Index: etc/mtree/BSD.include.dist =================================================================== --- etc/mtree/BSD.include.dist (revision 286760) +++ etc/mtree/BSD.include.dist (working copy) @@ -321,6 +321,8 @@ mac_partition .. .. + secure + .. ssp .. sys Index: gnu/usr.bin/binutils/libbfd/Makefile =================================================================== --- gnu/usr.bin/binutils/libbfd/Makefile (revision 286760) +++ gnu/usr.bin/binutils/libbfd/Makefile (working copy) @@ -2,6 +2,8 @@ .include "../Makefile.inc0" +MK_FORTIFY= no + .PATH: ${SRCDIR}/bfd ${SRCDIR}/opcodes LIB= bfd Index: gnu/usr.bin/binutils/objdump/Makefile =================================================================== --- gnu/usr.bin/binutils/objdump/Makefile (revision 286760) +++ gnu/usr.bin/binutils/objdump/Makefile (working copy) @@ -4,6 +4,8 @@ .PATH: ${SRCDIR}/binutils ${SRCDIR}/binutils/doc +MK_FORTIFY= no + PROG= objdump SRCS= objdump.c prdbg.c CFLAGS+= -D_GNU_SOURCE Index: include/Makefile =================================================================== --- include/Makefile (revision 286760) +++ include/Makefile (working copy) @@ -6,7 +6,7 @@ .include CLEANFILES= osreldate.h version vers.c -SUBDIR= arpa protocols rpcsvc rpc xlocale +SUBDIR= arpa protocols rpcsvc rpc secure xlocale INCS= a.out.h ar.h assert.h bitstring.h complex.h cpio.h _ctype.h ctype.h \ db.h \ dirent.h dlfcn.h elf.h elf-hints.h err.h fmtmsg.h fnmatch.h fstab.h \ Index: include/secure/Makefile =================================================================== --- include/secure/Makefile (revision 0) +++ include/secure/Makefile (working copy) @@ -0,0 +1,6 @@ +# $FreeBSD$ + +INCS= security.h _poll.h _socket.h _stat.h _stdio.h _string.h _strings.h _unistd.h +INCSDIR= ${INCLUDEDIR}/secure + +.include Index: include/secure/_poll.h =================================================================== --- include/secure/_poll.h (revision 0) +++ include/secure/_poll.h (working copy) @@ -0,0 +1,96 @@ +/* + * Copyright (C) 2008 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: eeb9f5e41662828989f3913d81ec23229a668434 + * + * $FreeBSD$ + */ + +#ifndef _SYS_POLL_H_ +#error "You should not use directly; include instead." +#endif + +#ifndef _SECURE_POLL_H_ +#define _SECURE_POLL_H_ + +#include + +__BEGIN_DECLS + +int __poll_chk(struct pollfd *, nfds_t, int, size_t); +int __poll_real(struct pollfd *, nfds_t, int) __RENAME(poll); +__errordecl(__poll_too_small_error, "poll: pollfd array smaller than fd count"); + +int __ppoll_chk(struct pollfd *, nfds_t, const struct timespec *, const sigset_t *, size_t); +int __ppoll_real(struct pollfd *, nfds_t, const struct timespec *, const sigset_t *) __RENAME(ppoll); +__errordecl(__ppoll_too_small_error, "ppoll: pollfd array smaller than fd count"); + +#ifdef __BSD_FORTIFY + +__FORTIFY_INLINE int +poll(struct pollfd *_fds, nfds_t _fd_count, int _timeout) +{ + size_t _bos = __bos(_fds); + +#ifdef __clang__ + return (__poll_chk(_fds, _fd_count, _timeout, _bos)); +#else + if (_bos != __FORTIFY_UNKNOWN_SIZE) { + if (!__builtin_constant_p(_fd_count)) + return (__poll_chk(_fds, _fd_count, _timeout, _bos)); + else if (_bos / sizeof(*_fds) < _fd_count) + __poll_too_small_error(); + } + return (__poll_real(_fds, _fd_count, _timeout)); +#endif +} + +#if __BSD_VISIBLE +__FORTIFY_INLINE int +ppoll(struct pollfd *_fds, nfds_t _fd_count, const struct timespec *_timeout, const sigset_t *_mask) +{ + size_t _bos = __bos(_fds); + +#ifdef __clang__ + return (__ppoll_chk(_fds, _fd_count, _timeout, _mask, _bos)); +#else + if (_bos != __FORTIFY_UNKNOWN_SIZE) { + if (!__builtin_constant_p(_fd_count)) + return (__ppoll_chk(_fds, _fd_count, _timeout, _mask, _bos)); + else if (_bos / sizeof(*_fds) < _fd_count) + __ppoll_too_small_error(); + } + return (__ppoll_real(_fds, _fd_count, _timeout, _mask)); +#endif +} +#endif + +#endif + +__END_DECLS + +#endif /* !_SECURE_POLL_H_ */ Index: include/secure/_socket.h =================================================================== --- include/secure/_socket.h (revision 0) +++ include/secure/_socket.h (working copy) @@ -0,0 +1,83 @@ +/* + * Copyright (C) 2008 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: a8993c994e45ec2dc00dcef15910560e22d67be9 + * + * $FreeBSD$ + */ + + +#ifndef _SYS_SOCKET_H_ +#error "You should not use directly; include instead." +#endif + +#ifndef _SECURE_SOCKET_H_ +#define _SECURE_SOCKET_H_ + +#include +#include + +__BEGIN_DECLS + +extern ssize_t __recvfrom_chk(int, void *, size_t, size_t, int, struct sockaddr * __restrict, socklen_t * __restrict); +extern ssize_t __recvfrom_real(int, void *, size_t, int, const struct sockaddr *, socklen_t *) __RENAME(recvfrom); +__errordecl(__recvfrom_error, "recvfrom called with size bigger than buffer"); + +#ifdef __BSD_FORTIFY + +__FORTIFY_INLINE ssize_t +recvfrom(int _s, void *_buf, size_t _len, int _flags, struct sockaddr * __restrict _from, socklen_t * __restrict _fromlen) +{ + size_t _bos = __bos0(_buf); + +#ifndef __clang__ + if (_bos == __FORTIFY_UNKNOWN_SIZE) + return (__recvfrom_real(_s, _buf, _len, _flags, _from, _fromlen)); + + if (__builtin_constant_p(_len) && (_len <= _bos)) + return (__recvfrom_real(_s, _buf, _len, _flags, _from, _fromlen)); + + if (__builtin_constant_p(_len) && (_len > _bos)) + __recvfrom_error(); +#endif + + return (__recvfrom_chk(_s, _buf, _len, _bos, _flags, _from, _fromlen)); +} + + +__FORTIFY_INLINE ssize_t +recv(int _s, void *_buf, size_t _len, int _flags) +{ + + return recvfrom(_s, _buf, _len, _flags, NULL, 0); +} + +#endif /* !__BSD_FORTIFY */ + +__END_DECLS + +#endif /* !_SECURE_SOCKET_H */ Index: include/secure/_stat.h =================================================================== --- include/secure/_stat.h (revision 0) +++ include/secure/_stat.h (working copy) @@ -0,0 +1,70 @@ +/*- + * Copyright (C) 2008 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: d807b9a12d3e49132b095df3d883618452033b51 + * + * $FreeBSD$ + */ + +#ifndef _SYS_STAT_H_ +#error "You should not use directly; include instead." +#endif + +#ifndef _SECURE_STAT_H_ +#define _SECURE_STAT_H_ + +#include + +__BEGIN_DECLS + +extern mode_t __umask_chk(mode_t); +#ifndef __FORTIFY_UMASK_REAL +#define __FORTIFY_UMASK_REAL 1 +extern mode_t __umask_real(mode_t) __RENAME(umask); +#endif +__errordecl(__umask_invalid_mode, "umask called with invalid mode"); + +#ifdef __BSD_FORTIFY + +__FORTIFY_INLINE mode_t +umask(mode_t _mode) +{ +#ifndef __clang__ + if (__builtin_constant_p(_mode)) { + if ((_mode & 0777) != _mode) + __umask_invalid_mode(); + + return (__umask_real(_mode)); + } +#endif + return (__umask_chk(_mode)); +} +#endif /* defined(__BSD_FORTIFY) */ + +__END_DECLS + +#endif /* !_SECURE_STAT_H_ */ Index: include/secure/_stdio.h =================================================================== --- include/secure/_stdio.h (revision 0) +++ include/secure/_stdio.h (working copy) @@ -0,0 +1,240 @@ +/*- + * Copyright (c) 1990 The Regents of the University of California. + * All rights reserved. + * + * This code is derived from software contributed to Berkeley by + * Chris Torek. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * @(#)stdio.h 5.17 (Berkeley) 6/3/91 + * $OpenBSD: stdio.h,v 1.35 2006/01/13 18:10:09 miod Exp $ + * $NetBSD: stdio.h,v 1.18 1996/04/25 18:29:21 jtc Exp $ + * bionic rev: 6cc98af72b0c48c58b2ab5fdb5f7abb842175299 + * $FreeBSD$ + */ + +#ifndef _STDIO_H_ +#error "You should not use directly; include instead." +#endif + +#ifndef _SECURE_STDIO_H_ +#define _SECURE_STDIO_H_ + +#include +#include + +__BEGIN_DECLS + +extern char *__fgets_chk(char *, int, FILE *, size_t); +extern char *__fgets_real(char *, int, FILE *) __RENAME(fgets); +__errordecl(__fgets_too_big_error, "fgets called with size bigger than buffer"); +__errordecl(__fgets_too_small_error, "fgets called with size less than zero"); +extern size_t __fread_chk(void * __restrict, size_t, size_t, FILE * __restrict, size_t); +extern size_t __fread_real(void * __restrict, size_t, size_t, FILE * __restrict) __RENAME(fread); +__errordecl(__fread_too_big_error, "fread called with size * count bigger than buffer"); +__errordecl(__fread_overflow, "fread called with overflowing size * count"); +extern size_t __fwrite_chk(const void * __restrict, size_t, size_t, FILE * __restrict, size_t); +extern size_t __fwrite_real(const void * __restrict, size_t, size_t, FILE * __restrict) __RENAME(fwrite); +__errordecl(__fwrite_too_big_error, "fwrite called with size * count bigger than buffer"); +__errordecl(__fwrite_overflow, "fwrite called with overflowing size * count"); +extern int __sprintf_chk(char * __restrict, int, size_t, const char * __restrict, ...); +extern int __sprintf_real(char * __restrict, const char * __restrict, ...) __RENAME(sprintf); +extern int __vsprintf_chk(char * __restrict, int, size_t, const char * __restrict, __va_list); +extern int __vsprintf_real(char * __restrict, const char * __restrict, __va_list) __RENAME(vsprintf); + +#if __ISO_C_VISIBLE >= 1999 +extern int __snprintf_chk(char * __restrict, size_t, int, size_t, const char * __restrict, ...); +extern int __snprintf_real(char * __restrict, size_t, const char * __restrict, ...) __RENAME(snprintf) __printflike(3, 4); +extern int __vsnprintf_chk(char * __restrict, size_t, int, size_t, const char * __restrict, __va_list); +extern int __vsnprintf_real(char * __restrict, size_t, const char * __restrict, __va_list) __RENAME(vsnprintf) __printflike(3, 0); +#endif + +#ifdef __BSD_FORTIFY + +#if __ISO_C_VISIBLE >= 1999 +__FORTIFY_INLINE __printflike(3, 0) int +vsnprintf(char *_dest, size_t _size, const char *_format, __va_list _ap) +{ + size_t _bos = __bos(_dest); + +#ifndef __clang__ + if (_bos == __FORTIFY_UNKNOWN_SIZE) + return (__vsnprintf_real(_dest, _size, _format, _ap)); +#endif + + return (__vsnprintf_chk(_dest, _size, 0, _bos, _format, _ap)); +} +#endif /* __ISO_C_VISIBLE */ + +__FORTIFY_INLINE __printflike(2, 0) int +vsprintf(char *_dest, const char *_format, __va_list _ap) +{ + size_t _bos = __bos(_dest); + +#ifndef __clang__ + if (_bos == __FORTIFY_UNKNOWN_SIZE) + return (__vsprintf_real(_dest, _format, _ap)); +#endif + + return (__vsprintf_chk(_dest, 0, _bos, _format, _ap)); +} + + +#if __ISO_C_VISIBLE >= 1999 +#if !__has_builtin(__builtin_va_arg_pack) && !__GNUC_PREREQ__(4, 3) /* defined(__clang__) */ +#if !defined(snprintf) && !defined(__cplusplus) +#define __wrap_snprintf(_dest, _size, ...) __snprintf_chk(_dest, _size, 0, __bos(_dest), __VA_ARGS__) +#define snprintf(...) __wrap_snprintf(__VA_ARGS__) +#endif /* !snprintf */ +#else /* __GNUC_PREREQ__(4, 3) */ +__FORTIFY_INLINE __printflike(3, 4) int +snprintf(char *_dest, size_t _size, const char *_format, ...) +{ + size_t _bos = __bos(_dest); + + if (_bos == __FORTIFY_UNKNOWN_SIZE) + return (__snprintf_real(_dest, _size, _format, + __builtin_va_arg_pack())); + + return (__snprintf_chk(_dest, _size, 0, _bos, _format, + __builtin_va_arg_pack())); +} +#endif /* !__GNUC_PREREQ__(4, 3) */ +#endif /* __ISO_C_VISIBLE */ + +#if !__has_builtin(__builtin_va_arg_pack) && !__GNUC_PREREQ__(4, 3) /* defined(__clang__) */ +#if !defined(sprintf) && !defined(__cplusplus) +#define __wrap_sprintf(_dest, ...) __sprintf_chk(_dest, 0, __bos(_dest), __VA_ARGS__) +#define sprintf(...) __wrap_sprintf(__VA_ARGS__) +#endif /* !sprintf */ +#else /* __GNUC_PREREQ__(4, 3) */ +__FORTIFY_INLINE __printflike(2, 3) int +sprintf(char *_dest, const char *_format, ...) +{ + size_t _bos = __bos(_dest); + + if (_bos == __FORTIFY_UNKNOWN_SIZE) + return (__sprintf_real(_dest, _format, + __builtin_va_arg_pack())); + + return (__sprintf_chk(_dest, 0, _bos, _format, + __builtin_va_arg_pack())); +} + +#endif /* !