Index: Makefile.inc1 =================================================================== RCS file: /mnt/space/freebsd-cvs/src/Makefile.inc1,v retrieving revision 1.499.2.21 diff -u -p -r1.499.2.21 Makefile.inc1 --- Makefile.inc1 16 May 2007 21:39:44 -0000 1.499.2.21 +++ Makefile.inc1 1 Mar 2008 21:25:33 -0000 @@ -208,6 +208,7 @@ BMAKE= MAKEOBJDIRPREFIX=${WORLDTMP} \ ${BMAKEENV} ${MAKE} -f Makefile.inc1 \ DESTDIR= \ BOOTSTRAPPING=${OSRELDATE} \ + SSP_CFLAGS= \ -DNO_HTML -DNO_INFO -DNO_LINT -DNO_MAN -DNO_NLS -DNO_PIC \ -DNO_PROFILE -DNO_SHARED -DNO_CPU_CFLAGS -DNO_WARNS @@ -216,6 +217,7 @@ TMAKE= MAKEOBJDIRPREFIX=${OBJTREE} \ ${BMAKEENV} ${MAKE} -f Makefile.inc1 \ TARGET=${TARGET} TARGET_ARCH=${TARGET_ARCH} \ DESTDIR= \ + SSP_CFLAGS= \ BOOTSTRAPPING=${OSRELDATE} -DNO_LINT -DNO_CPU_CFLAGS -DNO_WARNS # cross-tools stage @@ -427,7 +429,7 @@ build32: .if !defined(NO_KERBEROS) && !defined(NO_CRYPT) && !defined(NO_OPENSSL) .for _t in obj depend all cd ${.CURDIR}/kerberos5/tools; \ - MAKEOBJDIRPREFIX=${OBJTREE}/lib32 ${MAKE} DESTDIR= ${_t} + MAKEOBJDIRPREFIX=${OBJTREE}/lib32 ${MAKE} SSP_CFLAGS= DESTDIR= ${_t} .endfor .endif .for _t in obj includes @@ -446,7 +448,7 @@ build32: .endfor .for _dir in lib/ncurses/ncurses lib/ncurses/ncursesw lib/libmagic cd ${.CURDIR}/${_dir}; \ - MAKEOBJDIRPREFIX=${OBJTREE}/lib32 ${MAKE} DESTDIR= build-tools + MAKEOBJDIRPREFIX=${OBJTREE}/lib32 ${MAKE} SSP_CFLAGS= DESTDIR= build-tools .endfor cd ${.CURDIR}; \ ${LIB32WMAKE} -f Makefile.inc1 libraries @@ -686,13 +688,13 @@ buildkernel: @echo "--------------------------------------------------------------" cd ${KRNLOBJDIR}/${_kernel}; \ MAKESRCPATH=${KERNSRCDIR}/dev/aic7xxx/aicasm \ - ${MAKE} -DNO_CPU_CFLAGS -f ${KERNSRCDIR}/dev/aic7xxx/aicasm/Makefile + ${MAKE} SSP_CFLAGS= -DNO_CPU_CFLAGS -f ${KERNSRCDIR}/dev/aic7xxx/aicasm/Makefile # XXX - Gratuitously builds aicasm in the ``makeoptions NO_MODULES'' case. .if !defined(MODULES_WITH_WORLD) && !defined(NO_MODULES) && exists(${KERNSRCDIR}/modules) .for target in obj depend all cd ${KERNSRCDIR}/modules/aic7xxx/aicasm; \ MAKEOBJDIRPREFIX=${KRNLOBJDIR}/${_kernel}/modules \ - ${MAKE} -DNO_CPU_CFLAGS ${target} + ${MAKE} SSP_CFLAGS= -DNO_CPU_CFLAGS ${target} .endfor .endif .if !defined(NO_KERNELDEPEND) Index: gnu/lib/libgcc/Makefile =================================================================== RCS file: /mnt/space/freebsd-cvs/src/gnu/lib/libgcc/Makefile,v retrieving revision 1.54.2.1 diff -u -p -r1.54.2.1 Makefile --- gnu/lib/libgcc/Makefile 5 Oct 2006 19:46:06 -0000 1.54.2.1 +++ gnu/lib/libgcc/Makefile 1 Mar 2008 21:25:33 -0000 @@ -37,6 +37,8 @@ CFLAGS+= -DIN_GCC -DIN_LIBGCC2 -D__GCC_F CFLAGS+= -D_PTHREADS -DGTHREAD_USE_WEAK CFLAGS+= -I${.CURDIR}/../../usr.bin/cc/cc_tools \ -I${GCCDIR}/config -I${GCCDIR} -I. +# Do not compile SSP symbols in libgcc. +CFLAGS+= -D_LIBC_PROVIDES_SSP_ OBJS= # added to below in various ways depending on