about summary refs log tree commit diff
Commit message (Collapse)AuthorAgeFilesLines
* elf: Relocate libc.so early during startup and dlmopen (bug 31083)Florian Weimer2023-11-277-2/+118
| | | | | | | This makes it more likely that objects without dependencies can use IFUNC resolvers in libc.so. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* elf: Introduce the _dl_open_relocate_one_object functionFlorian Weimer2023-11-271-39/+47
| | | | | | It is extracted from dl_open_worker_begin. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* elf: In _dl_relocate_object, skip processing if object is relocatedFlorian Weimer2023-11-271-3/+3
| | | | | | | This is just a minor optimization. It also makes it more obvious that _dl_relocate_object can be called multiple times. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* Remove __access_noerrnoJoseph Myers2023-11-239-71/+5
| | | | | | | | | | | | | | | | A recent commit, apparently commit 6c6fce572fb8f583f14d898e54fd7d25ae91cf56 "elf: Remove /etc/suid-debug support", resulted in localplt failures for i686-gnu and x86_64-gnu: Missing required PLT reference: ld.so: __access_noerrno After that commit, __access_noerrno is actually no longer used at all. So rather than just removing the localplt expectation for that symbol for Hurd, completely remove all definitions of and references to that symbol. Tested for x86_64, and with build-many-glibcs.py for i686-gnu and x86_64-gnu.
* malloc: Use __get_nprocs on arena_get2 (BZ 30945)Adhemerval Zanella2023-11-225-18/+2
| | | | | | | | | | | | | | | | This restore the 2.33 semantic for arena_get2. It was changed by 11a02b035b46 to avoid arena_get2 call malloc (back when __get_nproc was refactored to use an scratch_buffer - 903bc7dcc2acafc). The __get_nproc was refactored over then and now it also avoid to call malloc. The 11a02b035b46 did not take in consideration any performance implication, which should have been discussed properly. The __get_nprocs_sched is still used as a fallback mechanism if procfs and sysfs is not acessible. Checked on x86_64-linux-gnu. Reviewed-by: DJ Delorie <dj@redhat.com>
* aarch64: Fix libmvec benchmarksJoe Ramsay2023-11-222-49/+81
| | | | | | | | These were broken by the new atan2 functions, as they were only set up for univariate functions. Arity is now detected from the input file - this revealed a mistake that the double-precision inputs were being used for both single- and double-precision routines, which is now remedied.
* posix: Revert the removal of the crypt prototype from <unistd.h>Florian Weimer2023-11-222-1/+17
| | | | | | Many applications still rely on this prototype. Rebuilds without this prototype result in an implicit function declaration, which can introduce security vulnerabilities due to 32-bit pointer truncation.
* elf: Add comments on how LD_AUDIT and LD_PRELOAD handle __libc_enable_secureAdhemerval Zanella2023-11-211-1/+8
| | | | | To make explicit why __libc_enable_secure is not checked. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for staticAdhemerval Zanella2023-11-211-16/+16
| | | | | | | It mimics the ld.so behavior. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Remove any_debug from dl_main_stateAdhemerval Zanella2023-11-212-6/+1
| | | | | Its usage can be implied by the GLRO(dl_debug_mask). Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Remove LD_PROFILE for static binariesAdhemerval Zanella2023-11-2139-109/+165
| | | | | | | | | | | The _dl_non_dynamic_init does not parse LD_PROFILE, which does not enable profile for dlopen objects. Since dlopen is deprecated for static objects, it is better to remove the support. It also allows to trim down libc.a of profile support. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Ignore LD_PROFILE for setuid binariesAdhemerval Zanella2023-11-213-6/+17
| | | | | | | | | | | | | | | | | | Loader does not ignore LD_PROFILE in secure-execution mode (different than man-page states [1]), rather it uses a different path (/var/profile) and ignore LD_PROFILE_OUTPUT. Allowing secure-execution profiling is already a non good security boundary, since it enables different code paths and extra OS access by the process. But by ignoring LD_PROFILE_OUTPUT, the resulting profile file might also be acceded in a racy manner since the file name does not use any process-specific information (such as pid, timing, etc.). Another side-effect is it forces lazy binding even on libraries that might be with DF_BIND_NOW. [1] https://man7.org/linux/man-pages/man8/ld.so.8.html Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* s390: Use dl-symbol-redir-ifunc.h on cpu-tunablesAdhemerval Zanella2023-11-212-15/+17
