[PATCH] cdefs: Drop access attribute for _FORTIFY_SOURCE=3 (BZ #31383)

[PATCH] cdefs: Drop access attribute for _FORTIFY_SOURCE=3 (BZ #31383)

[Siddhesh Poyarekar]

When passed a pointer to a zero-sized struct, the access attribute
without the third argument misleads -Wstringop-overflow diagnostics to
think that a function is writing 1 byte into the zero-sized structs.
The attribute doesn't add that much value in this context, so drop it
completely for _FORTIFY_SOURCE=3.

Resolves: BZ #31383
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
---
Tested on x86_64

 io/Makefile        |  1 +
 io/tst-read-zero.c | 35 +++++++++++++++++++++++++++++++++++
 misc/sys/cdefs.h   |  6 +++---
 3 files changed, 39 insertions(+), 3 deletions(-)
 create mode 100644 io/tst-read-zero.c

diff --git a/io/Makefile b/io/Makefile
index 54d950d51f..2a52b66255 100644
--- a/io/Makefile
+++ b/io/Makefile
@@ -215,6 +215,7 @@ tests := \
   tst-openat \
   tst-posix_fallocate \
   tst-posix_fallocate64 \
+  tst-read-zero \
   tst-readlinkat \
   tst-renameat \
   tst-stat \
diff --git a/io/tst-read-zero.c b/io/tst-read-zero.c
new file mode 100644
index 0000000000..b7657837e2
--- /dev/null
+++ b/io/tst-read-zero.c
@@ -0,0 +1,35 @@
+/* read smoke test for 0-sized structures.
+   Copyright The GNU Toolchain Authors.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+/* Zero-sized structures should not result in any overflow warnings or
+   errors when fortification is enabled.  */
+#define _FORTIFY_SOURCE 3
+#include <stdio.h>
+#include <unistd.h>
+#include <support/check.h>
+
+int
+do_test (void)
+{
+  struct test_st {} test_info[16];
+
+  TEST_VERIFY_EXIT (read (0, test_info, sizeof(test_info)) == 0);
+  return 0;
+}
+
+#include <support/test-driver.c>
diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h
index 520231dbea..800c44640f 100644
--- a/misc/sys/cdefs.h
+++ b/misc/sys/cdefs.h
@@ -683,10 +683,10 @@ _Static_assert (0, "IEEE 128-bits long double requires redirection on this platf
 #  define __attr_access(x) __attribute__ ((__access__ x))
 /* For _FORTIFY_SOURCE == 3 we use __builtin_dynamic_object_size, which may
    use the access attribute to get object sizes from function definition
-   arguments, so we can't use them on functions we fortify.  Drop the object
-   size hints for such functions.  */
+   arguments, so we can't use them on functions we fortify.  Drop the access
+   attribute for such functions.  */
 #  if __USE_FORTIFY_LEVEL == 3
-#    define __fortified_attr_access(a, o, s) __attribute__ ((__access__ (a, o)))
+#    define __fortified_attr_access(a, o, s)
 #  else
 #    define __fortified_attr_access(a, o, s) __attr_access ((a, o, s))
 #  endif
-- 
2.43.0

[PATCH v2] cdefs: Drop access attribute for _FORTIFY_SOURCE=3 (BZ #31383)

[Siddhesh Poyarekar]

When passed a pointer to a zero-sized struct, the access attribute
without the third argument misleads -Wstringop-overflow diagnostics to
think that a function is writing 1 byte into the zero-sized structs.
The attribute doesn't add that much value in this context, so drop it
completely for _FORTIFY_SOURCE=3.