TARGET_ARCH Index: gnu/usr.bin/cc/cc_int/Makefile =================================================================== RCS file: /mnt/space/freebsd-cvs/src/gnu/usr.bin/cc/cc_int/Makefile,v retrieving revision 1.45.2.1 diff -u -p -r1.45.2.1 Makefile --- gnu/usr.bin/cc/cc_int/Makefile 29 Sep 2006 01:50:03 -0000 1.45.2.1 +++ gnu/usr.bin/cc/cc_int/Makefile 1 Mar 2008 21:25:33 -0000 @@ -33,7 +33,8 @@ SRCS+= alias.c bb-reorder.c bitmap.c bui sibcall.c simplify-rtx.c sreal.c stmt.c stor-layout.c stringpool.c \ targhooks.c timevar.c toplev.c tracer.c tree.c tree-dump.c unroll.c \ varasm.c varray.c version.c vmsdbgout.c xcoffout.c alloc-pool.c \ - et-forest.c cfghooks.c bt-load.c pretty-print.c ggc-page.c web.c + et-forest.c cfghooks.c bt-load.c pretty-print.c ggc-page.c web.c \ + protector.c # Miscellaneous files. SRCS+= hashtable.c tree-inline.c tree-optimize.c cgraph.c cgraphunit.c Index: lib/Makefile =================================================================== RCS file: /mnt/space/freebsd-cvs/src/lib/Makefile,v retrieving revision 1.205.2.4 diff -u -p -r1.205.2.4 Makefile --- lib/Makefile 25 Oct 2007 12:45:39 -0000 1.205.2.4 +++ lib/Makefile 1 Mar 2008 21:29:49 -0000 @@ -33,7 +33,7 @@ SUBDIR= ${_csu} libc libbsm libcom_err l libipx libkiconv libmagic libmemstat ${_libmilter} ${_libmp} \ ${_libncp} ${_libngatm} libopie libpam libpcap \ libpmc ${_libpthread} ${_libsdp} ${_libsm} ${_libsmb} ${_libsmdb} \ - ${_libsmutil} libstand libtelnet ${_libthr} ${_libthread_db} libufs \ + ${_libsmutil} libssp libstand libtelnet ${_libthr} ${_libthread_db} libufs \ libugidfw ${_libusbhid} ${_libvgl} libwrap liby libz ${_bind} .if exists(${.CURDIR}/csu/${MACHINE_ARCH}-elf) Index: lib/libc/Makefile =================================================================== RCS file: /mnt/space/freebsd-cvs/src/lib/libc/Makefile,v retrieving revision 1.56.2.3 diff -u -p -r1.56.2.3 Makefile --- lib/libc/Makefile 11 Mar 2007 10:15:48 -0000 1.56.2.3 +++ lib/libc/Makefile 1 Mar 2008 21:25:33 -0000 @@ -85,6 +85,10 @@ SRCS+= ${_src} .endfor .endif +# Pull in ProPolice/SSP symbols. +OBJS= ssp.o +ssp.o: ../libssp/ssp.c + KQSRCS= adddi3.c anddi3.c ashldi3.c ashrdi3.c cmpdi2.c divdi3.c iordi3.c \ lshldi3.c lshrdi3.c moddi3.c muldi3.c negdi2.c notdi2.c qdivrem.c \ subdi3.c ucmpdi2.c udivdi3.c umoddi3.c xordi3.c Index: lib/libssp/Makefile =================================================================== RCS file: lib/libssp/Makefile diff -N lib/libssp/Makefile --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ lib/libssp/Makefile 1 Mar 2008 21:25:33 -0000 @@ -0,0 +1,18 @@ +# +# $Id$ +# + +SHLIB_MAJOR= 1 +LIB= ssp +SHLIBDIR?= /lib +SHLIB_MAJOR= 1 + +SRCS= ssp.c +CFLAGS+= -DLIBSSP +LDFLAGS+= -nodefaultlibs +SSP_CFLAGS= + +PRECIOUSLIB= +INSTALL_PIC_ARCHIVE= + +.include Index: lib/libssp/ssp.c =================================================================== RCS file: lib/libssp/ssp.c diff -N lib/libssp/ssp.