Diffstat (limited to 'lib/libssp')
-rw-r--r--lib/libssp/Makefile21
-rw-r--r--lib/libssp/Makefile.depend17
-rw-r--r--lib/libssp/Symbol.map11
-rw-r--r--lib/libssp/Versions.def5
-rw-r--r--lib/libssp/__builtin_object_size.3110
-rw-r--r--lib/libssp/fortify_stubs.c132
-rw-r--r--lib/libssp/ssp.3128
7 files changed, 283 insertions, 141 deletions
diff --git a/lib/libssp/Makefile b/lib/libssp/Makefile
index b5e2841ba391..d4038b705acb 100644
--- a/lib/libssp/Makefile
+++ b/lib/libssp/Makefile
@@ -1,9 +1,24 @@
-
PACKAGE= clibs
SHLIBDIR?= /lib
SHLIB= ssp
SHLIB_MAJOR= 0
+SSP_SRCS= fgets_chk.c memcpy_chk.c memmove_chk.c memset_chk.c \
+ snprintf_chk.c sprintf_chk.c stpcpy_chk.c stpncpy_chk.c \
+ strcat_chk.c strcpy_chk.c strncat_chk.c strncpy_chk.c \
+ vsnprintf_chk.c vsprintf_chk.c
+
+.for i in ${SSP_SRCS}
+SRCS+=${i}
+.endfor
+
+CFLAGS.snprintf_chk.c+= -Wno-unused-parameter
+CFLAGS.sprintf_chk.c+= -Wno-unused-parameter
+CFLAGS.vsnprintf_chk.c+= -Wno-unused-parameter
+CFLAGS.vsprintf_chk.c+= -Wno-unused-parameter
+
+MAN+= ssp.3 __builtin_object_size.3
+
VERSION_DEF= ${.CURDIR}/Versions.def
SYMBOL_MAPS= ${.CURDIR}/Symbol.map
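Review bot: The four `CFLAGS.<file>_chk.c+= -Wno-unused-parameter` lines silence the warning for every parameter in those files, and in a bounds-checking wrapper an unused destination-size argument would mean the check itself is missing. The `_chk` sources are not shown on this page, so which parameter is unused is an assumption. If it is only the `flag` argument seen in the removed stub prototypes, annotating that one parameter in the source (for example `int flag __unused`) would keep the warning live for the size arguments. As a smaller style point, the `.for` loop can be written as `SRCS+= ${SSP_SRCS}`.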
@@ -12,9 +27,7 @@ CFLAGS+= -I${SRCTOP}/lib/libc/include
# _elf_aux_info is exported from libc as elf_aux_info(3), so just that for the
# libssp build instead.
CFLAGS+= -D_elf_aux_info=elf_aux_info
-SRCS= stack_protector.c fortify_stubs.c
-
-CFLAGS.fortify_stubs.c= -Wno-unused-parameter
+SRCS+= libc_stack_protector.c
# Stack protection on libssp symbols should be considered harmful, as we may
# be talking about, for example, the guard setup constructor.
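Review bot: Nothing visible in this hunk keeps `_FORTIFY_SOURCE` undefined while libssp's own objects are built, and the sources now feeding `SRCS` are the implementations that the fortified headers redirect to. If a build defines `_FORTIFY_SOURCE` globally, a call such as `memcpy` inside a `_chk` implementation could be rewritten to call the checked symbol again; whether the sources already guard against this cannot be seen from here. Consider making it explicit next to the stack-protector comment, e.g. `CFLAGS+= -U_FORTIFY_SOURCE` preceded by `# The _chk implementations must not be fortified themselves.` The Makefile continues past the end of this hunk, so the setting may already exist below.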
diff --git a/lib/libssp/Makefile.depend b/lib/libssp/Makefile.depend
index e69de29bb2d1..9e22de8ed182 100644
--- a/lib/libssp/Makefile.depend
+++ b/lib/libssp/Makefile.depend
@@ -0,0 +1,17 @@
+# Autogenerated - do NOT edit!
+
+DIRDEPS = \
+ include \
+ include/ssp \
+ include/xlocale \
+ lib/${CSU_DIR} \
+ lib/libc \
+ lib/libcompiler_rt \
+ lib/libsys \
+
+
+.include <dirdeps.mk>
+
+.if ${DEP_RELDIR} == ${_DEP_RELDIR}
+# local dependencies - needed for -jN in clean tree
+.endif
diff --git a/lib/libssp/Symbol.map b/lib/libssp/Symbol.map
index 5c2e089c6ab8..e401bf9293e2 100644
--- a/lib/libssp/Symbol.map
+++ b/lib/libssp/Symbol.map
@@ -6,11 +6,6 @@ LIBSSP_1.0 {
__stack_chk_fail;
__stack_chk_guard;
- /*
- * Currently unsupported: _FORTIFY_SOURCE symbols. It is believed
- * that these have never been used on FreeBSD, as our headers lack the
- * support that would have generated references to them.
- */
__memcpy_chk;
__memset_chk;
__snprintf_chk;
@@ -23,3 +18,9 @@ LIBSSP_1.0 {
__vsnprintf_chk;
__vsprintf_chk;
};
+
+LIBSSP_1.1 {
+ __fgets_chk;
+ __memmove_chk;
+ __stpncpy_chk;
+};
diff --git a/lib/libssp/Versions.def b/lib/libssp/Versions.def
index be9d9874947b..85682c88a3e0 100644
--- a/lib/libssp/Versions.def
+++ b/lib/libssp/Versions.def
@@ -1,3 +1,8 @@
+# This version was first added to 13.0-current.
LIBSSP_1.0 {
};
+
+# This version was first added to 15.0-current.
+LIBSSP_1.1 {
+} LIBSSP_1.0;
diff --git a/lib/libssp/__builtin_object_size.3 b/lib/libssp/__builtin_object_size.3
new file mode 100644
index 000000000000..23d74792918b
--- /dev/null
+++ b/lib/libssp/__builtin_object_size.3
@@ -0,0 +1,110 @@
+.\" $NetBSD: __builtin_object_size.3,v 1.11 2017/07/03 21:32:49 wiz Exp $
+.\"
+.\" SPDX-License-Identifier: BSD-2-Clause
+.\"
+.\" Copyright (c) 2007 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" This code is derived from software contributed to The NetBSD Foundation
+.\" by Christos Zoulas.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\"
+.Dd April 27, 2024
+.Dt __BUILTIN_OBJECT_SIZE 3
+.Os
+.Sh NAME
+.Nm __builtin_object_size
+.Nd return the size of the given object
+.Sh SYNOPSIS
+.Ft size_t
+.Fn __builtin_object_size "void *ptr" "int type"
+.Sh DESCRIPTION
+The
+.Fn __builtin_object_size
+function is a
+.Xr clang 1
+and
+.Xr gcc 1
+built-in function that returns the size of the object referenced by
+.Fa ptr
+if known at compile time.
+If the
+.Fa ptr
+expression has any side effects, then they will not be evaluated.
+.Sh RETURN VALUES
+If the size of the object is not known or the
+.Fa ptr
+expression has side effects, the
+.Fn __builtin_object_size
+function returns:
+.Bl -tag -width (size_t)\-1 -offset indent
+.It Dv (size_t)\-1
+for
+.Fa type
+.Dv 0
+and
+.Dv 1 .
+.It Dv (size_t)0
+for
+.Fa type
+.Dv 2
+and
+.Dv 3 .
+.El
+.Pp
+If the size of the object is known, then the
+.Fn __builtin_object_size
+function returns the maximum size of all the objects that the compiler
+knows can be pointed to by
+.Fa ptr
+when
+.Fa type
+.Dv & 2 == 0 ,
+and the minimum size when
+.Fa type
+.Dv & 2 != 0 .
+.Sh SEE ALSO
+.Xr clang 1 ,
+.Xr gcc 1 ,
+.Xr __builtin_return_address 3 ,
+.Xr attribute 3 ,
+.Xr ssp 3
+.Sh HISTORY
+The
+.Fn __builtin_object_size
+appeared in
+.Tn GCC 4.1 .
+.Sh CAVEATS
+This is a non-standard, compiler-specific extension.
+.Pp
+Note that currently the object size calculation pass is only done at -O1
+or above, meaning that this function always returns \-1 when the optimizer
+is off.
+.Pp
+There are some discussions about always doing the object size pass, but
+the issue is that without the optimization pass data sizes are not going
+to be correct.
+.Pp
+For that reason code fortification (size-checked replacement
+functions) is currently disabled when optimization is off.
diff --git a/lib/libssp/fortify_stubs.c b/lib/libssp/fortify_stubs.c
deleted file mode 100644
index a500a1405aaf..000000000000
--- a/lib/libssp/fortify_stubs.c
+++ /dev/null
@@ -1,132 +0,0 @@
-/*-
- * SPDX-License-Identifier: BSD-2-Clause
- *
- * Copyright (c) 2019 Kyle Evans <kevans@FreeBSD.org>
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <sys/cdefs.h>
-#include <sys/types.h>
-
-#include <stdarg.h>
-#include <stdlib.h>
-
-/* Signatures grabbed from LSB Core Specification 4.1 */
-void *__memcpy_chk(void *dst, const void *src, size_t len,
- size_t dstlen);
-void *__memset_chk(void *dst, int c, size_t len, size_t dstlen);
-int __snprintf_chk(char *str, size_t maxlen, int flag, size_t strlen,
- const char *fmt, ...);
-int __sprintf_chk(char *str, int flag, size_t strlen, const char *fmt, ...);
-char *__stpcpy_chk(char *dst, const char *src, size_t dstlen);
-char *__strcat_chk(char *dst, const char *src, size_t dstlen);
-char *__strcpy_chk(char *dst, const char *src, size_t dstlen);
-char *__strncat_chk(char *dst, const char *src, size_t len, size_t dstlen);
-char *__strncpy_chk(char *dst, const char *src, size_t len, size_t dstlen);
-int __vsnprintf_chk(char *str, size_t size, int flags, size_t len,
- const char *format, va_list ap);
-int __vsprintf_chk(char *str, int flag, size_t slen, const char *format,
- va_list ap);
-
-#define ABORT() abort2("_FORTIFY_SOURCE not supported", 0, NULL)
-
-void *
-__memcpy_chk(void *dst, const void *src, size_t len,
- size_t dstlen)
-{
-
- ABORT();
-}
-
-void *
-__memset_chk(void *dst, int c, size_t len, size_t dstlen)
-{
-
- ABORT();
-}
-
-int
-__snprintf_chk(char *str, size_t maxlen, int flag, size_t strlen,
- const char *fmt, ...)
-{
-
- ABORT();
-}
-
-int
-__sprintf_chk(char *str, int flag, size_t strlen, const char *fmt, ...)
-{
-
- ABORT();
-}
-
-char *
-__stpcpy_chk(char *dst, const char *src, size_t dstlen)
-{
-
- ABORT();
-}
-
-char *
-__strcat_chk(char *dst, const char *src, size_t dstlen)
-{
-
- ABORT();
-}
-
-char *
-__strcpy_chk(char *dst, const char *src, size_t dstlen)
-{
-
- ABORT();
-}
-
-char *
-__strncat_chk(char *dst, const char *src, size_t len, size_t dstlen)
-{
-
- ABORT();
-}
-
-char *
-__strncpy_chk(char *dst, const char *src, size_t len, size_t dstlen)
-{
-
- ABORT();
-}
-
-int
-__vsnprintf_chk(char *str, size_t size, int flags, size_t len,
- const char *format, va_list ap)
-{
-
- ABORT();
-}
-
-int
-__vsprintf_chk(char *str, int flag, size_t slen, const char *format,
- va_list ap)
-{
-
- ABORT();
-}
diff --git a/lib/libssp/ssp.3 b/lib/libssp/ssp.3
new file mode 100644
index 000000000000..5b00fe53f9fc
--- /dev/null
+++ b/lib/libssp/ssp.3
@@ -0,0 +1,128 @@
+.\" $NetBSD: ssp.3,v 1.9 2015/12/03 13:11:45 christos Exp $
+.\"
+.\" SPDX-License-Identifier: BSD-2-Clause
+.\"
+.\" Copyright (c) 2007 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" This code is derived from software contributed to The NetBSD Foundation
+.\" by Christos Zoulas.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\"
+.Dd December 3, 2015
+.Dt SSP 3
+.Os
+.Sh NAME
+.Nm ssp
+.Nd bounds checked libc functions
+.Sh LIBRARY
+.Lb libssp
+.Sh SYNOPSIS
+.In ssp/stdio.h
+.Ft int
+.Fn sprintf "char *str" "const char *fmt" "..."
+.Ft int
+.Fn vsprintf "char *str" "const char *fmt" "va_list ap"
+.Ft int
+.Fn snprintf "char *str" "size_t len" "const char *fmt" "..."
+.Ft int
+.Fn vsnprintf "char *str" "size_t len" "const char *fmt" "va_list ap"
+.Ft char *
+.Fn fgets "char *str" "int len" "FILE *fp"
+.In ssp/string.h
+.Ft void *
+.Fn memcpy "void *str" "const void *ptr" "size_t len"
+.Ft void *
+.Fn memmove "void *str" "const void *ptr" "size_t len"
+.Ft void *
+.Fn memset "void *str" "int val" "size_t len"
+.Ft char *
+.Fn stpcpy "char *str" "const char *ptr"
+.Ft char *
+.Fn strcpy "char *str" "const char *ptr"
+.Ft char *
+.Fn strcat "char *str" "const char *ptr"
+.Ft char *
+.Fn strncpy "char *str" "const char *ptr" "size_t len"
+.Ft char *
+.Fn strncat "char *str" "const char *ptr" "size_t len"
+.In ssp/strings.h
+.Ft void *
+.Fn bcopy "const void *ptr" "void *str" "size_t len"
+.Ft void *
+.Fn bzero "void *str" "size_t len"
+.In ssp/unistd.h
+.Ft ssize_t
+.Fn read "int fd" "void *str" "size_t len"
+.Ft int
+.Fn readlink "const char * restrict path" "char * restrict str" "size_t len"
+.Ft int
+.Fn getcwd "char *str" "size_t len"
+.Sh DESCRIPTION
+When
+.Dv _FORTIFY_SOURCE
+bounds checking is enabled as described below, the above functions get
+overwritten to use the
+.Xr __builtin_object_size 3
+function to compute the size of
+.Fa str ,
+if known at compile time,
+and perform bounds check on it in order
+to avoid data buffer or stack buffer overflows.
+If an overflow is detected, the routines will call
+.Xr abort 3 .
+.Pp
+To enable these function overrides the following should be added to the
+.Xr clang 1
+or
+.Xr gcc 1
+command line:
+.Dq \-D_FORTIFY_SOURCE=1
+or
+.Dq \-D_FORTIFY_SOURCE=2 .
+.Pp
+If
+.Dv _FORTIFY_SOURCE is set to
+.Dv 1
+the code will compute the maximum possible buffer size for
+.Fa str ,
+and if set to
+.Dv 2
+it will compute the minimum buffer size.
+.Sh SEE ALSO
+.Xr clang 1 ,
+.Xr gcc 1 ,
+.Xr __builtin_object_size 3 ,
+.Xr stdio 3 ,
+.Xr string 3 ,
+.Xr security 7
+.Sh HISTORY
+The
+.Nm
+library appeared in
+.Nx 4.0 .
+This version of the
+.Nm
+library replaced the GNU library of the same name in
+.Fx 12.2 .