From patchwork Sat Dec 19 06:33:13 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Siddhesh Poyarekar X-Patchwork-Id: 1418631 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=8.43.85.97; helo=sourceware.org; envelope-from=libc-alpha-bounces@sourceware.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=sourceware.org Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; secure) header.d=sourceware.org header.i=@sourceware.org header.a=rsa-sha256 header.s=default header.b=vs+d+EvT; dkim-atps=neutral Received: from sourceware.org (unknown [8.43.85.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4CybYP6QlQz9sTg for ; Sat, 19 Dec 2020 17:34:17 +1100 (AEDT) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id F33A4393D03D; Sat, 19 Dec 2020 06:34:15 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org F33A4393D03D DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1608359656; bh=xb4QziWUp3S5Ic93N/hmg7wKqSmkBQmqNpnhC1mTbqA=; h=To:Subject:Date:In-Reply-To:References:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc: From; b=vs+d+EvTT0kfNuMDsTef9HM/iuY7DqtQOHUpq/yU3vN9kz+4jWE31S3olpNPZnMy7 WQN0NYCQRt9luHAoimDwXBWL6Q9kmNVg2nSqRBcqP9uBA3BnPoue/thlzLgggnqYOo uThWlQ4l6CKey+bXk5tqS9/XAGZ7pFqbBcLcYEqY= X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from black.elm.relay.mailchannels.net (black.elm.relay.mailchannels.net [23.83.212.19]) by sourceware.org (Postfix) with ESMTPS id 17A9B385801A for ; Sat, 19 Dec 2020 06:34:10 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 17A9B385801A X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 8BE93361A16; Sat, 19 Dec 2020 06:34:07 +0000 (UTC) Received: from pdx1-sub0-mail-a78.g.dreamhost.com (100-96-9-178.trex.outbound.svc.cluster.local [100.96.9.178]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 0B9C7361A19; Sat, 19 Dec 2020 06:34:07 +0000 (UTC) X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org Received: from pdx1-sub0-mail-a78.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.18.11); Sat, 19 Dec 2020 06:34:07 +0000 X-MC-Relay: Neutral X-MailChannels-SenderId: dreamhost|x-authsender|siddhesh@gotplt.org X-MailChannels-Auth-Id: dreamhost X-Supply-Spicy: 62716a1a40c9f736_1608359647355_770350119 X-MC-Loop-Signature: 1608359647355:4177590987 X-MC-Ingress-Time: 1608359647355 Received: from pdx1-sub0-mail-a78.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a78.g.dreamhost.com (Postfix) with ESMTP id BA72C7E449; Fri, 18 Dec 2020 22:34:06 -0800 (PST) Received: from rhbox.intra.reserved-bit.com (unknown [1.186.101.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: siddhesh@gotplt.org) by pdx1-sub0-mail-a78.g.dreamhost.com (Postfix) with ESMTPSA id 200117E48F; Fri, 18 Dec 2020 22:34:03 -0800 (PST) X-DH-BACKEND: pdx1-sub0-mail-a78 To: libc-alpha@sourceware.org Subject: [PATCH 1/2] string: _FORTIFY_SOURCE=3 using __builtin_dynamic_object_size Date: Sat, 19 Dec 2020 12:03:13 +0530 Message-Id: <20201219063314.1409576-2-siddhesh@sourceware.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201219063314.1409576-1-siddhesh@sourceware.org> References: <20201219063314.1409576-1-siddhesh@sourceware.org> MIME-Version: 1.0 X-Spam-Status: No, score=-9.4 required=5.0 tests=BAYES_00, GIT_PATCH_0, JMQ_SPF_NEUTRAL, KAM_DMARC_NONE, KAM_DMARC_STATUS, RCVD_IN_BARRACUDACENTRAL, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2, SPF_HELO_NONE, SPF_NEUTRAL, TXREP autolearn=ham autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: Siddhesh Poyarekar via Libc-alpha From: Siddhesh Poyarekar Reply-To: Siddhesh Poyarekar Cc: fweimer@redhat.com, jakub@redhat.com Errors-To: libc-alpha-bounces@sourceware.org Sender: "Libc-alpha" Introduce a new _FORTIFY_SOURCE level of 3 to enable additional fortifications that may have a potential performance impact. At the moment this level of fortification involves the use of the __builtin_dynamic_object_size builtin whenever the compiler supports it. This change enhances fortified string functions to use __builtin_dynamic_object_size under _FORTIFY_SOURCE=3 whenever the compiler supports it. __builtin_dynamic_object_size ----------------------------- __builtin_dynamic_object_size is an LLVM builtin that is similar to __builtin_object_size. In addition to what __builtin_object_size does, i.e. replace the builtin call with a constant object size, __builtin_dynamic_object_size will replace the call site with an expression that evaluates to the object size, thus expanding its applicability. In practice, __builtin_dynamic_object_size evaluates these expressions through malloc/calloc calls