about summary refs log tree commit diff
path: root/include
Commit message (Collapse)AuthorAgeFilesLines
* Linux: optimize clone3 internal usage azanella/posix_spawn-clone3Adhemerval Zanella2022-11-291-0/+5
| | | | | | | | | | | | Now that clone3 is used on more architectures, add an optimization to avoid calling when glibc detects that it is no supported by the kernel. It also adds __ASSUME_CLONE3, which allows skip this optimization and issue clone3 syscall directly. It does not handle the the small window between 5.3 and 5.5 for posix_spawn (CLONE_CLEAR_SIGHAND was added in 5.5). Checked on x86_64-linux-gnu.
* linux: Add clone3 CLONE_CLEAR_SIGHAND optimization to posix_spawnAdhemerval Zanella2022-11-291-0/+5
| | | | | | | | | | | | | | | | | The clone3 flag resets all signal handlers of the child not set to SIG_IGN to SIG_DFL. It allows to skip most of the sigaction calls to setup child signal handling, where previously a posix_spawn has to issue 2 times NSIG sigaction calls (one to obtain the current disposition and another to set either SIG_DFL or SIG_IGN). The expection is POSIX_SPAWN_SETSIGDEF the child still setup the signal for the case the disposition is SIG_IGN. It also need to handle the fallback where clone3 is not available, to set the fallback in child. This is done by splitting of __clone_internal_fallback from __clone_internal. Checked on x86_64-linux-gnu.
* Linux: Do not align the stack for __clone3Adhemerval Zanella2022-11-291-0/+5
| | | | | | | | | | | | | | Adjusting the stack on child thread is not async-signal safe, since kernel does not enforce stack alignmnet. Although, all the internal usage of __clone_internal are done with all signal masked, removing stack alignment of __clone3 is still a net gain: is simplifies the function contract detail (mask/unmarsk signals) and simplifies the arch-specific code. The internal users are responsible for correct stack alignment. If glibc ever exports a clone3 wrapper, it should adjust stack alignment. Checked on x86_64-linux-gnu.
* linux: Extend internal clone3 documentationAdhemerval Zanella2022-11-291-5/+19
| | | | | | | | | | | Different than kernel, clone3 returns EINVAL for NULL struct clone_args or function pointer. This is similar to clone interface that return EINVAL for NULL function argument. It also clean up the Linux clone3.h interface, since it not currently exported. Checked on x86_64-linux-gnu.
* Define in_int32_t_range to check if the 64 bit time_t syscall should be usedYunQiang Su2022-11-171-1/+9
| | | | | | | | | | | | | | | | | Currently glibc uses in_time_t_range to detects time_t overflow, and if it occurs fallbacks to 64 bit syscall version. The function name is confusing because internally time_t might be either 32 bits or 64 bits (depending on __TIMESIZE). This patch refactors the in_time_t_range by replacing it with in_int32_t_range for the case to check if the 64 bit time_t syscall should be used. The in_time_t range is used to detect overflow of the syscall return value. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* Linux: Add ppoll fortify symbol for 64 bit time_t (BZ# 29746)Adhemerval Zanella2022-11-081-1/+4
| | | | | | | | | | | | | | | | | | | | Similar to ppoll, the poll.h header needs to redirect the poll call to a proper fortified ppoll with 64 bit time_t support. The implementation is straightforward, just need to add a similar check as __poll_chk and call the 64 bit time_t ppoll version. The debug fortify tests are also extended to cover 64 bit time_t for affected ABIs. Unfortunately it requires an aditional symbol, which makes backport tricky. One possibility is to add a static inline version if compiler supports is and call abort instead of __chk_fail, so fortified version will call __poll64 in the end. Another possibility is to just remove the fortify support for _TIME_BITS=64. Checked on i686-linux-gnu.
