From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pl1-x62a.google.com (mail-pl1-x62a.google.com [IPv6:2607:f8b0:4864:20::62a]) by sourceware.org (Postfix) with ESMTPS id E5A613858004 for ; Mon, 5 Feb 2024 13:26:31 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org E5A613858004 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org E5A613858004 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::62a ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1707139595; cv=none; b=Rs/tFuGy4ed3i7cTbijQrm0D7o8i3Skn08Qj+CiZHI8J2AbM3yClf95CkcP6C6dIvYg16uvK4GPahKW+tD1IBCZtz+RJ4oRr/nlO5PcUFdnWdlwwjOjT6Vcbio8JjhLI1SNp9AVVBX+xmoU8aXDXqy+6TLbWChiQhoKQ4qZ0BMU= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1707139595; c=relaxed/simple; bh=meQjif9FxwrSprWu7PT2MlXx1CT/28uKdo5VomH9Vb4=; h=DKIM-Signature:Message-ID:Date:MIME-Version:Subject:From:To; b=FuX+Xe0OfkMtG3h/nzvuVwyzPRi3KjTExG7xkaa150hZiLzQloP5jR9EvTCmSyikDLlf4/+6TqYitRhm5CKow787EJXywAlee9Ah7MXUPWQXbYuqgRHXDd5mE9xyHnl6eJ9qie1+tfnx7zvZ7ZhBqV3Pp8d5Rd3+5bZrVBbCJ1E= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-pl1-x62a.google.com with SMTP id d9443c01a7336-1d7232dcb3eso31990425ad.2 for ; Mon, 05 Feb 2024 05:26:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1707139590; x=1707744390; darn=sourceware.org; h=content-transfer-encoding:in-reply-to:organization:references:to :from:content-language:subject:user-agent:mime-version:date :message-id:from:to:cc:subject:date:message-id:reply-to; bh=4fey/boYzt0ezNO/fDermYpAvUOa/9SmbPOIO+wG8cE=; b=fAqUtMkKbkuvc2MJT5S5wl7uxA3LHZCrR1PFhGwEHNzaJXrzT9f9vXSt4502ycEdzO 4q5MKNeDDNUci6IHnyMBvfJApIzJ7nYsqJRB7ir3Mg43gi9fTlkL1HpzLhtSIKj7KVRA HClBUv/ljsl76ouDr9TN6tvp5FgWFK3G0cY1Xs4loNKH14Au69xvfxF3jtroCh2ZAMLl 5NvRYL1LZ8/pKJLRkEEL7TGO8BYViDJrYrpqFrQzAbZ31Rdl15dHWLkdoWAroCow82Pw 8f2hA3+CEdGyUgdkODGac2HInGiLGYyF2jb6eqATyKt0iRpwqci2a75O9J4+bLmBqxtn +KAg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707139590; x=1707744390; h=content-transfer-encoding:in-reply-to:organization:references:to :from:content-language:subject:user-agent:mime-version:date :message-id:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=4fey/boYzt0ezNO/fDermYpAvUOa/9SmbPOIO+wG8cE=; b=sZC6XUA9tzfmq9DtyOFdc7W+bOsUXauHiDeMlWXAsf7Iw1giqWLBHI6J7IVZL/I+/b sCA97BMY/MNkbv14Z/le3/+FuvZ92iS95yJlmRhaYzSc+wpJR7AWVFwgmsVQhHf51qFA XTd8UM5Ths3eDhegodyw61/62I5zCOTaqg2QcaurHtTtAncMtz/i6ZrFwEvZpibxon8c mQmHtsrUfZ5osRGgudU0Qv44iIvOXKUzXcUOiUPFaFY/Obn4ShbVgwTBV+ul9ssdlPh+ GUF5/yXond5r7sQb1P2njKn4+gTye/4Y5mmymKTMFRotGVkIRJsAgwvSx6i5xcZuFcoh rJtw== X-Gm-Message-State: AOJu0Ywcw0QHCEi/SG65HKo5R40EJdLvJDdM4x2zuVakPE1GFzk9XNwI 9FtFp/CsJg8rgr+Kjnlseh6telpwTKrr44MCS/TscaY+PdpuSGqMe5mv7QmrwYw1Tz0m35WJJJU z X-Google-Smtp-Source: AGHT+IFurZDtrAJsaAyTmlRFh/2vB0Cmk3zdODpIyITXX6kRaGfG8F/LDhfcWRKceyzVzhG9zmgxkw== X-Received: by 2002:a17:902:d386:b0:1d9:427a:99b with SMTP id e6-20020a170902d38600b001d9427a099bmr8838490pld.32.1707139589139; Mon, 05 Feb 2024 05:26:29 -0800 (PST) Received: from ?IPV6:2804:1b3:a7c3:574b:f1c3:db83:b701:fe0f? ([2804:1b3:a7c3:574b:f1c3:db83:b701:fe0f]) by smtp.gmail.com with ESMTPSA id t6-20020a170902a5c600b001d956ec291fsm6237445plq.44.2024.02.05.05.26.27 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 05 Feb 2024 05:26:28 -0800 (PST) Message-ID: Date: Mon, 5 Feb 2024 10:26:26 -0300 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v2 00/10] Improve fortify support with clang Content-Language: en-US From: Adhemerval Zanella Netto To: libc-alpha@sourceware.org References: <20240108202149.335305-1-adhemerval.zanella@linaro.org> Organization: Linaro In-Reply-To: <20240108202149.335305-1-adhemerval.zanella@linaro.org> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-5.2 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,TXREP,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: Ping. On 08/01/24 17:21, Adhemerval