Resolves: BZ #31383
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
---
Changes from v1:
- Adjust test to read from /dev/zero

 io/Makefile        |  1 +
 io/tst-read-zero.c | 40 ++++++++++++++++++++++++++++++++++++++++
 misc/sys/cdefs.h   |  6 +++---
 3 files changed, 44 insertions(+), 3 deletions(-)
 create mode 100644 io/tst-read-zero.c

diff --git a/io/Makefile b/io/Makefile
index 54d950d51f..2a52b66255 100644
--- a/io/Makefile
+++ b/io/Makefile
@@ -215,6 +215,7 @@ tests := \
   tst-openat \
   tst-posix_fallocate \
   tst-posix_fallocate64 \
+  tst-read-zero \
   tst-readlinkat \
   tst-renameat \
   tst-stat \
diff --git a/io/tst-read-zero.c b/io/tst-read-zero.c
new file mode 100644
index 0000000000..9442f94e5d
--- /dev/null
+++ b/io/tst-read-zero.c
@@ -0,0 +1,40 @@
+/* read smoke test for 0-sized structures.
+   Copyright The GNU Toolchain Authors.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+/* Zero-sized structures should not result in any overflow warnings or
+   errors when fortification is enabled.  */
+#define _FORTIFY_SOURCE 3
+#include <fcntl.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <support/check.h>
+
+int
+do_test (void)
+{
+  struct test_st {} test_info[16];
+  int fd = open ("/dev/zero", O_RDONLY, 0);
+
+  if (fd == -1)
+    FAIL_UNSUPPORTED ("Unable to open /dev/zero: %m");
+
+  TEST_VERIFY_EXIT (read (fd, test_info, sizeof(test_info)) == 0);
+  return 0;
+}
+
+#include <support/test-driver.c>
diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h
index 520231dbea..800c44640f 100644
--- a/misc/sys/cdefs.h
+++ b/misc/sys/cdefs.h
@@ -683,10 +683,10 @@ _Static_assert (0, "IEEE 128-bits long double requires redirection on this platf
 #  define __attr_access(x) __attribute__ ((__access__ x))
 /* For _FORTIFY_SOURCE == 3 we use __builtin_dynamic_object_size, which may
    use the access attribute to get object sizes from function definition
-   arguments, so we can't use them on functions we fortify.  Drop the object
-   size hints for such functions.  */
+   arguments, so we can't use them on functions we fortify.  Drop the access
+   attribute for such functions.  */
 #  if __USE_FORTIFY_LEVEL == 3
-#    define __fortified_attr_access(a, o, s) __attribute__ ((__access__ (a, o)))
+#    define __fortified_attr_access(a, o, s)
 #  else
 #    define __fortified_attr_access(a, o, s) __attr_access ((a, o, s))
 #  endif
-- 
2.43.0

Re: [PATCH v2] cdefs: Drop access attribute for _FORTIFY_SOURCE=3 (BZ #31383)

[Adhemerval Zanella Netto]

On 16/02/24 13:44, Siddhesh Poyarekar wrote:
> When passed a pointer to a zero-sized struct, the access attribute
> without the third argument misleads -Wstringop-overflow diagnostics to
> think that a function is writing 1 byte into the zero-sized structs.
> The attribute doesn't add that much value in this context, so drop it
> completely for _FORTIFY_SOURCE=3.
> 
> Resolves: BZ #31383
> Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

It fails to build with aarch64/armhf buildbot [1]. The bots uses the
ubuntu 22 system compiler (gcc 11.4), and the tests fails:

* with --enable-fortify-source=2

$ make test t=io/tst-read-zero
[...]
tst-read-zero.c:21: error: "_FORTIFY_SOURCE" redefined [-Werror]
   21 | #define _FORTIFY_SOURCE 3
      |
<command-line>: note: this is the location of the previous definition
In file included from ../io/fcntl.h:25,
                 from ../include/fcntl.h:2,
                 from tst-read-zero.c:22:
../include/features.h:434:5: error: #warning _FORTIFY_SOURCE > 2 is treated like 2 on this platform [-Werror=cpp]
  434 | #   warning _FORTIFY_SOURCE > 2 is treated like 2 on this platform
      |     ^~~~~~~
cc1: all warnings being treated as errors

