diff mbox series

[v3,05/10] unistd: Improve fortify with clang

Message ID 20240208184622.332678-6-adhemerval.zanella@linaro.org
State Accepted
Commit ec307a10865a3e43f611b725fec952a93e4d1893
Headers show
Series Improve fortify support with clang | expand

Commit Message

Adhemerval Zanella Feb. 8, 2024, 6:46 p.m. UTC
It improve fortify checks for read, pread, pread64, readlink,
readlinkat, getcwd, getwd, confstr, getgroups, ttyname_r, getlogin_r,
gethostname, and getdomainname.  The compile and runtime checks have
similar coverage as with GCC.

Checked on aarch64, armhf, x86_64, and i686.
---
 posix/bits/unistd.h | 110 +++++++++++++++++++++++++++++++++-----------
 1 file changed, 82 insertions(+), 28 deletions(-)

Comments

Carlos O'Donell Feb. 20, 2024, 10:06 p.m. UTC | #1
On 2/8/24 13:46, Adhemerval Zanella wrote:
> It improve fortify checks for read, pread, pread64, readlink,
> readlinkat, getcwd, getwd, confstr, getgroups, ttyname_r, getlogin_r,
> gethostname, and getdomainname.  The compile and runtime checks have
> similar coverage as with GCC.


LGTM.

Tested on x86_64 and i686.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>

> 
> Checked on aarch64, armhf, x86_64, and i686.
> ---
>  posix/bits/unistd.h | 110 +++++++++++++++++++++++++++++++++-----------
>  1 file changed, 82 insertions(+), 28 deletions(-)
> 
> diff --git a/posix/bits/unistd.h b/posix/bits/unistd.h
> index bd209ec28e..2757b0619a 100644
> --- a/posix/bits/unistd.h
> +++ b/posix/bits/unistd.h
> @@ -22,8 +22,12 @@
>  
>  # include <bits/unistd-decl.h>
>  
> -__fortify_function __wur ssize_t
> -read (int __fd, void *__buf, size_t __nbytes)
> +__fortify_function __attribute_overloadable__ __wur ssize_t
> +read (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), size_t __nbytes)
> +     __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf,
> +					      "read called with bigger length than "
> +					      "size of the destination buffer")
> +
>  {
>    return __glibc_fortify (read, __nbytes, sizeof (char),
>  			  __glibc_objsize0 (__buf),
> @@ -32,16 +36,24 @@ read (int __fd, void *__buf, size_t __nbytes)
>  
>  #if defined __USE_UNIX98 || defined __USE_XOPEN2K8
>  # ifndef __USE_FILE_OFFSET64
> -__fortify_function __wur ssize_t
> -pread (int __fd, void *__buf, size_t __nbytes, __off_t __offset)
> +__fortify_function __attribute_overloadable__ __wur ssize_t
> +pread (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf),
> +       size_t __nbytes, __off_t __offset)
> +     __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf,
> +					      "pread called with bigger length than "
> +					      "size of the destination buffer")

OK.

