From patchwork Mon Jan 8 20:21:40 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Adhemerval Zanella Netto X-Patchwork-Id: 1883909 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=UGcJbC0S; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=2620:52:3:1:0:246e:9693:128c; helo=server2.sourceware.org; envelope-from=libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org; receiver=patchwork.ozlabs.org) Received: from server2.sourceware.org (server2.sourceware.org [IPv6:2620:52:3:1:0:246e:9693:128c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4T859W09Jtz1yP3 for ; Tue, 9 Jan 2024 07:23:27 +1100 (AEDT) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id F35373860763 for ; Mon, 8 Jan 2024 20:23:24 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pf1-x42d.google.com (mail-pf1-x42d.google.com [IPv6:2607:f8b0:4864:20::42d]) by sourceware.org (Postfix) with ESMTPS id B056C3858C42 for ; Mon, 8 Jan 2024 20:21:57 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org B056C3858C42 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org B056C3858C42 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::42d ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1704745323; cv=none; b=ZDvHbkcNowMfxJjoFFvPgVVaHI0n24IjwZVzrLl8T0JxzabwcHghAww5FQzAgSL3JGzo4X3tgksp/D3+vf0GZEwekUq4lGV92KWWWisTSFHo4LmDvNz4TU1lzYyJnzJRILirKd/pZTMCgSAto7cUSTC/SpH9mZXOa8UrTXg1Jhk= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1704745323; c=relaxed/simple; bh=OIKpXEvFULD2NWx8DJ7HCu55dEd3Vlj7+ZWGZqXC+Jw=; h=DKIM-Signature:From:To:Subject:Date:Message-Id:MIME-Version; b=qgd7TQYOS6Pd4S5o6gucs1kyP+U6evMjQnBxu8UONHFIeDW2dmU+TWt6fmX1rvdBRvVzGGMIEV7G1ga5F8KPar0SCby3mw/pr+tJ5MOhLgCs1WGL/1gkpvKmVOH7/T+7hotxL6fNJgNXoxitF6E3ZDAnI1JMe1jpllmAl1XTvg4= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-pf1-x42d.google.com with SMTP id d2e1a72fcca58-6d9b37f4804so2073422b3a.1 for ; Mon, 08 Jan 2024 12:21:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1704745316; x=1705350116; darn=sourceware.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=7dpXNmXpYSiA2Bj//iAvQ5vHtm1JSWSGNdHy1Th3iQo=; b=UGcJbC0SbODCuFlKwDpdHAOd7HM9YEkf43862EaV6xI3eHTRupRzORsVAddgl0IEes 6cAGiuKSHA6PP1To2dCT6KCv8aedeqVVmwbIuY4q72mi6w6O88N24GZ7aCDBl6/GKP97 GILB+Dycjv+dUN0MLcgEtc7Y2Mw1PDnp76dYaV34NdVerswxzChHoUMT2lpPegQKsN7x +x3L6N/rfviJVSLW/EFvnNlVBI8zLNB1sivY413v8+keB4QGWsqCxAE3dnnIQd6igIs4 z3qZuK3z0mDIVEJ7vF8Uu6x219qclMi86eAOm87MXeygq9Yl9FEseoBex7+xC8OiiEr6 ovQA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704745316; x=1705350116; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=7dpXNmXpYSiA2Bj//iAvQ5vHtm1JSWSGNdHy1Th3iQo=; b=Xtati45dKrC4SbQZpSUAdvNF3BIB6Mg/lYAvXducbP553Kb46Kc1Bo1zdVuTma2BAI f5mQ5FKc784kx+9Qz+ZSsbyAGn36Rvd+S7fCEbCI8qeeOyXaOGmhA0vV/ntxLrIXx0fd rsjbT3dO78Znn6z1C8wq1CCGobGzq4+4h8fKk+K2akrTWh9LSunHTGucM0C2gim0C2iI Amspw+lupCUOzKa9sy2r0xXTDXWG+vPfGkvEUgvrTwpm2dIYtKmHKiwtTQb0ZDWsPaII Vbg2tYXKij+efiQnRmzzzPsPFqJ+uja87L41v3nF+b++O6Io+UmkjExG+Yxj9jr56GWx ETBA== X-Gm-Message-State: AOJu0YzaPMEUA+HGUrAWcosrQrZBIMrDpXZwPiimsj8hZ6Glb7OR/ZVz 56BHqjfAgMm4DsKO0sPr3SMYQ7KMUJbaEQR8vhWb+e2xZ3I= X-Google-Smtp-Source: AGHT+IFzRgNZ1UdXD1VT93V5U/cfw00ALU5rzIZVt53ND4f3FSYXalJbE8kraodI/7Rh8DXLJ0QLaQ== X-Received: by 2002:a05:6a00:1d88:b0:6da:1d19:db46 with SMTP id z8-20020a056a001d8800b006da1d19db46mr337926pfw.34.1704745315892; Mon, 08 Jan 2024 12:21:55 -0800 (PST) Received: from mandiga.. ([2804:1b3:a7c1:9dd2:7f25:c108:2fff:5f8e]) by smtp.gmail.com with ESMTPSA id z13-20020a62d10d000000b006d9bdc0f765sm287936pfg.53.2024.01.08.12.21.54 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Jan 2024 12:21:55 -0800 (PST) From: Adhemerval Zanella To: libc-alpha@sourceware.org Subject: [PATCH v2 01/10] cdefs.h: Add clang fortify directives Date: Mon, 8 Jan 2024 17:21:40 -0300 Message-Id: <20240108202149.335305-2-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240108202149.335305-1-adhemerval.zanella@linaro.org> References: <20240108202149.335305-1-adhemerval.zanella@linaro.org> MIME-Version: 1.0 X-Spam-Status: No, score=-12.2 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org For instance, the read wrapper is currently expanded as: extern __inline __attribute__((__always_inline__)) __attribute__((__artificial__)) __attribute__((__warn_unused_result__)) ssize_t read (int __fd, void *__buf, size_t __nbytes) { return __glibc_safe_or_unknown_len (__nbytes, sizeof (char), __glibc_objsize0 (__buf)) ? __read_alias (__fd, __buf, __nbytes) : __glibc_unsafe_len (__nbytes, sizeof (char), __glibc_objsize0 (__buf)) ? __read_chk_warn (__fd, __buf, __nbytes, __builtin_object_size (__buf, 0)) : __read_chk (__fd, __buf, __nbytes, __builtin_object_size (__buf, 0)); } The wrapper relies on __builtin_object_size call lowers to a constant at compile-time and many other operations in the wrapper depends on having a single, known value for parameters. Because this is impossible to have for function parameters, the wrapper depends heavily on inlining to work and While this is an entirely viable approach on GCC, it is not fully reliable on clang. This is because by the time llvm gets to inlining and optimizing, there is a minimal reliable source and type-level information available (more information on a more deep explanation on how to fortify wrapper works on clang [1]). To allow the wrapper to work reliably and with the same functionality as with GCC, clang requires a different approach: * __attribute__((diagnose_if(c, “str”, “warning”))) which is a function level attribute; if the compiler can determine that 'c' is true at compile-time, it will emit a warning with the text 'str1'. If it would be better to emit an error, the wrapper can use "error" instead of "warning". * __attribute__((overloadable)) which is also a function-level attribute; and it allows C++-style overloading to occur on C functions. * __attribute__((pass_object_size(n))) which is a parameter-level attribute; and it makes the compiler evaluate __builtin_object_size(param, n) at each call site of the function that has the parameter, and passes it in as a hidden parameter. This attribute has two side-effects that are key to how FORTIFY works: 1. It can overload solely on pass_object_size (e.g. there are two overloads of foo in void foo(char * __attribute__((pass_object_size(0))) c); void foo(char *); (The one with pass_object_size attribute has precende over the default one). 2. A function with at least one pass_object_size parameter can never have its address taken (and overload resolution respects this). Thus the read wrapper can be implemented as follows, without hindering any fortify coverage compile and runtime: extern __inline __attribute__((__always_inline__)) __attribute__((__artificial__)) __attribute__((__overloadable__)) __attribute__((__warn_unused_result__)) ssize_t read (int __fd, void *const __attribute__((pass_object_size (0))) __buf, size_t __nbytes) __attribute__((__diagnose_if__ ((((__builtin_object_size (__buf, 0)) != -1ULL && (__nbytes) > (__builtin_object_size (__buf, 0)) / (1))), "read called with bigger length than size of the destination buffer", "warning"))) { return (__builtin_object_size (__buf, 0) == (size_t) -1) ? __read_alias (__fd, __buf, __nbytes) : __read_chk (__fd, __buf, __nbytes, __builtin_object_size (__buf, 0)); } To avoid changing the current semantic for GCC, a set of macros is defined to enable the clang required attributes, along with some changes on internal macros to avoid the need to issue the symbol_chk symbols (which are done through the __diagnose_if__ attribute for clang). The read wrapper is simplified as: __fortify_function __attribute_overloadable__ __wur ssize_t read (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), size_t __nbytes) __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf, "read called with bigger length than " "size of the destination buffer") { return __glibc_fortify (read, __nbytes, sizeof (char), __glibc_objsize0 (__buf), __fd, __buf, __nbytes); } There is no expected semantic or code change when using GCC. Also, clang does not support __va_arg_pack, so variadic functions are expanded to call va_arg implementations. The error function must not have bodies (address takes are expanded to nonfortified calls), and with the __fortify_function compiler might still create a body with the C++ mangling name (due to the overload attribute). In this case, the function is defined with __fortify_function_error_function macro instead. [1] https://docs.google.com/document/d/1DFfZDICTbL7RqS74wJVIJ-YnjQOj1SaoqfhbgddFYSM/edit Checked on aarch64, armhf, x86_64, and i686. --- misc/sys/cdefs.h | 151 ++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 149 insertions(+), 2 deletions(-) diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h index 520231dbea..62507044c8 100644 --- a/misc/sys/cdefs.h +++ b/misc/sys/cdefs.h @@ -145,6 +145,14 @@ #endif +/* The overloadable attribute was added on clang 2.6. */ +#if defined __clang_major__ \ + && (__clang_major__ + (__clang_minor__ >= 6) > 2) +# define __attribute_overloadable__ __attribute__((__overloadable__)) +#else +# define __attribute_overloadable__ +#endif + /* Fortify support. */ #define __bos(ptr) __builtin_object_size (ptr, __USE_FORTIFY_LEVEL > 1) #define __bos0(ptr) __builtin_object_size (ptr, 0) @@ -187,27 +195,166 @@ __s, __osz)) \ && !__glibc_safe_len_cond ((__SIZE_TYPE__) (__l), __s, __osz)) +/* To correctly instrument the fortify wrapper clang requires the + pass_object_size attribute, and the attribute has the restriction that the + argument needs to be 'const'. Furthermore, to make it usable with C + interfaces, clang provides the overload attribute, which provides a C++ + like function overload support. The overloaded fortify wrapper with the + pass_object_size attribute has precedence over the default symbol. + + Also, clang does not support __va_arg_pack, so variadic functions are + expanded to issue va_arg implementations. The error function must not have + bodies (address takes are expanded to nonfortified calls), and with + __fortify_function compiler might still create a body with the C++ + mangling name (due to the overload attribute). In this case, the function + is defined with __fortify_function_error_function macro instead. + + The argument size check is also done with a clang-only attribute, + __attribute__ ((__diagnose_if__ (...))), different than gcc which calls + symbol_chk_warn alias with uses __warnattr attribute. + + The pass_object_size was added on clang 4.0, __diagnose_if__ on 5.0, + and pass_dynamic_object_size on 9.0. */ +#if defined __clang_major__ && __clang_major__ >= 5 +# define __fortify_use_clang 1 + +# define __fortify_function_error_function static __attribute__((__unused__)) + +# define __fortify_clang_pass_object_size_n(n) \ + __attribute__ ((__pass_object_size__ (n))) +# define __fortify_clang_pass_object_size0 \ + __fortify_clang_pass_object_size_n (0) +# define __fortify_clang_pass_object_size \ + __fortify_clang_pass_object_size_n (__USE_FORTIFY_LEVEL > 1) + +# if __clang_major__ >= 9 +# define __fortify_clang_pass_dynamic_object_size_n(n) \ + __attribute__ ((__pass_dynamic_object_size__ (n))) +# define __fortify_clang_pass_dynamic_object_size0 \ + __fortify_clang_pass_dynamic_object_size_n (0) +# define __fortify_clang_pass_dynamic_object_size \ + __fortify_clang_pass_dynamic_object_size_n (1) +# else +# define __fortify_clang_pass_dynamic_object_size_n(n) +# define __fortify_clang_pass_dynamic_object_size0 +# define __fortify_clang_pass_dynamic_object_size +# endif + +# define __fortify_clang_bos_static_lt_impl(bos_val, n, s) \ + ((bos_val) != -1ULL && (n) > (bos_val) / (s)) +# define __fortify_clang_bos_static_lt2(__n, __e, __s) \ + __fortify_clang_bos_static_lt_impl (__bos (__e), __n, __s) +# define __fortify_clang_bos_static_lt(__n, __e) \ + __fortify_clang_bos_static_lt2 (__n, __e, 1) +# define __fortify_clang_bos0_static_lt2(__n, __e, __s) \ + __fortify_clang_bos_static_lt_impl (__bos0 (__e), __n, __s) +# define __fortify_clang_bos0_static_lt(__n, __e) \ + __fortify_clang_bos0_static_lt2 (__n, __e, 1) + +# define __fortify_clang_bosn_args(bos_fn, n, buf, div, complaint) \ + (__fortify_clang_bos_static_lt_impl (bos_fn (buf), n, div)), (complaint), \ + "warning" + +# define __fortify_clang_warning(__c, __msg) \ + __attribute__ ((__diagnose_if__ ((__c), (__msg), "warning"))) +# define __fortify_clang_warning_only_if_bos0_lt(n, buf, complaint) \ + __attribute__ ((__diagnose_if__ \ + (__fortify_clang_bosn_args (__bos0, n, buf, 1, complaint)))) +# define __fortify_clang_warning_only_if_bos0_lt2(n, buf, div, complaint) \ + __attribute__ ((__diagnose_if__ \ + (__fortify_clang_bosn_args (__bos0, n, buf, div, complaint)))) +# define __fortify_clang_warning_only_if_bos_lt(n, buf, complaint) \ + __attribute__ ((__diagnose_if__ \ + (__fortify_clang_bosn_args (__bos, n, buf, 1, complaint)))) +# define __fortify_clang_warning_only_if_bos_lt2(n, buf, div, complaint) \ + __attribute__ ((__diagnose_if__ \ + (__fortify_clang_bosn_args (__bos, n, buf, div, complaint)))) + +# if __USE_FORTIFY_LEVEL == 3 +# define __fortify_clang_overload_arg(__type, __attr, __name) \ + __type __attr const __fortify_clang_pass_dynamic_object_size __name +# define __fortify_clang_overload_arg0(__type, __attr, __name) \ + __type __attr const __fortify_clang_pass_dynamic_object_size0 __name +# else +# define __fortify_clang_overload_arg(__type, __attr, __name) \ + __type __attr const __fortify_clang_pass_object_size __name +# define __fortify_clang_overload_arg0(__type, __attr, __name) \ + __type __attr const __fortify_clang_pass_object_size0 __name +# endif + +# define __fortify_clang_mul_may_overflow(size, n) \ + ((size | n) >= (((size_t)1) << (8 * sizeof (size_t) / 2))) + +# define __fortify_clang_size_too_small(__bos, __dest, __len) \ + (__bos (__dest) != (size_t) -1 && __bos (__dest) < __len) +# define __fortify_clang_warn_if_src_too_large(__dest, __src) \ + __fortify_clang_warning (__fortify_clang_size_too_small (__glibc_objsize, \ + __dest, \ + __builtin_strlen (__src) + 1), \ + "destination buffer will always be overflown by source") +# define __fortify_clang_warn_if_dest_too_small(__dest, __len) \ + __fortify_clang_warning (__fortify_clang_size_too_small (__glibc_objsize, \ + __dest, \ + __len), \ + "function called with bigger length than the destination buffer") +# define __fortify_clang_warn_if_dest_too_small0(__dest, __len) \ + __fortify_clang_warning (__fortify_clang_size_too_small (__glibc_objsize0, \ + __dest, \ + __len), \ + "function called with bigger length than the destination buffer") +#else +# define __fortify_use_clang 0 +# define __fortify_clang_warning(__c, __msg) +# define __fortify_clang_warning_only_if_bos0_lt(__n, __buf, __complaint) +# define __fortify_clang_warning_only_if_bos0_lt2(__n, __buf, __div, complaint) +# define __fortify_clang_warning_only_if_bos_lt(__n, __buf, __complaint) +# define __fortify_clang_warning_only_if_bos_lt2(__n, __buf, div, __complaint) +# define __fortify_clang_overload_arg(__type, __attr, __name) \ + __type __attr __name +# define __fortify_clang_overload_arg0(__type, __attr, __name) \ + __fortify_clang_overload_arg (__type, __attr, __name) +# define __fortify_clang_warn_if_src_too_large(__dest, __src) +# define __fortify_clang_warn_if_dest_too_small(__dest, __len) +# define __fortify_clang_warn_if_dest_too_small0(__dest, __len) +#endif + + /* Fortify function f. __f_alias, __f_chk and __f_chk_warn must be declared. */ -#define __glibc_fortify(f, __l, __s, __osz, ...) \ +#if !