| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
|
|
|
| |
ldso->l_mach.gcs may not be set up, just assume ldso is GCS compatible.
|
|
|
|
| |
Allows using the same function for static exe.
|
| |
|
|
|
|
| |
Allows using the same function for static exe.
|
|
|
|
|
|
|
|
|
|
| |
policy sets how gcs tunable and gcs marking turns into gcs state:
0: state = tunable
1: state = marking ? tunable : (tunable && dlopen ? err : 0)
2: state = marking ? tunable : (tunable ? err : 0)
TODO: state lock
|
|
|
|
|
|
|
|
|
| |
Use the dynamic linker start code to enable GCS in the dynamic linked
case after _dl_start returns and before _dl_start_user which marks
the point after which user code may run.
Like in the static linked case this ensures that GCS is enabled on a
top level stack frame.
|
|
|
|
|
|
|
| |
Use the ARCH_SETUP_TLS hook to enable GCS in the static linked case.
The system call must be inlined and then GCS is enabled on a top
level stack frame that does not return and has no exception handlers
above it.
|
|
|
|
|
|
|
|
|
|
|
|
| |
This tunable is for controlling the GCS status. It is the argument to
the PR_SET_SHADOW_STACK_STATUS prctl, by default 0, so GCS is disabled.
The status is stored into GL(dl_aarch64_gcs) early and only applied
later, since enabling GCS is tricky: it must happen on a top level
stack frame. (Using GL instead of GLRO because it may need updates
depending on loaded libraries that happen after readonly protection
is applied, however library marking based GCS setting is not yet
implemented.)
|
|
|
|
|
|
|
|
|
|
| |
Free GCS after a makecontext start func returns and at thread exit, so
assume makecontext cannot outlive the thread where it was created.
This is an attempt to bound the lifetime of the GCS allocated for
makecontext, but it is still possible to have significant GCS leaks,
new GCS aware APIs could solve that, but that would not allow using
GCS with existing code transparently.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changed the makecontext logic: previously the first setcontext jumped
straight to the user callback function and the return address is set
to __startcontext. This does not work when GCS is enabled as the
integrity of the return address is protected, so instead the context
is setup such that setcontext jumps to __startcontext which calls the
user callback (passed in x20).
The map_shadow_stack syscall is used to allocate a suitably sized GCS
(which includes some reserved area to account for altstack signal
handlers and otherwise supports maximum number of 16 byte aligned
stack frames on the given stack) however the GCS is never freed as
the lifetime of ucontext and related stack is user managed.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Userspace ucontext needs to store GCSPR, it does not have to be
compatible with the kernel ucontext. For now we use the linux
struct gcs_context layout but only use the gcspr field from it.
Similar implementation to the longjmp code, supports switching GCS
if the target GCS is capped, and unwinding a continous GCS to a
previous state.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This implementations ensures that longjmp across different stacks
works: it scans for GCS cap token and switches GCS if necessary
then the target GCSPR is restored with a GCSPOPM loop once the
current GCSPR is on the same GCS.
This makes longjmp linear time in the number of jumped over stack
frames when GCS is enabled.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The target specific internal __longjmp is called with a __jmp_buf
argument which has its size exposed in the ABI. On aarch64 this has
no space left, so GCSPR cannot be restored in longjmp in the usual
way, which is needed for the Guarded Control Stack (GCS) extension.
setjmp is implemented via __sigsetjmp which has a jmp_buf argument
however it is also called with __pthread_unwind_buf_t argument cast
to jmp_buf (in cancellation cleanup code built with -fno-exception).
The two types, jmp_buf and __pthread_unwind_buf_t, have common bits
beyond the __jmp_buf field and there is unused space there which we
can use for saving GCSPR.
For this to work some bits of those two generic types have to be
reserved for target specific use and the generic code in glibc has
to ensure that __longjmp is always called with a __jmp_buf that is
embedded into one of those two types. Morally __longjmp should be
changed to take jmp_buf as argument, but that is an intrusive change
across targets.