| | | | | | | | | Using the memcmp symbol directly allows the compile to inline the memcmp calls (especially because _dl_tunable_set_hwcaps uses constants values), generating better code. Checked with tst-tunables on s390x-linux-gnu (qemu system). Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* x86: Use dl-symbol-redir-ifunc.h on cpu-tunablesAdhemerval Zanella2023-11-214-55/+32
| | | | | | | | | | | | | | | | The dl-symbol-redir-ifunc.h redirects compiler-generated libcalls to arch-specific memory implementations to avoid ifunc calls where it is not yet possible. The memcmp-isa-default-impl.h aims to fix the same issue by calling the specific memset implementation directly. Using the memcmp symbol directly allows the compiler to inline the memset calls (especially because _dl_tunable_set_hwcaps uses constants values), generating better code. Checked on x86_64-linux-gnu. Reviewed-by: Noah Goldstein <goldstein.w.n@gmail.com> Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Emit warning if tunable is ill-formattedAdhemerval Zanella2023-11-211-0/+6
| | | | | | | So caller knows that the tunable will be ignored. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Fix _dl_debug_vdprintf to work before self-relocationAdhemerval Zanella2023-11-214-2/+48
| | | | | | | | | | | | | The strlen might trigger and invalid GOT entry if it used before the process is self-relocated (for instance on dl-tunables if any error occurs). For i386, _dl_writev with PIE requires to use the old 'int $0x80' syscall mode because the calling the TLS register (gs) is not yet initialized. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Do not parse ill-formatted stringsAdhemerval Zanella2023-11-212-16/+45
| | | | | | | | | | | Instead of ignoring ill-formatted tunable strings, first, check all the tunable definitions are correct and then set each tunable value. It means that partially invalid strings, like "key1=value1:key2=key2=value' or 'key1=value':key2=value2=value2' do not enable 'key1=value1'. It avoids possible user-defined errors in tunable definitions. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Do not process invalid tunable formatAdhemerval Zanella2023-11-212-7/+21
| | | | | | | | | | | Tunable definitions with more than one '=' on are parsed and enabled, and any subsequent '=' are ignored. It means that tunables in the form 'tunable=tunable=value' or 'tunable=value=value' are handled as 'tunable=value'. These inputs are likely user input errors, which should not be accepted. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Add all malloc tunable to unsecvarsAdhemerval Zanella2023-11-214-58/+86
| | | | | | | | | | | | | | | | | | | | | | | | Some environment variables allow alteration of allocator behavior across setuid boundaries, where a setuid program may ignore the tunable, but its non-setuid child can read it and adjust the memory allocator behavior accordingly. Most library behavior tunings is limited to the current process and does not bleed in scope; so it is unclear how pratical this misfeature is. If behavior change across privilege boundaries is desirable, it would be better done with a wrapper program around the non-setuid child that sets these envvars, instead of using the setuid process as the messenger. The patch as fixes tst-env-setuid, where it fail if any unsecvars is set. It also adds a dynamic test, although it requires --enable-hardcoded-path-in-tests so kernel correctly sets the setuid bit (using the loader command directly would require to set the setuid bit on the loader itself, which is not a usual deployment). Co-authored-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Checked on x86_64-linux-gnu. Reviewed-by: DJ Delorie <dj@redhat.com>
* elf: Ignore GLIBC_TUNABLES for setuid/setgid binariesAdhemerval Zanella2023-11-219-161/+299
