about summary refs log tree commit diff
path: root/include
Commit message (Collapse)AuthorAgeFilesLines
* Remove set-hooks.h from generic includesAdhemerval Zanella Netto2023-03-271-96/+0
| | | | | | | | | | | | | | The hooks mechanism uses symbol sets for running lists of functions, which requires either extra linker directives to provide any hardening (such as RELRO) or additional code (such as pointer obfuscation via mangling with random value). Currently only hurd uses set-hooks.h so we remove it from the generic includes. The generic implementation uses direct function calls which provide hardening and good code generation, observability and debugging without the need for extra linking options or special code handling. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* libio: Remove the usage of __libc_IO_vtablesAdhemerval Zanella Netto2023-03-271-6/+12
| | | | | | | | | | | | | | Instead of using a special ELF section along with a linker script directive to put the IO vtables within the RELRO section, the libio vtables are all moved to an array marked as data.relro (so linker will place in the RELRO segment without the need of extra directives). To avoid static linking namespace issues and including all vtable referenced objects, all required function pointers are set to weak alias. Checked on x86_64-linux-gnu, i686-linux-gnu, and aarch64-linux-gnu. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* Move libc_freeres_ptrs and libc_subfreeres to hidden/weak functionsAdhemerval Zanella Netto2023-03-272-73/+142
| | | | | | | | | | | | | | | | | | | | They are both used by __libc_freeres to free all library malloc allocated resources to help tooling like mtrace or valgrind with memory leak tracking. The current scheme uses assembly markers and linker script entries to consolidate the free routine function pointers in the RELRO segment and to be freed buffers in BSS. This patch changes it to use specific free functions for libc_freeres_ptrs buffers and call the function pointer array directly with call_function_static_weak. It allows the removal of both the internal macros and the linker script sections. Checked on x86_64-linux-gnu, i686-linux-gnu, and aarch64-linux-gnu. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* C2x scanf binary constant handlingJoseph Myers2023-03-022-2/+43
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | C2x adds binary integer constants starting with 0b or 0B, and supports those constants for the %i scanf format (in addition to the %b format, which isn't yet implemented for scanf in glibc). Implement that scanf support for glibc. As with the strtol support, this is incompatible with previous C standard versions, in that such an input string starting with 0b or 0B was previously required to be parsed as 0 (with the rest of the input potentially matching subsequent parts of the scanf format string). Thus this patch adds 12 new __isoc23_* functions per long double format (12, 24 or 36 depending on how many long double formats the glibc configuration supports), with appropriate header redirection support (generally very closely following that for the __isoc99_* scanf functions - note that __GLIBC_USE (DEPRECATED_SCANF) takes precedence over __GLIBC_USE (C2X_STRTOL), so the case of GNU extensions to C89 continues to get old-style GNU %a and does not get this new feature). The function names would remain as __isoc23_* even if C2x ends up published in 2024 rather than 2023. When scanf %b support is added, I think it will be appropriate for all versions of scanf to follow C2x rules for inputs to the %b format (given that there are no compatibility concerns for a new format). Tested for x86_64 (full glibc testsuite). The first version was also tested for powerpc (32-bit) and powerpc64le (stdio-common/ and wcsmbs/ tests), and with build-many-glibcs.py.