__fortify_use_clang +# define __glibc_fortify(f, __l, __s, __osz, ...) \ (__glibc_safe_or_unknown_len (__l, __s, __osz) \ ? __ ## f ## _alias (__VA_ARGS__) \ : (__glibc_unsafe_len (__l, __s, __osz) \ ? __ ## f ## _chk_warn (__VA_ARGS__, __osz) \ : __ ## f ## _chk (__VA_ARGS__, __osz))) +#else +# define __glibc_fortify(f, __l, __s, __osz, ...) \ + (__osz == (__SIZE_TYPE__) -1) \ + ? __ ## f ## _alias (__VA_ARGS__) \ + : __ ## f ## _chk (__VA_ARGS__, __osz) +#endif /* Fortify function f, where object size argument passed to f is the number of elements and not total size. */ -#define __glibc_fortify_n(f, __l, __s, __osz, ...) \ +#if !__fortify_use_clang +# define __glibc_fortify_n(f, __l, __s, __osz, ...) \ (__glibc_safe_or_unknown_len (__l, __s, __osz) \ ? __ ## f ## _alias (__VA_ARGS__) \ : (__glibc_unsafe_len (__l, __s, __osz) \ ? __ ## f ## _chk_warn (__VA_ARGS__, (__osz) / (__s)) \ : __ ## f ## _chk (__VA_ARGS__, (__osz) / (__s)))) +# else +# define __glibc_fortify_n(f, __l, __s, __osz, ...) \ + (__osz == (__SIZE_TYPE__) -1) \ + ? __ ## f ## _alias (__VA_ARGS__) \ + : __ ## f ## _chk (__VA_ARGS__, (__osz) / (__s)) #endif +#endif /* __USE_FORTIFY_LEVEL > 0 */ + #if __GNUC_PREREQ (4,3) # define __warnattr(msg) __attribute__((__warning__ (msg))) # define __errordecl(name, msg) \ From patchwork Mon Jan 8 20:21:41 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella Netto X-Patchwork-Id: 1883912 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=bRkZdD3D; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=8.43.85.97; helo=server2.sourceware.org; envelope-from=libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org; receiver=patchwork.ozlabs.org) Received: from server2.sourceware.org (server2.sourceware.org [8.43.85.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4T85BP5wkqz1yP3 for ; Tue, 9 Jan 2024 07:24:13 +1100 (AEDT) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 8B7933861806 for ; Mon, 8 Jan 2024 20:24:11 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) by sourceware.org (Postfix) with ESMTPS id 6598C3858C62 for ; Mon, 8 Jan 2024 20:21:59 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 6598C3858C62 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 6598C3858C62 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::632 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1704745323; cv=none; b=n0+1hxCcQrRQHpZyVbbhNXxbYLPlhqgASUTqZ05uln6diwq8PBjYAyczjd+7DUnG5f+O3FE3wvBr5hzVD/eQigkrKu0N6bTv2bIqpOKEjifcSLf1h2/d3xv1kVLL4SHOCgP9NCQPOKHrNPrMWZvniOquZQHK8YjCRaOcvy/99b4= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1704745323; c=relaxed/simple; bh=UW2Rm8qycmoPh/CPPT/OvEin5JYSSRrqTF2T32u+AeA=; h=DKIM-Signature:From:To:Subject:Date:Message-Id:MIME-Version; b=xh8d4xoQRSz+12xd/jz7b2snUp5wPygv13h4id/LBp20eMtNWj/3mk7hxNq95wmlrgrlo/9IZ2U1uOVBQcmSf8yF+MCP9+oBJ+mxrS4w7P3E2XMf/7A45NH8Hvq9tzsMEBMYV7i2kgn3pO2gIQCHPiK0qac+Ytis2vhA4hNf19A= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-pl1-x632.google.com with SMTP id d9443c01a7336-1d3e2972f65so5463325ad.3 for ; Mon, 08 Jan 2024 12:21:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1704745318; x=1705350118; darn=sourceware.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=qKbDKACVNAJOvvfZ+/vbTcF+L69TWgVj8h9FrpzXxDo=; b=bRkZdD3DalnYOoiZ+JCxO8Ks6TENhmsPfS+4h/3NrMCB1Nhs+rINrvrsAcsvEAmMTf oiwosN2/vx0CZo7ASoYslgOhhLMPwWPyTYvyVhqkgmRByiMJPtzL6lboYudmNUg/TUiG LkdiABO3jQnum3NY5tD9svZZTNyobAgTo6J0m+wwPF5vULLBz+6tPLev1wnfJHrq+U0Z RI49/shsME83ih7/CY0O71bYTup8M4MWHlNaUhIa0zQiYUD1KpCXGpqzfHf12kh1vk2a v8Wn6dPpaJTsDAjyu+GZcgYq2AjWuGsIV7do6g78hI0ylWiK0Z6xcrybibfZ+I033jac fOiQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704745318; x=1705350118; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=qKbDKACVNAJOvvfZ+/vbTcF+L69TWgVj8h9FrpzXxDo=; b=P34lN9m8fKL30bOSKkTblk1pke1Oxq6R5mTxcIvo7hcI49p2Y4gcFX9W0lAm4LySMU HMb1Nv4MjtVErrgP64mQVL18+xftNXcXAKChiDpJV2J+nFO/6fcccyXYTvOP/1U7Fv2v x4s8t5BmpYrlxWpn8tbkXhtjt5PtXuH2mxkYIgG5lOwl4huAhnDDdSJihf9+sHqU29gk bALgKnDa/U/WmRS+d7vJO9xxv8S7pKtUlwavqBJZkvrvINC7L+H21cYs4j99rOi9iGSK hPCpy9MGr3L5qlguX6LPPfCJmEGGnAlqpB5thTjYXuS0YsrBeFWRu3w0GLa40e8B3Etl y1Rw== X-Gm-Message-State: AOJu0YxHdFostk3hWyT+bAPfTFKr+MztnO8jfETn38srQTbF4PYMsWGU gj3uV6I6ek/TYTgPuQcAR5VWBJCePT+CkjkGTJE0U+Xs85Y= X-Google-Smtp-Source: AGHT+IGeNhkE/y5PX6/8PFOW8VuwsVb9NY9TBXlNCSTwlgVMfNfW2d7JYzZdDqcC33KdecDeaKqHTw== X-Received: by 2002:a17:902:768c:b0:1d4:4a30:1a82 with SMTP id m12-20020a170902768c00b001d44a301a82mr1681377pll.96.1704745317732; Mon, 08 Jan 2024 12:21:57 -0800 (PST) Received: from mandiga.. ([2804:1b3:a7c1:9dd2:7f25:c108:2fff:5f8e]) by smtp.gmail.com with ESMTPSA id z13-20020a62d10d000000b006d9bdc0f765sm287936pfg.53.2024.01.08.12.21.56 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Jan 2024 12:21:56 -0800 (PST) From: Adhemerval Zanella To: libc-alpha@sourceware.org Subject: [PATCH v2 02/10] libio: Improve fortify with clang Date: Mon, 8 Jan 2024 17:21:41 -0300 Message-Id: <20240108202149.335305-3-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240108202149.335305-1-adhemerval.zanella@linaro.org> References: <20240108202149.335305-1-adhemerval.zanella@linaro.org> MIME-Version: 1.0 X-Spam-Status: No, score=-12.3 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org It improve fortify checks for sprintf, vsprintf, vsnsprintf, fprintf, dprintf, asprintf, __asprintf, obstack_printf, gets, fgets, fgets_unlocked, fread, and fread_unlocked. The runtime checks have similar support coverage as with GCC. For function with variadic argument (sprintf, snprintf, fprintf, printf, dprintf, asprintf, __asprintf, obstack_printf) the fortify wrapper calls the va_arg version since clang does not support __va_arg_pack. Checked on aarch64, armhf, x86_64, and i686. --- libio/bits/stdio2.h | 173 +++++++++++++++++++++++++++++++++++++++----- 1 file changed, 153 insertions(+), 20 deletions(-) diff --git a/libio/bits/stdio2.h b/libio/bits/stdio2.h index f9e8d37610..91a80dd7c6 100644 --- a/libio/bits/stdio2.h +++ b/libio/bits/stdio2.h @@ -31,15 +31,29 @@ __NTH (sprintf (char *__restrict __s, const char *__restrict __fmt, ...)) __glibc_objsize (__s), __fmt, __va_arg_pack ()); } +#elif __fortify_use_clang +/* clang does not have __va_arg_pack, so defer to va_arg version. */ +__fortify_function_error_function __attribute_overloadable__ int +__NTH (sprintf (__fortify_clang_overload_arg (char *, __restrict, __s), + const char *__restrict __fmt, ...)) +{ + __gnuc_va_list __fortify_ap; + __builtin_va_start (__fortify_ap, __fmt); + int __r = __builtin___vsprintf_chk (__s, __USE_FORTIFY_LEVEL - 1, + __glibc_objsize (__s), __fmt, + __fortify_ap); + __builtin_va_end (__fortify_ap); + return __r; +} #elif !defined __cplusplus # define sprintf(str, ...) \ __builtin___sprintf_chk (str, __USE_FORTIFY_LEVEL - 1, \ __glibc_objsize (str), __VA_ARGS__) #endif -__fortify_function int -__NTH (vsprintf (char *__restrict __s, const char *__restrict __fmt, - __gnuc_va_list __ap)) +__fortify_function __attribute_overloadable__ int +__NTH (vsprintf (__fortify_clang_overload_arg (char *, __restrict, __s), + const char *__restrict __fmt, __gnuc_va_list __ap)) { return __builtin___vsprintf_chk (__s, __USE_FORTIFY_LEVEL - 1, __glibc_objsize (__s), __fmt, __ap); @@ -55,15 +69,33 @@ __NTH (snprintf (char *__restrict __s, size_t __n, __glibc_objsize (__s), __fmt, __va_arg_pack ()); } +# elif __fortify_use_clang +/* clang does not have __va_arg_pack, so defer to va_arg version. */ +__fortify_function_error_function __attribute_overloadable__ int +__NTH (snprintf (__fortify_clang_overload_arg (char *, __restrict, __s), + size_t __n, const char *__restrict __fmt, ...)) +{ + __gnuc_va_list __fortify_ap; + __builtin_va_start (__fortify_ap, __fmt); + int __r = __builtin___vsnprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1, + __glibc_objsize (__s), __fmt, + __fortify_ap); + __builtin_va_end (__fortify_ap); + return __r; +} # elif !defined __cplusplus # define snprintf(str, len, ...) \ __builtin___snprintf_chk (str, len, __USE_FORTIFY_LEVEL - 1, \ __glibc_objsize (str), __VA_ARGS__) # endif -__fortify_function int -__NTH (vsnprintf (char *__restrict __s, size_t __n, - const char *__restrict __fmt, __gnuc_va_list __ap)) +__fortify_function __attribute_overloadable__ int +__NTH (vsnprintf (__fortify_clang_overload_arg (char *, __restrict, __s), + size_t __n, const char *__restrict __fmt, + __gnuc_va_list __ap)) + __fortify_clang_warning (__fortify_clang_bos_static_lt (__n, __s), + "call to vsnprintf may overflow the destination " + "buffer") { return __builtin___vsnprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1, __glibc_objsize (__s), __fmt, __ap); @@ -85,6 +117,30 @@ printf (const char *__restrict __fmt, ...) { return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ()); } +# elif __fortify_use_clang +/* clang does not have __va_arg_pack, so defer to va_arg version. */ +__fortify_function_error_function __attribute_overloadable__ __nonnull ((1)) int +fprintf (__fortify_clang_overload_arg (FILE *, __restrict, __stream), + const char *__restrict __fmt, ...) +{ + __gnuc_va_list __fortify_ap; + __builtin_va_start (__fortify_ap, __fmt); + int __r = __builtin___vfprintf_chk (__stream, __USE_FORTIFY_LEVEL - 1, + __fmt, __fortify_ap); + __builtin_va_end (__fortify_ap); + return __r; +} + +__fortify_function_error_function __attribute_overloadable__ int +printf (__fortify_clang_overload_arg (const char *, __restrict, __fmt), ...) +{ + __gnuc_va_list __fortify_ap; + __builtin_va_start (__fortify_ap, __fmt); + int __r = __builtin___vprintf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, + __fortify_ap); + __builtin_va_end (__fortify_ap); + return __r; +} # elif !defined __cplusplus # define printf(...) \ __printf_chk (__USE_FORTIFY_LEVEL - 1, __VA_ARGS__) @@ -92,8 +148,9 @@ printf (const char *__restrict __fmt, ...) __fprintf_chk (stream, __USE_FORTIFY_LEVEL - 1, __VA_ARGS__) # endif -__fortify_function int -vprintf (const char *__restrict __fmt, __gnuc_va_list __ap) +__fortify_function __attribute_overloadable__ int +vprintf (__fortify_clang_overload_arg (const char *, __restrict, __fmt), + __gnuc_va_list __ap) { #ifdef __USE_EXTERN_INLINES return __vfprintf_chk (stdout, __USE_FORTIFY_LEVEL - 1, __fmt, __ap); @@ -117,6 +174,18 @@ dprintf (int __fd, const char *__restrict __fmt, ...) return __dprintf_chk (__fd, __USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ()); } +# elif __fortify_use_clang +__fortify_function_error_function __attribute_overloadable__ int +dprintf (int __fd, __fortify_clang_overload_arg (const char *, __restrict, + __fmt), ...) +{ + __gnuc_va_list __fortify_ap; + __builtin_va_start (__fortify_ap, __fmt); + int __r = __vdprintf_chk (__fd, __USE_FORTIFY_LEVEL - 1, __fmt, + __fortify_ap); + __builtin_va_end (__fortify_ap); + return __r; +} # elif !defined __cplusplus # define dprintf(fd, ...) \ __dprintf_chk (fd, __USE_FORTIFY_LEVEL - 1, __VA_ARGS__) @@ -153,6 +222,43 @@ __NTH (obstack_printf (struct obstack *__restrict __obstack, return __obstack_printf_chk (__obstack, __USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ()); } +# elif __fortify_use_clang +__fortify_function_error_function __attribute_overloadable__ int +__NTH (asprintf (__fortify_clang_overload_arg (char **, __restrict, __ptr), + const char *__restrict __fmt, ...)) +{ + __gnuc_va_list __fortify_ap; + __builtin_va_start (__fortify_ap, __fmt); + int __r = __vasprintf_chk (__ptr, __USE_FORTIFY_LEVEL - 1, __fmt, + __fortify_ap); + __builtin_va_end (__fortify_ap); + return __r; +} + +__fortify_function_error_function __attribute_overloadable__ int +__NTH (__asprintf (__fortify_clang_overload_arg (char **, __restrict, __ptr), + const char *__restrict __fmt, ...)) +{ + __gnuc_va_list __fortify_ap; + __builtin_va_start (__fortify_ap, __fmt); + int __r = __vasprintf_chk (__ptr, __USE_FORTIFY_LEVEL - 1, __fmt, + __fortify_ap); + __builtin_va_end (__fortify_ap); + return __r; +} + +__fortify_function_error_function __attribute_overloadable__ int +__NTH (obstack_printf (__fortify_clang_overload_arg (struct obstack *, + __restrict, __obstack), + const char *__restrict __fmt, ...)) +{ + __gnuc_va_list __fortify_ap; + __builtin_va_start (__fortify_ap, __fmt); + int __r = __obstack_vprintf_chk (__obstack, __USE_FORTIFY_LEVEL - 1, + __fmt, __fortify_ap); + __builtin_va_end (__fortify_ap); + return __r; +} # elif !defined __cplusplus # define asprintf(ptr, ...) \ __asprintf_chk (ptr, __USE_FORTIFY_LEVEL - 1, __VA_ARGS__) @@ -182,8 +288,11 @@ __NTH (obstack_vprintf (struct obstack *__restrict __obstack, #endif #if __GLIBC_USE (DEPRECATED_GETS) -__fortify_function __wur char * -gets (char *__str) +__fortify_function __wur __attribute_overloadable__ char * +gets (__fortify_clang_overload_arg (char *, , __str)) + __fortify_clang_warning (__glibc_objsize (__str) == (size_t) -1, + "please use fgets or getline instead, gets " + "can not specify buffer size") { if (__glibc_objsize (__str) != (size_t) -1) return __gets_chk (__str, __glibc_objsize (__str)); @@ -192,48 +301,70 @@ gets (char *__str) #endif __fortify_function __wur __fortified_attr_access (__write_only__, 1, 2) -__nonnull ((3)) char * -fgets (char *__restrict __s, int __n, FILE *__restrict __stream) +__nonnull ((3)) __attribute_overloadable__ char * +fgets (__fortify_clang_overload_arg (char *, __restrict, __s), int __n, + FILE *__restrict __stream) + __fortify_clang_warning (__fortify_clang_bos_static_lt (__n, __s) && __n > 0, + "fgets called with bigger size than length of " + "destination buffer") { size_t sz = __glibc_objsize (__s); if (__glibc_safe_or_unknown_len (__n, sizeof (char), sz)) return __fgets_alias (__s, __n, __stream); +#if !