Default to _FORTIFY_SOURCE=2 if SSP is enabled, otherwise default to
_FORTIFY_SOURCE=0. include/*.h include their ssp/*.h equivalents as
needed based on the knob. Programs and users are allowed to override
FORTIFY_SOURCE in their Makefiles or src.conf/make.conf to force it off.
Details
Details
Diff Detail
Diff Detail
- Repository
- rG FreeBSD src repository
- Lint
Lint Skipped - Unit
Tests Skipped - Build Status
Buildable 57113 Build 54001: arc lint + arc unit
Event Timeline
Comment Actions
I think rtld must never be built with this thing enabled. In particular, if it references some libc symbol, then just that symbol should be used, without any wrappers.
Also I think that libthr should avoid it, but might be it is not as important as for rtld. In particular, did you checked that e.g. cancellation for read(2) still works as intended?
Comment Actions
rtld was already not building with it by virtue of MK_SSP=no, but I've applied the FORTIFY_SOURCE=0 hammer as well to ensure that one can't turn it on manually when building with something like WITHOUT_SSP=yes FORTIFY_SOURCE=2.
libthr is in the same boat, but turning it on and this primitive test still seems to cancel at the beginning of the read:
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>
#include <unistd.h>
#define BUFSIZE 512
int
main(int argc, char *argv[])
{
char buf[BUFSIZE];
ssize_t rd;
pthread_cancel(pthread_self());
rd = read(STDIN_FILENO, buf, sizeof(buf));
pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
write(STDOUT_FILENO, buf, rd);
printf("done\n");
exit(1);
}(assuming the anticipated failure mode would have been interposing failed and read() was libc-read, so the cancel would fail and maybe cancel at write() thus disabling cancellation just before it)
That said, I don't feel particularly compelled to leave it to the whim of a user-knob that nobody working on libthr is going to test, so I'll force it off in the next version as it will be in rtld.
Comment Actions
This one is OK as is, just one question...
| include/unistd.h | ||
|---|---|---|
| 360 | isn't there a _FORTIFY_SOURCE_read or something that this could be done for? Or is the order wrong for that? | |
Comment Actions
Drop read() declaration avoidance; whatever was causing problems before, I
cannot reproduce it today.
| include/stdio.h | ||
|---|---|---|
| 533 | ||
Comment Actions
do we have user-facing documentation? maybe just expanding WITHOUT_SSP's description?
| share/mk/bsd.sys.mk | ||
|---|---|---|
| 303 | Do you perhaps want to force it to zero here? It can't work without SSP, can it? | |
| share/mk/bsd.sys.mk | ||
|---|---|---|
| 303 | I don't believe it's inherently reliant on SSP (__builtin_object_size should work without SSP enabled) so one could turn it on and it'll DTRT; I'm mostly treating it as an extension of SSP here for convenience. | |
Comment Actions
I wonder if it makes sense to add a section on stack overflow detection to security(7) would make sense
Comment Actions
I wonder if it makes sense to add a section on stack overflow detection to security(7) would make sense
Yeah that sounds good
Comment Actions
I think that'd be useful, and it'd be good to describe/summarize FORTIFY_SOURCE there as well. Then the src.conf entry for WITH_SSP can refer to it.
| share/man/man7/security.7 | ||
|---|---|---|
| 944 ↗ | (On Diff #138034) | Stack Smashing Protector ? |
| lib/libthr/Makefile | ||
|---|---|---|
| 16 | Out of curiosity, what exactly goes wrong when libthr is compiled with SSP on? | |
| share/man/man7/security.7 | ||
| 948 ↗ | (On Diff #138035) | It is maybe worth noting here or somewhere that this option applies to the kernel as well. There it uses a global canary. And, on arm64 there is a PERTHREAD_SSP option which enables a per-thread canary. |
| 975 ↗ | (On Diff #138035) | Maybe mention some example functions here, just to give the reader a bit more context. |
Comment Actions
Mention what happens to the kernel when SSP is enabled
Enumerate the functions with bounds checking in a fancy table
| lib/libthr/Makefile | ||
|---|---|---|
| 16 | I'm not sure; I can play around with it a bit later after this set of stuff goes in and figure out to what extent we really need to be disabling libthr protections. | |
| share/man/man7/security.7 | ||
|---|---|---|
| 953 ↗ | (On Diff #138051) | |