Prep .c files for removing the #includes from */archdep.h
* replace #include "archdep.h" with #includes of what is used, pulling in
"syscall.h", "util.h", and "archdep.h" as needed
* delete #include <sys/syscall.h> from syscall.h
* only pull in <sys/stat.h> to the three files that use _dl_fstat(),
forward declare struct stat in syscall.h for the others
* NBBY is for <sys/select.h> macros; just use '8' in dl_printf.c
* <machine/vmparam.h> is only needed on i386; conditionalize it
* stop using __LDPGSZ: use _MAX_PAGE_SHIFT (already used by malloc.c)
where necessary
* delete other bogus #includes, order legit per style: <sys/*> then
<*/*>, then <*>, then "*"

dir.c improvement from jsg@
ok and testing assistance deraadt@

make three mib[] arrays const, as was done in libc

Add missing space in stack smash handler error message.
ok kettenis@, deraadt@

On retguard systems, remove the ld.so-local stack-protector handling
functions because retguard uses hard-traps instead.
ok mortimer.

Use a static chacha instance to fill randomdata sections. Avoids looping
over a syscall for randomdata sections larger than 256B.

ok djm@ deraadt@ kettenis@

On fatal errors, kill ourselves with thrkill(0,9,NULL) instead of
simply exiting, via helper functions _dl_die(), _dl_diedie(), and
_dl_oom().

prompted by a complaint from jsing@
ok jsing@ deraadt@

the slimmed down random functions inside ld.so are strict clones of the
libc arc4random API, so call them _dl_{arc4random,arcrandombuf}
ok tedu guenther

use a larger chunk for getentropy() and save some for next time.
coalesces some syscalls instead of one per random number.
ok deraadt

Rename the system call sendsyslog2 to sendsyslog. Keep the old one
as osendsyslog for a while. The three argument variant is the only
one that will stay.
input kettenis@; OK deraadt@

Switch ld.so's stack smash handler from sendsyslog to sendsyslog2
and pass the LOG_CONS flag like libc's handler.

ok deraadt@ bluhm@ (who had a similar diff)

Export environ and __progname, making the latter a copy of just the filename
portion like crt0 does. This is prep for eliminating _dl_fixup_user_env()
Mark almost everything in resolve.h as hidden, to improve code generation.

ok kettenis@ mpi@ "good time" deraadt@

If _dl_progname exceeds half the syslog buffer, truncate it with "...",
so that the remaining information is more visible
ok kettenis miod

<sys/param.h> to <limits.h> conversion. Verified binaries
ok millert, thanks to doug for process advice

avoid void arithmetic. from david carlier

Now that we have sendsyslog(2), we can directly use it in the
(previously completely retarded) stack_smash_handler of ld.so
ok beck miod tedu

rm unneeded includes; prompted (partly) by kettenis@

move from sysclt(KERN_ARND) to getentropy(2); ok miod@, kettenis@

Move to a non-zeroing _dl_malloc, a _dl_calloc and _dl_reallocarry and
fix _dl_strdup to return NULL instead of crash; ok deraadt@

Make _dl_randombuf invoke sysctl KERN_ARND in 256-byte chunks, for this is
(currently) the largest output you can get from it.

ok deraadt@

Move to (slightly stripped) version of libc malloc; ok deraadt@

improve some types

Do not need __guard anymore
Discussion with miod
ok kettenis

prototype & void * math cleanup
ok guenther

Constify the mib argument of sysctl().
ok matthew@ millert@

Cache flush .plt after updating its pointers to .got during the initial
object relocation, if loaded at a different address than the one it was
compiled for; unsurprisingly fixes some spurious crashes.

Add __guard_local as a hidden symbol to ld.so, kernel, and every
executable and DSO (via crtbegin.c/crtbeginS.c). Not used yet, but
needed before GCC can start emitting -fstack-protector code that uses
them instead of __guard.

Change ld.so and libc to use .openbsd.randomdata on ELF platforms for
initializing their __guard values. For the time being, we're leaving
libc's constructor method as a backup to make sure __guard actually
gets initialized and to emit syslog warnings when it's not.

