It improve fortify checks for read, pread, pread64, readlink,
readlinkat, getcwd, getwd, confstr, getgroups, ttyname_r, getlogin_r,
gethostname, and getdomainname. The compile and runtime checks have
similar coverage as with GCC.
Checked on aarch64, armhf, x86_64, and i686.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
This change is similar to what was done for bits/wchar2.h.
Routines declaration are moved into a dedicated bits/unistd-decl.h file
which is then included into the bits/unistd.h file.
This will allow to adapt the files so that PLT entries are not created when
_FORTIFY_SOURCE is enabled.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Some functions (e.g. stpcpy, pread64, etc.) had moved to POSIX in the
main headers as they got incorporated into the standard, but their
fortified variants remained under __USE_GNU. As a result, these
functions did not get fortified when _GNU_SOURCE was not defined.
Add test wrappers that check all functions tested in tst-chk0 at all
levels with _GNU_SOURCE undefined and then use the failures to (1)
exclude checks for _GNU_SOURCE functions in these tests and (2) Fix
feature macro guards in the fortified function headers so that they're
the same as the ones in the main headers.
This fixes BZ #28746.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
I used these shell commands:
../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright
(cd ../glibc && git commit -am"[this commit message]")
and then ignored the output, which consisted lines saying "FOO: warning:
copyright statement not found" for each of 7061 files FOO.
I then removed trailing white space from math/tgmath.h,
support/tst-support-open-dev-null-range.c, and
sysdeps/x86_64/multiarch/strlen-vec.S, to work around the following
obscure pre-commit check failure diagnostics from Savannah. I don't
know why I run into these diagnostics whereas others evidently do not.
remote: *** 912-#endif
remote: *** 913:
remote: *** 914-
remote: *** error: lines with trailing whitespace found
...
remote: *** error: sysdeps/unix/sysv/linux/statx_cp.c: trailing lines
In _FORTIFY_SOURCE=3, the size expression may be non-constant,
resulting in branches in the inline functions remaining intact and
causing a tiny overhead. Clang (and in future, gcc) make sure that
the -1 case is always safe, i.e. any comparison of the generated
expression with (size_t)-1 is always false so that bit is taken care
of. The rest is avoidable since we want the _chk variant whenever we
have a size expression and it's not -1.
Rework the conditionals in a uniform way to clearly indicate two
conditions at compile time:
- Either the size is unknown (-1) or we know at compile time that the
operation length is less than the object size. We can call the
original function in this case. It could be that either the length,
object size or both are non-constant, but the compiler, through
range analysis, is able to fold the *comparison* to a constant.
- The size and length are known and the compiler can see at compile
time that operation length > object size. This is valid grounds for
a warning at compile time, followed by emitting the _chk variant.
For everything else, emit the _chk variant.
This simplifies most of the fortified function implementations and at
the same time, ensures that only one call from _chk or the regular
function is emitted.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
There is a GNU extension that allows to call getcwd(NULL, >0). It is
described in the documentation, but also directly in the unistd.h
header, just above the declaration.
Therefore the attribute access mode added in commit 06febd8c67
is not correct. Drop it.
I used these shell commands:
../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright
(cd ../glibc && git commit -am"[this commit message]")
and then ignored the output, which consisted lines saying "FOO: warning:
copyright statement not found" for each of 6694 files FOO.
I then removed trailing white space from benchtests/bench-pthread-locks.c
and iconvdata/tst-iconv-big5-hkscs-to-2ucs4.c, to work around this
diagnostic from Savannah:
remote: *** pre-commit check failed ...
remote: *** error: lines with trailing whitespace found
remote: error: hook declined to update refs/heads/master
Adds the access attribute newly introduced in GCC 10 to the subset of
function declarations that are already covered by _FORTIFY_SOURCE and
that don't have corresponding GCC built-in equivalents.
Reviewed-by: DJ Delorie <dj@redhat.com>
For many years, the only effect of these macros has been to make
unistd.h declare getlogin_r. _POSIX_C_SOURCE >= 199506L also causes
this function to be declared. However, people who don't carefully
read all the headers might be confused into thinking they need to
define _REENTRANT for any threaded code (as was indeed the case a long
time ago).
Therefore, remove __USE_REENTRANT, and make _REENTRANT and _THREAD_SAFE
into synonyms for _POSIX_C_SOURCE=199506L. This will only affect
programs that don't select a higher conformance level some other way.
For instance, -std=c89 -D_REENTRANT will see a change in visible
declarations, but -std=c99 -D_POSIX_C_SOURCE=200809L -D_REENTRANT won't,
and -D_REENTRANT all by itself also won't, because _DEFAULT_SOURCE
implies _POSIX_C_SOURCE > 199506.
