From patchwork Wed Nov 29 00:21:35 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Yaakov Selkowitz <yselkowi@redhat.com>
X-Patchwork-Id: 119909
Delivered-To: patch@linaro.org
Received: by 10.140.22.227 with SMTP id 90csp2395671qgn;
 Tue, 28 Nov 2017 16:22:13 -0800 (PST)
X-Google-Smtp-Source: AGs4zMZ8tE50T5IXBTsUI1K+7LrPbhJLieIy7Q+L/s6BJ17Lw/6aLtVGRqMM6L6ftidXhQZJUBuG
X-Received: by 10.159.194.197 with SMTP id u5mr987898plz.448.1511914933866; 
 Tue, 28 Nov 2017 16:22:13 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1511914933; cv=none;
 d=google.com; s=arc-20160816;
 b=u41Di7ycd9ISPmyo7/MrdzfZHo18ssKEd/ydsKxpf8caNSffhG6xMSBkcEu2ohuOIS
 pmMcfUy8/31vxxhTwmAWMTT1eRwJCpCjeJd98WzMB/3m8JaWVStbRMwIiYR5LX8f3Epw
 ULSJnV0ZpzC+TcM3BVlOyukElQTrnv2gfu6iklPekL/o5OjpWeR6QgjrEqYGa8f8O0in
 73e47bznOWpsVbiZxFOnmV0chANndl3SsKA47exrv0Hp8ePiJHl5fzZGDK+v/aevPHXe
 5aBW2cAYreHQnN5lHJv77wI/71p8nRnvDnc0jX86bPBFMr9c93tlCb+NEN72fxdN3aMI
 eTfg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=references:in-reply-to:message-id:date:subject:to:from:delivered-to
 :sender:list-help:list-post:list-archive:list-subscribe
 :list-unsubscribe:list-id:precedence:mailing-list:dkim-signature
 :domainkey-signature:arc-authentication-results;
 bh=U8T8Ov84Lng68VrsXgzRPt39gL1aZOV+o6O8VkElBxQ=;
 b=zaMZlKDU5I4nr5zDNVgWsWn/TgaBUTkklG/z6086FFgf4gxvyuOOAhy9FPHAn7hRXZ
 Mb4Mt+pC+t2b3qkXnuv7BS2QrULk+XstDm2Q7u6OFICP9IGHDzXpOKowXWQr6Ry5SLIZ
 2X8Ftncl1jfevY7hDGjlT1LsKqO/mJ4PGlIA8sq7tuf6kSgIsK+XMdKAX2zGUm57sbya
 h3ZvE1NyKKtMU25vj9Ksij15JuMUWB1Cm9qtBF30QlXy0V0IJLjSDRJx1DHExWoZzxuk
 RuxkO3Buo955h7JDTfbAAL0/RPhpl4ssgRW0PvyouDimfVARuq+hos3ryZTWIFvNwziv
 zhyA==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@sourceware.org header.s=default header.b=nvBHNiQu;
 spf=pass (google.com: domain of
 newlib-return-15387-patch=linaro.org@sourceware.org
 designates 209.132.180.131 as permitted sender)
 smtp.mailfrom=newlib-return-15387-patch=linaro.org@sourceware.org;
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <newlib-return-15387-patch=linaro.org@sourceware.org>
Received: from sourceware.org (server1.sourceware.org. [209.132.180.131])
 by mx.google.com with ESMTPS id
 u14si307228pfh.288.2017.11.28.16.22.13 for <patch@linaro.org>
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Tue, 28 Nov 2017 16:22:13 -0800 (PST)
Received-SPF: pass (google.com: domain of
 newlib-return-15387-patch=linaro.org@sourceware.org
 designates 209.132.180.131 as permitted sender)
 client-ip=209.132.180.131; 
Authentication-Results: mx.google.com;
 dkim=pass header.i=@sourceware.org header.s=default header.b=nvBHNiQu;
 spf=pass (google.com: domain of
 newlib-return-15387-patch=linaro.org@sourceware.org
 designates 209.132.180.131 as permitted sender)
