Age | Commit message | Author |
|
a little pointer-sized gap before the return value. This protects
from common off-by-one type of bugs and costs nothing: the attacker
won't be able to overwrite return pointer. Developed at m2k14,
thanks for the hackathon!
|
|
This will make the environment more hostile and help detect bugs
that depend on overrunning one variable into another, with almost
no performance cost.
Discussed with Theo at m2k14 hackathon. "oh god yes" tedu@, "oh nice" djm@
|
|
16-byte boundary. However, GCC 16-byte aligns arrays of >=16 BITS,
not BYTES.
This diff improves bug detectability for code which has local arrays
of [16 .. 127] bits: in those cases SSP will now detect even 1-byte
overflows.
OK kettenis@. Tested in snaps for a week.
|
|
additional functions --- those that have local array definitions,
or have references to local frame addresses.
Note that upstream uses -fstack-protector-strong and misleads people:
-fstack-protector, -fstack-protector-all, -fstack-protector-strong
can you tell which one is safe?
Luckily, OpenBSD has its own compiler and is able to do the right
thing for security: this is enabled by default, and called
-fstack-protector.
OK deraadt@, miod@. Tested for 3 months.
|
|
|
|
ok deraadt@
|
|
which operates on element counts rather than buffer sizes. I'll start
annotating headers in a few weeks, after the hackathon. OK millert@.
|
|
additional functions to be protected --- those that have local array
definitions, or have references to local frame addresses.
Note 1: Han explicitly licensed this under GPLv2 for us.
Note 2: Do *not* use this anywhere in "src" Makefiles, as the other
GCC doesn't have this option yet (but I'm working on it).
|
|
size almost always has security implications. I think this quote
from Theo summarizes the situation best:
Which is why it is important to have at least one unforgiving
platform in the ecosystem which properly labels shit shit.
That's OpenBSD. If anyone can't handle that, they can go to platforms
which hide the reality.
|
|
stpcpy, strcat, strcpy. Also don't simplify some safe builtins
into unsafe ones, otherwise we'll hit the linker with the bogus
warning. OK miod@, millert@.
|
|
|
|
sprintf, vsprintf, stpcpy, strcat, strcpy. We're hitting the linker
again, therefore the warning will show up now.
|
|
Kernel, base and ports seem happy with this change, and there's no
reason for collect2 to be less useful on these machines. Offending
lines in gcc/config found by Miod, thanks.
Let's commit the right file this time. ok kettenis@ miod@ mpi@
|
|
|
|
Kernel, base and ports seem happy with this change, and there's no
reason for collect2 to be less useful on these machines. Offending
lines in gcc/config found by Miod, thanks! ok kettenis@ miod@ mpi@
|
|
matches the behaviour of gcc >= 4.3 and clang
ok miod@
|
|
|
|
From Joerg Wunsch in GCC PR 23479, under the GPLv2.
This is required to build the i965 backend with newer versions of mesa.
ok kettenis@ espie@ miod@
|
|
this also adds support in gcc 4.x kprintf format checks
ok kettenis@
|
|
The PR comes with a real fix, but it is covered by the GPL v3, and is
neither trivial nor straightforward, so use a hammer and disable the
unreliable code.
Verified to fix bogus code generation on macppc.
|
|
instruction, before testing whether it can be built with `or.u'; this
allows further optimization.
condition_value(): handle ORDERED and UNORDERED condition codes.
print_operand(): remove support for no longer used `w' qualifier.
|
|
inline assembly, tb/tbnd instructions.
Don't use `r' qualifier for "register_operand", it's redundant.
|
|
linking against -lgcov.
|
|
|
|
|
|
* arm.md (negscc): Match the correct operand for optimized LT0 test.
Remove optimization for GT.
|
|
Main features:
- md constraints rewritten in RTL
- md predicates rewritten in RTL
- md va_arg switched to gimple
- abort() calls replaced with gcc_assert() or gcc_unreachable() for better
diagnostics
- support for non-ELF systems completely removed
Missing:
- conversion of the pipeline information from define_function_unit to
define_automata not done yet (thus pipeline information currently removed)
Known regressions against 3.3.6 so far:
- no stack protector support yet
- __builtin_setjmp doesn't restore the frame pointer correctly upon return
from __builtin_longjmp
- at least one case of optimization error when delay slots are not disabled.