* Apply asm redirection in gmp.h before first useAdhemerval Zanella2022-11-071-12/+0
| | | | | | | | For clang the redeclaration after the first use, the visibility attribute is silently ignored (symbol is STV_DEFAULT) while the asm label attribute causes an error. Reviewed-by: Fangrui Song <maskray@google.com>
* allocate_once: Apply asm redirection before first useAdhemerval Zanella2022-11-011-4/+3
| | | | | | | Compilers may not be able to apply asm redirections to functions after these functions are used for the first time, e.g. clang 15. Reviewed-by: Fangrui Song <maskray@google.com>
* alloc_buffer: Apply asm redirection before first useAdhemerval Zanella2022-11-011-8/+15
| | | | | | | Compilers may not be able to apply asm redirections to functions after these functions are used for the first time, e.g. clang 15. Reviewed-by: Fangrui Song <maskray@google.com>
* Remove unused scratch_buffer_dupfreeSzabolcs Nagy2022-10-281-16/+0
| | | | | | | | | | | | Turns out scratch_buffer_dupfree internal API was unused since commit ef0700004bf0dccf493a5e8e21f71d9e7972ea9f stdlib: Simplify buffer management in canonicalize And the related test in malloc/tst-scratch_buffer had issues so it's better to remove it completely. Reviewed-by: Florian Weimer <fweimer@redhat.com>
* malloc: Use uintptr_t in alloc_bufferSzabolcs Nagy2022-10-281-5/+5
| | | | | | | The values represnt pointers and not sizes. The members of struct alloc_buffer are already uintptr_t. Reviewed-by: Florian Weimer <fweimer@redhat.com>
* hurd: Factorize at/non-at functionsSamuel Thibault2022-09-173-0/+7
| | | | | | | | | | | | | | | | | | Non-at functions can be implemented by just calling the corresponding at function with AT_FDCWD and zero at_flags. In the linkat case, the at behavior is different (O_NOLINK), so this introduces __linkat_common to pass O_NOLINK as appropriate. lstat functions can also be implemented with fstatat by adding __fstatat64_common which takes a flags parameter in addition to the at_flags parameter, In the end this factorizes chmod, chown, link, lstat64, mkdir, readlink, rename, stat64, symlink, unlink, utimes. This also makes __lstat, __lxstat64, __stat and __xstat64 directly use __fstatat64_common instead of __lstat64 or __stat64.
* Apply asm redirections in wchar.h before first useRaphael Moreira Zinsly2022-08-301-0/+1
| | | | | | | | | | | Similar to d0fa09a770, but for wchar.h. Fixes [BZ #27087] by applying all long double related asm redirections before using functions in bits/wchar2.h. Moves the function declarations from wcsmbs/bits/wchar2.h to a new file wcsmbs/bits/wchar2-decl.h that will be included first in wcsmbs/wchar.h. Tested with build-many-glibcs.py. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* resolv: Add DNS packet parsing helpers geared towards wire formatFlorian Weimer2022-08-301-0/+92
| | | | | | | | | | | | | | | | | | | | The public parser functions around the ns_rr record type produce textual domain names, but usually, this is not what we need while parsing DNS packets within glibc. This commit adds two new helper functions, __ns_rr_cursor_init and __ns_rr_cursor_next, for writing packet parsers, and struct ns_rr_cursor, struct ns_rr_wire as supporting types. In theory, it is possible to avoid copying the owner name into the rname field in __ns_rr_cursor_next, but this would need more functions that work on compressed names. Eventually, __res_context_send could be enhanced to preserve the result of the packet parsing that is necessary for matching the incoming UDP packets, so that this works does not have to be done twice. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* resolv: Add internal __ns_name_length_uncompressed functionFlorian Weimer2022-08-301-0/+8
| | | | | | | This function is useful for checking that the question name is uncompressed (as it should be). Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* resolv: Add the __ns_samebinaryname functionFlorian Weimer2022-08-301-0/+6
| | | | | | | | During packet parsing, only the binary name is available. If the name equality check is performed before conversion to text, we can sometimes skip the last step. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* resolv: Add internal __res_binary_hnok functionFlorian Weimer2022-08-301-0/+3
| | | | | | | | During package parsing, only the binary representation is available, and it is convenient to check that directly for conformance with host name requirements. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* assert: Do not use stderr in libc-internal assertFlorian Weimer2022-08-031-3/+9
| | | | | | | | | | | | | | | | | | | | Redirect internal assertion failures to __libc_assert_fail, based on based on __libc_message, which writes directly to STDERR_FILENO and calls abort. Also disable message translation and reword the error message slightly (adjusting stdlib/tst-bz20544 accordingly). As a result of these changes, malloc no longer needs its own redefinition of __assert_fail. __libc_assert_fail needs to be stubbed out during rtld dependency analysis because the rtld rebuilds turn __libc_assert_fail into __assert_fail, which is unconditionally provided by elf/dl-minimal.c. This change is not possible for the public assert macro and its __assert_fail function because POSIX requires that the diagnostic is written to stderr. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* stdio: Clean up __libc_message after unconditional abortFlorian Weimer2022-08-031-8/+1
| | | | | | | | | | | | Since commit ec2c1fcefb200c6cb7e09553f3c6af8815013d83 ("malloc: Abort on heap corruption, without a backtrace [BZ #21754]"), __libc_message always terminates the process. Since commit a289ea09ea843ced6e5277c2f2e63c357bc7f9a3 ("Do not print backtraces on fatal glibc errors"), the backtrace facility has been removed. Therefore, remove enum __libc_message_action and the action argument of __libc_message, and mark __libc_message as _No_return. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* Prepare for glibc 2.36 release.Carlos O'Donell2022-07-291-1/+1
| | | | Update version.h, and include/features.h.
