about summary refs log tree commit diff
Commit message (Collapse)AuthorAgeFilesLines
...
* hurd: Fix buildSamuel Thibault2023-12-031-1/+1
| | | | | | | 7e23b3c2c008 ("Update code to handle the new ABI for sending inlined port rights.") was missing a cast. Fixes 7e23b3c2c008e0b9b5da055e675d40cc27bb10ef
* Update code to handle the new ABI for sending inlined port rights.Flavio Cruz2023-12-032-5/+33
| | | | | | For i686, this change is no op but for x86_64 it forces all inlined port rights to be 8 bytes long. Message-ID: <20231124213041.952886-2-flaviocruz@gmail.com>
* hurd: [!__USE_MISC] Do not #undef BSD macros in ioctlsSamuel Thibault2023-12-021-0/+2
| | | | | When e.g. including termios.h first and then sys/ioctl.h, without e.g. _BSD_SOURCE, the latter would #undef e.g. ECHO, without defining it.
* linux: Make fdopendir fail with O_PATH (BZ 30373)Adhemerval Zanella2023-11-303-1/+56
| | | | | | | | | It is not strictly required by the POSIX, since O_PATH is a Linux extension, but it is QoI to fail early instead of at readdir. Also the check is free, since fdopendir already checks if the file descriptor is opened for read. Checked on x86_64-linux-gnu.
* Avoid padding in _init and _fini. [BZ #31042]Stefan Liebler2023-11-302-3/+1
| | | | | | | | | | | | | | | | | | | | | The linker just concatenates the .init and .fini sections which results in the complete _init and _fini functions. If needed the linker adds padding bytes due to an alignment. GNU ld is adding NOPs, which is fine. But e.g. mold is adding traps which results in broken _init and _fini functions. Thus this patch removes the alignment in .init and .fini sections in crtn.S files. We keep the 4 byte function alignment in crti.S files. As the assembler now also outputs the start of _init and _fini functions as multiples of 4 byte, it perhaps has to fill it. Although GNU as is using NOPs here, to be sure, we just keep the alignment with 0x07 (=NOPs) at the end of crti.S. In order to avoid an obvious NOP slide in _fini, this patch also uses an lg instead of lgr instruction. Then the emitted instructions needs a multiple of 4 bytes.
* aarch64: Improve special-case handling in AdvSIMD double-precision libmvec ↵Joe Ramsay2023-11-291-1/+7
| | | | | | | routines Avoids emitting many saves/restores of vector registers, reduces the amount of code generated around the scalar fallback.
* malloc: Improve MAP_HUGETLB with glibc.malloc.hugetlb=2Adhemerval Zanella2023-11-291-3/+10
| | | | | | | | | | | | | | | | Even for explicit large page support, allocation might use mmap without the hugepage bit set if the requested size is smaller than mmap_threshold. For this case where mmap is issued, MAP_HUGETLB is set iff the allocation size is larger than the used large page. To force such allocations to use large pages, also tune the mmap_threhold (if it is not explicit set by a tunable). This forces allocation to follow the sbrk path, which will fall back to mmap (which will try large pages before galling back to default mmap). Checked on x86_64-linux-gnu. Reviewed-by: DJ Delorie <dj@redhat.com> Tested-by: Zhangfei Gao <zhangfei.gao@linaro.org>
* elf: Add a way to check if tunable is set (BZ 27069)Adhemerval Zanella2023-11-296-2/+73
| | | | | | | | | | | The patch adds two new macros, TUNABLE_GET_DEFAULT and TUNABLE_IS_INITIALIZED, here the former get the default value with a signature similar to TUNABLE_GET, while the later returns whether the tunable was set by the environment variable. Checked on x86_64-linux-gnu. Reviewed-by: DJ Delorie <dj@redhat.com> Tested-by: Zhangfei Gao <zhangfei.gao@linaro.org>
* x86: Only align destination to 1x VEC_SIZE in memset 4x loopNoah Goldstein2023-11-281-1/+1
| | | | | | | | | Current code aligns to 2x VEC_SIZE. Aligning to 2x has no affect on performance other than potentially resulting in an additional iteration of the loop. 1x maintains aligned stores (the only reason to align in this case) and doesn't incur any unnecessary loop iterations. Reviewed-by: Sunil K Pandey <skpgkp2@gmail.com>
