From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <msebor@gmail.com>
Received: from mail-qt1-x835.google.com (mail-qt1-x835.google.com
 [IPv6:2607:f8b0:4864:20::835])
 by sourceware.org (Postfix) with ESMTPS id A3A503854819
 for <libc-alpha@sourceware.org>; Mon, 10 May 2021 17:14:03 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org A3A503854819
Received: by mail-qt1-x835.google.com with SMTP id f8so8310242qth.6
 for <libc-alpha@sourceware.org>; Mon, 10 May 2021 10:14:03 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:subject:to:cc:references:from:message-id:date
 :user-agent:mime-version:in-reply-to:content-language
 :content-transfer-encoding;
 bh=Fcr/1/Is3uN/9jKlq8D+GuhnOQUS/oErZYA9McGIzkI=;
 b=CtpigSOKY12+OoCgBtWbtsPoTMDQqi0fC5A/9gkR/RzDSD+ZxEwIKxeEbO2AJWT67r
 x8IEqlXHNQ/XXBmVhGCSJo93hRFXd7l0SPOahxf1nP9Byoh+tZUN5rqc8/oALWDU6xVA
 bIGfnJ5u2j8trGaBHaZZ+S5iGhWv4NVvUhYOi7Z12qZWJEAaljIK3NDfFzUzzBbJggLK
 r61ZfYQBTxm29t4Dc7O/mXFX3PsEX45x4Nqap7LduisPD/4XPLUYhT48F/W6Ur+oBgBA
 kwRp7DaGvp5IZJ/OCF0BHoHMFvKUh82Nw8grCvskklN5D8uUaIhfMHaqgTps175zxftq
 ODOg==
X-Gm-Message-State: AOAM530Yz1i85jtgVz8A1l9J8yiwVtIQxu6FaE7NKiM7gfFg66EplQf2
 9S7iXH4Nqh5HhWlgBB+weySN8JQxE9M=
X-Google-Smtp-Source: ABdhPJxQbGLdgbLsRbRinzFlN1E4LzpT80Mw7LsFShcdhyUewhTOahvDT5Z9y06DwXzKi9sZKkXh2Q==
X-Received: by 2002:ac8:6c48:: with SMTP id z8mr22705632qtu.219.1620666843327; 
 Mon, 10 May 2021 10:14:03 -0700 (PDT)
Received: from [192.168.0.41] (71-218-14-121.hlrn.qwest.net. [71.218.14.121])
 by smtp.gmail.com with ESMTPSA id
 189sm12303002qkh.99.2021.05.10.10.14.02
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Mon, 10 May 2021 10:14:02 -0700 (PDT)
Subject: Re: [PATCH] more out of bounds checking improvements
To: Florian Weimer <fweimer@redhat.com>,
 Martin Sebor via Libc-alpha <libc-alpha@sourceware.org>
Cc: Joseph Myers <joseph@codesourcery.com>
References: <176ba75f-4299-073f-8319-66dbf9fe3f42@gmail.com>
 <alpine.DEB.2.22.394.2010261556330.102486@digraph.polyomino.org.uk>
 <b8585e45-a133-26c8-200a-eb342364a34f@gmail.com>
 <87k0ot9trs.fsf@oldenburg.str.redhat.com>
 <abe4c8ba-1113-c863-5b69-7b4182f0542d@gmail.com>
 <87v98d6ldm.fsf@oldenburg.str.redhat.com>
 <2a7e377d-60c8-313b-9422-6cd0b4f5224c@gmail.com>
 <e90bac56-0883-c758-4781-58885bfce2fc@gmail.com>
 <87fsyvf04w.fsf@oldenburg.str.redhat.com>
From: Martin Sebor <msebor@gmail.com>
Message-ID: <7da0198c-a478-d877-4b64-da5a50e7e87b@gmail.com>
Date: Mon, 10 May 2021 11:14:01 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.2.2
MIME-Version: 1.0
In-Reply-To: <87fsyvf04w.fsf@oldenburg.str.redhat.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-10.3 required=5.0 tests=BAYES_00, DKIM_SIGNED,
 DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, GIT_PATCH_0,
 NICE_REPLY_A, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS,
 TXREP autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
 server2.sourceware.org
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Mon, 10 May 2021 17:14:05 -0000

On 5/10/21 2:45 AM, Florian Weimer wrote:
> * Martin Sebor via Libc-alpha:
> 
>> diff --git a/nss/makedb.c b/nss/makedb.c
>> index 74edb749cf..9389f6b548 100644
>> --- a/nss/makedb.c
>> +++ b/nss/makedb.c
>> @@ -747,7 +747,8 @@ write_output (int fd)
>>     header->valstrlen = valstrlen;
>>   
>>     size_t filled_dbs = 0;
>> -  struct iovec iov[2 + ndatabases * 3];
>> +  size_t iov_nelts = 2 + ndatabases * 3;
>> +  struct iovec iov[iov_nelts];
>>     iov[0].iov_base = header;
>>     iov[0].iov_len = file_offset;
>>   
>> @@ -791,7 +792,9 @@ write_output (int fd)
>>   			  + nhashentries_total * sizeof (stridx_t)));
>>     header->allocate = file_offset;
>>   
>> -  if (writev (fd, iov, 2 + ndatabases * 3) != keydataoffset)
>> +  /* Help GCC 10 see iov_nelts doesn't overflow the writev argument.  */
>> +  assert (iov_nelts <= INT_MAX);
>> +  if (writev (fd, iov, iov_nelts) != keydataoffset)
>>       {
>>         error (0, errno, gettext ("failed to write new database file"));
>>         return EXIT_FAILURE;
> 
> I don't think you should use assert to suppress compiler warnings
> because we are supposed to have warning-free builds even with -DNDEBUG
> (although it's likely that other problems exist).

So how about the following instead of the assert?

diff --git a/nss/makedb.c b/nss/makedb.c
index 9389f6b548..6551b3cf2a 100644
--- a/nss/makedb.c
+++ b/nss/makedb.c
@@ -792,14 +792,25 @@ write_output (int fd)
                           + nhashentries_total * sizeof (stridx_t)));
    header->allocate = file_offset;

-  /* Help GCC 10 see iov_nelts doesn't overflow the writev argument.  */
    assert (iov_nelts <= INT_MAX);
+
+#if __GNUC_PREREQ (10, 0)
+  DIAG_PUSH_NEEDS_COMMENT;
+  /* Avoid GCC 10 false positice warning: specified size exceeds maximum
+     object size.  */
+  DIAG_IGNORE_NEEDS_COMMENT (10, "-Wstringop-overflow");
+#endif
+
    if (writev (fd, iov, iov_nelts) != keydataoffset)
      {
        error (0, errno, gettext ("failed to write new database file"));
        return EXIT_FAILURE;
      }

+#if __GNUC_PREREQ (10, 0)
+  DIAG_POP_NEEDS_COMMENT;
+#endif
+
    return EXIT_SUCCESS;
  }

Martin