<html lang="en">
<head>
<title>Object Size Checking - Using the GNU Compiler Collection (GCC)</title>
<meta http-equiv="Content-Type" content="text/html">
<meta name="description" content="Using the GNU Compiler Collection (GCC)">
<meta name="generator" content="makeinfo 4.13">
<link title="Top" rel="start" href="index.html#Top">
<link rel="up" href="C-Extensions.html#C-Extensions" title="C Extensions">
<link rel="prev" href="x86-specific-memory-model-extensions-for-transactional-memory.html#x86-specific-memory-model-extensions-for-transactional-memory" title="x86 specific memory model extensions for transactional memory">
<link rel="next" href="Other-Builtins.html#Other-Builtins" title="Other Builtins">
<link href="http://www.gnu.org/software/texinfo/" rel="generator-home" title="Texinfo Homepage">
<!--
Copyright (C) 1988-2013 Free Software Foundation, Inc.

Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
any later version published by the Free Software Foundation; with the
Invariant Sections being ``Funding Free Software'', the Front-Cover
Texts being (a) (see below), and with the Back-Cover Texts being (b)
(see below).  A copy of the license is included in the section entitled
``GNU Free Documentation License''.

(a) The FSF's Front-Cover Text is:

     A GNU Manual

(b) The FSF's Back-Cover Text is:

     You have freedom to copy and modify this GNU Manual, like GNU
     software.  Copies published by the Free Software Foundation raise
     funds for GNU development.-->
<meta http-equiv="Content-Style-Type" content="text/css">
<style type="text/css"><!--
  pre.display { font-family:inherit }
  pre.format  { font-family:inherit }
  pre.smalldisplay { font-family:inherit; font-size:smaller }
  pre.smallformat  { font-family:inherit; font-size:smaller }
  pre.smallexample { font-size:smaller }
  pre.smalllisp    { font-size:smaller }
  span.sc    { font-variant:small-caps }
  span.roman { font-family:serif; font-weight:normal; }
  span.sansserif { font-family:sans-serif; font-weight:normal; }
--></style>
<link rel="stylesheet" type="text/css" href="../cs.css">
</head>
<body>
<div class="node">
<a name="Object-Size-Checking"></a>
<p>
Next:&nbsp;<a rel="next" accesskey="n" href="Other-Builtins.html#Other-Builtins">Other Builtins</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="x86-specific-memory-model-extensions-for-transactional-memory.html#x86-specific-memory-model-extensions-for-transactional-memory">x86 specific memory model extensions for transactional memory</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="C-Extensions.html#C-Extensions">C Extensions</a>
<hr>
</div>

<h3 class="section">6.54 Object Size Checking Built-in Functions</h3>

<p><a name="index-g_t_005f_005fbuiltin_005fobject_005fsize-2953"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fmemcpy_005fchk-2954"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fmempcpy_005fchk-2955"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fmemmove_005fchk-2956"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fmemset_005fchk-2957"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fstrcpy_005fchk-2958"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fstpcpy_005fchk-2959"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fstrncpy_005fchk-2960"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fstrcat_005fchk-2961"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fstrncat_005fchk-2962"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fsprintf_005fchk-2963"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fsnprintf_005fchk-2964"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fvsprintf_005fchk-2965"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fvsnprintf_005fchk-2966"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fprintf_005fchk-2967"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fvprintf_005fchk-2968"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005ffprintf_005fchk-2969"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fvfprintf_005fchk-2970"></a>
GCC implements a limited buffer overflow protection mechanism
that can prevent some buffer overflow attacks.

<div class="defun">
&mdash; Built-in Function: size_t <b>__builtin_object_size</b> (<var>void * ptr, int type</var>)<var><a name="index-g_t_005f_005fbuiltin_005fobject_005fsize-2971"></a></var><br>
<blockquote><p>is a built-in construct that returns a constant number of bytes from
<var>ptr</var> to the end of the object that <var>ptr</var> points to
(if known at compile time).  <code>__builtin_object_size</code> never evaluates
its arguments for side-effects.  If there are any side-effects in them, it
returns <code>(size_t) -1</code> for <var>type</var> 0 or 1 and <code>(size_t) 0</code>
for <var>type</var> 2 or 3.  If there are multiple objects <var>ptr</var> can
point to and all of them are known at compile time, the returned number
is the maximum of the remaining byte counts in those objects if <var>type</var> &amp; 2 is
0 and the minimum if it is nonzero.  If it is not possible to determine which objects
<var>ptr</var> points to at compile time, <code>__builtin_object_size</code> should
return <code>(size_t) -1</code> for <var>type</var> 0 or 1 and <code>(size_t) 0</code>
for <var>type</var> 2 or 3.

      <p><var>type</var> is an integer constant from 0 to 3.  If the least significant
bit is clear, objects are whole variables; if it is set, the closest
surrounding subobject is considered the object a pointer points to.
The second bit determines whether the maximum or the minimum of remaining bytes
is computed.

     <pre class="smallexample">          struct V { char buf1[10]; int b; char buf2[10]; } var;
          /* The cast is needed because &amp;var.b has type int *.  */
          char *p = &amp;var.buf1[1], *q = (char *) &amp;var.b;
          
          /* Here the object p points to is var.  */
          assert (__builtin_object_size (p, 0) == sizeof (var) - 1);
          /* The subobject p points to is var.buf1.  */
          assert (__builtin_object_size (p, 1) == sizeof (var.buf1) - 1);
          /* The object q points to is var.  */
          assert (__builtin_object_size (q, 0)
                  == (char *) (&amp;var + 1) - (char *) &amp;var.b);
          /* The subobject q points to is var.b.  */
          assert (__builtin_object_size (q, 1) == sizeof (var.b));
</pre>
      </blockquote></div>

 <p>There are built-in functions added for many common string operation
functions, e.g., for <code>memcpy</code> the <code>__builtin___memcpy_chk</code>
built-in is provided.  This built-in has an additional last argument,
which is the number of bytes remaining in the object the <var>dest</var>
argument points to, or <code>(size_t) -1</code> if the size is not known.

 <p>The built-in functions are optimized into the normal string functions
like <code>memcpy</code> if the last argument is <code>(size_t) -1</code> or if
it is known at compile time that the destination object will not
be overflowed.  If the compiler can determine at compile time that the
object will always be overflowed, it issues a warning.

 <p>The intended use can be, e.g.:

<pre class="smallexample">     #undef memcpy
     #define bos0(dest) __builtin_object_size (dest, 0)
     #define memcpy(dest, src, n) \
       __builtin___memcpy_chk (dest, src, n, bos0 (dest))
     
     char *volatile p;
     char buf[10];
     extern size_t n;   /* A length known only at run time.  */
     /* It is unknown what object p points to, so this is optimized
        into plain memcpy - no checking is possible.  */
     memcpy (p, "abcde", n);
     /* Destination is known and length too.  It is known at compile
        time there will be no overflow.  */
     memcpy (&amp;buf[5], "abcde", 5);
     /* Destination is known, but the length is not known at compile time.
        This will result in __memcpy_chk call that can check for overflow
        at run time.  */
     memcpy (&amp;buf[5], "abcde", n);
     /* Destination is known and it is known at compile time there will
        be overflow.  There will be a warning and __memcpy_chk call that
        will abort the program at run time.  */
     memcpy (&amp;buf[6], "abcde", 5);
</pre>
 <p>Such built-in functions are provided for <code>memcpy</code>, <code>mempcpy</code>,
<code>memmove</code>, <code>memset</code>, <code>strcpy</code>, <code>stpcpy</code>, <code>strncpy</code>,
<code>strcat</code> and <code>strncat</code>.

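 <p>The following is an added example, not part of the GCC manual: it contrasts <var>type</var> 0 and <var>type</var> 1 on a copy that overruns one struct member while staying inside the enclosing object, and refuses the copy instead of aborting as <code>__memcpy_chk</code> does.  The names <code>guarded_copy</code>, <code>guarded_copy_impl</code>, <code>BOS_UNKNOWN</code> and the accessor functions are hypothetical, and <code>var</code> is a constructed sample object.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample object with the same layout as the manual's struct V. */
struct V { char buf1[10]; int b; char buf2[10]; };
static struct V var;

#define BOS_UNKNOWN ((size_t) -1)   /* "size not known" for type 0 and 1 */

/* Hypothetical helper: returns 0 after a checked copy, 1 after an unchecked
   copy (size unknown), and -1 when n exceeds the bytes left (no copy).  */
static int guarded_copy_impl(void *dest, const void *src, size_t n, size_t os)
{
    if (os != BOS_UNKNOWN && n > os)
        return -1;
    memcpy(dest, src, n);
    return os == BOS_UNKNOWN ? 1 : 0;
}

/* A macro, so the size is computed from the destination expression at the
   call site.  __builtin_object_size never evaluates its argument, so dest
   is evaluated only once.  Type 1 bounds the copy by the subobject.  */
#define guarded_copy(dest, src, n) \
    guarded_copy_impl((dest), (src), (n), __builtin_object_size((dest), 1))

/* Bytes left from &var.buf1[6]: to the end of var (type 0) and to the end
   of var.buf1 (type 1).  */
size_t left_in_object(void)    { return __builtin_object_size(&var.buf1[6], 0); }
size_t left_in_subobject(void) { return __builtin_object_size(&var.buf1[6], 1); }

/* Five bytes at buf1[1] end at buf1[5]: inside the member.  */
int copy_that_fits(void)      { return guarded_copy(&var.buf1[1], "abcde", 5); }

/* Five bytes at buf1[6] would run one byte past buf1 while staying inside
   var; only the type 1 size (4) catches that.  */
int copy_that_overflows(void) { return guarded_copy(&var.buf1[6], "abcde", 5); }

/* Read-back accessor for checking what was written.  */
const char *field_bytes(void) { return var.buf1; }
```

 <p>A check made with <var>type</var> 0 would accept the second copy, because the bytes left in the whole of <code>var</code> exceed 5; when the destination is only reachable through a pointer the compiler cannot trace, the macro receives <code>(size_t) -1</code> and the copy is unchecked.
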
 <p>There are also checking built-in functions for formatted output functions.
<pre class="smallexample">     int __builtin___sprintf_chk (char *s, int flag, size_t os, const char *fmt, ...);
     int __builtin___snprintf_chk (char *s, size_t maxlen, int flag, size_t os,
                                   const char *fmt, ...);
     int __builtin___vsprintf_chk (char *s, int flag, size_t os, const char *fmt,
                                   va_list ap);
     int __builtin___vsnprintf_chk (char *s, size_t maxlen, int flag, size_t os,
                                    const char *fmt, va_list ap);
</pre>
 <p>The added <var>flag</var> argument is passed unchanged to the <code>__sprintf_chk</code>
etc. functions and can contain implementation-specific flags on what
additional security measures the checking function might take, such as
handling <code>%n</code> differently.

 <p>The <var>os</var> argument is the size of the object <var>s</var> points to, like in the
other built-in functions.  There is a small difference in the behavior,
though: if <var>os</var> is <code>(size_t) -1</code>, the built-in functions are
optimized into the non-checking functions only if <var>flag</var> is 0; otherwise
the checking function is called with the <var>os</var> argument set to
<code>(size_t) -1</code>.

 <p>In addition to this, there are checking built-in functions
<code>__builtin___printf_chk</code>, <code>__builtin___vprintf_chk</code>,
<code>__builtin___fprintf_chk</code> and <code>__builtin___vfprintf_chk</code>.
These have just one additional argument, <var>flag</var>, right before
the format string <var>fmt</var>.  If the compiler is able to optimize them to
<code>fputc</code> etc. functions, it does; otherwise the checking function
is called and the <var>flag</var> argument is passed to it.

 </body></html>