* arc4random: simplify design for better safetyJason A. Donenfeld2022-07-271-3/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Rather than buffering 16 MiB of entropy in userspace (by way of chacha20), simply call getrandom() every time. This approach is doubtlessly slower, for now, but trying to prematurely optimize arc4random appears to be leading toward all sorts of nasty properties and gotchas. Instead, this patch takes a much more conservative approach. The interface is added as a basic loop wrapper around getrandom(), and then later, the kernel and libc together can work together on optimizing that. This prevents numerous issues in which userspace is unaware of when it really must throw away its buffer, since we avoid buffering all together. Future improvements may include userspace learning more from the kernel about when to do that, which might make these sorts of chacha20-based optimizations more possible. The current heuristic of 16 MiB is meaningless garbage that doesn't correspond to anything the kernel might know about. So for now, let's just do something conservative that we know is correct and won't lead to cryptographic issues for users of this function. This patch might be considered along the lines of, "optimization is the root of all evil," in that the much more complex implementation it replaces moves too fast without considering security implications, whereas the incremental approach done here is a much safer way of going about things. Once this lands, we can take our time in optimizing this properly using new interplay between the kernel and userspace. getrandom(0) is used, since that's the one that ensures the bytes returned are cryptographically secure. But on systems without it, we fallback to using /dev/urandom. This is unfortunate because it means opening a file descriptor, but there's not much of a choice. Secondly, as part of the fallback, in order to get more or less the same properties of getrandom(0), we poll on /dev/random, and if the poll succeeds at least once, then we assume the RNG is initialized. This is a rough approximation, as the ancient "non-blocking pool" initialized after the "blocking pool", not before, and it may not port back to all ancient kernels, though it does to all kernels supported by glibc (≥3.2), so generally it's the best approximation we can do. The motivation for including arc4random, in the first place, is to have source-level compatibility with existing code. That means this patch doesn't attempt to litigate the interface itself. It does, however, choose a conservative approach for implementing it. Cc: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org> Cc: Florian Weimer <fweimer@redhat.com> Cc: Cristian Rodríguez <crrodriguez@opensuse.org> Cc: Paul Eggert <eggert@cs.ucla.edu> Cc: Mark Harris <mark.hsj@gmail.com> Cc: Eric Biggers <ebiggers@kernel.org> Cc: linux-crypto@vger.kernel.org Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* stdlib: Add arc4random, arc4random_buf, and arc4random_uniform (BZ #4417)Adhemerval Zanella Netto2022-07-221-0/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The implementation is based on scalar Chacha20 with per-thread cache. It uses getrandom or /dev/urandom as fallback to get the initial entropy, and reseeds the internal state on every 16MB of consumed buffer. To improve performance and lower memory consumption the per-thread cache is allocated lazily on first arc4random functions call, and if the memory allocation fails getentropy or /dev/urandom is used as fallback. The cache is also cleared on thread exit iff it was initialized (so if arc4random is not called it is not touched). Although it is lock-free, arc4random is still not async-signal-safe (the per thread state is not updated atomically). The ChaCha20 implementation is based on RFC8439 [1], omitting the final XOR of the keystream with the plaintext because the plaintext is a stream of zeros. This strategy is similar to what OpenBSD arc4random does. The arc4random_uniform is based on previous work by Florian Weimer, where the algorithm is based on Jérémie Lumbroso paper Optimal Discrete Uniform Generation from Coin Flips, and Applications (2013) [2], who credits Donald E. Knuth and Andrew C. Yao, The complexity of nonuniform random number generation (1976), for solving the general case. The main advantage of this method is the that the unit of randomness is not the uniform random variable (uint32_t), but a random bit. It optimizes the internal buffer sampling by initially consuming a 32-bit random variable and then sampling byte per byte. Depending of the upper bound requested, it might lead to better CPU utilization. Checked on x86_64-linux-gnu, aarch64-linux, and powerpc64le-linux-gnu. Co-authored-by: Florian Weimer <fweimer@redhat.com> Reviewed-by: Yann Droneaud <ydroneaud@opteya.com> [1] https://datatracker.ietf.org/doc/html/rfc8439 [2] https://arxiv.org/pdf/1304.1916.pdf