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ lib/libssp/ssp.c 1 Mar 2008 21:25:33 -0000 @@ -0,0 +1,104 @@ +/* + * Copyright (c) 2002 Hiroaki Etoh, Federico G. Schwindt, and Miodrag Vallat. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + */ + +#if defined(LIBC_SCCS) && !defined(list) +static char rcsid[] = "$FreeBSD$$"; +#endif + +#include +#include +#include +#include +#include +#include +#include + +extern int __sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, + void *newp, size_t newlen); + +long __guard[1] = { 0 }; + +static void __guard_setup(void) __attribute__ ((constructor)); +void __stack_smash_handler(char func[], + int damaged __attribute__((unused))); + +static void +__guard_setup(void) +{ + int mib[2]; + long *guard = __guard; + size_t len; + + if (*guard != 0) + return; + + mib[0] = CTL_KERN; + mib[1] = KERN_ARND; + + len = sizeof(__guard) / sizeof(long); + while (len != 0) { + if (__sysctl(mib, 2, (char *)guard, &len, NULL, 0) == -1) + break; + len--; + } + if (len == 0) + return; + /* + * If a random generator can't be used, the protector switches the + * guard to the "terminator canary" + */ + ((char*)guard)[0] = 0; + ((char*)guard)[1] = 0; + ((char*)guard)[2] = '\n'; + ((char*)guard)[3] = 255; +} + +void +__stack_smash_handler(char func[], int damaged) +{ + static const char message[] = "stack overflow in function %s"; + struct sigaction sa; + sigset_t mask; + + /* Immediately block all signal handlers from running code. */ + sigfillset(&mask); + sigdelset(&mask, SIGABRT); + sigprocmask(SIG_BLOCK, &mask, NULL); + + /* This may fail on a chroot jail, though luck. */ + syslog(LOG_CRIT, message, func); + + bzero(&sa, sizeof(struct sigaction)); + sigemptyset(&sa.sa_mask); + sa.sa_flags = 0; + sa.sa_handler = SIG_DFL; + sigaction(SIGABRT, &sa, NULL); + + kill(getpid(), SIGABRT); + + _exit(127); +} Index: lib/libstand/Makefile =================================================================== RCS file: /mnt/space/freebsd-cvs/src/lib/libstand/Makefile,v retrieving revision 1.54.2.2 diff -u -p -r1.54.2.2 Makefile --- lib/libstand/Makefile 24 Jan 2008 22:23:20 -0000 1.54.2.2 +++ lib/libstand/Makefile 1 Mar 2008 21:25:33 -0000 @@ -14,6 +14,7 @@ MAN= libstand.3 CFLAGS+= -ffreestanding -Wformat CFLAGS+= -I${.CURDIR} +SSP_CFLAGS= .if ${MACHINE_ARCH} == "alpha" CFLAGS+= -mno-fp-regs Index: share/man/man5/make.conf.5 =================================================================== RCS file: /mnt/space/freebsd-cvs/src/share/man/man5/make.conf.5,v retrieving revision 1.121.2.11 diff -u -p -r1.121.2.11 make.conf.5 --- share/man/man5/make.conf.5 18 Jun 2007 04:35:36 -0000 1.121.2.11 +++ share/man/man5/make.conf.5 1 Mar 2008 21:25:33 -0000 @@ -260,6 +260,24 @@ Set this to not update the doc tree duri .Pq Vt bool Set this to not update the ports tree during .Dq Li "make update" . +.It Va ENABLE_SSP +.Pq Vt bool +Set this to enable ProPolice stack-smashing protection +.Pq for both base system and ports . +.It Va SSP_CFLAGS +.Pq Vt str +Controls the compiler stack protection setting when compiling C code. +You must set +.Va ENABLE_SSP +to get this variable appended to the content of +.Va CFLAGS . +.Em You must not set stack protection setting in CFLAGS +.Em or you will not be able to make buildworld any longer. +This variable is normally empty and defaults to +.Fl fstack-protector +for the base-system when the +.Va ENABLE_SSP +variable is turned on, but you can override it. .It Va PORTSSUPFILE .Pq Vt str The ports Index: share/mk/Makefile =================================================================== RCS file: /mnt/space/freebsd-cvs/src/share/mk/Makefile,v retrieving revision 1.46.2.2 diff -u -p -r1.46.2.2 Makefile --- share/mk/Makefile 8 Jun 2007 16:03:38 -0000 1.46.2.2 +++ share/mk/Makefile 1 Mar 2008 21:25:33 -0000 @@ -10,6 +10,7 @@ FILES+= bsd.obj.mk bsd.own.mk FILES+= bsd.port.mk bsd.port.options.mk bsd.port.post.mk FILES+= bsd.port.pre.mk bsd.port.subdir.mk bsd.prog.mk FILES+= bsd.snmpmod.mk bsd.subdir.mk bsd.sys.mk +FILES+= bsd.ssp.mk FILES+= sys.mk NO_OBJ= FILESDIR= ${BINDIR}/mk Index: share/mk/bsd.README =================================================================== RCS file: /mnt/space/freebsd-cvs/src/share/mk/bsd.README,v retrieving revision 1.28.2.1 diff -u -p -r1.28.2.1 bsd.README --- share/mk/bsd.README 26 Jun 2006 13:54:37 -0000 1.28.2.1 +++ share/mk/bsd.README 1 Mar 2008 21:25:33 -0000 @@ -37,6 +37,7 @@ bsd.port.pre.mk - building ports bsd.port.subdir.mk - targets for building subdirectories for ports bsd.prog.mk - building programs from source files bsd.snmpmod.mk - building modules for the SNMP daemon bsnmpd +bsd.ssp.mk - handle ProPolice/SSP settings bsd.subdir.mk - targets for building subdirectories bsd.sys.mk - common settings used for building FreeBSD sources sys.mk - default rules for all makes Index: share/mk/bsd.libnames.mk =================================================================== RCS file: /mnt/space/freebsd-cvs/src/share/mk/bsd.libnames.mk,v retrieving revision 1.94.2.3 diff -u -p -r1.94.2.3 bsd.libnames.mk --- share/mk/bsd.libnames.mk 6 Apr 2007 17:52:06 -0000 1.94.2.3 +++ share/mk/bsd.libnames.mk 1 Mar 2008 21:25:33 -0000 @@ -126,6 +126,7 @@ LIBSDP?= ${DESTDIR}${LIBDIR}/libsdp.a LIBSMB?= ${DESTDIR}${LIBDIR}/libsmb.a LIBSSH?= ${DESTDIR}${LIBDIR}/libssh.a LIBSSL?= ${DESTDIR}${LIBDIR}/libssl.a +LIBSSP?= ${DESTDIR}${LIBDIR}/libssp.a LIBSTAND?= ${DESTDIR}${LIBDIR}/libstand.a LIBSTDCPLUSPLUS?= ${DESTDIR}${LIBDIR}/libstdc++.a LIBTACPLUS?= ${DESTDIR}${LIBDIR}/libtacplus.a Index: share/mk/bsd.port.mk =================================================================== RCS file: /mnt/space/freebsd-cvs/src/share/mk/bsd.port.mk,v retrieving revision 1.307 diff -u -p -r1.307 bsd.port.mk --- share/mk/bsd.port.mk 2 Jul 2004 20:47:18 -0000 1.307 +++ share/mk/bsd.port.mk 1 Mar 2008 21:25:33 -0000 @@ -5,3 +5,10 @@ BSDPORTMK?