* with --enable-fortify-source=no

In file included from ../io/fcntl.h:25,
                 from ../include/fcntl.h:2,
                 from tst-read-zero.c:22:
../include/features.h:434:5: error: #warning _FORTIFY_SOURCE > 2 is treated like 2 on this platform [-Werror=cpp]
  434 | #   warning _FORTIFY_SOURCE > 2 is treated like 2 on this platform
      |     ^~~~~~~
cc1: all warnings being treated as errors

https://patchwork.sourceware.org/project/glibc/patch/20240216164401.3184063-1-siddhesh@sourceware.org/

> ---
> Changes from v1:
> - Adjust test to read from /dev/zero
> 
>  io/Makefile        |  1 +
>  io/tst-read-zero.c | 40 ++++++++++++++++++++++++++++++++++++++++
>  misc/sys/cdefs.h   |  6 +++---
>  3 files changed, 44 insertions(+), 3 deletions(-)
>  create mode 100644 io/tst-read-zero.c
> 
> diff --git a/io/Makefile b/io/Makefile
> index 54d950d51f..2a52b66255 100644
> --- a/io/Makefile
> +++ b/io/Makefile
> @@ -215,6 +215,7 @@ tests := \
>    tst-openat \
>    tst-posix_fallocate \
>    tst-posix_fallocate64 \
> +  tst-read-zero \
>    tst-readlinkat \
>    tst-renameat \
>    tst-stat \
> diff --git a/io/tst-read-zero.c b/io/tst-read-zero.c
> new file mode 100644
> index 0000000000..9442f94e5d
> --- /dev/null
> +++ b/io/tst-read-zero.c
> @@ -0,0 +1,40 @@
> +/* read smoke test for 0-sized structures.
> +   Copyright The GNU Toolchain Authors.
> +   This file is part of the GNU C Library.
> +
> +   The GNU C Library is free software; you can redistribute it and/or
> +   modify it under the terms of the GNU Lesser General Public
> +   License as published by the Free Software Foundation; either
> +   version 2.1 of the License, or (at your option) any later version.
> +
> +   The GNU C Library is distributed in the hope that it will be useful,
> +   but WITHOUT ANY WARRANTY; without even the implied warranty of
> +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +   Lesser General Public License for more details.
> +
> +   You should have received a copy of the GNU Lesser General Public
> +   License along with the GNU C Library; if not, see
> +   <https://www.gnu.org/licenses/>.  */
> +
> +/* Zero-sized structures should not result in any overflow warnings or
> +   errors when fortification is enabled.  */
> +#define _FORTIFY_SOURCE 3
> +#include <fcntl.h>
> +#include <stdio.h>
> +#include <unistd.h>
> +#include <support/check.h>
> +
> +int
> +do_test (void)
> +{
> +  struct test_st {} test_info[16];
> +  int fd = open ("/dev/zero", O_RDONLY, 0);
> +
> +  if (fd == -1)
> +    FAIL_UNSUPPORTED ("Unable to open /dev/zero: %m");
> +
> +  TEST_VERIFY_EXIT (read (fd, test_info, sizeof(test_info)) == 0);
> +  return 0;
> +}
> +
> +#include <support/test-driver.c>
> diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h
> index 520231dbea..800c44640f 100644
> --- a/misc/sys/cdefs.h
> +++ b/misc/sys/cdefs.h
> @@ -683,10 +683,10 @@ _Static_assert (0, "IEEE 128-bits long double requires redirection on this platf
>  #  define __attr_access(x) __attribute__ ((__access__ x))
>  /* For _FORTIFY_SOURCE == 3 we use __builtin_dynamic_object_size, which may
>     use the access attribute to get object sizes from function definition
> -   arguments, so we can't use them on functions we fortify.  Drop the object
> -   size hints for such functions.  */
> +   arguments, so we can't use them on functions we fortify.  Drop the access
> +   attribute for such functions.  */
>  #  if __USE_FORTIFY_LEVEL == 3
> -#    define __fortified_attr_access(a, o, s) __attribute__ ((__access__ (a, o)))
> +#    define __fortified_attr_access(a, o, s)
>  #  else
>  #    define __fortified_attr_access(a, o, s) __attr_access ((a, o, s))
>  #  endif