Not really an ABI change, so no shlib bump... "hold on to your butts"

ok deraadt, kettenis

Factor out a _dl_randombuf() method from _dl_random().

fix a 10 year old bug in the memory allocator, which affected only sparc.
sparc has 4 byte long, but needs 8 byte alignment. recently the DIR
struct was changed to contain some off_t, which needs 8 byte alignment.
turns out the allocator calculated the bias for alignment, and then
subtracted out it's private linkage storage afterwards. on hppa this
worked because a 8-byte object can be loaded at a 4-byte boundary; on
all other architectures the situation was either 4/4 or 8/8.
thanks for a bit of help from drahn

Fix mmap() error checking to be correct 64-bit addresses. Consistently
use _dl_mmap_error() to check for mmap() errors. Adjust datatypes of
some local vars for 64-bit safety.

okay millert@ drahn@

readdir buffers should not get a fixed buffer size, but should be dependant
on the block size of the filesystem. Rounded up to page size for efficiency.
similar to change in libc yesterday. Should fix PR 5364.

Make _dl_malloc() deal with allocations > 4096 correctly. Also place
unused memory chunks on the free list when making a large allocation.
OK drahn@ deraadt@

Fix this assumed sizeof(long) == 4 error. Would very occasionally cause
the code to attempt to zero 4 bytes of the next page.

various proto, ansi, and knf repair. tested on all architectures that
use it. (build may require make cleandir because of .depend balony)

pefo 3/4 licence cleanups

When loading a shared object or libraries dependant object, load them
in random order. This will reduce the possiblity of a buffer overflow
being able to predict the addresss of useful code. Can be disabled
with the LD_NORANDOM environment variable for debugging purposes.
ok deraadt.

knf & ansi; drahn ok

KNF; openbsd@davidkrause.com

typo; ok miod@

Import propolice (http://www.trl.ibm.com/projects/security/ssp), a stack
attack protection scheme, into gcc.

This protection is enabled by default. It can be turned off by using the
-fno-stack-protector flag.

Code by Hiroaki Etoh (etoh at jp dot ibm dot com); work on openbsd-specific
integration by fgsch@, deraadt@ and myself; tests by fgsch@, naddy@ and
myself; beer drinking by myself.

Please note that system upgrades with this new code will require a new
libc and ld.so to be build and installed before the propolice-enabled
compiler can be installed.

ok i found it

back out broken stuff until it is fixed

make more _dl_*() func params like real ones in libc

typos/grammar/better words
in comments.

more KNF

Change _dl_strcpy() to _dl_strlcpy(), implementation taken from libc.

various KNF

Add the Copyrights from the respective files the code came from. ok deraadt@

cleanup of MD/MI ld.so (elf), most changes by art@ cleanup by me.
tested on alpha sparc64 powerpc.

make three mib[] arrays const, as was done in libc

Add missing space in stack smash handler error message.
ok kettenis@, deraadt@

On retguard systems, remove the ld.so-local stack-protector handling
functions because retguard uses hard-traps instead.
ok mortimer.

Use a static chacha instance to fill randomdata sections. Avoids looping
over a syscall for randomdata sections larger than 256B.

ok djm@ deraadt@ kettenis@

On fatal errors, kill ourselves with thrkill(0,9,NULL) instead of
simply exiting, via helper functions _dl_die(), _dl_diedie(), and
_dl_oom().

prompted by a complaint from jsing@
ok jsing@ deraadt@

the slimmed down random functions inside ld.so are strict clones of the
libc arc4random API, so call them _dl_{arc4random,arcrandombuf}
ok tedu guenther

use a larger chunk for getentropy() and save some for next time.
coalesces some syscalls instead of one per random number.
ok deraadt

Rename the system call sendsyslog2 to sendsyslog. Keep the old one
as osendsyslog for a while. The three argument variant is the only
one that will stay.
input kettenis@; OK deraadt@

Switch ld.so's stack smash handler from sendsyslog to sendsyslog2
and pass the LOG_CONS flag like libc's handler.

ok deraadt@ bluhm@ (who had a similar diff)

Export environ and __progname, making the latter a copy of just the filename
portion like crt0 does. This is prep for eliminating _dl_fixup_user_env()
Mark almost everything in resolve.h as hidden, to improve code generation.

ok kettenis@ mpi@ "good time" deraadt@

If _dl_progname exceeds half the syslog buffer, truncate it with "...",
so that the remaining information is more visible
ok kettenis miod

<sys/param.h> to <limits.h> conversion. Verified binaries
ok millert, thanks to doug for process advice

avoid void arithmetic. from david carlier

Now that we have sendsyslog(2), we can directly use it in the
(previously completely retarded) stack_smash_handler of ld.so
ok beck miod tedu

rm unneeded includes; prompted (partly) by kettenis@

move from sysclt(KERN_ARND) to getentropy(2); ok miod@, kettenis@

Move to a non-zeroing _dl_malloc, a _dl_calloc and _dl_reallocarry and
fix _dl_strdup to return NULL instead of crash; ok deraadt@

Make _dl_randombuf invoke sysctl KERN_ARND in 256-byte chunks, for this is
(currently) the largest output you can get from it.

ok deraadt@

Move to (slightly stripped) version of libc malloc; ok deraadt@

improve some types

Do not need __guard anymore
Discussion with miod
ok kettenis

prototype & void * math cleanup
ok guenther

Constify the mib argument of sysctl().
ok matthew@ millert@

Cache flush .plt after updating its pointers to .got during the initial
object relocation, if loaded at a different address than the one it was
compiled for; unsurprisingly fixes some spurious crashes.

