diff options
author | Siddhesh Poyarekar <siddhesh@sourceware.org> | 2021-10-12 12:29:13 +0530 |
---|---|---|
committer | Siddhesh Poyarekar <siddhesh@sourceware.org> | 2021-10-20 08:33:31 +0530 |
commit | e938c02748402c50f60ba0eb983273e7b52937d1 (patch) | |
tree | 5784cd55dd66558fbdef877150dac886b1b09e5d /string | |
parent | glibcextract.py: Place un-assemblable @@@ in a comment (diff) | |
download | glibc-e938c02748402c50f60ba0eb983273e7b52937d1.tar.gz glibc-e938c02748402c50f60ba0eb983273e7b52937d1.tar.bz2 glibc-e938c02748402c50f60ba0eb983273e7b52937d1.zip |
Don't add access size hints to fortifiable functions
In the context of a function definition, the size hints imply that the
size of an object pointed to by one parameter is another parameter.
This doesn't make sense for the fortified versions of the functions
since that's the bit it's trying to validate.
This is harmless with __builtin_object_size since it has fairly simple
semantics when it comes to objects passed as function parameters.
With __builtin_dynamic_object_size we could (as my patchset for gcc[1]
already does) use the access attribute to determine the object size in
the general case but it misleads the fortified functions.
Basically the problem occurs when access attributes are present on
regular functions that have inline fortified definitions to generate
_chk variants; the attributes get inherited by these definitions,
causing problems when analyzing them. For example with poll(fds, nfds,
timeout), nfds is hinted using the __attr_access as being the size of
fds.
Now, when analyzing the inline function definition in bits/poll2.h, the
compiler sees that nfds is the size of fds and tries to use that
information in the function body. In _FORTIFY_SOURCE=3 case, where the
object size could be a non-constant expression, this information results
in the conclusion that nfds is the size of fds, which defeats the
purpose of the implementation because we're trying to check here if nfds
does indeed represent the size of fds. Hence for this case, it is best
to not have the access attribute.
With the attributes gone, the expression evaluation should get delayed
until the function is actually inlined into its destinations.
Disable the access attribute for fortified function inline functions
when building at _FORTIFY_SOURCE=3 to make this work better. The
access attributes remain for the _chk variants since they can be used
by the compiler to warn when the caller is passing invalid arguments.
[1] https://gcc.gnu.org/pipermail/gcc-patches/2021-October/581125.html
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Diffstat (limited to 'string')
-rw-r--r-- | string/bits/string_fortified.h | 5 | ||||
-rw-r--r-- | string/string.h | 2 |
2 files changed, 4 insertions, 3 deletions
diff --git a/string/bits/string_fortified.h b/string/bits/string_fortified.h index 67ae2c6b50..5731274848 100644 --- a/string/bits/string_fortified.h +++ b/string/bits/string_fortified.h @@ -64,7 +64,7 @@ __NTH (memset (void *__dest, int __ch, size_t __len)) # include <bits/strings_fortified.h> void __explicit_bzero_chk (void *__dest, size_t __len, size_t __destlen) - __THROW __nonnull ((1)) __attr_access ((__write_only__, 1, 2)); + __THROW __nonnull ((1)) __fortified_attr_access (__write_only__, 1, 2); __fortify_function void __NTH (explicit_bzero (void *__dest, size_t __len)) @@ -106,7 +106,8 @@ __NTH (stpncpy (char *__dest, const char *__src, size_t __n)) #else extern char *__stpncpy_chk (char *__dest, const char *__src, size_t __n, size_t __destlen) __THROW - __attr_access ((__write_only__, 1, 3)) __attr_access ((__read_only__, 2)); + __fortified_attr_access ((__write_only__, 1, 3)) + __attr_access ((__read_only__, 2)); extern char *__REDIRECT_NTH (__stpncpy_alias, (char *__dest, const char *__src, size_t __n), stpncpy); diff --git a/string/string.h b/string/string.h index 04e1b7067d..8dcafb4ac4 100644 --- a/string/string.h +++ b/string/string.h @@ -448,7 +448,7 @@ extern char *strerror_l (int __errnum, locale_t __l) __THROW; /* Set N bytes of S to 0. The compiler will not delete a call to this function, even if S is dead after the call. */ extern void explicit_bzero (void *__s, size_t __n) __THROW __nonnull ((1)) - __attr_access ((__write_only__, 1, 2)); + __fortified_attr_access (__write_only__, 1, 2); /* Return the next DELIM-delimited token from *STRINGP, terminating it with a '\0', and update *STRINGP to point past it. */ |