that it can associate with the object being evaluated. A simple motivating example is below; -D_FORTIFY_SOURCE=2 would miss this and emit memcpy, but -D_FORTIFY_SOURCE=3 with the help of __builtin_dynamic_object_size is able to emit __memcpy_chk with the allocation size expression passed into the function: void *copy_obj (const void *src, size_t alloc, size_t copysize) { void *obj = malloc (alloc); memcpy (obj, src, copysize); return obj; } Limitations ----------- If the object was allocated elsewhere that the compiler cannot see, or if it was allocated in the function with a function that the compiler does not recognize as an allocator then __builtin_dynamic_object_size also returns -1. Further, the expression used to compute object size may be non-trivial and may potentially incur a noticeable performance impact. These fortifications are hence enabled at a new _FORTIFY_SOURCE level to allow developers to make a choice on the tradeoff according to their environment. Other Changes ------------- The _FORTIFY_SOURCE macro soup in features.h now warns about unsupported fortification levels. For example, it will warn about _FORTIFY_SOURCE=3 and over for llvm older than 9.0 and for gcc and _FORTIFY_SOURCE=4 will result in a warning on all compilers with an indication of which level has been selected. Co-authored-by: Paul Eggert --- NEWS | 6 ++++++ include/features.h | 8 ++++++++ include/string.h | 5 +++-- manual/creature.texi | 3 ++- misc/sys/cdefs.h | 9 +++++++++ string/bits/string_fortified.h | 22 +++++++++++----------- string/bits/strings_fortified.h | 4 ++-- 7 files changed, 41 insertions(+), 16 deletions(-) diff --git a/NEWS b/NEWS index 86e05fb023..8e02dbd0f7 100644 --- a/NEWS +++ b/NEWS @@ -28,6 +28,12 @@ Major new features: The 32-bit RISC-V port requires at least Linux 5.4, GCC 7.1 and binutils 2.28. +* A new fortification level _FORTIFY_SOURCE=3 is available. At this level, + glibc may use additional checks that may have an additional performance + overhead. At present these checks are available only on LLVM 9 and later. + The latest GCC available at this time (10.2) does not support this level of + fortification. + Deprecated and removed features, and other changes affecting compatibility: * The mallinfo function is marked deprecated. Callers should call diff --git a/include/features.h b/include/features.h index f3e62d3362..066eb0eecd 100644 --- a/include/features.h +++ b/include/features.h @@ -397,7 +397,15 @@ # warning _FORTIFY_SOURCE requires compiling with optimization (-O) # elif !__GNUC_PREREQ (4, 1) # warning _FORTIFY_SOURCE requires GCC 4.1 or later +# elif _FORTIFY_SOURCE > 2 && __glibc_clang_prereq (9, 0) +# if _FORTIFY_SOURCE > 3 +# warning _FORTIFY_SOURCE > 3 is treated like 3 on this platform +# endif +# define __USE_FORTIFY_LEVEL 3 # elif _FORTIFY_SOURCE > 1 +# if _FORTIFY_SOURCE > 2 +# warning _FORTIFY_SOURCE > 2 is treated like 2 on this platform +# endif # define __USE_FORTIFY_LEVEL 2 # else # define __USE_FORTIFY_LEVEL 1 diff --git a/include/string.h b/include/string.h index 7d344d77d4..841ee05a1d 100644 --- a/include/string.h +++ b/include/string.h @@ -123,10 +123,11 @@ libc_hidden_proto (__strerror_l) void __explicit_bzero_chk_internal (void *, size_t, size_t) __THROW __nonnull ((1)) attribute_hidden; # define explicit_bzero(buf, len) \ - __explicit_bzero_chk_internal (buf, len, __bos0 (buf)) + __explicit_bzero_chk_internal (buf, len, __objsize0 (buf)) #elif !IS_IN (nonlib) void __explicit_bzero_chk (void *, size_t, size_t) __THROW __nonnull ((1)); -# define explicit_bzero(buf, len) __explicit_bzero_chk (buf, len, __bos0 (buf)) +# define explicit_bzero(buf, len) __explicit_bzero_chk (buf, len, \ + __objsize0 (buf)) #endif libc_hidden_builtin_proto (memchr) diff --git a/manual/creature.texi b/manual/creature.texi index be5050468b..31208ccb2b 100644 --- a/manual/creature.texi +++ b/manual/creature.texi @@ -254,7 +254,8 @@ included. @standards{GNU, (none)} If this macro is defined to @math{1}, security hardening is added to various library functions. If defined to @math{2}, even stricter -checks are applied. +checks are applied. If defined to @math{3}, @theglibc{} may also use +checks that may have an additional performance overhead. @end defvr @defvr Macro _REENTRANT diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h index a06f1cfd91..ca51a5c3ad 100644 --- a/misc/sys/cdefs.h +++ b/misc/sys/cdefs.h @@ -127,6 +127,15 @@ #define __bos(ptr) __builtin_object_size (ptr, __USE_FORTIFY_LEVEL > 1) #define __bos0(ptr) __builtin_object_size (ptr, 0) +/* Use __builtin_dynamic_object_size