It improve fortify checks for realpath, ptsname_r, wctomb, mbstowcs,
and wcstombs. The runtime and compile checks have similar coverage as
with GCC.
Checked on aarch64, armhf, x86_64, and i686.
Tested-by: Carlos O'Donell <carlos@redhat.com>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
commit 464d189b96 (origin/master, origin/HEAD)
Author: Noah Goldstein <goldstein.w.n@gmail.com>
Date: Wed Jun 22 08:24:21 2022 -0700
stdlib: Remove attr_write from mbstows if dst is NULL [BZ: 29265]
Incorrectly called `__mbstowcs_chk` in the NULL __dst case which is
incorrect as in the NULL __dst case we are explicitly skipping
the objsize checks.
As well, remove the `__always_inline` attribute which exists in
`__fortify_function`.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
mbstows is defined if dst is NULL and is defined to special cased if
dst is NULL so the fortify objsize check if incorrect in that case.
Tested on x86-64 linux.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
I used these shell commands:
../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright
(cd ../glibc && git commit -am"[this commit message]")
and then ignored the output, which consisted lines saying "FOO: warning:
copyright statement not found" for each of 7061 files FOO.
I then removed trailing white space from math/tgmath.h,
support/tst-support-open-dev-null-range.c, and
sysdeps/x86_64/multiarch/strlen-vec.S, to work around the following
obscure pre-commit check failure diagnostics from Savannah. I don't
know why I run into these diagnostics whereas others evidently do not.
remote: *** 912-#endif
remote: *** 913:
remote: *** 914-
remote: *** error: lines with trailing whitespace found
...
remote: *** error: sysdeps/unix/sysv/linux/statx_cp.c: trailing lines
The length and object size arguments were swapped around for realpath.
Also add a smoke test so that any changes in this area get caught in
future.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
In _FORTIFY_SOURCE=3, the size expression may be non-constant,
resulting in branches in the inline functions remaining intact and
causing a tiny overhead. Clang (and in future, gcc) make sure that
the -1 case is always safe, i.e. any comparison of the generated
expression with (size_t)-1 is always false so that bit is taken care
of. The rest is avoidable since we want the _chk variant whenever we
have a size expression and it's not -1.
Rework the conditionals in a uniform way to clearly indicate two
conditions at compile time:
- Either the size is unknown (-1) or we know at compile time that the
operation length is less than the object size. We can call the
original function in this case. It could be that either the length,
object size or both are non-constant, but the compiler, through
range analysis, is able to fold the *comparison* to a constant.
- The size and length are known and the compiler can see at compile
time that operation length > object size. This is valid grounds for
a warning at compile time, followed by emitting the _chk variant.
For everything else, emit the _chk variant.
This simplifies most of the fortified function implementations and at
the same time, ensures that only one call from _chk or the regular
function is emitted.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
I used these shell commands:
../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright
(cd ../glibc && git commit -am"[this commit message]")
and then ignored the output, which consisted lines saying "FOO: warning:
copyright statement not found" for each of 6694 files FOO.
I then removed trailing white space from benchtests/bench-pthread-locks.c
and iconvdata/tst-iconv-big5-hkscs-to-2ucs4.c, to work around this
diagnostic from Savannah:
remote: *** pre-commit check failed ...
remote: *** error: lines with trailing whitespace found
remote: error: hook declined to update refs/heads/master
Adds the access attribute newly introduced in GCC 10 to the subset of
function declarations that are already covered by _FORTIFY_SOURCE and
that don't have corresponding GCC built-in equivalents.
Reviewed-by: DJ Delorie <dj@redhat.com>
with __warning__/__error__ attributes.
(__warnattr): Define.
* stdlib/bits/stdlib.h (__realpath_chk_warn, __ptsname_r_chk_warn,
__mbstowcs_chk_warn, __wcstombs_chk_warn): New aliases with
__warnattr.
(realpath, ptsname_r, mbstowcs, wcstombs): Call __*_chk_warn instead
of __*_chk if compile time detectable overflow is found.
* libio/bits/stdio2.h (__fgets_chk_warn, __fread_chk_warn,
__fgets_unlocked_chk_warn, __fread_unlocked_chk_warn): New aliases
with __warnattr.
(fgets, fread, fgets_unlocked, fread_unlocked): Call __*_chk_warn
instead of __*_chk if compile time detectable overflow is found.
(__gets_alias): Rename to...
(__gets_warn): ... this. Add __warnattr.
(gets): Call __gets_warn instead of __gets_alias.