| | | | | | | | | | | | | | | | | | | | The tunable privilege levels were a retrofit to try and keep the malloc tunable environment variables' behavior unchanged across security boundaries. However, CVE-2023-4911 shows how tricky can be tunable parsing in a security-sensitive environment. Not only parsing, but the malloc tunable essentially changes some semantics on setuid/setgid processes. Although it is not a direct security issue, allowing users to change setuid/setgid semantics is not a good security practice, and requires extra code and analysis to check if each tunable is safe to use on all security boundaries. It also means that security opt-in features, like aarch64 MTE, would need to be explicit enabled by an administrator with a wrapper script or with a possible future system-wide tunable setting. Co-authored-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: DJ Delorie <dj@redhat.com>
* elf: Add GLIBC_TUNABLES to unsecvarsAdhemerval Zanella2023-11-212-28/+5
| | | | | | | | | | | | setuid/setgid process now ignores any glibc tunables, and filters out all environment variables that might changes its behavior. This patch also adds GLIBC_TUNABLES, so any spawned process by setuid/setgid processes should set tunable explicitly. Checked on x86_64-linux-gnu. Reviewed-by: Florian Weimer <fweimer@redhat.com> Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Remove /etc/suid-debug supportAdhemerval Zanella2023-11-214-24/+3
| | | | | | | | | | | | | | | | Since malloc debug support moved to a different library (libc_malloc_debug.so), the glibc.malloc.check requires preloading the debug library to enable it. It means that suid-debug support has not been working since 2.34. To restore its support, it would require to add additional information and parsing to where to find libc_malloc_debug.so. It is one thing less that might change AT_SECURE binaries' behavior due to environment configurations. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* stdlib: The qsort implementation needs to use heapsort in more casesFlorian Weimer2023-11-213-4/+187
| | | | | | | | | | | | The existing logic avoided internal stack overflow. To avoid a denial-of-service condition with adversarial input, it is necessary to fall over to heapsort if tail-recursing deeply, too, which does not result in a deep stack of pending partitions. The new test stdlib/tst-qsort5 is based on Douglas McIlroy's paper on this subject. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* stdlib: Handle various corner cases in the fallback heapsort for qsortFlorian Weimer2023-11-213-17/+173
| | | | | | | | | | | | The previous implementation did not consistently apply the rule that the child nodes of node K are at 2 * K + 1 and 2 * K + 2, or that the parent node is at (K - 1) / 2. Add an internal test that targets the heapsort implementation directly. Reported-by: Stepan Golosunov <stepan@golosunov.pp.ru> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* stdlib: Avoid another self-comparison in qsortFlorian Weimer2023-11-211-1/+1
| | | | | | | | In the insertion phase, we could run off the start of the array if the comparison function never runs zero. In that case, it never finds the initial element that terminates the iteration. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* hurd: fix restarting reauth_dtable on signalSamuel Thibault2023-11-211-12/+23
| | | | | While inside the critical section, RPCs would not be restarted, so we have to handle EINTR errors.
* hurd: Prevent the final file_exec_paths call from signalsSamuel Thibault2023-11-202-1/+27
| | | | | | | Otherwise if the exec server started thrashing the old task, we won't be able to restart the exec. This notably fixes building ghc.
* manual: Fix termios.c example. (Bug 31078)Carlos O'Donell2023-11-201-2/+1
| | | | | | | | | | | | Remove the unused 'char *name;' from the example. Use write instead of putchar to write input as it is read. Example tested on x86_64 by compiling and running the example. Tested by building the manual pdf and reviewing the results. Reviewed-by: Florian Weimer <fweimer@redhat.com>
* aarch64: Add vector implementations of expm1 routinesJoe Ramsay2023-11-2015-108/+570
| | | | May discard sign of 0 - auto tests for -0 and -0x1p-10000 updated accordingly.
