Re: [PATCH] inttostr.h: add compile-time buffer overrun checks

[Jim Meyering]

Bruno Haible wrote:

> Hi Jim,
>
>> +# define inttostr(n, s)                                                 \
>> +   ((void) verify_true (sizeof (s) == sizeof (void *)                   \
>> +                        || INT_BUFSIZE_BOUND (int) <= sizeof (s)),      \
>> +    (inttostr) (n, s))
>
> Nice and clever trick.
>
> Unfortunately, it does not work for variable-length arrays, which are allowed
> in C99 and C++.
>
> Test case:
>
>   void foo (int n)
>   {
>     char buf[10 + (n < 0) + 1];
>     char *result = inttostr (n, buf);
>   }

Good counterexample.

> Yields:
>
>   foo.c: In function ‘foo’:
>   foo.c:38: error: bit-field ‘verify_error_if_negative_size__’ width not an 
> integer constant

That fails because INT_BUFSIZE_BOUND(int) is 12 to accommodate
the negative sign on INT_MIN, yet sizeof(buf) is only 11.

> How to fix this? I tried __builtin_constant_p and __builtin_choose_expr, but
> haven't found the trick.

If there is no better work-around, I will add a comment advising such users
to use INT_BUFSIZE_BOUND(VAR) (hence no need for a variable-length array and
no need to change numbers if you change the type of VAR), or failing that,
to add an "#undef inttostr" in the affected compilation unit, thus disabling
the overrun check.

---------------------------------------------
While looking through gcc's documentation (latest upstream),
I noticed this, which can be put to good use in xalloc.h:

    @item alloc_size
    @cindex @code{alloc_size} attribute
    The @code{alloc_size} attribute is used to tell the compiler that the
    function return value points to memory, where the size is given by
    one or two of the functions parameters.  GCC uses this
    information to improve the correctness of @code{__builtin_object_size}.

    The function parameter(s) denoting the allocated size are specified by
    one or two integer arguments supplied to the attribute.  The allocated size
    is either the value of the single function argument specified or the product
    of the two function arguments specified.  Argument numbering starts at
    one.

    For instance,

    @smallexample
    void* my_calloc(size_t, size_t) __attribute__((alloc_size(1,2)))
    void my_realloc(void*, size_t) __attribute__((alloc_size(2)))
    @end smallexample

    declares that my_calloc will return memory of the size given by
    the product of parameter 1 and 2 and that my_realloc will return memory
    of the size given by parameter 2.

--------------------------------------
Continuing in the same vein, there's even more:

@smallexample
#undef memcpy
#define bos0(dest) __builtin_object_size (dest, 0)
#define memcpy(dest, src, n) \
  __builtin___memcpy_chk (dest, src, n, bos0 (dest))

char *volatile p;
char buf[10];
/* It is unknown what object p points to, so this is optimized
   into plain memcpy - no checking is possible.  */
memcpy (p, "abcde", n);
/* Destination is known and length too.  It is known at compile
   time there will be no overflow.  */
memcpy (&buf[5], "abcde", 5);
/* Destination is known, but the length is not known at compile time.
   This will result in __memcpy_chk call that can check for overflow
   at runtime.  */
memcpy (&buf[5], "abcde", n);
/* Destination is known and it is known at compile time there will
   be overflow.  There will be a warning and __memcpy_chk call that
   will abort the program at runtime.  */
memcpy (&buf[6], "abcde", 5);
@end smallexample

Such built-in functions are provided for @code{memcpy}, @code{mempcpy},
@code{memmove}, @code{memset}, @code{strcpy}, @code{stpcpy}, @code{strncpy},
@code{strcat} and @code{strncat}.

There are also checking built-in functions for formatted output functions.
@smallexample
int __builtin___sprintf_chk (char *s, int flag, size_t os, const char *fmt, 
...);
int __builtin___snprintf_chk (char *s, size_t maxlen, int flag, size_t os,
                              const char *fmt, ...);
int __builtin___vsprintf_chk (char *s, int flag, size_t os, const char *fmt,
                              va_list ap);
int __builtin___vsnprintf_chk (char *s, size_t maxlen, int flag, size_t os,
                               const char *fmt, va_list ap);
@end smallexample

The added @var{flag} argument is passed unchanged to @code{__sprintf_chk}
etc.@: functions and can contain implementation specific flags on what
additional security measures the checking function might take, such as
handling @code{%n} differently.

The @var{os} argument is the object size @var{s} points to, like in the
other built-in functions.  There is a small difference in the behavior
though, if @var{os} is @code{(size_t) -1}, the built-in functions are
optimized into the non-checking functions only if @var{flag} is 0, otherwise
the checking function is called with @var{os} argument set to
@code{(size_t) -1}.

In addition to this, there are checking built-in functions
@code{__builtin___printf_chk}, @code{__builtin___vprintf_chk},
@code{__builtin___fprintf_chk} and @code{__builtin___vfprintf_chk}.
These have just one additional argument, @var{flag}, right before
format string @var{fmt}.  If the compiler is able to optimize them to
@code{fputc} etc.@: functions, it will, otherwise the checking function
should be called and the @var{flag} argument passed to it.