Enable GCC stack protection (aka Propolice) for userland:

- It is opt-out for now so as to give it maximum testing, but it may be turned opt-in for stable branches depending on the consensus. You can turn it off with WITHOUT_SSP. - WITHOUT_SSP was previously used to disable the build of GNU libssp. It is harmless to steal the knob as SSP symbols have been provided by libc for a long time, GNU libssp should not have been much used. - SSP is disabled in a few corners such as system bootstrap programs (sys/boot), process bootstrap code (rtld, csu) and SSP symbols themselves. - It should be safe to use -fstack-protector-all to build world, however libc will be automatically downgraded to -fstack-protector because it breaks rtld otherwise. - This option is unavailable on ia64. Enable GCC stack protection (aka Propolice) for kernel: - It is opt-out for now so as to give it maximum testing. - Do not compile your kernel with -fstack-protector-all, it won't work. Submitted by: Jeremie Le Hen <jeremie@le-hen.org>
2008-06-25 21:33:28 +00:00 · 2008-06-25 21:33:28 +00:00 · 042df2e2da
commit 042df2e2da
parent 0d9e99b6ca
37 changed files with 126 additions and 22 deletions
--- a/Makefile.inc1
+++ b/Makefile.inc1
@ -225,6 +225,7 @@ BMAKE=		MAKEOBJDIRPREFIX=${WORLDTMP} \
 		${BMAKEENV} ${MAKE} -f Makefile.inc1 \
 		DESTDIR= \
 		BOOTSTRAPPING=${OSRELDATE} \
+		-DWITHOUT_SSP \
 		-DWITHOUT_HTML -DWITHOUT_INFO -DNO_LINT -DWITHOUT_MAN \
 		-DWITHOUT_NLS -DNO_PIC -DWITHOUT_PROFILE -DNO_SHARED \
 		-DNO_CPU_CFLAGS -DNO_WARNS -DNO_CTF
@ -235,7 +236,7 @@ TMAKE=		MAKEOBJDIRPREFIX=${OBJTREE} \
 		TARGET=${TARGET} TARGET_ARCH=${TARGET_ARCH} \
 		DESTDIR= \
 		BOOTSTRAPPING=${OSRELDATE} -DNO_LINT -DNO_CPU_CFLAGS \
-		-DNO_WARNS -DNO_CTF
+		-DNO_WARNS -DNO_CTF -DWITHOUT_SSP

 # cross-tools stage
 XMAKE=		TOOLS_PREFIX=${WORLDTMP} ${BMAKE} \
@ -452,7 +453,7 @@ build32:
 .if ${MK_KERBEROS} != "no"
 .for _t in obj depend all
 	cd ${.CURDIR}/kerberos5/tools; \
-	    MAKEOBJDIRPREFIX=${OBJTREE}/lib32 ${MAKE} DESTDIR= ${_t}
+	    MAKEOBJDIRPREFIX=${OBJTREE}/lib32 ${MAKE} -DWITHOUT_SSP DESTDIR= ${_t}
 .endfor
 .endif
 .for _t in obj includes
@ -474,7 +475,7 @@ build32:
 .endfor
 .for _dir in lib/ncurses/ncurses lib/ncurses/ncursesw lib/libmagic
 	cd ${.CURDIR}/${_dir}; \
-	    MAKEOBJDIRPREFIX=${OBJTREE}/lib32 ${MAKE} DESTDIR= build-tools
+	    MAKEOBJDIRPREFIX=${OBJTREE}/lib32 ${MAKE} -DWITHOUT_SSP DESTDIR= build-tools
 .endfor
 	cd ${.CURDIR}; \
 	    ${LIB32WMAKE} -f Makefile.inc1 libraries
@ -760,14 +761,14 @@ buildkernel:
 	@echo "--------------------------------------------------------------"
 	cd ${KRNLOBJDIR}/${_kernel}; \
 	    MAKESRCPATH=${KERNSRCDIR}/dev/aic7xxx/aicasm \
-	    ${MAKE} -DNO_CPU_CFLAGS -DNO_CTF \
+	    ${MAKE} -DWITHOUT_SSP -DNO_CPU_CFLAGS -DNO_CTF \
 	    -f ${KERNSRCDIR}/dev/aic7xxx/aicasm/Makefile
 # XXX - Gratuitously builds aicasm in the ``makeoptions NO_MODULES'' case.
 .if !defined(MODULES_WITH_WORLD) && !defined(NO_MODULES) && exists(${KERNSRCDIR}/modules)
 .for target in obj depend all
 	cd ${KERNSRCDIR}/modules/aic7xxx/aicasm; \
 	    MAKEOBJDIRPREFIX=${KRNLOBJDIR}/${_kernel}/modules \
-	    ${MAKE} -DNO_CPU_CFLAGS -DNO_CTF ${target}
+	    ${MAKE} -DWITHOUT_SSP -DNO_CPU_CFLAGS -DNO_CTF ${target}
 .endfor
 .endif
 .if !defined(NO_KERNELDEPEND)
--- a/gnu/lib/Makefile
+++ b/gnu/lib/Makefile
@ -2,7 +2,7 @@