Add __guard_local as a hidden symbol to ld.so, kernel, and every
executable and DSO (via crtbegin.c/crtbeginS.c). Not used yet, but
needed before GCC can start emitting -fstack-protector code that uses
them instead of __guard.

Change ld.so and libc to use .openbsd.randomdata on ELF platforms for
initializing their __guard values. For the time being, we're leaving
libc's constructor method as a backup to make sure __guard actually
gets initialized and to emit syslog warnings when it's not.

Not really an ABI change, so no shlib bump... "hold on to your butts"

ok deraadt, kettenis

Factor out a _dl_randombuf() method from _dl_random().

fix a 10 year old bug in the memory allocator, which affected only sparc.
sparc has 4 byte long, but needs 8 byte alignment. recently the DIR
struct was changed to contain some off_t, which needs 8 byte alignment.
turns out the allocator calculated the bias for alignment, and then
subtracted out it's private linkage storage afterwards. on hppa this
worked because a 8-byte object can be loaded at a 4-byte boundary; on
all other architectures the situation was either 4/4 or 8/8.
thanks for a bit of help from drahn

Fix mmap() error checking to be correct 64-bit addresses. Consistently
use _dl_mmap_error() to check for mmap() errors. Adjust datatypes of
some local vars for 64-bit safety.

okay millert@ drahn@

readdir buffers should not get a fixed buffer size, but should be dependant
on the block size of the filesystem. Rounded up to page size for efficiency.
similar to change in libc yesterday. Should fix PR 5364.

Make _dl_malloc() deal with allocations > 4096 correctly. Also place
unused memory chunks on the free list when making a large allocation.
OK drahn@ deraadt@

Fix this assumed sizeof(long) == 4 error. Would very occasionally cause
the code to attempt to zero 4 bytes of the next page.

various proto, ansi, and knf repair. tested on all architectures that
use it. (build may require make cleandir because of .depend balony)

pefo 3/4 licence cleanups

When loading a shared object or libraries dependant object, load them
in random order. This will reduce the possiblity of a buffer overflow
being able to predict the addresss of useful code. Can be disabled
with the LD_NORANDOM environment variable for debugging purposes.
ok deraadt.

knf & ansi; drahn ok

KNF; openbsd@davidkrause.com

typo; ok miod@

Import propolice (http://www.trl.ibm.com/projects/security/ssp), a stack
attack protection scheme, into gcc.

This protection is enabled by default. It can be turned off by using the
-fno-stack-protector flag.

Code by Hiroaki Etoh (etoh at jp dot ibm dot com); work on openbsd-specific
integration by fgsch@, deraadt@ and myself; tests by fgsch@, naddy@ and
myself; beer drinking by myself.

Please note that system upgrades with this new code will require a new
libc and ld.so to be build and installed before the propolice-enabled
compiler can be installed.

ok i found it

back out broken stuff until it is fixed

make more _dl_*() func params like real ones in libc

typos/grammar/better words
in comments.

more KNF

Change _dl_strcpy() to _dl_strlcpy(), implementation taken from libc.

various KNF

Add the Copyrights from the respective files the code came from. ok deraadt@

cleanup of MD/MI ld.so (elf), most changes by art@ cleanup by me.
tested on alpha sparc64 powerpc.

Add missing space in stack smash handler error message.
ok kettenis@, deraadt@

On retguard systems, remove the ld.so-local stack-protector handling
functions because retguard uses hard-traps instead.
ok mortimer.

