OpenBSD Journal

Simple static bounds checker in 3.3-current

Contributed by jose on from the code-level-security dept.

Yet another anonymous writes:

From: Anil Madhavapeddy

Date: Thu, 26 Jun 2003 12:30:06 -0600 (MDT)
To: source-changes@cvs.openbsd.org
Subject: CVS: cvs.openbsd.org: src

CVSROOT:        /cvs
Module name:    src
Changes by:     avsm@cvs.openbsd.org    2003/06/26 12:30:05

Modified files:
        gnu/egcs/gcc   : c-common.c c-decl.c c-tree.h c-typeck.c
                         fold-const.c toplev.c tree.h
        gnu/egcs/gcc/cp: call.c cp-tree.h decl2.c typeck.c

Log message:
Introduce a simple static checker for making sure that the bounds
length passed to common functions such as strlcpy/strlcat match the
real length of the buffer.  It also checks to make sure that the bound
length was not incorrectly derived from a sizeof(pointer) operation.

Functions must be marked with the new attribute __bounded__, and warnings
are turned on by -Wbounded.  Specifying -Wformat also enables bounds
checking for scanf(3) bounds to '%s' format variables. -Wall now turns
on -Wbounded also.

The checking is pretty limited right now to constant parameters, and the
buffers must be statically declared, and not inside a record type.  This
simple checking still found hundreds of bugs around the ports tree though,
and there have been no false positive warnings.

10x to niklas@, Richard Sharp and David Scott {rich,dave}@recoil.org for
compiler advice.  deraadt@ ok, miod@ tested on his collection of hardware

You need to recompile gcc now if source upgrading in -current before
doing a make world.

Various people have tested this and the tests have proven themselves. They're certainly limited, but what they do they do well. Have a look at it, and even play with some non-OpenBSD code with it and learn how it works. Way to go, Anil!
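As an added illustration (not code from the commit or from OpenBSD's own headers), here are the two mistakes the checker looks for, the mismatched constant bound and the sizeof(pointer) bound, next to the corrected form. `my_strlcpy` is a local stand-in for strlcpy(3) so the file builds where libc lacks it, and `BOUNDED_STRING` is an assumed shim: on OpenBSD it expands to the `__bounded__` attribute (the `__string__` spelling follows later OpenBSD string.h declarations, an assumption about this commit's exact syntax), elsewhere to nothing.

```c
#include <stddef.h>
#include <string.h>

/* OpenBSD headers mark strlcpy/strlcat with __bounded__ so -Wbounded can
 * compare the length argument with the destination buffer.  Other compilers
 * do not know the attribute, so this shim (an assumption, not a real header)
 * makes it a no-op there. */
#if defined(__OpenBSD__)
#define BOUNDED_STRING(dstarg, lenarg) \
        __attribute__((__bounded__(__string__, dstarg, lenarg)))
#else
#define BOUNDED_STRING(dstarg, lenarg)
#endif

/* Local strlcpy stand-in with OpenBSD semantics: always NUL-terminates when
 * size > 0 and returns strlen(src), so callers can detect truncation. */
size_t my_strlcpy(char *dst, const char *src, size_t size) BOUNDED_STRING(1, 3);
size_t my_strlcpy(char *dst, const char *src, size_t size)
{
        size_t srclen = strlen(src);
        if (size > 0) {
                size_t n = srclen < size - 1 ? srclen : size - 1;
                memcpy(dst, src, n);
                dst[n] = '\0';
        }
        return srclen;
}

/* Mistake 1: constant bound that does not match the static buffer (32 vs 16).
 * -Wbounded flags this; with a long src it writes past the end of `name`. */
size_t bad_constant_bound(const char *src)
{
        char name[16];
        return my_strlcpy(name, src, 32);
}

/* Mistake 2: bound derived from sizeof(pointer).  `dst` is a pointer here, so
 * sizeof(dst) is 4 or 8, not the size of the caller's buffer: the copy is
 * silently truncated (or overflows if the buffer is smaller than a pointer). */
size_t bad_sizeof_pointer(char *dst, const char *src)
{
        return my_strlcpy(dst, src, sizeof(dst));
}

/* Fixed form: the caller owns the array and passes sizeof(buf) explicitly. */
size_t good_copy(char *dst, size_t dstsize, const char *src)
{
        return my_strlcpy(dst, src, dstsize);
}
```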

Comments
  1. By Anonymous Coward () on

    So are these modifications something that can be fed back to the GNU compiler people?

    Comments
    1. By Anil () avsm@ on mailto:avsm@

      Eventually, yes ... the gcc2 patch is no use to them, so I'm porting to gcc3 at the moment.

      Comments
      1. By Anonymous Coward () on

        Sweet. This kind of effort should pay big dividends ports-wise in the long haul, while benefitting all free'nix users...

        Comments
        1. By Anil () avsm@ on mailto:avsm@

          I've run it through the ports tree a couple of times - around a hundred or so bugs have been fixed, but the list of warnings I haven't touched yet is still sizable - feel free to do that.

          Also, only system libraries have been marked with __bounded__ so far - looking more closely at applications which define their own bounded functions (apache and bind would be quite likely) could pay dividends as well.

          There's also the open point of doing more analysis (e.g. interval analysis), to find more bugs on more complicated, non-constant functions. If anyone's interested in trying to tackle some of these, feel free to get in touch.

  2. By Anonymous Coward () on

    As a software developer this kind of feature is very useful - great work, and thanks for the effort!

  3. By Ben Johnson () on

    I like it - it's understandable, is easy to use, and has a lot of benefits. Thanks for making this!

  4. By Anonymous Coward () on

    Looks like the /usr/include portion was backed out.
    Any idea when this will be put back in?

    Comments
    1. By Anonymous Coward () on

      a couple of weeks

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]