* string: Remove string_private.hAdhemerval Zanella2023-02-171-3/+0
| | | | | | Now that _STRING_ARCH_unaligned is not used anymore. Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
* resolv: Remove _STRING_ARCH_unaligned usageAdhemerval Zanella2023-02-171-36/+0
| | | | | | | | GCC with default implementation already generates optimized code. Checked on x86_64-linux-gnu and i686-linux-gnu. Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
* C2x strtol binary constant handlingJoseph Myers2023-02-163-7/+101
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | C2x adds binary integer constants starting with 0b or 0B, and supports those constants in strtol-family functions when the base passed is 0 or 2. Implement that strtol support for glibc. As discussed at <https://sourceware.org/pipermail/libc-alpha/2020-December/120414.html>, this is incompatible with previous C standard versions, in that such an input string starting with 0b or 0B was previously required to be parsed as 0 (with the rest of the string unprocessed). Thus, as proposed there, this patch adds 20 new __isoc23_* functions with appropriate header redirection support. This patch does *not* do anything about scanf %i (which will need 12 new functions per long double variant, so 12, 24 or 36 depending on the glibc configuration), instead leaving that for a future patch. The function names would remain as __isoc23_* even if C2x ends up published in 2024 rather than 2023. Making this change leads to the question of what should happen to internal uses of these functions in glibc and its tests. The header redirection (which applies for _GNU_SOURCE or any other feature test macros enabling C2x features) has the effect of redirecting internal uses but without those uses then ending up at a hidden alias (see the comment in include/stdio.h about interaction with libc_hidden_proto). It seems desirable for the default for internal uses to be the same versions used by normal code using _GNU_SOURCE, so rather than doing anything to disable that redirection, similar macro definitions to those in include/stdio.h are added to the include/ headers for the new functions. Given that the default for uses in glibc is for the redirections to apply, the next question is whether the C2x semantics are correct for all those uses. Uses with the base fixed to 10, 16 or any other value other than 0 or 2 can be ignored. I think this leaves the following internal uses to consider (an important consideration for review of this patch will be both whether this list is complete and whether my conclusions on all entries in it are correct): benchtests/bench-malloc-simple.c benchtests/bench-string.h elf/sotruss-lib.c math/libm-test-support.c nptl/perf.c nscd/nscd_conf.c nss/nss_files/files-parse.c posix/tst-fnmatch.c posix/wordexp.c resolv/inet_addr.c rt/tst-mqueue7.c soft-fp/testit.c stdlib/fmtmsg.c support/support_test_main.c support/test-container.c sysdeps/pthread/tst-mutex10.c I think all of these places are OK with the new semantics, except for resolv/inet_addr.c, where the POSIX semantics of inet_addr do not allow for binary constants; thus, I changed that file (to use __strtoul_internal, whose semantics are unchanged) and added a test for this case. In the case of posix/wordexp.c I think accepting binary constants is OK since POSIX explicitly allows additional forms of shell arithmetic expressions, and in stdlib/fmtmsg.c SEV_LEVEL is not in POSIX so again I think accepting binary constants is OK. Functions such as __strtol_internal, which are only exported for compatibility with old binaries from when those were used in inline functions in headers, have unchanged semantics; the __*_l_internal versions (purely internal to libc and not exported) have a new argument to specify whether to accept binary constants. As well as for the standard functions, the header redirection also applies to the *_l versions (GNU extensions), and to legacy functions such as strtoq, to avoid confusing inconsistency (the *q functions redirect to __isoc23_*ll rather than needing their own __isoc23_* entry points). For the functions that are only declared with _GNU_SOURCE, this means the old versions are no longer available for normal user programs at all. An internal __GLIBC_USE_C2X_STRTOL macro is used to control the redirections in the headers, and cases in glibc that wish to avoid the redirections - the function implementations themselves and the tests of the old versions of the GNU functions - then undefine and redefine that macro to allow the old versions to be accessed. (There would of course be greater complexity should we wish to make any of the old versions into compat symbols / avoid them being defined at all for new glibc ABIs.) strtol_l.c has some similarity to strtol.c in gnulib, but has already diverged some way (and isn't listed at all at https://sourceware.org/glibc/wiki/SharedSourceFiles unlike strtoll.c and strtoul.c); I haven't made any attempts at gnulib compatibility in the changes to that file. I note incidentally that inttypes.h and wchar.h are missing the __nonnull present on declarations of this family of functions in stdlib.h; I didn't make any changes in that regard for the new declarations added.