>  {
>    return __glibc_fortify (pread, __nbytes, sizeof (char),
>  			  __glibc_objsize0 (__buf),
>  			  __fd, __buf, __nbytes, __offset);
>  }
>  # else
> -__fortify_function __wur ssize_t
> -pread (int __fd, void *__buf, size_t __nbytes, __off64_t __offset)
> +__fortify_function __attribute_overloadable__ __wur ssize_t
> +pread (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf),
> +       size_t __nbytes, __off64_t __offset)
> +     __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf,
> +					      "pread called with bigger length than "
> +					      "size of the destination buffer")
>  {
>    return __glibc_fortify (pread64, __nbytes, sizeof (char),
>  			  __glibc_objsize0 (__buf),
> @@ -50,8 +62,12 @@ pread (int __fd, void *__buf, size_t __nbytes, __off64_t __offset)
>  # endif
>  
>  # ifdef __USE_LARGEFILE64
> -__fortify_function __wur ssize_t
> -pread64 (int __fd, void *__buf, size_t __nbytes, __off64_t __offset)
> +__fortify_function __attribute_overloadable__ __wur ssize_t
> +pread64 (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf),
> +	 size_t __nbytes, __off64_t __offset)
> +     __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf,
> +					      "pread64 called with bigger length than "
> +					      "size of the destination buffer")
>  {
>    return __glibc_fortify (pread64, __nbytes, sizeof (char),
>  			  __glibc_objsize0 (__buf),
> @@ -61,9 +77,14 @@ pread64 (int __fd, void *__buf, size_t __nbytes, __off64_t __offset)
>  #endif
>  
>  #if defined __USE_XOPEN_EXTENDED || defined __USE_XOPEN2K
> -__fortify_function __nonnull ((1, 2)) __wur ssize_t
> -__NTH (readlink (const char *__restrict __path, char *__restrict __buf,
> +__fortify_function __attribute_overloadable__ __nonnull ((1, 2)) __wur ssize_t
> +__NTH (readlink (const char *__restrict __path,
> +		 __fortify_clang_overload_arg0 (char *, __restrict, __buf),
>  		 size_t __len))
> +     __fortify_clang_warning_only_if_bos_lt (__len, __buf,
> +					     "readlink called with bigger length "
> +					     "than size of destination buffer")
> +
>  {
>    return __glibc_fortify (readlink, __len, sizeof (char),
>  			  __glibc_objsize (__buf),
> @@ -72,9 +93,13 @@ __NTH (readlink (const char *__restrict __path, char *__restrict __buf,
>  #endif
>  
>  #ifdef __USE_ATFILE
> -__fortify_function __nonnull ((2, 3)) __wur ssize_t
> +__fortify_function __attribute_overloadable__ __nonnull ((2, 3)) __wur ssize_t
>  __NTH (readlinkat (int __fd, const char *__restrict __path,
> -		   char *__restrict __buf, size_t __len))
> +		   __fortify_clang_overload_arg0 (char *, __restrict, __buf),
> +		   size_t __len))
> +     __fortify_clang_warning_only_if_bos_lt (__len, __buf,
> +					     "readlinkat called with bigger length "
> +					     "than size of destination buffer")
>  {
>    return __glibc_fortify (readlinkat, __len, sizeof (char),
>  			  __glibc_objsize (__buf),
> @@ -82,8 +107,11 @@ __NTH (readlinkat (int __fd, const char *__restrict __path,
>  }
>  #endif
>  
> -__fortify_function __wur char *
> -__NTH (getcwd (char *__buf, size_t __size))
> +__fortify_function __attribute_overloadable__ __wur char *
> +__NTH (getcwd (__fortify_clang_overload_arg (char *, , __buf), size_t __size))
> +     __fortify_clang_warning_only_if_bos_lt (__size, __buf,
> +					     "getcwd called with bigger length "
> +					     "than size of destination buffer")
>  {
>    return __glibc_fortify (getcwd, __size, sizeof (char),
>  			  __glibc_objsize (__buf),
> @@ -91,8 +119,9 @@ __NTH (getcwd (char *__buf, size_t __size))
>  }
>  
>  #if defined __USE_MISC || defined __USE_XOPEN_EXTENDED
> -__fortify_function __nonnull ((1)) __attribute_deprecated__ __wur char *
> -__NTH (getwd (char *__buf))
> +__fortify_function __attribute_overloadable__ __nonnull ((1))
