about summary refs log tree commit diff
Commit message (Collapse)AuthorAgeFilesLines
...
* sys/mman.h: add MAP_HUGE_16KB from linux v5.10Szabolcs Nagy2021-02-151-0/+1
| | | | | | | see linux commit e47168f3d1b14af5281cf50c59561d59d28201f9 powerpc/8xx: Support 16k hugepages with 4k pages
* sys/mount.h: add MS_NOSYMFOLLOW from linux v5.10Szabolcs Nagy2021-02-151-0/+1
| | | | | | | | path resolution does not follow symlinks on nosymfollow mounts (but readlink still does), see linux commit dab741e0e02bd3c4f5e2e97be74b39df2523fc6e Add a "nosymfollow" mount option.
* sys/membarrier.h: add new constants from linux v5.10Szabolcs Nagy2021-02-151-0/+4
| | | | | | | | can cause rseq restart on another cpu to synchronize with global memory access from rseq critical sections, see linux commit 2a36ab717e8fe678d98f81c14a0b124712719840 rseq/membarrier: Add MEMBARRIER_CMD_PRIVATE_EXPEDITED_RSEQ
* bits/syscall.h: add process_madvise from linux v5.10Szabolcs Nagy2021-02-1516-0/+16
| | | | | | | | | mainly added to linux to allow a central process management service in android to give MADV_COLD|PAGEOUT hints for other processes, see linux commit ecb8ac8b1f146915aa6b96449b66dd48984caacc mm/madvise: introduce process_madvise() syscall: an external memory hinting API
* fix error return value for cuseridRich Felker2021-02-131-2/+3
| | | | | | | the historical function was specified to return an empty string in the caller-provided buffer, not a null pointer, to indicate error when the argument is non-null. only when the argument is null should it return a null pointer on error.
* fix misuse of getpwuid_r in cuseridRich Felker2021-02-131-1/+2
| | | | | | getpwuid_r can return 0 but without a result in the case where there was no error but no record exists. in that case cuserid was treating it as success and copying junk out of pw.pw_name to the output buffer.
* cuserid: don't return truncated resultsRich Felker2021-02-131-1/+5
| | | | checking the length also drops the need to pull in snprintf.
* cuserid: support invocation with a null pointer argumentSören Tempel2021-02-131-0/+2
| | | | | | this function was removed from the standard in 2001 but appeared in SUSv2 with an obligation to support calls with a null pointer argument, using a static buffer.
* riscv64: define ELF_NFPREGKhem Raj2021-02-121-0/+1
| | | | ELF_NFPREG is used by some userspace applications like gdb
* math: fix expm1f overflow thresholdSzabolcs Nagy2021-02-101-2/+1
| | | | | | | | | the threshold was wrong so expm1f overflowed to inf a bit too early and on most targets uint32_t compare is faster than float compare so use that. this also fixes sinhf incorrectly returning nan for some values where the internal expm1f overflowed.
* math: fix acoshf for negative inputsSzabolcs Nagy2021-02-101-4/+4
| | | | | | | | | | | | | | | | | | | | on some negative inputs (e.g. -0x1.1e6ae8p+5) acoshf failed to return nan. ensure that negative inputs result nan without introducing new branches. this was tried before in commit 101e6012856918440b5d7474739c3fc22a8d3b85 math: fix acoshf on negative values but that fix was wrong. there are 3 formulas used: log1p(x-1 + sqrt((x-1)*(x-1)+2*(x-1))) log(2*x - 1/(x+sqrt(x*x-1))) log(x) + 0.693147180559945309417232121458176568 the first fails on large negative inputs (may compute log1p(0) or log1p(inf)), the second one fails on some mid range or large negative inputs (may compute log(large) or log(inf)) and the last one fails on -0 (returns -inf).