* string: Add libc_hidden_proto for memrchrAdhemerval Zanella2023-02-081-0/+1
| | | | | | | Although static linker can optimize it to local call, it follows the internal scheme to provide hidden proto and definitions. Reviewed-by: Carlos Eduardo Seo <carlos.seo@linaro.org>
* string: Add libc_hidden_proto for strchrnulAdhemerval Zanella2023-02-081-0/+1
| | | | | | | Although static linker can optimize it to local call, it follows the internal scheme to provide hidden proto and definitions. Reviewed-by: Carlos Eduardo Seo <carlos.seo@linaro.org>
* Linux: optimize clone3 internal usageAdhemerval Zanella Netto2023-02-011-0/+5
| | | | | | | | | | | | Add an optimization to avoid calling clone3 when glibc detects that there is no kernel support. It also adds __ASSUME_CLONE3, which allows skipping this optimization and issuing the clone3 syscall directly. It does not handle the the small window between 5.3 and 5.5 for posix_spawn (CLONE_CLEAR_SIGHAND was added in 5.5). Checked on x86_64-linux-gnu. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* linux: Add clone3 CLONE_CLEAR_SIGHAND optimization to posix_spawnAdhemerval Zanella Netto2023-02-011-0/+5
| | | | | | | | | | | | | | | | | The clone3 flag resets all signal handlers of the child not set to SIG_IGN to SIG_DFL. It allows to skip most of the sigaction calls to setup child signal handling, where previously a posix_spawn had to issue 2 times NSIG sigaction calls (one to obtain the current disposition and another to set either SIG_DFL or SIG_IGN). With POSIX_SPAWN_SETSIGDEF the child will setup the signal for the case where the disposition is SIG_IGN. The code must handle the fallback where clone3 is not available. This is done by splitting __clone_internal_fallback from __clone_internal. Checked on x86_64-linux-gnu. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* Linux: Do not align the stack for __clone3Adhemerval Zanella Netto2023-02-011-0/+3
| | | | | | | | | | All internal callers of __clone3 should provide an already aligned stack. Removing the stack alignment in __clone3 is a net gain: it simplifies the internal function contract (mask/unmask signals) along with the arch-specific code. Checked on x86_64-linux-gnu. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* linux: Extend internal clone3 documentationAdhemerval Zanella Netto2023-02-011-5/+19
| | | | | | | | | | | | Different than kernel, clone3 returns EINVAL for NULL struct clone_args or function pointer. This is similar to clone interface that return EINVAL for NULL function argument. It also clean up the Linux clone3.h interface, since it not currently exported. Checked on x86_64-linux-gnu. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* Prepare for glibc 2.37 release.Carlos O'Donell2023-01-311-1/+1
| | | | Update version.h, and include/features.h.
* doc: correct _FORTIFY_SOURCE doc in features.hfanquake2023-01-311-1/+2
|
* stdio-common: Handle -1 buffer size in __sprintf_chk & co (bug 30039)Florian Weimer2023-01-251-5/+14
| | | | | | | | | | | | | | | This shows up as an assertion failure when sprintf is called with a specifier like "%.8g" and libquadmath is linked in: Fatal glibc error: printf_buffer_as_file.c:31 (__printf_buffer_as_file_commit): assertion failed: file->stream._IO_write_ptr <= file->next->write_end Fix this by detecting pointer wraparound in __vsprintf_internal and saturate the addition to the end of the address space instead. Reviewed-by: Carlos O'Donell <carlos@redhat.com> Tested-by: Carlos O'Donell <carlos@redhat.com>
* Update copyright dates with scripts/update-copyrightsJoseph Myers2023-01-0644-44/+44
|
* libio: Convert __vswprintf_internal to buffers (bug 27857)Florian Weimer2022-12-191-0/+1
| | | | | | | Always null-terminate the buffer and set E2BIG if the buffer is too small. This fixes bug 27857. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* libio: Convert __obstack_vprintf_internal to buffers (bug 27124)Florian Weimer2022-12-191-0/+4
| | | | | | This fixes bug 27124 because the problematic built-in vtable is gone. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* libio: Convert __vdprintf_internal to buffersFlorian Weimer2022-12-191-0/+9
