Commit Graph

30 Commits

Author SHA1 Message Date
Siddhesh Poyarekar
a643f60c53 Make sure that the fortified function conditionals are constant
In _FORTIFY_SOURCE=3, the size expression may be non-constant,
resulting in branches in the inline functions remaining intact and
causing a tiny overhead.  Clang (and in future, gcc) make sure that
the -1 case is always safe, i.e. any comparison of the generated
expression with (size_t)-1 is always false so that bit is taken care
of.  The rest is avoidable since we want the _chk variant whenever we
have a size expression and it's not -1.

Rework the conditionals in a uniform way to clearly indicate two
conditions at compile time:

- Either the size is unknown (-1) or we know at compile time that the
  operation length is less than the object size.  We can call the
  original function in this case.  It could be that either the length,
  object size or both are non-constant, but the compiler, through
  range analysis, is able to fold the *comparison* to a constant.

- The size and length are known and the compiler can see at compile
  time that operation length > object size.  This is valid grounds for
  a warning at compile time, followed by emitting the _chk variant.

For everything else, emit the _chk variant.

This simplifies most of the fortified function implementations and at
the same time, ensures that only one call from _chk or the regular
function is emitted.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2021-10-20 18:12:41 +05:30
Siddhesh Poyarekar
e938c02748 Don't add access size hints to fortifiable functions
In the context of a function definition, the size hints imply that the
size of an object pointed to by one parameter is another parameter.
This doesn't make sense for the fortified versions of the functions
since that's the bit it's trying to validate.

This is harmless with __builtin_object_size since it has fairly simple
semantics when it comes to objects passed as function parameters.
With __builtin_dynamic_object_size we could (as my patchset for gcc[1]
already does) use the access attribute to determine the object size in
the general case but it misleads the fortified functions.

Basically the problem occurs when access attributes are present on
regular functions that have inline fortified definitions to generate
_chk variants; the attributes get inherited by these definitions,
causing problems when analyzing them.  For example with poll(fds, nfds,
timeout), nfds is hinted using the __attr_access as being the size of
fds.

Now, when analyzing the inline function definition in bits/poll2.h, the
compiler sees that nfds is the size of fds and tries to use that
information in the function body.  In _FORTIFY_SOURCE=3 case, where the
object size could be a non-constant expression, this information results
in the conclusion that nfds is the size of fds, which defeats the
purpose of the implementation because we're trying to check here if nfds
does indeed represent the size of fds.  Hence for this case, it is best
to not have the access attribute.

With the attributes gone, the expression evaluation should get delayed
until the function is actually inlined into its destinations.

Disable the access attribute for fortified function inline functions
when building at _FORTIFY_SOURCE=3 to make this work better.  The
access attributes remain for the _chk variants since they can be used
by the compiler to warn when the caller is passing invalid arguments.

[1] https://gcc.gnu.org/pipermail/gcc-patches/2021-October/581125.html

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2021-10-20 08:33:31 +05:30
Martin Sebor
26492c0a14 Annotate additional APIs with GCC attribute access.
This change continues the improvements to compile-time out of bounds
checking by decorating more APIs with either attribute access, or by
explicitly providing the array bound in APIs such as tmpnam() that
expect arrays of some minimum size as arguments.  (The latter feature
is new in GCC 11.)

The only effects of the attribute and/or the array bound is to check
and diagnose calls to the functions that fail to provide a sufficient
number of elements, and the definitions of the functions that access
elements outside the specified bounds.  (There is no interplay with
_FORTIFY_SOURCE here yet.)

Tested with GCC 7 through 11 on x86_64-linux.
2021-05-06 11:01:05 -06:00
Joseph Myers
1c426b1d59 Update STATX_ATTR_DAX value from Linux 5.10.
This patch updates the value of STATX_ATTR_DAX in bits/statx-generic.h
for a change made in Linux 5.10.  (As with previous such changes, this
only does anything if glibc is being used with old kernel headers.)

Tested for x86_64.
2021-01-11 14:57:08 +00:00
Paul Eggert
2b778ceb40 Update copyright dates with scripts/update-copyrights
I used these shell commands:

../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright
(cd ../glibc && git commit -am"[this commit message]")

and then ignored the output, which consisted lines saying "FOO: warning:
copyright statement not found" for each of 6694 files FOO.
I then removed trailing white space from benchtests/bench-pthread-locks.c
and iconvdata/tst-iconv-big5-hkscs-to-2ucs4.c, to work around this
diagnostic from Savannah:
remote: *** pre-commit check failed ...
remote: *** error: lines with trailing whitespace found
remote: error: hook declined to update refs/heads/master
2021-01-02 12:17:34 -08:00
Siddhesh Poyarekar
f9de8bfe1a nonstring: Enable __FORTIFY_LEVEL=3
Use __builtin_dynamic_object_size in the remaining functions that
don't have compiler builtins as is the case for string functions.
2020-12-31 16:55:21 +05:30
Joseph Myers
88a2cf6c4b Add new STATX_* constants from Linux 5.8 to bits/statx-generic.h.
This patch adds the new STATX_MNT_ID, STATX_ATTR_MOUNT_ROOT and
STATX_ATTR_DAX macros from Linux 5.8 to glibc's bits/statx-generic.h.
(As with previous such changes, this only does anything if glibc is
being used with old kernel headers.)

