From: "Carlos O'Donell"
To: KOSAKI Motohiro
CC: libc-alpha, "libc-ports@sourceware.org"
Subject: Re: [PATCH 2/5] __FD_ELT: Implement correct buffer overflow check
Date: Wed, 01 May 2013 14:42:00 -0000
Message-ID: <518129C7.2020808@redhat.com>
References: <1365900451-19026-1-git-send-email-kosaki.motohiro@gmail.com>
 <1365900451-19026-3-git-send-email-kosaki.motohiro@gmail.com>
 <518080FD.1090402@redhat.com>
Mailing-List: contact libc-ports-help@sourceware.org; run by ezmlm
X-SW-Source: 2013-05/txt/msg00012.txt.bz2

On 05/01/2013 02:28 AM, KOSAKI Motohiro wrote:
>>> + ? __fdelt_buffer_warn(__d, __bos0 (s)) \
>>
>> Space between function and bracket e.g. foo () not foo().
>
> ah, ok.
>
>>
>>> + : __fdelt_buffer_chk(__d, __bos0 (s)) \
>>> + : __d / __NFDBITS; \
>>
>> I'm not happy that this isn't very conservative.
>>
>> If __bos0 fails should we fall back to static FD_SETSIZE checking
>> e.g. "__fdelt_buffer_warn (__d, FD_SETSIZE)"?
>>
>> It seems that that would be better than no checking.
>
> Hmm.. This didn't cross my mind. All other buffer boundary checks
> of _FORTIFY_SOURCE fall back to no checking. The compiler may fail to
> determine the right buffer size for various reasons. In that case, I don't
> want to kill innocent applications.
>
>> I know why you want to fall back to no check, because that
>> way you don't require any kind of new flag to disable the
>> check in the event it triggers when you don't want it to
>> (when __bos0 fails).
>
> If you like a flag, I have no objection. But if we make a flag, a lot
> of libraries will need to turn on "no check" mode, because when a buffer
> is allocated by the application, library code can't know the buffer size,
> at least at compile time.
>
>
>> Does compiling ruby (or similar code) with this header
>> result in calls to __fdelt_buffer_warn or __fdelt_buffer_chk?
>
> Unfortunately, no. __builtin_object_size() requires the compiler to know
> the buffer size.
> In other words, it doesn't work if the allocating function and the
> FD_{SET,CLR} calls are not in the same place. This is the same limitation
> as the other string buffer overflow checks.

Then we need a flag, and ruby needs to use the flag to disable
the check on Linux.

The fundamental truth is that glibc implements POSIX, not "Linux."
And in POSIX there is a limit of FD_SETSIZE. The default checking
should be for POSIX.

We should provide a way to disable _FORTIFY_SOURCE checks that
are POSIX-only.

I still think your current macro is *better* because if __bos0
works then you have a dynamic check that is better than a static
check.

Thus the final solution is a combination of your new __bos0
changes and a flag to disable the check in the event that __bos0
fails.

What do you think?

Cheers,
Carlos.
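Review bot: the last arm of the quoted hunk, `+ : __d / __NFDBITS; \`, computes the word index with no range check at all once `__bos0 (s)` cannot see the buffer, so the protection is only as strong as the compiler's object-size tracking at that particular FD_SET/FD_CLR site, and an out-of-range or negative `__d` still produces an index outside the set in that case; consider falling back to the POSIX bound rather than to no check, and note that `__bos0` yields a byte count, so a static fallback would have to pass `sizeof (fd_set)` (or convert `FD_SETSIZE` from bits) to keep the second argument's units consistent with the `__bos0 (s)` arms. Separately, `__fdelt_buffer_warn(` and `__fdelt_buffer_chk(` have no space before the parenthesis while `__bos0 (s)` does; use `foo ()` throughout.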
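The point KOSAKI makes about __builtin_object_size, and the fallback Carlos asks for, can be seen directly. The C program below is an added example, not glibc code and not the patch under review: it re-expresses the shape of the proposed check as ordinary functions (fd_elt_check, EMU_FD_ELT and the FD_ELT_* status codes are this example's own names; glibc's real helpers would abort via __chk_fail rather than return a status) and then calls it once with an fd_set declared in the same function, where __bos0 knows the size, and once through a pointer into a noinline function, where __bos0 returns (size_t)-1 and the posted macro would do no check. The posix_fallback argument switches in the behaviour Carlos proposes, falling back to sizeof (fd_set), i.e. FD_SETSIZE bits, when the size is unknown.

```c
/* Added example, not glibc code: how __builtin_object_size (__bos0) decides
   whether the proposed __FD_ELT check can fire.  Builds with gcc or clang. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/select.h>

#define BOS_UNKNOWN ((size_t) -1)               /* __bos0 when size is unknown */
#define FD_WORD_BITS (CHAR_BIT * sizeof (long))  /* glibc: __fd_mask is long */

enum fd_elt_status { FD_ELT_OK, FD_ELT_OUT_OF_RANGE, FD_ELT_UNCHECKED };
struct fd_elt_outcome { enum fd_elt_status status; long index; };

/* Stand-in for the patch's check (names are this example's own; glibc's
   helpers would call __chk_fail instead of returning a status).
   posix_fallback == 0: as posted, no check at all when __bos0 fails.
   posix_fallback != 0: Carlos's suggestion, fall back to the POSIX bound,
   sizeof (fd_set) bytes, i.e. FD_SETSIZE bits.  */
static struct fd_elt_outcome
fd_elt_check (long fd, size_t bufsize, int posix_fallback)
{
  struct fd_elt_outcome r = { FD_ELT_OK, fd / (long) FD_WORD_BITS };
  if (bufsize == BOS_UNKNOWN)
    {
      if (!posix_fallback)
        {
          r.status = FD_ELT_UNCHECKED;
          return r;
        }
      bufsize = sizeof (fd_set);
    }
  if (fd < 0 || (size_t) fd >= bufsize * CHAR_BIT)
    r.status = FD_ELT_OUT_OF_RANGE;
  return r;
}

/* Same argument shape as `__fdelt_buffer_chk (__d, __bos0 (s))'.  */
#define EMU_FD_ELT(d, s, fb) \
  fd_elt_check ((d), __builtin_object_size ((s), 0), (fb))

/* fd_set declared and used in one function: the size is visible.  */
size_t
bos_same_scope (void)
{
  fd_set set;
  return __builtin_object_size (&set, 0);   /* sizeof (fd_set) */
}

struct fd_elt_outcome
check_same_scope (long fd, int posix_fallback)
{
  fd_set set;
  return EMU_FD_ELT (fd, &set, posix_fallback);
}

/* The set only arrives through a pointer, the situation KOSAKI describes
   for library code: __bos0 gives up.  noinline keeps the caller's
   knowledge from leaking in under -O2.  */
__attribute__ ((noinline)) size_t
bos_via_pointer (fd_set *set)
{
  return __builtin_object_size (set, 0);    /* (size_t) -1 */
}

__attribute__ ((noinline)) struct fd_elt_outcome
check_via_pointer (long fd, fd_set *set, int posix_fallback)
{
  return EMU_FD_ELT (fd, set, posix_fallback);
}

size_t
bos_cross_scope (void)
{
  fd_set set;                      /* allocated here ...              */
  return bos_via_pointer (&set);   /* ... queried in another function */
}

struct fd_elt_outcome
check_cross_scope (long fd, int posix_fallback)
{
  fd_set set;
  return check_via_pointer (fd, &set, posix_fallback);
}

int
main (void)
{
  static const char *const names[] = { "ok", "out-of-range", "unchecked" };
  long probe = FD_SETSIZE + 17;   /* a descriptor past the POSIX limit */

  printf ("__bos0 same scope: %zu, via pointer: %zu\n",
          bos_same_scope (), bos_cross_scope ());
  printf ("fd %ld same scope: %s\n", probe,
          names[check_same_scope (probe, 0).status]);
  printf ("fd %ld via pointer, as posted: %s\n", probe,
          names[check_cross_scope (probe, 0).status]);
  printf ("fd %ld via pointer, POSIX fallback: %s\n", probe,
          names[check_cross_scope (probe, 1).status]);
  return 0;
}
```

The cross-scope case is exactly the one KOSAKI raises for ruby and for libraries that receive a caller-allocated fd_set: no amount of optimisation makes __bos0 see through a non-inlined call, so in the posted form the descriptor past FD_SETSIZE goes through unchecked, while the fallback variant still rejects it against the POSIX bound.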