| | | | | | | | | The internal buffer size is set to 2048 bytes. This is less than the original BUFSIZ value used by buffered_vfprintf before the conversion, but it hopefully covers all cases where write boundaries matter. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* libio: Convert __vasprintf_internal to buffersFlorian Weimer2022-12-191-0/+9
| | | | | | | | | | The buffer resizing algorithm is slightly different. The initial buffer is on the stack, and small buffers are directly allocated on the heap using the exact required size. The overhead of the additional copy is compensated by the lowered setup cost for buffers compared to libio streams. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* libio: Convert __vsprintf_internal to buffersFlorian Weimer2022-12-191-0/+2
| | | | Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* stdio-common: Convert vfprintf and related functions to buffersFlorian Weimer2022-12-192-9/+64
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | vfprintf is entangled with vfwprintf (of course), __printf_fp, __printf_fphex, __vstrfmon_l_internal, and the strfrom family of functions. The latter use the internal snprintf functionality, so vsnprintf is converted as well. The simples conversion is __printf_fphex, followed by __vstrfmon_l_internal and __printf_fp, and finally __vfprintf_internal and __vfwprintf_internal. __vsnprintf_internal and strfrom* are mostly consuming the new interfaces, so they are comparatively simple. __printf_fp is a public symbol, so the FILE *-based interface had to preserved. The __printf_fp rewrite does not change the actual binary-to-decimal conversion algorithm, and digits are still not emitted directly to the target buffer. However, the staging buffer now uses bytes instead of wide characters, and one buffer copy is eliminated. The changes are at least performance-neutral in my testing. Floating point printing and snprintf improved measurably, so that this Lua script for i=1,5000000 do print(i, i * math.pi) end runs about 5% faster for me. To preserve fprintf performance for a simple "%d" format, this commit has some logic changes under LABEL (unsigned_number) to avoid additional function calls. There are certainly some very easy performance improvements here: binary, octal and hexadecimal formatting can easily avoid the temporary work buffer (the number of digits can be computed ahead-of-time using one of the __builtin_clz* built-ins). Decimal formatting can use a specialized version of _itoa_word for base 10. The existing (inconsistent) width handling between strfmon and printf is preserved here. __print_fp_buffer_1 would have to use __translated_number_width to achieve ISO conformance for printf. Test expectations in libio/tst-vtables-common.c are adjusted because the internal staging buffer merges all virtual function calls into one. In general, stack buffer usage is greatly reduced, particularly for unbuffered input streams. __printf_fp can still use a large buffer in binary128 mode for %g, though. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* stdio-common: Add __translated_number_widthFlorian Weimer2022-12-191-1/+12
| | | | | | | This function will be used to compute the width of a number after i18n digit translation. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* stdio-common: Add __printf_function_invokeFlorian Weimer2022-12-191-0/+10
| | | | | | | | | And __wprintf_function_invoke. These functions will be used to to call registered printf specifier callbacks on printf buffers after vfprintf and vfwprintf have been converted to buffers. The new implementation avoids alloca/variable length arrays. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* stdio-common: Introduce buffers for implementing printfFlorian Weimer2022-12-191-0/+291
