2012-01-08 16:55:32 +00:00
|
|
|
/* Checking macros for poll functions.
|
2024-01-01 18:12:26 +00:00
|
|
|
Copyright (C) 2012-2024 Free Software Foundation, Inc.
|
2012-01-08 16:55:32 +00:00
|
|
|
This file is part of the GNU C Library.
|
|
|
|
|
|
|
|
The GNU C Library is free software; you can redistribute it and/or
|
|
|
|
modify it under the terms of the GNU Lesser General Public
|
|
|
|
License as published by the Free Software Foundation; either
|
|
|
|
version 2.1 of the License, or (at your option) any later version.
|
|
|
|
|
|
|
|
The GNU C Library is distributed in the hope that it will be useful,
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
Lesser General Public License for more details.
|
|
|
|
|
|
|
|
You should have received a copy of the GNU Lesser General Public
|
2012-02-09 23:18:22 +00:00
|
|
|
License along with the GNU C Library; if not, see
|
Prefer https to http for gnu.org and fsf.org URLs
Also, change sources.redhat.com to sourceware.org.
This patch was automatically generated by running the following shell
script, which uses GNU sed, and which avoids modifying files imported
from upstream:
sed -ri '
s,(http|ftp)(://(.*\.)?(gnu|fsf|sourceware)\.org($|[^.]|\.[^a-z])),https\2,g
s,(http|ftp)(://(.*\.)?)sources\.redhat\.com($|[^.]|\.[^a-z]),https\2sourceware.org\4,g
' \
$(find $(git ls-files) -prune -type f \
! -name '*.po' \
! -name 'ChangeLog*' \
! -path COPYING ! -path COPYING.LIB \
! -path manual/fdl-1.3.texi ! -path manual/lgpl-2.1.texi \
! -path manual/texinfo.tex ! -path scripts/config.guess \
! -path scripts/config.sub ! -path scripts/install-sh \
! -path scripts/mkinstalldirs ! -path scripts/move-if-change \
! -path INSTALL ! -path locale/programs/charmap-kw.h \
! -path po/libc.pot ! -path sysdeps/gnu/errlist.c \
! '(' -name configure \
-execdir test -f configure.ac -o -f configure.in ';' ')' \
! '(' -name preconfigure \
-execdir test -f preconfigure.ac ';' ')' \
-print)
and then by running 'make dist-prepare' to regenerate files built
from the altered files, and then executing the following to cleanup:
chmod a+x sysdeps/unix/sysv/linux/riscv/configure
# Omit irrelevant whitespace and comment-only changes,
# perhaps from a slightly-different Autoconf version.
git checkout -f \
sysdeps/csky/configure \
sysdeps/hppa/configure \
sysdeps/riscv/configure \
sysdeps/unix/sysv/linux/csky/configure
# Omit changes that caused a pre-commit check to fail like this:
# remote: *** error: sysdeps/powerpc/powerpc64/ppc-mcount.S: trailing lines
git checkout -f \
sysdeps/powerpc/powerpc64/ppc-mcount.S \
sysdeps/unix/sysv/linux/s390/s390-64/syscall.S
# Omit change that caused a pre-commit check to fail like this:
# remote: *** error: sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S: last line does not end in newline
git checkout -f sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S
2019-09-07 05:40:42 +00:00
|
|
|
<https://www.gnu.org/licenses/>. */
|
2012-01-08 16:55:32 +00:00
|
|
|
|
|
|
|
#ifndef _SYS_POLL_H
|
|
|
|
# error "Never include <bits/poll2.h> directly; use <sys/poll.h> instead."
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
2012-01-09 02:57:15 +00:00
|
|
|
__BEGIN_DECLS
|
|
|
|
|
2012-01-08 16:55:32 +00:00
|
|
|
extern int __REDIRECT (__poll_alias, (struct pollfd *__fds, nfds_t __nfds,
|
|
|
|
int __timeout), poll);
|
|
|
|
extern int __poll_chk (struct pollfd *__fds, nfds_t __nfds, int __timeout,
|
2021-05-06 16:56:25 +00:00
|
|
|
__SIZE_TYPE__ __fdslen)
|
|
|
|
__attr_access ((__write_only__, 1, 2));
|
2012-01-08 16:55:32 +00:00
|
|
|
extern int __REDIRECT (__poll_chk_warn, (struct pollfd *__fds, nfds_t __nfds,
|
|
|
|
int __timeout, __SIZE_TYPE__ __fdslen),
|
|
|
|
__poll_chk)
|
|
|
|
__warnattr ("poll called with fds buffer too small file nfds entries");
|
|
|
|
|
Don't add access size hints to fortifiable functions
In the context of a function definition, the size hints imply that the
size of an object pointed to by one parameter is another parameter.
This doesn't make sense for the fortified versions of the functions
since that's the bit it's trying to validate.
