From: Sergey Bugaev
Date: Tue, 30 May 2023 14:34:45 +0300
Subject: Re: [PATCH v2 0/3] fcntl fortification
To: Florian Weimer
Cc: Siddhesh Poyarekar, libc-alpha@sourceware.org
References: <20230528172013.73111-1-bugaevc@gmail.com> <87wn0qw88m.fsf@oldenburg.str.redhat.com> <878rd6uleb.fsf@oldenburg.str.redhat.com>
In-Reply-To: <878rd6uleb.fsf@oldenburg.str.redhat.com>

On Tue, May 30, 2023 at 2:08 PM Florian Weimer wrote:
> Ahh, maybe that check is implied by doing this for fortification only?

All of this is only happening within the fortification header, yes, that does not even get #included if the preconditions for including it fail. The preconditions are currently the same as for the open () fortification due to sharing the same header file, but they are going to be different (in v3) because this now needs __VA_OPT__ and __typeof but does not need __builtin_va_arg_pack.

> Oh, I'm not sure if the run-time check is really that useful.
>
> There's no vfcntl function, so I expect that we will have accurate type
> information at the callsite in most cases, and the compile-time check
> works.

I see. Well, I copied what the open () fortification was doing, and I see that many other fortifications have a runtime-checked version in addition to compile-time checks. There is no vopen either, but it's not hard to imagine someone doing

    open (path, O_WRITE | O_CREAT | (cloexec ? O_CLOEXEC : 0))

and similarly

    fcntl (fd, cloexec ? F_DUPFD_CLOEXEC : F_DUPFD)

in both cases __builtin_constant_p will be false, and the user will miss out on the fortification, and won't notice they forgot the required 3rd argument.

Sergey
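
The run-time case described in the message above, as an added example that is not part of the thread and is not glibc's implementation: a hypothetical `demo_fcntl` wrapper whose command is chosen by a ternary, so `__builtin_constant_p` is false and only a run-time check can notice the missing third argument. Every `demo_` and `DEMO_` name is an assumption made for illustration.

```c
/* Added illustration, not glibc code; all demo_ and DEMO_ names are hypothetical.
   Needs GCC or Clang with __VA_OPT__; handles int-argument commands only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>

enum { DEMO_COMPILE_TIME, DEMO_RUN_TIME };
/* Which kind of check can see the command value. */
#define DEMO_PATH(cmd) (__builtin_constant_p (cmd) ? DEMO_COMPILE_TIME : DEMO_RUN_TIME)
/* 1 if a third argument was written at the call site, else 0. */
#define DEMO_HAVE_ARG(...) (0 __VA_OPT__(+ 1))
#define DEMO_ARG(...) (0 __VA_OPT__(+ (int) (__VA_ARGS__)))
#define demo_fcntl(fd, cmd, ...) \
  demo_fcntl_chk ((fd), (cmd), DEMO_HAVE_ARG (__VA_ARGS__), DEMO_ARG (__VA_ARGS__))

static int demo_cmd_needs_arg (int cmd) {
  return cmd == F_DUPFD || cmd == F_DUPFD_CLOEXEC || cmd == F_SETFD || cmd == F_SETFL;
}

/* Run-time fallback. glibc's open () run-time check aborts at this point; the
   demo returns -1 with EINVAL so the outcome can be asserted. */
static int demo_fcntl_chk (int fd, int cmd, int have_arg, int arg) {
  if (demo_cmd_needs_arg (cmd) && !have_arg) { errno = EINVAL; return -1; }
  return have_arg ? fcntl (fd, cmd, arg) : fcntl (fd, cmd);
}

int demo_constant_cmd_path (void) { return DEMO_PATH (F_DUPFD); }

/* Call shape from the message: command chosen at run time, third argument
   forgotten. *path reports which kind of check is able to catch it. */
int demo_dup_missing_arg (int fd, int cloexec, int *path) {
  volatile int c = cloexec;  /* keep the optimizer from folding the ternary */
  int cmd = c ? F_DUPFD_CLOEXEC : F_DUPFD;
  *path = DEMO_PATH (cmd);
  return demo_fcntl (fd, cmd);
}

/* Same run-time choice, third argument supplied (lowest new fd is 3). */
int demo_dup_with_arg (int fd, int cloexec) {
  volatile int c = cloexec;
  return demo_fcntl (fd, c ? F_DUPFD_CLOEXEC : F_DUPFD, 3);
}

int main (void) {
  int path, r = demo_dup_missing_arg (0, 1, &path);
  printf ("path=%d result=%d\n", path, r);
  return 0;
}
```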