author | Dan McDonald <danmcd@joyent.com> | 2020-11-17 14:48:44 -0500 |
---|---|---|
committer | Dan McDonald <danmcd@joyent.com> | 2020-11-17 14:48:44 -0500 |
commit | 2d6415143e9c1044d04ebf846f72f232883413cb (patch) | |
tree | 555fae9f2f89b0c9a4d8c4bbd66b02b70ded9fc7 /usr/src/lib/libc | |
parent | 5a1b3228538dfeb09e05cc2bdfad707ee4d698d7 (diff) | |
parent | 5a0af8165ce9590e7a18f1ef4f9badc4dd72c6e6 (diff) | |
download | illumos-joyent-release-20201119.tar.gz |
[illumos-gate merge]release-20201119
commit 5a0af8165ce9590e7a18f1ef4f9badc4dd72c6e6
13274 enable -fstack-protector-strong by default in user land
commit 6a817834d81cc75ce12d0d393320837b1fec1e85
5788 Want support for GCC's stack protector in libc
commit 350ffdd54baf880f440ddf9697666e283894ded1
13273 want upanic(2)
commit 7fdea60d55a95f0e46066fd021c4ef1b1321bafc
13300 mlxcx_cq_setup() doesn't take required locks for ASSERTs
Merge notes:
- Manifest changes to match package changes (including shipping libssp_ns.a)
- Modified lx_vdso tools to not include SSP, to match other build-only tools.
Diffstat (limited to 'usr/src/lib/libc')
-rw-r--r-- | usr/src/lib/libc/amd64/Makefile | 8 | ||||
-rw-r--r-- | usr/src/lib/libc/i386/Makefile.com | 8 | ||||
-rw-r--r-- | usr/src/lib/libc/inc/thr_uberdata.h | 1 | ||||
-rw-r--r-- | usr/src/lib/libc/port/gen/ssp.c | 67 | ||||
-rw-r--r-- | usr/src/lib/libc/port/mapfile-vers | 12 | ||||
-rw-r--r-- | usr/src/lib/libc/port/sys/upanic.c | 23 | ||||
-rw-r--r-- | usr/src/lib/libc/port/threads/assfail.c | 32 | ||||
-rw-r--r-- | usr/src/lib/libc/port/threads/thr.c | 6 | ||||
-rw-r--r-- | usr/src/lib/libc/sparc/Makefile.com | 8 | ||||
-rw-r--r-- | usr/src/lib/libc/sparcv9/Makefile.com | 8 |
10 files changed, 150 insertions, 23 deletions
diff --git a/usr/src/lib/libc/amd64/Makefile b/usr/src/lib/libc/amd64/Makefile index d8919e9201..710a72e87e 100644 --- a/usr/src/lib/libc/amd64/Makefile +++ b/usr/src/lib/libc/amd64/Makefile @@ -267,6 +267,7 @@ COMSYSOBJS= \ sigprocmsk.o \ sigsendset.o \ sigsuspend.o \ + ssp.o \ statfs.o \ statvfs.o \ stty.o \ @@ -279,6 +280,7 @@ COMSYSOBJS= \ ulimit.o \ umask.o \ umount2.o \ + upanic.o \ utssys.o \ uucopy.o \ vhangup.o \ @@ -1201,6 +1203,12 @@ pics/arc4random.o := CPPFLAGS += -I$(SRC)/common/crypto/chacha pics/__clock_gettime.o := CPPFLAGS += $(COMMPAGE_CPPFLAGS) pics/gettimeofday.o := CPPFLAGS += $(COMMPAGE_CPPFLAGS) +# +# Disable the stack protector due to issues with bootstrapping rtld. See +# cmd/sgs/rtld/Makefile.com for more information. +# +STACKPROTECT = none + .KEEP_STATE: all: $(LIBS) $(LIB_PIC) diff --git a/usr/src/lib/libc/i386/Makefile.com b/usr/src/lib/libc/i386/Makefile.com index 293014892a..a074accf08 100644 --- a/usr/src/lib/libc/i386/Makefile.com +++ b/usr/src/lib/libc/i386/Makefile.com @@ -306,6 +306,7 @@ COMSYSOBJS= \ ulimit.o \ umask.o \ umount2.o \ + upanic.o \ utssys.o \ uucopy.o \ vhangup.o \ @@ -574,6 +575,7 @@ PORTGEN= \ sigsend.o \ sigsetops.o \ ssignal.o \ + ssp.o \ stack.o \ stpcpy.o \ stpncpy.o \ @@ -1266,6 +1268,12 @@ pics/arc4random.o := CPPFLAGS += -I$(SRC)/common/crypto/chacha pics/__clock_gettime.o := CPPFLAGS += $(COMMPAGE_CPPFLAGS) pics/gettimeofday.o := CPPFLAGS += $(COMMPAGE_CPPFLAGS) +# +# Disable the stack protector due to issues with bootstrapping rtld. See +# cmd/sgs/rtld/Makefile.com for more information. +# +STACKPROTECT = none + .KEEP_STATE: all: $(LIBS) $(LIB_PIC) diff --git a/usr/src/lib/libc/inc/thr_uberdata.h b/usr/src/lib/libc/inc/thr_uberdata.h index 7f08a0b8c4..65d73f9db7 100644 --- a/usr/src/lib/libc/inc/thr_uberdata.h +++ b/usr/src/lib/libc/inc/thr_uberdata.h 
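Review bot: In the amd64 Makefile `ssp.o` is added between `sigsuspend.o` and `statfs.o`, which by the hunk header is the `COMSYSOBJS` list, while the i386, sparc and sparcv9 hunks add it to `PORTGEN` between `ssignal.o` and `stack.o`. The source is `port/gen/ssp.c`, so `PORTGEN` looks like the intended list, and amd64 should match the other three. Whether the misplacement changes the build is not visible from this diff.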
@@ -1323,6 +1323,7 @@ extern void _flush_windows(void); #define _flush_windows() #endif extern void set_curthread(void *); +extern void ssp_init(void); /* * Utility function used when waking up many threads (more than MAXLWPS) diff --git a/usr/src/lib/libc/port/gen/ssp.c b/usr/src/lib/libc/port/gen/ssp.c new file mode 100644 index 0000000000..81d93829ea --- /dev/null +++ b/usr/src/lib/libc/port/gen/ssp.c 
@@ -0,0 +1,67 @@
+/*
+ * This file and its contents are supplied under the terms of the
+ * Common Development and Distribution License ("CDDL"), version 1.0.
+ * You may only use this file in accordance with the terms of version
+ * 1.0 of the CDDL.
+ *
+ * A full copy of the text of the CDDL should have accompanied this
+ * source. A copy of the CDDL is also available via the Internet at
+ * http://www.illumos.org/license/CDDL.
+ */
+
+/*
+ * Copyright 2020 Oxide Computer Company
+ */
+
+#include <upanic.h>
+#include <sys/random.h>
+
+/*
+ * This provides an implementation of the stack protector functions that are
+ * expected by gcc's ssp implementation.
+ *
+ * We attempt to initialize the stack guard with random data, which is our best
+ * protection. If that fails, we'd like to have a guard that is still meaningful
+ * and not totally predictable. The original StackGuard paper suggests using a
+ * terminator canary. To make this a little more difficult, we also use a
+ * portion of the data from gethrtime().
+ *
+ * In a 32-bit environment, we only have four bytes worth of data. We use the
+ * lower two bytes of the gethrtime() value and then use pieces of the
+ * terminator canary, '\n\0'. In a 64-bit environment we use the full four byte
+ * terminator canary and then four bytes of gethrtime.
+ */
+
+/*
+ * Use an array here so it's easier to get the length at compile time.
+ */
+static const char ssp_msg[] = "*** stack smashing detected";
+
+uintptr_t __stack_chk_guard;
+
+void
+ssp_init(void)
+{
+ if (getrandom(&__stack_chk_guard, sizeof (__stack_chk_guard), 0) !=
+ sizeof (__stack_chk_guard)) {
+ /*
+ * This failed, attempt to get some data that might let us get
+ * off the ground.
+ */ + hrtime_t t = gethrtime(); +#ifdef _LP32 + const uint16_t guard = '\n' << 8 | '\0'; + __stack_chk_guard = guard << 16 | (uint16_t)t; +#else + const uint32_t guard = '\r' << 24 | '\n' << 16 | '\0' << 8 | + '\xff'; + __stack_chk_guard = (uint64_t)guard << 32 | (uint32_t)t; +#endif + } +} + +void +__stack_chk_fail(void) +{ + upanic(ssp_msg, sizeof (ssp_msg)); +} diff --git a/usr/src/lib/libc/port/mapfile-vers b/usr/src/lib/libc/port/mapfile-vers index 92a58825d4..0dec599cf6 100644 --- a/usr/src/lib/libc/port/mapfile-vers +++ b/usr/src/lib/libc/port/mapfile-vers @@ -78,6 +78,18 @@ $if _x86 && _ELF64 $add amd64 $endif +SYMBOL_VERSION ILLUMOS_0.37 { + global: + __stack_chk_guard; + protected: + __stack_chk_fail; +} ILLUMOS_0.36; + +SYMBOL_VERSION ILLUMOS_0.36 { + protected: + upanic; +} ILLUMOS_0.35; + SYMBOL_VERSION ILLUMOS_0.35 { protected: qsort_r; diff --git a/usr/src/lib/libc/port/sys/upanic.c b/usr/src/lib/libc/port/sys/upanic.c new file mode 100644 index 0000000000..2edfe4c4ff --- /dev/null +++ b/usr/src/lib/libc/port/sys/upanic.c @@ -0,0 +1,23 @@ +/* + * This file and its contents are supplied under the terms of the + * Common Development and Distribution License ("CDDL"), version 1.0. + * You may only use this file in accordance with the terms of version + * 1.0 of the CDDL. + * + * A full copy of the text of the CDDL should have accompanied this + * source. A copy of the CDDL is also available via the Internet at + * http://www.illumos.org/license/CDDL. + */ + +/* + * Copyright 2020 Oxide Computer Company + */ + +#include <sys/types.h> +#include <sys/syscall.h> + +void +upanic(const void *buf, size_t len) +{ + (void) syscall(SYS_upanic, buf, len); +} diff --git a/usr/src/lib/libc/port/threads/assfail.c b/usr/src/lib/libc/port/threads/assfail.c index 1c032d8ea7..4af2fc5664 100644 --- a/usr/src/lib/libc/port/threads/assfail.c +++ b/usr/src/lib/libc/port/threads/assfail.c 
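Review bot: The 64-bit fallback canary in ssp_init() ends with `'\xff'`, a character constant whose value is -1 wherever plain `char` is signed, so the OR sets all 32 bits of `guard` and the `'\r'`, `'\n'` and `'\0'` terminator bytes described in the block comment are lost; writing the last term as `0xff` keeps them. The 32-bit branch is selected by `#ifdef _LP32`, whereas the data-model macro the illumos headers define for 32-bit builds is `_ILP32`. Unless `_LP32` is defined somewhere outside this diff, a 32-bit libc takes the `#else` branch and, after truncation to `uintptr_t`, the guard is only the low 32 bits of gethrtime(). Both problems appear only when getrandom() fails, which is exactly the case this fallback is meant to cover.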
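Review bot: upanic() discards the result of `syscall(SYS_upanic, buf, len)` and has nothing after it, so if the system call ever returns, control goes back to the caller. Both callers in this commit treat it as final: `__stack_chk_fail()` would return into a frame whose canary check has just failed, and `Abort()` in assfail.c loses the `_exit(127)` last resort that the removed code had. Whether the kernel can return here is not visible in this diff. If it can, a fallback after the call (for example `_exit(127);` at the end of Abort(), and an equivalent in `__stack_chk_fail()`) keeps the failure fatal. Either way, a comment stating that upanic() is not expected to return would document the contract.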
@@ -26,10 +26,12 @@ /* * Copyright (c) 2012, 2014 by Delphix. All rights reserved. * Copyright 2015 Joyent, Inc. + * Copyright 2020 Oxide Computer Company */ #include "lint.h" #include "thr_uberdata.h" +#include <upanic.h> const char *panicstr; ulwp_t *panic_thread; @@ -60,35 +62,19 @@ grab_assert_lock() } static void -Abort(const char *msg) +Abort(const char *msg, size_t buflen) { ulwp_t *self; struct sigaction act; sigset_t sigmask; - lwpid_t lwpid; /* to help with core file debugging */ panicstr = msg; if ((self = __curthread()) != NULL) { panic_thread = self; - lwpid = self->ul_lwpid; - } else { - lwpid = _lwp_self(); } - /* set SIGABRT signal handler to SIG_DFL w/o grabbing any locks */ - (void) memset(&act, 0, sizeof (act)); - act.sa_sigaction = SIG_DFL; - (void) __sigaction(SIGABRT, &act, NULL); - - /* delete SIGABRT from the signal mask */ - (void) sigemptyset(&sigmask); - (void) sigaddset(&sigmask, SIGABRT); - (void) __lwp_sigmask(SIG_UNBLOCK, &sigmask); - - (void) _lwp_kill(lwpid, SIGABRT); /* never returns */ - (void) kill(getpid(), SIGABRT); /* if it does, try harder */ - _exit(127); + upanic(msg, buflen); } /* @@ -117,7 +103,7 @@ common_panic(const char *head, const char *why) if (msg[len1 - 1] != '\n') msg[len1++] = '\n'; (void) __write(2, msg, len1); - Abort(msg); + Abort(msg, sizeof (msg)); } void @@ -246,7 +232,7 @@ lock_error(const mutex_t *mp, const char *who, void *cv, const char *msg) (void) strcat(buf, "\n\n"); (void) __write(2, buf, strlen(buf)); if (udp->uberflags.uf_thread_error_detection >= 2) - Abort(buf); + Abort(buf, sizeof (buf)); assert_thread = NULL; (void) _lwp_mutex_unlock(&assert_lock); if (self != NULL) @@ -335,7 +321,7 @@ rwlock_error(const rwlock_t *rp, const char *who, const char *msg) (void) strcat(buf, "\n\n"); (void) __write(2, buf, strlen(buf)); if (udp->uberflags.uf_thread_error_detection >= 2) - Abort(buf); + Abort(buf, sizeof (buf)); assert_thread = NULL; (void) _lwp_mutex_unlock(&assert_lock); if (self != NULL) 
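Review bot: After this hunk Abort() still declares `struct sigaction act;` and `sigset_t sigmask;`, but every statement that used them (the `__sigaction` and `__lwp_sigmask` setup) is removed, so both are dead locals and should be dropped along with `lwpid`. The whole body of Abort() is inside the hunk, so nothing else in the function refers to them.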
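Review bot: `Abort(msg, sizeof (msg))` in common_panic() passes the capacity of the buffer, not the length of the message, while the `__write()` on the line above sends `len1` bytes of the same text. The lock_error, rwlock_error, thread_error and __assfail hunks do the same with `Abort(buf, sizeof (buf))` next to `strlen(buf)`. The declarations of `msg` and `buf` are outside these hunks: if they are local arrays, upanic() is also handed whatever bytes follow the terminator, and if any were a pointer, `sizeof` would be the pointer size. Passing `strlen(buf) + 1`, or adding a comment on Abort() such as `/* buflen is the size of the buffer, not the length of the message */`, would make the intent explicit.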
@@ -383,7 +369,7 @@ thread_error(const char *msg) (void) strcat(buf, "\n\n"); (void) __write(2, buf, strlen(buf)); if (udp->uberflags.uf_thread_error_detection >= 2) - Abort(buf); + Abort(buf, sizeof (buf)); assert_thread = NULL; (void) _lwp_mutex_unlock(&assert_lock); if (self != NULL) @@ -455,7 +441,7 @@ __assfail(const char *assertion, const char *filename, int line_num) * if (self != NULL) * exit_critical(self); */ - Abort(buf); + Abort(buf, sizeof (buf)); } /* diff --git a/usr/src/lib/libc/port/threads/thr.c b/usr/src/lib/libc/port/threads/thr.c index 8026ffad9c..66d0e524c2 100644 --- a/usr/src/lib/libc/port/threads/thr.c +++ b/usr/src/lib/libc/port/threads/thr.c @@ -1308,6 +1308,11 @@ libc_init(void) */ if (oldself != NULL && (oldself->ul_primarymap || !primary_link_map)) { __tdb_bootstrap = oldself->ul_uberdata->tdb_bootstrap; + /* + * Each link map has its own copy of the stack protector guard + * and must always be initialized. + */ + ssp_init(); mutex_setup(); atfork_init(); /* every link map needs atfork() processing */ init_progname(); @@ -1448,6 +1453,7 @@ libc_init(void) /* tls_size was zero when oldself was allocated */ lfree(oldself, sizeof (ulwp_t)); } + ssp_init(); mutex_setup(); atfork_init(); signal_init(); diff --git a/usr/src/lib/libc/sparc/Makefile.com b/usr/src/lib/libc/sparc/Makefile.com index da5a4b541a..217cd58dc8 100644 --- a/usr/src/lib/libc/sparc/Makefile.com +++ b/usr/src/lib/libc/sparc/Makefile.com @@ -322,6 +322,7 @@ COMSYSOBJS= \ ulimit.o \ umask.o \ umount2.o \ + upanic.o \ utssys.o \ uucopy.o \ vhangup.o \ @@ -601,6 +602,7 @@ PORTGEN= \ sigsend.o \ sigsetops.o \ ssignal.o \ + ssp.o \ stack.o \ stpcpy.o \ stpncpy.o \ 
@@ -1317,6 +1319,12 @@ pics/arc4random.o := CPPFLAGS += -I$(SRC)/common/crypto/chacha # Files which need extra optimization pics/getenv.o := sparc_COPTFLAG = -xO4 +# +# Disable the stack protector due to issues with bootstrapping rtld. See +# cmd/sgs/rtld/Makefile.com for more information. +# +STACKPROTECT = none + .KEEP_STATE: all: $(LIBS) $(LIB_PIC) diff --git a/usr/src/lib/libc/sparcv9/Makefile.com b/usr/src/lib/libc/sparcv9/Makefile.com index 7f659225d0..7689a5b66e 100644 --- a/usr/src/lib/libc/sparcv9/Makefile.com +++ b/usr/src/lib/libc/sparcv9/Makefile.com @@ -304,6 +304,7 @@ COMSYSOBJS= \ ulimit.o \ umask.o \ umount2.o \ + upanic.o \ utssys.o \ uucopy.o \ vhangup.o \ @@ -559,6 +560,7 @@ PORTGEN= \ sigsend.o \ sigsetops.o \ ssignal.o \ + ssp.o \ stack.o \ stpcpy.o \ stpncpy.o \ @@ -1240,6 +1242,12 @@ pics/arc4random.o := CPPFLAGS += -I$(SRC)/common/crypto/chacha # Files which need extra optimization pics/getenv.o := sparcv9_COPTFLAG = -xO4 +# +# Disable the stack protector due to issues with bootstrapping rtld. See +# cmd/sgs/rtld/Makefile.com for more information. +# +STACKPROTECT = none + .KEEP_STATE: all: $(LIBS) $(LIB_PIC) |