This is harmless with __builtin_object_size since it has fairly simple
semantics when it comes to objects passed as function parameters.
With __builtin_dynamic_object_size we could (as my patchset for gcc[1]
already does) use the access attribute to determine the object size in
the general case but it misleads the fortified functions.
Basically the problem occurs when access attributes are present on
regular functions that have inline fortified definitions to generate
_chk variants; the attributes get inherited by these definitions,
causing problems when analyzing them. For example with poll(fds, nfds,
timeout), nfds is hinted using the __attr_access as being the size of
fds.
Now, when analyzing the inline function definition in bits/poll2.h, the
compiler sees that nfds is the size of fds and tries to use that
information in the function body. In _FORTIFY_SOURCE=3 case, where the
object size could be a non-constant expression, this information results
in the conclusion that nfds is the size of fds, which defeats the
purpose of the implementation because we're trying to check here if nfds
does indeed represent the size of fds. Hence for this case, it is best
to not have the access attribute.
With the attributes gone, the expression evaluation should get delayed
until the function is actually inlined into its destinations.
Disable the access attribute for fortified function inline functions
when building at _FORTIFY_SOURCE=3 to make this work better. The
access attributes remain for the _chk variants since they can be used
by the compiler to warn when the caller is passing invalid arguments.
[1] https://gcc.gnu.org/pipermail/gcc-patches/2021-October/581125.html
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2021-10-12 06:59:13 +00:00
|
|
|
__fortify_function __fortified_attr_access (__write_only__, 1, 2) int
|
2012-01-08 16:55:32 +00:00
|
|
|
poll (struct pollfd *__fds, nfds_t __nfds, int __timeout)
|
|
|
|
{
|
Make sure that the fortified function conditionals are constant
In _FORTIFY_SOURCE=3, the size expression may be non-constant,
resulting in branches in the inline functions remaining intact and
causing a tiny overhead. Clang (and in future, gcc) make sure that
the -1 case is always safe, i.e. any comparison of the generated
expression with (size_t)-1 is always false so that bit is taken care
of. The rest is avoidable since we want the _chk variant whenever we
have a size expression and it's not -1.
Rework the conditionals in a uniform way to clearly indicate two
conditions at compile time:
- Either the size is unknown (-1) or we know at compile time that the
operation length is less than the object size. We can call the
original function in this case. It could be that either the length,
object size or both are non-constant, but the compiler, through
range analysis, is able to fold the *comparison* to a constant.
- The size and length are known and the compiler can see at compile
time that operation length > object size. This is valid grounds for
a warning at compile time, followed by emitting the _chk variant.
For everything else, emit the _chk variant.
This simplifies most of the fortified function implementations and at
the same time, ensures that only one call from _chk or the regular
function is emitted.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-10-20 12:42:41 +00:00
|
|
|
return __glibc_fortify (poll, __nfds, sizeof (*__fds),
|
|
|
|
__glibc_objsize (__fds),
|
|
|
|
__fds, __nfds, __timeout);
|
2012-01-08 16:55:32 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
#ifdef __USE_GNU
|
2022-11-04 19:02:52 +00:00
|
|
|
# ifdef __USE_TIME_BITS64
|
|
|
|
extern int __REDIRECT (__ppoll64_alias, (struct pollfd *__fds, nfds_t __nfds,
|
|
|
|
const struct timespec *__timeout,
|
|
|
|
const __sigset_t *__ss), __ppoll64);
|
|
|
|
extern int __ppoll64_chk (struct pollfd *__fds, nfds_t __nfds,
|
|
|
|
const struct timespec *__timeout,
|
|
|
|
const __sigset_t *__ss, __SIZE_TYPE__ __fdslen)
|
|
|
|
__attr_access ((__write_only__, 1, 2));
|
|
|
|
extern int __REDIRECT (__ppoll64_chk_warn, (struct pollfd *__fds, nfds_t __n,
|
|
|
|
const struct timespec *__timeout,
|
|
|
|
const __sigset_t *__ss,
|
|
|
|
__SIZE_TYPE__ __fdslen),
|
|
|
|
__ppoll64_chk)
|
|
|
|
__warnattr ("ppoll called with fds buffer too small file nfds entries");
|
|
|
|
|
|
|
|
__fortify_function __fortified_attr_access (__write_only__, 1, 2) int
|
|
|
|
ppoll (struct pollfd *__fds, nfds_t __nfds, const struct timespec *__timeout,
|
|
|
|
const __sigset_t *__ss)
|
|
|
|
{
|
|
|
|
return __glibc_fortify (ppoll64, __nfds, sizeof (*__fds),
|
|
|
|
__glibc_objsize (__fds),
|
|
|
|
__fds, __nfds, __timeout, __ss);
|
|
|
|
}
|
|
|
|
# else
|
2012-01-08 16:55:32 +00:00
|
|
|
extern int __REDIRECT (__ppoll_alias, (struct pollfd *__fds, nfds_t __nfds,
|
|
|
|
const struct timespec *__timeout,
|
|
|
|
const __sigset_t *__ss), ppoll);
|
|
|
|
extern int __ppoll_chk (struct pollfd *__fds, nfds_t __nfds,
|
|
|
|
const struct timespec *__timeout,
|
2021-05-06 16:56:25 +00:00
|
|
|
const __sigset_t *__ss, __SIZE_TYPE__ __fdslen)
|
|
|
|
__attr_access ((__write_only__, 1, 2));
|
2012-01-08 16:55:32 +00:00
|
|
|
extern int __REDIRECT (__ppoll_chk_warn, (struct pollfd *__fds, nfds_t __nfds,
|
|
|
|
const struct timespec *__timeout,
|
|
|
|
const __sigset_t *__ss,
|
|
|
|
__SIZE_TYPE__ __fdslen),
|
|
|
|
__ppoll_chk)
|
|
|
|
__warnattr ("ppoll called with fds buffer too small file nfds entries");
|
|
|
|
|
Don't add access size hints to fortifiable functions
In the context of a function definition, the size hints imply that the
size of an object pointed to by one parameter is another parameter.
