mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-11-13 05:41:26 +01:00
include: ssp: fortify <stdlib.h>
The immediately obvious and attractive targets from <stdlib.h> are arc4random_buf(3) and realpath(3) -- scraping the header didn't reveal much else of interest. Reviewed by: markj Sponsored by: Klara, Inc. Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D45681
This commit is contained in:
parent
88276dfbf1
commit
d0b7445904
@ -1,4 +1,4 @@
|
||||
INCS= poll.h ssp.h stdio.h string.h strings.h unistd.h
|
||||
INCS= poll.h ssp.h stdio.h stdlib.h string.h strings.h unistd.h
|
||||
INCSDIR= ${INCLUDEDIR}/ssp
|
||||
|
||||
.include <bsd.prog.mk>
|
||||
|
53
include/ssp/stdlib.h
Normal file
53
include/ssp/stdlib.h
Normal file
@ -0,0 +1,53 @@
|
||||
/*-
|
||||
* SPDX-License-Identifier: BSD-2-Clause
|
||||
*
|
||||
* Copyright (c) 2024, Klara, Inc.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
||||
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
||||
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
||||
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
* POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
#ifndef _SSP_STDLIB_H_
|
||||
#define _SSP_STDLIB_H_
|
||||
|
||||
#include <ssp/ssp.h>
|
||||
|
||||
#if __SSP_FORTIFY_LEVEL > 0
|
||||
|
||||
#include <limits.h>
|
||||
|
||||
__BEGIN_DECLS
|
||||
|
||||
__ssp_redirect(void, arc4random_buf, (void *__buf, size_t __len),
|
||||
(__buf, __len));
|
||||
|
||||
__ssp_redirect_raw_impl(char *, realpath, realpath,
|
||||
(const char *__restrict path, char *__restrict buf))
|
||||
{
|
||||
if (__ssp_bos(buf) < PATH_MAX)
|
||||
__chk_fail();
|
||||
|
||||
return (__ssp_real(realpath)(path, buf));
|
||||
}
|
||||
|
||||
__END_DECLS
|
||||
|
||||
#endif /* __SSP_FORTIFY_LEVEL > 0 */
|
||||
#endif /* _SSP_STDLIB_H_ */
|
@ -69,6 +69,10 @@ typedef struct {
|
||||
*/
|
||||
#define RAND_MAX 0x7fffffff
|
||||
|
||||
#if !defined(_STANDALONE) && defined(_FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0
|
||||
#include <ssp/stdlib.h>
|
||||
#endif
|
||||
|
||||
__BEGIN_DECLS
|
||||
#ifdef _XLOCALE_H_
|
||||
#include <xlocale/_stdlib.h>
|
||||
|
@ -35,6 +35,7 @@
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <ssp/ssp.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/time.h>
|
||||
|
||||
@ -243,7 +244,7 @@ arc4random(void)
|
||||
}
|
||||
|
||||
void
|
||||
arc4random_buf(void *buf, size_t n)
|
||||
__ssp_real(arc4random_buf)(void *buf, size_t n)
|
||||
{
|
||||
_ARC4_LOCK();
|
||||
_rs_random_buf(buf, n);
|
||||
|
@ -37,6 +37,7 @@
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <fcntl.h>
|
||||
#include <ssp/ssp.h>
|
||||
#include "un-namespace.h"
|
||||
#include "libc_private.h"
|
||||
|
||||
@ -203,7 +204,7 @@ realpath1(const char *path, char *resolved)
|
||||
}
|
||||
|
||||
char *
|
||||
realpath(const char * __restrict path, char * __restrict resolved)
|
||||
__ssp_real(realpath)(const char * __restrict path, char * __restrict resolved)
|
||||
{
