| Commit message (Collapse) | Author | Age | Files | Lines |
| |
On x32, the size_t parameter may be passed in the lower 32 bits of a
64-bit register with the non-zero upper 32 bits. The string/memory
functions written in assembly can only use the lower 32 bits of a
64-bit register as length or must clear the upper 32 bits before using
the full 64-bit register for length.
This patch fixes memchr/wmemchr for x32. Tested on x86-64 and x32. On
x86-64, libc.so is the same with and without the fix.
[BZ #24097]
CVE-2019-6488
* sysdeps/x86_64/memchr.S: Use RDX_LP for length. Clear the
upper 32 bits of RDX register.
* sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-memchr.
* sysdeps/x86_64/x32/test-size_t.h: New file.
* sysdeps/x86_64/x32/tst-size_t-memchr.c: Likewise.
(cherry picked from commit 97700a34f36721b11a754cf37a1cc40695ece1fd)
| |
This commit removes the custom memcpy implementation from _int_realloc
for small chunk sizes. The ncopies variable has the wrong type, and
an integer wraparound could cause the existing code to copy too few
elements (leaving the new memory region mostly uninitialized).
Therefore, removing this code fixes bug 24027.
(cherry picked from commit b50dd3bc8cbb1efe85399b03d7e6c0310c2ead84)
| |
If glibc is built with gcc 8 and -march=z900,
the testcase posix/tst-spawn4-compat crashes with a segfault.
In function maybe_script_execute, the new_argv array is dynamically
initialized on stack with (argc + 1) elements.
The function wants to add _PATH_BSHELL as the first argument
and writes out of bounds of new_argv.
There is an off-by-one because maybe_script_execute fails to count
the terminating NULL when sizing new_argv.
ChangeLog:
* sysdeps/unix/sysv/linux/spawni.c (maybe_script_execute):
Increment size of new_argv by one.
(cherry picked from commit 28669f86f6780a18daca264f32d66b1428c9c6f1)
| |
(cherry picked from commit 99ea93ca31795469d2a1f1570f17a5c39c2eb7e2)
| |
The tunables framework needs to execute syscall early in process
initialization, before the TCB is available for consumption. This
behavior conflicts with powerpc{|64|64le}'s lock elision code, that
checks the TCB before trying to abort transactions immediately before
executing a syscall.
This patch adds a powerpc-specific implementation of __access_noerrno
that does not abort transactions before executing the syscall.
Tested on powerpc{|64|64le}.
[BZ #22685]
* sysdeps/powerpc/powerpc32/sysdep.h (ABORT_TRANSACTION_IMPL): Renamed
from ABORT_TRANSACTION.
(ABORT_TRANSACTION): Redirect to ABORT_TRANSACTION_IMPL.
* sysdeps/powerpc/powerpc64/sysdep.h (ABORT_TRANSACTION,
ABORT_TRANSACTION_IMPL): Likewise.
* sysdeps/unix/sysv/linux/powerpc/not-errno.h: New file. Reuse
Linux code, but remove the code that aborts transactions.
Signed-off-by: Tulio Magno Quites Machado Filho <tuliom@linux.vnet.ibm.com>
Tested-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 4612268a0ad8e3409d8ce2314dd2dd8ee0af5269)
| |
The function maybe_enable_malloc_check, which is called by
__tunables_init, calls __access_noerrno. It isn't a problem when the
symbol is in ld.so, which has a special version of __access_noerrno
without stack protector. But when glibc is built with stack protector,
maybe_enable_malloc_check in libc.a can't call the regular version of
__access_noerrno with stack protector.
This patch changes how Linux defines the __access_noerrno to be an
inline call instead and thus preventing defining different build
rules for ld/static and shared.
H.J. Lu <hongjiu.lu@intel.com>
Adhemerval Zanella <adhemerval.zanella@linaro.org>
[BZ #21744]
* elf/dl-tunables.c: Include not-errno.h header.
* include/unistd.h (__access_noerrno): Remove definition.
* sysdeps/unix/sysv/linux/access.c (__access_noerrno): Likewise.
* sysdeps/generic/not-errno.h: New file.
* sysdeps/unix/sysv/linux/not-errno.h: Likewise.
