about summary refs log tree commit diff
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* fix uninitialized/stale use of alloc (%m modifier) flag in scanfRich Felker2013-07-202-0/+4
| | | | | | | | | for conversion specifiers, alloc is always set when the specifier is parsed. however, if scanf stops due to mismatching literal text, either an uninitialized (if no conversions have been performed yet) or stale (from the previous conversion) of the flag will be used, possibly causing an invalid pointer to be passed to free when the function returns.
* harden realloc/free to detect simple overflowsRich Felker2013-07-191-0/+6
| | | | | | | | | | | the sizes in the header and footer for a chunk should always match. if they don't, the program has definitely invoked undefined behavior, and the most likely cause is a simple overflow, either of a buffer in the block being freed or the one just below it. crashing here should not only improve security of buggy programs, but also aid in debugging, since the crash happens in a context where you have a pointer to the likely-overflowed buffer.
* improve [f]stat[v]fs functions, and possibly work around old kernelsRich Felker2013-07-191-2/+5
| | | | | | | | | | | | | | | | | the main aim of this patch is to ensure that if not all fields are filled in, they contain zeros, so as not to confuse applications. reportedly some older kernels, including commonly used openvz kernels, lack the f_flags field, resulting in applications reading random junk as the mount flags; the common symptom seems to be wrongly considering the filesystem to be mounted read-only and refusing to operate. glibc has some amazingly ugly fallback code to get the mount flags for old kernels, but having them really is not that important anyway; what matters most is not presenting incorrect flags to the application. I have also aimed to fill in some fields of statvfs that were previously missing, and added code to explicitly zero the reserved space at the end of the structure, which will make things easier in the future if this space someday needs to be used.
* change uid_t, gid_t, and id_t to unsigned typesRich Felker2013-07-192-6/+20
| | | | | | | | | this change is both to fix one of the remaining type (and thus C++ ABI) mismatches with glibc/LSB and to allow use of the full range of uid and gid values, if so desired. passwd/group access functions were not prepared to deal with unsigned values, so they too have been fixed with this commit.
* make the dynamic linker find its path file relative to its own locationRich Felker2013-07-181-1/+20
| | | | | | | | | | | | | | | | | | | prior to this change, using a non-default syslibdir was impractical on systems where the ordinary library paths contain musl-incompatible library files. the file containing search paths was always taken from /etc, which would either correspond to a system-wide musl installation, or fail to exist at all, resulting in searching of the default library path. the new search strategy is safe even for suid programs because the pathname used comes from the PT_INTERP header of the program being run, rather than any external input. as part of this change, I have also begun differentiating the names of arch variants that differ by endianness or floating point calling convention. the corresponding changes in the build system and and gcc wrapper script (to use an alternate dynamic linker name) for these configurations have not yet been made.
* fix off-by-one error in checks for implementation-internal signal numbersRich Felker2013-07-183-3/+3
|
* make posix_spawn (and functions that use it) use CLONE_VFORK flagRich Felker2013-07-171-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | this is both a minor scheduling optimization and a workaround for a difficult-to-fix bug in qemu app-level emulation. from the scheduling standpoint, it makes no sense to schedule the parent thread again until the child has exec'd or exited, since the parent will immediately block again waiting for it. on the qemu side, as regular application code running on an underlying libc, qemu cannot make arbitrary clone syscalls itself without confusing the underlying implementation. instead, it breaks them down into either fork-like or pthread_create-like cases. it was treating the code in posix_spawn as pthread_create-like, due to CLONE_VM, which caused horribly wrong behavior: CLONE_FILES broke the synchronization mechanism, CLONE_SIGHAND broke the parent's signals, and CLONE_THREAD caused the child's exec to end the parent -- if it hadn't already crashed. however, qemu special-cases CLONE_VFORK and emulates that with fork, even when CLONE_VM is also specified. this also gives incorrect semantics for code that really needs the memory sharing, but posix_spawn does not make use of the vm sharing except to avoid momentary double commit charge. programs using posix_spawn (including via popen) should now work correctly under qemu app-level emulation.