Zanella wrote: > When using clang, the fortify wrappers show less coverage on both > compile and runtime. For instance, a snippet from tst-fortify.c: > > $ cat t.c > #include > #include > > const char *str1 = "JIHGFEDCBA"; > > int main (int argc, char *argv[]) > { > #define O 0 > struct A { char buf1[9]; char buf2[1]; } a; > strcpy (a.buf1 + (O + 4), str1 + 5); > > return 0; > } > $ gcc -O2 t.c -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=2 -o t > $ ./t > *** buffer overflow detected ***: terminated > Aborted (core dumped) > $ clang -O2 t.c -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=2 -o t > $ ./t > $ > > Although clang does support __builtin___strcpy_chk (which correctly > lowers to __strcpy_chk), the __builtin_object_size passed as third > the argument is not fully correct and thus limits the possible runtime > checks. > > This limitation was already being raised some years ago [1], but the > work has been staled. However, a similar patch has been used for > ChromeOS for some time [2]. Bionic libc also uses a similar approach to > enable fortified wrappers. > > Improve its support with clang, requires defining the fortified wrapper > differently. For instance, the read wrapper is currently expanded as: > > extern __inline > __attribute__((__always_inline__)) > __attribute__((__artificial__)) > __attribute__((__warn_unused_result__)) > ssize_t read (int __fd, void *__buf, size_t __nbytes) > { > return __glibc_safe_or_unknown_len (__nbytes, > sizeof (char), > __glibc_objsize0 (__buf)) > ? __read_alias (__fd, __buf, __nbytes) > : __glibc_unsafe_len (__nbytes, > sizeof (char), > __glibc_objsize0 (__buf)) > ? __read_chk_warn (__fd, > __buf, > __nbytes, > __builtin_object_size (__buf, 0)) > : __read_chk (__fd, > __buf, > __nbytes, > __builtin_object_size (__buf, 0)); > } > > The wrapper relies on __builtin_object_size call lowers to a constant at > Compile time and many other operations in the wrapper depend on > having a single, known value for parameters. Because this is > impossible to have for function parameters, the wrapper depends heavily > on inlining to work and While this is an entirely viable approach on > GCC is not fully reliable on clang. This is because by the time llvm > gets to inlining and optimizing, there is a minimal reliable source and > type-level information available (more information on a more deep > explanation on how to fortify wrapper works on clang [4]). > > To allow the wrapper to work reliably and with the same functionality as > with GCC, clang requires a different approach: > > * __attribute__((diagnose_if(c, “str”, “warning”))) which is a > * function > level attribute; if the compiler can determine that 'c' is true at > compile-time, it will emit a warning with the text 'str1'. If it > would be better to emit an error, the wrapper can use "error" > instead of "warning". > > * __attribute__((overloadable)) which is also a function-level > attribute; and it allows C++-style overloading to occur on C > functions. > > * __attribute__((pass_object_size(n))) which is a parameter-level > attribute; and it makes the compiler evaluate > __builtin_object_size(param, n) at each call site of the function > that has the parameter and passes it in as a hidden parameter. > > This attribute has two side effects that are key to how FORTIFY > works: > > 1. It can overload solely on pass_object_size (e.g. there are two > overloads of foo in > > void foo(char * __attribute__((pass_object_size(0))) c); > void foo(char *); > > (The one with pass_object_size attribute has preceded the > default one). > > 2. A function with at least one pass_object_size parameter can never > have its address taken (and overload resolution respects this). > > Thus the read wrapper can be implemented as follows, without > hindering any fortify coverage compile and runtime: > > Thus