A comment in the Linux kernel headers indicates that STATX_ALL is
deliberately not being changed.

Tested for x86_64.
2020-08-19 13:47:37 +00:00
Joseph Myers
fe7df8eb5e Add STATX_ATTR_VERITY from Linux 5.5 to bits/statx-generic.h.
This patch adds the new STATX_ATTR_VERITY macro from Linux 5.5 to
glibc's bits/statx-generic.h.  (This only does anything if glibc is
being used with old kernel headers.)

Tested for x86_64.
2020-02-13 21:59:59 +00:00
Joseph Myers
d614a75396 Update copyright dates with scripts/update-copyrights. 2020-01-01 00:14:33 +00:00
Paul Eggert
5a82c74822 Prefer https to http for gnu.org and fsf.org URLs
Also, change sources.redhat.com to sourceware.org.
This patch was automatically generated by running the following shell
script, which uses GNU sed, and which avoids modifying files imported
from upstream:

sed -ri '
  s,(http|ftp)(://(.*\.)?(gnu|fsf|sourceware)\.org($|[^.]|\.[^a-z])),https\2,g
  s,(http|ftp)(://(.*\.)?)sources\.redhat\.com($|[^.]|\.[^a-z]),https\2sourceware.org\4,g
' \
  $(find $(git ls-files) -prune -type f \
      ! -name '*.po' \
      ! -name 'ChangeLog*' \
      ! -path COPYING ! -path COPYING.LIB \
      ! -path manual/fdl-1.3.texi ! -path manual/lgpl-2.1.texi \
      ! -path manual/texinfo.tex ! -path scripts/config.guess \
      ! -path scripts/config.sub ! -path scripts/install-sh \
      ! -path scripts/mkinstalldirs ! -path scripts/move-if-change \
      ! -path INSTALL ! -path  locale/programs/charmap-kw.h \
      ! -path po/libc.pot ! -path sysdeps/gnu/errlist.c \
      ! '(' -name configure \
            -execdir test -f configure.ac -o -f configure.in ';' ')' \
      ! '(' -name preconfigure \
            -execdir test -f preconfigure.ac ';' ')' \
      -print)

and then by running 'make dist-prepare' to regenerate files built
from the altered files, and then executing the following to cleanup:

  chmod a+x sysdeps/unix/sysv/linux/riscv/configure
  # Omit irrelevant whitespace and comment-only changes,
  # perhaps from a slightly-different Autoconf version.
  git checkout -f \
    sysdeps/csky/configure \
    sysdeps/hppa/configure \
    sysdeps/riscv/configure \
    sysdeps/unix/sysv/linux/csky/configure
  # Omit changes that caused a pre-commit check to fail like this:
  # remote: *** error: sysdeps/powerpc/powerpc64/ppc-mcount.S: trailing lines
  git checkout -f \
    sysdeps/powerpc/powerpc64/ppc-mcount.S \
    sysdeps/unix/sysv/linux/s390/s390-64/syscall.S
  # Omit change that caused a pre-commit check to fail like this:
  # remote: *** error: sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S: last line does not end in newline
  git checkout -f sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S
2019-09-07 02:43:31 -07:00
Florian Weimer
5dad6ffbb2 <sys/stat.h>: Use Linux UAPI header for statx if available and useful
This will automatically import new STATX_* constants.  It also avoids
a conflict between <sys/stat.h> and <linux/stat.h>.
2019-06-12 13:04:43 +02:00
Joseph Myers
04277e02d7 Update copyright dates with scripts/update-copyrights.
* All files with FSF copyright notices: Update copyright dates
	using scripts/update-copyrights.
	* locale/programs/charmap-kw.h: Regenerated.
	* locale/programs/locfile-kw.h: Likewise.
2019-01-01 00:11:28 +00:00
Florian Weimer
fd70af4552 Add the statx function 2018-07-10 16:14:45 +02:00
Joseph Myers
688903eb3e Update copyright dates with scripts/update-copyrights.
* All files with FSF copyright notices: Update copyright dates
	using scripts/update-copyrights.
	* locale/programs/charmap-kw.h: Regenerated.
	* locale/programs/locfile-kw.h: Likewise.
2018-01-01 00:32:25 +00:00
Joseph Myers
bfff8b1bec Update copyright dates with scripts/update-copyrights. 2017-01-01 00:14:16 +00:00
Joseph Myers
f7a9f785e5 Update copyright dates with scripts/update-copyrights. 2016-01-04 16:05:18 +00:00
Eric Rannaud
65f6f938cd linux: open and openat ignore 'mode' with O_TMPFILE in flags
Both open and openat load their last argument 'mode' lazily, using
va_arg() only if O_CREAT is found in oflag. This is wrong, mode is also
necessary if O_TMPFILE is in oflag.