> +__attribute_deprecated__ __wur char *
> +__NTH (getwd (__fortify_clang_overload_arg (char *,, __buf)))
>  {
>    if (__glibc_objsize (__buf) != (size_t) -1)
>      return __getwd_chk (__buf, __glibc_objsize (__buf));
> @@ -100,8 +129,12 @@ __NTH (getwd (char *__buf))
>  }
>  #endif
>  
> -__fortify_function size_t
> -__NTH (confstr (int __name, char *__buf, size_t __len))
> +__fortify_function __attribute_overloadable__ size_t
> +__NTH (confstr (int __name, __fortify_clang_overload_arg (char *, ,__buf),
> +		size_t __len))
> +     __fortify_clang_warning_only_if_bos_lt (__len, __buf,
> +					     "confstr called with bigger length than "
> +					     "size of destination buffer")
>  {
>    return __glibc_fortify (confstr, __len, sizeof (char),
>  			  __glibc_objsize (__buf),
> @@ -109,8 +142,13 @@ __NTH (confstr (int __name, char *__buf, size_t __len))
>  }
>  
>  
> -__fortify_function int
> -__NTH (getgroups (int __size, __gid_t __list[]))
> +__fortify_function __attribute_overloadable__ int
> +__NTH (getgroups (int __size,
> +		  __fortify_clang_overload_arg (__gid_t *, ,  __list)))
> +     __fortify_clang_warning_only_if_bos_lt (__size * sizeof (__gid_t), __list,
> +					     "getgroups called with bigger group "
> +					     "count than what can fit into "
> +					     "destination buffer")
>  {
>    return __glibc_fortify (getgroups, __size, sizeof (__gid_t),
>  			  __glibc_objsize (__list),
> @@ -118,8 +156,13 @@ __NTH (getgroups (int __size, __gid_t __list[]))
>  }
>  
>  
> -__fortify_function int
> -__NTH (ttyname_r (int __fd, char *__buf, size_t __buflen))
> +__fortify_function __attribute_overloadable__ int
> +__NTH (ttyname_r (int __fd,
> +		 __fortify_clang_overload_arg (char *, ,__buf),
> +		 size_t __buflen))
> +     __fortify_clang_warning_only_if_bos_lt (__buflen, __buf,
> +					     "ttyname_r called with bigger buflen "
> +					     "than size of destination buffer")
>  {
>    return __glibc_fortify (ttyname_r, __buflen, sizeof (char),
>  			  __glibc_objsize (__buf),
> @@ -128,8 +171,11 @@ __NTH (ttyname_r (int __fd, char *__buf, size_t __buflen))
>  
>  
>  #ifdef __USE_POSIX199506
> -__fortify_function int
> -getlogin_r (char *__buf, size_t __buflen)
> +__fortify_function __attribute_overloadable__ int
> +getlogin_r (__fortify_clang_overload_arg (char *, ,__buf), size_t __buflen)
> +     __fortify_clang_warning_only_if_bos_lt (__buflen, __buf,
> +					     "getlogin_r called with bigger buflen "
> +					     "than size of destination buffer")
>  {
>    return __glibc_fortify (getlogin_r, __buflen, sizeof (char),
>  			  __glibc_objsize (__buf),
> @@ -139,8 +185,12 @@ getlogin_r (char *__buf, size_t __buflen)
>  
>  
>  #if defined __USE_MISC || defined __USE_UNIX98
> -__fortify_function int
> -__NTH (gethostname (char *__buf, size_t __buflen))
> +__fortify_function __attribute_overloadable__ int
> +__NTH (gethostname (__fortify_clang_overload_arg (char *, ,__buf),
> +		    size_t __buflen))
> +     __fortify_clang_warning_only_if_bos_lt (__buflen, __buf,
> +					     "gethostname called with bigger buflen "
> +					     "than size of destination buffer")
>  {
>    return __glibc_fortify (gethostname, __buflen, sizeof (char),
>  			  __glibc_objsize (__buf),
> @@ -150,8 +200,12 @@ __NTH (gethostname (char *__buf, size_t __buflen))
>  
>  
>  #if defined __USE_MISC || (defined __USE_XOPEN && !defined __USE_UNIX98)
> -__fortify_function int
> -__NTH (getdomainname (char *__buf, size_t __buflen))
> +__fortify_function __attribute_overloadable__ int
> +__NTH (getdomainname (__fortify_clang_overload_arg (char *, ,__buf),
> +		      size_t __buflen))
> +     __fortify_clang_warning_only_if_bos_lt (__buflen, __buf,
> +					     "getdomainname called with bigger "
> +					     "buflen than size of destination buffer")