* fix possible fd leak via missing O_CLOEXEC in pthread_setname_npÉrico Rolim2021-01-301-1/+1
| | | | | the omission of the flag here seems to have been an oversight when the function was added in 8fb28b0b3e7a5e958fb844722a4b2ef9bc244af1
* oldmalloc: preserve errno across freeRich Felker2021-01-301-0/+4
| | | | | | | | as an outcome of Austin Group issue #385, future versions of the standard will require free not to alter the value of errno. save and restore it individually around the calls to madvise and munmap so that the cost is not imposed on calls to free that do not result in any syscall.
* fix build regression in oldmallocRich Felker2021-01-301-1/+1
| | | | | | commit 8d37958d58cf36f53d5fcc7a8aa6d633da6071b2 inadvertently broke oldmalloc by having it implement __libc_malloc rather than __libc_malloc_impl.
* preserve errno across freeRich Felker2021-01-301-2/+10
| | | | | | | | as an outcome of Austin Group issue #385, future versions of the standard will require free not to alter the value of errno. save and restore it individually around the calls to madvise and munmap so that the cost is not imposed on calls to free that do not result in any syscall.
* fix inconsistent signature of __libc_start_mainRich Felker2021-01-301-1/+2
| | | | | | | | | | | | | | | | | | | | | | | commit 7586360badcae6e73f04eb1b8189ce630281c4b2 removed the unused arguments from the definition of __libc_start_main, making it incompatible with the declaration at the point of call, which still passed 6 arguments. calls with mismatched function type have undefined behavior, breaking LTO and any other tooling that checks for function signature mismatch. removing the extra arguments from the point of call (crt1) is not an option for fixing this, since that would be a change in ABI surface between application and libc. adding back the extra arguments requires some care. on archs that pass arguments on the stack or that reserve argument spill space for the callee on the stack, it imposes an ABI requirement on the caller to provide such space. the modern crt1.c entry point provides such space, but originally there was arch-specific asm for the call to __libc_start_main. the last of this asm was removed in commit 6fef8cafbd0f6f185897bc87feb1ff66e2e204e1, and manual review of the code removed and its prior history was performed to check that all archs/variants passed the legacy init/fini/ldso_fini arguments.
* fail posix_spawn file_actions operations with negative fdsRich Felker2021-01-304-0/+4
| | | | | | | | | | | these functions are specified to fail with EBADF on negative fd arguments. apart from close, they are also specified to fail if the value exceeds OPEN_MAX, but as written it is not clear that this imposes any requirement when OPEN_MAX is not defined, and it's undesirable to impose a dynamic limit (via setrlimit) here since the limit at the time of posix_spawn may be different from the limit at the time of setting up the file actions. this may require revisiting later.
* release 1.2.2 v1.2.2Rich Felker2021-01-142-1/+52
|
* fix VIDIOC_DQEVENT (v4l2) ioctl fallback for pre-5.6 kernelsRich Felker2020-12-141-1/+9
| | | | | | | | | | | | commit 2412638bb39eb799b2600393bbd71cca8ae96bb2 got the size of struct v4l2_event wrong and failed to account for the fact that the old struct might be either 120 bytes with time misaligned mod 8, or 128 bytes with time aligned mod 8, due to the contained union having 64-bit members whose alignment is arch-dependent. rather than adding new logic to handle the differences, use an actual stripped-down version of the structure in question to derive the ioctl number, size, and offsets.
* fix v4l2 buffer ioctl fallbacks for pre-5.6 kernelsArnd Bergmann2020-12-141-4/+4
| | | | | | | | commit 2412638bb39eb799b2600393bbd71cca8ae96bb2 got the size of struct v4l2_buffer wrong and omitted the tv_usec member slot from the offset list, so the ioctl numbers never matched and fallback code path was never taken. this caused the affected ioctls to fail with ENOTTY on kernels not new enough to have the native time64 ioctls.
* sh: fix incorrect mcontext_t member namingAriadne Conill2020-12-122-4/+13
| | | | | while the layouts match, the member member naming expected by software using mcontext_t omits the sc_ prefix.