|
||||
char *m, *res;
|
||||
|
||||
|
@ -3,6 +3,7 @@
|
||||
TESTSDIR:= ${TESTSBASE}/${RELDIR:C/libc\/tests/libc/}
|
||||
|
||||
FORTIFY_TCATS+= poll
|
||||
FORTIFY_TCATS+= stdlib
|
||||
FORTIFY_TCATS+= stdio
|
||||
FORTIFY_TCATS+= string
|
||||
FORTIFY_TCATS+= strings
|
||||
|
383
lib/libc/tests/secure/fortify_stdlib_test.c
Normal file
383
lib/libc/tests/secure/fortify_stdlib_test.c
Normal file
@ -0,0 +1,383 @@
|
||||
/* @generated by `generate-fortify-tests.lua "stdlib"` */
|
||||
|
||||
#define _FORTIFY_SOURCE 2
|
||||
#define TMPFILE_SIZE (1024 * 32)
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/resource.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/wait.h>
|
||||
#include <dirent.h>
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <limits.h>
|
||||
#include <poll.h>
|
||||
#include <signal.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <strings.h>
|
||||
#include <sysexits.h>
|
||||
#include <unistd.h>
|
||||
#include <atf-c.h>
|
||||
|
||||
static FILE * __unused
|
||||
new_fp(size_t __len)
|
||||
{
|
||||
static char fpbuf[LINE_MAX];
|
||||
FILE *fp;
|
||||
|
||||
ATF_REQUIRE(__len <= sizeof(fpbuf));
|
||||
|
||||
memset(fpbuf, 'A', sizeof(fpbuf) - 1);
|
||||
fpbuf[sizeof(fpbuf) - 1] = '\0';
|
||||
|
||||
fp = fmemopen(fpbuf, sizeof(fpbuf), "rb");
|
||||
ATF_REQUIRE(fp != NULL);
|
||||
|
||||
return (fp);
|
||||
}
|
||||
|
||||
/*
|
||||
* Create a new symlink to use for readlink(2) style tests, we'll just use a
|
||||
* random target name to have something interesting to look at.
|
||||
*/
|
||||
static const char * __unused
|
||||
new_symlink(size_t __len)
|
||||
{
|
||||
static const char linkname[] = "link";
|
||||
char target[MAXNAMLEN];
|
||||
int error;
|
||||
|
||||
ATF_REQUIRE(__len <= sizeof(target));
|
||||
|
||||
arc4random_buf(target, sizeof(target));
|
||||
|
||||
error = unlink(linkname);
|
||||
ATF_REQUIRE(error == 0 || errno == ENOENT);
|
||||
|
||||
error = symlink(target, linkname);
|
||||
ATF_REQUIRE(error == 0);
|
||||
|
||||
return (linkname);
|
||||
}
|
||||
|
||||
/*
|
||||
* Constructs a tmpfile that we can use for testing read(2) and friends.
|
||||
*/
|
||||
static int __unused
|
||||
new_tmpfile(void)
|
||||
{
|
||||
char buf[1024];
|
||||
ssize_t rv;
|
||||
size_t written;
|
||||
int fd;
|
||||
|
||||
fd = open("tmpfile", O_RDWR | O_CREAT | O_TRUNC, 0644);
|
||||
ATF_REQUIRE(fd >= 0);
|
||||
|
||||
written = 0;
|
||||
while (written < TMPFILE_SIZE) {
|
||||
rv = write(fd, buf, sizeof(buf));
|
||||
ATF_REQUIRE(rv > 0);
|
||||
|
||||
written += rv;
|
||||
}
|
||||
|
||||
ATF_REQUIRE_EQ(0, lseek(fd, 0, SEEK_SET));
|
||||
return (fd);
|
||||
}
|
||||
|
||||
static void
|
||||
disable_coredumps(void)
|
||||
{
|
||||
struct rlimit rl = { 0 };
|
||||
|
||||
if (setrlimit(RLIMIT_CORE, &rl) == -1)
|
||||
_exit(EX_OSERR);
|
||||
}
|
||||
|
||||
/*
|
||||
* Replaces stdin with a file that we can actually read from, for tests where
|
||||
* we want a FILE * or fd that we can get data from.