* Apply asm redirections in stdio.h before first use [BZ #27087]Tulio Magno Quites Machado Filho2022-07-141-0/+1
| | | | | | | | | | | | | | | | | | | Compilers may not be able to apply asm redirections to functions after these functions are used for the first time, e.g. clang 13. Fix [BZ #27087] by applying all long double-related asm redirections before using functions in bits/stdio.h. However, as these asm redirections depend on the declarations provided by libio/bits/stdio2.h, this header was split in 2: - libio/bits/stdio2-decl.h contains all function declarations; - libio/bits/stdio2.h remains with the remaining contents, including redirections. This also adds the access attribute to __vsnprintf_chk that was missing. Tested with build-many-glibcs.py. Reviewed-by: Paul E. Murphy <murphyp@linux.ibm.com>
* libc-symbols.h: remove unused macrosFangrui Song2022-07-041-169/+0
| | | | | | | | | Beside weak_hidden_alias/declare_symbol_alias/hidden_data_ver, many *_hidden_* macros are removed. If there is a rare need to use one, one may write something like `#if IS_IN (libm)\nhidden_def (...)\n#endif` instead. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* misc: Optimize internal usage of __libc_single_threadedAdhemerval Zanella2022-06-242-0/+33
| | | | | | | | | | | | | | | By adding an internal alias to avoid the GOT indirection. On some architecture, __libc_single_thread may be accessed through copy relocations and thus it requires to update also the copies default copy. This is done by adding a new internal macro, libc_hidden_data_{proto,def}, which has an addition argument that specifies the alias name (instead of default __GI_ one). Checked on x86_64-linux-gnu and i686-linux-gnu. Reviewed-by: Fangrui Song <maskray@google.com>
* Add bounds check to __libc_ifunc_impl_listWilco Dijkstra2022-06-101-4/+4
| | | | | | | | | | | | Add a proper bounds check to __libc_ifunc_impl_list. This makes MAX_IFUNC redundant and fixes several targets that will write outside the array. To avoid unnecessary large diffs, pass the maximum in the argument 'i' to IFUNC_IMPL_ADD - 'max' can be used in new ifunc definitions and existing ones can be updated if desired. Passes buildmanyglibc. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* Fix deadlock when pthread_atfork handler calls pthread_atfork or dlcloseArjun Shankar2022-05-251-13/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In multi-threaded programs, registering via pthread_atfork, de-registering implicitly via dlclose, or running pthread_atfork handlers during fork was protected by an internal lock. This meant that a pthread_atfork handler attempting to register another handler or dlclose a dynamically loaded library would lead to a deadlock. This commit fixes the deadlock in the following way: During the execution of handlers at fork time, the atfork lock is released prior to the execution of each handler and taken again upon its return. Any handler registrations or de-registrations that occurred during the execution of the handler are accounted for before proceeding with further handler execution. If a handler that hasn't been executed yet gets de-registered by another handler during fork, it will not be executed. If a handler gets registered by another handler during fork, it will not be executed during that particular fork. The possibility that handlers may now be registered or deregistered during handler execution means that identifying the next handler to be run after a given handler may register/de-register others requires some bookkeeping. The fork_handler struct has an additional field, 'id', which is assigned sequentially during registration. Thus, handlers are executed in ascending order of 'id' during 'prepare', and descending order of 'id' during parent/child handler execution after the fork. Two tests are included: * tst-atfork3: Adhemerval Zanella <adhemerval.zanella@linaro.org> This test exercises calling dlclose from prepare, parent, and child handlers. * tst-atfork4: This test exercises calling pthread_atfork and dlclose from the prepare handler. [BZ #24595, BZ #27054] Co-authored-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* stdio-common: Move union printf_arg int <printf.h>Florian Weimer2022-05-241-0/+21
| | | | | | | The type does not depend on wide vs narrow preprocessor macros, so it does not need to be customized in stdio-common/printf-parse.h. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* stdio-common: Add printf specifier registry to <printf.h>Florian Weimer2022-05-241-0/+8
| | | | | | Add __printf_arginfo_table, __printf_function_table, __printf_va_arg_table, __register_printf_specifier to include/printf.h.
