Re: [RFC PATCH] malloc_usable_size.3: Warn about _FORTIFY_SOURCE interaction

[Alejandro Colomar <alx.manpages@gmail.com>]

[-- Attachment #1.1: Type: text/plain, Size: 2520 bytes --]

Hi Mingye,

On 4/4/23 07:52, Mingye Wang wrote:
> Hi all,
> 
> In (somewhat) recent discussions about _FORTIFY_SOURCE level 3, a
> common snag to hit seems to be abuse of malloc_usable_size(). The
> attached patch is my attempt at making the situation easier to sort
> through.
> 
> See siddhesh's comment on GitHub.[0] I wonder if the language needs to
> be stronger.
>   [0]: https://github.com/systemd/systemd/issues/22801#issuecomment-1343041481
> 
> Best,
> Mingye Wang (Artoria2e5)


> From f061522764ec417e80622db557853c2d7493bbb7 Mon Sep 17 00:00:00 2001
> From: Mingye Wang <arthur200126@gmail.com>
> Date: Tue, 4 Apr 2023 13:43:39 +0800
> Subject: [PATCH] malloc_usable_size.3: Warn about _FORTIFY_SOURCE interaction
> 
> Abuse of malloc_usable_size() is common enough to snap up Redhat's
> trials of -D_FORTIFY_SOURCE=3.  Warn against this to ease debugging.
> 
> Signed-Off-by: Mingye Wang <arthur200126@gmail.com>
> ---
>  man3/malloc_usable_size.3 | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/man3/malloc_usable_size.3 b/man3/malloc_usable_size.3
> index 754b255de..1361e6f1e 100644
> --- a/man3/malloc_usable_size.3
> +++ b/man3/malloc_usable_size.3
> @@ -62,5 +62,14 @@ the number of excess bytes in an allocation depends on
>  the underlying implementation.
>  .PP
>  The main use of this function is for debugging and introspection.
> +.PP
> +.BR Warning :
> +Some programs abuse
> +.BR malloc_usable_size ()
> +to reduce the number of calls to
> +.BR realloc (3).
> +Such use will confuse
> +.BR _FORTIFY_SOURCE
> +level 3, as it only keeps track of the original requested size.

This is much milder than what I read in the linked discussions.
I would go ahead with something much stronger as suggested there,
or did you change your mind?

How about using DJ's suggestion in a CAVEATS section (I cut the
clause in the paragraph)?

    The value returned by malloc_usable_size() may be greater than the
    requested size of the allocation because of various internal
    implementation details, none of which the programmer should rely on.
    This function is intended to only be used for diagnostics and
    statistics; writing to the excess memory without first calling
    realloc() to resize the allocation is not supported.  The returned
    value is only valid at the time of the call.

Cheers,
Alex

-- 
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]