From patchwork Tue Oct 12 16:16:27 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Siddhesh Poyarekar X-Patchwork-Id: 46138 X-Patchwork-Delegate: azanella@linux.vnet.ibm.com Return-Path: X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 719683857430 for ; Tue, 12 Oct 2021 16:17:47 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 719683857430 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1634055467; bh=n8Pch/h1oV8u7yHKOhjzPLRIXs4I2CoB0UZk7n9QYug=; h=To:Subject:Date:In-Reply-To:References:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To: From; b=oh6dGyqc3rIIlcdHpfgLUUGPhYecSQ5hZ0ujQU9CRwdNxjDq8s+VfUAgrtPxnjjgA /MMCe6dlQaDrOCcMBCxl4pavWZ0xq2x/q4OKic/kLE/8CW4/RYn0FKPoH4jLZbgF05 cPyM0MvFAHsjFxl5CplSuRTgsyLcozKV1MdM4DKs= X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from brown.birch.relay.mailchannels.net (brown.birch.relay.mailchannels.net [23.83.209.23]) by sourceware.org (Postfix) with ESMTPS id CAC9E385743E for ; Tue, 12 Oct 2021 16:16:48 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org CAC9E385743E X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id BB829542879; Tue, 12 Oct 2021 16:16:43 +0000 (UTC) Received: from pdx1-sub0-mail-a74.g.dreamhost.com (100-96-18-141.trex.outbound.svc.cluster.local [100.96.18.141]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id F12CB5428D5; Tue, 12 Oct 2021 16:16:42 +0000 (UTC) X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org Received: from pdx1-sub0-mail-a74.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384) by 100.96.18.141 (trex/6.4.3); Tue, 12 Oct 2021 16:16:43 +0000 X-MC-Relay: Junk X-MailChannels-SenderId: dreamhost|x-authsender|siddhesh@gotplt.org X-MailChannels-Auth-Id: dreamhost X-Wiry-Quick: 6c3a5c6c00222f65_1634055403259_1095060635 X-MC-Loop-Signature: 1634055403259:3193917322 X-MC-Ingress-Time: 1634055403259 Received: from pdx1-sub0-mail-a74.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a74.g.dreamhost.com (Postfix) with ESMTP id 7BCA384141; Tue, 12 Oct 2021 09:16:42 -0700 (PDT) Received: from rhbox.redhat.com (unknown [1.186.121.188]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: siddhesh@gotplt.org) by pdx1-sub0-mail-a74.g.dreamhost.com (Postfix) with ESMTPSA id 325CC7F5CA; Tue, 12 Oct 2021 09:16:39 -0700 (PDT) X-DH-BACKEND: pdx1-sub0-mail-a74 To: libc-alpha@sourceware.org Subject: [PATCH 1/3] Don't add access size hints to fortifiable functions Date: Tue, 12 Oct 2021 21:46:27 +0530 Message-Id: <20211012161629.302696-2-siddhesh@sourceware.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211012161629.302696-1-siddhesh@sourceware.org> References: <20211012161629.302696-1-siddhesh@sourceware.org> MIME-Version: 1.0 X-Spam-Status: No, score=-3494.6 required=5.0 tests=BAYES_00, GIT_PATCH_0, JMQ_SPF_NEUTRAL, KAM_DMARC_NONE, KAM_DMARC_STATUS, RCVD_IN_BARRACUDACENTRAL, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2, RCVD_IN_SBL, SPF_HELO_NONE, SPF_NEUTRAL, TXREP autolearn=ham autolearn_force=no version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: Siddhesh Poyarekar via Libc-alpha From: Siddhesh Poyarekar Reply-To: Siddhesh Poyarekar Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org Sender: "Libc-alpha" In the context of a function definition, the size hints imply that the size of an object pointed to by one parameter is another parameter. This doesn't make sense for the fortified versions of the functions since that's the bit it's trying to validate. This is harmless with __builtin_object_size since it has fairly simple semantics when it comes to objects passed as function parameters. With __builtin_dynamic_object_size we could (as my patchset for gcc[1] already does) use the access attribute to determine the object size in the general case but it misleads the fortified functions. Disable the access attribute for fortified function inline functions when building at _FORTIFY_SOURCE=3 to make this work better. The access attributes remain for the _chk variants since they can be used by the compiler to warn when the caller is passing invalid arguments. Signed-off-by: Siddhesh Poyarekar Reviewed-by: Adhemerval Zanella --- io/bits/poll2.h | 4 ++-- io/sys/poll.h | 6 +++--- libio/bits/stdio2.h | 4 ++-- libio/stdio.h | 4 ++-- misc/sys/cdefs.h | 10 ++++++++++ posix/unistd.h | 28 ++++++++++++++++------------ stdlib/stdlib.h | 5 +++-- string/bits/string_fortified.h | 5 +++-- string/string.h | 2 +- 9 files changed, 42 insertions(+), 26 deletions(-) diff --git a/io/bits/poll2.h b/io/bits/poll2.h index a623678c09..be74d020f2 100644 --- a/io/bits/poll2.h +++ b/io/bits/poll2.h @@ -33,7 +33,7 @@ extern int __REDIRECT (__poll_chk_warn, (struct pollfd *__fds, nfds_t __nfds, __poll_chk) __warnattr ("poll called with fds buffer too small file nfds entries"); -__fortify_function __attr_access ((__write_only__, 1, 2)) int +__fortify_function __fortified_attr_access (__write_only__, 1, 2) int poll (struct pollfd *__fds, nfds_t __nfds, int __timeout) { if (__glibc_objsize (__fds) != (__SIZE_TYPE__) -1) @@ -64,7 +64,7 @@ extern int __REDIRECT (__ppoll_chk_warn, (struct pollfd *__fds, nfds_t __nfds, __ppoll_chk) __warnattr ("ppoll called with fds buffer too small file nfds entries"); -__fortify_function __attr_access ((__write_only__, 1, 2)) int +__fortify_function __fortified_attr_access (__write_only__, 1, 2) int ppoll (struct pollfd *__fds, nfds_t __nfds, const struct timespec *__timeout, const __sigset_t *__ss) { diff --git a/io/sys/poll.h b/io/sys/poll.h index e640efb2bc..751c7f5f72 100644 --- a/io/sys/poll.h +++ b/io/sys/poll.h @@ -52,7 +52,7 @@ __BEGIN_DECLS This function is a cancellation point and therefore not marked with __THROW. */ extern int poll (struct pollfd *__fds, nfds_t __nfds, int __timeout) - __attr_access ((__write_only__, 1, 2)); + __fortified_attr_access (__write_only__, 1, 2); #ifdef __USE_GNU /* Like poll, but before waiting the threads signal mask is replaced @@ -64,7 +64,7 @@ extern int poll (struct pollfd *__fds, nfds_t __nfds, int __timeout) extern int ppoll (struct pollfd *__fds, nfds_t __nfds, const struct timespec *__timeout, const __sigset_t *__ss) - __attr_access ((__write_only__, 1, 2)); + __fortified_attr_access (__write_only__, 1, 2); # ifdef __USE_TIME_BITS64 # ifdef __REDIRECT @@ -72,7 +72,7 @@ extern int __REDIRECT (ppoll, (struct pollfd *__fds, nfds_t __nfds, const struct timespec *__timeout, const __sigset_t *__ss), __ppoll64) - __attr_access ((__write_only__, 1, 2)); + __fortified_attr_access (__write_only__, 1, 2); # else # define ppoll __ppoll64 # endif diff --git a/libio/bits/stdio2.h b/libio/bits/stdio2.h index 3f0cab1254..4f016a5638 100644 --- a/libio/bits/stdio2.h +++ b/libio/bits/stdio2.h @@ -258,7 +258,7 @@ extern char *__REDIRECT (__fgets_chk_warn, __wur __warnattr ("fgets called with bigger size than length " "of destination buffer"); -__fortify_function __wur __attr_access ((__write_only__, 1, 2)) char * +__fortify_function __wur __fortified_attr_access (__write_only__, 1, 2) char * fgets (char *__restrict __s, int __n, FILE *__restrict __stream) { if (__glibc_objsize (__s) != (size_t) -1) @@ -320,7 +320,7 @@ extern char *__REDIRECT (__fgets_unlocked_chk_warn, __wur __warnattr ("fgets_unlocked called with bigger size than length " "of destination buffer"); -__fortify_function __wur __attr_access ((__write_only__, 1, 2)) char * +__fortify_function __wur __fortified_attr_access (__write_only__, 1, 2) char * fgets_unlocked (char *__restrict __s, int __n, FILE *__restrict __stream) { if (__glibc_objsize (__s) != (size_t) -1) diff --git a/libio/stdio.h b/libio/stdio.h index 0a5c76b552..f208f5ef79 100644 --- a/libio/stdio.h +++ b/libio/stdio.h @@ -590,7 +590,7 @@ extern int putw (int __w, FILE *__stream); This function is a possible cancellation point and therefore not marked with __THROW. */ extern char *fgets (char *__restrict __s, int __n, FILE *__restrict __stream) - __wur __attr_access ((__write_only__, 1, 2)); + __wur __fortified_attr_access (__write_only__, 1, 2); #if __GLIBC_USE (DEPRECATED_GETS) /* Get a newline-terminated string from stdin, removing the newline. @@ -614,7 +614,7 @@ extern char *gets (char *__s) __wur __attribute_deprecated__; therefore not marked with __THROW. */ extern char *fgets_unlocked (char *__restrict __s, int __n, FILE *__restrict __stream) __wur - __attr_access ((__write_only__, 1, 2)); + __fortified_attr_access (__write_only__, 1, 2); #endif diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h index c8e10aae17..d08c2adfd0 100644 --- a/misc/sys/cdefs.h +++ b/misc/sys/cdefs.h @@ -606,12 +606,22 @@ _Static_assert (0, "IEEE 128-bits long double requires redirection on this platf size-index is not provided: access (access-mode, [, ]) */ # define __attr_access(x) __attribute__ ((__access__ x)) +/* For _FORTIFY_SOURCE == 3 we use __builtin_dynamic_object_size, which may + use the access attribute to get object sizes from function definition + arguments, so we can't use them on functions we fortify. Drop the object + size hints for such functions. */ +# if __USE_FORTIFY_LEVEL == 3 +# define __fortified_attr_access(a, o, s) __attribute__ ((__access__ (a, o))) +# else +# define __fortified_attr_access(a, o, s) __attr_access ((a, o, s)) +# endif # if __GNUC_PREREQ (11, 0) # define __attr_access_none(argno) __attribute__ ((__access__ (__none__, argno))) # else # define __attr_access_none(argno) # endif #else +# define __fortified_attr_access(a, o, s) # define __attr_access(x) # define __attr_access_none(argno) #endif diff --git a/posix/unistd.h b/posix/unistd.h index 8224c5fbc9..7a61ff5e86 100644 --- a/posix/unistd.h +++ b/posix/unistd.h @@ -369,7 +369,7 @@ extern void closefrom (int __lowfd) __THROW; This function is a cancellation point and therefore not marked with __THROW. */ extern ssize_t read (int __fd, void *__buf, size_t __nbytes) __wur - __attr_access ((__write_only__, 2, 3)); + __fortified_attr_access (__write_only__, 2, 3); /* Write N bytes of BUF to FD. Return the number written, or -1. @@ -388,7 +388,7 @@ extern ssize_t write (int __fd, const void *__buf, size_t __n) __wur __THROW. */ extern ssize_t pread (int __fd, void *__buf, size_t __nbytes, __off_t __offset) __wur - __attr_access ((__write_only__, 2, 3)); + __fortified_attr_access (__write_only__, 2, 3); /* Write N bytes of BUF to FD at the given position OFFSET without changing the file pointer. Return the number written, or -1. @@ -404,7 +404,7 @@ extern ssize_t pwrite (int __fd, const void *__buf, size_t __n, extern ssize_t __REDIRECT (pread, (int __fd, void *__buf, size_t __nbytes, __off64_t __offset), pread64) __wur - __attr_access ((__write_only__, 2, 3)); + __fortified_attr_access (__write_only__, 2, 3); extern ssize_t __REDIRECT (pwrite, (int __fd, const void *__buf, size_t __nbytes, __off64_t __offset), pwrite64) __wur @@ -421,7 +421,7 @@ extern ssize_t __REDIRECT (pwrite, (int __fd, const void *__buf, or 0 for EOF. */ extern ssize_t pread64 (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) __wur - __attr_access ((__write_only__, 2, 3)); + __fortified_attr_access (__write_only__, 2, 3); /* Write N bytes of BUF to FD at the given position OFFSET without changing the file pointer. Return the number written, or -1. */ extern ssize_t pwrite64 (int __fd, const void *__buf, size_t __n, @@ -642,7 +642,7 @@ extern long int sysconf (int __name) __THROW; #ifdef __USE_POSIX2 /* Get the value of the string-valued system variable NAME. */ extern size_t confstr (int __name, char *__buf, size_t __len) __THROW - __attr_access ((__write_only__, 2, 3)); + __fortified_attr_access (__write_only__, 2, 3); #endif @@ -709,7 +709,7 @@ extern __gid_t getegid (void) __THROW; the calling process is in. Otherwise, fill in the group IDs of its supplementary groups in LIST and return the number written. */ extern int getgroups (int __size, __gid_t __list[]) __THROW __wur - __attr_access ((__write_only__, 2, 1)); + __fortified_attr_access (__write_only__, 2, 1); #ifdef __USE_GNU /* Return nonzero iff the calling process is in group GID. */ extern int group_member (__gid_t __gid) __THROW; @@ -801,7 +801,8 @@ extern char *ttyname (int __fd) __THROW; /* Store at most BUFLEN characters of the pathname of the terminal FD is open on in BUF. Return 0 on success, otherwise an error number. */ extern int ttyname_r (int __fd, char *__buf, size_t __buflen) - __THROW __nonnull ((2)) __wur __attr_access ((__write_only__, 2, 3)); + __THROW __nonnull ((2)) __wur + __fortified_attr_access (__write_only__, 2, 3); /* Return 1 if FD is a valid descriptor associated with a terminal, zero if not. */ @@ -836,7 +837,8 @@ extern int symlink (const char *__from, const char *__to) Returns the number of characters read, or -1 for errors. */ extern ssize_t readlink (const char *__restrict __path, char *__restrict __buf, size_t __len) - __THROW __nonnull ((1, 2)) __wur __attr_access ((__write_only__, 2, 3)); + __THROW __nonnull ((1, 2)) __wur + __fortified_attr_access (__write_only__, 2, 3); #endif /* Use POSIX.1-2001. */ @@ -848,7 +850,8 @@ extern int symlinkat (const char *__from, int __tofd, /* Like readlink but a relative PATH is interpreted relative to FD. */ extern ssize_t readlinkat (int __fd, const char *__restrict __path, char *__restrict __buf, size_t __len) - __THROW __nonnull ((2, 3)) __wur __attr_access ((__write_only__, 3, 4)); + __THROW __nonnull ((2, 3)) __wur + __fortified_attr_access (__write_only__, 3, 4); #endif /* Remove the link NAME. */ @@ -884,7 +887,7 @@ extern char *getlogin (void); This function is a possible cancellation point and therefore not marked with __THROW. */ extern int getlogin_r (char *__name, size_t __name_len) __nonnull ((1)) - __attr_access ((__write_only__, 1, 2)); + __fortified_attr_access (__write_only__, 1, 2); #endif #ifdef __USE_MISC @@ -906,7 +909,7 @@ extern int setlogin (const char *__name) __THROW __nonnull ((1)); The result is null-terminated if LEN is large enough for the full name and the terminator. */ extern int gethostname (char *__name, size_t __len) __THROW __nonnull ((1)) - __attr_access ((__write_only__, 1, 2)); + __fortified_attr_access (__write_only__, 1, 2); #endif @@ -925,7 +928,8 @@ extern int sethostid (long int __id) __THROW __wur; Called just like `gethostname' and `sethostname'. The NIS domain name is usually the empty string when not using NIS. */ extern int getdomainname (char *__name, size_t __len) - __THROW __nonnull ((1)) __wur __attr_access ((__write_only__, 1, 2)); + __THROW __nonnull ((1)) __wur + __fortified_attr_access (__write_only__, 1, 2); extern int setdomainname (const char *__name, size_t __len) __THROW __nonnull ((1)) __wur __attr_access ((__read_only__, 1, 2)); diff --git a/stdlib/stdlib.h b/stdlib/stdlib.h index 0481c12355..74c00eee73 100644 --- a/stdlib/stdlib.h +++ b/stdlib/stdlib.h @@ -943,7 +943,8 @@ extern size_t mbstowcs (wchar_t *__restrict __pwcs, extern size_t wcstombs (char *__restrict __s, const wchar_t *__restrict __pwcs, size_t __n) __THROW - __attr_access ((__write_only__, 1, 3)) __attr_access ((__read_only__, 2)); + __fortified_attr_access (__write_only__, 1, 3) + __attr_access ((__read_only__, 2)); #ifdef __USE_MISC /* Determine whether the string value of RESPONSE matches the affirmation @@ -997,7 +998,7 @@ extern char *ptsname (int __fd) __THROW __wur; terminal associated with the master FD is open on in BUF. Return 0 on success, otherwise an error number. */ extern int ptsname_r (int __fd, char *__buf, size_t __buflen) - __THROW __nonnull ((2)) __attr_access ((__write_only__, 2, 3)); + __THROW __nonnull ((2)) __fortified_attr_access (__write_only__, 2, 3); /* Open a master pseudo terminal and return its file descriptor. */ extern int getpt (void); diff --git a/string/bits/string_fortified.h b/string/bits/string_fortified.h index 67ae2c6b50..5731274848 100644 --- a/string/bits/string_fortified.h +++ b/string/bits/string_fortified.h @@ -64,7 +64,7 @@ __NTH (memset (void *__dest, int __ch, size_t __len)) # include void __explicit_bzero_chk (void *__dest, size_t __len, size_t __destlen) - __THROW __nonnull ((1)) __attr_access ((__write_only__, 1, 2)); + __THROW __nonnull ((1)) __fortified_attr_access (__write_only__, 1, 2); __fortify_function void __NTH (explicit_bzero (void *__dest, size_t __len)) @@ -106,7 +106,8 @@ __NTH (stpncpy (char *__dest, const char *__src, size_t __n)) #else extern char *__stpncpy_chk (char *__dest, const char *__src, size_t __n, size_t __destlen) __THROW - __attr_access ((__write_only__, 1, 3)) __attr_access ((__read_only__, 2)); + __fortified_attr_access ((__write_only__, 1, 3)) + __attr_access ((__read_only__, 2)); extern char *__REDIRECT_NTH (__stpncpy_alias, (char *__dest, const char *__src, size_t __n), stpncpy); diff --git a/string/string.h b/string/string.h index 04e1b7067d..8dcafb4ac4 100644 --- a/string/string.h +++ b/string/string.h @@ -448,7 +448,7 @@ extern char *strerror_l (int __errnum, locale_t __l) __THROW; /* Set N bytes of S to 0. The compiler will not delete a call to this function, even if S is dead after the call. */ extern void explicit_bzero (void *__s, size_t __n) __THROW __nonnull ((1)) - __attr_access ((__write_only__, 1, 2)); + __fortified_attr_access (__write_only__, 1, 2); /* Return the next DELIM-delimited token from *STRINGP, terminating it with a '\0', and update *STRINGP to point past it. */ From patchwork Tue Oct 12 16:16:28 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Siddhesh Poyarekar X-Patchwork-Id: 46139 X-Patchwork-Delegate: azanella@linux.vnet.ibm.com Return-Path: X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 36B573857430 for ; Tue, 12 Oct 2021 16:18:36 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 36B573857430 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1634055516; bh=fA0YoLoCy9eQyF+i9JqZ9yQMcrO5b/pQlKexwx2A7fs=; h=To:Subject:Date:In-Reply-To:References:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To: From; b=OGrExPM8Re3pxLbuU8xb3RxO0MIh8gr8+NPncFkwX2znmRp4SJh2MrHc4JhUmFxnb mzQeJpe81KsflwyDepjc7EATHRZAhfL7gh0RAR0oBmqkibSJMp1QafOY8HrC2UY3ZV 7LbHAri/dlZ/D6m6Bes21wbRz9JPu5zdj8gCxSas= X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from cadetblue.ash.relay.mailchannels.net (cadetblue.ash.relay.mailchannels.net [23.83.222.28]) by sourceware.org (Postfix) with ESMTPS id 0B0BE3857435 for ; Tue, 12 Oct 2021 16:16:53 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 0B0BE3857435 X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 3029A6818F5; Tue, 12 Oct 2021 16:16:50 +0000 (UTC) Received: from pdx1-sub0-mail-a74.g.dreamhost.com (100-96-11-21.trex.outbound.svc.cluster.local [100.96.11.21]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id B73EE680A7B; Tue, 12 Oct 2021 16:16:49 +0000 (UTC) X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org Received: from pdx1-sub0-mail-a74.