* stdio: Remove the usage of $(fno-unit-at-a-time) for siglist.cAdhemerval Zanella2022-05-131-4/+2
| | | | | | | | | | | | | | | | | | The siglist.c is built with -fno-toplevel-reorder to avoid compiler to reorder the compat assembly directives due an assembler issue [1] (fixed on 2.39). This patch removes the compiler flags by split the compat symbol generation in two phases. First the __sys_siglist and __sys_sigabbrev without any compat symbol directive is preprocessed to generate an assembly source code. This generate assembly is then used as input on a platform agnostic siglist.S which then creates the compat definitions. This prevents compiler to move any compat directive prior the _sys_errlist definition itself. Checked on a make check run-built-tests=no on all affected ABIs. Reviewed-by: Fangrui Song <maskray@google.com>
* stdio: Remove the usage of $(fno-unit-at-a-time) for errlist.cAdhemerval Zanella2022-05-131-0/+1
| | | | | | | | | | | | | | | | | | The errlist.c is built with -fno-toplevel-reorder to avoid compiler to reorder the compat assembly directives due an assembler issue [1] (fixed on 2.39). This patch removes the compiler flags by split the compat symbol generation in two phases. First the _sys_errlist_internal internal without any compat symbol directive is preprocessed to generate an assembly source code. This generate assembly is then used as input on a platform agnostic errlist-data.S which then creates the compat definitions. This prevents compiler to move any compat directive prior the _sys_errlist_internal definition itself. Checked on a make check run-built-tests=no on all affected ABIs. [1] https://sourceware.org/bugzilla/show_bug.cgi?id=29012
* Add declare_object_symbol_alias for assembly codes (BZ #28128)H.J. Lu2022-05-131-6/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | There are 2 problems in: #define declare_symbol_alias(symbol, original, type, size) \ declare_symbol_alias_1 (symbol, original, type, size) #ifdef __ASSEMBLER__ # define declare_symbol_alias_1(symbol, original, type, size) \ strong_alias (original, symbol); \ .type C_SYMBOL_NAME (symbol), %##type; \ .size C_SYMBOL_NAME (symbol), size 1. .type and .size are substituted by arguments. 2. %##type is expanded to "% type" due to the GCC bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101613 But assembler doesn't support "% type". Workaround BZ #28128 by 1. Don't define declare_symbol_alias for assembly codes. 2. Define declare_object_symbol_alias for assembly codes. Reviewed-by: Fangrui Song <maskray@google.com>
* wcrtomb: Make behavior POSIX compliantSiddhesh Poyarekar2022-05-131-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The GNU implementation of wcrtomb assumes that there are at least MB_CUR_MAX bytes available in the destination buffer passed to wcrtomb as the first argument. This is not compatible with the POSIX definition, which only requires enough space for the input wide character. This does not break much in practice because when users supply buffers smaller than MB_CUR_MAX (e.g. in ncurses), they compute and dynamically allocate the buffer, which results in enough spare space (thanks to usable_size in malloc and padding in alloca) that no actual buffer overflow occurs. However when the code is built with _FORTIFY_SOURCE, it runs into the hard check against MB_CUR_MAX in __wcrtomb_chk and hence fails. It wasn't evident until now since dynamic allocations would result in wcrtomb not being fortified but since _FORTIFY_SOURCE=3, that limitation is gone, resulting in such code failing. To fix this problem, introduce an internal buffer that is MB_LEN_MAX long and use that to perform the conversion and then copy the resultant bytes into the destination buffer. Also move the fortification check into the main implementation, which checks the result after conversion and aborts if the resultant byte count is greater than the destination buffer size. One complication is that applications that assume the MB_CUR_MAX limitation to be gone may not be able to run safely on older glibcs if they use static destination