about summary refs log tree commit diff
path: root/sysdeps
Commit message (Collapse)AuthorAgeFilesLines
* Remove --enable-obsolete-rpc configure flagPetr Vorel2020-07-131-162/+0
| | | | | | | | | | | | | | | | | | | | | | Sun RPC was removed from glibc. This includes rpcgen program, librpcsvc, and Sun RPC headers. Also test for bug #20790 was removed (test for rpcgen). Backward compatibility for old programs is kept only for architectures and ABIs that have been added in or before version 2.28. libtirpc is mature enough, librpcsvc and rpcgen are provided in rpcsvc-proto project. NOTE: libnsl code depends on Sun RPC (installed libnsl headers use installed Sun RPC headers), thus --enable-obsolete-rpc was a dependency for --enable-obsolete-nsl (removed in a previous commit). The arc ABI list file has to be updated because the port was added with the sunrpc symbols Tested-by: Carlos O'Donell <carlos@redhat.com> Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* hurd: Fix build-many-glibcs.pyAdhemerval Zanella2020-07-133-0/+3
| | | | | | | | It fixes the issue report by Joseph [1]. Checked with a build-many-glibcs.py build for i686-gnu. [1] https://sourceware.org/pipermail/libc-alpha/2020-July/116134.html
* x86: Support usable check for all CPU featuresH.J. Lu2020-07-1363-732/+854
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Support usable check for all CPU features with the following changes: 1. Change struct cpu_features to struct cpuid_features { struct cpuid_registers cpuid; struct cpuid_registers usable; }; struct cpu_features { struct cpu_features_basic basic; struct cpuid_features features[COMMON_CPUID_INDEX_MAX]; unsigned int preferred[PREFERRED_FEATURE_INDEX_MAX]; ... }; so that there is a usable bit for each cpuid bit. 2. After the cpuid bits have been initialized, copy the known bits to the usable bits. EAX/EBX from INDEX_1 and EAX from INDEX_7 aren't used for CPU feature detection. 3. Clear the usable bits which require OS support. 4. If the feature is supported by OS, copy its cpuid bit to its usable bit. 5. Replace HAS_CPU_FEATURE and CPU_FEATURES_CPU_P with CPU_FEATURE_USABLE and CPU_FEATURE_USABLE_P to check if a feature is usable. 6. Add DEPR_FPU_CS_DS for INDEX_7_EBX_13. 7. Unset MPX feature since it has been deprecated. The results are 1. If the feature is known and doesn't requre OS support, its usable bit is copied from the cpuid bit. 2. Otherwise, its usable bit is copied from the cpuid bit only if the feature is known to supported by OS. 3. CPU_FEATURE_USABLE/CPU_FEATURE_USABLE_P are used to check if the feature can be used. 4. HAS_CPU_FEATURE/CPU_FEATURE_CPU_P are used to check if CPU supports the feature.
* x86: Remove __ASSEMBLER__ check in init-arch.hH.J. Lu2020-07-111-5/+1
| | | | | | | | | | | | | Since commit 430388d5dc0e1861b869096f4f5d946d7d74232a Author: H.J. Lu <hjl.tools@gmail.com> Date: Fri Aug 3 08:04:49 2018 -0700 x86: Don't include <init-arch.h> in assembly codes removed all usages of <init-arch.h> from assembly codes, we can remove __ASSEMBLER__ check in init-arch.h.
* x86: Remove the unused __x86_prefetchwH.J. Lu2020-07-115-24/+5
| | | | | | | | | | | | | Since commit c867597bff2562180a18da4b8dba89d24e8b65c4 Author: H.J. Lu <hjl.tools@gmail.com> Date: Wed Jun 8 13:57:50 2016 -0700 X86-64: Remove previous default/SSE2/AVX2 memcpy/memmove removed the only usage of __x86_prefetchw, we can remove the unused __x86_prefetchw.