 .include <bsd.own.mk>

-SUBDIR= csu libgcc libgcov libdialog libgomp libregex libreadline
+SUBDIR= csu libgcc libgcov libdialog libgomp libregex libreadline libssp

 # libsupc++ uses libstdc++ headers, although 'make includes' should
 # have taken care of that already.
@ -14,8 +14,4 @@ SUBDIR+= libstdc++ libsupc++
 SUBDIR+= libobjc
 .endif

-.if ${MK_SSP} != "no"
-SUBDIR+= libssp
-.endif
-
 .include <bsd.subdir.mk>
--- a/gnu/lib/csu/Makefile
+++ b/gnu/lib/csu/Makefile
@ -19,6 +19,7 @@ CFLAGS+=	-I${GCCLIB}/include -I${GCCDIR}/config -I${GCCDIR} -I. \
 		-I${CCDIR}/cc_tools
 CRTS_CFLAGS=	-DCRTSTUFFS_O -DSHARED ${PICFLAG}
 MKDEP=		-DCRT_BEGIN
+WITHOUT_SSP=

 .if ${MACHINE_ARCH} == "ia64"
 BEGINSRC=	crtbegin.asm
--- a/gnu/lib/libssp/Makefile
+++ b/gnu/lib/libssp/Makefile
@ -10,6 +10,7 @@ LIB=		ssp
 SHLIB_MAJOR=	0
 SHLIBDIR?=	/lib
 NO_PROFILE=
+WITHOUT_SSP=

 SRCS=	ssp.c gets-chk.c memcpy-chk.c memmove-chk.c mempcpy-chk.c \
 	memset-chk.c snprintf-chk.c sprintf-chk.c stpcpy-chk.c \
--- a/lib/csu/Makefile.inc
+++ b/lib/csu/Makefile.inc
@ -0,0 +1,3 @@
+# $FreeBSD$
+
+WITHOUT_SSP=
--- a/lib/libc/Makefile
+++ b/lib/libc/Makefile
@ -122,3 +122,9 @@ libkern.${MACHINE_ARCH}:: ${KMSRCS}

 # Disable warnings in contributed sources.
 CWARNFLAGS:=	${.IMPSRC:Ngdtoa_*.c:C/^.+$/${CWARNFLAGS}/}
+# XXX For now, we don't allow libc to be compiled with
+# -fstack-protector-all because it breaks rtld.  We may want to make a librtld
+# in the future to circumvent this.
+SSP_CFLAGS:=	${SSP_CFLAGS:S/^-fstack-protector-all$/-fstack-protector/}
+# Disable stack protection for SSP symbols.
+SSP_CFLAGS:=	${.IMPSRC:N*/stack_protector.c:C/^.+$/${SSP_CFLAGS}/}
--- a/lib/libstand/Makefile
+++ b/lib/libstand/Makefile
@ -12,6 +12,7 @@ NO_PIC=
 INCS=		stand.h
 MAN=		libstand.3

+WITHOUT_SSP=
 CFLAGS+= -ffreestanding -Wformat
 CFLAGS+= -I${.CURDIR}

--- a/lib/libthr/Makefile
+++ b/lib/libthr/Makefile
@ -8,6 +8,8 @@
 # (for system call stubs) to CFLAGS below.  -DSYSLIBC_SCCS affects just the
 # system call stubs.

