Message ID | 20240208184622.332678-6-adhemerval.zanella@linaro.org |
---|---|
State | Accepted |
Commit | ec307a10865a3e43f611b725fec952a93e4d1893 |
Headers | show |
Series | Improve fortify support with clang | expand |
On 2/8/24 13:46, Adhemerval Zanella wrote: > It improve fortify checks for read, pread, pread64, readlink, > readlinkat, getcwd, getwd, confstr, getgroups, ttyname_r, getlogin_r, > gethostname, and getdomainname. The compile and runtime checks have > similar coverage as with GCC. LGTM. Tested on x86_64 and i686. Reviewed-by: Carlos O'Donell <carlos@redhat.com> Tested-by: Carlos O'Donell <carlos@redhat.com> > > Checked on aarch64, armhf, x86_64, and i686. > --- > posix/bits/unistd.h | 110 +++++++++++++++++++++++++++++++++----------- > 1 file changed, 82 insertions(+), 28 deletions(-) > > diff --git a/posix/bits/unistd.h b/posix/bits/unistd.h > index bd209ec28e..2757b0619a 100644 > --- a/posix/bits/unistd.h > +++ b/posix/bits/unistd.h > @@ -22,8 +22,12 @@ > > # include <bits/unistd-decl.h> > > -__fortify_function __wur ssize_t > -read (int __fd, void *__buf, size_t __nbytes) > +__fortify_function __attribute_overloadable__ __wur ssize_t > +read (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), size_t __nbytes) > + __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf, > + "read called with bigger length than " > + "size of the destination buffer") > + > { > return __glibc_fortify (read, __nbytes, sizeof (char), > __glibc_objsize0 (__buf), > @@ -32,16 +36,24 @@ read (int __fd, void *__buf, size_t __nbytes) > > #if defined __USE_UNIX98 || defined __USE_XOPEN2K8 > # ifndef __USE_FILE_OFFSET64 > -__fortify_function __wur ssize_t > -pread (int __fd, void *__buf, size_t __nbytes, __off_t __offset) > +__fortify_function __attribute_overloadable__ __wur ssize_t > +pread (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), > + size_t __nbytes, __off_t __offset) > + __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf, > + "pread called with bigger length than " > + "size of the destination buffer") OK. > { > return __glibc_fortify (pread, __nbytes, sizeof (char), > __glibc_objsize0 (__buf), > __fd, __buf, __nbytes, __offset); > } > # else > -__fortify_function __wur ssize_t > -pread (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) > +__fortify_function __attribute_overloadable__ __wur ssize_t > +pread (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), > + size_t __nbytes, __off64_t __offset) > + __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf, > + "pread called with bigger length than " > + "size of the destination buffer") > { > return __glibc_fortify (pread64, __nbytes, sizeof (char), > __glibc_objsize0 (__buf), > @@ -50,8 +62,12 @@ pread (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) > # endif > > # ifdef __USE_LARGEFILE64 > -__fortify_function __wur ssize_t > -pread64 (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) > +__fortify_function __attribute_overloadable__ __wur ssize_t > +pread64 (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), > + size_t __nbytes, __off64_t __offset) > + __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf, > + "pread64 called with bigger length than " > + "size of the destination buffer") > { > return __glibc_fortify (pread64, __nbytes, sizeof (char), > __glibc_objsize0 (__buf), > @@ -61,9 +77,14 @@ pread64 (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) > #endif > > #if defined __USE_XOPEN_EXTENDED || defined __USE_XOPEN2K > -__fortify_function __nonnull ((1, 2)) __wur ssize_t > -__NTH (readlink (const char *__restrict __path, char *__restrict __buf, > +__fortify_function __attribute_overloadable__ __nonnull ((1, 2)) __wur ssize_t > +__NTH (readlink (const char *__restrict __path, > + __fortify_clang_overload_arg0 (char *, __restrict, __buf), > size_t __len)) > + __fortify_clang_warning_only_if_bos_lt (__len, __buf, > + "readlink called with bigger length " > + "than size of destination buffer") > + > { > return __glibc_fortify (readlink, __len, sizeof (char), > __glibc_objsize (__buf), > @@ -72,9 +93,13 @@ __NTH (readlink (const char *__restrict __path, char *__restrict __buf, > #endif > > #ifdef __USE_ATFILE > -__fortify_function __nonnull ((2, 3)) __wur ssize_t > +__fortify_function __attribute_overloadable__ __nonnull ((2, 