buffers smaller than MB_CUR_MAX; dynamic allocations will always have enough spare space that no actual overruns will occur. One alternative to fixing this is to bump symbol version to prevent them from running on older glibcs but that seems too strict a constraint. Instead, since these users will only have made this decision on reading the manual, I have put a note in the manual warning them about the pitfalls of having static buffers smaller than MB_CUR_MAX and running them on older glibc. Benchmarking: The wcrtomb microbenchmark shows significant increases in maximum execution time for all locales, ranging from 10x for ar_SA.UTF-8 to 1.5x-2x for nearly everything else. The mean execution time however saw practically no impact, with some results even being quicker, indicating that cache locality has a much bigger role in the overhead. Given that the additional copy uses a temporary buffer inside wcrtomb, it's likely that a hot path will end up putting that buffer (which is responsible for the additional overhead) in a similar place on stack, giving the necessary cache locality to negate the overhead. However in situations where wcrtomb ends up getting called at wildly different spots on the call stack (or is on different call stacks, e.g. with threads or different execution contexts) and is still a hotspot, the performance lag will be visible. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* clock_settime/clock_gettime: Use __nonnull to avoid null pointerXiaoming Ni2022-05-051-2/+2
| | | | | | | | | | | | | clock_settime() clock_settime64() clock_gettime() clock_gettime64() Add __nonnull((2)) to avoid null pointer access. Link: https://sourceware.org/bugzilla/show_bug.cgi?id=27662 Link: https://sourceware.org/bugzilla/show_bug.cgi?id=29084 Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com> Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* Add GLIBC_ABI_DT_RELR for DT_RELR supportH.J. Lu2022-04-261-0/+2
| | | | | | | | | | | | | | | | | | | | The EI_ABIVERSION field of the ELF header in executables and shared libraries can be bumped to indicate the minimum ABI requirement on the dynamic linker. However, EI_ABIVERSION in executables isn't checked by the Linux kernel ELF loader nor the existing dynamic linker. Executables will crash mysteriously if the dynamic linker doesn't support the ABI features required by the EI_ABIVERSION field. The dynamic linker should be changed to check EI_ABIVERSION in executables. Add a glibc version, GLIBC_ABI_DT_RELR, to indicate DT_RELR support so that the existing dynamic linkers will issue an error on executables with GLIBC_ABI_DT_RELR dependency. When there is a DT_VERNEED entry with libc.so on DT_NEEDED, issue an error if there is a DT_RELR entry without GLIBC_ABI_DT_RELR dependency. Support __placeholder_only_for_empty_version_map as the placeholder symbol used only for empty version map to generate GLIBC_ABI_DT_RELR without any symbols.
* elf: Remove __libc_init_secureFangrui Song2022-04-192-4/+0
| | | | | | | | | | | | | | After 73fc4e28b9464f0e13edc719a5372839970e7ddb, __libc_enable_secure_decided is always 0 and a statically linked executable may overwrite __libc_enable_secure without considering AT_SECURE. The __libc_enable_secure has been correctly initialized in _dl_aux_init, so just remove __libc_enable_secure_decided and __libc_init_secure. This allows us to remove some startup_get*id functions from 22b79ed7f413cd980a7af0cf258da5bf82b6d5e5. Reviewed-by: Florian Weimer <fweimer@redhat.com>
* elf: Remove prelink supportAdhemerval Zanella2022-02-101-4/+0
| | | | | | | | | | | | | Prelinked binaries and libraries still work, the dynamic tags DT_GNU_PRELINKED, DT_GNU_LIBLIST, DT_GNU_CONFLICT just ignored (meaning the process is reallocated as default). The loader environment variable TRACE_PRELINKING is also removed, since it used solely on prelink. Checked on x86_64-linux-gnu, i686-linux-gnu, and aarch64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* Prepare for glibc 2.35 release.Carlos O'Donell2022-02-031-1/+1
| | | | Update version.h, and include/features.h.
