Implement more security stuff

- Support deterministic stacks on OpenBSD
- Support OpenBSD system call origin verification
- Fix overrun by one in chibicc string token allocator
- Get all chibicc tests passing under Address Sanitizer

libc/sysv/calls/msyscall.s

@@ -0,0 +1,2 @@
+.include "o/libc/sysv/macros.internal.inc"
+.scall msyscall 0x0025ffffffffffff globl

libc/sysv/consts.sh

@@ -237,8 +237,9 @@ syscon	mmap	MAP_SHARED				1			1			1			1			1			# forced consensus & faked nt
 syscon	mmap	MAP_PRIVATE				2			2			2			2			2			# forced consensus & faked nt
 syscon	mmap	MAP_FIXED				0x10			0x10			0x10			0x10			0x10			# unix consensus; openbsd appears to forbid; faked nt
 syscon	mmap	MAP_ANONYMOUS				0x20			0x1000			0x1000			0x1000			0x20			# bsd consensus; faked nt
+syscon	mmap	MAP_GROWSDOWN				0x0100			0			0x0400			0x4000			0x100000		# mandatory for OpenBSD stacks; MAP_STACK on Free/OpenBSD; MEM_TOP_DOWN on NT
+syscon	mmap	MAP_CONCEAL				0			0			0x20000			0x8000			0			# omit from core dumps; MAP_NOCORE on FreeBSD
 syscon	mmap	MAP_NORESERVE				0x4000			0x40			0			0			0			# Linux calls it "reserve"; NT calls it "commit"? which is default?
-syscon	mmap	MAP_GROWSDOWN				0x0100			0			0x0400			0x0400			0x100000		# MAP_STACK on BSD; MEM_TOP_DOWN on NT
 syscon	mmap	MAP_HUGETLB				0x040000		0			0			0			0x80000000		# kNtSecLargePages
 syscon	mmap	MAP_HUGE_MASK				63			0			0			0			0
 syscon	mmap	MAP_HUGE_SHIFT				26			0			0			0			0
@@ -246,6 +247,8 @@ syscon	mmap	MAP_LOCKED				0x2000			0			0			0			0
 syscon	mmap	MAP_NONBLOCK				0x10000			0			0			0			0
 syscon	mmap	MAP_POPULATE				0x8000			0			0			0			0			# can avoid madvise(MADV_WILLNEED) on private file mapping
 syscon	mmap	MAP_TYPE				15			0			0			0			0			# what is it
+syscon	compat	MAP_STACK				0x0100			0			0x0400			0x4000			0x100000		# use MAP_GROWSDOWN
+syscon	compat	MAP_NOCORE				0			0			0x20000			0x8000			0			# use MAP_CONCEAL
 syscon	compat	MAP_ANON				0x20			0x1000			0x1000			0x1000			0x20			# bsd consensus; faked nt
 syscon	compat	MAP_STACK				0x020000		0			0x0400			0x4000			0x100000
 syscon	compat	MAP_EXECUTABLE				0x1000			0			0			0			0			# ignored
@@ -3112,6 +3115,7 @@ syscon	nr	__NR_io_uring_setup			0x01a9			-1			-1			-1			-1
 syscon	nr	__NR_io_uring_enter			0x01aa			-1			-1			-1			-1
 syscon	nr	__NR_io_uring_register			0x01ab			-1			-1			-1			-1
 syscon	nr	__NR_pledge				-1			-1			-1			0x006c			-1
+syscon	nr	__NR_msyscall				-1			-1			-1			0x0025			-1
 syscon	nr	__NR_ktrace				-1			-1			0x002d			0x002d			-1
 syscon	nr	__NR_kqueue				-1			0x200016a		0x016a			0x010d			-1
 syscon	nr	__NR_kevent				-1			0x2000171		0x0230			0x0048			-1

libc/sysv/consts/MAP_CONCEAL.s

@@ -0,0 +1,2 @@
+.include "libc/sysv/consts/syscon.inc"
+.syscon mmap MAP_CONCEAL 0 0 0x20000 0x8000 0

libc/sysv/consts/MAP_GROWSDOWN.s

@@ -1,2 +1,2 @@
 .include "libc/sysv/consts/syscon.inc"
-.syscon mmap MAP_GROWSDOWN 0x0100 0 0x0400 0x0400 0x100000
+.syscon mmap MAP_GROWSDOWN 0x0100 0 0x0400 0x4000 0x100000

libc/sysv/consts/MAP_NOCORE.s

@@ -0,0 +1,2 @@
+.include "libc/sysv/consts/syscon.inc"
+.syscon compat MAP_NOCORE 0 0 0x20000 0x8000 0

libc/sysv/consts/__NR_msyscall.s

@@ -0,0 +1,2 @@
+.include "libc/sysv/consts/syscon.inc"
+.syscon nr __NR_msyscall -1 -1 -1 0x0025 -1

libc/sysv/consts/map.h

@@ -21,7 +21,6 @@ hidden extern const long MAP_NORESERVE;
 hidden extern const long MAP_POPULATE;
 hidden extern const long MAP_PRIVATE;
 hidden extern const long MAP_SHARED;
-hidden extern const long MAP_STACK;
 hidden extern const long MAP_TYPE;
 
 COSMOPOLITAN_C_END_
@@ -34,6 +33,7 @@ COSMOPOLITAN_C_END_
 
 #define MAP_32BIT      SYMBOLIC(MAP_32BIT)
 #define MAP_ANONYMOUS  SYMBOLIC(MAP_ANONYMOUS)
+#define MAP_CONCEAL    SYMBOLIC(MAP_CONCEAL)
 #define MAP_DENYWRITE  SYMBOLIC(MAP_DENYWRITE)
 #define MAP_EXECUTABLE SYMBOLIC(MAP_EXECUTABLE)
 #define MAP_GROWSDOWN  SYMBOLIC(MAP_GROWSDOWN)
@@ -46,7 +46,8 @@ COSMOPOLITAN_C_END_
 #define MAP_POPULATE   SYMBOLIC(MAP_POPULATE)
 #define MAP_TYPE       SYMBOLIC(MAP_TYPE)
 
