https://gcc.gnu.org/bugzilla/show_bug.cgi?id=116016

--- Comment #47 from Kees Cook <kees at outflux dot net> ---
Yes, the counter must be manually set until Linux minimum compiler versions are
raised to include counted_by support, but this is about making the transition
to using counted_by easier and less prone to bugs.

If the allocator is setting the counter (via the new builtin), then it will
always be correct for compilers that support counted_by. There will be a later
open-coded assignment as well, but that will be optimized away in most cases.

Basically, the situation is that when counted_by is added to a struct, all
allocations must be identified and corrected manually right now to avoid the
sanitizer tripping at runtime. When the allocator can do the setting, this "bad
code pattern" goes away. i.e. using counted_by currently introduces a new bad
code pattern that is only present for compilers that support counted_by. So if
we can solve it in the allocator, the problem goes away.

e.g. this code pattern is valid today:

p = alloc(count);
for (i = 0; i < count; i++)
  fill(&p->array[i]);
p->counter = count;

Adding counted_by(counter) to "array" means that suddenly the sanitizer will
trip at "fill". While obvious cases where we need to move "p->counter = count"
to immediate after the alloc can be found and changed at the time counted_by is
added, Linux has a lot of complicated corner cases where allocation and array
usage are distant or obfuscated.

So, with the builtin being used within the allocator to set counter, now the
old code pattern still works (as counter has been initialized early enough),
and the duplicate store to p->counter doesn't matter (and may even get
optimized away).

Reply via email to