From: Florian Weimer
To: Sergey Bugaev
Cc: libc-alpha@sourceware.org
Subject: Re: [RFC PATCH 1/1] io: Add FORTIFY_SOURCE check for fcntl arguments
References: <20230519213059.3812385-1-bugaevc@gmail.com> <20230519213059.3812385-2-bugaevc@gmail.com> <871qj6202r.fsf@mid.deneb.enyo.de> <87fs7myvxm.fsf@oldenburg.str.redhat.com>
Date: Wed, 24 May 2023 13:18:12 +0200
In-Reply-To: (Sergey Bugaev's message of "Wed, 24 May 2023 13:51:15 +0300")
Message-ID: <87zg5uvuyz.fsf@oldenburg.str.redhat.com>

* Sergey Bugaev:

> On Wed, May 24, 2023 at 11:29 AM Florian Weimer wrote:
>
>> I'm attaching my broken patch. It's based on commit ef4f97648dc9584
>> (from 2016).
>
> Thank you, that's helpful.
>
> A couple more issues with your patch (I understand that it's WIP and broken):
>
> 1. You're doing
>
> int __fcntl_chk (int, int, ...);
> int __REDIRECT (__fcntl_int, (int, int, int __arg), __fcntl_chk);
>
> This is not OK, the ABI may be different between vararg- and
> non-vararg functions.

Right, I planned to make __fcntl_chk non-variadic in its implementation.
We unconditionally read the argument already. Variadic calls to
non-variadic functions are okay for our ABIs, we need that for K&R
compatibility anyway.

> 2. It doesn't do the runtime check if called with 2 args and
> non-c-t-const cmd.

That's possible, I don't remember.

>> IIRC, it doesn't quite work because __builtin_choose_expression only
>> suppresses errors, but not warnings, in the branch that wasn't chosen.
>> 8-(
>>
>> Maybe this is something that could be fixed with _Generic, using
>> __builtin_choose_expression for the __fcntl_is_void check only.
>
> Yes -- I've sketched something up using _Generic and it appears to
> work great: https://godbolt.org/z/8zdzo3T5Y
>
> It does do preprocessor trickery ("friendship ended with
> __builtin_va_arg_pack_len, now __VA_OPT__ is my best friend") and does
> not use __builtin_choose_expr at all, so should be C++-compatible too
> (try with -xc++).

Right, it doesn't look too bad actually.

> This, too, is obviously a prototype, and does not do runtime _2
> checking nor 64-bit handling and so on.
>
> What do you think? Is this direction worth pursuing?

I think so, yes.

Thanks,
Florian