Commit Graph

22 Commits

Author SHA1 Message Date
Robert Clausecker
8983acc8de lib/libc/string: apply SSP hardening and tests to memset_explicit
Reviewed by:	emaste, kevans
Differential Revision:	https://reviews.freebsd.org/D47286
2024-11-14 23:10:00 +01:00
Simon J. Gerraty
a64729f507 Update Makefile.depend files
After building packages we have a number of new
and updated Makefile.depend files

Reviewed by:	stevek
2024-10-14 10:26:17 -07:00
Kyle Evans
c25e55bcf8 include: ssp: hide gets_s behind __EXT1_VISIBLE
These were supposed to match the visibility of the system's declaration,
but this one was overlooked.  Fix it now so that `rsize_t` can be hidden
appropriately.

Reported by:	Shawn Webb (and now others)
2024-10-02 12:47:55 -05:00
Kyle Evans
de866aa352 ssp: switch to _limits.h for the upper bound of size_t
The definitions in _stdint.h have some complications around visibility
that _limits.h does not have.  Switch to __SIZE_T_MAX to avoid those.

This fixes the devel/gperf, devel/glib20 and math/mpfr builds with
_FORTIFY_SOURCE enabled to unlock a large fraction of the ports tree to
build.

Reported by:	Shawn Webb (HardenedBSD)
Sponsored by:	Klara, Inc.
Sponsored by:	Stormshield
2024-08-01 15:42:17 -05:00
Kyle Evans
9333e1cbd0 include: ssp: hide ppoll redirect behind __BSD_VISIBLE
This mirrors ppoll's visibility in sys/poll.h and fixes a build issue
with some _POSIX_C_SOURCE requests due to missing the sigset_t typedef.

Reported by:	eduardo
Sponsored by:	Klara, Inc.
Sponsored by:	Stormshield
2024-07-30 11:36:58 -05:00
Kyle Evans
9a3f7fb46c include: ssp: fix last bare inline
This was missed in b8730c11a3 ("include: ssp: fix the build [...]"),
but <ssp/wchar.h> also had a bare `inline` in use.  Swap it over to
__ssp_inline as well.

Reported by:	netchild
Sponsored by:	Klara, Inc.
Sponsored by:	Stormshield
2024-07-20 23:17:55 -05:00
Kyle Evans
0c47b9c211 include: ssp: don't shadow the mempcpy builtin
GCC emits a warning about shadowing a builtin with our mempcpy
declaration, so switch it to using the same model as memcpy() and
use the apparently-existing __builtin___mempcpy_chk().

Reviewed by:	kib (earlier version), markj
Sponsored by:	Klara, Inc.
Sponsored by:	Stormshield
Differential Revision:	https://reviews.freebsd.org/D45976
2024-07-16 00:12:28 -05:00
Kyle Evans
b8730c11a3 include: ssp: fix the build with earlier C standards
`inline` isn't always a keyword, so we should be using __ssp_inline
as we do everywhere else in the _FORTIFY_SOURCE support.  Variable
declarations in a loop initializer are also not always supported, so
declare any loop vars in advance.

Reviewed by:	kib (earlier version), markj
Sponsored by:	Klara, Inc.
Sponsored by:	Stormshield
Differential Revision:	https://reviews.freebsd.org/D45976
2024-07-16 00:12:27 -05:00
Kyle Evans
1f155d48f8 include: ssp: fortify <sys/socket.h>
The entire recv*() implementation set is ripe for opportunities to
validate, so do what we can with what we have.

Reviewed by:	markj
Sponsored by:	Klara, Inc.
Sponsored by:	Stormshield
Differential Revision:	https://reviews.freebsd.org/D45686
2024-07-13 00:16:26 -05:00
Kyle Evans
1ace24b30c include: ssp: fortify <sys/uio.h>
Check both the buffer size of the iov object itself, as well as that
of each individual io base.

Reviewed by:	markj
Sponsored by:	Klara, Inc.
Sponsored by:	Stormshield
Differential Revision:	https://reviews.freebsd.org/D45684
2024-07-13 00:16:25 -05:00
Kyle Evans
062d9380b9 include: ssp: fortify <sys/random.h>
That is to say, fortify getrandom(2).

Reviewed by:	markj
Sponsored by:	Klara, Inc.
Sponsored by:	Stormshield
Differential Revision:	https://reviews.freebsd.org/D45683
2024-07-13 00:16:25 -05:00
Kyle Evans
b53d7aa88f include: ssp: fortify <wchar.h>
This includes all of the w*() equivalents to str*()/mem*() implemented
in more or less the same way.  For these ones, we'll just use
header-only implementations from the start to stop further cluttering
the libc symbol table.

Reviewed by:	markj
Sponsored by:	Klara, Inc.
Sponsored by:	Stormshield
Differential Revision:	https://reviews.freebsd.org/D45682
2024-07-13 00:16:25 -05:00
Kyle Evans
d0b7445904 include: ssp: fortify <stdlib.h>
The immediately obvious and attractive targets from <stdlib.h> are
arc4random_buf(3) and realpath(3) -- scraping the header didn't reveal
much else of interest.