__fortify_use_clang if (__glibc_unsafe_len (__n, sizeof (char), sz)) return __fgets_chk_warn (__s, sz, __n, __stream); +#endif return __fgets_chk (__s, sz, __n, __stream); } -__fortify_function __wur __nonnull ((4)) size_t -fread (void *__restrict __ptr, size_t __size, size_t __n, - FILE *__restrict __stream) +__fortify_function __wur __nonnull ((4)) __attribute_overloadable__ size_t +fread (__fortify_clang_overload_arg (void *, __restrict, __ptr), + size_t __size, size_t __n, FILE *__restrict __stream) + __fortify_clang_warning (__fortify_clang_bos0_static_lt (__size * __n, __ptr) + && !__fortify_clang_mul_may_overflow (__size, __n), + "fread called with bigger size * n than length " + "of destination buffer") { size_t sz = __glibc_objsize0 (__ptr); if (__glibc_safe_or_unknown_len (__n, __size, sz)) return __fread_alias (__ptr, __size, __n, __stream); +#if !__fortify_use_clang if (__glibc_unsafe_len (__n, __size, sz)) return __fread_chk_warn (__ptr, sz, __size, __n, __stream); +#endif return __fread_chk (__ptr, sz, __size, __n, __stream); } #ifdef __USE_GNU __fortify_function __wur __fortified_attr_access (__write_only__, 1, 2) -__nonnull ((3)) char * -fgets_unlocked (char *__restrict __s, int __n, FILE *__restrict __stream) +__nonnull ((3)) __attribute_overloadable__ char * +fgets_unlocked (__fortify_clang_overload_arg (char *, __restrict, __s), + int __n, FILE *__restrict __stream) + __fortify_clang_warning (__fortify_clang_bos_static_lt (__n, __s) && __n > 0, + "fgets called with bigger size than length of " + "destination buffer") { size_t sz = __glibc_objsize (__s); if (__glibc_safe_or_unknown_len (__n, sizeof (char), sz)) return __fgets_unlocked_alias (__s, __n, __stream); +#if !__fortify_use_clang if (__glibc_unsafe_len (__n, sizeof (char), sz)) return __fgets_unlocked_chk_warn (__s, sz, __n, __stream); +#endif return __fgets_unlocked_chk (__s, sz, __n, __stream); } #endif #ifdef __USE_MISC # undef fread_unlocked -__fortify_function __wur __nonnull ((4)) size_t -fread_unlocked (void *__restrict __ptr, size_t __size, size_t __n, - FILE *__restrict __stream) +__fortify_function __wur __nonnull ((4)) __attribute_overloadable__ size_t +fread_unlocked (__fortify_clang_overload_arg0 (void *, __restrict, __ptr), + size_t __size, size_t __n, FILE *__restrict __stream) + __fortify_clang_warning (__fortify_clang_bos0_static_lt (__size * __n, __ptr) + && !__fortify_clang_mul_may_overflow (__size, __n), + "fread_unlocked called with bigger size * n than " + "length of destination buffer") { size_t sz = __glibc_objsize0 (__ptr); if (__glibc_safe_or_unknown_len (__n, __size, sz)) @@ -261,8 +392,10 @@ fread_unlocked (void *__restrict __ptr, size_t __size, size_t __n, # endif return __fread_unlocked_alias (__ptr, __size, __n, __stream); } +# if !__fortify_use_clang if (__glibc_unsafe_len (__n, __size, sz)) return __fread_unlocked_chk_warn (__ptr, sz, __size, __n, __stream); +# endif return __fread_unlocked_chk (__ptr, sz, __size, __n, __stream); } From patchwork Mon Jan 8 20:21:42 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella Netto X-Patchwork-Id: 1883905 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=CUmeb3La; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=8.43.85.97; helo=server2.sourceware.org; envelope-from=libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org; receiver=patchwork.ozlabs.org) Received: from server2.sourceware.org (server2.sourceware.org [8.43.85.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4T858p0zbCz1yP3 for ; Tue, 9 Jan 2024 07:22:50 +1100 (AEDT) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 0F142385E446 for ; Mon, 8 Jan 2024 20:22:48 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pf1-x431.google.com (mail-pf1-x431.google.com [IPv6:2607:f8b0:4864:20::431]) by sourceware.org (Postfix) with ESMTPS id 0207C3858C2C for ; Mon, 8 Jan 2024 20:22:00 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 0207C3858C2C Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 0207C3858C2C Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::431 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1704745324; cv=none; b=anRU6/kwTzSbvCFQoQ0evz2Ic1EpM+sk10cZcqHiaqr7MOo2q4S12ZhhGXLnGvANxvyXhY6sjbR7B8vCxY36F7+5eiq+xy2QSEoCTsuNOFcD+CLD2TlPlX9rd2YgfropyfegytLwsBy74zOo1oHoXC24Gieg+W7h5QeNDEGo0zU= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1704745324; c=relaxed/simple; bh=Y92yiU0VNaIJHdyTradk6VcH0pN+frH5YWjwm3UveQc=; h=DKIM-Signature:From:To:Subject:Date:Message-Id:MIME-Version; b=r3R55R/Qh8GkEuFM2eTAqe2N7R3pL44Y8ArJ4nQekd0fGw5NdAV2pXL0Ni7Q2UBqWSCjqkb1CH13Dr24xHV7BNjChZVQKR8MOatJQJqRcjogJn+FHkS+ziljzqXd8fPpQ+QV1C+Lk1xl0GS+UGMvq8wXfIgpeuBuXwbiUf71Tp4= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-pf1-x431.google.com with SMTP id d2e1a72fcca58-6d9bee259c5so1145071b3a.1 for ; Mon, 08 Jan 2024 12:22:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1704745319; x=1705350119; darn=sourceware.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=DAbnqmVvxJ2qaueylYzIa9RxY26OjdD8tznagCXqGC4=; b=CUmeb3LaRNRs5gtzrZbp4rwavp3zkhBxbvXPSXgMsWA96VsF+itNAbaCo1KzWTukGy cGuC5bsEFg7YUvWfp/BMQcJJJPp+T4E+ixYaxa0ugcOMw5LzR6Qzi8X97oMBpKSEd1s6 6lADRTfJmqJ4DMk30kdpQRTzfchE72QtgQ1imXRi7cyzd+O0k9xbTxBH9cWPU+G39sd0 MuNNxaMYZYhzYeot2Clk9l2dNwJlW0HIiAQY6vEXlIHjeTVcMNHzttZvhls/efBW4z99 2zIeb1XwI1kjwcO1h8tQ2HNIQQMHoX3QXCC16tzld1YuI7PPhnkcFqtkbeNbyF/qoW1l LpQA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704745319; x=1705350119; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=DAbnqmVvxJ2qaueylYzIa9RxY26OjdD8tznagCXqGC4=; b=fZ0F68YVDOABRjIQxx8FCu7YEyGtidrhgadXpN89jjA/OPyEMDw4CiICWEM3cdE3Ny MdauolrQx7cdjEjYlql4Qb1czQKO1/OVcu8f6kN5JYQBwCm/TwBCruvfDf7LtCpAzt3L VEKlR5xHkdFso0uonZuo8Lv1fVnANhY2uW88RwmVALKAR5UI8G7GXqh+BHZZE55sxmFu Ei4cjL02a5WNbVY96qDj97isHn5TTInRt8sHZpVkj+vS26SDkkDZfi7dShHLwsLdQU/t SiU4CmwaPhi+O2fRZUCHG90O8Lfe8TYvXhT+EIWghMJ0Vm9klIlG3KGP1s0paVseLHng ZiXQ== X-Gm-Message-State: AOJu0YyMXV/g4fItUuZqhvh1p7amTwsxskWomeMAdQflCFOvfsMCjL5h t7PcU5wUXi1RcML5Zi9mEV//vhF25ihOpYuRYShP45ndAYM= X-Google-Smtp-Source: AGHT+IG7AxCYUltrksi4P7dARvjgWdjtDPJWFptTpj10wqokIRssCUji0Kf8REAisEnc4KxcQa8/4A== X-Received: by 2002:aa7:8887:0:b0:6d9:bc39:e5ac with SMTP id z7-20020aa78887000000b006d9bc39e5acmr2103041pfe.6.1704745319545; Mon, 08 Jan 2024 12:21:59 -0800 (PST) Received: from mandiga.. ([2804:1b3:a7c1:9dd2:7f25:c108:2fff:5f8e]) by smtp.gmail.com with ESMTPSA id z13-20020a62d10d000000b006d9bdc0f765sm287936pfg.53.2024.01.08.12.21.58 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Jan 2024 12:21:58 -0800 (PST) From: Adhemerval Zanella To: libc-alpha@sourceware.org Subject: [PATCH v2 03/10] string: Improve fortify with clang Date: Mon, 8 Jan 2024 17:21:42 -0300 Message-Id: <20240108202149.335305-4-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240108202149.335305-1-adhemerval.zanella@linaro.org> References: <20240108202149.335305-1-adhemerval.zanella@linaro.org> MIME-Version: 1.0 X-Spam-Status: No, score=-12.4 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org It improve fortify checks for strcpy, stpcpy, strncpy, stpncpy, strcat, strncat, strlcpy, and strlcat. The runtime and compile checks have similar coverage as with GCC. Checked on aarch64, armhf, x86_64, and i686. --- string/bits/string_fortified.h | 57 +++++++++++++++++++++------------- 1 file changed, 35 insertions(+), 22 deletions(-) diff --git a/string/bits/string_fortified.h b/string/bits/string_fortified.h index e0714f794c..83b80184a8 100644 --- a/string/bits/string_fortified.h +++ b/string/bits/string_fortified.h @@ -73,24 +73,29 @@ __NTH (explicit_bzero (void *__dest, size_t __len)) } #endif -__fortify_function char * -__NTH (strcpy (char *__restrict __dest, const char *__restrict __src)) +__fortify_function __attribute_overloadable__ char * +__NTH (strcpy (__fortify_clang_overload_arg (char *, __restrict, __dest), + const char *__restrict __src)) + __fortify_clang_warn_if_src_too_large (__dest, __src) { return __builtin___strcpy_chk (__dest, __src, __glibc_objsize (__dest)); } #ifdef __USE_XOPEN2K8 -__fortify_function char * -__NTH (stpcpy (char *__restrict __dest, const char *__restrict __src)) +__fortify_function __attribute_overloadable__ char * +__NTH (stpcpy (__fortify_clang_overload_arg (char *, __restrict, __dest), + const char *__restrict __src)) + __fortify_clang_warn_if_src_too_large (__dest, __src) { return __builtin___stpcpy_chk (__dest, __src, __glibc_objsize (__dest)); } #endif -__fortify_function char * -__NTH (strncpy (char *__restrict __dest, const char *__restrict __src, - size_t __len)) +__fortify_function __attribute_overloadable__ char * +__NTH (strncpy (__fortify_clang_overload_arg (char *, __restrict, __dest), + const char *__restrict __src, size_t __len)) + __fortify_clang_warn_if_dest_too_small (__dest, __len) { return __builtin___strncpy_chk (__dest, __src, __len, __glibc_objsize (__dest)); @@ -98,8 +103,10 @@ __NTH (strncpy (char *__restrict __dest, const char *__restrict __src, #ifdef __USE_XOPEN2K8 # if __GNUC_PREREQ (4, 7) || __glibc_clang_prereq (2, 6) -__fortify_function char * -__NTH (stpncpy (char *__dest, const char *__src, size_t __n)) +__fortify_function __attribute_overloadable__ char * +__NTH (stpncpy (__fortify_clang_overload_arg (char *, ,__dest), + const char *__src, size_t __n)) + __fortify_clang_warn_if_dest_too_small (__dest, __n) { return __builtin___stpncpy_chk (__dest, __src, __n, __glibc_objsize (__dest)); @@ -112,8 +119,9 @@ extern char *__stpncpy_chk (char *__dest, const char *__src, size_t __n, extern char *__REDIRECT_NTH (__stpncpy_alias, (char *__dest, const char *__src, size_t __n), stpncpy); -__fortify_function char * -__NTH (stpncpy (char *__dest, const char *__src, size_t __n)) +__fortify_function __attribute_overloadable__ char * +__NTH (stpncpy (__fortify_clang_overload_arg (char *, ,__dest), + const char *__src, size_t __n)) { if (__bos (__dest) != (size_t) -1 && (!__builtin_constant_p (__n) || __n > __bos (__dest))) @@ -124,16 +132,19 @@ __NTH (stpncpy (char *__dest, const char *__src, size_t __n)) #endif -__fortify_function char * -__NTH (strcat (char *__restrict __dest, const char *__restrict __src)) +__fortify_function __attribute_overloadable__ char * +__NTH (strcat (__fortify_clang_overload_arg (char *, __restrict, __dest), + const char *__restrict __src)) + __fortify_clang_warn_if_src_too_large (__dest, __src) { return __builtin___strcat_chk (__dest, __src, __glibc_objsize (__dest)); } -__fortify_function char * -__NTH (strncat (char *__restrict __dest, const char *__restrict __src, - size_t __len)) +__fortify_function __attribute_overloadable__ char * +__NTH (strncat (__fortify_clang_overload_arg (char *, __restrict, __dest), + const char *__restrict __src, size_t __len)) + __fortify_clang_warn_if_src_too_large (__dest, __src) { return __builtin___strncat_chk (__dest, __src, __len, __glibc_objsize (__dest)); @@ -146,9 +157,10 @@ extern size_t __REDIRECT_NTH (__strlcpy_alias, (char *__dest, const char *__src, size_t __n), strlcpy); -__fortify_function size_t -__NTH (strlcpy (char *__restrict __dest, const char *__restrict __src, - size_t __n)) +__fortify_function __attribute_overloadable__ size_t +__NTH (strlcpy (__fortify_clang_overload_arg (char *, __restrict, __dest), + const char *__restrict __src, size_t __n)) + __fortify_clang_warn_if_dest_too_small (__dest, __n) { if (__glibc_objsize (__dest) != (size_t) -1 && (!__builtin_constant_p (__n > __glibc_objsize (__dest)) @@ -163,9 +175,10 @@ extern size_t __REDIRECT_NTH (__strlcat_alias, (char *__dest, const char *__src, size_t __n), strlcat); -__fortify_function size_t -__NTH (strlcat (char *__restrict __dest, const char *__restrict __src, - size_t __n)) +__fortify_function __attribute_overloadable__ size_t +__NTH (strlcat (__fortify_clang_overload_arg (char *, __restrict, __dest), + const char *__restrict __src, size_t __n)) + __fortify_clang_warn_if_src_too_large (__dest, __src) { if (__glibc_objsize (__dest) != (size_t) -1 && (!