* fix missing argument in variadic syscall macrosRich Felker2013-07-171-1/+1
| | | | | | for 0-argument syscalls (1 argument to the macro, the syscall number), the __SYSCALL_NARGS_X macro's ... argument was not satisfied. newer compilers seem to care about this.
* fix error code on time conversion overflowsRich Felker2013-07-174-4/+4
| | | | POSIX mandates EOVERFLOW for this condition.
* fix fd leak in file mapping code used in new zoneinfo supportRich Felker2013-07-171-1/+1
|
* the big time handling overhaulRich Felker2013-07-1718-348/+649
| | | | | | | | | | this commit has two major user-visible parts: zoneinfo-format time zones are now supported, and overflow handling is intended to be complete in the sense that all functions return a correct result if and only if the result fits in the destination type, and otherwise return an error. also, some noticable bugs in the way DST detection and normalization worked have been fixed, and performance may be better than before, but it has not been tested.
* fix omission of dtv setup in static linked programs on TLS variant I archsRich Felker2013-07-131-1/+1
| | | | | | | | | apparently this was never noticed before because the linker normally optimizes dynamic TLS models to non-dynamic ones when static linking, thus eliminating the calls to __tls_get_addr which crash when the dtv is missing. however, some libsupc++ code on ARM was calling __tls_get_addr when static linked and crashing. the reason is unclear to me, but with this issue fixed it should work now anyway.
* fix invalid library phdr pointers passed to callback from dl_iterate_phdrRich Felker2013-07-101-9/+16
| | | | | | | | | | | | map_library was saving pointers to an automatic-storage buffer rather than pointers into the mapping. this should be a fairly simple fix, but the patch here is slightly complicated by two issues: 1. supporting gratuitously obfuscated ELF files where the program headers are not right at the beginning of the file. 2. cleaning up the map_library function so that data isn't clobbered by the time we need it.
* fix a couple misleading/wrong signal descriptions in strsignalRich Felker2013-07-091-2/+2
| | | | | | | there are still several more that are misleading, but SIGFPE (integer division error misdescribed as floating point) and and SIGCHLD (possibly non-exit status change events described as exiting) were the worst offenders.
* add realtime signals to strsignalRich Felker2013-07-091-3/+19
| | | | | the name format RTnn/RTnnn was chosen to minimized bloat while uniquely identifying the signal.
* fix off-by-one array bound in strsignalRich Felker2013-07-091-1/+1
|
* fix bogus lazy allocation in ctermid and missing malloc failure checkRich Felker2013-07-091-10/+7
| | | | | | also clean up, optimize, and simplify the code, removing branches by simply pre-setting the result string to an empty string, which will be preserved if other operations fail.
* fix fd leak on races and cancellation in ctermidRich Felker2013-07-091-2/+3
|
* fix missing SOCK_CLOEXEC in various functions that use sockets internallyRich Felker2013-07-094-4/+4
|
* move core memalign code from aligned_alloc to __memalignRich Felker2013-07-043-49/+55
| | | | | | | | | | | | there are two motivations for this change. one is to avoid gratuitously depending on a C11 symbol for implementing a POSIX function. the other pertains to the documented semantics. C11 does not define any behavior for aligned_alloc when the length argument is not a multiple of the alignment argument. posix_memalign on the other hand places no requirements on the length argument. using __memalign as the implementation of both, rather than trying to implement one in terms of the other when their documented contracts differ, eliminates this confusion.
* move alignment check from aligned_alloc to posix_memalignRich Felker2013-07-042-1/+2
| | | | | | | | C11 has no requirement that the alignment be a multiple of sizeof(void*), and in fact seems to require any "valid alignment supported by the implementation" to work. since the alignment of char is 1 and thus a valid alignment, an alignment argument of 1 should be accepted.
* add stubs for additional legacy ether.h functionsRich Felker2013-07-011-0/+15
| | | | | | these would not be expensive to actually implement, but reading /etc/ethers does not sound like a particularly useful feature, so for now I'm leaving them as stubs.