* include/features.h: Remove __USE_REENTRANT. Treat _REENTRANT
and _THREAD_SAFE the same as _POSIX_C_SOURCE=199506L, if a higher
POSIX conformance level has not been selected by other macros.
* NEWS, manual/creature.texi: Document this change.
* posix/unistd.h, posix/bits/unistd.h: Don't check __USE_REENTRANT.
* include/libc-symbols.h: Don't define _REENTRANT.
* scripts/check-installed-headers.sh: Don't undefine _REENTRANT.
with __warning__/__error__ attributes.
(__warnattr): Define.
* stdlib/bits/stdlib.h (__realpath_chk_warn, __ptsname_r_chk_warn,
__mbstowcs_chk_warn, __wcstombs_chk_warn): New aliases with
__warnattr.
(realpath, ptsname_r, mbstowcs, wcstombs): Call __*_chk_warn instead
of __*_chk if compile time detectable overflow is found.
* libio/bits/stdio2.h (__fgets_chk_warn, __fread_chk_warn,
__fgets_unlocked_chk_warn, __fread_unlocked_chk_warn): New aliases
with __warnattr.
(fgets, fread, fgets_unlocked, fread_unlocked): Call __*_chk_warn
instead of __*_chk if compile time detectable overflow is found.
(__gets_alias): Rename to...
(__gets_warn): ... this. Add __warnattr.
(gets): Call __gets_warn instead of __gets_alias.
* socket/bits/socket2.h (__recv_chk_warn, __recvfrom_chk_warn): New
aliases with __warnattr.
(recv, recvfrom): Call __*_chk_warn instead of __*_chk if compile
time detectable overflow is found.
* posix/bits/unistd.h (__read_chk_warn, __pread_chk_warn,
__pread64_chk_warn, __readlink_chk_warn, __readlinkat_chk_warn,
__getcwd_chk_warn, __confstr_chk_warn, __getgroups_chk_warn,
__ttyname_r_chk_warn, __getlogin_r_chk_warn, __gethostname_chk_warn,
__getdomainname_chk_warn): New aliases with __warnattr.
(read, pread, pread64, readlink, readlinkat, getcwd, confstr,
getgroups, ttyname_r, getlogin_r, gethostname, getdomainname): Call
__*_chk_warn instead of __*_chk if compile time detectable overflow
is found.
(__getgroups_chk): Rename argument to __listlen from listlen.
(__getwd_alias): Rename to...
(__getwd_warn): ... this. Add __warnattr.
(getwd): Call __getwd_warn instead of __getwd_alias.
* wcsmbs/bits/wchar2.h (__wmemcpy_chk_warn, __wmemmove_chk_warn,
__wmempcpy_chk_warn, __wmemset_chk_warn, __wcsncpy_chk_warn,
__wcpncpy_chk_warn, __fgetws_chk_warn, __fgetws_unlocked_chk_warn,
__mbsrtowcs_chk_warn, __wcsrtombs_chk_warn, __mbsnrtowcs_chk_warn,
__wcsnrtombs_chk_warn): New aliases with __warnattr.
(wmemcpy, wmemmove, wmempcpy, wmemset, mbsrtowcs, wcsrtombs,
mbsnrtowcs, wcsnrtombs): Call __*_chk_warn instead of __*_chk if
compile time detectable overflow is found.
(wcsncpy, wcpncpy): Likewise. For constant __n fix check whether
to use __*_chk or not.
(fgetws, fgetws_unlocked): Divide __bos by sizeof (wchar_t), both
in comparisons which function should be called and in __*_chk*
arguments. Call __*_chk_warn instead of __*_chk if compile time
detectable overflow is found.
(swprintf, vswprintf): Divide __bos by sizeof (wchar_t) in
__*_chk argument.
* debug/tst-chk1.c (do_test): Add a few more tests.
(__readlinkat_alias): New alias.
(readlinkat): New inline function.
* include/unistd.h (readlinkat): Add libc_hidden_proto.
* sysdeps/unix/sysv/linux/readlinkat.c (readlinkat): Add
libc_hidden_def.
* io/readlinkat.c (readlinkat): Likewise.
* debug/readlinkat_chk.c: New file.
* debug/Makefile (routines): Add readlinkat_chk.
* debug/Versions (libc): Export __readlinkat_chk@@GLIBC_2.5.
* debug/tst-chk1.c (do_test): Add readlinkat tests.
