https://gcc.gnu.org/bugzilla/show_bug.cgi?id=116984
Kees Cook <kees at outflux dot net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|INVALID                     |---
             Status|RESOLVED                    |UNCONFIRMED

--- Comment #8 from Kees Cook <kees at outflux dot net> ---
(In reply to Jakub Jelinek from comment #6)
> counted_by is just another way how to get the initial whole
> object dynamic size (similarly to fixed size automatic/static vars, malloc
> etc., alloca, VLA definitions, whatever else provides the size of the whole
> object).

I don't understand why the word "initial" is used there. It provides the
_ongoing_ runtime bounds of the given array. Both the bounds sanitizer and
__bdos were extended to make use of that information.

> The rest is __builtin_dynamic_object_size dynamic tracking from that size
> through pointer arithmetics etc. And that doesn't change depending on what
> the whole size has been computed with.

Part of the bounds sanitizer+__bdos work was to make sure that getting the
size of an invalidly indexed array element is 0 (and _not_ "don't know", since
we *do* know: there is no element at an invalid location, therefore the size
available at such an "address" is 0 bytes). This is so that the various
_FORTIFY_SOURCE=3 implementations can safely reject writes to invalid array
elements; if SIZE_MAX is returned there is effectively no bounds checking
happening. This all works correctly in most constructions, and counted_by
users depend on such behavior. In the PoC included above, though, the
sanitizer accidentally continues to instrument its use within __bdos when it
otherwise would not be.