Add SSP support.

XXX: This is broken for me right now, because my kernel resets after fxp0
is probed, but it could be some bug in the driver/compiler.

sys/conf/Makefile.kern.inc

@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile.kern.inc,v 1.91 2006/10/30 17:56:30 garbled Exp $
+#	$NetBSD: Makefile.kern.inc,v 1.92 2006/11/11 02:12:53 christos Exp $
 #
 # This file contains common `MI' targets and definitions and it is included
 # at the bottom of each `MD' ${MACHINE}/conf/Makefile.${MACHINE}.
@@ -89,6 +89,11 @@ AFLAGS+=	${CPUFLAGS} -D_LOCORE -Wa,-fatal-warnings
 CFLAGS+=	-fno-strict-aliasing
 .endif
 
+.if ${USE_SSP:Uno} == "yes"
+CFLAGS+=-fstack-protector-all -Wstack-protector
+LDFLAGS+=-fstack-protector-all -Wstack-protector
+.endif
+
 # If we want the bpendtsleep: label in kern_synch.c, we need to use
 # -fno-reorder-blocks.  Don't make this a config(1) defflag without
 # making sure this fragment remains valid.
@@ -438,6 +443,16 @@ EXTRA_CLEAN+= .gdbinit
 .endfor
 .endif
 
+# The following files use alloca(3) or variable array allocations.
+# Their full name is noted as documentation.
+VARSTACK=dev/cgd.c kern/uipc_socket.c miscfs/genfs/genfs_vnops.c \
+    nfs/nfs_bio.c ufs/ufs/ufs_inode.c ufs/ufs/ufs_lookup.c uvm/uvm_bio.c \
+    uvm/uvm_pager.c
+
+.for __varstack in ${VARSTACK}
+COPTS.${__varstack:T} += -Wno-stack-protector
+.endfor
+
 AFLAGS+=	${AOPTS.${.IMPSRC:T}}
 CFLAGS+=	${COPTS.${.IMPSRC:T}} ${CPUFLAGS.${.IMPSRC:T}}
 CPPFLAGS+=	${CPPFLAGS.${.IMPSRC:T}}

sys/kern/init_main.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: init_main.c,v 1.279 2006/10/08 04:28:44 thorpej Exp $	*/
+/*	$NetBSD: init_main.c,v 1.280 2006/11/11 02:12:53 christos Exp $	*/
 
 /*
  * Copyright (c) 1982, 1986, 1989, 1991, 1992, 1993
@@ -71,7 +71,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: init_main.c,v 1.279 2006/10/08 04:28:44 thorpej Exp $");
+__KERNEL_RCSID(0, "$NetBSD: init_main.c,v 1.280 2006/11/11 02:12:53 christos Exp $");
 
 #include "opt_ipsec.h"
 #include "opt_kcont.h"
@@ -192,6 +192,17 @@ static void check_console(struct lwp *l);
 static void start_init(void *);
 void main(void);
 
+#if defined(__SSP__) || defined(__SSP_ALL__)
+long __stack_chk_guard[8] = {0, 0, 0, 0, 0, 0, 0, 0};
+void __stack_chk_fail(void);
+
+void
+__stack_chk_fail(void)
+{
+	panic("stack overflow detected; terminated");
+}
+#endif
+
 /*
  * System startup; initialize the world, create process 0, mount root
  * filesystem, and fork to create init and pagedaemon.  Most of the
@@ -311,6 +322,29 @@ main(void)
 	/* Configure the system hardware.  This will enable interrupts. */
 	configure();
 
+#if defined(__SSP__) || defined(__SSP_ALL__)
+	{
+#ifdef DIAGNOSTIC
+		printf("Initializing SSP:");
+#endif
+		/*
+		 * We initialize ssp here carefully:
+		 *	1. after we got some entropy
+		 *	2. without calling a function
+		 */
+		size_t i;
+		long guard[__arraycount(__stack_chk_guard)];
+
+		arc4randbytes(guard, sizeof(guard));
+		for (i = 0; i < __arraycount(guard); i++)
+			__stack_chk_guard[i] = guard[i];
+#ifdef DIAGNOSTIC
+		for (i = 0; i < __arraycount(guard); i++)
+			printf("%lx ", guard[i]);
+		printf("\n");
+#endif
+	}
+#endif
 	ubc_init();		/* must be after autoconfig */
 
 	/* Lock the kernel on behalf of proc0. */