Use a static chacha instance to fill randomdata sections. Avoids looping
over a syscall for randomdata sections larger than 256B.

ok djm@ deraadt@ kettenis@

On fatal errors, kill ourselves with thrkill(0,9,NULL) instead of
simply exiting, via helper functions _dl_die(), _dl_diedie(), and
_dl_oom().

prompted by a complaint from jsing@
ok jsing@ deraadt@

the slimmed down random functions inside ld.so are strict clones of the
libc arc4random API, so call them _dl_{arc4random,arcrandombuf}
ok tedu guenther

use a larger chunk for getentropy() and save some for next time.
coalesces some syscalls instead of one per random number.
ok deraadt

Rename the system call sendsyslog2 to sendsyslog. Keep the old one
as osendsyslog for a while. The three argument variant is the only
one that will stay.
input kettenis@; OK deraadt@

Switch ld.so's stack smash handler from sendsyslog to sendsyslog2
and pass the LOG_CONS flag like libc's handler.

ok deraadt@ bluhm@ (who had a similar diff)

Export environ and __progname, making the latter a copy of just the filename
portion like crt0 does. This is prep for eliminating _dl_fixup_user_env()
Mark almost everything in resolve.h as hidden, to improve code generation.

ok kettenis@ mpi@ "good time" deraadt@

If _dl_progname exceeds half the syslog buffer, truncate it with "...",
so that the remaining information is more visible
ok kettenis miod

<sys/param.h> to <limits.h> conversion. Verified binaries
ok millert, thanks to doug for process advice

avoid void arithmetic. from david carlier

Now that we have sendsyslog(2), we can directly use it in the
(previously completely retarded) stack_smash_handler of ld.so
ok beck miod tedu

rm unneeded includes; prompted (partly) by kettenis@

move from sysclt(KERN_ARND) to getentropy(2); ok miod@, kettenis@

Move to a non-zeroing _dl_malloc, a _dl_calloc and _dl_reallocarry and
fix _dl_strdup to return NULL instead of crash; ok deraadt@

Make _dl_randombuf invoke sysctl KERN_ARND in 256-byte chunks, for this is
(currently) the largest output you can get from it.

ok deraadt@

Move to (slightly stripped) version of libc malloc; ok deraadt@

improve some types

Do not need __guard anymore
Discussion with miod
ok kettenis

prototype & void * math cleanup
ok guenther

Constify the mib argument of sysctl().
ok matthew@ millert@

Cache flush .plt after updating its pointers to .got during the initial
object relocation, if loaded at a different address than the one it was
compiled for; unsurprisingly fixes some spurious crashes.

Add __guard_local as a hidden symbol to ld.so, kernel, and every
executable and DSO (via crtbegin.c/crtbeginS.c). Not used yet, but
needed before GCC can start emitting -fstack-protector code that uses
them instead of __guard.

Change ld.so and libc to use .openbsd.randomdata on ELF platforms for
initializing their __guard values. For the time being, we're leaving
libc's constructor method as a backup to make sure __guard actually
gets initialized and to emit syslog warnings when it's not.

Not really an ABI change, so no shlib bump... "hold on to your butts"

ok deraadt, kettenis

Factor out a _dl_randombuf() method from _dl_random().

fix a 10 year old bug in the memory allocator, which affected only sparc.
sparc has 4 byte long, but needs 8 byte alignment. recently the DIR
struct was changed to contain some off_t, which needs 8 byte alignment.
turns out the allocator calculated the bias for alignment, and then
subtracted out it's private linkage storage afterwards. on hppa this
worked because a 8-byte object can be loaded at a 4-byte boundary; on
all other architectures the situation was either 4/4 or 8/8.
thanks for a bit of help from drahn

Fix mmap() error checking to be correct 64-bit addresses. Consistently
use _dl_mmap_error() to check for mmap() errors. Adjust datatypes of
some local vars for 64-bit safety.

okay millert@ drahn@

readdir buffers should not get a fixed buffer size, but should be dependant
on the block size of the filesystem. Rounded up to page size for efficiency.
similar to change in libc yesterday. Should fix PR 5364.

Make _dl_malloc() deal with allocations > 4096 correctly. Also place
unused memory chunks on the free list when making a large allocation.
OK drahn@ deraadt@

Fix this assumed sizeof(long) == 4 error. Would very occasionally cause
the code to attempt to zero 4 bytes of the next page.

various proto, ansi, and knf repair. tested on all architectures that
use it. (build may require make cleandir because of .depend balony)

pefo 3/4 licence cleanups

When loading a shared object or libraries dependant object, load them
in random order. This will reduce the possiblity of a buffer overflow
being able to predict the addresss of useful code. Can be disabled
with the LD_NORANDOM environment variable for debugging purposes.
ok deraadt.

knf & ansi; drahn ok

KNF; openbsd@davidkrause.com

typo; ok miod@

Import propolice (http://www.trl.ibm.com/projects/security/ssp), a stack
attack protection scheme, into gcc.

This protection is enabled by default. It can be turned off by using the
-fno-stack-protector flag.

