From nobody Mon May 13 05:24:11 2024 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Vd7Fl64WJz5KGLY; Mon, 13 May 2024 05:24:11 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Vd7Fl3lG9z4Kfs; Mon, 13 May 2024 05:24:11 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1715577851; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=SA2Ma7uuzmT+7Rk9o2IGghFtZMiH7Twv1nzZ9AO3SGI=; b=qaz1B4JeJelQHQuVMy+ZEqIXrxXD/0cvER3Sh6csBlJs6muyf/AhwBw+/j7XgZyKkdPKxc UZSFpddinWnIDQeg2zT7jiTEiAjL/uTrQjkY5quAtdnp9WneRxps7arH8gxNUG51XhXEr6 KqeFSela2umfFqgd7SdpZCFweG0u/FQHPaZimleI0tmyRzUbG7BAEDWZE9wTWRZEMQl/1Y bZICXv2oIw7iVaL9/9V7lrpJdYEVj5VmV1badwT1z/TwdlQJJsEaqRcxonDEICDQ3v6xoP 9Nc6Q9Y0po0aEgre5dmTBtC01dKTcPnzGII66snD/antrRD7cK0zmgJ2BqdmfQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1715577851; a=rsa-sha256; cv=none; b=XR15Yq9aQrFM28ki1wfCZOo16ZAu1IO2UIuIDleQSxDMUb2ZUGep4mQv4R/07S4Ptjqjgf r6PNeiYQvZ8oEcFpfgkyIApM87TgoQRKahpZeQNoTzuaxP8qyMhgMFC1uk0y4AM6SxohlF neCUf3b09vHR3leJcVJcKcGRGlgywbfJx/wwpfPwK+X/Kq3fdhuyGCTCblKchi1xb/+AOD +N6jdvuXAx5wwbWz5+Y5PwRy/aQ0pQmojDLJEPozxf9AamxHQtKeFpELqMIc0qYszALzcg +Hi/2GNWOxKmg5sbbufgv84tS9zDAf4Cmu+cGzT1a5Wq4UhJus7QJW+5kofH+w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1715577851; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=SA2Ma7uuzmT+7Rk9o2IGghFtZMiH7Twv1nzZ9AO3SGI=; b=xNEr0w6i3kUoDbKf1p54s6maZQSdu80+Ke/cFcmv90rT140xHJnzT+rrzdmU4Fcod1zMoe xrlfyX8xu+tKqpOonmkhnkN4vCqjTz08hOLCSnmJVCGwCsFjirPBxL2HgvostD+bJU52PR I7P6fydyMF99vxQqnjP/ExcZEFLdOLX67Q3hryEi7zhRgWoJbZmEdsnUeo7aoizzNlnC9Y b47u3+DiIj9bZ1ILuoHxvbuw6K5Kr2n9+3toIvkZRixk6+MDDOnlacCb7JKU+6s68BENBY Xw2lqeF5FImNGwuALwhrKA1O2XlLEDSPZQkdo40FOYv4zg/nwxQO7SY8kgMpMg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Vd7Fl3M1kzbTR; Mon, 13 May 2024 05:24:11 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 44D5OBQl084370; Mon, 13 May 2024 05:24:11 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 44D5OBT1084367; Mon, 13 May 2024 05:24:11 GMT (envelope-from git) Date: Mon, 13 May 2024 05:24:11 GMT Message-Id: <202405130524.44D5OBT1084367@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Kyle Evans Subject: git: 9bfd3b4076a7 - main - Add a build knob for _FORTIFY_SOURCE List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 9bfd3b4076a7b0dfd27ab22318e5113dc84fea28 Auto-Submitted: auto-generated The branch main has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=9bfd3b4076a7b0dfd27ab22318e5113dc84fea28 commit 9bfd3b4076a7b0dfd27ab22318e5113dc84fea28 Author: Kyle Evans AuthorDate: 2024-05-13 05:23:50 +0000 Commit: Kyle Evans CommitDate: 2024-05-13 05:23:50 +0000 Add a build knob for _FORTIFY_SOURCE In the future, we will Default to _FORTIFY_SOURCE=2 if SSP is enabled, otherwise default to _FORTIFY_SOURCE=0. For now we default it to 0 unconditionally to ease bisect across older versions without the new symbols, and we'll put out a call for testing. include/*.h include their ssp/*.h equivalents as needed based on the knob. Programs and users are allowed to override FORTIFY_SOURCE in their Makefiles or src.conf/make.conf to force it off. Reviewed by: des, markj Relnotes: yes Sponsored by: Stormshield Sponsored by: Klara, Inc. Differential Revision: https://reviews.freebsd.org/D32308 --- include/stdio.h | 3 ++ include/string.h | 3 ++ include/strings.h | 3 ++ include/unistd.h | 4 +++ lib/libthr/Makefile | 3 ++ libexec/rtld-elf/Makefile | 4 +++ share/man/man7/security.7 | 75 +++++++++++++++++++++++++++++++++++++++++ share/mk/bsd.sys.mk | 7 ++++ tools/build/options/WITHOUT_SSP | 3 ++ tools/build/options/WITH_SSP | 3 ++ 10 files changed, 108 insertions(+) diff --git a/include/stdio.h b/include/stdio.h index fe7a6f7d6f82..30bc638082d8 100644 --- a/include/stdio.h +++ b/include/stdio.h @@ -530,4 +530,7 @@ extern int __isthreaded; __END_DECLS __NULLABILITY_PRAGMA_POP +#if defined(_FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0 +#include +#endif #endif /* !_STDIO_H_ */ diff --git a/include/string.h b/include/string.h index 597308020cdb..a595f6e3e260 100644 --- a/include/string.h +++ b/include/string.h @@ -168,4 +168,7 @@ errno_t memset_s(void *, rsize_t, int, rsize_t); #endif /* __EXT1_VISIBLE */ __END_DECLS +#if defined(_FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0 +#include +#endif #endif /* _STRING_H_ */ diff --git a/include/strings.h b/include/strings.h index fde007186e04..6fe6a09e7dd3 100644 --- a/include/strings.h +++ b/include/strings.h @@ -68,4 +68,7 @@ int strncasecmp(const char *, const char *, size_t) __pure; #endif __END_DECLS +#if defined(_FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0 +#include +#endif #endif /* _STRINGS_H_ */ diff --git a/include/unistd.h b/include/unistd.h index e4e5c62fbb67..59738cbf6e68 100644 --- a/include/unistd.h +++ b/include/unistd.h @@ -37,6 +37,10 @@ #include #include +#if defined(_FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0 +#include +#endif + #ifndef _GID_T_DECLARED typedef __gid_t gid_t; #define _GID_T_DECLARED diff --git a/lib/libthr/Makefile b/lib/libthr/Makefile index a5bf5da44170..85c028f521a1 100644 --- a/lib/libthr/Makefile +++ b/lib/libthr/Makefile @@ -11,6 +11,9 @@ LDFLAGS+= -Wl,--rpath=/usr/lib${COMPAT_libcompat} .include MK_SSP= no +# SSP forced off already implies FORTIFY_SOURCE=0, but we must make sure that +# one cannot turn it back on. +FORTIFY_SOURCE= 0 LIB=thr SHLIB_MAJOR= 3 diff --git a/libexec/rtld-elf/Makefile b/libexec/rtld-elf/Makefile index 37c3840538d5..864448ad782a 100644 --- a/libexec/rtld-elf/Makefile +++ b/libexec/rtld-elf/Makefile @@ -15,6 +15,10 @@ MK_UBSAN= no .include +# SSP forced off already implies FORTIFY_SOURCE=0, but we must make sure that +# one cannot turn it back on. +FORTIFY_SOURCE= 0 + .if !defined(NEED_COMPAT) CONFS= libmap.conf .endif diff --git a/share/man/man7/security.7 b/share/man/man7/security.7 index ccbeeb4575ce..2e690e35d534 100644 --- a/share/man/man7/security.7 +++ b/share/man/man7/security.7 @@ -939,6 +939,81 @@ option that SSH allows in its .Pa authorized_keys file to make the key only usable to entities logging in from specific machines. +.Sh STACK OVERFLOW PROTECTION +.Fx +supports stack overflow protection using the Stack Smashing Protector +.Pq SSP +compiler feature. +In userland, SSP adds a per-process randomized canary at the end of every stack +frame which is checked for corruption upon return from the function. +In the kernel, a single randomized canary is used globally except on aarch64, +which has a +.Dv PERTHREAD_SSP +.Xr config 8 +option to enable per-thread randomized canaries. +If stack corruption is detected, then