libmd, kern, stand: consolidate md5 implementations (NFC)

Reduce the number of md5c.c between the three of these from two to one
by just reaching into the kernel build for both userland builds. The

libmd, kern, stand: consolidate md5 implementations (NFC)

Reduce the number of md5c.c between the three of these from two to one
by just reaching into the kernel build for both userland builds. The
precedent for this already exists for sha2 in both cases.

_libmd_ symbol privatization bits have been moved to sys/md5.h and
md5.h remains to #include <sys/md5.h> for compatibility.

This stops exporting MD5Pad() in the process because the kernel stopped
exporting it in 502a35d60f4c. soversion is bumped accordingly.

This also renames the libc version of stack_protector.c; it previously
only worked by coincidence because .PATH ordering worked out such that
we got the right one, but this is not the case anymore. Remove the
landmine.

PR: 280784 (exp-run)
Reviewed by: allanjude, delphij
Differential Revision: https://reviews.freebsd.org/D34497

show more ...

libc: Purge unneeded cdefs.h

These sys/cdefs.h are not needed. Purge them. They are mostly left-over
from the $FreeBSD$ removal. A few in libc are still required for macros
that cdefs.h defines. Kee

libc: Purge unneeded cdefs.h

These sys/cdefs.h are not needed. Purge them. They are mostly left-over
from the $FreeBSD$ removal. A few in libc are still required for macros
that cdefs.h defines. Keep those.

Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D42385

show more ...

Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

libc: ssp: remove some GCC 4.2 remnants

With GCC 4.2 out of the tree for a while now and no sign of it
returning, we don't really need to support older versions that don't
allow us to specify a ctor

libc: ssp: remove some GCC 4.2 remnants

With GCC 4.2 out of the tree for a while now and no sign of it
returning, we don't really need to support older versions that don't
allow us to specify a ctor priority anymore.

Noticed by: mjg

show more ...

libc: ssp: sprinkle around some __dead2

This is consistent with, e.g., NetBSD's implementation, which declares
these as noreturn in ssp/ssp.h.

ssp: knock out some trivial warnings that come up with WARNS=6

A future commit will rebuild this as part of libssp. The exact warnings are
fairly trivially fixed:
- No previous declaration for __sta

ssp: knock out some trivial warnings that come up with WARNS=6

A future commit will rebuild this as part of libssp. The exact warnings are
fairly trivially fixed:
- No previous declaration for __stack_chk_guard
- idx is the wrong type, nitems yields a size_t
- Casting away volatile on the tmp_stack_chk_guard directly is a no-no.

Reviewed by: kib, emaste, pfg, Oliver Pinter (earlier version)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D22943

show more ...

ssp: further refine the conditional used for constructor priority

__has_attribute(__constructor__) is a better test for clang than
defined(__clang__). Switch to it instead.

While we're already here

ssp: further refine the conditional used for constructor priority

__has_attribute(__constructor__) is a better test for clang than
defined(__clang__). Switch to it instead.

While we're already here and touching it, pfg@ nailed down when GCC actually
introduced the priority argument -- 4.3. Use that instead of our
hammer-guess of GCC >= 5 for the sake of correctness.

show more ...

ssp: rework the logic to use priority=200 on clang builds

The preproc logic was added at the last minute to appease GCC 4.2, and
kevans@ did clearly not go back and double-check that the logic worke

ssp: rework the logic to use priority=200 on clang builds

The preproc logic was added at the last minute to appease GCC 4.2, and
kevans@ did clearly not go back and double-check that the logic worked out
for clang builds to use the new variant.

It turns out that clang defines __GNUC__ == 4. Flip it around and check
__clang__ as well, leaving a note to remove it later.

