Subject: Re: [RFC] _FORTIFY_SOURCE strictness
From: Paul Eggert (UCLA Computer Science Department)
Date: Thu, 7 Apr 2022 19:26:41 -0700
To: Siddhesh Poyarekar
Cc: Florian Weimer, Jakub Jelinek, Andreas Schwab, libc-alpha@sourceware.org
Message-ID: <2f468367-7e1f-7c11-0417-1baf790efdd4@cs.ucla.edu>
On 4/6/22 23:26, Siddhesh Poyarekar wrote:
> Thoughts? Maybe an Option 3 that's less worse than the above two options?

Perhaps we could use Option 1 (do nothing) for functions like snprintf, and Option 2 (abort only on actual overflows) for functions like strncpy.

For snprintf Option 1 is arguably allowed by the C standard, which says "If a function argument is described as being an array, the pointer actually passed to the function shall have a value such that all address computations and accesses to objects (that would be valid if the pointer did point to the first element of such an array) are in fact valid." In other words, if you call snprintf (a, n, ...) the implementation is allowed to compute &a[0] through &a[n] even if it doesn't store into every byte in 'a' - and this means Option 1 is allowed.

For strncpy the situation is murkier and arguably something like Option 2 would be needed, due to the funky way that the standard words the strncpy spec. However, this is not that important, since strncpy is (or at least should be) rarely used nowadays, so it's not that performance-relevant.

If we're lucky, most of the affected functions are more like snprintf than like strcpy, which means we can use Option 1 (do nothing) for most of the affected functions.
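To make the snprintf/strncpy distinction above concrete, here is an added example (not code from the thread or from glibc) that models the three policies: a strict check that traps whenever the size argument n exceeds the destination object, Option 2 that traps only when the bytes actually stored exceed it, and Option 1 that never traps. The `objsz` parameter is an assumed stand-in for what `__builtin_object_size` would report, and the sample calls use a constructed 8-byte buffer.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes snprintf(dst, n, fmt, ...) would actually store into dst, including
   the terminating NUL. Only the formatted length matters, not n itself. */
size_t snprintf_stored(size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(NULL, 0, fmt, ap); /* C99: measure without storing */
    va_end(ap);
    if (len < 0 || n == 0)
        return 0;
    return (size_t)len + 1 < n ? (size_t)len + 1 : n;
}

/* strncpy(dst, src, n) always writes exactly n bytes: it copies the source
   and NUL-pads the rest, so a short source does not reduce the store. */
size_t strncpy_stored(size_t n, const char *src)
{
    (void)src;
    return n;
}

/* Bitmask of policies that would abort for one call:
   bit 0: strict check (n larger than the object)
   bit 1: Option 2 (bytes actually stored exceed the object)
   Option 1 (do nothing) corresponds to always returning 0. */
int fortify_verdict(size_t objsz, size_t n, size_t stored)
{
    int v = 0;
    if (n > objsz)
        v |= 1;
    if (stored > objsz)
        v |= 2;
    return v;
}

int main(void)
{
    enum { OBJ = 8 }; /* constructed: char a[8] as the destination */
    printf("snprintf(a,16,\"hi\")      -> %d\n",
           fortify_verdict(OBJ, 16, snprintf_stored(16, "%s", "hi")));
    printf("snprintf(a,16,10 chars)   -> %d\n",
           fortify_verdict(OBJ, 16, snprintf_stored(16, "%s", "0123456789")));
    printf("strncpy(a,\"hi\",16)       -> %d\n",
           fortify_verdict(OBJ, 16, strncpy_stored(16, "hi")));
    return 0;
}
```

The first call is the case the message describes: n exceeds the object, so only the strict policy aborts; the strncpy call with the same short source really does overflow, because the padding writes all 16 bytes.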