Code by Hiroaki Etoh (etoh at jp dot ibm dot com); work on openbsd-specific
integration by fgsch@, deraadt@ and myself; tests by fgsch@, naddy@ and
myself; beer drinking by myself.

Please note that system upgrades with this new code will require a new
libc and ld.so to be build and installed before the propolice-enabled
compiler can be installed.

ok i found it

back out broken stuff until it is fixed

make more _dl_*() func params like real ones in libc

typos/grammar/better words
in comments.

more KNF

Change _dl_strcpy() to _dl_strlcpy(), implementation taken from libc.

various KNF

Add the Copyrights from the respective files the code came from. ok deraadt@

cleanup of MD/MI ld.so (elf), most changes by art@ cleanup by me.
tested on alpha sparc64 powerpc.

On retguard systems, remove the ld.so-local stack-protector handling
functions because retguard uses hard-traps instead.
ok mortimer.

Use a static chacha instance to fill randomdata sections. Avoids looping
over a syscall for randomdata sections larger than 256B.

ok djm@ deraadt@ kettenis@

On fatal errors, kill ourselves with thrkill(0,9,NULL) instead of
simply exiting, via helper functions _dl_die(), _dl_diedie(), and
_dl_oom().

prompted by a complaint from jsing@
ok jsing@ deraadt@

the slimmed down random functions inside ld.so are strict clones of the
libc arc4random API, so call them _dl_{arc4random,arcrandombuf}
ok tedu guenther

use a larger chunk for getentropy() and save some for next time.
coalesces some syscalls instead of one per random number.
ok deraadt

Rename the system call sendsyslog2 to sendsyslog. Keep the old one
as osendsyslog for a while. The three argument variant is the only
one that will stay.
input kettenis@; OK deraadt@

Switch ld.so's stack smash handler from sendsyslog to sendsyslog2
and pass the LOG_CONS flag like libc's handler.

ok deraadt@ bluhm@ (who had a similar diff)

Export environ and __progname, making the latter a copy of just the filename
portion like crt0 does. This is prep for eliminating _dl_fixup_user_env()
Mark almost everything in resolve.h as hidden, to improve code generation.

ok kettenis@ mpi@ "good time" deraadt@

If _dl_progname exceeds half the syslog buffer, truncate it with "...",
so that the remaining information is more visible
ok kettenis miod

<sys/param.h> to <limits.h> conversion. Verified binaries
ok millert, thanks to doug for process advice

avoid void arithmetic. from david carlier

Now that we have sendsyslog(2), we can directly use it in the
(previously completely retarded) stack_smash_handler of ld.so
ok beck miod tedu

rm unneeded includes; prompted (partly) by kettenis@

move from sysclt(KERN_ARND) to getentropy(2); ok miod@, kettenis@

Move to a non-zeroing _dl_malloc, a _dl_calloc and _dl_reallocarry and
fix _dl_strdup to return NULL instead of crash; ok deraadt@

Make _dl_randombuf invoke sysctl KERN_ARND in 256-byte chunks, for this is
(currently) the largest output you can get from it.

ok deraadt@

Move to (slightly stripped) version of libc malloc; ok deraadt@

improve some types

Do not need __guard anymore
Discussion with miod
ok kettenis

prototype & void * math cleanup
ok guenther

Constify the mib argument of sysctl().
ok matthew@ millert@

Cache flush .plt after updating its pointers to .got during the initial
object relocation, if loaded at a different address than the one it was
compiled for; unsurprisingly fixes some spurious crashes.

Add __guard_local as a hidden symbol to ld.so, kernel, and every
executable and DSO (via crtbegin.c/crtbeginS.c). Not used yet, but
needed before GCC can start emitting -fstack-protector code that uses
them instead of __guard.

Change ld.so and libc to use .openbsd.randomdata on ELF platforms for
initializing their __guard values. For the time being, we're leaving
libc's constructor method as a backup to make sure __guard actually
gets initialized and to emit syslog warnings when it's not.

Not really an ABI change, so no shlib bump... "hold on to your butts"

ok deraadt, kettenis

Factor out a _dl_randombuf() method from _dl_random().

fix a 10 year old bug in the memory allocator, which affected only sparc.
sparc has 4 byte long, but needs 8 byte alignment. recently the DIR
struct was changed to contain some off_t, which needs 8 byte alignment.
turns out the allocator calculated the bias for alignment, and then
subtracted out it's private linkage storage afterwards. on hppa this
worked because a 8-byte object can be loaded at a 4-byte boundary; on
all other architectures the situation was either 4/4 or 8/8.
thanks for a bit of help from drahn

Fix mmap() error checking to be correct 64-bit addresses. Consistently
use _dl_mmap_error() to check for mmap() errors. Adjust datatypes of
some local vars for 64-bit safety.

okay millert@ drahn@

readdir buffers should not get a fixed buffer size, but should be dependant
on the block size of the filesystem. Rounded up to page size for efficiency.
similar to change in libc yesterday. Should fix PR 5364.