* fix failure of mbsrtowcs to record stop position when dest is fullRich Felker2013-06-291-1/+4
|
* implement minimal dlinfo functionRich Felker2013-06-292-0/+20
|
* add some comments about the mips ksigaction structure weirdnessRich Felker2013-06-291-0/+3
|
* fix missing synchronization in calls from dynamic linker to global ctorsRich Felker2013-06-291-0/+4
| | | | | | | | | | | | | this change is needed to correctly handle the case where a constructor creates a new thread which calls dlopen. previously, the lock was not held in this case. the reason for the complex logic to avoid locking whenever possible is that, since the mutex is recursive, it will need to inspect the thread pointer to get the current thread's tid, and this requires initializing the thread pointer. we do not want non-multi-threaded programs to attempt to access the thread pointer unnecessarily; doing so could make them crash on ancient kernels that don't support threads but which may otherwise be capable of running the program.
* prevent shmget from allocating objects that overflow ptrdiff_tRich Felker2013-06-291-0/+2
| | | | | | | | | | | rather than returning an error, we have to increase the size argument so high that the kernel will have no choice but to fail. this is because POSIX only permits the EINVAL error for size errors when a new shared memory segment would be created; if it already exists, the size argument must be ignored. unfortunately Linux is non-conforming in this regard, but I want to keep the code correct in userspace anyway so that if/when Linux is fixed, the behavior applications see will be conforming.
* work around wrong kernel type for sem_nsems member of struct semid_dsRich Felker2013-06-281-0/+7
| | | | | | | | | | rejecting invalid values for n is fine even in the case where a new sem will not be created, since the kernel does its range checks on n even in this case as well. by default, the kernel will bound the limit well below USHRT_MAX anyway, but it's presumably possible that an administrator could override this limit and break things.
* implement week-based-year year numbers in strftimeRich Felker2013-06-281-27/+34
| | | | | | in the process, I refactored the week-number code so it can be used by the week-based-year formats to determine year adjustments at the boundary values. this also improves indention/code readability.
* fix breakage in last commit to strftime due to missing INT_MAXRich Felker2013-06-281-0/+1
| | | | | that's what I get for changing a hard-coded threshold to a proper non-magic-number without testing.
* implement week numbers and half of the week-based-year logic for strftimeRich Felker2013-06-281-3/+38
| | | | | | | | | output for plain week numbers (%U and %W) has been sanity-checked, and output for the week-based-year week numbers (%V) has been checked extensively against known-good data for the full non-negative range of 32-bit time_t. year numbers for week-based years (%g and %G) are not yet implemented.
* disallow creation of objects larger than PTRDIFF_MAX via mmapRich Felker2013-06-271-0/+5
| | | | | | | | | | | | | | internally, other parts of the library assume sizes don't overflow ssize_t and/or ptrdiff_t, and the way this assumption is made valid is by preventing creating of such large objects. malloc already does so, but the check was missing from mmap. this is also a quality of implementation issue: even if the implementation internally could handle such objects, applications could inadvertently invoke undefined behavior by subtracting pointers within an object. it is very difficult to guard against this in applications, so a good implementation should simply ensure that it does not happen.
* fix syscall argument bug in pthread_getschedparamRich Felker2013-06-261-1/+1
| | | | | the address of the pointer to the sched param, rather than the pointer, was being passed to the kernel.
* fix temp file leak in sem_open on successful creation of new semaphoreRich Felker2013-06-261-2/+2
|
* fix bug whereby sem_open leaked its own internal slots on failureRich Felker2013-06-261-3/+6
|
* in sem_open, don't leak vm mapping if fstat failsRich Felker2013-06-261-2/+2
| | | | | fstat should not fail under normal circumstances, so this fix is mostly theoretical.
* fix failure of pthread_setschedparam to pass correct param to kernelRich Felker2013-06-261-1/+1
| | | | | the address of the pointer, rather than the pointer, was being passed. this was probably a copy-and-paste error from corresponding get code.
* document in sysconf and unistd.h that per-thread cpu clocks existRich Felker2013-06-261-1/+1
|
* fix iconv conversion to legacy 8bit codepagesRich Felker2013-06-261-2/+2
| | | | | this seems to have been a simple copy-and-paste error from the code for converting from legacy codepages.
