From: Siddhesh Poyarekar <siddhesh@gotplt.org>
To: Frederic Berat <fberat@redhat.com>
Cc: libc-alpha@sourceware.org
Subject: Re: [PATCH v3 02/16] Exclude routines from fortification
Date: Tue, 4 Jul 2023 12:04:01 -0400 [thread overview]
Message-ID: <782060ba-5277-8f91-a89f-40c1d87f5365@gotplt.org> (raw)
In-Reply-To: <CAObJKZr=b7Uycip5so-M0CJKMtnO=BC-=uZ7O4t+_1K+oQEM+A@mail.gmail.com>
On 2023-07-03 11:16, Frederic Berat wrote:
>
>
> On Fri, Jun 30, 2023 at 4:55 PM Siddhesh Poyarekar <siddhesh@gotplt.org
> <mailto:siddhesh@gotplt.org>> wrote:
>
> On 2023-06-28 04:42, Frédéric Bérat wrote:
> > Since the _FORTIFY_SOURCE feature uses some routines of Glibc,
> they need to
> > be excluded from the fortification.
> >
> > On top of that:
> > - some tests explicitly verify that some level of fortification
> works
> > appropriately, we therefore shouldn't modify the level set
> for them.
> > - some objects need to be build with optimization disabled, which
> > prevents _FORTIFY_SOURCE to be used for them.
> >
> > Assembler files that implement architecture specific versions of the
> > fortified routines were not excluded from _FORTIFY_SOURCE as
> there is no
> > C header included that would impact their behavior.
> > ---
> > debug/Makefile | 12 +--
> > io/Makefile | 16 ++++
> > libio/Makefile | 21 +++++-
> > login/Makefile | 6 ++
> > misc/Makefile | 7 ++
> > posix/Makefile | 11 +++
> > rt/Makefile | 5 ++
> > setjmp/Makefile | 9 +++
> > socket/Makefile | 6 ++
> > stdio-common/Makefile | 15 +++-
> > stdlib/Makefile | 7 ++
> > string/Makefile | 17 +++++
> > sysdeps/ieee754/ldbl-128ibm-compat/Makefile | 81
> +++++++++++++++++----
> > sysdeps/ieee754/ldbl-opt/Makefile | 29 ++++++++
> > sysdeps/pthread/Makefile | 4 +
> > sysdeps/unix/sysv/linux/Makefile | 3 +
> > wcsmbs/Makefile | 23 +++++-
> > 17 files changed, 247 insertions(+), 25 deletions(-)
> >
> > diff --git a/debug/Makefile b/debug/Makefile
> > index 9d658e3002..434e52f780 100644
> > --- a/debug/Makefile
> > +++ b/debug/Makefile
> > @@ -171,13 +171,13 @@ CFLAGS-recvfrom_chk.c += -fexceptions
> -fasynchronous-unwind-tables
> > # set up for us, so keep the CFLAGS/CPPFLAGS split logical as
> the order is:
> > # <user CFLAGS> <test CFLAGS> <user CPPFLAGS> <test CPPFLAGS>
> > CFLAGS-tst-longjmp_chk.c += -fexceptions
> -fasynchronous-unwind-tables
> > -CPPFLAGS-tst-longjmp_chk.c += -D_FORTIFY_SOURCE=1
> > +CPPFLAGS-tst-longjmp_chk.c +=
> $(no-fortify-source),-D_FORTIFY_SOURCE=1
> > CFLAGS-tst-longjmp_chk2.c += -fexceptions
> -fasynchronous-unwind-tables
> > -CPPFLAGS-tst-longjmp_chk2.c += -D_FORTIFY_SOURCE=1
> > +CPPFLAGS-tst-longjmp_chk2.c +=
> $(no-fortify-source),-D_FORTIFY_SOURCE=1
> > CFLAGS-tst-longjmp_chk3.c += -fexceptions
> -fasynchronous-unwind-tables
> > -CPPFLAGS-tst-longjmp_chk3.c += -D_FORTIFY_SOURCE=1
> > -CPPFLAGS-tst-realpath-chk.c += -D_FORTIFY_SOURCE=2
> > -CPPFLAGS-tst-chk-cancel.c += -D_FORTIFY_SOURCE=2
> > +CPPFLAGS-tst-longjmp_chk3.c +=
> $(no-fortify-source),-D_FORTIFY_SOURCE=1
> > +CPPFLAGS-tst-realpath-chk.c +=
> $(no-fortify-source),-D_FORTIFY_SOURCE=2
> > +CPPFLAGS-tst-chk-cancel.c +=
> $(no-fortify-source),-D_FORTIFY_SOURCE=2
> >
> > # _FORTIFY_SOURCE tests.
> > # Auto-generate tests for _FORTIFY_SOURCE for different levels,
> compilers and
> > @@ -215,7 +215,7 @@ src-chk-nongnu = \#undef _GNU_SOURCE
> > # cannot be disabled via pragmas, so require -Wno-error to be used.
