From: Sergey Bugaev <bugaevc@gmail.com>
To: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>
Cc: Florian Weimer <fweimer@redhat.com>, libc-alpha@sourceware.org
Subject: Re: [PATCH v2 3/3] io: Add FORTIFY_SOURCE check for fcntl arguments
Date: Mon, 29 May 2023 22:57:02 +0300 [thread overview]
Message-ID: <CAN9u=HfjNX8ryX7ry=Xj4Hcs8-cAvjsP48iy6WmRMQgVEkKBMg@mail.gmail.com> (raw)
In-Reply-To: <8354c659-cfb0-993a-2764-72a2cd6f6ed4@linaro.org>
On Mon, May 29, 2023 at 9:09 PM Adhemerval Zanella Netto
<adhemerval.zanella@linaro.org> wrote:
> > It's not really required. Apparently even an 'inline' function call is
> > enough to to disarm __builtin_constant_p [0]; I just threw both
> > volatile and noinline in for good measure.>
> > [0] https://godbolt.org/z/v9569KGTT
>
> It is because afaiu 'volatile' does not really match the semantics of what you
> are trying to do here. Maybe if you really need the compile to force lvalue
> evaluation, it should use something similar to math_opt_barrier.
So, an asm block that does nothing, but is said to read and modify the
value? Sounds better indeed, and reminds me of how
std::hint::black_box is implemented.
> Nevermind, you do need to check for __USE_LARGEFILE64 symbols. But
> you can omit the '#if defined", they are always defined.
Uhh that's unfortunate actually. I hoped the test would check the
non-__USE_LARGEFILE64 configuration as well, to catch some
__USE_LARGEFILE64-only definition being used unconditionally, for
example.
> And debugging a bit, it seems that I found another issue. Building
> tst-fortify-c-lfs-1-def.c the post-processed output (-E -dD) for fcntl call is:
>
> res = (0 ? __fcntl_2_inline (0, 2) : !__builtin_constant_p (2) ? __fcntl_alias (0, 2, 0) : (__fcntl_is_int (2) ? __builtin_types_compatible_p (__typeof (0), int) : __fcntl_is_const_uint64_t_ptr (2) ? (__builtin_types_compatible_p (__typeof (0), const __uint64_t *) || __builtin_types_compatible_p (__typeof (0), __uint64_t *)) : __fcntl_is_uint64_t_ptr (2) ? __builtin_types_compatible_p (__typeof (0), __uint64_t *) : __fcntl_is_const_fowner_ex (2) ? (__builtin_types_compatible_p (__typeof (0), const struct f_owner_ex *) || __builtin_types_compatible_p (__typeof (0), struct f_owner_ex *)) : __fcntl_is_fowner_ex (2) ? __builtin_types_compatible_p (__typeof (0), struct f_owner_ex *) : __fcntl_is_const_flock (2, 0) ? (__builtin_types_compatible_p (__typeof (0), const struct flock *) || __builtin_types_compatible_p (__typeof (0), struct flock *)) : __fcntl_is_flock (2, 0) ? __builtin_types_compatible_p (__typeof (0), struct flock *) : __fcntl_is_const_flock64 (2, 0) ? (__builtin_types_compatible_p (__typeof (0), const struct flock64 *) || __builtin_types_compatible_p (__typeof (0), struct flock64 *)) : __fcntl_is_flock64 (2, 0) ? __builtin_types_compatible_p (__typeof (0), struct flock64 *) : 1) ? __fcntl_alias (0, 2, 0) : __fcntl_warn (0, 2, 0));
>
> Which is the non-LFS version.
Hmm, I don't see the issue? And the test passes, doesn't it? :)
(If it passes *despite* the 32-vs-64 confusion, that is a problem in
itself, that'd mean it's not checking what it's supposed to be
checking.)
The fcntl macro will always expand to the same thing (modulo C vs C++
type check differences). But then __fcntl_alias and __fcntl_warn both
reference the same symbol that fcntl would reference had it not been
for the fortification -- which is going to be the 'fcntl64' symbol
with __USE_FILE_OFFSET64.
