From patchwork Thu Feb 8 18:46:17 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella X-Patchwork-Id: 770869 Delivered-To: patch@linaro.org Received: by 2002:adf:9dca:0:b0:33b:4db1:f5b3 with SMTP id q10csp479232wre; Thu, 8 Feb 2024 10:48:29 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCUd60T1ySV58c/KKleeG9P406eqUHhNtLkACdquzCqphlvz1vSWWH44Y4zBNsOGUrqukWSkIgQip2L/zFZC80R7 X-Google-Smtp-Source: AGHT+IHWExHsKjRyAcdv9w2PmXD1WLy/zXGF4mVjkA/gKYTtYFXZY91/6TPLioHHFkfvOn5bHzE9 X-Received: by 2002:a05:690c:2a90:b0:5ff:9676:3658 with SMTP id ek16-20020a05690c2a9000b005ff96763658mr212765ywb.48.1707418108926; Thu, 08 Feb 2024 10:48:28 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1707418108; cv=pass; d=google.com; s=arc-20160816; b=zyGdLhzT5/mEbTf502mkzenxOCQ87kQ/TFYn95dx0bFynMZN2xLF9s3zcGNdj5OxBc yMswtxKZeMtmsInvaJmCwjx7wxpRZmQzMDLwXZ2zjEuB31TSO/c6sAt7no+pk/VfvvD/ K3zEwWXEKNL/EB6Qxcw3cBftXjeIdCUhOio7sFy8wjGKo1Mjx9CV1w71NkjLfm5Ex/Ls VlXe1rVMsbShHr627FrUxxvpQJELiNY3JZMHZCB9jo5qb6jHW77a86POEEntaydiyKHj bf3X9Uj36S15tcD/F2pa4jrh2IPng04qL9skvXdp/VxMYNDi+Dhy1HAeaZIz6aDD8Zha j16g== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature:arc-filter:dmarc-filter:delivered-to; bh=7eWbYtfxbaMRlBWmlOCmG6Abb/A3/FkjpLUJwBlSjUk=; fh=tuqihaFl3KCuEqT7BxPdeZktI+W03faef0wJ8fbKzY4=; b=O3Roqw4Okkb232/ehrp6RDMyWmYVp0i8oU7EloDBkq7XpPZtnIpkDF7xmWtwgsWhJ1 y9fVmCj51bE5WC5lkNXaambEdD0evgFh+gK8R0MD8je0jU8qqpb99+iiG8CpBkyJPcrc BwQS69oKajRYxYBbaVibwXWYS0lG4t3DJuhsa9qYW2fex9GlAUbkZSW0pbJ6e/f0afhN BwVrP4ymwvZVIY+GehHgCH8GrdPtKkgyivEhWatqmb7cYKRCVc5/warXPFjJzMVFpCTs yzG2FO80LQa/w7rGYAydoPJeUe/lzP6A2D/a1QxT2ySjDvWkvgzYvzZ4ECU2fBLriQEm mShw==; darn=linaro.org ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=G0ngeoDs; arc=pass (i=1); spf=pass (google.com: domain of libc-alpha-bounces+patch=linaro.org@sourceware.org designates 8.43.85.97 as permitted sender) smtp.mailfrom="libc-alpha-bounces+patch=linaro.org@sourceware.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org X-Forwarded-Encrypted: i=2; AJvYcCV8hDrFrTQgUrgOGow+gHP27BEqvTHTlb/5cRTMX3Vm0r+qonfl/DsZbl+JtxJyNODNJ1hDJ77NO9/3CafW0D5s Return-Path: Received: from server2.sourceware.org (server2.sourceware.org. [8.43.85.97]) by mx.google.com with ESMTPS id y9-20020a37e309000000b007855ef6e1b6si169072qki.205.2024.02.08.10.48.28 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 08 Feb 2024 10:48:28 -0800 (PST) Received-SPF: pass (google.com: domain of libc-alpha-bounces+patch=linaro.org@sourceware.org designates 8.43.85.97 as permitted sender) client-ip=8.43.85.97; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=G0ngeoDs; arc=pass (i=1); spf=pass (google.com: domain of libc-alpha-bounces+patch=linaro.org@sourceware.org designates 8.43.85.97 as permitted sender) smtp.mailfrom="libc-alpha-bounces+patch=linaro.org@sourceware.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 8E24D3858012 for ; Thu, 8 Feb 2024 18:48:28 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-oa1-x30.google.com (mail-oa1-x30.google.com [IPv6:2001:4860:4864:20::30]) by sourceware.org (Postfix) with ESMTPS id D3CFA385841F for ; Thu, 8 Feb 2024 18:46:38 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org D3CFA385841F Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org D3CFA385841F Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2001:4860:4864:20::30 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1707418002; cv=none; b=KKPZtX1JXHVK46vEcJWeDhMMQWpYAtXVpL0kPW2Ry8LeioGr5iAXoWus3GFOLe3khKtZnEuDaFMQZ+uOiL2K17V0ssvyDTYHq0Z8UABhQaqk/92BE6QndDmM9ZJNPsBMN1JPzVf2451HeXbUuFmUgU/OJhzJZUAoFbp8fOqXF3o= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1707418002; c=relaxed/simple; bh=X11qCrE7STf5aZWOUYOEeJdX9n6vFuLR7yWICR+i2mM=; h=DKIM-Signature:From:To:Subject:Date:Message-Id:MIME-Version; b=bsf4UQhfhjFmzi5dnO69D6EtbSQ6Dxy2BfNuFbu6QSFPcNJbpv4j6ODPiCX1uq4VdZ6WlqdVsOHwqFK2DSIo2diDIDXwlOsPgfl0LZSK9sjZJ5yVCg+nTxtPWpwWXaNDLaaOheMkGzb5sd0HZxNlO8/Bq2aUIvY8QMDfk/U/2YU= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-oa1-x30.google.com with SMTP id 586e51a60fabf-2184133da88so48144fac.0 for ; Thu, 08 Feb 2024 10:46:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1707417998; x=1708022798; darn=sourceware.