diff options
author | Siddhesh Poyarekar <siddhesh@sourceware.org> | 2021-10-12 12:29:13 +0530 |
---|---|---|
committer | Siddhesh Poyarekar <siddhesh@sourceware.org> | 2021-10-20 08:33:31 +0530 |
commit | e938c02748402c50f60ba0eb983273e7b52937d1 (patch) | |
tree | 5784cd55dd66558fbdef877150dac886b1b09e5d /posix | |
parent | 46baeb61e16511f26db1b255e19dc9163f590367 (diff) | |
download | glibc-e938c02748402c50f60ba0eb983273e7b52937d1.tar.gz glibc-e938c02748402c50f60ba0eb983273e7b52937d1.tar.xz glibc-e938c02748402c50f60ba0eb983273e7b52937d1.zip |
Don't add access size hints to fortifiable functions
In the context of a function definition, the size hints imply that the size of an object pointed to by one parameter is another parameter. This doesn't make sense for the fortified versions of the functions since that's the bit it's trying to validate. This is harmless with __builtin_object_size since it has fairly simple semantics when it comes to objects passed as function parameters. With __builtin_dynamic_object_size we could (as my patchset for gcc[1] already does) use the access attribute to determine the object size in the general case but it misleads the fortified functions. Basically the problem occurs when access attributes are present on regular functions that have inline fortified definitions to generate _chk variants; the attributes get inherited by these definitions, causing problems when analyzing them. For example with poll(fds, nfds, timeout), nfds is hinted using the __attr_access as being the size of fds. Now, when analyzing the inline function definition in bits/poll2.h, the compiler sees that nfds is the size of fds and tries to use that information in the function body. In _FORTIFY_SOURCE=3 case, where the object size could be a non-constant expression, this information results in the conclusion that nfds is the size of fds, which defeats the purpose of the implementation because we're trying to check here if nfds does indeed represent the size of fds. Hence for this case, it is best to not have the access attribute. With the attributes gone, the expression evaluation should get delayed until the function is actually inlined into its destinations. Disable the access attribute for fortified function inline functions when building at _FORTIFY_SOURCE=3 to make this work better. The access attributes remain for the _chk variants since they can be used by the compiler to warn when the caller is passing invalid arguments. [1] https://gcc.gnu.org/pipermail/gcc-patches/2021-October/581125.html Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Diffstat (limited to 'posix')
-rw-r--r-- | posix/unistd.h | 28 |
1 files changed, 16 insertions, 12 deletions
diff --git a/posix/unistd.h b/posix/unistd.h index 8224c5fbc9..7a61ff5e86 100644 --- a/posix/unistd.h +++ b/posix/unistd.h @@ -369,7 +369,7 @@ extern void closefrom (int __lowfd) __THROW; This function is a cancellation point and therefore not marked with __THROW. */ extern ssize_t read (int __fd, void *__buf, size_t __nbytes) __wur - __attr_access ((__write_only__, 2, 3)); + __fortified_attr_access (__write_only__, 2, 3); /* Write N bytes of BUF to FD. Return the number written, or -1. @@ -388,7 +388,7 @@ extern ssize_t write (int __fd, const void *__buf, size_t __n) __wur __THROW. */ extern ssize_t pread (int __fd, void *__buf, size_t __nbytes, __off_t __offset) __wur - __attr_access ((__write_only__, 2, 3)); + __fortified_attr_access (__write_only__, 2, 3); /* Write N bytes of BUF to FD at the given position OFFSET without changing the file pointer. Return the number written, or -1. @@ -404,7 +404,7 @@ extern ssize_t pwrite (int __fd, const void *__buf, size_t __n, extern ssize_t __REDIRECT (pread, (int __fd, void *__buf, size_t __nbytes, __off64_t __offset), pread64) __wur - __attr_access ((__write_only__, 2, 3)); + __fortified_attr_access (__write_only__, 2, 3); extern ssize_t __REDIRECT (pwrite, (int __fd, const void *__buf, size_t __nbytes, __off64_t __offset), pwrite64) __wur @@ -421,7 +421,7 @@ extern ssize_t __REDIRECT (pwrite, (int __fd, const void *__buf, or 0 for EOF. */ extern ssize_t pread64 (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) __wur - __attr_access ((__write_only__, 2, 3)); + __fortified_attr_access (__write_only__, 2, 3); /* Write N bytes of BUF to FD at the given position OFFSET without changing the file pointer. Return the number written, or -1. */ extern ssize_t pwrite64 (int __fd, const void *__buf, size_t __n, @@ -642,7 +642,7 @@ extern long int sysconf (int __name) __THROW; #ifdef __USE_POSIX2 /* Get the value of the string-valued system variable NAME. */ extern size_t confstr (int __name, char *__buf, size_t __len) __THROW - __attr_access ((__write_only__, 2, 3)); + __fortified_attr_access (__write_only__, 2, 3); #endif @@ -709,7 +709,7 @@ extern __gid_t getegid (void) __THROW; the calling process is in. Otherwise, fill in the group IDs of its supplementary groups in LIST and return the number written. */ extern int getgroups (int __size, __gid_t __list[]) __THROW __wur - __attr_access ((__write_only__, 2, 1)); + __fortified_attr_access (__write_only__, 2, 1); #ifdef __USE_GNU /* Return nonzero iff the calling process is in group GID. */ extern int group_member (__gid_t __gid) __THROW; @@ -801,7 +801,8 @@ extern char *ttyname (int __fd) __THROW; /* Store at most BUFLEN characters of the pathname of the terminal FD is open on in BUF. Return 0 on success, otherwise an error number. */ extern int ttyname_r (int __fd, char *__buf, size_t __buflen) - __THROW __nonnull ((2)) __wur __attr_access ((__write_only__, 2, 3)); + __THROW __nonnull ((2)) __wur + __fortified_attr_access (__write_only__, 2, 3); /* Return 1 if FD is a valid descriptor associated with a terminal, zero if not. */ @@ -836,7 +837,8 @@ extern int symlink (const char *__from, const char *__to) Returns the number of characters read, or -1 for errors. */ extern ssize_t readlink (const char *__restrict __path, char *__restrict __buf, size_t __len) - __THROW __nonnull ((1, 2)) __wur __attr_access ((__write_only__, 2, 3)); + __THROW __nonnull ((1, 2)) __wur + __fortified_attr_access (__write_only__, 2, 3); #endif /* Use POSIX.1-2001. */ @@ -848,7 +850,8 @@ extern int symlinkat (const char *__from, int __tofd, /* Like readlink but a relative PATH is interpreted relative to FD. */ extern ssize_t readlinkat (int __fd, const char *__restrict __path, char *__restrict __buf, size_t __len) - __THROW __nonnull ((2, 3)) __wur __attr_access ((__write_only__, 3, 4)); + __THROW __nonnull ((2, 3)) __wur + __fortified_attr_access (__write_only__, 3, 4); #endif /* Remove the link NAME. */ @@ -884,7 +887,7 @@ extern char *getlogin (void); This function is a possible cancellation point and therefore not marked with __THROW. */ extern int getlogin_r (char *__name, size_t __name_len) __nonnull ((1)) - __attr_access ((__write_only__, 1, 2)); + __fortified_attr_access (__write_only__, 1, 2); #endif #ifdef __USE_MISC @@ -906,7 +909,7 @@ extern int setlogin (const char *__name) __THROW __nonnull ((1)); The result is null-terminated if LEN is large enough for the full name and the terminator. */ extern int gethostname (char *__name, size_t __len) __THROW __nonnull ((1)) - __attr_access ((__write_only__, 1, 2)); + __fortified_attr_access (__write_only__, 1, 2); #endif @@ -925,7 +928,8 @@ extern int sethostid (long int __id) __THROW __wur; Called just like `gethostname' and `sethostname'. The NIS domain name is usually the empty string when not using NIS. */ extern int getdomainname (char *__name, size_t __len) - __THROW __nonnull ((1)) __wur __attr_access ((__write_only__, 1, 2)); + __THROW __nonnull ((1)) __wur + __fortified_attr_access (__write_only__, 1, 2); extern int setdomainname (const char *__name, size_t __len) __THROW __nonnull ((1)) __wur __attr_access ((__read_only__, 1, 2)); |