Date: Thu, 22 Dec 2022 09:22:07 -0500
Subject: Re: [PATCH] Add _FORTIFY_SOURCE implementation documentation [BZ #28998]
From: Siddhesh Poyarekar
To: Siddhesh Poyarekar, Florian Weimer
Cc: libc-alpha@sourceware.org
References: <20221215162506.1802077-1-siddhesh@sourceware.org> <873597o92c.fsf@oldenburg.str.redhat.com> <58b6325f-41e0-ce46-c691-10eb792246a4@sourceware.org>
In-Reply-To: <58b6325f-41e0-ce46-c691-10eb792246a4@sourceware.org>

On 2022-12-22 09:19, Siddhesh Poyarekar via Libc-alpha wrote:
> On 2022-12-22 08:35, Florian Weimer via Libc-alpha wrote:
>> * Siddhesh Poyarekar:
>>
>>> +The @code{_FORTIFY_SOURCE} macro may be defined by users to control
>>> +hardening of calls into some functions in @theglibc{}.  This feature
>>> +needs a compiler that supports either the @code{__builtin_object_size}
>>> +or the @code{__builtin_dynamic_object_size} builtin functions.  When
>>> the
>>> +macro is defined, it enables code that validates access to buffers that
>>> +are passed to some functions in @theglibc to determine if they
>>> +are safe.  If the compiler is able to deduce the size of the buffer
>>> +passed to the function call but the call cannot be determined as safe,
>>> +it is replaced by a call to its hardened variant that does the access
>>> +validation at runtime.  At runtime, if the access validation check for
>>> +the buffer fails, the program will terminate with a @code{SIGABRT}
>>> +signal.
>>
>> This doesn't really cover %n checks and the open checks, so it's
>> slightly misleading.
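Review bot: the line `+are passed to some functions in @theglibc to determine if they` invokes the macro without braces, whereas the hunk's own earlier line `+hardening of calls into some functions in @theglibc{}.` uses `@theglibc{}`; the two spellings are not the same Texinfo macro invocation, so this one should be `@theglibc{}` as well.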
>
> How about the following then; I've mentioned %n in the description for
> level 2 so I'm only trying to provide a high level summary here:
>
> """
> If the compiler is able to deduce the size of the buffer passed to the
> function call but the call cannot be determined as safe, it is replaced
> by a call to its hardened variant that performs additional safety checks
> at runtime.  At runtime, if those safety checks fail, the program will
> terminate with a @code{SIGABRT} signal.
> """
>

Uhmm, I just noticed that the open* checking is enabled at
__FORTIFY_LEVEL == 1, so I guess that description needs to change too.

Sid
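The buffer-size mechanism the quoted documentation text describes, as an added example that is not glibc's code and not part of this thread: `memcpy_chk_model` is a hypothetical stand-in for the hardened `__memcpy_chk` variant that returns a result code where glibc's real check would end in SIGABRT, while `__builtin_object_size` is the real compiler builtin evaluated at the call site. The sample payload and buffer names are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Outcome of one modelled fortified call.  Real glibc has no such codes:
   a failed check ends in __chk_fail () and SIGABRT. */
enum fortify_result {
    FORTIFY_UNCHECKED = 0,   /* size not deducible: plain memcpy, nothing checked */
    FORTIFY_CHECKED_OK = 1,  /* size known and the request fits */
    FORTIFY_WOULD_ABORT = 2  /* size known and the request is too large */
};

/* Hypothetical stand-in for __memcpy_chk: dst_size is the destination
   size the compiler deduced, (size_t)-1 meaning "unknown". */
static enum fortify_result
memcpy_chk_model(void *dst, const void *src, size_t n, size_t dst_size)
{
    if (dst_size == (size_t)-1) {
        memcpy(dst, src, n);          /* no hardening is possible here */
        return FORTIFY_UNCHECKED;
    }
    if (n > dst_size)
        return FORTIFY_WOULD_ABORT;   /* glibc would call __chk_fail () */
    memcpy(dst, src, n);
    return FORTIFY_CHECKED_OK;
}

/* Same shape as a fortify wrapper: __builtin_object_size is evaluated by
   the compiler at the call site, so the check costs one comparison. */
#define MEMCPY_FORTIFIED(dst, src, n) \
    memcpy_chk_model((dst), (src), (n), __builtin_object_size((dst), 0))

static const char sample_src[64] = "constructed sample payload"; /* constructed */

/* Destination is a local array: the compiler knows it holds 16 bytes, so
   n > 16 is caught before any byte is written. */
enum fortify_result copy_into_local_array(size_t n)
{
    char dst[16];
    return MEMCPY_FORTIFIED(dst, sample_src, n);
}

/* Destination arrives through a pointer: unless the caller is inlined the
   compiler cannot see the allocation, so the call is left unchecked. */
char scratch_buffer[32];
enum fortify_result copy_through_pointer(char *dst, size_t n)
{
    return MEMCPY_FORTIFIED(dst, sample_src, n);
}
```

The local-array case is decided from the declaration alone, while the pointer case only becomes checkable if the compiler can see the allocation after inlining, which is why glibc's headers warn that _FORTIFY_SOURCE wants optimization enabled.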