* use libc-internal malloc for newlocale/freelocaleRich Felker2020-12-092-0/+10
| | | | | | | this is necessary for MT-fork correctness now that the code runs under locale lock. it would not be hard to avoid, but __get_locale is already using libc-internal malloc anyway. this can be reconsidered during locale overhaul later if needed.
* drop use of pthread_once in newlocaleRich Felker2020-12-091-9/+7
| | | | | | | in general, pthread_once is not compatible with MT-fork constraints (commit 167390f05564e0a4d3fcb4329377fd7743267560). here it actually no longer matters, because it's now called with a lock held, but since the lock is held it's pointless to use pthread_once.
* lift locale lock out of internal __get_localeRich Felker2020-12-094-18/+19
| | | | | | this allows the lock to be shared with setlocale, eliminates repeated per-category lock/unlock in newlocale, and will allow the use of pthread_once in newlocale to be dropped (to be done separately).
* fix misleading comment in strstrRich Felker2020-12-091-1/+1
| | | | | | | | the intent here is just to scan at least l bytes forward for the end of the haystack and at least some decent minimum to avoid doing it over and over if the needle is short, with no need to be precise. the comment erroneously stated this as an estimate for MIN when it's actually an estimate for MAX.
* drop use of pthread_once for aio thread stack size initRich Felker2020-12-081-10/+8
| | | | | | | | | | | | | pthread_once is not compatible with MT-fork constraints (commit 167390f05564e0a4d3fcb4329377fd7743267560) and is not needed here anyway; we already have a lock suitable for initialization. while changing this, fix a corner case where AT_MINSIGSTKSZ gives a value that's more than MINSIGSTKSZ but by a margin of less than 2048, thereby causing the size to be reduced. it shouldn't matter but the intent was to be the larger of a 2048-byte margin over the legacy fixed minimum stack requirement or a 512-byte margin over the minimum the kernel reports at runtime.
* fix omission of non-stub pthread_mutexattr_getprotocolRich Felker2020-12-071-1/+1
| | | | | | | this change should have been made when priority inheritance mutex support was added. if priority protection is also added at some point the implementation will need to change and will probably no longer be a simple bit shuffling.
* riscv64: fix inconsistent ucontext_t struct tagDrew DeVault2020-12-061-2/+2
| | | | | | ucontext.h depends on the internal struct tag name for namespacing reasons, and the intent was always for it to be consistent across archs anyway.
* fix failure to preserve r6 in s390x asm; per ABI it is call-savedRich Felker2020-12-042-0/+8
| | | | | | | | | | | | | | | | | | both __clone and __syscall_cp_asm failed to restore the original value of r6 after using it as a syscall argument register. the extent of breakage is not known, and in some cases may be mitigated by the only callers being internal to libc; if they used r6 but no longer needed its value after the call, they may not have noticed the problem. however at least posix_spawn (which uses __clone) was observed returning to the application with the wrong value in r6, leading to crash. since the call frame ABI already provides a place to spill registers, fixing this is just a matter of using it. in __clone, we also spuriously restore r6 in the child, since the parent branch directly returns to the caller. this takes the value from an uninitialized slot of the child's stack, but is harmless since there is no caller to return to in the child.
* s390x: derive float_t from compiler or default to floatMarius Hillenbrand2020-12-032-1/+9
| | | | | | | | | | | | | | | | | | | float_t should represent the type that is used to evaluate float expressions internally. On s390x, float_t is currently set to double. In contrast, the isa supports single-precision float operations and compilers by default evaluate float in single precision, which violates the C standard (sections 5.2.4.2.2 and 7.12 in C11/C17, to be precise). With -fexcess-precision=standard, gcc evaluates float in double precision, which aligns with the standard yet at the cost of added conversion instructions. gcc-11 will drop the special case to retrofit double precision behavior for -fexcess-precision=standard so that __FLT_EVAL_METHOD__ will be 0 on s390x in any scenario. To improve standards compliance and compatibility with future compiler direction, this patch changes the definition of float_t to be derived from the compiler's __FLT_EVAL_METHOD__.
