Page MenuHomeFreeBSD
Differential D45976

Collection of fixes for _FORTIFY_SOURCE
ClosedPublic
Actions

Authored by kevans on Jul 15 2024, 3:23 AM.
Tags
None
Referenced Files
F103041592: D45976.diff
Wed, Nov 20, 4:22 AM
Unknown Object (File)
Fri, Nov 8, 4:29 AM
Unknown Object (File)
Thu, Oct 31, 1:01 PM
Unknown Object (File)
Oct 12 2024, 1:59 PM
Unknown Object (File)
Sep 28 2024, 7:22 AM
Unknown Object (File)
Sep 28 2024, 7:22 AM
Unknown Object (File)
Sep 28 2024, 7:21 AM
Unknown Object (File)
Sep 28 2024, 7:21 AM
View All 37 Files
Subscribers
imp
netchild

Details

Reviewers
markj
kib
jhb
ngie
Group Reviewers
Klara
Commits
rGdb3a524c8a96: bsnmpd: FreeBSD has strlcpy(3)
rG4928dcc0ebdb: sys/select.h: const'ify the fd_set that __fdset_idx() takes
rG0c47b9c211ed: include: ssp: don't shadow the mempcpy builtin
rGd5f8270917bf: libc: switch to __weak_symbol for fortified interpose stubs
rGb8730c11a395: include: ssp: fix the build with earlier C standards
rG838b6caababb: openssl: use getrandom(2) instead of probing for getentropy(2)
Summary

I'll likely split this up into multiple commits, but each one is small
enough that I think it's best in a single review.

openssl: use getrandom(2) instead of probing for getentropy(2)

The probing for getentropy(2) relies on re-declaring getentropy(2)
as weak and checking the address, but this is incompatible with
the _FORTIFY_SOURCE symbol renaming scheme.  It's always present on
all supported FreeBSD versions now so we could cut it down to
unconditional use, but there's another segment for getrandom(2)
already that's cleaner to just add us to.

We should upstream this.
  • include: ssp: fix the build with earlier C standards

    inline isn't always a keyword, so we should be using __ssp_inline as we do everywhere else in the _FORTIFY_SOURCE support. Variable declarations in a loop initializer are also not always supported, so declare any loop vars in advance.
  • include: ssp: don't shadow the mempcpy builtin

    GCC emits a warning about shadowing a builtin with our mempcpy declaration, so switch it to using the same model as memcpy() and use the apparently-existing builtin_mempcpy_chk().
  • libc: undefine _FORTIFY_SOURCE for fortified interpose stubs

    GCC doesn't like #pragma weak macro(foo)- there's nothing of value to fortify in these files anyways, so just turn it off individually to fix the build.
  • sys/select.h: const'ify the fd_set that __fdset_idx() takes

    Some callers may be operating on a const fd_set and we don't particularly care, so const'ify it.
  • bsnmpd: FreeBSD has strlcpy(3)

    Fixes the fortified build with GCC

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kevans created this revision.Jul 15 2024, 3:23 AM
Herald added a subscriber: imp. · View Herald TranscriptJul 15 2024, 3:23 AM
kevans requested review of this revision.Jul 15 2024, 3:23 AM
Harbormaster completed remote builds in B58642: Diff 140887.Jul 15 2024, 3:23 AM
imp added a comment.Jul 15 2024, 3:34 AM

Can you use the __weak_symbol instead of the #pragma weak? I think it's supposed to do the same thing.

kevans added a comment.Jul 15 2024, 5:02 AM
In D45976#1048095, @imp wrote:

Can you use the __weak_symbol instead of the #pragma weak? I think it's supposed to do the same thing.

nm(1) seems to think it's fine and it builds fine under GCC as well, so I'll switch to that. Thanks!

kevans updated this revision to Diff 140888.Jul 15 2024, 5:04 AM

Switch to __weak_symbol

Harbormaster completed remote builds in B58643: Diff 140888.Jul 15 2024, 5:04 AM
kib accepted this revision.Jul 15 2024, 8:18 AM
kib added inline comments.
lib/libc/secure/Makefile.inc
7 ↗(On Diff #140888)

Please order alphabetically.

lib/libc/secure/Symbol.map
10 ↗(On Diff #140888)

Please order alphabetically

lib/libc/secure/mempcpy_chk.c
32 ↗(On Diff #140888)

Do we need cdefs.h? Is it kept to reduce the diff? The file is not in contrib, I think it is better to drop extra include.