Reported by: cem

show more ...

ssp: add a priority to the __stack_chk_guard constructor

First, this commit is a NOP on GCC <= 4.x; this decidedly doesn't work
cleanly on GCC 4.2, and it will be gone soon anyways so I chose not to

ssp: add a priority to the __stack_chk_guard constructor

First, this commit is a NOP on GCC <= 4.x; this decidedly doesn't work
cleanly on GCC 4.2, and it will be gone soon anyways so I chose not to dump
time into figuring out if there's a way to make it work. xtoolchain-gcc,
clocking in as GCC6, can cope with it just fine and later versions are also
generally ok with the syntax. I suspect very few users are running GCC4.2
built worlds and also experiencing potential fallout from the status quo.

For dynamically linked applications, this change also means very little.
rtld will run libc ctors before most others, so the situation is
approximately a NOP for these as well.

The real cause for this change is statically linked applications doing
almost questionable things in their constructors. qemu-user-static, for
instance, creates a thread in a global constructor for their async rcu
callbacks. In general, this works in other places-

- On OpenBSD, __stack_chk_guard is stored in an .openbsd.randomdata section
that's initialized by the kernel in the static case, or ld.so in the
dynamic case
- On Linux, __stack_chk_guard is apparently stored in TLS and such a problem
is circumvented there because the value is presumed stable in the new
thread.

On FreeBSD, the rcu thread creation ctor and __guard_setup are both unmarked
priority. qemu-user-static spins up the rcu thread prior to __guard_setup
which starts making function calls- some of these are sprinkled with the
canary. In the middle of one of these functions, __guard_setup is invoked in
the main thread and __stack_chk_guard changes- qemu-user-static is promptly
terminated for an SSP violation that didn't actually happen.

This is not an all-too-common problem. We circumvent it here by giving the
__stack_chk_guard constructor a solid priority. 200 was chosen because that
gives static applications ample range (down to 101) for working around it
if they really need to. I suspect most applications will "just work" as
expected- the default/non-prioritized flavor of __constructor__ functions
run last, and the canary is generally not expected to change as of this
point at the very least.

This took approximately three weeks of spare time debugging to pin down.

PR: 241905

show more ...

Carefully update stack guard bytes inside __guard_setup().

This is necessary to make sure that functions that can have stack
protection are not used to update the stack guard. If not, the stack
guar

Carefully update stack guard bytes inside __guard_setup().

This is necessary to make sure that functions that can have stack
protection are not used to update the stack guard. If not, the stack
guard check would fail when it shouldn't.

guard_setup() calls elf_aux_info(), which, in turn, calls memcpy() to
update stack_chk_guard. If either elf_aux_info() or memcpy() have
stack protection enabled, __stack_chk_guard will be modified before
returning from them, causing the stack protection check to fail.

This change uses a temporary buffer to delay changing
__stack_chk_guard until elf_aux_info() returns.

Submitted by: Luis Pires
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D15173

show more ...

libc: do not include <sys/types.h> where <sys/param.h> was already included

According to style(9):
> normally, include <sys/types.h> OR <sys/param.h>, but not both.
(<sys/param.h> already includes <

libc: do not include <sys/types.h> where <sys/param.h> was already included

According to style(9):
> normally, include <sys/types.h> OR <sys/param.h>, but not both.
(<sys/param.h> already includes <sys/types.h> when LOCORE is not defined).

show more ...

Move the stack protector to a new "secure" directory

As part of the code refactoring to support FORTIFY_SOURCE we want
a new subdirectory "secure" to keep the files related to security.
Move the sta

Move the stack protector to a new "secure" directory

As part of the code refactoring to support FORTIFY_SOURCE we want
a new subdirectory "secure" to keep the files related to security.
Move the stack protector functions to this new directory.

No functional change.

Differential Review: https://reviews.freebsd.org/D3333

show more ...

NetBSD commit log:
Use a constant array for the MIB. Newer LLVM decided that mib[] warranted
stack protections, with the obvious crash after the setup was done.
As a positive side effect, code

NetBSD commit log:
Use a constant array for the MIB. Newer LLVM decided that mib[] warranted
stack protections, with the obvious crash after the setup was done.
As a positive side effect, code size shrinks a bit.

