[Bug network/30293] New: Socket API is not alias safe

[Bug network/30293] New: Socket API is not alias safe

[rouca at debian dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=30293

            Bug ID: 30293
           Summary: Socket API is not alias safe
           Product: glibc
           Version: 2.39
            Status: NEW
          Severity: normal
          Priority: P2
         Component: network
          Assignee: unassigned at sourceware dot org
          Reporter: rouca at debian dot org
  Target Milestone: ---

Hi,

POSIX was ammended about aliasing in socket API.

Glibc should implement alias safe socket API

https://austingroupbugs.net/view.php?id=1641

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/30293] Socket API is not alias safe

[rouca at debian dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=30293

Bastien Roucariès <rouca at debian dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rouca at debian dot org

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/30293] Socket API is not alias safe

[sam at gentoo dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=30293

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sam at gentoo dot org

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/30293] Socket API is not alias safe

[sam at gentoo dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=30293

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugdal at aerifal dot cx,
                   |                            |eblake at redhat dot com

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/30293] Socket API is not alias safe

[eblake at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=30293

--- Comment #1 from Eric Blake <eblake at redhat dot com> ---
In particular, the intent of the POSIX amendment is that user code (such as
this example abridged from 'man 2 bind' on Fedora 37) must compile without
compiler diagnostics about an alias violation under default compiler warning
levels, and must produce the intended semantics without the compiler
mis-optimizing it on the grounds of undefined behavior from an alias violation:

       #include <sys/socket.h>
       #include <sys/un.h>
       #include <stdlib.h>
       #include <stdio.h>
       #include <string.h>

       #define MY_SOCK_PATH "/somepath"
       #define handle_error(msg) \
           do { perror(msg); exit(EXIT_FAILURE); } while (0)

       int
       main(int argc, char *argv[])
       {
           int sfd, cfd;
           struct sockaddr_un my_addr;

           sfd = socket(AF_UNIX, SOCK_STREAM, 0);
           if (sfd == -1)
               handle_error("socket");

           memset(&my_addr, 0, sizeof(my_addr));
           my_addr.sun_family = AF_UNIX;
           strncpy(my_addr.sun_path, MY_SOCK_PATH,
                   sizeof(my_addr.sun_path) - 1);

           if (bind(sfd, (struct sockaddr *) &my_addr,
                   sizeof(my_addr)) == -1)  // compiler must not flag this
               handle_error("bind");
           //...
       }

However, other (bad) user code, such as the following, may still trigger
undefined behavior, even if the compiler is no longer able to diagnose it
because of whatever was done to the structs in order to make the
sockaddr.sa_family/sockaddr_un.sun_family aliasing be well-defined behavior:

    struct sockaddr too_small = { .sa_family = AF_UNIX };
    int sfd = socket(AF_UNIX, SOCK_STREAM, 0);
    bind(sfd, &too_small, sizeof(struct sockaddr_storage)); // BAD - don't do
this; the compiler can't flag this as an aliasing violation, but might be able
to flag it for potential out-of-bounds referencing

Conversely, POSIX does not intend to require that the various sockaddr* types
must be universal aliases (that is, sockaddr* does not have to be synonymous
with void* or char*, if an implementation has a way to fine-tune how much it
can alias):

    struct stat *st;
    struct sockaddr *sa = (struct sockaddr *)st; // BAD - compiler may, but not
must, flag this as an obvious aliasing violation, as it is not one of the casts
required by POSIX to be diagnostic-free

[If the POSIX amendment is itself inaccurate, the Austin Group welcomes
comments on how to improve the wording before Issue 8 is finalized]

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/30293] Socket API is not alias safe

[rouca at debian dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=30293

--- Comment #2 from Bastien Roucariès <rouca at debian dot org> ---
Any news now that POSIX was amended ?

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/30293] Socket API is not alias safe

[eblake at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=30293

--- Comment #3 from Eric Blake <eblake at redhat dot com> ---
(In reply to Bastien Roucariès from comment #2)
> Any news now that POSIX was amended ?

Issue 8 is not yet finalized; but the latest POSIX wording looks like it will
be this:
https://austingroupbugs.net/view.php?id=1641#c6290

with the following normative text:
    When a pointer to a sockaddr_storage structure is converted to a pointer to
a sockaddr structure, or vice versa, the ss_family member of the
sockaddr_storage structure shall map onto the sa_family member of the sockaddr
structure. When a pointer to a sockaddr_storage structure is converted to a
pointer to a protocol-specific address structure, or vice versa, the ss_family
member shall map onto a member of that structure that is of type sa_family_t
that identifies the protocol’s address family. When a pointer to a sockaddr
structure is converted to a pointer to a protocol-specific address structure,
or vice versa, the sa_family member shall map onto a member of that structure
that is of type sa_family_t that identifies the protocol’s address family.
Additionally, the structures shall be defined in such a way that the compiler
treats an access to the stored value of the sa_family_t member of any of these
structures, via an lvalue expression whose type involves any other one of these
structures, as permissible, despite the more restrictive expression rules on
stored value access as stated in the ISO C standard. Similarly, when a pointer
to a sockaddr_storage or sockaddr structure is converted to a pointer to a
protocol-specific address structure, the compiler shall treat an access (using
this converted pointer) to the stored value of any member of the
protocol-specific structure as permissible. The application shall ensure that
the protocol-specific address structure corresponds to the family indicated by
the member with type sa_family_t of that structure and the pointed-to object
has sufficient memory for addressing all members of the protocol-specific
structure.

and the following informative rationale text:
Note that defining the sockaddr_storage and sockaddr structures using only
mechanisms defined in early editions of the ISO C standard may produce aliasing
diagnostics when applications use casting between pointers to the various
socket address structures. Because of the large body of existing code utilizing
sockets in a way that could trigger undefined behavior due to strict aliasing
rules, this standard mandates that these structures can alias each other for
accessing the sa_family_t member of the structures (or other members for
protocol-specific structure references), so as to preserve well-defined
semantics. An implementation's header files may need to use anonymous unions,
or even an implementation-specific extension, to comply with the requirements
of this standard.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/30293] Socket API is not alias safe

[sam at gentoo dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=30293

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://sourceware.org/bugz
                   |                            |illa/show_bug.cgi?id=19622

-- 
You are receiving this mail because:
You are on the CC list for the bug.