Am Donnerstag, dem 10.08.2023 um 10:58 -0400 schrieb Siddhesh Poyarekar:
> On 2023-08-10 10:47, Martin Uecker wrote:
> > Am Donnerstag, dem 10.08.2023 um 16:42 +0200 schrieb Jakub Jelinek:
> > > On Thu, Aug 10, 2023 at 04:38:21PM +0200, Martin Uecker wrote:
> > > > Am Donnerstag, dem 10.08.2023 um 13:59 +0000 schrieb Qing Zhao:
> > > > >
> > > > > > On Aug 10, 2023, at 2:58 AM, Martin Uecker <muec...@gwdg.de> wrote:
> > > > > >
> > > > > > Am Mittwoch, dem 09.08.2023 um 20:10 +0000 schrieb Qing Zhao:
> > > > > > >
> > > > > > > > On Aug 9, 2023, at 12:21 PM, Michael Matz <m...@suse.de> wrote:
> > > > > >
> > > >
> > > > > > I am not sure for the reason given above. The following
> > > > > > code would not work:
> > > > > >
> > > > > > struct foo_flex { int a; short b; char t[]; } x;
> > > > > > x.a = 1;
> > > > > > struct foo_flex *p = malloc(sizeof(x) + x.a);
> > > > > > if (!p) abort();
> > > > > > memcpy(p, &x, sizeof(x)); // initialize struct
> > > > > >
> > > > > Okay.
> > > > > Then, the user still should use the sizeof(struct foo_flex) + N *
> > > > > sizeof(foo->t) for the allocation, even though this might allocate
> > > > > more bytes than necessary. (But this is safe)
> > > > >
> > > > > Let me know if I still miss anything.
> > > >
> > > > The question is not only what the user should use to
> > > > allocate, but also what BDOS should return. In my
> > > > example the user uses the sizeof() + N * sizeof
> > > > formula and the memcpy is safe, but it would be flagged
> > > > as a buffer overrun if BDOS uses the offsetof formula.
> > >
> > > BDOS/BOS (at least the 0 level) should return what is actually
> > > allocated for the var, what size was passed to malloc and if it
> > > is a var with flex array member with initialization what is actually the
> > > size on the stack or in .data/.rodata etc.
> >
> > Agreed.
> >
> > But what about a struct with FAM with the new "counted_by" attribute
> > if the original allocation is not visible?
>
> There's precedent for this through the __access__ attribute; __bos
> trusts what the attribute says about the allocation.
The access attribute gives the size directly. The counted_by gives
a length for the array which needs to be translated into a size
via a formula. There are different formulas in use. The question
is which formula should bdos trust?
Whatever you pick, if this is not consistent with the actual
allocation or use, then it will cause problems either by
breaking code or not detecting buffer overruns.
So it needs to be consistent with what GCC allocates for a
var with FAM and initialization and also the user needs to
be told what the right choice is so that he can use the right
size for allocation and argument to memcpy / memset etc.
Martin
