• blacklist sys/boot/mips/beri/loader/ too

Another for the blacklist:

op@opn secure> git shortlog HEAD~1..
Oliver Pinter (1):

FBSD FORTIFY: guard with !has_builtin(va_arg_pack) too the __builting_va_arg_pack usage

op@opn opBSD.git> git shortlog HEAD~4..
Oliver Pinter (4):

FBSD FORTIFY: blacklist sys/boot/powerpc/kboot
FBSD FORTIFY: try to disable build error with rtsol
FBSD FORTIFY: move to the righ place the rindex and guard them
FBSD FORTIFY: readd check against lint

In D3043#62639, @pfg wrote:

Some more notes:

...

• You need to blacklist sys/boot/powerpc/kboot for the powerpc build.

Some more notes:

• add fallback case to st{p,r}ncpy and and some style improvements, this fixes login failure
• blacklist usr.sbin/ppp
• fix typos - FORITFY -> FORTIFY

• a lot of copy pasted typo fix

• Revert "FBSD FORTIFY: constify second parameter of __FD_ISSET_chk"

• blacklist sys/boot/zfs from FORTIFIED build
• try to fix build warning in contrib/sqlite3/sqlite3.c
• constify second parameter of __FD_ISSET_chk
• blacklist sys/boot/i386/libi386/

• globally enable the FORTIFY SOURCE - added MK_FORTIFY
• disable mostly from boot and rescue related stuffs
• dirty hack to disable from libstand
• typo fixes

• converted the variables and parameters to "private"
• added MK_FORTIFY knob
• blacklist some program and lib from fortification (mostly which use libstand)

After fixing the last two issues (shadow warnings) at least the bootstrap tool build completes.
On ARM64, I see:
...

>>> stage 4.2: building libraries

> gnu/lib/libssp/libssp_nonshared (obj,depend,all,install)

> gnu/lib/libgcc (obj,depend,all,install)

> lib/libcompiler_rt (obj,depend,all,install)

> gnu/lib/csu (obj,depend,all,install)

> lib/csu (obj,depend,all,install)

> lib/csu/aarch64 (obj)

> lib/csu/aarch64 (depend)

> lib/csu/aarch64 (all)

> lib/csu/aarch64 (install)

> lib/libcompiler_rt (obj,depend,all,install)

> lib/libc (obj,depend,all,install)

gets_chk.So: In function `gets_chk':
/scratch/tmp/pfg/head/lib/libc/secure/__gets_chk.c:(.text+0x84): warning: warning: this program uses gets(), which is unsafe.
cc: error: linker command failed with exit code 1 (use -v to see invocation)

• libc.so.7 ---
• [libc.so.7] Error code 1

...

• removed redundant redeclaration of '__snprintf_real'
• removed redundant redeclaration of '__vsnprintf_real'
• removed redundant redeclaration of '__gets_real'
• fix c++ related - error: no member named '__sprintf_chk' in namespace 'std'; did you mean

both gcc and clang are complaining about redundant declarations.

• remove broken __builtin_ prefix from s{,n}printf

• drop bionic's bcopy and bzero implementation, and rewrite them from scratch
• added __dead2 to secure_common.c to fix build

• typo fixes
• reworked sprintf and snprintf

• include sys/_null.h in _socket.h - this should fix the build error was found by Pedro on PPC64

status update

• fix memchr

status update

• remove builtins where possible
• fixed comments
• fixed guards

(small things to check)

Hi again Oliver;

Some more gcc version specifics.

Updated status.

• fixed rename src -> s
• added sys/limits.h to get SSIZE_MAX
• "added" GNUC_PREREQ(4, 3) around __builtin_va_arg_pack

A tinderbox build is finding a lot of issues in the fortify_source headers.

• fixed typo in comment
• fixed sprintf and snprintf in clang case
• updated test plan

Updated patch:

• fixed the place of __restricted in _socket.h