> So I think this patch should do the same:
>
> #ifndef __USE_FILE_OFFSET64
> # define fcntl(fd, cmd, ...) \
> (__VA_OPT__ (0 ?) __fcntl_2_inline (fd, cmd) \
> __VA_OPT__ (: \
> !__builtin_constant_p (cmd) ? __fcntl_alias (fd, cmd, __VA_ARGS__) \
> : __fcntl_type_check (cmd, __VA_ARGS__, 0) \
> ? __fcntl_alias (fd, cmd, __VA_ARGS__) \
> : __fcntl_warn (fd, cmd, __VA_ARGS__)))
> #else
> # define fcntl(fd, cmd, ...) \
> (__VA_OPT__ (0 ?) __fcntl_2_inline (fd, cmd) \
> __VA_OPT__ (: \
> !__builtin_constant_p (cmd) ? __fcntl64_alias (fd, cmd, __VA_ARGS__) \
> : __fcntl_type_check (cmd, __VA_ARGS__, 0) \
> ? __fcntl64_alias (fd, cmd, __VA_ARGS__) \
> : __fcntl64_warn (fd, cmd, __VA_ARGS__)))
> #endif
What's the point? -- __fcntl_alias and __fcntl64_alias are supposed to
both reference the same thing (fcntl64 or __fcntl_time64) with
__USE_FILE_OFFSET64. Or more generally: do the same thing as the
non-fortified definition does.
Hope this makes sense.
Sergey
next prev parent reply other threads:[~2023-05-29 19:57 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-28 17:20 [PATCH v2 0/3] fcntl fortification Sergey Bugaev
2023-05-28 17:20 ` [PATCH v2 1/3] support: Add support_fcntl_support_ofd_locks () Sergey Bugaev
2023-05-29 13:18 ` Adhemerval Zanella Netto
2023-05-28 17:20 ` [PATCH v2 2/3] cdefs.h: Define __glibc_warn_system_headers_{begin,end} Sergey Bugaev
2023-05-29 14:50 ` [PATCH v2 2/3] cdefs.h: Define __glibc_warn_system_headers_{begin, end} Adhemerval Zanella Netto
2023-05-28 17:20 ` [PATCH v2 3/3] io: Add FORTIFY_SOURCE check for fcntl arguments Sergey Bugaev
2023-05-29 16:54 ` Adhemerval Zanella Netto
2023-05-29 17:31 ` Sergey Bugaev
2023-05-29 18:09 ` Adhemerval Zanella Netto
2023-05-29 19:57 ` Sergey Bugaev [this message]
2023-05-29 20:14 ` Adhemerval Zanella Netto
2023-05-29 20:49 ` Sergey Bugaev
2023-05-29 21:09 ` Adhemerval Zanella Netto
2023-05-29 21:59 ` Sergey Bugaev
2023-05-30 11:34 ` Adhemerval Zanella Netto
2023-05-30 7:41 ` Florian Weimer
2023-05-30 9:07 ` Sergey Bugaev
2023-05-30 9:50 ` Florian Weimer
2023-05-30 11:35 ` Adhemerval Zanella Netto
2023-05-30 8:09 ` [PATCH v2 0/3] fcntl fortification Florian Weimer
2023-05-30 10:46 ` Sergey Bugaev
2023-05-30 11:08 ` Florian Weimer
2023-05-30 11:34 ` Sergey Bugaev
2023-05-30 11:50 ` Florian Weimer
2023-05-30 11:51 ` Florian Weimer
2023-05-30 12:15 ` Sergey Bugaev
2023-05-30 12:26 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAN9u=HfjNX8ryX7ry=Xj4Hcs8-cAvjsP48iy6WmRMQgVEkKBMg@mail.gmail.com' \
--to=bugaevc@gmail.com \
--cc=adhemerval.zanella@linaro.org \
--cc=fweimer@redhat.com \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).