Date: Sat, 18 May 2024 19:07:15 +0000 (UTC) From: Pedro Giffuni <pfg@freebsd.org> To: "src-committers@freebsd.org" <src-committers@freebsd.org>, "dev-commits-src-all@freebsd.org" <dev-commits-src-all@freebsd.org>, "dev-commits-src-main@freebsd.org" <dev-commits-src-main@freebsd.org>, Kyle Evans <kevans@freebsd.org> Subject: Re: git: 9bfd3b4076a7 - main - Add a build knob for _FORTIFY_SOURCE Message-ID: <220172210.1591640.1716059235914@mail.yahoo.com> In-Reply-To: <202405130524.44D5OBT1084367@gitrepo.freebsd.org> References: <202405130524.44D5OBT1084367@gitrepo.freebsd.org>
------=_Part_1591639_634665037.1716059235908 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Sorry for noticing so late ... I was unaware this was being worked on, and I have been very busy since my dad passed away recently. The static checker component of FORTIFY_SOURCE only works well on GCC; for clang it lacks the support that Google added to Android's libc (which is not very useful either). We already had some stubs for the ssp functions but we never used them, and this just adds bloat to our libc. I suggest reverting. Again sorry. Pedro. On Monday, May 13, 2024 at 12:24:16 AM GMT-5, Kyle Evans <kevans@freebs= d.org> wrote: =20 =20 The branch main has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=3D9bfd3b4076a7b0dfd27ab22318e5= 113dc84fea28 commit 9bfd3b4076a7b0dfd27ab22318e5113dc84fea28 Author:=C2=A0 =C2=A0 Kyle Evans <kevans@FreeBSD.org> AuthorDate: 2024-05-13 05:23:50 +0000 Commit:=C2=A0 =C2=A0 Kyle Evans <kevans@FreeBSD.org> CommitDate: 2024-05-13 05:23:50 +0000 =C2=A0 =C2=A0 Add a build knob for _FORTIFY_SOURCE =C2=A0 =C2=A0=20 =C2=A0 =C2=A0 In the future, we will Default to _FORTIFY_SOURCE=3D2 if SSP = is enabled, =C2=A0 =C2=A0 otherwise default to _FORTIFY_SOURCE=3D0.=C2=A0 For now we de= fault it to 0 =C2=A0 =C2=A0 unconditionally to ease bisect across older versions without = the new =C2=A0 =C2=A0 symbols, and we'll put out a call for testing. =C2=A0 =C2=A0=20 =C2=A0 =C2=A0 include/*.h include their ssp/*.h equivalents as needed based= on the =C2=A0 =C2=A0 knob. Programs and users are allowed to override FORTIFY_SOUR= CE in their =C2=A0 =C2=A0 Makefiles or src.conf/make.conf to force it off. =C2=A0 =C2=A0=20 =C2=A0 =C2=A0 Reviewed by:=C2=A0 =C2=A0 des, markj =C2=A0 =C2=A0 Relnotes:=C2=A0 =C2=A0 =C2=A0 yes =C2=A0 =C2=A0 Sponsored by:=C2=A0 Stormshield =C2=A0 =C2=A0 Sponsored by:=C2=A0 Klara, Inc.
=C2=A0 =C2=A0 Differential Revision:=C2=A0 https://reviews.freebsd.org/D323= 08
---
 include/stdio.h=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 |= =C2=A0 3 ++
 include/string.h=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 |= =C2=A0 3 ++
 include/strings.h=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 |=C2=A0 = 3 ++
 include/unistd.h=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 |= =C2=A0 4 +++
 lib/libthr/Makefile=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 |=C2=A0 3 ++
 libexec/rtld-elf/Makefile=C2=A0 =C2=A0 =C2=A0 |=C2=A0 4 +++
 share/man/man7/security.7=C2=A0 =C2=A0 =C2=A0 | 75 +++++++++++++++++++++++= ++++++++++++++++++
 share/mk/bsd.sys.mk=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 |=C2=A0 7 +++= +
 tools/build/options/WITHOUT_SSP |=C2=A0 3 ++
 tools/build/options/WITH_SSP=C2=A0 =C2=A0 |=C2=A0 3 ++
 10 files changed, 108 insertions(+)
diff --git a/include/stdio.h b/include/stdio.h
index fe7a6f7d6f82..30bc638082d8 100644
--- a/include/stdio.h
+++ b/include/stdio.h
@@ -530,4 +530,7 @@ extern int __isthreaded;
 __END_DECLS
 __NULLABILITY_PRAGMA_POP
=20
+#if defined(_FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0
+#include <ssp/stdio.h>
+#endif
 #endif /* !_STDIO_H_ */
diff --git a/include/string.h b/include/string.h
index 597308020cdb..a595f6e3e260 100644
--- a/include/string.h
+++ b/include/string.h
@@ -168,4 +168,7 @@ errno_t memset_s(void *, rsize_t, int, rsize_t);
 #endif /* __EXT1_VISIBLE */
 __END_DECLS
=20
+#if defined(_FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0
+#include <ssp/string.h>
+#endif
 #endif /* _STRING_H_ */
diff --git a/include/strings.h b/include/strings.h
index fde007186e04..6fe6a09e7dd3 100644
--- a/include/strings.h
+++ b/include/strings.h
@@ -68,4 +68,7 @@ int=C2=A0=C2=A0=C2=A0 strncasecmp(const char *, const cha= r *, size_t) __pure;
 #endif
 __END_DECLS
=20
+#if defined(_FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0
+#include <ssp/strings.h>
+#endif
 #endif /* _STRINGS_H_ */
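Review bot: The new gate `#if defined(_FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0` at the bottom of stdio.h pulls in <ssp/stdio.h> at every optimization level, yet the security.7 text added by this same commit says the checks depend on `__builtin_object_size` and work best at -O1 and above; glibc's equivalent gate additionally requires `defined(__OPTIMIZE__) && __OPTIMIZE__ > 0` so that -O0 builds see the plain prototypes rather than wrappers whose size queries mostly come back as unknown. If keeping the wrappers active at -O0 is deliberate (they may still catch overflows of constant-size buffers), a one-line comment saying so would save the next reader the comparison; if not, `#if defined(_FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0 && defined(__OPTIMIZE__) && __OPTIMIZE__ > 0` matches the documented behaviour. The identical gate is repeated in the string.h and strings.h hunks on this line, so whichever is chosen should be expressed once (for example as a single macro in a shared ssp header, which I cannot see from here) rather than copied into each header.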
diff --git a/include/unistd.h b/include/unistd.h
index e4e5c62fbb67..59738cbf6e68 100644
--- a/include/unistd.h
+++ b/include/unistd.h
@@ -37,6 +37,10 @@
 #include <sys/_null.h>
 #include <sys/_types.h>
=20
+#if defined(_FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0
+#include <ssp/unistd.h>
+#endif
+
 #ifndef _GID_T_DECLARED
 typedef=C2=A0=C2=A0=C2=A0 __gid_t=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 gid= _t;
 #define=C2=A0=C2=A0=C2=A0 _GID_T_DECLARED
diff --git a/lib/libthr/Makefile b/lib/libthr/Makefile
index a5bf5da44170..85c028f521a1 100644
--- a/lib/libthr/Makefile
+++ b/lib/libthr/Makefile
@@ -11,6 +11,9 @@ LDFLAGS+=3D=C2=A0=C2=A0=C2=A0 -Wl,--rpath=3D/usr/lib${COM= PAT_libcompat}
=20
 .include <src.opts.mk>
 MK_SSP=3D=C2=A0=C2=A0=C2=A0 no
+# SSP forced off already implies FORTIFY_SOURCE=3D0, but we must make sure= that
+# one cannot turn it back on.
+FORTIFY_SOURCE=3D=C2=A0=C2=A0=C2=A0 0
=20
 LIB=3Dthr
 SHLIB_MAJOR=3D 3
diff --git a/libexec/rtld-elf/Makefile b/libexec/rtld-elf/Makefile
index 37c3840538d5..864448ad782a 100644
--- a/libexec/rtld-elf/Makefile
+++ b/libexec/rtld-elf/Makefile
@@ -15,6 +15,10 @@ MK_UBSAN=3D=C2=A0=C2=A0=C2=A0 no
=20
 .include <bsd.compat.pre.mk>
=20
+# SSP forced off already implies FORTIFY_SOURCE=3D0, but we must make sure= that
+# one cannot turn it back on.
+FORTIFY_SOURCE=3D=C2=A0=C2=A0=C2=A0 0
+
 .if !defined(NEED_COMPAT)
 CONFS=3D=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 libmap.conf
 .endif
diff --git a/share/man/man7/security.7 b/share/man/man7/security.7
index ccbeeb4575ce..2e690e35d534 100644
--- a/share/man/man7/security.7
+++ b/share/man/man7/security.7
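Review bot: <ssp/unistd.h> is included near the top of unistd.h, right after sys/_null.h and sys/_types.h and before the `gid_t` typedef that follows, whereas the stdio.h, string.h and strings.h hunks include their ssp counterparts at the very end after `__END_DECLS`. The wrappers the security.7 table lists for this header (read, readlink, getcwd) take `size_t`/`ssize_t` arguments, so ssp/unistd.h presumably carries its own includes and does not depend on the typedefs unistd.h declares further down — I cannot see that header from here — but a one-line comment stating why the include sits here rather than at the end like the other three would stop the next reader from assuming the placement was accidental. The enclosing header continues outside the hunk.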
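Review bot: The new comment in lib/libthr/Makefile claims that SSP being forced off "already implies FORTIFY_SOURCE=0", but nothing in this commit derives FORTIFY_SOURCE from MK_SSP: share/mk/bsd.sys.mk sets `FORTIFY_SOURCE?= 0` without consulting `${MK_SSP}`, so the unconditional `FORTIFY_SOURCE= 0` added here is the only thing keeping libthr unfortified and the comment should say so instead of describing an implication that does not exist yet. The "one cannot turn it back on" wording also overstates the guarantee: as far as I recall bmake gives a command-line `FORTIFY_SOURCE=2` precedence over this makefile-level assignment, and a `-D_FORTIFY_SOURCE=2` injected through CFLAGS bypasses the knob entirely. I would write `# Override the bsd.sys.mk default: libthr must never be built fortified, even if src.conf/make.conf sets FORTIFY_SOURCE.` The libexec/rtld-elf/Makefile hunk on this same line carries the identical comment and needs the same rewording.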
@@ -939,6 +939,81 @@ option that SSH allows in its
 .Pa authorized_keys
 file to make the key only usable to entities logging in from specific
 machines.
+.Sh STACK OVERFLOW PROTECTION
+.Fx
+supports stack overflow protection using the Stack Smashing Protector
+.Pq SSP
+compiler feature.
+In userland, SSP adds a per-process randomized canary at the end of every = stack
+frame which is checked for corruption upon return from the function.
+In the kernel, a single randomized canary is used globally except on aarch= 64,
+which has a
+.Dv PERTHREAD_SSP
+.Xr config 8
+option to enable per-thread randomized canaries.
+If stack corruption is detected, then the process aborts to avoid potentia= lly
+malicious execution as a result of the corruption.
+SSP may be enabled or disabled when building
+.Fx
+base with the
+.Xr src.conf 5
+SSP knob.
+.Pp
+When
+.Va WITH_SSP
+is enabled, which is the default, world is built with the
+.Fl fstack-protector-strong
+compiler option.
+The kernel is built with the
+.Fl fstack-protector
+option.
+.Pp
+In addition to SSP, a
+.Dq FORTIFY_SOURCE
+implementation is supported up to level 2 by defining
+.Va _FORTIFY_SOURCE
+to
+.Dv 1
+or
+.Dv 2
+before including any
+.Fx
+headers.
+.Fx
+world builds can set
+.Va FORTIFY_SOURCE
+to provide a default value for
+.Va _FORTIFY_SOURCE .
+When enabled,
+.Dq FORTIFY_SOURCE
+enables extra bounds checking in various functions that accept buffers to = be
+written into.
+These functions currently have extra bounds checking support:
+.Bl -column -offset indent "snprintf" "memmove" "strncpy" "vsnprintf" "rea= dlink"
+.It bcopy=C2=A0 =C2=A0 Ta bzero=C2=A0 =C2=A0 Ta fgets=C2=A0 =C2=A0 Ta getc= wd=C2=A0 =C2=A0 Ta gets
+.It memcpy=C2=A0 Ta memmove=C2=A0 Ta memset=C2=A0 =C2=A0 Ta read=C2=A0 =C2= =A0 =C2=A0 Ta readlink
+.It snprintf Ta sprintf=C2=A0 Ta stpcpy=C2=A0 =C2=A0 Ta stpncpy=C2=A0 Ta s= trcat
+.It strcpy=C2=A0 Ta strncat=C2=A0 Ta strncpy=C2=A0 Ta vsnprintf Ta vsprint= f
+.El
+.Pp
+.Dq FORTIFY_SOURCE
+requires compiler support from
+.Xr clang 1
+or
+.Xr gcc 1 ,
+which provide the
+.Xr __builtin_object_size 3
+function that is used to determine the bounds of an object.
+This feature works best at optimization levels
+.Fl O1
+and above, as some object sizes may be less obvious without some data that= the
+compiler would collect in an optimization pass.
+.Pp
+Similar to SSP, violating the bounds of an object will cause the program t= o
+abort in an effort to avoid malicious execution.
+This effectively provides finer-grained protection than SSP for some class= of
+function and system calls, along with some protection for buffers allocate= d as
+part of the program data.
 .Sh KNOBS AND TWEAKS
 .Fx
 provides several knobs and tweak handles that make some introspection
diff --git a/share/mk/bsd.sys.mk b/share/mk/bsd.sys.mk
index de91e00d8cc7..52c3d07746c7 100644
--- a/share/mk/bsd.sys.mk
+++ b/share/mk/bsd.sys.mk
@@ -294,11 +294,18 @@ CFLAGS.clang+=3D=C2=A0=C2=A0=C2=A0 -Qunused-arguments
 # but not yet.
 CXXFLAGS.clang+=3D=C2=A0=C2=A0=C2=A0 -Wno-c++11-extensions
=20
+# XXX This should be defaulted to 2 when WITH_SSP is in use after further
+# testing and soak time.
+FORTIFY_SOURCE?=3D=C2=A0=C2=A0=C2=A0 0
 .if ${MK_SSP} !=3D "no"
 # Don't use -Wstack-protector as it breaks world with -Werror.
 SSP_CFLAGS?=3D=C2=A0=C2=A0=C2=A0 -fstack-protector-strong
 CFLAGS+=3D=C2=A0=C2=A0=C2=A0 ${SSP_CFLAGS}
 .endif # SSP
+.if ${FORTIFY_SOURCE} > 0
+CFLAGS+=3D=C2=A0=C2=A0=C2=A0 -D_FORTIFY_SOURCE=3D${FORTIFY_SOURCE}
+CXXFLAGS+=3D=C2=A0=C2=A0=C2=A0 -D_FORTIFY_SOURCE=3D${FORTIFY_SOURCE}
+.endif
=20
 # Additional flags passed in CFLAGS and CXXFLAGS when MK_DEBUG_FILES is
 # enabled.
diff --git a/tools/build/options/WITHOUT_SSP b/tools/build/options/WITHOUT_= SSP
index 88162cecf14a..7a773fe1e5aa 100644
--- a/tools/build/options/WITHOUT_SSP
+++ b/tools/build/options/WITHOUT_SSP
@@ -1 +1,4 @@
 Do not build world with stack smashing protection.
+See
+.Xr security 7
+for more information.
diff --git a/tools/build/options/WITH_SSP b/tools/build/options/WITH_SSP
index 0088dd133782..4f06a73d4173 100644
--- a/tools/build/options/WITH_SSP
+++ b/tools/build/options/WITH_SSP
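Review bot: `FORTIFY_SOURCE?= 0` is chosen without looking at `${MK_SSP}`, so a src.conf/make.conf `FORTIFY_SOURCE=2` fortifies a WITHOUT_SSP world, which contradicts both the commit message's stated plan ("_FORTIFY_SOURCE=2 if SSP is enabled, otherwise 0") and the "SSP forced off already implies FORTIFY_SOURCE=0" comments that the libthr and rtld-elf hunks rely on. If that coupling is intended, making it real here is three lines placed before the `.if ${FORTIFY_SOURCE} > 0` test: `.if ${MK_SSP} == "no"` / `FORTIFY_SOURCE= 0` / `.endif`. Separately, `> 0` accepts any positive level while the security.7 text added in this commit documents only 1 and 2; unless the ssp headers clamp larger values (I cannot see them from here), a guard such as `.if ${FORTIFY_SOURCE} > 2` / `.error FORTIFY_SOURCE must be 0, 1 or 2` / `.endif` would catch a typo like FORTIFY_SOURCE=20 before it is passed through as -D_FORTIFY_SOURCE=20 on every compile.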
@@ -1 +1,4 @@ Build world with stack smashing protection. +See +.Xr security 7 +for more information. =20 ------=_Part_1591639_634665037.1716059235908 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable <html><head></head><body><div class=3D"ydpdf1fcfc0yahoo-style-wrap" style= =3D"font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px= ;"><div></div> <div dir=3D"ltr" data-setdir=3D"false">Sorry for noticing so late .= .. I was unaware this was being worked on and <span><span style=3D"color: r= gb(0, 0, 0); font-family: Helvetica Neue, Helvetica, Arial, sans-serif; fon= t-size: 16px;"> I was very busy with since my dad passed away recently= </span></span>.</div><div dir=3D"ltr" data-setdir=3D"false"><br></div><div = dir=3D"ltr" data-setdir=3D"false">The static checker component of Fortify s= ource only works well on GCC, for clang this lacks the support that was add= ed by Google on Android's libc (which is not bery useful either).</div><div= dir=3D"ltr" data-setdir=3D"false"><br></div><div dir=3D"ltr" data-setdir= =3D"false">We already had some stubs for the ssp functions but we never use= d them and this just adds bloat to our libc.</div><div dir=3D"ltr" data-set= dir=3D"false"><br></div><div dir=3D"ltr" data-setdir=3D"false"><div><div><d= iv style=3D"outline: none !important;"><div dir=3D"ltr" data-setdir=3D"fals= e" style=3D"outline: none !important;">I suggest reverting. 
Again sorry.</d= iv><div dir=3D"ltr" data-setdir=3D"false" style=3D"outline: none !important= ;"><br style=3D"color: rgb(0, 0, 0); font-family: Helvetica Neue, Helvetica= , Arial, sans-serif; font-size: 16px; outline: none !important;"></div></di= v></div></div>Pedro.</div><div><br></div> =20 </div><div id=3D"ydpfa74bad8yahoo_quoted_6386811475" class=3D"ydpfa= 74bad8yahoo_quoted"> <div style=3D"font-family:'Helvetica Neue', Helvetica, Arial, s= ans-serif;font-size:13px;color:#26282a;"> =20 <div> On Monday, May 13, 2024 at 12:24:16 AM GMT-5, Kyle = Evans <kevans@freebsd.org> wrote: </div> <div><br></div> <div><br></div> =20 =20 <div><div dir=3D"ltr">The branch main has been updated by k= evans:<br></div><div dir=3D"ltr"><br></div><div dir=3D"ltr">URL: <a href=3D= "https://cgit.FreeBSD.org/src/commit/?id=3D9bfd3b4076a7b0dfd27ab22318e5113d= c84fea28" rel=3D"nofollow" target=3D"_blank">https://cgit.FreeBSD.org/src/c= ommit/?id=3D9bfd3b4076a7b0dfd27ab22318e5113dc84fea28</a><br></div><div dir= =3D"ltr"><br></div><div dir=3D"ltr">commit 9bfd3b4076a7b0dfd27ab22318e5113d= c84fea28<br></div><div dir=3D"ltr">Author: Kyle Evans <<a = href=3D"mailto:kevans@FreeBSD.org" rel=3D"nofollow" target=3D"_blank">kevan= s@FreeBSD.org</a>><br></div><div dir=3D"ltr">AuthorDate: 2024-05-13 05:2= 3:50 +0000<br></div><div dir=3D"ltr">Commit: Kyle Evans <<= a href=3D"mailto:kevans@FreeBSD.org" rel=3D"nofollow" target=3D"_blank">kev= ans@FreeBSD.org</a>><br></div><div dir=3D"ltr">CommitDate: 2024-05-13 05= :23:50 +0000<br></div><div dir=3D"ltr"><br></div><div dir=3D"ltr"> &n= bsp; Add a build knob for _FORTIFY_SOURCE<br></div><div dir=3D"ltr"> = <br></div><div dir=3D"ltr"> In the future, we will Defa= ult to _FORTIFY_SOURCE=3D2 if SSP is enabled,<br></div><div dir=3D"ltr">&nb= sp; otherwise default to _FORTIFY_SOURCE=3D0. 
For now we defau= lt it to 0<br></div><div dir=3D"ltr"> unconditionally to ease = bisect across older versions without the new<br></div><div dir=3D"ltr">&nbs= p; symbols, and we'll put out a call for testing.<br></div><div dir= =3D"ltr"> <br></div><div dir=3D"ltr"> include/*.h= include their ssp/*.h equivalents as needed based on the<br></div><div dir= =3D"ltr"> knob. Programs and users are allowed to override FOR= TIFY_SOURCE in their<br></div><div dir=3D"ltr"> Makefiles or s= rc.conf/make.conf to force it off.<br></div><div dir=3D"ltr"> = <br></div><div dir=3D"ltr"> Reviewed by: des, mar= kj<br></div><div dir=3D"ltr"> Relnotes: y= es<br></div><div dir=3D"ltr"> Sponsored by: Stormshield= <br></div><div dir=3D"ltr"> Sponsored by: Klara, Inc.<b= r></div><div dir=3D"ltr"> Differential Revision: <a href= =3D"https://reviews.freebsd.org/D32308" rel=3D"nofollow" target=3D"_blank">= https://reviews.freebsd.org/D32308</a><br></div><div dir=3D"ltr">---<br></d= iv><div dir=3D"ltr"> include/stdio.h &nbs= p; | 3 ++<br></div><div dir=3D"ltr"> include/string.h&= nbsp; | 3 ++<br></di= v><div dir=3D"ltr"> include/strings.h &nb= sp; | 3 ++<br></div><div dir=3D"ltr"> include/unistd.h = | 4 +++<br></div><di= v dir=3D"ltr"> lib/libthr/Makefile = | 3 ++<br></div><div dir=3D"ltr"> libexec/rtld-elf/Makefile &= nbsp; | 4 +++<br></div><div dir=3D"ltr"> share/man/man7/secur= ity.7 | 75 +++++++++++++++++++++++++++++++++++++++++<b= r></div><div dir=3D"ltr"> share/mk/bsd.sys.mk &n= bsp; | 7 ++++<br></div><div dir=3D"ltr"> tools/build/options/= WITHOUT_SSP | 3 ++<br></div><div dir=3D"ltr"> tools/build/options/WIT= H_SSP | 3 ++<br></div><div dir=3D"ltr"> 10 files changed= , 108 insertions(+)<br></div><div dir=3D"ltr"><br></div><div dir=3D"ltr">di= ff --git a/include/stdio.h b/include/stdio.h<br></div><div dir=3D"ltr">inde= x fe7a6f7d6f82..30bc638082d8 100644<br></div><div dir=3D"ltr">--- a/include= /stdio.h<br></div><div dir=3D"ltr">+++ b/include/stdio.h<br></div><div dir= =3D"ltr">@@ -530,4 
+530,7 @@ extern int __isthreaded;<br></div><div dir=3D"= ltr"> __END_DECLS<br></div><div dir=3D"ltr"> __NULLABILITY_PRAGMA_POP<br></= div><div dir=3D"ltr"> <br></div><div dir=3D"ltr">+#if defined(_FORTIFY_SOUR= CE) && _FORTIFY_SOURCE > 0<br></div><div dir=3D"ltr">+#include &= lt;ssp/stdio.h><br></div><div dir=3D"ltr">+#endif<br></div><div dir=3D"l= tr"> #endif /* !_STDIO_H_ */<br></div><div dir=3D"ltr">diff --git a/include= /string.h b/include/string.h<br></div><div dir=3D"ltr">index 597308020cdb..= a595f6e3e260 100644<br></div><div dir=3D"ltr">--- a/include/string.h<br></d= iv><div dir=3D"ltr">+++ b/include/string.h<br></div><div dir=3D"ltr">@@ -16= 8,4 +168,7 @@ errno_t memset_s(void *, rsize_t, int, rsize_t);<br></div><di= v dir=3D"ltr"> #endif /* __EXT1_VISIBLE */<br></div><div dir=3D"ltr"> __END= _DECLS<br></div><div dir=3D"ltr"> <br></div><div dir=3D"ltr">+#if defined(_= FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0<br></div><div dir=3D"ltr"= >+#include <ssp/string.h><br></div><div dir=3D"ltr">+#endif<br></div>= <div dir=3D"ltr"> #endif /* _STRING_H_ */<br></div><div dir=3D"ltr">diff --= git a/include/strings.h b/include/strings.h<br></div><div dir=3D"ltr">index= fde007186e04..6fe6a09e7dd3 100644<br></div><div dir=3D"ltr">--- a/include/= strings.h<br></div><div dir=3D"ltr">+++ b/include/strings.h<br></div><div d= ir=3D"ltr">@@ -68,4 +68,7 @@ int strncasecmp(const char = *, const char *, size_t) __pure;<br></div><div dir=3D"ltr"> #endif<br></div= ><div dir=3D"ltr"> __END_DECLS<br></div><div dir=3D"ltr"> <br></div><div di= r=3D"ltr">+#if defined(_FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0<b= r></div><div dir=3D"ltr">+#include <ssp/strings.h><br></div><div dir= =3D"ltr">+#endif<br></div><div dir=3D"ltr"> #endif /* _STRINGS_H_ */<br></d= iv><div dir=3D"ltr">diff --git a/include/unistd.h b/include/unistd.h<br></d= iv><div dir=3D"ltr">index e4e5c62fbb67..59738cbf6e68 100644<br></div><div d= ir=3D"ltr">--- a/include/unistd.h<br></div><div dir=3D"ltr">+++ b/include/u= 
nistd.h<br></div><div dir=3D"ltr">@@ -37,6 +37,10 @@<br></div><div dir=3D"l= tr"> #include <sys/_null.h><br></div><div dir=3D"ltr"> #include <s= ys/_types.h><br></div><div dir=3D"ltr"> <br></div><div dir=3D"ltr">+#if = defined(_FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0<br></div><div di= r=3D"ltr">+#include <ssp/unistd.h><br></div><div dir=3D"ltr">+#endif<= br></div><div dir=3D"ltr">+<br></div><div dir=3D"ltr"> #ifndef _GID_T_DECLA= RED<br></div><div dir=3D"ltr"> typedef __gid_t  = ; gid_t;<br></div><div dir=3D"ltr"> #define &= nbsp; _GID_T_DECLARED<br></div><div dir=3D"ltr">diff --git a/lib/libt= hr/Makefile b/lib/libthr/Makefile<br></div><div dir=3D"ltr">index a5bf5da44= 170..85c028f521a1 100644<br></div><div dir=3D"ltr">--- a/lib/libthr/Makefil= e<br></div><div dir=3D"ltr">+++ b/lib/libthr/Makefile<br></div><div dir=3D"= ltr">@@ -11,6 +11,9 @@ LDFLAGS+=3D -Wl,--rpath=3D/usr/lib= ${COMPAT_libcompat}<br></div><div dir=3D"ltr"> <br></div><div dir=3D"ltr"> = .include <src.opts.mk><br></div><div dir=3D"ltr"> MK_SSP=3D &nbs= p; no<br></div><div dir=3D"ltr">+# SSP forced off already implies FOR= TIFY_SOURCE=3D0, but we must make sure that<br></div><div dir=3D"ltr">+# on= e cannot turn it back on.<br></div><div dir=3D"ltr">+FORTIFY_SOURCE=3D = ; 0<br></div><div dir=3D"ltr"> <br></div><div dir=3D"ltr"> LIB= =3Dthr<br></div><div dir=3D"ltr"> SHLIB_MAJOR=3D 3<br></div><div dir=3D"ltr= ">diff --git a/libexec/rtld-elf/Makefile b/libexec/rtld-elf/Makefile<br></d= iv><div dir=3D"ltr">index 37c3840538d5..864448ad782a 100644<br></div><div d= ir=3D"ltr">--- a/libexec/rtld-elf/Makefile<br></div><div dir=3D"ltr">+++ b/= libexec/rtld-elf/Makefile<br></div><div dir=3D"ltr">@@ -15,6 +15,10 @@ MK_U= BSAN=3D no<br></div><div dir=3D"ltr"> <br></div><div dir= =3D"ltr"> .include <bsd.compat.pre.mk><br></div><div dir=3D"ltr"> <br= ></div><div dir=3D"ltr">+# SSP forced off already implies FORTIFY_SOURCE=3D= 0, but we must make sure that<br></div><div dir=3D"ltr">+# one cannot turn = it back 
on.<br></div><div dir=3D"ltr">+FORTIFY_SOURCE=3D = 0<br></div><div dir=3D"ltr">+<br></div><div dir=3D"ltr"> .if !defined(NEED_= COMPAT)<br></div><div dir=3D"ltr"> CONFS=3D &= nbsp; libmap.conf<br></div><div dir=3D"ltr"> .endif<br></div><div dir=3D"lt= r">diff --git a/share/man/man7/security.7 b/share/man/man7/security.7<br></= div><div dir=3D"ltr">index ccbeeb4575ce..2e690e35d534 100644<br></div><div = dir=3D"ltr">--- a/share/man/man7/security.7<br></div><div dir=3D"ltr">+++ b= /share/man/man7/security.7<br></div><div dir=3D"ltr">@@ -939,6 +939,81 @@ o= ption that SSH allows in its<br></div><div dir=3D"ltr"> .Pa authorized_keys= <br></div><div dir=3D"ltr"> file to make the key only usable to entities lo= gging in from specific<br></div><div dir=3D"ltr"> machines.<br></div><div d= ir=3D"ltr">+.Sh STACK OVERFLOW PROTECTION<br></div><div dir=3D"ltr">+.Fx<br= ></div><div dir=3D"ltr">+supports stack overflow protection using the Stack= Smashing Protector<br></div><div dir=3D"ltr">+.Pq SSP<br></div><div dir=3D= "ltr">+compiler feature.<br></div><div dir=3D"ltr">+In userland, SSP adds a= per-process randomized canary at the end of every stack<br></div><div dir= =3D"ltr">+frame which is checked for corruption upon return from the functi= on.<br></div><div dir=3D"ltr">+In the kernel, a single randomized canary is= used globally except on aarch64,<br></div><div dir=3D"ltr">+which has a<br= ></div><div dir=3D"ltr">+.Dv PERTHREAD_SSP<br></div><div dir=3D"ltr">+.Xr c= onfig 8<br></div><div dir=3D"ltr">+option to enable per-thread randomized c= anaries.<br></div><div dir=3D"ltr">+If stack corruption is detected, then t= he process aborts to avoid potentially<br></div><div dir=3D"ltr">+malicious= execution as a result of the corruption.<br></div><div dir=3D"ltr">+SSP ma= y be enabled or disabled when building<br></div><div dir=3D"ltr">+.Fx<br></= div><div dir=3D"ltr">+base with the<br></div><div dir=3D"ltr">+.Xr src.conf= 5<br></div><div dir=3D"ltr">+SSP knob.<br></div><div 
dir=3D"ltr">+.Pp<br><= /div><div dir=3D"ltr">+When<br></div><div dir=3D"ltr">+.Va WITH_SSP<br></di= v><div dir=3D"ltr">+is enabled, which is the default, world is built with t= he<br></div><div dir=3D"ltr">+.Fl fstack-protector-strong<br></div><div dir= =3D"ltr">+compiler option.<br></div><div dir=3D"ltr">+The kernel is built w= ith the<br></div><div dir=3D"ltr">+.Fl fstack-protector<br></div><div dir= =3D"ltr">+option.<br></div><div dir=3D"ltr">+.Pp<br></div><div dir=3D"ltr">= +In addition to SSP, a<br></div><div dir=3D"ltr">+.Dq FORTIFY_SOURCE<br></d= iv><div dir=3D"ltr">+implementation is supported up to level 2 by defining<= br></div><div dir=3D"ltr">+.Va _FORTIFY_SOURCE<br></div><div dir=3D"ltr">+t= o<br></div><div dir=3D"ltr">+.Dv 1<br></div><div dir=3D"ltr">+or<br></div><= div dir=3D"ltr">+.Dv 2<br></div><div dir=3D"ltr">+before including any<br><= /div><div dir=3D"ltr">+.Fx<br></div><div dir=3D"ltr">+headers.<br></div><di= v dir=3D"ltr">+.Fx<br></div><div dir=3D"ltr">+world builds can set<br></div= ><div dir=3D"ltr">+.Va FORTIFY_SOURCE<br></div><div dir=3D"ltr">+to provide= a default value for<br></div><div dir=3D"ltr">+.Va _FORTIFY_SOURCE .<br></= div><div dir=3D"ltr">+When enabled,<br></div><div dir=3D"ltr">+.Dq FORTIFY_= SOURCE<br></div><div dir=3D"ltr">+enables extra bounds checking in various = functions that accept buffers to be<br></div><div dir=3D"ltr">+written into= .<br></div><div dir=3D"ltr">+These functions currently have extra bounds ch= ecking support:<br></div><div dir=3D"ltr">+.Bl -column -offset indent "snpr= intf" "memmove" "strncpy" "vsnprintf" "readlink"<br></div><div dir=3D"ltr">= +.It bcopy Ta bzero Ta fgets Ta get= cwd Ta gets<br></div><div dir=3D"ltr">+.It memcpy Ta me= mmove Ta memset Ta read Ta readlink<= br></div><div dir=3D"ltr">+.It snprintf Ta sprintf Ta stpcpy &n= bsp; Ta stpncpy Ta strcat<br></div><div dir=3D"ltr">+.It strcpy = ; Ta strncat Ta strncpy Ta vsnprintf Ta vsprintf<br></div><di= v dir=3D"ltr">+.El<br></div><div 
dir=3D"ltr">+.Pp<br></div><div dir=3D"ltr"= >+.Dq FORTIFY_SOURCE<br></div><div dir=3D"ltr">+requires compiler support f= rom<br></div><div dir=3D"ltr">+.Xr clang 1<br></div><div dir=3D"ltr">+or<br= ></div><div dir=3D"ltr">+.Xr gcc 1 ,<br></div><div dir=3D"ltr">+which provi= de the<br></div><div dir=3D"ltr">+.Xr __builtin_object_size 3<br></div><div= dir=3D"ltr">+function that is used to determine the bounds of an object.<b= r></div><div dir=3D"ltr">+This feature works best at optimization levels<br= ></div><div dir=3D"ltr">+.Fl O1<br></div><div dir=3D"ltr">+and above, as so= me object sizes may be less obvious without some data that the<br></div><di= v dir=3D"ltr">+compiler would collect in an optimization pass.<br></div><di= v dir=3D"ltr">+.Pp<br></div><div dir=3D"ltr">+Similar to SSP, violating the= bounds of an object will cause the program to<br></div><div dir=3D"ltr">+a= bort in an effort to avoid malicious execution.<br></div><div dir=3D"ltr">+= This effectively provides finer-grained protection than SSP for some class = of<br></div><div dir=3D"ltr">+function and system calls, along with some pr= otection for buffers allocated as<br></div><div dir=3D"ltr">+part of the pr= ogram data.<br></div><div dir=3D"ltr"> .Sh KNOBS AND TWEAKS<br></div><div d= ir=3D"ltr"> .Fx<br></div><div dir=3D"ltr"> provides several knobs and tweak= handles that make some introspection<br></div><div dir=3D"ltr">diff --git = a/share/mk/bsd.sys.mk b/share/mk/bsd.sys.mk<br></div><div dir=3D"ltr">index= de91e00d8cc7..52c3d07746c7 100644<br></div><div dir=3D"ltr">--- a/share/mk= /bsd.sys.mk<br></div><div dir=3D"ltr">+++ b/share/mk/bsd.sys.mk<br></div><d= iv dir=3D"ltr">@@ -294,11 +294,18 @@ CFLAGS.clang+=3D -Q= unused-arguments<br></div><div dir=3D"ltr"> # but not yet.<br></div><div di= r=3D"ltr"> CXXFLAGS.clang+=3D -Wno-c++11-extensions<br><= /div><div dir=3D"ltr"> <br></div><div dir=3D"ltr">+# XXX This should be def= aulted to 2 when WITH_SSP is in use after further<br></div><div 
dir=3D"ltr"= >+# testing and soak time.<br></div><div dir=3D"ltr">+FORTIFY_SOURCE?=3D&nb= sp; 0<br></div><div dir=3D"ltr"> .if ${MK_SSP} !=3D "no"<br></d= iv><div dir=3D"ltr"> # Don't use -Wstack-protector as it breaks world with = -Werror.<br></div><div dir=3D"ltr"> SSP_CFLAGS?=3D -fstac= k-protector-strong<br></div><div dir=3D"ltr"> CFLAGS+=3D = ${SSP_CFLAGS}<br></div><div dir=3D"ltr"> .endif # SSP<br></div><div dir=3D"= ltr">+.if ${FORTIFY_SOURCE} > 0<br></div><div dir=3D"ltr">+CFLAGS+=3D&nb= sp; -D_FORTIFY_SOURCE=3D${FORTIFY_SOURCE}<br></div><div dir=3D"= ltr">+CXXFLAGS+=3D -D_FORTIFY_SOURCE=3D${FORTIFY_SOURCE}<= br></div><div dir=3D"ltr">+.endif<br></div><div dir=3D"ltr"> <br></div><div= dir=3D"ltr"> # Additional flags passed in CFLAGS and CXXFLAGS when MK_DEBU= G_FILES is<br></div><div dir=3D"ltr"> # enabled.<br></div><div dir=3D"ltr">= diff --git a/tools/build/options/WITHOUT_SSP b/tools/build/options/WITHOUT_= SSP<br></div><div dir=3D"ltr">index 88162cecf14a..7a773fe1e5aa 100644<br></= div><div dir=3D"ltr">--- a/tools/build/options/WITHOUT_SSP<br></div><div di= r=3D"ltr">+++ b/tools/build/options/WITHOUT_SSP<br></div><div dir=3D"ltr">@= @ -1 +1,4 @@<br></div><div dir=3D"ltr"> Do not build world with stack smash= ing protection.<br></div><div dir=3D"ltr">+See<br></div><div dir=3D"ltr">+.= Xr security 7<br></div><div dir=3D"ltr">+for more information.<br></div><di= v dir=3D"ltr">diff --git a/tools/build/options/WITH_SSP b/tools/build/optio= ns/WITH_SSP<br></div><div dir=3D"ltr">index 0088dd133782..4f06a73d4173 1006= 44<br></div><div dir=3D"ltr">--- a/tools/build/options/WITH_SSP<br></div><d= iv dir=3D"ltr">+++ b/tools/build/options/WITH_SSP<br></div><div dir=3D"ltr"= 
>@@ -1 +1,4 @@<br></div><div dir=3D"ltr"> Build world with stack smashing p= rotection.<br></div><div dir=3D"ltr">+See<br></div><div dir=3D"ltr">+.Xr se= curity 7<br></div><div dir=3D"ltr">+for more information.<br></div></div> </div> </div></body></html> ------=_Part_1591639_634665037.1716059235908--