|
||||
*/
|
||||
static void __unused
|
||||
replace_stdin(void)
|
||||
{
|
||||
int fd;
|
||||
|
||||
fd = new_tmpfile();
|
||||
|
||||
(void)dup2(fd, STDIN_FILENO);
|
||||
if (fd != STDIN_FILENO)
|
||||
close(fd);
|
||||
}
|
||||
|
||||
ATF_TC_WITHOUT_HEAD(arc4random_buf_before_end);
|
||||
ATF_TC_BODY(arc4random_buf_before_end, tc)
|
||||
{
|
||||
#define BUF &__stack.__buf
|
||||
struct {
|
||||
uint8_t padding_l;
|
||||
unsigned char __buf[42];
|
||||
uint8_t padding_r;
|
||||
} __stack;
|
||||
const size_t __bufsz __unused = sizeof(__stack.__buf);
|
||||
const size_t __len = 42 - 1;
|
||||
const size_t __idx __unused = __len - 1;
|
||||
|
||||
arc4random_buf(__stack.__buf, __len);
|
||||
#undef BUF
|
||||
|
||||
}
|
||||
|
||||
ATF_TC_WITHOUT_HEAD(arc4random_buf_end);
|
||||
ATF_TC_BODY(arc4random_buf_end, tc)
|
||||
{
|
||||
#define BUF &__stack.__buf
|
||||
struct {
|
||||
uint8_t padding_l;
|
||||
unsigned char __buf[42];
|
||||
uint8_t padding_r;
|
||||
} __stack;
|
||||
const size_t __bufsz __unused = sizeof(__stack.__buf);
|
||||
const size_t __len = 42;
|
||||
const size_t __idx __unused = __len - 1;
|
||||
|
||||
arc4random_buf(__stack.__buf, __len);
|
||||
#undef BUF
|
||||
|
||||
}
|
||||
|
||||
ATF_TC_WITHOUT_HEAD(arc4random_buf_heap_before_end);
|
||||
ATF_TC_BODY(arc4random_buf_heap_before_end, tc)
|
||||
{
|
||||
#define BUF __stack.__buf
|
||||
struct {
|
||||
uint8_t padding_l;
|
||||
unsigned char * __buf;
|
||||
uint8_t padding_r;
|
||||
} __stack;
|
||||
const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
|
||||
const size_t __len = 42 - 1;
|
||||
const size_t __idx __unused = __len - 1;
|
||||
|
||||
__stack.__buf = malloc(__bufsz);
|
||||
|
||||
arc4random_buf(__stack.__buf, __len);
|
||||
#undef BUF
|
||||
|
||||
}
|
||||
|
||||
ATF_TC_WITHOUT_HEAD(arc4random_buf_heap_end);
|
||||
ATF_TC_BODY(arc4random_buf_heap_end, tc)
|
||||
{
|
||||
#define BUF __stack.__buf
|
||||
struct {
|
||||
uint8_t padding_l;
|
||||
unsigned char * __buf;
|
||||
uint8_t padding_r;
|
||||
} __stack;
|
||||
const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
|
||||
const size_t __len = 42;
|
||||
const size_t __idx __unused = __len - 1;
|
||||
|
||||
__stack.__buf = malloc(__bufsz);
|
||||
|
||||
arc4random_buf(__stack.__buf, __len);
|
||||
#undef BUF
|
||||
|
||||
}
|
||||
|
||||
ATF_TC_WITHOUT_HEAD(arc4random_buf_heap_after_end);
|
||||
ATF_TC_BODY(arc4random_buf_heap_after_end, tc)
|
||||
{
|
||||
#define BUF __stack.__buf
|
||||
struct {
|
||||
uint8_t padding_l;
|
||||
unsigned char * __buf;
|
||||
uint8_t padding_r;
|
||||
} __stack;
|
||||
const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
|
||||
const size_t __len = 42 + 1;
|
||||
const size_t __idx __unused = __len - 1;
|
||||
pid_t __child;
|