__builtin_constant_p (__n > __glibc_objsize (__dest)) From patchwork Mon Jan 8 20:21:43 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella Netto X-Patchwork-Id: 1883910 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=xIQS+s6m; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=2620:52:3:1:0:246e:9693:128c; helo=server2.sourceware.org; envelope-from=libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org; receiver=patchwork.ozlabs.org) Received: from server2.sourceware.org (server2.sourceware.org [IPv6:2620:52:3:1:0:246e:9693:128c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4T859w4NKBz1yP3 for ; Tue, 9 Jan 2024 07:23:48 +1100 (AEDT) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 9EBE5386101B for ; Mon, 8 Jan 2024 20:23:46 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pg1-x52f.google.com (mail-pg1-x52f.google.com [IPv6:2607:f8b0:4864:20::52f]) by sourceware.org (Postfix) with ESMTPS id 06C75385841C for ; Mon, 8 Jan 2024 20:22:03 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 06C75385841C Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 06C75385841C Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::52f ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1704745326; cv=none; b=lv/3nVwyCLXKWJD8MnejXIYuIbdv8eagCBrVA0/UQdyjyeSa+P5/K/McT82mT/jT/vU//q3jI1lLdBSktNdtE5A9DSfl+feyiQQxE0G41cvAIoMPAizrRyCyPYXMeaCb/t7XYaxld3v9D3OUdrwWRzxIUtF+m6kFEyGhUTPoOFA= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1704745326; c=relaxed/simple; bh=OTPmzdHBOsudJ6xQcqbMDPwk+Nt/p4p2uBRap4E9/sI=; h=DKIM-Signature:From:To:Subject:Date:Message-Id:MIME-Version; b=kpL+fztNcfWmi3tnKxMFNtPikkCfoyXhToU28LIbGYrL4Ko2w0ET1UBrfifiUCpsOfMW/cpA2ce+Qx4Orxmgiz4Gi+lSDf54rFeUv8Q/xYULCydvhesFy5QGBklFpOJvw0QJWxMU8QSZx/KU2Zsc0dWGddG2fDPYam2OJyEVAjQ= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-pg1-x52f.google.com with SMTP id 41be03b00d2f7-5ce9555d42eso1716008a12.2 for ; Mon, 08 Jan 2024 12:22:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1704745321; x=1705350121; darn=sourceware.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=ZswzWeOlBH/+xmo74OsDUhqf+d/Qk51d0fscqhJwgns=; b=xIQS+s6mpk7Ve7TUuk6jGVGIKCwFl3KjDMtz9MomxYoC1UV3+AFHEMgLKRrqgowlZz Kaj34GT1hfiC+tnTVEg3fn5wtIUOqXO0gfqW9R0v3fRKvrM0Z0ssbzK6vE0cBqf8WqTJ 1/9rO2V0UKeKJCVW7NKKsAvjVFsjzd+EbE+fdOPV+3U1sfP2ZIHdY208CPWF3CS2zDnW lqk291B/Kix1EKyufgWsP3Ba1ES82x4FSegKXl6N4Sa23yugadrPNog0zpP9f8KDCDmY mkdx+CCEaFsuieoHMP5av8M754lfiBAMa8/wJsIKTQYEGKiV4qkYXT8x4/kajCv3NdGw YxAA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704745321; x=1705350121; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ZswzWeOlBH/+xmo74OsDUhqf+d/Qk51d0fscqhJwgns=; b=vpCB8+Jz4ueX78eCV5mH8RLmLJw7q590mtXu5xB5GQeQ0FvP2GcL9+Bw0L75WjjlJH Vn2FyPRNIQ5oW0hiS9yW5/O4vmVIMsTE9h9KtM34yRsOIn2j2CwCIXFjj9WuyHrzy1lp lGjNm8OUOiUzE3NghUeYZQ+ic9kYEUvBQyTtd6BaBCJZKYjZep0XFUR3EHpcdWuxFmRq Gd3iRo7FwMFmJ5/CnU/4PRXbhzrS0UXXwOzEwdQCyteOJcmQqceqjdd9Yv1vXcQkPjJS 77S4z887pDTDbUh+/vuiHizX+nj2OL3chvxde8vcKPecq9rqAXqcr04XthAfCxm1rYKQ KPnA== X-Gm-Message-State: AOJu0YzHU2cdqZ7TdlTCb/UhHghZIzx+uh4JQ9QoJ7XDj33U3JxPQ/kE VkDqqV7wWbBsAOj5DL5uQEbINUcG3nchOauvQk0AG7BY3dA= X-Google-Smtp-Source: AGHT+IGD2XVIPmRzFFCsqHK7mWhQmUMeezCo8z/5eKkLoWvSRqv86M5wCpC0n8tKye8xrfOsMDg+/Q== X-Received: by 2002:a05:6a20:96d5:b0:199:e05b:8bbc with SMTP id hq21-20020a056a2096d500b00199e05b8bbcmr619480pzc.77.1704745321127; Mon, 08 Jan 2024 12:22:01 -0800 (PST) Received: from mandiga.. ([2804:1b3:a7c1:9dd2:7f25:c108:2fff:5f8e]) by smtp.gmail.com with ESMTPSA id z13-20020a62d10d000000b006d9bdc0f765sm287936pfg.53.2024.01.08.12.21.59 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Jan 2024 12:22:00 -0800 (PST) From: Adhemerval Zanella To: libc-alpha@sourceware.org Subject: [PATCH v2 04/10] stdlib: Improve fortify with clang Date: Mon, 8 Jan 2024 17:21:43 -0300 Message-Id: <20240108202149.335305-5-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240108202149.335305-1-adhemerval.zanella@linaro.org> References: <20240108202149.335305-1-adhemerval.zanella@linaro.org> MIME-Version: 1.0 X-Spam-Status: No, score=-12.4 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org It improve fortify checks for realpath, ptsname_r, wctomb, mbstowcs, and wcstombs. The runtime and compile checks have similar coverage as with GCC. Checked on aarch64, armhf, x86_64, and i686. --- stdlib/bits/stdlib.h | 40 +++++++++++++++++++++++++++++----------- 1 file changed, 29 insertions(+), 11 deletions(-) diff --git a/stdlib/bits/stdlib.h b/stdlib/bits/stdlib.h index 1c7191ba57..9e31801e80 100644 --- a/stdlib/bits/stdlib.h +++ b/stdlib/bits/stdlib.h @@ -33,15 +33,22 @@ extern char *__REDIRECT_NTH (__realpath_chk_warn, __warnattr ("second argument of realpath must be either NULL or at " "least PATH_MAX bytes long buffer"); -__fortify_function __wur char * -__NTH (realpath (const char *__restrict __name, char *__restrict __resolved)) +__fortify_function __attribute_overloadable__ __wur char * +__NTH (realpath (const char *__restrict __name, + __fortify_clang_overload_arg (char *, __restrict, __resolved))) +#if defined _LIBC_LIMITS_H_ && defined PATH_MAX + __fortify_clang_warning_only_if_bos_lt (PATH_MAX, __resolved, + "second argument of realpath must be " + "either NULL or at least PATH_MAX " + "bytes long buffer") +#endif { size_t sz = __glibc_objsize (__resolved); if (sz == (size_t) -1) return __realpath_alias (__name, __resolved); -#if defined _LIBC_LIMITS_H_ && defined PATH_MAX +#if !__fortify_use_clang && defined _LIBC_LIMITS_H_ && defined PATH_MAX if (__glibc_unsafe_len (PATH_MAX, sizeof (char), sz)) return __realpath_chk_warn (__name, __resolved, sz); #endif @@ -61,8 +68,13 @@ extern int __REDIRECT_NTH (__ptsname_r_chk_warn, __nonnull ((2)) __warnattr ("ptsname_r called with buflen bigger than " "size of buf"); -__fortify_function int -__NTH (ptsname_r (int __fd, char *__buf, size_t __buflen)) +__fortify_function __attribute_overloadable__ int +__NTH (ptsname_r (int __fd, + __fortify_clang_overload_arg (char *, ,__buf), + size_t __buflen)) + __fortify_clang_warning_only_if_bos_lt (__buflen, __buf, + "ptsname_r called with buflen " + "bigger than size of buf") { return __glibc_fortify (ptsname_r, __buflen, sizeof (char), __glibc_objsize (__buf), @@ -75,8 +87,8 @@ extern int __wctomb_chk (char *__s, wchar_t __wchar, size_t __buflen) extern int __REDIRECT_NTH (__wctomb_alias, (char *__s, wchar_t __wchar), wctomb) __wur; -__fortify_function __wur int -__NTH (wctomb (char *__s, wchar_t __wchar)) +__fortify_function __attribute_overloadable__ __wur int +__NTH (wctomb (__fortify_clang_overload_arg (char *, ,__s), wchar_t __wchar)) { /* We would have to include to get a definition of MB_LEN_MAX. But this would only disturb the namespace. So we define our own @@ -113,12 +125,17 @@ extern size_t __REDIRECT_NTH (__mbstowcs_chk_warn, __warnattr ("mbstowcs called with dst buffer smaller than len " "* sizeof (wchar_t)"); -__fortify_function size_t -__NTH (mbstowcs (wchar_t *__restrict __dst, const char *__restrict __src, +__fortify_function __attribute_overloadable__ size_t +__NTH (mbstowcs (__fortify_clang_overload_arg (wchar_t *, __restrict, __dst), + const char *__restrict __src, size_t __len)) + __fortify_clang_warning_only_if_bos0_lt2 (__len, __dst, sizeof (wchar_t), + "mbstowcs called with dst buffer " + "smaller than len * sizeof (wchar_t)") { if (__builtin_constant_p (__dst == NULL) && __dst == NULL) return __mbstowcs_nulldst (__dst, __src, __len); + else return __glibc_fortify_n (mbstowcs, __len, sizeof (wchar_t), __glibc_objsize (__dst), __dst, __src, __len); @@ -139,8 +156,9 @@ extern size_t __REDIRECT_NTH (__wcstombs_chk_warn, size_t __len, size_t __dstlen), __wcstombs_chk) __warnattr ("wcstombs called with dst buffer smaller than len"); -__fortify_function size_t -__NTH (wcstombs (char *__restrict __dst, const wchar_t *__restrict __src, +__fortify_function __attribute_overloadable__ size_t +__NTH (wcstombs (__fortify_clang_overload_arg (char *, __restrict, __dst), + const wchar_t *__restrict __src, size_t __len)) { return __glibc_fortify (wcstombs, __len, sizeof (char), From patchwork Mon Jan 8 20:21:44 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella Netto X-Patchwork-Id: 1883906 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=I+o6kiv8; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=2620:52:3:1:0:246e:9693:128c; helo=server2.sourceware.org; envelope-from=libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org; receiver=patchwork.ozlabs.org) Received: from server2.sourceware.org (server2.sourceware.org [IPv6:2620:52:3:1:0:246e:9693:128c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4T85950xvqz1yP3 for ; Tue, 9 Jan 2024 07:23:05 +1100 (AEDT) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 86973385E45C for ; Mon, 8 Jan 2024 20:23:00 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pf1-x42f.google.com (mail-pf1-x42f.google.com [IPv6:2607:f8b0:4864:20::42f]) by sourceware.org (Postfix) with ESMTPS id 7CA53385842D for ; Mon, 8 Jan 2024 20:22:04 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 7CA53385842D Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 7CA53385842D Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::42f ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1704745327; cv=none; b=Xwbx8TV5bDSSKgDlfKRqV7v2vOvxAVXJN12B0hTMqRh4LUBGeteUXx5V8jQfijUjFKrQ53FugtDABpobnu1A9dMeHvpCKfzmWHTaJvHOM0GfvHfbR7TznTCFkn6qf5C8UcGwFnwagpNu58YIy04e7E5h2rj/YpucJiOK/BCZteg= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1704745327; c=relaxed/simple; bh=X11qCrE7STf5aZWOUYOEeJdX9n6vFuLR7yWICR+i2mM=; h=DKIM-Signature:From:To:Subject:Date:Message-Id:MIME-Version; b=HWEvNX1jni2gwbSiiinwVMuVn7UY5sZ4ZHsTeoUufGd6/gMOEpALD7mWeGEWmz/C8F45viit+EVylTQ+wg2Tc4rIcDIYdaXuppVelHPrXq4f3TIeGJ5rtqhDBQhTYTdJy0YjUhEz1j7u5hZuBlpVxqh6iQqGqJJwROswbcPQR3A= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-pf1-x42f.google.com with SMTP id d2e1a72fcca58-6d9b5c4f332so802387b3a.3 for ; Mon, 08 Jan 2024 12:22:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1704745323; x=1705350123; darn=sourceware.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=7eWbYtfxbaMRlBWmlOCmG6Abb/A3/FkjpLUJwBlSjUk=; b=I+o6kiv8Ob5J0XeuCrenkWA4r1c1FNI9XNzDFMWG1XGNQpz0WnDuw72yGX0jxaCKfH 2f7oXyrz7nZnrZNkLPJJ1W1JX23/o/nc2lQLTv5ITkcZaq2ICHPBrgLBjCYOXtz94z9H MQACuSrMxQWGAa6o9SVAGaUq25hoRm3DXWsVavl7Wo2yznpOmmTdHoZEXKkynO41UtsJ uDNxnVR1ip1oDFNeCUWo9AgMPptzJhe1oLChSNjAVDO3JwchMOzD8AjqoZ4D3dZ/p2vx TMYU/aWPnC9CrqHk4Mi2WXgir9rCliAZ+6BRyyI1pI1BDzsA1mQs+OxGAsXtEY5op2Oi targ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704745323; x=1705350123; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=7eWbYtfxbaMRlBWmlOCmG6Abb/A3/FkjpLUJwBlSjUk=; b=rLmJWyhMJ4J+xVXW6p4Z1t3H94Djt6aSbft5vD3bJuuiabMcZ0aTt60xcaAy7I6udT oFs23g2xyunfjOaGYm8QWS2qGKUWUOk/NlneFAp+6FNwzBnFGD1FXcSJoNwJ4fd8Vqhu s9x9QJGXLWxiN8Pft2Y8kR30OWs3/nBAeumVn/89kOTgUdW4pXSEHQnlfdNdImHLq77B ONrIw976EHv8+SyUupXNmuGnpKaCmTItCCCfs2DGoax6v7pTOxGag9+3t69xLLyc20fX lWkOpTeNO6rZzesR60oSPuZWbL1nRCeOHVkndfWK9SGn4Jyn9+QV81c84XcnQtZSKaAG YWsA== X-Gm-Message-State: AOJu0YxWO+d8yp9CA95aVHkHPH/o4/5pQ4Qa4FP4ej+pkQH5WJ8mhS+7 ++FlD3wrLXtz2/TbF1g7X5Z5sjDgbKTjMNRaiiUkhHi7NwE= X-Google-Smtp-Source: AGHT+IH+SdZ3gol+0KYQL7wPp1hBzgjT6UVNELCFBqn+lJQkX24pmHCopMxHfU24rJOnUmvs1fwtsQ== X-Received: by 2002:aa7:8041:0:b0:6da:55bf:9cbc with SMTP id y1-20020aa78041000000b006da55bf9cbcmr1517506pfm.6.1704745322999; Mon, 08 Jan 2024 12:22:02 -0800 (PST) Received: from mandiga.. ([2804:1b3:a7c1:9dd2:7f25:c108:2fff:5f8e]) by smtp.gmail.com with ESMTPSA id z13-20020a62d10d000000b006d9bdc0f765sm287936pfg.53.2024.01.08.12.22.01 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Jan 2024 12:22:02 -0800 (PST) From: Adhemerval Zanella To: libc-alpha@sourceware.org Subject: [PATCH v2 05/10] unistd: Improve fortify with clang Date: Mon, 8 Jan 2024 17:21:44 -0300 Message-Id: <20240108202149.335305-6-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240108202149.335305-1-adhemerval.zanella@linaro.org> References: <20240108202149.335305-1-adhemerval.zanella@linaro.org> MIME-Version: 1.0 X-Spam-Status: No, score=-12.5 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org It improve fortify checks for read, pread, pread64, readlink, readlinkat, getcwd, getwd, confstr, getgroups, ttyname_r, getlogin_r, gethostname, and getdomainname. The compile and runtime checks have similar coverage as with GCC. Checked on aarch64, armhf, x86_64, and i686. --- posix/bits/unistd.h | 110 +++++++++++++++++++++++++++++++++----------- 1 file changed, 82 insertions(+), 28 deletions(-) diff --git a/posix/bits/unistd.h b/posix/bits/unistd.h index bd209ec28e..2757b0619a 100644 --- a/posix/bits/unistd.h +++ b/posix/bits/unistd.h @@ -22,8 +22,12 @@ # include -__fortify_function __wur ssize_t -read (int __fd, void *__buf, size_t __nbytes) +__fortify_function __attribute_overloadable__ __wur ssize_t +read (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), size_t __nbytes) + __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf, + "read called with bigger length than " + "size of the destination buffer") + { return __glibc_fortify (read, __nbytes, sizeof (char), __glibc_objsize0 (__buf), @@ -32,16 +36,24 @@ read (int __fd, void *__buf, size_t __nbytes) #if defined __USE_UNIX98 || defined __USE_XOPEN2K8 # ifndef __USE_FILE_OFFSET64 -__fortify_function __wur ssize_t -pread (int __fd, void *__buf, size_t __nbytes, __off_t __offset) +__fortify_function __attribute_overloadable__ __wur ssize_t +pread (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), + size_t __nbytes, __off_t __offset) + __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf, + "pread called with bigger length than " + "size of the destination buffer") { return __glibc_fortify (pread, __nbytes, sizeof (char), __glibc_objsize0 (__buf), __fd, __buf, __nbytes, __offset); } # else -__fortify_function __wur ssize_t -pread (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) +__fortify_function __attribute_overloadable__ __wur ssize_t +pread (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), + size_t __nbytes, __off64_t __offset) + __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf, + "pread called with bigger length than " + "size of the destination buffer") { return __glibc_fortify (pread64, __nbytes, sizeof (char), __glibc_objsize0 (__buf), @@ -50,8 +62,12 @@ pread (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) # endif # ifdef __USE_LARGEFILE64 -__fortify_function __wur ssize_t -pread64 (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) +__fortify_function __attribute_overloadable__ __wur ssize_t +pread64 (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), + size_t __nbytes, __off64_t __offset) + __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf, + "pread64 called with bigger length than " + "size of the destination buffer") { return __glibc_fortify (pread64, __nbytes, sizeof (char), __glibc_objsize0 (__buf), @@ -61,9 +77,14 @@ pread64 (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) #endif #if defined __USE_XOPEN_EXTENDED || defined __USE_XOPEN2K -__fortify_function __nonnull ((1, 2)) __wur ssize_t -__NTH (readlink (const char *__restrict __path, char *__restrict __buf, +__fortify_function __attribute_overloadable__ __nonnull ((1, 2)) __wur ssize_t +__NTH (readlink (const char *__restrict __path, + __fortify_clang_overload_arg0 (char *, __restrict, __buf), size_t __len)) + __fortify_clang_warning_only_if_bos_lt (__len, __buf, + "readlink called with bigger length " + "than size of destination buffer") + { return __glibc_fortify (readlink, __len, sizeof (char), __glibc_objsize (__buf), @@ -72,9 +93,13 @@ __NTH (readlink (const char *__restrict __path, char *__restrict __buf, #endif #ifdef __USE_ATFILE -__fortify_function __nonnull ((2, 3)) __wur ssize_t +__fortify_function __attribute_overloadable__ __nonnull ((2, 3)) __wur ssize_t __NTH (readlinkat (int __fd, const char *__restrict __path, - char *__restrict __buf, size_t __len)) + __fortify_clang_overload_arg0 (char *, __restrict, __buf), + size_t __len)) + __fortify_clang_warning_only_if_bos_lt (__len, __buf, + "readlinkat called with bigger length " + "than size of destination buffer") { return __glibc_fortify (readlinkat, __len, sizeof (char), __glibc_objsize (__buf), @@ -82,8 +107,11 @@ __NTH (readlinkat (int __fd, const char *__restrict __path, } #endif -__fortify_function __wur char * -__NTH (getcwd (char *__buf, size_t __size)) +__fortify_function __attribute_overloadable__ __wur char * +__NTH (getcwd (__fortify_clang_overload_arg (char *, , __buf), size_t __size)) + __fortify_clang_warning_only_if_bos_lt (__size, __buf, + "getcwd called with bigger length " + "than size of destination buffer") { return __glibc_fortify (getcwd, __size, sizeof (char), __glibc_objsize (__buf), @@ -91,8 +119,9 @@ __NTH (getcwd (char *__buf, size_t __size)) } #if defined __USE_MISC || defined __USE_XOPEN_EXTENDED -__fortify_function __nonnull ((1)) __attribute_deprecated__ __wur char * -__NTH (getwd (char *__buf)) +__fortify_function __attribute_overloadable__ __nonnull ((1)) +__attribute_deprecated__ __wur char * +__NTH (getwd (__fortify_clang_overload_arg (char *,, __buf))) { if (__glibc_objsize (__buf) != (size_t) -1) return __getwd_chk (__buf, __glibc_objsize (__buf)); @@ -100,8 +129,12 @@ __NTH (getwd (char *__buf)) } #endif -__fortify_function size_t -__NTH (confstr (int __name, char *__buf, size_t __len)) +__fortify_function __attribute_overloadable__ size_t +__NTH (confstr (int __name, __fortify_clang_overload_arg (char *, ,__buf), + size_t __len)) + __fortify_clang_warning_only_if_bos_lt (__len, __buf, + "confstr called with bigger length than " + "size of destination buffer") { return __glibc_fortify (confstr, __len, sizeof (char), __glibc_objsize (__buf), @@ -109,8 +142,13 @@ __NTH (confstr (int __name, char *__buf, size_t __len)) } -__fortify_function int -__NTH (getgroups (int __size, __gid_t __list[])) +__fortify_function __attribute_overloadable__ int +__NTH (getgroups (int __size, + __fortify_clang_overload_arg (__gid_t *, , __list))) + __fortify_clang_warning_only_if_bos_lt (__size * sizeof (__gid_t), __list, + "getgroups called with bigger group " + "count than what can fit into " + "destination buffer") { return __glibc_fortify (getgroups, __size, sizeof (__gid_t), __glibc_objsize (__list), @@ -118,8 +156,13 @@ __NTH (getgroups (int __size, __gid_t __list[])) } -__fortify_function int -__NTH (ttyname_r (int __fd, char *__buf, size_t __buflen)) +__fortify_function __attribute_overloadable__ int +__NTH (ttyname_r (int __fd, + __fortify_clang_overload_arg (char *, ,__buf), + size_t __buflen)) + __fortify_clang_warning_only_if_bos_lt (__buflen, __buf, + "ttyname_r called with bigger buflen " + "than size of destination buffer") { return __glibc_fortify (ttyname_r, __buflen, sizeof (char), __glibc_objsize (__buf), @@ -128,8 +171,11 @@ __NTH (ttyname_r (int __fd, char *__buf, size_t __buflen)) #ifdef __USE_POSIX199506 -__fortify_function int -getlogin_r (char *__buf, size_t __buflen) +__fortify_function __attribute_overloadable__ int +getlogin_r (__fortify_clang_overload_arg (char *, ,__buf), size_t __buflen) + __fortify_clang_warning_only_if_bos_lt (__buflen, __buf, + "getlogin_r called with bigger buflen " + "than size of destination buffer") { return __glibc_fortify (getlogin_r, __buflen, sizeof (char), __glibc_objsize (__buf), @@ -139,8 +185,12 @@ getlogin_r (char *__buf, size_t __buflen) #if defined __USE_MISC || defined __USE_UNIX98 -__fortify_function int -__NTH (gethostname (char *__buf, size_t __buflen)) +__fortify_function __attribute_overloadable__ int +__NTH (gethostname (__fortify_clang_overload_arg (char *, ,__buf), + size_t __buflen)) + __fortify_clang_warning_only_if_bos_lt (__buflen, __buf, + "gethostname called with bigger buflen " + "than size of destination buffer") { return __glibc_fortify (gethostname, __buflen, sizeof (char), __glibc_objsize (__buf), @@ -150,8 +200,12 @@ __NTH (gethostname (char *__buf, size_t __buflen)) #if defined __USE_MISC || (defined __USE_XOPEN && !defined __USE_UNIX98) -__fortify_function int -__NTH (getdomainname (char *__buf, size_t __buflen)) +__fortify_function __attribute_overloadable__ int +__NTH (getdomainname (__fortify_clang_overload_arg (char *, ,__buf), + size_t __buflen)) + __fortify_clang_warning_only_if_bos_lt (__buflen, __buf, + "getdomainname called with bigger " + "buflen than size of destination buffer") { return __glibc_fortify (getdomainname, __buflen, sizeof (char), __glibc_objsize (__buf), From patchwork Mon Jan 8 20:21:45 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella Netto X-Patchwork-Id: 1883907 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=pSuqS0LK; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=2620:52:3:1:0:246e:9693:128c; helo=server2.sourceware.org; envelope-from=libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org; receiver=patchwork.ozlabs.org) Received: from server2.sourceware.org (server2.sourceware.org [IPv6:2620:52:3:1:0:246e:9693:128c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4T859D2C9qz1yP3 for ; Tue, 9 Jan 2024 07:23:12 +1100 (AEDT) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 4851D3861801 for ; Mon, 8 Jan 2024 20:23:10 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pf1-x429.google.com (mail-pf1-x429.google.com [IPv6:2607:f8b0:4864:20::429]) by sourceware.org (Postfix) with ESMTPS id 3C05F3858417 for ; Mon, 8 Jan 2024 20:22:06 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 3C05F3858417 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 3C05F3858417 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::429 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1704745328; cv=none; b=KQLFFUuUs9Nx78g6hD8g17dcj5mQ6u7U/o/O0crw9H9ncaE7hxlrI9aI6RJNSw7c5KliodWYLTXwGVqEmMD+5HP89UcmFsnF6H7p53z7KFKbuZB8gIoERkNaz2wUVRSb+q1jeOOCrLcse/inmYbyNSnFuD0c2StBy0O/8stx3to= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1704745328; c=relaxed/simple; bh=okIx+NTh+eMK8CCevULhjvm3YeC/n1evLjmrFQUkvnQ=; h=DKIM-Signature:From:To:Subject:Date:Message-Id:MIME-Version; b=ac1JQUC8vmk5P7X4rTSB6oqqcxN+NW8G+RIm272r9KLC/FEplhUObTvrIKM/gwxW98PbyVkrCeWkiTW3CUKaXrRLaaoKhh9chNS4tA2XBA/8FYhGtm6vQvWncQRYnq2Cx53ntOvgcbtGeCPUzoMKlEZ6n01hwLpwBtb6Qo0MEUg= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-pf1-x429.google.com with SMTP id d2e1a72fcca58-6db05618c1fso519359b3a.1 for ; Mon, 08 Jan 2024 12:22:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1704745324; x=1705350124; darn=sourceware.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=GgzVWNbxuGa9i5GiEZrgxNuLo7vlKaoDPYjJ99vA8jQ=; b=pSuqS0LKYcFtPXA/zOu8UL1SKB18Qw/PhiXQnojfZLnYRpS1BJrDa8pDQg3sQkLUJ2 iP9qRk7tfrgrwQwBhGc9bU+8Q1YXMqCHdbb4GDO4MnS/Hjw6YyHE8ELbDK1lKwecz5+M DUkkcYP9hp2BV82ypeZOFB8gOkpAltbn7jWVlgq39P2nP+YnfvLB25C4725QuyfebhP1 Te8mzA3PIp+P8yTep1vv6oKhxpmv0oCx7VBdvw/L/3ozWoN6KmWXgqAeyr6a4SFISP2s rdiUcEEFbG4wCK8mggfFkc09zi5Th8rQHGH1/3qM6P7uIVFLohlcGMwbC8QVGC8Br8Lb OIuA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704745324; x=1705350124; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=GgzVWNbxuGa9i5GiEZrgxNuLo7vlKaoDPYjJ99vA8jQ=; b=vKoOB+MhhojvzbD+I5K+4bEmn0RRiKjXukAIzk5L9IpCmKARt7QVoNOm7GLFiI2shK eulUNuXbBlOYCl6YTJZnnknjdTOvAna8P/BQqFfpeArd2/OjC4NMJ5mon9iyPjdp6x65 +mfjfexYhS9tf5nVXNUumsfVYjiJgTcRvJrNsM6GEWqtylcTMlEneBl5rg8i7vb6BVFh iswsD4/4TkopnWHiVllLZxLV9yGkCV6ZRd8tLEc0mFhvoGUwJLnMJXEpBDtS/bSz+rmP GASCl5Ic+2PchiffCcif6zrpd+gIVqFYV1P7cCJze9ylgGge6HE1tUCEXMCEJG54JWxb FCYg== X-Gm-Message-State: AOJu0YyThflkzwN/D6gCkTMHsRDRY2mx7q7bocsHW14ibCzZvqIoL9sK LFQqCHJccvHIujFvwfZNVQZ4JicsP6I+KbDrGtITEoY270o= X-Google-Smtp-Source: AGHT+IFS4G0fMxNYqljDFNWGRCQOjczHbHGpxR80cYwytjm8391ulZwyymLITB5Uf5NAFpNKZXKeGw== X-Received: by 2002:aa7:938c:0:b0:6da:d8d5:bd4e with SMTP id t12-20020aa7938c000000b006dad8d5bd4emr4874000pfe.49.1704745324648; Mon, 08 Jan 2024 12:22:04 -0800 (PST) Received: from mandiga.. ([2804:1b3:a7c1:9dd2:7f25:c108:2fff:5f8e]) by smtp.gmail.com with ESMTPSA id z13-20020a62d10d000000b006d9bdc0f765sm287936pfg.53.2024.01.08.12.22.03 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Jan 2024 12:22:03 -0800 (PST) From: Adhemerval Zanella To: libc-alpha@sourceware.org Subject: [PATCH v2 06/10] socket: Improve fortify with clang Date: Mon, 8 Jan 2024 17:21:45 -0300 Message-Id: <20240108202149.335305-7-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240108202149.335305-1-adhemerval.zanella@linaro.org> References: <20240108202149.335305-1-adhemerval.zanella@linaro.org> MIME-Version: 1.0 X-Spam-Status: No, score=-12.5 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org It improve fortify checks recv, recvfrom, poll, and ppoll. The compile and runtime hecks have similar coverage as with GCC. Checked on aarch64, armhf, x86_64, and i686. --- io/bits/poll2.h | 29 +++++++++++++++++++++-------- socket/bits/socket2.h | 20 ++++++++++++++++---- 2 files changed, 37 insertions(+), 12 deletions(-) diff --git a/io/bits/poll2.h b/io/bits/poll2.h index 6152a8c5e4..24ec1056eb 100644 --- a/io/bits/poll2.h +++ b/io/bits/poll2.h @@ -33,8 +33,13 @@ extern int __REDIRECT (__poll_chk_warn, (struct pollfd *__fds, nfds_t __nfds, __poll_chk) __warnattr ("poll called with fds buffer too small file nfds entries"); -__fortify_function __fortified_attr_access (__write_only__, 1, 2) int -poll (struct pollfd *__fds, nfds_t __nfds, int __timeout) +__fortify_function __fortified_attr_access (__write_only__, 1, 2) +__attribute_overloadable__ int +poll (__fortify_clang_overload_arg (struct pollfd *, ,__fds), nfds_t __nfds, + int __timeout) + __fortify_clang_warning_only_if_bos_lt2 (__nfds, __fds, sizeof (*__fds), + "poll called with fds buffer " + "too small file nfds entries") { return __glibc_fortify (poll, __nfds, sizeof (*__fds), __glibc_objsize (__fds), @@ -58,9 +63,13 @@ extern int __REDIRECT (__ppoll64_chk_warn, (struct pollfd *__fds, nfds_t __n, __ppoll64_chk) __warnattr ("ppoll called with fds buffer too small file nfds entries"); -__fortify_function __fortified_attr_access (__write_only__, 1, 2) int -ppoll (struct pollfd *__fds, nfds_t __nfds, const struct timespec *__timeout, - const __sigset_t *__ss) +__fortify_function __fortified_attr_access (__write_only__, 1, 2) +__attribute_overloadable__ int +ppoll (__fortify_clang_overload_arg (struct pollfd *, ,__fds), nfds_t __nfds, + const struct timespec *__timeout, const __sigset_t *__ss) + __fortify_clang_warning_only_if_bos_lt2 (__nfds, __fds, sizeof (*__fds), + "ppoll called with fds buffer " + "too small file nfds entries") { return __glibc_fortify (ppoll64, __nfds, sizeof (*__fds), __glibc_objsize (__fds), @@ -81,9 +90,13 @@ extern int __REDIRECT (__ppoll_chk_warn, (struct pollfd *__fds, nfds_t __nfds, __ppoll_chk) __warnattr ("ppoll called with fds buffer too small file nfds entries"); -__fortify_function __fortified_attr_access (__write_only__, 1, 2) int -ppoll (struct pollfd *__fds, nfds_t __nfds, const struct timespec *__timeout, - const __sigset_t *__ss) +__fortify_function __fortified_attr_access (__write_only__, 1, 2) +__attribute_overloadable__ int +ppoll (__fortify_clang_overload_arg (struct pollfd *, ,__fds), nfds_t __nfds, + const struct timespec *__timeout, const __sigset_t *__ss) + __fortify_clang_warning_only_if_bos_lt2 (__nfds, __fds, sizeof (*__fds), + "ppoll called with fds buffer " + "too small file nfds entries") { return __glibc_fortify (ppoll, __nfds, sizeof (*__fds), __glibc_objsize (__fds), diff --git a/socket/bits/socket2.h b/socket/bits/socket2.h index a88cb64370..04780f320e 100644 --- a/socket/bits/socket2.h +++ b/socket/bits/socket2.h @@ -30,14 +30,20 @@ extern ssize_t __REDIRECT (__recv_chk_warn, __warnattr ("recv called with bigger length than size of destination " "buffer"); -__fortify_function ssize_t -recv (int __fd, void *__buf, size_t __n, int __flags) +__fortify_function __attribute_overloadable__ ssize_t +recv (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), size_t __n, + int __flags) + __fortify_clang_warning_only_if_bos0_lt (__n, __buf, + "recv called with bigger length than " + "size of destination buffer") { size_t sz = __glibc_objsize0 (__buf); if (__glibc_safe_or_unknown_len (__n, sizeof (char), sz)) return __recv_alias (__fd, __buf, __n, __flags); +#if !