In D3043#205126, @ngie wrote:

Is this review still valid?

Is this review still valid?

We will be abandoning this idea altogether:

hmm, apparently this sat in my account unsubmitted. No idea is it still useful.

Hi David;

I did a detailed review, which Phabricator appears to have eaten. I'll try to summarise here, as there was some talk of committing this, and it is a long way away from being ready to go in the tree:

Update comments from regarding man page.
(I will let Oliver answer David's concerns.)

Fix manpage comments. Thanks!

I've done a partial review. This needs a lot more work before it's close to being ready to commit. I stopped after seeing the same logic errors repeated in many functions - there may be new kinds of error, but please fix the ones that are repeated everywhere first.

Updated the manpage according to wblock's feedback.

I suspect I am a man page away from something I can commit ;)..

As always, thanks for the feedback.

Small updates to the manpage: still a long way to go.

Rebase again: underscore attribute name.

Rebase cdefs.h

Some thoughts from a first read through the man page.

Minor cleanups + initial attempt at providing a man page.

Oliver ... please stop opening differential revisions. It doesn't help at all.

Missing the *_chk functions, without them nothing works.

Oliver Pinter (4):

FBSD FORTIFY: fix spelling in WITHOUT_FORTIFY
FBSD FORTIFY: update gcc build script
FBSD FORTIFY: add the ability do disable FORTIFY_SOURCE per compiler
FBSD FORTIFY: blacklist from fortified build in gcc case the libbfd, objdump and libsqlite3

In D3043#70047, @pfg wrote:

Note some of the issues detected by the exp-run:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202311

Note some of the issues detected by the exp-run:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202311

In D3043#69265, @jilles wrote:

In D3043#68914, @kib wrote:

The diff is enormous and it pollutes a lot of unrelated places. E.g. the loader Makefiles changes or the forced undef fortify in libc/strings/stdio, as I understand, to avoid recursion.

Can the pollution be minimized somehow ? Can the patch be split into digestable pieces ?

Partly the boot loader pollution is like the pollution for SSP. I do wonder why FORTIFY conditionals were added to some places that currently do not have SSP conditionals.

I think compilation features that do not work in boot loader environments will continue to exist and grow, so a more general framework for turning them off may be interesting.

In D3043#69481, @op wrote:

...
Can the pollution be minimized somehow ? Can the patch be split into digestable pieces ?

The makefile changes mostly correlate with -ffreestanding. I'm thinking about make the MK_SSP and MK_FORTIRY on freestanding. I plan to factor out all of the CFLAGS+= -freestanding to new "make option".

In D3043#68914, @kib wrote:

The diff is enormous and it pollutes a lot of unrelated places. E.g. the loader Makefiles changes or the forced undef fortify in libc/strings/stdio, as I understand, to avoid recursion.

Can the pollution be minimized somehow ? Can the patch be split into digestable pieces ?

In D3043#69265, @jilles wrote:

Partly the boot loader pollution is like the pollution for SSP. I do wonder why FORTIFY conditionals were added to some places that currently do not have SSP conditionals.

In D3043#68914, @kib wrote:

The diff is enormous and it pollutes a lot of unrelated places. E.g. the loader Makefiles changes or the forced undef fortify in libc/strings/stdio, as I understand, to avoid recursion.

Can the pollution be minimized somehow ? Can the patch be split into digestable pieces ?

In D3043#68914, @kib wrote:

The diff is enormous and it pollutes a lot of unrelated places. E.g. the loader Makefiles changes or the forced undef fortify in libc/strings/stdio, as I understand, to avoid recursion.

The diff is enormous and it pollutes a lot of unrelated places. E.g. the loader Makefiles changes or the forced undef fortify in libc/strings/stdio, as I understand, to avoid recursion.

Add some more reviewers: It is still WIP, and it needs tmore testing with newer GCC but there are many new files and it's easy for minor details to go unnoticed if I am the only reviewer.

• FBSD FORTIFY: fix undefined reference error with gcc-4.2 on MIPS
• FBSD FORTIFY: fix a typo error_attr -> errordecl
• FBSD FORTIFY: fix build failure GNUC_PREREQ -> __GNUC_PREREQ
• rebased against recent HEAD

Committed as r286760.

No objection.

>>> World build completed on Thu Aug 13 21:30:52 UTC 2015

mips.mips64 buildworld completed on Thu Aug 13 21:30:52 UTC 2015
mips.mips buildworld completed on Thu Aug 13 21:30:52 UTC 2015
mips.mipsn32 buildworld completed on Thu Aug 13 21:30:52 UTC 2015
mips.mipsel buildworld completed on Thu Aug 13 21:30:55 UTC 2015

...

• fix a typo error_attr -> errordecl

• fixed style issues
• added fall-back static function to older gcc compilers

This is a no-op, just moving the files, but just want to make sure there are no objections.

Seen on MIPS and POWERPC (gcc-4.2 from base)

> lib/libc/tests/stdio (all)

fmemopen2_test.o: In function `atfu_test_data_length_body':
fmemopen2_test.c:(.text+0xfa4): undefined reference to `__fread_too_big_error'

• fmemopen2_test ---
• [fmemopen2_test] Error code 1

fix the style in sys too

Oliver Pinter (11):

FBSD FORTIFY: blacklist boot/powerpc/uboot from fortified build
FBSD FORTIFY: call the original functions from __vs{,n}printf_chk, and not the __*_real version
FBSD FORTIFY: drop __gets_chk, discussed with Pedro
FBSD FORTIFY: added __getcwd_chk.cpp from bionic
FBSD FORTIFY: adapt __getcwd_chk
FBSD FORTIFY: cleanup _unistd.h
FBSD FORTIFY: take __fread_chk.cpp and __fwrite_chk.cpp from android
FBSD FORTIFY: adapt __f{read,write}_chk
FBSD: fix expression in _stdio.h, this change should be a no-op
FBSD FORTIFY: change ifdef style
FBSD FORTIFY: one more round of style change

In D3043#65675, @ngie wrote:

Also, csh scripts for building HardenedBSD? Ow...

I make it an effort not to install tcsh scripts on my systems. If you need help converting the scripts over, I can assist.

In D3043#65675, @ngie wrote:

Also, csh scripts for building HardenedBSD? Ow...

I make it an effort not to install tcsh scripts on my systems. If you need help converting the scripts over, I can assist.

In D3043#65670, @ngie wrote:

Per bde's comments before on #ifdef foo vs #if defined(foo), (and the !defined(foo) idiom), the shorter versions should be used.

On a more relevant note -- why are the ssp testcases causing issues?

Also, csh scripts for building HardenedBSD? Ow...

Per bde's comments before on #ifdef foo vs #if defined(foo), (and the !defined(foo) idiom), the shorter versions should be used.

Hi Garret;

(Currently testing with gcc ...)

• move the __FORTIFY_UNKNOWN_SIZE case from headers to c files
• many style fixes
• microoptimizations
• possible new typos when you compile with gcc, only tested with clang

op@opn secure> git shortlog 20a3b6ffc28dc163f43ec68a67b904b89e8f82f6..
Oliver Pinter (6):

FBSD FORTIFY: try to fix MIPS's build error
FBSD FORTIFY: drop __FD_*chk functions from the base
FBSD FORTIFY: reenable fortified build of usr.sbin/ppp
FBSD FORTIFY: remove _select.h from include/secure/Makefile
FBSD FORTIFY: fix c++ build
FBSD FORTIFY: guard *_real functions from double declaration