* socket/bits/socket2.h (__recv_chk_warn, __recvfrom_chk_warn): New
aliases with __warnattr.
(recv, recvfrom): Call __*_chk_warn instead of __*_chk if compile
time detectable overflow is found.
* posix/bits/unistd.h (__read_chk_warn, __pread_chk_warn,
__pread64_chk_warn, __readlink_chk_warn, __readlinkat_chk_warn,
__getcwd_chk_warn, __confstr_chk_warn, __getgroups_chk_warn,
__ttyname_r_chk_warn, __getlogin_r_chk_warn, __gethostname_chk_warn,
__getdomainname_chk_warn): New aliases with __warnattr.
(read, pread, pread64, readlink, readlinkat, getcwd, confstr,
getgroups, ttyname_r, getlogin_r, gethostname, getdomainname): Call
__*_chk_warn instead of __*_chk if compile time detectable overflow
is found.
(__getgroups_chk): Rename argument to __listlen from listlen.
(__getwd_alias): Rename to...
(__getwd_warn): ... this. Add __warnattr.
(getwd): Call __getwd_warn instead of __getwd_alias.
* wcsmbs/bits/wchar2.h (__wmemcpy_chk_warn, __wmemmove_chk_warn,
__wmempcpy_chk_warn, __wmemset_chk_warn, __wcsncpy_chk_warn,
__wcpncpy_chk_warn, __fgetws_chk_warn, __fgetws_unlocked_chk_warn,
__mbsrtowcs_chk_warn, __wcsrtombs_chk_warn, __mbsnrtowcs_chk_warn,
__wcsnrtombs_chk_warn): New aliases with __warnattr.
(wmemcpy, wmemmove, wmempcpy, wmemset, mbsrtowcs, wcsrtombs,
mbsnrtowcs, wcsnrtombs): Call __*_chk_warn instead of __*_chk if
compile time detectable overflow is found.
(wcsncpy, wcpncpy): Likewise. For constant __n fix check whether
to use __*_chk or not.
(fgetws, fgetws_unlocked): Divide __bos by sizeof (wchar_t), both
in comparisons which function should be called and in __*_chk*
arguments. Call __*_chk_warn instead of __*_chk if compile time
detectable overflow is found.
(swprintf, vswprintf): Divide __bos by sizeof (wchar_t) in
__*_chk argument.
* debug/tst-chk1.c (do_test): Add a few more tests.
sizeof (wchar_t) rather than multiplying __len by sizeof (wchar_t).
Pass __bos (__dst) / sizeof (wchar_t) to the *_chk routine.
* wcsmbs/bits/wchar2.h (mbsrtowcs, mbsnrtowcs): Likewise.
* debug/mbsnrtowcs_chk.c (__mbsnrtowcs_chk): Don't multiply
len by sizeof (wchar_t).
* debug/mbsrtowcs_chk.c (__mbsrtowcs_chk): Likewise.
* debug/mbstowcs_chk.c (__mbstowcs_chk): Likewise.
Fix type of SRC argument. Pass &SRC rather than SRC to
__mbsrtowcs.
* debug/wcstombs_chk.c (__wcstombs_chk): Pass &SRC rather than SRC
to __wcsrtombs.
* debug/tst-chk1.c: Include assert.h.
(do_test): Change enough array from VLA into a fixed size array.
Assert that MB_CUR_MAX is <= sizeof (enough). Use FAIL () macro
instead of print error details. Add several new tests.
Kill some unused variable warnings.
* debug/wcstombs_chk.c: New file.
* debug/Makefile (routines): Add mbstowcs_chk and wcstombs_chk.
* debug/Versions: Add __mbstowcs_chk and __wcstombs_chk.
* stdlib/bits/stdlib.h: Add definitions for mbstowcs and wcstombs.
* wcsmbs/bits/wchar2.h (mbsrtowcs): Pretty printing.
* string/test-memset.c (test_main): Use negative byte value in
* stdlib/stdlib.h: Include <bits/stdlib.h> if fortification is
requested.
* Makefile (headers): Add bits/stdlib.h.
* include/bits/stdlib.h: New file.
* debug/Depend: New file.
* debug/ptsname_r_chk.c: New file.
* debug/realpath_chk.c: New file.
* debug/wctomb_chk.c: New file.
* debug/Makefile (routines): Add ptsname_r_chk, realpath_chk, and
wctomb_chk.
* debug/Versions: Export __ptsname_r_chk, __realpath_chk, and
__wctomb_chk.
* debug/tst-chk1.c: Add tests for __ptsname_r_chk, __realpath_chk, and
__wctomb_chk.