* ARC: Build InfrastructureVineet Gupta2020-07-1014-0/+366
| | | | Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* ARC: ABI listsVineet Gupta2020-07-1018-0/+4671
| | | | Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* ARC: Linux Startup and Dynamic LoadingVineet Gupta2020-07-102-0/+116
| | | | | | | | A big shoutout to Cupertino Miranda <cmiranda@synopsys.com> for his valuable contribution in initial bringup and debugging on Linux and later in solving pesky unwinding/cancelation failures in testsuite. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* ARC: Linux ABIVineet Gupta2020-07-1013-0/+600
| | | | Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* ARC: Linux Syscall InterfaceVineet Gupta2020-07-1015-0/+941
| | | | Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* ARC: hardware floating point supportVineet Gupta2020-07-1020-0/+711
| | | | Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* ARC: math soft float supportVineet Gupta2020-07-105-0/+203
| | | | Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* ARC: Atomics and Locking primitivesVineet Gupta2020-07-101-0/+69
| | | | Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* ARC: Thread Local Storage supportVineet Gupta2020-07-105-0/+240
| | | | | | This includes all 4 TLS addressing models Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* ARC: startup and dynamic linking codeVineet Gupta2020-07-107-0/+591
| | | | | | Code for C runtime startup and dynamic loading including PLT layout. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* ARC: ABI ImplementationVineet Gupta2020-07-1017-0/+547
| | | | | | This code deals with the ARC ABI. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* powerpc64: Fix calls when r2 is not used [BZ #26173]Tulio Magno Quites Machado Filho2020-07-106-4/+49
| | | | | | | | | Teach the linker that __mcount_internal, __sigjmp_save_symbol, __syscall_error and __GI_exit do not use r2, so that it does not need to recover r2 after the call. Test at configure time if the assembler supports @notoc and define USE_PPC64_NOTOC.
* Update i686 libm-test-ulpsPatsy Franklin2020-07-091-21/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Without my ULP patch these 18 tests fail on i686: https://koji.fedoraproject.org/koji/taskinfo?taskID=46467301 + cat /proc/cpuinfo processor : 0 vendor_id : GenuineIntel cpu family : 6 model : 85 model name : Intel Xeon Processor (Cascadelake) FAIL: math/test-double-j0 FAIL: math/test-double-y0 FAIL: math/test-float-erfc FAIL: math/test-float-j0 FAIL: math/test-float-j1 FAIL: math/test-float-lgamma FAIL: math/test-float-tgamma FAIL: math/test-float-y0 FAIL: math/test-float32-erfc FAIL: math/test-float32-j0 FAIL: math/test-float32-j1 FAIL: math/test-float32-lgamma FAIL: math/test-float32-tgamma FAIL: math/test-float32-y0 FAIL: math/test-float32x-j0 FAIL: math/test-float32x-y0 FAIL: math/test-float64-j0 FAIL: math/test-float64-y0 With my ULP patch applied these tests now pass: https://koji.fedoraproject.org/koji/taskinfo?taskID=46436310
* linux: Fix syscall list generation instructionsMaciej W. Rozycki2020-07-091-1/+1
| | | | | | | | | | | Make the instructions for syscall list generation match Makefile and refer to `update-syscall-lists'; there has been no `update-arch-syscall' target. Also use single quotes around the command to stick to the ASCII character set. Fixes 4cf0d223052d ("Linux: Add tables with system call numbers"). Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
* sysv: linux: Add 64-bit time_t variant for shmctlAdhemerval Zanella2020-07-0914-49/+330