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384) by 100.96.11.21 (trex/6.4.3); Tue, 12 Oct 2021 16:16:50 +0000 X-MC-Relay: Junk X-MailChannels-SenderId: dreamhost|x-authsender|siddhesh@gotplt.org X-MailChannels-Auth-Id: dreamhost X-Lonely-Rock: 0545621f5c04fc7e_1634055410066_1047388341 X-MC-Loop-Signature: 1634055410066:3334704999 X-MC-Ingress-Time: 1634055410065 Received: from pdx1-sub0-mail-a74.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a74.g.dreamhost.com (Postfix) with ESMTP id 935BE84149; Tue, 12 Oct 2021 09:16:48 -0700 (PDT) Received: from rhbox.redhat.com (unknown [1.186.121.188]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: siddhesh@gotplt.org) by pdx1-sub0-mail-a74.g.dreamhost.com (Postfix) with ESMTPSA id 127FC7F5CA; Tue, 12 Oct 2021 09:16:42 -0700 (PDT) X-DH-BACKEND: pdx1-sub0-mail-a74 To: libc-alpha@sourceware.org Subject: [PATCH 2/3] Make sure that the fortified function conditionals are constant Date: Tue, 12 Oct 2021 21:46:28 +0530 Message-Id: <20211012161629.302696-3-siddhesh@sourceware.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211012161629.302696-1-siddhesh@sourceware.org> References: <20211012161629.302696-1-siddhesh@sourceware.org> MIME-Version: 1.0 X-Spam-Status: No, score=-3494.6 required=5.0 tests=BAYES_00, GIT_PATCH_0, JMQ_SPF_NEUTRAL, KAM_DMARC_NONE, KAM_DMARC_STATUS, RCVD_IN_BARRACUDACENTRAL, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2, RCVD_IN_SBL, SPF_HELO_NONE, SPF_NEUTRAL, TXREP autolearn=ham autolearn_force=no version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: Siddhesh Poyarekar via Libc-alpha From: Siddhesh Poyarekar Reply-To: Siddhesh Poyarekar Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org Sender: "Libc-alpha" In _FORTIFY_SOURCE=3, the size expression may be non-constant, resulting in branches in the inline functions remaining intact and causing a tiny overhead. Clang (and in future, gcc) make sure that the -1 case is always safe, i.e. any comparison of the generated expression with (size_t)-1 is always false so that bit is taken care of. The rest is avoidable since we want the _chk variant whenever we have a size expression and it's not -1. Rework the conditionals in a uniform way to clearly indicate two conditions at compile time: - Either the size is unknown (-1) or we know at compile time that the operation length is less than the object size. We can call the original function in this case. It could be that either the length, object size or both are non-constant, but the compiler, through range analysis, is able to fold the *comparison* to a constant. - The size and length are known and the compiler can see at compile time that operation length > object size. This is valid grounds for a warning at compile time, followed by emitting the _chk variant. For everything else, emit the _chk variant. This simplifies most of the fortified function implementations and at the same time, ensures that only one call from _chk or the regular function is emitted. Signed-off-by: Siddhesh Poyarekar --- io/bits/poll2.h | 27 ++---- libio/bits/stdio2.h | 106 +++++++++----------- misc/sys/cdefs.h | 61 ++++++++++++ posix/bits/unistd.h | 174 ++++++++------------------------- socket/bits/socket2.h | 34 +++---- stdlib/bits/stdlib.h | 57 ++++------- wcsmbs/bits/wchar2.h | 219 ++++++++++++------------------------------ 7 files changed, 240 insertions(+), 438 deletions(-) diff --git a/io/bits/poll2.h b/io/bits/poll2.h index be74d020f2..91cdcaf66a 100644 --- a/io/bits/poll2.h +++ b/io/bits/poll2.h @@ -36,16 +36,9 @@ extern int __REDIRECT (__poll_chk_warn, (struct pollfd *__fds, nfds_t __nfds, __fortify_function __fortified_attr_access (__write_only__, 1, 2) int poll (struct pollfd *__fds, nfds_t __nfds, int __timeout) { - if (__glibc_objsize (__fds) != (__SIZE_TYPE__) -1) - { - if (! __builtin_constant_p (__nfds)) - return __poll_chk (__fds, __nfds, __timeout, __glibc_objsize (__fds)); - else if (__glibc_objsize (__fds) / sizeof (*__fds) < __nfds) - return __poll_chk_warn (__fds, __nfds, __timeout, - __glibc_objsize (__fds)); - } - - return __poll_alias (__fds, __nfds, __timeout); + return __glibc_fortify (poll, __nfds, sizeof (*__fds), + __glibc_objsize (__fds), + __fds, __nfds, __timeout); } @@ -68,17 +61,9 @@ __fortify_function __fortified_attr_access (__write_only__, 1, 2) int ppoll (struct pollfd *__fds, nfds_t __nfds, const struct timespec *__timeout, const __sigset_t *__ss) { - if (__glibc_objsize (__fds) != (__SIZE_TYPE__) -1) - { - if (! __builtin_constant_p (__nfds)) - return __ppoll_chk (__fds, __nfds, __timeout, __ss, - __glibc_objsize (__fds)); - else if (__glibc_objsize (__fds) / sizeof (*__fds) < __nfds) - return __ppoll_chk_warn (__fds, __nfds, __timeout, __ss, - __glibc_objsize (__fds)); - } - - return __ppoll_alias (__fds, __nfds, __timeout, __ss); + return __glibc_fortify (ppoll, __nfds, sizeof (*__fds), + __glibc_objsize (__fds), + __fds, __nfds, __timeout, __ss); } #endif diff --git a/libio/bits/stdio2.h b/libio/bits/stdio2.h index 4f016a5638..c111d13320 100644 --- a/libio/bits/stdio2.h +++ b/libio/bits/stdio2.h @@ -261,15 +261,12 @@ extern char *__REDIRECT (__fgets_chk_warn, __fortify_function __wur __fortified_attr_access (__write_only__, 1, 2) char * fgets (char *__restrict __s, int __n, FILE *__restrict __stream) { - if (__glibc_objsize (__s) != (size_t) -1) - { - if (!__builtin_constant_p (__n) || __n <= 0) - return __fgets_chk (__s, __glibc_objsize (__s), __n, __stream); - - if ((size_t) __n > __glibc_objsize (__s)) - return __fgets_chk_warn (__s, __glibc_objsize (__s), __n, __stream); - } - return __fgets_alias (__s, __n, __stream); + size_t sz = __glibc_objsize (__s); + if (__glibc_safe_or_unknown_len_signed (__n, sizeof (char), sz)) + return __fgets_alias (__s, __n, __stream); + if (__glibc_unsafe_len_signed (__n, sizeof (char), sz)) + return __fgets_chk_warn (__s, sz, __n, __stream); + return __fgets_chk (__s, sz, __n, __stream); } extern size_t __fread_chk (void *__restrict __ptr, size_t __ptrlen, @@ -291,19 +288,12 @@ __fortify_function __wur size_t fread (void *__restrict __ptr, size_t __size, size_t __n, FILE *__restrict __stream) { - if (__glibc_objsize0 (__ptr) != (size_t) -1) - { - if (!__builtin_constant_p (__size) - || !__builtin_constant_p (__n) - || (__size | __n) >= (((size_t) 1) << (8 * sizeof (size_t) / 2))) - return __fread_chk (__ptr, __glibc_objsize0 (__ptr), __size, __n, - __stream); - - if (__size * __n > __glibc_objsize0 (__ptr)) - return __fread_chk_warn (__ptr, __glibc_objsize0 (__ptr), __size, __n, - __stream); - } - return __fread_alias (__ptr, __size, __n, __stream); + size_t sz = __glibc_objsize0 (__ptr); + if (__glibc_safe_or_unknown_len (__n, __size, sz)) + return __fread_alias (__ptr, __size, __n, __stream); + if (__glibc_unsafe_len (__n, __size, sz)) + return __fread_chk_warn (__ptr, sz, __size, __n, __stream); + return __fread_chk (__ptr, sz, __size, __n, __stream); } #ifdef __USE_GNU @@ -323,17 +313,12 @@ extern char *__REDIRECT (__fgets_unlocked_chk_warn, __fortify_function __wur __fortified_attr_access (__write_only__, 1, 2) char * fgets_unlocked (char *__restrict __s, int __n, FILE *__restrict __stream) { - if (__glibc_objsize (__s) != (size_t) -1) - { - if (!