By chance on x86_64, the problem wasn't evident when using O_TMPFILE
with open, as the 3rd argument of open, even when not loaded with
va_arg, is left untouched in RDX, where the syscall expects it.

However, openat was not so lucky, and O_TMPFILE couldn't be used: mode
is the 4th argument, in RCX, but the syscall expects its 4th argument in
a different register than the glibc wrapper, in R10.

Introduce a macro __OPEN_NEEDS_MODE (oflag) to test if either O_CREAT or
O_TMPFILE is set in oflag.

Tested on Linux x86_64.

	[BZ #17523]
	* io/fcntl.h (__OPEN_NEEDS_MODE): New macro.
	* io/bits/fcntl2.h (open): Use it.
	(openat): Likewise.
	* io/open.c (__libc_open): Likewise.
	* io/open64.c (__libc_open64): Likewise.
	* io/open64_2.c (__open64_2): Likewise.
	* io/open_2.c (__open_2): Likewise.
	* io/openat.c (__openat): Likewise.
	* io/openat64.c (__openat64): Likewise.
	* io/openat64_2.c (__openat64_2): Likewise.
	* io/openat_2.c (__openat_2): Likewise.
	* sysdeps/mach/hurd/open.c (__libc_open): Likewise.
	* sysdeps/mach/hurd/openat.c (__openat): Likewise.
	* sysdeps/posix/open64.c (__libc_open64): Likewise.
	* sysdeps/unix/sysv/linux/dl-openat64.c (openat64): Likewise.
	* sysdeps/unix/sysv/linux/generic/open.c (__libc_open): Likewise.
	(__open_nocancel): Likewise.
	* sysdeps/unix/sysv/linux/generic/open64.c (__libc_open64): Likewise.
	* sysdeps/unix/sysv/linux/open64.c (__libc_open64): Likewise.
	* sysdeps/unix/sysv/linux/openat.c (__OPENAT): Likewise.
2015-02-24 13:19:22 +05:30
Joseph Myers
b168057aaa Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
Allan McRae
d4697bc93d Update copyright notices with scripts/update-copyrights 2014-01-01 22:00:23 +10:00
Joseph Myers
568035b787 Update copyright notices with scripts/update-copyrights. 2013-01-02 19:05:09 +00:00
Marek Polacek
5ac3ea17df Fix attributes for fortify functions. 2012-04-29 15:34:20 +02:00
Paul Eggert
59ba27a63a Replace FSF snail mail address with URLs. 2012-02-09 23:18:22 +00:00
Ulrich Drepper
e5f484c622 bits/poll2.h needs __BEGIN/__END_DECLS 2012-01-08 21:57:15 -05:00
Ulrich Drepper
d9a216c037 Add checking versions of poll and ppoll 2012-01-08 11:55:32 -05:00
Ulrich Drepper
a784e50247 Remove pre-ISO C support
No more __const.
2012-01-07 23:57:22 -05:00
Ulrich Drepper
3a50811c2f * rt/Versions (librt): Export __mq_open_2@@GLIBC_2.7.
* rt/Makefile (headers): Add bits/mqueue2.h.
	* rt/mqueue.h: Include bits/mqueue2.h if -D_FORTIFY_SOURCE=2,
	optimizing with GCC and __va_arg_pack_len is defined.
	* rt/bits/mqueue2.h: New file.
	* rt/mq_open.c (__mq_open): Renamed from mq_open.
	(mq_open): New strong_alias.
	(__mq_open_2): New function.
	* sysdeps/unix/sysv/linux/mq_open.c (__mq_open): Renamed from mq_open.
	(mq_open): New strong_alias.
	(__mq_open_2): New function.
	* debug/Versions (libc): Export __fortify_fail@@GLIBC_PRIVATE.
	* Versions.def (librt): Add GLIBC_2.7 version.
	* debug/fortify_fail.c (__fortify_fail): Add libc_hidden_def.
	* include/stdio.h (__fortify_fail): Add libc_hidden_proto.