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To provide a y2038 safe interface a new symbol __shmctl64 is added and __shmctl is change to call it instead (it adds some extra buffer copying for the 32 bit time_t implementation). Two new structures are added: 1. kernel_shmid64_ds: used internally only on 32-bit architectures to issue the syscall. A handful of architectures (hppa, i386, mips, powerpc32, and sparc32) require specific implementations due to their kernel ABI. 2. shmid_ds64: this is only for __TIMESIZE != 64 to use along with the 64-bit shmctl. It is different than the kernel struct because the exported 64-bit time_t might require different alignment depending on the architecture ABI. So the resulting implementation does: 1. For 64-bit architectures it assumes shmid_ds already contains 64-bit time_t fields and will result in just the __shmctl symbol using the __shmctl64 code. The shmid_ds argument is passed as-is to the syscall. 2. For 32-bit architectures with default 64-bit time_t (newer ABIs such riscv32 or arc), it will also result in only one exported symbol but with the required high/low time handling. 3. Finally for 32-bit architecture with both 32-bit and 64-bit time_t support we follow the already set way to provide one symbol with 64-bit time_t support and implement the 32-bit time_t support using of the 64-bit one. The default 32-bit symbol will allocate and copy the shmid_ds over multiple buffers, but this should be deprecated in favor of the __shmctl64 anyway. Checked on i686-linux-gnu and x86_64-linux-gnu. I also did some sniff tests on powerpc, powerpc64, mips, mips64, armhf, sparcv9, and sparc64. Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Tested-by: Alistair Francis <alistair.francis@wdc.com> Tested-by: Carlos O'Donell <carlos@redhat.com> Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* sysvipc: Remove the linux shm-pad.h fileAdhemerval Zanella2020-07-0912-172/+198
| | | | | | | | | | | | | | Each architecture overrides the struct msqid_ds which its required kernel ABI one. Checked on x86_64-linux-gnu and some bases sysvipc tests on hppa, mips, mipsle, mips64, mips64le, sparc64, sparcv9, powerpc64le, powerpc64, and powerpc. Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Tested-by: Alistair Francis <alistair.francis@wdc.com> Tested-by: Carlos O'Donell <carlos@redhat.com> Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* sysvipc: Split out linux struct shmid_dsAdhemerval Zanella2020-07-093-33/+59
| | | | | | | | | | | | This will allow us to have architectures specify their own version. Not semantic changes expected. Checked with a build against the all affected ABIs. Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Tested-by: Alistair Francis <alistair.francis@wdc.com> Tested-by: Carlos O'Donell <carlos@redhat.com> Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* sysv: linux: Add 64-bit time_t variant for msgctlAdhemerval Zanella2020-07-0914-52/+349
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To provide a y2038 safe interface a new symbol __msgctl64 is added and __msgctl is change to call it instead (it adds some extra buffer coping for the 32 bit time_t implementation). Two new structures are added: 1. kernel_msqid64_ds: used internally only on 32-bit architectures to issue the syscall. A handful of architectures (hppa, i386, mips, powerpc32, and sparc32) require specific implementations due to their kernel ABI. 2. msqid_ds64: this is only for __TIMESIZE != 64 to use along with the 64-bit msgctl. It is different than the kernel struct because the exported 64-bit time_t might require different alignment depending on the architecture ABI. So the resulting implementation does: 1. For 64-bit architectures it assumes msqid_ds already contains 64-bit time_t fields and will result in just the __msgctl symbol using the __msgctl64 code. The msgid_ds argument is passed as-is to the syscall. 2. For 32-bit architectures with default 64-bit time_t (newer ABIs such riscv32 or arc), it will also result in only one exported symbol but with the required high/low time handling. 3. Finally for 32-bit architecture with both 32-bit and 64-bit time_t support we follow the already set way to provide one symbol with 64-bit time_t support and implement the 32-bit time_t support using the 64-bit time_t. The default 32-bit symbol will allocate and copy the msqid_ds over multiple buffers, but this should be deprecated in favor of the __msgctl64 anyway. Checked on i686-linux-gnu and x86_64-linux-gnu. I also did some sniff tests on powerpc, powerpc64, mips, mips64, armhf, sparcv9, and sparc64. Tested-by: Carlos O'Donell <carlos@redhat.com> Reviewed-by: Carlos O'Donell <carlos@redhat.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Tested-by: Alistair Francis <alistair.francis@wdc.com>