+WITHOUT_SSP=
+
 .include <bsd.own.mk>

 .if ${SHLIBDIR} == "/usr/lib"
--- a/libexec/rtld-elf/Makefile
+++ b/libexec/rtld-elf/Makefile
@ -1,5 +1,7 @@
 # $FreeBSD$

+WITHOUT_SSP=
+
 .include <bsd.own.mk>

 PROG?=		ld-elf.so.1
--- a/release/Makefile
+++ b/release/Makefile
@ -680,7 +680,7 @@ release.6:
 	@rm -rf ${RD}/dists/ports/ports*
 	@mkdir -p ${RD}/dists/ports
 	@echo rolling ports/ports tarball
-	@tar --exclude CVS --exclude 'ports/distfiles/*' \
+	@tar --exclude CVS --exclude .svn --exclude 'ports/distfiles/*' \
 	  -czf ${RD}/dists/ports/ports.tgz -C /usr ports
 	@cp ${.CURDIR}/scripts/ports-install.sh ${RD}/dists/ports/install.sh
 	@(cd ${RD}/dists/ports; \
@ -779,7 +779,8 @@ release.8:
 .if ${TARGET} == "i386" || ${TARGET_ARCH} == "amd64"
 	@cp ${RD}/trees/base/boot/mbr ${RD}/mfsfd/boot
 .endif
-	@tar --exclude CVS -cf - -C ${.CURDIR}/../usr.sbin/sysinstall help | \
+	@tar --exclude CVS --exclude .svn -cf - \
+		-C ${.CURDIR}/../usr.sbin/sysinstall help | \
 		tar xf - -C ${RD}/mfsfd/stand
 	@mkdir -p ${RD}/mfsroot
 	sh -e ${DOFS_SH} ${RD}/mfsroot/mfsroot ${RD} ${MNT} \
@ -1098,7 +1099,7 @@ doTARBALL:
 	@( cd ${SD} && \
 		tn=`echo ${TN} | tr 'A-Z' 'a-z'` && \
 		echo rolling ${TD}/$$tn tarball &&\
-		tar --exclude CVS --exclude obj --exclude BOOTMFS -cf - ${ARG} | \
+		tar --exclude CVS --exclude .svn --exclude obj --exclude BOOTMFS -cf - ${ARG} | \
 		${ZIPNSPLIT} ${RD}/dists/${TD}/$$tn. && \
 		sh ${.CURDIR}/scripts/info.sh ${RD}/dists/${TD}/$$tn \
 		    > ${RD}/dists/${TD}/$$tn.inf && \
--- a/release/picobsd/build/picobsd
+++ b/release/picobsd/build/picobsd
@ -495,14 +495,15 @@ populate_floppy_fs() {		# OK
    else
 	excl=""
    fi
-    (cd ${PICO_TREE}/floppy.tree ; tar -cf - --exclude CVS ${excl} . ) | \
+    (cd ${PICO_TREE}/floppy.tree ; tar -cf - --exclude CVS --exclude .svn \
+    		${excl} . ) | \
 		(cd ${dst} ; tar x${o_tarv}f - )
    log "Copied from generic floppy-tree `echo; ls -laR ${dst}`"

    srcdir=${MY_TREE}/floppy.tree
    if [ -d ${srcdir} ] ; then
 	log "update with type-specific files:"
-	(cd ${srcdir} ; tar -cf - --exclude CVS . ) | \
+	(cd ${srcdir} ; tar -cf - --exclude CVS --exclude .svn . ) | \
 	    (cd ${dst} ; tar x${o_tarv}f - )
 	log "Copied from type floppy-tree `echo; ls -laR ${dst}`"
    else
@ -510,7 +511,7 @@ populate_floppy_fs() {		# OK
    fi
    if [ -d ${srcdir}.${SITE} ] ; then
 	log "Update with site-specific (${SITE}) files:"
-	(cd ${srcdir}.${SITE} ; tar -cf - --exclude CVS . ) | \
+	(cd ${srcdir}.${SITE} ; tar -cf - --exclude CVS --exclude .svn . ) | \
 	    (cd ${dst} ; tar x${o_tarv}f - )
 	log "Copied from site floppy-tree `echo; ls -laR ${dst}`"
    else
@ -593,7 +594,7 @@ populate_mfs_tree() {
    for MFS_TREE in ${PICO_TREE}/mfs_tree ${MY_TREE}/mfs_tree ; do
 	if [ -d ${MFS_TREE} ] ; then
 	    log "Copy ${MFS_TREE} ..."
-	    (cd ${MFS_TREE} ; tar -cf - --exclude CVS . ) | \
+	    (cd ${MFS_TREE} ; tar -cf - --exclude CVS --exclude .svn . ) | \
 		    (cd ${dst} ; tar x${o_tarv}f - )
 	fi
    done
--- a/rescue/librescue/Makefile
+++ b/rescue/librescue/Makefile
@ -2,6 +2,8 @@
 # $FreeBSD$
 #

+WITHOUT_SSP=
+
 .include <bsd.own.mk>

 # Certain library entries have hard-coded references to
--- a/rescue/rescue/Makefile
+++ b/rescue/rescue/Makefile
@ -2,6 +2,7 @@
 #	@(#)Makefile	8.1 (Berkeley) 6/2/93

