Next: Other Builtins,Previous: Atomic Builtins,Up: C Extensions
GCC implements a limited buffer overflow protection mechanismthat can prevent some buffer overflow attacks.
is a built-in construct that returns a constant number of bytes fromptr to the end of the objectptr pointer points to(if known at compile time).
__builtin_object_sizenever evaluatesits arguments for side-effects. If there are any side-effects in them, itreturns(size_t) -1fortype 0 or 1 and(size_t) 0fortype 2 or 3. If there are multiple objectsptr canpoint to and all of them are known at compile time, the returned numberis the maximum of remaining byte counts in those objects iftype & 2 is0 and minimum if nonzero. If it is not possible to determine which objectsptr points to at compile time,__builtin_object_sizeshouldreturn(size_t) -1fortype 0 or 1 and(size_t) 0fortype 2 or 3.type is an integer constant from 0 to 3. If the least significantbit is clear, objects are whole variables, if it is set, a closestsurrounding subobject is considered the object a pointer points to. The second bit determines if maximum or minimum of remaining bytesis computed.
struct V { char buf1[10]; int b; char buf2[10]; } var; char *p = &var.buf1[1], *q = &var.b; /* Here the object p points to is var. */ assert (__builtin_object_size (p, 0) == sizeof (var) - 1); /* The subobject p points to is var.buf1. */ assert (__builtin_object_size (p, 1) == sizeof (var.buf1) - 1); /* The object q points to is var. */ assert (__builtin_object_size (q, 0) == (char *) (&var + 1) - (char *) &var.b); /* The subobject q points to is var.b. */ assert (__builtin_object_size (q, 1) == sizeof (var.b));
There are built-in functions added for many common string operationfunctions, e.g., formemcpy__builtin___memcpy_chkbuilt-in is provided. This built-in has an additional last argument,which is the number of bytes remaining in object thedestargument points to or(size_t) -1 if the size is not known.
The built-in functions are optimized into the normal string functionslikememcpy if the last argument is(size_t) -1 or ifit is known at compile time that the destination object will notbe overflown. If the compiler can determine at compile time theobject will be always overflown, it issues a warning.
The intended use can be e.g.
#undef memcpy #define bos0(dest) __builtin_object_size (dest, 0) #define memcpy(dest, src, n) \ __builtin___memcpy_chk (dest, src, n, bos0 (dest)) char *volatile p; char buf[10]; /* It is unknown what object p points to, so this is optimized into plain memcpy - no checking is possible. */ memcpy (p, "abcde", n); /* Destination is known and length too. It is known at compile time there will be no overflow. */ memcpy (&buf[5], "abcde", 5); /* Destination is known, but the length is not known at compile time. This will result in __memcpy_chk call that can check for overflow at runtime. */ memcpy (&buf[5], "abcde", n); /* Destination is known and it is known at compile time there will be overflow. There will be a warning and __memcpy_chk call that will abort the program at runtime. */ memcpy (&buf[6], "abcde", 5);
Such built-in functions are provided formemcpy,mempcpy,memmove,memset,strcpy,stpcpy,strncpy,strcat andstrncat.
There are also checking built-in functions for formatted output functions.
int __builtin___sprintf_chk (char *s, int flag, size_t os, const char *fmt, ...); int __builtin___snprintf_chk (char *s, size_t maxlen, int flag, size_t os, const char *fmt, ...); int __builtin___vsprintf_chk (char *s, int flag, size_t os, const char *fmt, va_list ap); int __builtin___vsnprintf_chk (char *s, size_t maxlen, int flag, size_t os, const char *fmt, va_list ap);
The addedflag argument is passed unchanged to__sprintf_chketc. functions and can contain implementation specific flags on whatadditional security measures the checking function might take, such ashandling%n differently.
Theos argument is the object sizes points to, like in theother built-in functions. There is a small difference in the behaviorthough, ifos is(size_t) -1, the built-in functions areoptimized into the non-checking functions only ifflag is 0, otherwisethe checking function is called withos argument set to(size_t) -1.
In addition to this, there are checking built-in functions__builtin___printf_chk,__builtin___vprintf_chk,__builtin___fprintf_chk and__builtin___vfprintf_chk. These have just one additional argument,flag, right beforeformat stringfmt. If the compiler is able to optimize them tofputc etc. functions, it will, otherwise the checking functionshould be called and theflag argument passed to it.