(cherry picked from commit 95a73392580761abc62fc9b1386d232cd55878e9)
| |
When posix_memalign is called with an alignment less than MALLOC_ALIGNMENT
and a requested size close to SIZE_MAX, it falls back to malloc code
(because the alignment of a block returned by malloc is sufficient to
satisfy the call). In this case, an integer overflow in _int_malloc leads
to posix_memalign incorrectly returning successfully.
Upon fixing this and writing a somewhat thorough regression test, it was
discovered that when posix_memalign is called with an alignment larger than
MALLOC_ALIGNMENT (so it uses _int_memalign instead) and a requested size
close to SIZE_MAX, a different integer overflow in _int_memalign leads to
posix_memalign incorrectly returning successfully.
Both integer overflows affect other memory allocation functions that use
_int_malloc (one affected malloc in x86) or _int_memalign as well.
This commit fixes both integer overflows. In addition to this, it adds a
regression test to guard against false successful allocations by the
following memory allocation functions when called with too-large allocation
sizes and, where relevant, various valid alignments:
malloc, realloc, calloc, memalign, posix_memalign, aligned_alloc, valloc,
and pvalloc.
(cherry picked from commit 8e448310d74b283c5cd02b9ed7fb997b47bf9b22)
| |
_dl_runtime_profile calls _dl_call_pltexit, passing a pointer to
La_x86_64_retval which is allocated on stack. The lrv_vector0
field in La_x86_64_retval must be aligned to size of vector register.
When allocating stack space for La_x86_64_retval, we need to make sure
that the address of La_x86_64_retval + RV_VECTOR0_OFFSET is aligned to
VEC_SIZE. This patch checks the alignment of the lrv_vector0 field
and pads the stack space if needed.
Tested with x32 and x86-64 on SSE4, AVX and AVX512 machines. It fixed
FAIL: elf/tst-audit10
FAIL: elf/tst-audit4
FAIL: elf/tst-audit5
FAIL: elf/tst-audit6
FAIL: elf/tst-audit7
on x32 AVX512 machine.
(cherry picked from commit 207a72e2988c6d6343f50fe0128eb4fc4edfdd15)
[BZ #22715]
* sysdeps/x86_64/dl-trampoline.h (_dl_runtime_profile): Properly
align La_x86_64_retval to VEC_SIZE.
| |
We do not need thread_local support in the C++11 compiler, and the
minimum GCC version for glibc has C++11 support (if it has C++ support).
(cherry picked from commit 10d200dbace0ea5198006b313f40c3b884c88724)
| |
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
(cherry picked from commit 08c6e95234c60a5c2f37532d1111acf084f39345)
| |
(cherry picked from commit b725132d2b0aeddf970b1ce3e5a24f8637a7b4c2)
| |
(cherry picked from commit 860b0240a5645edd6490161de3f8d1d1f2786025)
| |
I verified that without the guard accounting change in commit
630f4cc3aa019ede55976ea561f1a7af2f068639 (Fix stack guard size
accounting) and RTLD_NOW for libgcc_s introduced by commit
f993b8754080ac7572b692870e926d8b493db16c (nptl: Open libgcc.so with
RTLD_NOW during pthread_cancel), the tst-minstack-cancel test fails on
an AVX-512F machine. tst-minstack-exit still passes, and either of
the mentioned commits by itself frees sufficient stack space to make
tst-minstack-cancel pass, too.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
(cherry picked from commit d8b778907e5270fdeb70459842ffbc20bd2ca5e1)
| |
Disabling lazy binding reduces stack usage during unwinding.
Note that RTLD_NOW only makes a difference if libgcc.so has not
already been loaded, so this is only a partial fix.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
(cherry picked from commit f993b8754080ac7572b692870e926d8b493db16c)
| |
Previously if user requested S stack and G guard when creating a
thread, the total mapping was S and the actual available stack was
S - G - static_tls, which is not what the user requested.
This patch fixes the guard size accounting by pretending the user
requested S+G stack. This way all later logic works out except
when reporting the user requested stack size (pthread_getattr_np)
or when computing the minimal stack size (__pthread_get_minstack).
Normally this will increase thread stack allocations by one page.
TLS accounting is not affected, that will require a separate fix.
[BZ #22637]
* nptl/descr.h (stackblock, stackblock_size): Update comments.
* nptl/allocatestack.c (allocate_stack): Add guardsize to stacksize.
* nptl/nptl-init.c (__pthread_get_minstack): Remove guardsize from
stacksize.