__builtin_constant_p (__n) || __n <= 0) - return __fgets_unlocked_chk (__s, __glibc_objsize (__s), __n, - __stream); - - if ((size_t) __n > __glibc_objsize (__s)) - return __fgets_unlocked_chk_warn (__s, __glibc_objsize (__s), __n, - __stream); - } - return __fgets_unlocked_alias (__s, __n, __stream); + size_t sz = __glibc_objsize (__s); + if (__glibc_safe_or_unknown_len_signed (__n, sizeof (char), sz)) + return __fgets_unlocked_alias (__s, __n, __stream); + if (__glibc_unsafe_len_signed (__n, sizeof (char), sz)) + return __fgets_unlocked_chk_warn (__s, sz, __n, __stream); + return __fgets_unlocked_chk (__s, sz, __n, __stream); } #endif @@ -358,41 +343,36 @@ __fortify_function __wur size_t fread_unlocked (void *__restrict __ptr, size_t __size, size_t __n, FILE *__restrict __stream) { - if (__glibc_objsize0 (__ptr) != (size_t) -1) + size_t sz = __glibc_objsize0 (__ptr); + if (__glibc_safe_or_unknown_len (__n, __size, sz)) { - if (!__builtin_constant_p (__size) - || !__builtin_constant_p (__n) - || (__size | __n) >= (((size_t) 1) << (8 * sizeof (size_t) / 2))) - return __fread_unlocked_chk (__ptr, __glibc_objsize0 (__ptr), __size, - __n, __stream); - - if (__size * __n > __glibc_objsize0 (__ptr)) - return __fread_unlocked_chk_warn (__ptr, __glibc_objsize0 (__ptr), - __size, __n, __stream); - } - # ifdef __USE_EXTERN_INLINES - if (__builtin_constant_p (__size) - && __builtin_constant_p (__n) - && (__size | __n) < (((size_t) 1) << (8 * sizeof (size_t) / 2)) - && __size * __n <= 8) - { - size_t __cnt = __size * __n; - char *__cptr = (char *) __ptr; - if (__cnt == 0) - return 0; - - for (; __cnt > 0; --__cnt) + if (__builtin_constant_p (__size) + && __builtin_constant_p (__n) + && (__size | __n) < (((size_t) 1) << (8 * sizeof (size_t) / 2)) + && __size * __n <= 8) { - int __c = getc_unlocked (__stream); - if (__c == EOF) - break; - *__cptr++ = __c; + size_t __cnt = __size * __n; + char *__cptr = (char *) __ptr; + if (__cnt == 0) + return 0; + + for (; __cnt > 0; --__cnt) + { + int __c = getc_unlocked (__stream); + if (__c == EOF) + break; + *__cptr++ = __c; + } + return (__cptr - (char *) __ptr) / __size; } - return (__cptr - (char *) __ptr) / __size; - } # endif - return __fread_unlocked_alias (__ptr, __size, __n, __stream); + return __fread_unlocked_alias (__ptr, __size, __n, __stream); + } + if (__glibc_unsafe_len (__n, __size, sz)) + return __fread_unlocked_chk_warn (__ptr, sz, __size, __n, __stream); + return __fread_unlocked_chk (__ptr, sz, __size, __n, __stream); + } #endif diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h index d08c2adfd0..22062ffaa8 100644 --- a/misc/sys/cdefs.h +++ b/misc/sys/cdefs.h @@ -151,6 +151,67 @@ # define __glibc_objsize(__o) __bos (__o) #endif +/* Compile time conditions to choose between the regular, _chk and _chk_warn + variants. These conditions should get evaluated to constant and optimized + away. */ + +#define __glibc_safe_len_cond(__l, __s, __osz) ((__l) <= (__osz) / (__s)) + +/* Length is known to be safe at compile time if the __L * __S <= __OBJSZ + condition can be folded to a constant and if it is true. The -1 check is + redundant because since it implies that __glibc_safe_len_cond is true. */ +#define __glibc_safe_or_unknown_len(__l, __s, __osz) \ + (__builtin_constant_p (__glibc_safe_len_cond (__l, __s, __osz)) \ + && __glibc_safe_len_cond (__l, __s, __osz)) + +/* Same as above, but add a sign check. */ + +#define __glibc_safe_or_unknown_len_signed(__l, __s, __osz) \ + (__builtin_constant_p (__l) && (__l) > 0 \ + && __glibc_safe_or_unknown_len ((__SIZE_TYPE__) (__l), (__s), (__osz))) + +/* Conversely, we know at compile time that the length is safe if the + __L * __S <= __OBJSZ condition can be folded to a constant and if it is + false. */ +#define __glibc_unsafe_len(__l, __s, __osz) \ + (__builtin_constant_p (__glibc_safe_len_cond (__l, __s, __osz)) \ + && !__glibc_safe_len_cond (__l, __s, __osz)) + +/* Same as above, but add a sign check. */ + +#define __glibc_unsafe_len_signed(__l, __s, __osz) \ + (__builtin_constant_p (__l) && (__l) > 0 \ + && __glibc_unsafe_len ((__SIZE_TYPE__) (__l), (__s), (__osz))) + +/* Fortify function f. __f_alias, __f_chk and __f_chk_warn must be + declared. */ + +#define __glibc_fortify(f, __l, __s, __osz, ...) \ + (__glibc_safe_or_unknown_len (__l, __s, __osz) \ + ? __ ## f ## _alias (__VA_ARGS__) \ + : (__glibc_unsafe_len (__l, __s, __osz) \ + ? __ ## f ## _chk_warn (__VA_ARGS__, __osz) \ + : __ ## f ## _chk (__VA_ARGS__, __osz))) \ + +/* Fortify function f, with signed length __l. */ + +#define __glibc_fortify_signed(f, __l, __s, __osz, ...) \ + (__glibc_safe_or_unknown_len_signed (__l, __s, __osz) \ + ? __ ## f ## _alias (__VA_ARGS__) \ + : (__glibc_unsafe_len_signed (__l, __s, __osz) \ + ? __ ## f ## _chk_warn (__VA_ARGS__, __osz) \ + : __ ## f ## _chk (__VA_ARGS__, __osz))) \ + +/* Fortify function f, where object size argument passed to f is the number of + elements and not total size. */ + +#define __glibc_fortify_n(f, __l, __s, __osz, ...) \ + (__glibc_safe_or_unknown_len (__l, __s, __osz) \ + ? __ ## f ## _alias (__VA_ARGS__) \ + : (__glibc_unsafe_len (__l, __s, __osz) \ + ? __ ## f ## _chk_warn (__VA_ARGS__, (__osz) / (__s)) \ + : __ ## f ## _chk (__VA_ARGS__, (__osz) / (__s)))) \ + #if __GNUC_PREREQ (4,3) # define __warnattr(msg) __attribute__((__warning__ (msg))) # define __errordecl(name, msg) \ diff --git a/posix/bits/unistd.h b/posix/bits/unistd.h index 622adeb2b2..dd8d71d83c 100644 --- a/posix/bits/unistd.h +++ b/posix/bits/unistd.h @@ -35,16 +35,9 @@ extern ssize_t __REDIRECT (__read_chk_warn, __fortify_function __wur ssize_t read (int __fd, void *__buf, size_t __nbytes) { - if (__glibc_objsize0 (__buf) != (size_t) -1) - { - if (!__builtin_constant_p (__nbytes)) - return __read_chk (__fd, __buf, __nbytes, __glibc_objsize0 (__buf)); - - if (__nbytes > __glibc_objsize0 (__buf)) - return __read_chk_warn (__fd, __buf, __nbytes, - __glibc_objsize0 (__buf)); - } - return __read_alias (__fd, __buf, __nbytes); + return __glibc_fortify (read, __nbytes, sizeof (char), + __glibc_objsize0 (__buf), + __fd, __buf, __nbytes); } #ifdef __USE_UNIX98 @@ -78,34 +71,17 @@ extern ssize_t __REDIRECT (__pread64_chk_warn, __fortify_function __wur ssize_t pread (int __fd, void *__buf, size_t __nbytes, __off_t __offset) { - if (__glibc_objsize0 (__buf) != (size_t) -1) - { - if (!__builtin_constant_p (__nbytes)) - return __pread_chk (__fd, __buf, __nbytes, __offset, - __glibc_objsize0 (__buf)); - - if ( __nbytes > __glibc_objsize0 (__buf)) - return __pread_chk_warn (__fd, __buf, __nbytes, __offset, - __glibc_objsize0 (__buf)); - } - return __pread_alias (__fd, __buf, __nbytes, __offset); + return __glibc_fortify (pread, __nbytes, sizeof (char), + __glibc_objsize0 (__buf), + __fd, __buf, __nbytes, __offset); } # else __fortify_function __wur ssize_t pread (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) { - if (__glibc_objsize0 (__buf) != (size_t) -1) - { - if (!__builtin_constant_p (__nbytes)) - return __pread64_chk (__fd, __buf, __nbytes, __offset, - __glibc_objsize0 (__buf)); - - if ( __nbytes > __glibc_objsize0 (__buf)) - return __pread64_chk_warn (__fd, __buf, __nbytes, __offset, - __glibc_objsize0 (__buf)); - } - - return __pread64_alias (__fd, __buf, __nbytes, __offset); + return __glibc_fortify (pread64, __nbytes, sizeof (char), + __glibc_objsize0 (__buf), + __fd, __buf, __nbytes, __offset); } # endif @@ -113,18 +89,9 @@ pread (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) __fortify_function __wur ssize_t pread64 (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) { - if (__glibc_objsize0 (__buf) != (size_t) -1) - { - if (!__builtin_constant_p (__nbytes)) - return __pread64_chk (__fd, __buf, __nbytes, __offset, - __glibc_objsize0 (__buf)); - - if ( __nbytes > __glibc_objsize0 (__buf)) - return __pread64_chk_warn (__fd, __buf, __nbytes, __offset, - __glibc_objsize0 (__buf)); - } - - return __pread64_alias (__fd, __buf, __nbytes, __offset); + return __glibc_fortify (pread64, __nbytes, sizeof (char), + __glibc_objsize0 (__buf), + __fd, __buf, __nbytes, __offset); } # endif #endif @@ -149,16 +116,9 @@ __fortify_function __nonnull ((1, 2)) __wur ssize_t __NTH (readlink (const char *__restrict __path, char *__restrict __buf, size_t __len)) { - if (__glibc_objsize (__buf) != (size_t) -1) - { - if (!__builtin_constant_p (__len)) - return __readlink_chk (__path, __buf, __len, __glibc_objsize (__buf)); - - if ( __len > __glibc_objsize (__buf)) - return __readlink_chk_warn (__path, __buf, __len, - __glibc_objsize (__buf)); - } - return __readlink_alias (__path, __buf, __len); + return __glibc_fortify (readlink, __len, sizeof (char), + __glibc_objsize (__buf), + __path, __buf, __len); } #endif @@ -184,17 +144,9 @@ __fortify_function __nonnull ((2, 3)) __wur ssize_t __NTH (readlinkat (int __fd, const char *__restrict __path, char *__restrict __buf, size_t __len)) { - if (__glibc_objsize (__buf) != (size_t) -1) - { - if (!