This is a production release to fix three bugs, none of which
affects well formed scripts on FreeBSD:
The first bug is that bc/dc will exit on macOS when the terminal
is resized.
The second bug is that an array, which should only be a function
parameter, was accepted as part of larger expressions.
The third bug is that the value stack for dc was cleared on any error.
However, this is not how other dc behave. To bring dc more in line
with other implementations, this behavior was changed. This change is
why this version is a new major version.
(cherry picked from commit 54d20d67e2af28d948ce2df13feb039fa10900fc)
MFC after: 3 days
The definitions in _stdint.h has some complications around visibility
that _limits.h does not have. Switch to __SIZE_T_MAX to avoid those.
This fixes the devel/gperf, devel/glib20 and math/mpfr builds with
_FORTIFY_SOURCE enabled to unlock a large fraction of the ports tree to
build.
Reported by: Shawn Webb (HardenedBSD)
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
This mirrors ppoll's visibility in sys/poll.h and fixes a build issue
with some _POSIX_C_SOURCE requests due to missing the sigset_t typedef.
Reported by: eduardo
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
This was missed in b8730c11a3 ("include: ssp: fix the build [...]"),
but <ssp/wchar.h> also had a bare `inline` in use. Swap it over to
__ssp_inline as well.
Reported by: netchild
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
GCC emits a warning about shadowing a builtin with our mempcpy
declaration, so switch it to using the same model as memcpy() and
use the apparently-existing __builtin___mempcpy_chk().
Reviewed by: kib (earlier version), markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45976
`inline` isn't always a keyword, so we should be using __ssp_inline
as we do everywhere else in the _FORTIFY_SOURCE support. Variable
declarations in a loop initializer are also not always supported, so
declare any loop vars in advance.
Reviewed by: kib (earlier version), markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45976
The entire recv*() implementation set is ripe for opportunities to
validate, so do what we can with what we have.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45686
Check both the buffer size of the iov object itself, as well as that
of each indidvidually io base.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45684
That is to say, fortify getrandom(2).
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45683
This includes all of the w*() equivalents to str*()/mem*() implemented
in more or less the same way. For these ones, we'll just use
header-only implementations from the start to stop further cluttering
the libc symbol table.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45682
The immediately obvious and attractive targets from <stdlib.h> are
arc4random_buf(3) and realpath(3) -- scraping the header didn't reveal
much else of interest.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45681
For poll/ppoll we just need to bounds-check the poll array that we're
about to write out to.
Reviewed by: kib, markj (earlier version)
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45680
ssp/ssp.h needed some improvements:
- `len` isn't always a size_t, it may need casted
- In some cases we may want to use a len that isn't specified as a
parameter (e.g., L_ctermid), so __ssp_redirect() should be more
flexible.
- In other cases we may want additional checking, so pull all of the
declaration bits out of __ssp_redirect_raw() so that some functions
can implement the body themselves.
strlcat/strlcpy should be the last of the fortified functions that get
their own __*_chk symbols, and these cases are only done to be
consistent with the rest of the str*() set.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45679
Switch away from pointer arithmetic to provide more obvious semantics
for checking overlap on pointer ranges. This lets us remove some casts
that need not exist and removes some possible fragility in its use.
While we're here, check for overflow just in case; sometimes we use a
caller-supplied size if __builtin_object_size(3) can't deduce the buffer
size, and we should fail the check if the size is nonsensical for the
provided buffers.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
We'll be using it in some upcoming definitions in headers, so move it
back now but slap a warning on it. Our upcoming uses will all be inside
of inline functions, so we're not overly concerned about double
evaluation immediately.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45677
TinyC doesn't support the .symver assembler directive. Add a generic way
to signal this and use that not to define __sym_() macros that use
it. Only use the __sym_* macros in headers when they are defined (which
currently is only for the qsort_r compat code. Not supporting this for
tcc is fine: It's an edge case for legacy binaries / code anyway which
isn't relevant to tinyc.
Sponsored by: Netflix
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D45651
This non-standard type is unused in the base system (__ct_rune_t or
__rune_t are used instead) and ports. It has been around as long as our
current source repo, but we have avoided using it. In sys/_types.h
where the __*rune_t typedefs are defined, the following appears in a
comment:
NOTE: rune_t is not covered by ANSI nor other standards, and should
not be instantiated outside of lib/libc/locale. Use wchar_t.
The definition of this unused type meant we gratutiously differed from
standards compliant stddef.h/stdlib.h.
PR: 279357 (exp-run by antoine)
Reviewed by: imp, emaste
Differential Revision: https://reviews.freebsd.org/D45426
It's a stupid warning, but some ports enable it by default and were
already defining _FORTIFY_SOURCE, thus exposing the new macros
immediately. This at least fixes the libfido2 build, perhaps others as
well.
While we're here, fix a fresh build of stand w/ FORTIFY_SOURCE enabled
by not pulling in the ssp headers if _STANDALONE is defined. We do not
have runtime support in libsa as of the time of writing.
Reported by: netchild
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Most of these were fixed when rebasing the patch forward, but this one
seems to have been missed.
Reported by: marck
Fixes: be04fec426 ("Import _FORTIFY_SOURCE implementation [...]")