	* misc/sys/cdefs.h (__errordecl, __va_arg_pack_len): Define.
	* io/fcntl.h: Include bits/fcntl2.h when __va_arg_pack_len
	is defined rather than when not C++.
	* io/bits/fcntl2.h (__open_alias, __open64_alias, __openat_alias,
	__openat64_alias): New redirects.
	(__open_too_many_args, __open_missing_mode, __open64_too_many_args,
	__open64_missing_mode, __openat_too_many_args, __openat_missing_mode,
	__openat64_too_many_args, __openat64_missing_mode): New __errordecls.
	(open, open64, openat, openat64): Rewrite as __extern_always_inline
	functions instead of function-like macros.
2007-09-15 22:35:27 +00:00
Jakub Jelinek
9accc268ff * io/bits/fcntl2.h (open, open64, openat, openat64): Add
__extension__ around the whole statement expression.
2007-08-04  Jakub Jelinek  <jakub@redhat.com>

	* io/bits/fcntl2.h (open, open64, openat, openat64): Add
	__extension__ around the whole statement expression.
2007-08-04 20:09:21 +00:00
Ulrich Drepper
47ad95ab96 * io/bits/fcntl2.h (__open_2): Add nonnull attribute.
(open): Fix comment typos.  Don't call __open_2 if flags
	is a compile time constant without O_CREAT.
	(__open64_2): Add nonnull attribute.
	(open64): Fix comment typos.  Don't call __open64_2 if flags
	is a compile time constant without O_CREAT.
	(__openat_2): Add nonnull attribute, fix nonnull attribute
	on redirect.
	(openat): Fix comment typos.  Don't call __openat_2 if flags
	is a compile time constant without O_CREAT.
	(__openat64_2): Add nonnull attribute, fix nonnull attribute
	on redirect.
	(openat64): Fix comment typos.  Don't call __openat64_2 if flags
	is a compile time constant without O_CREAT.
2007-05-25 14:41:55 +00:00
Ulrich Drepper
0a54ab53f2 * sysdeps/powerpc/tls.h (tcbhead_t): Add gscope_flag.
(THREAD_GSCOPE_FLAG_UNUSED, THREAD_GSCOPE_FLAG_USED,
	THREAD_GSCOPE_FLAG_WAIT): Define.
	(THREAD_GSCOPE_GET_FLAG, THREAD_GSCOPE_SET_FLAG,
	THREAD_GSCOPE_RESET_FLAG, THREAD_GSCOPE_WAIT): Define.
	* sysdeps/i386/tls.h (THREAD_GSCOPE_WAIT): Don't use
	PTR_DEMANGLE.
	(THREAD_GSCOPE_GET_FLAG): Define.
	* sysdeps/x86_64/tls.h (THREAD_GSCOPE_GET_FLAG): Define.
	* allocatestack.c (__wait_lookup_done): Use THREAD_GSCOPE_GET_FLAG
	instead of ->header.gscope_flag directly.
2007-05-25 05:21:07 +00:00
Ulrich Drepper
ddfd053577 * Makerules (sysd-rules): Define PTW for ptw-* files.
* Versions: Define GLIBC_2.7 for libc.
	* include/stdio.h: Declare __fortify_fail.
	* debug/fortify_fail.c: New file.
	* debug/Makefile (routines): Add fortify_fail.
	* debug/chk_fail.c: Use __fortify_fail.
	* debug/stack_chk_fail.c: Likewise.
	* io/Versions: Export __open_2, __open64_2, __openat_2, and
	__openat64_2 for GLIBC_2.7.
	* io/fcntl.h: When compiling with fortification, include bits/fcntl2.h.
	* io/open.c: Define *_2 variant of function which checks for O_CREAT
	and fails if necessary.
	* io/open64.c: Likewise.
	* io/openat.c: Likewise.
	* io/openat64.c: Likewise.
	* sysdeps/unix/sysv/linux/open64.c: Likewise.
	* sysdeps/unix/sysv/linux/openat.c: Likewise.
	* sysdeps/unix/sysv/linux/openat64.c: Likewise.
	* io/bits/fcntl2.h: New file.
	* include/fcntl.h: Declare __open_2, __open64_2, __openat_2, and
	__openat64_2.
	* include/bits/fcntl2.h: New file.
	* sysdeps/unix/sysv/linux/Makefile [subdir=io] (sysdep_routines):
	Add open_2.
	* sysdeps/unix/sysv/linux/open_2.c: New file.
2007-05-24 23:55:28 +00:00