I'm not sure why this hasn't bitten us yes, but it is certainly possible and
there are no real drawbacks to this change anyway.

Submitted by: pfg
Obtained from: NetBSD
MFC after: 1 week

show more ...

Revert r274772: it is not valid on MIPS

Reported by: sbruno

Use canonical __PIC__ flag

It is automatically set when -fPIC is passed to the compiler.

Reviewed by: dim, kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.or

Use canonical __PIC__ flag

It is automatically set when -fPIC is passed to the compiler.

Reviewed by: dim, kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D1179

show more ...

Clang related fixes:
* When calling syslog(), pass a format string.
* Define YY_NO_INPUT on nslexer.l

Submitted by: Norberto Lopes <nlopes.ml at gmail.com>

Remove extra FreeBSD tag.

MFC after: 3 days

Move the __stack_chk_fail_local@FBSD_1.0 compat symbol definition into
the separate .o for libc_pic.a. This prevents rtld from making the
symbol global.

Putting the stack_protector_compat.c into the

Move the __stack_chk_fail_local@FBSD_1.0 compat symbol definition into
the separate .o for libc_pic.a. This prevents rtld from making the
symbol global.

Putting the stack_protector_compat.c into the public domain acknowledged
by kan.

Reviewed by: kan
MFC after: 2 weeks

show more ...

Use aux vector to get values for SSP canary, pagesize, pagesizes array,
number of host CPUs and osreldate.

This eliminates the last sysctl(2) calls from the dynamically linked image
startup.

No obj

Use aux vector to get values for SSP canary, pagesize, pagesizes array,
number of host CPUs and osreldate.

This eliminates the last sysctl(2) calls from the dynamically linked image
startup.

No objections from: kan
Tested by: marius (sparc64)
MFC after: 1 month

show more ...

Make libc.a provide __stack_chk_fail_local weak alias. This is
needed to satisfy static libraries that are compiled with -fpic
and linked into static binary afterwards. Several libraries in
gcc are e

Make libc.a provide __stack_chk_fail_local weak alias. This is
needed to satisfy static libraries that are compiled with -fpic
and linked into static binary afterwards. Several libraries in
gcc are examples of such static libs.

show more ...

Second attempt at eliminating .text relocations in shared libraries
compiled with stack protector.

Use libssp_nonshared library to pull __stack_chk_fail_local symbol into
each library that needs it

Second attempt at eliminating .text relocations in shared libraries
compiled with stack protector.

Use libssp_nonshared library to pull __stack_chk_fail_local symbol into
each library that needs it instead of pulling it from libc. GCC
generates local calls to this function which result in absolute
relocations put into position-independent code segment, making dynamic
loader do extra work every time given shared library is being relocated
and making affected text pages non-shareable.

Reviewed by: kib
Approved by: re (kib)

show more ...

Back out previous revision until better tested fix is ready.

Approved by: re (impliciti, by approving previos check-in)

Eliminate .text relocations in shared libraries compiled with stack protector.

Use libssp_nonshared library to pull __stack_chk_fail_local symbol into
each library that needs it instead of pulling i

Eliminate .text relocations in shared libraries compiled with stack protector.

Use libssp_nonshared library to pull __stack_chk_fail_local symbol into
each library that needs it instead of pulling it from libc. GCC generates
local calls to this function which result in absolute relocations put into
position-independent code segment, making dynamic loader do extra work everys
time given shared library is being relocated and making affected text pages
non-shareable.

Reviewed by: kib
Approved by: re (kensmith)

show more ...

Expose __stack_chk_fail_local() so -fstack-protector-all works.

Follow NetBSD, OpenBSD and DragonfyBSD project and add BSD-licensed
SSP functions into FreeBSD libc. Use the same file name and location
for consistency with other projects.