Commit 38765ab68f moved the bzero, bcopy, and explicit_bzero
fortified macros to a common header (strings_fortified.h). However
the side effect is a fortified explicit_bzero is defined when including
only strings.h.
This patch moves back the fortified explicit_bzero definition to
strings3.h header.
Checked on x86_64-linux-gnu.
* string/bits/strings_fortified.h (explicit_bzero): Move back to ..
* string/bits/string3.h: ... here.
As described in BZ#20558, bzero and bcopy declaration can only benefit
from fortified macros when decl came from string.h and when __USE_MISC
is defined (default behaviour).
This is due no standard includes those functions in string.h, so they
are only declared if __USE_MISC is defined (as pointed out in comment 4).
However fortification should be orthogona to other features test macros,
i.e, any function should be fortified if that function is declared.
To fix this behavior, the patch moved the bzero, bcopy, and
__explicit_bzero_chk to a common header (string/bits/strings_fortified.h)
and explicit fortified inclusion macros similar to string.h is added
on strings.h. This allows to get fortified declarions by only including
strings.h.
Checked on x86_64-linux-gnu and along on a bootstrap installation to check
if the fortified are correctly triggered with example from bug report.
[BZ #20558]
* string/bits/string3.h [__USE_MISC] (bcopy): Move to
strings_fortified.h.
[__USE_MISC] (bzero): Likewise.
[__USE_MISC] (explicit_bzero): Likewise.
* string/strings.h: Include strings_fortified.h.
* string/Makefile (headers): Add strings_fortified.h.
* string/bits/strings_fortified.h: New file.
* include/bits/strings_fortified.h: Likewise.
explicit_bzero(s, n) is the same as memset(s, 0, n), except that the
compiler is not allowed to delete a call to explicit_bzero even if the
memory pointed to by 's' is dead after the call. Right now, this effect
is achieved externally by having explicit_bzero be a function whose
semantics are unknown to the compiler, and internally, with a no-op
asm statement that clobbers memory. This does mean that small
explicit_bzero operations cannot be expanded inline as small memset
operations can, but on the other hand, small memset operations do get
deleted by the compiler. Hopefully full compiler support for
explicit_bzero will happen relatively soon.
There are two new tests: test-explicit_bzero.c verifies the
visible semantics in the same way as the existing test-bzero.c,
and tst-xbzero-opt.c verifies the not-being-optimized-out property.
The latter is conceptually based on a test written by Matthew Dempsky
for the OpenBSD regression suite.
The crypt() implementation has an immediate use for this new feature.
We avoid having to add a GLIBC_PRIVATE alias for explicit_bzero
by running all of libcrypt's calls through the fortified variant,
__explicit_bzero_chk, which is in the impl namespace anyway. Currently
I'm not aware of anything in libc proper that needs this, but the
glue is all in place if it does become necessary. The legacy DES
implementation wasn't bothering to clear its buffers, so I added that,
mostly for consistency's sake.
* string/explicit_bzero.c: New routine.
* string/test-explicit_bzero.c, string/tst-xbzero-opt.c: New tests.
* string/Makefile (routines, strop-tests, tests): Add them.
* string/test-memset.c: Add ifdeffage for testing explicit_bzero.
* string/string.h [__USE_MISC]: Declare explicit_bzero.
* debug/explicit_bzero_chk.c: New routine.
* debug/Makefile (routines): Add it.
* debug/tst-chk1.c: Test fortification of explicit_bzero.
* string/bits/string3.h: Fortify explicit_bzero.
* manual/string.texi: Document explicit_bzero.
* NEWS: Mention addition of explicit_bzero.
* crypt/crypt-entry.c (__crypt_r): Clear key-dependent intermediate
data before returning, using explicit_bzero.
* crypt/md5-crypt.c (__md5_crypt_r): Likewise.
* crypt/sha256-crypt.c (__sha256_crypt_r): Likewise.
* crypt/sha512-crypt.c (__sha512_crypt_r): Likewise.
* include/string.h: Redirect internal uses of explicit_bzero
to __explicit_bzero_chk[_internal].
* string/Versions [GLIBC_2.25]: Add explicit_bzero.
* debug/Versions [GLIBC_2.25]: Add __explicit_bzero_chk.
