From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pf1-x42a.google.com (mail-pf1-x42a.google.com [IPv6:2607:f8b0:4864:20::42a]) by sourceware.org (Postfix) with ESMTPS id 129603858C35 for ; Tue, 20 Feb 2024 13:17:45 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 129603858C35 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 129603858C35 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::42a ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1708435069; cv=none; b=Uw+CI+w6o0kyntfjN70FZQ1TbMcjvH26+16vxJu4pMpJwjKelvgw5p9cS6yR7GW7I0xyhzjyljHlMVv6jwnds/EyXHIxLWoIgPNkqfOjYXr+yj9IJGoyYJiw+zGRnL1gPGczMOg/o/M2envVLorLageq3nAhwymBPWEDuDiknPo= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1708435069; c=relaxed/simple; bh=1M5D/hDYYejlgSGGWN5b4zKrkoie3/2rtTjvNOFgDmI=; h=DKIM-Signature:Message-ID:Date:MIME-Version:Subject:From:To; b=e1uk7YElAPe5m54s887ra/Yu4+3yJoLYTnlWxNtbcUwwV8vIPZ0H08ahyu/8DBLfEH52RvGQNXPDzAhu4ZRV+panUfNySwfSKlgah3SYhVYnBmZV7rpVEYcimpHQGlkAiIcgRP7uX0ceWw4sbnyTT7rWhQNCAH3AxzwYpxs44Gg= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-pf1-x42a.google.com with SMTP id d2e1a72fcca58-6e37e6dae45so1334966b3a.1 for ; Tue, 20 Feb 2024 05:17:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1708435063; x=1709039863; darn=sourceware.org; h=content-transfer-encoding:in-reply-to:organization:references:cc:to :from:content-language:subject:user-agent:mime-version:date :message-id:from:to:cc:subject:date:message-id:reply-to; bh=dfEI0ROsKqqYf/c6pHf01RNh0z4grqPuIoXr/nyOiWQ=; b=g8tzkc+9/UzzMbvlhKed6JFyjMGfqETwhc0s9GS7waZQOOhANubbPsyMy6UnxhGpBS fg+WJE3n23UJbD9+vqVtIsbpLuk2NmCK+Lmj+mMD0BVxv8iyFzHYrYza/nceNU2LBv+b p670WV3bnMIqng3NbqfHYNVKsOsRDpU7BdVbu0cdq0ZdUccS4vXLeD5WKQD6UDFIyThY 7iwUtFoyUItWYcD+JAdSytsT6qXSkJLhkNaHLtTx67dUPhUdGdxUB1XWVGDHHvevvYF6 pUvd9CdK9lwbmbE8UiJcKo1roNDqO0pThBYdRdbVfgc3CCxZFs4TiYWOY18PVKuR1Hg/ stiQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708435063; x=1709039863; h=content-transfer-encoding:in-reply-to:organization:references:cc:to :from:content-language:subject:user-agent:mime-version:date :message-id:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=dfEI0ROsKqqYf/c6pHf01RNh0z4grqPuIoXr/nyOiWQ=; b=W7c/Yr7IIuZjT8ZA16RrGTGcmRCdGVsLbrATOkqVGFcu2y11HzOeCg6QxtgcZUTLFU Nc07Wfes5e+6JmCVABqvmA8vi2+wzpwcEwH1yATtmgka8BdhkL12O0LDVOkacSFeQAJE YHf5wocLUisHc4BUO7x+Sxn5+W3VNXQQ3tcGTHo0Ch+PhpRtpnUyUOcnP8CwMnrMdnoW rCpwtCSAZpfgaldjVehZ+1QW0/nGwyqVFmAsedkr3XZnMeoUsjBY0ENEnYRayy6u48He nH7I+MkSJl6po+PJz9ysaJxnNOcRecL7dwZWA1uJ6UiwzZAq2aZZccXL4dMpK21EjLwM wlaw== X-Gm-Message-State: AOJu0YxYEnxNsyssCACXohn8HyXAPTsAGRLrmVo7VCDzmVj+4dowbGJt /WESRzrE7LQ0LxIQTXUYBJKbgRhkI7FRfFZbPQDdn55/X9vPrvZRsfxUEIg2hKlAXu2nCOj3Njj f X-Google-Smtp-Source: AGHT+IEouJEE8mrI8UpbGH3mCU+Kl9sTxKsxMTN+tYIOsjPrukPGpO1HbqW7E8nISFG06O+pHsxClw== X-Received: by 2002:a05:6a20:93a8:b0:1a0:8578:fa86 with SMTP id x40-20020a056a2093a800b001a08578fa86mr13733231pzh.57.1708435063124; Tue, 20 Feb 2024 05:17:43 -0800 (PST) Received: from ?IPV6:2804:1b3:a7c0:8177:94f3:b846:f4ad:67a9? ([2804:1b3:a7c0:8177:94f3:b846:f4ad:67a9]) by smtp.gmail.com with ESMTPSA id c25-20020aa78c19000000b006e45cffab54sm4515256pfd.49.2024.02.20.05.17.41 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 20 Feb 2024 05:17:42 -0800 (PST) Message-ID: Date: Tue, 20 Feb 2024 10:17:41 -0300 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v3 00/10] Improve fortify support with clang Content-Language: en-US From: Adhemerval Zanella Netto To: libc-alpha@sourceware.org Cc: Siddhesh Poyarekar References: <20240208184622.332678-1-adhemerval.zanella@linaro.org> Organization: Linaro In-Reply-To: <20240208184622.332678-1-adhemerval.zanella@linaro.org> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-5.6 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,TXREP,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: Ping. On 08/02/24 15:46, Adhemerval Zanella wrote: > When using clang, the fortify wrappers show less coverage on both > compile and runtime. For instance, a snippet from tst-fortify.c: > > $ cat t.c > #include > #include > > const char *str1 = "JIHGFEDCBA"; > > int main (int argc, char *argv[]) > { > #define O 0 > struct A { char buf1[9]; char buf2[1]; } a; > strcpy (a.buf1 + (O + 4), str1 + 5); > > return 0; > } > $ gcc -O2 t.c -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=2 -o t > $ ./t > *** buffer overflow detected ***: terminated > Aborted (core dumped) > $ clang -O2 t.c -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=2 -o t > $ ./t > $ > > Although clang does support __builtin___strcpy_chk (which correctly > lowers to __strcpy_chk), the __builtin_object_size passed as third > the argument is not fully correct and thus limits the possible runtime > checks. > > This limitation was already being raised some years ago [1], but the > work has been staled. However, a similar patch has been used for > ChromeOS for some time [2]. Bionic libc also uses a similar approach to > enable fortified wrappers. > > Improve its support with clang, requires defining the fortified wrapper > differently. For instance, the read wrapper is currently expanded as: > > extern __inline > __attribute__((__always_inline__)) > __attribute__((__artificial__)) > __attribute__((__warn_unused_result__)) > ssize_t read (int __fd, void *__buf, size_t __nbytes) > { > return __glibc_safe_or_unknown_len (__nbytes, > sizeof (char), > __glibc_objsize0 (__buf)) > ? __read_alias (__fd, __buf, __nbytes) > : __glibc_unsafe_len (__nbytes, > sizeof (char), > __glibc_objsize0 (__buf)) > ? __read_chk_warn (__fd, > __buf, > __nbytes, > __builtin_object_size (__buf, 0)) > : __read_chk (__fd, > __buf, > __nbytes, > __builtin_object_size (__buf, 0)); > } > > The wrapper relies on __builtin_object_size call lowers to a constant at > Compile time and many other operations in the wrapper depend on > having a single, known value for parameters. Because this is > impossible to have for function parameters, the wrapper depends heavily > on inlining to work and While this is an entirely viable approach on > GCC is not fully reliable on clang. This is because by the time llvm > gets to inlining and optimizing, there is a minimal reliable source and > type-level information available (more information on a more deep > explanation on how to fortify wrapper works on clang [4]). > > To allow the wrapper to work reliably and with the same functionality as > with GCC, clang requires a different approach: > > * __attribute__((diagnose_if(c, “str”, “warning”))) which is a > * function > level attribute; if the compiler can determine that 'c' is true at > compile-time, it will emit a warning with the text 'str1'. If it > would be better to emit an error, the wrapper can use "error" > instead of "warning". > > * __attribute__((overloadable)) which is also a function-level > attribute; and it allows C++-style overloading to occur on C > functions. > > * __attribute__((pass_object_size(n))) which is a parameter-level > attribute; and it makes the compiler evaluate > __builtin_object_size(param, n) at each call site of the function > that has the parameter and passes it in as a hidden parameter. > > This attribute has two side effects that are key to how FORTIFY > works: > > 1. It can overload solely on pass_object_size (e.g. there are two > overloads of foo in > > void foo(char * __attribute__((pass_object_size(0))) c); > void foo(char *); > > (The one with pass_object_size attribute has preceded the > default one). > > 2. A function with at least one pass_object_size parameter can never > have its address taken (and overload resolution respects this). > > Thus the read wrapper can be implemented as follows, without > hindering any fortify coverage compile and runtime: > > Thus the read wrapper can be implemented as follows, without > hindering any fortify coverage compile and runtime: > > extern __inline > __attribute__((__always_inline__)) > __attribute__((__artificial__)) > __attribute__((__overloadable__)) > __attribute__((__warn_unused_result__)) > ssize_t read (int __fd, > void *const __attribute__((pass_object_size (0))) __buf, > size_t __nbytes) > __attribute__((__diagnose_if__ ((((__builtin_object_size (__buf, > 0)) != -1ULL > && (__nbytes) > > (__builtin_object_size (__buf, 0)) / (1))), > "read called with bigger length > than the size of the destination buffer", > "warning"))) > { > return (__builtin_object_size (__buf, 0) == (size_t) -1) > ? __read_alias (__fd, > __buf, > __nbytes) > : __read_chk (__fd, > __buf, > __nbytes, > __builtin_object_size (__buf, 0)); > } > > To avoid changing the current semantic for GCC, a set of macros is > defined to enable the clang required attributes, along with some changes > on internal macros to avoid the need to issue the symbol_chk symbols > (which are done through the __diagnose_if__ attribute for clang). > The read wrapper can be simplified as: > > __fortify_function __attribute_overloadable__ __wur > ssize_t read (int __fd, > __fortify_clang_overload_arg0 (void *, ,__buf), > size_t __nbytes) > __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf, > "read called with bigger > length than " > "size of the destination > buffer") > > { > return __glibc_fortify (read, __nbytes, sizeof (char), > __glibc_objsize0 (__buf), > __fd, __buf, __nbytes); > } > > There is no expected semantic or code change when using GCC. > > Also, clang does not support __va_arg_pack, so variadic functions are > expanded to call va_arg implementations. The error function must not > have bodies (address takes are expanded to nonfortified calls), and > with the __fortify_function compiler might still create a body with the > C++ mangling name (due to the overload attribute). In this case, the > function is defined with __fortify_function_error_function macro > instead. > > To fully test it, I used my clang branch [4] which allowed me to fully > build all fortify tests with clang. With this patchset, there is no > regressions anymore. > > [1] https://sourceware.org/legacy-ml/libc-alpha/2017-09/msg00434.html > [2] https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/refs/heads/main/sys-libs/glibc/files/local/glibc-2.35/0006-glibc-add-clang-style-FORTIFY.patch > [3] https://docs.google.com/document/d/1DFfZDICTbL7RqS74wJVIJ-YnjQOj1SaoqfhbgddFYSM/edit > [4] https://sourceware.org/git/?p=glibc.git;a=shortlog;h=refs/heads/azanella/clang > > Changes from v2: > - Fixed open/open64/openat/openat64 three argument variant overload. > > Changes from v1: > - Use implementation-namespace identifiers pass_object_size and > pass_dynamic_object_size. > - Simplify the clang macros and enable it iff for clang 5.0 > (that supports __diagnose_if__). > > Adhemerval Zanella (10): > cdefs.h: Add clang fortify directives > libio: Improve fortify with clang > string: Improve fortify with clang > stdlib: Improve fortify with clang > unistd: Improve fortify with clang > socket: Improve fortify with clang > syslog: Improve fortify with clang > wcsmbs: Improve fortify with clang > debug: Improve fcntl.h fortify warnings with clang > debug: Improve mqueue.h fortify warnings with clang > > io/bits/fcntl2.h | 92 ++++++++++++++++++ > io/bits/poll2.h | 29 ++++-- > io/fcntl.h | 3 +- > libio/bits/stdio2.h | 173 +++++++++++++++++++++++++++++---- > misc/bits/syslog.h | 14 ++- > misc/sys/cdefs.h | 158 +++++++++++++++++++++++++++++- > posix/bits/unistd.h | 110 +++++++++++++++------ > rt/bits/mqueue2.h | 29 ++++++ > rt/mqueue.h | 3 +- > socket/bits/socket2.h | 20 +++- > stdlib/bits/stdlib.h | 40 +++++--- > string/bits/string_fortified.h | 56 ++++++----- > wcsmbs/bits/wchar2.h | 167 ++++++++++++++++++++++--------- > 13 files changed, 745 insertions(+), 149 deletions(-) >