= ${PORTSDIR}/Mk/bsd.port.mk .include .include "${BSDPORTMK}" + +# XXX This belongs to ports/Mk/bsd.port.mk where it should be documented as +# well, but it is easier to distribute as long as it is a patch. +.if defined(USE_SSP) && ${USE_SSP:L} == "yes" +SSP_CFLAGS ?= -fstack-protector +CFLAGS += ${SSP_CFLAGS} +.endif Index: share/mk/bsd.ssp.mk =================================================================== RCS file: share/mk/bsd.ssp.mk diff -N share/mk/bsd.ssp.mk --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ share/mk/bsd.ssp.mk 1 Mar 2008 21:25:33 -0000 @@ -0,0 +1,9 @@ +# Handle the stack protection flags. + +.if defined(ENABLE_SSP) +SSP_CFLAGS ?= -fstack-protector +CFLAGS += ${SSP_CFLAGS} +. if defined(WARNS) && ${WARNS} >= 7 && !empty(SSP_CFLAGS) +CWARNFLAGS += -Wstack-protector +. endif +.endif Index: share/mk/bsd.sys.mk =================================================================== RCS file: /mnt/space/freebsd-cvs/src/share/mk/bsd.sys.mk,v retrieving revision 1.37.2.1 diff -u -p -r1.37.2.1 bsd.sys.mk --- share/mk/bsd.sys.mk 13 Sep 2006 08:40:40 -0000 1.37.2.1 +++ share/mk/bsd.sys.mk 1 Mar 2008 21:25:33 -0000 @@ -69,3 +69,5 @@ CWARNFLAGS += -Werror # Allow user-specified additional warning flags CFLAGS += ${CWARNFLAGS} + +.include Index: sys/boot/efi/Makefile.inc =================================================================== RCS file: /mnt/space/freebsd-cvs/src/sys/boot/efi/Makefile.inc,v retrieving revision 1.7 diff -u -p -r1.7 Makefile.inc --- sys/boot/efi/Makefile.inc 12 Feb 2004 08:10:33 -0000 1.7 +++ sys/boot/efi/Makefile.inc 1 Mar 2008 21:25:33 -0000 @@ -5,3 +5,6 @@ BINDIR?= /boot # Options used when building app-specific efi components CFLAGS+= -ffreestanding -fshort-wchar -Wformat LDFLAGS+= -nostdlib + +# No need for stack-smashing protection in sys/boot/. +SSP_CFLAGS= Index: sys/boot/ficl/Makefile =================================================================== RCS file: /mnt/space/freebsd-cvs/src/sys/boot/ficl/Makefile,v retrieving revision 1.41.2.2 diff -u -p -r1.41.2.2 Makefile --- sys/boot/ficl/Makefile 24 Oct 2007 11:50:07 -0000 1.41.2.2 +++ sys/boot/ficl/Makefile 1 Mar 2008 21:25:33 -0000 @@ -6,6 +6,7 @@ BASE_SRCS= dict.c ficl.c fileaccess.c fl SRCS= ${BASE_SRCS} sysdep.c softcore.c CLEANFILES= softcore.c testmain testmain.o +SSP_CFLAGS= CFLAGS+= -ffreestanding .if ${MACHINE_ARCH} == "alpha" CFLAGS+= -mno-fp-regs -Os Index: sys/boot/i386/Makefile.inc =================================================================== RCS file: /mnt/space/freebsd-cvs/src/sys/boot/i386/Makefile.inc,v retrieving revision 1.10.2.1 diff -u -p -r1.10.2.1 Makefile.inc --- sys/boot/i386/Makefile.inc 25 Oct 2006 15:03:29 -0000 1.10.2.1 +++ sys/boot/i386/Makefile.inc 1 Mar 2008 21:25:33 -0000 @@ -15,6 +15,9 @@ LDFLAGS+= -m elf_i386_fbsd