This status is going to be pretty short. The focus in October has been on the home purchase.
News regarding the home purchase: if things go according to plan, we will take possession of the property towards the end of November 2023 (this month).
In ports:
- Loic F fixed archivers/rpm4
- Loic F fixed graphics/sane-backends
- Shawn Webb fixed lang/perl5.36
- Shawn Webb updated ports-mgmt/pkg to 1.20.8
- Shawn Webb "fixed" audio/pulseaudio by ripping out SIMD support. A more proper fix is needed. If the community can help us re-gain SIMD support for this port, that would be very much appreciated.
I worked on hbsdfw a little bit, figured out some of the issues in building the base OS packages. Now I need to figure out why some ports fail to build.
For November, I'm working on a new malloc.conf(5) option: bool nullonzero, default: false. This malloc.conf(5) option will cause malloc(3)-and-friends to return NULL when a zero size is passed in. This would prevent a class of integer overflow vulnerabilities that can lead to buffer overflows.
For example, in the common OpenSolaris CTF code (used in DTrace), we find the following function:
char *
xstrndup(char *str, size_t len)
{
char *newstr;
/*
* HardenedBSD note:
*
* If len happens to be SIZE_MAX, the size passed to malloc is zero.
*/
if ((newstr = malloc(len + 1)) == NULL)
memory_bailout();
/*
*HardenedBSD note:
*
* malloc(0) happily handed us a non-NULL pointer, sized zero. We now
* copy SIZE_MAX bytes from str to newstr.
*/
(void) strncpy(newstr, str, len);
newstr[len] = '\0';
return (newstr);
}
HardenedBSD would prefer developers get used to providing reasonableness checks regarding size calculations. This xstrndup function could include this defensive coding technique of applying reasonable checks like so:
char *
xstrndup(char *str, size_t len)
{
char *newstr;
if (str == NULL || len + 1 == 0) {
return (NULL);
}
if (len == 0 && str[0] != '\0') {
return (NULL);
}
/*
* If len is still 0, that means we're duplicating an empty string.
* That's fine, since strdup("") is a thing.
*/
if ((newstr = malloc(len + 1)) == NULL)
memory_bailout();
(void) strncpy(newstr, str, len);
newstr[len] = '\0';
return (newstr);
}
These new reasonable checks ensure that sleepy, caffeine-deprived developers have a harder time making understandable mistakes. We want to encourage safe and defensive programming techniques, especially before we launch this feature. I will fix the issues that come up in the base OS. When it lands, this feature will be defaulted to disabled, but the reasonableness checks and fixes will remain in place regardless.
So that's a preview of what's going on. I hope to land this before the end of the month. Perhaps mid-2024 we'll have it enabled by default.