 NO_MAN=
+WITHOUT_SSP=

 .include <bsd.own.mk>

--- a/share/mk/bsd.sys.mk
+++ b/share/mk/bsd.sys.mk
@ -74,5 +74,11 @@ CWARNFLAGS	+=	-Werror
 CWARNFLAGS	+=	-Wno-unknown-pragmas
 .endif

+.if ${MK_SSP} != "no" && ${CC} != "icc" && ${MACHINE_ARCH} != "ia64"
+# Don't use -Wstack-protector as it breaks world with -Werror.
+SSP_CFLAGS	?=	-fstack-protector
+CFLAGS		+=	${SSP_CFLAGS}
+.endif
+
 # Allow user-specified additional warning flags
 CFLAGS		+=	${CWARNFLAGS}
--- a/sys/boot/Makefile.inc
+++ b/sys/boot/Makefile.inc
@ -0,0 +1,3 @@
+# $FreeBSD$
+
+WITHOUT_SSP=
--- a/sys/boot/arm/Makefile.inc
+++ b/sys/boot/arm/Makefile.inc
@ -0,0 +1,3 @@
+# $FreeBSD$
+
+.include "../Makefile.inc"
--- a/sys/boot/arm/at91/Makefile.inc
+++ b/sys/boot/arm/at91/Makefile.inc
@ -53,3 +53,5 @@ MK_FPGA:=no
 .endif

 .endif
+
+.include "../Makefile.inc"
--- a/sys/boot/efi/Makefile.inc
+++ b/sys/boot/efi/Makefile.inc
@ -5,3 +5,5 @@ BINDIR?=	/boot
 # Options used when building app-specific efi components
 CFLAGS+=	-ffreestanding -fshort-wchar -Wformat
 LDFLAGS+=	-nostdlib
+
+.include "../Makefile.inc"
--- a/sys/boot/i386/Makefile.inc
+++ b/sys/boot/i386/Makefile.inc
@ -24,3 +24,5 @@ BTXDIR=		${.CURDIR}/../btx
 BTXLDR=		${BTXDIR}/btxldr/btxldr
 BTXKERN=	${BTXDIR}/btx/btx
 BTXCRT=		${BTXDIR}/lib/crt0.o
+
+.include "../Makefile.inc"
--- a/sys/boot/i386/loader/Makefile
+++ b/sys/boot/i386/loader/Makefile
@ -1,5 +1,7 @@
 # $FreeBSD$

+WITHOUT_SSP=
+
 .include <bsd.own.mk>

 PROG=		loader.sym
--- a/sys/boot/ia64/Makefile.inc
+++ b/sys/boot/ia64/Makefile.inc
@ -5,3 +5,5 @@ BINDIR?=	/boot
 # Options used when building standalone components
 CFLAGS+=	-ffreestanding -fshort-wchar -Wformat
 LDFLAGS+=	-nostdlib
+
+.include "../Makefile.inc"
--- a/sys/boot/ia64/common/Makefile
+++ b/sys/boot/ia64/common/Makefile
@ -1,5 +1,7 @@
 # $FreeBSD$

+WITHOUT_SSP=
+
 .include <bsd.own.mk>

 LIB=		ia64
--- a/sys/boot/ia64/efi/Makefile
+++ b/sys/boot/ia64/efi/Makefile
@ -1,6 +1,7 @@
 # $FreeBSD$

 NO_MAN=
+WITHOUT_SSP=

 .include <bsd.own.mk>

--- a/sys/boot/ia64/ski/Makefile
+++ b/sys/boot/ia64/ski/Makefile
@ -1,6 +1,7 @@
 # $FreeBSD$

 NO_MAN=
+WITHOUT_SSP=

 .include <bsd.own.mk>

--- a/sys/boot/ofw/Makefile.inc
+++ b/sys/boot/ofw/Makefile.inc
@ -0,0 +1,3 @@
+# $FreeBSD$
+
+.include "../Makefile.inc"
--- a/sys/boot/pc98/Makefile.inc
+++ b/sys/boot/pc98/Makefile.inc
@ -19,3 +19,5 @@ BTXDIR=		${.CURDIR}/../btx
 BTXLDR=		${BTXDIR}/btxldr/btxldr
 BTXKERN=	${BTXDIR}/btx/btx
 BTXCRT=		${BTXDIR}/lib/crt0.o
+
+.include "../Makefile.inc"
--- a/sys/boot/pc98/loader/Makefile
+++ b/sys/boot/pc98/loader/Makefile
@ -1,5 +1,7 @@
 # $FreeBSD$