__builtin_constant_p (__len)) - return __readlinkat_chk (__fd, __path, __buf, __len, - __glibc_objsize (__buf)); - - if (__len > __glibc_objsize (__buf)) - return __readlinkat_chk_warn (__fd, __path, __buf, __len, - __glibc_objsize (__buf)); - } - return __readlinkat_alias (__fd, __path, __buf, __len); + return __glibc_fortify (readlinkat, __len, sizeof (char), + __glibc_objsize (__buf), + __fd, __path, __buf, __len); } #endif @@ -211,15 +163,9 @@ extern char *__REDIRECT_NTH (__getcwd_chk_warn, __fortify_function __wur char * __NTH (getcwd (char *__buf, size_t __size)) { - if (__glibc_objsize (__buf) != (size_t) -1) - { - if (!__builtin_constant_p (__size)) - return __getcwd_chk (__buf, __size, __glibc_objsize (__buf)); - - if (__size > __glibc_objsize (__buf)) - return __getcwd_chk_warn (__buf, __size, __glibc_objsize (__buf)); - } - return __getcwd_alias (__buf, __size); + return __glibc_fortify (getcwd, __size, sizeof (char), + __glibc_objsize (__buf), + __buf, __size); } #if defined __USE_MISC || defined __USE_XOPEN_EXTENDED @@ -253,16 +199,9 @@ extern size_t __REDIRECT_NTH (__confstr_chk_warn, __fortify_function size_t __NTH (confstr (int __name, char *__buf, size_t __len)) { - if (__glibc_objsize (__buf) != (size_t) -1) - { - if (!__builtin_constant_p (__len)) - return __confstr_chk (__name, __buf, __len, __glibc_objsize (__buf)); - - if (__glibc_objsize (__buf) < __len) - return __confstr_chk_warn (__name, __buf, __len, - __glibc_objsize (__buf)); - } - return __confstr_alias (__name, __buf, __len); + return __glibc_fortify (confstr, __len, sizeof (char), + __glibc_objsize (__buf), + __name, __buf, __len); } @@ -279,15 +218,9 @@ extern int __REDIRECT_NTH (__getgroups_chk_warn, __fortify_function int __NTH (getgroups (int __size, __gid_t __list[])) { - if (__glibc_objsize (__list) != (size_t) -1) - { - if (!__builtin_constant_p (__size) || __size < 0) - return __getgroups_chk (__size, __list, __glibc_objsize (__list)); - - if (__size * sizeof (__gid_t) > __glibc_objsize (__list)) - return __getgroups_chk_warn (__size, __list, __glibc_objsize (__list)); - } - return __getgroups_alias (__size, __list); + return __glibc_fortify_signed (getgroups, __size, sizeof (__gid_t), + __glibc_objsize (__list), + __size, __list); } @@ -306,17 +239,9 @@ extern int __REDIRECT_NTH (__ttyname_r_chk_warn, __fortify_function int __NTH (ttyname_r (int __fd, char *__buf, size_t __buflen)) { - if (__glibc_objsize (__buf) != (size_t) -1) - { - if (!__builtin_constant_p (__buflen)) - return __ttyname_r_chk (__fd, __buf, __buflen, - __glibc_objsize (__buf)); - - if (__buflen > __glibc_objsize (__buf)) - return __ttyname_r_chk_warn (__fd, __buf, __buflen, - __glibc_objsize (__buf)); - } - return __ttyname_r_alias (__fd, __buf, __buflen); + return __glibc_fortify (ttyname_r, __buflen, sizeof (char), + __glibc_objsize (__buf), + __fd, __buf, __buflen); } @@ -334,16 +259,9 @@ extern int __REDIRECT (__getlogin_r_chk_warn, __fortify_function int getlogin_r (char *__buf, size_t __buflen) { - if (__glibc_objsize (__buf) != (size_t) -1) - { - if (!__builtin_constant_p (__buflen)) - return __getlogin_r_chk (__buf, __buflen, __glibc_objsize (__buf)); - - if (__buflen > __glibc_objsize (__buf)) - return __getlogin_r_chk_warn (__buf, __buflen, - __glibc_objsize (__buf)); - } - return __getlogin_r_alias (__buf, __buflen); + return __glibc_fortify (getlogin_r, __buflen, sizeof (char), + __glibc_objsize (__buf), + __buf, __buflen); } #endif @@ -363,16 +281,9 @@ extern int __REDIRECT_NTH (__gethostname_chk_warn, __fortify_function int __NTH (gethostname (char *__buf, size_t __buflen)) { - if (__glibc_objsize (__buf) != (size_t) -1) - { - if (!__builtin_constant_p (__buflen)) - return __gethostname_chk (__buf, __buflen, __glibc_objsize (__buf)); - - if (__buflen > __glibc_objsize (__buf)) - return __gethostname_chk_warn (__buf, __buflen, - __glibc_objsize (__buf)); - } - return __gethostname_alias (__buf, __buflen); + return __glibc_fortify (gethostname, __buflen, sizeof (char), + __glibc_objsize (__buf), + __buf, __buflen); } #endif @@ -394,15 +305,8 @@ extern int __REDIRECT_NTH (__getdomainname_chk_warn, __fortify_function int __NTH (getdomainname (char *__buf, size_t __buflen)) { - if (__glibc_objsize (__buf) != (size_t) -1) - { - if (!__builtin_constant_p (__buflen)) - return __getdomainname_chk (__buf, __buflen, __glibc_objsize (__buf)); - - if (__buflen > __glibc_objsize (__buf)) - return __getdomainname_chk_warn (__buf, __buflen, - __glibc_objsize (__buf)); - } - return __getdomainname_alias (__buf, __buflen); + return __glibc_fortify (getdomainname, __buflen, sizeof (char), + __glibc_objsize (__buf), + __buf, __buflen); } #endif diff --git a/socket/bits/socket2.h b/socket/bits/socket2.h index 9c8ac69624..b28cde55f3 100644 --- a/socket/bits/socket2.h +++ b/socket/bits/socket2.h @@ -33,17 +33,12 @@ extern ssize_t __REDIRECT (__recv_chk_warn, __fortify_function ssize_t recv (int __fd, void *__buf, size_t __n, int __flags) { - if (__glibc_objsize0 (__buf) != (size_t) -1) - { - if (!__builtin_constant_p (__n)) - return __recv_chk (__fd, __buf, __n, __glibc_objsize0 (__buf), - __flags); - - if (__n > __glibc_objsize0 (__buf)) - return __recv_chk_warn (__fd, __buf, __n, __glibc_objsize0 (__buf), - __flags); - } - return __recv_alias (__fd, __buf, __n, __flags); + size_t sz = __glibc_objsize0 (__buf); + if (__glibc_safe_or_unknown_len (__n, sizeof (char), sz)) + return __recv_alias (__fd, __buf, __n, __flags); + if (__glibc_unsafe_len (__n, sizeof (char), sz)) + return __recv_chk_warn (__fd, __buf, __n, sz, __flags); + return __recv_chk (__fd, __buf, __n, sz, __flags); } extern ssize_t __recvfrom_chk (int __fd, void *__restrict __buf, size_t __n, @@ -66,14 +61,11 @@ __fortify_function ssize_t recvfrom (int __fd, void *__restrict __buf, size_t __n, int __flags, __SOCKADDR_ARG __addr, socklen_t *__restrict __addr_len) { - if (__glibc_objsize0 (__buf) != (size_t) -1) - { - if (!__builtin_constant_p (__n)) - return __recvfrom_chk (__fd, __buf, __n, __glibc_objsize0 (__buf), - __flags, __addr, __addr_len); - if (__n > __glibc_objsize0 (__buf)) - return __recvfrom_chk_warn (__fd, __buf, __n, __glibc_objsize0 (__buf), - __flags, __addr, __addr_len); - } - return __recvfrom_alias (__fd, __buf, __n, __flags, __addr, __addr_len); + size_t sz = __glibc_objsize0 (__buf); + if (__glibc_safe_or_unknown_len (__n, sizeof (char), sz)) + return __recvfrom_alias (__fd, __buf, __n, __flags, __addr, __addr_len); + if (__glibc_unsafe_len (__n, sizeof (char), sz)) + return __recvfrom_chk_warn (__fd, __buf, __n, sz, __flags, __addr, + __addr_len); + return __recvfrom_chk (__fd, __buf, __n, sz, __flags, __addr, __addr_len); } diff --git a/stdlib/bits/stdlib.h b/stdlib/bits/stdlib.h index eae31b38f0..067115eeca 100644 --- a/stdlib/bits/stdlib.h +++ b/stdlib/bits/stdlib.h @@ -36,17 +36,16 @@ extern char *__REDIRECT_NTH (__realpath_chk_warn, __fortify_function __wur char * __NTH (realpath (const char *__restrict __name, char *__restrict __resolved)) { - if (__glibc_objsize (__resolved) != (size_t) -1) - { + size_t sz = __glibc_objsize (__resolved); + + if (sz == (size_t) -1) + return __realpath_alias (__name, __resolved); + #if defined _LIBC_LIMITS_H_ && defined PATH_MAX - if (__glibc_objsize (__resolved) < PATH_MAX) - return __realpath_chk_warn (__name, __resolved, - __glibc_objsize (__resolved)); + if (__glibc_unsafe_len (sz, sizeof (char), PATH_MAX)) + return __realpath_chk_warn (__name, __resolved, sz); #endif - return __realpath_chk (__name, __resolved, __glibc_objsize (__resolved)); - } - - return __realpath_alias (__name, __resolved); + return __realpath_chk (__name, __resolved, sz); } @@ -65,16 +64,9 @@ extern int __REDIRECT_NTH (__ptsname_r_chk_warn, __fortify_function int __NTH (ptsname_r (int __fd, char *__buf, size_t __buflen)) { - if (__glibc_objsize (__buf) != (size_t) -1) - { - if (!__builtin_constant_p (__buflen)) - return __ptsname_r_chk (__fd, __buf, __buflen, - __glibc_objsize (__buf)); - if (__buflen > __glibc_objsize (__buf)) - return __ptsname_r_chk_warn (__fd, __buf, __buflen, - __glibc_objsize (__buf)); - } - return __ptsname_r_alias (__fd, __buf, __buflen); + return __glibc_fortify (ptsname_r, __buflen, sizeof (char), + __glibc_objsize (__buf), + __fd, __buf, __buflen); } @@ -120,18 +112,9 @@ __fortify_function size_t __NTH (mbstowcs (wchar_t *__restrict __dst, const char *__restrict __src, size_t __len)) { - if (__glibc_objsize (__dst) != (size_t) -1) - { - if (!__builtin_constant_p (__len)) - return __mbstowcs_chk (__dst, __src, __len, - __glibc_objsize (__dst) / sizeof (wchar_t)); - - if (__len > __glibc_objsize (__dst) / sizeof (wchar_t)) - return __mbstowcs_chk_warn (__dst, __src, __len, - (__glibc_objsize (__dst) - / sizeof (wchar_t))); - } - return __mbstowcs_alias (__dst, __src, __len); + return __glibc_fortify_n (mbstowcs, __len, sizeof (wchar_t), + __glibc_objsize (__dst), + __dst, __src, __len); } @@ -154,13 +137,7 @@ __fortify_function size_t __NTH (wcstombs (char *__restrict __dst, const wchar_t *__restrict __src, size_t __len)) { - if (__glibc_objsize (__dst) != (size_t) -1) - { - if (!