| |
With copy relocation, address of protected data defined in the shared
library may be external. Compiler shouldn't assume protected data will
be local. But due to
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65248
__attribute__((visibility("protected"))) doesn't work correctly, we need
to use asm (".protected xxx") instead.
Cherry-pick from master: e0ed2fb40a0e29c43cf60addc74741dab15f2e05
* elf/ifuncdep2.c (global): Replace
__attribute__((visibility("protected"))) with
asm (".protected global").
* elf/ifuncmod1.c (global): Likewise.
* elf/ifuncmod5.c (global): Likewise.
| |
Linkers in some versions of binutils 2.25 and 2.26 don't support protected
data symbol with error message like:
/usr/bin/ld: copy reloc against protected `bar' is invalid
/usr/bin/ld: failed to set dynamic section sizes: Bad value
We check if linker supports copy reloc against protected data symbol to
avoid running the test if linker is broken.
Cherry-pick from master: 83569fb894050db7430047da2219ca50c68f882a
[BZ #17711]
* config.make.in (have-protected-data): New.
* configure.ac: Check linker support for protected data symbol.
* configure: Regenerated.
* elf/Makefile (modules-names): Add tst-protected1moda and
tst-protected1modb if $(have-protected-data) is yes.
(tests): Add tst-protected1a and tst-protected1b if
$(have-protected-data) is yes.
($(objpfx)tst-protected1a): New.
($(objpfx)tst-protected1b): Likewise.
(tst-protected1modb.so-no-z-defs): Likewise.
* elf/tst-protected1a.c: New file.
* elf/tst-protected1b.c: Likewise.
* elf/tst-protected1mod.h: Likewise.
* elf/tst-protected1moda.c: Likewise.
* elf/tst-protected1modb.c: Likewise.
| |
With copy relocation, address of protected data defined in the shared
library may be external. When there is a relocation against the
protected data symbol within the shared library, we need to check if we
should skip the definition in the executable copied from the protected
data. This patch adds ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA and defines
it for x86. If ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA isn't 0, do_lookup_x
will skip the data definition in the executable from copy reloc.
Cherry-pick from master: 62da1e3b00b51383ffa7efc89d8addda0502e107
[BZ #17711]
* elf/dl-lookup.c (do_lookup_x): When UNDEF_MAP is NULL, which
indicates it is called from do_lookup_x on relocation against
protected data, skip the data definition in the executable from
copy reloc.
(_dl_lookup_symbol_x): Pass ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA,
instead of ELF_RTYPE_CLASS_PLT, to do_lookup_x for
EXTERN_PROTECTED_DATA relocation against STT_OBJECT symbol.
* sysdeps/generic/ldsodefs.h (ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA):
New. Defined to 4 if DL_EXTERN_PROTECTED_DATA is defined,
otherwise to 0.
* sysdeps/i386/dl-lookupcfg.h (DL_EXTERN_PROTECTED_DATA): New.
* sysdeps/i386/dl-machine.h (elf_machine_type_class): Set class
to ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA for R_386_GLOB_DAT.
* sysdeps/x86_64/dl-lookupcfg.h (DL_EXTERN_PROTECTED_DATA): New.
* sysdeps/x86_64/dl-machine.h (elf_machine_type_class): Set class
to ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA for R_X86_64_GLOB_DAT.
| |
BZ #16618
Under certain conditions wscanf can allocate too little memory for the
to-be-scanned arguments and overflow the allocated buffer. The
implementation now correctly computes the required buffer size when
using malloc.
A regression test was added to tst-sscanf.
(cherry picked from commit 5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06)
Conflicts:
ChangeLog
NEWS
| |
memcpy with unaligned 256-bit AVX register loads/stores are slow on older
processors like Sandy Bridge. This patch adds bit_AVX_Fast_Unaligned_Load
and sets it only when AVX2 is available.
[BZ #17801]
* sysdeps/x86_64/multiarch/init-arch.c (__init_cpu_features):
Set the bit_AVX_Fast_Unaligned_Load bit for AVX2.
* sysdeps/x86_64/multiarch/init-arch.h (bit_AVX_Fast_Unaligned_Load):
New.
(index_AVX_Fast_Unaligned_Load): Likewise.
(HAS_AVX_FAST_UNALIGNED_LOAD): Likewise.
* sysdeps/x86_64/multiarch/memcpy.S (__new_memcpy): Check the
bit_AVX_Fast_Unaligned_Load bit instead of the bit_AVX_Usable bit.
* sysdeps/x86_64/multiarch/memcpy_chk.S (__memcpy_chk): Likewise.
* sysdeps/x86_64/multiarch/mempcpy.S (__mempcpy): Likewise.
* sysdeps/x86_64/multiarch/mempcpy_chk.S (__mempcpy_chk): Likewise.
* sysdeps/x86_64/multiarch/memmove.c (__libc_memmove): Replace
HAS_AVX with HAS_AVX_FAST_UNALIGNED_LOAD.
* sysdeps/x86_64/multiarch/memmove_chk.c (__memmove_chk): Likewise.
(cherry picked from commit 5f3d0b78e011d2a72f9e88b0e9ef5bc081d18f97)
Conflicts:
ChangeLog
NEWS
| |
[Modified from the original email by Siddhesh Poyarekar]
This patch solves bug #16009 by implementing an additional path in
strxfrm that does not depend on caching the weight and rule indices.
In detail the following changed:
* The old main loop was factored out of strxfrm_l into the function
do_xfrm_cached to be able to alternatively use the non-caching version
do_xfrm.
* strxfrm_l allocates a fixed size array on the stack. If this is not
sufficient to store the weight and rule indices, the non-caching path is
taken. As the cache size is not dependent on the input there can be no
problems with integer overflows or stack allocations greater than
__MAX_ALLOCA_CUTOFF. Note that malloc-ing is not possible because the
definition of strxfrm does not allow an oom errorhandling.
* The uncached path determines the weight and rule index for every char
and for every pass again.
* Passing all the locale data array by array resulted in very long
parameter lists, so I introduced a structure that holds them.
* Checking for zero src string has been moved a bit upwards, it is
before the locale data initialization now.
* To verify that the non-caching path works correctly I added a test run
to localedata/sort-test.sh & localedata/xfrm-test.c where all strings
are patched up with spaces so that they are too large for the caching path.
(cherry picked from commit 0f9e585480edcdf1e30dc3d79e24b84aeee516fa)
Conflicts:
ChangeLog
NEWS
| |
Needed in order to backport strxfrm_l security fix cleanly.
(cherry picked from commit 8c0ab919f63dc03a420751172602a52d2bea59a8)
Conflicts:
ChangeLog
| |
(cherry picked from commit 11e3417af6e354f1942c68a271ae51e892b2814d)
(cherry picked from commit e54db0ea6a49affac43fa305fd134f3020c41382)
Conflicts:
NEWS
| |
A larger number of format specifiers could cause a stack overflow,
potentially allowing to bypass _FORTIFY_SOURCE format string
protection.
(cherry picked from commit a5357b7ce2a2982c5778435704bcdb55ce3667a0)
(cherry picked from commit ae61fc7b33d9d99d2763c16de8275227dc9748ba)
Conflicts:
NEWS
| |
The fix for BZ #17266 (884ddc5081278f488ef8cd49951f41cfdbb480ce)
removed changes that had gone into cdefs.h to make
__extern_always_inline usable with clang++. This patch adds back
support for clang to detect if GNU inlining semantics are available,
this time without breaking the gcc use case. The check put here is
based on the earlier patch and assertion[1] that checking if
__GNUC_STDC_INLINE__ or __GNUC_GNU_INLINE__ is defined is sufficient
to determine that clang++ supports GNU inlining semantics.
Tested with a simple program that builds with __extern_always_inline
with the patch and fails compilation without it.
    #include <stdio.h>
    #include <sys/cdefs.h>

    extern void foo_alias (void) __asm ("foo");

    __extern_always_inline void
    foo (void)
    {
      puts ("hi oh world!");
      return foo_alias ();
    }

    void
    foo_alias (void)
    {
      puts ("hell oh world");
    }

    int
    main ()
    {
      foo ();
    }
[1] https://sourceware.org/ml/libc-alpha/2012-12/msg00306.html
[BZ #17266]
* misc/sys/cdefs.h: Define __extern_always_inline for clang
4.2 and newer.
(cherry picked from commit 602f80ec8b966cfad3b61914cbe14ee606cedf6e)
| |
The function wordexp() fails to properly handle the WRDE_NOCMD
flag when processing arithmetic inputs in the form of "$((... ``))"
where "..." can be anything valid. The backticks in the arithmetic
expression are evaluated in a shell even if WRDE_NOCMD forbade
command substitution. This allows an attacker to attempt to pass
dangerous commands via constructs of the above form, and bypass
the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
in exec_comm(), the only place that can execute a shell. All other
checks for WRDE_NOCMD are superfluous and removed.
We expand the testsuite and add 3 new regression tests of roughly
the same form but with a couple of nested levels.
On top of the 3 new tests we add fork validation to the WRDE_NOCMD
testing. If any forks are detected during the execution of a wordexp()
call with WRDE_NOCMD, the test is marked as failed. This is slightly
heuristic since vfork might be used in the future, but it provides a
higher level of assurance that no shells were executed as part of
command substitution with WRDE_NOCMD in effect. In addition it doesn't
require libpthread or libdl, instead we use the public implementation
namespace function __register_atfork (already part of the public ABI
for libpthread).
Tested on x86_64 with no regressions.
(cherry picked from commit a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c)
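
A regression check in the spirit of the tests described in the commit message above, added here as an example; it is not code from the glibc test suite. The helper names (expand_nocmd, struct nocmd_result, count_bypasses) and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Outcome of one expansion attempt (hypothetical helper type). */
struct nocmd_result {
    int  rc;          /* wordexp() return code */
    char first[64];   /* first expanded word, "" if none */
};

/* Expand INPUT with command substitution forbidden (hypothetical helper).
   A fixed libc must return WRDE_CMDSUB for any command substitution,
   including one nested inside arithmetic expansion. */
static struct nocmd_result expand_nocmd(const char *input)
{
    struct nocmd_result r = { 0, "" };
    wordexp_t we;

    memset(&we, 0, sizeof we);
    r.rc = wordexp(input, &we, WRDE_NOCMD);
    if (r.rc == 0 && we.we_wordc > 0)
        snprintf(r.first, sizeof r.first, "%s", we.we_wordv[0]);
    /* Words are allocated on success and possibly on WRDE_NOSPACE. */
    if (r.rc == 0 || r.rc == WRDE_NOSPACE)
        wordfree(&we);
    return r;
}

/* Constructed inputs: each one contains a command substitution. */
static const char *const must_refuse[] = {
    "$(echo 1)",
    "`echo 1`",
    "$((1 + `echo 2`))",          /* the form from the commit message */
    "$(( $((`echo 1`)) + 1 ))",   /* nested arithmetic */
};

/* Number of inputs that were NOT refused with WRDE_CMDSUB. */
static int count_bypasses(void)
{
    int bypasses = 0;
    for (size_t i = 0; i < sizeof must_refuse / sizeof must_refuse[0]; i++)
        if (expand_nocmd(must_refuse[i]).rc != WRDE_CMDSUB)
            bypasses++;
    return bypasses;
}

int main(void)
{
    struct nocmd_result ok = expand_nocmd("$((1+2))");
    int bypasses = count_bypasses();

    printf("arithmetic only: rc=%d word=%s\n", ok.rc, ok.first);
    printf("WRDE_NOCMD bypasses: %d\n", bypasses);
    return bypasses != 0;
}
```

Callers that pass untrusted strings to wordexp() should treat any return code other than 0 as a refusal and discard the result.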
| |
This satisfies a symbol reference created with:
.symver __libc_vfork, vfork@GLIBC_2.0
where `__libc_vfork' has not been defined or referenced. In this case
the `vfork@GLIBC_2.0' reference is supposed to be discarded, however a
bug present in GAS since forever causes an undefined symbol table entry
to be created. This in turn triggers a problem in the linker that can
manifest itself by link errors such as:
ld: libpthread.so: invalid string offset 2765592330 >= 5154 for section `.dynstr'
The GAS and linker bugs need to be resolved, but we can avoid them too
by providing a `__libc_vfork' definition just like our other platforms.
[BZ #17485]
* sysdeps/unix/sysv/linux/mips/vfork.S (__libc_vfork): Define.
(cherry picked from commit b5af9297d51a43f96c5be1bafab032184690dd6f)
Conflicts:
NEWS
| |
(cherry picked from commit c763c5d27112be055920c46f3be8d05bc8b669da)
Conflicts:
NEWS
| |
(cherry picked from commit b6dcfe8c2408958be246dd61f1c5415ed7667a2a)
| |
(cherry picked from commit 545583d664b64ff234b99aca0d85e99c8a55808f)
| |
(cherry picked from commit 984c0ea97f649c869130a1ff099098e2b6f70aad)
Conflicts:
NEWS
| |
The check for only __GNUC_STDC_INLINE__ and __GNUC_GNU_INLINE__ may
not be sufficient since those flags were added during initial support
for C99 inlining semantics. There is also a problem with always
defining __extern_inline and __extern_always_inline, since it enables
inline wrapper functions even when GNU inlining semantics are not
guaranteed. This, along with the possibility of such wrappers using
redirection (btowc for example) could result in compiler generating an
infinitely recursive call to the function.
In fact it was such a recursion that led to this code being written
the way it was; see:
https://bugzilla.redhat.com/show_bug.cgi?id=186410
The initial change was to fix bugs 14530 and 13741, but they can be
resolved by checking if __fortify_function and/or
__extern_always_inline are defined, as it has been done in this patch.
In addition, I have audited uses of __extern_always_inline to make
sure that none of the uses result in compilation errors.
There is however a regression in this patch for llvm, since it reverts
the llvm expectation that __GNUC_STDC_INLINE__ or __GNUC_GNU_INLINE__
definition imply proper extern inline semantics.
2014-09-16 Siddhesh Poyarekar <siddhesh@redhat.com>
Jakub Jelinek <jakub@redhat.com>
[BZ #17266]
* libio/stdio.h: Check definition of __fortify_function
instead of __extern_always_inline to include bits/stdio2.h.
* math/bits/math-finite.h [__USE_XOPEN || __USE_ISOC99]: Also
check if __extern_always_inline is defined.
[__USE_MISC || __USE_XOPEN]: Likewise.
[__USE_ISOC99] Likewise.
* misc/sys/cdefs.h (__fortify_function): Define only if
__extern_always_inline is defined.
[!__cplusplus || __GNUC_PREREQ (4,3)]: Revert to defining
__extern_always_inline and __extern_inline only for g++-4.3
and newer or a compatible gcc.
| |
(cherry picked from commit a7b872687073decdcc7effc2289877d69058aca9)
Conflicts:
NEWS
| |
This patch adds the new constants UDP_NO_CHECK6_TX and
UDP_NO_CHECK6_RX from Linux 3.16 to sysdeps/gnu/netinet/udp.h. (I
believe the existing constants there are already Linux-specific,
possibly with the intention that other OSes should adopt the same
values if possible if adopting the features in question.)
Tested on x86_64.
* sysdeps/gnu/netinet/udp.h (UDP_NO_CHECK6_TX): New macro.
(UDP_NO_CHECK6_RX): Likewise.
(cherry picked from commit 0bd72468030947254e7de183cac1014dac884475)
| |
(cherry picked from commit d8f879ee3e4131542c2ac3d1d9db4cf12cb86729)
| |
Add entries for Wilco Dijkstra and Stefan Liebler.
| |
Some types of relocations technically need to be signed rather than
unsigned: in particular ones that are used with moveli or movei,
or for jump and branch. This is almost never a problem. Jump and
branch opcodes are pretty much uniformly resolved by the static linker
(unless you omit -fpic for a shared library, which is not recommended).
The moveli and movei opcodes that need to be sign-extended generally
are for positive displacements, like the construction of the address of
main() from _start(). However, tst-pie1 ends up with main below _start
(in a different module) and the test failed due to signedness issues in
relocation handling.
This commit treats the value as signed when shifting (to preserve the
high bit) and also sign-extends the value generated from the updated
bundle when comparing with the desired bundle, which we do to make sure
no overflow occurred. As a result, the tst-pie1 test now passes.
| |
These changes are based on the fix for BZ #14134 in commit
6e230d11837f3ae7b375ea69d7905f0d18eb79e5.
| |
generic HAVE_RM_CTX implementation which is used for ppc/e500 as well
has introduced calls to fegetenv which should be resolved internally
within libm
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* sysdeps/powerpc/powerpc32/e500/nofpu/fegetenv.c (fegetenv): Add
libm_hidden_ver.
| |
If e.g. a signal is being received while we are running fork(), the signal
thread may be having our SS lock when we make the space copy, and thus in the
child we can not take the SS lock any more.
* sysdeps/mach/hurd/fork.c (__fork): Lock SS->lock around __proc_dostop call.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
| |
TLS_INIT_TP in sysdeps/i386/nptl/tls.h uses some hand written asm to
generate a set_thread_area that might result in exchanging ebx and esp
around the syscall causing introspection tools like valgrind to lose
track of the user stack. Just use INTERNAL_SYSCALL which makes sure
esp isn't changed arbitrarily.
Before the patch the code would generate:
    mov $0xf3,%eax
    movl $0xfffff,0x8(%esp)
    movl $0x51,0xc(%esp)
    xchg %esp,%ebx
    int $0x80
    xchg %esp,%ebx
Using INTERNAL_SYSCALL instead will generate:
    movl $0xfffff,0x8(%esp)
    movl $0x51,0xc(%esp)
    xchg %ecx,%ebx
    mov $0xf3,%eax
    int $0x80
    xchg %ecx,%ebx
Thanks to Florian Weimer for analysing why the original code generated
the bogus esp usage:
_segdescr.desc happens to be at the top of the stack, so its address
is in %esp. The asm statement says that %3 is an input, so its value
will not change, and GCC can use %esp as the input register for the
expression &_segdescr.desc. But the constraints do not fully describe
the asm statement because the %3 register is actually modified, albeit
only temporarily.
[BZ #17319]
* sysdeps/i386/nptl/tls.h (TLS_INIT_TP): Use INTERNAL_SYSCALL
to call set_thread_area instead of hand written asm.
(__NR_set_thread_area): Removed define.
(TLS_FLAG_WRITABLE): Likewise.
(__ASSUME_SET_THREAD_AREA): Remove check.
(TLS_EBX_ARG): Remove define.
(TLS_LOAD_EBX): Likewise.
| |
Using gcc-4.9, i7-2620M, i686 Linux.
| |
This functionality has never worked correctly, and the implementation
contained a security vulnerability (CVE-2014-5119).
| |
pthread_atfork is already built in an extra-libs context, which gives
it NOT_IN_libc in its CPPFLAGS. Adding the same definition to CFLAGS
is pointless.
Verified that the code is unchanged on x86_64.
| |
These programs get the NOT_IN_libc twice, once through the 'other'
target and another explicitly. Remove the explicitly added CPPFLAG.
* catgets/Makefile (CPPFLAGS-gencat): Remove.
* iconv/Makefile (CPPFLAGS-iconv_prog): Likewise.
(CPPFLAGS-iconvconfig): Likewise.
* timezone/Makefile (CPPFLAGS-zic): Likewise.
| |
If an IS_IN_* macro is defined, then NOT_IN_libc is always defined,
except obviously for IS_IN_libc. There's no need to check for both.
Verified on x86_64 and i686 that the source is unchanged.
* include/libc-symbols.h: Remove unnecessary check for
NOT_IN_libc.
* nptl/pthreadP.h: Likewise.
* sysdeps/aarch64/setjmp.S: Likewise.
* sysdeps/alpha/setjmp.S: Likewise.
* sysdeps/arm/sysdep.h: Likewise.
* sysdeps/i386/setjmp.S: Likewise.
* sysdeps/m68k/setjmp.c: Likewise.
* sysdeps/posix/getcwd.c: Likewise.
* sysdeps/powerpc/powerpc32/setjmp-common.S: Likewise.
* sysdeps/powerpc/powerpc64/setjmp-common.S: Likewise.
* sysdeps/s390/s390-32/setjmp.S: Likewise.
* sysdeps/s390/s390-64/setjmp.S: Likewise.
* sysdeps/sh/sh3/setjmp.S: Likewise.
* sysdeps/sh/sh4/setjmp.S: Likewise.
* sysdeps/unix/alpha/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/aarch64/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/i386/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/ia64/setjmp.S: Likewise.
* sysdeps/unix/sysv/linux/ia64/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/powerpc/powerpc32/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/powerpc/powerpc64/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/s390/s390-32/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/s390/s390-64/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/sh/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/sparc/sparc32/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/sparc/sparc64/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/tile/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/x86_64/sysdep.h: Likewise.
* sysdeps/x86_64/setjmp.S: Likewise.