From: "pinskia at gcc dot gnu.org"
To: glibc-bugs@sourceware.org
Subject: [Bug libc/31383] New: _FORTIFY_SOURCE==3 and __fortified_attr_access vs size of 0 and zero size types
Date: Wed, 14 Feb 2024 21:06:25 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=31383

            Bug ID: 31383
           Summary: _FORTIFY_SOURCE==3 and __fortified_attr_access vs size of 0 and zero size types
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: pinskia at gcc dot gnu.org
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

__fortified_attr_access seems to be defined incorrectly for _FORTIFY_SOURCE==3.

The documentation for the size-index of access attribute
(https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-access-function-attribute)
has the following:
```
When no size-index argument is specified, the pointer argument must be either
null or point to a space that is suitably aligned and large for __at least one
object__ of the referenced type (this implies that a past-the-end pointer is
not a valid argument).
```

Notice the __at least__ part here.

That means the definition of __fortified_attr_access is wrong when
_FORTIFY_SOURCE==3, when passing around 0 size structs.

An example is:
```
#include <unistd.h>   /* declares read() */

int main(void)
{
    struct test_st {};
    int fd = 0;
    int count = 0;
    struct test_st test_info[16];

    count = read(fd, test_info, sizeof(test_info));
    return(0);
}
```

With _FORTIFY_SOURCE==3 we get:
__attribute__ ((__access__ (__write_only__, 2)))

Which means the size has to be at least 1 but test_info has size of 0 and we
are passing a size of 0 to read even.

This is moved from GCC bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113922 .