AFLAGS+= --32 .endif +# No need for stack-smashing protection in sys/boot/. +SSP_CFLAGS= + # BTX components .if exists(${.OBJDIR}/../btx) BTXDIR= ${.OBJDIR}/../btx Index: sys/boot/ofw/libofw/Makefile =================================================================== RCS file: /mnt/space/freebsd-cvs/src/sys/boot/ofw/libofw/Makefile,v retrieving revision 1.9 diff -u -p -r1.9 Makefile --- sys/boot/ofw/libofw/Makefile 24 Oct 2004 15:32:50 -0000 1.9 +++ sys/boot/ofw/libofw/Makefile 1 Mar 2008 21:25:33 -0000 @@ -17,6 +17,9 @@ CFLAGS+= -ffreestanding CFLAGS+= -msoft-float .endif +# No need for stack-smashing protection in sys/boot/. +SSP_CFLAGS= + .ifdef(BOOT_DISK_DEBUG) # Make the disk code more talkative CFLAGS+= -DDISK_DEBUG Index: sys/boot/sparc64/Makefile.inc =================================================================== RCS file: /mnt/space/freebsd-cvs/src/sys/boot/sparc64/Makefile.inc,v retrieving revision 1.1 diff -u -p -r1.1 Makefile.inc --- sys/boot/sparc64/Makefile.inc 9 Feb 2004 14:17:02 -0000 1.1 +++ sys/boot/sparc64/Makefile.inc 1 Mar 2008 21:25:33 -0000 @@ -3,3 +3,6 @@ BINDIR?= /boot CFLAGS+= -ffreestanding LDFLAGS+= -nostdlib + +# No need for stack-smashing protection in sys/boot/. +SSP_CFLAGS= Index: sys/conf/NOTES =================================================================== RCS file: /mnt/space/freebsd-cvs/src/sys/conf/NOTES,v retrieving revision 1.1325.2.38 diff -u -p -r1.1325.2.38 NOTES --- sys/conf/NOTES 14 Sep 2007 22:44:37 -0000 1.1325.2.38 +++ sys/conf/NOTES 1 Mar 2008 21:25:33 -0000 @@ -1236,6 +1236,9 @@ options MSGBUF_SIZE=40960 # Maximum size of a tty or pty input buffer. options TTYHOG=8193 +# This option makes us compile in the symbols required by ProPolice/SSP. +options SSP_SUPPORT + ##################################################################### # HARDWARE DEVICE CONFIGURATION Index: sys/conf/files =================================================================== RCS file: /mnt/space/freebsd-cvs/src/sys/conf/files,v retrieving revision 1.1031.2.71 diff -u -p -r1.1031.2.71 files --- sys/conf/files 10 Feb 2008 16:02:50 -0000 1.1031.2.71 +++ sys/conf/files 1 Mar 2008 21:25:33 -0000 @@ -1465,6 +1465,7 @@ libkern/random.c standard libkern/rindex.c standard libkern/scanc.c standard libkern/skpc.c standard +libkern/stack_protector.c optional ssp_support libkern/strcasecmp.c standard libkern/strcat.c standard libkern/strcmp.c standard Index: sys/conf/kern.mk =================================================================== RCS file: /mnt/space/freebsd-cvs/src/sys/conf/kern.mk,v retrieving revision 1.45 diff -u -p -r1.45 kern.mk --- sys/conf/kern.mk 31 Mar 2005 22:53:58 -0000 1.45 +++ sys/conf/kern.mk 1 Mar 2008 21:25:33 -0000 @@ -33,6 +33,10 @@ CWARNFLAGS?= -Wall -Wredundant-decls -Wn CFLAGS+= -mno-align-long-strings -mpreferred-stack-boundary=2 \ -mno-mmx -mno-3dnow -mno-sse -mno-sse2 INLINE_LIMIT?