From: Sergey Bugaev
Date: Tue, 23 May 2023 23:01:23 +0300
Subject: Re: [RFC PATCH 1/1] io: Add FORTIFY_SOURCE check for fcntl arguments
To: Siddhesh Poyarekar
Cc: libc-alpha@sourceware.org
References: <20230519213059.3812385-1-bugaevc@gmail.com> <20230519213059.3812385-2-bugaevc@gmail.com>

Hello,

On Tue, May 23, 2023 at 10:15 PM Siddhesh Poyarekar wrote:
> *_chk but I don't want to block this good work on that. The overall
> direction is good IMO

Yay, thanks!

> - manual/contrib.texi should be updated to mention fcntl

Do you mean manual/maint.texi? manual/contrib.texi seems to contain a
list of contributors.

> - Internal users end up calling __libc_fcntl (see dup2.c or grantpt.c
> for example), which will essentially bypass any fortification. This is
> not a problem today since we don't build glibc with fortification, but
> Frederic Berat[1] has been experimenting with that and we're hoping to
> get at least a subset of glibc fortified for 2.38. It would be a shame
> to miss fortifying glibc itself. This is again not a problem that would
> block this patch, but something to be aware of.

Yes, I've thought of this, but I don't know what I could change in
this patch to make it friendlier to in-glibc fortification. I've
generally done things the same way as the open* fortification does; so
I don't think this would be adding any new complications compared to
what's already in there.

> Given that this will error out at compile time, do we even need this
> __fcntl64_2 call?

Same as for the open* fortification: this call will only fail at
compile time if the cmd is a compile-time constant. If it's not (which
is a rare, but valid case), we need to do the check at runtime.

Note that if cmd _is_ a compile-time constant and does not require the
3rd arg, this will call the regular fcntl, not the _2 version; the _2
version is only for non-compile-time-const cmd-s.

Sergey
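
Added example (not part of the original message and not code from the patch): a C sketch of the dispatch described in the reply above for a two-argument fcntl call. The names cmd_needs_arg, fcntl_2arg_runtime, fcntl_2arg and demo are hypothetical, the command list is partial, and __builtin_constant_p is the GCC/Clang builtin assumed here for the constant test.

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

static int runtime_checks;   /* calls that went through the runtime path */

/* Hypothetical helper; lists only a few POSIX commands that read a 3rd arg. */
static int cmd_needs_arg(int cmd)
{
    switch (cmd) {
    case F_DUPFD: case F_SETFD: case F_SETFL:
    case F_GETLK: case F_SETLK: case F_SETLKW:
        return 1;
    default:
        return 0;
    }
}

/* Stand-in for the runtime check on a two-argument call. Returning
   -1/EINVAL is this sketch's choice so the result can be asserted on. */
static int fcntl_2arg_runtime(int fd, int cmd)
{
    runtime_checks++;
    if (cmd_needs_arg(cmd)) { errno = EINVAL; return -1; }
    return fcntl(fd, cmd);
}

/* Constant cmd needing no argument: plain fcntl. Non-constant cmd: runtime
   check. A constant cmd that needs the argument is the compile-time error
   case in the thread; here it also goes to the runtime check. */
#define fcntl_2arg(fd, cmd)                                 \
    ((__builtin_constant_p(cmd) && !cmd_needs_arg(cmd))     \
         ? fcntl((fd), (cmd)) : fcntl_2arg_runtime((fd), (cmd)))

/* Constructed demo: returns the number of runtime checks, or -1. */
int demo(void)
{
    int fd = open("/dev/null", O_RDONLY);
    volatile int cmd = F_GETFD;        /* value unknown to the compiler */
    runtime_checks = 0;
    int a = fcntl_2arg(fd, F_GETFD);   /* constant, no argument needed */
    int b = fcntl_2arg(fd, cmd);       /* variable: checked, then passes */
    cmd = F_SETFL;
    int c = fcntl_2arg(fd, cmd);       /* variable, argument missing */
    close(fd);
    return (a == 0 && b == 0 && c == -1) ? runtime_checks : -1;
}

int main(void) { return demo() == 2 ? 0 : 1; }
```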