diff options
author | Siddhesh Poyarekar <siddhesh@sourceware.org> | 2021-10-12 12:29:13 +0530 |
---|---|---|
committer | Siddhesh Poyarekar <siddhesh@sourceware.org> | 2021-10-20 08:33:31 +0530 |
commit | e938c02748402c50f60ba0eb983273e7b52937d1 (patch) | |
tree | 5784cd55dd66558fbdef877150dac886b1b09e5d /libio | |
parent | 46baeb61e16511f26db1b255e19dc9163f590367 (diff) | |
download | glibc-e938c02748402c50f60ba0eb983273e7b52937d1.tar.gz glibc-e938c02748402c50f60ba0eb983273e7b52937d1.tar.xz glibc-e938c02748402c50f60ba0eb983273e7b52937d1.zip |
Don't add access size hints to fortifiable functions
In the context of a function definition, the size hints imply that the size of an object pointed to by one parameter is another parameter. This doesn't make sense for the fortified versions of the functions since that's the bit it's trying to validate. This is harmless with __builtin_object_size since it has fairly simple semantics when it comes to objects passed as function parameters. With __builtin_dynamic_object_size we could (as my patchset for gcc[1] already does) use the access attribute to determine the object size in the general case but it misleads the fortified functions. Basically the problem occurs when access attributes are present on regular functions that have inline fortified definitions to generate _chk variants; the attributes get inherited by these definitions, causing problems when analyzing them. For example with poll(fds, nfds, timeout), nfds is hinted using the __attr_access as being the size of fds. Now, when analyzing the inline function definition in bits/poll2.h, the compiler sees that nfds is the size of fds and tries to use that information in the function body. In _FORTIFY_SOURCE=3 case, where the object size could be a non-constant expression, this information results in the conclusion that nfds is the size of fds, which defeats the purpose of the implementation because we're trying to check here if nfds does indeed represent the size of fds. Hence for this case, it is best to not have the access attribute. With the attributes gone, the expression evaluation should get delayed until the function is actually inlined into its destinations. Disable the access attribute for fortified function inline functions when building at _FORTIFY_SOURCE=3 to make this work better. The access attributes remain for the _chk variants since they can be used by the compiler to warn when the caller is passing invalid arguments. [1] https://gcc.gnu.org/pipermail/gcc-patches/2021-October/581125.html Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Diffstat (limited to 'libio')
-rw-r--r-- | libio/bits/stdio2.h | 4 | ||||
-rw-r--r-- | libio/stdio.h | 4 |
2 files changed, 4 insertions, 4 deletions
diff --git a/libio/bits/stdio2.h b/libio/bits/stdio2.h index 3f0cab1254..4f016a5638 100644 --- a/libio/bits/stdio2.h +++ b/libio/bits/stdio2.h @@ -258,7 +258,7 @@ extern char *__REDIRECT (__fgets_chk_warn, __wur __warnattr ("fgets called with bigger size than length " "of destination buffer"); -__fortify_function __wur __attr_access ((__write_only__, 1, 2)) char * +__fortify_function __wur __fortified_attr_access (__write_only__, 1, 2) char * fgets (char *__restrict __s, int __n, FILE *__restrict __stream) { if (__glibc_objsize (__s) != (size_t) -1) @@ -320,7 +320,7 @@ extern char *__REDIRECT (__fgets_unlocked_chk_warn, __wur __warnattr ("fgets_unlocked called with bigger size than length " "of destination buffer"); -__fortify_function __wur __attr_access ((__write_only__, 1, 2)) char * +__fortify_function __wur __fortified_attr_access (__write_only__, 1, 2) char * fgets_unlocked (char *__restrict __s, int __n, FILE *__restrict __stream) { if (__glibc_objsize (__s) != (size_t) -1) diff --git a/libio/stdio.h b/libio/stdio.h index 0a5c76b552..f208f5ef79 100644 --- a/libio/stdio.h +++ b/libio/stdio.h @@ -590,7 +590,7 @@ extern int putw (int __w, FILE *__stream); This function is a possible cancellation point and therefore not marked with __THROW. */ extern char *fgets (char *__restrict __s, int __n, FILE *__restrict __stream) - __wur __attr_access ((__write_only__, 1, 2)); + __wur __fortified_attr_access (__write_only__, 1, 2); #if __GLIBC_USE (DEPRECATED_GETS) /* Get a newline-terminated string from stdin, removing the newline. @@ -614,7 +614,7 @@ extern char *gets (char *__s) __wur __attribute_deprecated__; therefore not marked with __THROW. */ extern char *fgets_unlocked (char *__restrict __s, int __n, FILE *__restrict __stream) __wur - __attr_access ((__write_only__, 1, 2)); + __fortified_attr_access (__write_only__, 1, 2); #endif |