* Linux: Only generate 64 bit timestamps for 64 bit time_t recvmsg/recvmmsgAdhemerval Zanella2022-01-281-2/+8
| | | | | | | | | | | | | | | | | | | | | | | The timestamps created by __convert_scm_timestamps only make sense for 64 bit time_t programs, 32 bit time_t programs will ignore 64 bit time_t timestamps since SO_TIMESTAMP will be defined to old values (either by glibc or kernel headers). Worse, if the buffer is not suffice MSG_CTRUNC is set to indicate it (which breaks some programs [1]). This patch makes only 64 bit time_t recvmsg and recvmmsg to call __convert_scm_timestamps. Also, the assumption to called it is changed from __ASSUME_TIME64_SYSCALLS to __TIMESIZE != 64 since the setsockopt might be called by libraries built without __TIME_BITS=64. The MSG_CTRUNC is only set for the 64 bit symbols, it should happen only if 64 bit time_t programs run older kernels. Checked on x86_64-linux-gnu and i686-linux-gnu. [1] https://github.com/systemd/systemd/pull/20567 Reviewed-by: Florian Weimer <fweimer@redhat.com>
* posix: Add terminal control setting support for posix_spawnAdhemerval Zanella2022-01-251-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently there is no proper way to set the controlling terminal through posix_spawn in race free manner [1]. This forces shell implementations to keep using fork+exec when launching background process groups, even when using posix_spawn yields better performance. This patch adds a new GNU extension so the creating process can configure the created process terminal group. This is done with a new flag, POSIX_SPAWN_TCSETPGROUP, along with two new attribute functions: posix_spawnattr_tcsetpgrp_np, and posix_spawnattr_tcgetpgrp_np. The function sets a new attribute, spawn-tcgroupfd, that references to the controlling terminal. The controlling terminal is set after the spawn-pgroup attribute, and uses the spawn-tcgroupfd along with current creating process group (so it is composable with POSIX_SPAWN_SETPGROUP). To create a process and set the controlling terminal, one can use the following sequence: posix_spawnattr_t attr; posix_spawnattr_init (&attr); posix_spawnattr_setflags (&attr, POSIX_SPAWN_TCSETPGROUP); posix_spawnattr_tcsetpgrp_np (&attr, tcfd); If the idea is also to create a new process groups: posix_spawnattr_t attr; posix_spawnattr_init (&attr); posix_spawnattr_setflags (&attr, POSIX_SPAWN_TCSETPGROUP | POSIX_SPAWN_SETPGROUP); posix_spawnattr_tcsetpgrp_np (&attr, tcfd); posix_spawnattr_setpgroup (&attr, 0); The controlling terminal file descriptor is ignored if the new flag is not set. This interface is slight different than the one provided by QNX [2], which only provides the POSIX_SPAWN_TCSETPGROUP flag. The QNX documentation does not specify how the controlling terminal is obtained nor how it iteracts with POSIX_SPAWN_SETPGROUP. Since a glibc implementation is library based, it is more straightforward and avoid requires additional file descriptor operations to request the caller to setup the controlling terminal file descriptor (and it also allows a bit less error handling by posix_spawn). Checked on x86_64-linux-gnu and i686-linux-gnu. [1] https://github.com/ksh93/ksh/issues/79 [2] https://www.qnx.com/developers/docs/7.0.0/index.html#com.qnx.doc.neutrino.lib_ref/topic/p/posix_spawn.html Reviewed-by: Carlos O'Donell <carlos@redhat.com> Tested-by: Carlos O'Donell <carlos@redhat.com>
* Linux: Add epoll_pwait2 (BZ #27359)Adhemerval Zanella2022-01-171-0/+8
| | | | | | | | | | | | | It is similar to epoll_wait, with the difference the timeout has nanosecond resoluting by using struct timespec instead of int. Although Linux interface only provides 64 bit time_t support, old 32 bit interface is also provided (so keep in sync with current practice and to no force opt-in on 64 bit time_t). Checked on x86_64-linux-gnu and i686-linux-gnu. Reviewed-by: Florian Weimer <fweimer@redhat.com>
* socket: Add the __sockaddr_un_set functionFlorian Weimer2022-01-171-0/+12
| | | | Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* Enable _FORTIFY_SOURCE=3 for gcc 12 and aboveSiddhesh Poyarekar2022-01-121-1/+3
| | | | | | | | gcc 12 now has support for the __builtin_dynamic_object_size builtin. Adapt the macro checks to enable _FORTIFY_SOURCE=3 on gcc 12 and above. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* Update copyright dates with scripts/update-copyrightsPaul Eggert2022-01-0143-43/+43
| | | | | | | | | | | | | | | | | | | | | | | I used these shell commands: ../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright (cd ../glibc && git commit -am"[this commit message]") and then ignored the output, which consisted lines saying "FOO: warning: copyright statement not found" for each of 7061 files FOO. I then removed trailing white space from math/tgmath.h, support/tst-support-open-dev-null-range.c, and sysdeps/x86_64/multiarch/strlen-vec.S, to work around the following obscure pre-commit check failure diagnostics from Savannah. I don't know why I run into these diagnostics whereas others evidently do not. remote: *** 912-#endif remote: *** 913: remote: *** 914- remote: *** error: lines with trailing whitespace found ... remote: *** error: sysdeps/unix/sysv/linux/statx_cp.c: trailing lines
