[Bug general/29141] New: _FORTIFY_SOURCE=3 fail for gcc 12/glibc 2.35

[Bug general/29141] New: _FORTIFY_SOURCE=3 fail for gcc 12/glibc 2.35

[ptr@void-ptr.info]

https://sourceware.org/bugzilla/show_bug.cgi?id=29141

            Bug ID: 29141
           Summary: _FORTIFY_SOURCE=3 fail for gcc 12/glibc 2.35
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: general
          Assignee: unassigned at sourceware dot org
          Reporter: ptr@void-ptr.info
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Hi,

_FORTIFY_SOURCE=3 fail to compile with gcc 12/glibc 2.35.

Used:
  (GCC) 12.0.1 20220504 (prerelease)
  glibc ec5b79aac768 (release/2.35/master)

<snip>
In file included from ..../x86_64-unknown-linux-gnu/usr/include/features.h:490,
                 from .../x86_64-unknown-linux-gnu/usr/include/assert.h:35,
                 from elf_getarsym.c:34:
In function ‘pread’,
    inlined from ‘pread_retry’ at ../lib/system.h:188:21,
    inlined from ‘read_number_entries’ at elf_getarsym.c:63:21,
    inlined from ‘elf_getarsym’ at elf_getarsym.c:172:11:
..../x86_64-unknown-linux-gnu/usr/include/bits/unistd.h:74:10: error:
‘__pread_alias’ specified size between 9223372036854775813 and
18446744073709551615 exceeds maximum object size 9223372036854775807
[-Werror=stringop-overflow=]
   74 |   return __glibc_fortify (pread, __nbytes, sizeof (char),
      |          ^~~~~~~~~~~~~~~
elf_getarsym.c: In function ‘elf_getarsym’:
elf_getarsym.c:56:5: note: destination object allocated here
   56 |   } u;
      |     ^
..../x86_64-unknown-linux-gnu/usr/include/bits/unistd.h:50:16: note: in a call
to function ‘__pread_alias’ declared with attribute ‘access (write_only, 2, 3)’
   50 | extern ssize_t __REDIRECT (__pread_alias,
      |                ^~~~~~~~~~


In file included from ..../x86_64-unknown-linux-gnu/usr/include/features.h:490,
                 from ..../x86_64-unknown-linux-gnu/usr/include/assert.h:35,
                 from elf_getarsym.c:34:
In function ‘pread’,
    inlined from ‘pread_retry’ at ../lib/system.h:188:21,
    inlined from ‘read_number_entries’ at elf_getarsym.c:63:21,
    inlined from ‘elf_getarsym’ at elf_getarsym.c:172:11:
.../x86_64-unknown-linux-gnu/usr/include/bits/unistd.h:74:10: error:
‘__pread_alias’ specified size between 9223372036854775813 and
18446744073709551615 exceeds maximum object size 9223372036854775807
[-Werror=stringop-overflow=]
   74 |   return __glibc_fortify (pread, __nbytes, sizeof (char),
      |          ^~~~~~~~~~~~~~~
elf_getarsym.c: In function ‘elf_getarsym’:
elf_getarsym.c:56:5: note: destination object allocated here
   56 |   } u;
      |     ^
.../x86_64-unknown-linux-gnu/usr/include/bits/unistd.h:50:16: note: in a call
to function ‘__pread_alias’ declared with attribute ‘access (write_only, 2, 3)’
   50 | extern ssize_t __REDIRECT (__pread_alias,
</snip>

Lower level (_FORTIFY_SOURCE=2) compiled fine.

Tricks similar to suggested in
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91397
not help: warning disappear only when I set wrong condition

  if (w >= sizeof(u))
    __builtin_unreachable();

(should be w > sizeof(u)).

--

   - ptr

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug general/29141] _FORTIFY_SOURCE=3 fail for gcc 12/glibc 2.35

[mark at klomp dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=29141

Mark Wielaard <mark at klomp dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mark at klomp dot org,
                   |                            |siddhesh at sourceware dot org

--- Comment #1 from Mark Wielaard <mark at klomp dot org> ---
This is interesting. I recently fixed a similar warning in gdb (also for
-Werror=stringop-overflow, but not _FORTIFY_SOURCE related):
https://sourceware.org/pipermail/gdb-patches/2022-May/188694.html

I have added Siddhesh to the CC who might have seen this earlier.
Background is that in elfutils we are trying to use _FORTIFY_SOURCE=3 when it
is available using this configure snippet:

# See if we can add -D_FORTIFY_SOURCE=2 or =3. Don't do it if it is already
# (differently) defined or if it generates warnings/errors because we
# don't use the right optimisation level (string.h will warn about that).
AC_MSG_CHECKING([whether to add -D_FORTIFY_SOURCE=2 or =3 to CFLAGS])
case "$CFLAGS" in
  *-D_FORTIFY_SOURCE=*)
    AC_MSG_RESULT([no, already there])
    ;;
  *)
    save_CFLAGS="$CFLAGS"
    # Try 3 first.
    CFLAGS="-D_FORTIFY_SOURCE=3 $save_CFLAGS -Werror"
    fortified_cflags=""
    AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
      #include <string.h>
      int main() { return 0; }
    ]])], [ AC_MSG_RESULT([yes -D_FORTIFY_SOURCE=3])
            fortified_cflags="-D_FORTIFY_SOURCE=3" ], [])

    # If that didn't work, try 2.
    if test -z "$fortified_cflags"; then
      CFLAGS="-D_FORTIFY_SOURCE=2 $save_CFLAGS -Werror"
      AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
        #include <string.h>
        int main() { return 0; }
      ]])], [ AC_MSG_RESULT([yes -D_FORTIFY_SOURCE=2])
              fortified_cflags="-D_FORTIFY_SOURCE=2" ],
              [ AC_MSG_RESULT([no, cannot be used])])
    fi
    CFLAGS="$fortified_cflags $save_CFLAGS"
    CXXFLAGS="$fortified_cflags $CXXFLAGS"
    ;;
esac


But it seems to produce gcc warnings like the above, so either our configure
foo is bad or we simply have to always use _FORTIFY_SOURCE=2.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug general/29141] _FORTIFY_SOURCE=3 fail for gcc 12/glibc 2.35

[siddhesh at sourceware dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=29141

--- Comment #2 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
I can see that it happens with the latest glibc snapshot in rawhide too.  For
some reason the fortified function doesn't get simplified (i.e. choose between
__pread_alias and __pread_chk at compile time, not just emit both) with
_FORTIFY_SOURCE=3 and I need to figure out why.  I'll dig into this.  Please
keep it with elfutils for now.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/29141] _FORTIFY_SOURCE=3 fail for gcc 12/glibc 2.35

[siddhesh at sourceware dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=29141

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|unspecified                 |2.36
            Product|elfutils                    |glibc
           Assignee|unassigned at sourceware dot org   |siddhesh at sourceware dot org
   Last reconfirmed|                            |2022-05-12
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |ASSIGNED
                 CC|                            |drepper.fsp at gmail dot com
          Component|general                     |libc

--- Comment #3 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
OK my __glibc_fortify macro isn't explicit enough; it must check if __osz is
constant while checking for -1 so that the condition collapses correctly.

The following single line change in glibc fixes it and I was able to build
elfutils to completion on my Fedora rawhide box.

However, could you tell me what system you're doing this build on?  The glibc
should need this fix for it to stumble on this issue.  I had backported it to
the 2.35 branch a while back, but I haven't tracked which distros synced up
with this.  Fedora seems to have got it only yesterday.

commit c8ee1c85c07b3c9eaef46355cb1095300855e8fa
Author: Joan Bruguera <joanbrugueram@gmail.com>
Date:   Mon Apr 11 19:49:56 2022 +0200

    misc: Fix rare fortify crash on wchar funcs. [BZ 29030]



diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h
index f1faf8292c..1c2b044a0d 100644
--- a/misc/sys/cdefs.h
+++ b/misc/sys/cdefs.h
@@ -164,7 +164,7 @@
 /* Length is known to be safe at compile time if the __L * __S <= __OBJSZ
    condition can be folded to a constant and if it is true, or unknown (-1) */
 #define __glibc_safe_or_unknown_len(__l, __s, __osz) \
-  ((__osz) == (__SIZE_TYPE__) -1                                             \
+  ((__builtin_constant_p (__osz) && (__osz) == (__SIZE_TYPE__) -1)           \
    || (__glibc_unsigned_or_positive (__l)                                    \
        && __builtin_constant_p (__glibc_safe_len_cond ((__SIZE_TYPE__) (__l),
\
                                                       (__s), (__osz)))       \

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/29141] _FORTIFY_SOURCE=3 fail for gcc 12/glibc 2.35

[ptr@void-ptr.info]

https://sourceware.org/bugzilla/show_bug.cgi?id=29141

Petr Ovtchenkov <ptr@void-ptr.info> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|2.36                        |2.35

--- Comment #4 from Petr Ovtchenkov <ptr@void-ptr.info> ---
The glibc in this issue is ec5b79aac768, so c8ee1c85c07b already here.

Don't worry about distros, VCS is primary source.

glibc is on release/2.35/master, so reference to 2.36 is not correct, IMO.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/29141] _FORTIFY_SOURCE=3 fail for gcc 12/glibc 2.35

[ptr@void-ptr.info]

https://sourceware.org/bugzilla/show_bug.cgi?id=29141

--- Comment #5 from Petr Ovtchenkov <ptr@void-ptr.info> ---
Hmm. c8ee1c8 not correspond to diff you show above.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/29141] _FORTIFY_SOURCE=3 fail for gcc 12/glibc 2.35

[siddhesh at sourceware dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=29141

--- Comment #6 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
(In reply to Petr Ovtchenkov from comment #5)
> Hmm. c8ee1c8 not correspond to diff you show above.