* sysvipc: Remove the linux msq-pad.h fileAdhemerval Zanella2020-07-0911-157/+210
| | | | | | | | | | | | | | Each architecture overrides the struct msqid_ds which its required kernel ABI one. Checked on x86_64-linux-gnu and some bases sysvipc tests on hppa, mips, mipsle, mips64, mips64le, sparc64, sparcv9, powerpc64le, powerpc64, and powerpc. Tested-by: Carlos O'Donell <carlos@redhat.com> Reviewed-by: Carlos O'Donell <carlos@redhat.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Tested-by: Alistair Francis <alistair.francis@wdc.com>
* sysvipc: Split out linux struct semid_dsAdhemerval Zanella2020-07-093-33/+58
| | | | | | | | | | | | This will allow us to have architectures specify their own version. Not semantic changes expected. Checked with a build against the all affected ABIs. Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Tested-by: Alistair Francis <alistair.francis@wdc.com> Reviewed-by: Carlos O'Donell <carlos@redhat.com> Tested-by: Carlos O'Donell <carlos@redhat.com>
* sysv: linux: Add 64-bit time_t variant for semctlAdhemerval Zanella2020-07-0916-64/+372
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Different than others 64-bit time_t syscalls, the SysIPC interface does not provide a new set of syscall for y2038 safeness. Instead it uses unused fields in semid_ds structure to return the high bits for the timestamps. To provide a y2038 safe interface a new symbol __semctl64 is added and __semctl is change to call it instead (it adds some extra buffer copying for the 32 bit time_t implementation). Two new structures are added: 1. kernel_semid64_ds: used internally only on 32-bit architectures to issue the syscall. A handful of architectures (hppa, i386, mips, powerpc32, sparc32) require specific implementations due their kernel ABI. 2. semid_ds64: this is only for __TIMESIZE != 64 to use along with the 64-bit semctl. It is different than the kernel struct because the exported 64-bit time_t might require different alignment depending on the architecture ABI. So the resulting implementation does: 1. For 64-bit architectures it assumes semid_ds already contains 64-bit time_t fields and will result in just the __semctl symbol using the __semctl64 code. The semid_ds argument is passed as-is to the syscall. 2. For 32-bit architectures with default 64-bit time_t (newer ABIs such riscv32 or arc), it will also result in only one exported symbol but with the required high/low handling. It might be possible to optimize it further to avoid the kernel_semid64_ds to semun transformation if the exported ABI for the architectures matches the expected kernel ABI, but the implementation is already complex enough and don't think this should be a hotspot in any case. 3. Finally for 32-bit architecture with both 32-bit and 64-bit time_t support we follow the already set way to provide one symbol with 64-bit time_t support and implement the 32-bit time_t support using the 64-bit one. The default 32-bit symbol will allocate and copy the semid_ds over multiple buffers, but this should be deprecated in favor of the __semctl64 anyway. Checked on i686-linux-gnu and x86_64-linux-gnu. I also did some sniff tests on powerpc, powerpc64, mips, mips64, armhf, sparcv9, and sparc64. Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Tested-by: Alistair Francis <alistair.francis@wdc.com> Tested-by: Vineet Gupta <vgupta@synopsys.com> Reviewed-by: Carlos O'Donell <carlos@redhat.com> Tested-by: Carlos O'Donell <carlos@redhat.com>
