From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 3451415808E for ; Thu, 28 Apr 2022 01:26:49 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 29060E0863; Thu, 28 Apr 2022 01:26:48 +0000 (UTC) Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id E3C2BE0863 for ; Thu, 28 Apr 2022 01:26:47 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 61155340FE4 for ; Thu, 28 Apr 2022 01:26:46 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id CFBAC3BE for ; Thu, 28 Apr 2022 01:26:44 +0000 (UTC) From: "Sam James" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sam James" Message-ID: <1651109194.94948c9cb994f123f6ae59b50e400eb6e617c46f.sam@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: sys-apps/systemd/files/, sys-apps/systemd/ X-VCS-Repository: repo/gentoo X-VCS-Files: sys-apps/systemd/files/250.4-fortify-source-3-malloc.patch sys-apps/systemd/systemd-250.4-r1.ebuild X-VCS-Directories: sys-apps/systemd/files/ sys-apps/systemd/ X-VCS-Committer: sam X-VCS-Committer-Name: Sam James X-VCS-Revision: 94948c9cb994f123f6ae59b50e400eb6e617c46f X-VCS-Branch: master Date: Thu, 28 Apr 2022 01:26:44 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 463b1f7f-7902-4959-a59b-39a3993c5e00 X-Archives-Hash: 0a691b0d99e790f461ae5d73c827b827 commit: 94948c9cb994f123f6ae59b50e400eb6e617c46f Author: Sam James gentoo org> AuthorDate: Thu Apr 28 01:25:20 2022 +0000 Commit: Sam James gentoo org> CommitDate: Thu Apr 28 01:26:34 2022 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94948c9c sys-apps/systemd: backport -D_FORTIFY_SOURCE=3 patch Notably not bothering to revbump for now because this manifests during self-execution during build and FORTIFY_SOURCE=3 is only available in GCC 12 which isn't even released yet, let alone exposed or enabled by default in Gentoo. It's far more likely that systemd 251 will be released (or at least another RC for it) before we're even close to unleashing FORTIFY_SOURCE=3 on Gentoo Hardened users by default. Bug: https://github.com/systemd/systemd/issues/22801 Signed-off-by: Sam James gentoo.org> .../files/250.4-fortify-source-3-malloc.patch | 42 ++++++++++++++++++++++ sys-apps/systemd/systemd-250.4-r1.ebuild | 1 + 2 files changed, 43 insertions(+) diff --git a/sys-apps/systemd/files/250.4-fortify-source-3-malloc.patch b/sys-apps/systemd/files/250.4-fortify-source-3-malloc.patch new file mode 100644 index 000000000000..ed9eb80f21fa --- /dev/null +++ b/sys-apps/systemd/files/250.4-fortify-source-3-malloc.patch @@ -0,0 +1,42 @@ +https://github.com/systemd/systemd/commit/0bd292567a543d124cd303f7dd61169a209cae64 + +From 0bd292567a543d124cd303f7dd61169a209cae64 Mon Sep 17 00:00:00 2001 +From: Martin Liska +Date: Thu, 31 Mar 2022 10:27:45 +0200 +Subject: [PATCH] Support -D_FORTIFY_SOURCE=3 by using + __builtin_dynamic_object_size. + +As explained in the issue, -D_FORTIFY_SOURCE=3 requires usage +of __builtin_dynamic_object_size in MALLOC_SIZEOF_SAFE macro. + +Fixes: #22801 +--- a/src/basic/alloc-util.h ++++ b/src/basic/alloc-util.h +@@ -174,13 +174,23 @@ void* greedy_realloc0(void **p, size_t need, size_t size); + * is compatible with _FORTIFY_SOURCES. If _FORTIFY_SOURCES is used many memory operations will take the + * object size as returned by __builtin_object_size() into account. Hence, let's return the smaller size of + * malloc_usable_size() and __builtin_object_size() here, so that we definitely operate in safe territory by +- * both the compiler's and libc's standards. Note that __builtin_object_size() evaluates to SIZE_MAX if the +- * size cannot be determined, hence the MIN() expression should be safe with dynamically sized memory, +- * too. Moreover, when NULL is passed malloc_usable_size() is documented to return zero, and ++ * both the compiler's and libc's standards. Note that _FORTIFY_SOURCES=3 handles also dynamically allocated ++ * objects and thus it's safer using __builtin_dynamic_object_size if _FORTIFY_SOURCES=3 is used (#22801). ++ * Moreover, when NULL is passed malloc_usable_size() is documented to return zero, and + * __builtin_object_size() returns SIZE_MAX too, hence we also return a sensible value of 0 in this corner + * case. */ ++ ++#if defined __has_builtin ++# if __has_builtin(__builtin_dynamic_object_size) ++# define MALLOC_SIZEOF_SAFE(x) \ ++ MIN(malloc_usable_size(x), __builtin_dynamic_object_size(x, 0)) ++# endif ++#endif ++ ++#ifndef MALLOC_SIZEOF_SAFE + #define MALLOC_SIZEOF_SAFE(x) \ + MIN(malloc_usable_size(x), __builtin_object_size(x, 0)) ++#endif + + /* Inspired by ELEMENTSOF() but operates on malloc()'ed memory areas: typesafely returns the number of items + * that fit into the specified memory block */ + diff --git a/sys-apps/systemd/systemd-250.4-r1.ebuild b/sys-apps/systemd/systemd-250.4-r1.ebuild index 0a50c49d2cc6..949d0d02e69c 100644 --- a/sys-apps/systemd/systemd-250.4-r1.ebuild +++ b/sys-apps/systemd/systemd-250.4-r1.ebuild @@ -244,6 +244,7 @@ src_prepare() { # Add local patches here PATCHES+=( "${FILESDIR}/250.4-random-seed-hash.patch" + "${FILESDIR}/250.4-fortify-source-3-malloc.patch" ) if ! use vanilla; then