Make _dl_malloc() deal with allocations > 4096 correctly. Also place
unused memory chunks on the free list when making a large allocation.
OK drahn@ deraadt@

Fix this assumed sizeof(long) == 4 error. Would very occasionally cause
the code to attempt to zero 4 bytes of the next page.

various proto, ansi, and knf repair. tested on all architectures that
use it. (build may require make cleandir because of .depend balony)

pefo 3/4 licence cleanups

When loading a shared object or libraries dependant object, load them
in random order. This will reduce the possiblity of a buffer overflow
being able to predict the addresss of useful code. Can be disabled
with the LD_NORANDOM environment variable for debugging purposes.
ok deraadt.

knf & ansi; drahn ok

KNF; openbsd@davidkrause.com

typo; ok miod@

Import propolice (http://www.trl.ibm.com/projects/security/ssp), a stack
attack protection scheme, into gcc.

This protection is enabled by default. It can be turned off by using the
-fno-stack-protector flag.

Code by Hiroaki Etoh (etoh at jp dot ibm dot com); work on openbsd-specific
integration by fgsch@, deraadt@ and myself; tests by fgsch@, naddy@ and
myself; beer drinking by myself.

Please note that system upgrades with this new code will require a new
libc and ld.so to be build and installed before the propolice-enabled
compiler can be installed.

ok i found it

back out broken stuff until it is fixed

make more _dl_*() func params like real ones in libc

typos/grammar/better words
in comments.

more KNF

Change _dl_strcpy() to _dl_strlcpy(), implementation taken from libc.

various KNF

Add the Copyrights from the respective files the code came from. ok deraadt@

cleanup of MD/MI ld.so (elf), most changes by art@ cleanup by me.
tested on alpha sparc64 powerpc.

Use a static chacha instance to fill randomdata sections. Avoids looping
over a syscall for randomdata sections larger than 256B.

ok djm@ deraadt@ kettenis@

On fatal errors, kill ourselves with thrkill(0,9,NULL) instead of
simply exiting, via helper functions _dl_die(), _dl_diedie(), and
_dl_oom().

prompted by a complaint from jsing@
ok jsing@ deraadt@

the slimmed down random functions inside ld.so are strict clones of the
libc arc4random API, so call them _dl_{arc4random,arcrandombuf}
ok tedu guenther

use a larger chunk for getentropy() and save some for next time.
coalesces some syscalls instead of one per random number.
ok deraadt

Rename the system call sendsyslog2 to sendsyslog. Keep the old one
as osendsyslog for a while. The three argument variant is the only
one that will stay.
input kettenis@; OK deraadt@

Switch ld.so's stack smash handler from sendsyslog to sendsyslog2
and pass the LOG_CONS flag like libc's handler.

ok deraadt@ bluhm@ (who had a similar diff)

Export environ and __progname, making the latter a copy of just the filename
portion like crt0 does. This is prep for eliminating _dl_fixup_user_env()
Mark almost everything in resolve.h as hidden, to improve code generation.

ok kettenis@ mpi@ "good time" deraadt@

If _dl_progname exceeds half the syslog buffer, truncate it with "...",
so that the remaining information is more visible
ok kettenis miod

<sys/param.h> to <limits.h> conversion. Verified binaries
ok millert, thanks to doug for process advice

avoid void arithmetic. from david carlier

Now that we have sendsyslog(2), we can directly use it in the
(previously completely retarded) stack_smash_handler of ld.so
ok beck miod tedu

rm unneeded includes; prompted (partly) by kettenis@

move from sysclt(KERN_ARND) to getentropy(2); ok miod@, kettenis@

Move to a non-zeroing _dl_malloc, a _dl_calloc and _dl_reallocarry and
fix _dl_strdup to return NULL instead of crash; ok deraadt@

Make _dl_randombuf invoke sysctl KERN_ARND in 256-byte chunks, for this is
(currently) the largest output you can get from it.

ok deraadt@

Move to (slightly stripped) version of libc malloc; ok deraadt@

improve some types

Do not need __guard anymore
Discussion with miod
ok kettenis

prototype & void * math cleanup
ok guenther

Constify the mib argument of sysctl().
ok matthew@ millert@

Cache flush .plt after updating its pointers to .got during the initial
object relocation, if loaded at a different address than the one it was
compiled for; unsurprisingly fixes some spurious crashes.