Re: [PATCH v2] cdefs: Drop access attribute for _FORTIFY_SOURCE=3 (BZ #31383)

[Siddhesh Poyarekar]

On 2024-02-20 09:44, Adhemerval Zanella Netto wrote:
> 
> 
> On 16/02/24 13:44, Siddhesh Poyarekar wrote:
>> When passed a pointer to a zero-sized struct, the access attribute
>> without the third argument misleads -Wstringop-overflow diagnostics to
>> think that a function is writing 1 byte into the zero-sized structs.
>> The attribute doesn't add that much value in this context, so drop it
>> completely for _FORTIFY_SOURCE=3.
>>
>> Resolves: BZ #31383
>> Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
> 
> It fails to build with aarch64/armhf buildbot [1]. The bots uses the
> ubuntu 22 system compiler (gcc 11.4), and the tests fails:
> 
> * with --enable-fortify-source=2

Ah, I see.  I'll fix this; I've hard-coded _FORTIFY_SOURCE=3 in there 
and maybe I should set it only to the maximum supported fortification 
level.  I'll send an updated patch.

Thanks,
Sid

> 
> $ make test t=io/tst-read-zero
> [...]
> tst-read-zero.c:21: error: "_FORTIFY_SOURCE" redefined [-Werror]
>     21 | #define _FORTIFY_SOURCE 3
>        |
> <command-line>: note: this is the location of the previous definition
> In file included from ../io/fcntl.h:25,
>                   from ../include/fcntl.h:2,
>                   from tst-read-zero.c:22:
> ../include/features.h:434:5: error: #warning _FORTIFY_SOURCE > 2 is treated like 2 on this platform [-Werror=cpp]
>    434 | #   warning _FORTIFY_SOURCE > 2 is treated like 2 on this platform
>        |     ^~~~~~~
> cc1: all warnings being treated as errors
> 
> * with --enable-fortify-source=no
> 
> In file included from ../io/fcntl.h:25,
>                   from ../include/fcntl.h:2,
>                   from tst-read-zero.c:22:
> ../include/features.h:434:5: error: #warning _FORTIFY_SOURCE > 2 is treated like 2 on this platform [-Werror=cpp]
>    434 | #   warning _FORTIFY_SOURCE > 2 is treated like 2 on this platform
>        |     ^~~~~~~
> cc1: all warnings being treated as errors
> 
> https://patchwork.sourceware.org/project/glibc/patch/20240216164401.3184063-1-siddhesh@sourceware.org/
> 
>> ---
>> Changes from v1:
>> - Adjust test to read from /dev/zero
>>
>>   io/Makefile        |  1 +
>>   io/tst-read-zero.c | 40 ++++++++++++++++++++++++++++++++++++++++
>>   misc/sys/cdefs.h   |  6 +++---
>>   3 files changed, 44 insertions(+), 3 deletions(-)
>>   create mode 100644 io/tst-read-zero.c
>>
>> diff --git a/io/Makefile b/io/Makefile
>> index 54d950d51f..2a52b66255 100644
>> --- a/io/Makefile
>> +++ b/io/Makefile
>> @@ -215,6 +215,7 @@ tests := \
>>     tst-openat \
>>     tst-posix_fallocate \
>>     tst-posix_fallocate64 \
>> +  tst-read-zero \
>>     tst-readlinkat \
>>     tst-renameat \
>>     tst-stat \
>> diff --git a/io/tst-read-zero.c b/io/tst-read-zero.c
>> new file mode 100644
>> index 0000000000..9442f94e5d
>> --- /dev/null
>> +++ b/io/tst-read-zero.c
>> @@ -0,0 +1,40 @@
>> +/* read smoke test for 0-sized structures.
>> +   Copyright The GNU Toolchain Authors.
>> +   This file is part of the GNU C Library.
>> +
>> +   The GNU C Library is free software; you can redistribute it and/or