| | | | | | | | | | | | | | | | | | | | | | | | | | These buffers will eventually be used instead of FILE * objects to implement printf functions. The multibyte buffer is struct __printf_buffer, the wide buffer is struct __wprintf_buffer. To enable writing type-generic code, the header files printf_buffer-char.h and printf_buffer-wchar_t.h define the Xprintf macro differently, enabling Xprintf (buffer) to stand for __printf_buffer and __wprintf_buffer as appropriate. For common cases, macros like Xprintf_buffer are provided as a more syntactically convenient shortcut. Buffer-specific flush callbacks are implemented with a switch statement instead of a function pointer, to avoid hardening issues similar to those of libio vtables. struct __printf_buffer_as_file is needed to support custom printf specifiers because the public interface for that requires passing a FILE *, which is why there is a trapdoor back from these buffers to FILE * streams. Since the immediate user of these interfaces knows when processing has finished, there is no flush callback for the end of processing, only a flush callback for the intermediate buffer flush. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* Define in_int32_t_range to check if the 64 bit time_t syscall should be usedYunQiang Su2022-11-171-1/+9
| | | | | | | | | | | | | | | | | Currently glibc uses in_time_t_range to detects time_t overflow, and if it occurs fallbacks to 64 bit syscall version. The function name is confusing because internally time_t might be either 32 bits or 64 bits (depending on __TIMESIZE). This patch refactors the in_time_t_range by replacing it with in_int32_t_range for the case to check if the 64 bit time_t syscall should be used. The in_time_t range is used to detect overflow of the syscall return value. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* Linux: Add ppoll fortify symbol for 64 bit time_t (BZ# 29746)Adhemerval Zanella2022-11-081-1/+4
| | | | | | | | | | | | | | | | | | | | Similar to ppoll, the poll.h header needs to redirect the poll call to a proper fortified ppoll with 64 bit time_t support. The implementation is straightforward, just need to add a similar check as __poll_chk and call the 64 bit time_t ppoll version. The debug fortify tests are also extended to cover 64 bit time_t for affected ABIs. Unfortunately it requires an aditional symbol, which makes backport tricky. One possibility is to add a static inline version if compiler supports is and call abort instead of __chk_fail, so fortified version will call __poll64 in the end. Another possibility is to just remove the fortify support for _TIME_BITS=64. Checked on i686-linux-gnu.
* Apply asm redirection in gmp.h before first useAdhemerval Zanella2022-11-071-12/+0
| | | | | | | | For clang the redeclaration after the first use, the visibility attribute is silently ignored (symbol is STV_DEFAULT) while the asm label attribute causes an error. Reviewed-by: Fangrui Song <maskray@google.com>
* allocate_once: Apply asm redirection before first useAdhemerval Zanella2022-11-011-4/+3
| | | | | | | Compilers may not be able to apply asm redirections to functions after these functions are used for the first time, e.g. clang 15. Reviewed-by: Fangrui Song <maskray@google.com>
* alloc_buffer: Apply asm redirection before first useAdhemerval Zanella2022-11-011-8/+15
| | | | | | | Compilers may not be able to apply asm redirections to functions after these functions are used for the first time, e.g. clang 15. Reviewed-by: Fangrui Song <maskray@google.com>
* Remove unused scratch_buffer_dupfreeSzabolcs Nagy2022-10-281-16/+0
| | | | | | | | | | | | Turns out scratch_buffer_dupfree internal API was unused since commit ef0700004bf0dccf493a5e8e21f71d9e7972ea9f stdlib: Simplify buffer management in canonicalize And the related test in malloc/tst-scratch_buffer had issues so it's better to remove it completely. Reviewed-by: Florian Weimer <fweimer@redhat.com>
* malloc: Use uintptr_t in alloc_bufferSzabolcs Nagy2022-10-281-5/+5
| | | | | | | The values represnt pointers and not sizes. The members of struct alloc_buffer are already uintptr_t. Reviewed-by: Florian Weimer <fweimer@redhat.com>
* hurd: Factorize at/non-at functionsSamuel Thibault2022-09-173-0/+7
| | | | | | | | | | | | | | | | | | Non-at functions can be implemented by just calling the corresponding at function with AT_FDCWD and zero at_flags. In the linkat case, the at behavior is different (O_NOLINK), so this introduces __linkat_common to pass O_NOLINK as appropriate. lstat functions can also be implemented with fstatat by adding __fstatat64_common which takes a flags parameter in addition to the at_flags parameter, In the end this factorizes chmod, chown, link, lstat64, mkdir, readlink, rename, stat64, symlink, unlink, utimes. This also makes __lstat, __lxstat64, __stat and __xstat64 directly use __fstatat64_common instead of __lstat64 or __stat64.