Add __guard_local as a hidden symbol to ld.so, kernel, and every
executable and DSO (via crtbegin.c/crtbeginS.c). Not used yet, but
needed before GCC can start emitting -fstack-protector code that uses
them instead of __guard.

Change ld.so and libc to use .openbsd.randomdata on ELF platforms for
initializing their __guard values. For the time being, we're leaving
libc's constructor method as a backup to make sure __guard actually
gets initialized and to emit syslog warnings when it's not.

Not really an ABI change, so no shlib bump... "hold on to your butts"

ok deraadt, kettenis

Factor out a _dl_randombuf() method from _dl_random().

fix a 10 year old bug in the memory allocator, which affected only sparc.
sparc has 4 byte long, but needs 8 byte alignment. recently the DIR
struct was changed to contain some off_t, which needs 8 byte alignment.
turns out the allocator calculated the bias for alignment, and then
subtracted out it's private linkage storage afterwards. on hppa this
worked because a 8-byte object can be loaded at a 4-byte boundary; on
all other architectures the situation was either 4/4 or 8/8.
thanks for a bit of help from drahn

Fix mmap() error checking to be correct 64-bit addresses. Consistently
use _dl_mmap_error() to check for mmap() errors. Adjust datatypes of
some local vars for 64-bit safety.

okay millert@ drahn@

readdir buffers should not get a fixed buffer size, but should be dependant
on the block size of the filesystem. Rounded up to page size for efficiency.
similar to change in libc yesterday. Should fix PR 5364.

Make _dl_malloc() deal with allocations > 4096 correctly. Also place
unused memory chunks on the free list when making a large allocation.
OK drahn@ deraadt@

Fix this assumed sizeof(long) == 4 error. Would very occasionally cause
the code to attempt to zero 4 bytes of the next page.

various proto, ansi, and knf repair. tested on all architectures that
use it. (build may require make cleandir because of .depend balony)

pefo 3/4 licence cleanups

When loading a shared object or libraries dependant object, load them
in random order. This will reduce the possiblity of a buffer overflow
being able to predict the addresss of useful code. Can be disabled
with the LD_NORANDOM environment variable for debugging purposes.
ok deraadt.

knf & ansi; drahn ok

KNF; openbsd@davidkrause.com

typo; ok miod@

Import propolice (http://www.trl.ibm.com/projects/security/ssp), a stack
attack protection scheme, into gcc.

This protection is enabled by default. It can be turned off by using the
-fno-stack-protector flag.

Code by Hiroaki Etoh (etoh at jp dot ibm dot com); work on openbsd-specific
integration by fgsch@, deraadt@ and myself; tests by fgsch@, naddy@ and
myself; beer drinking by myself.

Please note that system upgrades with this new code will require a new
libc and ld.so to be build and installed before the propolice-enabled
compiler can be installed.

ok i found it

back out broken stuff until it is fixed

make more _dl_*() func params like real ones in libc

typos/grammar/better words
in comments.

more KNF

Change _dl_strcpy() to _dl_strlcpy(), implementation taken from libc.

various KNF

Add the Copyrights from the respective files the code came from. ok deraadt@

cleanup of MD/MI ld.so (elf), most changes by art@ cleanup by me.
tested on alpha sparc64 powerpc.

On fatal errors, kill ourselves with thrkill(0,9,NULL) instead of
simply exiting, via helper functions _dl_die(), _dl_diedie(), and
_dl_oom().

prompted by a complaint from jsing@
ok jsing@ deraadt@

the slimmed down random functions inside ld.so are strict clones of the
libc arc4random API, so call them _dl_{arc4random,arcrandombuf}
ok tedu guenther

use a larger chunk for getentropy() and save some for next time.
coalesces some syscalls instead of one per random number.
ok deraadt

Rename the system call sendsyslog2 to sendsyslog. Keep the old one
as osendsyslog for a while. The three argument variant is the only
one that will stay.
input kettenis@; OK deraadt@

Switch ld.so's stack smash handler from sendsyslog to sendsyslog2
and pass the LOG_CONS flag like libc's handler.

ok deraadt@ bluhm@ (who had a similar diff)

Export environ and __progname, making the latter a copy of just the filename
portion like crt0 does. This is prep for eliminating _dl_fixup_user_env()
Mark almost everything in resolve.h as hidden, to improve code generation.