> > define gen-chk-test
> > tests-$(1)-$(4)-chk += tst-fortify-$(1)-$(2)-$(3)-$(4)
> > -CFLAGS-tst-fortify-$(1)-$(2)-$(3)-$(4).$(1) +=
> -D_FORTIFY_SOURCE=$(3) -Wno-format \
> > +CFLAGS-tst-fortify-$(1)-$(2)-$(3)-$(4).$(1) +=
> $(no-fortify-source),-D_FORTIFY_SOURCE=$(3) -Wno-format \
> >
> -Wno-deprecated-declarations \
> > -Wno-error
> > $(eval $(call cflags-$(2),$(1),$(3),$(4)))
> > diff --git a/io/Makefile b/io/Makefile
> > index d573064ecc..6ccc0e8691 100644
> > --- a/io/Makefile
> > +++ b/io/Makefile
> > @@ -149,6 +149,22 @@ routines := \
> > write \
> > # routines
> >
> > +# Exclude fortified routines from being built with _FORTIFY_SOURCE
> > +routines_no_fortify += \
> > + getcwd \
> > + getwd \
> > + open \
> > + open64 \
> > + openat \
> > + openat64 \
> > + poll \
> > + ppoll \
> > + read \
> > + readlink \
> > + readlinkat \
> > + ttyname_r \
> > + # routines_no_fortify
> > +
> > others := \
> > pwd \
> > # others
> > diff --git a/libio/Makefile b/libio/Makefile
> > index 2877fec484..f5c487d9f5 100644
> > --- a/libio/Makefile
> > +++ b/libio/Makefile
> > @@ -53,6 +53,21 @@ routines :=
> \
> >
> > gen-as-const-headers += libio-macros.sym
> >
> > +# Exclude fortified routines from being built with _FORTIFY_SOURCE
> > +routines_no_fortify += \
> > + fwprintf \
> > + iofgets \
> > + iofgets_u \
> > + iofgetws \
> > + iofgetws_u \
> > + swprintf \
> > + vasprintf \
> > + vsnprintf \
> > + vswprintf \
> > + vwprintf \
> > + wprintf \
> > + # routines_no_fortify
> > +
> > tests = tst_swprintf tst_wprintf tst_swscanf tst_wscanf
> tst_getwc tst_putwc \
> > tst_wprintf2 tst-widetext test-fmemopen tst-ext tst-ext2 \
> > tst-fgetws tst-ungetwc1 tst-ungetwc2 tst-swscanf
> tst-sscanf \
> > @@ -165,11 +180,15 @@ CFLAGS-iofgets_u.c +=
> $(config-cflags-wno-ignored-attributes)
> > CFLAGS-iofputs_u.c += $(config-cflags-wno-ignored-attributes)
> > # XXX Do we need filedoalloc and wfiledoalloc? Others?
> >
> > +# Prevent fortification as these are built with -O0
> > +CFLAGS-tst-bz24051.c += $(no-fortify-source)
> > +CFLAGS-tst-bz24153.c += $(no-fortify-source)
> > +
> > CFLAGS-tst_putwc.c += -DOBJPFX=\"$(objpfx)\"
> >
> > # These test cases intentionally use overlapping arguments
> > CFLAGS-tst-sprintf-ub.c += -Wno-restrict
>
> This should also be built without fortification because the test
> specifically tries to validate the sprintf entry point; the
> __sprintf_chk entry point ought to get checked by the
> tst-sprintf-chk-ub.c test.
>
> In fact, I wonder if *all* tests should be built without fortification
> by default regardless of whether glibc is built with fortification. We
> have specific tests in debug/ to test the _chk entry points and it
> seems
> like the tests should stick to validating only the regular entry points
> unless otherwise specified.
>
> I'm not so sure. The fact that fortification is enabled doesn't
> diminish the validity of the tests, at the very end fortified function
> shouldn't modify the behavior of these routines (modulo the additional
> tests on input parameters).
> Unless the test breaks because of fortification (like when tests
> voluntarily mess with input parameters in a way that the test aborts on
> chk routines), I don't see the need to undefine _FORTIFY_SOURCE.
>
> Thus, by having fortification enabled during the tests, I could catch
> errors in the tests (e.g. Incorrect maxlen parameter for swprintf
> 427dbaee86bcec31ba2fe9a42f32842cf17c4e77).
>
> On top of that in the current configuration, assuming
> "--enable-fortify-source" is **not** set, and the _FORTIFY_SOURCE macro
> is **not** set through the environment neither, these are still tested
> without fortification.
> In one sense, having the glibc CI testing the entry points directly,
> while the community will probably test with fortification, may help
> catch unwanted behavioral changes (if that ever happens) due to
> incorrect check routines implementation.