* sysdeps/arm/nacl/libc.abilist
* sysdeps/unix/sysv/linux/aarch64/libc.abilist
* sysdeps/unix/sysv/linux/alpha/libc.abilist
* sysdeps/unix/sysv/linux/arm/libc.abilist
* sysdeps/unix/sysv/linux/hppa/libc.abilist
* sysdeps/unix/sysv/linux/i386/libc.abilist
* sysdeps/unix/sysv/linux/ia64/libc.abilist
* sysdeps/unix/sysv/linux/m68k/coldfire/libc.abilist
* sysdeps/unix/sysv/linux/m68k/m680x0/libc.abilist
* sysdeps/unix/sysv/linux/microblaze/libc.abilist
* sysdeps/unix/sysv/linux/mips/mips32/fpu/libc.abilist
* sysdeps/unix/sysv/linux/mips/mips32/nofpu/libc.abilist
* sysdeps/unix/sysv/linux/mips/mips64/n32/libc.abilist
* sysdeps/unix/sysv/linux/mips/mips64/n64/libc.abilist
* sysdeps/unix/sysv/linux/nios2/libc.abilist
* sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/libc.abilist
* sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/libc.abilist
* sysdeps/unix/sysv/linux/powerpc/powerpc64/libc-le.abilist
* sysdeps/unix/sysv/linux/powerpc/powerpc64/libc.abilist
* sysdeps/unix/sysv/linux/s390/s390-32/libc.abilist
* sysdeps/unix/sysv/linux/s390/s390-64/libc.abilist
* sysdeps/unix/sysv/linux/sh/libc.abilist
* sysdeps/unix/sysv/linux/sparc/sparc32/libc.abilist
* sysdeps/unix/sysv/linux/sparc/sparc64/libc.abilist
* sysdeps/unix/sysv/linux/tile/tilegx/tilegx32/libc.abilist
* sysdeps/unix/sysv/linux/tile/tilegx/tilegx64/libc.abilist
* sysdeps/unix/sysv/linux/tile/tilepro/libc.abilist
* sysdeps/unix/sysv/linux/x86_64/64/libc.abilist
* sysdeps/unix/sysv/linux/x86_64/x32/libc.abilist:
Add entries for explicit_bzero and __explicit_bzero_chk.
The new check-installed-headers rule check now complains with C++
comment from string3.h with:
../string/bits/string3.h:129:1: error: C++ style comments are not allowed in ISO C90
// XXX We have no corresponding builtin yet.
Let use old C style comment to make compiler happy in old modes.
Tested on x86_64.
* string/bits/string3.h: Remove C++ style comments.
I think the last clause of the conditional,
|| __n <= __bos (__dest)
may be backward. The code should call the runtime-checking function
if __n is not constant, or if __n is known to be LARGER than the size
of the destination.
gcc now warns when the arguments to memset may have been accidentally
transposed (i.e. length set to zero instead of the byte), so we don't
need that bit of the code in glibc headers anymore.
Tested on x86_64. Coe generated by gcc 4.8 is identical with or
without the patch. I also tested gcc master, which does not result in
any new failures. It does fail quite a few FORTIFY_SOURCE tests, but
those failures are not due to this patch.
* misc/bits/syslog.h (syslog): When __va_arg_pack is defined,
implement as __extern_always_inline function.
(vsyslog): Define as __extern_always_inline function unconditionally.
* libio/bits/stdio2.h (sprintf, snprintf, printf, fprintf):
When __va_arg_pack is defined, implement as __extern_always_inline
functions.
(vsprintf, vsnprintf, vprintf, vfprintf): Define as
__extern_always_inline functions unconditionally.
* libio/bits/stdio.h (vprintf): Ifdef out the inline when
bits/stdio2.h will be included.
* wcsmbs/bits/wchar2.h (__swprintf_alias): New redirect.
(swprintf, wprintf, fwprintf): When __va_arg_pack is defined,
implement as __extern_always_inline functions.
(vswprintf, vwprintf, vfwprintf): Define as
__extern_always_inline functions unconditionally.
* debug/tst-chk1.c (do_test): Enable remaining tests for C++.
2007-09-03 Jakub Jelinek <jakub@redhat.com>
* misc/sys/cdefs.h (__extern_inline, __extern_always_inline): Only
define in C++ for GCC 4.3+, in C++ always use __gnu_inline__
attribute.
* include/features.h (__USE_EXTERN_INLINES): Define only when
__extern_inline is defined.
* stdlib/stdlib.h: Include bits/stdlib.h when __extern_always_inline
is defined instead of when not __cplusplus.
* misc/sys/syslog.h: Include bits/syslog.h when __extern_always_inline
is defined instead of when not __cplusplus.
* socket/sys/socket.h: Include bits/socket2.h when
__extern_always_inline is defined instead of when not __cplusplus.
* libio/stdio.h: Include bits/stdio2.h when __extern_always_inline
is defined instead of when not __cplusplus.
