You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

Object-Size-Checking.html 12KB

3 年之前
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228
  1. <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
  2. <html>
  3. <!-- Copyright (C) 1988-2020 Free Software Foundation, Inc.
  4. Permission is granted to copy, distribute and/or modify this document
  5. under the terms of the GNU Free Documentation License, Version 1.3 or
  6. any later version published by the Free Software Foundation; with the
  7. Invariant Sections being "Funding Free Software", the Front-Cover
  8. Texts being (a) (see below), and with the Back-Cover Texts being (b)
  9. (see below). A copy of the license is included in the section entitled
  10. "GNU Free Documentation License".
  11. (a) The FSF's Front-Cover Text is:
  12. A GNU Manual
  13. (b) The FSF's Back-Cover Text is:
  14. You have freedom to copy and modify this GNU Manual, like GNU
  15. software. Copies published by the Free Software Foundation raise
  16. funds for GNU development. -->
  17. <!-- Created by GNU Texinfo 6.5, http://www.gnu.org/software/texinfo/ -->
  18. <head>
  19. <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  20. <title>Object Size Checking (Using the GNU Compiler Collection (GCC))</title>
  21. <meta name="description" content="Object Size Checking (Using the GNU Compiler Collection (GCC))">
  22. <meta name="keywords" content="Object Size Checking (Using the GNU Compiler Collection (GCC))">
  23. <meta name="resource-type" content="document">
  24. <meta name="distribution" content="global">
  25. <meta name="Generator" content="makeinfo">
  26. <link href="index.html#Top" rel="start" title="Top">
  27. <link href="Option-Index.html#Option-Index" rel="index" title="Option Index">
  28. <link href="index.html#SEC_Contents" rel="contents" title="Table of Contents">
  29. <link href="C-Extensions.html#C-Extensions" rel="up" title="C Extensions">
  30. <link href="Other-Builtins.html#Other-Builtins" rel="next" title="Other Builtins">
  31. <link href="x86-specific-memory-model-extensions-for-transactional-memory.html#x86-specific-memory-model-extensions-for-transactional-memory" rel="prev" title="x86 specific memory model extensions for transactional memory">
  32. <style type="text/css">
  33. <!--
  34. a.summary-letter {text-decoration: none}
  35. blockquote.indentedblock {margin-right: 0em}
  36. blockquote.smallindentedblock {margin-right: 0em; font-size: smaller}
  37. blockquote.smallquotation {font-size: smaller}
  38. div.display {margin-left: 3.2em}
  39. div.example {margin-left: 3.2em}
  40. div.lisp {margin-left: 3.2em}
  41. div.smalldisplay {margin-left: 3.2em}
  42. div.smallexample {margin-left: 3.2em}
  43. div.smalllisp {margin-left: 3.2em}
  44. kbd {font-style: oblique}
  45. pre.display {font-family: inherit}
  46. pre.format {font-family: inherit}
  47. pre.menu-comment {font-family: serif}
  48. pre.menu-preformatted {font-family: serif}
  49. pre.smalldisplay {font-family: inherit; font-size: smaller}
  50. pre.smallexample {font-size: smaller}
  51. pre.smallformat {font-family: inherit; font-size: smaller}
  52. pre.smalllisp {font-size: smaller}
  53. span.nolinebreak {white-space: nowrap}
  54. span.roman {font-family: initial; font-weight: normal}
  55. span.sansserif {font-family: sans-serif; font-weight: normal}
  56. ul.no-bullet {list-style: none}
  57. -->
  58. </style>
  59. </head>
  60. <body lang="en">
  61. <a name="Object-Size-Checking"></a>
  62. <div class="header">
  63. <p>
  64. Next: <a href="Other-Builtins.html#Other-Builtins" accesskey="n" rel="next">Other Builtins</a>, Previous: <a href="x86-specific-memory-model-extensions-for-transactional-memory.html#x86-specific-memory-model-extensions-for-transactional-memory" accesskey="p" rel="prev">x86 specific memory model extensions for transactional memory</a>, Up: <a href="C-Extensions.html#C-Extensions" accesskey="u" rel="up">C Extensions</a> &nbsp; [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Option-Index.html#Option-Index" title="Index" rel="index">Index</a>]</p>
  65. </div>
  66. <hr>
  67. <a name="Object-Size-Checking-Built_002din-Functions"></a>
  68. <h3 class="section">6.58 Object Size Checking Built-in Functions</h3>
  69. <a name="index-_005f_005fbuiltin_005fobject_005fsize"></a>
  70. <a name="index-_005f_005fbuiltin_005f_005f_005fmemcpy_005fchk"></a>
  71. <a name="index-_005f_005fbuiltin_005f_005f_005fmempcpy_005fchk"></a>
  72. <a name="index-_005f_005fbuiltin_005f_005f_005fmemmove_005fchk"></a>
  73. <a name="index-_005f_005fbuiltin_005f_005f_005fmemset_005fchk"></a>