the read wrapper can be implemented as follows, without > hindering any fortify coverage compile and runtime: > > extern __inline > __attribute__((__always_inline__)) > __attribute__((__artificial__)) > __attribute__((__overloadable__)) > __attribute__((__warn_unused_result__)) > ssize_t read (int __fd, > void *const __attribute__((pass_object_size (0))) __buf, > size_t __nbytes) > __attribute__((__diagnose_if__ ((((__builtin_object_size (__buf, > 0)) != -1ULL > && (__nbytes) > > (__builtin_object_size (__buf, 0)) / (1))), > "read called with bigger length > than the size of the destination buffer", > "warning"))) > { > return (__builtin_object_size (__buf, 0) == (size_t) -1) > ? __read_alias (__fd, > __buf, > __nbytes) > : __read_chk (__fd, > __buf, > __nbytes, > __builtin_object_size (__buf, 0)); > } > > To avoid changing the current semantic for GCC, a set of macros is > defined to enable the clang required attributes, along with some changes > on internal macros to avoid the need to issue the symbol_chk symbols > (which are done through the __diagnose_if__ attribute for clang). > The read wrapper can be simplified as: > > __fortify_function __attribute_overloadable__ __wur > ssize_t read (int __fd, > __fortify_clang_overload_arg0 (void *, ,__buf), > size_t __nbytes) > __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf, > "read called with bigger > length than " > "size of the destination > buffer") > > { > return __glibc_fortify (read, __nbytes, sizeof (char), > __glibc_objsize0 (__buf), > __fd, __buf, __nbytes); > } > > There is no expected semantic or code change when using GCC. > > Also, clang does not support __va_arg_pack, so variadic functions are > expanded to call va_arg implementations. The error function must not > have bodies (address takes are expanded to nonfortified calls), and > with the __fortify_function compiler might still create a body with the > C++ mangling name (due to the overload attribute). In this case, the > function is defined with __fortify_function_error_function macro > instead. > > To fully test it, I used my clang branch [4] which allowed me to fully > build all fortify tests with clang. With this patchset, there is no > regressions anymore. > > [1] https://sourceware.org/legacy-ml/libc-alpha/2017-09/msg00434.html > [2] https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/refs/heads/main/sys-libs/glibc/files/local/glibc-2.35/0006-glibc-add-clang-style-FORTIFY.patch > [3] https://docs.google.com/document/d/1DFfZDICTbL7RqS74wJVIJ-YnjQOj1SaoqfhbgddFYSM/edit > [4] https://sourceware.org/git/?p=glibc.git;a=shortlog;h=refs/heads/azanella/clang > > Changes from v1: > - Use implementation-namespace identifiers pass_object_size and > pass_dynamic_object_size. > - Simplify the clang macros and enable it iff for clang 5.0 > (that supports __diagnose_if__). > > Adhemerval Zanella (10): > cdefs.h: Add clang fortify directives > libio: Improve fortify with clang > string: Improve fortify with clang > stdlib: Improve fortify with clang > unistd: Improve fortify with clang > socket: Improve fortify with clang > syslog: Improve fortify with clang > wcsmbs: Improve fortify with clang > debug: Improve fcntl.h fortify warnings with clang > debug: Improve mqueue.h fortify warnings with clang > > io/bits/fcntl2.h | 92 ++++++++++++++++++ > io/bits/poll2.h | 29 ++++-- > io/fcntl.h | 3 +- > libio/bits/stdio2.h | 173 +++++++++++++++++++++++++++++---- > misc/bits/syslog.h | 14 ++- > misc/sys/cdefs.h | 158 +++++++++++++++++++++++++++++- > posix/bits/unistd.h | 110 +++++++++++++++------ > rt/bits/mqueue2.h | 29 ++++++ > rt/mqueue.h | 3 +- > socket/bits/socket2.h | 20 +++- > stdlib/bits/stdlib.h | 40 +++++--- > string/bits/string_fortified.h | 57 ++++++----- > wcsmbs/bits/wchar2.h | 167 ++++++++++++++++++++++--------- > 13 files changed, 746 insertions(+), 149 deletions(-) >