Default to _FORTIFY_SOURCE=2 if SSP is enabled, otherwise default to
_FORTIFY_SOURCE=0. include/*.h include their ssp/*.h equivalents as
needed based on the knob. Programs and users are allowed to override
FORTIFY_SOURCE in their Makefiles or src.conf/make.conf to force it off.
Details
- Reviewers
imp markj des - Group Reviewers
Klara - Commits
- rG9bfd3b4076a7: Add a build knob for _FORTIFY_SOURCE
Diff Detail
- Repository
- rG FreeBSD src repository
- Lint
Lint Skipped - Unit
Tests Skipped - Build Status
Buildable 57553 Build 54441: arc lint + arc unit
Event Timeline
I think rtld must never be built with this thing enabled. In particular, if it references some libc symbol, then just that symbol should be used, without any wrappers.
Also I think that libthr should avoid it, but might be it is not as important as for rtld. In particular, did you checked that e.g. cancellation for read(2) still works as intended?
rtld was already not building with it by virtue of MK_SSP=no, but I've applied the FORTIFY_SOURCE=0 hammer as well to ensure that one can't turn it on manually when building with something like WITHOUT_SSP=yes FORTIFY_SOURCE=2.
libthr is in the same boat, but turning it on and this primitive test still seems to cancel at the beginning of the read:
#include <stdio.h> #include <stdlib.h> #include <pthread.h> #include <unistd.h> #define BUFSIZE 512 int main(int argc, char *argv[]) { char buf[BUFSIZE]; ssize_t rd; pthread_cancel(pthread_self()); rd = read(STDIN_FILENO, buf, sizeof(buf)); pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL); write(STDOUT_FILENO, buf, rd); printf("done\n"); exit(1); }
(assuming the anticipated failure mode would have been interposing failed and read() was libc-read, so the cancel would fail and maybe cancel at write() thus disabling cancellation just before it)
That said, I don't feel particularly compelled to leave it to the whim of a user-knob that nobody working on libthr is going to test, so I'll force it off in the next version as it will be in rtld.
This one is OK as is, just one question...
include/unistd.h | ||
---|---|---|
360 | isn't there a _FORTIFY_SOURCE_read or something that this could be done for? Or is the order wrong for that? |
Drop read() declaration avoidance; whatever was causing problems before, I
cannot reproduce it today.
include/stdio.h | ||
---|---|---|
533 |
do we have user-facing documentation? maybe just expanding WITHOUT_SSP's description?
share/mk/bsd.sys.mk | ||
---|---|---|
303 | Do you perhaps want to force it to zero here? It can't work without SSP, can it? |
share/mk/bsd.sys.mk | ||
---|---|---|
303 | I don't believe it's inherently reliant on SSP (__builtin_object_size should work without SSP enabled) so one could turn it on and it'll DTRT; I'm mostly treating it as an extension of SSP here for convenience. |
I wonder if it makes sense to add a section on stack overflow detection to security(7) would make sense
I wonder if it makes sense to add a section on stack overflow detection to security(7) would make sense
Yeah that sounds good
I think that'd be useful, and it'd be good to describe/summarize FORTIFY_SOURCE there as well. Then the src.conf entry for WITH_SSP can refer to it.
share/man/man7/security.7 | ||
---|---|---|
944 | Stack Smashing Protector ? |
lib/libthr/Makefile | ||
---|---|---|
16 | Out of curiosity, what exactly goes wrong when libthr is compiled with SSP on? | |
share/man/man7/security.7 | ||
948 | It is maybe worth noting here or somewhere that this option applies to the kernel as well. There it uses a global canary. And, on arm64 there is a PERTHREAD_SSP option which enables a per-thread canary. | |
975 | Maybe mention some example functions here, just to give the reader a bit more context. |
Mention what happens to the kernel when SSP is enabled
Enumerate the functions with bounds checking in a fancy table
lib/libthr/Makefile | ||
---|---|---|
16 | I'm not sure; I can play around with it a bit later after this set of stuff goes in and figure out to what extent we really need to be disabling libthr protections. |
share/man/man7/security.7 | ||
---|---|---|
953 |
share/mk/bsd.sys.mk | ||
---|---|---|
298 | I'm going to commit this soon; thinking more on it, I'm going to leave the current structure in place but flip this one to 0 for the time being with an XXX to switch it on in after a transition period just to ease bisection and get people to test in the interim with it manually turned on. |
share/mk/bsd.sys.mk | ||
---|---|---|
298 | That seems like a good idea. Is it possible to quantify the overhead of FORTIFY_SOURCE in general? |
share/mk/bsd.sys.mk | ||
---|---|---|
298 | We can do some benchmarking -- the more commonly performance critical areas (string ops) are supposed to optimize out the indirection through __*_chk() if the destination size can't be calculated (e.g., heap allocations), so the impact is probably not quite as bad as one might think. |