[Bug libc/31383] New: _FORTIFY_SOURCE==3 and __fortified_attr_access vs size of 0 and zero size types

[Bug libc/31383] New: _FORTIFY_SOURCE==3 and __fortified_attr_access vs size of 0 and zero size types

[pinskia at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=31383

            Bug ID: 31383
           Summary: _FORTIFY_SOURCE==3 and __fortified_attr_access vs size
                    of 0 and zero size types
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: pinskia at gcc dot gnu.org
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

__fortified_attr_access seems to be defined incorrectly for _FORTIFY_SOURCE==3.
The documentation for the size-index of access attribute
(https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-access-function-attribute)
has the following:
```
When no size-index argument is specified, the pointer argument must be either
null or point to a space that is suitably aligned and large for __at least one
object__ of the referenced type (this implies that a past-the-end pointer is
not a valid argument).
```

Notice the __at least__ part here. That means the definition of
__fortified_attr_access is wrong when _FORTIFY_SOURCE==3, when passing around 0
size structs.

An example is:
```

#include <stdio.h>
#include <unistd.h>

int main(void) {
    struct test_st {};
    int fd = 0;
    int count = 0;

    struct test_st test_info[16];

    count = read(fd, test_info, sizeof(test_info));
    return(0);
}
```

With _FORTIFY_SOURCE==3 we get:
 __attribute__ ((__access__ (__write_only__, 2)))

Which means the size has to be at least 1 but test_info has size of 0 and we
are passing a size of 0 to read even.

This is moved from GCC bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113922
.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/31383] _FORTIFY_SOURCE==3 and __fortified_attr_access vs size of 0 and zero size types

[sam at gentoo dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=31383

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sam at gentoo dot org

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/31383] _FORTIFY_SOURCE==3 and __fortified_attr_access vs size of 0 and zero size types

[sergiodj at sergiodj dot net]

https://sourceware.org/bugzilla/show_bug.cgi?id=31383

Sergio Durigan Junior <sergiodj at sergiodj dot net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sergiodj at sergiodj dot net

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/31383] _FORTIFY_SOURCE==3 and __fortified_attr_access vs size of 0 and zero size types

[sam at gentoo dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=31383

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |siddhesh at sourceware dot org

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/31383] _FORTIFY_SOURCE=3 and __fortified_attr_access vs size of 0 and zero size types

[sam at gentoo dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=31383

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|_FORTIFY_SOURCE==3 and      |_FORTIFY_SOURCE=3 and
                   |__fortified_attr_access vs  |__fortified_attr_access vs
                   |size of 0 and zero size     |size of 0 and zero size
                   |types                       |types

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/31383] _FORTIFY_SOURCE=3 and __fortified_attr_access vs size of 0 and zero size types

[andreas at canonical dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=31383

Andreas Hasenack <andreas at canonical dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |andreas at canonical dot com

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/31383] _FORTIFY_SOURCE=3 and __fortified_attr_access vs size of 0 and zero size types

[siddhesh at sourceware dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=31383

--- Comment #1 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
```
When no size-index argument is specified, the pointer argument must be either
null or point to a space that is suitably aligned and large for __at least one
object__ of the referenced type (this implies that a past-the-end pointer is
not a valid argument).
```

Well technically, the pointer argument *is* suitably aligned and large for 16
objects of 0 size, but the implication that it is hence not a past-the-end
pointer is invalid.  I'll drop the access attribute (since the additional value
from having it is not really significant enough) but IMO -Wstringop-overflow
needs to be fixed to handle pointers to zero-sized structs, i.e. it needs to
ignore them and not conjure up an access size of 1 out of nowhere.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/31383] _FORTIFY_SOURCE=3 and __fortified_attr_access vs size of 0 and zero size types

[siddhesh at sourceware dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=31383

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|unassigned at sourceware dot org   |siddhesh at sourceware dot org

--- Comment #2 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
Patch posted:
https://patchwork.sourceware.org/project/glibc/patch/20240215171506.3154505-1-siddhesh@sourceware.org/

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/31383] _FORTIFY_SOURCE=3 and __fortified_attr_access vs size of 0 and zero size types

[siddhesh at sourceware dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=31383

--- Comment #3 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
(In reply to Siddhesh Poyarekar from comment #1)
> ```
> When no size-index argument is specified, the pointer argument must be
> either null or point to a space that is suitably aligned and large for __at
> least one object__ of the referenced type (this implies that a past-the-end
> pointer is not a valid argument).
> ```
> 
> Well technically, the pointer argument *is* suitably aligned and large for
> 16 objects of 0 size, but the implication that it is hence not a
> past-the-end pointer is invalid.  I'll drop the access attribute (since the
> additional value from having it is not really significant enough) but IMO
> -Wstringop-overflow needs to be fixed to handle pointers to zero-sized
> structs, i.e. it needs to ignore them and not conjure up an access size of 1
> out of nowhere.

Actually, no, I was wrong. The referenced type is void*, which is why the
warning is 'correct'.  Maybe there's scope for better wording, but it does make
sense to warn in such cases:

extern void f2 (void *) __attribute__ ((__access__ (__write_only__, 1)));

void
f1 (void)
{
  struct A {} a[16];

  f2 (a);
}

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/31383] _FORTIFY_SOURCE=3 and __fortified_attr_access vs size of 0 and zero size types

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=31383

--- Comment #4 from Sourceware Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Siddhesh Poyarekar
<siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bf9688e623262c5fa9f91e4de0e84db45025076f

commit bf9688e623262c5fa9f91e4de0e84db45025076f
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Thu Feb 15 07:40:56 2024 -0500

    cdefs: Drop access attribute for _FORTIFY_SOURCE=3 (BZ #31383)

    When passed a pointer to a zero-sized struct, the access attribute
    without the third argument misleads -Wstringop-overflow diagnostics to
    think that a function is writing 1 byte into the zero-sized structs.
    The attribute doesn't add that much value in this context, so drop it
    completely for _FORTIFY_SOURCE=3.

    Resolves: BZ #31383
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/31383] _FORTIFY_SOURCE=3 and __fortified_attr_access vs size of 0 and zero size types

[siddhesh at sourceware dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=31383

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #5 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
Done.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/31383] _FORTIFY_SOURCE=3 and __fortified_attr_access vs size of 0 and zero size types

[siddhesh at sourceware dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=31383

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.40

-- 
You are receiving this mail because:
You are on the CC list for the bug.