Note: longjmp is never called with __pthread_unwind_buf_t from user
code, only the internal __libc_longjmp is called with that type and
thus the two types could have separate longjmp implementations on a
target. We don't rely on this now (but migh in the future given that
cancellation unwind does not need to restore GCSPR).
Given the above this patch finds an unused slot for GCSPR. This
placement is not exposed in the ABI so it may change in the future.
This is also very target ABI specific so the generic types cannot
be easily changed to clearly mark the reserved fields.
|
|
|
|
|
| |
TODO: binutils config check
TODO: build attributes instead of gnu property
|
| |
|
|
|
|
|
|
| |
The Guarded Control Stack instructions can be present even if the
hardware does not support the extension (runtime checked feature),
so the asm code should be backward compatible with old assemblers.
|
| |
|
|
|
|
| |
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
|
|
|
|
| |
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
|
|
|
|
| |
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
|
|
|
|
| |
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
|
|
|
|
| |
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
|
|
|
|
| |
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
|
|
|
|
| |
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
|
|
|
|
| |
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Starting with commits
- 7ea510127e2067efa07865158ac92c330c379950
string: Add libc_hidden_proto for strchrnul
- 22999b2f0fb62eed1af4095d062bd1272d6afeb1
string: Add libc_hidden_proto for memrchr
building glibc on s390x with --disable-multi-arch fails if only
the C-variant of strchrnul / memrchr is used. This is the case
if gcc uses -march < z13.
The build fails with:
../sysdeps/s390/strchrnul-c.c:28:49: error: ‘__strchrnul_c’ undeclared here (not in a function); did you mean ‘__strchrnul’?
28 | __hidden_ver1 (__strchrnul_c, __GI___strchrnul, __strchrnul_c);
With --disable-multi-arch, __strchrnul_c is not available as string/strchrnul.c
is just included without defining STRCHRNUL and thus we also don't have to create
the internal hidden symbol.
Tested-by: Andreas K. Hüttel <dilfridge@gentoo.org>
|
|
|
|
| |
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
|
|
|
|
| |
Reviewed-by: Andreas K. Hüttel <dilfridge@gentoo.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Simplify the advisory format by dropping the -Backport tags and instead
stick to using just the -Commit tags. To identify backports, put a
substring of git-describe into the release version in the brackets next
to the commit ref. This way, it not only identifies that the fix (or
regression) is on the release/2.YY/master branch, it also disambiguates
regressions/fixes in the branch from those in the tarball.
Add a README to make it easier for consumers to understand the format.
Additionally, the Release wiki needs to be updated to inform the release
manager to:
1. Generate a NEWS snipped from the advisories directory
AND
2. on release/2.YY/master, replace the advisories directory with a text
file pointing to the advisories directory in master so that we don't
have to update multiple locations.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Andreas K. Hüttel <dilfridge@gentoo.org>
|
|
|
|
| |
This commit adds "advisories" entries for the above three CVEs.
|
|
|
|
|
|
|
|
|
| |
__vsyslog_internal calculated a buffer size by adding two integers, but
did not first check if the addition would overflow. This commit fixes
that.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
__vsyslog_internal used the return value of snprintf/vsnprintf to
calculate buffer sizes for memory allocation. If these functions (for
any reason) failed and returned -1, the resulting buffer would be too
small to hold output. This commit fixes that.
All snprintf/vsnprintf calls are checked for negative return values and
the function silently returns upon encountering them.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
__vsyslog_internal did not handle a case where printing a SYSLOG_HEADER
containing a long program name failed to update the required buffer
size, leading to the allocation and overflow of a too-small buffer on
the heap. This commit fixes that. It also adds a new regression test
that uses glibc.malloc.check.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
|
|
|
|
|
|
|
| |
This patch makes build-many-glibcs.py use binutils 2.42 branch.