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=7eWbYtfxbaMRlBWmlOCmG6Abb/A3/FkjpLUJwBlSjUk=; b=G0ngeoDs8ollLLgW2kUWYu+HC+SkdJxrzHbTgSx/eRalkU5W+JtABJ9P/c4wpnaCS7 yeuXDyOO1qS8l+3h+vfC0NfQp/r99vlC7UeNZvdgaIJ+RP3/TA8oB2AAD0WTPeUNxyYY wc6COV10ekoTEOwyLLefOvlrh5oWxSZ7BPgdoMPkBFcb0GAEhof9gk/oTLzWmZ+Jwj2C WVQo2WTmOg/Xp/F2nLInU4/xhOROYlgLKrxtMykf0ErOaHgWeGxLV35/MrACYZVLqZ8p EzhLJwW5xbgF1uwFNraCRWCmjwgfeYzifYmLHa0OkdL6wj4KEdifIdnUexk4DZd0B4M+ vjXw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707417998; x=1708022798; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=7eWbYtfxbaMRlBWmlOCmG6Abb/A3/FkjpLUJwBlSjUk=; b=b1BlVjkDPbBYlzdForXj4KWQWGi2X8gKo8DP9dYOfJIkauyatAToetnz5EiOqfLIV1 tTC8u9uKf71TvPpsn3bpbmaq7lNIMTt9Hv8Zw0jzJVJ1iGh+Pk0xCPvw0MyGBV5yFNKN 8lVQ3E2rg3b8nQEGzNDCInotqtvf6Ws/XAm5fHa8YjoU3pA665D116pRp1vRJKvayt+w 3L1j5602dr7ovz3qdC34K+cZ4vFa9zX29WHkrKytEvBXeZf+EkjBQ/2kH7xvNjVQeeAT D7v0z/7UnLKh0aVxRw+Rl59F0WNQZ79Bei16LjpTg+caAxqRfXgrJk91beKqidepGDuA wkSw== X-Gm-Message-State: AOJu0Yy9U61qU/D9lEVdJe0h0/3lfdJlG9kgDL4vDWTn/kHe5DjEphpf hKMiSVeGB5AwCf8FThTSJ58OYv/kz63pjFGly6NS+HsF0Ko7MHbWy2qHmwv4BiHprOOGrjmjHOC H X-Received: by 2002:a05:6870:7013:b0:219:ae65:12b8 with SMTP id u19-20020a056870701300b00219ae6512b8mr394693oae.21.1707417996911; Thu, 08 Feb 2024 10:46:36 -0800 (PST) Received: from mandiga.. ([2804:1b3:a7c0:378:6793:1dc3:1346:d6d6]) by smtp.gmail.com with ESMTPSA id n26-20020a638f1a000000b005d7994a08dcsm156408pgd.36.2024.02.08.10.46.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 08 Feb 2024 10:46:36 -0800 (PST) From: Adhemerval Zanella To: libc-alpha@sourceware.org Cc: Siddhesh Poyarekar Subject: [PATCH v3 05/10] unistd: Improve fortify with clang Date: Thu, 8 Feb 2024 15:46:17 -0300 Message-Id: <20240208184622.332678-6-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240208184622.332678-1-adhemerval.zanella@linaro.org> References: <20240208184622.332678-1-adhemerval.zanella@linaro.org> MIME-Version: 1.0 X-Spam-Status: No, score=-12.5 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+patch=linaro.org@sourceware.org It improve fortify checks for read, pread, pread64, readlink, readlinkat, getcwd, getwd, confstr, getgroups, ttyname_r, getlogin_r, gethostname, and getdomainname. The compile and runtime checks have similar coverage as with GCC. Checked on aarch64, armhf, x86_64, and i686. Reviewed-by: Carlos O'Donell Tested-by: Carlos O'Donell --- posix/bits/unistd.h | 110 +++++++++++++++++++++++++++++++++----------- 1 file changed, 82 insertions(+), 28 deletions(-) diff --git a/posix/bits/unistd.h b/posix/bits/unistd.h index bd209ec28e..2757b0619a 100644 --- a/posix/bits/unistd.h +++ b/posix/bits/unistd.h @@ -22,8 +22,12 @@ # include -__fortify_function __wur ssize_t -read (int __fd, void *__buf, size_t __nbytes) +__fortify_function __attribute_overloadable__ __wur ssize_t +read (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), size_t __nbytes) + __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf, + "read called with bigger length than " + "size of the destination buffer") + { return __glibc_fortify (read, __nbytes, sizeof (char), __glibc_objsize0 (__buf), @@ -32,16 +36,24 @@ read (int __fd, void *__buf, size_t __nbytes) #if defined __USE_UNIX98 || defined __USE_XOPEN2K8 # ifndef __USE_FILE_OFFSET64 -__fortify_function __wur ssize_t -pread (int __fd, void *__buf, size_t __nbytes, __off_t __offset) +__fortify_function __attribute_overloadable__ __wur ssize_t +pread (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), + size_t __nbytes, __off_t __offset) + __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf, + "pread called with bigger length than " + "size of the destination buffer") { return __glibc_fortify (pread, __nbytes, sizeof (char), __glibc_objsize0 (__buf), __fd, __buf, __nbytes, __offset); } # else -__fortify_function __wur ssize_t -pread (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) +__fortify_function __attribute_overloadable__ __wur ssize_t +pread (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), + size_t __nbytes, __off64_t __offset) + __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf, + "pread called with bigger length than " + "size of the destination buffer") { return __glibc_fortify (pread64, __nbytes, sizeof (char), __glibc_objsize0 (__buf), @@ -50,8 +62,12 @@ pread (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) # endif # ifdef __USE_LARGEFILE64 -__fortify_function __wur ssize_t -pread64 (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) +__fortify_function __attribute_overloadable__ __wur ssize_t +pread64 (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), + size_t __nbytes, __off64_t __offset) + __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf, + "pread64 called with bigger length than " + "size of the destination buffer") { return __glibc_fortify (pread64, __nbytes, sizeof (char), __glibc_objsize0 (__buf), @@ -61,9 +77,14 @@ pread64 (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) #endif #if defined __USE_XOPEN_EXTENDED || defined __USE_XOPEN2K -__fortify_function __nonnull ((1, 2)) __wur ssize_t -__NTH (readlink (const char *__restrict __path, char *__restrict __buf, +__fortify_function __attribute_overloadable__ __nonnull ((1, 2)) __wur ssize_t +__NTH (readlink (const char *__restrict __path, + __fortify_clang_overload_arg0 (char *, __restrict, __buf), size_t __len)) + __fortify_clang_warning_only_if_bos_lt (__len, __buf, + "readlink called with bigger length " + "than size of destination buffer") + { return __glibc_fortify (readlink, __len, sizeof (char), __glibc_objsize (__buf), @@ -72,9 +93,13 @@ __NTH (readlink (const char *__restrict __path, char *__restrict __buf, #endif #ifdef __USE_ATFILE -__fortify_function __nonnull ((2, 3)) __wur ssize_t +__fortify_function __attribute_overloadable__ __nonnull ((2, 3)) __wur ssize_t __NTH (readlinkat (int __fd, const char *__restrict __path, - char *__restrict __buf, size_t __len)) + __fortify_clang_overload_arg0 (char *, __restrict, __buf), + size_t __len)) + __fortify_clang_warning_only_if_bos_lt (__len, __buf, + "readlinkat called with bigger length " + "than size of destination buffer") { return __glibc_fortify (readlinkat, __len, sizeof (char), __glibc_objsize (__buf), @@ -82,8 +107,11 @@ __NTH (readlinkat (int __fd, const char *__restrict __path, } #endif -__fortify_function __wur char * -__NTH (getcwd (char *__buf, size_t __size)) +__fortify_function __attribute_overloadable__ __wur char * +__NTH (getcwd (__fortify_clang_overload_arg (char *, , __buf), size_t __size)) + __fortify_clang_warning_only_if_bos_lt (__size, __buf, + "getcwd called with bigger length " + "than size of destination buffer") { return __glibc_fortify (getcwd, __size, sizeof (char), __glibc_objsize (__buf), @@ -91,8 +119,9 @@ __NTH (getcwd (char *__buf, size_t __size)) } #if