From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=Y7aI=D3=redhat.com=jakub@sourceware.org>
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	by sourceware.org (Postfix) with ESMTPS id 114ED3858D32
	for <gcc-patches@gcc.gnu.org>; Thu, 10 Aug 2023 14:42:39 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 114ED3858D32
Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=redhat.com
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=redhat.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1691678558;
	h=from:from:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:in-reply-to:in-reply-to:  references:references;
	bh=tsns918QidaBOFn0noCj0EUXGJyP24tkUvH2XeyjNSM=;
	b=RI71a31oBvlbYTpOAcmQ0btj/+ZxAKY0yysvxn+BFrV+J4vG5pdVRN5me46KbouER7Dvl1
	saLt5STnf6LMOQkBpONpBpIMs2hIkNTD8v0YTqreKMM4beuzysx0F9XqsWwzxtvP67ZnNX
	BZPeRX4X3hzg22s/wHhtCq2s0mRHujc=
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-346-M0f1wGrsMCCYK_iJR0w9xA-1; Thu, 10 Aug 2023 10:42:35 -0400
X-MC-Unique: M0f1wGrsMCCYK_iJR0w9xA-1
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id C7E97185A78B;
	Thu, 10 Aug 2023 14:42:33 +0000 (UTC)
Received: from tucnak.zalov.cz (unknown [10.45.225.169])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 7D40B2166B27;
	Thu, 10 Aug 2023 14:42:33 +0000 (UTC)
Received: from tucnak.zalov.cz (localhost [127.0.0.1])
	by tucnak.zalov.cz (8.17.1/8.17.1) with ESMTPS id 37AEgTLN483233
	(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT);
	Thu, 10 Aug 2023 16:42:30 +0200
Received: (from jakub@localhost)
	by tucnak.zalov.cz (8.17.1/8.17.1/Submit) id 37AEgRVA479410;
	Thu, 10 Aug 2023 16:42:27 +0200
Date: Thu, 10 Aug 2023 16:42:27 +0200
From: Jakub Jelinek <jakub@redhat.com>
To: Martin Uecker <muecker@gwdg.de>
Cc: Qing Zhao <qing.zhao@oracle.com>, Michael Matz <matz@suse.de>,
        Kees Cook <keescook@chromium.org>,
        Joseph Myers <joseph@codesourcery.com>,
        Richard Biener <richard.guenther@gmail.com>,
        Qing Zhao via Gcc-patches <gcc-patches@gcc.gnu.org>,
        Siddhesh Poyarekar <siddhesh@gotplt.org>,
        "isanbard@gmail.com" <isanbard@gmail.com>
Subject: Re: [V2][PATCH 0/3] New attribute "counted_by" to annotate bounds
 for C99 FAM(PR108896)
Message-ID: <ZNT3Ux/yXSsf79oc@tucnak>
Reply-To: Jakub Jelinek <jakub@redhat.com>
References: <20230804194431.993958-1-qing.zhao@oracle.com>
 <202308070858.D2FB43E@keescook>
 <5f76638c8cfca7611e955ef9fadacfd7f8dca0fb.camel@tugraz.at>
 <9E6E0BBA-A97F-4C94-B188-8E4A620B36DB@oracle.com>
 <alpine.LSU.2.20.2308091606510.25429@wotan.suse.de>
 <A98EAAAD-213F-4483-A670-244EABA5EC9F@oracle.com>
 <f3c91abdfb56c40021e11e268a800b1a2a139f6a.camel@gwdg.de>
 <3D502A20-7723-456B-8A29-3A4D1502CE74@oracle.com>
 <09e2fa3a43d3c0f909d4c8d455a9d2ccbac79fef.camel@gwdg.de>
MIME-Version: 1.0
In-Reply-To: <09e2fa3a43d3c0f909d4c8d455a9d2ccbac79fef.camel@gwdg.de>
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.6
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Spam-Status: No, score=-3.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE,TXREP autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org
List-Id: <gcc-patches.gcc.gnu.org>

On Thu, Aug 10, 2023 at 04:38:21PM +0200, Martin Uecker wrote:
> Am Donnerstag, dem 10.08.2023 um 13:59 +0000 schrieb Qing Zhao:
> > 
> > > On Aug 10, 2023, at 2:58 AM, Martin Uecker <muecker@gwdg.de> wrote:
> > > 
> > > Am Mittwoch, dem 09.08.2023 um 20:10 +0000 schrieb Qing Zhao:
> > > > 
> > > > > On Aug 9, 2023, at 12:21 PM, Michael Matz <matz@suse.de> wrote:
> > > 
> 
> > > I am not sure for the reason given above. The following
> > > code would not work:
> > > 
> > > struct foo_flex { int a; short b; char t[]; } x;
> > > x.a = 1;
> > > struct foo_flex *p = malloc(sizeof(x) + x.a);
> > > if (!p) abort();
> > > memcpy(p, &x, sizeof(x)); // initialize struct
> > > 
> > Okay. 
> > Then, the user still should use the sizeof(struct foo_flex) + N * sizeof(foo->t) for the allocation, even though this might allocate more bytes than necessary. (But this is safe)
> > 
> > Let me know if I still miss anything.
> 
> The question is not only what the user should use to
> allocate, but also what BDOS should return.  In my
> example the user uses the sizeof() + N * sizeof
> formula and the memcpy is safe, but it would be flagged
> as a buffer overrun if BDOS uses the offsetof formula.

BDOS/BOS (at least the 0 level) should return what is actually
allocated for the var, what size was passed to malloc and if it
is a var with flex array member with initialization what is actually the
size on the stack or in .data/.rodata etc.
And for 1 level the same unless it is just access to some element, then
it should be capped by the size of that element.

	Jakub