This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH] Refactor debug routines.

From: Mike Frysinger <vapier at gentoo dot org>
To: libc-alpha at sourceware dot org
Cc: OndÅej BÃlka <neleai at seznam dot cz>
Date: Sat, 30 Nov 2013 02:24:12 -0500
Subject: Re: [PATCH] Refactor debug routines.
Authentication-results: sourceware.org; auth=none
References: <20131022231556 dot GA5840 at domone dot podge>

On Tuesday 22 October 2013 19:15:56 OndÅej BÃlka wrote:

random thought.  is there a reason we don't have routines check for overlaps ?  
e.g. memcpy spec says the regions must not overlap, so why don't we enforce 
that ?  seems better to have the code abort on arches even when it's safe to 
get better coverage when things happen to change ...

> --- a/debug/memcpy_chk.c
> +++ b/debug/memcpy_chk.c

OK

> --- a/debug/memmove_chk.c
> +++ b/debug/memmove_chk.c

OK

> --- a/debug/mempcpy_chk.c
> +++ b/debug/mempcpy_chk.c

OK

> --- a/debug/memset_chk.c
> +++ b/debug/memset_chk.c

OK

> --- a/debug/stpcpy_chk.c
> +++ b/debug/stpcpy_chk.c
> @@ -29,16 +29,7 @@ __stpcpy_chk (dest, src, destlen)
>       const char *src;
>       size_t destlen;
>  {
> -  char *d = dest;
> -  const char *s = src;
> -
> -  do
> -    {
> -      if (__builtin_expect (destlen-- == 0, 0))
> -	__chk_fail ();
> -      *d++ = *s;
> -    }
> -  while (*s++ != '\0');
> -
> -  return d - 1;
> +  size_t len = strlen (src) + 1;
> +  __memcpy_chk (dest, src, len, destlen);
> +  return dest + len - 1;
>  }

that strlen means you can scan the entire source string twice.  seems like 
this overall change might win in some cases, but lose in others.

i think it's safe to assume that the xxx_chk variants are becoming more common 
(i think all the major distros use it by default now) which means we need to 
be concerned with their performance.

that means if an arch wants this to perform, then they should implement it 
which includes the destlen check.

> --- a/debug/stpncpy_chk.c
> +++ b/debug/stpncpy_chk.c

OK

> --- a/debug/strcat_chk.c
> +++ b/debug/strcat_chk.c
> @@ -21,37 +21,16 @@
> 
>  /* Append SRC on the end of DEST.  */
>  char *
> -__strcat_chk (dest, src, destlen)
> +__strcat_chk (dest, src, totallen)
>       char *dest;
>       const char *src;
> -     size_t destlen;
> +     size_t totallen;

we should fix all these prototypes at some point ...

>  {
> -  char *s1 = dest;
> -  const char *s2 = src;
> -  char c;
> -
> -  /* Find the end of the string.  */
> -  do
> -    {
> -      if (__builtin_expect (destlen-- == 0, 0))
> -	__chk_fail ();
> -      c = *s1++;
> -    }
> -  while (c != '\0');
> ...
> +  size_t destlen = strlen (dest);

the dest strlen scan makes sense as we have to do that anyways (find the 
terminating NUL).  however, you'll notice that this new version lost a check 
the old one had -- what if dest string lacks a NUL within its bounds ?  yes, 
you would catch it below in your single check, but it might be too late by 
that point -- you might have scanned off into invalid memory and simply 
crashed.  i think you should use strnlen (dest, totalen) instead and check the 
return value explicitly.

> -  /* Make S1 point before the next character, so we can increment
> -     it while memory is read (wins on pipelined cpus).  */
> -  ++destlen;
> -  s1 -= 2;
> -
> -  do
> -    {
> -      if (__builtin_expect (destlen-- == 0, 0))
> -	__chk_fail ();
> -      c = *s2++;
> -      *++s1 = c;
> -    }
> -  while (c != '\0');
> +  size_t srclen = strlen (src) + 1;
> +  if (__builtin_expect (totallen < destlen + srclen, 0))
> +	  __chk_fail ();

doesn't this suffer from possible wrap around ?  unlikely, but possible, unlike 
the previous code.  although, if you go with the suggestion below, this is a 
non-issue.

> +  memcpy (dest + destlen, src, srclen);
>    return dest;
>  }

we agree that you have to do strlen on the dest.  at that point, can't you 
call strcpy_chk to do the rest of the work ?  it avoids the 2nd strlen and the 
funky (overflowable) math.
	strcpy_chk(dest + destlen, src, totalen - destlen);
	return dest;

> --- a/debug/strcpy_chk.c
> +++ b/debug/strcpy_chk.c

same feedback as stpcpy_chk

> --- a/debug/strncat_chk.c
> +++ b/debug/strncat_chk.c

same feedback as strcat_chk, but this time use strncpy_chk:
	strncpy_chk(s1 + destlen, s2, n, s1len - destlen);
	return s1;

be nice to change the var names to "src" and "dest" and such like the existing 
strcat_chk func.

> --- a/debug/strncpy_chk.c
> +++ b/debug/strncpy_chk.c

OK

no comments about the x86_64 code
-mike

Attachment: signature.asc
Description: This is a digitally signed message part.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]