* rtld: Avoid using up static TLS surplus for optimizations [BZ #25051]Szabolcs Nagy2020-07-081-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | On some targets static TLS surplus area can be used opportunistically for dynamically loaded modules such that the TLS access then becomes faster (TLSDESC and powerpc TLS optimization). However we don't want all surplus TLS to be used for this optimization because dynamically loaded modules with initial-exec model TLS can only use surplus TLS. The new contract for surplus static TLS use is: - libc.so can have up to 192 bytes of IE TLS, - other system libraries together can have up to 144 bytes of IE TLS. - Some "optional" static TLS is available for opportunistic use. The optional TLS is now tunable: rtld.optional_static_tls, so users can directly affect the allocated static TLS size. (Note that module unloading with dlclose does not reclaim static TLS. After the optional TLS runs out, TLS access is no longer optimized to use static TLS.) The default setting of rtld.optional_static_tls is 512 so the surplus TLS is 3*192 + 4*144 + 512 = 1664 by default, the same as before. Fixes BZ #25051. Tested on aarch64-linux-gnu and x86_64-linux-gnu. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* rtld: Account static TLS surplus for audit modulesSzabolcs Nagy2020-07-081-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | The new static TLS surplus size computation is surplus_tls = 192 * (nns-1) + 144 * nns + 512 where nns is controlled via the rtld.nns tunable. This commit accounts audit modules too so nns = rtld.nns + audit modules. rtld.nns should only include the namespaces required by the application, namespaces for audit modules are accounted on top of that so audit modules don't use up the static TLS that is reserved for the application. This allows loading many audit modules without tuning rtld.nns or using up static TLS, and it fixes FAIL: elf/tst-auditmany Note that DL_NNS is currently a hard upper limit for nns, and if rtld.nns + audit modules go over the limit that's a fatal error. By default rtld.nns is 4 which allows 12 audit modules. Counting the audit modules is based on existing audit string parsing code, we cannot use GLRO(dl_naudit) before the modules are actually loaded.
* rtld: Add rtld.nns tunable for the number of supported namespacesSzabolcs Nagy2020-07-081-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | TLS_STATIC_SURPLUS is 1664 bytes currently which is not enough to support DL_NNS (== 16) number of dynamic link namespaces, if we assume 192 bytes of TLS are reserved for libc use and 144 bytes are reserved for other system libraries that use IE TLS. A new tunable is introduced to control the number of supported namespaces and to adjust the surplus static TLS size as follows: surplus_tls = 192 * (rtld.nns-1) + 144 * rtld.nns + 512 The default is rtld.nns == 4 and then the surplus TLS size is the same as before, so the behaviour is unchanged by default. If an application creates more namespaces than the rtld.nns setting allows, then it is not guaranteed to work, but the limit is not checked. So existing usage will continue to work, but in the future if an application creates more than 4 dynamic link namespaces then the tunable will need to be set. In this patch DL_NNS is a fixed value and provides a maximum to the rtld.nns setting. Static linking used fixed 2048 bytes surplus TLS, this is changed so the same contract is used as for dynamic linking. With static linking DL_NNS == 1 so rtld.nns tunable is forced to 1, so by default the surplus TLS is reduced to 144 + 512 = 656 bytes. This change is not expected to cause problems. Tested on aarch64-linux-gnu and x86_64-linux-gnu. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* Remove --enable-obsolete-nsl configure flagPetr Vorel2020-07-082-4/+0
| | | | | | | | | | | | | | | | | | | this means that *always* libnsl is only built as shared library for backward compatibility and the NSS modules libnss_nis and libnss_nisplus are not built at all, libnsl's headers aren't installed. This compatibility is kept only for architectures and ABIs that have been added in or before version 2.28. Replacement implementations based on TIRPC, which additionally support IPv6, are available from <https://github.com/thkukuk/>. This change does not affect libnss_compat which does not depended on libnsl since 2.27 and thus can be used without NIS. libnsl code depends on Sun RPC, e.g. on --enable-obsolete-rpc (installed libnsl headers use installed Sun RPC headers), which will be removed in the following commit.