__GNUC_PREREQ__(4, 3) */ + +__FORTIFY_INLINE char * +fgets(char *_buf, int _n, FILE *_stream) +{ + size_t _bos = __bos(_buf); + +#ifndef __clang__ + /* + * Compiler can prove, at compile time, that the passed in size + * is always negative. + * Force a compiler error. + */ + if (__builtin_constant_p(_n) && (_n < 0)) + __fgets_too_small_error(); + /* + * Compiler doesn 't know destination size. + * Don' t call __fgets_chk. + */ + if (_bos == __FORTIFY_UNKNOWN_SIZE) + return (__fgets_real(_buf, _n, _stream)); + /* + * Compiler can prove, at compile time, that the passed in size + * is always <= the actual object size. + * Don 't call __fgets_chk. + */ + if (__builtin_constant_p(_n) && (_n <= (int)_bos)) + return (__fgets_real(_buf, _n, _stream)); + /* + * Compiler can prove, at compile time, that the passed in size + * is always > the actual object size. + * Force a compiler error. + */ + if (__builtin_constant_p(_n) && (_n > (int)_bos)) + __fgets_too_big_error(); +#endif + return (__fgets_chk(_buf, _n, _stream, _bos)); +} + + +__FORTIFY_INLINE size_t +fread(void * __restrict _ptr, size_t _size, size_t _nmemb, FILE * __restrict _stream) +{ + size_t _bos = __bos0(_ptr); +#ifndef __clang__ + size_t _total; + + if (_bos == __FORTIFY_UNKNOWN_SIZE) + return (__fread_real(_ptr, _size, _nmemb, _stream)); + + if (__builtin_constant_p(_size) && __builtin_constant_p(_nmemb)) { + if (__size_mul_overflow(_size, _nmemb, &_total)) + __fread_overflow(); + + if (_total > _bos) + __fread_too_big_error(); + + return (__fread_real(_ptr, _size, _nmemb, _stream)); + } +#endif + + return (__fread_chk(_ptr, _size, _nmemb, _stream, _bos)); +} + + +__FORTIFY_INLINE size_t +fwrite(const void * __restrict _ptr, size_t _size, size_t _nmemb, FILE * __restrict _stream) +{ + size_t _bos = __bos0(_ptr); +#ifndef __clang__ + size_t _total; + + if (_bos == __FORTIFY_UNKNOWN_SIZE) + return __fwrite_real(_ptr, _size, _nmemb, _stream); + + if (__builtin_constant_p(_size) && __builtin_constant_p(_nmemb)) { + if (__size_mul_overflow(_size, _nmemb, &_total)) + __fwrite_overflow(); + + if (_total > _bos) + __fwrite_too_big_error(); + + return (__fwrite_real(_ptr, _size, _nmemb, _stream)); + } +#endif + + return (__fwrite_chk(_ptr, _size, _nmemb, _stream, _bos)); +} + +#endif /* defined(__BSD_FORTIFY) */ + +__END_DECLS + +#endif /* !_SECURE_STDIO_H_ */ Index: include/secure/_string.h =================================================================== --- include/secure/_string.h (revision 0) +++ include/secure/_string.h (working copy) @@ -0,0 +1,448 @@ +/*- + * Copyright (c) 2015 Olivér Pintér + * Copyright (C) 2008 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: 9ef26a3c4cd2e6d469f771815a07cb820800beb6 + * + * $FreeBSD$ + */ + +#ifndef _STRING_H_ +#error "You should not use directly; include instead." +#endif + +#ifndef _SECURE_STRING_H_ +#define _SECURE_STRING_H_ + +#include + +__BEGIN_DECLS + +extern void *__memccpy_chk(void *, const void *, int, size_t, size_t); +extern void *__memccpy_real(void *, const void *, int, size_t) __RENAME(memccpy); +extern void *__memchr_chk(const void *, int, size_t, size_t); +extern void *__memchr_real(const void *, int, size_t) __RENAME(memchr); +extern void *__memcpy_chk(void *, const void *, size_t, size_t); +extern void *__memcpy_real(void *, const void *, size_t) __RENAME(memcpy); +__errordecl(__memchr_buf_size_error, "memchr called with size bigger than buffer"); +extern void *__memmove_chk(void *, const void *, size_t, size_t); +extern void *__memmove_real(void *, const void *, size_t) __RENAME(memmove); +extern void *__memrchr_chk(const void *, int, size_t, size_t); +extern void *__memrchr_real(const void *, int, size_t) __RENAME(memrchr); +__errordecl(__memrchr_buf_size_error, "memrchr called with size bigger than buffer"); +extern void *__memset_chk(void *, int, size_t, size_t); +extern void *__memset_real(void *, int, size_t) __RENAME(memset); +extern char *__strcat_chk(char *__restrict, const char *__restrict, size_t); +extern char *__strcat_real(char *__restrict, const char *__restrict) __RENAME(strcat); +extern char *__strncat_chk(char *__restrict, const char *__restrict, size_t, size_t); +extern char *__strncat_real(char *__restrict, const char *__restrict, size_t) __RENAME(strncat); +extern char *__stpcpy_chk(char *, const char *, size_t); +extern char *__stpcpy_real(char *, const char *) __RENAME(stpcpy); +extern char *__stpncpy_chk(char * __restrict, const char * __restrict, size_t, size_t); +extern char *__stpncpy_chk2(char * __restrict, const char * __restrict, size_t, size_t, size_t); +extern char *__stpncpy_real(char * __restrict, const char * __restrict, size_t) __RENAME(stpncpy); +extern char *__strcpy_chk(char *, const char *, size_t); +extern char *__strcpy_real(char *, const char *) __RENAME(strcpy); +extern char *__strncpy_chk(char *, const char *, size_t, size_t); +extern char *__strncpy_chk2(char * __restrict, const char * __restrict, size_t, size_t, size_t); +extern char *__strncpy_real(char *, const char *, size_t) __RENAME(strncpy); +extern size_t __strlcpy_chk(char *, const char *, size_t, size_t); +extern size_t __strlcpy_real(char * __restrict, const char * __restrict, size_t) __RENAME(strlcpy); +extern size_t __strlcat_chk(char * __restrict, const char * __restrict, size_t, size_t); +extern size_t __strlcat_real(char * __restrict, const char * __restrict, size_t) __RENAME(strlcat); +extern size_t __strlen_chk(const char *, size_t); +extern size_t __strlen_real(const char *) __RENAME(strlen); +extern char *__strchr_chk(const char *, int, size_t); +extern char *__strchr_real(const char *, int) __RENAME(strchr); +extern char *__strchrnul_chk(const char *, int, size_t); +extern char *__strchrnul_real(const char *, int) __RENAME(strchrnul); +extern char *__strrchr_chk(const char *, int, size_t); +extern char *__strrchr_real(const char *, int) __RENAME(strrchr); + +#ifdef __BSD_FORTIFY + +#if __XSI_VISIBLE >= 600 +__FORTIFY_INLINE void * +memccpy(void * __restrict _d, const void * __restrict _s, int _c, size_t _n) +{ + size_t _bos = __bos0(_d); + +#ifndef __clang__ + if (__predict_false(_bos == __FORTIFY_UNKNOWN_SIZE)) + return (__memccpy_real(_d, _s, _c, _n)); +#endif + + return (__memccpy_chk(_d, _s, _c, _n, _bos)); +} +#endif /* __XSI_VISIBLE */ + + +__FORTIFY_INLINE void * +memchr(const void *_s, int _c, size_t _n) +{ + size_t _bos = __bos(_s); + +#ifndef __clang__ + if (__predict_false(_bos == __FORTIFY_UNKNOWN_SIZE)) + return (__memchr_real(_s, _c, _n)); + + if (__builtin_constant_p(_n) && (_n > _bos)) + __memchr_buf_size_error(); + + /* + * Compiler can prove, at compile time, that the passed in size + * is always <= the actual object size. Don't call __memchr_chk. + */ + if (__builtin_constant_p(_n) && (_n <= _bos)) + return (__memchr_real(_s, _c, _n)); +#endif + + return (__memchr_chk(_s, _c, _n, _bos)); +} + + +#if __BSD_VISIBLE +__FORTIFY_INLINE void * +memrchr(const void *_s, int _c, size_t _n) +{ + size_t _bos = __bos(_s); + +#ifndef __clang__ + if (__predict_false(_bos == __FORTIFY_UNKNOWN_SIZE)) + return (__memrchr_real(_s, _c, _n)); + + if (__builtin_constant_p(_n) && (_n > _bos)) + (__memrchr_buf_size_error()); + + if (__builtin_constant_p(_n) && (_n <= _bos)) + return __memrchr_real(_s, _c, _n); +#endif + + return (__memrchr_chk(_s, _c, _n, _bos)); +} +#endif /* __BSD_VISIBLE */ + + +__FORTIFY_INLINE void * +memcpy(void * __restrict _d, const void * __restrict _s, size_t _n) +{ + size_t _bos = __bos0(_d); + +#ifndef __clang__ + if (__predict_false(_bos == __FORTIFY_UNKNOWN_SIZE)) + return (__memcpy_real(_d, _s, _n)); +#endif + + return (__memcpy_chk(_d, _s, _n, _bos)); +} + + +__FORTIFY_INLINE void * +memmove(void *_d, const void *_s, size_t _n) +{ + size_t _bos = __bos0(_d); + +#ifndef __clang__ + if (__predict_false(_bos == __FORTIFY_UNKNOWN_SIZE)) + return (__memmove_real(_d, _s, _n)); +#endif + + return (__memmove_chk(_d, _s, _n, _bos)); +} + + +#if __POSIX_VISIBLE >= 200809 +__FORTIFY_INLINE char * +stpcpy(char * __restrict _d, const char * __restrict _s) +{ + size_t _bos = __bos(_d); + +#ifndef __clang__ + if (__predict_false(_bos == __FORTIFY_UNKNOWN_SIZE)) + return (__stpcpy_real(_d, _s)); +#endif + + return (__stpcpy_chk(_d, _s, _bos)); +} +#endif /* __POSIX_VISIBLE */ + + +__FORTIFY_INLINE char * +strcpy(char * __restrict _d, const char * __restrict _s) +{ + size_t _bos = __bos(_d); + +#ifndef __clang__ + if (__predict_false(_bos == __FORTIFY_UNKNOWN_SIZE)) + return (__strcpy_real(_d, _s)); +#endif + + return (__strcpy_chk(_d, _s, _bos)); +} + + +#if __POSIX_VISIBLE >= 200809 +__FORTIFY_INLINE char * +stpncpy(char * __restrict _d, const char * __restrict _s, size_t _n) +{ + size_t _d_bos = __bos(_d); + size_t _s_bos = __bos(_s); +#ifndef __clang__ + size_t _slen; + + if (_d_bos == __FORTIFY_UNKNOWN_SIZE) + return (__stpncpy_real(_d, _s, _n)); + + if (_s_bos == __FORTIFY_UNKNOWN_SIZE) + return (__stpncpy_chk(_d, _s, _n, _d_bos)); + + if (__builtin_constant_p(_n) && (_n <= _s_bos)) + return (__stpncpy_chk(_d, _s, _n, _d_bos)); + + _slen = __builtin_strlen(_s); + if (__builtin_constant_p(_slen)) + return (__stpncpy_chk(_d, _s, _n, _d_bos)); +#endif + + return (__stpncpy_chk2(_d, _s, _n, _d_bos, _s_bos)); +} +#endif /* __POSIX_VISIBLE */ + + +__FORTIFY_INLINE char * +strncpy(char * __restrict _d, const char * __restrict _s, size_t _n) +{ + size_t _d_bos = __bos(_d); + size_t _s_bos = __bos(_s); +#ifndef __clang__ + size_t _slen; + + if (_d_bos == __FORTIFY_UNKNOWN_SIZE) + return (__strncpy_real(_d, _s, _n)); + + if (_s_bos == __FORTIFY_UNKNOWN_SIZE) + return (__strncpy_chk(_d, _s, _n, _d_bos)); + + if (__builtin_constant_p(_n) && (_n <= _s_bos)) + return (__strncpy_chk(_d, _s, _n, _d_bos)); + + _slen = __builtin_strlen(_s); + if (__builtin_constant_p(_slen)) + return (__strncpy_chk(_d, _s, _n, _d_bos)); +#endif + + return (__strncpy_chk2(_d, _s, _n, _d_bos, _s_bos)); +} + + +__FORTIFY_INLINE char * +strcat(char * __restrict _d, const char * __restrict _s) +{ + size_t _bos = __bos(_d); + +#ifndef __clang__ + if (__predict_false(_bos == __FORTIFY_UNKNOWN_SIZE)) + return (__strcat_real(_d, _s)); +#endif + + return (__strcat_chk(_d, _s, _bos)); +} + + +__FORTIFY_INLINE char * +strncat(char * __restrict _d, const char * __restrict _s, size_t _n) +{ + size_t _bos = __bos(_d); + +#ifndef __clang__ + if (__predict_false(_bos == __FORTIFY_UNKNOWN_SIZE)) + return (__strncat_real(_d, _s, _n)); +#endif + + return (__strncat_chk(_d, _s, _n, _bos)); +} + + +__FORTIFY_INLINE void * +memset(void *_s, int _c, size_t _n) +{ + size_t _bos = __bos(_s); + +#ifndef __clang__ + if (__predict_false(_bos == __FORTIFY_UNKNOWN_SIZE)) + return (__memset_real(_s, _c, _n)); +#endif + + return (__memset_chk(_s, _c, _n, _bos)); +} + + +#if __BSD_VISIBLE +__FORTIFY_INLINE size_t +strlcpy(char * __restrict _d, const char * __restrict _s, size_t _n) +{ + size_t _bos = __bos(_d); + +#ifndef __clang__ + /* Compiler doesn't know destination size. Don't call __strlcpy_chk. */ + if (__predict_false(_bos == __FORTIFY_UNKNOWN_SIZE)) + return (__strlcpy_real(_d, _s, _n)); + + /* + * Compiler can prove, at compile time, that the passed in size + * is always <= the actual object size. Don't call __strlcpy_chk. + */ + if (__builtin_constant_p(_n) && (_n <= _bos)) + return (__strlcpy_real(_d, _s, _n)); +#endif + + return (__strlcpy_chk(_d, _s, _n, _bos)); +} +#endif /* __BSD_VISIBLE */ + + +#if __BSD_VISIBLE +__FORTIFY_INLINE size_t +strlcat(char * __restrict _d, const char * __restrict _s, size_t _n) +{ + size_t _bos = __bos(_d); + +#ifndef __clang__ + /* Compiler doesn't know