= 8000 +. if defined(ENABLE_SSP) +SSP_CFLAGS?= -fstack-protector +CFLAGS+= ${SSP_CFLAGS} +. endif .endif # Index: sys/conf/options =================================================================== RCS file: /mnt/space/freebsd-cvs/src/sys/conf/options,v retrieving revision 1.510.2.23 diff -u -p -r1.510.2.23 options --- sys/conf/options 14 Sep 2007 22:44:37 -0000 1.510.2.23 +++ sys/conf/options 1 Mar 2008 21:25:33 -0000 @@ -162,6 +162,7 @@ VFS_AIO VERBOSE_SYSINIT opt_global.h WLCACHE opt_wavelan.h WLDEBUG opt_wavelan.h +SSP_SUPPORT opt_ssp.h # POSIX kernel options P1003_1B_SEMAPHORES opt_posix.h Index: sys/kern/kern_mib.c =================================================================== RCS file: /mnt/space/freebsd-cvs/src/sys/kern/kern_mib.c,v retrieving revision 1.74.2.2 diff -u -p -r1.74.2.2 kern_mib.c --- sys/kern/kern_mib.c 8 Oct 2005 07:06:49 -0000 1.74.2.2 +++ sys/kern/kern_mib.c 1 Mar 2008 21:25:33 -0000 @@ -150,6 +150,17 @@ SYSCTL_INT(_hw, HW_PAGESIZE, pagesize, C 0, PAGE_SIZE, "System memory page size"); static int +sysctl_kern_arnd(SYSCTL_HANDLER_ARGS) +{ + u_long val; + + val = arc4random(); + return (sysctl_handle_long(oidp, &val, 0, req)); +} + +SYSCTL_PROC(_kern, KERN_ARND, arandom, CTLFLAG_RD, 0, 0, sysctl_kern_arnd, "I", "arc4random"); + +static int sysctl_hw_physmem(SYSCTL_HANDLER_ARGS) { u_long val; Index: sys/libkern/stack_protector.c =================================================================== RCS file: sys/libkern/stack_protector.c diff -N sys/libkern/stack_protector.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ sys/libkern/stack_protector.c 1 Mar 2008 21:25:33 -0000 @@ -0,0 +1,42 @@ +/* + * Copyright (c) 2002 Hiroaki Etoh. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + */ + +/* We can't use because libkern is compiled in userland too. */ +void panic(const char *, ...); + +void __stack_smash_handler(int damaged, char func[]); + +/* force to place __guard in 16-byte boundary */ +char __guard[] __attribute__ ((aligned (16))) = "\0\0\n\377"; + +void +__stack_smash_handler(int damaged, char func[]) +{ + static char *message = "stack overflow in function %s.\n" ; + + panic(message, func); +} Index: sys/sys/sysctl.h =================================================================== RCS file: /mnt/space/freebsd-cvs/src/sys/sys/sysctl.h,v retrieving revision 1.138.2.3 diff -u -p -r1.138.2.3 sysctl.h --- sys/sys/sysctl.h 24 Jul 2006 17:34:12 -0000 1.138.2.3 +++ sys/sys/sysctl.h 1 Mar 2008 21:25:34 -0000 @@ -373,7 +373,8 @@ TAILQ_HEAD(sysctl_ctx_list, sysctl_ctx_e #define KERN_USRSTACK 33 /* int: address of USRSTACK */ #define KERN_LOGSIGEXIT 34 /* int: do we log sigexit procs? */ #define KERN_IOV_MAX 35 /* int: value of UIO_MAXIOV */ -#define KERN_MAXID 36 /* number of valid kern ids */ +#define KERN_ARND 36 /* int: from arc4random() */ +#define KERN_MAXID 37 /* number of valid kern ids */ #define CTL_KERN_NAMES { \ { 0, 0 }, \