* aarch64: redefine RETURN_ADDRESS to strip PACSzabolcs Nagy2020-07-081-0/+7
| | | | | | | | | | | | | | RETURN_ADDRESS is used at several places in glibc to mean a valid code address of the call site, but with pac-ret it may contain a pointer authentication code (PAC), so its definition is adjusted. This is gcc PR target/94891: __builtin_return_address should not expose signed pointers to user code where it can cause ABI issues. In glibc RETURN_ADDRESS is only changed if it is built with pac-ret. There is no detection for the specific gcc issue because it is hard to test and the additional xpac does not cause problems. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* aarch64: fix pac-ret support in _mcountSzabolcs Nagy2020-07-082-1/+13
| | | | | | | | | | | | | | | | | | | Currently gcc -pg -mbranch-protection=pac-ret passes signed return address to _mcount, so _mcount now has to always strip pac from the frompc since that's from user code that may be built with pac-ret. This is gcc PR target/94791: signed pointers should not escape and get passed across extern call boundaries, since that's an ABI break, but because existing gcc has this issue we work it around in glibc until that is resolved. This is compatible with a fixed gcc and it is a nop on systems without PAuth support. The bug was introduced in gcc-7 with -msign-return-address=non-leaf|all support which in gcc-9 got renamed to -mbranch-protection=pac-ret|pac-ret+leaf|standard. strip_pac uses inline asm instead of __builtin_aarch64_xpaclri since that is not a documented api and not available in all supported gccs. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* aarch64: Add pac-ret support to assembly filesSzabolcs Nagy2020-07-085-1/+47
| | | | | | | | | | | | Use return address signing in assembly files for functions that save LR when pac-ret is enabled in the compiler. The GNU property note for PAC-RET is not meaningful to the dynamic linker so it is not strictly required, but it may be used to track the security property of binaries. (The PAC-RET property is only set if BTI is set too because BTI implies working GNU property support.) Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* aarch64: configure check for pac-ret code generationSzabolcs Nagy2020-07-082-0/+60
| | | | | | | | | | | | | Return address signing requires unwinder support, which is present in libgcc since >=gcc-7, however due to bugs the support may be broken in <gcc-10 (and similarly there may be issues in custom unwinders), so pac-ret is not always safe to use. So in assembly code glibc should only use pac-ret if the compiler uses it too. Unfortunately there is no predefined feature macro for it set by the compiler so pac-ret is inferred from the code generation. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* aarch64: ensure objects are BTI compatibleSzabolcs Nagy2020-07-083-0/+11
| | | | | | | | | | | | | | | | | | | When glibc is built with branch protection (i.e. with a gcc configured with --enable-standard-branch-protection), all glibc binaries should be BTI compatible and marked as such. It is easy to link BTI incompatible objects by accident and this is silent currently which is usually not the expectation, so this is changed into a link error. (There is no linker flag for failing on BTI incompatible inputs so all warnings are turned into fatal errors outside the test system when building glibc with branch protection.) Unfortunately, outlined atomic functions are not BTI compatible in libgcc (PR libgcc/96001), so to build glibc with current gcc use 'CC=gcc -mno-outline-atomics', this should be fixed in libgcc soon and then glibc can be built and tested without such workarounds. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* aarch64: enable BTI at runtimeSudakshina Das2020-07-088-0/+161
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Binaries can opt-in to using BTI via an ELF object file marking. The dynamic linker has to then mprotect the executable segments with PROT_BTI. In case of static linked executables or in case of the dynamic linker itself, PROT_BTI protection is done by the operating system. On AArch64 glibc uses PT_GNU_PROPERTY instead of PT_NOTE to check the properties of a binary because PT_NOTE can be unreliable with old linkers (old linkers just append the notes of input objects together and add them to the output without checking them for consistency which means multiple incompatible GNU property notes can be present in PT_NOTE). BTI property is handled in the loader even if glibc is not built with BTI support, so in theory user code can be BTI protected independently of glibc. In practice though user binaries are not marked with the BTI property if glibc has no support because the static linked libc objects (crt files, libc_nonshared.a) are unmarked. This patch relies on Linux userspace API that is not yet in a linux release but in v5.8-rc1 so scheduled to be in Linux 5.8. Co-authored-by: Szabolcs Nagy <szabolcs.nagy@arm.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* aarch64: fix RTLD_START for BTISzabolcs Nagy2020-07-081-1/+4