-#define MAP_ANON  MAP_ANONYMOUS
-#define MAP_STACK MAP_GROWSDOWN
+#define MAP_ANON   MAP_ANONYMOUS
+#define MAP_NOCORE MAP_CONCEAL
+#define MAP_STACK  MAP_GROWSDOWN
 
 #endif /* COSMOPOLITAN_LIBC_SYSV_CONSTS_MAP_H_ */

libc/sysv/consts/nr.h

@@ -332,6 +332,7 @@
 #define __NR_io_uring_enter          SYMBOLIC(__NR_io_uring_enter)
 #define __NR_io_uring_register       SYMBOLIC(__NR_io_uring_register)
 #define __NR_pledge                  SYMBOLIC(__NR_pledge)
+#define __NR_msyscall                SYMBOLIC(__NR_msyscall)
 #define __NR_ktrace                  SYMBOLIC(__NR_ktrace)
 #define __NR_kqueue                  SYMBOLIC(__NR_kqueue)
 #define __NR_kevent                  SYMBOLIC(__NR_kevent)
@@ -1105,6 +1106,7 @@ hidden extern const long __NR_io_uring_setup;
 hidden extern const long __NR_io_uring_enter;
 hidden extern const long __NR_io_uring_register;
 hidden extern const long __NR_pledge;
+hidden extern const long __NR_msyscall;
 hidden extern const long __NR_ktrace;
 hidden extern const long __NR_kqueue;
 hidden extern const long __NR_kevent;

libc/sysv/restorert.S

@@ -17,6 +17,7 @@
 │ PERFORMANCE OF THIS SOFTWARE.                                                │
 ╚─────────────────────────────────────────────────────────────────────────────*/
 #include "libc/macros.h"
+.text.syscall
 .source	__FILE__
 
 /	Linux Signal Trampoline (HOLY CODE)

libc/sysv/syscalls.sh

@@ -365,6 +365,7 @@ scall	io_uring_enter		0xffffffffffff01aa	globl
 scall	io_uring_register	0xffffffffffff01ab	globl
 #────────────────────────RHEL CLOUD────────────────────────── # ←┬─ red hat terminates community release of enterprise linux circa 2020
 scall	pledge			0x006cffffffffffff	globl #  └─ online linux services ban the president of united states of america
+scall	msyscall		0x0025ffffffffffff	globl
 
 #	The Fifth Bell System Interface, Community Edition
 #	» besiyata dishmaya

libc/sysv/systemfive.S

@@ -102,6 +102,8 @@ __systemfive:
 	.quad	0
 	.endobj	__systemfive,globl,hidden
 	.previous
+
+	.text.syscall
 .Lanchorpoint:
 systemfive.linux:
 	movswl	%ax,%eax		# gnu/systemd ordinal is first word
@@ -256,11 +258,9 @@ systemfive.init.magnums:
 	pop	%rbx
 /	𝑠𝑙𝑖𝑑𝑒
 #ifndef TINY
-systemfive.init.stack:
+systemfive.init.stack:					# determinism ftw!
 	testb	IsWindows()				# already did this
 	jnz	systemfive.init.done
-	testb	IsOpenbsd()				# todo fix openbsd
-	jnz	systemfive.init.done
 	push	%rdi
 	push	%rsi
 	mov	__NR_mmap,%eax
@@ -269,13 +269,20 @@ systemfive.init.stack:
 	mov	$PROT_READ|PROT_WRITE,%edx
 	mov	$MAP_PRIVATE|MAP_FIXED,%r10d
 	or	MAP_ANONYMOUS,%r10d
-	or	MAP_GROWSDOWN,%r10d
-	or	$-1,%r8
+	or	$-1,%r8d
 	xor	%r9d,%r9d
 	push	%r9					# openbsd:pad
-/	clc
+	push	%r9					# openbsd:align
+	testb	IsOpenbsd()
+	jz	0f
+	syscall						# openbsd:dubstack
+	jc	1f
+	mov	__NR_mmap,%eax
+0:	or	MAP_GROWSDOWN,%r10d			# openbsd:mapstack
+	clc
 	syscall
 	pop	%r9
+	pop	%r9
 	jnc	2f
 1:	mov	%eax,%edi
 	mov	__NR_exit_group,%eax
@@ -295,12 +302,26 @@ systemfive.init.stack:
 	pop	%rdi
 	leave
 	pop	%rcx
-	lea	STACKSIZE(%rax),%rsp
+	lea	STACKSIZE-16(%rax),%rsp			# openbsd:stackbound
 	push	%rcx
 	xor	%ebp,%ebp
 	push	%rbp
 	mov	%rsp,%rbp
 /	𝑠𝑙𝑖𝑑𝑒
+systemfive.init.syscall:
+	mov	__NR_msyscall,%eax			# syscall origin protect
+	test	%eax,%eax				# openbsd is pretty cool
+	js	systemfive.init.done
+	push	%rdi
+	push	%rsi
+	.weak	__text_syscall_addr
+	.weak	__text_syscall_size
+	mov	$__text_syscall_addr,%edi
+	mov	$__text_syscall_size,%esi
+	syscall
+	pop	%rsi
+	pop	%rdi
+/	𝑠𝑙𝑖𝑑𝑒
 #endif /* TINY */
 systemfive.init.done:
 	nop