Ah, sorry no, they're two different things that I formatted very badly making
it seem like it's one thing.  The commit that introduced the regression:

commit c8ee1c85c07b3c9eaef46355cb1095300855e8fa
Author: Joan Bruguera <joanbrugueram@gmail.com>
Date:   Mon Apr 11 19:49:56 2022 +0200

    misc: Fix rare fortify crash on wchar funcs. [BZ 29030]

and then the one line fix for it that I'm about to post:

diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h
index f1faf8292c..1c2b044a0d 100644
--- a/misc/sys/cdefs.h
+++ b/misc/sys/cdefs.h
@@ -164,7 +164,7 @@
 /* Length is known to be safe at compile time if the __L * __S <= __OBJSZ
    condition can be folded to a constant and if it is true, or unknown (-1) */
 #define __glibc_safe_or_unknown_len(__l, __s, __osz) \
-  ((__osz) == (__SIZE_TYPE__) -1                                             \
+  ((__builtin_constant_p (__osz) && (__osz) == (__SIZE_TYPE__) -1)           \
    || (__glibc_unsigned_or_positive (__l)                                    \
        && __builtin_constant_p (__glibc_safe_len_cond ((__SIZE_TYPE__) (__l),
\
                                                       (__s), (__osz)))       \

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/29141] _FORTIFY_SOURCE=3 fail for gcc 12/glibc 2.35

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=29141

--- Comment #7 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Siddhesh Poyarekar
<siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=61a87530108ec9181e1b18a9b727ec3cc3ba7532

commit 61a87530108ec9181e1b18a9b727ec3cc3ba7532
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Fri May 13 10:01:47 2022 +0530

    fortify: Ensure that __glibc_fortify condition is a constant [BZ #29141]

    The fix c8ee1c85 introduced a -1 check for object size without also
    checking that object size is a constant.  Because of this, the tree
    optimizer passes in gcc fail to fold away one of the branches in
    __glibc_fortify and trips on a spurious Wstringop-overflow.  The warning
    itself is incorrect and the branch does go away eventually in DCE in the
    rtl passes in gcc, but the constant check is a helpful hint to simplify
    code early, so add it in.

    Resolves: BZ #29141
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/29141] _FORTIFY_SOURCE=3 fail for gcc 12/glibc 2.35

[siddhesh at sourceware dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=29141

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
   Target Milestone|---                         |2.36
         Resolution|---                         |FIXED

--- Comment #8 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
Fixed.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/29141] _FORTIFY_SOURCE=3 fail for gcc 12/glibc 2.35

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=29141

--- Comment #9 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.35/master branch has been updated by Siddhesh Poyarekar
<siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=58947e1fa593cff7b5513d5e8e0c81b0131984b4

commit 58947e1fa593cff7b5513d5e8e0c81b0131984b4
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Fri May 13 10:01:47 2022 +0530

    fortify: Ensure that __glibc_fortify condition is a constant [BZ #29141]

    The fix c8ee1c85 introduced a -1 check for object size without also
    checking that object size is a constant.  Because of this, the tree
    optimizer passes in gcc fail to fold away one of the branches in
    __glibc_fortify and trips on a spurious Wstringop-overflow.  The warning
    itself is incorrect and the branch does go away eventually in DCE in the
    rtl passes in gcc, but the constant check is a helpful hint to simplify
    code early, so add it in.

    Resolves: BZ #29141
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/29141] _FORTIFY_SOURCE=3 fail for gcc 12/glibc 2.35

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=29141

--- Comment #10 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.34/master branch has been updated by Siddhesh Poyarekar
<siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b72bbba23687ed67887d1d18c51cce5cc9c575ca

commit b72bbba23687ed67887d1d18c51cce5cc9c575ca
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Fri May 13 10:01:47 2022 +0530

    fortify: Ensure that __glibc_fortify condition is a constant [BZ #29141]

    The fix c8ee1c85 introduced a -1 check for object size without also
    checking that object size is a constant.  Because of this, the tree
    optimizer passes in gcc fail to fold away one of the branches in
    __glibc_fortify and trips on a spurious Wstringop-overflow.  The warning
    itself is incorrect and the branch does go away eventually in DCE in the
    rtl passes in gcc, but the constant check is a helpful hint to simplify
    code early, so add it in.

    Resolves: BZ #29141
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit 61a87530108ec9181e1b18a9b727ec3cc3ba7532)

-- 
You are receiving this mail because:
You are on the CC list for the bug.