at _FORTIFY_SOURCE=3 when available. */ +#if __USE_FORTIFY_LEVEL == 3 && __glibc_clang_prereq (9, 0) +# define __objsize0(__o) __builtin_dynamic_object_size (__o, 0) +# define __objsize(__o) __builtin_dynamic_object_size (__o, 1) +#else +# define __objsize0(__o) __bos0 (__o) +# define __objsize(__o) __bos (__o) +#endif + #if __GNUC_PREREQ (4,3) # define __warnattr(msg) __attribute__((__warning__ (msg))) # define __errordecl(name, msg) \ diff --git a/string/bits/string_fortified.h b/string/bits/string_fortified.h index 4c1aeb45f1..c9f9197aef 100644 --- a/string/bits/string_fortified.h +++ b/string/bits/string_fortified.h @@ -26,13 +26,13 @@ __fortify_function void * __NTH (memcpy (void *__restrict __dest, const void *__restrict __src, size_t __len)) { - return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest)); + return __builtin___memcpy_chk (__dest, __src, __len, __objsize0 (__dest)); } __fortify_function void * __NTH (memmove (void *__dest, const void *__src, size_t __len)) { - return __builtin___memmove_chk (__dest, __src, __len, __bos0 (__dest)); + return __builtin___memmove_chk (__dest, __src, __len, __objsize0 (__dest)); } #ifdef __USE_GNU @@ -40,7 +40,7 @@ __fortify_function void * __NTH (mempcpy (void *__restrict __dest, const void *__restrict __src, size_t __len)) { - return __builtin___mempcpy_chk (__dest, __src, __len, __bos0 (__dest)); + return __builtin___mempcpy_chk (__dest, __src, __len, __objsize0 (__dest)); } #endif @@ -53,7 +53,7 @@ __NTH (mempcpy (void *__restrict __dest, const void *__restrict __src, __fortify_function void * __NTH (memset (void *__dest, int __ch, size_t __len)) { - return __builtin___memset_chk (__dest, __ch, __len, __bos0 (__dest)); + return __builtin___memset_chk (__dest, __ch, __len, __objsize0 (__dest)); } #ifdef __USE_MISC @@ -65,21 +65,21 @@ void __explicit_bzero_chk (void *__dest, size_t __len, size_t __destlen) __fortify_function void __NTH (explicit_bzero (void *__dest, size_t __len)) { - __explicit_bzero_chk (__dest, __len, __bos0 (__dest)); + __explicit_bzero_chk (__dest, __len, __objsize0 (__dest)); } #endif __fortify_function char * __NTH (strcpy (char *__restrict __dest, const char *__restrict __src)) { - return __builtin___strcpy_chk (__dest, __src, __bos (__dest)); + return __builtin___strcpy_chk (__dest, __src, __objsize (__dest)); } #ifdef __USE_GNU __fortify_function char * __NTH (stpcpy (char *__restrict __dest, const char *__restrict __src)) { - return __builtin___stpcpy_chk (__dest, __src, __bos (__dest)); + return __builtin___stpcpy_chk (__dest, __src, __objsize (__dest)); } #endif @@ -88,14 +88,14 @@ __fortify_function char * __NTH (strncpy (char *__restrict __dest, const char *__restrict __src, size_t __len)) { - return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest)); + return __builtin___strncpy_chk (__dest, __src, __len, __objsize (__dest)); } #if __GNUC_PREREQ (4, 7) || __glibc_clang_prereq (2, 6) __fortify_function char * __NTH (stpncpy (char *__dest, const char *__src, size_t __n)) { - return __builtin___stpncpy_chk (__dest, __src, __n, __bos (__dest)); + return __builtin___stpncpy_chk (__dest, __src, __n, __objsize (__dest)); } #else extern char *__stpncpy_chk (char *__dest, const char *__src, size_t __n, @@ -118,7 +118,7 @@ __NTH (stpncpy (char *__dest, const char *__src, size_t __n)) __fortify_function char * __NTH (strcat (char *__restrict __dest, const char *__restrict __src)) { - return __builtin___strcat_chk (__dest, __src, __bos (__dest)); + return __builtin___strcat_chk (__dest, __src, __objsize (__dest)); } @@ -126,7 +126,7 @@ __fortify_function char * __NTH (strncat (char *__restrict __dest, const char *__restrict __src, size_t __len)) { - return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest)); + return __builtin___strncat_chk (__dest, __src, __len, __objsize (__dest)); } #endif /* bits/string_fortified.h */ diff --git a/string/bits/strings_fortified.h b/string/bits/strings_fortified.h index d4091f4f69..122199e036 100644 --- a/string/bits/strings_fortified.h +++ b/string/bits/strings_fortified.h @@ -22,13 +22,13 @@ __fortify_function void __NTH (bcopy (const void *__src, void *__dest, size_t __len)) { - (void) __builtin___memmove_chk (__dest, __src, __len, __bos0 (__dest)); + (void) __builtin___memmove_chk (__dest, __src, __len, __objsize0 (__dest)); } __fortify_function void __NTH (bzero (void *__dest, size_t __len)) { - (void) __builtin___memset_chk (__dest, '\0', __len, __bos0 (__dest)); + (void) __builtin___memset_chk (__dest, '\0', __len, __objsize0 (__dest)); } #endif