* elf: Fix TLS modid reuse generation assignment (BZ 29039)Hector Martin2023-11-281-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | _dl_assign_tls_modid() assigns a slotinfo entry for a new module, but does *not* do anything to the generation counter. The first time this happens, the generation is zero and map_generation() returns the current generation to be used during relocation processing. However, if a slotinfo entry is later reused, it will already have a generation assigned. If this generation has fallen behind the current global max generation, then this causes an obsolete generation to be assigned during relocation processing, as map_generation() returns this generation if nonzero. _dl_add_to_slotinfo() eventually resets the generation, but by then it is too late. This causes DTV updates to be skipped, leading to NULL or broken TLS slot pointers and segfaults. Fix this by resetting the generation to zero in _dl_assign_tls_modid(), so it behaves the same as the first time a slot is assigned. _dl_add_to_slotinfo() will still assign the correct static generation later during module load, but relocation processing will no longer use an obsolete generation. Note that slotinfo entry (aka modid) reuse typically happens after a dlclose and only TLS access via dynamic tlsdesc is affected. Because tlsdesc is optimized to use the optional part of static TLS, dynamic tlsdesc can be avoided by increasing the glibc.rtld.optional_static_tls tunable to a large enough value, or by LD_PRELOAD-ing the affected modules. Fixes bug 29039. Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
* Add TCP_MD5SIG_FLAG_IFINDEX from Linux 5.6 to netinet/tcp.h.Tobias Klauser2023-11-281-1/+2
| | | | | | | | This patch adds the TCP_MD5SIG_FLAG_IFINDEX constant from Linux 5.6 to sysdeps/gnu/netinet/tcp.h and updates struct tcp_md5sig accordingly to contain the device index. Reviewed-by: Florian Weimer <fweimer@redhat.com>
* elf: Relocate libc.so early during startup and dlmopen (bug 31083)Florian Weimer2023-11-277-2/+118
| | | | | | | This makes it more likely that objects without dependencies can use IFUNC resolvers in libc.so. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* elf: Introduce the _dl_open_relocate_one_object functionFlorian Weimer2023-11-271-39/+47
| | | | | | It is extracted from dl_open_worker_begin. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* elf: In _dl_relocate_object, skip processing if object is relocatedFlorian Weimer2023-11-271-3/+3
| | | | | | | This is just a minor optimization. It also makes it more obvious that _dl_relocate_object can be called multiple times. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* Remove __access_noerrnoJoseph Myers2023-11-239-71/+5
| | | | | | | | | | | | | | | | A recent commit, apparently commit 6c6fce572fb8f583f14d898e54fd7d25ae91cf56 "elf: Remove /etc/suid-debug support", resulted in localplt failures for i686-gnu and x86_64-gnu: Missing required PLT reference: ld.so: __access_noerrno After that commit, __access_noerrno is actually no longer used at all. So rather than just removing the localplt expectation for that symbol for Hurd, completely remove all definitions of and references to that symbol. Tested for x86_64, and with build-many-glibcs.py for i686-gnu and x86_64-gnu.
* malloc: Use __get_nprocs on arena_get2 (BZ 30945)Adhemerval Zanella2023-11-225-18/+2
| | | | | | | | | | | | | | | | This restore the 2.33 semantic for arena_get2. It was changed by 11a02b035b46 to avoid arena_get2 call malloc (back when __get_nproc was refactored to use an scratch_buffer - 903bc7dcc2acafc). The __get_nproc was refactored over then and now it also avoid to call malloc. The 11a02b035b46 did not take in consideration any performance implication, which should have been discussed properly. The __get_nprocs_sched is still used as a fallback mechanism if procfs and sysfs is not acessible. Checked on x86_64-linux-gnu. Reviewed-by: DJ Delorie <dj@redhat.com>
* aarch64: Fix libmvec benchmarksJoe Ramsay2023-11-222-49/+81
| | | | | | | | These were broken by the new atan2 functions, as they were only set up for univariate functions. Arity is now detected from the input file - this revealed a mistake that the double-precision inputs were being used for both single- and double-precision routines, which is now remedied.
