From patchwork Thu Dec 10 18:13:25 2020
X-Patchwork-Submitter: Siddhesh Poyarekar
X-Patchwork-Id: 41356
From: Siddhesh Poyarekar
To: libc-alpha@sourceware.org
Cc: jakub@redhat.com, fweimer@redhat.com
Subject: [PATCH 0/2] _FORTIFY_SOURCE=3
Date: Thu, 10 Dec 2020 23:43:25 +0530
Message-Id: <20201210181327.1577769-1-siddhesh@sourceware.org>

This patchset implements a new fortification level, _FORTIFY_SOURCE=3.
This level allows more computationally expensive fortifications, as is the case when size information is dynamic. In this patchset it uses the __builtin_dynamic_object_size builtin available in clang to expand coverage of fortifications at the expense of some performance.

Patch 1/2 implements the base support and support for functions that have builtins of string functions. Additionally, the patch also describes the use case and tradeoffs.

Patch 2/2 adds support for non-string functions that are already fortified for levels 1 and 2. These use a specific idiom that is currently suboptimal in llvm.

Documentation
-------------

The _FORTIFY_SOURCE documentation is not explicit about the technology used to implement checks and in that spirit, I have kept the description for _FORTIFY_SOURCE=3 broad as well, without mentioning __builtin_dynamic_object_size. Essentially, 3 is where we want to add computationally expensive checks and so that's the only thing that gets mentioned along with the fact that it is compiler-specific.

Testing
-------

The glibc testsuite doesn't directly support clang at the moment, so having tests in the glibc source tree is pointless as long as gcc does not have support for __builtin_dynamic_object_size. I will write the tests when I work on the gcc builtin next year. In the meantime there is a separate project on GitHub, fortify-test-suite[1], that houses fortification tests and is capable of testing multiple levels of fortification with multiple compilers. I have proposed a PR[2] to add support for _FORTIFY_SOURCE=3 and have verified my changes with those tests. Those tests run clean for clang when run with these changes and PR[2] and they fail at level 3 for gcc, as expected.
[1] https://github.com/serge-sans-paille/fortify-test-suite
[2] https://github.com/serge-sans-paille/fortify-test-suite/pull/9

Siddhesh Poyarekar (2):
  string: _FORTIFY_SOURCE=3 using __builtin_dynamic_object_size
  nonstring: _FORTIFY_SOURCE=3 using __builtin_dynamic_object_size

 NEWS                            |   4 +
 include/features.h              |   6 +-
 include/string.h                |   5 +-
 io/bits/poll2.h                 |  16 ++--
 libio/bits/stdio.h              |   2 +-
 libio/bits/stdio2.h             |  53 ++++++-------
 manual/creature.texi            |   3 +-
 misc/sys/cdefs.h                |   9 +++
 posix/bits/unistd.h             | 112 ++++++++++++++-------------
 socket/bits/socket2.h           |  18 ++---
 stdlib/bits/stdlib.h            |  37 ++++-----
 string/bits/string_fortified.h  |  22 +++---
 string/bits/strings_fortified.h |   4 +-
 wcsmbs/bits/wchar2.h            | 131 ++++++++++++++++----------------
 14 files changed, 223 insertions(+), 199 deletions(-)
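The following is an added illustration of the point the cover letter makes about dynamic size information; it is not code from the patchset or from glibc. It contrasts what __builtin_object_size (the builtin behind _FORTIFY_SOURCE=1 and 2) and __builtin_dynamic_object_size (the builtin the new level 3 uses) report for a heap buffer whose length is only known at run time, and runs a check shaped like a *_chk wrapper against both answers. The names probe_heap, checked_memcpy, check_rejects, L2_SIZE, L3_SIZE and UNKNOWN_SIZE are this example's own. Both builtins return (size_t)-1 for type 0 when they cannot determine the size. As with fortification in general, the compiler only computes object sizes when optimizing, so build with -O2 to see level 3 recover the heap size; at -O0, or on a compiler without __builtin_dynamic_object_size (the example falls back to the static builtin there), both levels report "unknown" and neither check can fire.

```c
/* Added example, not glibc code: what _FORTIFY_SOURCE=3 can see that
 * levels 1 and 2 cannot.  Build with: cc -O2 example.c && ./a.out        */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Compilers without the dynamic builtin (assumption: older GCC/clang)
 * get the static one, so the file still builds and runs.               */
#if defined(__has_builtin)
#  if __has_builtin(__builtin_dynamic_object_size)
#    define HAVE_DYN_OBJSZ 1
#  endif
#endif
#ifndef HAVE_DYN_OBJSZ
#  define HAVE_DYN_OBJSZ 0
#endif

#define L2_SIZE(p) __builtin_object_size((p), 0)          /* levels 1/2 */
#if HAVE_DYN_OBJSZ
#  define L3_SIZE(p) __builtin_dynamic_object_size((p), 0) /* level 3 */
#else
#  define L3_SIZE(p) __builtin_object_size((p), 0)
#endif

#define UNKNOWN_SIZE ((size_t) -1)  /* what both builtins return for "no idea" */

/* 1 if a fortified wrapper would abort: size is known and the copy is longer. */
static inline int check_rejects(size_t dst_seen, size_t n)
{
    return dst_seen != UNKNOWN_SIZE && n > dst_seen;
}

/* Shape of a *_chk wrapper (our own, not glibc's): refuse instead of overflow. */
static inline int checked_memcpy(void *dst, size_t dst_seen,
                                 const void *src, size_t n)
{
    if (check_rejects(dst_seen, n))
        return -1;                       /* glibc would call __chk_fail() */
    memcpy(dst, src, n);
    return 0;
}

struct probe {
    size_t l2_size;        /* what levels 1/2 see for the heap buffer */
    size_t l3_size;        /* what level 3 sees for the same buffer */
    int fit_rc;            /* level-3 checked copy of exactly cap bytes */
    int l2_rejects_over;   /* would level 2 stop a copy of cap + 1 bytes? */
    int l3_rejects_over;   /* would level 3? */
};

/* Heap buffer whose length is only known at run time.  noinline and external
 * linkage keep the compiler from propagating a constant cap into the body. */
__attribute__((noinline))
struct probe probe_heap(size_t cap)
{
    struct probe r;
    char *dst = malloc(cap);
    char *src = malloc(cap);
    if (!dst || !src)
        abort();
    memset(src, 'A', cap);            /* constructed sample payload */

    r.l2_size = L2_SIZE(dst);         /* cap is not a constant: always unknown */
    r.l3_size = L3_SIZE(dst);         /* cap itself, when the compiler can track it */
    r.fit_rc = checked_memcpy(dst, L3_SIZE(dst), src, cap);
    r.l2_rejects_over = check_rejects(r.l2_size, cap + 1);
    r.l3_rejects_over = check_rejects(r.l3_size, cap + 1);

    free(src);
    free(dst);
    return r;
}

/* Fixed-size stack buffer: a compile-time constant, so levels 1 and 2
 * already see it and level 3 adds nothing here.                          */
__attribute__((noinline))
size_t stack_size_seen_by_level2(void)
{
    char buf[64];
    return L2_SIZE(buf);
}

int main(void)
{
    struct probe r = probe_heap(32);
    printf("heap(32): level 2 sees %ld, level 3 sees %ld; "
           "cap+1 copy stopped by level 2? %d, by level 3? %d\n",
           (long) r.l2_size, (long) r.l3_size,
           r.l2_rejects_over, r.l3_rejects_over);
    printf("stack[64]: level 2 sees %zu\n", stack_size_seen_by_level2());
    return 0;
}
```

The probe keeps the check separate from the copy so the cap + 1 case is only decided, never executed; with the static builtin that copy would go unchecked and overflow. This is the "expense of some performance" the cover letter mentions: the level 3 size is a run-time expression (here simply cap) carried to the check, rather than a constant folded away at compile time.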