This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
[PATCH 3/4] Add fortification support for explicit_bzero.
- From: Zack Weinberg <zackw at panix dot com>
- To: libc-alpha at sourceware dot org
- Cc: fweimer at redhat dot com
- Date: Wed, 17 Aug 2016 13:19:16 -0400
- Subject: [PATCH 3/4] Add fortification support for explicit_bzero.
- Authentication-results: sourceware.org; auth=none
- References: <cover.1471452663.git.zackw@panix.com>
The __glibc_read_memory approach means that this is very easy - it can
be defined in terms of __memset_chk, which was not possible in the previous
iteration.
* string/bits/string3.h: Fortify explicit_bzero.
* string/bits/string2.h: Cooperate with this.
* debug/tst-chk1.c: Test fortification of explicit_bzero.
---
debug/tst-chk1.c | 28 ++++++++++++++++++++++++++++
string/bits/string2.h | 2 +-
string/bits/string3.h | 7 +++++++
3 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/debug/tst-chk1.c b/debug/tst-chk1.c
index 478c2fb..e87a279 100644
--- a/debug/tst-chk1.c
+++ b/debug/tst-chk1.c
@@ -160,6 +160,10 @@ do_test (void)
if (memcmp (buf, "aabcdabc\0\0", 10))
FAIL ();
+ explicit_bzero (buf + 6, 4);
+ if (memcmp (buf, "aabcda\0\0\0\0", 10))
+ FAIL ();
+
strcpy (buf + 4, "EDCBA");
if (memcmp (buf, "aabcEDCBA", 10))
FAIL ();
@@ -201,6 +205,10 @@ do_test (void)
if (memcmp (buf, "aabcdabc\0\0", 10))
FAIL ();
+ explicit_bzero (buf + 6, l0 + 4);
+ if (memcmp (buf, "aabcda\0\0\0\0", 10))
+ FAIL ();
+
strcpy (buf + 4, str1 + 5);
if (memcmp (buf, "aabcEDCBA", 10))
FAIL ();
@@ -256,6 +264,10 @@ do_test (void)
if (memcmp (a.buf1, "aabcdabc\0\0", 10))
FAIL ();
+ explicit_bzero (a.buf1 + 6, l0 + 4);
+ if (memcmp (a.buf1, "aabcda\0\0\0\0", 10))
+ FAIL ();
+
#if __USE_FORTIFY_LEVEL < 2
/* The following tests are supposed to crash with -D_FORTIFY_SOURCE=2
and sufficient GCC support, as the string operations overflow
@@ -345,6 +357,14 @@ do_test (void)
bzero (buf + 9, l0 + 2);
CHK_FAIL_END
+ CHK_FAIL_START
+ explicit_bzero (buf + 9, 2);
+ CHK_FAIL_END
+
+ CHK_FAIL_START
+ explicit_bzero (buf + 9, l0 + 2);
+ CHK_FAIL_END
+
CHK_FAIL_START
strcpy (buf + 5, str1 + 5);
CHK_FAIL_END
@@ -454,6 +474,14 @@ do_test (void)
bzero (a.buf1 + 9, l0 + 2);
CHK_FAIL_END
+ CHK_FAIL_START
+ explicit_bzero (a.buf1 + 9, 2);
+ CHK_FAIL_END
+
+ CHK_FAIL_START
+ explicit_bzero (a.buf1 + 9, l0 + 2);
+ CHK_FAIL_END
+
# if __USE_FORTIFY_LEVEL >= 2
# define O 0
# else
diff --git a/string/bits/string2.h b/string/bits/string2.h
index f890585..f7fc866 100644
--- a/string/bits/string2.h
+++ b/string/bits/string2.h
@@ -57,7 +57,7 @@
# define __bzero(s, n) __builtin_memset (s, '\0', n)
#endif
-#ifdef __USE_MISC
+#if defined __USE_MISC && !defined __fortify_function
/* As bzero, but the compiler will not delete a call to this
function, even if S is dead after the call. Note: this function
has its own implementation file and should not be slurped into
diff --git a/string/bits/string3.h b/string/bits/string3.h
index dd8db68..d340bef 100644
--- a/string/bits/string3.h
+++ b/string/bits/string3.h
@@ -102,6 +102,13 @@ __NTH (bzero (void *__dest, size_t __len))
{
(void) __builtin___memset_chk (__dest, '\0', __len, __bos0 (__dest));
}
+
+__fortify_function void
+__NTH (explicit_bzero (void *__dest, size_t __len))
+{
+ (void) __builtin___memset_chk (__dest, '\0', __len, __bos0 (__dest));
+ __glibc_read_memory (__dest, __len);
+}
#endif
__fortify_function char *
--
2.9.3