From patchwork Thu Dec 22 15:32:40 2022
X-Patchwork-Submitter: Siddhesh Poyarekar
X-Patchwork-Id: 62268
From: Siddhesh Poyarekar
To: libc-alpha@sourceware.org
Cc: fweimer@redhat.com
Subject: [PATCH v2] Add _FORTIFY_SOURCE implementation documentation [BZ #28998]
Date: Thu, 22 Dec 2022 10:32:40 -0500
Message-Id: <20221222153240.4150636-1-siddhesh@sourceware.org>
In-Reply-To: <20221215162506.1802077-1-siddhesh@sourceware.org>
References: <20221215162506.1802077-1-siddhesh@sourceware.org>

There have been multiple requests to provide more detail on how the
_FORTIFY_SOURCE macro works, so this patch adds a new node in the Library
Maintenance section that does this. A lot of the description is
implementation detail, which is why I put this in the appendix and not in
the main documentation.

Resolves: BZ #28998.

Signed-off-by: Siddhesh Poyarekar
---
Changes from v1:
- Adjust wording to cover the non-buffer-overflow validation
- Update function list
- remove redundant 'See'

 manual/creature.texi |   2 +
 manual/maint.texi    | 218 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 220 insertions(+)

diff --git a/manual/creature.texi b/manual/creature.texi
index 530a02398e..47d1fc4607 100644
--- a/manual/creature.texi
+++ b/manual/creature.texi
@@ -306,6 +306,8 @@ If this macro is defined to @math{1}, security hardening is added to various library functions. If defined to @math{2}, even stricter checks are applied. If defined to @math{3}, @theglibc{} may also use checks that may have an additional performance overhead. +@xref{Source Fortification,,Fortification of function calls} for more +information. @end defvr @defvr Macro _DYNAMIC_STACK_SIZE_SOURCE diff --git a/manual/maint.texi b/manual/maint.texi index 49510db7bf..be256af030 100644 --- a/manual/maint.texi +++ b/manual/maint.texi @@ -5,6 +5,7 @@ @menu * Source Layout:: How to add new functions or header files to the GNU C Library. +* Source Fortification:: Fortification of function calls. * Symbol handling:: How to handle symbols in the GNU C Library. * Porting:: How to port the GNU C Library to a new machine or operating system. 
@@ -184,6 +185,223 @@ header file in the machine-specific directory, e.g., @file{sysdeps/powerpc/sys/platform/ppc.h}. +@node Source Fortification +@appendixsec Fortification of function calls + +This section contains implementation details of @theglibc{} and may not +remain stable across releases. + +The @code{_FORTIFY_SOURCE} macro may be defined by users to control +hardening of calls into some functions in @theglibc{}. This feature +needs a compiler that supports either the @code{__builtin_object_size} +or the @code{__builtin_dynamic_object_size} builtin functions. When the +macro is defined, it enables code that validates access to buffers that +are passed to some functions in @theglibc to determine if they +are safe. If the compiler is able to deduce the size of the buffer +passed to the function call but the call cannot be determined as safe, +it is replaced by a call to its hardened variant that does additional +safety checks at runtime. At runtime, if those safety checks fail, the +program will terminate with a @code{SIGABRT} signal. + +@code{_FORTIFY_SOURCE} may be defined to one of the following values: + +@itemize @bullet +@item @math{1}: This enables buffer bounds checking using the value +returned by the @code{__builtin_object_size} compiler builtin function. +If the function returns @code{(size_t) -1}, the function call is left +untouched. Additionally, this level also enables validation of flags to +the @code{open}, @code{open64}, @code{openat} and @code{openat64} +functions. + +@item @math{2}: This behaves like @math{1}, with the addition of some +checks that may trap code that is conforming but unsafe, e.g. accepting +@code{%n} only in read-only format strings. + +@item @math{3}: This enables buffer bounds checking using the value +returned by the @code{__builtin_dynamic_object_size} compiler builtin +function. If the function returns @code{(size_t) -1}, the function call +is left untouched. 
Fortification at this level may have a impact on +program performance if the function call that is fortified is frequently +encountered and the size expression returned by +@code{__builtin_dynamic_object_size} is complex. +@end itemize + +The following functions are fortified in @theglibc{}: + +@itemize @bullet +@item @code{asprintf}: Replaced with @code{__asprintf_chk}. + +@item @code{confstr}: Replaced with @code{__confstr_chk}. + +@item @code{dprintf}: Replaced with @code{__dprintf_chk}. + +@item @code{explicit_bzero}: Replaced with @code{__explicit_bzero_chk}. + +@item @code{FD_SET}: Replaced with @code{__fdelt_chk}. + +@item @code{FD_CLR}: Replaced with @code{__fdelt_chk}. + +@item @code{FD_ISSET}: Replaced with @code{__fdelt_chk}. + +@item @code{fgets}: Replaced with @code{__fgets_chk}. + +@item @code{fgets_unlocked}: Replaced with @code{__fgets_unlocked_chk}. + +@item @code{fgetws}: Replaced with @code{__fgetws_chk}. + +@item @code{fgetws_unlocked}: Replaced with @code{__fgetws_unlocked_chk}. + +@item @code{fprintf}: Replaced with @code{__fprintf_chk}. + +@item @code{fread}: Replaced with @code{__fread_chk}. + +@item @code{fread_unlocked}: Replaced with @code{__fread_unlocked_chk}. + +@item @code{fwprintf}: Replaced with @code{__fwprintf_chk}. + +@item @code{getcwd}: Replaced with @code{__getcwd_chk}. + +@item @code{getdomainname}: Replaced with @code{__getdomainname_chk}. + +@item @code{getgroups}: Replaced with @code{__getgroups_chk}. + +@item @code{gethostname}: Replaced with @code{__gethostname_chk}. + +@item @code{getlogin_r}: Replaced with @code{__getlogin_r_chk}. + +@item @code{gets}: Replaced with @code{__gets_chk}. + +@item @code{getwd}: Replaced with @code{__getwd_chk}. + +@item @code{longjmp}: Replaced with @code{__longjmp_chk}. + +@item @code{mbsnrtowcs}: Replaced with @code{__mbsnrtowcs_chk}. + +@item @code{mbsrtowcs}: Replaced with @code{__mbsrtowcs_chk}. + +@item @code{mbstowcs}: Replaced with @code{__mbstowcs_chk}. 
+ +@item @code{memcpy}: Replaced with @code{__memcpy_chk}. + +@item @code{memmove}: Replaced with @code{__memmove_chk}. + +@item @code{mempcpy}: Replaced with @code{__mempcpy_chk}. + +@item @code{memset}: Replaced with @code{__memset_chk}. + +@item @code{obstack_printf}: Replaced with @code{__obstack_printf_chk}. + +@item @code{obstack_vprintf}: Replaced with @code{__obstack_vprintf_chk}. + +@item @code{open}: Replaced with @code{__open_2}. + +@item @code{open64}: Replaced with @code{__open64_2}. + +@item @code{openat}: Replaced with @code{__openat_2}. + +@item @code{openat64}: Replaced with @code{__openat64_2}. + +@item @code{poll}: Replaced with @code{__poll_chk}. + +@item @code{ppoll}: Replaced with @code{__ppoll_chk}. + +@item @code{pread}: Replaced with @code{__pread_chk}. + +@item @code{pread64}: Replaced with @code{__pread64_chk}. + +@item @code{printf}: Replaced with @code{__printf_chk}. + +@item @code{ptsname_r}: Replaced with @code{__ptsname_r_chk}. + +@item @code{read}: Replaced with @code{__read_chk}. + +@item @code{readlink}: Replaced with @code{__readlink_chk}. + +@item @code{readlinkat}: Replaced with @code{__readlinkat_chk}. + +@item @code{realpath}: Replaced with @code{__realpath_chk}. + +@item @code{recv}: Replaced with @code{__recv_chk}. + +@item @code{recvfrom}: Replaced with @code{__recvfrom_chk}. + +@item @code{snprintf}: Replaced with @code{__snprintf_chk}. + +@item @code{sprintf}: Replaced with @code{__sprintf_chk}. + +@item @code{stpcpy}: Replaced with @code{__stpcpy_chk}. + +@item @code{stpncpy}: Replaced with @code{__stpncpy_chk}. + +@item @code{strcat}: Replaced with @code{__strcat_chk}. + +@item @code{strcpy}: Replaced with @code{__strcpy_chk}. + +@item @code{strncat}: Replaced with @code{__strncat_chk}. + +@item @code{strncpy}: Replaced with @code{__strncpy_chk}. + +@item @code{swprintf}: Replaced with @code{__swprintf_chk}. + +@item @code{syslog}: Replaced with @code{__syslog_chk}. 
+ +@item @code{ttyname_r}: Replaced with @code{__ttyname_r_chk}. + +@item @code{vasprintf}: Replaced with @code{__vasprintf_chk}. + +@item @code{vdprintf}: Replaced with @code{__vdprintf_chk}. + +@item @code{vfprintf}: Replaced with @code{__vfprintf_chk}. + +@item @code{vfwprintf}: Replaced with @code{__vfwprintf_chk}. + +@item @code{vprintf}: Replaced with @code{__vprintf_chk}. + +@item @code{vsnprintf}: Replaced with @code{__vsnprintf_chk}. + +@item @code{vsprintf}: Replaced with @code{__vsprintf_chk}. + +@item @code{vswprintf}: Replaced with @code{__vswprintf_chk}. + +@item @code{vsyslog}: Replaced with @code{__vsyslog_chk}. + +@item @code{vwprintf}: Replaced with @code{__vwprintf_chk}. + +@item @code{wcpcpy}: Replaced with @code{__wcpcpy_chk}. + +@item @code{wcpncpy}: Replaced with @code{__wcpncpy_chk}. + +@item @code{wcrtomb}: Replaced with @code{__wcrtomb_chk}. + +@item @code{wcscat}: Replaced with @code{__wcscat_chk}. + +@item @code{wcscpy}: Replaced with @code{__wcscpy_chk}. + +@item @code{wcsncat}: Replaced with @code{__wcsncat_chk}. + +@item @code{wcsncpy}: Replaced with @code{__wcsncpy_chk}. + +@item @code{wcsnrtombs}: Replaced with @code{__wcsnrtombs_chk}. + +@item @code{wcsrtombs}: Replaced with @code{__wcsrtombs_chk}. + +@item @code{wcstombs}: Replaced with @code{__wcstombs_chk}. + +@item @code{wctomb}: Replaced with @code{__wctomb_chk}. + +@item @code{wmemcpy}: Replaced with @code{__wmemcpy_chk}. + +@item @code{wmemmove}: Replaced with @code{__wmemmove_chk}. + +@item @code{wmempcpy}: Replaced with @code{__wmempcpy_chk}. + +@item @code{wmemset}: Replaced with @code{__wmemset_chk}. + +@item @code{wprintf}: Replaced with @code{__wprintf_chk}. + +@end itemize + + @node Symbol handling @appendixsec Symbol handling in the GNU C Library
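Review bot: Three points on the maint.texi hunk (@@ -184,6 +185,223 @@). First, in the opening paragraph of the new node, "passed to some functions in @theglibc to determine" drops the braces that every other invocation in the hunk carries (`@theglibc{}`); add them so the macro call is consistent and does not depend on the following whitespace being absorbed. Second, in the @math{3} item, "may have a impact on program performance" should read "may have an impact on program performance". Third, the @math{2} item says explicitly that it "behaves like @math{1}, with the addition of some checks", but the @math{3} item only describes the switch to @code{__builtin_dynamic_object_size} and does not say whether the level @math{2} checks (e.g. the read-only format string requirement for @code{%n}) remain in effect; a sentence stating that relationship would save readers from guessing.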