>> +   modify it under the terms of the GNU Lesser General Public
>> +   License as published by the Free Software Foundation; either
>> +   version 2.1 of the License, or (at your option) any later version.
>> +
>> +   The GNU C Library is distributed in the hope that it will be useful,
>> +   but WITHOUT ANY WARRANTY; without even the implied warranty of
>> +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
>> +   Lesser General Public License for more details.
>> +
>> +   You should have received a copy of the GNU Lesser General Public
>> +   License along with the GNU C Library; if not, see
>> +   <https://www.gnu.org/licenses/>.  */
>> +
>> +/* Zero-sized structures should not result in any overflow warnings or
>> +   errors when fortification is enabled.  */
>> +#define _FORTIFY_SOURCE 3
>> +#include <fcntl.h>
>> +#include <stdio.h>
>> +#include <unistd.h>
>> +#include <support/check.h>
>> +
>> +int
>> +do_test (void)
>> +{
>> +  struct test_st {} test_info[16];
>> +  int fd = open ("/dev/zero", O_RDONLY, 0);
>> +
>> +  if (fd == -1)
>> +    FAIL_UNSUPPORTED ("Unable to open /dev/zero: %m");
>> +
>> +  TEST_VERIFY_EXIT (read (fd, test_info, sizeof(test_info)) == 0);
>> +  return 0;
>> +}
>> +
>> +#include <support/test-driver.c>
>> diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h
>> index 520231dbea..800c44640f 100644
>> --- a/misc/sys/cdefs.h
>> +++ b/misc/sys/cdefs.h
>> @@ -683,10 +683,10 @@ _Static_assert (0, "IEEE 128-bits long double requires redirection on this platf
>>   #  define __attr_access(x) __attribute__ ((__access__ x))
>>   /* For _FORTIFY_SOURCE == 3 we use __builtin_dynamic_object_size, which may
>>      use the access attribute to get object sizes from function definition
>> -   arguments, so we can't use them on functions we fortify.  Drop the object
>> -   size hints for such functions.  */
>> +   arguments, so we can't use them on functions we fortify.  Drop the access
>> +   attribute for such functions.  */
>>   #  if __USE_FORTIFY_LEVEL == 3
>> -#    define __fortified_attr_access(a, o, s) __attribute__ ((__access__ (a, o)))
>> +#    define __fortified_attr_access(a, o, s)
>>   #  else
>>   #    define __fortified_attr_access(a, o, s) __attr_access ((a, o, s))
>>   #  endif
> 

[PATCH v3] cdefs: Drop access attribute for _FORTIFY_SOURCE=3 (BZ #31383)

[Siddhesh Poyarekar]

When passed a pointer to a zero-sized struct, the access attribute
without the third argument misleads -Wstringop-overflow diagnostics to
think that a function is writing 1 byte into the zero-sized structs.
The attribute doesn't add that much value in this context, so drop it
completely for _FORTIFY_SOURCE=3.

Resolves: BZ #31383
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
---
Changes from v2:
- Use supported-fortify to set the right fortification level for the
  compiler.

Changes from v1:
- Adjust test to read from /dev/zero

 io/Makefile        |  2 ++
 io/tst-read-zero.c | 39 +++++++++++++++++++++++++++++++++++++++
 misc/sys/cdefs.h   |  6 +++---
 3 files changed, 44 insertions(+), 3 deletions(-)
 create mode 100644 io/tst-read-zero.c