* linux: Use fchmodat2 on fchmod for flags different than 0 (BZ 26401)Adhemerval Zanella2023-11-203-55/+77
| | | | | | | | | | | | | | | | | | Linux 6.6 (09da082b07bbae1c) added support for fchmodat2, which has similar semantics as fchmodat with an extra flag argument. This allows fchmodat to implement AT_SYMLINK_NOFOLLOW and AT_EMPTY_PATH without the need for procfs. The syscall is registered on all architectures (with value of 452 except on alpha which is 562, commit 78252deb023cf087). The tst-lchmod.c requires a small fix where fchmodat checks two contradictory assertions ('(st.st_mode & 0777) == 2' and '(st.st_mode & 0777) == 3'). Checked on x86_64-linux-gnu on a 6.6 kernel. Reviewed-by: Florian Weimer <fweimer@redhat.com>
* intl: Add test case for bug 16621Florian Weimer2023-11-202-1/+42
| | | | Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* resolv: free only initialized items from gai poolJan Palus2023-11-201-1/+2
| | | | | | | | | pool_max_size denotes total allocated rows in pool but possibly not yet initialized. it's pool_size that represents number of actually occupied rows hence use it when freeing pool to avoid freeing random addresses. Signed-off-by: Jan Palus <jpalus@fastmail.com> Reviewed-by: Florian Weimer <fweimer@redhat.com>
* ldconfig: Fixes for skipping temporary files.Florian Weimer2023-11-201-4/+15
| | | | | | | | | | | Arguments to a memchr call were swapped, causing incorrect skipping of files. Files related to dpkg have different names: they actually end in .dpkg-new and .dpkg-tmp, not .tmp as I mistakenly assumed. Fixes commit 2aa0974d2573441bffd59 ("elf: ldconfig should skip temporary files created by package managers").
* nptl: Link tst-execstack-threads-mod.so with -z execstackFlorian Weimer2023-11-201-0/+1
| | | | | | | This ensures that the test still links with a linker that refuses to create an executable stack marker automatically. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* nptl: Rename tst-execstack to tst-execstack-threadsFlorian Weimer2023-11-204-6/+11
| | | | | | | So that the test is harder to confuse with elf/tst-execstack (although the tests are supposed to be the same). Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* Remove untyped mach RPC code.Flavio Cruz2023-11-194-141/+0
| | | | | | Existing MiG does not support untyped messages and the Hurd will continue to use typed messages for the foreseeable future. Message-ID: <ZVmYX6j4pYNUfqn4@jupiter.tail36e24.ts.net>
* _hurd_intr_rpc_mach_msg: handle message iteration correctly.Flavio Cruz2023-11-191-12/+12
| | | | | | | | | The `ty` pointer is only set at the end of the loop so that `msgtl_header.msgt_inline` and `msgtl_header.msgt_deallocate` remain valid. Also, when deallocating memory, we use the length from the message directly rather than hard coding mach_port_t since we want to deallocate any kind of OOL data. Message-ID: <ZVlGVD6eEN-dXsOr@jupiter.tail36e24.ts.net>
* localedata: Convert oc_FR locale to UTF-8Mike FABIAN2023-11-161-15/+15
|
* localedata: Add information for OccitanMike FABIAN2023-11-161-4/+6
| | | | Resolves: BZ # 28787
* elf: Fix force_first handling in dlclose (bug 30981)Florian Weimer2023-11-163-13/+29
| | | | | | | | | | | | | The force_first parameter was ineffective because the dlclose'd object was not necessarily the first in the maps array. Also enable force_first handling unconditionally, regardless of namespace. The initial object in a namespace should be destructed first, too. The _dl_sort_maps_dfs function had early returns for relocation dependency processing which broke force_first handling, too, and this is fixed in this change as well. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* elf: Handle non-directory name in search path (BZ 31035)Adhemerval Zanella2023-11-165-3/+103