  74. <a name="index-_005f_005fbuiltin_005f_005f_005fstrcpy_005fchk"></a>
  75. <a name="index-_005f_005fbuiltin_005f_005f_005fstpcpy_005fchk"></a>
  76. <a name="index-_005f_005fbuiltin_005f_005f_005fstrncpy_005fchk"></a>
  77. <a name="index-_005f_005fbuiltin_005f_005f_005fstrcat_005fchk"></a>
  78. <a name="index-_005f_005fbuiltin_005f_005f_005fstrncat_005fchk"></a>
  79. <a name="index-_005f_005fbuiltin_005f_005f_005fsprintf_005fchk"></a>
  80. <a name="index-_005f_005fbuiltin_005f_005f_005fsnprintf_005fchk"></a>
  81. <a name="index-_005f_005fbuiltin_005f_005f_005fvsprintf_005fchk"></a>
  82. <a name="index-_005f_005fbuiltin_005f_005f_005fvsnprintf_005fchk"></a>
  83. <a name="index-_005f_005fbuiltin_005f_005f_005fprintf_005fchk"></a>
  84. <a name="index-_005f_005fbuiltin_005f_005f_005fvprintf_005fchk"></a>
  85. <a name="index-_005f_005fbuiltin_005f_005f_005ffprintf_005fchk"></a>
  86. <a name="index-_005f_005fbuiltin_005f_005f_005fvfprintf_005fchk"></a>
  87. <p>GCC implements a limited buffer overflow protection mechanism that can
  88. prevent some buffer overflow attacks by determining the sizes of objects
  89. into which data is about to be written and preventing the writes when
  90. the size isn&rsquo;t sufficient. The built-in functions described below yield
  91. the best results when used together and when optimization is enabled.
  92. For example, to detect object sizes across function boundaries or to
  93. follow pointer assignments through non-trivial control flow they rely
  94. on various optimization passes enabled with <samp>-O2</samp>. However, to
  95. a limited extent, they can be used without optimization as well.
  96. </p>
  97. <dl>
  98. <dt><a name="index-_005f_005fbuiltin_005fobject_005fsize-1"></a>Built-in Function: <em>size_t</em> <strong>__builtin_object_size</strong> <em>(const void * <var>ptr</var>, int <var>type</var>)</em></dt>
  99. <dd><p>is a built-in construct that returns a constant number of bytes from
  100. <var>ptr</var> to the end of the object <var>ptr</var> pointer points to
  101. (if known at compile time). To determine the sizes of dynamically allocated
  102. objects the function relies on the allocation functions called to obtain
  103. the storage to be declared with the <code>alloc_size</code> attribute (see <a href="Common-Function-Attributes.html#Common-Function-Attributes">Common Function Attributes</a>). <code>__builtin_object_size</code> never evaluates
  104. its arguments for side effects. If there are any side effects in them, it
  105. returns <code>(size_t) -1</code> for <var>type</var> 0 or 1 and <code>(size_t) 0</code>
  106. for <var>type</var> 2 or 3. If there are multiple objects <var>ptr</var> can
  107. point to and all of them are known at compile time, the returned number
  108. is the maximum of remaining byte counts in those objects if <var>type</var> &amp; 2 is
  109. 0 and minimum if nonzero. If it is not possible to determine which objects
  110. <var>ptr</var> points to at compile time, <code>__builtin_object_size</code> should
  111. return <code>(size_t) -1</code> for <var>type</var> 0 or 1 and <code>(size_t) 0</code>
  112. for <var>type</var> 2 or 3.
  113. </p>
  114. <p><var>type</var> is an integer constant from 0 to 3. If the least significant
  115. bit is clear, objects are whole variables, if it is set, a closest
  116. surrounding subobject is considered the object a pointer points to.
  117. The second bit determines if maximum or minimum of remaining bytes
  118. is computed.
  119. </p>
  120. <div class="smallexample">
  121. <pre class="smallexample">struct V { char buf1[10]; int b; char buf2[10]; } var;
  122. char *p = &amp;var.buf1[1], *q = &amp;var.b;
  123. /* Here the object p points to is var. */
  124. assert (__builtin_object_size (p, 0) == sizeof (var) - 1);
  125. /* The subobject p points to is var.buf1. */
  126. assert (__builtin_object_size (p, 1) == sizeof (var.buf1) - 1);
  127. /* The object q points to is var. */
  128. assert (__builtin_object_size (q, 0)
  129. == (char *) (&amp;var + 1) - (char *) &amp;var.b);
  130. /* The subobject q points to is var.b. */
  131. assert (__builtin_object_size (q, 1) == sizeof (var.b));
  132. </pre></div>
  133. </dd></dl>
  134. <p>There are built-in functions added for many common string operation
  135. functions, e.g., for <code>memcpy</code> <code>__builtin___memcpy_chk</code>
  136. built-in is provided. This built-in has an additional last argument,
  137. which is the number of bytes remaining in the object the <var>dest</var>
  138. argument points to or <code>(size_t) -1</code> if the size is not known.