+WITHOUT_SSP=
+
 .include <bsd.own.mk>

 PROG=		loader.sym
--- a/sys/boot/powerpc/Makefile.inc
+++ b/sys/boot/powerpc/Makefile.inc
@ -0,0 +1,3 @@
+# $FreeBSD$
+
+.include "../Makefile.inc"
--- a/sys/boot/powerpc/ofw/Makefile
+++ b/sys/boot/powerpc/ofw/Makefile
@ -1,5 +1,7 @@
 # $FreeBSD$

+WITHOUT_SSP=
+
 .include <bsd.own.mk>

 PROG=		loader
--- a/sys/boot/sparc64/Makefile.inc
+++ b/sys/boot/sparc64/Makefile.inc
@ -3,3 +3,5 @@
 BINDIR?=	/boot
 CFLAGS+=	-ffreestanding
 LDFLAGS+=	-nostdlib
+
+.include "../Makefile.inc"
--- a/sys/boot/sparc64/loader/Makefile
+++ b/sys/boot/sparc64/loader/Makefile
@ -1,5 +1,7 @@
 # $FreeBSD$

+WITHOUT_SSP=
+
 .include <bsd.own.mk>

 PROG=		loader
--- a/sys/boot/uboot/Makefile.inc
+++ b/sys/boot/uboot/Makefile.inc
@ -0,0 +1,3 @@
+# $FreeBSD$
+
+.include "../Makefile.inc"
--- a/sys/conf/files
+++ b/sys/conf/files
@ -1608,6 +1608,8 @@ kern/posix4_mib.c		standard
 kern/sched_4bsd.c		optional sched_4bsd
 kern/sched_ule.c		optional sched_ule
 kern/serdev_if.m		standard
+kern/stack_protector.c		standard \
+	compile-with "${NORMAL_C:N-fstack-protector*}"
 kern/subr_acl_posix1e.c		standard
 kern/subr_autoconf.c		standard
 kern/subr_blist.c		standard
--- a/sys/conf/kern.mk
+++ b/sys/conf/kern.mk
@ -106,3 +106,10 @@ CFLAGS+=	-ffreestanding
 .if ${CC} == "icc"
 CFLAGS+=	-restrict
 .endif
+
+#
+# GCC SSP support.
+#
+.if ${MK_SSP} != "no" && ${CC} != "icc" && ${MACHINE_ARCH} != "ia64"
+CFLAGS+=	-fstack-protector
+.endif
--- a/sys/conf/kern.pre.mk
+++ b/sys/conf/kern.pre.mk
@ -3,10 +3,7 @@
 # Part of a unified Makefile for building kernels.  This part contains all
 # of the definitions that need to be before %BEFORE_DEPEND.

-SRCCONF?=	/etc/src.conf
-.if exists(${SRCCONF})
-.include "${SRCCONF}"
-.endif
+.include <bsd.own.mk>

 # Can be overridden by makeoptions or /etc/make.conf
 KERNEL_KO?=	kernel
--- a/sys/kern/stack_protector.c
+++ b/sys/kern/stack_protector.c
@ -0,0 +1,35 @@
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/kernel.h>
+#include <sys/systm.h>
+#include <sys/libkern.h>
+
+#if defined(__SSP__) || defined(__SSP_ALL__)
+long __stack_chk_guard[8] = {};
+void __stack_chk_fail(void);
+
+void
+__stack_chk_fail(void)
+{
+
+	panic("stack overflow detected; backtrace may be corrupted");
+}
+
+#define __arraycount(__x)	(sizeof(__x) / sizeof(__x[0]))
+static void
+__stack_chk_init(void *dummy __unused)
+{
+	size_t i;
+	long guard[__arraycount(__stack_chk_guard)];
+
+	arc4rand(guard, sizeof(guard), 0);
+	for (i = 0; i < __arraycount(guard); i++)
+		__stack_chk_guard[i] = guard[i];
+}
+/* SI_SUB_EVENTHANDLER is right after SI_SUB_LOCK used by arc4rand() init. */
+SYSINIT(stack_chk, SI_SUB_EVENTHANDLER, SI_ORDER_ANY, __stack_chk_init, NULL);
+
+#endif
--- a/tools/build/options/WITHOUT_SSP
+++ b/tools/build/options/WITHOUT_SSP
@ -1,2 +1,2 @@
 .\" $FreeBSD$
-Set to not build propolice stack smashing protection library.
+Set to not build world with propolice stack smashing protection.