* implement reallocarrayAriadne Conill2020-11-302-0/+14
| | | | | | | | reallocarray is an extension introduced by OpenBSD, which introduces calloc overflow checking to realloc. glibc 2.28 introduced support for this function behind _GNU_SOURCE, while glibc 2.29 allows its usage in _DEFAULT_SOURCE.
* implement realpath directly instead of using procfs readlinkRich Felker2020-11-301-23/+136
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | inability to use realpath in chroot/container without procfs access and at early boot prior to mount of /proc has been an ongoing issue, and it turns out realpath was one of the last remaining interfaces that needed procfs for its core functionality. during investigation while reimplementing, it was determined that there were also serious problems with the procfs-based implementation. most seriously it was unsafe on pre-O_PATH kernels, and unlike other places where O_PATH was used, the unsafety was hard or impossible to fix because O_NOFOLLOW can't be used (since the whole purpose was to follow symlinks). the new implementation is a direct one, performing readlink on each path component to resolve it. an explicit stack, as opposed to recursion, is used to represent the remaining components to be processed. the stack starts out holding just the input string, and reading a link pushes the link contents onto the stack. unlike many other implementations, this one does not call getcwd initially for relative pathnames. instead it accumulates initial .. components to be applied to the working directory if the result is still a relative path. this avoids calling getcwd (which may fail) at all when symlink traversal will eventually yield an absolute path. it also doesn't use any form of stat operation; instead it arranges for readlink to tell it when a non-directory is used in a context where a directory is needed. this minimizes the number of syscalls needed, avoids accessing inodes when the directory table suffices, and reduces the amount of code pulled in for static linking.
* fix mallocng regression in malloc_usable_size with null argumentDominic Chen2020-11-291-0/+1
| | | | | commit d1507646975cbf6c3e511ba07b193f27f032d108 added support for null argument in oldmalloc and was overlooked when switching to mallocng.
* configure: do not use obsolescent form of test -a|oIssam E. Maghni2020-11-291-3/+3
| | | | The -a and -o operators are obsolescent and not in baseline POSIX.
* fix segfault in lutimes when tv argument is NULLÉrico Rolim2020-11-291-5/+7
| | | | | | | calling lutimes with tv=0 is valid if the application wants to set the timestamps to the current time. this commit makes it so the timespec struct is populated with values from tv only if tv != 0 and calls utimensat with times=0 if tv == 0.
* netinet/in.h: add IP_RECVERR_4884 from linux v5.9Szabolcs Nagy2020-11-291-0/+1
| | | | | | | see linux commit eba75c587e811d3249c8bd50d22bb2266ccd3c0f icmp: support rfc 4884
* sys/fanotify.h: add new FAN_* macros from linux v5.9Szabolcs Nagy2020-11-291-0/+4
| | | | | | | | | | | | | | | | | Update fanotify.h, see linux commit 929943b38daf817f2e6d303ea04401651fc3bc05 fanotify: add support for FAN_REPORT_NAME linux commit 83b7a59896dd24015a34b7f00027f0ff3747972f fanotify: add basic support for FAN_REPORT_DIR_FID linux commit 08b95c338e0c5a96e47f4ca314ea1e7580ecb5d7 fanotify: remove event FAN_DIR_MODIFY FAN_DIR_MODIFY that was new in v5.7 is now removed from linux uapi, but kept in musl, so we don't break api, linux cannot reuse the value anyway.