__builtin_constant_p (__len)) - return __wcstombs_chk (__dst, __src, __len, __glibc_objsize (__dst)); - if (__len > __glibc_objsize (__dst)) - return __wcstombs_chk_warn (__dst, __src, __len, - __glibc_objsize (__dst)); - } - return __wcstombs_alias (__dst, __src, __len); + return __glibc_fortify (wcstombs, __len, sizeof (char), + __glibc_objsize (__dst), + __dst, __src, __len); } diff --git a/wcsmbs/bits/wchar2.h b/wcsmbs/bits/wchar2.h index ea2518dc72..2f42fdcc64 100644 --- a/wcsmbs/bits/wchar2.h +++ b/wcsmbs/bits/wchar2.h @@ -39,17 +39,9 @@ __fortify_function wchar_t * __NTH (wmemcpy (wchar_t *__restrict __s1, const wchar_t *__restrict __s2, size_t __n)) { - if (__glibc_objsize0 (__s1) != (size_t) -1) - { - if (!__builtin_constant_p (__n)) - return __wmemcpy_chk (__s1, __s2, __n, - __glibc_objsize0 (__s1) / sizeof (wchar_t)); - - if (__n > __glibc_objsize0 (__s1) / sizeof (wchar_t)) - return __wmemcpy_chk_warn (__s1, __s2, __n, - __glibc_objsize0 (__s1) / sizeof (wchar_t)); - } - return __wmemcpy_alias (__s1, __s2, __n); + return __glibc_fortify_n (wmemcpy, __n, sizeof (wchar_t), + __glibc_objsize0 (__s1), + __s1, __s2, __n); } @@ -67,18 +59,9 @@ extern wchar_t *__REDIRECT_NTH (__wmemmove_chk_warn, __fortify_function wchar_t * __NTH (wmemmove (wchar_t *__s1, const wchar_t *__s2, size_t __n)) { - if (__glibc_objsize0 (__s1) != (size_t) -1) - { - if (!__builtin_constant_p (__n)) - return __wmemmove_chk (__s1, __s2, __n, - __glibc_objsize0 (__s1) / sizeof (wchar_t)); - - if (__n > __glibc_objsize0 (__s1) / sizeof (wchar_t)) - return __wmemmove_chk_warn (__s1, __s2, __n, - (__glibc_objsize0 (__s1) - / sizeof (wchar_t))); - } - return __wmemmove_alias (__s1, __s2, __n); + return __glibc_fortify_n (wmemmove, __n, sizeof (wchar_t), + __glibc_objsize0 (__s1), + __s1, __s2, __n); } @@ -101,18 +84,9 @@ __fortify_function wchar_t * __NTH (wmempcpy (wchar_t *__restrict __s1, const wchar_t *__restrict __s2, size_t __n)) { - if (__glibc_objsize0 (__s1) != (size_t) -1) - { - if (!__builtin_constant_p (__n)) - return __wmempcpy_chk (__s1, __s2, __n, - __glibc_objsize0 (__s1) / sizeof (wchar_t)); - - if (__n > __glibc_objsize0 (__s1) / sizeof (wchar_t)) - return __wmempcpy_chk_warn (__s1, __s2, __n, - (__glibc_objsize0 (__s1) - / sizeof (wchar_t))); - } - return __wmempcpy_alias (__s1, __s2, __n); + return __glibc_fortify_n (wmempcpy, __n, sizeof (wchar_t), + __glibc_objsize0 (__s1), + __s1, __s2, __n); } #endif @@ -130,17 +104,9 @@ extern wchar_t *__REDIRECT_NTH (__wmemset_chk_warn, __fortify_function wchar_t * __NTH (wmemset (wchar_t *__s, wchar_t __c, size_t __n)) { - if (__glibc_objsize0 (__s) != (size_t) -1) - { - if (!__builtin_constant_p (__n)) - return __wmemset_chk (__s, __c, __n, - __glibc_objsize0 (__s) / sizeof (wchar_t)); - - if (__n > __glibc_objsize0 (__s) / sizeof (wchar_t)) - return __wmemset_chk_warn (__s, __c, __n, - __glibc_objsize0 (__s) / sizeof (wchar_t)); - } - return __wmemset_alias (__s, __c, __n); + return __glibc_fortify_n (wmemset, __n, sizeof (wchar_t), + __glibc_objsize0 (__s), + __s, __c, __n); } @@ -154,9 +120,9 @@ extern wchar_t *__REDIRECT_NTH (__wcscpy_alias, __fortify_function wchar_t * __NTH (wcscpy (wchar_t *__restrict __dest, const wchar_t *__restrict __src)) { - if (__glibc_objsize (__dest) != (size_t) -1) - return __wcscpy_chk (__dest, __src, - __glibc_objsize (__dest) / sizeof (wchar_t)); + size_t sz = __glibc_objsize (__dest); + if (sz != (size_t) -1) + return __wcscpy_chk (__dest, __src, sz / sizeof (wchar_t)); return __wcscpy_alias (__dest, __src); } @@ -171,9 +137,9 @@ extern wchar_t *__REDIRECT_NTH (__wcpcpy_alias, __fortify_function wchar_t * __NTH (wcpcpy (wchar_t *__restrict __dest, const wchar_t *__restrict __src)) { - if (__glibc_objsize (__dest) != (size_t) -1) - return __wcpcpy_chk (__dest, __src, - __glibc_objsize (__dest) / sizeof (wchar_t)); + size_t sz = __glibc_objsize (__dest); + if (sz != (size_t) -1) + return __wcpcpy_chk (__dest, __src, sz / sizeof (wchar_t)); return __wcpcpy_alias (__dest, __src); } @@ -196,17 +162,9 @@ __fortify_function wchar_t * __NTH (wcsncpy (wchar_t *__restrict __dest, const wchar_t *__restrict __src, size_t __n)) { - if (__glibc_objsize (__dest) != (size_t) -1) - { - if (!__builtin_constant_p (__n)) - return __wcsncpy_chk (__dest, __src, __n, - __glibc_objsize (__dest) / sizeof (wchar_t)); - if (__n > __glibc_objsize (__dest) / sizeof (wchar_t)) - return __wcsncpy_chk_warn (__dest, __src, __n, - (__glibc_objsize (__dest) - / sizeof (wchar_t))); - } - return __wcsncpy_alias (__dest, __src, __n); + return __glibc_fortify_n (wcsncpy, __n, sizeof (wchar_t), + __glibc_objsize (__dest), + __dest, __src, __n); } @@ -228,17 +186,9 @@ __fortify_function wchar_t * __NTH (wcpncpy (wchar_t *__restrict __dest, const wchar_t *__restrict __src, size_t __n)) { - if (__glibc_objsize (__dest) != (size_t) -1) - { - if (!__builtin_constant_p (__n)) - return __wcpncpy_chk (__dest, __src, __n, - __glibc_objsize (__dest) / sizeof (wchar_t)); - if (__n > __glibc_objsize (__dest) / sizeof (wchar_t)) - return __wcpncpy_chk_warn (__dest, __src, __n, - (__glibc_objsize (__dest) - / sizeof (wchar_t))); - } - return __wcpncpy_alias (__dest, __src, __n); + return __glibc_fortify_n (wcpncpy, __n, sizeof (wchar_t), + __glibc_objsize (__dest), + __dest, __src, __n); } @@ -252,9 +202,9 @@ extern wchar_t *__REDIRECT_NTH (__wcscat_alias, __fortify_function wchar_t * __NTH (wcscat (wchar_t *__restrict __dest, const wchar_t *__restrict __src)) { - if (__glibc_objsize (__dest) != (size_t) -1) - return __wcscat_chk (__dest, __src, - __glibc_objsize (__dest) / sizeof (wchar_t)); + size_t sz = __glibc_objsize (__dest); + if (sz != (size_t) -1) + return __wcscat_chk (__dest, __src, sz / sizeof (wchar_t)); return __wcscat_alias (__dest, __src); } @@ -271,9 +221,9 @@ __fortify_function wchar_t * __NTH (wcsncat (wchar_t *__restrict __dest, const wchar_t *__restrict __src, size_t __n)) { - if (__glibc_objsize (__dest) != (size_t) -1) - return __wcsncat_chk (__dest, __src, __n, - __glibc_objsize (__dest) / sizeof (wchar_t)); + size_t sz = __glibc_objsize (__dest); + if (sz != (size_t) -1) + return __wcsncat_chk (__dest, __src, __n, sz / sizeof (wchar_t)); return __wcsncat_alias (__dest, __src, __n); } @@ -293,10 +243,10 @@ __fortify_function int __NTH (swprintf (wchar_t *__restrict __s, size_t __n, const wchar_t *__restrict __fmt, ...)) { - if (__glibc_objsize (__s) != (size_t) -1 || __USE_FORTIFY_LEVEL > 1) + size_t sz = __glibc_objsize (__s); + if (sz != (size_t) -1 || __USE_FORTIFY_LEVEL > 1) return __swprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1, - __glibc_objsize (__s) / sizeof (wchar_t), - __fmt, __va_arg_pack ()); + sz / sizeof (wchar_t), __fmt, __va_arg_pack ()); return __swprintf_alias (__s, __n, __fmt, __va_arg_pack ()); } #elif !defined __cplusplus @@ -323,10 +273,10 @@ __fortify_function int __NTH (vswprintf (wchar_t *__restrict __s, size_t __n, const wchar_t *__restrict __fmt, __gnuc_va_list __ap)) { - if (__glibc_objsize (__s) != (size_t) -1 || __USE_FORTIFY_LEVEL > 1) + size_t sz = __glibc_objsize (__s); + if (sz != (size_t) -1 || __USE_FORTIFY_LEVEL > 1) return __vswprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1, - __glibc_objsize (__s) / sizeof (wchar_t), __fmt, - __ap); + sz / sizeof (wchar_t), __fmt, __ap); return __vswprintf_alias (__s, __n, __fmt, __ap); } @@ -392,18 +342,12 @@ extern wchar_t *__REDIRECT (__fgetws_chk_warn, __fortify_function __wur wchar_t * fgetws (wchar_t *__restrict __s, int __n, __FILE *__restrict __stream) { - if (__glibc_objsize (__s) != (size_t) -1) - { - if (!__builtin_constant_p (__n) || __n <= 0) - return __fgetws_chk (__s, __glibc_objsize (__s) / sizeof (wchar_t), - __n, __stream); - - if ((size_t) __n > __glibc_objsize (__s) / sizeof (wchar_t)) - return __fgetws_chk_warn (__s, - __glibc_objsize (__s) / sizeof (wchar_t), - __n, __stream); - } - return __fgetws_alias (__s, __n, __stream); + size_t sz = __glibc_objsize (__s); + if (__glibc_safe_or_unknown_len_signed (__n, sizeof (wchar_t), sz)) + return __fgetws_alias (__s, __n, __stream); + if (__glibc_unsafe_len_signed (__n, sizeof (wchar_t), sz)) + return __fgetws_chk_warn (__s, sz / sizeof (wchar_t), __n, __stream); + return __fgetws_chk (__s, sz / sizeof (wchar_t), __n, __stream); } #ifdef __USE_GNU @@ -424,20 +368,13 @@ extern wchar_t *__REDIRECT (__fgetws_unlocked_chk_warn, __fortify_function __wur wchar_t * fgetws_unlocked (wchar_t *__restrict __s, int __n, __FILE *__restrict __stream) { - if (__glibc_objsize (__s) != (size_t) -1) - { - if (!