the process aborts to avoid potentially +malicious execution as a result of the corruption. +SSP may be enabled or disabled when building +.Fx +base with the +.Xr src.conf 5 +SSP knob. +.Pp +When +.Va WITH_SSP +is enabled, which is the default, world is built with the +.Fl fstack-protector-strong +compiler option. +The kernel is built with the +.Fl fstack-protector +option. +.Pp +In addition to SSP, a +.Dq FORTIFY_SOURCE +implementation is supported up to level 2 by defining +.Va _FORTIFY_SOURCE +to +.Dv 1 +or +.Dv 2 +before including any +.Fx +headers. +.Fx +world builds can set +.Va FORTIFY_SOURCE +to provide a default value for +.Va _FORTIFY_SOURCE . +When enabled, +.Dq FORTIFY_SOURCE +enables extra bounds checking in various functions that accept buffers to be +written into. +These functions currently have extra bounds checking support: +.Bl -column -offset indent "snprintf" "memmove" "strncpy" "vsnprintf" "readlink" +.It bcopy Ta bzero Ta fgets Ta getcwd Ta gets +.It memcpy Ta memmove Ta memset Ta read Ta readlink +.It snprintf Ta sprintf Ta stpcpy Ta stpncpy Ta strcat +.It strcpy Ta strncat Ta strncpy Ta vsnprintf Ta vsprintf +.El +.Pp +.Dq FORTIFY_SOURCE +requires compiler support from +.Xr clang 1 +or +.Xr gcc 1 , +which provide the +.Xr __builtin_object_size 3 +function that is used to determine the bounds of an object. +This feature works best at optimization levels +.Fl O1 +and above, as some object sizes may be less obvious without some data that the +compiler would collect in an optimization pass. +.Pp +Similar to SSP, violating the bounds of an object will cause the program to +abort in an effort to avoid malicious execution. +This effectively provides finer-grained protection than SSP for some class of +function and system calls, along with some protection for buffers allocated as +part of the program data. .Sh KNOBS AND TWEAKS .Fx provides several knobs and tweak handles that make some introspection diff --git a/share/mk/bsd.sys.mk b/share/mk/bsd.sys.mk index de91e00d8cc7..52c3d07746c7 100644 --- a/share/mk/bsd.sys.mk +++ b/share/mk/bsd.sys.mk @@ -294,11 +294,18 @@ CFLAGS.clang+= -Qunused-arguments # but not yet. CXXFLAGS.clang+= -Wno-c++11-extensions +# XXX This should be defaulted to 2 when WITH_SSP is in use after further +# testing and soak time. +FORTIFY_SOURCE?= 0 .if ${MK_SSP} != "no" # Don't use -Wstack-protector as it breaks world with -Werror. SSP_CFLAGS?= -fstack-protector-strong CFLAGS+= ${SSP_CFLAGS} .endif # SSP +.if ${FORTIFY_SOURCE} > 0 +CFLAGS+= -D_FORTIFY_SOURCE=${FORTIFY_SOURCE} +CXXFLAGS+= -D_FORTIFY_SOURCE=${FORTIFY_SOURCE} +.endif # Additional flags passed in CFLAGS and CXXFLAGS when MK_DEBUG_FILES is # enabled. diff --git a/tools/build/options/WITHOUT_SSP b/tools/build/options/WITHOUT_SSP index 88162cecf14a..7a773fe1e5aa 100644 --- a/tools/build/options/WITHOUT_SSP +++ b/tools/build/options/WITHOUT_SSP @@ -1 +1,4 @@ Do not build world with stack smashing protection. +See +.Xr security 7 +for more information. diff --git a/tools/build/options/WITH_SSP b/tools/build/options/WITH_SSP index 0088dd133782..4f06a73d4173 100644 --- a/tools/build/options/WITH_SSP +++ b/tools/build/options/WITH_SSP @@ -1 +1,4 @@ Build world with stack smashing protection. +See +.Xr security 7 +for more information.