ok kettenis@ mpi@ "good time" deraadt@

If _dl_progname exceeds half the syslog buffer, truncate it with "...",
so that the remaining information is more visible
ok kettenis miod

<sys/param.h> to <limits.h> conversion. Verified binaries
ok millert, thanks to doug for process advice

avoid void arithmetic. from david carlier

Now that we have sendsyslog(2), we can directly use it in the
(previously completely retarded) stack_smash_handler of ld.so
ok beck miod tedu

rm unneeded includes; prompted (partly) by kettenis@

move from sysclt(KERN_ARND) to getentropy(2); ok miod@, kettenis@

Move to a non-zeroing _dl_malloc, a _dl_calloc and _dl_reallocarry and
fix _dl_strdup to return NULL instead of crash; ok deraadt@

Make _dl_randombuf invoke sysctl KERN_ARND in 256-byte chunks, for this is
(currently) the largest output you can get from it.

ok deraadt@

Move to (slightly stripped) version of libc malloc; ok deraadt@

improve some types

Do not need __guard anymore
Discussion with miod
ok kettenis

prototype & void * math cleanup
ok guenther

Constify the mib argument of sysctl().
ok matthew@ millert@

Cache flush .plt after updating its pointers to .got during the initial
object relocation, if loaded at a different address than the one it was
compiled for; unsurprisingly fixes some spurious crashes.

Add __guard_local as a hidden symbol to ld.so, kernel, and every
executable and DSO (via crtbegin.c/crtbeginS.c). Not used yet, but
needed before GCC can start emitting -fstack-protector code that uses
them instead of __guard.

Change ld.so and libc to use .openbsd.randomdata on ELF platforms for
initializing their __guard values. For the time being, we're leaving
libc's constructor method as a backup to make sure __guard actually
gets initialized and to emit syslog warnings when it's not.

Not really an ABI change, so no shlib bump... "hold on to your butts"

ok deraadt, kettenis

Factor out a _dl_randombuf() method from _dl_random().

fix a 10 year old bug in the memory allocator, which affected only sparc.
sparc has 4 byte long, but needs 8 byte alignment. recently the DIR
struct was changed to contain some off_t, which needs 8 byte alignment.
turns out the allocator calculated the bias for alignment, and then
subtracted out it's private linkage storage afterwards. on hppa this
worked because a 8-byte object can be loaded at a 4-byte boundary; on
all other architectures the situation was either 4/4 or 8/8.
thanks for a bit of help from drahn

Fix mmap() error checking to be correct 64-bit addresses. Consistently
use _dl_mmap_error() to check for mmap() errors. Adjust datatypes of
some local vars for 64-bit safety.

okay millert@ drahn@

readdir buffers should not get a fixed buffer size, but should be dependant
on the block size of the filesystem. Rounded up to page size for efficiency.
similar to change in libc yesterday. Should fix PR 5364.

Make _dl_malloc() deal with allocations > 4096 correctly. Also place
unused memory chunks on the free list when making a large allocation.
OK drahn@ deraadt@

Fix this assumed sizeof(long) == 4 error. Would very occasionally cause
the code to attempt to zero 4 bytes of the next page.

various proto, ansi, and knf repair. tested on all architectures that
use it. (build may require make cleandir because of .depend balony)

pefo 3/4 licence cleanups

When loading a shared object or libraries dependant object, load them
in random order. This will reduce the possiblity of a buffer overflow
being able to predict the addresss of useful code. Can be disabled
with the LD_NORANDOM environment variable for debugging purposes.
ok deraadt.

knf & ansi; drahn ok

KNF; openbsd@davidkrause.com

typo; ok miod@

Import propolice (http://www.trl.ibm.com/projects/security/ssp), a stack
attack protection scheme, into gcc.

This protection is enabled by default. It can be turned off by using the
-fno-stack-protector flag.

Code by Hiroaki Etoh (etoh at jp dot ibm dot com); work on openbsd-specific
integration by fgsch@, deraadt@ and myself; tests by fgsch@, naddy@ and
myself; beer drinking by myself.

Please note that system upgrades with this new code will require a new
libc and ld.so to be build and installed before the propolice-enabled
compiler can be installed.

ok i found it

back out broken stuff until it is fixed

make more _dl_*() func params like real ones in libc

typos/grammar/better words
in comments.

more KNF

Change _dl_strcpy() to _dl_strlcpy(), implementation taken from libc.

various KNF

Add the Copyrights from the respective files the code came from. ok deraadt@

cleanup of MD/MI ld.so (elf), most changes by art@ cleanup by me.
tested on alpha sparc64 powerpc.