Re: [Doc] Add caveat to __builtin_object_size

[Florian Weimer <fweimer at redhat dot com>]

On 06/04/2012 12:11 PM, Jakub Jelinek wrote:
> On Mon, Jun 04, 2012 at 11:59:59AM +0200, Florian Weimer wrote:
> > What about this?
> >
> > +This protection mechanism is only a last resort.  As a programmer, you
> > +must not rely on its presence, but use explicit buffer length checks
> > +to avoid buffer overflows.  GCC may not be able to determine object
> > +sizes with sufficient precision (that is, the reported sizes can be
> > +larger than what is actually available at run time), and the accuracy
> > +depends on compiler version and options.
>
> That isn't correct.  __builtin_object_size, as documented a few lines below
> what you are editing, is documented to have 4 different possible values of
> second argument, and it can be larger than what is available only for values
> 0 and 1, for values 2 and 3 it must be equal or smaller only, and if you
> want to test whether it is precise, you can compare results of two
> __builtin_object_size calls.

For the explanation why this feature is unreliable and you still need 
manual bounds checks, the upper-bound-is-too-large case is the 
interesting one.  I don't think libc uses __builtin_object_size to 
compute lower bounds.

Hmm.  I'd like to remove the remark in parentheses and explain this in 
the libc documentation.

--
Florian Weimer / Red Hat Product Security Team