  139. </p>
  140. <p>The built-in functions are optimized into the normal string functions
  141. like <code>memcpy</code> if the last argument is <code>(size_t) -1</code> or if
  142. it is known at compile time that the destination object will not
  143. be overflowed. If the compiler can determine at compile time that the
  144. object will always be overflowed, it issues a warning.
  145. </p>
  146. <p>The intended use can be e.g.
  147. </p>
  148. <div class="smallexample">
  149. <pre class="smallexample">#undef memcpy
  150. #define bos0(dest) __builtin_object_size (dest, 0)
  151. #define memcpy(dest, src, n) \
  152. __builtin___memcpy_chk (dest, src, n, bos0 (dest))
  153. char *volatile p;
  154. char buf[10];
  155. /* It is unknown what object p points to, so this is optimized
  156. into plain memcpy - no checking is possible. */
  157. memcpy (p, &quot;abcde&quot;, n);
  158. /* Destination is known and length too. It is known at compile
  159. time there will be no overflow. */
  160. memcpy (&amp;buf[5], &quot;abcde&quot;, 5);
  161. /* Destination is known, but the length is not known at compile time.
  162. This will result in __memcpy_chk call that can check for overflow
  163. at run time. */
  164. memcpy (&amp;buf[5], &quot;abcde&quot;, n);
  165. /* Destination is known and it is known at compile time there will
  166. be overflow. There will be a warning and __memcpy_chk call that
  167. will abort the program at run time. */
  168. memcpy (&amp;buf[6], &quot;abcde&quot;, 5);
  169. </pre></div>
  170. <p>Such built-in functions are provided for <code>memcpy</code>, <code>mempcpy</code>,
  171. <code>memmove</code>, <code>memset</code>, <code>strcpy</code>, <code>stpcpy</code>, <code>strncpy</code>,
  172. <code>strcat</code> and <code>strncat</code>.
  173. </p>
  174. <p>There are also checking built-in functions for formatted output functions.
  175. </p><div class="smallexample">
  176. <pre class="smallexample">int __builtin___sprintf_chk (char *s, int flag, size_t os, const char *fmt, ...);
  177. int __builtin___snprintf_chk (char *s, size_t maxlen, int flag, size_t os,
  178. const char *fmt, ...);
  179. int __builtin___vsprintf_chk (char *s, int flag, size_t os, const char *fmt,
  180. va_list ap);
  181. int __builtin___vsnprintf_chk (char *s, size_t maxlen, int flag, size_t os,
  182. const char *fmt, va_list ap);
  183. </pre></div>
  184. <p>The added <var>flag</var> argument is passed unchanged to <code>__sprintf_chk</code>
  185. etc. functions and can contain implementation specific flags on what
  186. additional security measures the checking function might take, such as
  187. handling <code>%n</code> differently.
  188. </p>
  189. <p>The <var>os</var> argument is the object size <var>s</var> points to, like in the
  190. other built-in functions. There is a small difference in the behavior
  191. though, if <var>os</var> is <code>(size_t) -1</code>, the built-in functions are
  192. optimized into the non-checking functions only if <var>flag</var> is 0, otherwise
  193. the checking function is called with <var>os</var> argument set to
  194. <code>(size_t) -1</code>.
  195. </p>
  196. <p>In addition to this, there are checking built-in functions
  197. <code>__builtin___printf_chk</code>, <code>__builtin___vprintf_chk</code>,
  198. <code>__builtin___fprintf_chk</code> and <code>__builtin___vfprintf_chk</code>.
  199. These have just one additional argument, <var>flag</var>, right before
  200. format string <var>fmt</var>. If the compiler is able to optimize them to
  201. <code>fputc</code> etc. functions, it does, otherwise the checking function
  202. is called and the <var>flag</var> argument passed to it.
  203. </p>
  204. <hr>
  205. <div class="header">
  206. <p>
  207. Next: <a href="Other-Builtins.html#Other-Builtins" accesskey="n" rel="next">Other Builtins</a>, Previous: <a href="x86-specific-memory-model-extensions-for-transactional-memory.html#x86-specific-memory-model-extensions-for-transactional-memory" accesskey="p" rel="prev">x86 specific memory model extensions for transactional memory</a>, Up: <a href="C-Extensions.html#C-Extensions" accesskey="u" rel="up">C Extensions</a> &nbsp; [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Option-Index.html#Option-Index" title="Index" rel="index">Index</a>]</p>
  208. </div>
  209. </body>
  210. </html>