diff --git a/io/Makefile b/io/Makefile
index 54d950d51f..19932d50f7 100644
--- a/io/Makefile
+++ b/io/Makefile
@@ -215,6 +215,7 @@ tests := \
   tst-openat \
   tst-posix_fallocate \
   tst-posix_fallocate64 \
+  tst-read-zero \
   tst-readlinkat \
   tst-renameat \
   tst-stat \
@@ -290,6 +291,7 @@ CFLAGS-read.c += -fexceptions -fasynchronous-unwind-tables $(config-cflags-wno-i
 CFLAGS-write.c += -fexceptions -fasynchronous-unwind-tables $(config-cflags-wno-ignored-attributes)
 CFLAGS-close.c += -fexceptions -fasynchronous-unwind-tables
 CFLAGS-lseek64.c += $(config-cflags-wno-ignored-attributes)
+CFLAGS-tst-read-zero.c += $(no-fortify-source),-D_FORTIFY_SOURCE=$(supported-fortify)
 
 CFLAGS-test-stat.c += -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE
 CFLAGS-test-lfs.c += -D_LARGEFILE64_SOURCE
diff --git a/io/tst-read-zero.c b/io/tst-read-zero.c
new file mode 100644
index 0000000000..8d1d30a543
--- /dev/null
+++ b/io/tst-read-zero.c
@@ -0,0 +1,39 @@
+/* read smoke test for 0-sized structures.
+   Copyright The GNU Toolchain Authors.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+/* Zero-sized structures should not result in any overflow warnings or
+   errors when fortification is enabled.  */
+#include <fcntl.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <support/check.h>
+
+int
+do_test (void)
+{
+  struct test_st {} test_info[16];
+  int fd = open ("/dev/zero", O_RDONLY, 0);
+
+  if (fd == -1)
+    FAIL_UNSUPPORTED ("Unable to open /dev/zero: %m");
+
+  TEST_VERIFY_EXIT (read (fd, test_info, sizeof(test_info)) == 0);
+  return 0;
+}
+
+#include <support/test-driver.c>
diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h
index 520231dbea..800c44640f 100644
--- a/misc/sys/cdefs.h
+++ b/misc/sys/cdefs.h
@@ -683,10 +683,10 @@ _Static_assert (0, "IEEE 128-bits long double requires redirection on this platf
 #  define __attr_access(x) __attribute__ ((__access__ x))
 /* For _FORTIFY_SOURCE == 3 we use __builtin_dynamic_object_size, which may
    use the access attribute to get object sizes from function definition
-   arguments, so we can't use them on functions we fortify.  Drop the object
-   size hints for such functions.  */
+   arguments, so we can't use them on functions we fortify.  Drop the access
+   attribute for such functions.  */
 #  if __USE_FORTIFY_LEVEL == 3
-#    define __fortified_attr_access(a, o, s) __attribute__ ((__access__ (a, o)))
+#    define __fortified_attr_access(a, o, s)
 #  else
 #    define __fortified_attr_access(a, o, s) __attr_access ((a, o, s))
 #  endif
-- 
2.43.0

Re: [PATCH v3] cdefs: Drop access attribute for _FORTIFY_SOURCE=3 (BZ #31383)

[Adhemerval Zanella Netto]

On 26/02/24 13:03, Siddhesh Poyarekar wrote:
> When passed a pointer to a zero-sized struct, the access attribute
> without the third argument misleads -Wstringop-overflow diagnostics to
> think that a function is writing 1 byte into the zero-sized structs.
> The attribute doesn't add that much value in this context, so drop it
> completely for _FORTIFY_SOURCE=3.
> 
> Resolves: BZ #31383
> Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

LGTM, thanks.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>

> ---
> Changes from v2:
> - Use supported-fortify to set the right fortification level for the
>   compiler.
> 
> Changes from v1:
> - Adjust test to read from /dev/zero
> 
>  io/Makefile        |  2 ++
>  io/tst-read-zero.c | 39 +++++++++++++++++++++++++++++++++++++++
>  misc/sys/cdefs.h   |  6 +++---
>  3 files changed, 44 insertions(+), 3 deletions(-)
>  create mode 100644 io/tst-read-zero.c
> 
> diff --git a/io/Makefile b/io/Makefile
> index 54d950d51f..19932d50f7 100644
> --- a/io/Makefile
> +++ b/io/Makefile
> @@ -215,6 +215,7 @@ tests := \
>    tst-openat \
>    tst-posix_fallocate \
>    tst-posix_fallocate64 \
> +  tst-read-zero \
>    tst-readlinkat \
>    tst-renameat \
>    tst-stat \

Maybe it makes more sense to add this test on debug subfolder, but I don't
have a strong preference.

