This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [RFC] [PATCH] Implement -ffortify for C/C++

From: Jakub Jelinek <jakub at redhat dot com>
To: Dirk Mueller <dmuell at gmx dot net>
Cc: gcc-patches at gcc dot gnu dot org
Date: Thu, 1 Feb 2007 05:52:01 -0500
Subject: Re: [RFC] [PATCH] Implement -ffortify for C/C++
References: <200701301643.12230.dmueller@suse.de> <200701301800.41019.dmueller@suse.de> <20070130170555.GQ29911@devserv.devel.redhat.com> <200702010034.22942.dmuell@gmx.net>
Reply-to: Jakub Jelinek <jakub at redhat dot com>

On Thu, Feb 01, 2007 at 12:34:21AM +0100, Dirk Mueller wrote:
> On Tuesday, 30. January 2007 18:05, Jakub Jelinek wrote:
> 
> > > so it produces __builtin_object_size(.., 1) if it is a str*/stp* related
> > > function and fortify level is > 1. This is how I understood it from
> > > reading the glibc header file (I admit it was late and I was drunk).
> > Oops, yeah, your patch is correct, I must have missed the bos && there,
> > sorry.  Still, the *.texi documentation needs fixing to actually describe
> > what the option really does.
> 
> I agree. Which part do you think is missing? the definition of the parameter 
> passed down to the builtin_object_size calls in str*  functions depending on 
> the fortify level compared to the mem* functions?

+@itemx -ffortify=@var{n}
+Instrument a set of string, memory and printf related functions into their
+_chk variants. @var{n} controls the behaviour in detail. A fortify level
+of 1 will produce compile warnings, but expand the _chk variants
+back into the non-checking equivalent, and therefore not introduce any
+run-time overhead in the generated code. A level of 2 will emit calls

The description of level 1 is wrong.  The level has nothing to do with
_chk calls being produced or not.

The difference really is between allowing/rejecting standard conforming,
but dangerous or weird/most probably unintentional code.

Say:
  char fmt[10];
  sprintf (fmt, "%%%c%%n\\n", unsigned ? 'u' : 'd');
  printf (fmt, var, &n);
is standard conforming code, accepted with -D_FORTIFY_SOURCE=1, rejected
with -D_FORTIFY_SOURCE=2.  The reason for that is %n is most often
used in format string exploits, typically by preparing the format string
somewhere on the stack or on the heap and then returning to one of the
*printf family functions.
Or look e.g. at http://sourceware.org/ml/binutils/2005-03/msg00180.html
for another, real-world, code accepted with -D_FORTIFY_SOURCE=1, but
(runtime) rejected with -D_FORTIFY_SOURCE=2.

	Jakub

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]