Re: Initial implementation of _FORTIFY_SOURCE

From: Tomoaki AOKI <junchoon_at_dec.sakura.ne.jp>
Date: Mon, 13 May 2024 23:05:17 UTC
On Mon, 13 May 2024 18:57:26 +0000
Shawn Webb <shawn.webb@hardenedbsd.org> wrote:

> On Mon, May 13, 2024 at 11:09:24AM -0700, Cy Schubert wrote:
> > In message <f8000e6b-226b-45f3-a751-aca790f4f8c8@FreeBSD.org>, Kyle Evans writes:
> > > Hi,
> > >
> > > As of 9bfd3b407 ("Add a build knob for _FORTIFY_SOURCE"), I've imported 
> > > an initial version of FORTIFY_SOURCE from FreeBSD.  FORTIFY_SOURCE is an 
> > > improvement over classical SSP, doing compiler-aided checking of stack 
> > > object sizes to detect more fine-grained stack overflow without relying 
> > > on the randomized stack canary just past the stack frame.
> > >
> > > This implementation is not yet complete, but we've done a review of 
> > > useful functions and syscalls to add checked variants of and intend to 
> > > complete the implementation over the next month or so.
> > >
> > > Please test _FORTIFY_SOURCE out now by setting FORTIFY_SOURCE=2 in the 
> > > buildworld env -- I intend to flip the default to 2 when WITH_SSP is set 
> > > in the next month if nobody complains about serious breakage.  I've 
> > > personally been rolling with FORTIFY_SOURCE=2 for the last three years 
> > > that this has been sitting in a local branch, so I don't really 
> > > anticipate any super-fundamental breakage.
> > 
> > Should this trigger a __FreeBSD_version bump?
> 
> I would encourage that so to help the ports tree determine
> availability of the import.

If it can be enabled/disabled with sysctls/tunables at runtime/boot time,
a bump should be preferred. Maybe this isn't yet the case here, IIUC.

But if it can only be done at build time with a WITH_ or WITHOUT_ knob
and is not yet enabled by default for now, now isn't the time to bump.
The bump should be done when it becomes built by default.

A bump for a non-default build-time knob would force massive unneeded
rebuilds on poudriere[-devel] users. So it should be avoided, if it still
cannot be switched at boot or runtime.


> Additionally, I've enabled _FORTIFY_SOURCE in HardenedBSD base[1] and
> ports[2]. For base, it's only set (and to 2 by default) when MK_SSP is
> set to yes. In ports, it's set by default except for ports that have
> "kmod" in their USES.
> 
> Are there any plans to support _FORTIFY_SOURCE in the kernel?
> 
> [1]:
> https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/927fd28755da27c5dd2b1b0d0396c93db585f933
> [2]:
> https://git.hardenedbsd.org/hardenedbsd/ports/-/commit/3d7dcd284ce3083103edd6b28b3d232abbfeaa63
> 
> Thanks,
> 
> -- 
> Shawn Webb
> Cofounder / Security Engineer
> HardenedBSD
> 
> Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
> https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc


-- 
Tomoaki AOKI    <junchoon@dec.sakura.ne.jp>
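The mechanism Kyle describes above (compiler-aided checking of object sizes at the call site, as opposed to SSP's canary placed past the frame) is easiest to see in a small model. The following is an added, constructed C illustration written for this thread; it is not the FreeBSD or HardenedBSD implementation, and the names `checked_memcpy`, `checked_memcpy_impl` and `fortify_demo_*` are hypothetical. It uses `__builtin_object_size`, which both GCC and Clang provide, and returns a status instead of aborting so the outcome can be inspected; a real fortified libc calls a fail routine and terminates the process.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the FORTIFY_SOURCE idea (not FreeBSD's code): the
 * compiler reports the size of the destination object at the call site via
 * __builtin_object_size(), and a wrapper compares it with the requested copy
 * length before any byte is written. Real implementations abort the process;
 * this demo returns a status so the result can be checked. */

#define OBJSZ_UNKNOWN ((size_t)-1)

/* Returns 0 when the copy fits (or the size is unknown and cannot be checked),
 * 1 when the copy would overflow the destination and was refused. */
static inline int
checked_memcpy_impl(void *dst, size_t dst_sz, const void *src, size_t n)
{
    if (dst_sz != OBJSZ_UNKNOWN && n > dst_sz)
        return 1;               /* overflow detected, nothing written */
    memcpy(dst, src, n);
    return 0;
}

/* Macro so that __builtin_object_size() sees the caller's object, the same
 * trick fortified libc headers use. Mode 1 gives the size of the closest
 * enclosing subobject, so struct members are checked individually. */
#define checked_memcpy(dst, src, n) \
    checked_memcpy_impl((dst), __builtin_object_size((dst), 1), (src), (n))

struct record {
    char name[8];
    char tag[8];
};

/* Copy fits: 8 bytes into an 8-byte stack buffer. Expected status: 0. */
int fortify_demo_fits(void)
{
    char buf[8];
    static const char src[8] = "0123456";   /* constructed input */
    return checked_memcpy(buf, src, sizeof src);
}

/* 16 bytes into an 8-byte buffer: refused at the call, before the frame is
 * touched. Classic SSP would only notice once the canary past the frame was
 * overwritten, and only on function return. Expected status: 1. */
int fortify_demo_overflow(void)
{
    char buf[8];
    static const char src[16] = "0123456789abcde";
    return checked_memcpy(buf, src, sizeof src);
}

/* Mode 1 also catches an overflow that never leaves the enclosing struct:
 * 12 bytes into rec.name would spill into rec.tag, which a canary cannot
 * see at all. Expected status: 1. */
int fortify_demo_subobject(void)
{
    struct record rec;
    static const char src[12] = "0123456789a";
    return checked_memcpy(rec.name, src, sizeof src);
}

/* Pointer whose pointee size the compiler cannot see at this call site:
 * __builtin_object_size yields (size_t)-1 and the copy is left unchecked,
 * which is why FORTIFY_SOURCE complements rather than replaces SSP. */
int fortify_demo_unknown(char *dst, const char *src, size_t n)
{
    return checked_memcpy(dst, src, n);
}

int main(void)
{
    char scratch[4];

    printf("fits:      %d\n", fortify_demo_fits());
    printf("overflow:  %d\n", fortify_demo_overflow());
    printf("subobject: %d\n", fortify_demo_subobject());
    printf("unknown:   %d\n", fortify_demo_unknown(scratch, "ab", 2));
    return 0;
}
```

The last case is the important caveat for anyone evaluating the knob: the check only fires where the compiler can prove the destination's size at the call site, so code passing buffers through opaque pointers gets no additional protection and still relies on the canary.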