* posix: Revert the removal of the crypt prototype from <unistd.h>Florian Weimer2023-11-222-1/+17
| | | | | | Many applications still rely on this prototype. Rebuilds without this prototype result in an implicit function declaration, which can introduce security vulnerabilities due to 32-bit pointer truncation.
* elf: Add comments on how LD_AUDIT and LD_PRELOAD handle __libc_enable_secureAdhemerval Zanella2023-11-211-1/+8
| | | | | To make explicit why __libc_enable_secure is not checked. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for staticAdhemerval Zanella2023-11-211-16/+16
| | | | | | | It mimics the ld.so behavior. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Remove any_debug from dl_main_stateAdhemerval Zanella2023-11-212-6/+1
| | | | | Its usage can be implied by the GLRO(dl_debug_mask). Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Remove LD_PROFILE for static binariesAdhemerval Zanella2023-11-2139-109/+165
| | | | | | | | | | | The _dl_non_dynamic_init does not parse LD_PROFILE, which does not enable profile for dlopen objects. Since dlopen is deprecated for static objects, it is better to remove the support. It also allows to trim down libc.a of profile support. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Ignore LD_PROFILE for setuid binariesAdhemerval Zanella2023-11-213-6/+17
| | | | | | | | | | | | | | | | | | Loader does not ignore LD_PROFILE in secure-execution mode (different than man-page states [1]), rather it uses a different path (/var/profile) and ignore LD_PROFILE_OUTPUT. Allowing secure-execution profiling is already a non good security boundary, since it enables different code paths and extra OS access by the process. But by ignoring LD_PROFILE_OUTPUT, the resulting profile file might also be acceded in a racy manner since the file name does not use any process-specific information (such as pid, timing, etc.). Another side-effect is it forces lazy binding even on libraries that might be with DF_BIND_NOW. [1] https://man7.org/linux/man-pages/man8/ld.so.8.html Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* s390: Use dl-symbol-redir-ifunc.h on cpu-tunablesAdhemerval Zanella2023-11-212-15/+17
| | | | | | | | | Using the memcmp symbol directly allows the compile to inline the memcmp calls (especially because _dl_tunable_set_hwcaps uses constants values), generating better code. Checked with tst-tunables on s390x-linux-gnu (qemu system). Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* x86: Use dl-symbol-redir-ifunc.h on cpu-tunablesAdhemerval Zanella2023-11-214-55/+32
| | | | | | | | | | | | | | | | The dl-symbol-redir-ifunc.h redirects compiler-generated libcalls to arch-specific memory implementations to avoid ifunc calls where it is not yet possible. The memcmp-isa-default-impl.h aims to fix the same issue by calling the specific memset implementation directly. Using the memcmp symbol directly allows the compiler to inline the memset calls (especially because _dl_tunable_set_hwcaps uses constants values), generating better code. Checked on x86_64-linux-gnu. Reviewed-by: Noah Goldstein <goldstein.w.n@gmail.com> Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Emit warning if tunable is ill-formattedAdhemerval Zanella2023-11-211-0/+6
| | | | | | | So caller knows that the tunable will be ignored. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Fix _dl_debug_vdprintf to work before self-relocationAdhemerval Zanella2023-11-214-2/+48
| | | | | | | | | | | | | The strlen might trigger and invalid GOT entry if it used before the process is self-relocated (for instance on dl-tunables if any error occurs). For i386, _dl_writev with PIE requires to use the old 'int $0x80' syscall mode because the calling the TLS register (gs) is not yet initialized. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Do not parse ill-formatted stringsAdhemerval Zanella2023-11-212-16/+45
| | | | | | | | | | | Instead of ignoring ill-formatted tunable strings, first, check all the tunable definitions are correct and then set each tunable value. It means that partially invalid strings, like "key1=value1:key2=key2=value' or 'key1=value':key2=value2=value2' do not enable 'key1=value1'. It avoids possible user-defined errors in tunable definitions. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Do not process invalid tunable formatAdhemerval Zanella2023-11-212-7/+21
| | | | | | | | | | | Tunable definitions with more than one '=' on are parsed and enabled, and any subsequent '=' are ignored. It means that tunables in the form 'tunable=tunable=value' or 'tunable=value=value' are handled as 'tunable=value'. These inputs are likely user input errors, which should not be accepted. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Add all malloc tunable to unsecvarsAdhemerval Zanella2023-11-214-58/+86