 smtp.mailfrom=newlib-return-15387-patch=linaro.org@sourceware.org;
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
 :list-unsubscribe:list-subscribe:list-archive:list-post
 :list-help:sender:from:to:subject:date:message-id:in-reply-to
 :references; q=dns; s=default; b=Zsh5RYE5rfg8TrC/ZBGc1O+gBleAIft
 nZ0B+OyrdItSuNZnjXFGSmAf3vr2MbSYMbMKfo3cho2nz/C4AJaQAOuqtVms1QAX
 ZAOFUbkfp+2rduWjEjbfl3E40Who8KeLBf3dc44qmedfSnEzm4aub3hKCQ4cse7o
 VPLHsnhpH1To=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
 :list-unsubscribe:list-subscribe:list-archive:list-post
 :list-help:sender:from:to:subject:date:message-id:in-reply-to
 :references; s=default; bh=gh74MMAT9LF8nRXSMV+9fWn2jRQ=; b=nvBHN
 iQujlvrK1wFCcV598wIo4LiCgyH8SZLPmClV/AbeG4jwoptCv9Yotwcli84sCn2T
 E1zT/jHHYrhzpPmz8TOQpZ86b93/SbYB9/h6GjVYwx9e8YxlYziPMdLbqpS7AYN0
 SYbNth0OAznwC8yNVuV6/2Cvy+mNk+rP2zBGa8=
Received: (qmail 64668 invoked by alias); 29 Nov 2017 00:21:56 -0000
Mailing-List: contact newlib-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <newlib.sourceware.org>
List-Unsubscribe: <mailto:newlib-unsubscribe-patch=linaro.org@sourceware.org>
List-Subscribe: <mailto:newlib-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/newlib/>
List-Post: <mailto:newlib@sourceware.org>
List-Help: <mailto:newlib-help@sourceware.org>,
 <http://sourceware.org/ml/#faqs>
Sender: newlib-owner@sourceware.org
Delivered-To: mailing list newlib@sourceware.org
Received: (qmail 64597 invoked by uid 89); 29 Nov 2017 00:21:56 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-26.7 required=5.0 tests=BAYES_00, GIT_PATCH_0, 
 GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3,
 KB_WAM_FROM_NAME_SINGLEWORD, SPF_HELO_PASS,
 T_RP_MATCHES_RCVD autolearn=ham version=3.3.2 spammy=
X-HELO: mx1.redhat.com
Received: from mx1.redhat.com (HELO mx1.redhat.com) (209.132.183.28) by
 sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP;
 Wed, 29 Nov 2017 00:21:54 +0000
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com
 [10.5.11.11])	(using TLSv1.2 with cipher AECDH-AES256-SHA
 (256/256 bits))	(No client certificate requested)	by
 mx1.redhat.com (Postfix) with ESMTPS id 722CC356D8	for
 <newlib@sourceware.org>; Wed, 29 Nov 2017 00:21:53 +0000 (UTC)
Received: from localhost.localdomain (ovpn-120-11.rdu2.redhat.com
 [10.10.120.11])	by smtp.corp.redhat.com (Postfix) with ESMTPS
 id 0B375600D1	for <newlib@sourceware.org>;
 Wed, 29 Nov 2017 00:21:52 +0000 (UTC)
From: Yaakov Selkowitz <yselkowi@redhat.com>
To: newlib@sourceware.org
Subject: [PATCH v4 02/10] ssp: add Object Size Checking common code
Date: Tue, 28 Nov 2017 18:21:35 -0600
Message-Id: <20171129002143.12500-3-yselkowi@redhat.com>
In-Reply-To: <20171129002143.12500-1-yselkowi@redhat.com>
References: <20171129002143.12500-1-yselkowi@redhat.com>