* Apply asm redirections in wchar.h before first useRaphael Moreira Zinsly2022-08-301-0/+1
| | | | | | | | | | | Similar to d0fa09a770, but for wchar.h. Fixes [BZ #27087] by applying all long double related asm redirections before using functions in bits/wchar2.h. Moves the function declarations from wcsmbs/bits/wchar2.h to a new file wcsmbs/bits/wchar2-decl.h that will be included first in wcsmbs/wchar.h. Tested with build-many-glibcs.py. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* resolv: Add DNS packet parsing helpers geared towards wire formatFlorian Weimer2022-08-301-0/+92
| | | | | | | | | | | | | | | | | | | | The public parser functions around the ns_rr record type produce textual domain names, but usually, this is not what we need while parsing DNS packets within glibc. This commit adds two new helper functions, __ns_rr_cursor_init and __ns_rr_cursor_next, for writing packet parsers, and struct ns_rr_cursor, struct ns_rr_wire as supporting types. In theory, it is possible to avoid copying the owner name into the rname field in __ns_rr_cursor_next, but this would need more functions that work on compressed names. Eventually, __res_context_send could be enhanced to preserve the result of the packet parsing that is necessary for matching the incoming UDP packets, so that this works does not have to be done twice. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* resolv: Add internal __ns_name_length_uncompressed functionFlorian Weimer2022-08-301-0/+8
| | | | | | | This function is useful for checking that the question name is uncompressed (as it should be). Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* resolv: Add the __ns_samebinaryname functionFlorian Weimer2022-08-301-0/+6
| | | | | | | | During packet parsing, only the binary name is available. If the name equality check is performed before conversion to text, we can sometimes skip the last step. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* resolv: Add internal __res_binary_hnok functionFlorian Weimer2022-08-301-0/+3
| | | | | | | | During package parsing, only the binary representation is available, and it is convenient to check that directly for conformance with host name requirements. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* assert: Do not use stderr in libc-internal assertFlorian Weimer2022-08-031-3/+9
| | | | | | | | | | | | | | | | | | | | Redirect internal assertion failures to __libc_assert_fail, based on based on __libc_message, which writes directly to STDERR_FILENO and calls abort. Also disable message translation and reword the error message slightly (adjusting stdlib/tst-bz20544 accordingly). As a result of these changes, malloc no longer needs its own redefinition of __assert_fail. __libc_assert_fail needs to be stubbed out during rtld dependency analysis because the rtld rebuilds turn __libc_assert_fail into __assert_fail, which is unconditionally provided by elf/dl-minimal.c. This change is not possible for the public assert macro and its __assert_fail function because POSIX requires that the diagnostic is written to stderr. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* stdio: Clean up __libc_message after unconditional abortFlorian Weimer2022-08-031-8/+1
| | | | | | | | | | | | Since commit ec2c1fcefb200c6cb7e09553f3c6af8815013d83 ("malloc: Abort on heap corruption, without a backtrace [BZ #21754]"), __libc_message always terminates the process. Since commit a289ea09ea843ced6e5277c2f2e63c357bc7f9a3 ("Do not print backtraces on fatal glibc errors"), the backtrace facility has been removed. Therefore, remove enum __libc_message_action and the action argument of __libc_message, and mark __libc_message as _No_return. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* Prepare for glibc 2.36 release.Carlos O'Donell2022-07-291-1/+1
| | | | Update version.h, and include/features.h.
