From: Siddhesh Poyarekar
To: libc-alpha@sourceware.org
Cc: adhemerval.zanella@linaro.org, fweimer@redhat.com, jakub@redhat.com
Subject: [PATCH v7 2/4] Introduce _FORTIFY_SOURCE=3
Date: Wed, 30 Dec 2020 12:13:46 +0530
Message-Id: <20201230064348.376092-3-siddhesh@sourceware.org>
In-Reply-To: <20201230064348.376092-1-siddhesh@sourceware.org>
References: <20201230064348.376092-1-siddhesh@sourceware.org>

Introduce a new _FORTIFY_SOURCE level of 3 to enable additional
fortifications that may have a noticeable performance impact, allowing
more fortification coverage at the cost of some performance. With llvm
9.0 or later, this will replace the use of __builtin_object_size with
__builtin_dynamic_object_size.

__builtin_dynamic_object_size
-----------------------------

__builtin_dynamic_object_size is an LLVM builtin that is similar to
__builtin_object_size. In addition to what __builtin_object_size does,
i.e. replace the builtin call with a constant object size,
__builtin_dynamic_object_size will replace the call site with an
expression that evaluates to the object size, thus expanding its
applicability. In practice, __builtin_dynamic_object_size evaluates
these expressions through malloc/calloc calls that it can associate with
the object being evaluated.
A simple motivating example is below; -D_FORTIFY_SOURCE=2 would miss
this and emit memcpy, but -D_FORTIFY_SOURCE=3 with the help of
__builtin_dynamic_object_size is able to emit __memcpy_chk with the
allocation size expression passed into the function:

  #include <stdlib.h>
  #include <string.h>

  /* Allocation size is only known at run time, so __builtin_object_size
     cannot fold it; __builtin_dynamic_object_size yields `alloc'.  */
  void *
  copy_obj (const void *src, size_t alloc, size_t copysize)
  {
    void *obj = malloc (alloc);
    memcpy (obj, src, copysize);
    return obj;
  }

Limitations
-----------

If the object was allocated elsewhere, where the compiler cannot see it,
or if it was allocated in the function with a function that the compiler
does not recognize as an allocator, then __builtin_dynamic_object_size
also returns -1. Further, the expression used to compute object size may
be non-trivial and may potentially incur a noticeable performance
impact. These fortifications are hence enabled at a new _FORTIFY_SOURCE
level to allow developers to make a choice on the tradeoff according to
their environment.

--- include/features.h | 5 +++++ misc/sys/cdefs.h | 9 +++++++++ 2 files changed, 14 insertions(+) diff --git a/include/features.h b/include/features.h index 540230b90b..066eb0eecd 100644 --- a/include/features.h +++ b/include/features.h @@ -397,6 +397,11 @@ # warning _FORTIFY_SOURCE requires compiling with optimization (-O) # elif !__GNUC_PREREQ (4, 1) # warning _FORTIFY_SOURCE requires GCC 4.1 or later +# elif _FORTIFY_SOURCE > 2 && __glibc_clang_prereq (9, 0) +# if _FORTIFY_SOURCE > 3 +# warning _FORTIFY_SOURCE > 3 is treated like 3 on this platform +# endif +# define __USE_FORTIFY_LEVEL 3 # elif _FORTIFY_SOURCE > 1 # if _FORTIFY_SOURCE > 2 # warning _FORTIFY_SOURCE > 2 is treated like 2 on this platform diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h index a06f1cfd91..5fb6e309be 100644 --- a/misc/sys/cdefs.h +++ b/misc/sys/cdefs.h
@@ -127,6 +127,15 @@ #define __bos(ptr) __builtin_object_size (ptr, __USE_FORTIFY_LEVEL > 1) #define __bos0(ptr) __builtin_object_size (ptr, 0) =20 +/* Use __builtin_dynamic_object_size at _FORTIFY_SOURCE=3D3 when availab= le. */ +#if __USE_FORTIFY_LEVEL =3D=3D 3 && __glibc_clang_prereq (9, 0) +# define __glibc_objsize0(__o) __builtin_dynamic_object_size (__o, 0) +# define __glibc_objsize(__o) __builtin_dynamic_object_size (__o, 1) +#else +# define __glibc_objsize0(__o) __bos0 (__o) +# define __glibc_objsize(__o) __bos (__o) +#endif + #if __GNUC_PREREQ (4,3) # define __warnattr(msg) __attribute__((__warning__ (msg))) # define __errordecl(name, msg) \ --=20 2.29.2
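Review bot: in the features.h hunk, the new `# elif _FORTIFY_SOURCE > 2 && __glibc_clang_prereq (9, 0)` branch keys level 3 on a compiler version rather than on the availability of `__builtin_dynamic_object_size`, and the same `__glibc_clang_prereq (9, 0)` test is repeated in cdefs.h; consider deciding once (a single internal macro set next to this check) so that another compiler gaining the builtin later needs one change, not two. On compilers that fail the test, `_FORTIFY_SOURCE=3` falls through to the existing `> 1` branch and only gets the generic "_FORTIFY_SOURCE > 2 is treated like 2 on this platform" warning; that text could say that level 3 needs a compiler with `__builtin_dynamic_object_size`. The new level and its performance trade-off (stated in the commit message) are not documented in this patch either.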
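Review bot: in the cdefs.h hunk, `#if __USE_FORTIFY_LEVEL == 3 && __glibc_clang_prereq (9, 0)` re-tests the compiler even though features.h only defines `__USE_FORTIFY_LEVEL` as 3 when that same test holds, so the second operand is redundant; either drop it or comment that it is deliberate. The new `__glibc_objsize`/`__glibc_objsize0` macros have no callers in this hunk, so the comment above them should say that fortified headers must use them instead of `__bos`/`__bos0` to pick up dynamic sizing (the existing `__bos` still evaluates `__USE_FORTIFY_LEVEL > 1` to type 1 at level 3, which is consistent with the `1` passed to `__builtin_dynamic_object_size` here). Minor style point: the macro parameter is `__o` while the neighbouring `__bos`/`__bos0` use `ptr`.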
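To make the level-2 versus level-3 difference described in the commit message concrete, here is an added stand-alone C program; it is not part of this patch or of glibc. `OBJSIZE0` plays the role of the patch's `__glibc_objsize0` (it assumes the compiler supports `__has_builtin`, which clang and GCC 10 and later do, and falls back to `__builtin_object_size` otherwise), `chk_decide` spells out the decision a `__memcpy_chk`-style function makes from the object size it is handed, and `copy_obj_checked` is `copy_obj` from the commit message with that check made visible and reported instead of aborting. All names, the `CHK_*` result codes and the `SAMPLE` input are constructed for the example. Built with optimization on a compiler that has `__builtin_dynamic_object_size` (clang 9 or later per the commit message; GCC 12 and later also provide it), the malloc'd object is sized from `alloc` and the over-long copy is caught; built at -O0 or with a compiler lacking the builtin, the size comes back as -1 and the copy is classified as unchecked, which is exactly the gap level 2 leaves.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example, not glibc code.  OBJSIZE0 mirrors the patch's
   __glibc_objsize0: use __builtin_dynamic_object_size when the compiler
   has it, otherwise the constant-only __builtin_object_size.  */
#if defined(__has_builtin)
# if __has_builtin(__builtin_dynamic_object_size)
#  define OBJSIZE0(p) __builtin_dynamic_object_size ((p), 0)
#  define HAVE_DYNAMIC_OBJSIZE 1
# endif
#endif
#ifndef OBJSIZE0
# define OBJSIZE0(p) __builtin_object_size ((p), 0)
# define HAVE_DYNAMIC_OBJSIZE 0
#endif

/* Both builtins report "size unknown" as (size_t) -1 for type 0.  */
#define OBJSIZE_UNKNOWN ((size_t) -1)

/* Constructed result codes for this demo.  */
enum chk_result { CHK_COPY = 0, CHK_TRAP = 1, CHK_UNCHECKED = 2, CHK_ENOMEM = 3 };

/* The decision a *_chk function makes from the object size the fortified
   header passed in and the requested length.  An unknown size means the
   header could not fortify the call at all (level 2 on copy_obj).  */
enum chk_result
chk_decide (size_t objsize, size_t n)
{
  if (objsize == OBJSIZE_UNKNOWN)
    return CHK_UNCHECKED;
  return n > objsize ? CHK_TRAP : CHK_COPY;
}

/* copy_obj from the commit message with the fortification check made
   explicit.  A real fortified build aborts on CHK_TRAP and calls plain
   memcpy on CHK_UNCHECKED (possibly overflowing); this demo copies only
   when the check passes, so it never writes out of bounds.  */
enum chk_result
copy_obj_checked (const void *src, size_t alloc, size_t copysize, void **out)
{
  *out = NULL;
  void *obj = malloc (alloc);
  if (obj == NULL)
    return CHK_ENOMEM;
  /* With the dynamic builtin and optimization, OBJSIZE0 (obj) folds to
     `alloc'; otherwise it is OBJSIZE_UNKNOWN because alloc is not a
     compile-time constant.  */
  size_t seen = OBJSIZE0 (obj);
  enum chk_result r = chk_decide (seen, copysize);
  if (r != CHK_COPY)
    {
      free (obj);
      return r;
    }
  memcpy (obj, src, copysize);
  *out = obj;
  return r;
}

/* Constructed input: 16 characters plus the terminating NUL (17 bytes).  */
static const char SAMPLE[] = "0123456789abcdef";

/* 17 bytes into an 8-byte allocation: CHK_TRAP when the compiler sees the
   size, CHK_UNCHECKED when it does not, never CHK_COPY.  */
int
demo_overflow_case (void)
{
  void *out;
  int r = (int) copy_obj_checked (SAMPLE, 8, sizeof SAMPLE, &out);
  free (out);
  return r;
}

/* 17 bytes into a 32-byte allocation: CHK_COPY, or CHK_UNCHECKED if the
   size was invisible to the compiler.  Returns -1 on a corrupted copy.  */
int
demo_ok_case (void)
{
  void *out;
  int r = (int) copy_obj_checked (SAMPLE, 32, sizeof SAMPLE, &out);
  if (r == CHK_COPY && memcmp (out, SAMPLE, sizeof SAMPLE) != 0)
    r = -1;
  free (out);
  return r;
}

int
main (void)
{
  printf ("__builtin_dynamic_object_size available: %d\n", HAVE_DYNAMIC_OBJSIZE);
  printf ("17 bytes into 8-byte object:  result %d (1=trap, 2=unchecked)\n",
          demo_overflow_case ());
  printf ("17 bytes into 32-byte object: result %d (0=copy, 2=unchecked)\n",
          demo_ok_case ());
  return 0;
}
```

Compile it twice, once with -O2 on a compiler that has the builtin and once with -O0, and compare the two result lines: the first build reports the over-long copy as a trap, the second reports it as unchecked, which is the run-time-sized allocation case the patch is about.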