From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from beige.elm.relay.mailchannels.net (beige.elm.relay.mailchannels.net [23.83.212.16]) by sourceware.org (Postfix) with ESMTPS id 9E8FE3836C02 for ; Wed, 16 Dec 2020 15:24:35 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 9E8FE3836C02 X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 12B7621CAF; Wed, 16 Dec 2020 15:24:34 +0000 (UTC) Received: from pdx1-sub0-mail-a30.g.dreamhost.com (100-98-64-116.trex.outbound.svc.cluster.local [100.98.64.116]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 7645B21BD4; Wed, 16 Dec 2020 15:24:33 +0000 (UTC) X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org Received: from pdx1-sub0-mail-a30.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.18.11); Wed, 16 Dec 2020 15:24:34 +0000 X-MC-Relay: Neutral X-MailChannels-SenderId: dreamhost|x-authsender|siddhesh@gotplt.org X-MailChannels-Auth-Id: dreamhost X-Wide-Eyed-Bottle: 75afe4dc19c26393_1608132273761_3127423587 X-MC-Loop-Signature: 1608132273760:3020520213 X-MC-Ingress-Time: 1608132273760 Received: from pdx1-sub0-mail-a30.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a30.g.dreamhost.com (Postfix) with ESMTP id 3F3137EED5; Wed, 16 Dec 2020 07:24:33 -0800 (PST) Received: from rhbox.redhat.com (unknown [1.186.101.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: siddhesh@gotplt.org) by pdx1-sub0-mail-a30.g.dreamhost.com (Postfix) with ESMTPSA id C96017EED8; Wed, 16 Dec 2020 07:24:30 -0800 (PST) X-DH-BACKEND: pdx1-sub0-mail-a30 From: Siddhesh Poyarekar To: libc-alpha@sourceware.org Cc: jakub@redhat.com, fweimer@redhat.com, carlos@redhat.com Subject: [PATCH v5 1/2] string: _FORTIFY_SOURCE=3 using __builtin_dynamic_object_size Date: Wed, 16 Dec 2020 20:54:09 +0530 Message-Id: <20201216152410.232149-2-siddhesh@sourceware.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201216152410.232149-1-siddhesh@sourceware.org> References: <20201216152410.232149-1-siddhesh@sourceware.org> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-9.5 required=5.0 tests=BAYES_00, GIT_PATCH_0, JMQ_SPF_NEUTRAL, KAM_DMARC_NONE, KAM_DMARC_STATUS, RCVD_IN_BARRACUDACENTRAL, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2, SPF_HELO_NONE, SPF_NEUTRAL, TXREP autolearn=ham autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Dec 2020 15:24:37 -0000 Introduce a new _FORTIFY_SOURCE level of 3 to enable additional fortifications that may have a potential performance impact. At the moment this level of fortification involves the use of the __builtin_dynamic_object_size builtin whenever the compiler supports it. This change enhances fortified string functions to use __builtin_dynamic_object_size under _FORTIFY_SOURCE=3D3 whenever the compiler supports it. __builtin_dynamic_object_size ----------------------------- __builtin_dynamic_object_size is an LLVM builtin that is similar to __builtin_object_size. In addition to what __builtin_object_size does, i.e. replace the builtin call with a constant object size, __builtin_dynamic_object_size will replace the call site with an expression that evaluates to the object size, thus expanding its applicability. In practice, __builtin_dynamic_object_size evaluates these expressions through malloc/calloc calls that it can associate with the object being evaluated. A simple motivating example is below; -D_FORTIFY_SOURCE=3D2 would miss this and emit memcpy, but -D_FORTIFY_SOURCE=3D3 with the help of __builtin_dynamic_object_size is able to emit __memcpy_chk with the allocation size expression passed into the function: void *copy_obj (const void *src, size_t alloc, size_t copysize) { void *obj =3D malloc (alloc); memcpy (obj, src, copysize); return obj; } Limitations ----------- If the object was allocated elsewhere that the compiler cannot see, or if it was allocated in the function with a function that the compiler does not recognize as an allocator then __builtin_dynamic_object_size also returns -1. Further, the expression used to compute object size may be non-trivial and may potentially incur a noticeable performance impact. These fortifications are hence enabled at a new _FORTIFY_SOURCE level to allow developers to make a choice on the tradeoff according to their