From: Siddhesh Poyarekar
To: libc-alpha@sourceware.org
Cc: carlos@redhat.com, fweimer@redhat.com, jakub@redhat.com, eggert@cs.ucla.edu
Subject: [PATCH v6 0/2] _FORTIFY_SOURCE=3
Date: Sat, 19 Dec 2020 12:03:12 +0530
Message-Id: <20201219063314.1409576-1-siddhesh@sourceware.org>

This patchset implements a new fortification level, _FORTIFY_SOURCE=3.
This level allows size information to be dynamic, which may potentially
have a noticeable performance impact.  It uses the
__builtin_dynamic_object_size builtin available in clang to expand
coverage of fortifications at the expense of some performance.

Patch 1/2 implements the base support and support for functions that
have builtins of string functions.  Additionally, the patch also
describes the use case and tradeoffs.

Patch 2/2 adds support for non-string functions that are
fortification-ready for levels 1 and 2.

Testing:

The glibc testsuite doesn't directly support clang at the moment, so
having tests in the glibc source tree is pointless as long as gcc does
not have support for __builtin_dynamic_object_size.  There is a separate
project on GitHub called fortify-test-suite[1] that houses fortification
tests and is capable of testing multiple levels of fortification with
multiple compilers.  I have proposed a PR[2] to add support for
_FORTIFY_SOURCE=3 and have verified my changes with those tests.
Those tests run clean for clang when run with these changes and PR[2]
and they fail at level 3 for gcc, as expected.

[1] https://github.com/serge-sans-paille/fortify-test-suite
[2] https://github.com/serge-sans-paille/fortify-test-suite/pull/9

Changes from previous series:

- Adopted Paul Eggert's macro soup because it has better texture while
  retaining the flavour.

Siddhesh Poyarekar (2):
  string: _FORTIFY_SOURCE=3 using __builtin_dynamic_object_size
  nonstring: _FORTIFY_SOURCE=3 using __builtin_dynamic_object_size

 NEWS                            |   6 ++
 include/features.h              |   8 ++
 include/string.h                |   5 +-
 io/bits/poll2.h                 |  16 ++--
 libio/bits/stdio.h              |   2 +-
 libio/bits/stdio2.h             |  53 ++++++-------
 manual/creature.texi            |   3 +-
 misc/sys/cdefs.h                |   9 +++
 posix/bits/unistd.h             | 112 ++++++++++++++-------------
 socket/bits/socket2.h           |  18 ++---
 stdlib/bits/stdlib.h            |  37 ++++-----
 string/bits/string_fortified.h  |  22 +++---
 string/bits/strings_fortified.h |   4 +-
 wcsmbs/bits/wchar2.h            | 131 ++++++++++++++++----------------
 14 files changed, 230 insertions(+), 196 deletions(-)

-- 
2.29.2
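
Added example, not code from this patch series or from glibc: it contrasts the static `__builtin_object_size` query with the `__builtin_dynamic_object_size` query that the cover letter names as the basis of level 3, on a heap buffer whose size is known only at run time. The helper `copy_to_heap`, the `OBJSIZE_*` macros and the verdict names are hypothetical, and what each builtin reports depends on the compiler and optimization level.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef __has_builtin
# define __has_builtin(x) 0
#endif
/* Static size query next to the dynamic one named in the cover letter.
   Falling back to the static builtin is this example's own choice. */
#define OBJSIZE_STATIC(p) __builtin_object_size((p), 0)
#if __has_builtin(__builtin_dynamic_object_size)
# define OBJSIZE_DYNAMIC(p) __builtin_dynamic_object_size((p), 0)
#else
# define OBJSIZE_DYNAMIC(p) OBJSIZE_STATIC(p)
#endif
#define SIZE_UNKNOWN ((size_t) -1)

enum { COPIED = 0, REJECTED = -1, UNCHECKED = 1, BAD_ARGS = -2 };

/* Hypothetical helper: copy n bytes of constructed input into a heap
   buffer of cap bytes, guarded the way a fortified memcpy is. */
int copy_to_heap(size_t cap, size_t n, int dynamic)
{
    static const char src[64] = "constructed sample input";
    char *buf = (cap != 0 && n <= sizeof src) ? malloc(cap) : NULL;
    if (buf == NULL) return BAD_ARGS;
    size_t known = dynamic ? OBJSIZE_DYNAMIC(buf) : OBJSIZE_STATIC(buf);
    int rc;
    if (known != SIZE_UNKNOWN && n > known)
        rc = REJECTED;   /* size was known: a fortified call aborts here */
    else if (n > cap)
        rc = UNCHECKED;  /* size unknown: overflow would pass; copy skipped */
    else {
        memcpy(buf, src, n);
        rc = COPIED;
    }
    free(buf);
    return rc;
}

int main(int argc, char **argv)
{
    size_t cap = (size_t) argc * 8;  /* only known at run time */
    (void) argv;
    printf("static:  %d\n", copy_to_heap(cap, cap + 8, 0));
    printf("dynamic: %d\n", copy_to_heap(cap, cap + 8, 1));
    return 0;
}
```

With optimization enabled on a compiler that provides the dynamic builtin, the static line typically reports 1 (no check possible) and the dynamic line -1 (rejected).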