On 06/04/2012 12:11 PM, Jakub Jelinek wrote:
On Mon, Jun 04, 2012 at 11:59:59AM +0200, Florian Weimer wrote:
What about this?
+This protection mechanism is only a last resort. As a programmer, you
+must not rely on its presence, but use explicit buffer length checks
+to avoid buffer overflows. GCC may not be able to determine object
+sizes with sufficient precision (that is, the reported sizes can be
+larger than what is actually available at run time), and the accuracy
+depends on compiler version and options.
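Review bot: the parenthetical in the hunk's last sentence, "(that is, the reported sizes can be larger than what is actually available at run time)", is only true for the upper-bound forms of __builtin_object_size (second argument 0 or 1); the documentation a few lines below this hunk states that types 2 and 3 return a size equal to or smaller than the real one, and that comparing two calls tests whether the result is precise. Either drop the parenthetical or qualify it, e.g. "for the upper-bound forms (types 0 and 1) the reported size can be larger than what is actually available at run time", so the paragraph does not contradict the reference text that follows it.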
That isn't correct. __builtin_object_size, as documented a few lines below
what you are editing, is documented to have 4 different possible values of
second argument, and it can be larger than what is available only for values
0 and 1, for values 2 and 3 it must be equal or smaller only, and if you
want to test whether it is precise, you can compare results of two
__builtin_object_size calls.
For the explanation why this feature is unreliable and you still need
manual bounds checks, the upper-bound-is-too-large case is the
interesting one. I don't think libc uses __builtin_object_size to
compute lower bounds.
Hmm. I'd like to remove the remark in parentheses and explain this in
the libc documentation.
--
Florian Weimer / Red Hat Product Security Team
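The behaviour Jakub describes (upper bounds for types 0 and 1, lower bounds for types 2 and 3, two calls compared to test precision) and the too-large-upper-bound case Florian is concerned about, as an added C example that is not part of this thread, of GCC's documentation or of glibc. The struct layout, buffer sizes, the volatile selector and all helper names are constructed for illustration; the ambiguous case deliberately asserts only inequalities, because its exact result depends on compiler version and options, as the patch text says.

```c
#include <stddef.h>

/* Added example (not part of the thread): what __builtin_object_size reports
   for a few pointer shapes, and Jakub's precision test.  Type 0 is an upper
   bound on the bytes left in the whole object, type 2 a lower bound; when the
   compiler knows nothing, type 0 yields (size_t)-1 and type 2 yields 0. */
struct obj_bounds { size_t max; size_t min; };

/* A macro, so the builtin sees the pointer expression itself, not a copy. */
#define OBJ_BOUNDS(p) ((struct obj_bounds){ \
    __builtin_object_size((p), 0), __builtin_object_size((p), 2) })

/* Jakub's test: the size is exact only when both bounds agree. */
static int bounds_precise(struct obj_bounds b) { return b.max == b.min; }

/* A fortified wrapper can reject a write of n bytes only when n exceeds the
   upper bound it knows; anything at or below that bound passes unchecked. */
static int fortify_would_catch(struct obj_bounds b, size_t n) { return n > b.max; }

/* Case 1: the address of a whole local array is known exactly. */
static struct obj_bounds bounds_of_local_array(void) {
    char buf[16];
    return OBJ_BOUNDS(buf);
}

/* Case 2: a pointer into a struct member.  Types 0/2 measure the rest of the
   whole struct; types 1/3 measure the rest of the enclosing member only. */
struct rec { char name[10]; int id; char tag[6]; };
static struct obj_bounds bounds_of_member(void) {
    struct rec r;
    return OBJ_BOUNDS(&r.name[1]);
}
static size_t member_subobject_max(void) {
    struct rec r;
    return __builtin_object_size(&r.name[1], 1);   /* sizeof r.name - 1 */
}

/* Case 3: the pointer may refer to either of two buffers and the selector is
   opaque (volatile), so the target cannot be pinned down.  Depending on
   compiler version and options this yields the larger/smaller of the two
   sizes or "unknown"; either way the upper bound overstates what the small
   buffer can hold, so an explicit length check is still required. */
static volatile int selector;
static struct obj_bounds bounds_of_ambiguous(void) {
    char small[8], large[32];
    char *p = selector ? small : large;
    return OBJ_BOUNDS(p);
}
```

Building the same file at -O0 and -O2 shows the ambiguous case moving between "unknown" and the 32/8 pair while the inequalities stay true, which is the version-and-options dependence the patch text warns about.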