From: Siddhesh Poyarekar
To: Florian Weimer
Cc: libc-alpha@sourceware.org
Subject: Re: [PATCH] Add _FORTIFY_SOURCE implementation documentation [BZ #28998]
Date: Thu, 22 Dec 2022 09:19:28 -0500
Message-ID: <58b6325f-41e0-ce46-c691-10eb792246a4@sourceware.org>
In-Reply-To: <873597o92c.fsf@oldenburg.str.redhat.com>
References: <20221215162506.1802077-1-siddhesh@sourceware.org> <873597o92c.fsf@oldenburg.str.redhat.com>

On 2022-12-22 08:35, Florian Weimer via Libc-alpha wrote:
> * Siddhesh Poyarekar:
>
>> +The @code{_FORTIFY_SOURCE} macro may be defined by users to control
>> +hardening of calls into some functions in @theglibc{}. This feature
>> +needs a compiler that supports either the @code{__builtin_object_size}
>> +or the @code{__builtin_dynamic_object_size} builtin functions. When the
>> +macro is defined, it enables code that validates access to buffers that
>> +are passed to some functions in @theglibc to determine if they
>> +are safe. If the compiler is able to deduce the size of the buffer
>> +passed to the function call but the call cannot be determined as safe,
>> +it is replaced by a call to its hardened variant that does the access
>> +validation at runtime. At runtime, if the access validation check for
>> +the buffer fails, the program will terminate with a @code{SIGABRT}
>> +signal.
>
> This doesn't really cover %n checks and the open checks, so it's
> slightly misleading.

How about the following then; I've mentioned %n in the description for
level 2, so I'm only trying to provide a high-level summary here:

"""
If the compiler is able to deduce the size of the buffer passed to the
function call but the call cannot be determined as safe, it is replaced
by a call to its hardened variant that performs additional safety checks
at runtime. At runtime, if those safety checks fail, the program will
terminate with a @code{SIGABRT} signal.
"""

>> +The following functions are fortified in @theglibc{}:
>> +
>> +@itemize @bullet
>> +@item @code{asprintf}: Replaced with @code{__asprintf_chk}.
>> +
>> +@item @code{confstr}: Replaced with @code{__confstr_chk}.
>
> Can we auto-generate this?
>
> It is incomplete. __open_2, __open64_2 and the *at variants are
> missing. FD_SET, FD_CLR, FD_ISSET, too.

I did auto-generate this list from the entry points in debug/*, so it got
__fdelt_chk, which is the underlying function for the FD_* macros and
not the macros themselves. The open* calls got missed because they're
not in debug. We could rearrange these entry points to all be in one
place in, e.g., fortify/ instead of debug/ and then auto-generate from
there? However, maybe that's a good exercise for the next release and,
for now, hack together the list so that we have documentation. I don't
think I can do the refactoring before the freeze.

Thanks,
Sid
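Review bot: in the first quoted hunk, "When the macro is defined, it enables code that validates access to buffers" leaves out that the value given to _FORTIFY_SOURCE selects a level with different checks (the reply itself refers to a level 2 description for %n), so a reader of this paragraph alone cannot tell that defining the macro to 1 and to 2 behave differently; suggest "may be defined by users to a level (described below) to control hardening" and a cross-reference to the per-level descriptions. Also, the line "are passed to some functions in @theglibc to determine if they" writes @theglibc without the {} that every other use in the hunk has (@theglibc{}); delimit the macro call the same way throughout.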
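Review bot: in the function list hunk, each item is phrased unconditionally ("@code{asprintf}: Replaced with @code{__asprintf_chk}."), while the introductory paragraph says the substitution happens only when the compiler can deduce the buffer size and cannot prove the call safe; a one-sentence lead-in above @itemize saying that the listed __*_chk names are the hardened variants substituted under that condition would remove the contradiction. Because the list was generated from the debug/ entry points, it names internal symbols such as __fdelt_chk rather than the user-facing FD_SET, FD_CLR and FD_ISSET macros, and the open/openat family is absent; listing the user-visible name first and the entry point after it would keep the list readable as a list of fortified calls rather than of internal symbols.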
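The mechanism the two replies are describing, as an added example that is my own model and not glibc's code or the patch author's: the call site captures the destination size with a compiler builtin, and a hardened variant checks the requested length against it at run time. The names classify_copy, memcpy_chk_model, FORTIFIED_MEMCPY, FORTIFY_DECIDE, BOS_FOR_LEVEL and DYN_BOS are mine; the only glibc facts assumed are that cdefs.h selects __builtin_object_size type 0 at level 1, type 1 at level 2 and __builtin_dynamic_object_size at level 3, and that a failed check ends in abort() (SIGABRT). The model goes slightly beyond the quoted paragraph by also showing the level 1 versus level 2 difference on a struct member and the run-time-sized heap case where level 3 differs.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not glibc code: a model of the _FORTIFY_SOURCE pattern.
   The call site captures the destination size with a compiler builtin and
   hands it to a hardened variant, which checks the request at run time.  */

enum chk_result { CHK_OK, CHK_UNKNOWN, CHK_OVERFLOW };

/* glibc's cdefs.h chooses the builtin by level: __builtin_object_size type 0
   at level 1, type 1 (size of the innermost sub-object) at level 2, and
   __builtin_dynamic_object_size at level 3.  (size_t)-1 means "unknown".  */
#define BOS_FOR_LEVEL(ptr, level) __builtin_object_size((ptr), (level) > 1)

#if defined(__has_builtin)
# if __has_builtin(__builtin_dynamic_object_size)
#  define DYN_BOS(ptr) __builtin_dynamic_object_size((ptr), 0)
# endif
#endif
#ifndef DYN_BOS
# define DYN_BOS(ptr) __builtin_object_size((ptr), 0) /* older compiler: static only */
#endif

/* The decision a hardened variant makes from the deduced destination size
   and the requested length.  */
enum chk_result classify_copy(size_t dst_size, size_t n)
{
    if (dst_size == (size_t)-1)
        return CHK_UNKNOWN;     /* size not deducible: nothing to check against */
    return n <= dst_size ? CHK_OK : CHK_OVERFLOW;
}

/* Model of __memcpy_chk: copies when the length fits or cannot be checked,
   and aborts (SIGABRT, as glibc's __chk_fail does) on a detected overflow.  */
void *memcpy_chk_model(void *dst, const void *src, size_t n, size_t dst_size)
{
    if (classify_copy(dst_size, n) == CHK_OVERFLOW) {
        fputs("*** buffer overflow detected ***: terminated\n", stderr);
        abort();
    }
    return memcpy(dst, src, n);
}

/* What the fortified header wrapper expands to at a call site, and a dry-run
   form that only reports the decision so oversized requests can be inspected.  */
#define FORTIFIED_MEMCPY(dst, src, n) memcpy_chk_model((dst), (src), (n), DYN_BOS(dst))
#define FORTIFY_DECIDE(dst, n)        classify_copy(DYN_BOS(dst), (n))

/* Decision for writing n bytes into a 16-byte stack buffer.  The size of a
   named local array is visible to the compiler even at -O0.  */
enum chk_result decide_local16(size_t n)
{
    char buf[16];
    return FORTIFY_DECIDE(buf, n);
}

/* Sizes a struct member reports at levels 1 and 2: level 1 measures the
   enclosing object (16 bytes), level 2 the member itself (8 bytes), so only
   level 2 catches a copy that runs from rec.name over into rec.extra.  */
struct record { char name[8]; char extra[8]; };
size_t member_size_level1(void) { struct record rec; return BOS_FOR_LEVEL(rec.name, 1); }
size_t member_size_level2(void) { struct record rec; return BOS_FOR_LEVEL(rec.name, 2); }

/* Decision for a heap buffer sized at run time.  A static builtin reports
   "unknown" (no check); __builtin_dynamic_object_size can carry the malloc
   argument to the check when the compiler supports it and optimises.  */
enum chk_result decide_heap(size_t alloc, size_t n)
{
    char *p = malloc(alloc);
    enum chk_result r = p ? FORTIFY_DECIDE(p, n) : CHK_UNKNOWN;
    free(p);
    return r;
}

/* A copy that passes the check; returns 1 if the data arrived intact.  */
int checked_copy_roundtrip(void)
{
    char out[8];
    FORTIFIED_MEMCPY(out, "fits", 5);
    return strcmp(out, "fits") == 0;
}

int main(void)
{
    static const char *const verdict[] = { "ok", "unknown", "overflow" };
    printf("16 bytes into char[16]: %s\n", verdict[decide_local16(16)]);
    printf("17 bytes into char[16]: %s\n", verdict[decide_local16(17)]);
    printf("rec.name: level 1 sees %zu bytes, level 2 sees %zu\n",
           member_size_level1(), member_size_level2());
    printf("48 bytes into malloc(32): %s\n", verdict[decide_heap(32, 48)]);
    printf("checked copy intact: %d\n", checked_copy_roundtrip());
    /* FORTIFIED_MEMCPY(out, verdict, 32) inside checked_copy_roundtrip would abort.  */
    return 0;
}
```

Build with `cc -O2 -Wall model.c`. The heap line is the one whose verdict depends on the compiler: with the static builtin, or with __builtin_dynamic_object_size at -O0, it prints "unknown", which is exactly the case the quoted paragraph describes as "the compiler is not able to deduce the size", and so no check is emitted. glibc's own features.h only enables fortification when compiling with optimisation, for the same reason: sizes reached through pointer variables are generally deducible only at -O1 and above.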