| | | | | | | | | | | | | | | | | | | | | | | | Some environment variables allow alteration of allocator behavior across setuid boundaries, where a setuid program may ignore the tunable, but its non-setuid child can read it and adjust the memory allocator behavior accordingly. Most library behavior tunings is limited to the current process and does not bleed in scope; so it is unclear how pratical this misfeature is. If behavior change across privilege boundaries is desirable, it would be better done with a wrapper program around the non-setuid child that sets these envvars, instead of using the setuid process as the messenger. The patch as fixes tst-env-setuid, where it fail if any unsecvars is set. It also adds a dynamic test, although it requires --enable-hardcoded-path-in-tests so kernel correctly sets the setuid bit (using the loader command directly would require to set the setuid bit on the loader itself, which is not a usual deployment). Co-authored-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Checked on x86_64-linux-gnu. Reviewed-by: DJ Delorie <dj@redhat.com>
* elf: Ignore GLIBC_TUNABLES for setuid/setgid binariesAdhemerval Zanella2023-11-219-161/+299
| | | | | | | | | | | | | | | | | | | | The tunable privilege levels were a retrofit to try and keep the malloc tunable environment variables' behavior unchanged across security boundaries. However, CVE-2023-4911 shows how tricky can be tunable parsing in a security-sensitive environment. Not only parsing, but the malloc tunable essentially changes some semantics on setuid/setgid processes. Although it is not a direct security issue, allowing users to change setuid/setgid semantics is not a good security practice, and requires extra code and analysis to check if each tunable is safe to use on all security boundaries. It also means that security opt-in features, like aarch64 MTE, would need to be explicit enabled by an administrator with a wrapper script or with a possible future system-wide tunable setting. Co-authored-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: DJ Delorie <dj@redhat.com>
* elf: Add GLIBC_TUNABLES to unsecvarsAdhemerval Zanella2023-11-212-28/+5
| | | | | | | | | | | | setuid/setgid process now ignores any glibc tunables, and filters out all environment variables that might changes its behavior. This patch also adds GLIBC_TUNABLES, so any spawned process by setuid/setgid processes should set tunable explicitly. Checked on x86_64-linux-gnu. Reviewed-by: Florian Weimer <fweimer@redhat.com> Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Remove /etc/suid-debug supportAdhemerval Zanella2023-11-214-24/+3
| | | | | | | | | | | | | | | | Since malloc debug support moved to a different library (libc_malloc_debug.so), the glibc.malloc.check requires preloading the debug library to enable it. It means that suid-debug support has not been working since 2.34. To restore its support, it would require to add additional information and parsing to where to find libc_malloc_debug.so. It is one thing less that might change AT_SECURE binaries' behavior due to environment configurations. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* stdlib: The qsort implementation needs to use heapsort in more casesFlorian Weimer2023-11-213-4/+187
| | | | | | | | | | | | The existing logic avoided internal stack overflow. To avoid a denial-of-service condition with adversarial input, it is necessary to fall over to heapsort if tail-recursing deeply, too, which does not result in a deep stack of pending partitions. The new test stdlib/tst-qsort5 is based on Douglas McIlroy's paper on this subject. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* stdlib: Handle various corner cases in the fallback heapsort for qsortFlorian Weimer2023-11-213-17/+173
| | | | | | | | | | | | The previous implementation did not consistently apply the rule that the child nodes of node K are at 2 * K + 1 and 2 * K + 2, or that the parent node is at (K - 1) / 2. Add an internal test that targets the heapsort implementation directly. Reported-by: Stepan Golosunov <stepan@golosunov.pp.ru> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* stdlib: Avoid another self-comparison in qsortFlorian Weimer2023-11-211-1/+1
| | | | | | | | In the insertion phase, we could run off the start of the array if the comparison function never runs zero. In that case, it never finds the initial element that terminates the iteration. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* hurd: fix restarting reauth_dtable on signalSamuel Thibault2023-11-211-12/+23
| | | | | While inside the critical section, RPCs would not be restarted, so we have to handle EINTR errors.
