From: Siddhesh Poyarekar
To: libc-alpha@sourceware.org
Cc: jakub@redhat.com, fweimer@redhat.com, carlos@redhat.com
Subject: [PATCH v5 0/2] _FORTIFY_SOURCE=3
Date: Wed, 16 Dec 2020 20:54:08 +0530
Message-Id: <20201216152410.232149-1-siddhesh@sourceware.org>

This patchset implements a new fortification level, _FORTIFY_SOURCE=3.
This level allows size information to be dynamic, which may potentially
have a noticeable performance impact. It uses the
__builtin_dynamic_object_size builtin available in clang to expand
coverage of fortifications at the expense of some performance.

Patch 1/2 implements the base support and support for functions that
have builtins of string functions. Additionally, the patch also
describes the use case and tradeoffs.

Patch 2/2 adds support for non-string functions that are
fortification-ready for levels 1 and 2.

Testing:

The glibc testsuite doesn't directly support clang at the moment, so
having tests in the glibc source tree is pointless as long as gcc does
not have support for __builtin_dynamic_object_size. There is a separate
project on GitHub called fortify-test-suite[1] that houses fortification
tests and is capable of testing multiple levels of fortification with
multiple compilers. I have proposed a PR[2] to add support for
_FORTIFY_SOURCE=3 and have verified my changes with those tests.

Those tests run clean for clang when run with these changes and PR[2]
and they fail at level 3 for gcc, as expected.

[1] https://github.com/serge-sans-paille/fortify-test-suite
[2] https://github.com/serge-sans-paille/fortify-test-suite/pull/9

Changes from previous series:

- Updated the _FORTIFY_SOURCE macro soup to warn on invalid values to
  _FORTIFY_SOURCE with an indication of what level was chosen.

Siddhesh Poyarekar (2):
  string: _FORTIFY_SOURCE=3 using __builtin_dynamic_object_size
  nonstring: _FORTIFY_SOURCE=3 using __builtin_dynamic_object_size

 NEWS                            |   6 ++
 include/features.h              |  11 +++
 include/string.h                |   5 +-
 io/bits/poll2.h                 |  16 ++--
 libio/bits/stdio.h              |   2 +-
 libio/bits/stdio2.h             |  53 ++++++-------
 manual/creature.texi            |   3 +-
 misc/sys/cdefs.h                |   9 +++
 posix/bits/unistd.h             | 112 ++++++++++++++-------------
 socket/bits/socket2.h           |  18 ++---
 stdlib/bits/stdlib.h            |  37 ++++-----
 string/bits/string_fortified.h  |  22 +++---
 string/bits/strings_fortified.h |   4 +-
 wcsmbs/bits/wchar2.h            | 131 ++++++++++++++++----------------
 14 files changed, 233 insertions(+), 196 deletions(-)

-- 
2.29.2
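
Added example, not part of the original message or of the glibc patches: a C sketch of the size check that separates level 2 (`__builtin_object_size`, compile-time constants only) from the proposed level 3 (`__builtin_dynamic_object_size`) for a heap buffer whose size is only known at run time. The helper `fortified_copy`, the `DYN_SIZE` macro and the `outcome` enum are hypothetical names, and the sample input is constructed.

```c
/* Added illustration (not glibc code): the size check behind levels 2 and 3.
   Build with optimization, e.g. cc -O2, as _FORTIFY_SOURCE itself requires. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef __has_builtin
# define __has_builtin(x) 0
#endif
#if __has_builtin(__builtin_dynamic_object_size)
# define DYN_SIZE(p) __builtin_dynamic_object_size((p), 0)
#else   /* compiler lacks the builtin: level 3 degrades to level 2 */
# define DYN_SIZE(p) __builtin_object_size((p), 0)
#endif

enum outcome { COPIED, BLOCKED, MISSED };

/* Hypothetical helper: copy n bytes into a heap buffer of `alloc` bytes,
   guarded the way a fortified memcpy would be at the given level. */
enum outcome fortified_copy(int level, size_t alloc, size_t n)
{
    static const char src[64] = "constructed sample input";
    volatile size_t runtime = alloc;   /* hide the value from the optimizer */
    size_t cap = runtime;
    enum outcome r;
    char *dst = malloc(cap);

    if (dst == NULL || n > sizeof src)
        abort();                       /* demo limits, not part of the check */
    /* Level 2 yields a constant or "unknown"; level 3 may yield an expression. */
    size_t known = (level >= 3) ? DYN_SIZE(dst) : __builtin_object_size(dst, 0);

    if (known != (size_t) -1 && n > known)
        r = BLOCKED;                   /* glibc would call __chk_fail() here */
    else if (n > cap)
        r = MISSED;                    /* size unknown: overflow goes unchecked
                                          (the copy is skipped in this demo) */
    else {
        memcpy(dst, src, n);
        r = COPIED;
    }
    free(dst);
    return r;
}
int main(void)
{
    static const char *name[] = { "copied", "blocked", "missed" };
    printf("level 2, 32 into 16: %s\n", name[fortified_copy(2, 16, 32)]);
    printf("level 3, 32 into 16: %s\n", name[fortified_copy(3, 16, 32)]);
    return 0;
}
```

The level 2 call always reports "missed" because the allocation size is not a compile-time constant. The level 3 call should report "blocked" when built with optimization by a compiler that provides the builtin, and "missed" otherwise.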