buflen bigger than " "size of buf"); -__fortify_function int -__NTH (ptsname_r (int __fd, char *__buf, size_t __buflen)) +__fortify_function __attribute_overloadable__ int +__NTH (ptsname_r (int __fd, + __fortify_clang_overload_arg (char *, ,__buf), + size_t __buflen)) + __fortify_clang_warning_only_if_bos_lt (__buflen, __buf, + "ptsname_r called with buflen " + "bigger than size of buf") { return __glibc_fortify (ptsname_r, __buflen, sizeof (char), __glibc_objsize (__buf), 
@@ -75,8 +87,8 @@ extern int __wctomb_chk (char *__s, wchar_t __wchar, size_t __buflen) extern int __REDIRECT_NTH (__wctomb_alias, (char *__s, wchar_t __wchar), wctomb) __wur; -__fortify_function __wur int -__NTH (wctomb (char *__s, wchar_t __wchar)) +__fortify_function __attribute_overloadable__ __wur int +__NTH (wctomb (__fortify_clang_overload_arg (char *, ,__s), wchar_t __wchar)) { /* We would have to include to get a definition of MB_LEN_MAX. But this would only disturb the namespace. So we define our own @@ -113,12 +125,17 @@ extern size_t __REDIRECT_NTH (__mbstowcs_chk_warn, __warnattr ("mbstowcs called with dst buffer smaller than len " "* sizeof (wchar_t)"); -__fortify_function size_t -__NTH (mbstowcs (wchar_t *__restrict __dst, const char *__restrict __src, +__fortify_function __attribute_overloadable__ size_t +__NTH (mbstowcs (__fortify_clang_overload_arg (wchar_t *, __restrict, __dst), + const char *__restrict __src, size_t __len)) + __fortify_clang_warning_only_if_bos0_lt2 (__len, __dst, sizeof (wchar_t), + "mbstowcs called with dst buffer " + "smaller than len * sizeof (wchar_t)") { if (__builtin_constant_p (__dst == NULL) && __dst == NULL) return __mbstowcs_nulldst (__dst, __src, __len); + else return __glibc_fortify_n (mbstowcs, __len, sizeof (wchar_t), __glibc_objsize (__dst), __dst, __src, __len); @@ -139,8 +156,9 @@ extern size_t __REDIRECT_NTH (__wcstombs_chk_warn, size_t __len, size_t __dstlen), __wcstombs_chk) __warnattr ("wcstombs called with dst buffer smaller than len"); -__fortify_function size_t -__NTH (wcstombs (char *__restrict __dst, const wchar_t *__restrict __src, +__fortify_function __attribute_overloadable__ size_t +__NTH (wcstombs (__fortify_clang_overload_arg (char *, __restrict, __dst), + const wchar_t *__restrict __src, size_t __len)) { return __glibc_fortify (wcstombs, __len, sizeof (char),
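Review bot: in the realpath hunk, the body guard `#if !__fortify_use_clang && defined _LIBC_LIMITS_H_ && defined PATH_MAX` tests `__fortify_use_clang` by value rather than with `defined`, so it relies on that macro being defined to 0 or 1 on every path that reaches this header; an undefined name evaluates to 0 in `#if` and trips -Wundef for anyone who enables it. Please confirm it is always defined before stdlib/bits/stdlib.h is included, or write the guard so it holds either way. The warning text is also now spelled out twice, once in the `__warnattr` on `__realpath_chk_warn` and once in the new clang attribute; a shared macro for the string would keep the two from drifting apart.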
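Review bot: style point in the ptsname_r hunk: `__fortify_clang_overload_arg (char *, ,__buf)` passes an empty qualifier argument with no space after the second comma, which reads like a typo next to the `(char *, __restrict, __resolved)` form used for realpath. Writing it as `(char *, , __buf)` makes the deliberately empty argument easier to see. The wctomb hunk has the same spelling in `(char *, ,__s)`.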
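Review bot: the `else` added in the mbstowcs hunk is redundant after `return __mbstowcs_nulldst (__dst, __src, __len);` and leaves the following `return __glibc_fortify_n (...)` at the old indentation, since that line is unchanged context. Either drop the `else`, or, if clang needs it for the overload to compile cleanly, reindent the statement under it and say why in a comment. This hunk also uses the `bos0` variant, `__fortify_clang_warning_only_if_bos0_lt2`, for the compile-time warning while the body still sizes the buffer with `__glibc_objsize (__dst)`; the commit message should say whether that difference is intended.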
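Review bot: the wcstombs hunk adds `__attribute_overloadable__` and `__fortify_clang_overload_arg` but no clang warning attribute, although the context directly above still declares `__wcstombs_chk_warn` with `__warnattr ("wcstombs called with dst buffer smaller than len")`. The ptsname_r and mbstowcs hunks both pair the overload with a `__fortify_clang_warning_only_if_bos...` clause, so as written wcstombs has no compile-time diagnostic under clang, which does not match the commit message's claim of similar compile-check coverage to GCC. Suggest adding the equivalent clause on `__len` and `__dst` with the same message, or noting in the commit message why it is left out.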