| | | | | | | | | | | | | Tailcalls must use x16 or x17 for the indirect branch instruction to be compatible with code that uses BTI c at function entries. (Other forms of indirect branches can only land on BTI j.) Also added a BTI c at the ELF entry point of rtld, this is not strictly necessary since the kernel does not use indirect branch to get there, but it seems safest once building glibc itself with BTI is supported. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* aarch64: fix swapcontext for BTISzabolcs Nagy2020-07-081-2/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | setcontext returns to the specified context via an indirect jump, so there should be a BTI j. In case of getcontext (and all other returns_twice functions) the compiler adds BTI j at the call site, but swapcontext is a normal c call that is currently not handled specially by the compiler. So we change swapcontext such that the saved context returns to a local address that has BTI j and then swapcontext returns to the caller via a normal RET. For this we save the original return address in the slot for x1 of the context because x1 need not be preserved by swapcontext but it is restored when the context saved by swapcontext is resumed. The alternative fix (which is done on x86) would make swapcontext special in the compiler so BTI j is emitted at call sites, on x86 there is an indirect_return attribute for this, on AArch64 we would have to use returns_twice. It was decided against because such fix may need user code updates: the attribute has to be added when swapcontext is called via a function pointer and it breaks always_inline functions with swapcontext. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* aarch64: Add BTI support to assembly filesSudakshina Das2020-07-0810-1/+50
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | To enable building glibc with branch protection, assembly code needs BTI landing pads and ELF object file markings in the form of a GNU property note. The landing pads are unconditionally added to all functions that may be indirectly called. When the code segment is not mapped with PROT_BTI these instructions are nops. They are kept in the code when BTI is not supported so that the layout of performance critical code is unchanged across configurations. The GNU property notes are only added when there is support for BTI in the toolchain, because old binutils does not handle the notes right. (Does not know how to merge them nor to put them in PT_GNU_PROPERTY segment instead of PT_NOTE, and some versions of binutils emit warnings about the unknown GNU property. In such cases the produced libc binaries would not have valid ELF marking so BTI would not be enabled.) Note: functions using ENTRY or ENTRY_ALIGN now start with an additional BTI c, so alignment of the following code changes, but ENTRY_ALIGN_AND_PAD was fixed so there is no change to the existing code layout. Some string functions may need to be tuned for optimal performance after this commit. Co-authored-by: Szabolcs Nagy <szabolcs.nagy@arm.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* aarch64: Rename place holder .S files to .cSzabolcs Nagy2020-07-083-0/+0
| | | | | | | | The compiler can add required elf markings based on CFLAGS but the assembler cannot, so using C code for empty files creates less of a maintenance problem. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* aarch64: configure test for BTI supportSzabolcs Nagy2020-07-082-0/+61
| | | | | | | | | | | | | Check BTI support in the compiler and linker. The check also requires READELF that understands the BTI GNU property note. It is expected to succeed with gcc >=gcc-9 configured with --enable-standard-branch-protection and binutils >=binutils-2.33. Note: passing -mbranch-protection=bti in CFLAGS when building glibc may not be enough to get a glibc that supports BTI because crtbegin* and crtend* provided by the compiler needs to be BTI compatible too. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* Rewrite abi-note.S in C.Szabolcs Nagy2020-07-081-8/+0
| | | | | | | | Using C code allows the compiler to add target specific object file markings based on CFLAGS. The arm specific abi-note.S is removed and similar object file fix up will be avoided on AArch64 with standard branch protection.
