Date:      Sat, 18 May 2024 19:07:15 +0000 (UTC)
From:      Pedro Giffuni <pfg@freebsd.org>
To:        "src-committers@freebsd.org" <src-committers@freebsd.org>,  "dev-commits-src-all@freebsd.org" <dev-commits-src-all@freebsd.org>,  "dev-commits-src-main@freebsd.org" <dev-commits-src-main@freebsd.org>,  Kyle Evans <kevans@freebsd.org>
Subject:   Re: git: 9bfd3b4076a7 - main - Add a build knob for _FORTIFY_SOURCE
Message-ID:  <220172210.1591640.1716059235914@mail.yahoo.com>
In-Reply-To: <202405130524.44D5OBT1084367@gitrepo.freebsd.org>
References:  <202405130524.44D5OBT1084367@gitrepo.freebsd.org>


Sorry for noticing so late ... I was unaware this was being worked on and I was very busy since my dad passed away recently.
The static checker component of Fortify source only works well on GCC; for clang this lacks the support that was added by Google on Android's libc (which is not very useful either).
We already had some stubs for the ssp functions but we never used them, and this just adds bloat to our libc.
I suggest reverting. Again sorry.
Pedro.
On Monday, May 13, 2024 at 12:24:16 AM GMT-5, Kyle Evans <kevans@freebsd.org> wrote:

The branch main has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=9bfd3b4076a7b0dfd27ab22318e5113dc84fea28

commit 9bfd3b4076a7b0dfd27ab22318e5113dc84fea28
Author:    Kyle Evans <kevans@FreeBSD.org>
AuthorDate: 2024-05-13 05:23:50 +0000
Commit:    Kyle Evans <kevans@FreeBSD.org>
CommitDate: 2024-05-13 05:23:50 +0000

    Add a build knob for _FORTIFY_SOURCE
    
    In the future, we will default to _FORTIFY_SOURCE=2 if SSP is enabled,
    otherwise default to _FORTIFY_SOURCE=0.  For now we default it to 0
    unconditionally to ease bisect across older versions without the new
    symbols, and we'll put out a call for testing.
    
    include/*.h include their ssp/*.h equivalents as needed based on the
    knob. Programs and users are allowed to override FORTIFY_SOURCE in their
    Makefiles or src.conf/make.conf to force it off.
    
    Reviewed by:    des, markj
    Relnotes:      yes
    Sponsored by:  Stormshield
    Sponsored by:  Klara, Inc.
    Differential Revision:  https://reviews.freebsd.org/D32308
---
 include/stdio.h                |  3 ++
 include/string.h                |  3 ++
 include/strings.h              |  3 ++
 include/unistd.h                |  4 +++
 lib/libthr/Makefile            |  3 ++
 libexec/rtld-elf/Makefile      |  4 +++
 share/man/man7/security.7      | 75 +++++++++++++++++++++++++++++++++++++++++
 share/mk/bsd.sys.mk            |  7 ++++
 tools/build/options/WITHOUT_SSP |  3 ++
 tools/build/options/WITH_SSP    |  3 ++
 10 files changed, 108 insertions(+)

diff --git a/include/stdio.h b/include/stdio.h
index fe7a6f7d6f82..30bc638082d8 100644
--- a/include/stdio.h
+++ b/include/stdio.h
@@ -530,4 +530,7 @@ extern int __isthreaded;
 __END_DECLS
 __NULLABILITY_PRAGMA_POP
 
+#if defined(_FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0
+#include <ssp/stdio.h>
+#endif
 #endif /* !_STDIO_H_ */
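Review bot: the new `#include <ssp/stdio.h>` sits after `__END_DECLS` and `__NULLABILITY_PRAGMA_POP`, so whatever ssp/stdio.h declares lands outside this header's `extern "C"` block and nullability region; ssp/stdio.h must open its own `__BEGIN_DECLS`/`__END_DECLS` (and re-establish any pragma it depends on) or C++ translation units will see C++-linkage declarations of the fortified wrappers. The string.h and strings.h hunks use the identical placement, so the same requirement applies there. A one-line comment at the include site stating that the ssp/*.h headers are self-contained in that respect would make the contract explicit.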
diff --git a/include/string.h b/include/string.h
index 597308020cdb..a595f6e3e260 100644
--- a/include/string.h
+++ b/include/string.h
@@ -168,4 +168,7 @@ errno_t memset_s(void *, rsize_t, int, rsize_t);
 #endif /* __EXT1_VISIBLE */
 __END_DECLS
 
+#if defined(_FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0
+#include <ssp/string.h>
+#endif
 #endif /* _STRING_H_ */
diff --git a/include/strings.h b/include/strings.h
index fde007186e04..6fe6a09e7dd3 100644
--- a/include/strings.h
+++ b/include/strings.h
@@ -68,4 +68,7 @@ int    strncasecmp(const char *, const char *, size_t) __pure;
 #endif
 __END_DECLS
 
+#if defined(_FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0
+#include <ssp/strings.h>
+#endif
 #endif /* _STRINGS_H_ */
diff --git a/include/unistd.h b/include/unistd.h
index e4e5c62fbb67..59738cbf6e68 100644
--- a/include/unistd.h
+++ b/include/unistd.h
@@ -37,6 +37,10 @@
 #include <sys/_null.h>
 #include <sys/_types.h>
 
+#if defined(_FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0
+#include <ssp/unistd.h>
+#endif
+
 #ifndef _GID_T_DECLARED
 typedef    __gid_t        gid_t;
 #define    _GID_T_DECLARED
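Review bot: unlike the stdio.h, string.h and strings.h hunks, which pull in their ssp counterpart at the very end of the header, this hunk includes <ssp/unistd.h> near the top, before the `_GID_T_DECLARED` typedef block and before any of the prototypes that the fortified read, readlink and getcwd wrappers shadow. That only works if ssp/unistd.h depends solely on <sys/_types.h> (`__size_t`, `__ssize_t`) and declares everything it needs itself; if it needs size_t/ssize_t or the original prototypes, move the include to the bottom of unistd.h for consistency with the other three headers, or add a comment explaining why it has to come first here.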
diff --git a/lib/libthr/Makefile b/lib/libthr/Makefile
index a5bf5da44170..85c028f521a1 100644
--- a/lib/libthr/Makefile
+++ b/lib/libthr/Makefile
@@ -11,6 +11,9 @@ LDFLAGS+=    -Wl,--rpath=/usr/lib${COMPAT_libcompat}
 
 .include <src.opts.mk>
 MK_SSP=    no
+# SSP forced off already implies FORTIFY_SOURCE=0, but we must make sure that
+# one cannot turn it back on.
+FORTIFY_SOURCE=    0
 
 LIB=thr
 SHLIB_MAJOR= 3
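Review bot: the comment claims that SSP being forced off "already implies FORTIFY_SOURCE=0", but in the bsd.sys.mk hunk of this same patch `FORTIFY_SOURCE?= 0` is set unconditionally, outside the `.if ${MK_SSP} != "no"` block, so nothing currently derives FORTIFY_SOURCE from MK_SSP; the implication only describes the future default mentioned in the XXX comment there. Reword to something like `# FORTIFY_SOURCE must stay off for libthr regardless of the SSP-driven default` so the comment does not document logic that does not exist yet.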
diff --git a/libexec/rtld-elf/Makefile b/libexec/rtld-elf/Makefile
index 37c3840538d5..864448ad782a 100644
--- a/libexec/rtld-elf/Makefile
+++ b/libexec/rtld-elf/Makefile
@@ -15,6 +15,10 @@ MK_UBSAN=    no
 
 .include <bsd.compat.pre.mk>
 
+# SSP forced off already implies FORTIFY_SOURCE=0, but we must make sure that
+# one cannot turn it back on.
+FORTIFY_SOURCE=    0
+
 .if !defined(NEED_COMPAT)
 CONFS=        libmap.conf
 .endif
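Review bot: `FORTIFY_SOURCE= 0` with a plain `=` overrides a value from src.conf or make.conf (those are read before this Makefile's assignments), but as far as I can tell not one given on the make(1) command line, which takes precedence over makefile assignments. If "one cannot turn it back on" is meant to hold for `make FORTIFY_SOURCE=2` as well, follow the assignment with a guard such as `.if ${FORTIFY_SOURCE} != 0` / `.error rtld-elf must be built with FORTIFY_SOURCE=0` / `.endif`; otherwise soften the comment to say it overrides the src.conf/make.conf setting. The same applies to the libthr hunk above.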
diff --git a/share/man/man7/security.7 b/share/man/man7/security.7
index ccbeeb4575ce..2e690e35d534 100644
--- a/share/man/man7/security.7
+++ b/share/man/man7/security.7
@@ -939,6 +939,81 @@ option that SSH allows in its
 .Pa authorized_keys
 file to make the key only usable to entities logging in from specific
 machines.
+.Sh STACK OVERFLOW PROTECTION
+.Fx
+supports stack overflow protection using the Stack Smashing Protector
+.Pq SSP
+compiler feature.
+In userland, SSP adds a per-process randomized canary at the end of every stack
+frame which is checked for corruption upon return from the function.
+In the kernel, a single randomized canary is used globally except on aarch64,
+which has a
+.Dv PERTHREAD_SSP
+.Xr config 8
+option to enable per-thread randomized canaries.
+If stack corruption is detected, then the process aborts to avoid potentially
+malicious execution as a result of the corruption.
+SSP may be enabled or disabled when building
+.Fx
+base with the
+.Xr src.conf 5
+SSP knob.
+.Pp
+When
+.Va WITH_SSP
+is enabled, which is the default, world is built with the
+.Fl fstack-protector-strong
+compiler option.
+The kernel is built with the
+.Fl fstack-protector
+option.
+.Pp
+In addition to SSP, a
+.Dq FORTIFY_SOURCE
+implementation is supported up to level 2 by defining
+.Va _FORTIFY_SOURCE
+to
+.Dv 1
+or
+.Dv 2
+before including any
+.Fx
+headers.
+.Fx
+world builds can set
+.Va FORTIFY_SOURCE
+to provide a default value for
+.Va _FORTIFY_SOURCE .
+When enabled,
+.Dq FORTIFY_SOURCE
+enables extra bounds checking in various functions that accept buffers to be
+written into.
+These functions currently have extra bounds checking support:
+.Bl -column -offset indent "snprintf" "memmove" "strncpy" "vsnprintf" "readlink"
+.It bcopy    Ta bzero    Ta fgets    Ta getcwd    Ta gets
+.It memcpy  Ta memmove  Ta memset    Ta read      Ta readlink
+.It snprintf Ta sprintf  Ta stpcpy    Ta stpncpy  Ta strcat
+.It strcpy  Ta strncat  Ta strncpy  Ta vsnprintf Ta vsprintf
+.El
+.Pp
+.Dq FORTIFY_SOURCE
+requires compiler support from
+.Xr clang 1
+or
+.Xr gcc 1 ,
+which provide the
+.Xr __builtin_object_size 3
+function that is used to determine the bounds of an object.
+This feature works best at optimization levels
+.Fl O1
+and above, as some object sizes may be less obvious without some data that the
+compiler would collect in an optimization pass.
+.Pp
+Similar to SSP, violating the bounds of an object will cause the program to
+abort in an effort to avoid malicious execution.
+This effectively provides finer-grained protection than SSP for some class of
+function and system calls, along with some protection for buffers allocated as
+part of the program data.
 .Sh KNOBS AND TWEAKS
 .Fx
 provides several knobs and tweak handles that make some introspection
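Review bot: the new section says FORTIFY_SOURCE is "supported up to level 2" but never tells the reader what level 2 checks beyond level 1, so the choice between `.Dv 1` and `.Dv 2` is undocumented; add a sentence after the `.Dv 2` reference describing the difference (in particular which object-size computations level 2 tightens and what that can break). Also double-check that `.Xr __builtin_object_size 3` resolves to an installed manual page; if there is none, a `.Fn __builtin_object_size` reference with a pointer to the compiler documentation avoids a dangling cross-reference. Minor wording: "some class of function and system calls" reads oddly; "some classes of library and system calls" is clearer.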
diff --git a/share/mk/bsd.sys.mk b/share/mk/bsd.sys.mk
index de91e00d8cc7..52c3d07746c7 100644
--- a/share/mk/bsd.sys.mk
+++ b/share/mk/bsd.sys.mk
@@ -294,11 +294,18 @@ CFLAGS.clang+=    -Qunused-arguments
 # but not yet.
 CXXFLAGS.clang+=    -Wno-c++11-extensions
 
+# XXX This should be defaulted to 2 when WITH_SSP is in use after further
+# testing and soak time.
+FORTIFY_SOURCE?=    0
 .if ${MK_SSP} != "no"
 # Don't use -Wstack-protector as it breaks world with -Werror.
 SSP_CFLAGS?=    -fstack-protector-strong
 CFLAGS+=    ${SSP_CFLAGS}
 .endif # SSP
+.if ${FORTIFY_SOURCE} > 0
+CFLAGS+=    -D_FORTIFY_SOURCE=${FORTIFY_SOURCE}
+CXXFLAGS+=    -D_FORTIFY_SOURCE=${FORTIFY_SOURCE}
+.endif
 
 # Additional flags passed in CFLAGS and CXXFLAGS when MK_DEBUG_FILES is
 # enabled.
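Review bot: `.if ${FORTIFY_SOURCE} > 0` is a numeric comparison, so a value such as `FORTIFY_SOURCE=yes` in src.conf (an easy slip next to the WITH_/WITHOUT_ knobs) fails with a malformed-conditional error instead of a helpful message; consider validating it first, e.g. `.if ${FORTIFY_SOURCE} != 0 && ${FORTIFY_SOURCE} != 1 && ${FORTIFY_SOURCE} != 2` followed by `.error FORTIFY_SOURCE must be 0, 1 or 2`. Also, SSP exposes `SSP_CFLAGS?=` for per-site overrides while the fortify define is appended straight to CFLAGS and CXXFLAGS; a matching `FORTIFY_CFLAGS?= -D_FORTIFY_SOURCE=${FORTIFY_SOURCE}` would keep the two knobs symmetric and let a site adjust the flag without editing this file.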
diff --git a/tools/build/options/WITHOUT_SSP b/tools/build/options/WITHOUT_SSP
index 88162cecf14a..7a773fe1e5aa 100644
--- a/tools/build/options/WITHOUT_SSP
+++ b/tools/build/options/WITHOUT_SSP
@@ -1 +1,4 @@
 Do not build world with stack smashing protection.
+See
+.Xr security 7
+for more information.
diff --git a/tools/build/options/WITH_SSP b/tools/build/options/WITH_SSP
index 0088dd133782..4f06a73d4173 100644
--- a/tools/build/options/WITH_SSP
+++ b/tools/build/options/WITH_SSP
@@ -1 +1,4 @@
 Build world with stack smashing protection.
+See
+.Xr security 7
+for more information.
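Review bot: both option descriptions now point at security(7), but neither mentions that FORTIFY_SOURCE is a separate build knob whose default the commit message says will eventually follow the SSP setting; when that default is switched on, these two descriptions will need updating as well, so a short clause such as "This setting also selects the default for the FORTIFY_SOURCE knob" is worth adding at that time.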
  