The Object Size Checking (-D_FORTIFY_SOURCE=*) functionality provides
wrappers around functions suspectible to buffer overflows.  While
independent from Stack Smashing Protection (-fstack-protector*), they
are often used and implemented together.

While GCC also provides an implementation in libssp, it is completely
broken (CVE-2016-4973, RHBZ#1324759) and seemingly unfixable, as there
is no reliable way for a preprocessor macro to trigger a link flag.
Therefore, adding this here is necessary to make it work.

Note that this does require building gcc with --disable-libssp and
gcc_cv_libc_provides_ssp=yes.

Signed-off-by: Yaakov Selkowitz <yselkowi@redhat.com>
---
 newlib/libc/include/ssp/ssp.h      | 75 ++++++++++++++++++++++++++++++++++++++
 newlib/libc/include/sys/features.h | 18 ++++++++-
 newlib/libc/ssp/chk_fail.c         | 13 +++++++
 3 files changed, 105 insertions(+), 1 deletion(-)
 create mode 100644 newlib/libc/include/ssp/ssp.h
 create mode 100644 newlib/libc/ssp/chk_fail.c

-- 
2.15.0

diff --git a/newlib/libc/include/ssp/ssp.h b/newlib/libc/include/ssp/ssp.h
new file mode 100644
index 000000000..e3c2728c7
--- /dev/null
+++ b/newlib/libc/include/ssp/ssp.h
@@ -0,0 +1,75 @@
+/*	$NetBSD: ssp.h,v 1.13 2015/09/03 20:43:47 plunky Exp $	*/
+
+/*-
+ * Copyright (c) 2006, 2011 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef _SSP_SSP_H_
+#define _SSP_SSP_H_
+
+#include <sys/cdefs.h>
+
+/* __ssp_real is used by the implementation in libc */
+#if __SSP_FORTIFY_LEVEL == 0
+#define __ssp_real_(fun)	fun
+#else
+#define __ssp_real_(fun)	__ssp_real_ ## fun
+#endif
+#define __ssp_real(fun)		__ssp_real_(fun)
+
+#define __ssp_bos(ptr) __builtin_object_size(ptr, __SSP_FORTIFY_LEVEL > 1)
+#define __ssp_bos0(ptr) __builtin_object_size(ptr, 0)
+
+#define __ssp_check(buf, len, bos) \
+	if (bos(buf) != (size_t)-1 && len > bos(buf)) \
+		__chk_fail()
+#define __ssp_decl(rtype, fun, symbol, args) \
+rtype __ssp_real_(fun) args __asm__(__ASMNAME(#symbol)); \
+_ELIDABLE_INLINE rtype fun args __asm__(__ASMNAME("__ssp_protected_" #fun)); \
+_ELIDABLE_INLINE rtype fun args
+#define __ssp_redirect_raw(rtype, fun, symbol, args, call, cond, bos) \
+__ssp_decl(rtype, fun, symbol, args) \
+{ \
+	if (cond) \
+		__ssp_check(__buf, __len, bos); \
+	return __ssp_real_(fun) call; \
+}
+
+#define __ssp_redirect(rtype, fun, args, call) \
+    __ssp_redirect_raw(rtype, fun, fun, args, call, 1, __ssp_bos)
+#define __ssp_redirect0(rtype, fun, args, call) \
+    __ssp_redirect_raw(rtype, fun, fun, args, call, 1, __ssp_bos0)
+
+#define __ssp_overlap(a, b, l) \
+    (((a) <= (b) && (b) < (a) + (l)) || ((b) <= (a) && (a) < (b) + (l)))
+
+__BEGIN_DECLS
+void __stack_chk_fail(void) __dead2;
+void __chk_fail(void) __dead2;
+__END_DECLS
+
+#endif /* _SSP_SSP_H_ */
diff --git a/newlib/libc/include/sys/features.h b/newlib/libc/include/sys/features.h
index 95d20533e..2900b332f 100644
--- a/newlib/libc/include/sys/features.h
+++ b/newlib/libc/include/sys/features.h
@@ -100,6 +100,9 @@ extern "C" {
  * _SVID_SOURCE (deprecated by _DEFAULT_SOURCE)
  * _DEFAULT_SOURCE (or none of the above)
  * 	POSIX-1.2008 with BSD and SVr4 extensions
+ *
+ * _FORTIFY_SOURCE = 1 or 2
+ * 	Object Size Checking function wrappers
  */
 
 #ifdef _GNU_SOURCE
@@ -233,9 +236,11 @@ extern "C" {
  * __GNU_VISIBLE
  * 	GNU extensions; enabled with _GNU_SOURCE.
  *
+ * __SSP_FORTIFY_LEVEL
+ * 	Object Size Checking; defined to 0 (off), 1, or 2.
+ *
  * In all cases above, "enabled by default" means either by defining
  * _DEFAULT_SOURCE, or by not defining any of the public feature test macros.
- * Defining _GNU_SOURCE makes all of the above avaliable.
  */
 
 #ifdef _ATFILE_SOURCE
@@ -314,6 +319,17 @@ extern "C" {
 #define	__XSI_VISIBLE		0
 #endif
 
+#if _FORTIFY_SOURCE > 0 && !defined(__cplusplus) && !defined(__lint__) && \
+   (__OPTIMIZE__ > 0 || defined(__clang__)) && __GNUC_PREREQ__(4, 1)
+#  if _FORTIFY_SOURCE > 1
+#    define __SSP_FORTIFY_LEVEL 2
+#  else
+#    define __SSP_FORTIFY_LEVEL 1
+#  endif
+#else
+#  define __SSP_FORTIFY_LEVEL 0
+#endif
+
 /* RTEMS adheres to POSIX -- 1003.1b with some features from annexes.  */
 
 #ifdef __rtems__
diff --git a/newlib/libc/ssp/chk_fail.c b/newlib/libc/ssp/chk_fail.c
new file mode 100644
index 000000000..b1f8e42a6
--- /dev/null
+++ b/newlib/libc/ssp/chk_fail.c
@@ -0,0 +1,13 @@
+#include <signal.h>
+#include <string.h>
+#include <unistd.h>
+
+void
+__attribute__((__noreturn__))
+__chk_fail(void)
+{
+  char msg[] = "*** buffer overflow detected ***: terminated\n";
+  write (2, msg, strlen (msg));
+  raise (SIGABRT);
+  _exit (127);
+}