destination size. Don't call __strlcat_chk. */ + if (__predict_false(_bos == __FORTIFY_UNKNOWN_SIZE)) + return (__strlcat_real(_d, _s, _n)); + + /* + * Compiler can prove, at compile time, that the passed in size + * is always <= the actual object size. Don't call __strlcat_chk. + */ + if (__builtin_constant_p(_n) && (_n <= _bos)) + return (__strlcat_real(_d, _s, _n)); +#endif + + return (__strlcat_chk(_d, _s, _n, _bos)); +} +#endif /* __BSD_VISIBLE */ + + +__FORTIFY_INLINE size_t +strlen(const char *_s) +{ + size_t _bos = __bos(_s); +#ifndef __clang__ + size_t _slen; + + /* Compiler doesn't know destination size. Don't call __strlen_chk. */ + if (__predict_false(_bos == __FORTIFY_UNKNOWN_SIZE)) + return (__strlen_real(_s)); + + _slen = __builtin_strlen(_s); + if (__builtin_constant_p(_slen)) + return (_slen); +#endif + + return (__strlen_chk(_s, _bos)); +} + +__FORTIFY_INLINE char * +strchr(const char *_s, int _c) +{ + size_t _bos = __bos(_s); +#ifndef __clang__ + size_t _slen; + + /* Compiler doesn't know destination size. Don't call __strchr_chk. */ + if (__predict_false(_bos == __FORTIFY_UNKNOWN_SIZE)) + return (__strchr_real(_s, _c)); + + /* + * Compiler can prove, at compile time, that the passed in size + * is always <= the actual object size. Don't call __strlchr_chk. + */ + _slen = __builtin_strlen(_s); + if (__builtin_constant_p(_slen) && (_slen < _bos)) + return (__strchr_real(_s, _c)); +#endif + + return (__strchr_chk(_s, _c, _bos)); +} + + +#if __BSD_VISIBLE +__FORTIFY_INLINE char * +strchrnul(const char *_s, int _c) +{ + size_t _bos = __bos(_s); +#ifndef __clang__ + size_t _slen; + + /* Compiler doesn't know destination size. Don't call __strchr_chk. */ + if (__predict_false(_bos == __FORTIFY_UNKNOWN_SIZE)) + return (__strchrnul_real(_s, _c)); + /* + * Compiler can prove, at compile time, that the passed in size + * is always <= the actual object size. Don't call __strlchrnul_chk. + */ + _slen = __builtin_strlen(_s); + if (__builtin_constant_p(_slen) && (_slen < _bos)) + return (__strchrnul_real(_s, _c)); +#endif + + return (__strchrnul_chk(_s, _c, _bos)); +} +#endif + + +__FORTIFY_INLINE char * +strrchr(const char *_s, int _c) +{ + size_t _bos = __bos(_s); +#ifndef __clang__ + size_t _slen; + + /* Compiler doesn't know destination size. Don't call __strrchr_chk. */ + if (__predict_false(_bos == __FORTIFY_UNKNOWN_SIZE)) + return (__strrchr_real(_s, _c)); + + /* + * Compiler can prove, at compile time, that the passed in size + * is always <= the actual object size. Don't call __strlen_chk. + */ + _slen = __strlen_real(_s); + if (__builtin_constant_p(_slen) && (_slen < _bos)) + return (__strrchr_real(_s, _c)); +#endif + + return (__strrchr_chk(_s, _c, _bos)); +} + + +#endif /* defined(__BSD_FORTIFY) */ + +__END_DECLS + +#endif /* !_SECURE_STRING_H */ Index: include/secure/_strings.h =================================================================== --- include/secure/_strings.h (revision 0) +++ include/secure/_strings.h (working copy) @@ -0,0 +1,112 @@ +/*- + * Copyright (C) 2015 Olivér Pintér + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#ifndef _STRINGS_H_ +#error "You should not use directly; include instead." +#endif + +#ifndef _SECURE_STRINGS_H_ +#define _SECURE_STRINGS_H_ + +#include + +__BEGIN_DECLS + +extern void *__bcopy_chk(void *, const void *, size_t, size_t) __RENAME(__memmove_chk); +extern void __bcopy_real(const void *, void *, size_t) __RENAME(bcopy); +extern void *__bzero_chk(void *, int, size_t, size_t) __RENAME(__memset_chk); +extern void __bzero_real(void *, size_t) __RENAME(bzero); +extern char *__rindex_chk(const char *, int, size_t); +extern char *__rindex_real(const char *, int) __RENAME(rindex); + +#ifdef __BSD_FORTIFY +#if __BSD_VISIBLE || __POSIX_VISIBLE <= 200112 +__FORTIFY_INLINE void +bcopy(const void *_s, void *_d, size_t _l) +{ + size_t _bos = __bos0(_d); + +#ifndef __clang__ + if (_bos == __FORTIFY_UNKNOWN_SIZE) + __bcopy_real(_s, _d, _l); +#endif + + (void)(__bcopy_chk(_d, _s, _l, _bos)); +} +#endif + + +#if __BSD_VISIBLE || __POSIX_VISIBLE <= 200112 +__FORTIFY_INLINE void +bzero(void *_s, size_t _n) +{ + size_t _bos = __bos(_s); + +#ifndef __clang__ + if (_bos == __FORTIFY_UNKNOWN_SIZE) + __bzero_real(_s, _n); +#endif + + (void)(__bzero_chk(_s, '\0', _n, _bos)); +} +#endif + + +#if __BSD_VISIBLE || __POSIX_VISIBLE <= 200112 +__FORTIFY_INLINE char * +rindex(const char *_s, int _c) +{ + size_t _bos = __bos(_s); +#ifndef __clang__ + size_t _slen; + + /* Compiler doesn't know destination size. Don't call __strrchr_chk. */ + if (_bos == __FORTIFY_UNKNOWN_SIZE) + return (__rindex_real(_s, _c)); + + /* + * Compiler can prove, at compile time, that the passed in size + * is always <= the actual object size. Don't call __rindex_chk. + */ + _slen = __builtin_strlen(_s); + if (__builtin_constant_p(_slen) && (_slen < _bos)) + return (__rindex_real(_s, _c)); +#endif + + return (__rindex_chk(_s, _c, _bos)); +} +#endif + + +#endif /* !__BSD_FORTIFY */ + +__END_DECLS + +#endif /* !defined(_SECURE_STRINGS_H_) */ Index: include/secure/_unistd.h =================================================================== --- include/secure/_unistd.h (revision 0) +++ include/secure/_unistd.h (working copy) @@ -0,0 +1,200 @@ +/*- + * Copyright (c) 2015 Olivér Pintér + * Copyright (C) 2008 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * rev: 9ef26a3c4cd2e6d469f771815a07cb820800beb6 + * + * $FreeBSD$ + */ + +#ifndef _UNISTD_H_ +#error "You should not use directly; include instead." +#endif + +#ifndef _SECURE_UNISTD_H_ +#define _SECURE_UNISTD_H_ + +#include +#include + +__BEGIN_DECLS + +extern char *__getcwd_chk(char*, size_t, size_t); +extern char *__getcwd_real(char*, size_t) __RENAME(getcwd); +__errordecl(__getcwd_dest_size_error, "getcwd called with size bigger than destination"); +extern ssize_t __pread_chk(int, void *, size_t, off_t, size_t); +extern ssize_t __pread_real(int, void *, size_t, off_t) __RENAME(pread); +__errordecl(__pread_dest_size_error, "pread called with size bigger than destination"); +__errordecl(__pread_count_toobig_error, "pread called with count > SSIZE_MAX"); +extern ssize_t __read_chk(int, void *, size_t, size_t); +extern ssize_t __read_real(int, void *, size_t) __RENAME(read); +__errordecl(__read_dest_size_error, "read called with size bigger than destination"); +__errordecl(__read_count_toobig_error, "read called with count > SSIZE_MAX"); +extern ssize_t __readlink_chk(const char *, char *, size_t, size_t); +extern ssize_t __readlink_real(const char *, char *, size_t) __RENAME(readlink); +__errordecl(__readlink_dest_size_error, "readlink called with size bigger than destination"); +__errordecl(__readlink_size_toobig_error, "readlink called with size > SSIZE_MAX"); +extern ssize_t __readlinkat_chk(int, const char *, char *, size_t, size_t); +extern ssize_t __readlinkat_real(int, const char *, char *, size_t) __RENAME(readlinkat); +__errordecl(__readlinkat_dest_size_error, "readlinkat called with size bigger than destination"); +__errordecl(__readlinkat_size_toobig_error, "readlinkat called with size > SSIZE_MAX"); + +#ifdef __BSD_FORTIFY + +__FORTIFY_INLINE +char * +getcwd(char *_buf, size_t _size) +{ + size_t _bos = __bos(_buf); + +#ifdef __clang__ + /* + * Work around LLVM's incorrect __builtin_object_size implementation + * here to avoid needing the workaround in the __getcwd_chk ABI + * forever. + * + * https://llvm.org/bugs/show_bug.cgi?id=23277 + */ + if (_buf == NULL) + _bos = __FORTIFY_UNKNOWN_SIZE; +#else + if (_bos == __FORTIFY_UNKNOWN_SIZE) + return (__getcwd_real(_buf, _size)); + if (__builtin_constant_p(_size) && (_size > _bos)) + __getcwd_dest_size_error(); + if (__builtin_constant_p(_size) && (_size <= _bos)) + return (__getcwd_real(_buf, _size)); +#endif + + return (__getcwd_chk(_buf, _size, _bos)); +} + + +/* 1003.1-2008 */ +#if __POSIX_VISIBLE >= 200809 || __XSI_VISIBLE +__FORTIFY_INLINE ssize_t +pread(int _fd, void *_buf, size_t _count, off_t _offset) +{ + size_t _bos = __bos0(_buf); + +#ifndef __clang__ + if (__builtin_constant_p(_count) && (_count > SSIZE_MAX)) + __pread_count_toobig_error(); + + if (_bos == __FORTIFY_UNKNOWN_SIZE) + return (__pread_real(_fd, _buf, _count, _offset)); + + if (__builtin_constant_p(_count) && (_count > _bos)) + __pread_dest_size_error(); + + if (__builtin_constant_p(_count) && (_count <= _bos)) + return (__pread_real(_fd, _buf, _count, _offset)); +#endif + + return (__pread_chk(_fd, _buf, _count, _offset, _bos)); +} +#endif /* __POSIX_VISIBLE >= 200809 || __XSI_VISIBLE */ + + +__FORTIFY_INLINE ssize_t +read(int _fd, void *_buf, size_t _count) +{ + size_t _bos = __bos0(_buf); + +#ifndef __clang__ + if (__builtin_constant_p(_count) && (_count > SSIZE_MAX)) + __read_count_toobig_error(); + + if (_bos == __FORTIFY_UNKNOWN_SIZE) + return (__read_real(_fd, _buf, _count)); + + if (__builtin_constant_p(_count) && (_count > _bos)) + __read_dest_size_error(); + + if (__builtin_constant_p(_count) && (_count <= _bos)) + return (__read_real(_fd, _buf, _count)); +#endif + + return (__read_chk(_fd, _buf, _count, _bos)); +} + + +/* 1003.1-2001 */ +#if __POSIX_VISIBLE >= 200112 || __XSI_VISIBLE +__FORTIFY_INLINE ssize_t +readlink(const char *_path, char *_buf, size_t _size) +{ + size_t _bos = __bos(_buf); + +#ifndef __clang__ + if (__builtin_constant_p(_size) && (_size > SSIZE_MAX)) + __readlink_size_toobig_error(); + + if (_bos == __FORTIFY_UNKNOWN_SIZE) + return (__readlink_real(_path, _buf, _size)); + + if (__builtin_constant_p(_size) && (_size > _bos)) + __readlink_dest_size_error(); + + if (__builtin_constant_p(_size) && (_size <= _bos)) + return (__readlink_real(_path, _buf, _size)); +#endif + + return (__readlink_chk(_path, _buf, _size, _bos)); +} +#endif /* __POSIX_VISIBLE >= 200112 || __XSI_VISIBLE */ + + +#if __POSIX_VISIBLE >= 200809 +__FORTIFY_INLINE ssize_t +readlinkat(int _dirfd, const char *_path, char *_buf, size_t _size) +{ + size_t _bos = __bos(_buf); + +#ifndef __clang__ + if (__builtin_constant_p(_size) && (_size > SSIZE_MAX)) + (__readlinkat_size_toobig_error()); + + if (_bos == __FORTIFY_UNKNOWN_SIZE) + return (__readlinkat_real(_dirfd, _path, _buf, _size)); + + if (__builtin_constant_p(_size) && (_size > _bos)) + __readlinkat_dest_size_error(); + + if (__builtin_constant_p(_size) && (_size <= _bos)) + return (__readlinkat_real(_dirfd, _path, _buf, _size)); +#endif + + return (__readlinkat_chk(_dirfd, _path, _buf, _size, _bos)); +} +#endif /* __POSIX_VISIBLE >= 200809 */ + +#endif /* defined(__BSD_FORTIFY) */ + +__END_DECLS + +#endif /* !_SECURE_UNISTD_H_ */ Index: include/secure/security.h =================================================================== --- include/secure/security.h (revision 0) +++ include/secure/security.h (working copy) @@ -0,0 +1,86 @@ +/*- + * Copyright (c) 2015 Olivér Pintér + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#ifndef _SECURE_SECURITY_ +#define _SECURE_SECURITY_ + +#include +#include + +#ifndef __clang__ +#if __GNUC_PREREQ__(4, 3) +#define __errordecl(name, msg) extern void name(void) __error_attr(msg) +#else +#define __errordecl(name, msg) \ +static void name(void) __dead2; \ +static void name(void) \ +{ \ + \ + __fortify_chk_fail(msg); \ +} +#endif /* __GNUC_PREREQ(4, 3) */ +#else /* !__clang__ */ +#define __errordecl(name, msg) +#endif /* !