Tested with build-many-glibcs.py (host-libraries, compilers and glibcs
builds).
|
|
|
|
| |
Fixes: 6628c742b2 ("elf: Remove prelink support")
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change relicenses the IBM portions of resolv/base64.c and
resolv/res_debug.c to a new license that does not have use-limited
patent language. The top-level LICENSE file is updated with the
license.
The relicensing was approved by IBM.
Signed-off-by: Brad Topol, IBM Director of Open Technologies <btopol@us.ibm.com>
Signed-off-by: Richard Fontana <rfontana@redhat.com>
Signed-off-by: Carlos O'Donell <carlos@redhat.com>
|
|
|
|
|
|
| |
Resolves: BZ # 31205
Adapt test cases in test-grouping_iterator.c
|
|
|
|
|
|
|
| |
On the summary page the order of the function arguments was reversed, but it is
in correct order in the other places of the manual.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
|
|
|
|
|
|
|
|
| |
The increased malloc subsystem usage is a side effect of
commit d2123d68275acc0f061e73d5f86ca504e0d5a344 ("elf: Fix slow tls
access after dlopen [BZ #19924]").
Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
|
|
|
|
|
|
|
|
|
|
| |
Fixes commit 2aa0974d2573441bffd596b07bff8698b1f2f18c ("elf: ldconfig
should skip temporary files created by package managers") and
commit cfb5a97a93ea656e3b2263e42142a4032986d9ba ("ldconfig: Fixes for
skipping temporary files.").
Reported-by: Guillem Jover <guillem@debian.org>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
|
|
|
|
| |
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
|
|
|
|
|
|
|
|
|
|
| |
For ports that use the default memset, the compiler might generate early
calls before the stack protector is initialized (for instance, riscv
with -fstack-protector-all on _dl_aux_init).
Checked on riscv64-linux-gnu-rv64imafdc-lp64d.
Reviewed-by: Florian Weimer <fweimer@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In qsort_r we allocate a buffer sized QSORT_STACK_SIZE (1024) on stack
and we intend to use it if all elements can fit into it. But there is a
typo:
if (total_size < sizeof buf)
buf = tmp;
else
/* allocate a buffer on heap and use it ... */
Here "buf" is a pointer, thus sizeof buf is just 4 or 8, instead of
1024. There is also a minor issue that we should use "<=" instead of
"<".
This bug is detected debugging some strange heap corruption running the
Ruby-3.3.0 test suite (on an experimental Linux From Scratch build using
Binutils-2.41.90 and Glibc trunk, and also Fedora Rawhide [1]). It
seems Ruby is doing some wild "optimization" by jumping into somewhere
in qsort_r instead of calling it normally, resulting in a double free of
buf if we allocate it on heap. The issue can be reproduced
deterministically with:
LD_PRELOAD=/usr/lib/libc_malloc_debug.so MALLOC_CHECK_=3 \
LD_LIBRARY_PATH=. ./ruby test/runner.rb test/ruby/test_enum.rb
in Ruby-3.3.0 tree after building it. This change would hide the issue
for Ruby, but Ruby is likely still buggy (if using this "optimization"
sorting larger arrays).
[1]:https://kojipkgs.fedoraproject.org/work/tasks/9729/111889729/build.log
Signed-off-by: Xi Ruoyao <xry111@xry111.site>
|
|
|
|
|
| |
In order to support static PIE the startup code must avoid relocations
before __libc_start_main is called.
|
|
|
|
|
|
|
| |
For static the internal symbols should not be prepended with the
internal __GI_.
Checked with a make check for sh4-linux-gnu.
|
|
|
|
|
|
|
|
| |
The small counts copy bytes comparsion should be unsigned (as the
memmove size argument). It fixes string/tst-memmove-overflow on
sparcv9, where the input size triggers an invalid code path.
Checked on sparc64-linux-gnu and sparcv9-linux-gnu.
|