* nptl/pthread_getattr_np.c (pthread_getattr_np): Likewise.
(cherry picked from commit 630f4cc3aa019ede55976ea561f1a7af2f068639)
| |
GCC PR 83641 results in a miscompilation of libpthread, which
causes pthread_exit not to restore callee-saved registers before
running destructors for objects on the stack. This test detects
this situation:
info: unsigned int, direct pthread_exit call
tst-thread-exit-clobber.cc:80: numeric comparison failure
left: 4148288912 (0xf741dd90); from: value
right: 1600833940 (0x5f6ac994); from: magic_values.v2
info: double, direct pthread_exit call
info: unsigned int, indirect pthread_exit call
info: double, indirect pthread_exit call
error: 1 test failures
(cherry picked from commit 579396ee082565ab5f42ff166a264891223b7b82)
| |
Currently getcwd(3) can succeed without returning an absolute path
because the underlying getcwd syscall, starting with linux commit
v2.6.36-rc1~96^2~2, may succeed without returning an absolute path.
This is a conformance issue because "The getcwd() function shall
place an absolute pathname of the current working directory
in the array pointed to by buf, and return buf".
This is also a security issue because a non-absolute path returned
by getcwd(3) causes a buffer underflow in realpath(3).
Fix this by checking the path returned by getcwd syscall and falling
back to generic_getcwd if the path is not absolute, effectively making
getcwd(3) fail with ENOENT. The error code is chosen for consistency
with the case when the current directory is unlinked.
[BZ #22679]
CVE-2018-1000001
* sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to
generic_getcwd if the path returned by getcwd syscall is not absolute.
* io/tst-getcwd-abspath.c: New test.
* io/Makefile (tests): Add tst-getcwd-abspath.
(cherry picked from commit 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94)
| |
This commit updates the support/ subdirectory to
commit 1a51e46e4a87e1cd9528ac5e5656011636e4086b
on the master branch.
| |
tests-unsupported has to be defined before the inclusion of Rules in a
subdirectory Makefile; otherwise it is ineffective. This patch fixes
the ordering in assert/Makefile, where a recent test addition put
tests-unsupported too late (resulting in build failures when the C++
compiler was missing or broken, and thereby showing up the unrelated
bug 21987).
Incidentally, I don't see why these tests depend on
$(have-cxx-thread_local) rather than just a working C++ compiler.
Tested in such a configuration (broken compiler/libstdc++) with
build-many-glibcs.py.
* assert/Makefile [$(have-cxx-thread_local)]: Move conditional
variable definitions above inclusion of ../Rules.
(cherry picked from commit 75dfe623df945db7dd3c12a206d743c45c16b5ed)
| |
The previous implementation had at least a quadratic space
requirement in the number of host addresses and aliases.
(cherry picked from commit d8425e116cdd954fea0c04c0f406179b5daebbb3)
| |
(cherry picked from commit 78e806fd8cd8c918d3bbe1bcdf9091ab365e4a69)
| |
This is in preparation of further cleanup work.
(cherry picked from commit 8ed70de2faceb4bd7b35bbdc2b7e8c83d9a297ba)
| |
This commit adds fixed-size allocation buffers. The primary use
case is in NSS modules, where dynamically sized data is stored
in a fixed-size buffer provided by the caller.
Other uses include a replacement of mempcpy cascades (which is
safer due to the size checking inherent to allocation buffers).
(cherry picked from commit 4dd8e7c0ce5ecc7f65e33e60ad2f717b31de32ec)
| |
Before, arrays of small elements received a starting allocation size of
8, not 16.
(cherry picked from commit ab5ac271e6210fa0af11cf3ca525ce573bc47c48)
| |
This allows the caller to return directly on such an error, with an
appropriate errno value.
(cherry picked from commit 5898f4548efdcd7c0fd437a74eeb80facc51a117)
| |
(cherry picked from commit f8bf87face3304f216bcd838081fa33bb4976ac6)
| |
This is intended as a type-safe alternative to obstacks and
hand-written realloc constructs. The implementation avoids
writing function pointers to the heap.
(cherry picked from commit 91b6eb1140eda6bab324821ee3785e5d0ca155b8)
| |
Backported from commit 2e0bbbfbf95fc9e22692e93658a6fbdd2d4554da.
| |
The old code uses errno as the primary indicator for success or
failure. This is wrong because errno is only set for specific
combinations of the status return value and the h_errno variable.
