Fork of glibc for development https://git.zx2c4.com/glibc/atom/string/bits?h=master 2024-02-27T13:52:58Z 2024-02-27T13:52:58Z Adhemerval Zanella adhemerval.zanella@linaro.org 2024-02-08T18:46:15Z urn:sha1:5e9696b26540d02639e0d16532e0f3d53c7e5cd0 It improve fortify checks for strcpy, stpcpy, strncpy, stpncpy, strcat, strncat, strlcpy, and strlcat. The runtime and compile checks have similar coverage as with GCC. Checked on aarch64, armhf, x86_64, and i686. Reviewed-by: Carlos O'Donell <carlos@redhat.com> Tested-by: Carlos O'Donell <carlos@redhat.com> 2024-01-01T18:53:40Z Paul Eggert eggert@cs.ucla.edu 2024-01-01T18:12:26Z urn:sha1:dff8da6b3e89b986bb7f6b1ec18cf65d5972e307 2023-06-14T16:10:08Z Florian Weimer fweimer@redhat.com 2023-06-14T16:10:08Z urn:sha1:454a20c8756c9c1d55419153255fc7692b3d2199 These functions are about to be added to POSIX, under Austin Group issue 986. The fortified strlcat implementation does not raise SIGABRT if the destination buffer does not contain a null terminator, it just inherits the non-failing regular strlcat behavior. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> 2023-01-06T21:14:39Z Joseph Myers joseph@codesourcery.com 2023-01-06T21:08:04Z urn:sha1:6d7e8eda9b85b08f207a6dc6f187e94e4817270f 2022-05-23T08:26:43Z Sergei Trofimovich slyich@gmail.com 2022-05-23T08:26:43Z urn:sha1:5a5f94af0542f9a35aaa7992c18eb4e2403a29b9 commit e938c0274 "Don't add access size hints to fortifiable functions" converted a few '__attr_access ((...))' into '__fortified_attr_access (...)' calls. But one of conversions had double parentheses of '__fortified_attr_access (...)'. Noticed as a gnat6 build failure: /<<NIX>>-glibc-2.34-210-dev/include/bits/string_fortified.h:110:50: error: macro "__fortified_attr_access" requires 3 arguments, but only 1 given The change fixes parentheses. This is seen when using compilers that do not support __builtin___stpncpy_chk, e.g. gcc older than 4.7, clang older than 2.6 or some compiler not derived from gcc or clang. Signed-off-by: Sergei Trofimovich <slyich@gmail.com> Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> 2022-01-12T18:04:48Z Siddhesh Poyarekar siddhesh@sourceware.org 2022-01-12T18:04:48Z urn:sha1:fcfc9086815bf0d277ad47a90ee3fda4c37acca8 Some functions (e.g. stpcpy, pread64, etc.) had moved to POSIX in the main headers as they got incorporated into the standard, but their fortified variants remained under __USE_GNU. As a result, these functions did not get fortified when _GNU_SOURCE was not defined. Add test wrappers that check all functions tested in tst-chk0 at all levels with _GNU_SOURCE undefined and then use the failures to (1) exclude checks for _GNU_SOURCE functions in these tests and (2) Fix feature macro guards in the fortified function headers so that they're the same as the ones in the main headers. This fixes BZ #28746. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> 2022-01-01T19:40:24Z Paul Eggert eggert@cs.ucla.edu 2022-01-01T18:54:23Z urn:sha1:581c785bf31bc74430320c7856bbfa3875d025fe I used these shell commands: ../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright (cd ../glibc && git commit -am"[this commit message]") and then ignored the output, which consisted lines saying "FOO: warning: copyright statement not found" for each of 7061 files FOO. I then removed trailing white space from math/tgmath.h, support/tst-support-open-dev-null-range.c, and sysdeps/x86_64/multiarch/strlen-vec.S, to work around the following obscure pre-commit check failure diagnostics from Savannah. I don't know why I run into these diagnostics whereas others evidently do not. remote: *** 912-#endif remote: *** 913: remote: *** 914- remote: *** error: lines with trailing whitespace found ... remote: *** error: sysdeps/unix/sysv/linux/statx_cp.c: trailing lines 2021-10-20T03:03:31Z Siddhesh Poyarekar siddhesh@sourceware.org 2021-10-12T06:59:13Z urn:sha1:e938c02748402c50f60ba0eb983273e7b52937d1 In the context of a function definition, the size hints imply that the size of an object pointed to by one parameter is another parameter. This doesn't make sense for the fortified versions of the functions since that's the bit it's trying to validate. This is harmless with __builtin_object_size since it has fairly simple semantics when it comes to objects passed as function parameters. With __builtin_dynamic_object_size we could (as my patchset for gcc[1] already does) use the access attribute to determine the object size in the general case but it misleads the fortified functions. Basically the problem occurs when access attributes are present on regular functions that have inline fortified definitions to generate _chk variants; the attributes get inherited by these definitions, causing problems when analyzing them. For example with poll(fds, nfds, timeout), nfds is hinted using the __attr_access as being the size of fds. Now, when analyzing the inline function definition in bits/poll2.h, the compiler sees that nfds is the size of fds and tries to use that information in the function body. In _FORTIFY_SOURCE=3 case, where the object size could be a non-constant expression, this information results in the conclusion that nfds is the size of fds, which defeats the purpose of the implementation because we're trying to check here if nfds does indeed represent the size of fds. Hence for this case, it is best to not have the access attribute. With the attributes gone, the expression evaluation should get delayed until the function is actually inlined into its destinations. Disable the access attribute for fortified function inline functions when building at _FORTIFY_SOURCE=3 to make this work better. The access attributes remain for the _chk variants since they can be used by the compiler to warn when the caller is passing invalid arguments. [1] https://gcc.gnu.org/pipermail/gcc-patches/2021-October/581125.html Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> 2021-01-02T20:17:34Z Paul Eggert eggert@cs.ucla.edu 2021-01-02T19:32:25Z urn:sha1:2b778ceb4010c28d70de9b8eab20e8d88eed586b I used these shell commands: ../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright (cd ../glibc && git commit -am"[this commit message]") and then ignored the output, which consisted lines saying "FOO: warning: copyright statement not found" for each of 6694 files FOO. I then removed trailing white space from benchtests/bench-pthread-locks.c and iconvdata/tst-iconv-big5-hkscs-to-2ucs4.c, to work around this diagnostic from Savannah: remote: *** pre-commit check failed ... remote: *** error: lines with trailing whitespace found remote: error: hook declined to update refs/heads/master 2020-12-31T11:25:21Z Siddhesh Poyarekar siddhesh@sourceware.org 2020-12-30T05:39:58Z urn:sha1:2a3224c53653214cbba2ec23424702193c80ea3b This change enhances fortified string functions to use __builtin_dynamic_object_size under _FORTIFY_SOURCE=3 whenever the compiler supports it.