From: Evgeny Vereshchagin Date: Fri, 3 Jun 2022 19:06:22 +0000 (+0000) Subject: Revert "Support -D_FORTIFY_SOURCE=3 by using __builtin_dynamic_object_size." X-Git-Tag: v252-rc1~866^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2cfb790391958ada34284290af1f9ab863a515c7;p=thirdparty%2Fsystemd.git Revert "Support -D_FORTIFY_SOURCE=3 by using __builtin_dynamic_object_size." This reverts commit 0bd292567a543d124cd303f7dd61169a209cae64. It isn't guaranteed anywhere that __builtin_dynamic_object_size can always deduce the size of every object passed to it so systemd can end up using either malloc_usable_size or __builtin_dynamic_object_size when pointers are passed around, which in turn can lead to actual segfaults like the one mentioned in https://github.com/systemd/systemd/issues/23619. Apparently __builtin_object_size can return different results for pointers referring to the same memory as well but somehow it hasn't caused any issues yet. Looks like this whole malloc_usable_size/FORTIFY_SOURCE stuff should be revisited. Closes https://github.com/systemd/systemd/issues/23619 and https://github.com/systemd/systemd/issues/23150. Reopens https://github.com/systemd/systemd/issues/22801 --- diff --git a/src/basic/alloc-util.h b/src/basic/alloc-util.h index 155fbf5f1fa..13dab0304fe 100644 --- a/src/basic/alloc-util.h +++ b/src/basic/alloc-util.h @@ -174,23 +174,13 @@ void* greedy_realloc0(void **p, size_t need, size_t size); * is compatible with _FORTIFY_SOURCES. If _FORTIFY_SOURCES is used many memory operations will take the * object size as returned by __builtin_object_size() into account. Hence, let's return the smaller size of * malloc_usable_size() and __builtin_object_size() here, so that we definitely operate in safe territory by - * both the compiler's and libc's standards. Note that _FORTIFY_SOURCES=3 handles also dynamically allocated - * objects and thus it's safer using __builtin_dynamic_object_size if _FORTIFY_SOURCES=3 is used (#22801). - * Moreover, when NULL is passed malloc_usable_size() is documented to return zero, and + * both the compiler's and libc's standards. Note that __builtin_object_size() evaluates to SIZE_MAX if the + * size cannot be determined, hence the MIN() expression should be safe with dynamically sized memory, + * too. Moreover, when NULL is passed malloc_usable_size() is documented to return zero, and * __builtin_object_size() returns SIZE_MAX too, hence we also return a sensible value of 0 in this corner * case. */ - -#if defined __has_builtin -# if __has_builtin(__builtin_dynamic_object_size) -# define MALLOC_SIZEOF_SAFE(x) \ - MIN(malloc_usable_size(x), __builtin_dynamic_object_size(x, 0)) -# endif -#endif - -#ifndef MALLOC_SIZEOF_SAFE #define MALLOC_SIZEOF_SAFE(x) \ MIN(malloc_usable_size(x), __builtin_object_size(x, 0)) -#endif /* Inspired by ELEMENTSOF() but operates on malloc()'ed memory areas: typesafely returns the number of items * that fit into the specified memory block */