This revision is now accepted and ready to land.Jul 15 2024, 8:18 AM
markj added inline comments.Jul 15 2024, 1:44 PM
crypto/openssl/providers/implementations/rands/seeding/rand_unix.c
395–396

Won't this condition take precedence?

kevans added inline comments.Jul 15 2024, 2:26 PM
crypto/openssl/providers/implementations/rands/seeding/rand_unix.c
395–396

Hmm, yeah,; the same is true for NetBSD, so it'll also fallback to the sysctl rather than getrandom(2). NetBSD hasn't removed KERN_ARND either, so maybe just flipping these around wholesale would be fine- I'd hazard a guess that the sysctl often takes more than one trip to fill the buffer on both platforms.

kevans updated this revision to Diff 140970.Jul 15 2024, 3:39 PM
kevans marked 4 inline comments as done.

Address review feedback

  • Proper sorting
  • Needless sys/cdefs.h include removed
  • Ordering of sysctl/getrandom use swapped, FreeBSD removed from the sysctl clause since we'll always have getrandom -- ordering mostly for NetBSD's benefit, then, since it seems hard to imagine they'd prefer the 256-byte at a time interface over the arbitrary buffer size interface.
This revision now requires review to proceed.Jul 15 2024, 3:39 PM
Harbormaster completed remote builds in B58648: Diff 140970.Jul 15 2024, 3:39 PM
markj accepted this revision as: markj.Jul 15 2024, 3:49 PM
markj added inline comments.
crypto/openssl/providers/implementations/rands/seeding/rand_unix.c
398

When upstreaming, I suspect you might want to dig a bit and find a __FreeBSD_version number to check, even though all supported FreeBSD releases have getrandom(). Our implementation hasn't been around all that long in the grand scheme of things, and I think OpenSSL tries harder than most projects to be portable. That said, I'm not sure exactly what their requirements are, so maybe you can just ignore me.

This revision is now accepted and ready to land.Jul 15 2024, 3:49 PM
kevans added inline comments.Jul 15 2024, 4:06 PM
crypto/openssl/providers/implementations/rands/seeding/rand_unix.c
398

*nod* OK, I'll lay out the situation and see how far they care to go

Closed by commit rG838b6caababb: openssl: use getrandom(2) instead of probing for getentropy(2) (authored by kevans). · Explain WhyJul 16 2024, 5:13 AM
This revision was automatically updated to reflect the committed changes.
kevans added a commit: rG838b6caababb: openssl: use getrandom(2) instead of probing for getentropy(2).
kevans added a commit: rGb8730c11a395: include: ssp: fix the build with earlier C standards.
kevans added a commit: rGd5f8270917bf: libc: switch to __weak_symbol for fortified interpose stubs.
kevans added a commit: rG0c47b9c211ed: include: ssp: don't shadow the mempcpy builtin.
kevans added a commit: rG4928dcc0ebdb: sys/select.h: const'ify the fd_set that __fdset_idx() takes.
kevans added a commit: rGdb3a524c8a96: bsnmpd: FreeBSD has strlcpy(3).
kevans added inline comments.Jul 16 2024, 6:03 AM
crypto/openssl/providers/implementations/rands/seeding/rand_unix.c
398

Upstreaming here: https://github.com/openssl/openssl/pull/24903 -- I dug out the FreeBSD version for it and left the kern.arandom fallback in place for the earlier versions.

netchild added a subscriber: netchild.Jul 16 2024, 7:21 AM

Revision Contents
Changeset List

PathSize
crypto/
openssl/
providers/
implementations/
rands/
seeding/
9 lines

Diff 141002

View Options

crypto/openssl/providers/implementations/rands/seeding/rand_unix.c

Loading...