__fortify_use_clang if (__glibc_unsafe_len (__n, sizeof (char), sz)) return __recv_chk_warn (__fd, __buf, __n, sz, __flags); +#endif return __recv_chk (__fd, __buf, __n, sz, __flags); } @@ -57,15 +63,21 @@ extern ssize_t __REDIRECT (__recvfrom_chk_warn, __warnattr ("recvfrom called with bigger length than size of " "destination buffer"); -__fortify_function ssize_t -recvfrom (int __fd, void *__restrict __buf, size_t __n, int __flags, +__fortify_function __attribute_overloadable__ ssize_t +recvfrom (int __fd, __fortify_clang_overload_arg0 (void *, __restrict, __buf), + size_t __n, int __flags, __SOCKADDR_ARG __addr, socklen_t *__restrict __addr_len) + __fortify_clang_warning_only_if_bos0_lt (__n, __buf, + "recvfrom called with bigger length " + "than size of destination buffer") { size_t sz = __glibc_objsize0 (__buf); if (__glibc_safe_or_unknown_len (__n, sizeof (char), sz)) return __recvfrom_alias (__fd, __buf, __n, __flags, __addr, __addr_len); +#if !__fortify_use_clang if (__glibc_unsafe_len (__n, sizeof (char), sz)) return __recvfrom_chk_warn (__fd, __buf, __n, sz, __flags, __addr, __addr_len); +#endif return __recvfrom_chk (__fd, __buf, __n, sz, __flags, __addr, __addr_len); } From patchwork Mon Jan 8 20:21:46 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella Netto X-Patchwork-Id: 1883913 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=wXGwOKlT; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=8.43.85.97; helo=server2.sourceware.org; envelope-from=libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org; receiver=patchwork.ozlabs.org) Received: from server2.sourceware.org (server2.sourceware.org [8.43.85.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4T85Bq3RhRz1yP3 for ; Tue, 9 Jan 2024 07:24:35 +1100 (AEDT) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 7EF173857C48 for ; Mon, 8 Jan 2024 20:24:33 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pf1-x42f.google.com (mail-pf1-x42f.google.com [IPv6:2607:f8b0:4864:20::42f]) by sourceware.org (Postfix) with ESMTPS id 71A35385841E for ; Mon, 8 Jan 2024 20:22:07 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 71A35385841E Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 71A35385841E Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::42f ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1704745329; cv=none; b=cRj44XL+emLkA5zMeMEGtvvKT1v5t2E714y+cgazHal0DSAKlPuA8kdQZAKiLLAShL3zAXK/D64Mv9OqlBznji9+Q6kQkKBzKHonYpz4VwiZ4ks+WuBLsTt2IwbrMBHYa15yWtLtrnXOvKrwIrcaJbtNBU+pjah9i8B7HR1K+lE= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1704745329; c=relaxed/simple; bh=lC3V/8/rcbKOdkq/r5wbAWpNDMHlYBNvhSHufWlznVM=; h=DKIM-Signature:From:To:Subject:Date:Message-Id:MIME-Version; b=LPc27Rq733+2ppX95RlkUTm4gu0OyobRPeOVO0GRjCl21T5Ssnj14LpGSF20Hs5Vyq6M1d6cOxYcK5J+OZfxhYaElTwzMnBoH7KhufGHPsxYTDvGVrdoVu2/1AjQKIX8IHvNR2U5+M1M2R5QDtpDpnss81JMqJQ9Dbj6kGBwFok= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-pf1-x42f.google.com with SMTP id d2e1a72fcca58-6daf9d5f111so1001180b3a.0 for ; Mon, 08 Jan 2024 12:22:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1704745326; x=1705350126; darn=sourceware.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=ahnZUabbQXonvA8kJlBsyIjxa26cMYVFWEsdlWx7+nE=; b=wXGwOKlT26qu7uTDjj8mZdCyDz+ZNtJutPoT8AIxCLbUya4NpzNIj3xCL+ihQxFCS9 tzWA5TS025k0L9xxpy4JeS7Is/Yi0SZEqu2Q43mDkRlL4ZtRLX1EpcezqsuEt4RTjCnU l1t5z/hPDCKJ/XNm9m4FSXdLUImgHSERWOk4kTk4dG/qeDk2wavVKkO95ngtdPfehGMJ P1BtjjLktCslzForiCDEmmNM/H2BkMRe3lkNC1QN5eOITA7dPZqZE+ANyhvr3IlZ7/Cl nHWFZwq4i4HlbDrKEgUlBYs0b41K+Oy27WoxNBou32jxNjyfAnhfe3wWS7/roq0fxVSk Z2TA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704745326; x=1705350126; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ahnZUabbQXonvA8kJlBsyIjxa26cMYVFWEsdlWx7+nE=; b=ros286/P/a7l2BYGbEFaJnTsahtqfIxDEVKYkKlLCYlMQoEMN+HZDG62hduVhSqpWi T9yElVm79E9szJQEPnnPFeK5/DRPg5XeuQJVQd71JCrp/sgTVR2a3ZJGFPjPoWM/yzuR iD3mU6eoTAvsqu6AeEMw9eNrEHD9NW0jrZ7/C3MrZPm8SuRA6GQf9tVMuR1me5Xw1PFs sfHKkrcLuF3eMneDVeMmF5jH0Gp6O4bh89kKmrWooN71hR86coP+tXSjqiuw+/SvZb2k SqDOAGobuWrdrjZHLYwFEG93m60SDvhDLckShE2hqOTb2hpdhYylA3IvcwgI4sdu/6av Fx9A== X-Gm-Message-State: AOJu0Yyc87ReDjA8NxdlVguVCXdLQXgtGm3p9e2aUMlAxcxAf0Y9iHqz Zqmvz+uzOY0GYwq/sVPvk9Mk2UPA19ggSa2x4UNb2vDyu8w= X-Google-Smtp-Source: AGHT+IF+WDbAkiyfZ8oNK1MM6CNF9Si7OUarAfYQr+tSRnZDWiC7rR1jjyAxkB/p6q4zT218sXslGQ== X-Received: by 2002:a62:aa0e:0:b0:6da:5504:8c6f with SMTP id e14-20020a62aa0e000000b006da55048c6fmr4355562pff.33.1704745326142; Mon, 08 Jan 2024 12:22:06 -0800 (PST) Received: from mandiga.. ([2804:1b3:a7c1:9dd2:7f25:c108:2fff:5f8e]) by smtp.gmail.com with ESMTPSA id z13-20020a62d10d000000b006d9bdc0f765sm287936pfg.53.2024.01.08.12.22.04 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Jan 2024 12:22:05 -0800 (PST) From: Adhemerval Zanella To: libc-alpha@sourceware.org Subject: [PATCH v2 07/10] syslog: Improve fortify with clang Date: Mon, 8 Jan 2024 17:21:46 -0300 Message-Id: <20240108202149.335305-8-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240108202149.335305-1-adhemerval.zanella@linaro.org> References: <20240108202149.335305-1-adhemerval.zanella@linaro.org> MIME-Version: 1.0 X-Spam-Status: No, score=-12.5 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org It improve fortify checks for syslog and vsyslog. The compile and runtime hecks have similar coverage as with GCC. The syslog fortify wrapper calls the va_arg version, since clang does not support __va_arg_pack. Checked on aarch64, armhf, x86_64, and i686. --- misc/bits/syslog.h | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/misc/bits/syslog.h b/misc/bits/syslog.h index aadcd42000..100b0c78cc 100644 --- a/misc/bits/syslog.h +++ b/misc/bits/syslog.h @@ -36,6 +36,15 @@ syslog (int __pri, const char *__fmt, ...) { __syslog_chk (__pri, __USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ()); } +#elif __fortify_use_clang && defined __USE_MISC +__fortify_function_error_function __attribute_overloadable__ void +syslog (int __pri, __fortify_clang_overload_arg (const char *, , __fmt), ...) +{ + __gnuc_va_list __fortify_ap; + __builtin_va_start (__fortify_ap, __fmt); + __vsyslog_chk (__pri, __USE_FORTIFY_LEVEL - 1, __fmt, __fortify_ap); + __builtin_va_end (__fortify_ap); +} #elif !defined __cplusplus # define syslog(pri, ...) \ __syslog_chk (pri, __USE_FORTIFY_LEVEL - 1, __VA_ARGS__) @@ -43,8 +52,9 @@ syslog (int __pri, const char *__fmt, ...) #ifdef __USE_MISC -__fortify_function void -vsyslog (int __pri, const char *__fmt, __gnuc_va_list __ap) +__fortify_function __attribute_overloadable__ void +vsyslog (int __pri, __fortify_clang_overload_arg (const char *, ,__fmt), + __gnuc_va_list __ap) { __vsyslog_chk (__pri, __USE_FORTIFY_LEVEL - 1, __fmt, __ap); } From patchwork Mon Jan 8 20:21:47 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella Netto X-Patchwork-Id: 1883908 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=FD8ei4Mz; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=2620:52:3:1:0:246e:9693:128c; helo=server2.sourceware.org; envelope-from=libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org; receiver=patchwork.ozlabs.org) Received: from server2.sourceware.org (server2.sourceware.org [IPv6:2620:52:3:1:0:246e:9693:128c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4T859S277Jz1yP3 for ; Tue, 9 Jan 2024 07:23:22 +1100 (AEDT) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 766383861809 for ; Mon, 8 Jan 2024 20:23:20 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pg1-x52b.google.com (mail-pg1-x52b.google.com [IPv6:2607:f8b0:4864:20::52b]) by sourceware.org (Postfix) with ESMTPS id 5912538582B5 for ; Mon, 8 Jan 2024 20:22:09 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 5912538582B5 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 5912538582B5 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::52b ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1704745332; cv=none; b=Vrcd64sPnQcpIwSLA2vBvoFnHq8BchBOtd+XbSKXGjeyns9V4SL2xFwgzS/FUr8Lgm2Bvg/fvuHnLfwhfWSRMfWY2JELdBbCJE4FXFIBqWzGwkFG24IW0Ata4iJ3/D9Uaa3me4J09OmUYK14mYwK6bVrm96y6yKClvR9IfoMajg= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1704745332; c=relaxed/simple; bh=3Tw1ANE5Ap+uyQ+azACtDNbmkNX0j/6DDIQYKo1x3S8=; h=DKIM-Signature:From:To:Subject:Date:Message-Id:MIME-Version; b=RXy2n3Cdt1MaSg0O11Tyf5RQZv3SFbwtJ5lSNFch0KdMDBtbpTSJJ8kN+e1/FLQSNXAJFc1WVMFAlpdtxzVTMxcF80IaYA4/gVoyEgOW9zCnkMCwF1LeCEUGzuPmdIutSJnWfJAXlX5/m4g78aeahhk0NeOcny4XYcu8eNFkEZ8= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-pg1-x52b.google.com with SMTP id 41be03b00d2f7-5cddfe0cb64so599665a12.0 for ; Mon, 08 Jan 2024 12:22:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1704745328; x=1705350128; darn=sourceware.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=LEPnLOP5T1dHkTbtWJgLMoghay1g9wsjy3LYMjKM1OM=; b=FD8ei4MzWoe7WK7ghP7nTEQvBJFJYWniZW+bKTgM5N2RTJxpuQZv6MW6IJp9PAFc3k KVtBXg1tu1AEk53v9s+Kvd4PTXvjQARtLyJlWPmYb29NweyGvQoPmQ6e/ffD5MErJXrH JE5DHeWlnoFe0ADJzJ5R8zDdzr9VkqSnK7TPYAXo5ppgl89WDLIdsYqxmxNGePlSmcWB Ceb2oGau4Ii9gOuOXQD0ibA76/Bcvrs+1CimQfd0+qj6c8YQhKrUmRXNxOll/nL15Dms yzuGSwyTHdL0bK4lC0zipwlzx2zPcZV+2DDwtriTIwa8oRTvmCvsbVAYSrm9/lL2HSmi Ymgw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704745328; x=1705350128; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=LEPnLOP5T1dHkTbtWJgLMoghay1g9wsjy3LYMjKM1OM=; b=SxP10w4XSuZkAKS9edqWuXUntb1nS3hrqHduYvW52htI2RxGxYn7p+e5eoTWMgJbaM xvXV7etZ0Q1oEo9CfsedGCExA3fOH8ekZrZtCNOz5x8F6aRWSHkS8FDSVqHxcNyZjZpP 5v/2LHM47vy8OT//0N38RKFsDAh7QY4qIFu7217GsYRBFJm+agkS5rNmQ/QGsW29oeow kajCBqobK7tc76J9KCYnkSnS47PLA9rTuKqRkgxF3yCVUvTxtfBUL3uBxLreYh+hFJYr JbQMC9HK91jFp9szMSM3aK9lD+no8c2G5zM5d3e9ktykGtjIQR8dSmsxtSexbnpg1e8i 0QGA== X-Gm-Message-State: AOJu0YypKGL0HjylAzVVBiVZYRbuKAnpAm2dWb1ueIYIm5Jj6v+wOW+5 9bPO2gvFdxC+ORyyEZ2XdJsnkHygsId4yubjbR53BxBh4MQ= X-Google-Smtp-Source: AGHT+IFClZpvHnrZZMjvyzHC7ZxyK000pPs2XRH+2ZrctW2yBtvGopgkTRVjbN56GZ3F5WJFpF4r0Q== X-Received: by 2002:a05:6a21:4995:b0:199:e2a8:e6f4 with SMTP id ax21-20020a056a21499500b00199e2a8e6f4mr518000pzc.73.1704745327863; Mon, 08 Jan 2024 12:22:07 -0800 (PST) Received: from mandiga.. ([2804:1b3:a7c1:9dd2:7f25:c108:2fff:5f8e]) by smtp.gmail.com with ESMTPSA id z13-20020a62d10d000000b006d9bdc0f765sm287936pfg.53.2024.01.08.12.22.06 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Jan 2024 12:22:07 -0800 (PST) From: Adhemerval Zanella To: libc-alpha@sourceware.org Subject: [PATCH v2 08/10] wcsmbs: Improve fortify with clang Date: Mon, 8 Jan 2024 17:21:47 -0300 Message-Id: <20240108202149.335305-9-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240108202149.335305-1-adhemerval.zanella@linaro.org> References: <20240108202149.335305-1-adhemerval.zanella@linaro.org> MIME-Version: 1.0 X-Spam-Status: No, score=-12.6 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org It improve fortify checks for wmemcpy, wmemmove, wmemset, wcscpy, wcpcpy, wcsncpy, wcpncpy, wcscat, wcsncat, wcslcpy, wcslcat, swprintf, fgetws, fgetws_unlocked, wcrtomb, mbsrtowcs, wcsrtombs, mbsnrtowcs, and wcsnrtombs. The compile and runtime checks have similar coverage as with GCC. Checked on aarch64, armhf, x86_64, and i686. --- wcsmbs/bits/wchar2.h | 167 ++++++++++++++++++++++++++++++------------- 1 file changed, 119 insertions(+), 48 deletions(-) diff --git a/wcsmbs/bits/wchar2.h b/wcsmbs/bits/wchar2.h index 49f19bca19..9fdff47ee2 100644 --- a/wcsmbs/bits/wchar2.h +++ b/wcsmbs/bits/wchar2.h @@ -20,17 +20,24 @@ # error "Never include directly; use instead." #endif -__fortify_function wchar_t * -__NTH (wmemcpy (wchar_t *__restrict __s1, const wchar_t *__restrict __s2, - size_t __n)) +__fortify_function __attribute_overloadable__ wchar_t * +__NTH (wmemcpy (__fortify_clang_overload_arg (wchar_t *, __restrict, __s1), + const wchar_t *__restrict __s2, size_t __n)) + __fortify_clang_warning_only_if_bos0_lt2 (__n, __s1, sizeof (wchar_t), + "wmemcpy called with length bigger " + "than size of destination buffer") { return __glibc_fortify_n (wmemcpy, __n, sizeof (wchar_t), __glibc_objsize0 (__s1), __s1, __s2, __n); } -__fortify_function wchar_t * -__NTH (wmemmove (wchar_t *__s1, const wchar_t *__s2, size_t __n)) +__fortify_function __attribute_overloadable__ wchar_t * +__NTH (wmemmove (__fortify_clang_overload_arg (wchar_t *, ,__s1), + const wchar_t *__s2, size_t __n)) + __fortify_clang_warning_only_if_bos0_lt2 (__n, __s1, sizeof (wchar_t), + "wmemmove called with length bigger " + "than size of destination buffer") { return __glibc_fortify_n (wmemmove, __n, sizeof (wchar_t), __glibc_objsize0 (__s1), @@ -38,9 +45,12 @@ __NTH (wmemmove (wchar_t *__s1, const wchar_t *__s2, size_t __n)) } #ifdef __USE_GNU -__fortify_function wchar_t * -__NTH (wmempcpy (wchar_t *__restrict __s1, const wchar_t *__restrict __s2, - size_t __n)) +__fortify_function __attribute_overloadable__ wchar_t * +__NTH (wmempcpy (__fortify_clang_overload_arg (wchar_t *, __restrict, __s1), + const wchar_t *__restrict __s2, size_t __n)) + __fortify_clang_warning_only_if_bos0_lt2 (__n, __s1, sizeof (wchar_t), + "wmempcpy called with length bigger " + "than size of destination buffer") { return __glibc_fortify_n (wmempcpy, __n, sizeof (wchar_t), __glibc_objsize0 (__s1), @@ -48,16 +58,21 @@ __NTH (wmempcpy (wchar_t *__restrict __s1, const wchar_t *__restrict __s2, } #endif -__fortify_function wchar_t * -__NTH (wmemset (wchar_t *__s, wchar_t __c, size_t __n)) +__fortify_function __attribute_overloadable__ wchar_t * +__NTH (wmemset (__fortify_clang_overload_arg (wchar_t *, ,__s), wchar_t __c, + size_t __n)) + __fortify_clang_warning_only_if_bos0_lt2 (__n, __s, sizeof (wchar_t), + "wmemset called with length bigger " + "than size of destination