__clang__ */ + +#define __RENAME(x) __asm__(#x) + +#if __has_builtin(__builtin_umul_overflow) || __GNUC_PREREQ__(5, 0) +#if __LP64__ +#define __size_mul_overflow(a, b, result) __builtin_umull_overflow(a, b, result) +#else +#define __size_mul_overflow(a, b, result) __builtin_umul_overflow(a, b, result) +#endif +#else +static __inline __always_inline int +__size_mul_overflow(__SIZE_TYPE__ a, __SIZE_TYPE__ b, __SIZE_TYPE__ *result) +{ + static const __SIZE_TYPE__ mul_no_overflow = 1UL << (sizeof(__SIZE_TYPE__) * 4); + + *result = a * b; + + return (a >= mul_no_overflow || b >= mul_no_overflow) && a > 0 && (__SIZE_TYPE__)-1 / a < b; +} +#endif + +__BEGIN_DECLS + +/* Common fail function. */ +void __secure_fail(const char *msg) __dead2 __nonnull(1); + +/* SSP related fail functions. */ +void __chk_fail(void) __dead2; +void __stack_chk_fail(void) __dead2; + +/* FORTIFY_SOURCE related fail function. */ +void __fortify_chk_fail(const char* msg) __dead2 __nonnull(1); +int __fortify_chk_overlap(const void *a, const void *b, size_t len); + +__END_DECLS + +#endif /* !_SECURE_SECURITY_ */ Index: include/stdio.h =================================================================== --- include/stdio.h (revision 286760) +++ include/stdio.h (working copy) @@ -521,4 +521,9 @@ #endif /* __cplusplus */ __END_DECLS + +#if defined(__BSD_FORTIFY) +#include +#endif + #endif /* !_STDIO_H_ */ Index: include/string.h =================================================================== --- include/string.h (revision 286760) +++ include/string.h (working copy) @@ -141,4 +141,8 @@ #endif __END_DECLS +#if defined(__BSD_FORTIFY) +#include +#endif + #endif /* _STRING_H_ */ Index: include/strings.h =================================================================== --- include/strings.h (revision 286760) +++ include/strings.h (working copy) @@ -68,4 +68,8 @@ #endif __END_DECLS +#if defined(__BSD_FORTIFY) +#include +#endif + #endif /* _STRINGS_H_ */ Index: include/unistd.h =================================================================== --- include/unistd.h (revision 286760) +++ include/unistd.h (working copy) @@ -589,4 +589,8 @@ #endif /* __BSD_VISIBLE */ __END_DECLS +#if defined(__BSD_FORTIFY) +#include +#endif + #endif /* !_UNISTD_H_ */ Index: lib/libc/gen/getcwd.c =================================================================== --- lib/libc/gen/getcwd.c (revision 286760) +++ lib/libc/gen/getcwd.c (working copy) @@ -30,6 +30,8 @@ #if defined(LIBC_SCCS) && !defined(lint) static char sccsid[] = "@(#)getcwd.c 8.5 (Berkeley) 2/7/95"; #endif /* LIBC_SCCS and not lint */ + +#undef _FORTIFY_SOURCE #include __FBSDID("$FreeBSD$"); Index: lib/libc/secure/Makefile.inc =================================================================== --- lib/libc/secure/Makefile.inc (revision 286760) +++ lib/libc/secure/Makefile.inc (working copy) @@ -1,12 +1,52 @@ -# $FreeBSD$ -# -# libc sources related to security - +# secure sources .PATH: ${LIBC_SRCTOP}/secure # Sources common to both syscall interfaces: SRCS+= \ + fortify_source.c \ + secure_common.c \ stack_protector.c \ stack_protector_compat.c +# Sources which contains FORTIFY_SOURCE functions: +SRCS+= \ + __fgets_chk.c \ + __fread_chk.c \ + __fwrite_chk.c \ + __getcwd_chk.c \ + __memccpy_chk.c \ + __memchr_chk.c \ + __memcpy_chk.c \ + __memmove_chk.c \ + __memrchr_chk.c \ + __memset_chk.c \ + __pread_chk.c \ + __read_chk.c \ + __readlink_chk.c \ + __readlinkat_chk.c \ + __stpcpy_chk.c \ + __stpncpy_chk.c \ + __strcat_chk.c \ + __strchr_chk.c \ + __strchrnul_chk.c \ + __strcpy_chk.c \ + __strlcat_chk.c \ + __strlcpy_chk.c \ + __strlen_chk.c \ + __strncat_chk.c \ + __strncpy_chk.c \ + __strrchr_chk.c \ + __vsnprintf_chk.c \ + __vsprintf_chk.c + +# Sources which contains FORTIFY_SOURCE functions, +# but live in .h files under sys/sys +SRCS+= \ + __poll_chk.c \ + __recvfrom_chk.c \ + __umask_chk.c + SYM_MAPS+= ${LIBC_SRCTOP}/secure/Symbol.map + +MAN+= __builtin_object_size.3 + Index: lib/libc/secure/Symbol.map =================================================================== --- lib/libc/secure/Symbol.map (revision 286760) +++ lib/libc/secure/Symbol.map (working copy) @@ -12,3 +12,57 @@ __stack_chk_fail; __stack_chk_guard; }; + +FBSD_1.1 { +}; + +FBSD_1.2 { +}; + +FBSD_1.3 { +}; + +FBSD_1.4 { + __fgets_chk; + __fortify_chk_fail; + __fread_chk; + __fwrite_chk; + __getcwd_chk; + __memccpy_chk; + __memchr_chk; + __memcpy_chk; + __memmove_chk; + __memrchr_chk; + __memset_chk; + __poll_chk; + __ppoll_chk; + __pread_chk; + __read_chk; + __readlink_chk; + __readlinkat_chk; + __recvfrom_chk; + __rindex_chk; + __snprintf_chk; + __sprintf_chk; + __stpcpy_chk; + __stpncpy_chk; + __stpncpy_chk2; + __strcat_chk; + __strchr_chk; + __strchrnul_chk; + __strcpy_chk; + __strlcat_chk; + __strlcpy_chk; + __strlen_chk; + __strncat_chk; + __strncpy_chk; + __strncpy_chk2; + __strrchr_chk; + __umask_chk; + __vsnprintf_chk; + __vsprintf_chk; + __secure_fail; +}; + +FBSDprivate_1.0 { +}; Index: lib/libc/secure/__builtin_object_size.3 =================================================================== --- lib/libc/secure/__builtin_object_size.3 (revision 0) +++ lib/libc/secure/__builtin_object_size.3 (working copy) @@ -0,0 +1,101 @@ +.\" $NetBSD: __builtin_object_size.3,v 1.10 2012/07/19 06:44:12 wiz Exp $ +.\" +.\" Copyright (c) 2007 The NetBSD Foundation, Inc. +.\" All rights reserved. +.\" +.\" This code is derived from software contributed to The NetBSD Foundation +.\" by Christos Zoulas. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS +.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS +.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.\" +.Dd July 18, 2012 +.Dt __BUILTIN_OBJECT_SIZE 3 +.Os +.Sh NAME +.Nm __builtin_object_size +.Nd return the size of the given object +.Sh SYNOPSIS +.Ft size_t +.Fn __builtin_object_size "void *ptr" "int type" +.Sh DESCRIPTION +The +.Fn __builtin_object_size +function is a +.Xr gcc 1 +built-in function that returns the size of the +.Fa ptr +object if known at compile time and the object does not have any side +effects. +.Sh RETURN VALUES +If the size of the object is not known or it has side effects the +.Fn __builtin_object_size +function returns: +.Bl -tag -width (size_t)\-1 -offset indent +.It Dv (size_t)\-1 +for +.Fa type +.Dv 0 +and +.Dv 1 . +.It Dv (size_t)0 +for +.Fa type +.Dv 2 +and +.Dv 3 . +.El +.Pp +If the size of the object is known, then the +.Fn __builtin_object_size +function returns the maximum size of all the objects that the compiler +knows that they can be pointed to by +.Fa ptr +when +.Fa type +.Dv \*[Am] 2 == 0 , +and the minimum size when +.Fa type +.Dv \*[Am] 2 != 0 . +.Sh SEE ALSO +.Xr gcc 1 , +.Xr __builtin_return_address 3 , +.Xr attribute 3 , +.Xr ssp 3 +.Sh HISTORY +The +.Fn __builtin_object_size +appeared in +.Tn GCC 4.1 . +.Sh CAVEATS +This is a non-standard, compiler-specific extension. +.Pp +Note that currently the object size calculation pass is only done at -O1 +or above, meaning that this function always returns \-1 when the optimizer +is off. +.Pp +There are some discussions about always doing the object size pass, but +the issue is that without the optimization pass data sizes are not going +to be correct. +.Pp +For that reason currently code fortification (size-checked replacement +functions) is disabled when optimization is off. Index: lib/libc/secure/__fgets_chk.c =================================================================== --- lib/libc/secure/__fgets_chk.c (revision 0) +++ lib/libc/secure/__fgets_chk.c (working copy) @@ -0,0 +1,56 @@ +/*- + * Copyright (C) 2012 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: 6cc98af72b0c48c58b2ab5fdb5f7abb842175299 + * + * $FreeBSD$ + */ + + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include +#include "secure/_stdio.h" + +char * +__fgets_chk(char *buf, int n, FILE *stream, size_t bos) +{ + + if (bos == __FORTIFY_UNKNOWN_SIZE) + return (fgets(buf, n, stream)); + + if (n < 0) + __fortify_chk_fail("fgets: buffer size < 0"); + + if (((size_t)n) > bos) + __fortify_chk_fail("fgets: prevented write past end of buffer"); + + return (fgets(buf, n, stream)); +} Index: lib/libc/secure/__fread_chk.c =================================================================== --- lib/libc/secure/__fread_chk.c (revision 0) +++ lib/libc/secure/__fread_chk.c (working copy) @@ -0,0 +1,56 @@ +/*- + * Copyright (C) 2015 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: fed2659869ec41a93f655be8058568ddab419e01 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include "secure/_stdio.h" + +size_t +__fread_chk(void *__restrict ptr, size_t size, size_t nmemb, FILE * __restrict stream, size_t bos) +{ + size_t total; + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (fread(ptr, size, nmemb, stream)); + + if (__predict_false(__size_mul_overflow(size, nmemb, &total))) { + //overflow: trigger the error path in fread + return (fread(ptr, size, nmemb, stream)); + } + if (__predict_false(total > bos)) + __fortify_chk_fail("fread: prevented write past end of buffer"); + + return (fread(ptr, size, nmemb, stream)); +} Index: lib/libc/secure/__fwrite_chk.c =================================================================== --- lib/libc/secure/__fwrite_chk.c (revision 0) +++ lib/libc/secure/__fwrite_chk.c (working copy) @@ -0,0 +1,56 @@ +/*- + * Copyright (C) 2015 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: fed2659869ec41a93f655be8058568ddab419e01 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE +#include +#include +#include +#include "secure/_stdio.h" + +size_t +__fwrite_chk(const void * __restrict ptr, size_t size, size_t nmemb, FILE * __restrict stream, size_t bos) +{ + size_t total; + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (fwrite(ptr, size, nmemb, stream)); + + if (__predict_false(__size_mul_overflow(size, nmemb, &total))) { + // overflow: trigger the error path in fwrite + return (fwrite(ptr, size, nmemb, stream)); + } + + if (__predict_false(total > bos)) + __fortify_chk_fail("fwrite: prevented read past end of buffer"); + + return (fwrite(ptr, size, nmemb, stream)); +} Index: lib/libc/secure/__getcwd_chk.c =================================================================== --- lib/libc/secure/__getcwd_chk.c (revision 0) +++ lib/libc/secure/__getcwd_chk.c (working copy) @@ -0,0 +1,51 @@ +/*- + * Copyright (C) 2015 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: 7e919daeaad62515ebbbf7b06badc77625a14d90 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include "secure/_unistd.h" + +char * +__getcwd_chk(char* buf, size_t size, size_t bos) +{ + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (getcwd(buf, size)); + + if (__predict_false(size > bos)) + __fortify_chk_fail("getcwd: prevented write past end of buffer"); + + return (getcwd(buf, size)); +} Index: lib/libc/secure/__memccpy_chk.c =================================================================== --- lib/libc/secure/__memccpy_chk.c (revision 0) +++ lib/libc/secure/__memccpy_chk.c (working copy) @@ -0,0 +1,66 @@ +/*- + * Copyright (C) 2015 Oliver Pinter + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include +#include "secure/_string.h" + +void * +__memccpy_chk(void *dest, const void *src, int c, size_t n, size_t bos) +{ + void *ret; + size_t len; + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (memccpy(dest, src, c, n)); + + if (__predict_false(n > bos)) + __fortify_chk_fail("memccpy: prevented write past end of buffer"); + + /* + * If n was copied, then return NULL, otherwise + * a pointer to the byte after the copy of c in the string + * dest is returned. + * + * See the memccpy(3) manpage for more details. + */ + ret = memccpy(dest, src, c, n); + if (ret != NULL) + len = ret - dest; + + if (__predict_false(__fortify_chk_overlap(dest, src, len))) + __fortify_chk_fail("memccpy: prevented overlapping strings"); + + return (ret); +} Index: lib/libc/secure/__memchr_chk.c =================================================================== --- lib/libc/secure/__memchr_chk.c (revision 0) +++ lib/libc/secure/__memchr_chk.c (working copy) @@ -0,0 +1,52 @@ +/*- + * Copyright (C) 2015 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: 6cc98af72b0c48c58b2ab5fdb5f7abb842175299 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include "secure/_string.h" + +void * +__memchr_chk(const void *s, int c, size_t n, size_t bos) +{ + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (memchr(s, c, n)); + + if (__predict_false(n > bos)) + __fortify_chk_fail( + "memchr: prevented read past end of buffer"); + + return (memchr(s, c, n)); +} Index: lib/libc/secure/__memcpy_chk.c =================================================================== --- lib/libc/secure/__memcpy_chk.c (revision 0) +++ lib/libc/secure/__memcpy_chk.c (working copy) @@ -0,0 +1,57 @@ +/*- + * Copyright (C) 2015 Oliver Pinter + * Copyright (C) 2012 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: 6cc98af72b0c48c58b2ab5fdb5f7abb842175299 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include +#include "secure/_string.h" + +void * +__memcpy_chk(void *d, const void *s, size_t n, size_t bos) +{ + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (memcpy(d, s, n)); + + if (__predict_false(n > bos)) + __fortify_chk_fail("memcpy: prevented write past end of buffer"); + + /* See the memcpy(3) for more details. */ + if (__predict_false(__fortify_chk_overlap(d, s, n))) + __fortify_chk_fail("memcpy: prevented overlaping strings"); + + return (memcpy(d, s, n)); +} Index: lib/libc/secure/__memmove_chk.c =================================================================== --- lib/libc/secure/__memmove_chk.c (revision 0) +++ lib/libc/secure/__memmove_chk.c (working copy) @@ -0,0 +1,56 @@ +/*- + * Copyright (C) 2012 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: 6cc98af72b0c48c58b2ab5fdb5f7abb842175299 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include +#include "secure/_string.h" + +void * +__memmove_chk(void *d, const void *s, size_t n, size_t bos) +{ + + /* + * Compiler doesn 't know dination size. + * Fallback to the original function. + */ + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (memmove(d, s, n)); + + if (__predict_false(n > bos)) + __fortify_chk_fail("memmove: prevented write past end of buffer"); + + return (memmove(d, s, n)); +} Index: lib/libc/secure/__memrchr_chk.c =================================================================== --- lib/libc/secure/__memrchr_chk.c (revision 0) +++ lib/libc/secure/__memrchr_chk.c (working copy) @@ -0,0 +1,51 @@ +/*- + * Copyright (C) 2015 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: 6cc98af72b0c48c58b2ab5fdb5f7abb842175299 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include "secure/_string.h" + +void * +__memrchr_chk(const void *s, int c, size_t n, size_t bos) +{ + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (memrchr(s, c, n)); + + if (__predict_false(n > bos)) + __fortify_chk_fail("memrchr: prevented read past end of buffer"); + + return (memrchr(s, c, n)); +} Index: lib/libc/secure/__memset_chk.c =================================================================== --- lib/libc/secure/__memset_chk.c (revision 0) +++ lib/libc/secure/__memset_chk.c (working copy) @@ -0,0 +1,52 @@ +/*- + * Copyright (C) 2012 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: 6cc98af72b0c48c58b2ab5fdb5f7abb842175299 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include +#include "secure/_string.h" + +void * +__memset_chk(void *d, int c, size_t n, size_t bos) +{ + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return memset(d, c, n); + + if (__predict_false(n > bos)) + __fortify_chk_fail("memset: prevented write past end of buffer"); + + return memset(d, c, n); +} Index: lib/libc/secure/__poll_chk.c =================================================================== --- lib/libc/secure/__poll_chk.c (revision 0) +++ lib/libc/secure/__poll_chk.c (working copy) @@ -0,0 +1,64 @@ +/* + * Copyright (C) 2015 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: eeb9f5e41662828989f3913d81ec23229a668434 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include "secure/_poll.h" + +int +__poll_chk(struct pollfd *fds, nfds_t fd_count, int timeout, size_t bos) +{ + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (poll(fds, fd_count, timeout)); + + if (__predict_false(bos / sizeof(*fds) < fd_count)) + __fortify_chk_fail("poll: pollfd array smaller than fd count"); + + return (poll(fds, fd_count, timeout)); +} + +int +__ppoll_chk(struct pollfd *fds, nfds_t fd_count, const struct timespec *timeout, const sigset_t *mask, size_t bos) +{ + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (ppoll(fds, fd_count, timeout, mask)); + + if (__predict_false(bos / sizeof(*fds) < fd_count)) + __fortify_chk_fail("ppoll: pollfd array smaller than fd count"); + + return (ppoll(fds, fd_count, timeout, mask)); +} Index: lib/libc/secure/__pread_chk.c =================================================================== --- lib/libc/secure/__pread_chk.c (revision 0) +++ lib/libc/secure/__pread_chk.c (working copy) @@ -0,0 +1,55 @@ +/*- + * Copyright (C) 2015 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: a8993c994e45ec2dc00dcef15910560e22d67be9 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include +#include "secure/_unistd.h" + +ssize_t +__pread_chk(int fd, void *buf, size_t count, off_t offset, size_t bos) +{ + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (pread(fd, buf, count, offset)); + + if (__predict_false(count > bos)) + __fortify_chk_fail("pread: prevented write past end of buffer"); + + if (__predict_false(count > SSIZE_MAX)) + __fortify_chk_fail("pread: count > SSIZE_MAX"); + + return (pread(fd, buf, count, offset)); +} Index: lib/libc/secure/__read_chk.c =================================================================== --- lib/libc/secure/__read_chk.c (revision 0) +++ lib/libc/secure/__read_chk.c (working copy) @@ -0,0 +1,55 @@ +/*- + * Copyright (C) 2013 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * rev: a8993c994e45ec2dc00dcef15910560e22d67be9 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include +#include "secure/_unistd.h" + +ssize_t +__read_chk(int fd, void *buf, size_t count, size_t bos) +{ + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (read(fd, buf, count)); + + if (__predict_false(count > bos)) + __fortify_chk_fail("read: prevented write past end of buffer"); + + if (__predict_false(count > SSIZE_MAX)) + __fortify_chk_fail("read: count > SSIZE_MAX"); + + return (read(fd, buf, count)); +} Index: lib/libc/secure/__readlink_chk.c =================================================================== --- lib/libc/secure/__readlink_chk.c (revision 0) +++ lib/libc/secure/__readlink_chk.c (working copy) @@ -0,0 +1,55 @@ +/*- + * Copyright (C) 2015 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: a8993c994e45ec2dc00dcef15910560e22d67be9 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include +#include "secure/_unistd.h" + +ssize_t +__readlink_chk(const char *path, char *buf, size_t size, size_t bos) +{ + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (readlink(path, buf, size)); + + if (__predict_false(size > bos)) + __fortify_chk_fail("readlink: prevented write past end of buffer"); + + if (__predict_false(size > SSIZE_MAX)) + __fortify_chk_fail("readlink: size > SSIZE_MAX"); + + return (readlink(path, buf, size)); +} Index: lib/libc/secure/__readlinkat_chk.c =================================================================== --- lib/libc/secure/__readlinkat_chk.c (revision 0) +++ lib/libc/secure/__readlinkat_chk.c (working copy) @@ -0,0 +1,55 @@ +/*- + * Copyright (C) 2015 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: a8993c994e45ec2dc00dcef15910560e22d67be9 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include +#include "secure/_unistd.h" + +ssize_t +__readlinkat_chk(int dirfd, const char *path, char *buf, size_t size, size_t bos) +{ + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (readlinkat(dirfd, path, buf, size)); + + if (__predict_false(size > bos)) + __fortify_chk_fail("readlinkat: prevented write past end of buffer"); + + if (__predict_false(size > SSIZE_MAX)) + __fortify_chk_fail("readlinkat: size > SSIZE_MAX"); + + return (readlinkat(dirfd, path, buf, size)); +} Index: lib/libc/secure/__recvfrom_chk.c =================================================================== --- lib/libc/secure/__recvfrom_chk.c (revision 0) +++ lib/libc/secure/__recvfrom_chk.c (working copy) @@ -0,0 +1,53 @@ +/*- + * Copyright (C) 2013 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: a8993c994e45ec2dc00dcef15910560e22d67be9 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include "secure/_socket.h" + +ssize_t +__recvfrom_chk(int s, void *buf, size_t len, size_t bos, + int flags, struct sockaddr * __restrict from, + socklen_t * __restrict fromlen) +{ + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (recvfrom(s, buf, len, flags, from, fromlen)); + + if (__predict_false(len > bos)) + __fortify_chk_fail("recvfrom: prevented write past end of buffer"); + + return (recvfrom(s, buf, len, flags, from, fromlen)); +} Index: lib/libc/secure/__stpcpy_chk.c =================================================================== --- lib/libc/secure/__stpcpy_chk.c (revision 0) +++ lib/libc/secure/__stpcpy_chk.c (working copy) @@ -0,0 +1,59 @@ +/*- + * Copyright (C) 2014 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: d807b9a12d3e49132b095df3d883618452033b51 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include +#include "secure/_string.h" + +char * +__stpcpy_chk(char *dest, const char *src, size_t bos) +{ + /* TODO:optimize so we don't scan src twice. */ + size_t src_len; + + /* + * Compiler doesn 't know destination size. + * Fallback to the original function. + */ + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (stpcpy(dest, src)); + + src_len = strlen(src) + 1; + if (__predict_false(src_len > bos)) + __fortify_chk_fail("stpcpy: prevented write past end of buffer"); + + return (stpcpy(dest, src)); +} Index: lib/libc/secure/__stpncpy_chk.c =================================================================== --- lib/libc/secure/__stpncpy_chk.c (revision 0) +++ lib/libc/secure/__stpncpy_chk.c (working copy) @@ -0,0 +1,98 @@ +/*- + * Copyright (C) 2014 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: d807b9a12d3e49132b095df3d883618452033b51 + * + * $FreeBSD$ + */ + + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include +#include "secure/_string.h" + +char * +__stpncpy_chk(char *__restrict d, const char *__restrict s, size_t n, size_t bos) +{ + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (stpncpy(d, s, n)); + + if (__predict_false(n > bos)) + __fortify_chk_fail("stpncpy: prevented write past end of buffer"); + + return stpncpy(d, s, n); +} + +/* + * __stpncpy_chk2 + * + * This is a variant of __stpncpy_chk, but it also checks to make + * sure we don't read beyond the end of "s". The code for this is + * based on the original version of stpncpy, but modified to check + * how much we read from "s" at the end of the copy operation. + */ +char * +__stpncpy_chk2(char *__restrict d, const char *__restrict s, size_t n, size_t d_bos, size_t s_bos) +{ + char *_d; + const char *_s = s; + size_t s_copy_len ; + + if (__predict_false(d_bos == __FORTIFY_UNKNOWN_SIZE)) + return (stpncpy(d, s, n)); + + if (__predict_false(s_bos == __FORTIFY_UNKNOWN_SIZE)) + return (__stpncpy_chk(d, s, n, d_bos)); + + if (__predict_false(n > d_bos)) + __fortify_chk_fail("stpncpy: prevented write past end of buffer"); + + if (n != 0) { + _d = d; + + do { + if ((*_d++ = *_s++) == 0) { + /* NUL pad the remaining n-1 bytes */ + while (--n != 0) + *_d++ = 0; + break; + } + } while (--n != 0); + + s_copy_len = (size_t)(_s - s); + + if (__predict_false(s_copy_len > s_bos)) + __fortify_chk_fail("stpncpy: prevented read past end of buffer"); + } + + return (d); +} Index: lib/libc/secure/__strcat_chk.c =================================================================== --- lib/libc/secure/__strcat_chk.c (revision 0) +++ lib/libc/secure/__strcat_chk.c (working copy) @@ -0,0 +1,66 @@ +/*- + * Copyright (C) 2012 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: d807b9a12d3e49132b095df3d883618452033b51 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include +#include "secure/_string.h" + +char * +__strcat_chk(char *__restrict d, const char *__restrict s, size_t bos) +{ + char *save = d; + size_t d_len; + + /* + * Compiler doesn 't know destination size. + * Fallback to the original function. + */ + if (bos == __FORTIFY_UNKNOWN_SIZE) + return (strcat(d, s)); + + d_len = __strlen_chk(d, bos); + + d += d_len; + bos -= d_len; + + while ((*d++ = *s++) != '\0') { + bos--; + if (__predict_false(bos == 0)) + __fortify_chk_fail("strcat: prevented write past end of buffer"); + } + + return (save); +} Index: lib/libc/secure/__strchr_chk.c =================================================================== --- lib/libc/secure/__strchr_chk.c (revision 0) +++ lib/libc/secure/__strchr_chk.c (working copy) @@ -0,0 +1,56 @@ +/*- + * Copyright (c) 1990 The Regents of the University of California. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: d807b9a12d3e49132b095df3d883618452033b51 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include "secure/_string.h" + +char * +__strchr_chk(const char *p, int ch, size_t bos) +{ + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (strchr(p, ch)); + + for (;; ++p, bos--) { + if (__predict_false(bos == 0)) + __fortify_chk_fail("strchr: prevented read past end of buffer"); + if (*p == (char)(ch)) + return ((char *)(p)); + if (*p == '\0') + return (NULL); + } + /* NOTREACHED */ +} Index: lib/libc/secure/__strchrnul_chk.c =================================================================== --- lib/libc/secure/__strchrnul_chk.c (revision 0) +++ lib/libc/secure/__strchrnul_chk.c (working copy) @@ -0,0 +1,59 @@ +/*- + * Copyright (c) 2015 Pinter Oliver + * Copyright (c) 1990 The Regents of the University of California. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: d807b9a12d3e49132b095df3d883618452033b51 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include "secure/_string.h" + +char * +__strchrnul_chk(const char *p, int ch, size_t bos) +{ + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (strchrnul(p, ch)); + + for (;; ++p, bos--) { + if (__predict_false(bos == 0)) + __fortify_chk_fail( + "strchrnul: prevented read past end of buffer"); + if (*p == (char)(ch)) + return ((char *)(p)); + if (*p == '\0') + return ((char *)(p)); + } + /* NOTREACHED */ +} Index: lib/libc/secure/__strcpy_chk.c =================================================================== --- lib/libc/secure/__strcpy_chk.c (revision 0) +++ lib/libc/secure/__strcpy_chk.c (working copy) @@ -0,0 +1,59 @@ +/*- + * Copyright (C) 2012 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: d807b9a12d3e49132b095df3d883618452033b51 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include +#include "secure/_string.h" + +char * +__strcpy_chk(char *d, const char *s, size_t bos) +{ + /* TODO: optimize so we don't scan s twice. */ + size_t s_len; + + /* + * Compiler doesn 't know destination size. + * Fallback to the original function. + */ + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (strcpy(d, s)); + + s_len = strlen(s) + 1; + if (__predict_false(s_len > bos)) + __fortify_chk_fail("strcpy: prevented write past end of buffer"); + + return (strcpy(d, s)); +} Index: lib/libc/secure/__strlcat_chk.c =================================================================== --- lib/libc/secure/__strlcat_chk.c (revision 0) +++ lib/libc/secure/__strlcat_chk.c (working copy) @@ -0,0 +1,52 @@ +/*- + * Copyright (C) 2012 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * rev: d807b9a12d3e49132b095df3d883618452033b51 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include +#include "secure/_string.h" + +size_t +__strlcat_chk(char *d, const char *s, size_t n, size_t bos) +{ + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (strlcat(d, s, n)); + + if (__predict_false(n > bos)) + __fortify_chk_fail("strlcat: prevented write past end of buffer"); + + return (strlcat(d, s, n)); +} Index: lib/libc/secure/__strlcpy_chk.c =================================================================== --- lib/libc/secure/__strlcpy_chk.c (revision 0) +++ lib/libc/secure/__strlcpy_chk.c (working copy) @@ -0,0 +1,52 @@ +/*- + * Copyright (C) 2012 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: d807b9a12d3e49132b095df3d883618452033b51 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include +#include "secure/_string.h" + +size_t +__strlcpy_chk(char *d, const char *s, size_t n, size_t bos) +{ + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (strlcpy(d, s, n)); + + if (__predict_false(n > bos)) + __fortify_chk_fail("strlcpy: prevented write past end of buffer"); + + return (strlcpy(d, s, n)); +} Index: lib/libc/secure/__strlen_chk.c =================================================================== --- lib/libc/secure/__strlen_chk.c (revision 0) +++ lib/libc/secure/__strlen_chk.c (working copy) @@ -0,0 +1,67 @@ +/*- + * Copyright (C) 2012 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: d807b9a12d3e49132b095df3d883618452033b51 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include +#include "secure/_string.h" + +/* + * This test is designed to detect code such as: + * + * int main() { + * char buf[10]; + * memcpy(buf, "1234567890", sizeof(buf)); + * size_t len = strlen(buf); // segfault here with _FORTIFY_SOURCE + * printf("%d\n", len); + * return 0; + * } + * + * or anytime strlen reads beyond an object boundary. + */ +size_t +__strlen_chk(const char *s, size_t bos) +{ + size_t ret; + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (strlen(s)); + + ret = strlen(s); + if (__predict_false(ret >= bos)) + __fortify_chk_fail("strlen: prevented read past end of buffer"); + + return (ret); +} Index: lib/libc/secure/__strncat_chk.c =================================================================== --- lib/libc/secure/__strncat_chk.c (revision 0) +++ lib/libc/secure/__strncat_chk.c (working copy) @@ -0,0 +1,70 @@ +/*- + * Copyright (C) 2012 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: d807b9a12d3e49132b095df3d883618452033b51 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include +#include "secure/_string.h" + +char * +__strncat_chk(char *__restrict d, const char *__restrict s, size_t n, size_t bos) +{ + size_t d_len; + char *_d; + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (strncat(d, s, n)); + + if (n == 0) + return (d); + + d_len = __strlen_chk(d, bos); + _d = d + d_len; + bos -= d_len; + + while (*s != '\0') { + *_d++ = *s++; + n--; + bos--; + + if (__predict_false(bos == 0)) + __fortify_chk_fail("strncat: prevented write past end of buffer"); + if (n == 0) + break; + } + *_d = '\0'; + + return (d); +} Index: lib/libc/secure/__strncpy_chk.c =================================================================== --- lib/libc/secure/__strncpy_chk.c (revision 0) +++ lib/libc/secure/__strncpy_chk.c (working copy) @@ -0,0 +1,97 @@ +/*- + * Copyright (C) 2012 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: d807b9a12d3e49132b095df3d883618452033b51 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include +#include "secure/_string.h" + +char * +__strncpy_chk(char *__restrict d, const char *__restrict s, size_t n, size_t bos) +{ + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (strncpy(d, s, n)); + + if (__predict_false(n > bos)) + __fortify_chk_fail( + "strncpy: prevented write past end of buffer"); + + return (strncpy(d, s, n)); +} + +/* + * __strncpy_chk2 + * + * This is a variant of __strncpy_chk, but it also checks to make + * sure we don't read beyond the end of "src". The code for this is + * based on the original version of strncpy, but modified to check + * how much we read from "src" at the end of the copy operation. + */ +char * +__strncpy_chk2(char *__restrict d, const char *__restrict s, size_t n, size_t d_bos, size_t s_bos) +{ + size_t s_copy_len; + + if (__predict_false(d_bos == __FORTIFY_UNKNOWN_SIZE)) + return (strncpy(d, s, n)); + + if (__predict_false(s_bos == __FORTIFY_UNKNOWN_SIZE)) + return (__strncpy_chk(d, s, n, d_bos)); + + if (__predict_false(n > d_bos)) + __fortify_chk_fail("strncpy: prevented write past end of buffer"); + + if (n != 0) { + char *_d = d; + const char *_s = s; + + do { + if ((*_d++ = *_s++) == 0) { + /* NUL pad the remaining n-1 bytes */ + while (--n != 0) + *_d++ = 0; + break; + } + } while (--n != 0); + + s_copy_len = (size_t)(_s - s); + + if (__predict_false(s_copy_len > s_bos)) + __fortify_chk_fail("strncpy: prevented read past end of buffer"); + } + + return (d); +} Index: lib/libc/secure/__strrchr_chk.c =================================================================== --- lib/libc/secure/__strrchr_chk.c (revision 0) +++ lib/libc/secure/__strrchr_chk.c (working copy) @@ -0,0 +1,62 @@ +/*- + * Copyright (c) 1988 Regents of the University of California. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: d807b9a12d3e49132b095df3d883618452033b51 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include "secure/_string.h" + +char * +__strrchr_chk(const char *p, int ch, size_t bos) +{ + char *save; + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (strrchr(p, ch)); + + for (save = NULL;; ++p, bos--) { + if (bos == 0) + __fortify_chk_fail( + "strrchr: prevented read past end of buffer"); + if (*p == (char)ch) + save = (char *)p; + if (!