* elf: Add _dl_find_object functionFlorian Weimer2021-12-284-0/+20
| | | | | | | | | | | | | | | | | | | | | | | | | It can be used to speed up the libgcc unwinder, and the internal _dl_find_dso_for_object function (which is used for caller identification in dlopen and related functions, and in dladdr). _dl_find_object is in the internal namespace due to bug 28503. If libgcc switches to _dl_find_object, this namespace issue will be fixed. It is located in libc for two reasons: it is necessary to forward the call to the static libc after static dlopen, and there is a link ordering issue with -static-libgcc and libgcc_eh.a because libc.so is not a linker script that includes ld.so in the glibc build tree (so that GCC's internal -lc after libgcc_eh.a does not pick up ld.so). It is necessary to do the i386 customization in the sysdeps/x86/bits/dl_find_object.h header shared with x86-64 because otherwise, multilib installations are broken. The implementation uses software transactional memory, as suggested by Torvald Riegel. Two copies of the supporting data structures are used, also achieving full async-signal-safety. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* elf: Issue audit la_objopen for vDSOAdhemerval Zanella2021-12-281-0/+2
| | | | | | | | | | | | | | | The vDSO is is listed in the link_map chain, but is never the subject of an la_objopen call. A new internal flag __RTLD_VDSO is added that acts as __RTLD_OPENEXEC to allocate the required 'struct auditstate' extra space for the 'struct link_map'. The return value from the callback is currently ignored, since there is no PLT call involved by glibc when using the vDSO, neither the vDSO are exported directly. Checked on x86_64-linux-gnu, i686-linux-gnu, and aarch64-linux-gnu. Reviewed-by: Florian Weimer <fweimer@redhat.com>
* elf: Avoid unnecessary slowdown from profiling with audit (BZ#15533)Adhemerval Zanella2021-12-281-0/+2
| | | | | | | | | | | | | | | | | | | The rtld-audit interfaces introduces a slowdown due to enabling profiling instrumentation (as if LD_AUDIT implied LD_PROFILE). However, instrumenting is only necessary if one of audit libraries provides PLT callbacks (la_pltenter or la_pltexit symbols). Otherwise, the slowdown can be avoided. The following patch adjusts the logic that enables profiling to iterate over all audit modules and check if any of those provides a PLT hook. To keep la_symbind to work even without PLT callbacks, _dl_fixup now calls the audit callback if the modules implements it. Co-authored-by: Alexander Monakov <amonakov@ispras.ru> Checked on x86_64-linux-gnu, i686-linux-gnu, and aarch64-linux-gnu. Reviewed-by: Florian Weimer <fweimer@redhat.com>
* hurd: Fix static-PIE startupSamuel Thibault2021-12-281-0/+25
| | | | | | | | hurd initialization stages use RUN_HOOK to run various initialization functions. That is however using absolute addresses which need to be relocated, which is done later by csu. We can however easily make the linker compute relative addresses which thus don't need a relocation. The new SET_RELHOOK and RUN_RELHOOK macros implement this.
* malloc: Add THP/madvise support for sbrkAdhemerval Zanella2021-12-151-0/+8
| | | | | | | | | | To increase effectiveness with Transparent Huge Page with madvise, the large page size is use instead page size for sbrk increment for the main arena. Checked on x86_64-linux-gnu. Reviewed-by: DJ Delorie <dj@redhat.com>
* io: Refactor close_range and closefromAdhemerval Zanella2021-11-241-0/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | Now that Hurd implementis both close_range and closefrom (f2c996597d), we can make close_range() a base ABI, and make the default closefrom() implementation on top of close_range(). The generic closefrom() implementation based on __getdtablesize() is moved to generic close_range(). On Linux it will be overriden by the auto-generation syscall while on Hurd it will be a system specific implementation. The closefrom() now calls close_range() and __closefrom_fallback(). Since on Hurd close_range() does not fail, __closefrom_fallback() is an empty static inline function set by__ASSUME_CLOSE_RANGE. The __ASSUME_CLOSE_RANGE also allows optimize Linux __closefrom_fallback() implementation when --enable-kernel=5.9 or higher is used. Finally the Linux specific tst-close_range.c is moved to io and enabled as default. The Linuxism and CLOSE_RANGE_UNSHARE are guarded so it can be built for Hurd (I have not actually test it). Checked on x86_64-linux-gnu, i686-linux-gnu, and with a i686-gnu build.