__builtin_constant_p (__n) || __n <= 0) - return __fgetws_unlocked_chk (__s, - __glibc_objsize (__s) / sizeof (wchar_t), - __n, __stream); - - if ((size_t) __n > __glibc_objsize (__s) / sizeof (wchar_t)) - return __fgetws_unlocked_chk_warn (__s, - (__glibc_objsize (__s) - / sizeof (wchar_t)), - __n, __stream); - } - return __fgetws_unlocked_alias (__s, __n, __stream); + size_t sz = __glibc_objsize (__s); + if (__glibc_safe_or_unknown_len_signed (__n, sizeof (wchar_t), sz)) + return __fgetws_unlocked_alias (__s, __n, __stream); + if (__glibc_unsafe_len_signed (__n, sizeof (wchar_t), sz)) + return __fgetws_unlocked_chk_warn (__s, sz / sizeof (wchar_t), __n, + __stream); + return __fgetws_unlocked_chk (__s, sz / sizeof (wchar_t), __n, __stream); } #endif @@ -488,18 +425,9 @@ __fortify_function size_t __NTH (mbsrtowcs (wchar_t *__restrict __dst, const char **__restrict __src, size_t __len, mbstate_t *__restrict __ps)) { - if (__glibc_objsize (__dst) != (size_t) -1) - { - if (!__builtin_constant_p (__len)) - return __mbsrtowcs_chk (__dst, __src, __len, __ps, - __glibc_objsize (__dst) / sizeof (wchar_t)); - - if (__len > __glibc_objsize (__dst) / sizeof (wchar_t)) - return __mbsrtowcs_chk_warn (__dst, __src, __len, __ps, - (__glibc_objsize (__dst) - / sizeof (wchar_t))); - } - return __mbsrtowcs_alias (__dst, __src, __len, __ps); + return __glibc_fortify_n (mbsrtowcs, __len, sizeof (wchar_t), + __glibc_objsize (__dst), + __dst, __src, __len, __ps); } @@ -523,17 +451,9 @@ __fortify_function size_t __NTH (wcsrtombs (char *__restrict __dst, const wchar_t **__restrict __src, size_t __len, mbstate_t *__restrict __ps)) { - if (__glibc_objsize (__dst) != (size_t) -1) - { - if (!__builtin_constant_p (__len)) - return __wcsrtombs_chk (__dst, __src, __len, __ps, - __glibc_objsize (__dst)); - - if (__len > __glibc_objsize (__dst)) - return __wcsrtombs_chk_warn (__dst, __src, __len, __ps, - __glibc_objsize (__dst)); - } - return __wcsrtombs_alias (__dst, __src, __len, __ps); + return __glibc_fortify (wcsrtombs, __len, sizeof (char), + __glibc_objsize (__dst), + __dst, __src, __len, __ps); } @@ -559,18 +479,9 @@ __fortify_function size_t __NTH (mbsnrtowcs (wchar_t *__restrict __dst, const char **__restrict __src, size_t __nmc, size_t __len, mbstate_t *__restrict __ps)) { - if (__glibc_objsize (__dst) != (size_t) -1) - { - if (!__builtin_constant_p (__len)) - return __mbsnrtowcs_chk (__dst, __src, __nmc, __len, __ps, - __glibc_objsize (__dst) / sizeof (wchar_t)); - - if (__len > __glibc_objsize (__dst) / sizeof (wchar_t)) - return __mbsnrtowcs_chk_warn (__dst, __src, __nmc, __len, __ps, - (__glibc_objsize (__dst) - / sizeof (wchar_t))); - } - return __mbsnrtowcs_alias (__dst, __src, __nmc, __len, __ps); + return __glibc_fortify_n (mbsnrtowcs, __len, sizeof (wchar_t), + __glibc_objsize (__dst), + __dst, __src, __nmc, __len, __ps); } @@ -596,16 +507,8 @@ __fortify_function size_t __NTH (wcsnrtombs (char *__restrict __dst, const wchar_t **__restrict __src, size_t __nwc, size_t __len, mbstate_t *__restrict __ps)) { - if (__glibc_objsize (__dst) != (size_t) -1) - { - if (!__builtin_constant_p (__len)) - return __wcsnrtombs_chk (__dst, __src, __nwc, __len, __ps, - __glibc_objsize (__dst)); - - if (__len > __glibc_objsize (__dst)) - return __wcsnrtombs_chk_warn (__dst, __src, __nwc, __len, __ps, - __glibc_objsize (__dst)); - } - return __wcsnrtombs_alias (__dst, __src, __nwc, __len, __ps); + return __glibc_fortify (wcsnrtombs, __len, sizeof (char), + __glibc_objsize (__dst), + __dst, __src, __nwc, __len, __ps); } #endif From patchwork Tue Oct 12 16:16:29 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Siddhesh Poyarekar X-Patchwork-Id: 46140 X-Patchwork-Delegate: azanella@linux.vnet.ibm.com Return-Path: X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 89573385740E for ; Tue, 12 Oct 2021 16:19:24 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 89573385740E DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1634055564; bh=U+fdoHqcjwjNLNZF5VSUZMKa/SHMfpFLeZAlML/zOIg=; h=To:Subject:Date:In-Reply-To:References:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To: From; b=F+xEPImrJprr1DBS2ISQ+X4bDVRNbzM51poeRn+E0c5j2hdeEcCxORNSeu+U95M1H 8UEGfec9u8L+/JiM6lMncLTi5fiKoJT46zF3+dnNjuUzYy5/q7kliDarY7yoG3iajM UCeIQKskSgqHsX7Z+741Unv+t3XElIB7t6cVGufY= X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from burlywood.elm.relay.mailchannels.net (burlywood.elm.relay.mailchannels.net [23.83.212.26]) by sourceware.org (Postfix) with ESMTPS id 0C795385743A for ; Tue, 12 Oct 2021 16:16:58 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 0C795385743A X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 41D162200E; Tue, 12 Oct 2021 16:16:56 +0000 (UTC) Received: from pdx1-sub0-mail-a74.g.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 33C4A21C97; Tue, 12 Oct 2021 16:16:55 +0000 (UTC) X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org Received: from pdx1-sub0-mail-a74.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384) by 100.123.194.20 (trex/6.4.3); Tue, 12 Oct 2021 16:16:56 +0000 X-MC-Relay: Junk X-MailChannels-SenderId: dreamhost|x-authsender|siddhesh@gotplt.org X-MailChannels-Auth-Id: dreamhost X-Dime-Eyes: 351e6f736e324d47_1634055416093_2472785048 X-MC-Loop-Signature: 1634055416093:2123856637 X-MC-Ingress-Time: 1634055416093 Received: from pdx1-sub0-mail-a74.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a74.g.dreamhost.com (Postfix) with ESMTP id 1C23D84149; Tue, 12 Oct 2021 09:16:53 -0700 (PDT) Received: from rhbox.redhat.com (unknown [1.186.121.188]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: siddhesh@gotplt.org) by pdx1-sub0-mail-a74.g.dreamhost.com (Postfix) with ESMTPSA id CF0DE7F5CA; Tue, 12 Oct 2021 09:16:48 -0700 (PDT) X-DH-BACKEND: pdx1-sub0-mail-a74 To: libc-alpha@sourceware.org Subject: [PATCH 3/3] debug: Add tests for _FORTIFY_SOURCE=3 Date: Tue, 12 Oct 2021 21:46:29 +0530 Message-Id: <20211012161629.302696-4-siddhesh@sourceware.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211012161629.302696-1-siddhesh@sourceware.org> References: <20211012161629.302696-1-siddhesh@sourceware.org> MIME-Version: 1.0 X-Spam-Status: No, score=-3492.2 required=5.0 tests=BAYES_00, GIT_PATCH_0, JMQ_SPF_NEUTRAL, KAM_DMARC_NONE, KAM_DMARC_STATUS, KAM_NUMSUBJECT, RCVD_IN_BARRACUDACENTRAL, RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_SBL, SPF_HELO_NONE, SPF_NEUTRAL, TXREP autolearn=ham autolearn_force=no version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: Siddhesh Poyarekar via Libc-alpha From: Siddhesh Poyarekar Reply-To: Siddhesh Poyarekar Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org Sender: "Libc-alpha" Add some testing coverage for _FORTIFY_SOURCE=3. Signed-off-by: Siddhesh Poyarekar --- debug/Makefile | 13 ++++-- debug/tst-chk1.c | 102 +++++++++++++++++++++++++--------------------- debug/tst-chk7.c | 2 + debug/tst-chk8.cc | 2 + 4 files changed, 69 insertions(+), 50 deletions(-) create mode 100644 debug/tst-chk7.c create mode 100644 debug/tst-chk8.cc diff --git a/debug/Makefile b/debug/Makefile index 6893111cbf..357f888246 100644 --- a/debug/Makefile +++ b/debug/Makefile @@ -120,6 +120,8 @@ CFLAGS-tst-chk3.c += -Wno-format -Wno-deprecated-declarations -Wno-error CFLAGS-tst-chk4.cc += -Wno-format -Wno-deprecated-declarations -Wno-error CFLAGS-tst-chk5.cc += -Wno-format -Wno-deprecated-declarations -Wno-error CFLAGS-tst-chk6.cc += -Wno-format -Wno-deprecated-declarations -Wno-error +CFLAGS-tst-chk7.c += -Wno-format -Wno-deprecated-declarations -Wno-error +CFLAGS-tst-chk8.cc += -Wno-format -Wno-deprecated-declarations -Wno-error CFLAGS-tst-lfschk1.c += -Wno-format -Wno-deprecated-declarations -Wno-error CFLAGS-tst-lfschk2.c += -Wno-format -Wno-deprecated-declarations -Wno-error CFLAGS-tst-lfschk3.c += -Wno-format -Wno-deprecated-declarations -Wno-error @@ -129,6 +131,7 @@ CFLAGS-tst-lfschk6.cc += -Wno-format -Wno-deprecated-declarations -Wno-error LDLIBS-tst-chk4 = -lstdc++ LDLIBS-tst-chk5 = -lstdc++ LDLIBS-tst-chk6 = -lstdc++ +LDLIBS-tst-chk8 = -lstdc++ LDLIBS-tst-lfschk4 = -lstdc++ LDLIBS-tst-lfschk5 = -lstdc++ LDLIBS-tst-lfschk6 = -lstdc++ @@ -150,16 +153,16 @@ CFLAGS-tst-ssp-1.c += -fstack-protector-all tests = backtrace-tst tst-longjmp_chk tst-chk1 tst-chk2 tst-chk3 \ tst-lfschk1 tst-lfschk2 tst-lfschk3 test-strcpy_chk test-stpcpy_chk \ - tst-chk4 tst-chk5 tst-chk6 tst-lfschk4 tst-lfschk5 tst-lfschk6 \ - tst-longjmp_chk2 tst-backtrace2 tst-backtrace3 tst-backtrace4 \ - tst-backtrace5 tst-backtrace6 + tst-chk4 tst-chk5 tst-chk6 tst-chk7 tst-chk8 tst-lfschk4 tst-lfschk5 \ + tst-lfschk6 tst-longjmp_chk2 tst-backtrace2 tst-backtrace3 \ + tst-backtrace4 tst-backtrace5 tst-backtrace6 ifeq ($(have-ssp),yes) tests += tst-ssp-1 endif ifeq (,$(CXX)) -tests-unsupported = tst-chk4 tst-chk5 tst-chk6 \ +tests-unsupported = tst-chk4 tst-chk5 tst-chk6 tst-chk8 \ tst-lfschk4 tst-lfschk5 tst-lfschk6 endif @@ -193,6 +196,8 @@ $(objpfx)tst-chk3.out: $(gen-locales) $(objpfx)tst-chk4.out: $(gen-locales) $(objpfx)tst-chk5.out: $(gen-locales) $(objpfx)tst-chk6.out: $(gen-locales) +$(objpfx)tst-chk7.out: $(gen-locales) +$(objpfx)tst-chk8.out: $(gen-locales) $(objpfx)tst-lfschk1.out: $(gen-locales) $(objpfx)tst-lfschk2.out: $(gen-locales) $(objpfx)tst-lfschk3.out: $(gen-locales) diff --git a/debug/tst-chk1.c b/debug/tst-chk1.c index 6712770201..d11e536f87 100644 --- a/debug/tst-chk1.c +++ b/debug/tst-chk1.c @@ -82,8 +82,14 @@ handler (int sig) _exit (127); } +#if __USE_FORTIFY_LEVEL == 3 +volatile size_t buf_size = 10; +#else char buf[10]; wchar_t wbuf[10]; +#define buf_size sizeof (buf) +#endif + volatile size_t l0; volatile char *p; volatile wchar_t *wp; @@ -122,6 +128,10 @@ int num2 = 987654; static int do_test (void) { +#if __USE_FORTIFY_LEVEL == 3 + char *buf = (char *) malloc (buf_size); + wchar_t *wbuf = (wchar_t *) malloc (buf_size * sizeof (wchar_t)); +#endif set_fortify_handler (handler); struct A { char buf1[9]; char buf2[1]; } a; @@ -946,93 +956,93 @@ do_test (void) rewind (stdin); - if (fgets (buf, sizeof (buf), stdin) != buf + if (fgets (buf, buf_size, stdin) != buf || memcmp (buf, "abcdefgh\n", 10)) FAIL (); - if (fgets (buf, sizeof (buf), stdin) != buf || memcmp (buf, "ABCDEFGHI", 10)) + if (fgets (buf, buf_size, stdin) != buf || memcmp (buf, "ABCDEFGHI", 10)) FAIL (); rewind (stdin); - if (fgets (buf, l0 + sizeof (buf), stdin) != buf + if (fgets (buf, l0 + buf_size, stdin) != buf || memcmp (buf, "abcdefgh\n", 10)) FAIL (); #if __USE_FORTIFY_LEVEL >= 1 CHK_FAIL_START - if (fgets (buf, sizeof (buf) + 1, stdin) != buf) + if (fgets (buf, buf_size + 1, stdin) != buf) FAIL (); CHK_FAIL_END CHK_FAIL_START - if (fgets (buf, l0 + sizeof (buf) + 1, stdin) != buf) + if (fgets (buf, l0 + buf_size + 1, stdin) != buf) FAIL (); CHK_FAIL_END #endif rewind (stdin); - if (fgets_unlocked (buf, sizeof (buf), stdin) != buf + if (fgets_unlocked (buf, buf_size, stdin) != buf || memcmp (buf, "abcdefgh\n", 10)) FAIL (); - if (fgets_unlocked (buf, sizeof (buf), stdin) != buf + if (fgets_unlocked (buf, buf_size, stdin) != buf || memcmp (buf, "ABCDEFGHI", 10)) FAIL (); rewind (stdin); - if (fgets_unlocked (buf, l0 + sizeof (buf), stdin) != buf + if (fgets_unlocked (buf, l0 + buf_size, stdin) != buf || memcmp (buf, "abcdefgh\n", 10)) FAIL (); #if __USE_FORTIFY_LEVEL >= 1 CHK_FAIL_START - if (fgets_unlocked (buf, sizeof (buf) + 1, stdin) != buf) + if (fgets_unlocked (buf, buf_size + 1, stdin) != buf) FAIL (); CHK_FAIL_END CHK_FAIL_START - if (fgets_unlocked (buf, l0 + sizeof (buf) + 1, stdin) != buf) + if (fgets_unlocked (buf, l0 + buf_size + 1, stdin) != buf) FAIL (); CHK_FAIL_END #endif rewind (stdin); - if (fread (buf, 1, sizeof (buf), stdin) != sizeof (buf) + if (fread (buf, 1, buf_size, stdin) != buf_size || memcmp (buf, "abcdefgh\nA", 10)) FAIL (); - if (fread (buf, sizeof (buf), 1, stdin) != 1 + if (fread (buf, buf_size, 1, stdin) != 1 || memcmp (buf, "BCDEFGHI\na", 10)) FAIL (); rewind (stdin); - if (fread (buf, l0 + 1, sizeof (buf), stdin) != sizeof (buf) + if (fread (buf, l0 + 1, buf_size, stdin) != buf_size || memcmp (buf, "abcdefgh\nA", 10)) FAIL (); - if (fread (buf, sizeof (buf), l0 + 1, stdin) != 1 + if (fread (buf, buf_size, l0 + 1, stdin) != 1 || memcmp (buf, "BCDEFGHI\na", 10)) FAIL (); #if __USE_FORTIFY_LEVEL >= 1 CHK_FAIL_START - if (fread (buf, 1, sizeof (buf) + 1, stdin) != sizeof (buf) + 1) + if (fread (buf, 1, buf_size + 1, stdin) != buf_size + 1) FAIL (); CHK_FAIL_END CHK_FAIL_START - if (fread (buf, sizeof (buf) + 1, l0 + 1, stdin) != 1) + if (fread (buf, buf_size + 1, l0 + 1, stdin) != 1) FAIL (); CHK_FAIL_END #endif rewind (stdin); - if (fread_unlocked (buf, 1, sizeof (buf), stdin) != sizeof (buf) + if (fread_unlocked (buf, 1, buf_size, stdin) != buf_size || memcmp (buf, "abcdefgh\nA", 10)) FAIL (); - if (fread_unlocked (buf, sizeof (buf), 1, stdin) != 1 + if (fread_unlocked (buf, buf_size, 1, stdin) != 1 || memcmp (buf, "BCDEFGHI\na", 10)) FAIL (); @@ -1047,100 +1057,100 @@ do_test (void) rewind (stdin); - if (fread_unlocked (buf, l0 + 1, sizeof (buf), stdin) != sizeof (buf) + if (fread_unlocked (buf, l0 + 1, buf_size, stdin) != buf_size || memcmp (buf, "abcdefgh\nA", 10)) FAIL (); - if (fread_unlocked (buf, sizeof (buf), l0 + 1, stdin) != 1 + if (fread_unlocked (buf, buf_size, l0 + 1, stdin) != 1 || memcmp (buf, "BCDEFGHI\na", 10)) FAIL (); #if __USE_FORTIFY_LEVEL >= 1 CHK_FAIL_START - if (fread_unlocked (buf, 1, sizeof (buf) + 1, stdin) != sizeof (buf) + 1) + if (fread_unlocked (buf, 1, buf_size + 1, stdin) != buf_size + 1) FAIL (); CHK_FAIL_END CHK_FAIL_START - if (fread_unlocked (buf, sizeof (buf) + 1, l0 + 1, stdin) != 1) + if (fread_unlocked (buf, buf_size + 1, l0 + 1, stdin) != 1) FAIL (); CHK_FAIL_END #endif lseek (fileno (stdin), 0, SEEK_SET); - if (read (fileno (stdin), buf, sizeof (buf) - 1) != sizeof (buf) - 1 + if (read (fileno (stdin), buf, buf_size - 1) != buf_size - 1 || memcmp (buf, "abcdefgh\n", 9)) FAIL (); - if (read (fileno (stdin), buf, sizeof (buf) - 1) != sizeof (buf) - 1 + if (read (fileno (stdin), buf, buf_size - 1) != buf_size - 1 || memcmp (buf, "ABCDEFGHI", 9)) FAIL (); lseek (fileno (stdin), 0, SEEK_SET); - if (read (fileno (stdin), buf, l0 + sizeof (buf) - 1) != sizeof (buf) - 1 + if (read (fileno (stdin), buf, l0 + buf_size - 1) != buf_size - 1 || memcmp (buf, "abcdefgh\n", 9)) FAIL (); #if __USE_FORTIFY_LEVEL >= 1 CHK_FAIL_START - if (read (fileno (stdin), buf, sizeof (buf) + 1) != sizeof (buf) + 1) + if (read (fileno (stdin), buf, buf_size + 1) != buf_size + 1) FAIL (); CHK_FAIL_END CHK_FAIL_START - if (read (fileno (stdin), buf, l0 + sizeof (buf) + 1) != sizeof (buf) + 1) + if (read (fileno (stdin), buf, l0 + buf_size + 1) != buf_size + 1) FAIL (); CHK_FAIL_END #endif - if (pread (fileno (stdin), buf, sizeof (buf) - 1, sizeof (buf) - 2) - != sizeof (buf) - 1 + if (pread (fileno (stdin), buf, buf_size - 1, buf_size - 2) + != buf_size - 1 || memcmp (buf, "\nABCDEFGH", 9)) FAIL (); - if (pread (fileno (stdin), buf, sizeof (buf) - 1, 0) != sizeof (buf) - 1 + if (pread (fileno (stdin), buf, buf_size - 1, 0) != buf_size - 1 || memcmp (buf, "abcdefgh\n", 9)) FAIL (); - if (pread (fileno (stdin), buf, l0 + sizeof (buf) - 1, sizeof (buf) - 3) - != sizeof (buf) - 1 + if (pread (fileno (stdin), buf, l0 + buf_size - 1, buf_size - 3) + != buf_size - 1 || memcmp (buf, "h\nABCDEFG", 9)) FAIL (); #if __USE_FORTIFY_LEVEL >= 1 CHK_FAIL_START - if (pread (fileno (stdin), buf, sizeof (buf) + 1, 2 * sizeof (buf)) - != sizeof (buf) + 1) + if (pread (fileno (stdin), buf, buf_size + 1, 2 * buf_size) + != buf_size + 1) FAIL (); CHK_FAIL_END CHK_FAIL_START - if (pread (fileno (stdin), buf, l0 + sizeof (buf) + 1, 2 * sizeof (buf)) - != sizeof (buf) + 1) + if (pread (fileno (stdin), buf, l0 + buf_size + 1, 2 * buf_size) + != buf_size + 1) FAIL (); CHK_FAIL_END #endif - if (pread64 (fileno (stdin), buf, sizeof (buf) - 1, sizeof (buf) - 2) - != sizeof (buf) - 1 + if (pread64 (fileno (stdin), buf, buf_size - 1, buf_size - 2) + != buf_size - 1 || memcmp (buf, "\nABCDEFGH", 9)) FAIL (); - if (pread64 (fileno (stdin), buf, sizeof (buf) - 1, 0) != sizeof (buf) - 1 + if (pread64 (fileno (stdin), buf, buf_size - 1, 0) != buf_size - 1 || memcmp (buf, "abcdefgh\n", 9)) FAIL (); - if (pread64 (fileno (stdin), buf, l0 + sizeof (buf) - 1, sizeof (buf) - 3) - != sizeof (buf) - 1 + if (pread64 (fileno (stdin), buf, l0 + buf_size - 1, buf_size - 3) + != buf_size - 1 || memcmp (buf, "h\nABCDEFG", 9)) FAIL (); #if __USE_FORTIFY_LEVEL >= 1 CHK_FAIL_START - if (pread64 (fileno (stdin), buf, sizeof (buf) + 1, 2 * sizeof (buf)) - != sizeof (buf) + 1) + if (pread64 (fileno (stdin), buf, buf_size + 1, 2 * buf_size) + != buf_size + 1) FAIL (); CHK_FAIL_END CHK_FAIL_START - if (pread64 (fileno (stdin), buf, l0 + sizeof (buf) + 1, 2 * sizeof (buf)) - != sizeof (buf) + 1) + if (pread64 (fileno (stdin), buf, l0 + buf_size + 1, 2 * buf_size) + != buf_size + 1) FAIL (); CHK_FAIL_END #endif @@ -1178,7 +1188,7 @@ do_test (void) CHK_FAIL2_END CHK_FAIL2_START - snprintf (buf, sizeof (buf), "%3$d\n", 1, 2, 3, 4); + snprintf (buf, buf_size, "%3$d\n", 1, 2, 3, 4); CHK_FAIL2_END int sp[2]; diff --git a/debug/tst-chk7.c b/debug/tst-chk7.c new file mode 100644 index 0000000000..2a7b323812 --- /dev/null +++ b/debug/tst-chk7.c @@ -0,0 +1,2 @@ +#define _FORTIFY_SOURCE 3 +#include "tst-chk1.c" diff --git a/debug/tst-chk8.cc b/debug/tst-chk8.cc new file mode 100644 index 0000000000..2a7b323812 --- /dev/null +++ b/debug/tst-chk8.cc @@ -0,0 +1,2 @@ +#define _FORTIFY_SOURCE 3 +#include "tst-chk1.c"