On 2023-08-10 11:18, Martin Uecker wrote:
Am Donnerstag, dem 10.08.2023 um 10:58 -0400 schrieb Siddhesh Poyarekar:
On 2023-08-10 10:47, Martin Uecker wrote:
Am Donnerstag, dem 10.08.2023 um 16:42 +0200 schrieb Jakub Jelinek:
On Thu, Aug 10, 2023 at 04:38:21PM +0200, Martin Uecker wrote:
Am Donnerstag, dem 10.08.2023 um 13:59 +0000 schrieb Qing Zhao:
On Aug 10, 2023, at 2:58 AM, Martin Uecker <muec...@gwdg.de> wrote:
Am Mittwoch, dem 09.08.2023 um 20:10 +0000 schrieb Qing Zhao:
On Aug 9, 2023, at 12:21 PM, Michael Matz <m...@suse.de> wrote:
I am not sure for the reason given above. The following
code would not work:
struct foo_flex { int a; short b; char t[]; } x;
x.a = 1;
struct foo_flex *p = malloc(sizeof(x) + x.a);
if (!p) abort();
memcpy(p, &x, sizeof(x)); // initialize struct
Okay.
Then, the user still should use the sizeof(struct foo_flex) + N *
sizeof(foo->t) for the allocation, even though this might allocate more bytes
than necessary. (But this is safe)
Let me know if I still miss anything.
The question is not only what the user should use to
allocate, but also what BDOS should return. In my
example the user uses the sizeof() + N * sizeof
formula and the memcpy is safe, but it would be flagged
as a buffer overrun if BDOS uses the offsetof formula.
BDOS/BOS (at least the 0 level) should return what is actually
allocated for the var, what size was passed to malloc and if it
is a var with flex array member with initialization what is actually the
size on the stack or in .data/.rodata etc.
Agreed.
But what about a struct with FAM with the new "counted_by" attribute
if the original allocation is not visible?
There's precedent for this through the __access__ attribute; __bos
trusts what the attribute says about the allocation.
The access attribute gives the size directly. The counted_by gives
a length for the array which needs to be translated into a size
via a formula. There are different formulas in use. The question
is which formula should bdos trust?
Whatever you pick, if this is not consistent with the actual
allocation or use, then it will cause problems either by
breaking code or not detecting buffer overruns.
So it needs to be consistent with what GCC allocates for a
var with FAM and initialization and also the user needs to
be told what the right choice is so that he can use the right
size for allocation and argument to memcpy / memset etc.
We'd rather miss overflow to the extent of padding than to try and be
overly aggressive; I doubt if we're missing much protection in practice
by trying to account for the padding.
The definition of __bos/__bdos allows us the freedom to *estimate*
rather than be precise, so I'd go for sizeof(x) + N * sizeof(*x.a) since
it's bound to give the more conservative answer of the two.
Thanks,
Sid
