On 2023-08-01 18:57, Kees Cook wrote:

   return p;
}

/* in the following function, malloc allocated less space than size of the
    struct fix.  Then what's the correct behavior we expect
    the __builtin_object_size should have for the following?
  */

static struct fix * noinline alloc_buf_less ()
{
   struct fix *p;
   p = malloc(sizeof (struct fix) - SIZE_BUMP * sizeof (int));

   /* when checking the observed access p->array, we have info on both
      observed allocation and observed access,
      A. from observed allocation (alloc_size): (LENGTH - SIZE_BUMP) * sizeof (int)
      B. from observed access (TYPE): LENGTH * sizeof (int)
    */
   /* for MAXIMUM size in the whole object: currently, GCC always used the A. */
   expect(__builtin_object_size(p->array, 0), (LENGTH - SIZE_BUMP) * sizeof(int));

ok:  __builtin_object_size(p->array, 0) == 20

My brain just melted a little, as this is now an under-sized instance of
"p", so we have an incomplete allocation. (I would expect -Warray-bounds
to yell very loudly for this.) But, technically, yes, this looks like
the right calculation.

AFAIK, -Warray-bounds will only yell in case of a dereference that the compiler may potentially see as being beyond that 20 byte bound; it won't actually see the undersized allocation. An analyzer warning would be useful for just the undersized allocation regardless of whether the code actually ends up accessing the object beyond the allocation bounds.

Thanks,
Sid
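To make the two bounds in the quoted test concrete, here is an added example that is not code from the thread or from the GCC test. It assumes struct fix is a size_t header followed by int array[LENGTH] with LENGTH 10 and SIZE_BUMP 5 (which yields the 20-byte result with 4-byte int); the helper names are mine.

```c
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>
#define LENGTH 10    /* declared element count (assumed; gives the 20-byte result) */
#define SIZE_BUMP 5  /* elements the allocation falls short by (assumed)           */

struct fix {         /* assumed layout: one header word, then a fixed array */
    size_t foo;
    int array[LENGTH];
};

/* B: bound from the type alone, what -Warray-bounds reasons from. */
size_t type_array_bytes(void)
{
    return sizeof(((struct fix *)0)->array);
}

/* A: bound from the observed allocation, what the quoted test expects
 * __builtin_object_size(p->array, 0) to report. */
size_t alloc_array_bytes(void)
{
    size_t alloc = sizeof(struct fix) - SIZE_BUMP * sizeof(int);
    return alloc - offsetof(struct fix, array);
}

/* What the compiler folds for the access in the quoted test: the A value
 * when it can track the malloc size (GCC needs optimization on), else
 * (size_t)-1 for "unknown". It never reports B, so the short allocation
 * by itself is not diagnosed here. */
size_t compiler_bound_of_undersized(void)
{
    struct fix *p = malloc(sizeof(struct fix) - SIZE_BUMP * sizeof(int));
    size_t bound = __builtin_object_size(p->array, 0);
    free(p);
    return bound;
}

/* Index check against the allocation bound, not the type bound: indices
 * LENGTH - SIZE_BUMP .. LENGTH - 1 are legal by type but past the block. */
int index_within_allocation(size_t idx)
{
    return (idx + 1) * sizeof(int) <= alloc_array_bytes();
}

int main(void)
{
    printf("type %zu, allocation %zu, compiler %zu\n", type_array_bytes(),
           alloc_array_bytes(), compiler_bound_of_undersized());
    return 0;
}
```

Build with optimization (for example -O2) to see the compiler bound fold to 20 as in the quoted test; at -O0 GCC reports it as unknown.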