(cherry picked from commit f4a6be2582b8dfe8adfa68da3dd8decf566b3983)
| |
(cherry picked from commit 5f8340f583fe3d4f5734bd2371c5a45ecff2db0d)
| |
h_errno is not set for NSS_STATUS_SUCCESS, so its value might not be
accurate at this point.
(cherry picked from commit a2881ef01450295782b065f2f850f340d5c12c14)
| |
(cherry picked from commit ad816a5e00ce891a2cea8187638fa0e00f83aaf6)
| |
This simplifies the code because it is not necessary to propagate the
temporary h_errno value to the thread-local variable. It also increases
compatibility with NSS modules which update only one of the two places.
(cherry picked from commit 53250a21b81474ef4e78090a4a9a63d8471e1091)
| |
Similar code in nss/getXXbyYY_r.c is already using &errno as the
argument.
(cherry picked from commit 924b121c5978689001ae28cf1c8497371dad4f71)
| |
(cherry picked from commit 0df595b23a829c9169ec418a19eef9006b4ae801)
| |
(cherry picked from commit 513a71a420e74270a6a9702ec916e807be51350a)
| |
(cherry picked from commit 5cf88a83f27b0cd2d5a83511930e40d716c939eb)
| |
The address family splitting via format_ai_family made unpredictable
the place where the canonname field was printed. This commit adjusts
the implementation so that the ai_flags is checked for consistency
across the list, and ai_canonname must only be present on the first
list element.
Tests for AI_CANONNAME are added to resolv/tst-resolv-basic.
(cherry picked from commit 8ec69bb7ecf3ca5edde5b7d9d7d5d3a5f8b6c405)
| |
This bug did not affect name resolution because those functions
indirectly call ns_name_pack with a buffer which is always larger
than the generated query packet, even in the case of the
longest-possible domain name.
(cherry picked from commit c803cb9b24c6cea15698768e4301e963b98e742c)
| |
(cherry picked from commit 07d6f1a3ca990e0e4f93b010605d4d87a3abdf24)
| |
(cherry picked from commit 76b8266f990a2912f42d1b7050840e8c7f14f2c2)
| |
(cherry picked from commit 60149b28590be28051f99d0a343d7fbe002f2a8c)
| |
Generated machine code is identical on x86-64.
(cherry picked from commit d53b8652880ba42913f66e7eee0567ce4cfe7791)
| |
(cherry picked from commit 363911ce1313a246b7d33f0983a09e7ab2525b3a)
| |
(cherry picked from commit 6257fcfd58479f6b7ae0fdde045b9ff144d543da)
| |
A further simplification could eliminate the canon variable in
gaih_inet and replace it with canonbuf. However, canonbuf is
used as a flag in the nscd code, which makes this somewhat
non-straightforward.
(cherry picked from commit 673cb072a4710bd4bf6029a062d2867cca929c43)
| |
getaddrinfo has to call malloc eventually anyway, so the complexity
of avoiding malloc calls is not worth potential savings.
(cherry picked from commit 46ce8881ade788db56079622f47f648d4aaa003b)
| |
Update libm-test-ulps for AVX512 mathvec tests by running
“make regen-ulps” on Intel Xeon processor with AVX512.
* sysdeps/x86_64/fpu/libm-test-ulps: Regenerated.
(cherry picked from commit fcaaca412fecb6097c902acd1260f585819b8b7e)
| |
The fillin_rpath function in elf/dl-load.c loops over each RPATH or
RUNPATH token and interprets empty tokens as the current directory
("./"). In practice the check for empty token is done *after* the
dynamic string token expansion. The expansion process can return an
empty string for the $ORIGIN token if __libc_enable_secure is set
or if the path of the binary can not be determined (/proc not mounted).
Fix that by moving the check for empty tokens before the dynamic string
token expansion. In addition, check for NULL pointer or empty strings
returned by expand_dynamic_string_token.
The above changes highlighted a bug in decompose_rpath, an empty array
is represented by the first element being NULL at the fillin_rpath
level, but by using a -1 pointer in decompose_rpath and other functions.
Changelog:
[BZ #22625]
* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
string token expansion. Check for NULL pointer or empty string possibly
returned by expand_dynamic_string_token.
(decompose_rpath): Check for empty path after dynamic string
token expansion.
(cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)