> @@ -290,6 +291,7 @@ CFLAGS-read.c += -fexceptions -fasynchronous-unwind-tables $(config-cflags-wno-i
>  CFLAGS-write.c += -fexceptions -fasynchronous-unwind-tables $(config-cflags-wno-ignored-attributes)
>  CFLAGS-close.c += -fexceptions -fasynchronous-unwind-tables
>  CFLAGS-lseek64.c += $(config-cflags-wno-ignored-attributes)
> +CFLAGS-tst-read-zero.c += $(no-fortify-source),-D_FORTIFY_SOURCE=$(supported-fortify)
>  
>  CFLAGS-test-stat.c += -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE
>  CFLAGS-test-lfs.c += -D_LARGEFILE64_SOURCE
> diff --git a/io/tst-read-zero.c b/io/tst-read-zero.c
> new file mode 100644
> index 0000000000..8d1d30a543
> --- /dev/null
> +++ b/io/tst-read-zero.c
> @@ -0,0 +1,39 @@
> +/* read smoke test for 0-sized structures.
> +   Copyright The GNU Toolchain Authors.
> +   This file is part of the GNU C Library.
> +
> +   The GNU C Library is free software; you can redistribute it and/or
> +   modify it under the terms of the GNU Lesser General Public
> +   License as published by the Free Software Foundation; either
> +   version 2.1 of the License, or (at your option) any later version.
> +
> +   The GNU C Library is distributed in the hope that it will be useful,
> +   but WITHOUT ANY WARRANTY; without even the implied warranty of
> +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +   Lesser General Public License for more details.
> +
> +   You should have received a copy of the GNU Lesser General Public
> +   License along with the GNU C Library; if not, see
> +   <https://www.gnu.org/licenses/>.  */
> +
> +/* Zero-sized structures should not result in any overflow warnings or
> +   errors when fortification is enabled.  */
> +#include <fcntl.h>
> +#include <stdio.h>
> +#include <unistd.h>
> +#include <support/check.h>
> +
> +int
> +do_test (void)
> +{
> +  struct test_st {} test_info[16];
> +  int fd = open ("/dev/zero", O_RDONLY, 0);
> +
> +  if (fd == -1)
> +    FAIL_UNSUPPORTED ("Unable to open /dev/zero: %m");
> +
> +  TEST_VERIFY_EXIT (read (fd, test_info, sizeof(test_info)) == 0);
> +  return 0;
> +}
> +
> +#include <support/test-driver.c>
> diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h
> index 520231dbea..800c44640f 100644
> --- a/misc/sys/cdefs.h
> +++ b/misc/sys/cdefs.h
> @@ -683,10 +683,10 @@ _Static_assert (0, "IEEE 128-bits long double requires redirection on this platf
>  #  define __attr_access(x) __attribute__ ((__access__ x))
>  /* For _FORTIFY_SOURCE == 3 we use __builtin_dynamic_object_size, which may
>     use the access attribute to get object sizes from function definition
> -   arguments, so we can't use them on functions we fortify.  Drop the object
> -   size hints for such functions.  */
> +   arguments, so we can't use them on functions we fortify.  Drop the access
> +   attribute for such functions.  */
>  #  if __USE_FORTIFY_LEVEL == 3
> -#    define __fortified_attr_access(a, o, s) __attribute__ ((__access__ (a, o)))
> +#    define __fortified_attr_access(a, o, s)
>  #  else
>  #    define __fortified_attr_access(a, o, s) __attr_access ((a, o, s))
>  #  endif