OK.

>  {
>    return __glibc_fortify (getdomainname, __buflen, sizeof (char),
>  			  __glibc_objsize (__buf),
diff mbox series

Patch

diff --git a/posix/bits/unistd.h b/posix/bits/unistd.h
index bd209ec28e..2757b0619a 100644
--- a/posix/bits/unistd.h
+++ b/posix/bits/unistd.h
@@ -22,8 +22,12 @@ 
 
 # include <bits/unistd-decl.h>
 
-__fortify_function __wur ssize_t
-read (int __fd, void *__buf, size_t __nbytes)
+__fortify_function __attribute_overloadable__ __wur ssize_t
+read (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), size_t __nbytes)
+     __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf,
+					      "read called with bigger length than "
+					      "size of the destination buffer")
+
 {
   return __glibc_fortify (read, __nbytes, sizeof (char),
 			  __glibc_objsize0 (__buf),
@@ -32,16 +36,24 @@  read (int __fd, void *__buf, size_t __nbytes)
 
 #if defined __USE_UNIX98 || defined __USE_XOPEN2K8
 # ifndef __USE_FILE_OFFSET64
-__fortify_function __wur ssize_t
-pread (int __fd, void *__buf, size_t __nbytes, __off_t __offset)
+__fortify_function __attribute_overloadable__ __wur ssize_t
+pread (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf),
+       size_t __nbytes, __off_t __offset)
+     __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf,
+					      "pread called with bigger length than "
+					      "size of the destination buffer")
 {
   return __glibc_fortify (pread, __nbytes, sizeof (char),
 			  __glibc_objsize0 (__buf),
 			  __fd, __buf, __nbytes, __offset);
 }
 # else
-__fortify_function __wur ssize_t
-pread (int __fd, void *__buf, size_t __nbytes, __off64_t __offset)
+__fortify_function __attribute_overloadable__ __wur ssize_t
+pread (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf),
+       size_t __nbytes, __off64_t __offset)
+     __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf,
+					      "pread called with bigger length than "
+					      "size of the destination buffer")
 {
   return __glibc_fortify (pread64, __nbytes, sizeof (char),
 			  __glibc_objsize0 (__buf),
@@ -50,8 +62,12 @@  pread (int __fd, void *__buf, size_t __nbytes, __off64_t __offset)
 # endif
 
 # ifdef __USE_LARGEFILE64
-__fortify_function __wur ssize_t
-pread64 (int __fd, void *__buf, size_t __nbytes, __off64_t __offset)
+__fortify_function __attribute_overloadable__ __wur ssize_t
+pread64 (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf),
+	 size_t __nbytes, __off64_t __offset)
+     __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf,
+					      "pread64 called with bigger length than "
+					      "size of the destination buffer")
 {
   return __glibc_fortify (pread64, __nbytes, sizeof (char),
 			  __glibc_objsize0 (__buf),
@@ -61,9 +77,14 @@  pread64 (int __fd, void *__buf, size_t __nbytes, __off64_t __offset)
 #endif
 
 #if defined __USE_XOPEN_EXTENDED || defined __USE_XOPEN2K
-__fortify_function __nonnull ((1, 2)) __wur ssize_t
-__NTH (readlink (const char *__restrict __path, char *__restrict __buf,
+__fortify_function __attribute_overloadable__ __nonnull ((1, 2)) __wur ssize_t
+__NTH (readlink (const char *__restrict __path,
+		 __fortify_clang_overload_arg0 (char *, __restrict, __buf),
 		 size_t __len))
+     __fortify_clang_warning_only_if_bos_lt (__len, __buf,
+					     "readlink called with bigger length "
+					     "than size of destination buffer")
+
 {
   return __glibc_fortify (readlink, __len, sizeof (char),
 			  __glibc_objsize (__buf),
@@ -72,9 +93,13 @@  __NTH (readlink (const char *__restrict __path, char *__restrict __buf,
 #endif
 
 #ifdef __USE_ATFILE
-__fortify_function __nonnull ((2, 3)) __wur ssize_t
+__fortify_function __attribute_overloadable__ __nonnull ((2, 3)) __wur ssize_t
 __NTH (readlinkat (int __fd, const char *__restrict __path,
-		   char *__restrict __buf, size_t __len))
+		   __fortify_clang_overload_arg0 (char *, __restrict, __buf),
+		   size_t __len))
+     __fortify_clang_warning_only_if_bos_lt (__len, __buf,
+					     "readlinkat called with bigger length "
+					     "than size of destination buffer")
 {
   return __glibc_fortify (readlinkat, __len, sizeof (char),
 			  __glibc_objsize (__buf),
@@ -82,8 +107,11 @@  __NTH (readlinkat (int __fd, const char *__restrict __path,
 }
 #endif
 
-__fortify_function __wur char *
-__NTH (getcwd (char *__buf, size_t __size))
+__fortify_function __attribute_overloadable__ __wur char *
+__NTH (getcwd (__fortify_clang_overload_arg (char *, , __buf), size_t __size))
+     __fortify_clang_warning_only_if_bos_lt (__size, __buf,
+					     "getcwd called with bigger length "
+					     "than size of destination buffer")
 {
   return __glibc_fortify (getcwd, __size, sizeof (char),
 			  __glibc_objsize (__buf),
@@ -91,8 +119,9 @@  __NTH (getcwd (char *__buf, size_t __size))
 }
 
 #if defined __USE_MISC || defined __USE_XOPEN_EXTENDED
-__fortify_function __nonnull ((1)) __attribute_deprecated__ __wur char *
-__NTH (getwd (char *__buf))
+__fortify_function __attribute_overloadable__ __nonnull ((1))
+__attribute_deprecated__ __wur char *
+__NTH (getwd (__fortify_clang_overload_arg (char *,, __buf)))
 {
   if (__glibc_objsize (__buf) != (size_t) -1)
     return __getwd_chk (__buf, __glibc_objsize (__buf));
@@ -100,8 +129,12 @@  __NTH (getwd (char *__buf))
 }
 #endif
 
