From: Florian Weimer <fweimer@redhat.com>
To: Sergey Bugaev <bugaevc@gmail.com>
Cc: Siddhesh Poyarekar <siddhesh@redhat.com>, libc-alpha@sourceware.org
Subject: Re: [PATCH v2 0/3] fcntl fortification
Date: Tue, 30 May 2023 13:50:26 +0200 [thread overview]
Message-ID: <87zg5mt4vx.fsf@oldenburg.str.redhat.com> (raw)
In-Reply-To: <CAN9u=He-FyaPYMyYn+wRaC8O68AwEyPyNSqcrpSNVd5-qPBDEg@mail.gmail.com> (Sergey Bugaev's message of "Tue, 30 May 2023 14:34:45 +0300")
* Sergey Bugaev:
>> Oh, I'm not sure if the run-time check is really that useful.
>>
>> There's no vfcntl function, so I expect that we will have accurate type
>> information at the callsite in most cases, and the compile-time check
>> works.
>
> I see. Well, I copied what the open () fortification was doing, and I
> see that many other fortifications have a runtime-checked version in
> addition to compile-time checks.
>
> There is no vopen either, but it's not hard to imagine someone doing
>
> open (path, O_WRITE | O_CREAT | (cloexec ? O_CLOEXEC : 0))
>
> and similarly
>
> fcntl (fd, cloexec ? F_DUPFD_CLOEXEC : F_DUPFD)
>
> in both cases __builtin_constant_p will be false, and the user will
> miss out on the fortification, and won't notice they forgot the
> required 3rd argument.
That suggests that we should apply __builtin_constant_p to the result of
the cmd check, and not the cmd value. So something like
(__builtin_constant_p ((cmd) == F_DUPFD || (cmd) == F_DUPFD_CLOEXEC)
&& ((cmd) == F_DUPFD || (cmd) == F_DUPFD_CLOEXEC))
with a potential guard against evaluating cmd multiple times.
Thanks,
Florian
next prev parent reply other threads:[~2023-05-30 11:50 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-28 17:20 Sergey Bugaev
2023-05-28 17:20 ` [PATCH v2 1/3] support: Add support_fcntl_support_ofd_locks () Sergey Bugaev
2023-05-29 13:18 ` Adhemerval Zanella Netto
2023-05-28 17:20 ` [PATCH v2 2/3] cdefs.h: Define __glibc_warn_system_headers_{begin,end} Sergey Bugaev
2023-05-29 14:50 ` [PATCH v2 2/3] cdefs.h: Define __glibc_warn_system_headers_{begin, end} Adhemerval Zanella Netto
2023-05-28 17:20 ` [PATCH v2 3/3] io: Add FORTIFY_SOURCE check for fcntl arguments Sergey Bugaev
2023-05-29 16:54 ` Adhemerval Zanella Netto
2023-05-29 17:31 ` Sergey Bugaev
2023-05-29 18:09 ` Adhemerval Zanella Netto
2023-05-29 19:57 ` Sergey Bugaev
2023-05-29 20:14 ` Adhemerval Zanella Netto
2023-05-29 20:49 ` Sergey Bugaev
2023-05-29 21:09 ` Adhemerval Zanella Netto
2023-05-29 21:59 ` Sergey Bugaev
2023-05-30 11:34 ` Adhemerval Zanella Netto
2023-05-30 7:41 ` Florian Weimer
2023-05-30 9:07 ` Sergey Bugaev
2023-05-30 9:50 ` Florian Weimer
2023-05-30 11:35 ` Adhemerval Zanella Netto
2023-05-30 8:09 ` [PATCH v2 0/3] fcntl fortification Florian Weimer
2023-05-30 10:46 ` Sergey Bugaev
2023-05-30 11:08 ` Florian Weimer
2023-05-30 11:34 ` Sergey Bugaev
2023-05-30 11:50 ` Florian Weimer [this message]
2023-05-30 11:51 ` Florian Weimer
2023-05-30 12:15 ` Sergey Bugaev
2023-05-30 12:26 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87zg5mt4vx.fsf@oldenburg.str.redhat.com \
--to=fweimer@redhat.com \
--cc=bugaevc@gmail.com \
--cc=libc-alpha@sourceware.org \
--cc=siddhesh@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).