>
> All of that said, we may need to reconsider the tests like
> tst-sprintf-chk-ub.c though, considering the capability to enable
> fortification from configure.
>
> What do you think ?
OK that's fine, just that we'd need to do further fixups to tests in
future where we're testing fortified and unfortified variants.
Sid
next prev parent reply other threads:[~2023-07-04 16:04 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-28 8:42 [PATCH v3 00/16] Allow glibc to be built with _FORTIFY_SOURCE Frédéric Bérat
2023-06-28 8:42 ` [PATCH v3 01/16] " Frédéric Bérat
2023-06-28 14:48 ` Joseph Myers
2023-06-28 8:42 ` [PATCH v3 02/16] Exclude routines from fortification Frédéric Bérat
2023-06-30 14:55 ` Siddhesh Poyarekar
2023-07-03 15:16 ` Frederic Berat
2023-07-04 16:04 ` Siddhesh Poyarekar [this message]
2023-06-28 8:42 ` [PATCH v3 03/16] sysdeps: Ensure ieee128*_chk routines to be properly named Frédéric Bérat
2023-06-30 14:58 ` Siddhesh Poyarekar
2023-06-30 15:55 ` Paul E Murphy
2023-06-30 15:57 ` Frederic Berat
2023-06-28 8:42 ` [PATCH v3 04/16] string: Ensure *_chk routines have their hidden builtin definition available Frédéric Bérat
2023-06-30 15:06 ` Siddhesh Poyarekar
2023-06-28 8:42 ` [PATCH v3 05/16] stdio: " Frédéric Bérat
2023-06-30 15:09 ` Siddhesh Poyarekar
2023-06-28 8:42 ` [PATCH v3 06/16] asprintf_chk: Ensure compatibility for both s390x and ppc64le Frédéric Bérat
2023-06-30 15:11 ` Siddhesh Poyarekar
2023-06-30 16:08 ` Rajalakshmi Srinivasaraghavan
2023-06-30 17:51 ` Paul E Murphy
2023-07-03 5:35 ` Frederic Berat
2023-06-28 8:42 ` [PATCH v3 07/16] misc/sys/cdefs.h: Create FORTIFY redirects for internal calls Frédéric Bérat
2023-06-30 15:13 ` Siddhesh Poyarekar
2023-06-28 8:42 ` [PATCH v3 08/16] wchar: Avoid PLT entries with _FORTIFY_SOURCE Frédéric Bérat
2023-06-30 15:17 ` Siddhesh Poyarekar
2023-06-30 15:26 ` Frederic Berat
2023-06-28 8:42 ` [PATCH v3 09/16] posix/bits/unistd.h: Clearly separate declaration from definitions Frédéric Bérat
2023-06-30 15:19 ` Siddhesh Poyarekar
2023-06-28 8:42 ` [PATCH v3 10/16] unistd: Avoid PLT entries with _FORTIFY_SOURCE Frédéric Bérat
2023-06-30 15:25 ` Siddhesh Poyarekar
2023-06-28 8:42 ` [PATCH v3 11/16] misc/bits/select2.h: Clearly separate declaration from definitions Frédéric Bérat
2023-06-30 15:26 ` Siddhesh Poyarekar
2023-06-28 8:42 ` [PATCH v3 12/16] misc/bits/syslog.h: Clearly separate declaration from definition Frédéric Bérat
2023-06-30 15:28 ` Siddhesh Poyarekar
2023-06-28 8:42 ` [PATCH v3 13/16] libio/bits/stdio2.h: Clearly separate declaration from definitions Frédéric Bérat
2023-06-30 15:29 ` Siddhesh Poyarekar
2023-06-28 8:42 ` [PATCH v3 14/16] libio/bits/stdio2-decl.h: Avoid PLT entries with _FORTIFY_SOURCE Frédéric Bérat
2023-06-30 15:30 ` Siddhesh Poyarekar
2023-06-30 15:38 ` Frederic Berat
2023-06-30 15:48 ` Siddhesh Poyarekar
2023-06-30 17:08 ` Siddhesh Poyarekar
2023-06-28 8:42 ` [PATCH v3 15/16] sysdeps/ieee754/ldbl-128ibm-compat: Fix warn unused result Frédéric Bérat
2023-06-30 15:33 ` Siddhesh Poyarekar
2023-06-28 8:42 ` [PATCH v3 16/16] Add --enable-fortify-source option Frédéric Bérat
2023-06-30 13:51 ` Siddhesh Poyarekar
2023-07-03 8:50 ` Andreas Schwab
2023-07-03 12:51 ` Adhemerval Zanella Netto
2023-07-04 12:40 ` Frederic Berat
2023-07-04 15:59 ` Siddhesh Poyarekar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=782060ba-5277-8f91-a89f-40c1d87f5365@gotplt.org \
--to=siddhesh@gotplt.org \
--cc=fberat@redhat.com \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).