Reviewed by:	markj
Sponsored by:	Klara, Inc.
Sponsored by:	Stormshield
Differential Revision:	https://reviews.freebsd.org/D45681
2024-07-13 00:16:24 -05:00
Kyle Evans
88276dfbf1 include: ssp: fortify poll/ppoll from <poll.h>
For poll/ppoll we just need to bounds-check the poll array that we're
about to write out to.

Reviewed by:	kib, markj (earlier version)
Sponsored by:	Klara, Inc.
Sponsored by:	Stormshield
Differential Revision:	https://reviews.freebsd.org/D45680
2024-07-13 00:16:24 -05:00
Kyle Evans
cf8e5289a1 include: ssp: round out fortification of current set of headers
ssp/ssp.h needed some improvements:
 - `len` isn't always a size_t, it may need to be cast
 - In some cases we may want to use a len that isn't specified as a
    parameter (e.g., L_ctermid), so __ssp_redirect() should be more
    flexible.
 - In other cases we may want additional checking, so pull all of the
    declaration bits out of __ssp_redirect_raw() so that some functions
    can implement the body themselves.

strlcat/strlcpy should be the last of the fortified functions that get
their own __*_chk symbols, and these cases are only done to be
consistent with the rest of the str*() set.

Reviewed by:	markj
Sponsored by:	Klara, Inc.
Sponsored by:	Stormshield
Differential Revision:	https://reviews.freebsd.org/D45679
2024-07-13 00:16:24 -05:00
Kyle Evans
c10d567ea0 include: de-macro __ssp_overlap(), improve semantics and checking
Switch away from pointer arithmetic to provide more obvious semantics
for checking overlap on pointer ranges.  This lets us remove some casts
that need not exist and removes some possible fragility in its use.

While we're here, check for overflow just in case; sometimes we use a
caller-supplied size if __builtin_object_size(3) can't deduce the buffer
size, and we should fail the check if the size is nonsensical for the
provided buffers.

Reviewed by:	markj
Sponsored by:	Klara, Inc.
Sponsored by:	Stormshield
2024-07-13 00:16:23 -05:00
Kyle Evans
4719366192 libc: move __ssp_overlap back out into <ssp/ssp.h>
We'll be using it in some upcoming definitions in headers, so move it
back now but slap a warning on it.  Our upcoming uses will all be inside
of inline functions, so we're not overly concerned about double
evaluation immediately.

Reviewed by:	markj
Sponsored by:	Klara, Inc.
Sponsored by:	Stormshield
Differential Revision:	https://reviews.freebsd.org/D45677
2024-07-13 00:16:23 -05:00
Kyle Evans
5af6fbd727 ssp: appease -Wgnu-statement-expression-from-macro-expansion
It's a stupid warning, but some ports enable it by default and were
already defining _FORTIFY_SOURCE, thus exposing the new macros
immediately.  This at least fixes the libfido2 build, perhaps others as
well.

While we're here, fix a fresh build of stand w/ FORTIFY_SOURCE enabled
by not pulling in the ssp headers if _STANDALONE is defined.  We do not
have runtime support in libsa as of the time of writing.

Reported by:	netchild
Sponsored by:	Stormshield
Sponsored by:	Klara, Inc.
2024-05-14 18:22:18 -05:00
Kyle Evans
0ed58ac88a include: ssp: kill off leftover $FreeBSD$ tag
Most of these were fixed when rebasing the patch forward, but this one
seems to have been missed.

Reported by:	marck
Fixes:	be04fec426 ("Import _FORTIFY_SOURCE implementation [...]")
2024-05-13 17:45:55 -05:00
Kyle Evans
8b0682644e Fix the GCC build after _FORTIFY_SOURCE import
We haven't exposed gets(3) in a long time, rip out __gets_chk before
it's too late and something builds a gets(3) user with it enabled.
2024-05-13 11:21:38 -05:00
Kyle Evans
e55512504d Prepare the system for _FORTIFY_SOURCE
Notably:
- libc needs to #undef some of the macros from ssp/* for underlying
  implementations
- ssp/* wants a __RENAME() macro (snatched more or less from NetBSD)

There's some extra hinkiness included for read(), since libc spells it
as "_read" while the rest of the world spells it "read."

Reviewed by:	imp, ngie
Sponsored by:	Stormshield
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D32307
2024-05-13 00:23:50 -05:00
Kyle Evans
be04fec426 Import _FORTIFY_SOURCE implementation from NetBSD
This is a mostly-unmodified copy of the various *_chk implementations
and headers from NetBSD, without yet modifying system headers to start
actually including them.  A future commit will also apply the needed
bits to fix ssp/unistd.h.

Reviewed by:	imp, pauamma_gundo.com (both previous versions), kib
Sponsored by:	Stormshield
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D32306
2024-05-13 00:23:49 -05:00