This doesn't make sense for the fortified versions of the functions
since that's the bit it's trying to validate.
This is harmless with __builtin_object_size since it has fairly simple
semantics when it comes to objects passed as function parameters.
With __builtin_dynamic_object_size we could (as my patchset for gcc[1]
already does) use the access attribute to determine the object size in
the general case but it misleads the fortified functions.
Basically the problem occurs when access attributes are present on
regular functions that have inline fortified definitions to generate
_chk variants; the attributes get inherited by these definitions,
causing problems when analyzing them. For example with poll(fds, nfds,
timeout), nfds is hinted using the __attr_access as being the size of
fds.
Now, when analyzing the inline function definition in bits/poll2.h, the
compiler sees that nfds is the size of fds and tries to use that
information in the function body. In _FORTIFY_SOURCE=3 case, where the
object size could be a non-constant expression, this information results
in the conclusion that nfds is the size of fds, which defeats the
purpose of the implementation because we're trying to check here if nfds
does indeed represent the size of fds. Hence for this case, it is best
to not have the access attribute.
With the attributes gone, the expression evaluation should get delayed
until the function is actually inlined into its destinations.
Disable the access attribute for fortified function inline functions
when building at _FORTIFY_SOURCE=3 to make this work better. The
access attributes remain for the _chk variants since they can be used
by the compiler to warn when the caller is passing invalid arguments.
[1] https://gcc.gnu.org/pipermail/gcc-patches/2021-October/581125.html
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2021-10-12 06:59:13 +00:00
|
|
|
__fortify_function __fortified_attr_access (__write_only__, 1, 2) int
|
2012-01-08 16:55:32 +00:00
|
|
|
ppoll (struct pollfd *__fds, nfds_t __nfds, const struct timespec *__timeout,
|
|
|
|
const __sigset_t *__ss)
|
|
|
|
{
|
Make sure that the fortified function conditionals are constant
In _FORTIFY_SOURCE=3, the size expression may be non-constant,
resulting in branches in the inline functions remaining intact and
causing a tiny overhead. Clang (and in future, gcc) make sure that
the -1 case is always safe, i.e. any comparison of the generated
expression with (size_t)-1 is always false so that bit is taken care
of. The rest is avoidable since we want the _chk variant whenever we
have a size expression and it's not -1.
Rework the conditionals in a uniform way to clearly indicate two
conditions at compile time:
- Either the size is unknown (-1) or we know at compile time that the
operation length is less than the object size. We can call the
original function in this case. It could be that either the length,
object size or both are non-constant, but the compiler, through
range analysis, is able to fold the *comparison* to a constant.
- The size and length are known and the compiler can see at compile
time that operation length > object size. This is valid grounds for
a warning at compile time, followed by emitting the _chk variant.
For everything else, emit the _chk variant.
This simplifies most of the fortified function implementations and at
the same time, ensures that only one call from _chk or the regular
function is emitted.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-10-20 12:42:41 +00:00
|
|
|
return __glibc_fortify (ppoll, __nfds, sizeof (*__fds),
|
|
|
|
__glibc_objsize (__fds),
|
|
|
|
__fds, __nfds, __timeout, __ss);
|
2012-01-08 16:55:32 +00:00
|
|
|
}
|
2022-11-04 19:02:52 +00:00
|
|
|
# endif
|
2012-01-08 16:55:32 +00:00
|
|
|
#endif
|
2012-01-09 02:57:15 +00:00
|
|
|
|
|
|
|
__END_DECLS
|