In the future, we will Default to _FORTIFY_SOURCE=2 if SSP is enabled,
otherwise default to _FORTIFY_SOURCE=0. For now we default it to 0
unconditionally to ease bisect across older versions without the new
symbols, and we'll put out a call for testing.
include/*.h include their ssp/*.h equivalents as needed based on the
knob. Programs and users are allowed to override FORTIFY_SOURCE in their
Makefiles or src.conf/make.conf to force it off.
Reviewed by: des, markj
Relnotes: yes
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D32308
Notably:
- libc needs to #undef some of the macros from ssp/* for underlying
implementations
- ssp/* wants a __RENAME() macro (snatched more or less from NetBSD)
There's some extra hinkiness included for read(), since libc spells it
as "_read" while the rest of the world spells it "read."
Reviewed by: imp, ngie
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D32307
This is a mostly-unmodified copy of the various *_chk implementations
and headers from NetBSD, without yet modifying system headers to start
actually including them. A future commit will also apply the needed
bits to fix ssp/unistd.h.
Reviewed by: imp, pauamma_gundo.com (both previous versions), kib
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D32306
<sysexits.h> was deprecated in the base system in a1432b4 for FreeBSD
8.0 and is retained only for backwards compatibility. Make that clear,
since sysexits(3) suggested using it since it was in style(9) prior
to this.
MFC after: 1 week
Co-authored-by: imp
Fixes: a1432b4
Reviewed by: imp, pauamma (previous version)
Pull Request https://github.com/freebsd/freebsd-src/pull/1195
The Draft Posix Issue 8 standard requires that these be defined. Define
them in the usual way that lets multiple headers define them. Opted to
not just use #include <stdint.h>, allowed by the draft, to be
conservative. Add notes about how we comply with Issue 8, and that we've
opted to define these only as macros, though the standard allows
functions, macros or both.
Sponsored by: Netflix
There is a conflict between bsm/audit.h and security/audit/audit.h due
to the way that staging is being set up using .PATH to point to the
full directory and the leaf files being specified in the list. Due to
this, the bsm/audit.h was getting staged as both bsm/audit.h and
security/audit/audit.h since the sys/bsm directory is listed first in
the .PATH list.
Use sys/security in the .PATH instead of sys/security/audit and specify
the audit header files as audit/<name>.h. This ensures that we get the
correct audit.h stanged for security/audit/audit.h.
Reviewed by: sjg
Obtained from: Juniper Networks, Inc.
The old timezone(3) function has long since been obsolete and has a
fatally flawed interface. Retain this function for compatibility
purposes, but shift to providing the offset from UTC in the timezone
variable, whether or not the timezone observes summer time in the
'daylight' variable. Document the tzname variable that's already been
set. Also make _tztab() static. It's not used in libc (or anywhere in
the tree) and it's not exported as a public dynamic symbol.
Sponsored by: Netflix
Reviewed by: brooks, kib
Differential Revision: https://reviews.freebsd.org/D44281
similar to Apple _POSIX_SPAWN_DISABLE_ASLR
Reviewed by: emaste, kevans
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D44195
quick_exit() can call other functions, and we don't guarantee it calls
std::terminate should those other functions throw exceptions. And to
make it do so has ABI complications for libc. Until that's sorted out,
revert this noexcept (but leave a comment behind so people will find
this commit message)
Requested by: kib
Sponsored by: Netflix
The noexcept specifier is required on these functions in C++:
_Exit(), atexit(), quick_exit(), at_quick_exit(), abort().
MFC after: 2 weeks
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1085
Unlike Linux, we do provide libc wrapper. All definitions and
prototypes are available from <unistd.h>
Tested by: manu
Reviewed by: brooks, markj
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D43518
Add a required include to resolv.h for sockaddr_in. This should reduce
patching required when porting code written with Linux or NetBSD in mind.
PR: 182466
MFC after: 1 week
We already implemented execvpe internally with an _ prefix in libc so
go ahead and expose it for compatibility with Linux.
This reverts c605eea952.
Bump __FreeBSD_version for the addition and add definitions to supress
compat shims in libzfs (zfs changes were merged from upstream).
PR: 275370 (request and exp-run (thanks antoine!))
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D42846
Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.
Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/
Sponsored by: Netflix
For the uncommon items: Go through the tree and remove sccs tags that
didn't fit any nice pattern. If in the neighborhood, other SCM tags were
removed when they were detritis of long-ago CVS somehow in the early
mists of the project. Some adjacent copyrights stringswere removed (they
duplicated the copyright notices in the file). This also removed
non-standard formations of omission of SCCS tags (usually by adding an
extra #if 0 somewhere.
After this commit, a number of strings tagged with the 'what' @(#)
prefix remain, but they are primarily copyright notices.
Sponsored by: Netflix
Remove ancient SCCS tags from the tree, automated scripting, with two
minor fixup to keep things compiling. All the common forms in the tree
were removed with a perl script.
Sponsored by: Netflix
This saves oodles of memory, especially when "ulimit -n" is large. It
also prevents a buffer overflow if getrlimit should fail.
Also replace per-fd condvars with mutexes to simplify the code.
PR: 274968
MFC after: 2 weeks
Sponsored by: Axcient
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D42597
