Paths

Table of Contentst

Collection of fixes for _FORTIFY_SOURCE
ClosedPublic
Actions

Authored by kevans on Jul 15 2024, 3:23 AM.

Details

Reviewers

markj
kib
jhb
ngie

Group Reviewers

Klara

Commits

rGdb3a524c8a96: bsnmpd: FreeBSD has strlcpy(3)
rG4928dcc0ebdb: sys/select.h: const'ify the fd_set that __fdset_idx() takes
rG0c47b9c211ed: include: ssp: don't shadow the mempcpy builtin
rGd5f8270917bf: libc: switch to __weak_symbol for fortified interpose stubs
rGb8730c11a395: include: ssp: fix the build with earlier C standards
rG838b6caababb: openssl: use getrandom(2) instead of probing for getentropy(2)

Summary

I'll likely split this up into multiple commits, but each one is small
enough that I think it's best in a single review.

openssl: use getrandom(2) instead of probing for getentropy(2)

The probing for getentropy(2) relies on re-declaring getentropy(2)
as weak and checking the address, but this is incompatible with
the _FORTIFY_SOURCE symbol renaming scheme.  It's always present on
all supported FreeBSD versions now so we could cut it down to
unconditional use, but there's another segment for getrandom(2)
already that's cleaner to just add us to.

We should upstream this.

include: ssp: fix the build with earlier C standards

inline isn't always a keyword, so we should be using __ssp_inline as we do everywhere else in the _FORTIFY_SOURCE support. Variable declarations in a loop initializer are also not always supported, so declare any loop vars in advance.

include: ssp: don't shadow the mempcpy builtin

GCC emits a warning about shadowing a builtin with our mempcpy declaration, so switch it to using the same model as memcpy() and use the apparently-existing builtin_mempcpy_chk().

libc: undefine _FORTIFY_SOURCE for fortified interpose stubs

GCC doesn't like #pragma weak macro(foo)- there's nothing of value to fortify in these files anyways, so just turn it off individually to fix the build.

sys/select.h: const'ify the fd_set that __fdset_idx() takes

Some callers may be operating on a const fd_set and we don't particularly care, so const'ify it.

bsnmpd: FreeBSD has strlcpy(3)

Fixes the fortified build with GCC

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 58643
Build 55531: arc lint + arc unit

Event Timeline

kevans created this revision.Jul 15 2024, 3:23 AM

Herald added a subscriber: imp. · View Herald TranscriptJul 15 2024, 3:23 AM

kevans requested review of this revision.Jul 15 2024, 3:23 AM

Harbormaster completed remote builds in B58642: Diff 140887.Jul 15 2024, 3:23 AM

Can you use the __weak_symbol instead of the #pragma weak? I think it's supposed to do the same thing.

In D45976#1048095, @imp wrote:

Can you use the __weak_symbol instead of the #pragma weak? I think it's supposed to do the same thing.

nm(1) seems to think it's fine and it builds fine under GCC as well, so I'll switch to that. Thanks!

Switch to __weak_symbol

Harbormaster completed remote builds in B58643: Diff 140888.Jul 15 2024, 5:04 AM

kib accepted this revision.Jul 15 2024, 8:18 AM

kib added inline comments.

lib/libc/secure/Makefile.inc
7	Please order alphabetically.
lib/libc/secure/Symbol.map
10	Please order alphabetically
lib/libc/secure/mempcpy_chk.c
32	Do we need cdefs.h? Is it kept to reduce the diff? The file is not in contrib, I think it is better to drop extra include.

This revision is now accepted and ready to land.Jul 15 2024, 8:18 AM

markj added inline comments.Jul 15 2024, 1:44 PM

crypto/openssl/providers/implementations/rands/seeding/rand_unix.c
396	Won't this condition take precedence?

kevans added inline comments.Jul 15 2024, 2:26 PM

crypto/openssl/providers/implementations/rands/seeding/rand_unix.c
396	Hmm, yeah,; the same is true for NetBSD, so it'll also fallback to the sysctl rather than getrandom(2). NetBSD hasn't removed KERN_ARND either, so maybe just flipping these around wholesale would be fine- I'd hazard a guess that the sysctl often takes more than one trip to fill the buffer on both platforms.

Address review feedback

Proper sorting
Needless sys/cdefs.h include removed
Ordering of sysctl/getrandom use swapped, FreeBSD removed from the sysctl clause since we'll always have getrandom -- ordering mostly for NetBSD's benefit, then, since it seems hard to imagine they'd prefer the 256-byte at a time interface over the arbitrary buffer size interface.

This revision now requires review to proceed.Jul 15 2024, 3:39 PM

Harbormaster completed remote builds in B58648: Diff 140970.Jul 15 2024, 3:39 PM

markj accepted this revision as: markj.Jul 15 2024, 3:49 PM

markj added inline comments.

crypto/openssl/providers/implementations/rands/seeding/rand_unix.c
400	When upstreaming, I suspect you might want to dig a bit and find a __FreeBSD_version number to check, even though all supported FreeBSD releases have getrandom(). Our implementation hasn't been around all that long in the grand scheme of things, and I think OpenSSL tries harder than most projects to be portable. That said, I'm not sure exactly what their requirements are, so maybe you can just ignore me.

This revision is now accepted and ready to land.Jul 15 2024, 3:49 PM

kevans added inline comments.Jul 15 2024, 4:06 PM

crypto/openssl/providers/implementations/rands/seeding/rand_unix.c
400	nod OK, I'll lay out the situation and see how far they care to go

Closed by commit rG838b6caababb: openssl: use getrandom(2) instead of probing for getentropy(2) (authored by kevans). · Explain WhyJul 16 2024, 5:13 AM

This revision was automatically updated to reflect the committed changes.

kevans added a commit: rG838b6caababb: openssl: use getrandom(2) instead of probing for getentropy(2).

kevans added a commit: rGb8730c11a395: include: ssp: fix the build with earlier C standards.

kevans added a commit: rGd5f8270917bf: libc: switch to __weak_symbol for fortified interpose stubs.

kevans added a commit: rG0c47b9c211ed: include: ssp: don't shadow the mempcpy builtin.

kevans added a commit: rG4928dcc0ebdb: sys/select.h: const'ify the fd_set that __fdset_idx() takes.

kevans added a commit: rGdb3a524c8a96: bsnmpd: FreeBSD has strlcpy(3).

kevans added inline comments.Jul 16 2024, 6:03 AM

crypto/openssl/providers/implementations/rands/seeding/rand_unix.c
400	Upstreaming here: https://github.com/openssl/openssl/pull/24903 -- I dug out the FreeBSD version for it and left the kern.arandom fallback in place for the earlier versions.