-__fortify_function size_t
-__NTH (confstr (int __name, char *__buf, size_t __len))
+__fortify_function __attribute_overloadable__ size_t
+__NTH (confstr (int __name, __fortify_clang_overload_arg (char *, ,__buf),
+		size_t __len))
+     __fortify_clang_warning_only_if_bos_lt (__len, __buf,
+					     "confstr called with bigger length than "
+					     "size of destination buffer")
 {
   return __glibc_fortify (confstr, __len, sizeof (char),
 			  __glibc_objsize (__buf),
@@ -109,8 +142,13 @@  __NTH (confstr (int __name, char *__buf, size_t __len))
 }
 
 
-__fortify_function int
-__NTH (getgroups (int __size, __gid_t __list[]))
+__fortify_function __attribute_overloadable__ int
+__NTH (getgroups (int __size,
+		  __fortify_clang_overload_arg (__gid_t *, ,  __list)))
+     __fortify_clang_warning_only_if_bos_lt (__size * sizeof (__gid_t), __list,
+					     "getgroups called with bigger group "
+					     "count than what can fit into "
+					     "destination buffer")
 {
   return __glibc_fortify (getgroups, __size, sizeof (__gid_t),
 			  __glibc_objsize (__list),
@@ -118,8 +156,13 @@  __NTH (getgroups (int __size, __gid_t __list[]))
 }
 
 
-__fortify_function int
-__NTH (ttyname_r (int __fd, char *__buf, size_t __buflen))
+__fortify_function __attribute_overloadable__ int
+__NTH (ttyname_r (int __fd,
+		 __fortify_clang_overload_arg (char *, ,__buf),
+		 size_t __buflen))
+     __fortify_clang_warning_only_if_bos_lt (__buflen, __buf,
+					     "ttyname_r called with bigger buflen "
+					     "than size of destination buffer")
 {
   return __glibc_fortify (ttyname_r, __buflen, sizeof (char),
 			  __glibc_objsize (__buf),
@@ -128,8 +171,11 @@  __NTH (ttyname_r (int __fd, char *__buf, size_t __buflen))
 
 
 #ifdef __USE_POSIX199506
-__fortify_function int
-getlogin_r (char *__buf, size_t __buflen)
+__fortify_function __attribute_overloadable__ int
+getlogin_r (__fortify_clang_overload_arg (char *, ,__buf), size_t __buflen)
+     __fortify_clang_warning_only_if_bos_lt (__buflen, __buf,
+					     "getlogin_r called with bigger buflen "
+					     "than size of destination buffer")
 {
   return __glibc_fortify (getlogin_r, __buflen, sizeof (char),
 			  __glibc_objsize (__buf),
@@ -139,8 +185,12 @@  getlogin_r (char *__buf, size_t __buflen)
 
 
 #if defined __USE_MISC || defined __USE_UNIX98
-__fortify_function int
-__NTH (gethostname (char *__buf, size_t __buflen))
+__fortify_function __attribute_overloadable__ int
+__NTH (gethostname (__fortify_clang_overload_arg (char *, ,__buf),
+		    size_t __buflen))
+     __fortify_clang_warning_only_if_bos_lt (__buflen, __buf,
+					     "gethostname called with bigger buflen "
+					     "than size of destination buffer")
 {
   return __glibc_fortify (gethostname, __buflen, sizeof (char),
 			  __glibc_objsize (__buf),
@@ -150,8 +200,12 @@  __NTH (gethostname (char *__buf, size_t __buflen))
 
 
 #if defined __USE_MISC || (defined __USE_XOPEN && !defined __USE_UNIX98)
-__fortify_function int
-__NTH (getdomainname (char *__buf, size_t __buflen))
+__fortify_function __attribute_overloadable__ int
+__NTH (getdomainname (__fortify_clang_overload_arg (char *, ,__buf),
+		      size_t __buflen))
+     __fortify_clang_warning_only_if_bos_lt (__buflen, __buf,
+					     "getdomainname called with bigger "
+					     "buflen than size of destination buffer")
 {
   return __glibc_fortify (getdomainname, __buflen, sizeof (char),
 			  __glibc_objsize (__buf),