* rtld: Clean up PT_NOTE and add PT_GNU_PROPERTY handlingSzabolcs Nagy2020-07-083-52/+22
| | | | | | | | | | | | | | | | | | | | | | Add generic code to handle PT_GNU_PROPERTY notes. Invalid content is ignored, _dl_process_pt_gnu_property is always called after PT_LOAD segments are mapped and it has no failure modes. Currently only one NT_GNU_PROPERTY_TYPE_0 note is handled, which contains target specific properties: the _dl_process_gnu_property hook is called for each property. The old _dl_process_pt_note and _rtld_process_pt_note differ in how the program header is read. The old _dl_process_pt_note is called before PT_LOAD segments are mapped and _rtld_process_pt_note is called after PT_LOAD segments are mapped. The old _rtld_process_pt_note is removed and _dl_process_pt_note is always called after PT_LOAD segments are mapped and now it has no failure modes. The program headers are scanned backwards so that PT_NOTE can be skipped if PT_GNU_PROPERTY exists. Co-Authored-By: H.J. Lu <hjl.tools@gmail.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* arm: CVE-2020-6096: Fix multiarch memcpy for negative length [BZ #25620]Alexander Anisimov2020-07-081-11/+11
| | | | | | Unsigned branch instructions could be used for r2 to fix the wrong behavior when a negative length is passed to memcpy. This commit fixes the armv7 version.
* arm: CVE-2020-6096: fix memcpy and memmove for negative length [BZ #25620]Evgeny Eremin2020-07-082-28/+20
| | | | | | Unsigned branch instructions could be used for r2 to fix the wrong behavior when a negative length is passed to memcpy and memmove. This commit fixes the generic arm implementation of memcpy amd memmove.
* hurd: Fix strerror not setting errnoSamuel Thibault2020-07-071-5/+11
| | | | | * sysdeps/mach/strerror_l.c: Include <errno.h>. (__strerror_l): Save errno on entry and restore it on exit.
* hurd: Evaluate fd before entering the critical sectionSamuel Thibault2020-07-071-1/+2
| | | | | * sysdeps/hurd/include/hurd/fd.h (HURD_FD_PORT_USE_CANCEL): Evaluate fd before calling _hurd_critical_section_lock.
* string: Add strerrorname_np and strerrordesc_npAdhemerval Zanella2020-07-0732-0/+66
| | | | | | | | | | | | | | | | | The strerrorname_np returns error number name (e.g. "EINVAL" for EINVAL) while strerrordesc_np returns string describing error number (e.g "Invalid argument" for EINVAL). Different than strerror, strerrordesc_np does not attempt to translate the return description, both functions return NULL for an invalid error number. They should be used instead of sys_errlist and sys_nerr, both are thread and async-signal safe. These functions are GNU extensions. Checked on x86-64-linux-gnu, i686-linux-gnu, powerpc64le-linux-gnu, and s390x-linux-gnu. Tested-by: Carlos O'Donell <carlos@redhat.com> Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* string: Add sigabbrev_np and sigdescr_npAdhemerval Zanella2020-07-0731-0/+62
| | | | | | | | | | | | | | | | | | The sigabbrev_np returns the abbreviated signal name (e.g. "HUP" for SIGHUP) while sigdescr_np returns the string describing the error number (e.g "Hangup" for SIGHUP). Different than strsignal, sigdescr_np does not attempt to translate the return description and both functions return NULL for an invalid signal number. They should be used instead of sys_siglist or sys_sigabbrev and they are both thread and async-signal safe. They are added as GNU extensions on string.h header (same as strsignal). Checked on x86-64-linux-gnu, i686-linux-gnu, powerpc64le-linux-gnu, and s390x-linux-gnu. Tested-by: Carlos O'Donell <carlos@redhat.com> Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* string: Simplify strerror_rAdhemerval Zanella2020-07-071-62/+5
| | | | | | | | | | | | Use snprintf instead of mempcpy plus itoa_word and remove unused definitions. There is no potential for infinite recursion because snprintf only use strerror_r for the %m specifier. Checked on x86-64-linux-gnu, i686-linux-gnu, powerpc64le-linux-gnu, and s390x-linux-gnu. Tested-by: Carlos O'Donell <carlos@redhat.com> Reviewed-by: Carlos O'Donell <carlos@redhat.com>