* bits/syscall.h: add __NR_close_range from linux v5.9Szabolcs Nagy2020-11-2916-0/+16
| | | | | | | | | | see linux commit 9b4feb630e8e9801603f3cab3a36369e3c1cf88d arch: wire-up close_range() linux commit 278a5fbaed89dacd04e9d052f4594ffd0e0585de open: add close_range()
* add missing personality valuesWilliam Woodruff2020-11-291-0/+3
| | | | | | | Adds two missing personality(2) personas: UNAME26 and FDPIC_FUNCPTRS. FDPIC_FUNCPTRS was also missing its corresponding PER_LINUX_FDPIC value.
* arm fabs and sqrt: support single-precision-only fpu variantsJinliang Li2020-11-292-2/+2
|
* fix typo in INSTALLÉrico Rolim2020-11-291-1/+1
| | | | "big-engian" should be "big-endian".
* work around linux bug in readlink syscall with zero buffer sizeRich Felker2020-11-232-3/+17
| | | | | | | | | | linux fails with EINVAL when a zero buffer size is passed to the syscall. this is non-conforming because POSIX already defines EINVAL with a significantly different meaning: the target is not a symlink. since the request is semantically valid, patch it up by using a dummy buffer of length one, and truncating the return value to zero if it succeeds.
* parse v3 or future-unknown zoneinfo file versions as v2+Rich Felker2020-11-221-1/+1
| | | | | | | | the v1 zoneinfo format with 32-bit time is deprecated. previously, the v2 parsing code was only used if an exact match for '2' was found in the version field of the header. this was already incorrect for v3 files (trivial differences from v2 that arguably didn't merit a new version number anyway) but also failed to be future-proof.
* explicitly prefer 64-bit/v2 zoneinfo tablesRich Felker2020-11-221-1/+1
| | | | | | | | | since commit 38143339646a4ccce8afe298c34467767c899f51, the condition sizeof(time_t) > 4 is always true, so there is no functional change being made here. but semantically, the 64-bit tables should always be preferred now, because upstream zic (zoneinfo compiler) has quietly switched to emitting empty 32-bit tables by default, and the resulting backwards-incompatible zoneinfo files will be encountered in the wild.
* fix regression in pthread_exitRich Felker2020-11-202-1/+3
| | | | | | | | | | | | | | | commit d26e0774a59bb7245b205bc8e7d8b35cc2037095 moved the detach state transition at exit before the thread list lock was taken. this inadvertently allowed pthread_join to race to take the thread list lock first, and proceed with unmapping of the exiting thread's memory. we could fix this by just revering the offending commit and instead performing __vm_wait unconditionally before taking the thread list lock, but that may be costly. instead, bring back the old DT_EXITING vs DT_EXITED state distinction that was removed in commit 8f11e6127fe93093f81a52b15bb1537edc3fc8af, and don't transition to DT_EXITED (a value of 0, which is what pthread_join waits for) until after the lock has been taken.
* rewrite wcsnrtombs to fix buffer overflow and other bugsRich Felker2020-11-191-27/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | the original wcsnrtombs implementation, which has been largely untouched since 0.5.0, attempted to build input-length-limiting conversion on top of wcsrtombs, which only limits output length. as best I recall, this choice was made out of a mix of disdain over having yet another variant function to implement (added in POSIX 2008; not standard C) and preference not to switch things around and implement the wcsrtombs in terms of the more general new function, probably over namespace issues. the strategy employed was to impose output limits that would ensure the input limit wasn't exceeded, then finish up the tail character-at-a-time. unfortunately, none of that worked correctly. first, the logic in the wcsrtombs loop was wrong in that it could easily get stuck making no forward progress, by imposing an output limit too small to convert even one character. the character-at-a-time loop that followed was even worse. it made no effort to ensure that the converted multibyte character would fit in the remaining output space, only that there was a nonzero amount of output space remaining. it also employed an incorrect interpretation of wcrtomb's interface contract for converting the null character, thereby failing to act on end of input, and remaining space accounting was subject to unsigned wrap-around. together these errors allow unbounded overflow of the destination buffer, controlled by input length limit and input wchar_t string contents. given the extent to which this function was broken, it's plausible that most applications that would have been rendered exploitable were sufficiently broken not to be usable in the first place. however, it's also plausible that common (especially ASCII-only) inputs succeeded in the wcsrtombs loop, which mostly worked, while leaving the wildly erroneous code in the second loop exposed to particular non-ASCII inputs. CVE-2020-28928 has been assigned for this issue.