||||
int __status;
|
||||
|
||||
__child = fork();
|
||||
ATF_REQUIRE(__child >= 0);
|
||||
if (__child > 0)
|
||||
goto monitor;
|
||||
|
||||
/* Child */
|
||||
disable_coredumps();
|
||||
__stack.__buf = malloc(__bufsz);
|
||||
|
||||
arc4random_buf(__stack.__buf, __len);
|
||||
_exit(EX_SOFTWARE); /* Should have aborted. */
|
||||
|
||||
monitor:
|
||||
while (waitpid(__child, &__status, 0) != __child) {
|
||||
ATF_REQUIRE_EQ(EINTR, errno);
|
||||
}
|
||||
|
||||
if (!WIFSIGNALED(__status)) {
|
||||
switch (WEXITSTATUS(__status)) {
|
||||
case EX_SOFTWARE:
|
||||
atf_tc_fail("FORTIFY_SOURCE failed to abort");
|
||||
break;
|
||||
case EX_OSERR:
|
||||
atf_tc_fail("setrlimit(2) failed");
|
||||
break;
|
||||
default:
|
||||
atf_tc_fail("child exited with status %d",
|
||||
WEXITSTATUS(__status));
|
||||
}
|
||||
} else {
|
||||
ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
|
||||
}
|
||||
#undef BUF
|
||||
|
||||
}
|
||||
|
||||
ATF_TC_WITHOUT_HEAD(realpath_before_end);
|
||||
ATF_TC_BODY(realpath_before_end, tc)
|
||||
{
|
||||
#define BUF &__stack.__buf
|
||||
struct {
|
||||
uint8_t padding_l;
|
||||
unsigned char __buf[PATH_MAX + 1];
|
||||
uint8_t padding_r;
|
||||
} __stack;
|
||||
const size_t __bufsz __unused = sizeof(__stack.__buf);
|
||||
const size_t __len = PATH_MAX + 1;
|
||||
const size_t __idx __unused = __len - 1;
|
||||
|
||||
realpath(".", __stack.__buf);
|
||||
#undef BUF
|
||||
|
||||
}
|
||||
|
||||
ATF_TC_WITHOUT_HEAD(realpath_end);
|
||||
ATF_TC_BODY(realpath_end, tc)
|
||||
{
|
||||
#define BUF &__stack.__buf
|
||||
struct {
|
||||
uint8_t padding_l;
|
||||
unsigned char __buf[PATH_MAX];
|
||||
uint8_t padding_r;
|
||||
} __stack;
|
||||
const size_t __bufsz __unused = sizeof(__stack.__buf);
|
||||
const size_t __len = PATH_MAX;
|
||||
const size_t __idx __unused = __len - 1;
|
||||
|
||||
realpath(".", __stack.__buf);
|
||||
#undef BUF
|
||||
|
||||
}
|
||||
|
||||
ATF_TC_WITHOUT_HEAD(realpath_heap_before_end);
|
||||
ATF_TC_BODY(realpath_heap_before_end, tc)
|
||||
{
|
||||
#define BUF __stack.__buf
|
||||
struct {
|
||||
uint8_t padding_l;
|
||||
unsigned char * __buf;
|
||||
uint8_t padding_r;
|
||||
} __stack;
|
||||
const size_t __bufsz __unused = sizeof(*__stack.__buf) * (PATH_MAX + 1);
|
||||
const size_t __len = PATH_MAX + 1;
|
||||
const size_t __idx __unused = __len - 1;
|
||||
|
||||
__stack.__buf = malloc(__bufsz);
|
||||
|
||||
realpath(".", __stack.__buf);
|
||||
#undef BUF
|
||||
|
||||
}
|
||||
|
||||
ATF_TC_WITHOUT_HEAD(realpath_heap_end);
|
||||
ATF_TC_BODY(realpath_heap_end, tc)
|
||||
{
|
||||
#define BUF __stack.__buf
|
||||
struct {
|
||||
uint8_t padding_l;
|
||||
unsigned char * __buf;
|
||||
uint8_t padding_r;
|
||||
} __stack;
|
||||
const size_t __bufsz __unused = sizeof(*__stack.__buf) * (PATH_MAX);