3)) __wur ssize_t > __NTH (readlinkat (int __fd, const char *__restrict __path, > - char *__restrict __buf, size_t __len)) > + __fortify_clang_overload_arg0 (char *, __restrict, __buf), > + size_t __len)) > + __fortify_clang_warning_only_if_bos_lt (__len, __buf, > + "readlinkat called with bigger length " > + "than size of destination buffer") > { > return __glibc_fortify (readlinkat, __len, sizeof (char), > __glibc_objsize (__buf), > @@ -82,8 +107,11 @@ __NTH (readlinkat (int __fd, const char *__restrict __path, > } > #endif > > -__fortify_function __wur char * > -__NTH (getcwd (char *__buf, size_t __size)) > +__fortify_function __attribute_overloadable__ __wur char * > +__NTH (getcwd (__fortify_clang_overload_arg (char *, , __buf), size_t __size)) > + __fortify_clang_warning_only_if_bos_lt (__size, __buf, > + "getcwd called with bigger length " > + "than size of destination buffer") > { > return __glibc_fortify (getcwd, __size, sizeof (char), > __glibc_objsize (__buf), > @@ -91,8 +119,9 @@ __NTH (getcwd (char *__buf, size_t __size)) > } > > #if defined __USE_MISC || defined __USE_XOPEN_EXTENDED > -__fortify_function __nonnull ((1)) __attribute_deprecated__ __wur char * > -__NTH (getwd (char *__buf)) > +__fortify_function __attribute_overloadable__ __nonnull ((1)) > +__attribute_deprecated__ __wur char * > +__NTH (getwd (__fortify_clang_overload_arg (char *,, __buf))) > { > if (__glibc_objsize (__buf) != (size_t) -1) > return __getwd_chk (__buf, __glibc_objsize (__buf)); > @@ -100,8 +129,12 @@ __NTH (getwd (char *__buf)) > } > #endif > > -__fortify_function size_t > -__NTH (confstr (int __name, char *__buf, size_t __len)) > +__fortify_function __attribute_overloadable__ size_t > +__NTH (confstr (int __name, __fortify_clang_overload_arg (char *, ,__buf), > + size_t __len)) > + __fortify_clang_warning_only_if_bos_lt (__len, __buf, > + "confstr called with bigger length than " > + "size of destination buffer") > { > return __glibc_fortify (confstr, __len, sizeof (char), > __glibc_objsize (__buf), > @@ -109,8 +142,13 @@ __NTH (confstr (int __name, char *__buf, size_t __len)) > } > > > -__fortify_function int > -__NTH (getgroups (int __size, __gid_t __list[])) > +__fortify_function __attribute_overloadable__ int > +__NTH (getgroups (int __size, > + __fortify_clang_overload_arg (__gid_t *, , __list))) > + __fortify_clang_warning_only_if_bos_lt (__size * sizeof (__gid_t), __list, > + "getgroups called with bigger group " > + "count than what can fit into " > + "destination buffer") > { > return __glibc_fortify (getgroups, __size, sizeof (__gid_t), > __glibc_objsize (__list), > @@ -118,8 +156,13 @@ __NTH (getgroups (int __size, __gid_t __list[])) > } > > > -__fortify_function int > -__NTH (ttyname_r (int __fd, char *__buf, size_t __buflen)) > +__fortify_function __attribute_overloadable__ int > +__NTH (ttyname_r (int __fd, > + __fortify_clang_overload_arg (char *, ,__buf), > + size_t __buflen)) > + __fortify_clang_warning_only_if_bos_lt (__buflen, __buf, > + "ttyname_r called with bigger buflen " > + "than size of destination buffer") > { > return __glibc_fortify (ttyname_r, __buflen, sizeof (char), > __glibc_objsize (__buf), > @@ -128,8 +171,11 @@ __NTH (ttyname_r (int __fd, char *__buf, size_t __buflen)) > > > #ifdef __USE_POSIX199506 > -__fortify_function int > -getlogin_r (char *__buf, size_t __buflen) > +__fortify_function __attribute_overloadable__ int > +getlogin_r (__fortify_clang_overload_arg (char *, ,__buf), size_t __buflen) > + __fortify_clang_warning_only_if_bos_lt (__buflen, __buf, > + "getlogin_r called with bigger buflen " > + "than size of destination buffer") > { > return __glibc_fortify (getlogin_r, __buflen, sizeof (char), > __glibc_objsize (__buf), > @@ -139,8 +185,12 @@ getlogin_r (char *__buf, size_t __buflen) > > > #if defined __USE_MISC || defined __USE_UNIX98 > -__fortify_function int > -__NTH (gethostname (char *__buf, size_t __buflen)) > +__fortify_function __attribute_overloadable__ int > +__NTH (gethostname (__fortify_clang_overload_arg (char *, ,__buf), > + size_t __buflen)) > + __fortify_clang_warning_only_if_bos_lt (__buflen, __buf, > + "gethostname called with bigger buflen " > + "than size of destination buffer") > { > return __glibc_fortify (gethostname, __buflen, sizeof (char), > __glibc_objsize (__buf), > @@ -150,8 +200,12 @@ __NTH (gethostname (char *__buf, size_t __buflen)) > > > #if defined __USE_MISC || (defined __USE_XOPEN && !defined __USE_UNIX98) > -__fortify_function int > -__NTH (getdomainname (char *__buf, size_t __buflen)) > +__fortify_function __attribute_overloadable__ int > +__NTH (getdomainname (__fortify_clang_overload_arg (char *, ,__buf), > + size_t __buflen)) > + __fortify_clang_warning_only_if_bos_lt (__buflen, __buf, > + "getdomainname called with bigger " > + "buflen than size of destination buffer") OK. > { > return __glibc_fortify (getdomainname, __buflen, sizeof (char), > __glibc_objsize (__buf),
