about summary refs log tree commit diff
path: root/manual
diff options
context:
space:
mode:
authorSiddhesh Poyarekar <siddhesh@sourceware.org>2020-12-30 11:54:00 +0530
committerSiddhesh Poyarekar <siddhesh@sourceware.org>2020-12-31 16:55:21 +0530
commitc43c5796121bc5bcc0867f02e5536874aa8196c1 (patch)
tree39306f12f031a62b0fe2ca679e656332e70eb388 /manual
parent2a08b6e8331a611dc29325bfa6e29fecc9a3a46e (diff)
downloadglibc-c43c5796121bc5bcc0867f02e5536874aa8196c1.tar.gz
glibc-c43c5796121bc5bcc0867f02e5536874aa8196c1.tar.xz
glibc-c43c5796121bc5bcc0867f02e5536874aa8196c1.zip
Introduce _FORTIFY_SOURCE=3
Introduce a new _FORTIFY_SOURCE level of 3 to enable additional
fortifications that may have a noticeable performance impact, allowing
more fortification coverage at the cost of some performance.

With llvm 9.0 or later, this will replace the use of
__builtin_object_size with __builtin_dynamic_object_size.

__builtin_dynamic_object_size
-----------------------------

__builtin_dynamic_object_size is an LLVM builtin that is similar to
__builtin_object_size.  In addition to what __builtin_object_size
does, i.e. replace the builtin call with a constant object size,
__builtin_dynamic_object_size will replace the call site with an
expression that evaluates to the object size, thus expanding its
applicability.  In practice, __builtin_dynamic_object_size evaluates
these expressions through malloc/calloc calls that it can associate
with the object being evaluated.

A simple motivating example is below; -D_FORTIFY_SOURCE=2 would miss
this and emit memcpy, but -D_FORTIFY_SOURCE=3 with the help of
__builtin_dynamic_object_size is able to emit __memcpy_chk with the
allocation size expression passed into the function:

void *copy_obj (const void *src, size_t alloc, size_t copysize)
{
  void *obj = malloc (alloc);
  memcpy (obj, src, copysize);
  return obj;
}

Limitations
-----------

If the object was allocated elsewhere that the compiler cannot see, or
if it was allocated in the function with a function that the compiler
does not recognize as an allocator then __builtin_dynamic_object_size
also returns -1.

Further, the expression used to compute object size may be non-trivial
and may potentially incur a noticeable performance impact.  These
fortifications are hence enabled at a new _FORTIFY_SOURCE level to
allow developers to make a choice on the tradeoff according to their
environment.
Diffstat (limited to 'manual')
-rw-r--r--manual/creature.texi3
1 files changed, 2 insertions, 1 deletions
diff --git a/manual/creature.texi b/manual/creature.texi
index be5050468b..31208ccb2b 100644
--- a/manual/creature.texi
+++ b/manual/creature.texi
@@ -254,7 +254,8 @@ included.
 @standards{GNU, (none)}
 If this macro is defined to @math{1}, security hardening is added to
 various library functions.  If defined to @math{2}, even stricter
-checks are applied.
+checks are applied. If defined to @math{3}, @theglibc{} may also use
+checks that may have an additional performance overhead.
 @end defvr
 
 @defvr Macro _REENTRANT