buffer") { return __glibc_fortify_n (wmemset, __n, sizeof (wchar_t), __glibc_objsize0 (__s), __s, __c, __n); } -__fortify_function wchar_t * -__NTH (wcscpy (wchar_t *__restrict __dest, const wchar_t *__restrict __src)) +__fortify_function __attribute_overloadable__ wchar_t * +__NTH (wcscpy (__fortify_clang_overload_arg (wchar_t *, __restrict, __dest), + const wchar_t *__restrict __src)) { size_t sz = __glibc_objsize (__dest); if (sz != (size_t) -1) @@ -65,8 +80,9 @@ __NTH (wcscpy (wchar_t *__restrict __dest, const wchar_t *__restrict __src)) return __wcscpy_alias (__dest, __src); } -__fortify_function wchar_t * -__NTH (wcpcpy (wchar_t *__restrict __dest, const wchar_t *__restrict __src)) +__fortify_function __attribute_overloadable__ wchar_t * +__NTH (wcpcpy (__fortify_clang_overload_arg (wchar_t *, __restrict, __dest), + const wchar_t *__restrict __src)) { size_t sz = __glibc_objsize (__dest); if (sz != (size_t) -1) @@ -74,26 +90,33 @@ __NTH (wcpcpy (wchar_t *__restrict __dest, const wchar_t *__restrict __src)) return __wcpcpy_alias (__dest, __src); } -__fortify_function wchar_t * -__NTH (wcsncpy (wchar_t *__restrict __dest, const wchar_t *__restrict __src, - size_t __n)) +__fortify_function __attribute_overloadable__ wchar_t * +__NTH (wcsncpy (__fortify_clang_overload_arg (wchar_t *, __restrict, __dest), + const wchar_t *__restrict __src, size_t __n)) + __fortify_clang_warning_only_if_bos0_lt2 (__n, __dest, sizeof (wchar_t), + "wcsncpy called with length bigger " + "than size of destination buffer") { return __glibc_fortify_n (wcsncpy, __n, sizeof (wchar_t), __glibc_objsize (__dest), __dest, __src, __n); } -__fortify_function wchar_t * -__NTH (wcpncpy (wchar_t *__restrict __dest, const wchar_t *__restrict __src, - size_t __n)) +__fortify_function __attribute_overloadable__ wchar_t * +__NTH (wcpncpy (__fortify_clang_overload_arg (wchar_t *, __restrict, __dest), + const wchar_t *__restrict __src, size_t __n)) + __fortify_clang_warning_only_if_bos0_lt2 (__n, __dest, sizeof (wchar_t), + "wcpncpy called with length bigger " + "than size of destination buffer") { return __glibc_fortify_n (wcpncpy, __n, sizeof (wchar_t), __glibc_objsize (__dest), __dest, __src, __n); } -__fortify_function wchar_t * -__NTH (wcscat (wchar_t *__restrict __dest, const wchar_t *__restrict __src)) +__fortify_function __attribute_overloadable__ wchar_t * +__NTH (wcscat (__fortify_clang_overload_arg (wchar_t *, __restrict, __dest), + const wchar_t *__restrict __src)) { size_t sz = __glibc_objsize (__dest); if (sz != (size_t) -1) @@ -101,9 +124,9 @@ __NTH (wcscat (wchar_t *__restrict __dest, const wchar_t *__restrict __src)) return __wcscat_alias (__dest, __src); } -__fortify_function wchar_t * -__NTH (wcsncat (wchar_t *__restrict __dest, const wchar_t *__restrict __src, - size_t __n)) +__fortify_function __attribute_overloadable__ wchar_t * +__NTH (wcsncat (__fortify_clang_overload_arg (wchar_t *, __restrict, __dest), + const wchar_t *__restrict __src, size_t __n)) { size_t sz = __glibc_objsize (__dest); if (sz != (size_t) -1) @@ -112,9 +135,12 @@ __NTH (wcsncat (wchar_t *__restrict __dest, const wchar_t *__restrict __src, } #ifdef __USE_MISC -__fortify_function size_t -__NTH (wcslcpy (wchar_t *__restrict __dest, const wchar_t *__restrict __src, - size_t __n)) +__fortify_function __attribute_overloadable__ size_t +__NTH (wcslcpy (__fortify_clang_overload_arg (wchar_t *, __restrict, __dest), + const wchar_t *__restrict __src, size_t __n)) + __fortify_clang_warning_only_if_bos0_lt2 (__n, __dest, sizeof (wchar_t), + "wcslcpy called with length bigger " + "than size of destination buffer") { if (__glibc_objsize (__dest) != (size_t) -1 && (!__builtin_constant_p (__n @@ -125,9 +151,9 @@ __NTH (wcslcpy (wchar_t *__restrict __dest, const wchar_t *__restrict __src, return __wcslcpy_alias (__dest, __src, __n); } -__fortify_function size_t -__NTH (wcslcat (wchar_t *__restrict __dest, const wchar_t *__restrict __src, - size_t __n)) +__fortify_function __attribute_overloadable__ size_t +__NTH (wcslcat (__fortify_clang_overload_arg (wchar_t *, __restrict, __dest), + const wchar_t *__restrict __src, size_t __n)) { if (__glibc_objsize (__dest) != (size_t) -1 && (!__builtin_constant_p (__n > __glibc_objsize (__dest) @@ -150,6 +176,23 @@ __NTH (swprintf (wchar_t *__restrict __s, size_t __n, sz / sizeof (wchar_t), __fmt, __va_arg_pack ()); return __swprintf_alias (__s, __n, __fmt, __va_arg_pack ()); } +#elif __fortify_use_clang +__fortify_function_error_function __attribute_overloadable__ int +__NTH (swprintf (__fortify_clang_overload_arg (wchar_t *, __restrict, __s), + size_t __n, const wchar_t *__restrict __fmt, ...)) +{ + __gnuc_va_list __fortify_ap; + __builtin_va_start (__fortify_ap, __fmt); + int __r; + if (__glibc_objsize (__s) != (size_t) -1 || __USE_FORTIFY_LEVEL > 1) + __r = __vswprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1, + __glibc_objsize (__s) / sizeof (wchar_t), + __fmt, __fortify_ap); + else + __r = __vswprintf_alias (__s, __n, __fmt, __fortify_ap); + __builtin_va_end (__fortify_ap); + return __r; +} #elif !defined __cplusplus /* XXX We might want to have support in gcc for swprintf. */ # define swprintf(s, n, ...) \ @@ -207,34 +250,46 @@ vfwprintf (__FILE *__restrict __stream, } #endif -__fortify_function __wur wchar_t * -fgetws (wchar_t *__restrict __s, int __n, __FILE *__restrict __stream) +__fortify_function __attribute_overloadable__ __wur wchar_t * +fgetws (__fortify_clang_overload_arg (wchar_t *, __restrict, __s), int __n, + __FILE *__restrict __stream) + __fortify_clang_warning_only_if_bos_lt2 (__n, __s, sizeof (wchar_t), + "fgetws called with length bigger " + "than size of destination buffer") { size_t sz = __glibc_objsize (__s); if (__glibc_safe_or_unknown_len (__n, sizeof (wchar_t), sz)) return __fgetws_alias (__s, __n, __stream); +#if !__fortify_use_clang if (__glibc_unsafe_len (__n, sizeof (wchar_t), sz)) return __fgetws_chk_warn (__s, sz / sizeof (wchar_t), __n, __stream); +#endif return __fgetws_chk (__s, sz / sizeof (wchar_t), __n, __stream); } #ifdef __USE_GNU -__fortify_function __wur wchar_t * -fgetws_unlocked (wchar_t *__restrict __s, int __n, __FILE *__restrict __stream) +__fortify_function __attribute_overloadable__ __wur wchar_t * +fgetws_unlocked (__fortify_clang_overload_arg (wchar_t *, __restrict, __s), + int __n, __FILE *__restrict __stream) + __fortify_clang_warning_only_if_bos_lt2 (__n, __s, sizeof (wchar_t), + "fgetws_unlocked called with length bigger " + "than size of destination buffer") { size_t sz = __glibc_objsize (__s); if (__glibc_safe_or_unknown_len (__n, sizeof (wchar_t), sz)) return __fgetws_unlocked_alias (__s, __n, __stream); +# if !__fortify_use_clang if (__glibc_unsafe_len (__n, sizeof (wchar_t), sz)) return __fgetws_unlocked_chk_warn (__s, sz / sizeof (wchar_t), __n, __stream); +# endif return __fgetws_unlocked_chk (__s, sz / sizeof (wchar_t), __n, __stream); } #endif -__fortify_function __wur size_t -__NTH (wcrtomb (char *__restrict __s, wchar_t __wchar, - mbstate_t *__restrict __ps)) +__fortify_function __attribute_overloadable__ __wur size_t +__NTH (wcrtomb (__fortify_clang_overload_arg (char *, __restrict, __s), + wchar_t __wchar, mbstate_t *__restrict __ps)) { /* We would have to include to get a definition of MB_LEN_MAX. But this would only disturb the namespace. So we define our own @@ -249,18 +304,26 @@ __NTH (wcrtomb (char *__restrict __s, wchar_t __wchar, return __wcrtomb_alias (__s, __wchar, __ps); } -__fortify_function size_t -__NTH (mbsrtowcs (wchar_t *__restrict __dst, const char **__restrict __src, +__fortify_function __attribute_overloadable__ size_t +__NTH (mbsrtowcs (__fortify_clang_overload_arg (wchar_t *, __restrict, __dst), + const char **__restrict __src, size_t __len, mbstate_t *__restrict __ps)) + __fortify_clang_warning_only_if_bos_lt2 (__len, __dst, sizeof (wchar_t), + "mbsrtowcs called with dst buffer " + "smaller than len * sizeof (wchar_t)") { return __glibc_fortify_n (mbsrtowcs, __len, sizeof (wchar_t), __glibc_objsize (__dst), __dst, __src, __len, __ps); } -__fortify_function size_t -__NTH (wcsrtombs (char *__restrict __dst, const wchar_t **__restrict __src, +__fortify_function __attribute_overloadable__ size_t +__NTH (wcsrtombs (__fortify_clang_overload_arg (char *, __restrict, __dst), + const wchar_t **__restrict __src, size_t __len, mbstate_t *__restrict __ps)) + __fortify_clang_warning_only_if_bos_lt (__len, __dst, + "wcsrtombs called with dst buffer " + "smaller than len") { return __glibc_fortify (wcsrtombs, __len, sizeof (char), __glibc_objsize (__dst), @@ -269,18 +332,26 @@ __NTH (wcsrtombs (char *__restrict __dst, const wchar_t **__restrict __src, #ifdef __USE_XOPEN2K8 -__fortify_function size_t -__NTH (mbsnrtowcs (wchar_t *__restrict __dst, const char **__restrict __src, - size_t __nmc, size_t __len, mbstate_t *__restrict __ps)) +__fortify_function __attribute_overloadable__ size_t +__NTH (mbsnrtowcs (__fortify_clang_overload_arg (wchar_t *, __restrict, __dst), + const char **__restrict __src, size_t __nmc, size_t __len, + mbstate_t *__restrict __ps)) + __fortify_clang_warning_only_if_bos_lt (sizeof (wchar_t) * __len, __dst, + "mbsnrtowcs called with dst buffer " + "smaller than len * sizeof (wchar_t)") { return __glibc_fortify_n (mbsnrtowcs, __len, sizeof (wchar_t), __glibc_objsize (__dst), __dst, __src, __nmc, __len, __ps); } -__fortify_function size_t -__NTH (wcsnrtombs (char *__restrict __dst, const wchar_t **__restrict __src, - size_t __nwc, size_t __len, mbstate_t *__restrict __ps)) +__fortify_function __attribute_overloadable__ size_t +__NTH (wcsnrtombs (__fortify_clang_overload_arg (char *, __restrict, __dst), + const wchar_t **__restrict __src, size_t __nwc, + size_t __len, mbstate_t *__restrict __ps)) + __fortify_clang_warning_only_if_bos_lt (__len, __dst, + "wcsnrtombs called with dst buffer " + "smaller than len") { return __glibc_fortify (wcsnrtombs, __len, sizeof (char), __glibc_objsize (__dst), From patchwork Mon Jan 8 20:21:48 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella Netto X-Patchwork-Id: 1883911 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=nssuDpcC; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=2620:52:3:1:0:246e:9693:128c; helo=server2.sourceware.org; envelope-from=libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org; receiver=patchwork.ozlabs.org) Received: from server2.sourceware.org (server2.sourceware.org [IPv6:2620:52:3:1:0:246e:9693:128c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4T85B36Vljz1yP3 for ; Tue, 9 Jan 2024 07:23:55 +1100 (AEDT) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id D142C386180E for ; Mon, 8 Jan 2024 20:23:53 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pg1-x52b.google.com (mail-pg1-x52b.google.com [IPv6:2607:f8b0:4864:20::52b]) by sourceware.org (Postfix) with ESMTPS id E5C6538582A7 for ; Mon, 8 Jan 2024 20:22:10 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org E5C6538582A7 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org E5C6538582A7 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::52b ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1704745336; cv=none; b=rhEHlzTFhXFy5/UNGQ7pKdSdHZOGwrgWZxNMIA9uKouW9hvzxuxOGAHasWY4yciK8SZ6UpaQNiB5+6flhQgpdIZ+N19IE9GmkCa4wW7s/P2HKmEdEIeo/b+/rRSTVBwq3dpDHyG7344D+OgF/Zp3E0t4olzkkPvF1CPL6I1+Dgs= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1704745336; c=relaxed/simple; bh=z3hkJQ7+WlzrIARv5+i/THpV8pV7QpFX3VkyYl//n2M=; h=DKIM-Signature:From:To:Subject:Date:Message-Id:MIME-Version; b=ueG5mltkn5k3PORYFFIM8817c9/mIx+B4oJ6h6YTnp6MP3CCz0F0U/EjXIkJZAaj+99aiqvPHVKkoXeWPovw86GFyySS2TqRc+vkK4xg3gG8fZMiCkETxFxZrKLtrlXP3kCcgXLl8K7WEJswPQJfDul1JOklisIUu15dJpvb1Bc= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-pg1-x52b.google.com with SMTP id 41be03b00d2f7-5c6ce4dffb5so693780a12.0 for ; Mon, 08 Jan 2024 12:22:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1704745329; x=1705350129; darn=sourceware.