From patchwork Wed Nov 29 09:42:52 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Yaakov Selkowitz
X-Patchwork-Id: 119937
From: Yaakov Selkowitz
To: newlib@sourceware.org
Subject: [PATCH v5 02/10] ssp: add Object Size Checking common code
Date: Wed, 29 Nov 2017 03:42:52 -0600
Message-Id: <20171129094300.20296-3-yselkowi@redhat.com>
In-Reply-To: <20171129094300.20296-1-yselkowi@redhat.com>
References: <20171129094300.20296-1-yselkowi@redhat.com>

The Object Size Checking (-D_FORTIFY_SOURCE=*) functionality provides wrappers around functions susceptible to buffer overflows. While independent from Stack Smashing Protection (-fstack-protector*), they are often used and implemented together. While GCC also provides an implementation in libssp, it is completely broken (CVE-2016-4973, RHBZ#1324759) and seemingly unfixable, as there is no reliable way for a preprocessor macro to trigger a link flag. Therefore, adding this here is necessary to make it work.

Note that this does require building gcc with --disable-libssp and gcc_cv_libc_provides_ssp=yes.

Signed-off-by: Yaakov Selkowitz
---
 newlib/libc/include/ssp/ssp.h | 77 ++++++++++++++++++++++++++++++++++++++
 newlib/libc/include/sys/features.h | 18 ++++++++-
 newlib/libc/ssp/chk_fail.c | 13 +++++++
 3 files changed, 107 insertions(+), 1 deletion(-)
 create mode 100644 newlib/libc/include/ssp/ssp.h
 create mode 100644 newlib/libc/ssp/chk_fail.c
--
2.15.0

diff --git a/newlib/libc/include/ssp/ssp.h b/newlib/libc/include/ssp/ssp.h new file mode 100644 index 000000000..5c65cf4b2 --- /dev/null +++ b/newlib/libc/include/ssp/ssp.h 
@@ -0,0 +1,77 @@ +/* $NetBSD: ssp.h,v 1.13 2015/09/03 20:43:47 plunky Exp $ */ + +/*- + * Copyright (c) 2006, 2011 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Christos Zoulas. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ +#ifndef _SSP_SSP_H_ +#define _SSP_SSP_H_ + +#include + +/* __ssp_real is used by the implementation in libc */ +#if __SSP_FORTIFY_LEVEL == 0 +#define __ssp_real_(fun) fun +#else +#define __ssp_real_(fun) __ssp_real_ ## fun +#endif +#define __ssp_real(fun) __ssp_real_(fun) + +#define __ssp_inline extern __inline__ __attribute__((__always_inline__, __gnu_inline__)) + +#define __ssp_bos(ptr) __builtin_object_size(ptr, __SSP_FORTIFY_LEVEL > 1) +#define __ssp_bos0(ptr) __builtin_object_size(ptr, 0) + +#define __ssp_check(buf, len, bos) \ + if (bos(buf) != (size_t)-1 && len > bos(buf)) \ + __chk_fail() +#define __ssp_decl(rtype, fun, args) \ +rtype __ssp_real_(fun) args __asm__(__ASMNAME(#fun)); \ +__ssp_inline rtype fun args __asm__(__ASMNAME("__ssp_protected_" #fun)); \ +__ssp_inline rtype fun args +#define __ssp_redirect_raw(rtype, fun, args, call, cond, bos) \ +__ssp_decl(rtype, fun, args) \ +{ \ + if (cond) \ + __ssp_check(__buf, __len, bos); \ + return __ssp_real_(fun) call; \ +} + +#define __ssp_redirect(rtype, fun, args, call) \ + __ssp_redirect_raw(rtype, fun, args, call, 1, __ssp_bos) +#define __ssp_redirect0(rtype, fun, args, call) \ + __ssp_redirect_raw(rtype, fun, args, call, 1, __ssp_bos0) + +#define __ssp_overlap(a, b, l) \ + (((a) <= (b) && (b) < (a) + (l)) || ((b) <= (a) && (a) < (b) + (l))) + +__BEGIN_DECLS +void __stack_chk_fail(void) __dead2; +void __chk_fail(void) __dead2; +__END_DECLS + +#endif /* _SSP_SSP_H_ */ diff --git a/newlib/libc/include/sys/features.h b/newlib/libc/include/sys/features.h index 95d20533e..2900b332f 100644 --- a/newlib/libc/include/sys/features.h +++ b/newlib/libc/include/sys/features.h @@ -100,6 +100,9 @@ extern "C" { * _SVID_SOURCE (deprecated by _DEFAULT_SOURCE) * _DEFAULT_SOURCE (or none of the above) * POSIX-1.2008 with BSD and SVr4 extensions + * + * _FORTIFY_SOURCE = 1 or 2 + * Object Size Checking function wrappers */ #ifdef _GNU_SOURCE 
@@ -233,9 +236,11 @@ extern "C" { * __GNU_VISIBLE * GNU extensions; enabled with _GNU_SOURCE. * + * __SSP_FORTIFY_LEVEL + * Object Size Checking; defined to 0 (off), 1, or 2. + * * In all cases above, "enabled by default" means either by defining * _DEFAULT_SOURCE, or by not defining any of the public feature test macros. - * Defining _GNU_SOURCE makes all of the above avaliable. */ #ifdef _ATFILE_SOURCE @@ -314,6 +319,17 @@ extern "C" { #define __XSI_VISIBLE 0 #endif +#if _FORTIFY_SOURCE > 0 && !defined(__cplusplus) && !defined(__lint__) && \ + (__OPTIMIZE__ > 0 || defined(__clang__)) && __GNUC_PREREQ__(4, 1) +# if _FORTIFY_SOURCE > 1 +# define __SSP_FORTIFY_LEVEL 2 +# else +# define __SSP_FORTIFY_LEVEL 1 +# endif +#else +# define __SSP_FORTIFY_LEVEL 0 +#endif + /* RTEMS adheres to POSIX -- 1003.1b with some features from annexes. */ #ifdef __rtems__ diff --git a/newlib/libc/ssp/chk_fail.c b/newlib/libc/ssp/chk_fail.c new file mode 100644 index 000000000..b1f8e42a6 --- /dev/null +++ b/newlib/libc/ssp/chk_fail.c @@ -0,0 +1,13 @@ +#include +#include +#include + +void +__attribute__((__noreturn__)) +__chk_fail(void) +{ + char msg[] = "*** buffer overflow detected ***: terminated\n"; + write (2, msg, strlen (msg)); + raise (SIGABRT); + _exit (127); +}
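Review bot: In newlib/libc/include/ssp/ssp.h, `__ssp_check` expands to a bare `if (...) __chk_fail()` and `__ssp_redirect_raw` places it directly under `if (cond)`, so every use is an unbraced nested if and any `else` written after a later use would bind to the inner test. Wrapping the body in `do { ... } while (0)` and parenthesizing the argument (`(len) > bos(buf)`) would make the macro safe at every call site. `__ssp_redirect_raw` also refers to `__buf` and `__len` without taking them as parameters, so a comment stating that wrapped functions must name their arguments that way is needed. For `__ssp_overlap`, each argument is evaluated more than once; document that callers must pass side-effect-free expressions.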
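Review bot: The second features.h hunk (@@ -233,9 +236,11 @@) deletes the sentence `Defining _GNU_SOURCE makes all of the above avaliable.` and the commit message does not mention it. If the reason is that _GNU_SOURCE does not set __SSP_FORTIFY_LEVEL, consider keeping the sentence with its spelling fixed and excluding the new entry explicitly, so the comment still tells readers that _GNU_SOURCE enables the visibility macros listed above it. Otherwise, say in the commit message why the sentence is dropped.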
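Review bot: In the third features.h hunk (@@ -314,6 +319,17 @@), a build that defines _FORTIFY_SOURCE but fails any other clause of the `#if` (C++, `__lint__`, no `__OPTIMIZE__` on a non-clang compiler, or a GCC older than 4.1) falls through to `# define __SSP_FORTIFY_LEVEL 0` with no diagnostic, so the wrappers are silently disabled. Consider a `#warning` for that case, or at least state in the `_FORTIFY_SOURCE = 1 or 2` comment added in the first hunk that the checks need optimization and are not applied to C++. The test `_FORTIFY_SOURCE > 1` also maps every larger value to level 2, which the comment should mention since it documents only 1 and 2.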
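Review bot: In newlib/libc/ssp/chk_fail.c, `char msg[]` is a non-const automatic array, so the message is copied onto the stack inside the handler that runs after an overflow has already been detected, and its length is then recomputed with `strlen`. Declaring it `static const char msg[]` and passing `sizeof(msg) - 1` to `write` avoids both. The return value of `write` is ignored, which is reasonable just before aborting, but a `(void)` cast or a short comment would show it is deliberate. A comment that `_exit (127)` is reached only when `raise (SIGABRT)` returns (signal blocked, ignored, or handled) would help future readers.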