* posix/unistd.h: Include bits/unistd.h when __extern_always_inline
is defined instead of when not __cplusplus.
* string/string.h: Include bits/string3.h when __extern_always_inline
is defined instead of when not __cplusplus.
* wcsmbs/wchar.h: Include bits/wchar2.h when __extern_always_inline
is defined instead of when not __cplusplus.
(btowc, wctob): Don't guard the inlines with ifndef __cplusplus.
* io/fcntl.h: Don't include bits/fcntl2.h if __extern_always_inline
is not defined.
* misc/bits/syslog-ldbl.h: Guard *_chk stuff with
defined __extern_always_inline instead of !defined __cplusplus.
* libio/bits/stdio-ldbl.h: Likewise.
* wcsmbs/bits/wchar-ldbl.h: Likewise.
* misc/bits/syslog.h (syslog): Don't define for C++.
(vsyslog): Use __extern_always_inline function for C++ instead of
a macro.
* libio/bits/stdio.h (__STDIO_INLINE): Define to __extern_inline
whenever that macro is defined.
(vprintf): Don't provide the inline for C++.
(fread_unlocked, fwrite_unlocked): Don't define the macros for C++.
* libio/bits/stdio2.h (sprintf, snprintf, printf, fprintf): Don't
define the macros for C++.
(vsprintf, vsnprintf, vprintf, vfprintf): Define as
__extern_always_inline functions for C++.
* io/sys/stat.h (stat, lstat, fstat, fstatat, mknod, mknodat,
stat64, lstat64, fstat64, fstatat64): Don't define if not
__USE_EXTERN_INLINES.
* wcsmbs/bits/wchar2.h: Fix #error message.
(swprintf, wprintf, fwprintf): Don't define the macros for C++.
(vswprintf, vwprintf, vfwprintf): Define using
__extern_always_inline functions for C++.
* string/bits/string3.h: Don't #undef macros if __cplusplus.
(memcpy, memmove, mempcpy, memset, bcopy, bzero, strcpy, stpcpy,
strncpy, strcat, strncat): Define as __extern_always_inline
functions instead of macros for C++.
* math/bits/cmathcalls.h: Guard __extern_inline routines with
defined __extern_inline.
* sysdeps/alpha/fpu/bits/mathinline.h (__MATH_INLINE): Define
to __extern_inline whenever that macro is defined.
* sysdeps/ia64/fpu/bits/mathinline.h (__MATH_INLINE): Likewise.
* sysdeps/i386/fpu/bits/mathinline.h (__MATH_INLINE): Likewise.
* sysdeps/i386/i486/bits/string.h (__STRING_INLINE): Likewise.
* sysdeps/s390/bits/string.h (__STRING_INLINE): Likewise.
* sysdeps/s390/fpu/bits/mathinline.h (__MATH_INLINE): Likewise.
* sysdeps/powerpc/fpu/bits/mathinline.h (__MATH_INLINE): Likewise.
* sysdeps/x86_64/fpu/bits/mathinline.h (__MATH_INLINE): Likewise.
* sysdeps/sparc/fpu/bits/mathinline.h (__MATH_INLINE): Likewise.
* sysdeps/unix/sysv/linux/sys/sysmacros.h (gnu_dev_major,
gnu_dev_minor, gnu_dev_makedev): Remove __extern_inline from
prototypes. Only provide __extern_inline routines if
__USE_EXTERN_INLINES.
* debug/Makefile: Add rules to build and run tst-{,lfs}chk{4,5,6}
tests.
* debug/tst-chk1.c (do_prepare, do_test): Allow compilation as C++.
For now avoid some *printf tests in C++. Skip all testing
if __USE_FORTIFY_LEVEL is defined, but __extern_always_inline macro
is not.
* debug/tst-chk4.cc: New file.
* debug/tst-chk5.cc: New file.
* debug/tst-chk6.cc: New file.
* debug/tst-lfschk4.cc: New file.
* debug/tst-lfschk5.cc: New file.
* debug/tst-lfschk6.cc: New file.
* include/wchar.h (__vfwprintf_chk, __vswprintf_chk): Avoid
prototypes in C++.
* include/stdio.h (__sprintf_chk, __snprintf_chk, __vsprintf_chk,
__vsnprintf_chk, __printf_chk, __fprintf_chk, __vprintf_chk,
__vfprintf_chk, __fgets_unlocked_chk, __fgets_chk): Likewise.
* include/bits/wchar2.h: New file.
* wcsmbs/wchar.h: Include <bits/wchar2.h> if fortification is
requested.