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The open_path stops if a relative path in search path contains a component that is a non directory (for instance, if the component is an existing file). For instance: $ cat > lib.c <<EOF > void foo (void) {} > EOF $ gcc -shared -fPIC -o lib.so lib.c $ cat > main.c <<EOF extern void foo (); int main () { foo (); return 0; } EOF $ gcc -o main main.c lib.so $ LD_LIBRARY_PATH=. ./main $ LD_LIBRARY_PATH=non-existing/path:. ./main $ LD_LIBRARY_PATH=$(pwd)/main:. ./main $ LD_LIBRARY_PATH=./main:. ./main ./main: error while loading shared libraries: lib.so: cannot open shared object file: No such file or directory The invalid './main' should be ignored as a non-existent one, instead as a valid but non accessible file. Absolute paths do not trigger this issue because their status are initialized as 'unknown' and open_path check if this is a directory. Checked on x86_64-linux-gnu. Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
* New Zealand locales (en_NZ & mi_NZ) first day of week should be MondayMike FABIAN2023-11-162-0/+2
| | | | Resolves: BZ #29486
* x86: Fix unchecked AVX512-VBMI2 usage in strrchr-evex-base.SNoah Goldstein2023-11-151-24/+51
| | | | | | | | | | | | | strrchr-evex-base used `vpcompress{b|d}` in the page cross logic but was missing the CPU_FEATURE checks for VBMI2 in the ifunc/ifunc-impl-list. The fix is either to add those checks or change the logic to not use `vpcompress{b|d}`. Choosing the latter here so that the strrchr-evex implementation is usable on SKX. New implementation is a bit slower, but this is in a cold path so its probably okay.
* posix: Check pidfd_spawn with tst-spawn7-pidAdhemerval Zanella2023-11-151-1/+1
| | | | | | Without using the macro, posix_spawn is used instead. Checked on x86_64-linux-gnu.
* sparc: Fix broken memset for sparc32 [BZ #31068]Andreas Larsson2023-11-151-2/+2
| | | | | | | | | | | Fixes commit a61933fe27df ("sparc: Remove bzero optimization") that after moving code jumped to the wrong label 4. Verfied by successfully running string/test-memset on sparc32. Signed-off-by: Andreas Larsson <andreas@gaisler.com> Signed-off-by: Ludwig Rydberg <ludwig.rydberg@gaisler.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* y2038: Fix support for 64-bit time on legacy ABIsGaƫl PORTAY2023-11-151-1/+1
| | | | | This fixes a typo. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* hurd: Fix spawni returning allocation errors.Samuel Thibault2023-11-141-2/+8
|
* hurd: Make _hurd_intr_rpc_mach_msg avoid returning MACH_SEND_INTERRUPTEDSamuel Thibault2023-11-141-0/+6
| | | | | | | | | | When the given options do not include MACH_SEND_INTERRUPT, _hurd_intr_rpc_mach_msg (aka mach_msg) is not supposed to return MACH_SEND_INTERRUPTED. In such a case we thus have to retry sending the message. This was observed to fix various occurrences of spurious "(ipc/send) interrupted" errors when running haskell programs.
* AArch64: Remove Falkor memcpyWilco Dijkstra2023-11-138-332/+1
| | | | | | | | | | The latest implementations of memcpy are actually faster than the Falkor implementations [1], so remove the falkor/phecda ifuncs for memcpy and the now unused IS_FALKOR/IS_PHECDA defines. [1] https://sourceware.org/pipermail/libc-alpha/2022-December/144227.html Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* AArch64: Add memset_zva64Wilco Dijkstra2023-11-136-68/+38
| | | | | | | | Add a specialized memset for the common ZVA size of 64 to avoid the overhead of reading the ZVA size. Since the code is identical to __memset_falkor, remove the latter. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>