diff --git a/posix/bits/unistd.h b/posix/bits/unistd.h index bd209ec28e..2757b0619a 100644 --- a/posix/bits/unistd.h +++ b/posix/bits/unistd.h @@ -22,8 +22,12 @@ # include <bits/unistd-decl.h> -__fortify_function __wur ssize_t -read (int __fd, void *__buf, size_t __nbytes) +__fortify_function __attribute_overloadable__ __wur ssize_t +read (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), size_t __nbytes) + __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf, + "read called with bigger length than " + "size of the destination buffer") + { return __glibc_fortify (read, __nbytes, sizeof (char), __glibc_objsize0 (__buf), @@ -32,16 +36,24 @@ read (int __fd, void *__buf, size_t __nbytes) #if defined __USE_UNIX98 || defined __USE_XOPEN2K8 # ifndef __USE_FILE_OFFSET64 -__fortify_function __wur ssize_t -pread (int __fd, void *__buf, size_t __nbytes, __off_t __offset) +__fortify_function __attribute_overloadable__ __wur ssize_t +pread (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), + size_t __nbytes, __off_t __offset) + __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf, + "pread called with bigger length than " + "size of the destination buffer") { return __glibc_fortify (pread, __nbytes, sizeof (char), __glibc_objsize0 (__buf), __fd, __buf, __nbytes, __offset); } # else -__fortify_function __wur ssize_t -pread (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) +__fortify_function __attribute_overloadable__ __wur ssize_t +pread (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), + size_t __nbytes, __off64_t __offset) + __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf, + "pread called with bigger length than " + "size of the destination buffer") { return __glibc_fortify (pread64, __nbytes, sizeof (char), __glibc_objsize0 (__buf), @@ -50,8 +62,12 @@ pread (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) # endif # ifdef __USE_LARGEFILE64 -__fortify_function __wur ssize_t -pread64 (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) +__fortify_function __attribute_overloadable__ __wur ssize_t +pread64 (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), + size_t __nbytes, __off64_t __offset) + __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf, + "pread64 called with bigger length than " + "size of the destination buffer") { return __glibc_fortify (pread64, __nbytes, sizeof (char), __glibc_objsize0 (__buf), @@ -61,9 +77,14 @@ pread64 (int __fd, void *__buf, size_t __nbytes, __off64_t __offset) #endif #if defined __USE_XOPEN_EXTENDED || defined __USE_XOPEN2K -__fortify_function __nonnull ((1, 2)) __wur ssize_t -__NTH (readlink (const char *__restrict __path, char *__restrict __buf, +__fortify_function __attribute_overloadable__ __nonnull ((1, 2)) __wur ssize_t +__NTH (readlink (const char *__restrict __path, + __fortify_clang_overload_arg0 (char *, __restrict, __buf), size_t __len)) + __fortify_clang_warning_only_if_bos_lt (__len, __buf, + "readlink called with bigger length " + "than size of destination buffer") + { return __glibc_fortify (readlink, __len, sizeof (char), __glibc_objsize (__buf), @@ -72,9 +93,13 @@ __NTH (readlink (const char *__restrict __path, char *__restrict __buf, #endif #ifdef __USE_ATFILE -__fortify_function __nonnull ((2, 3)) __wur ssize_t +__fortify_function __attribute_overloadable__ __nonnull ((2, 3)) __wur ssize_t __NTH (readlinkat (int __fd, const char *__restrict __path, - char *__restrict __buf, size_t __len)) + __fortify_clang_overload_arg0 (char *, __restrict, __buf), + size_t __len)) + __fortify_clang_warning_only_if_bos_lt (__len, __buf, + "readlinkat called with bigger length " + "than size of destination buffer") { return __glibc_fortify (readlinkat, __len, sizeof (char), __glibc_objsize (__buf), @@ -82,8 +107,11 @@ __NTH (readlinkat (int __fd, const char *__restrict __path, } #endif -__fortify_function __wur char * -__NTH (getcwd (char *__buf, size_t __size)) +__fortify_function __attribute_overloadable__ __wur char * +__NTH (getcwd (__fortify_clang_overload_arg (char *, , __buf), size_t __size)) + __fortify_clang_warning_only_if_bos_lt (__size, __buf, + "getcwd called with bigger length " + "than size of destination buffer") { return __glibc_fortify (getcwd, __size, sizeof (char), __glibc_objsize (__buf), @@ -91,8 +119,9 @@ __NTH (getcwd (char *__buf, size_t __size)) } #if defined __USE_MISC || defined __USE_XOPEN_EXTENDED -__fortify_function __nonnull ((1)) __attribute_deprecated__ __wur char * -__NTH (getwd (char *__buf)) +__fortify_function __attribute_overloadable__ __nonnull ((1)) +__attribute_deprecated__ __wur char * +__NTH (getwd (__fortify_clang_overload_arg (char *,, __buf))) { if (__glibc_objsize (__buf) != (size_t) -1) return __getwd_chk (__buf, __glibc_objsize (__buf)); @@ -100,8 +129,12 @@ __NTH (getwd (char *__buf)) } #endif -__fortify_function size_t -__NTH (confstr (int __name, char *__buf, size_t __len)) +__fortify_function __attribute_overloadable__ size_t +__NTH (confstr (int __name, __fortify_clang_overload_arg (char *, ,__buf), + size_t __len)) + __fortify_clang_warning_only_if_bos_lt (__len, __buf, + "confstr called with bigger length than " + "size of destination buffer") { return __glibc_fortify (confstr, __len, sizeof (char), __glibc_objsize (__buf), @@ -109,8 +142,13 @@ __NTH (confstr (int __name, char *__buf, size_t __len)) } -__fortify_function int -__NTH (getgroups (int __size, __gid_t __list[])) +__fortify_function __attribute_overloadable__ int +__NTH (getgroups (int __size, + __fortify_clang_overload_arg (__gid_t *, , __list))) + __fortify_clang_warning_only_if_bos_lt (__size * sizeof (__gid_t), __list, + "getgroups called with bigger group " + "count than what can fit into " + "destination buffer") { return __glibc_fortify (getgroups, __size, sizeof (__gid_t), __glibc_objsize (__list), @@ -118,8 +156,13 @@ __NTH (getgroups (int __size, __gid_t __list[])) } -__fortify_function int -__NTH (ttyname_r (int __fd, char *__buf, size_t __buflen)) +__fortify_function __attribute_overloadable__ int +__NTH (ttyname_r (int __fd, + __fortify_clang_overload_arg (char *, ,__buf), + size_t __buflen)) + __fortify_clang_warning_only_if_bos_lt (__buflen, __buf, + "ttyname_r called with bigger buflen " + "than size of destination buffer") { return __glibc_fortify (ttyname_r, __buflen, sizeof (char), __glibc_objsize (__buf), @@ -128,8 +171,11 @@ __NTH (ttyname_r (int __fd, char *__buf, size_t __buflen)) #ifdef __USE_POSIX199506 -__fortify_function int -getlogin_r (char *__buf, size_t __buflen) +__fortify_function __attribute_overloadable__ int +getlogin_r (__fortify_clang_overload_arg (char *, ,__buf), size_t __buflen) + __fortify_clang_warning_only_if_bos_lt (__buflen, __buf, + "getlogin_r called with bigger buflen " + "than size of destination buffer") { return __glibc_fortify (getlogin_r, __buflen, sizeof (char), __glibc_objsize (__buf), @@ -139,8 +185,12 @@ getlogin_r (char *__buf, size_t __buflen) #if defined __USE_MISC || defined __USE_UNIX98 -__fortify_function int -__NTH (gethostname (char *__buf, size_t __buflen)) +__fortify_function __attribute_overloadable__ int +__NTH (gethostname (__fortify_clang_overload_arg (char *, ,__buf), + size_t __buflen)) + __fortify_clang_warning_only_if_bos_lt (__buflen, __buf, + "gethostname called with bigger buflen " + "than size of destination buffer") { return __glibc_fortify (gethostname, __buflen, sizeof (char), __glibc_objsize (__buf), @@ -150,8 +200,12 @@ __NTH (gethostname (char *__buf, size_t __buflen)) #if defined __USE_MISC || (defined __USE_XOPEN && !defined __USE_UNIX98) -__fortify_function int -__NTH (getdomainname (char *__buf, size_t __buflen)) +__fortify_function __attribute_overloadable__ int +__NTH (getdomainname (__fortify_clang_overload_arg (char *, ,__buf), + size_t __buflen)) + __fortify_clang_warning_only_if_bos_lt (__buflen, __buf, + "getdomainname called with bigger " + "buflen than size of destination buffer") { return __glibc_fortify (getdomainname, __buflen, sizeof (char), __glibc_objsize (__buf),