* nis/nss_nisplus/nisplus-netgrp.c: Cleanups.
code is possible. Move compatibility code in .text.compat section.
over gaih array. There is only one function to call in the moment.
length. Patch by Ivan Gyurdiev <ivg2@cornell.edu>.
* debug/confstr_chk.c: New file.
* debug/getdomainname_chk.c: New file.
* debug/getgroups_chk.c: New file.
* debug/gethostname_chk.c: New file.
* debug/getlogin_r_chk.c: New file.
* debug/ttyname_r_chk.c: New file.
* posix/bits/unistd.h: Add definitions for new debug versions.
* debug/tst-chk1.c: Add tests for new functions.
* debug/Versions: Export new functions.
* debug/Makefile (routines): Add new files.
* stdlib/bits/stdlib.h: Fix typo.
* manual/Makefile (libc/index.html): Depend on dir-add.texi.
instead of __off_t for last argument.
* debug/Makefile (tests): Add tst-lfschk{1,2,3}.
* debug/tst-lfschk1.c: New test.
* debug/tst-lfschk2.c: New test.
* debug/tst-lfschk3.c: New test.
2005-02-09 Jakub Jelinek <jakub@redhat.com>
* sysdeps/unix/sysv/linux/bits/termios.h (CMSPAR): Define.
* sysdeps/unix/sysv/linux/sparc/bits/termios.h: Add __USE_MISC
and __USE_XOPEN guards to match linux/bits/termios.h.
* sysdeps/unix/sysv/linux/alpha/bits/termios.h: Likewise.
(CMSPAR): Define.
* sysdeps/unix/sysv/linux/powerpc/bits/termios.h: Likewise.
determine the call will never trigger a failure.
* sysdeps/i386/i686/memset_chk.S: Remove alias and warning.
* sysdeps/x86_64/memset_chk.S: Likewise.
2005-02-24 Roland McGrath <roland@redhat.com>
* debug/Versions (libc: GLIBC_2.4): Remove
__memset_zero_constant_len_parameter.
* sysdeps/generic/memset_chk.c: Remove alias and warning.
* misc/sys/cdefs.h (__warndecl): New macro.
* debug/warning-nop.c: New file.
* string/bits/string3.h (memset): Call __warn_memset_zero_len with no
arguments, instead of calling __memset_zero_constant_len_parameter.
Use __warndecl for __warn_memset_zero_len.
* debug/Makefile (routines): Add $(static-only-routines).
(static-only-routines): New variable.
map if requested.
* debug/chk_fail.c: Request backtrace and memory map dump.
* Versions.def: Add GLIBC_2.4 for libc.
* debug/fgets_chk.c: New file.
* debug/fgets_u_chk.c: New file.
* debug/getcwd_chk.c: New file.
* debug/getwd_chk.c: New file.
* debug/readlink_chk.c: New file.
* debug/read_chk.c: New file.
* debug/pread_chk.c: New file.
* debug/pread64_chk.c: New file.
* debug/recv_chk.c: New file.
* debug/recvfrom_chk.c: New file.
* debug/Versions: Add all new functions with version GLIBC_2.4.
* debug/Makefile (routines): Add fgets_chk, fgets_u_chk, read_chk,
pread_chk, pread64_chk, recv_chk, recvfrom_chk, readlink_chk,
getwd_chk, and getcwd_chk. Plus appropriate CFLAGS definitions.
* debug/tst-chk1.c: Add more tests.
* libio/bits/stdio2.h: Add macros for fgets and fgets_unlocked.
* include/stdio.h: Declare __fgets_chk and __fgets_unlocked_chk.
* posix/unistd.h: Include <bits/unistd.h> for fortification.
* posix/bits/unistd.h: New file.
* posix/Makefile (headers): Add bits/unistd.h.
* socket/sys/socket.h: Include <bits/socket2.h> for fortification.
* socket/bits/socket2.h: New file.
* socket/Makefile (headers): Add bits/socket2.h.
* string/bits/string3.h: Extend memset macro to check for zero 3rd
parameter and use __memset_zero_constant_len_parameter in that case.
* sysdeps/generic/memset_chk.c: Add
__memset_zero_constant_len_parameter alias and linker warning.
* debug/Versions: Add __memset_zero_constant_len_parameter to libc
with version GLIBC_2.4.
* sysdeps/generic/bits/types.h: Don't unnecessarily use __extension__
in __STD_TYPE definition.
2005-02-21 Jakub Jelinek <jakub@redhat.com>
* malloc/malloc.c (malloc_printerr): If MALLOC_CHECK_={5,7}, print
the error message rather than program name.
2005-02-21 Ulrich Drepper <drepper@redhat.com>