* hurd: Prevent the final file_exec_paths call from signalsSamuel Thibault2023-11-202-1/+27
| | | | | | | Otherwise if the exec server started thrashing the old task, we won't be able to restart the exec. This notably fixes building ghc.
* manual: Fix termios.c example. (Bug 31078)Carlos O'Donell2023-11-201-2/+1
| | | | | | | | | | | | Remove the unused 'char *name;' from the example. Use write instead of putchar to write input as it is read. Example tested on x86_64 by compiling and running the example. Tested by building the manual pdf and reviewing the results. Reviewed-by: Florian Weimer <fweimer@redhat.com>
* aarch64: Add vector implementations of expm1 routinesJoe Ramsay2023-11-2015-108/+570
| | | | May discard sign of 0 - auto tests for -0 and -0x1p-10000 updated accordingly.
* linux: Use fchmodat2 on fchmod for flags different than 0 (BZ 26401)Adhemerval Zanella2023-11-203-55/+77
| | | | | | | | | | | | | | | | | | Linux 6.6 (09da082b07bbae1c) added support for fchmodat2, which has similar semantics as fchmodat with an extra flag argument. This allows fchmodat to implement AT_SYMLINK_NOFOLLOW and AT_EMPTY_PATH without the need for procfs. The syscall is registered on all architectures (with value of 452 except on alpha which is 562, commit 78252deb023cf087). The tst-lchmod.c requires a small fix where fchmodat checks two contradictory assertions ('(st.st_mode & 0777) == 2' and '(st.st_mode & 0777) == 3'). Checked on x86_64-linux-gnu on a 6.6 kernel. Reviewed-by: Florian Weimer <fweimer@redhat.com>
* intl: Add test case for bug 16621Florian Weimer2023-11-202-1/+42
| | | | Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* resolv: free only initialized items from gai poolJan Palus2023-11-201-1/+2
| | | | | | | | | pool_max_size denotes total allocated rows in pool but possibly not yet initialized. it's pool_size that represents number of actually occupied rows hence use it when freeing pool to avoid freeing random addresses. Signed-off-by: Jan Palus <jpalus@fastmail.com> Reviewed-by: Florian Weimer <fweimer@redhat.com>
* ldconfig: Fixes for skipping temporary files.Florian Weimer2023-11-201-4/+15
| | | | | | | | | | | Arguments to a memchr call were swapped, causing incorrect skipping of files. Files related to dpkg have different names: they actually end in .dpkg-new and .dpkg-tmp, not .tmp as I mistakenly assumed. Fixes commit 2aa0974d2573441bffd59 ("elf: ldconfig should skip temporary files created by package managers").
* nptl: Link tst-execstack-threads-mod.so with -z execstackFlorian Weimer2023-11-201-0/+1
| | | | | | | This ensures that the test still links with a linker that refuses to create an executable stack marker automatically. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* nptl: Rename tst-execstack to tst-execstack-threadsFlorian Weimer2023-11-204-6/+11
| | | | | | | So that the test is harder to confuse with elf/tst-execstack (although the tests are supposed to be the same). Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* Remove untyped mach RPC code.Flavio Cruz2023-11-194-141/+0
| | | | | | Existing MiG does not support untyped messages and the Hurd will continue to use typed messages for the foreseeable future. Message-ID: <ZVmYX6j4pYNUfqn4@jupiter.tail36e24.ts.net>
* _hurd_intr_rpc_mach_msg: handle message iteration correctly.Flavio Cruz2023-11-191-12/+12
| | | | | | | | | The `ty` pointer is only set at the end of the loop so that `msgtl_header.msgt_inline` and `msgtl_header.msgt_deallocate` remain valid. Also, when deallocating memory, we use the length from the message directly rather than hard coding mach_port_t since we want to deallocate any kind of OOL data. Message-ID: <ZVlGVD6eEN-dXsOr@jupiter.tail36e24.ts.net>
* localedata: Convert oc_FR locale to UTF-8Mike FABIAN2023-11-161-15/+15
|
* localedata: Add information for OccitanMike FABIAN2023-11-161-4/+6
| | | | Resolves: BZ # 28787