- libgcc is only built -fPIC, instead of static/fpic/fPIC.
|
|
of TR 24732. Emit pedantic warning if the feature is being used.
Requested by jasper@; needed by certain ports. OK miod@.
|
|
and i386.
pointed out by miod@
|
|
i386.
ok pascal@, miod@
|
|
ok miod@
|
|
ok miod@
|
|
Reorganize soft frame pointer so that locals are below it and grow
downwards. Tested by miod@, jasper@. OK miod@.
|
|
Reorganize soft frame pointer so that locals are below it and grow
downwards. Thanks Nick for the access. OK miod@.
|
|
after switching to __guard_local. OK matthew@, miod@.
|
|
The array_size was uninitialized and used to work by accident.
Spotted with SSP on MIPS.
OK miod@. Tested by jasper@.
|
|
the following manner:
([reg:A & -8] << (64 - (((reg:FP+reg:B) & 0x7) << 3))) >> 56
This fails when we're doing loads with the offset from the frame
pointer %8. Since it's aligned, optimizer makes it a zero. The
correct expression is:
([reg:A & -8] << (56 - (((reg:FP+reg:B-1) & 0x7) << 3))) >> 56
This is actually a 13-year-old bug. Checked by Miod; a few files
in the kernel were affected. Spotted with SSP for Alpha.
OK miod@. Tested by naddy@.
|
|
of GCC do.
ok millert@, guenther@, pascal@, deraadt@
|
|
wrapping them with an implicit extern "C" since that breaks the webkit port.
Help from matthew@ and landry@.
ok landry@
|
|
fixup_match_2() on landisk building mysql; gcc PR #28467
help and prodding jsg@, ok kettenis@
|
|
we're default PIE.
allows Theo to build PIE-by-default sparc; ok kettenis@
|
|
to emit -fstack-protector code that doesn't need GOT indirection for
accessing __guard.
Tested on amd64, i386, sparc64, hppa, loongson, and sgi (thanks lteo,
djm, sthen, todd, naddy, kettenis, phessler, jasper, and anyone else
that I'm missing who tested).
|
|
powerpc now gets the right behaviour for -pthread as well.
ok pascal@, krw@, millert@
|
|
Found out the hard way by deraadt@.
ok kettenis@
|
|
(things link now).
|
|
different approach than the one taken in kurt@'s original diff, but deemed
better after discussion and diff exchange with kettenis@ and matthew@.
Lots of feedback by kettenis@ and matthew@, prodding and encouragement by
deraadt@.
ok kettenis@ matthew@
|
|
commit. It breaks make build on arm and generally causes more grief than
the (small) benefit it is supposed to bring.
ok matthew@
|
|
- Link libpthread.so with -znodlopen. Because libpthread overrides
the weak symbols in libc, we can't allow it to be dynamically
loaded or else libc's weak symbols might have already been
resolved by ld.so. (Also, major bump because this is technically
a backwards incompat change in behavior, although dlopen()ing
libpthread never really worked.)
- Link libc.so with -nodefaultlibs -lgcc. This ensures that libc
doesn't try to link against itself (which ld.so wouldn't like).
- Change GCC 4 to link shared objects with -lpthread and -lc as
appropriate, now that there's no issues with doing so. This means
that it's no longer necessary to patch software to use -pthread
instead of -lpthread. (Ports tree rejoice!)
Also, to preemptively answer this question: No, this does not
eliminate the need for LD_PRELOAD=libpthread.so. That's a separate
issue that won't be resolved until we eliminate libc's weak symbols.
Discussed extensively on email and icb over the past few months.
ok deraadt
|
|
so override gcc's default of long/unsigned long on amd64 like we
do the other LP64 platforms. This lets format checking of %jd/%ju
work correctly there.
ok matthew@ millert@
|
|
_POSIX_THREAD_PRIORITY_SCHEDULING. POSIX 2001 states that they can be
defined to -1 to indicate that the feature is not supported (which is
how we define them), so it's not okay to just check whether or not
they're defined.
Arguably, SUSv2 allows GCC's usage, but we don't special case these
feature flags for SUSv2, and these files need to be compilable in BSD
and POSIX compat modes anyway.
From Brad.
|