On 2017-11-06 13:21, Wilco Dijkstra wrote:
>> In the process of overhauling our feature test macros, I discovered that
>> GCC's libssp implementation of Object Size Checking (-D_FORTIFY_SOURCE=*) is
>> completely broken and possibly unfixable (CVE-2016-4973). Therefore, it
>> seems the only way to make this work is to integrate it into Newlib itself like
>> other libc's.
>
> Wouldn't it be better to implement a working -ffortify-string-functions feature
> in GCC/LLVM so that the compiler can insert the correct checks?

I have neither the time nor the interest in creating new compiler/language
extensions; I am simply trying to get the ones that already exist working
properly on our targets.

> Hacking all C libraries in the world still won't make the checks work -
> as long as they rely on the broken __builtin_object_size implementation,
> many cases won't be checked even when they should be

PTC?

> The _chk variants also seem unnecessary, I don't understand their purpose.

The __builtin__*_chk builtins (which are limited to the string.h and basic
stdio.h functions) expect corresponding __*_chk functions to be present.
Also, some __*_chk functions are more extensive than others.

> All you want is to tell GCC to insert runtime checks when it detects the destination
> is an array. You obviously want those checks to be inlined and optimized for
> performance reasons.

Most of the dozens of other functions which have size-checking implementations
in glibc could be handled inline, as those for unistd.h imported from NetBSD
are. I am already working on some of these additions, but would like to get
the basics into master first.

--
Yaakov
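As an added illustration of the mechanism the thread is arguing about (this is example code, not anything from the thread, Newlib or glibc): the compiler computes the destination's size with `__builtin_object_size` at the call site and hands it to a `__memcpy_chk`-style function, which refuses writes that would run past the object. The names `demo_memcpy_chk`, `DEMO_MEMCPY`, `run_demo` and `known_dst_size` are hypothetical; a real `__memcpy_chk` calls `__chk_fail()` and aborts instead of counting.

```c
#include <stddef.h>
#include <string.h>

/* Number of refused copies; a real __memcpy_chk aborts via __chk_fail(). */
static int overflows_detected;

/* The __*_chk function the __builtin___*_chk builtin expects to exist:
 * same arguments as memcpy plus the destination's object size. */
void *demo_memcpy_chk(void *dst, const void *src, size_t len, size_t dst_size)
{
    if (len > dst_size) {      /* the fortify check itself */
        overflows_detected++;
        return dst;            /* refuse the out-of-bounds write */
    }
    return memcpy(dst, src, len);
}

/* Call-site wrapper in the style of the fortified headers.  Type 0 asks for
 * the size of the whole enclosing object; the result is (size_t)-1 when the
 * compiler cannot determine it, which makes the check above a no-op. */
#define DEMO_MEMCPY(dst, src, len) \
    demo_memcpy_chk((dst), (src), (len), __builtin_object_size((dst), 0))

/* Size the compiler derives for a local 8-byte array at the call site. */
size_t known_dst_size(void)
{
    char buf[8];
    return __builtin_object_size(buf, 0);
}

/* Copies copy_len bytes from a constructed 16-byte source into an 8-byte
 * destination; returns how many copies the check refused (0 or 1). */
int run_demo(size_t copy_len)
{
    char buf[8];
    const char pattern[16] = "ABCDEFGHIJKLMNO";   /* constructed input */
    overflows_detected = 0;
    DEMO_MEMCPY(buf, pattern, copy_len);
    return overflows_detected;
}
```

A destination reached through a pointer whose object the compiler cannot see yields `(size_t)-1` and is never checked, which is the coverage gap the quoted reply complains about.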