environment. Other Changes ------------- The _FORTIFY_SOURCE macro soup in features.h now warns about unsupported fortification levels. For example, it will warn about _FORTIFY_SOURCE=3D3 and over for llvm older than 9.0 and for gcc and _FORTIFY_SOURCE=3D4 will result in a warning on all compilers with an indication of which level has been selected. --- NEWS | 6 ++++++ include/features.h | 11 +++++++++++ include/string.h | 5 +++-- manual/creature.texi | 3 ++- misc/sys/cdefs.h | 9 +++++++++ string/bits/string_fortified.h | 22 +++++++++++----------- string/bits/strings_fortified.h | 4 ++-- 7 files changed, 44 insertions(+), 16 deletions(-) diff --git a/NEWS b/NEWS index 0820984547..df46560878 100644 --- a/NEWS +++ b/NEWS @@ -28,6 +28,12 @@ Major new features: The 32-bit RISC-V port requires at least Linux 5.4, GCC 7.1 and binuti= ls 2.28. =20 +* A new fortification level _FORTIFY_SOURCE=3D3 is available. At this l= evel, + glibc may use additional checks that may have an additional performanc= e + overhead. At present these checks are available only on LLVM 9 and la= ter. + The latest GCC available at this time (10.2) does not support this lev= el of + fortification. + Deprecated and removed features, and other changes affecting compatibili= ty: =20 * The mallinfo function is marked deprecated. Callers should call diff --git a/include/features.h b/include/features.h index f3e62d3362..d6b69b7d97 100644 --- a/include/features.h +++ b/include/features.h @@ -397,6 +397,17 @@ # warning _FORTIFY_SOURCE requires compiling with optimization (-O) # elif !__GNUC_PREREQ (4, 1) # warning _FORTIFY_SOURCE requires GCC 4.1 or later +# elif _FORTIFY_SOURCE > 3 && __glibc_clang_prereq(9, 0) +# warning _FORTIFY_SOURCE > 3 unsupported falling back to 3 +# define __USE_FORTIFY_LEVEL 3 +# elif _FORTIFY_SOURCE > 3 +# warning _FORTIFY_SOURCE > 3 unsupported falling back to 2 +# define __USE_FORTIFY_LEVEL 2 +# elif _FORTIFY_SOURCE > 2 && !__glibc_clang_prereq(9, 0) +# warning _FORTIFY_SOURCE=3D3 requires LLVM 9.0 or later, falling back = to 2 +# define __USE_FORTIFY_LEVEL 2 +# elif _FORTIFY_SOURCE > 2 +# define __USE_FORTIFY_LEVEL 3 # elif _FORTIFY_SOURCE > 1 # define __USE_FORTIFY_LEVEL 2 # else diff --git a/include/string.h b/include/string.h index 7d344d77d4..841ee05a1d 100644 --- a/include/string.h +++ b/include/string.h @@ -123,10 +123,11 @@ libc_hidden_proto (__strerror_l) void __explicit_bzero_chk_internal (void *, size_t, size_t) __THROW __nonnull ((1)) attribute_hidden; # define explicit_bzero(buf, len) \ - __explicit_bzero_chk_internal (buf, len, __bos0 (buf)) + __explicit_bzero_chk_internal (buf, len, __objsize0 (buf)) #elif !IS_IN (nonlib) void __explicit_bzero_chk (void *, size_t, size_t) __THROW __nonnull ((1= )); -# define explicit_bzero(buf, len) __explicit_bzero_chk (buf, len, __bos0= (buf)) +# define explicit_bzero(buf, len) __explicit_bzero_chk (buf, len, = \ + __objsize0 (buf)) #endif =20 libc_hidden_builtin_proto (memchr) diff --git a/manual/creature.texi b/manual/creature.texi index be5050468b..31208ccb2b 100644 --- a/manual/creature.texi +++ b/manual/creature.texi @@ -254,7 +254,8 @@ included. @standards{GNU, (none)} If this macro is defined to @math{1}, security hardening is added to various library functions. If defined to @math{2}, even stricter -checks are applied. +checks are applied. If defined to @math{3}, @theglibc{} may also use +checks that may have an additional performance overhead. @end defvr =20 @defvr Macro _REENTRANT diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h index a06f1cfd91..ca51a5c3ad 100644 --- a/misc/sys/cdefs.h +++ b/misc/sys/cdefs.h @@ -127,6 +127,15 @@ #define __bos(ptr) __builtin_object_size (ptr, __USE_FORTIFY_LEVEL > 1) #define __bos0(ptr) __builtin_object_size (ptr, 0) =20 +/* Use __builtin_dynamic_object_size at _FORTIFY_SOURCE=3D3 when availab= le. */ +#if __USE_FORTIFY_LEVEL =3D=3D 3 && __glibc_clang_prereq (9, 0) +# define __objsize0(__o) __builtin_dynamic_object_size (__o, 0) +# define __objsize(__o) __builtin_dynamic_object_size (__o, 1) +#else +# define __objsize0(__o) __bos0 (__o) +# define __objsize(__o) __bos (__o) +#endif + #if __GNUC_PREREQ (4,3) # define __warnattr(msg) __attribute__((__warning__ (msg))) # define __errordecl(name, msg) \ diff --git a/string/bits/string_fortified.h b/string/bits/string_fortifie= d.h index 4c1aeb45f1..c9f9197aef 100644 --- a/string/bits/string_fortified.h +++ b/string/bits/string_fortified.h @@ -26,13 +26,13 @@ __fortify_function void * __NTH (memcpy (void *__restrict __dest, const void *__restrict __src, size_t __len)) { - return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest)); + return __builtin___memcpy_chk (__dest, __src, __len, __objsize0 (__des= t)); } =20 __fortify_function void * __NTH (memmove (void *__dest, const void *__src, size_t __len)) { - return __builtin___memmove_chk (__dest, __src, __len, __bos0 (__dest))= ; + return __builtin___memmove_chk (__dest, __src, __len, __objsize0 (__de= st)); } =20 #ifdef __USE_GNU @@ -40,7 +40,7 @@ __fortify_function void * __NTH (mempcpy (void *__restrict __dest, const void *__restrict __src, size_t __len)) { - return __builtin___mempcpy_chk (__dest, __src, __len, __bos0 (__dest))= ; + return __builtin___mempcpy_chk (__dest, __src, __len, __objsize0 (__de= st)); } #endif =20 @@ -53,7 +53,7 @@ __NTH (mempcpy (void *__restrict __dest, const void *__= restrict __src, __fortify_function void * __NTH (memset (void *__dest, int __ch, size_t __len)) { - return __builtin___memset_chk (__dest, __ch, __len, __bos0 (__dest)); + return __builtin___memset_chk (__dest, __ch, __len, __objsize0 (__dest= )); } =20 #ifdef __USE_MISC @@ -65,21 +65,21 @@ void __explicit_bzero_chk (void *__dest, size_t __len= , size_t __destlen) __fortify_function void __NTH (explicit_bzero (void *__dest, size_t __len)) { - __explicit_bzero_chk (__dest, __len, __bos0 (__dest)); + __explicit_bzero_chk (__dest, __len, __objsize0 (__dest)); } #endif =20 __fortify_function char * __NTH (strcpy (char *__restrict __dest, const char *__restrict __src)) { - return __builtin___strcpy_chk (__dest, __src, __bos (__dest)); + return __builtin___strcpy_chk (__dest, __src, __objsize (__dest)); } =20 #ifdef __USE_GNU __fortify_function char * __NTH (stpcpy (char *__restrict __dest, const char *__restrict __src)) { - return __builtin___stpcpy_chk (__dest, __src, __bos (__dest)); + return __builtin___stpcpy_chk (__dest, __src, __objsize (__dest)); } #endif =20 @@ -88,14 +88,14 @@ __fortify_function char * __NTH (strncpy (char *__restrict __dest, const char *__restrict __src, size_t __len)) { - return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest)); + return __builtin___strncpy_chk (__dest, __src, __len, __objsize (__des= t)); } =20 #if __GNUC_PREREQ (4, 7) || __glibc_clang_prereq (2, 6) __fortify_function char * __NTH (stpncpy (char *__dest, const char *__src, size_t __n)) { - return __builtin___stpncpy_chk (__dest, __src, __n, __bos (__dest)); + return __builtin___stpncpy_chk (__dest, __src, __n, __objsize (__dest)= ); } #else extern char *__stpncpy_chk (char *__dest, const char *__src, size_t __n, @@ -118,7 +118,7 @@ __NTH (stpncpy (char *__dest, const char *__src, size= _t __n)) __fortify_function char * __NTH (strcat (char *__restrict __dest, const char *__restrict __src)) { - return __builtin___strcat_chk (__dest, __src, __bos (__dest)); + return __builtin___strcat_chk (__dest, __src, __objsize (__dest)); } =20 =20 @@ -126,7 +126,7 @@ __fortify_function char * __NTH (strncat (char *__restrict __dest, const char *__restrict __src, size_t __len)) { - return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest)); + return __builtin___strncat_chk (__dest, __src, __len, __objsize (__des= t)); } =20 #endif /* bits/string_fortified.h */ diff --git a/string/bits/strings_fortified.h b/string/bits/strings_fortif= ied.h index d4091f4f69..122199e036 100644 --- a/string/bits/strings_fortified.h +++ b/string/bits/strings_fortified.h @@ -22,13 +22,13 @@ __fortify_function void __NTH (bcopy (const void *__src, void *__dest, size_t __len)) { - (void) __builtin___memmove_chk (__dest, __src, __len, __bos0 (__dest))= ; + (void) __builtin___memmove_chk (__dest, __src, __len, __objsize0 (__de= st)); } =20 __fortify_function void __NTH (bzero (void *__dest, size_t __len)) { - (void) __builtin___memset_chk (__dest, '\0', __len, __bos0 (__dest)); + (void) __builtin___memset_chk (__dest, '\0', __len, __objsize0 (__dest= )); } =20 #endif --=20 2.29.2