From patchwork Wed Nov 1 04:52:36 2017
X-Patchwork-Submitter: Yaakov Selkowitz
X-Patchwork-Id: 117669
From: Yaakov Selkowitz
To: newlib@sourceware.org
Subject: [PATCH v1 00/10] Add Stack Smashing Protection and Object Size Checking
Date: Tue, 31 Oct 2017 23:52:36 -0500
Message-Id: <20171101045246.16596-1-yselkowi@redhat.com>

This is an initial draft; I am using the topic/ssp branch for development of this feature.

In the process of overhauling our feature test macros, I discovered that GCC's libssp implementation of Object Size Checking (-D_FORTIFY_SOURCE=*) is completely broken and possibly unfixable (CVE-2016-4973). Therefore, it seems the only way to make this work is to integrate it into Newlib itself like other libc's. I used NetBSD as the basis for much of this. While relatively limited in coverage compared to glibc (which we can't take from), it should provide the foundation needed to add more coverage in the future.

This does require some minor changes in configuring GCC because its libssp would conflict with this (as it similarly conflicts with glibc), as noted in the commit messages.

There is probably a more portable way of getting a random canary for the benefit of bare metal targets (since arc4random required getentropy), but the terminator canary does work (tested with mmix target).

Yaakov Selkowitz (10):
  ssp: add APIs for Stack Smashing Protection (-fstack-protector*)
  ssp: add Object Size Checking for basic string functions
  ssp: add Object Size Checking for bcopy, bzero
  ssp: add Object Size Checking for basic stdio functions
  ssp: add Object Size Checking for basic unistd.h functions
  ssp: document _FORTIFY_SOURCE with the feature test macros
  ssp: add build infrastructure
  ssp: install headers
  cygwin: export SSP functions
  cygwin: create libssp compatibility import library

 newlib/Makefile.am                     |   4 +
 newlib/Makefile.in                     |   4 +
 newlib/libc/Makefile.am                |   4 +-
 newlib/libc/Makefile.in                |  15 +-
 newlib/libc/configure                  |   3 +-
 newlib/libc/configure.in               |   2 +-
 newlib/libc/include/ssp/ssp.h          |  93 +++++
 newlib/libc/include/ssp/stdio.h        |  74 ++++
 newlib/libc/include/ssp/string.h       | 112 ++++++
 newlib/libc/include/ssp/strings.h      |  48 +++
 newlib/libc/include/ssp/unistd.h       |  51 +++
 newlib/libc/include/stdio.h            |   4 +
 newlib/libc/include/string.h           |   4 +
 newlib/libc/include/strings.h          |   4 +
 newlib/libc/include/sys/features.h     |   7 +-
 newlib/libc/include/sys/unistd.h       |  10 +
 newlib/libc/ssp/Makefile.am            |  71 ++++
 newlib/libc/ssp/Makefile.in            | 714 +++++++++++++++++++++++++++++++++
 newlib/libc/ssp/chk_fail.c             |  13 +
 newlib/libc/ssp/fgets_chk.c            |  55 +++
 newlib/libc/ssp/gets_chk.c             |  78 ++++
 newlib/libc/ssp/memcpy_chk.c           |  54 +++
 newlib/libc/ssp/memmove_chk.c          |  50 +++
 newlib/libc/ssp/mempcpy_chk.c          |  21 +
 newlib/libc/ssp/memset_chk.c           |  49 +++
 newlib/libc/ssp/snprintf_chk.c         |  59 +++
 newlib/libc/ssp/sprintf_chk.c          |  63 +++
 newlib/libc/ssp/stack_protector.c      |  46 +++
 newlib/libc/ssp/stpcpy_chk.c           |  58 +++
 newlib/libc/ssp/stpncpy_chk.c          |  56 +++
 newlib/libc/ssp/strcat_chk.c           |  62 +++
 newlib/libc/ssp/strcpy_chk.c           |  55 +++
 newlib/libc/ssp/strncat_chk.c          |  73 ++++
 newlib/libc/ssp/strncpy_chk.c          |  55 +++
 newlib/libc/ssp/vsnprintf_chk.c        |  51 +++
 newlib/libc/ssp/vsprintf_chk.c         |  60 +++
 winsup/cygwin/Makefile.in              |   5 +-
 winsup/cygwin/common.din               |  20 +
 winsup/cygwin/include/cygwin/version.h |   7 +-
 39 files changed, 2202 insertions(+), 12 deletions(-)
 create mode 100644 newlib/libc/include/ssp/ssp.h
 create mode 100644 newlib/libc/include/ssp/stdio.h
 create mode 100644 newlib/libc/include/ssp/string.h
 create mode 100644 newlib/libc/include/ssp/strings.h
 create mode 100644 newlib/libc/include/ssp/unistd.h
 create mode 100644 newlib/libc/ssp/Makefile.am
 create mode 100644 newlib/libc/ssp/Makefile.in
 create mode 100644 newlib/libc/ssp/chk_fail.c
 create mode 100644 newlib/libc/ssp/fgets_chk.c
 create mode 100644 newlib/libc/ssp/gets_chk.c
 create mode 100644 newlib/libc/ssp/memcpy_chk.c
 create mode 100644 newlib/libc/ssp/memmove_chk.c
 create mode 100644 newlib/libc/ssp/mempcpy_chk.c
 create mode 100644 newlib/libc/ssp/memset_chk.c
 create mode 100644 newlib/libc/ssp/snprintf_chk.c
 create mode 100644 newlib/libc/ssp/sprintf_chk.c
 create mode 100644 newlib/libc/ssp/stack_protector.c
 create mode 100644 newlib/libc/ssp/stpcpy_chk.c
 create mode 100644 newlib/libc/ssp/stpncpy_chk.c
 create mode 100644 newlib/libc/ssp/strcat_chk.c
 create mode 100644 newlib/libc/ssp/strcpy_chk.c
 create mode 100644 newlib/libc/ssp/strncat_chk.c
 create mode 100644 newlib/libc/ssp/strncpy_chk.c
 create mode 100644 newlib/libc/ssp/vsnprintf_chk.c
 create mode 100644 newlib/libc/ssp/vsprintf_chk.c

-- 
2.14.3
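The two mechanisms the cover letter describes, object size checking for a string function and the terminator canary fallback, as an added example that is not part of this patch series or of newlib's own code. The names memcpy_chk_demo, MEMCPY_CHK and chk_fail_demo are hypothetical stand-ins for the __memcpy_chk / __chk_fail pattern, and the failure hook counts violations instead of aborting so the outcome can be observed; the canary bytes follow the BSD-style fallback, which is an assumption here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Detections are counted instead of aborting so they can be observed;
 * the real chk_fail.c path ends in abort(). */
static int ssp_violations;
static void chk_fail_demo(const char *fn)
{
    ssp_violations++;
    fprintf(stderr, "*** %s: buffer overflow detected ***\n", fn);
}

/* dst_size is what the compiler supplies via __builtin_object_size();
 * (size_t)-1 means "unknown", and then the copy must be let through. */
static void *memcpy_chk_demo(void *dst, const void *src, size_t n, size_t dst_size)
{
    if (dst_size != (size_t)-1 && n > dst_size) {
        chk_fail_demo("memcpy");
        return NULL;  /* unreachable once abort() is in place */
    }
    return memcpy(dst, src, n);
}
/* Header-level wrapper: the compile-time size of dst travels with the call,
 * which is all that a _FORTIFY_SOURCE header adds on top of the plain call. */
#define MEMCPY_CHK(dst, src, n) \
    memcpy_chk_demo((dst), (src), (n), __builtin_object_size((dst), 0))

int demo_fits(void)       /* in-bounds copy passes through untouched */
{
    char buf[16]; const char src[16] = "constructed";   /* constructed input */
    int before = ssp_violations;
    return MEMCPY_CHK(buf, src, sizeof buf) == buf && ssp_violations == before;
}

int demo_overflow(void)   /* oversized copy is caught before memcpy runs */
{
    char buf[16]; char src[32] = {0};                   /* constructed input */
    int before = ssp_violations;
    return memcpy_chk_demo(buf, src, sizeof src, sizeof buf) == NULL
        && ssp_violations == before + 1;
}

/* Terminator canary for targets with no entropy source (BSD-style fallback,
 * assumed here): the bytes 0x00, 0x00, '\n', 0xff cannot be rewritten intact
 * by strcpy- or gets-style overflows, since those stop at NUL or newline. */
int terminator_canary_ok(void)
{
    uintptr_t guard = 0;
    unsigned char *p = (unsigned char *)&guard;
    p[0] = 0; p[1] = 0; p[2] = '\n'; p[3] = 255;
    return memchr(p, '\n', sizeof guard) != NULL && memchr(p, 0xff, sizeof guard) != NULL;
}
```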