This is the mail archive of the
newlib@sourceware.org
mailing list for the newlib project.
[PATCH v3 2/9] ssp: add Object Size Checking common code
- From: Yaakov Selkowitz <yselkowi at redhat dot com>
- To: newlib at sourceware dot org
- Date: Tue, 28 Nov 2017 02:57:48 -0600
- Subject: [PATCH v3 2/9] ssp: add Object Size Checking common code
- Authentication-results: sourceware.org; auth=none
- References: <20171128085755.5928-1-yselkowi@redhat.com>
The Object Size Checking (-D_FORTIFY_SOURCE=*) functionality provides
wrappers around functions suspectible to buffer overflows. While
independent from Stack Smashing Protection (-fstack-protector*), they
are often used and implemented together.
While GCC also provides an implementation in libssp, it is completely
broken (CVE-2016-4973, RHBZ#1324759) and seemingly unfixable, as there
is no reliable way for a preprocessor macro to trigger a link flag.
Therefore, adding this here is necessary to make it work.
Note that this does require building gcc with --disable-libssp and
gcc_cv_libc_provides_ssp=yes.
Signed-off-by: Yaakov Selkowitz <yselkowi@redhat.com>
---
newlib/libc/include/ssp/ssp.h | 72 ++++++++++++++++++++++++++++++++++++++
newlib/libc/include/sys/features.h | 18 +++++++++-
newlib/libc/ssp/chk_fail.c | 13 +++++++
3 files changed, 102 insertions(+), 1 deletion(-)
create mode 100644 newlib/libc/include/ssp/ssp.h
create mode 100644 newlib/libc/ssp/chk_fail.c
diff --git a/newlib/libc/include/ssp/ssp.h b/newlib/libc/include/ssp/ssp.h
new file mode 100644
index 000000000..399cf8962
--- /dev/null
+++ b/newlib/libc/include/ssp/ssp.h
@@ -0,0 +1,72 @@
+/* $NetBSD: ssp.h,v 1.13 2015/09/03 20:43:47 plunky Exp $ */
+
+/*-
+ * Copyright (c) 2006, 2011 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef _SSP_SSP_H_
+#define _SSP_SSP_H_
+
+#include <sys/cdefs.h>
+
+/* __ssp_real is used by the implementation in libc */
+#if __SSP_FORTIFY_LEVEL == 0
+#define __ssp_real_(fun) fun
+#else
+#define __ssp_real_(fun) __ssp_real_ ## fun
+#endif
+#define __ssp_real(fun) __ssp_real_(fun)
+
+#define __ssp_bos(ptr) __builtin_object_size(ptr, __SSP_FORTIFY_LEVEL > 1)
+#define __ssp_bos0(ptr) __builtin_object_size(ptr, 0)
+
+#define __ssp_check(buf, len, bos) \
+ if (bos(buf) != (size_t)-1 && len > bos(buf)) \
+ __chk_fail()
+#define __ssp_redirect_raw(rtype, fun, symbol, args, call, cond, bos) \
+rtype __ssp_real_(fun) args __asm__(__ASMNAME(#symbol)); \
+_ELIDABLE_INLINE rtype fun args __asm__(__ASMNAME("__ssp_protected_" #fun)); \
+_ELIDABLE_INLINE rtype fun args { \
+ if (cond) \
+ __ssp_check(__buf, __len, bos); \
+ return __ssp_real_(fun) call; \
+}
+
+#define __ssp_redirect(rtype, fun, args, call) \
+ __ssp_redirect_raw(rtype, fun, fun, args, call, 1, __ssp_bos)
+#define __ssp_redirect0(rtype, fun, args, call) \
+ __ssp_redirect_raw(rtype, fun, fun, args, call, 1, __ssp_bos0)
+
+#define __ssp_overlap(a, b, l) \
+ (((a) <= (b) && (b) < (a) + (l)) || ((b) <= (a) && (a) < (b) + (l)))
+
+__BEGIN_DECLS
+void __stack_chk_fail(void) __dead2;
+void __chk_fail(void) __dead2;
+__END_DECLS
+
+#endif /* _SSP_SSP_H_ */
diff --git a/newlib/libc/include/sys/features.h b/newlib/libc/include/sys/features.h
index c9133af57..084bf2183 100644
--- a/newlib/libc/include/sys/features.h
+++ b/newlib/libc/include/sys/features.h
@@ -100,6 +100,9 @@ extern "C" {
* _SVID_SOURCE (deprecated by _DEFAULT_SOURCE)
* _DEFAULT_SOURCE (or none of the above)
* POSIX-1.2008 with BSD and SVr4 extensions
+ *
+ * _FORTIFY_SOURCE = 1 or 2
+ * Object Size Checking function wrappers
*/
#ifdef _GNU_SOURCE
@@ -233,9 +236,11 @@ extern "C" {
* __GNU_VISIBLE
* GNU extensions; enabled with _GNU_SOURCE.
*
+ * __SSP_FORTIFY_LEVEL
+ * Object Size Checking; defined to 0 (off), 1, or 2.
+ *
* In all cases above, "enabled by default" means either by defining
* _DEFAULT_SOURCE, or by not defining any of the public feature test macros.
- * Defining _GNU_SOURCE makes all of the above avaliable.
*/
#ifdef _ATFILE_SOURCE
@@ -314,6 +319,17 @@ extern "C" {
#define __XSI_VISIBLE 0
#endif
+#if _FORTIFY_SOURCE > 0 && !defined(__cplusplus) && !defined(__lint__) && \
+ (__OPTIMIZE__ > 0 || defined(__clang__)) && __GNUC_PREREQ__(4, 1)
+# if _FORTIFY_SOURCE > 1
+# define __SSP_FORTIFY_LEVEL 2
+# else
+# define __SSP_FORTIFY_LEVEL 1
+# endif
+#else
+# define __SSP_FORTIFY_LEVEL 0
+#endif
+
/* RTEMS adheres to POSIX -- 1003.1b with some features from annexes. */
#ifdef __rtems__
diff --git a/newlib/libc/ssp/chk_fail.c b/newlib/libc/ssp/chk_fail.c
new file mode 100644
index 000000000..b1f8e42a6
--- /dev/null
+++ b/newlib/libc/ssp/chk_fail.c
@@ -0,0 +1,13 @@
+#include <signal.h>
+#include <string.h>
+#include <unistd.h>
+
+void
+__attribute__((__noreturn__))
+__chk_fail(void)
+{
+ char msg[] = "*** buffer overflow detected ***: terminated\n";
+ write (2, msg, strlen (msg));
+ raise (SIGABRT);
+ _exit (127);
+}
--
2.15.0