safeclib 3.3 v03032018 released
- Added compile-time and run-time object_size checks (BOS), resulting
in EOVERFLOW error codes. Compilers only do this reliably with static
arrays, less so with literal strings. With a known static allocation size
the RSIZE_MAX_* limits can be bypassed. BOS even knows about malloc sizes
on some platforms.
Renamed all functions to _*_chk, with the API provided as macros. (GH #40)
- Added run-time libmpx pointer boundary checks if supported. (GH #49)
gcc-5+ (optional), icc-15+
- Improved performance of mem_prim_set/mem_prim_move on 64bit machines by a factor of 2
by using 64bit ops instead of 32bit. With clang-4+ memcpy_s is now as fast as
native memcpy, with gcc only 77% slower.
Added more benchmarks and improved the timing.
- Made the unsafe functions snprintf_s, vsnprintf_s, snwprintf_s, vsnwprintf_s
safe by guaranteeing null termination. Only tmpnam_s remains unsafe. (GH #52)
- Added strnatcmp_s, strnatcasecmp_s, wcsnatcmp_s, wcsnaticmp_s
- Added the --disable-constraint-handler option, which undefines the run-time
invoke_safe_{str,mem}_constraint_handler function calls
in safe_config.h to avoid the large errormsg strings. No run-time
performance improvement, as those calls only happen in the error cases.
- Added the --enable-warn-dmax option to warn when dmax != sizeof(dest),
and --enable-error-dmax to turn that warning into a fatal error.
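To show how the BOS checks above and the dmax != sizeof(dest) warning relate, here is an added illustrative example (not safeclib's own code): a hypothetical demo_memcpy_s macro forwards __builtin_object_size of the caller's destination to a _chk worker, which rejects a dmax larger than the real object with EOVERFLOW, while for an opaque pointer (BOS unknown) only the ordinary length check remains. Names, the ERANGE/EINVAL codes and the 8-byte buffer are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#define BOS_UNKNOWN ((size_t)-1)   /* __builtin_object_size: "cannot tell" */
#if defined(__GNUC__) || defined(__clang__)
#define DEMO_BOS(p) __builtin_object_size((p), 0)   /* mode 0: whole object */
#else
#define DEMO_BOS(p) BOS_UNKNOWN                     /* no BOS support */
#endif

/* Checked worker (hypothetical name). destbos is the compiler's knowledge
 * of the destination object's size, forwarded by the macro below. */
int demo_memcpy_chk(void *dest, size_t dmax, const void *src, size_t n,
                    size_t destbos)
{
    if (dest == NULL || src == NULL)
        return EINVAL;
    /* Caller claims a dmax larger than the object really is: refuse
     * before touching memory. This is the check that yields EOVERFLOW. */
    if (destbos != BOS_UNKNOWN && dmax > destbos)
        return EOVERFLOW;
    if (n > dmax)
        return ERANGE;          /* the ordinary length-vs-dmax check */
    memcpy(dest, src, n);
    return 0;
}

/* The public API is a macro so BOS is evaluated on the caller's object. */
#define demo_memcpy_s(dest, dmax, src, n) \
    demo_memcpy_chk((dest), (dmax), (src), (n), DEMO_BOS(dest))

/* Deterministic driver: 8-byte buffer, caller-chosen dmax, n and BOS. */
int demo_case(size_t dmax, size_t n, size_t destbos)
{
    char buf[8];
    return demo_memcpy_chk(buf, dmax, "abcdefgh", n, destbos);
}

int demo_bos_known(void)   /* 1 if BOS folds for a local array, else 0 */
{
    char buf[8];
    return DEMO_BOS(buf) != BOS_UNKNOWN;
}

/* Static array with a wrong dmax of 64: rejected wherever BOS is known. */
int demo_static_wrong_dmax(void)
{
    char buf[8];
    return demo_memcpy_s(buf, 64, "abc", 3);
}
```

demo_case(64, 3, BOS_UNKNOWN) succeeds even though dmax is wrong, which is exactly the gap the --enable-warn-dmax check is meant to surface.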
- Fixed wrong count max check in memmove32_s
- Fully tested against other secure libc extensions, the native msvcrt 7.0 (Win8)
and the msvcrt under wine-2.0.4 and wine-3.0.
- Fixed --disable-shared for Windows.
- Optimized null-slack clearing of dest, unrolling the memset loop with
small dest buffers.
- Truncating functions {v,}sn{w,}printf_s: clear dest on errors after printing to it.
- Fixed compilation of the linux kernel module (PR #43, Fabrice Fontaine)
- Fixed C++ strictness when not C99 (e.g. g++ 4.3).
- Changed retval of sprintf_s/vsprintf_s on all errors from 0 to -1,
deviating from the standard. The original -1 retval was changed with
http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1141.pdf by Microsoft
to keep count += sprintf(buf + count, format_string, args) working,
where all errors simply returned 0. Later Microsoft and all others
changed the error return value back to -1, to be consistent with other
sprintf functions. So do we. (GH #45)
- Removed errno of sprintf_s/vsprintf_s, return the negative ES error code.
- sprintf_s/vsprintf_s on Windows now use the native vsnprintf_s function
to reject illegal format specifiers.
- More hardening with gcc-7.3/clang-7: Probe for -Wl,-z,textonly and
-Wl,-z,retpolineplt, currently only with lld-7
- Fixed wcsnorm_compose_s >RSIZE_MAX_WSTR integer overflow
- Fixed overlap checks to be C11 conformant, cast to uintptr_t. (GH #51)
- Added strnatcmp_s; added strcmp_s src overflow checks, returning
ESUNTERM for src to avoid overflows.
- Reworked C11 compatibility to align more closely with the existing Windows+BSD
sec_apis, esp. with the slen=0 cases of the cpy and move functions, while still
following the spec. (GH #39)
There is no separate logic anymore if the library was compiled with a C11
compiler. See the testcases for the remaining discrepancies.
clang-5+ is highly recommended over gcc: it detects errors at compile time during development, provides run-time safety via retpoline, and performs vastly better.
CC="clang-7 -march=native -fstrict-aliasing" ./configure
or even
CC="clang-7 -flto -march=native -fstrict-aliasing" AR=llvm-ar-7 ./configure
See https://github.com/rurban/safeclib/blob/master/ChangeLog and https://rurban.github.io/safeclib/
54b25c2b4738a80404a493c7091bf16ecd5de32a libsafec-03032018.0-g570fa5.tar.bz2
8f6e3fafdfd3599def9c1b6773575ed89018a435 libsafec-03032018.0-g570fa5.tar.gz
0395d52b0929007becfeddfbe58d1cb39762a014 libsafec-03032018.0-g570fa5.tar.xz