From: Jakub Jelinek <jakub@redhat.com>
To: Martin Sebor <msebor@gmail.com>, Richard Biener <rguenther@suse.de>
Cc: Gcc Patch List <gcc-patches@gcc.gnu.org>
Subject: Re: [PATCH] handle function pointers in __builtin_object_size (PR 88372)
Date: Thu, 06 Dec 2018 21:26:00 -0000
Message-ID: <20181206212626.GY12380@tucnak>
In-Reply-To: <fad8025b-b1f5-38c6-1c53-a00294ba0bf2@gmail.com>
On Thu, Dec 06, 2018 at 01:21:58PM -0700, Martin Sebor wrote:
> Bug 88372 - alloc_size attribute is ignored on function pointers
> points out that even though the alloc_size attribute is accepted
> on function pointers it doesn't have any effect on Object Size
> Checking. The reporter, who is implementing the feature in Clang,
> wants to know if by exposing it under the same name they won't be
> causing incompatibilities with GCC.
>
> I don't think it's intentional that GCC doesn't take advantage of
> the attribute for Object Size Checking, and certainly not to detect
> the same kinds of issues as with other allocation functions (such
> as excessive or negative size arguments). Rather, it's almost
> certainly an oversight since GCC does make use of function pointer
> attributes in other contexts (e.g., attributes alloc_align and
> noreturn).
>
> As an oversight, I think it's fair to consider it a bug rather
> than a request for an enhancement. Since not handling
> the attribute in Object Size Checking has adverse security
> implications, I also think this bug should be addressed in GCC
> 9. With that, I submit the attached patch to resolve both
> aspects of the problem.
This is because alloc_object_size was written before we had attributes
like alloc_size. The only thing I'm unsure about is whether we should
prefer gimple_call_fntype or TREE_TYPE (gimple_call_fndecl ()) if it is a
direct call or if we should try to look for alloc_size attribute on both
of those if they are different types. E.g. if somebody does
#include <stdlib.h>
typedef void *(*allocfn) (size_t);
static inline void *
foo (allocfn fn, size_t sz)
{
  return fn (sz);
}
static inline void *
bar (size_t sz)
{
  return foo (malloc, sz);
}
then I think this patch would no longer treat it as malloc.
As this is security relevant, I'd probably look for alloc_size
attribute in both gimple_call_fntype and, if gimple_call_fndecl is non-NULL,
its TREE_TYPE.
Otherwise, the patch looks reasonable to me.
Jakub
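The scenario in the review above, as an added example that is not part of the original message or of the GCC patch: the alloc_size attribute spelled on a function-pointer type, the inline wrapper that turns an indirect allocation into a direct call to malloc made through that type, and an Object Size Checking style copy that uses whatever bound __builtin_object_size can establish as a secondary guard. The names alloc_size_fn, foo, bar, sized_copy and copy_via_pointer are assumptions made for this example; whether the builtin reports a real size or (size_t)-1 for the allocation depends on the compiler, its version and the optimization level, so the explicit length stays the primary bound.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Names alloc_size_fn, foo, bar, sized_copy and copy_via_pointer are
   assumptions made for this example, not GCC internals. */

/* alloc_size(1): argument 1 of the pointed-to function is the allocation
   size in bytes. GCC accepts the attribute on this function-pointer type;
   whether __builtin_object_size makes use of it is the subject of PR 88372. */
typedef void *(*alloc_size_fn)(size_t) __attribute__((alloc_size(1)));

/* The inlining scenario from the review: after foo() is inlined into bar(),
   what remains is a direct call to malloc made through alloc_size_fn. */
static inline void *foo(alloc_size_fn fn, size_t sz) { return fn(sz); }
static inline void *bar(size_t sz) { return foo(malloc, sz); }

/* Object Size Checking style copy. The compile-time bound, when known, is
   handed to __builtin___memcpy_chk, which aborts on overflow; an unknown
   bound, (size_t)-1, turns that call into a plain memcpy. The explicit
   dst_len is therefore the primary guard, so an unknown bound never leads
   to an overflow. Returns the number of bytes copied. */
static size_t sized_copy(void *dst, size_t dst_len, size_t dst_objsize,
                         const void *src, size_t n)
{
    if (n > dst_len)
        n = dst_len;
    __builtin___memcpy_chk(dst, src, n, dst_objsize);
    return n;
}

/* Allocates n bytes through the attributed pointer type, copies msg
   (including its terminator, truncated to n bytes) into the buffer, stores
   the buffer in *out, and returns the number of bytes copied. */
size_t copy_via_pointer(size_t n, const char *msg, char **out)
{
    char *p = bar(n);
    if (p == NULL)
        return 0;
    /* (size_t)-1 here means the compiler could not determine the size,
       which is what happens when alloc_size on the pointer type is ignored
       or when the size is not a compile-time constant. */
    size_t objsize = __builtin_object_size(p, 0);
    size_t copied = sized_copy(p, n, objsize, msg, strlen(msg) + 1);
    *out = p;
    return copied;
}
```

The caller owns the returned buffer and frees it. The point of the layering is that Object Size Checking only ever adds a check; code must stay correct when the builtin answers (size_t)-1, which is precisely the answer a function-pointer allocation gets when the attribute is not consulted.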
Thread overview: 7+ messages
2018-12-06 20:22 Martin Sebor
2018-12-06 21:26 ` Jakub Jelinek [this message]
2018-12-06 23:01 ` Martin Sebor
2018-12-07 8:06 ` Richard Biener
2018-12-08 17:42 ` Martin Sebor
2018-12-09 9:39 ` Richard Biener
2018-12-14 0:25 ` Jeff Law