*p) + return (save); + } + /* NOTREACHED */ +} + +__weak_reference(__strrchr_chk, __rindex_chk); + Index: lib/libc/secure/__umask_chk.c =================================================================== --- lib/libc/secure/__umask_chk.c (revision 0) +++ lib/libc/secure/__umask_chk.c (working copy) @@ -0,0 +1,53 @@ +/*- + * Copyright (C) 2012 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * rev: d807b9a12d3e49132b095df3d883618452033b51 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include +#include +#include "secure/_stat.h" + +/* + * Validate that umask is called with sane mode. + */ +mode_t +__umask_chk(mode_t mode) +{ + + if (__predict_false((mode & 0777) != mode)) + __fortify_chk_fail("umask: called with invalid mask"); + + return (umask(mode)); +} Index: lib/libc/secure/__vsnprintf_chk.c =================================================================== --- lib/libc/secure/__vsnprintf_chk.c (revision 0) +++ lib/libc/secure/__vsnprintf_chk.c (working copy) @@ -0,0 +1,76 @@ +/*- + * Copyright (C) 2012 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: d807b9a12d3e49132b095df3d883618452033b51 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include +#include +#include "secure/_stdio.h" + +int +__vsnprintf_chk(char *d, size_t n, int flags, size_t bos, const char *fmt, va_list va) +{ + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (vsnprintf(d, n, fmt, va)); + + if (__predict_false(n > bos)) + __fortify_chk_fail( + "vsnprintf: prevented write past end of buffer"); + + return (vsnprintf(d, n, fmt, va)); +} + + +int +__snprintf_chk(char *d, size_t n, int flags, size_t bos, const char *fmt, ...) +{ + va_list va; + int result; + + if (bos == __FORTIFY_UNKNOWN_SIZE) { + va_start(va, fmt); + result = vsnprintf(d, n, fmt, va); + va_end(va); + + return (result); + } + + va_start(va, fmt); + result = __vsnprintf_chk(d, n, flags, bos, fmt, va); + va_end(va); + + return (result); +} Index: lib/libc/secure/__vsprintf_chk.c =================================================================== --- lib/libc/secure/__vsprintf_chk.c (revision 0) +++ lib/libc/secure/__vsprintf_chk.c (working copy) @@ -0,0 +1,78 @@ +/*- + * Copyright (C) 2012 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * bionic rev: d807b9a12d3e49132b095df3d883618452033b51 + * + * $FreeBSD$ + */ + +#undef _FORTIFY_SOURCE + +#include +#include +#include +#include +#include +#include "secure/_stdio.h" + +int +__vsprintf_chk(char * __restrict d, int flags, size_t bos, const char * __restrict fmt, __va_list va) +{ + int result; + + if (__predict_false(bos == __FORTIFY_UNKNOWN_SIZE)) + return (vsprintf(d, fmt, va)); + + result = vsnprintf(d, bos, fmt, va); + if ((size_t)result >= bos) + __fortify_chk_fail( + "vsprintf: prevented write past end of buffer"); + + return (result); +} + + +int +__sprintf_chk(char * __restrict d, int flags, size_t bos, const char * __restrict fmt, ...) +{ + va_list va; + int result; + + if (bos == __FORTIFY_UNKNOWN_SIZE) { + va_start(va, fmt); + result = vsprintf(d, fmt, va); + va_end(va); + + return (result); + } + + va_start(va, fmt); + result = __vsprintf_chk(d, flags, bos, fmt, va); + va_end(va); + + return (result); +} Index: lib/libc/secure/fortify_source.c =================================================================== --- lib/libc/secure/fortify_source.c (revision 0) +++ lib/libc/secure/fortify_source.c (working copy) @@ -0,0 +1,47 @@ +/*- + * Copyright (c) 2015 Olivér Pintér + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#include +#include +#include +#include +#include "secure/security.h" + +void +__fortify_chk_fail(const char* msg) +{ + + __secure_fail(msg); +} + +int +__fortify_chk_overlap(const void *a, const void *b, size_t len) +{ + + return ((a <= b && b <= a + len) || (b <= a && a <= b + len)); +} Index: lib/libc/secure/secure_common.c =================================================================== --- lib/libc/secure/secure_common.c (revision 0) +++ lib/libc/secure/secure_common.c (working copy) @@ -0,0 +1,75 @@ +/* $NetBSD: stack_protector.c,v 1.4 2006/11/22 17:23:25 christos Exp $ */ +/* $OpenBSD: stack_protector.c,v 1.10 2006/03/31 05:34:44 deraadt Exp $ */ +/* + * Copyright (c) 2002 Hiroaki Etoh, Federico G. Schwindt, and Miodrag Vallat. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include +__FBSDID("$FreeBSD$"); + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "libc_private.h" + +static void __fail(const char *) __dead2; + +/*ARGSUSED*/ +static void +__fail(const char *msg) +{ + struct sigaction sa; + sigset_t mask; + + /* Immediately block all signal handlers from running code */ + (void)sigfillset(&mask); + (void)sigdelset(&mask, SIGABRT); + (void)sigprocmask(SIG_BLOCK, &mask, NULL); + + /* This may fail on a chroot jail... */ + syslog(LOG_CRIT, "%s", msg); + + (void)memset(&sa, 0, sizeof(sa)); + (void)sigemptyset(&sa.sa_mask); + sa.sa_flags = 0; + sa.sa_handler = SIG_DFL; + (void)sigaction(SIGABRT, &sa, NULL); + (void)kill(getpid(), SIGABRT); + _exit(127); +} + +void +__secure_fail(const char *msg) +{ + + __fail(msg); +} Index: lib/libc/secure/stack_protector.c =================================================================== --- lib/libc/secure/stack_protector.c (revision 286760) +++ lib/libc/secure/stack_protector.c (working copy) @@ -33,12 +33,8 @@ #include #include #include -#include +#include #include -#include -#include -#include -#include #include "libc_private.h" extern int __sysctl(const int *name, u_int namelen, void *oldp, @@ -46,9 +42,7 @@ long __stack_chk_guard[8] = {0, 0, 0, 0, 0, 0, 0, 0}; static void __guard_setup(void) __attribute__((__constructor__, __used__)); -static void __fail(const char *); -void __stack_chk_fail(void); -void __chk_fail(void); +void __stack_chk_fail(void) __dead2; /*LINTED used*/ static void @@ -76,40 +70,18 @@ } } -/*ARGSUSED*/ -static void -__fail(const char *msg) -{ - struct sigaction sa; - sigset_t mask; - - /* Immediately block all signal handlers from running code */ - (void)sigfillset(&mask); - (void)sigdelset(&mask, SIGABRT); - (void)sigprocmask(SIG_BLOCK, &mask, NULL); - - /* This may fail on a chroot jail... */ - syslog(LOG_CRIT, "%s", msg); - - (void)memset(&sa, 0, sizeof(sa)); - (void)sigemptyset(&sa.sa_mask); - sa.sa_flags = 0; - sa.sa_handler = SIG_DFL; - (void)sigaction(SIGABRT, &sa, NULL); - (void)kill(getpid(), SIGABRT); - _exit(127); -} - void __stack_chk_fail(void) { - __fail("stack overflow detected; terminated"); + + __secure_fail("stack overflow detected; terminated"); } void __chk_fail(void) { - __fail("buffer overflow detected; terminated"); + + __secure_fail("buffer overflow detected; terminated"); } #ifndef PIC Index: lib/libc/stdio/fgets.c =================================================================== --- lib/libc/stdio/fgets.c (revision 286760) +++ lib/libc/stdio/fgets.c (working copy) @@ -33,6 +33,8 @@ #if defined(LIBC_SCCS) && !defined(lint) static char sccsid[] = "@(#)fgets.c 8.2 (Berkeley) 12/22/93"; #endif /* LIBC_SCCS and not lint */ + +#undef _FORTIFY_SOURCE #include __FBSDID("$FreeBSD$"); Index: lib/libc/stdio/fread.c =================================================================== --- lib/libc/stdio/fread.c (revision 286760) +++ lib/libc/stdio/fread.c (working copy) @@ -33,6 +33,8 @@ #if defined(LIBC_SCCS) && !defined(lint) static char sccsid[] = "@(#)fread.c 8.2 (Berkeley) 12/11/93"; #endif /* LIBC_SCCS and not lint */ + +#undef _FORTIFY_SOURCE #include __FBSDID("$FreeBSD$"); Index: lib/libc/stdio/fwrite.c =================================================================== --- lib/libc/stdio/fwrite.c (revision 286760) +++ lib/libc/stdio/fwrite.c (working copy) @@ -33,6 +33,8 @@ #if defined(LIBC_SCCS) && !defined(lint) static char sccsid[] = "@(#)fwrite.c 8.1 (Berkeley) 6/4/93"; #endif /* LIBC_SCCS and not lint */ + +#undef _FORTIFY_SOURCE #include __FBSDID("$FreeBSD$"); Index: lib/libc/stdio/gets.c =================================================================== --- lib/libc/stdio/gets.c (revision 286760) +++ lib/libc/stdio/gets.c (working copy) @@ -33,6 +33,7 @@ #if defined(LIBC_SCCS) && !defined(lint) static char sccsid[] = "@(#)gets.c 8.1 (Berkeley) 6/4/93"; #endif /* LIBC_SCCS and not lint */ + #include __FBSDID("$FreeBSD$"); Index: lib/libc/stdio/snprintf.c =================================================================== --- lib/libc/stdio/snprintf.c (revision 286760) +++ lib/libc/stdio/snprintf.c (working copy) @@ -38,6 +38,8 @@ #if defined(LIBC_SCCS) && !defined(lint) static char sccsid[] = "@(#)snprintf.c 8.1 (Berkeley) 6/4/93"; #endif /* LIBC_SCCS and not lint */ + +#undef _FORTIFY_SOURCE #include __FBSDID("$FreeBSD$"); Index: lib/libc/stdio/sprintf.c =================================================================== --- lib/libc/stdio/sprintf.c (revision 286760) +++ lib/libc/stdio/sprintf.c (working copy) @@ -38,6 +38,7 @@ #if defined(LIBC_SCCS) && !defined(lint) static char sccsid[] = "@(#)sprintf.c 8.1 (Berkeley) 6/4/93"; #endif /* LIBC_SCCS and not lint */ +#undef _FORTIFY_SOURCE #include __FBSDID("$FreeBSD$"); Index: lib/libc/stdio/vsnprintf.c =================================================================== --- lib/libc/stdio/vsnprintf.c (revision 286760) +++ lib/libc/stdio/vsnprintf.c (working copy) @@ -38,6 +38,8 @@ #if defined(LIBC_SCCS) && !defined(lint) static char sccsid[] = "@(#)vsnprintf.c 8.1 (Berkeley) 6/4/93"; #endif /* LIBC_SCCS and not lint */ + +#undef _FORTIFY_SOURCE #include __FBSDID("$FreeBSD$"); Index: lib/libc/string/bzero.c =================================================================== --- lib/libc/string/bzero.c (revision 286760) +++ lib/libc/string/bzero.c (working copy) @@ -1,3 +1,4 @@ +#undef _FORTIFY_SOURCE #include __FBSDID("$FreeBSD$"); Index: lib/libc/string/memccpy.c =================================================================== --- lib/libc/string/memccpy.c (revision 286760) +++ lib/libc/string/memccpy.c (working copy) @@ -30,6 +30,8 @@ #if defined(LIBC_SCCS) && !defined(lint) static char sccsid[] = "@(#)memccpy.c 8.1 (Berkeley) 6/4/93"; #endif /* LIBC_SCCS and not lint */ + +#undef _FORTIFY_SOURCE #include __FBSDID("$FreeBSD$"); Index: lib/libc/string/memchr.c =================================================================== --- lib/libc/string/memchr.c (revision 286760) +++ lib/libc/string/memchr.c (working copy) @@ -33,6 +33,8 @@ #if defined(LIBC_SCCS) && !defined(lint) static char sccsid[] = "@(#)memchr.c 8.1 (Berkeley) 6/4/93"; #endif /* LIBC_SCCS and not lint */ + +#undef _FORTIFY_SOURCE #include __FBSDID("$FreeBSD$"); Index: lib/libc/string/memset.c =================================================================== --- lib/libc/string/memset.c (revision 286760) +++ lib/libc/string/memset.c (working copy) @@ -33,6 +33,7 @@ #if defined(LIBC_SCCS) && !defined(lint) static char sccsid[] = "@(#)memset.c 8.1 (Berkeley) 6/4/93"; #endif /* LIBC_SCCS and not lint */ +#undef _FORTIFY_SOURCE #include __FBSDID("$FreeBSD$"); Index: lib/libc/string/stpncpy.c =================================================================== --- lib/libc/string/stpncpy.c (revision 286760) +++ lib/libc/string/stpncpy.c (working copy) @@ -24,6 +24,7 @@ * SUCH DAMAGE. */ +#undef _FORTIFY_SOURCE #include __FBSDID("$FreeBSD$"); Index: lib/libc/string/strchr.c =================================================================== --- lib/libc/string/strchr.c (revision 286760) +++ lib/libc/string/strchr.c (working copy) @@ -30,6 +30,8 @@ #if defined(LIBC_SCCS) && !defined(lint) static char sccsid[] = "@(#)index.c 8.1 (Berkeley) 6/4/93"; #endif /* LIBC_SCCS and not lint */ + +#undef _FORTIFY_SOURCE #include __FBSDID("$FreeBSD$"); Index: lib/libc/string/strchrnul.c =================================================================== --- lib/libc/string/strchrnul.c (revision 286760) +++ lib/libc/string/strchrnul.c (working copy) @@ -25,6 +25,7 @@ * */ +#undef _FORTIFY_SOURCE #include __FBSDID("$FreeBSD$"); Index: lib/libc/string/strlcat.c =================================================================== --- lib/libc/string/strlcat.c (revision 286760) +++ lib/libc/string/strlcat.c (working copy) @@ -16,6 +16,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +#undef _FORTIFY_SOURCE #include __FBSDID("$FreeBSD$"); Index: lib/libc/string/strlcpy.c =================================================================== --- lib/libc/string/strlcpy.c (revision 286760) +++ lib/libc/string/strlcpy.c (working copy) @@ -16,6 +16,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +#undef _FORTIFY_SOURCE #include __FBSDID("$FreeBSD$"); Index: lib/libc/string/strlen.c =================================================================== --- lib/libc/string/strlen.c (revision 286760) +++ lib/libc/string/strlen.c (working copy) @@ -24,6 +24,7 @@ * SUCH DAMAGE. */ +#undef _FORTIFY_SOURCE #include __FBSDID("$FreeBSD$"); Index: lib/libc/string/strrchr.c =================================================================== --- lib/libc/string/strrchr.c (revision 286760) +++ lib/libc/string/strrchr.c (working copy) @@ -30,6 +30,8 @@ #if defined(LIBC_SCCS) && !defined(lint) static char sccsid[] = "@(#)rindex.c 8.1 (Berkeley) 6/4/93"; #endif /* LIBC_SCCS and not lint */ + +#undef _FORTIFY_SOURCE #include __FBSDID("$FreeBSD$"); Index: lib/libc/sys/read.c =================================================================== --- lib/libc/sys/read.c (revision 286760) +++ lib/libc/sys/read.c (working copy) @@ -30,6 +30,7 @@ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +#undef _FORTIFY_SOURCE #include __FBSDID("$FreeBSD$"); Index: lib/libc/sys/readv.c =================================================================== --- lib/libc/sys/readv.c (revision 286760) +++ lib/libc/sys/readv.c (working copy) @@ -30,6 +30,7 @@ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +#undef _FORTIFY_SOURCE #include __FBSDID("$FreeBSD$"); Index: lib/libsqlite3/Makefile =================================================================== --- lib/libsqlite3/Makefile (revision 286760) +++ lib/libsqlite3/Makefile (working copy) @@ -7,6 +7,8 @@ SRCS= sqlite3.c +MK_FORTIFY= no + SQLITE= ${.CURDIR}/../../contrib/sqlite3 .PATH: ${SQLITE} Index: lib/libstand/Makefile =================================================================== --- lib/libstand/Makefile (revision 286760) +++ lib/libstand/Makefile (working copy) @@ -8,6 +8,7 @@ MK_PROFILE= no MK_SSP= no +MK_FORTIFY= no .include Index: lib/libstand/stand.h =================================================================== --- lib/libstand/stand.h (revision 286760) +++ lib/libstand/stand.h (working copy) @@ -61,6 +61,12 @@ #ifndef STAND_H #define STAND_H +#undef _FORTIFY_SOURCE +/* + * Yes, this second one is a big hack. + */ +#undef __BSD_FORTIFY + #include #include #include Index: lib/libthr/Makefile =================================================================== --- lib/libthr/Makefile (revision 286760) +++ lib/libthr/Makefile (working copy) @@ -12,6 +12,7 @@ .include MK_SSP= no +MK_FORTIFY= no LIB=thr SHLIB_MAJOR= 3 Index: libexec/rtld-elf/Makefile =================================================================== --- libexec/rtld-elf/Makefile (revision 286760) +++ libexec/rtld-elf/Makefile (working copy) @@ -6,6 +6,7 @@ .include MK_SSP= no +MK_FORTIFY= no PROG?= ld-elf.so.1 SRCS= rtld_start.S \ Index: rescue/librescue/Makefile =================================================================== --- rescue/librescue/Makefile (revision 286760) +++ rescue/librescue/Makefile (working copy) @@ -4,6 +4,7 @@ .include MK_SSP= no +MK_FORTIFY= no # Certain library entries have hard-coded references to # /bin, /sbin, etc, that require those entries to be Index: rescue/rescue/Makefile =================================================================== --- rescue/rescue/Makefile (revision 286760) +++ rescue/rescue/Makefile (working copy) @@ -5,6 +5,7 @@ MAN= MK_SSP= no +MK_FORTIFY= no PROG= rescue BINDIR?=/rescue Index: share/mk/bsd.opts.mk =================================================================== --- share/mk/bsd.opts.mk (revision 286760) +++ share/mk/bsd.opts.mk (working copy) @@ -51,6 +51,7 @@ __DEFAULT_YES_OPTIONS = \ ASSERT_DEBUG \ DOCCOMPRESS \ + FORTIFY \ INCLUDES \ INSTALLLIB \ KERBEROS \ Index: share/mk/bsd.sys.mk =================================================================== --- share/mk/bsd.sys.mk (revision 286760) +++ share/mk/bsd.sys.mk (working copy) @@ -153,6 +153,11 @@ CFLAGS+= ${SSP_CFLAGS} .endif # SSP && !ARM && !MIPS +.if ${MK_FORTIFY} != "no" +FORTIFY_CFLAGS?= -D_FORTIFY_SOURCE=1 +CFLAGS+= ${FORTIFY_CFLAGS} +.endif # FORTIFY + # Allow user-specified additional warning flags, plus compiler specific flag overrides. # Unless we've overriden this... .if ${MK_WARNS} != "no" Index: sys/boot/arm/uboot/Makefile =================================================================== --- sys/boot/arm/uboot/Makefile (revision 286760) +++ sys/boot/arm/uboot/Makefile (working copy) @@ -2,6 +2,8 @@ .include +MK_FORTIFY= no + FILES= ubldr ubldr.bin NEWVERSWHAT= "U-Boot loader" ${MACHINE_ARCH} Index: sys/boot/arm64/Makefile =================================================================== --- sys/boot/arm64/Makefile (revision 286760) +++ sys/boot/arm64/Makefile (working copy) @@ -1,3 +1,7 @@ # $FreeBSD$ +.include + +MK_FORTIFY= no + .include Index: sys/boot/common/Makefile =================================================================== --- sys/boot/common/Makefile (revision 286760) +++ sys/boot/common/Makefile (working copy) @@ -2,6 +2,8 @@ .include +MK_FORTIFY= no + MAN+= loader.8 .if ${MK_ZFS} != "no" MAN+= zfsloader.8 Index: sys/boot/efi/boot1/Makefile =================================================================== --- sys/boot/efi/boot1/Makefile (revision 286760) +++ sys/boot/efi/boot1/Makefile (working copy) @@ -8,6 +8,7 @@ .if ${COMPILER_TYPE} != "gcc" MK_SSP= no +MK_FORTIFY= no PROG= loader.sym INTERNALPROG= Index: sys/boot/efi/fdt/Makefile =================================================================== --- sys/boot/efi/fdt/Makefile (revision 286760) +++ sys/boot/efi/fdt/Makefile (working copy) @@ -2,6 +2,8 @@ .include +MK_FORTIFY= no + .PATH: ${.CURDIR}/../../common LIB= efi_fdt Index: sys/boot/efi/libefi/Makefile =================================================================== --- sys/boot/efi/libefi/Makefile (revision 286760) +++ sys/boot/efi/libefi/Makefile (working copy) @@ -1,5 +1,9 @@ # $FreeBSD$ +.include + +MK_FORTIFY= no + LIB= efi INTERNALLIB= Index: sys/boot/efi/loader/Makefile =================================================================== --- sys/boot/efi/loader/Makefile (revision 286760) +++ sys/boot/efi/loader/Makefile (working copy) @@ -8,6 +8,7 @@ .if ${COMPILER_TYPE} != "gcc" MK_SSP= no +MK_FORTIFY= no PROG= loader.sym INTERNALPROG= Index: sys/boot/fdt/Makefile =================================================================== --- sys/boot/fdt/Makefile (revision 286760) +++ sys/boot/fdt/Makefile (working copy) @@ -1,5 +1,9 @@ # $FreeBSD$ +.include + +MK_FORTIFY= no + .PATH: ${.CURDIR}/../../contrib/libfdt/ LIB= fdt Index: sys/boot/ficl/Makefile =================================================================== --- sys/boot/ficl/Makefile (revision 286760) +++ sys/boot/ficl/Makefile (working copy) @@ -1,6 +1,10 @@ # $FreeBSD$ # +.include + +MK_FORTIFY= no + FICLDIR?= ${.CURDIR} .if defined(FICL32) Index: sys/boot/i386/libi386/Makefile =================================================================== --- sys/boot/i386/libi386/Makefile (revision 286760) +++ sys/boot/i386/libi386/Makefile (working copy) @@ -1,5 +1,10 @@ # $FreeBSD$ # + +.include + +MK_FORTIFY= no + LIB= i386 INTERNALLIB= Index: sys/boot/i386/loader/Makefile =================================================================== --- sys/boot/i386/loader/Makefile (revision 286760) +++ sys/boot/i386/loader/Makefile (working copy) @@ -2,6 +2,7 @@ .include MK_SSP= no +MK_FORTIFY= no LOADER?= loader PROG= ${LOADER}.sym Index: sys/boot/libstand32/Makefile =================================================================== --- sys/boot/libstand32/Makefile (revision 286760) +++ sys/boot/libstand32/Makefile (working copy) @@ -10,6 +10,7 @@ .include MK_SSP= no +MK_FORTIFY= no LIBSTAND_SRC= ${.CURDIR}/../../../lib/libstand LIBC_SRC= ${LIBSTAND_SRC}/../libc Index: sys/boot/mips/beri/loader/Makefile =================================================================== --- sys/boot/mips/beri/loader/Makefile (revision 286760) +++ sys/boot/mips/beri/loader/Makefile (working copy) @@ -31,6 +31,7 @@ .include MK_SSP= no +MK_FORTIFY= no MAN= PROG?= loader Index: sys/boot/pc98/loader/Makefile =================================================================== --- sys/boot/pc98/loader/Makefile (revision 286760) +++ sys/boot/pc98/loader/Makefile (working copy) @@ -2,6 +2,7 @@ .include MK_SSP= no +MK_FORTIFY= no MAN= LOADER?= loader Index: sys/boot/powerpc/kboot/Makefile =================================================================== --- sys/boot/powerpc/kboot/Makefile (revision 286760) +++ sys/boot/powerpc/kboot/Makefile (working copy) @@ -2,6 +2,7 @@ .include MK_SSP= no +MK_FORTIFY= no MAN= PROG= loader.kboot Index: sys/boot/powerpc/ofw/Makefile =================================================================== --- sys/boot/powerpc/ofw/Makefile (revision 286760) +++ sys/boot/powerpc/ofw/Makefile (working copy) @@ -2,6 +2,7 @@ .include MK_SSP= no +MK_FORTIFY= no MAN= PROG= loader Index: sys/boot/powerpc/ps3/Makefile =================================================================== --- sys/boot/powerpc/ps3/Makefile (revision 286760) +++ sys/boot/powerpc/ps3/Makefile (working copy) @@ -2,6 +2,7 @@ .include MK_SSP= no +MK_FORTIFY= no MAN= PROG= loader.ps3 Index: sys/boot/powerpc/uboot/Makefile =================================================================== --- sys/boot/powerpc/uboot/Makefile (revision 286760) +++ sys/boot/powerpc/uboot/Makefile (working copy) @@ -1,6 +1,7 @@ # $FreeBSD$ .include +MK_FORTIFY= no PROG= ubldr NEWVERSWHAT= "U-Boot loader" ${MACHINE_ARCH} Index: sys/boot/sparc64/loader/Makefile =================================================================== --- sys/boot/sparc64/loader/Makefile (revision 286760) +++ sys/boot/sparc64/loader/Makefile (working copy) @@ -2,6 +2,7 @@ .include MK_SSP= no +MK_FORTIFY= no MAN= PROG?= loader Index: sys/boot/zfs/Makefile =================================================================== --- sys/boot/zfs/Makefile (revision 286760) +++ sys/boot/zfs/Makefile (working copy) @@ -1,5 +1,9 @@ # $FreeBSD$ +.include + +MK_FORTIFY= no + LIB= zfsboot INTERNALLIB= Index: sys/sys/cdefs.h =================================================================== --- sys/sys/cdefs.h (revision 286760) +++ sys/sys/cdefs.h (working copy) @@ -545,6 +545,26 @@ #define __gnu_inline #endif +#if __has_attribute(error) || __GNUC_PREREQ__(4, 3) +#define __error_attr(msg) __attribute__((__error__(msg))) +#else +#define __error_attr(msg) +#endif + +/* FORTIFY_SOURCE related defines. */ +#if __GNUC_PREREQ__(4, 1) && defined(_FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0 && \ + defined(__OPTIMIZE__) && __OPTIMIZE__ > 0 && !defined(lint) +#define __BSD_FORTIFY 1 +#if _FORTIFY_SOURCE >= 2 +#define __bos(s) __builtin_object_size((s), 1) +#else +#define __bos(s) __builtin_object_size((s), 0) +#endif +#define __bos0(s) __builtin_object_size((s), 0) +#define __FORTIFY_INLINE extern __inline __always_inline __gnu_inline +#endif /* !_FORTIFY_SOURCE */ +#define __FORTIFY_UNKNOWN_SIZE ((size_t) -1) + /* Compiler-dependent macros that rely on FreeBSD-specific extensions. */ #if defined(__FreeBSD_cc_version) && __FreeBSD_cc_version >= 300001 && \ defined(__GNUC__) && !defined(__INTEL_COMPILER) Index: sys/sys/poll.h =================================================================== --- sys/sys/poll.h (revision 286760) +++ sys/sys/poll.h (working copy) @@ -117,6 +117,10 @@ #endif __END_DECLS +#ifdef __BSD_FORTIFY +#include +#endif + #endif /* !_KERNEL */ #endif /* !_SYS_POLL_H_ */ Index: sys/sys/select.h =================================================================== --- sys/sys/select.h (revision 286760) +++ sys/sys/select.h (working copy) @@ -103,6 +103,7 @@ int select(int, fd_set *, fd_set *, fd_set *, struct timeval *); #endif __END_DECLS + #endif /* !_KERNEL */ #endif /* _SYS_SELECT_H_ */ Index: sys/sys/socket.h =================================================================== --- sys/sys/socket.h (revision 286760) +++ sys/sys/socket.h (working copy) @@ -630,6 +630,10 @@ int socketpair(int, int, int, int *); __END_DECLS +#ifdef __BSD_FORTIFY +#include +#endif + #endif /* !_KERNEL */ #ifdef _KERNEL Index: sys/sys/stat.h =================================================================== --- sys/sys/stat.h (revision 286760) +++ sys/sys/stat.h (working copy) @@ -356,6 +356,11 @@ int mknodat(int, const char *, mode_t, dev_t); #endif __END_DECLS + +#ifdef __BSD_FORTIFY +#include +#endif + #endif /* !_KERNEL */ #endif /* !_SYS_STAT_H_ */