* wcsmbs/wcsncpy.c: Add __wcsncpy alias.
* string/bits/string3.h: Add fortified stpncpy definitions.
* sysdeps/generic/stpncpy_chk.c: New file.
* libio/vswprintf.c: Move _IO_wstrnfile definition to strfile.h.
Export _IO_wstrn_jumps.
* libio/strfile.h: Define _IO_wstrnfile and declare _IO_wstrn_jumps.
* include/wchar.h: Declare __wcsncpy and __vswprintf_chk.
* debug/fgetws_chk.c: New file.
* debug/fgetws_u_chk.c: New file.
* debug/fwprintf_chk.c: New file.
* debug/swprintf_chk.c: New file.
* debug/vfwprintf_chk.c: New file.
* debug/vswprintf_chk.c: New file.
* debug/vwprintf_chk.c: New file.
* debug/wcpcpy_chk.c: New file.
* debug/wcpncpy_chk.c: New file.
* debug/wcscat_chk.c: New file.
* debug/wcscpy_chk.c: New file.
* debug/wcsncat_chk.c: New file.
* debug/wcsncpy_chk.c: New file.
* debug/wmemcpy_chk.c: New file.
* debug/wmemmove_chk.c: New file.
* debug/wmempcpy_chk.c: New file.
* debug/wmemset_chk.c: New file.
* debug/wprintf_chk.c: New file.
* debug/tst-chk1.c: Add tests for new functions.
* debug/Versions: Export new functions.
* debug/Makefile (routines): Add new functions.
determine the call will never trigger a failure.
* sysdeps/i386/i686/memset_chk.S: Remove alias and warning.
* sysdeps/x86_64/memset_chk.S: Likewise.
2005-02-24 Roland McGrath <roland@redhat.com>
* debug/Versions (libc: GLIBC_2.4): Remove
__memset_zero_constant_len_parameter.
* sysdeps/generic/memset_chk.c: Remove alias and warning.
* misc/sys/cdefs.h (__warndecl): New macro.
* debug/warning-nop.c: New file.
* string/bits/string3.h (memset): Call __warn_memset_zero_len with no
arguments, instead of calling __memset_zero_constant_len_parameter.
Use __warndecl for __warn_memset_zero_len.
* debug/Makefile (routines): Add $(static-only-routines).
(static-only-routines): New variable.
map if requested.
* debug/chk_fail.c: Request backtrace and memory map dump.
* Versions.def: Add GLIBC_2.4 for libc.
* debug/fgets_chk.c: New file.
* debug/fgets_u_chk.c: New file.
* debug/getcwd_chk.c: New file.
* debug/getwd_chk.c: New file.
* debug/readlink_chk.c: New file.
* debug/read_chk.c: New file.
* debug/pread_chk.c: New file.
* debug/pread64_chk.c: New file.
* debug/recv_chk.c: New file.
* debug/recvfrom_chk.c: New file.
* debug/Versions: Add all new functions with version GLIBC_2.4.
* debug/Makefile (routines): Add fgets_chk, fgets_u_chk, read_chk,
pread_chk, pread64_chk, recv_chk, recvfrom_chk, readlink_chk,
getwd_chk, and getcwd_chk. Plus appropriate CFLAGS definitions.
* debug/tst-chk1.c: Add more tests.
* libio/bits/stdio2.h: Add macros for fgets and fgets_unlocked.
* include/stdio.h: Declare __fgets_chk and __fgets_unlocked_chk.
* posix/unistd.h: Include <bits/unistd.h> for fortification.
* posix/bits/unistd.h: New file.
* posix/Makefile (headers): Add bits/unistd.h.
* socket/sys/socket.h: Include <bits/socket2.h> for fortification.
* socket/bits/socket2.h: New file.
* socket/Makefile (headers): Add bits/socket2.h.
* string/bits/string3.h: Extend memset macro to check for zero 3rd
parameter and use __memset_zero_constant_len_parameter in that case.
* sysdeps/generic/memset_chk.c: Add
__memset_zero_constant_len_parameter alias and linker warning.
* debug/Versions: Add __memset_zero_constant_len_parameter to libc
with version GLIBC_2.4.
* sysdeps/generic/bits/types.h: Don't unnecessarily use __extension__
in __STD_TYPE definition.
2005-02-21 Jakub Jelinek <jakub@redhat.com>
* malloc/malloc.c (malloc_printerr): If MALLOC_CHECK_={5,7}, print
the error message rather than program name.
2005-02-21 Ulrich Drepper <drepper@redhat.com>