* arc4random: simplify design for better safetyJason A. Donenfeld2022-07-271-3/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Rather than buffering 16 MiB of entropy in userspace (by way of chacha20), simply call getrandom() every time. This approach is doubtlessly slower, for now, but trying to prematurely optimize arc4random appears to be leading toward all sorts of nasty properties and gotchas. Instead, this patch takes a much more conservative approach. The interface is added as a basic loop wrapper around getrandom(), and then later, the kernel and libc together can work together on optimizing that. This prevents numerous issues in which userspace is unaware of when it really must throw away its buffer, since we avoid buffering all together. Future improvements may include userspace learning more from the kernel about when to do that, which might make these sorts of chacha20-based optimizations more possible. The current heuristic of 16 MiB is meaningless garbage that doesn't correspond to anything the kernel might know about. So for now, let's just do something conservative that we know is correct and won't lead to cryptographic issues for users of this function. This patch might be considered along the lines of, "optimization is the root of all evil," in that the much more complex implementation it replaces moves too fast without considering security implications, whereas the incremental approach done here is a much safer way of going about things. Once this lands, we can take our time in optimizing this properly using new interplay between the kernel and userspace. getrandom(0) is used, since that's the one that ensures the bytes returned are cryptographically secure. But on systems without it, we fallback to using /dev/urandom. This is unfortunate because it means opening a file descriptor, but there's not much of a choice. Secondly, as part of the fallback, in order to get more or less the same properties of getrandom(0), we poll on /dev/random, and if the poll succeeds at least once, then we assume the RNG is initialized. This is a rough approximation, as the ancient "non-blocking pool" initialized after the "blocking pool", not before, and it may not port back to all ancient kernels, though it does to all kernels supported by glibc (≥3.2), so generally it's the best approximation we can do. The motivation for including arc4random, in the first place, is to have source-level compatibility with existing code. That means this patch doesn't attempt to litigate the interface itself. It does, however, choose a conservative approach for implementing it. Cc: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org> Cc: Florian Weimer <fweimer@redhat.com> Cc: Cristian Rodríguez <crrodriguez@opensuse.org> Cc: Paul Eggert <eggert@cs.ucla.edu> Cc: Mark Harris <mark.hsj@gmail.com> Cc: Eric Biggers <ebiggers@kernel.org> Cc: linux-crypto@vger.kernel.org Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* stdlib: Add arc4random, arc4random_buf, and arc4random_uniform (BZ #4417)Adhemerval Zanella Netto2022-07-221-0/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The implementation is based on scalar Chacha20 with per-thread cache. It uses getrandom or /dev/urandom as fallback to get the initial entropy, and reseeds the internal state on every 16MB of consumed buffer. To improve performance and lower memory consumption the per-thread cache is allocated lazily on first arc4random functions call, and if the memory allocation fails getentropy or /dev/urandom is used as fallback. The cache is also cleared on thread exit iff it was initialized (so if arc4random is not called it is not touched). Although it is lock-free, arc4random is still not async-signal-safe (the per thread state is not updated atomically). The ChaCha20 implementation is based on RFC8439 [1], omitting the final XOR of the keystream with the plaintext because the plaintext is a stream of zeros. This strategy is similar to what OpenBSD arc4random does. The arc4random_uniform is based on previous work by Florian Weimer, where the algorithm is based on Jérémie Lumbroso paper Optimal Discrete Uniform Generation from Coin Flips, and Applications (2013) [2], who credits Donald E. Knuth and Andrew C. Yao, The complexity of nonuniform random number generation (1976), for solving the general case. The main advantage of this method is the that the unit of randomness is not the uniform random variable (uint32_t), but a random bit. It optimizes the internal buffer sampling by initially consuming a 32-bit random variable and then sampling byte per byte. Depending of the upper bound requested, it might lead to better CPU utilization. Checked on x86_64-linux-gnu, aarch64-linux, and powerpc64le-linux-gnu. Co-authored-by: Florian Weimer <fweimer@redhat.com> Reviewed-by: Yann Droneaud <ydroneaud@opteya.com> [1] https://datatracker.ietf.org/doc/html/rfc8439 [2] https://arxiv.org/pdf/1304.1916.pdf
