From patchwork Thu Feb 8 18:46:13 2024
X-Patchwork-Submitter: Adhemerval Zanella Netto
X-Patchwork-Id: 85476
From: Adhemerval Zanella
To: libc-alpha@sourceware.org
Cc: Siddhesh Poyarekar
Subject: [PATCH v3 01/10] cdefs.h: Add clang fortify directives
Date: Thu, 8 Feb 2024 15:46:13 -0300
Message-Id: <20240208184622.332678-2-adhemerval.zanella@linaro.org>
In-Reply-To: <20240208184622.332678-1-adhemerval.zanella@linaro.org>
References: <20240208184622.332678-1-adhemerval.zanella@linaro.org>

For instance, the read wrapper is currently expanded as:

  extern __inline
  __attribute__((__always_inline__))
  __attribute__((__artificial__))
  __attribute__((__warn_unused_result__))
  ssize_t read (int __fd, void *__buf, size_t __nbytes)
  {
    return __glibc_safe_or_unknown_len (__nbytes,
                                        sizeof (char),
                                        __glibc_objsize0 (__buf))
           ? __read_alias (__fd, __buf, __nbytes)
           : __glibc_unsafe_len (__nbytes,
                                 sizeof (char),
                                 __glibc_objsize0 (__buf))
             ? __read_chk_warn (__fd,
                                __buf,
                                __nbytes,
                                __builtin_object_size (__buf, 0))
             : __read_chk (__fd,
                           __buf,
                           __nbytes,
                           __builtin_object_size (__buf, 0));
  }

The wrapper relies on the __builtin_object_size call lowering to a
constant at compile time, and many other operations in the wrapper
depend on having a single, known value for parameters. Because this is
impossible to have for function parameters, the wrapper depends heavily
on inlining to work. While this is an entirely viable approach on GCC,
it is not fully reliable on clang. This is because by the time llvm
gets to inlining and optimizing, there is minimal reliable source and
type-level information available (a deeper explanation of how the
fortify wrapper works on clang is in [1]).

To allow the wrapper to work reliably and with the same functionality
as with GCC, clang requires a different approach:

* __attribute__((diagnose_if(c, "str", "warning"))) which is a
  function-level attribute; if the compiler can determine that 'c' is
  true at compile-time, it will emit a warning with the text 'str1'.
  If it would be better to emit an error, the wrapper can use "error"
  instead of "warning".

* __attribute__((overloadable)) which is also a function-level
  attribute; and it allows C++-style overloading to occur on C
  functions.

* __attribute__((pass_object_size(n))) which is a parameter-level
  attribute; and it makes the compiler evaluate
  __builtin_object_size(param, n) at each call site of the function
  that has the parameter, and passes it in as a hidden parameter.

  This attribute has two side-effects that are key to how FORTIFY
  works:

  1. It can overload solely on pass_object_size (e.g. there are two
     overloads of foo in

       void foo(char * __attribute__((pass_object_size(0))) c);
       void foo(char *);

     The one with the pass_object_size attribute has precedence over
     the default one).

  2. A function with at least one pass_object_size parameter can never
     have its address taken (and overload resolution respects this).

Thus the read wrapper can be implemented as follows, without hindering
any fortify coverage at compile time and runtime:

  extern __inline
  __attribute__((__always_inline__))
  __attribute__((__artificial__))
  __attribute__((__overloadable__))
  __attribute__((__warn_unused_result__))
  ssize_t read (int __fd,
                void *const __attribute__((pass_object_size (0))) __buf,
                size_t __nbytes)
     __attribute__((__diagnose_if__ ((((__builtin_object_size (__buf, 0)) != -1ULL
                                       && (__nbytes) > (__builtin_object_size (__buf, 0)) / (1))),
                                     "read called with bigger length than size of the destination buffer",
                                     "warning")))
  {
    return (__builtin_object_size (__buf, 0) == (size_t) -1)
           ? __read_alias (__fd, __buf, __nbytes)
           : __read_chk (__fd, __buf, __nbytes, __builtin_object_size (__buf, 0));
  }

To avoid changing the current semantic for GCC, a set of macros is
defined to enable the clang required attributes, along with some
changes on internal macros to avoid the need to issue the symbol_chk
symbols (which are done through the __diagnose_if__ attribute for
clang). The read wrapper is simplified as:

  __fortify_function __attribute_overloadable__ __wur ssize_t
  read (int __fd,
        __fortify_clang_overload_arg0 (void *, ,__buf),
        size_t __nbytes)
       __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf,
                                                "read called with bigger length than "
                                                "size of the destination buffer")
  {
    return __glibc_fortify (read, __nbytes, sizeof (char),
                            __glibc_objsize0 (__buf),
                            __fd, __buf, __nbytes);
  }

There is no expected semantic or code change when using GCC.

Also, clang does not support __va_arg_pack, so variadic functions are
expanded to call va_arg implementations. The error function must not
have bodies (address takes are expanded to nonfortified calls), and
with the __fortify_function the compiler might still create a body with
the C++ mangling name (due to the overload attribute). In this case,
the function is defined with the __fortify_function_error_function
macro instead.

[1] https://docs.google.com/document/d/1DFfZDICTbL7RqS74wJVIJ-YnjQOj1SaoqfhbgddFYSM/edit

Checked on aarch64, armhf, x86_64, and i686.
Reviewed-by: Carlos O'Donell
Tested-by: Carlos O'Donell
---
 misc/sys/cdefs.h | 151 ++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 149 insertions(+), 2 deletions(-)

diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h index 520231dbea..62507044c8 100644 --- a/misc/sys/cdefs.h +++ b/misc/sys/cdefs.h @@ -145,6 +145,14 @@ #endif +/* The overloadable attribute was added on clang 2.6. */ +#if defined __clang_major__ \ + && (__clang_major__ + (__clang_minor__ >= 6) > 2) +# define __attribute_overloadable__ __attribute__((__overloadable__)) +#else +# define __attribute_overloadable__ +#endif + /* Fortify support. */ #define __bos(ptr) __builtin_object_size (ptr, __USE_FORTIFY_LEVEL > 1) #define __bos0(ptr) __builtin_object_size (ptr, 0)
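Review bot: The version test in the new __attribute_overloadable__ block, "(__clang_major__ + (__clang_minor__ >= 6) > 2)", encodes "clang 2.6 or later" as arithmetic on a comparison result, which is easy to misread. Writing it as __clang_major__ > 2 || (__clang_major__ == 2 && __clang_minor__ >= 6) is equivalent and matches what the comment above it says.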
@@ -187,27 +195,166 @@ __s, __osz)) \ && !__glibc_safe_len_cond ((__SIZE_TYPE__) (__l), __s, __osz)) +/* To correctly instrument the fortify wrapper clang requires the + pass_object_size attribute, and the attribute has the restriction that the + argument needs to be 'const'. Furthermore, to make it usable with C + interfaces, clang provides the overload attribute, which provides a C++ + like function overload support. The overloaded fortify wrapper with the + pass_object_size attribute has precedence over the default symbol. + + Also, clang does not support __va_arg_pack, so variadic functions are + expanded to issue va_arg implementations. The error function must not have + bodies (address takes are expanded to nonfortified calls), and with + __fortify_function compiler might still create a body with the C++ + mangling name (due to the overload attribute). In this case, the function + is defined with __fortify_function_error_function macro instead. + + The argument size check is also done with a clang-only attribute, + __attribute__ ((__diagnose_if__ (...))), different than gcc which calls + symbol_chk_warn alias with uses __warnattr attribute. + + The pass_object_size was added on clang 4.0, __diagnose_if__ on 5.0, + and pass_dynamic_object_size on 9.0. 
*/ +#if defined __clang_major__ && __clang_major__ >= 5 +# define __fortify_use_clang 1 + +# define __fortify_function_error_function static __attribute__((__unused__)) + +# define __fortify_clang_pass_object_size_n(n) \ + __attribute__ ((__pass_object_size__ (n))) +# define __fortify_clang_pass_object_size0 \ + __fortify_clang_pass_object_size_n (0) +# define __fortify_clang_pass_object_size \ + __fortify_clang_pass_object_size_n (__USE_FORTIFY_LEVEL > 1) + +# if __clang_major__ >= 9 +# define __fortify_clang_pass_dynamic_object_size_n(n) \ + __attribute__ ((__pass_dynamic_object_size__ (n))) +# define __fortify_clang_pass_dynamic_object_size0 \ + __fortify_clang_pass_dynamic_object_size_n (0) +# define __fortify_clang_pass_dynamic_object_size \ + __fortify_clang_pass_dynamic_object_size_n (1) +# else +# define __fortify_clang_pass_dynamic_object_size_n(n) +# define __fortify_clang_pass_dynamic_object_size0 +# define __fortify_clang_pass_dynamic_object_size +# endif + +# define __fortify_clang_bos_static_lt_impl(bos_val, n, s) \ + ((bos_val) != -1ULL && (n) > (bos_val) / (s)) +# define __fortify_clang_bos_static_lt2(__n, __e, __s) \ + __fortify_clang_bos_static_lt_impl (__bos (__e), __n, __s) +# define __fortify_clang_bos_static_lt(__n, __e) \ + __fortify_clang_bos_static_lt2 (__n, __e, 1) +# define __fortify_clang_bos0_static_lt2(__n, __e, __s) \ + __fortify_clang_bos_static_lt_impl (__bos0 (__e), __n, __s) +# define __fortify_clang_bos0_static_lt(__n, __e) \ + __fortify_clang_bos0_static_lt2 (__n, __e, 1) + +# define __fortify_clang_bosn_args(bos_fn, n, buf, div, complaint) \ + (__fortify_clang_bos_static_lt_impl (bos_fn (buf), n, div)), (complaint), \ + "warning" + +# define __fortify_clang_warning(__c, __msg) \ + __attribute__ ((__diagnose_if__ ((__c), (__msg), "warning"))) +# define __fortify_clang_warning_only_if_bos0_lt(n, buf, complaint) \ + __attribute__ ((__diagnose_if__ \ + (__fortify_clang_bosn_args (__bos0, n, buf, 1, complaint)))) +# define 
__fortify_clang_warning_only_if_bos0_lt2(n, buf, div, complaint) \ + __attribute__ ((__diagnose_if__ \ + (__fortify_clang_bosn_args (__bos0, n, buf, div, complaint)))) +# define __fortify_clang_warning_only_if_bos_lt(n, buf, complaint) \ + __attribute__ ((__diagnose_if__ \ + (__fortify_clang_bosn_args (__bos, n, buf, 1, complaint)))) +# define __fortify_clang_warning_only_if_bos_lt2(n, buf, div, complaint) \ + __attribute__ ((__diagnose_if__ \ + (__fortify_clang_bosn_args (__bos, n, buf, div, complaint)))) + +# if __USE_FORTIFY_LEVEL == 3 +# define __fortify_clang_overload_arg(__type, __attr, __name) \ + __type __attr const __fortify_clang_pass_dynamic_object_size __name +# define __fortify_clang_overload_arg0(__type, __attr, __name) \ + __type __attr const __fortify_clang_pass_dynamic_object_size0 __name +# else +# define __fortify_clang_overload_arg(__type, __attr, __name) \ + __type __attr const __fortify_clang_pass_object_size __name +# define __fortify_clang_overload_arg0(__type, __attr, __name) \ + __type __attr const __fortify_clang_pass_object_size0 __name +# endif + +# define __fortify_clang_mul_may_overflow(size, n) \ + ((size | n) >= (((size_t)1) << (8 * sizeof (size_t) / 2))) + +# define __fortify_clang_size_too_small(__bos, __dest, __len) \ + (__bos (__dest) != (size_t) -1 && __bos (__dest) < __len) +# define __fortify_clang_warn_if_src_too_large(__dest, __src) \ + __fortify_clang_warning (__fortify_clang_size_too_small (__glibc_objsize, \ + __dest, \ + __builtin_strlen (__src) + 1), \ + "destination buffer will always be overflown by source") +# define __fortify_clang_warn_if_dest_too_small(__dest, __len) \ + __fortify_clang_warning (__fortify_clang_size_too_small (__glibc_objsize, \ + __dest, \ + __len), \ + "function called with bigger length than the destination buffer") +# define __fortify_clang_warn_if_dest_too_small0(__dest, __len) \ + __fortify_clang_warning (__fortify_clang_size_too_small (__glibc_objsize0, \ + __dest, \ + __len), \ + 
"function called with bigger length than the destination buffer") +#else +# define __fortify_use_clang 0 +# define __fortify_clang_warning(__c, __msg) +# define __fortify_clang_warning_only_if_bos0_lt(__n, __buf, __complaint) +# define __fortify_clang_warning_only_if_bos0_lt2(__n, __buf, __div, complaint) +# define __fortify_clang_warning_only_if_bos_lt(__n, __buf, __complaint) +# define __fortify_clang_warning_only_if_bos_lt2(__n, __buf, div, __complaint) +# define __fortify_clang_overload_arg(__type, __attr, __name) \ + __type __attr __name +# define __fortify_clang_overload_arg0(__type, __attr, __name) \ + __fortify_clang_overload_arg (__type, __attr, __name) +# define __fortify_clang_warn_if_src_too_large(__dest, __src) +# define __fortify_clang_warn_if_dest_too_small(__dest, __len) +# define __fortify_clang_warn_if_dest_too_small0(__dest, __len) +#endif + + /* Fortify function f. __f_alias, __f_chk and __f_chk_warn must be declared. */ -#define __glibc_fortify(f, __l, __s, __osz, ...) \ +#if !__fortify_use_clang +# define __glibc_fortify(f, __l, __s, __osz, ...) \ (__glibc_safe_or_unknown_len (__l, __s, __osz) \ ? __ ## f ## _alias (__VA_ARGS__) \ : (__glibc_unsafe_len (__l, __s, __osz) \ ? __ ## f ## _chk_warn (__VA_ARGS__, __osz) \ : __ ## f ## _chk (__VA_ARGS__, __osz))) +#else +# define __glibc_fortify(f, __l, __s, __osz, ...) \ + (__osz == (__SIZE_TYPE__) -1) \ + ? __ ## f ## _alias (__VA_ARGS__) \ + : __ ## f ## _chk (__VA_ARGS__, __osz) +#endif /* Fortify function f, where object size argument passed to f is the number of elements and not total size. */ -#define __glibc_fortify_n(f, __l, __s, __osz, ...) \ +#if !__fortify_use_clang +# define __glibc_fortify_n(f, __l, __s, __osz, ...) \ (__glibc_safe_or_unknown_len (__l, __s, __osz) \ ? __ ## f ## _alias (__VA_ARGS__) \ : (__glibc_unsafe_len (__l, __s, __osz) \ ? 
__ ## f ## _chk_warn (__VA_ARGS__, (__osz) / (__s)) \ : __ ## f ## _chk (__VA_ARGS__, (__osz) / (__s)))) +# else +# define __glibc_fortify_n(f, __l, __s, __osz, ...) \ + (__osz == (__SIZE_TYPE__) -1) \ + ? __ ## f ## _alias (__VA_ARGS__) \ + : __ ## f ## _chk (__VA_ARGS__, (__osz) / (__s)) #endif +#endif /* __USE_FORTIFY_LEVEL > 0 */ + #if __GNUC_PREREQ (4,3) # define __warnattr(msg) __attribute__((__warning__ (msg))) # define __errordecl(name, msg) \
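Review bot: __fortify_clang_bos_static_lt_impl compares the object size against -1ULL, while __fortify_clang_size_too_small and the clang __glibc_fortify in this same hunk compare against (size_t) -1 and (__SIZE_TYPE__) -1. Where size_t is narrower than unsigned long long (armhf and i686 are listed as tested), an unknown size of (size_t) -1 is promoted before the comparison and no longer equals -1ULL, so the "unknown" guard never matches and the result rests on the second comparison alone; use (__SIZE_TYPE__) -1 consistently. Separately, the clang __glibc_fortify and __glibc_fortify_n expand to a bare "c ? a : b" with __osz unparenthesized, unlike the fully parenthesized GCC versions; wrapping the whole expansion in parentheses keeps it safe if it is ever used inside a larger expression.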
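The mechanism the commit message above describes, as an added stand-alone example (not code from the patch or from glibc): demo_fill and its helpers are hypothetical names, the _chk stand-in returns -1 where a real checked function would stop the program, and the non-clang branch is a simplified macro fallback rather than glibc's GCC path.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DEMO_UNKNOWN ((size_t) -1)  /* __builtin_object_size: size not known */

/* Hypothetical stand-in for __read_alias: no bounds check at all.  */
static long demo_fill_alias(char *dst, size_t n)
{
    memset(dst, 'A', n);
    return (long) n;
}

/* Hypothetical stand-in for __read_chk.  It returns -1 on a too-long request
   so the outcome can be asserted; that is a simplification for this demo.  */
static long demo_fill_chk(char *dst, size_t n, size_t objsz)
{
    return n > objsz ? -1 : demo_fill_alias(dst, n);
}

/* Same shape as the clang branch of __glibc_fortify in the patch:
   unknown size -> alias, anything else -> _chk.  */
static long demo_fill_dispatch(char *dst, size_t n, size_t objsz)
{
    return objsz == DEMO_UNKNOWN ? demo_fill_alias(dst, n)
                                 : demo_fill_chk(dst, n, objsz);
}

/* The plain symbol: what a function pointer to demo_fill resolves to.  */
static long demo_fill(char *dst, size_t n)
{
    return demo_fill_alias(dst, n);
}

#if defined __clang_major__ && __clang_major__ >= 5
/* Overload chosen for direct calls.  pass_object_size (0) makes clang
   evaluate __builtin_object_size (dst, 0) at each call site and pass it as a
   hidden argument, so the check does not depend on inlining.  diagnose_if
   warns at compile time when its condition is known to be true, e.g. for
   demo_fill (buf, 16) with char buf[8].  */
static inline __attribute__((__always_inline__, __overloadable__)) long
demo_fill(char *const __attribute__((__pass_object_size__(0))) dst, size_t n)
    __attribute__((__diagnose_if__(
        __builtin_object_size(dst, 0) != DEMO_UNKNOWN
            && n > __builtin_object_size(dst, 0),
        "demo_fill called with bigger length than size of the destination buffer",
        "warning")))
{
    return demo_fill_dispatch(dst, n, __builtin_object_size(dst, 0));
}
#else
/* Fallback for other compilers (an assumption of this demo, not glibc's GCC
   path): evaluate the object size at the call site with a macro.  */
# define demo_fill(dst, n) \
    demo_fill_dispatch((dst), (n), __builtin_object_size((dst), 0))
#endif

/* Constructed scenarios.  The explicit sizes are chosen so that no path ever
   writes outside the real 32-byte buffer.  */
long demo_known_too_small(void)
{
    char b[32];
    return demo_fill_dispatch(b, 16, 8);            /* size 8, asks for 16 */
}

long demo_unknown_size(void)
{
    char b[32];
    return demo_fill_dispatch(b, 16, DEMO_UNKNOWN); /* falls back to alias */
}

long demo_known_fits(void)
{
    char b[32];
    return demo_fill_dispatch(b, 8, 8);
}

/* Direct call: resolved to the fortified overload (or the macro).  */
long demo_direct_call(size_t n)
{
    char buf[8];
    return demo_fill(buf, n);
}

/* Address taken: only the plain, unchecked symbol is eligible.  */
long demo_through_pointer(void)
{
    long (*fp)(char *, size_t) = demo_fill;
    char buf[8];
    return fp(buf, sizeof buf);
}

int main(void)
{
    printf("known size, too long : %ld\n", demo_known_too_small());
    printf("unknown size         : %ld\n", demo_unknown_size());
    printf("direct call, n = 4   : %ld\n", demo_direct_call(4));
    printf("through pointer      : %ld\n", demo_through_pointer());
    return 0;
}
```

The call through a function pointer is the case to watch when auditing fortified code: it reaches the unchecked symbol, which is what "address takes are expanded to nonfortified calls" means in the commit message.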
From patchwork Thu Feb 8 18:46:14 2024
X-Patchwork-Submitter: Adhemerval Zanella Netto
X-Patchwork-Id: 85479
From: Adhemerval Zanella
To: libc-alpha@sourceware.org
Cc: Siddhesh Poyarekar
Subject: [PATCH v3 02/10] libio: Improve fortify with clang
Date: Thu, 8 Feb 2024 15:46:14 -0300
Message-Id: <20240208184622.332678-3-adhemerval.zanella@linaro.org>
In-Reply-To: <20240208184622.332678-1-adhemerval.zanella@linaro.org>
References: <20240208184622.332678-1-adhemerval.zanella@linaro.org>

It improves fortify checks for sprintf, vsprintf, vsnprintf, fprintf,
dprintf, asprintf, __asprintf, obstack_printf, gets, fgets,
fgets_unlocked, fread, and fread_unlocked. The runtime checks have
similar support coverage as with GCC.

For functions with variadic arguments (sprintf, snprintf, fprintf,
printf, dprintf, asprintf, __asprintf, obstack_printf) the fortify
wrapper calls the va_arg version since clang does not support
__va_arg_pack.

Checked on aarch64, armhf, x86_64, and i686.
Reviewed-by: Carlos O'Donell
Tested-by: Carlos O'Donell
---
 libio/bits/stdio2.h | 173 +++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 153 insertions(+), 20 deletions(-)

diff --git a/libio/bits/stdio2.h b/libio/bits/stdio2.h index f9e8d37610..91a80dd7c6 100644 --- a/libio/bits/stdio2.h +++ b/libio/bits/stdio2.h
@@ -31,15 +31,29 @@ __NTH (sprintf (char *__restrict __s, const char *__restrict __fmt, ...)) __glibc_objsize (__s), __fmt, __va_arg_pack ()); } +#elif __fortify_use_clang +/* clang does not have __va_arg_pack, so defer to va_arg version. */ +__fortify_function_error_function __attribute_overloadable__ int +__NTH (sprintf (__fortify_clang_overload_arg (char *, __restrict, __s), + const char *__restrict __fmt, ...)) +{ + __gnuc_va_list __fortify_ap; + __builtin_va_start (__fortify_ap, __fmt); + int __r = __builtin___vsprintf_chk (__s, __USE_FORTIFY_LEVEL - 1, + __glibc_objsize (__s), __fmt, + __fortify_ap); + __builtin_va_end (__fortify_ap); + return __r; +} #elif !defined __cplusplus # define sprintf(str, ...) \ __builtin___sprintf_chk (str, __USE_FORTIFY_LEVEL - 1, \ __glibc_objsize (str), __VA_ARGS__) #endif -__fortify_function int -__NTH (vsprintf (char *__restrict __s, const char *__restrict __fmt, - __gnuc_va_list __ap)) +__fortify_function __attribute_overloadable__ int +__NTH (vsprintf (__fortify_clang_overload_arg (char *, __restrict, __s), + const char *__restrict __fmt, __gnuc_va_list __ap)) { return __builtin___vsprintf_chk (__s, __USE_FORTIFY_LEVEL - 1, __glibc_objsize (__s), __fmt, __ap); 
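Review bot: The variadic sprintf wrapper is declared with __fortify_function_error_function even though it is not an error function and it does have a body; patch 01 defines that macro as static __attribute__((__unused__)). Either a more neutral macro name or a one-line comment next to "clang does not have __va_arg_pack" would explain why __fortify_function is not used for the variadic wrappers.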
@@ -55,15 +69,33 @@ __NTH (snprintf (char *__restrict __s, size_t __n, __glibc_objsize (__s), __fmt, __va_arg_pack ()); } +# elif __fortify_use_clang +/* clang does not have __va_arg_pack, so defer to va_arg version. */ +__fortify_function_error_function __attribute_overloadable__ int +__NTH (snprintf (__fortify_clang_overload_arg (char *, __restrict, __s), + size_t __n, const char *__restrict __fmt, ...)) +{ + __gnuc_va_list __fortify_ap; + __builtin_va_start (__fortify_ap, __fmt); + int __r = __builtin___vsnprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1, + __glibc_objsize (__s), __fmt, + __fortify_ap); + __builtin_va_end (__fortify_ap); + return __r; +} # elif !defined __cplusplus # define snprintf(str, len, ...) \ __builtin___snprintf_chk (str, len, __USE_FORTIFY_LEVEL - 1, \ __glibc_objsize (str), __VA_ARGS__) # endif -__fortify_function int -__NTH (vsnprintf (char *__restrict __s, size_t __n, - const char *__restrict __fmt, __gnuc_va_list __ap)) +__fortify_function __attribute_overloadable__ int +__NTH (vsnprintf (__fortify_clang_overload_arg (char *, __restrict, __s), + size_t __n, const char *__restrict __fmt, + __gnuc_va_list __ap)) + __fortify_clang_warning (__fortify_clang_bos_static_lt (__n, __s), + "call to vsnprintf may overflow the destination " + "buffer") { return __builtin___vsnprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1, __glibc_objsize (__s), __fmt, __ap); 
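Review bot: The new clang snprintf wrapper takes the same __s and __n as vsnprintf but carries no __fortify_clang_warning clause, so a constant __n larger than the destination is diagnosed at compile time only for the v variant. Adding the same __fortify_clang_warning (__fortify_clang_bos_static_lt (__n, __s), ...) clause to snprintf would keep the two consistent.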
@@ -85,6 +117,30 @@ printf (const char *__restrict __fmt, ...) { return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ()); } +# elif __fortify_use_clang +/* clang does not have __va_arg_pack, so defer to va_arg version. */ +__fortify_function_error_function __attribute_overloadable__ __nonnull ((1)) int +fprintf (__fortify_clang_overload_arg (FILE *, __restrict, __stream), + const char *__restrict __fmt, ...) +{ + __gnuc_va_list __fortify_ap; + __builtin_va_start (__fortify_ap, __fmt); + int __r = __builtin___vfprintf_chk (__stream, __USE_FORTIFY_LEVEL - 1, + __fmt, __fortify_ap); + __builtin_va_end (__fortify_ap); + return __r; +} + +__fortify_function_error_function __attribute_overloadable__ int +printf (__fortify_clang_overload_arg (const char *, __restrict, __fmt), ...) +{ + __gnuc_va_list __fortify_ap; + __builtin_va_start (__fortify_ap, __fmt); + int __r = __builtin___vprintf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, + __fortify_ap); + __builtin_va_end (__fortify_ap); + return __r; +} # elif !defined __cplusplus # define printf(...) \ __printf_chk (__USE_FORTIFY_LEVEL - 1, __VA_ARGS__) @@ -92,8 +148,9 @@ printf (const char *__restrict __fmt, ...) __fprintf_chk (stream, __USE_FORTIFY_LEVEL - 1, __VA_ARGS__) # endif -__fortify_function int -vprintf (const char *__restrict __fmt, __gnuc_va_list __ap) +__fortify_function __attribute_overloadable__ int +vprintf (__fortify_clang_overload_arg (const char *, __restrict, __fmt), + __gnuc_va_list __ap) { #ifdef __USE_EXTERN_INLINES return __vfprintf_chk (stdout, __USE_FORTIFY_LEVEL - 1, __fmt, __ap); 
@@ -117,6 +174,18 @@ dprintf (int __fd, const char *__restrict __fmt, ...) return __dprintf_chk (__fd, __USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ()); } +# elif __fortify_use_clang +__fortify_function_error_function __attribute_overloadable__ int +dprintf (int __fd, __fortify_clang_overload_arg (const char *, __restrict, + __fmt), ...) +{ + __gnuc_va_list __fortify_ap; + __builtin_va_start (__fortify_ap, __fmt); + int __r = __vdprintf_chk (__fd, __USE_FORTIFY_LEVEL - 1, __fmt, + __fortify_ap); + __builtin_va_end (__fortify_ap); + return __r; +} # elif !defined __cplusplus # define dprintf(fd, ...) \ __dprintf_chk (fd, __USE_FORTIFY_LEVEL - 1, __VA_ARGS__) 
@@ -153,6 +222,43 @@ __NTH (obstack_printf (struct obstack *__restrict __obstack, return __obstack_printf_chk (__obstack, __USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ()); } +# elif __fortify_use_clang +__fortify_function_error_function __attribute_overloadable__ int +__NTH (asprintf (__fortify_clang_overload_arg (char **, __restrict, __ptr), + const char *__restrict __fmt, ...)) +{ + __gnuc_va_list __fortify_ap; + __builtin_va_start (__fortify_ap, __fmt); + int __r = __vasprintf_chk (__ptr, __USE_FORTIFY_LEVEL - 1, __fmt, + __fortify_ap); + __builtin_va_end (__fortify_ap); + return __r; +} + +__fortify_function_error_function __attribute_overloadable__ int +__NTH (__asprintf (__fortify_clang_overload_arg (char **, __restrict, __ptr), + const char *__restrict __fmt, ...)) +{ + __gnuc_va_list __fortify_ap; + __builtin_va_start (__fortify_ap, __fmt); + int __r = __vasprintf_chk (__ptr, __USE_FORTIFY_LEVEL - 1, __fmt, + __fortify_ap); + __builtin_va_end (__fortify_ap); + return __r; +} + +__fortify_function_error_function __attribute_overloadable__ int +__NTH (obstack_printf (__fortify_clang_overload_arg (struct obstack *, + __restrict, __obstack), + const char *__restrict __fmt, ...)) +{ + __gnuc_va_list __fortify_ap; + __builtin_va_start (__fortify_ap, __fmt); + int __r = __obstack_vprintf_chk (__obstack, __USE_FORTIFY_LEVEL - 1, + __fmt, __fortify_ap); + __builtin_va_end (__fortify_ap); + return __r; +} # elif !defined __cplusplus # define asprintf(ptr, ...) \ __asprintf_chk (ptr, __USE_FORTIFY_LEVEL - 1, __VA_ARGS__) 
@@ -182,8 +288,11 @@ __NTH (obstack_vprintf (struct obstack *__restrict __obstack, #endif #if __GLIBC_USE (DEPRECATED_GETS) -__fortify_function __wur char * -gets (char *__str) +__fortify_function __wur __attribute_overloadable__ char * +gets (__fortify_clang_overload_arg (char *, , __str)) + __fortify_clang_warning (__glibc_objsize (__str) == (size_t) -1, + "please use fgets or getline instead, gets " + "can not specify buffer size") { if (__glibc_objsize (__str) != (size_t) -1) return __gets_chk (__str, __glibc_objsize (__str)); 
@@ -192,48 +301,70 @@ gets (char *__str) #endif __fortify_function __wur __fortified_attr_access (__write_only__, 1, 2) -__nonnull ((3)) char * -fgets (char *__restrict __s, int __n, FILE *__restrict __stream) +__nonnull ((3)) __attribute_overloadable__ char * +fgets (__fortify_clang_overload_arg (char *, __restrict, __s), int __n, + FILE *__restrict __stream) + __fortify_clang_warning (__fortify_clang_bos_static_lt (__n, __s) && __n > 0, + "fgets called with bigger size than length of " + "destination buffer") { size_t sz = __glibc_objsize (__s); if (__glibc_safe_or_unknown_len (__n, sizeof (char), sz)) return __fgets_alias (__s, __n, __stream); +#if !__fortify_use_clang if (__glibc_unsafe_len (__n, sizeof (char), sz)) return __fgets_chk_warn (__s, sz, __n, __stream); +#endif return __fgets_chk (__s, sz, __n, __stream); } -__fortify_function __wur __nonnull ((4)) size_t -fread (void *__restrict __ptr, size_t __size, size_t __n, - FILE *__restrict __stream) +__fortify_function __wur __nonnull ((4)) __attribute_overloadable__ size_t +fread (__fortify_clang_overload_arg (void *, __restrict, __ptr), + size_t __size, size_t __n, FILE *__restrict __stream) + __fortify_clang_warning (__fortify_clang_bos0_static_lt (__size * __n, __ptr) + && !__fortify_clang_mul_may_overflow (__size, __n), + "fread called with bigger size * n than length " + "of destination buffer") { size_t sz = __glibc_objsize0 (__ptr); if (__glibc_safe_or_unknown_len (__n, __size, sz)) return __fread_alias (__ptr, __size, __n, __stream); +#if !__fortify_use_clang if (__glibc_unsafe_len (__n, __size, sz)) return __fread_chk_warn (__ptr, sz, __size, __n, __stream); +#endif return __fread_chk (__ptr, sz, __size, __n, __stream); } #ifdef __USE_GNU __fortify_function __wur __fortified_attr_access (__write_only__, 1, 2) -__nonnull ((3)) char * -fgets_unlocked (char *__restrict __s, int __n, FILE *__restrict __stream) +__nonnull ((3)) __attribute_overloadable__ char * +fgets_unlocked 
(__fortify_clang_overload_arg (char *, __restrict, __s), + int __n, FILE *__restrict __stream) + __fortify_clang_warning (__fortify_clang_bos_static_lt (__n, __s) && __n > 0, + "fgets called with bigger size than length of " + "destination buffer") { size_t sz = __glibc_objsize (__s); if (__glibc_safe_or_unknown_len (__n, sizeof (char), sz)) return __fgets_unlocked_alias (__s, __n, __stream); +#if !__fortify_use_clang if (__glibc_unsafe_len (__n, sizeof (char), sz)) return __fgets_unlocked_chk_warn (__s, sz, __n, __stream); +#endif return __fgets_unlocked_chk (__s, sz, __n, __stream); } #endif #ifdef __USE_MISC # undef fread_unlocked -__fortify_function __wur __nonnull ((4)) size_t -fread_unlocked (void *__restrict __ptr, size_t __size, size_t __n, - FILE *__restrict __stream) +__fortify_function __wur __nonnull ((4)) __attribute_overloadable__ size_t +fread_unlocked (__fortify_clang_overload_arg0 (void *, __restrict, __ptr), + size_t __size, size_t __n, FILE *__restrict __stream) + __fortify_clang_warning (__fortify_clang_bos0_static_lt (__size * __n, __ptr) + && !__fortify_clang_mul_may_overflow (__size, __n), + "fread_unlocked called with bigger size * n than " + "length of destination buffer") { size_t sz = __glibc_objsize0 (__ptr); if (__glibc_safe_or_unknown_len (__n, __size, sz)) 
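Review bot: the diagnostic string on fgets_unlocked says "fgets called with bigger size than length of destination buffer", copied from fgets; it should name fgets_unlocked, as the fread_unlocked message in this same hunk does. Also in this hunk, fread declares its buffer with `__fortify_clang_overload_arg` while fread_unlocked uses `__fortify_clang_overload_arg0`, although both bodies use `__glibc_objsize0 (__ptr)` and both warnings use `__fortify_clang_bos0_static_lt`. Pick the variant that matches the object-size type and use it for both.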
@@ -261,8 +392,10 @@ fread_unlocked (void *__restrict __ptr, size_t __size, size_t __n, # endif return __fread_unlocked_alias (__ptr, __size, __n, __stream); } +# if !__fortify_use_clang if (__glibc_unsafe_len (__n, __size, sz)) return __fread_unlocked_chk_warn (__ptr, sz, __size, __n, __stream); +# endif return __fread_unlocked_chk (__ptr, sz, __size, __n, __stream); }

From patchwork Thu Feb 8 18:46:15 2024
X-Patchwork-Submitter: Adhemerval Zanella Netto
X-Patchwork-Id: 85482
From: Adhemerval Zanella
To: libc-alpha@sourceware.org
Cc: Siddhesh Poyarekar
Subject: [PATCH v3 03/10] string: Improve fortify with clang
Date: Thu, 8 Feb 2024 15:46:15 -0300
Message-Id: <20240208184622.332678-4-adhemerval.zanella@linaro.org>
In-Reply-To: <20240208184622.332678-1-adhemerval.zanella@linaro.org>
References: <20240208184622.332678-1-adhemerval.zanella@linaro.org>

It improves fortify checks for strcpy, stpcpy, strncpy, stpncpy, strcat,
strncat, strlcpy, and strlcat. The runtime and compile checks have similar
coverage as with GCC.

Checked on aarch64, armhf, x86_64, and i686.
Reviewed-by: Carlos O'Donell
Tested-by: Carlos O'Donell
---
 string/bits/string_fortified.h | 56 +++++++++++++++++++++-------------
 1 file changed, 34 insertions(+), 22 deletions(-)

diff --git a/string/bits/string_fortified.h b/string/bits/string_fortified.h index e0714f794c..5c93dd677d 100644 --- a/string/bits/string_fortified.h
+++ b/string/bits/string_fortified.h @@ -73,24 +73,29 @@ __NTH (explicit_bzero (void *__dest, size_t __len)) } #endif -__fortify_function char * -__NTH (strcpy (char *__restrict __dest, const char *__restrict __src)) +__fortify_function __attribute_overloadable__ char * +__NTH (strcpy (__fortify_clang_overload_arg (char *, __restrict, __dest), + const char *__restrict __src)) + __fortify_clang_warn_if_src_too_large (__dest, __src) { return __builtin___strcpy_chk (__dest, __src, __glibc_objsize (__dest)); } #ifdef __USE_XOPEN2K8 -__fortify_function char * -__NTH (stpcpy (char *__restrict __dest, const char *__restrict __src)) +__fortify_function __attribute_overloadable__ char * +__NTH (stpcpy (__fortify_clang_overload_arg (char *, __restrict, __dest), + const char *__restrict __src)) + __fortify_clang_warn_if_src_too_large (__dest, __src) { return __builtin___stpcpy_chk (__dest, __src, __glibc_objsize (__dest)); } #endif -__fortify_function char * -__NTH (strncpy (char *__restrict __dest, const char *__restrict __src, - size_t __len)) +__fortify_function __attribute_overloadable__ char * +__NTH (strncpy (__fortify_clang_overload_arg (char *, __restrict, __dest), + const char *__restrict __src, size_t __len)) + __fortify_clang_warn_if_dest_too_small (__dest, __len) { return __builtin___strncpy_chk (__dest, __src, __len, __glibc_objsize (__dest)); @@ -98,8 +103,10 @@ __NTH (strncpy (char *__restrict __dest, const char *__restrict __src, #ifdef __USE_XOPEN2K8 # if __GNUC_PREREQ (4, 7) || __glibc_clang_prereq (2, 6) -__fortify_function char * -__NTH (stpncpy (char *__dest, const char *__src, size_t __n)) +__fortify_function __attribute_overloadable__ char * +__NTH (stpncpy (__fortify_clang_overload_arg (char *, ,__dest), + const char *__src, size_t __n)) + __fortify_clang_warn_if_dest_too_small (__dest, __n) { return __builtin___stpncpy_chk (__dest, __src, __n, __glibc_objsize (__dest)); 
@@ -112,8 +119,9 @@ extern char *__stpncpy_chk (char *__dest, const char *__src, size_t __n, extern char *__REDIRECT_NTH (__stpncpy_alias, (char *__dest, const char *__src, size_t __n), stpncpy); -__fortify_function char * -__NTH (stpncpy (char *__dest, const char *__src, size_t __n)) +__fortify_function __attribute_overloadable__ char * +__NTH (stpncpy (__fortify_clang_overload_arg (char *, ,__dest), + const char *__src, size_t __n)) { if (__bos (__dest) != (size_t) -1 && (!__builtin_constant_p (__n) || __n > __bos (__dest))) @@ -124,16 +132,19 @@ __NTH (stpncpy (char *__dest, const char *__src, size_t __n)) #endif -__fortify_function char * -__NTH (strcat (char *__restrict __dest, const char *__restrict __src)) +__fortify_function __attribute_overloadable__ char * +__NTH (strcat (__fortify_clang_overload_arg (char *, __restrict, __dest), + const char *__restrict __src)) + __fortify_clang_warn_if_src_too_large (__dest, __src) { return __builtin___strcat_chk (__dest, __src, __glibc_objsize (__dest)); } -__fortify_function char * -__NTH (strncat (char *__restrict __dest, const char *__restrict __src, - size_t __len)) +__fortify_function __attribute_overloadable__ char * +__NTH (strncat (__fortify_clang_overload_arg (char *, __restrict, __dest), + const char *__restrict __src, size_t __len)) + __fortify_clang_warn_if_src_too_large (__dest, __src) { return __builtin___strncat_chk (__dest, __src, __len, __glibc_objsize (__dest)); 
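Review bot: strncat in this hunk is annotated with `__fortify_clang_warn_if_src_too_large (__dest, __src)`, which never sees `__len`, yet strncat appends at most `__len` bytes of `__src`. If that macro compares the source length against the destination size, a call whose `__len` keeps the append in bounds could still be diagnosed at compile time. Please confirm this case is covered by a test, or switch to a condition that takes `__len` into account; the runtime `__builtin___strncat_chk` path already receives `__len`.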
@@ -146,9 +157,10 @@ extern size_t __REDIRECT_NTH (__strlcpy_alias, (char *__dest, const char *__src, size_t __n), strlcpy); -__fortify_function size_t -__NTH (strlcpy (char *__restrict __dest, const char *__restrict __src, - size_t __n)) +__fortify_function __attribute_overloadable__ size_t +__NTH (strlcpy (__fortify_clang_overload_arg (char *, __restrict, __dest), + const char *__restrict __src, size_t __n)) + __fortify_clang_warn_if_dest_too_small (__dest, __n) { if (__glibc_objsize (__dest) != (size_t) -1 && (!__builtin_constant_p (__n > __glibc_objsize (__dest)) 
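Review bot: strlcpy gains `__fortify_clang_warn_if_dest_too_small (__dest, __n)` here, but strlcat in the following hunk gets only the overloadable signature and no compile-time diagnostic, even though its `__n` is also the destination size and its body opens with the same `__n > __glibc_objsize (__dest)` test. If the omission is deliberate, the commit message should say why; otherwise add the same annotation to strlcat.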
@@ -163,9 +175,9 @@ extern size_t __REDIRECT_NTH (__strlcat_alias, (char *__dest, const char *__src, size_t __n), strlcat); -__fortify_function size_t -__NTH (strlcat (char *__restrict __dest, const char *__restrict __src, - size_t __n)) +__fortify_function __attribute_overloadable__ size_t +__NTH (strlcat (__fortify_clang_overload_arg (char *, __restrict, __dest), + const char *__restrict __src, size_t __n)) { if (__glibc_objsize (__dest) != (size_t) -1 && (!__builtin_constant_p (__n > __glibc_objsize (__dest))

From patchwork Thu Feb 8 18:46:16 2024
X-Patchwork-Submitter: Adhemerval Zanella Netto
X-Patchwork-Id: 85475
From: Adhemerval Zanella
To: libc-alpha@sourceware.org
Cc: Siddhesh Poyarekar
Subject: [PATCH v3 04/10] stdlib: Improve fortify with clang
Date: Thu, 8 Feb 2024 15:46:16 -0300
Message-Id: <20240208184622.332678-5-adhemerval.zanella@linaro.org>
In-Reply-To: <20240208184622.332678-1-adhemerval.zanella@linaro.org>
References: <20240208184622.332678-1-adhemerval.zanella@linaro.org>

It improves fortify checks for realpath, ptsname_r, wctomb, mbstowcs, and
wcstombs. The runtime and compile checks have similar coverage as with GCC.

Checked on aarch64, armhf, x86_64, and i686.
Tested-by: Carlos O'Donell
Tested-by: Carlos O'Donell
Reviewed-by: Carlos O'Donell
---
 stdlib/bits/stdlib.h | 40 +++++++++++++++++++++++++++++-----------
 1 file changed, 29 insertions(+), 11 deletions(-)

diff --git a/stdlib/bits/stdlib.h b/stdlib/bits/stdlib.h index 1c7191ba57..9e31801e80 100644 --- a/stdlib/bits/stdlib.h +++ b/stdlib/bits/stdlib.h @@ -33,15 +33,22 @@ extern char *__REDIRECT_NTH (__realpath_chk_warn, __warnattr ("second argument of realpath must be either NULL or at " "least PATH_MAX bytes long buffer"); -__fortify_function __wur char * -__NTH (realpath (const char *__restrict __name, char *__restrict __resolved)) +__fortify_function __attribute_overloadable__ __wur char * +__NTH (realpath (const char *__restrict __name, + __fortify_clang_overload_arg (char *, __restrict, __resolved))) +#if defined _LIBC_LIMITS_H_ && defined PATH_MAX + __fortify_clang_warning_only_if_bos_lt (PATH_MAX, __resolved, + "second argument of realpath must be " + "either NULL or at least PATH_MAX " + "bytes long buffer") +#endif { size_t sz = __glibc_objsize (__resolved); if (sz == (size_t) -1) return __realpath_alias (__name, __resolved); -#if defined _LIBC_LIMITS_H_ && defined PATH_MAX +#if !__fortify_use_clang && defined _LIBC_LIMITS_H_ && defined PATH_MAX if (__glibc_unsafe_len (PATH_MAX, sizeof (char), sz)) return __realpath_chk_warn (__name, __resolved, sz); #endif @@ -61,8 +68,13 @@ extern int __REDIRECT_NTH (__ptsname_r_chk_warn, __nonnull ((2)) __warnattr ("ptsname_r called with buflen bigger than " "size of buf"); -__fortify_function int -__NTH (ptsname_r (int __fd, char *__buf, size_t __buflen)) +__fortify_function __attribute_overloadable__ int +__NTH (ptsname_r (int __fd, + __fortify_clang_overload_arg (char *, ,__buf), + size_t __buflen)) + __fortify_clang_warning_only_if_bos_lt (__buflen, __buf, + "ptsname_r called with buflen " + "bigger than size of buf") { return __glibc_fortify (ptsname_r, __buflen, sizeof (char), __glibc_objsize (__buf), 
@@ -75,8 +87,8 @@ extern int __wctomb_chk (char *__s, wchar_t __wchar, size_t __buflen) extern int __REDIRECT_NTH (__wctomb_alias, (char *__s, wchar_t __wchar), wctomb) __wur; -__fortify_function __wur int -__NTH (wctomb (char *__s, wchar_t __wchar)) +__fortify_function __attribute_overloadable__ __wur int +__NTH (wctomb (__fortify_clang_overload_arg (char *, ,__s), wchar_t __wchar)) { /* We would have to include to get a definition of MB_LEN_MAX. But this would only disturb the namespace. So we define our own @@ -113,12 +125,17 @@ extern size_t __REDIRECT_NTH (__mbstowcs_chk_warn, __warnattr ("mbstowcs called with dst buffer smaller than len " "* sizeof (wchar_t)"); -__fortify_function size_t -__NTH (mbstowcs (wchar_t *__restrict __dst, const char *__restrict __src, +__fortify_function __attribute_overloadable__ size_t +__NTH (mbstowcs (__fortify_clang_overload_arg (wchar_t *, __restrict, __dst), + const char *__restrict __src, size_t __len)) + __fortify_clang_warning_only_if_bos0_lt2 (__len, __dst, sizeof (wchar_t), + "mbstowcs called with dst buffer " + "smaller than len * sizeof (wchar_t)") { if (__builtin_constant_p (__dst == NULL) && __dst == NULL) return __mbstowcs_nulldst (__dst, __src, __len); + else return __glibc_fortify_n (mbstowcs, __len, sizeof (wchar_t), __glibc_objsize (__dst), __dst, __src, __len); 
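Review bot: the `else` added after `return __mbstowcs_nulldst (__dst, __src, __len);` in mbstowcs is an unrelated change: the preceding branch already returns, so it alters nothing and adds noise to a patch about clang annotations. Please drop it. Separately, wcstombs in the next hunk keeps its `__wcstombs_chk_warn` text ("wcstombs called with dst buffer smaller than len") for the GCC path but receives no clang diagnostic, unlike mbstowcs here; if that is intended, say so in the commit message.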
@@ -139,8 +156,9 @@ extern size_t __REDIRECT_NTH (__wcstombs_chk_warn, size_t __len, size_t __dstlen), __wcstombs_chk) __warnattr ("wcstombs called with dst buffer smaller than len"); -__fortify_function size_t -__NTH (wcstombs (char *__restrict __dst, const wchar_t *__restrict __src, +__fortify_function __attribute_overloadable__ size_t +__NTH (wcstombs (__fortify_clang_overload_arg (char *, __restrict, __dst), + const wchar_t *__restrict __src, size_t __len)) { return __glibc_fortify (wcstombs, __len, sizeof (char),

From patchwork Thu Feb 8 18:46:17 2024
X-Patchwork-Submitter: Adhemerval Zanella Netto
X-Patchwork-Id: 85478
From: Adhemerval Zanella
To: libc-alpha@sourceware.org
Cc: Siddhesh Poyarekar
Subject: [PATCH v3 05/10] unistd: Improve fortify with clang
Date: Thu, 8 Feb 2024 15:46:17 -0300
Message-Id: <20240208184622.332678-6-adhemerval.zanella@linaro.org>
In-Reply-To: <20240208184622.332678-1-adhemerval.zanella@linaro.org>
References: <20240208184622.332678-1-adhemerval.zanella@linaro.org>

It improves fortify checks for read, pread, pread64, readlink, readlinkat,
getcwd, getwd, confstr, getgroups, ttyname_r, getlogin_r, gethostname,
and getdomainname. The compile and runtime checks have similar coverage as
with GCC.

Checked on aarch64, armhf, x86_64, and i686.
Reviewed-by: Carlos O'Donell
Tested-by: Carlos O'Donell
---
 posix/bits/unistd.h | 110 +++++++++++++++++++++++++++++++++-----------
 1 file changed, 82 insertions(+), 28 deletions(-)

diff --git a/posix/bits/unistd.h b/posix/bits/unistd.h index bd209ec28e..2757b0619a 100644 --- a/posix/bits/unistd.h +++ b/posix/bits/unistd.h
@@ -22,8 +22,12 @@ # include -__fortify_function __wur ssize_t -read (int __fd, void *__buf, size_t __nbytes) +__fortify_function __attribute_overloadable__ __wur ssize_t +read (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), size_t __nbytes) + __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf, + "read called with bigger length than " + "size of the destination buffer") + { return __glibc_fortify (read, __nbytes, sizeof (char), __glibc_objsize0 (__buf), @@ -32,16 +36,24 @@ read (int __fd, void *__buf, size_t __nbytes) #if defined __USE_UNIX98 || defined __USE_XOPEN2K8 # ifndef __USE_FILE_OFFSET64 -__fortify_function __wur ssize_t -pread (int __fd, void *__buf, size_t __nbytes, __off_t __offset) +__fortify_function __attribute_overloadable__ __wur ssize_t +pread (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), + size_t __nbytes, __off_t __offset) + __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf, + "pread called with bigger length than " + "size of the destination buffer") { return __glibc_fortify (pread, __nbytes, sizeof (char), __glibc_objsize0 (__buf), __fd, __buf, __nbytes, __offset); } # else -__fortify_function __wur ssize_t -pread (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) +__fortify_function __attribute_overloadable__ __wur ssize_t +pread (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), + size_t __nbytes, __off64_t __offset) + __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf, + "pread called with bigger length than " + "size of the destination buffer") { return __glibc_fortify (pread64, __nbytes, sizeof (char), __glibc_objsize0 (__buf), 
@@ -50,8 +62,12 @@ pread (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) # endif # ifdef __USE_LARGEFILE64 -__fortify_function __wur ssize_t -pread64 (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) +__fortify_function __attribute_overloadable__ __wur ssize_t +pread64 (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), + size_t __nbytes, __off64_t __offset) + __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf, + "pread64 called with bigger length than " + "size of the destination buffer") { return __glibc_fortify (pread64, __nbytes, sizeof (char), __glibc_objsize0 (__buf), @@ -61,9 +77,14 @@ pread64 (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) #endif #if defined __USE_XOPEN_EXTENDED || defined __USE_XOPEN2K -__fortify_function __nonnull ((1, 2)) __wur ssize_t -__NTH (readlink (const char *__restrict __path, char *__restrict __buf, +__fortify_function __attribute_overloadable__ __nonnull ((1, 2)) __wur ssize_t +__NTH (readlink (const char *__restrict __path, + __fortify_clang_overload_arg0 (char *, __restrict, __buf), size_t __len)) + __fortify_clang_warning_only_if_bos_lt (__len, __buf, + "readlink called with bigger length " + "than size of destination buffer") + { return __glibc_fortify (readlink, __len, sizeof (char), __glibc_objsize (__buf), @@ -72,9 +93,13 @@ __NTH (readlink (const char *__restrict __path, char *__restrict __buf, #endif #ifdef __USE_ATFILE -__fortify_function __nonnull ((2, 3)) __wur ssize_t +__fortify_function __attribute_overloadable__ __nonnull ((2, 3)) __wur ssize_t __NTH (readlinkat (int __fd, const char *__restrict __path, - char *__restrict __buf, size_t __len)) + __fortify_clang_overload_arg0 (char *, __restrict, __buf), + size_t __len)) + __fortify_clang_warning_only_if_bos_lt (__len, __buf, + "readlinkat called with bigger length " + "than size of destination buffer") { return __glibc_fortify (readlinkat, __len, sizeof (char), __glibc_objsize (__buf), 
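Review bot: readlinkat declares `__buf` with `__fortify_clang_overload_arg0`, but its diagnostic uses `__fortify_clang_warning_only_if_bos_lt` and its body passes `__glibc_objsize (__buf)`, not the `0` variants; readlink in the previous hunk has the same mix. read, pread and pread64 pair `__fortify_clang_overload_arg0` with `__fortify_clang_warning_only_if_bos0_lt` and `__glibc_objsize0`, and getcwd pairs the non-0 forms, so the char * buffers here should presumably use `__fortify_clang_overload_arg` to keep the object-size type consistent between the parameter annotation and the checks.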
@@ -82,8 +107,11 @@ __NTH (readlinkat (int __fd, const char *__restrict __path, } #endif -__fortify_function __wur char * -__NTH (getcwd (char *__buf, size_t __size)) +__fortify_function __attribute_overloadable__ __wur char * +__NTH (getcwd (__fortify_clang_overload_arg (char *, , __buf), size_t __size)) + __fortify_clang_warning_only_if_bos_lt (__size, __buf, + "getcwd called with bigger length " + "than size of destination buffer") { return __glibc_fortify (getcwd, __size, sizeof (char), __glibc_objsize (__buf), @@ -91,8 +119,9 @@ __NTH (getcwd (char *__buf, size_t __size)) } #if defined __USE_MISC || defined __USE_XOPEN_EXTENDED -__fortify_function __nonnull ((1)) __attribute_deprecated__ __wur char * -__NTH (getwd (char *__buf)) +__fortify_function __attribute_overloadable__ __nonnull ((1)) +__attribute_deprecated__ __wur char * +__NTH (getwd (__fortify_clang_overload_arg (char *,, __buf))) { if (__glibc_objsize (__buf) != (size_t) -1) return __getwd_chk (__buf, __glibc_objsize (__buf)); @@ -100,8 +129,12 @@ __NTH (getwd (char *__buf)) } #endif -__fortify_function size_t -__NTH (confstr (int __name, char *__buf, size_t __len)) +__fortify_function __attribute_overloadable__ size_t +__NTH (confstr (int __name, __fortify_clang_overload_arg (char *, ,__buf), + size_t __len)) + __fortify_clang_warning_only_if_bos_lt (__len, __buf, + "confstr called with bigger length than " + "size of destination buffer") { return __glibc_fortify (confstr, __len, sizeof (char), __glibc_objsize (__buf), 
@@ -109,8 +142,13 @@ __NTH (confstr (int __name, char *__buf, size_t __len)) } -__fortify_function int -__NTH (getgroups (int __size, __gid_t __list[])) +__fortify_function __attribute_overloadable__ int +__NTH (getgroups (int __size, + __fortify_clang_overload_arg (__gid_t *, , __list))) + __fortify_clang_warning_only_if_bos_lt (__size * sizeof (__gid_t), __list, + "getgroups called with bigger group " + "count than what can fit into " + "destination buffer") { return __glibc_fortify (getgroups, __size, sizeof (__gid_t), __glibc_objsize (__list), @@ -118,8 +156,13 @@ __NTH (getgroups (int __size, __gid_t __list[])) } -__fortify_function int -__NTH (ttyname_r (int __fd, char *__buf, size_t __buflen)) +__fortify_function __attribute_overloadable__ int +__NTH (ttyname_r (int __fd, + __fortify_clang_overload_arg (char *, ,__buf), + size_t __buflen)) + __fortify_clang_warning_only_if_bos_lt (__buflen, __buf, + "ttyname_r called with bigger buflen " + "than size of destination buffer") { return __glibc_fortify (ttyname_r, __buflen, sizeof (char), __glibc_objsize (__buf), @@ -128,8 +171,11 @@ __NTH (ttyname_r (int __fd, char *__buf, size_t __buflen)) #ifdef __USE_POSIX199506 -__fortify_function int -getlogin_r (char *__buf, size_t __buflen) +__fortify_function __attribute_overloadable__ int +getlogin_r (__fortify_clang_overload_arg (char *, ,__buf), size_t __buflen) + __fortify_clang_warning_only_if_bos_lt (__buflen, __buf, + "getlogin_r called with bigger buflen " + "than size of destination buffer") { return __glibc_fortify (getlogin_r, __buflen, sizeof (char), __glibc_objsize (__buf), 
@@ -139,8 +185,12 @@ getlogin_r (char *__buf, size_t __buflen) #if defined __USE_MISC || defined __USE_UNIX98 -__fortify_function int -__NTH (gethostname (char *__buf, size_t __buflen)) +__fortify_function __attribute_overloadable__ int +__NTH (gethostname (__fortify_clang_overload_arg (char *, ,__buf), + size_t __buflen)) + __fortify_clang_warning_only_if_bos_lt (__buflen, __buf, + "gethostname called with bigger buflen " + "than size of destination buffer") { return __glibc_fortify (gethostname, __buflen, sizeof (char), __glibc_objsize (__buf), 
@@ -150,8 +200,12 @@ __NTH (gethostname (char *__buf, size_t __buflen)) #if defined __USE_MISC || (defined __USE_XOPEN && !defined __USE_UNIX98) -__fortify_function int -__NTH (getdomainname (char *__buf, size_t __buflen)) +__fortify_function __attribute_overloadable__ int +__NTH (getdomainname (__fortify_clang_overload_arg (char *, ,__buf), + size_t __buflen)) + __fortify_clang_warning_only_if_bos_lt (__buflen, __buf, + "getdomainname called with bigger " + "buflen than size of destination buffer") { return __glibc_fortify (getdomainname, __buflen, sizeof (char), __glibc_objsize (__buf),
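Review bot: The empty middle argument of `__fortify_clang_overload_arg` is spaced three different ways in the unistd.h hunks: `(char *, , __buf)` in getcwd, `(char *,, __buf)` in getwd, and `(char *, ,__buf)` in confstr, ttyname_r, getlogin_r, gethostname and getdomainname. Pick one form (the getcwd spelling reads best) and use it throughout, so a grep over the fortified prototypes matches all of them.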
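Review bot: In the getgroups hunk the warning condition is written as `__fortify_clang_warning_only_if_bos_lt (__size * sizeof (__gid_t), __list, ...)`, while the poll and ppoll wrappers in this series pass the element size separately through `__fortify_clang_warning_only_if_bos_lt2 (__nfds, __fds, sizeof (*__fds), ...)`. `__size` is an `int` here, so the inline product is also computed after an implicit signed-to-unsigned conversion of the count. Suggest the `_lt2` form with `sizeof (__gid_t)` to match the other element-counted wrappers, or a comment saying why the open-coded multiplication is wanted.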
From: Adhemerval Zanella
To: libc-alpha@sourceware.org
Cc: Siddhesh Poyarekar
Subject: [PATCH v3 06/10] socket: Improve fortify with clang
Date: Thu, 8 Feb 2024 15:46:18 -0300
Message-Id: <20240208184622.332678-7-adhemerval.zanella@linaro.org>
In-Reply-To: <20240208184622.332678-1-adhemerval.zanella@linaro.org>
References: <20240208184622.332678-1-adhemerval.zanella@linaro.org>

It improves fortify checks for recv, recvfrom, poll, and ppoll. The compile and runtime checks have similar coverage as with GCC.

Checked on aarch64, armhf, x86_64, and i686.

Reviewed-by: Carlos O'Donell
Tested-by: Carlos O'Donell
---
 io/bits/poll2.h | 29 +++++++++++++++++++++--------
 socket/bits/socket2.h | 20 ++++++++++++++++----
 2 files changed, 37 insertions(+), 12 deletions(-)

diff --git a/io/bits/poll2.h b/io/bits/poll2.h index 6152a8c5e4..24ec1056eb 100644 --- a/io/bits/poll2.h +++ b/io/bits/poll2.h
@@ -33,8 +33,13 @@ extern int __REDIRECT (__poll_chk_warn, (struct pollfd *__fds, nfds_t __nfds, __poll_chk) __warnattr ("poll called with fds buffer too small file nfds entries"); -__fortify_function __fortified_attr_access (__write_only__, 1, 2) int -poll (struct pollfd *__fds, nfds_t __nfds, int __timeout) +__fortify_function __fortified_attr_access (__write_only__, 1, 2) +__attribute_overloadable__ int +poll (__fortify_clang_overload_arg (struct pollfd *, ,__fds), nfds_t __nfds, + int __timeout) + __fortify_clang_warning_only_if_bos_lt2 (__nfds, __fds, sizeof (*__fds), + "poll called with fds buffer " + "too small file nfds entries") { return __glibc_fortify (poll, __nfds, sizeof (*__fds), __glibc_objsize (__fds), @@ -58,9 +63,13 @@ extern int __REDIRECT (__ppoll64_chk_warn, (struct pollfd *__fds, nfds_t __n, __ppoll64_chk) __warnattr ("ppoll called with fds buffer too small file nfds entries"); -__fortify_function __fortified_attr_access (__write_only__, 1, 2) int -ppoll (struct pollfd *__fds, nfds_t __nfds, const struct timespec *__timeout, - const __sigset_t *__ss) +__fortify_function __fortified_attr_access (__write_only__, 1, 2) +__attribute_overloadable__ int +ppoll (__fortify_clang_overload_arg (struct pollfd *, ,__fds), nfds_t __nfds, + const struct timespec *__timeout, const __sigset_t *__ss) + __fortify_clang_warning_only_if_bos_lt2 (__nfds, __fds, sizeof (*__fds), + "ppoll called with fds buffer " + "too small file nfds entries") { return __glibc_fortify (ppoll64, __nfds, sizeof (*__fds), __glibc_objsize (__fds), 
@@ -81,9 +90,13 @@ extern int __REDIRECT (__ppoll_chk_warn, (struct pollfd *__fds, nfds_t __nfds, __ppoll_chk) __warnattr ("ppoll called with fds buffer too small file nfds entries"); -__fortify_function __fortified_attr_access (__write_only__, 1, 2) int -ppoll (struct pollfd *__fds, nfds_t __nfds, const struct timespec *__timeout, - const __sigset_t *__ss) +__fortify_function __fortified_attr_access (__write_only__, 1, 2) +__attribute_overloadable__ int +ppoll (__fortify_clang_overload_arg (struct pollfd *, ,__fds), nfds_t __nfds, + const struct timespec *__timeout, const __sigset_t *__ss) + __fortify_clang_warning_only_if_bos_lt2 (__nfds, __fds, sizeof (*__fds), + "ppoll called with fds buffer " + "too small file nfds entries") { return __glibc_fortify (ppoll, __nfds, sizeof (*__fds), __glibc_objsize (__fds), diff --git a/socket/bits/socket2.h b/socket/bits/socket2.h index a88cb64370..04780f320e 100644 --- a/socket/bits/socket2.h +++ b/socket/bits/socket2.h @@ -30,14 +30,20 @@ extern ssize_t __REDIRECT (__recv_chk_warn, __warnattr ("recv called with bigger length than size of destination " "buffer"); -__fortify_function ssize_t -recv (int __fd, void *__buf, size_t __n, int __flags) +__fortify_function __attribute_overloadable__ ssize_t +recv (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), size_t __n, + int __flags) + __fortify_clang_warning_only_if_bos0_lt (__n, __buf, + "recv called with bigger length than " + "size of destination buffer") { size_t sz = __glibc_objsize0 (__buf); if (__glibc_safe_or_unknown_len (__n, sizeof (char), sz)) return __recv_alias (__fd, __buf, __n, __flags); +#if !__fortify_use_clang if (__glibc_unsafe_len (__n, sizeof (char), sz)) return __recv_chk_warn (__fd, __buf, __n, sz, __flags); +#endif return __recv_chk (__fd, __buf, __n, sz, __flags); } 
@@ -57,15 +63,21 @@ extern ssize_t __REDIRECT (__recvfrom_chk_warn, __warnattr ("recvfrom called with bigger length than size of " "destination buffer"); -__fortify_function ssize_t -recvfrom (int __fd, void *__restrict __buf, size_t __n, int __flags, +__fortify_function __attribute_overloadable__ ssize_t +recvfrom (int __fd, __fortify_clang_overload_arg0 (void *, __restrict, __buf), + size_t __n, int __flags, __SOCKADDR_ARG __addr, socklen_t *__restrict __addr_len) + __fortify_clang_warning_only_if_bos0_lt (__n, __buf, + "recvfrom called with bigger length " + "than size of destination buffer") { size_t sz = __glibc_objsize0 (__buf); if (__glibc_safe_or_unknown_len (__n, sizeof (char), sz)) return __recvfrom_alias (__fd, __buf, __n, __flags, __addr, __addr_len); +#if !__fortify_use_clang if (__glibc_unsafe_len (__n, sizeof (char), sz)) return __recvfrom_chk_warn (__fd, __buf, __n, sz, __flags, __addr, __addr_len); +#endif return __recvfrom_chk (__fd, __buf, __n, sz, __flags, __addr, __addr_len); }
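Review bot: The diagnostic added to poll and to both ppoll variants in io/bits/poll2.h copies the existing `__warnattr` wording "called with fds buffer too small file nfds entries", where "file" reads like a typo for "for". clang users will see this string for the first time with this patch, so correct it in the new `__fortify_clang_warning_only_if_bos_lt2` messages here, and fix the `__poll_chk_warn` / `__ppoll_chk_warn` / `__ppoll64_chk_warn` strings in a follow-up so the two compilers report the same text.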
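Review bot: In recv and recvfrom (socket/bits/socket2.h) the `__glibc_unsafe_len` branch that returns `__recv_chk_warn` / `__recvfrom_chk_warn` is now wrapped in `#if !__fortify_use_clang` with no comment, and the commit message does not mention it. From the header alone a reader cannot tell that, under clang, the compile-time diagnostic is presumably expected to come from the `__fortify_clang_warning_only_if_bos0_lt` clause on the prototype and that a known-too-large `__n` then falls through to `__recv_chk` / `__recvfrom_chk`. Please add a one-line comment above each `#if` stating that.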
From: Adhemerval Zanella
To: libc-alpha@sourceware.org
Cc: Siddhesh Poyarekar
Subject: [PATCH v3 07/10] syslog: Improve fortify with clang
Date: Thu, 8 Feb 2024 15:46:19 -0300
Message-Id: <20240208184622.332678-8-adhemerval.zanella@linaro.org>
In-Reply-To: <20240208184622.332678-1-adhemerval.zanella@linaro.org>
References: <20240208184622.332678-1-adhemerval.zanella@linaro.org>

It improves fortify checks for syslog and vsyslog. The compile and runtime checks have similar coverage as with GCC.

The syslog fortify wrapper calls the va_arg version, since clang does not support __va_arg_pack.

Checked on aarch64, armhf, x86_64, and i686.

Reviewed-by: Carlos O'Donell
Tested-by: Carlos O'Donell
---
 misc/bits/syslog.h | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/misc/bits/syslog.h b/misc/bits/syslog.h index aadcd42000..100b0c78cc 100644 --- a/misc/bits/syslog.h +++ b/misc/bits/syslog.h
@@ -36,6 +36,15 @@ syslog (int __pri, const char *__fmt, ...) { __syslog_chk (__pri, __USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ()); } +#elif __fortify_use_clang && defined __USE_MISC +__fortify_function_error_function __attribute_overloadable__ void +syslog (int __pri, __fortify_clang_overload_arg (const char *, , __fmt), ...) +{ + __gnuc_va_list __fortify_ap; + __builtin_va_start (__fortify_ap, __fmt); + __vsyslog_chk (__pri, __USE_FORTIFY_LEVEL - 1, __fmt, __fortify_ap); + __builtin_va_end (__fortify_ap); +} #elif !defined __cplusplus # define syslog(pri, ...) \ __syslog_chk (pri, __USE_FORTIFY_LEVEL - 1, __VA_ARGS__) 
@@ -43,8 +52,9 @@ syslog (int __pri, const char *__fmt, ...) #ifdef __USE_MISC -__fortify_function void -vsyslog (int __pri, const char *__fmt, __gnuc_va_list __ap) +__fortify_function __attribute_overloadable__ void +vsyslog (int __pri, __fortify_clang_overload_arg (const char *, ,__fmt), + __gnuc_va_list __ap) { __vsyslog_chk (__pri, __USE_FORTIFY_LEVEL - 1, __fmt, __ap); }
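Review bot: The new syslog branch in misc/bits/syslog.h is gated on `#elif __fortify_use_clang && defined __USE_MISC` without a comment explaining the `__USE_MISC` half. It looks like it is there because the wrapper calls `__vsyslog_chk`, which sits with vsyslog under `#ifdef __USE_MISC` further down, but the consequence is that a clang build without `__USE_MISC` drops to the `#elif !defined __cplusplus` macro, and a C++ translation unit in that configuration gets no fortified syslog at all. Please document the dependency at the `#elif`, and say in the commit message whether that gap is intended.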
From: Adhemerval Zanella
To: libc-alpha@sourceware.org
Cc: Siddhesh Poyarekar
Subject: [PATCH v3 08/10] wcsmbs: Improve fortify with clang
Date: Thu, 8 Feb 2024 15:46:20 -0300
Message-Id: <20240208184622.332678-9-adhemerval.zanella@linaro.org>
In-Reply-To: <20240208184622.332678-1-adhemerval.zanella@linaro.org>
References: <20240208184622.332678-1-adhemerval.zanella@linaro.org>

It improves fortify checks for wmemcpy, wmemmove, wmemset, wcscpy, wcpcpy, wcsncpy, wcpncpy, wcscat, wcsncat, wcslcpy, wcslcat, swprintf, fgetws, fgetws_unlocked, wcrtomb, mbsrtowcs, wcsrtombs, mbsnrtowcs, and wcsnrtombs. The compile and runtime checks have similar coverage as with GCC.

Checked on aarch64, armhf, x86_64, and i686.

Reviewed-by: Carlos O'Donell
Tested-by: Carlos O'Donell
---
 wcsmbs/bits/wchar2.h | 167 ++++++++++++++++++++++++++++++-------------
 1 file changed, 119 insertions(+), 48 deletions(-)
diff --git a/wcsmbs/bits/wchar2.h b/wcsmbs/bits/wchar2.h index 49f19bca19..9fdff47ee2 100644 --- a/wcsmbs/bits/wchar2.h +++ b/wcsmbs/bits/wchar2.h @@ -20,17 +20,24 @@ # error "Never include directly; use instead." #endif -__fortify_function wchar_t * -__NTH (wmemcpy (wchar_t *__restrict __s1, const wchar_t *__restrict __s2, - size_t __n)) +__fortify_function __attribute_overloadable__ wchar_t * +__NTH (wmemcpy (__fortify_clang_overload_arg (wchar_t *, __restrict, __s1), + const wchar_t *__restrict __s2, size_t __n)) + __fortify_clang_warning_only_if_bos0_lt2 (__n, __s1, sizeof (wchar_t), + "wmemcpy called with length bigger " + "than size of destination buffer") { return __glibc_fortify_n (wmemcpy, __n, sizeof (wchar_t), __glibc_objsize0 (__s1), __s1, __s2, __n); } -__fortify_function wchar_t * -__NTH (wmemmove (wchar_t *__s1, const wchar_t *__s2, size_t __n)) +__fortify_function __attribute_overloadable__ wchar_t * +__NTH (wmemmove (__fortify_clang_overload_arg (wchar_t *, ,__s1), + const wchar_t *__s2, size_t __n)) + __fortify_clang_warning_only_if_bos0_lt2 (__n, __s1, sizeof (wchar_t), + "wmemmove called with length bigger " + "than size of destination buffer") { return __glibc_fortify_n (wmemmove, __n, sizeof (wchar_t), __glibc_objsize0 (__s1), @@ -38,9 +45,12 @@ __NTH (wmemmove (wchar_t *__s1, const wchar_t *__s2, size_t __n)) } #ifdef __USE_GNU -__fortify_function wchar_t * -__NTH (wmempcpy (wchar_t *__restrict __s1, const wchar_t *__restrict __s2, - size_t __n)) +__fortify_function __attribute_overloadable__ wchar_t * +__NTH (wmempcpy (__fortify_clang_overload_arg (wchar_t *, __restrict, __s1), + const wchar_t *__restrict __s2, size_t __n)) + __fortify_clang_warning_only_if_bos0_lt2 (__n, __s1, sizeof (wchar_t), + "wmempcpy called with length bigger " + "than size of destination buffer") { return __glibc_fortify_n (wmempcpy, __n, sizeof (wchar_t), __glibc_objsize0 (__s1), 
@@ -48,16 +58,21 @@ __NTH (wmempcpy (wchar_t *__restrict __s1, const wchar_t *__restrict __s2, } #endif -__fortify_function wchar_t * -__NTH (wmemset (wchar_t *__s, wchar_t __c, size_t __n)) +__fortify_function __attribute_overloadable__ wchar_t * +__NTH (wmemset (__fortify_clang_overload_arg (wchar_t *, ,__s), wchar_t __c, + size_t __n)) + __fortify_clang_warning_only_if_bos0_lt2 (__n, __s, sizeof (wchar_t), + "wmemset called with length bigger " + "than size of destination buffer") { return __glibc_fortify_n (wmemset, __n, sizeof (wchar_t), __glibc_objsize0 (__s), __s, __c, __n); } -__fortify_function wchar_t * -__NTH (wcscpy (wchar_t *__restrict __dest, const wchar_t *__restrict __src)) +__fortify_function __attribute_overloadable__ wchar_t * +__NTH (wcscpy (__fortify_clang_overload_arg (wchar_t *, __restrict, __dest), + const wchar_t *__restrict __src)) { size_t sz = __glibc_objsize (__dest); if (sz != (size_t) -1) @@ -65,8 +80,9 @@ __NTH (wcscpy (wchar_t *__restrict __dest, const wchar_t *__restrict __src)) return __wcscpy_alias (__dest, __src); } -__fortify_function wchar_t * -__NTH (wcpcpy (wchar_t *__restrict __dest, const wchar_t *__restrict __src)) +__fortify_function __attribute_overloadable__ wchar_t * +__NTH (wcpcpy (__fortify_clang_overload_arg (wchar_t *, __restrict, __dest), + const wchar_t *__restrict __src)) { size_t sz = __glibc_objsize (__dest); if (sz != (size_t) -1) 
@@ -74,26 +90,33 @@ __NTH (wcpcpy (wchar_t *__restrict __dest, const wchar_t *__restrict __src)) return __wcpcpy_alias (__dest, __src); } -__fortify_function wchar_t * -__NTH (wcsncpy (wchar_t *__restrict __dest, const wchar_t *__restrict __src, - size_t __n)) +__fortify_function __attribute_overloadable__ wchar_t * +__NTH (wcsncpy (__fortify_clang_overload_arg (wchar_t *, __restrict, __dest), + const wchar_t *__restrict __src, size_t __n)) + __fortify_clang_warning_only_if_bos0_lt2 (__n, __dest, sizeof (wchar_t), + "wcsncpy called with length bigger " + "than size of destination buffer") { return __glibc_fortify_n (wcsncpy, __n, sizeof (wchar_t), __glibc_objsize (__dest), __dest, __src, __n); } -__fortify_function wchar_t * -__NTH (wcpncpy (wchar_t *__restrict __dest, const wchar_t *__restrict __src, - size_t __n)) +__fortify_function __attribute_overloadable__ wchar_t * +__NTH (wcpncpy (__fortify_clang_overload_arg (wchar_t *, __restrict, __dest), + const wchar_t *__restrict __src, size_t __n)) + __fortify_clang_warning_only_if_bos0_lt2 (__n, __dest, sizeof (wchar_t), + "wcpncpy called with length bigger " + "than size of destination buffer") { return __glibc_fortify_n (wcpncpy, __n, sizeof (wchar_t), __glibc_objsize (__dest), __dest, __src, __n); } -__fortify_function wchar_t * -__NTH (wcscat (wchar_t *__restrict __dest, const wchar_t *__restrict __src)) +__fortify_function __attribute_overloadable__ wchar_t * +__NTH (wcscat (__fortify_clang_overload_arg (wchar_t *, __restrict, __dest), + const wchar_t *__restrict __src)) { size_t sz = __glibc_objsize (__dest); if (sz != (size_t) -1) 
@@ -101,9 +124,9 @@ __NTH (wcscat (wchar_t *__restrict __dest, const wchar_t *__restrict __src)) return __wcscat_alias (__dest, __src); } -__fortify_function wchar_t * -__NTH (wcsncat (wchar_t *__restrict __dest, const wchar_t *__restrict __src, - size_t __n)) +__fortify_function __attribute_overloadable__ wchar_t * +__NTH (wcsncat (__fortify_clang_overload_arg (wchar_t *, __restrict, __dest), + const wchar_t *__restrict __src, size_t __n)) { size_t sz = __glibc_objsize (__dest); if (sz != (size_t) -1) @@ -112,9 +135,12 @@ __NTH (wcsncat (wchar_t *__restrict __dest, const wchar_t *__restrict __src, } #ifdef __USE_MISC -__fortify_function size_t -__NTH (wcslcpy (wchar_t *__restrict __dest, const wchar_t *__restrict __src, - size_t __n)) +__fortify_function __attribute_overloadable__ size_t +__NTH (wcslcpy (__fortify_clang_overload_arg (wchar_t *, __restrict, __dest), + const wchar_t *__restrict __src, size_t __n)) + __fortify_clang_warning_only_if_bos0_lt2 (__n, __dest, sizeof (wchar_t), + "wcslcpy called with length bigger " + "than size of destination buffer") { if (__glibc_objsize (__dest) != (size_t) -1 && (!__builtin_constant_p (__n @@ -125,9 +151,9 @@ __NTH (wcslcpy (wchar_t *__restrict __dest, const wchar_t *__restrict __src, return __wcslcpy_alias (__dest, __src, __n); } -__fortify_function size_t -__NTH (wcslcat (wchar_t *__restrict __dest, const wchar_t *__restrict __src, - size_t __n)) +__fortify_function __attribute_overloadable__ size_t +__NTH (wcslcat (__fortify_clang_overload_arg (wchar_t *, __restrict, __dest), + const wchar_t *__restrict __src, size_t __n)) { if (__glibc_objsize (__dest) != (size_t) -1 && (!__builtin_constant_p (__n > __glibc_objsize (__dest) 
@@ -150,6 +176,23 @@ __NTH (swprintf (wchar_t *__restrict __s, size_t __n, sz / sizeof (wchar_t), __fmt, __va_arg_pack ()); return __swprintf_alias (__s, __n, __fmt, __va_arg_pack ()); } +#elif __fortify_use_clang +__fortify_function_error_function __attribute_overloadable__ int +__NTH (swprintf (__fortify_clang_overload_arg (wchar_t *, __restrict, __s), + size_t __n, const wchar_t *__restrict __fmt, ...)) +{ + __gnuc_va_list __fortify_ap; + __builtin_va_start (__fortify_ap, __fmt); + int __r; + if (__glibc_objsize (__s) != (size_t) -1 || __USE_FORTIFY_LEVEL > 1) + __r = __vswprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1, + __glibc_objsize (__s) / sizeof (wchar_t), + __fmt, __fortify_ap); + else + __r = __vswprintf_alias (__s, __n, __fmt, __fortify_ap); + __builtin_va_end (__fortify_ap); + return __r; +} #elif !defined __cplusplus /* XXX We might want to have support in gcc for swprintf. */ # define swprintf(s, n, ...) \ 
@@ -207,34 +250,46 @@ vfwprintf (__FILE *__restrict __stream, } #endif -__fortify_function __wur wchar_t * -fgetws (wchar_t *__restrict __s, int __n, __FILE *__restrict __stream) +__fortify_function __attribute_overloadable__ __wur wchar_t * +fgetws (__fortify_clang_overload_arg (wchar_t *, __restrict, __s), int __n, + __FILE *__restrict __stream) + __fortify_clang_warning_only_if_bos_lt2 (__n, __s, sizeof (wchar_t), + "fgetws called with length bigger " + "than size of destination buffer") { size_t sz = __glibc_objsize (__s); if (__glibc_safe_or_unknown_len (__n, sizeof (wchar_t), sz)) return __fgetws_alias (__s, __n, __stream); +#if !__fortify_use_clang if (__glibc_unsafe_len (__n, sizeof (wchar_t), sz)) return __fgetws_chk_warn (__s, sz / sizeof (wchar_t), __n, __stream); +#endif return __fgetws_chk (__s, sz / sizeof (wchar_t), __n, __stream); } #ifdef __USE_GNU -__fortify_function __wur wchar_t * -fgetws_unlocked (wchar_t *__restrict __s, int __n, __FILE *__restrict __stream) +__fortify_function __attribute_overloadable__ __wur wchar_t * +fgetws_unlocked (__fortify_clang_overload_arg (wchar_t *, __restrict, __s), + int __n, __FILE *__restrict __stream) + __fortify_clang_warning_only_if_bos_lt2 (__n, __s, sizeof (wchar_t), + "fgetws_unlocked called with length bigger " + "than size of destination buffer") { size_t sz = __glibc_objsize (__s); if (__glibc_safe_or_unknown_len (__n, sizeof (wchar_t), sz)) return __fgetws_unlocked_alias (__s, __n, __stream); +# if !__fortify_use_clang if (__glibc_unsafe_len (__n, sizeof (wchar_t), sz)) return __fgetws_unlocked_chk_warn (__s, sz / sizeof (wchar_t), __n, __stream); +# endif return __fgetws_unlocked_chk (__s, sz / sizeof (wchar_t), __n, __stream); } #endif -__fortify_function __wur size_t -__NTH (wcrtomb (char *__restrict __s, wchar_t __wchar, - mbstate_t *__restrict __ps)) +__fortify_function __attribute_overloadable__ __wur size_t +__NTH (wcrtomb (__fortify_clang_overload_arg (char *, __restrict, __s), + wchar_t 
__wchar, mbstate_t *__restrict __ps)) { /* We would have to include to get a definition of MB_LEN_MAX. But this would only disturb the namespace. So we define our own @@ -249,18 +304,26 @@ __NTH (wcrtomb (char *__restrict __s, wchar_t __wchar, return __wcrtomb_alias (__s, __wchar, __ps); } -__fortify_function size_t -__NTH (mbsrtowcs (wchar_t *__restrict __dst, const char **__restrict __src, +__fortify_function __attribute_overloadable__ size_t +__NTH (mbsrtowcs (__fortify_clang_overload_arg (wchar_t *, __restrict, __dst), + const char **__restrict __src, size_t __len, mbstate_t *__restrict __ps)) + __fortify_clang_warning_only_if_bos_lt2 (__len, __dst, sizeof (wchar_t), + "mbsrtowcs called with dst buffer " + "smaller than len * sizeof (wchar_t)") { return __glibc_fortify_n (mbsrtowcs, __len, sizeof (wchar_t), __glibc_objsize (__dst), __dst, __src, __len, __ps); } -__fortify_function size_t -__NTH (wcsrtombs (char *__restrict __dst, const wchar_t **__restrict __src, +__fortify_function __attribute_overloadable__ size_t +__NTH (wcsrtombs (__fortify_clang_overload_arg (char *, __restrict, __dst), + const wchar_t **__restrict __src, size_t __len, mbstate_t *__restrict __ps)) + __fortify_clang_warning_only_if_bos_lt (__len, __dst, + "wcsrtombs called with dst buffer " + "smaller than len") { return __glibc_fortify (wcsrtombs, __len, sizeof (char), __glibc_objsize (__dst), 
@@ -269,18 +332,26 @@ __NTH (wcsrtombs (char *__restrict __dst, const wchar_t **__restrict __src, #ifdef __USE_XOPEN2K8 -__fortify_function size_t -__NTH (mbsnrtowcs (wchar_t *__restrict __dst, const char **__restrict __src, - size_t __nmc, size_t __len, mbstate_t *__restrict __ps)) +__fortify_function __attribute_overloadable__ size_t +__NTH (mbsnrtowcs (__fortify_clang_overload_arg (wchar_t *, __restrict, __dst), + const char **__restrict __src, size_t __nmc, size_t __len, + mbstate_t *__restrict __ps)) + __fortify_clang_warning_only_if_bos_lt (sizeof (wchar_t) * __len, __dst, + "mbsnrtowcs called with dst buffer " + "smaller than len * sizeof (wchar_t)") { return __glibc_fortify_n (mbsnrtowcs, __len, sizeof (wchar_t), __glibc_objsize (__dst), __dst, __src, __nmc, __len, __ps); } -__fortify_function size_t -__NTH (wcsnrtombs (char *__restrict __dst, const wchar_t **__restrict __src, - size_t __nwc, size_t __len, mbstate_t *__restrict __ps)) +__fortify_function __attribute_overloadable__ size_t +__NTH (wcsnrtombs (__fortify_clang_overload_arg (char *, __restrict, __dst), + const wchar_t **__restrict __src, size_t __nwc, + size_t __len, mbstate_t *__restrict __ps)) + __fortify_clang_warning_only_if_bos_lt (__len, __dst, + "wcsnrtombs called with dst buffer " + "smaller than len") { return __glibc_fortify (wcsnrtombs, __len, sizeof (char), __glibc_objsize (__dst),
From patchwork Thu Feb 8 18:46:21 2024
X-Patchwork-Submitter: Adhemerval Zanella Netto
X-Patchwork-Id: 85483
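Review bot: the clang swprintf overload added in the @@ -150,6 +176,23 @@ hunk of the wchar2.h patch carries no compile-time diagnostic, unlike fgetws, mbsrtowcs and the other functions converted in the same patch, so a constant __n larger than the destination is only caught at run time by __vswprintf_chk. If that is intentional, a one-line comment saying so would help; otherwise consider attaching __fortify_clang_warning_only_if_bos_lt2 (__n, __s, sizeof (wchar_t), ...) as done for fgetws.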
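Review bot: in the fgetws and fgetws_unlocked bodies (hunk @@ -207,34 +250,46 @@ of the wchar2.h patch) the __glibc_unsafe_len branch is compiled out with #if !__fortify_use_clang, but nothing says why. A short comment stating that under clang the same condition is reported by the __fortify_clang_warning_only_if_bos_lt2 attribute on the declaration, so the _chk_warn alias is not needed, would save the next reader from diffing the two paths.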
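Review bot: mbsnrtowcs in the @@ -269,18 +332,26 @@ hunk of the wchar2.h patch states its bound as __fortify_clang_warning_only_if_bos_lt (sizeof (wchar_t) * __len, __dst, ...), while mbsrtowcs in the previous hunk uses __fortify_clang_warning_only_if_bos_lt2 (__len, __dst, sizeof (wchar_t), ...) for the same check. Please use the _lt2 form in both so the two wide-character converters stay consistent; the explicit multiplication can also wrap for a large constant __len, in which case the warning is silently skipped.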
From: Adhemerval Zanella
To: libc-alpha@sourceware.org
Cc: Siddhesh Poyarekar
Subject: [PATCH v3 09/10] debug: Improve fcntl.h fortify warnings with clang
Date: Thu, 8 Feb 2024 15:46:21 -0300
Message-Id: <20240208184622.332678-10-adhemerval.zanella@linaro.org>
In-Reply-To: <20240208184622.332678-1-adhemerval.zanella@linaro.org>
References: <20240208184622.332678-1-adhemerval.zanella@linaro.org>

It improves open, open64, openat, and openat64. The compile and runtime checks have similar coverage as with GCC.

Checked on aarch64, armhf, x86_64, and i686.
Reviewed-by: Carlos O'Donell
Tested-by: Carlos O'Donell
--- io/bits/fcntl2.h | 92 ++++++++++++++++++++++++++++++++++++++++++++++++ io/fcntl.h | 3 +- misc/sys/cdefs.h | 9 ++++- 3 files changed, 101 insertions(+), 3 deletions(-) diff --git a/io/bits/fcntl2.h b/io/bits/fcntl2.h index 34f05d793d..26f1792fd1 100644 --- a/io/bits/fcntl2.h +++ b/io/bits/fcntl2.h @@ -32,6 +32,8 @@ extern int __REDIRECT (__open_2, (const char *__path, int __oflag), extern int __REDIRECT (__open_alias, (const char *__path, int __oflag, ...), open64) __nonnull ((1)); #endif + +#ifdef __va_arg_pack_len __errordecl (__open_too_many_args, "open can be called either with 2 or 3 arguments, not more"); __errordecl (__open_missing_mode, 
@@ -58,12 +60,34 @@ open (const char *__path, int __oflag, ...) return __open_alias (__path, __oflag, __va_arg_pack ()); } +#elif __fortify_use_clang +__fortify_function_error_function __attribute_overloadable__ int +open (const char *__path, int __oflag, mode_t __mode, ...) + __fortify_clang_unavailable ("open can be called either with 2 or 3 arguments, not more"); + +__fortify_function __attribute_overloadable__ int +open (__fortify_clang_overload_arg (const char *, ,__path), int __oflag) + __fortify_clang_prefer_this_overload + __fortify_clang_error (__OPEN_NEEDS_MODE (__oflag), + "open with O_CREAT or O_TMPFILE in second argument needs 3 arguments") +{ + return __open_2 (__path, __oflag); +} + +__fortify_function __attribute_overloadable__ int +open (__fortify_clang_overload_arg (const char *, ,__path), int __oflag, + mode_t __mode) +{ + return __open_alias (__path, __oflag, __mode); +} +#endif #ifdef __USE_LARGEFILE64 extern int __open64_2 (const char *__path, int __oflag) __nonnull ((1)); extern int __REDIRECT (__open64_alias, (const char *__path, int __oflag, ...), open64) __nonnull ((1)); +# ifdef __va_arg_pack_len __errordecl (__open64_too_many_args, "open64 can be called either with 2 or 3 arguments, not more"); __errordecl (__open64_missing_mode, 
@@ -90,6 +114,27 @@ open64 (const char *__path, int __oflag, ...) return __open64_alias (__path, __oflag, __va_arg_pack ()); } +# elif __fortify_use_clang +__fortify_function_error_function __attribute_overloadable__ int +open64 (const char *__path, int __oflag, mode_t __mode, ...) + __fortify_clang_unavailable ("open64 can be called either with 2 or 3 arguments, not more"); + +__fortify_function __attribute_overloadable__ int +open64 (__fortify_clang_overload_arg (const char *, ,__path), int __oflag) + __fortify_clang_prefer_this_overload + __fortify_clang_error (__OPEN_NEEDS_MODE (__oflag), + "open64 with O_CREAT or O_TMPFILE in second argument needs 3 arguments") +{ + return __open64_2 (__path, __oflag); +} + +__fortify_function __attribute_overloadable__ int +open64 (__fortify_clang_overload_arg (const char *, ,__path), int __oflag, + mode_t __mode) +{ + return __open64_alias (__path, __oflag, __mode); +} +# endif #endif @@ -108,6 +153,8 @@ extern int __REDIRECT (__openat_alias, (int __fd, const char *__path, int __oflag, ...), openat64) __nonnull ((2)); # endif + +# ifdef __va_arg_pack_len __errordecl (__openat_too_many_args, "openat can be called either with 3 or 4 arguments, not more"); __errordecl (__openat_missing_mode, 
@@ -134,6 +181,28 @@ openat (int __fd, const char *__path, int __oflag, ...) return __openat_alias (__fd, __path, __oflag, __va_arg_pack ()); } +# elif __fortify_use_clang +__fortify_function_error_function __attribute_overloadable__ int +openat (int __fd, const char *__path, int __oflag, mode_t __mode, ...) + __fortify_clang_unavailable ("openat can be called either with 3 or 4 arguments, not more"); + +__fortify_function __attribute_overloadable__ int +openat (int __fd, __fortify_clang_overload_arg (const char *, ,__path), + int __oflag) + __fortify_clang_prefer_this_overload + __fortify_clang_error (__OPEN_NEEDS_MODE (__oflag), + "openat with O_CREAT or O_TMPFILE in third argument needs 4 arguments") +{ + return __openat_2 (__fd, __path, __oflag); +} + +__fortify_function __attribute_overloadable__ int +openat (int __fd, __fortify_clang_overload_arg (const char *, ,__path), + int __oflag, mode_t __mode) +{ + return __openat_alias (__fd, __path, __oflag, __mode); +} +# endif # ifdef __USE_LARGEFILE64 @@ -147,6 +216,7 @@ __errordecl (__openat64_too_many_args, __errordecl (__openat64_missing_mode, "openat64 with O_CREAT or O_TMPFILE in third argument needs 4 arguments"); +# ifdef __va_arg_pack_len __fortify_function int openat64 (int __fd, const char *__path, int __oflag, ...) { 
@@ -168,5 +238,27 @@ openat64 (int __fd, const char *__path, int __oflag, ...) return __openat64_alias (__fd, __path, __oflag, __va_arg_pack ()); } +# elif __fortify_use_clang +__fortify_function_error_function __attribute_overloadable__ int +openat64 (int __fd, const char *__path, int __oflag, mode_t __mode, ...) + __fortify_clang_unavailable ("openat64 can be called either with 3 or 4 arguments, not more"); + +__fortify_function __attribute_overloadable__ int +openat64 (int __fd, __fortify_clang_overload_arg (const char *, ,__path), + int __oflag) + __fortify_clang_prefer_this_overload + __fortify_clang_error (__OPEN_NEEDS_MODE (__oflag), + "openat64 with O_CREAT or O_TMPFILE in third argument needs 4 arguments") +{ + return __openat64_2 (__fd, __path, __oflag); +} + +__fortify_function __attribute_overloadable__ int +openat64 (int __fd, __fortify_clang_overload_arg (const char *, ,__path), + int __oflag, mode_t __mode) +{ + return __openat64_alias (__fd, __path, __oflag, __mode); +} +# endif # endif #endif diff --git a/io/fcntl.h b/io/fcntl.h index 9cee0b5900..38aa12d7f2 100644 --- a/io/fcntl.h +++ b/io/fcntl.h @@ -337,8 +337,7 @@ extern int posix_fallocate64 (int __fd, off64_t __offset, off64_t __len); /* Define some inlines helping to catch common problems. */ -#if __USE_FORTIFY_LEVEL > 0 && defined __fortify_function \ - && defined __va_arg_pack_len +#if __USE_FORTIFY_LEVEL > 0 && defined __fortify_function # include #endif diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h index 62507044c8..6b03417453 100644 --- a/misc/sys/cdefs.h +++ b/misc/sys/cdefs.h 
@@ -257,7 +257,9 @@ # define __fortify_clang_warning(__c, __msg) \ __attribute__ ((__diagnose_if__ ((__c), (__msg), "warning"))) -# define __fortify_clang_warning_only_if_bos0_lt(n, buf, complaint) \ +# define __fortify_clang_error(__c, __msg) \ + __attribute__ ((__diagnose_if__ ((__c), (__msg), "error"))) +# define __fortify_clang_warning_only_if_bos0_lt(n, buf, complaint) \ __attribute__ ((__diagnose_if__ \ (__fortify_clang_bosn_args (__bos0, n, buf, 1, complaint)))) # define __fortify_clang_warning_only_if_bos0_lt2(n, buf, div, complaint) \ 
@@ -270,6 +272,11 @@ __attribute__ ((__diagnose_if__ \ (__fortify_clang_bosn_args (__bos, n, buf, div, complaint)))) +# define __fortify_clang_prefer_this_overload \ + __attribute__ ((enable_if (1, ""))) +# define __fortify_clang_unavailable(__msg) \ + __attribute__ ((unavailable(__msg))) + # if __USE_FORTIFY_LEVEL == 3 # define __fortify_clang_overload_arg(__type, __attr, __name) \ __type __attr const __fortify_clang_pass_dynamic_object_size __name
From patchwork Thu Feb 8 18:46:22 2024
X-Patchwork-Submitter: Adhemerval Zanella Netto
X-Patchwork-Id: 85480
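Review bot: it is not evident from the open hunk (@@ -58,12 +60,34 @@ in io/bits/fcntl2.h) why the two-argument overload needs __fortify_clang_prefer_this_overload while the three-argument one does not, nor that the variadic (path, oflag, mode, ...) declaration exists only as the unavailable catch-all for four or more arguments. Since the same trio is repeated for open64, openat and openat64, a block comment above the first instance describing which overload is selected for each argument count would make later changes safer.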
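Review bot: in the openat64 block (hunk @@ -147,6 +216,7 @@ in io/bits/fcntl2.h) the new # ifdef __va_arg_pack_len is placed after the __errordecl lines for __openat64_too_many_args and __openat64_missing_mode, whereas for open, open64 and openat it is placed before them. As posted, a clang build still declares the two openat64 error functions although nothing in the # elif __fortify_use_clang branch uses them; move the # ifdef above the __errordecl pair to match the other three.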
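Review bot: in the misc/sys/cdefs.h hunk @@ -270,6 +272,11 @@, __fortify_clang_prefer_this_overload and __fortify_clang_unavailable spell their attributes as enable_if and unavailable, while the neighbouring macros use the reserved form __diagnose_if__. In an installed header the unreserved spellings can be broken by a user macro of the same name; please use __enable_if__ and __unavailable__.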
From: Adhemerval Zanella
To: libc-alpha@sourceware.org
Cc: Siddhesh Poyarekar
Subject: [PATCH v3 10/10] debug: Improve mqueue.h fortify warnings with clang
Date: Thu, 8 Feb 2024 15:46:22 -0300
Message-Id: <20240208184622.332678-11-adhemerval.zanella@linaro.org>
In-Reply-To: <20240208184622.332678-1-adhemerval.zanella@linaro.org>
References: <20240208184622.332678-1-adhemerval.zanella@linaro.org>

It improves mq_open. The compile and runtime checks have similar coverage as with GCC.

Checked on aarch64, armhf, x86_64, and i686.
Reviewed-by: Carlos O'Donell
Tested-by: Carlos O'Donell
--- rt/bits/mqueue2.h | 29 +++++++++++++++++++++++++++++ rt/mqueue.h | 3 +-- 2 files changed, 30 insertions(+), 2 deletions(-) diff --git a/rt/bits/mqueue2.h b/rt/bits/mqueue2.h index 0f9d67966f..d6d2d9012d 100644 --- a/rt/bits/mqueue2.h 
+++ b/rt/bits/mqueue2.h @@ -29,6 +29,8 @@ extern mqd_t __mq_open_2 (const char *__name, int __oflag) extern mqd_t __REDIRECT_NTH (__mq_open_alias, (const char *__name, int __oflag, ...), mq_open) __nonnull ((1)); + +#ifdef __va_arg_pack_len __errordecl (__mq_open_wrong_number_of_args, "mq_open can be called either with 2 or 4 arguments"); __errordecl (__mq_open_missing_mode_and_attr, @@ -55,3 +57,30 @@ __NTH (mq_open (const char *__name, int __oflag, ...)) return __mq_open_alias (__name, __oflag, __va_arg_pack ()); } +#elif __fortify_use_clang +__fortify_function_error_function __attribute_overloadable__ mqd_t +__NTH (mq_open (const char *__name, int __oflag, mode_t mode)) + __fortify_clang_unavailable ("mq_open can be called either with 2 or 4 arguments"); + +__fortify_function_error_function __attribute_overloadable__ mqd_t +__NTH (mq_open (const char *__name, int __oflag, mode_t mode, + struct mq_attr *attr, ...)) + __fortify_clang_unavailable ("mq_open can be called either with 2 or 4 arguments"); + +__fortify_function __attribute_overloadable__ mqd_t +__NTH (mq_open (__fortify_clang_overload_arg (const char *, ,__name), + int __oflag)) + __fortify_clang_prefer_this_overload + __fortify_clang_error ((__oflag & O_CREAT), + "mq_open with O_CREAT in second argument needs 4 arguments") +{ + return __mq_open_alias (__name, __oflag); +} + +__fortify_function __attribute_overloadable__ mqd_t +__NTH (mq_open (__fortify_clang_overload_arg (const char *, ,__name), + int __oflag, int __mode, struct mq_attr *__attr)) +{ + return __mq_open_alias (__name, __oflag, __mode, __attr); +} +#endif diff --git a/rt/mqueue.h b/rt/mqueue.h index 787cc36df2..d39334ba16 100644 --- a/rt/mqueue.h +++ b/rt/mqueue.h 
@@ -110,8 +110,7 @@ extern int __REDIRECT (mq_timedsend, (mqd_t __mqdes, #endif /* Define some inlines helping to catch common problems. */ -#if __USE_FORTIFY_LEVEL > 0 && defined __fortify_function \ - && defined __va_arg_pack_len +#if __USE_FORTIFY_LEVEL > 0 && defined __fortify_function # include #endif
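Review bot: the two-argument clang overload of mq_open (hunk @@ -55,3 +57,30 @@ in rt/bits/mqueue2.h) returns __mq_open_alias (__name, __oflag), so when __oflag is not a compile-time constant nothing checks for O_CREAT without mode and attr, because the __fortify_clang_error condition can only fire on a constant. __mq_open_2 is declared in this file's context lines, and the fcntl.h patch in this series routes its two-argument overloads to __open_2 and its siblings; this overload should call __mq_open_2 (__name, __oflag) likewise. In the same hunk the unavailable overloads name their parameters mode and attr without the __ prefix and type the mode as mode_t, while the four-argument overload takes int __mode; please use reserved names and one type throughout.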