* protect destruction of process-shared mutexes against robust list racesRich Felker2020-11-191-1/+5
| | | | | | | | | | | | | | | after a non-normal-type process-shared mutex is unlocked, it's immediately available to another thread to lock, unlock, and destroy, but the first unlocking thread may still have a pointer to it in its robust_list pending slot. this means, on async process termination, the kernel may attempt to access and modify the memory that used to contain the mutex -- memory that may have been reused for some other purpose after the mutex was destroyed. setting up for this kind of race to occur is difficult to begin with, requiring dynamic use of shared memory maps, and actually hitting the race is very difficult even with a suitable setup. so this is mostly a theoretical fix, but in any case the cost is very low.
* pthread_exit: don't __vm_wait under thread list lockRich Felker2020-11-191-9/+15
| | | | | | | | | | | | | | | the __vm_wait operation can delay forward progress arbitrarily long if a thread holding the lock is interrupted by a signal. in a worst case this can deadlock. any critical section holding the thread list lock must respect lock ordering contracts and must not take any lock which is not AS-safe. to fix, move the determination of thread joinable/detached state to take place before the killlock and thread list lock are taken. this requires reverting the atomic state transition if we determine that the exiting thread is the last thread and must call exit, but that's easy to do since it's a single-threaded context with application signals blocked.
* lift child restrictions after multi-threaded forkRich Felker2020-11-1117-4/+170
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | as the outcome of Austin Group tracker issue #62, future editions of POSIX have dropped the requirement that fork be AS-safe. this allows but does not require implementations to synchronize fork with internal locks and give forked children of multithreaded parents a partly or fully unrestricted execution environment where they can continue to use the standard library (per POSIX, they can only portably use AS-safe functions). up until recently, taking this allowance did not seem desirable. however, commit 8ed2bd8bfcb4ea6448afb55a941f4b5b2b0398c0 exposed the extent to which applications and libraries are depending on the ability to use malloc and other non-AS-safe interfaces in MT-forked children, by converting latent very-low-probability catastrophic state corruption into predictable deadlock. dealing with the fallout has been a huge burden for users/distros. while it looks like most of the non-portable usage in applications could be fixed given sufficient effort, at least some of it seems to occur in language runtimes which are exposing the ability to run unrestricted code in the child as part of the contract with the programmer. any attempt at fixing such contracts is not just a technical problem but a social one, and is probably not tractable. this patch extends the fork function to take locks for all libc singletons in the parent, and release or reset those locks in the child, so that when the underlying fork operation takes place, the state protected by these locks is consistent and ready for the child to use. locking is skipped in the case where the parent is single-threaded so as not to interfere with legacy AS-safety property of fork in single-threaded programs. lock order is mostly arbitrary, but the malloc locks (including bump allocator in case it's used) must be taken after the locks on any subsystems that might use malloc, and non-AS-safe locks cannot be taken while the thread list lock is held, imposing a requirement that it be taken last.
* convert malloc use under libc-internal locks to use internal allocatorRich Felker2020-11-118-0/+41
| | | | | | | | | | | | | this change lifts undocumented restrictions on calls by replacement mallocs to libc functions that might take these locks, and sets the stage for lifting restrictions on the child execution environment after multithreaded fork. care is taken to #define macros to replace all four functions (malloc, calloc, realloc, free) even if not all of them will be used, using an undefined symbol name for the ones intended not to be used so that any inadvertent future use will be caught at compile time rather than directed to the wrong implementation.