* Apply asm redirections in stdio.h before first use [BZ #27087]Tulio Magno Quites Machado Filho2022-07-141-0/+1
| | | | | | | | | | | | | | | | | | | Compilers may not be able to apply asm redirections to functions after these functions are used for the first time, e.g. clang 13. Fix [BZ #27087] by applying all long double-related asm redirections before using functions in bits/stdio.h. However, as these asm redirections depend on the declarations provided by libio/bits/stdio2.h, this header was split in 2: - libio/bits/stdio2-decl.h contains all function declarations; - libio/bits/stdio2.h remains with the remaining contents, including redirections. This also adds the access attribute to __vsnprintf_chk that was missing. Tested with build-many-glibcs.py. Reviewed-by: Paul E. Murphy <murphyp@linux.ibm.com>
* libc-symbols.h: remove unused macrosFangrui Song2022-07-041-169/+0
| | | | | | | | | Beside weak_hidden_alias/declare_symbol_alias/hidden_data_ver, many *_hidden_* macros are removed. If there is a rare need to use one, one may write something like `#if IS_IN (libm)\nhidden_def (...)\n#endif` instead. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* misc: Optimize internal usage of __libc_single_threadedAdhemerval Zanella2022-06-242-0/+33
| | | | | | | | | | | | | | | By adding an internal alias to avoid the GOT indirection. On some architecture, __libc_single_thread may be accessed through copy relocations and thus it requires to update also the copies default copy. This is done by adding a new internal macro, libc_hidden_data_{proto,def}, which has an addition argument that specifies the alias name (instead of default __GI_ one). Checked on x86_64-linux-gnu and i686-linux-gnu. Reviewed-by: Fangrui Song <maskray@google.com>
* Add bounds check to __libc_ifunc_impl_listWilco Dijkstra2022-06-101-4/+4
| | | | | | | | | | | | Add a proper bounds check to __libc_ifunc_impl_list. This makes MAX_IFUNC redundant and fixes several targets that will write outside the array. To avoid unnecessary large diffs, pass the maximum in the argument 'i' to IFUNC_IMPL_ADD - 'max' can be used in new ifunc definitions and existing ones can be updated if desired. Passes buildmanyglibc. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* Fix deadlock when pthread_atfork handler calls pthread_atfork or dlcloseArjun Shankar2022-05-251-13/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In multi-threaded programs, registering via pthread_atfork, de-registering implicitly via dlclose, or running pthread_atfork handlers during fork was protected by an internal lock. This meant that a pthread_atfork handler attempting to register another handler or dlclose a dynamically loaded library would lead to a deadlock. This commit fixes the deadlock in the following way: During the execution of handlers at fork time, the atfork lock is released prior to the execution of each handler and taken again upon its return. Any handler registrations or de-registrations that occurred during the execution of the handler are accounted for before proceeding with further handler execution. If a handler that hasn't been executed yet gets de-registered by another handler during fork, it will not be executed. If a handler gets registered by another handler during fork, it will not be executed during that particular fork. The possibility that handlers may now be registered or deregistered during handler execution means that identifying the next handler to be run after a given handler may register/de-register others requires some bookkeeping. The fork_handler struct has an additional field, 'id', which is assigned sequentially during registration. Thus, handlers are executed in ascending order of 'id' during 'prepare', and descending order of 'id' during parent/child handler execution after the fork. Two tests are included: * tst-atfork3: Adhemerval Zanella <adhemerval.zanella@linaro.org> This test exercises calling dlclose from prepare, parent, and child handlers. * tst-atfork4: This test exercises calling pthread_atfork and dlclose from the prepare handler. [BZ #24595, BZ #27054] Co-authored-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* stdio-common: Move union printf_arg int <printf.h>Florian Weimer2022-05-241-0/+21
| | | | | | | The type does not depend on wide vs narrow preprocessor macros, so it does not need to be customized in stdio-common/printf-parse.h. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>