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=VFLcMeLaWwMDEL1KF+YkrB6nN27afWxkJZfIoIXJ0kQ=; b=nssuDpcCMbO86J6kxiNwSYko4+tNrMKbOAEF3xlWsl9vsvl4a4x1zOx+d3FRZ3OUWl 5wXGxww6revyCTrxsa0en7kch0A13dqaxP/hiSuWl10Wh6G8sQjIhF8CQY5OltyLxXjL 6lw+UCflAuuc8iabGsq5zu0T0hxUjQKiTm4sTBn/IzKTkaUksuKeQ1BeYj/Z7dKcO6Lv 6fGG/1j6nQTAXfzmr082aObbrUCITPnW+6L8Tf8CWGQwSkQp8l/5m9gLcVyKFzowp52R +Ks45p623B4GsiFUcQOMDyzhDKcPaQkJ61h8yZ6orG3Q9/wWwmpa9t8a/sDMTnMZ2zvd 1htw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704745329; x=1705350129; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=VFLcMeLaWwMDEL1KF+YkrB6nN27afWxkJZfIoIXJ0kQ=; b=q3GImp5eIHe6ANDg+hK36B/ss0bezyoykQARRwUydWunmpnAxuaxIuWjkJunh6LTFo yORYG+nAguB6yyn7brCTTZFR3C7wW3g5xWo3j7e4XTd74r32IrbpOLhi0PESEFF0uywh B/d3Ri/oeOaXNDPV9CVdT4Ku9yT2o2ly7ySJBUjcv/tNHEf0flMWZVhSP0l5KIRgbHJQ fceHzwf6+ukD/4AabD/od/8h9tOgZOeSyXGTvqjQ4x7hq22A4KjYMH8gqkcfo5N/hT0E GMBfwsqzVZCaFXFue+GLbT+C4UC8hTDswSbYdM78J/X/anNkJXrPFyA4AgntkFBQVky4 gPSw== X-Gm-Message-State: AOJu0Yx8wQDrmJ2uQJuHoMBdO808x3Sj0HLv+BeV2jeGnqYLM4ZVI9xL CB55H7L7wkOo722K2kFlQeNPzkrxlbfvficinPUJ8Ft75S4= X-Google-Smtp-Source: AGHT+IFXHZnEo2TxgBDlengdFd+Fqw6laD9U/1LHKpVb5sPtPIF+hWkLdAL+Parge80jBJFE/1nFdA== X-Received: by 2002:a05:6a21:6d94:b0:199:c912:112a with SMTP id wl20-20020a056a216d9400b00199c912112amr1073559pzb.9.1704745329489; Mon, 08 Jan 2024 12:22:09 -0800 (PST) Received: from mandiga.. ([2804:1b3:a7c1:9dd2:7f25:c108:2fff:5f8e]) by smtp.gmail.com with ESMTPSA id z13-20020a62d10d000000b006d9bdc0f765sm287936pfg.53.2024.01.08.12.22.08 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Jan 2024 12:22:08 -0800 (PST) From: Adhemerval Zanella To: libc-alpha@sourceware.org Subject: [PATCH v2 09/10] debug: Improve fcntl.h fortify warnings with clang Date: Mon, 8 Jan 2024 17:21:48 -0300 Message-Id: <20240108202149.335305-10-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240108202149.335305-1-adhemerval.zanella@linaro.org> References: <20240108202149.335305-1-adhemerval.zanella@linaro.org> MIME-Version: 1.0 X-Spam-Status: No, score=-12.6 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org It improves open, open64, openat, and openat64. The compile and runtime checks have similar coverage as with GCC. Checked on aarch64, armhf, x86_64, and i686. --- io/bits/fcntl2.h | 92 ++++++++++++++++++++++++++++++++++++++++++++++++ io/fcntl.h | 3 +- misc/sys/cdefs.h | 9 ++++- 3 files changed, 101 insertions(+), 3 deletions(-) diff --git a/io/bits/fcntl2.h b/io/bits/fcntl2.h index 34f05d793d..e29f842246 100644 --- a/io/bits/fcntl2.h +++ b/io/bits/fcntl2.h @@ -32,6 +32,8 @@ extern int __REDIRECT (__open_2, (const char *__path, int __oflag), extern int __REDIRECT (__open_alias, (const char *__path, int __oflag, ...), open64) __nonnull ((1)); #endif + +#ifdef __va_arg_pack_len __errordecl (__open_too_many_args, "open can be called either with 2 or 3 arguments, not more"); __errordecl (__open_missing_mode, @@ -58,12 +60,34 @@ open (const char *__path, int __oflag, ...) return __open_alias (__path, __oflag, __va_arg_pack ()); } +#elif __fortify_use_clang +__fortify_function_error_function __attribute_overloadable__ int +open (const char *__path, int __oflag, mode_t __mode, ...) + __fortify_clang_unavailable ("open can be called either with 2 or 3 arguments, not more"); + +__fortify_function __attribute_overloadable__ int +open (__fortify_clang_overload_arg (const char *, ,__path), int __oflag) + __fortify_clang_prefer_this_overload + __fortify_clang_error (__OPEN_NEEDS_MODE (__oflag), + "open with O_CREAT or O_TMPFILE in second argument needs 3 arguments") +{ + return __open_2 (__path, __oflag); +} + +__fortify_function __attribute_overloadable__ int +open (__fortify_clang_overload_arg (const char *, ,__path), int __oflag, + mode_t __mode) +{ + return __open_alias (__path, __oflag); +} +#endif #ifdef __USE_LARGEFILE64 extern int __open64_2 (const char *__path, int __oflag) __nonnull ((1)); extern int __REDIRECT (__open64_alias, (const char *__path, int __oflag, ...), open64) __nonnull ((1)); +# ifdef __va_arg_pack_len __errordecl (__open64_too_many_args, "open64 can be called either with 2 or 3 arguments, not more"); __errordecl (__open64_missing_mode, @@ -90,6 +114,27 @@ open64 (const char *__path, int __oflag, ...) return __open64_alias (__path, __oflag, __va_arg_pack ()); } +# elif __fortify_use_clang +__fortify_function_error_function __attribute_overloadable__ int +open64 (const char *__path, int __oflag, mode_t __mode, ...) + __fortify_clang_unavailable ("open64 can be called either with 2 or 3 arguments, not more"); + +__fortify_function __attribute_overloadable__ int +open64 (__fortify_clang_overload_arg (const char *, ,__path), int __oflag) + __fortify_clang_prefer_this_overload + __fortify_clang_error (__OPEN_NEEDS_MODE (__oflag), + "open64 with O_CREAT or O_TMPFILE in second argument needs 3 arguments") +{ + return __open64_2 (__path, __oflag); +} + +__fortify_function __attribute_overloadable__ int +open64 (__fortify_clang_overload_arg (const char *, ,__path), int __oflag, + mode_t __mode) +{ + return __open64_alias (__path, __oflag); +} +# endif #endif @@ -108,6 +153,8 @@ extern int __REDIRECT (__openat_alias, (int __fd, const char *__path, int __oflag, ...), openat64) __nonnull ((2)); # endif + +# ifdef __va_arg_pack_len __errordecl (__openat_too_many_args, "openat can be called either with 3 or 4 arguments, not more"); __errordecl (__openat_missing_mode, @@ -134,6 +181,28 @@ openat (int __fd, const char *__path, int __oflag, ...) return __openat_alias (__fd, __path, __oflag, __va_arg_pack ()); } +# elif __fortify_use_clang +__fortify_function_error_function __attribute_overloadable__ int +openat (int __fd, const char *__path, int __oflag, mode_t __mode, ...) + __fortify_clang_unavailable ("openat can be called either with 3 or 4 arguments, not more"); + +__fortify_function __attribute_overloadable__ int +openat (int __fd, __fortify_clang_overload_arg (const char *, ,__path), + int __oflag) + __fortify_clang_prefer_this_overload + __fortify_clang_error (__OPEN_NEEDS_MODE (__oflag), + "openat with O_CREAT or O_TMPFILE in third argument needs 4 arguments") +{ + return __openat_2 (__fd, __path, __oflag); +} + +__fortify_function __attribute_overloadable__ int +openat (int __fd, __fortify_clang_overload_arg (const char *, ,__path), + int __oflag, mode_t __mode) +{ + return __openat_alias (__fd, __path, __oflag); +} +# endif # ifdef __USE_LARGEFILE64 @@ -147,6 +216,7 @@ __errordecl (__openat64_too_many_args, __errordecl (__openat64_missing_mode, "openat64 with O_CREAT or O_TMPFILE in third argument needs 4 arguments"); +# ifdef __va_arg_pack_len __fortify_function int openat64 (int __fd, const char *__path, int __oflag, ...) { @@ -168,5 +238,27 @@ openat64 (int __fd, const char *__path, int __oflag, ...) return __openat64_alias (__fd, __path, __oflag, __va_arg_pack ()); } +# elif __fortify_use_clang +__fortify_function_error_function __attribute_overloadable__ int +openat64 (int __fd, const char *__path, int __oflag, mode_t __mode, ...) + __fortify_clang_unavailable ("openat64 can be called either with 3 or 4 arguments, not more"); + +__fortify_function __attribute_overloadable__ int +openat64 (int __fd, __fortify_clang_overload_arg (const char *, ,__path), + int __oflag) + __fortify_clang_prefer_this_overload + __fortify_clang_error (__OPEN_NEEDS_MODE (__oflag), + "openat64 with O_CREAT or O_TMPFILE in third argument needs 4 arguments") +{ + return __openat64_2 (__fd, __path, __oflag); +} + +__fortify_function __attribute_overloadable__ int +openat64 (int __fd, __fortify_clang_overload_arg (const char *, ,__path), + int __oflag, mode_t __mode) +{ + return __openat64_alias (__fd, __path, __oflag); +} +# endif # endif #endif diff --git a/io/fcntl.h b/io/fcntl.h index 9cee0b5900..38aa12d7f2 100644 --- a/io/fcntl.h +++ b/io/fcntl.h @@ -337,8 +337,7 @@ extern int posix_fallocate64 (int __fd, off64_t __offset, off64_t __len); /* Define some inlines helping to catch common problems. */ -#if __USE_FORTIFY_LEVEL > 0 && defined __fortify_function \ - && defined __va_arg_pack_len +#if __USE_FORTIFY_LEVEL > 0 && defined __fortify_function # include #endif diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h index 62507044c8..6b03417453 100644 --- a/misc/sys/cdefs.h +++ b/misc/sys/cdefs.h @@ -257,7 +257,9 @@ # define __fortify_clang_warning(__c, __msg) \ __attribute__ ((__diagnose_if__ ((__c), (__msg), "warning"))) -# define __fortify_clang_warning_only_if_bos0_lt(n, buf, complaint) \ +# define __fortify_clang_error(__c, __msg) \ + __attribute__ ((__diagnose_if__ ((__c), (__msg), "error"))) +# define __fortify_clang_warning_only_if_bos0_lt(n, buf, complaint) \ __attribute__ ((__diagnose_if__ \ (__fortify_clang_bosn_args (__bos0, n, buf, 1, complaint)))) # define __fortify_clang_warning_only_if_bos0_lt2(n, buf, div, complaint) \ @@ -270,6 +272,11 @@ __attribute__ ((__diagnose_if__ \ (__fortify_clang_bosn_args (__bos, n, buf, div, complaint)))) +# define __fortify_clang_prefer_this_overload \ + __attribute__ ((enable_if (1, ""))) +# define __fortify_clang_unavailable(__msg) \ + __attribute__ ((unavailable(__msg))) + # if __USE_FORTIFY_LEVEL == 3 # define __fortify_clang_overload_arg(__type, __attr, __name) \ __type __attr const __fortify_clang_pass_dynamic_object_size __name From patchwork Mon Jan 8 20:21:49 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella Netto X-Patchwork-Id: 1883914 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=yo++BxOF; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=8.43.85.97; helo=server2.sourceware.org; envelope-from=libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org; receiver=patchwork.ozlabs.org) Received: from server2.sourceware.org (server2.sourceware.org [8.43.85.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4T85CX5RWNz1yPf for ; Tue, 9 Jan 2024 07:25:12 +1100 (AEDT) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 9AF4F385843E for ; Mon, 8 Jan 2024 20:25:10 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pf1-x42b.google.com (mail-pf1-x42b.google.com [IPv6:2607:f8b0:4864:20::42b]) by sourceware.org (Postfix) with ESMTPS id 9A86F3858415 for ; Mon, 8 Jan 2024 20:22:12 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 9A86F3858415 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 9A86F3858415 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::42b ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1704745336; cv=none; b=jD4Qwe31upU8QOBSykVaG8aI+NLLr58P0EWPL8z3WVj3C1a7poNEvLqRsfrpDW6BJIlzDmIPWhLAWCVndIiA/D+1xtY3splvYNsHDrjgi472zTHJCbe4sZgEDczmQhwVRO9J/KwJo0GEFWyZo5XZgoRgJ0QklJ6RKj2maXB4dpI= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1704745336; c=relaxed/simple; bh=wNEfDapJnYnujUhCBMBO9HlIe30rH4wQGFMbqQzqlEE=; h=DKIM-Signature:From:To:Subject:Date:Message-Id:MIME-Version; b=jNH+IlpjJaEIYZ+JqkMr5Y009LuBI8qrV1Nzpp5qFVVYWXD9YEaAzkqnkUPeoOLdN4tzw4PzDyTbbL2Olz1oEMFMlLaOzX3KFzai36PIZv7ncCs3rdQhM0T+gNAlmqTdpn3se+G1YQ4UKSzli2AdVWxH5GjfWYA7jLr27tHqSew= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-pf1-x42b.google.com with SMTP id d2e1a72fcca58-6d99980b2e0so1945063b3a.2 for ; Mon, 08 Jan 2024 12:22:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1704745331; x=1705350131; darn=sourceware.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=+lXNyVmzS19qsCwprnU9lhxbiK68WYoELWDA1qhWWV0=; b=yo++BxOFnj21H1ysTdl097l3QAwAYwp/7HFRTRRSgVsAdLR63M7dkLGQbdZzWLOQZF ErEqwFxq0+226lim03JdudDrtX1UrywHk085pHavse+ro4FjXFtgSi8yDlAkXjm3joqy NaYURNXvmr1rPp8uJjR0peVl8lbAwvyQTsNujzmgsmcSxPWuFt4Exkv2cSSm4MDvDgmD ZUPShyKjU+QFrM/JgR0evngimgz8Dfs832idGGGUQl9lL2PuodyAY6rnCaQUQdiLCxNT 8UYpHmpAnZMv5rWdeSNCnX/Ii2PeDW/Taykd5JxNlTJV9CBp34H6tUcYjGvpNg0shHNr dwmA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704745331; x=1705350131; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=+lXNyVmzS19qsCwprnU9lhxbiK68WYoELWDA1qhWWV0=; b=eF0x8QkCdhHLtpRS8ShI6IRA6jisqv/teYgZbZICvalB1rWUy0MGS3Tsd5Z6g2S9J5 EOf+lZQscjQkIES+lvkNL0v/8+bziBoToK4UDo+JaLtI88qdAW2YE43MSBOeJ0ShpTRY O9iBTz9kfN1H+3D3A7o5EQaiRURUSeDvUQZAqZe8KePGWxlih4O9mdZv57+6AJyUvgCM SjYH6dHB8a0TzCWYjDfFJLowXCTFqsTuMtU/aGmLw3a0gyCvUEweLGTMVAExhP4Ln0/0 +5p7AmXrsUUDAUcUwLxR6cyDbn6JOFq/wsSJbYwgZ/kIHG2w57rFmYFJ0KPzXjYtayKt C4og== X-Gm-Message-State: AOJu0YyFg7uEgnx3rTVWSiEynuRTRxcLZhp1N01/ggSNnOI/NktZffLQ aQDoA90EkcRPFwJBlDG5I1Hm8J9XvJ9hLKDZac5QNpA4/V4= X-Google-Smtp-Source: AGHT+IF+/4+w/O+ecWR54GL2iJRY0h9aMIsYDTbCp747nIa6rlFMWCPnmXsESUYQ0w064EiktwqfWQ== X-Received: by 2002:aa7:9205:0:b0:6da:23d7:3786 with SMTP id 5-20020aa79205000000b006da23d73786mr3783344pfo.21.1704745331056; Mon, 08 Jan 2024 12:22:11 -0800 (PST) Received: from mandiga.. ([2804:1b3:a7c1:9dd2:7f25:c108:2fff:5f8e]) by smtp.gmail.com with ESMTPSA id z13-20020a62d10d000000b006d9bdc0f765sm287936pfg.53.2024.01.08.12.22.09 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Jan 2024 12:22:10 -0800 (PST) From: Adhemerval Zanella To: libc-alpha@sourceware.org Subject: [PATCH v2 10/10] debug: Improve mqueue.h fortify warnings with clang Date: Mon, 8 Jan 2024 17:21:49 -0300 Message-Id: <20240108202149.335305-11-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240108202149.335305-1-adhemerval.zanella@linaro.org> References: <20240108202149.335305-1-adhemerval.zanella@linaro.org> MIME-Version: 1.0 X-Spam-Status: No, score=-12.6 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org It improve mq_open. The compile and runtime checks have similar coverage as with GCC. Checked on aarch64, armhf, x86_64, and i686. --- rt/bits/mqueue2.h | 29 +++++++++++++++++++++++++++++ rt/mqueue.h | 3 +-- 2 files changed, 30 insertions(+), 2 deletions(-) diff --git a/rt/bits/mqueue2.h b/rt/bits/mqueue2.h index 0f9d67966f..d6d2d9012d 100644 --- a/rt/bits/mqueue2.h +++ b/rt/bits/mqueue2.h @@ -29,6 +29,8 @@ extern mqd_t __mq_open_2 (const char *__name, int __oflag) extern mqd_t __REDIRECT_NTH (__mq_open_alias, (const char *__name, int __oflag, ...), mq_open) __nonnull ((1)); + +#ifdef __va_arg_pack_len __errordecl (__mq_open_wrong_number_of_args, "mq_open can be called either with 2 or 4 arguments"); __errordecl (__mq_open_missing_mode_and_attr, @@ -55,3 +57,30 @@ __NTH (mq_open (const char *__name, int __oflag, ...)) return __mq_open_alias (__name, __oflag, __va_arg_pack ()); } +#elif __fortify_use_clang +__fortify_function_error_function __attribute_overloadable__ mqd_t +__NTH (mq_open (const char *__name, int __oflag, mode_t mode)) + __fortify_clang_unavailable ("mq_open can be called either with 2 or 4 arguments"); + +__fortify_function_error_function __attribute_overloadable__ mqd_t +__NTH (mq_open (const char *__name, int __oflag, mode_t mode, + struct mq_attr *attr, ...)) + __fortify_clang_unavailable ("mq_open can be called either with 2 or 4 arguments"); + +__fortify_function __attribute_overloadable__ mqd_t +__NTH (mq_open (__fortify_clang_overload_arg (const char *, ,__name), + int __oflag)) + __fortify_clang_prefer_this_overload + __fortify_clang_error ((__oflag & O_CREAT), + "mq_open with O_CREAT in second argument needs 4 arguments") +{ + return __mq_open_alias (__name, __oflag); +} + +__fortify_function __attribute_overloadable__ mqd_t +__NTH (mq_open (__fortify_clang_overload_arg (const char *, ,__name), + int __oflag, int __mode, struct mq_attr *__attr)) +{ + return __mq_open_alias (__name, __oflag, __mode, __attr); +} +#endif diff --git a/rt/mqueue.h b/rt/mqueue.h index 787cc36df2..d39334ba16 100644 --- a/rt/mqueue.h +++ b/rt/mqueue.h @@ -110,8 +110,7 @@ extern int __REDIRECT (mq_timedsend, (mqd_t __mqdes, #endif /* Define some inlines helping to catch common problems. */ -#if __USE_FORTIFY_LEVEL > 0 && defined __fortify_function \ - && defined __va_arg_pack_len +#if __USE_FORTIFY_LEVEL > 0 && defined __fortify_function # include #endif