|
||||
const size_t __len = PATH_MAX;
|
||||
const size_t __idx __unused = __len - 1;
|
||||
|
||||
__stack.__buf = malloc(__bufsz);
|
||||
|
||||
realpath(".", __stack.__buf);
|
||||
#undef BUF
|
||||
|
||||
}
|
||||
|
||||
ATF_TC_WITHOUT_HEAD(realpath_heap_after_end);
|
||||
ATF_TC_BODY(realpath_heap_after_end, tc)
|
||||
{
|
||||
#define BUF __stack.__buf
|
||||
struct {
|
||||
uint8_t padding_l;
|
||||
unsigned char * __buf;
|
||||
uint8_t padding_r;
|
||||
} __stack;
|
||||
const size_t __bufsz __unused = sizeof(*__stack.__buf) * (PATH_MAX - 1);
|
||||
const size_t __len = PATH_MAX - 1;
|
||||
const size_t __idx __unused = __len - 1;
|
||||
pid_t __child;
|
||||
int __status;
|
||||
|
||||
__child = fork();
|
||||
ATF_REQUIRE(__child >= 0);
|
||||
if (__child > 0)
|
||||
goto monitor;
|
||||
|
||||
/* Child */
|
||||
disable_coredumps();
|
||||
__stack.__buf = malloc(__bufsz);
|
||||
|
||||
realpath(".", __stack.__buf);
|
||||
_exit(EX_SOFTWARE); /* Should have aborted. */
|
||||
|
||||
monitor:
|
||||
while (waitpid(__child, &__status, 0) != __child) {
|
||||
ATF_REQUIRE_EQ(EINTR, errno);
|
||||
}
|
||||
|
||||
if (!WIFSIGNALED(__status)) {
|
||||
switch (WEXITSTATUS(__status)) {
|
||||
case EX_SOFTWARE:
|
||||
atf_tc_fail("FORTIFY_SOURCE failed to abort");
|
||||
break;
|
||||
case EX_OSERR:
|
||||
atf_tc_fail("setrlimit(2) failed");
|
||||
break;
|
||||
default:
|
||||
atf_tc_fail("child exited with status %d",
|
||||
WEXITSTATUS(__status));
|
||||
}
|
||||
} else {
|
||||
ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
|
||||
}
|
||||
#undef BUF
|
||||
|
||||
}
|
||||
|
||||
ATF_TP_ADD_TCS(tp)
|
||||
{
|
||||
ATF_TP_ADD_TC(tp, arc4random_buf_before_end);
|
||||
ATF_TP_ADD_TC(tp, arc4random_buf_end);
|
||||
ATF_TP_ADD_TC(tp, arc4random_buf_heap_before_end);
|
||||
ATF_TP_ADD_TC(tp, arc4random_buf_heap_end);
|
||||
ATF_TP_ADD_TC(tp, arc4random_buf_heap_after_end);
|
||||
ATF_TP_ADD_TC(tp, realpath_before_end);
|
||||
ATF_TP_ADD_TC(tp, realpath_end);
|
||||
ATF_TP_ADD_TC(tp, realpath_heap_before_end);
|
||||
ATF_TP_ADD_TC(tp, realpath_heap_end);
|
||||
ATF_TP_ADD_TC(tp, realpath_heap_after_end);
|
||||
return (atf_no_error());
|
||||
}
|
@ -262,6 +262,26 @@ local all_tests = {
|
||||
]],
|
||||
},
|
||||
},
|
||||
stdlib = {
|
||||
-- <stdlib.h>
|
||||
{
|
||||
func = "arc4random_buf",
|
||||
arguments = {
|
||||
"__buf",
|
||||
"__len",
|
||||
},
|
||||
exclude = excludes_stack_overflow,
|
||||
},
|
||||
{
|
||||
func = "realpath",
|
||||
bufsize = "PATH_MAX",
|
||||
arguments = {
|
||||
"\".\"",
|
||||
"__buf",
|
||||
},
|
||||
exclude = excludes_stack_overflow,
|
||||
},
|
||||
},
|
||||
string = {
|
||||
-- <string.h>
|
||||
{
|
||||
|
Loading…
Reference in New Issue
Block a user