defined __USE_MISC || defined __USE_XOPEN_EXTENDED -__fortify_function __nonnull ((1)) __attribute_deprecated__ __wur char * -__NTH (getwd (char *__buf)) +__fortify_function __attribute_overloadable__ __nonnull ((1)) +__attribute_deprecated__ __wur char * +__NTH (getwd (__fortify_clang_overload_arg (char *,, __buf))) { if (__glibc_objsize (__buf) != (size_t) -1) return __getwd_chk (__buf, __glibc_objsize (__buf)); @@ -100,8 +129,12 @@ __NTH (getwd (char *__buf)) } #endif -__fortify_function size_t -__NTH (confstr (int __name, char *__buf, size_t __len)) +__fortify_function __attribute_overloadable__ size_t +__NTH (confstr (int __name, __fortify_clang_overload_arg (char *, ,__buf), + size_t __len)) + __fortify_clang_warning_only_if_bos_lt (__len, __buf, + "confstr called with bigger length than " + "size of destination buffer") { return __glibc_fortify (confstr, __len, sizeof (char), __glibc_objsize (__buf), @@ -109,8 +142,13 @@ __NTH (confstr (int __name, char *__buf, size_t __len)) } -__fortify_function int -__NTH (getgroups (int __size, __gid_t __list[])) +__fortify_function __attribute_overloadable__ int +__NTH (getgroups (int __size, + __fortify_clang_overload_arg (__gid_t *, , __list))) + __fortify_clang_warning_only_if_bos_lt (__size * sizeof (__gid_t), __list, + "getgroups called with bigger group " + "count than what can fit into " + "destination buffer") { return __glibc_fortify (getgroups, __size, sizeof (__gid_t), __glibc_objsize (__list), @@ -118,8 +156,13 @@ __NTH (getgroups (int __size, __gid_t __list[])) } -__fortify_function int -__NTH (ttyname_r (int __fd, char *__buf, size_t __buflen)) +__fortify_function __attribute_overloadable__ int +__NTH (ttyname_r (int __fd, + __fortify_clang_overload_arg (char *, ,__buf), + size_t __buflen)) + __fortify_clang_warning_only_if_bos_lt (__buflen, __buf, + "ttyname_r called with bigger buflen " + "than size of destination buffer") { return __glibc_fortify (ttyname_r, __buflen, sizeof (char), __glibc_objsize (__buf), @@ -128,8 +171,11 @@ __NTH (ttyname_r (int __fd, char *__buf, size_t __buflen)) #ifdef __USE_POSIX199506 -__fortify_function int -getlogin_r (char *__buf, size_t __buflen) +__fortify_function __attribute_overloadable__ int +getlogin_r (__fortify_clang_overload_arg (char *, ,__buf), size_t __buflen) + __fortify_clang_warning_only_if_bos_lt (__buflen, __buf, + "getlogin_r called with bigger buflen " + "than size of destination buffer") { return __glibc_fortify (getlogin_r, __buflen, sizeof (char), __glibc_objsize (__buf), @@ -139,8 +185,12 @@ getlogin_r (char *__buf, size_t __buflen) #if defined __USE_MISC || defined __USE_UNIX98 -__fortify_function int -__NTH (gethostname (char *__buf, size_t __buflen)) +__fortify_function __attribute_overloadable__ int +__NTH (gethostname (__fortify_clang_overload_arg (char *, ,__buf), + size_t __buflen)) + __fortify_clang_warning_only_if_bos_lt (__buflen, __buf, + "gethostname called with bigger buflen " + "than size of destination buffer") { return __glibc_fortify (gethostname, __buflen, sizeof (char), __glibc_objsize (__buf), @@ -150,8 +200,12 @@ __NTH (gethostname (char *__buf, size_t __buflen)) #if defined __USE_MISC || (defined __USE_XOPEN && !defined __USE_UNIX98) -__fortify_function int -__NTH (getdomainname (char *__buf, size_t __buflen)) +__fortify_function __attribute_overloadable__ int +__NTH (getdomainname (__fortify_clang_overload_arg (char *, ,__buf), + size_t __buflen)) + __fortify_clang_warning_only_if_bos_lt (__buflen, __buf, + "getdomainname called with bigger " + "buflen than size of destination buffer") { return __glibc_fortify (getdomainname, __buflen, sizeof (char), __glibc_objsize (__buf),