On Thu, Dec 06, 2018 at 01:21:58PM -0700, Martin Sebor wrote:
> Bug 88372 - alloc_size attribute is ignored on function pointers
> points out that even though the alloc_size attribute is accepted
> on function pointers it doesn't have any effect on Object Size
> Checking. The reporter, who is implementing the feature in Clang,
> wants to know if by exposing it under the same name they won't be
> causing incompatibilities with GCC.
>
> I don't think it's intentional that GCC doesn't take advantage of
> the attribute for Object Size Checking, and certainly not to detect
> the same kinds of issues as with other allocation functions (such
> as excessive or negative size arguments). Rather, it's almost
> certainly an oversight since GCC does make use of function pointer
> attributes in other contexts (e.g., attributes alloc_align and
> noreturn).
>
> As an oversight, I think it's fair to consider it a bug rather
> than a request for an enhancement. Since not handling
> the attribute in Object Size Checking has adverse security
> implications, I also think this bug should be addressed in GCC
> 9. With that, I submit the attached patch to resolve both
> aspects of the problem.
This is because alloc_object_size has been written before we had attributes
like alloc_size. The only thing I'm unsure about is whether we should
prefer gimple_call_fntype or TREE_TYPE (gimple_call_fndecl ()) if it is a
direct call or if we should try to look for alloc_size attribute on both
of those if they are different types. E.g. if somebody does
#include <stdlib.h>
typedef void *(*allocfn) (size_t);
static inline void *
foo (allocfn fn, size_t sz)
{
return fn (sz);
}
static inline void *
bar (size_t sz)
{
return foo (malloc, sz);
}
then I think this patch would no longer treat it as malloc.
As this is security relevant, I'd probably look for alloc_size
attribute in both gimple_call_fntype and, if gimple_call_fndecl is non-NULL,
its TREE_TYPE.
Otherwise, the patch looks reasonable to me.
Jakub