* remove useless conditional before free from dynamic linker path codeRich Felker2013-06-261-1/+1
|
* fix dynamic linker handling of empty path file or error reading path fileRich Felker2013-06-261-4/+3
| | | | | | | | | | | | | previously, the path string was being used despite being invalid. with this change, empty path file or error reading the path file is treated as an empty path. this is preferable to falling back to a default path, so that attacks to prevent reading of the path file could not result in loading incorrect and possibly dangerous (outdated or mismatching ABI) libraries from. the code to strip the final newline has also been removed; now that newline is accepted as a delimiter, it's harmless to leave it in place.
* make newline-delimited dynamic linker path file actually workRich Felker2013-06-251-1/+1
| | | | | | | apparently the original commit was never tested properly, since getline was only ever reading one line. the intent was to read the entire file, so use getdelim with the null byte as delimiter as a cheap way to read a whole file into memory.
* implement inet_lnaof, inet_netof, and inet_makeaddrRich Felker2013-06-255-39/+55
| | | | | | | | | also move all legacy inet_* functions into a single file to avoid wasting object file and compile time overhead on them. the added functions are legacy interfaces for working with classful ipv4 network addresses. they have no modern usefulness whatsoever, but some programs unconditionally use them anyway, and they're tiny.
* add ether_aton[_r] and ether_ntoa[_r] functionsRich Felker2013-06-251-0/+43
| | | | | | | based on patch by Strake with minor stylistic changes, and combined into a single file. this patch remained open for a long time due to some question as to whether ether_aton would be better implemented in terms of sscanf, and it's time something was committed, so here it is.
* fix scanf %c conversion wrongly storing a terminating null byteRich Felker2013-06-222-4/+8
| | | | | this seems to have been a regression from the refactoring which added the 'm' modifier.
* fix major scanf breakage with unbuffered streams, fmemopen, etc.Rich Felker2013-06-221-0/+1
| | | | | | | | | | | | | | | | | | | | | | | the shgetc api, used internally in scanf and int/float scanning code to handle field width limiting and pushback, was designed assuming that pushback could be achieved via a simple decrement on the file buffer pointer. this only worked by chance for regular FILE streams, due to the linux readv bug workaround in __stdio_read which moves the last requested byte through the buffer rather than directly back to the caller. for unbuffered streams and streams not using __stdio_read but some other underlying read function, the first character read could be completely lost, and replaced by whatever junk happened to be in the unget buffer. to fix this, simply have shgetc, when it performs an underlying read operation on the stream, store the character read at the -1 offset from the read buffer pointer. this is valid even for unbuffered streams, as they have an unget buffer located just below the start of the zero-length buffer. the check to avoid storing the character when it is already there is to handle the possibility of read-only buffers. no application-exposed FILE types are allowed to use read-only buffers, but sscanf and strto* may use them internally when calling functions which use the shgetc api.
* fix invalid access in aio notificationRich Felker2013-06-161-1/+1
| | | | | | | issue found and patch provided by Jens Gustedt. after the atomic store to the error code field of the aiocb, the application is permitted to free or reuse the storage, so further access is invalid. instead, use the local copy that was already made.
* fix uninitialized variable in lio (aio) codeRich Felker2013-06-161-1/+1
|
* improve the quality of output from rand_rRich Felker2013-06-121-1/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | due to the interface requirement of having the full state contained in a single object of type unsigned int, it is difficult to provide a reasonable-quality implementation; most good PRNGs are immediately ruled out because they need larger state. the old rand_r gave very poor output (very short period) in its lower bits; normally, it's desirable to throw away the low bits (as in rand()) when using a LCG, but this is not possible since the state is only 32 bits and we need 31 bits of output. glibc's rand_r uses the same LCG as musl's, but runs it for 3 iterations and only takes 10-11 bits from each iteration to construct the output value. this partially fixes the period issue, but introduces bias: not all outputs have the same frequency, and many do not appear at all. with such a low period, the bias is likely to be observable. I tried many approaches to "fix" rand_r, and the simplest I found which made it pass the "dieharder" tests was applying this transformation to the output. the "temper" function is taken from mersenne twister, where it seems to have been chosen for some rigorous properties; here, the only formal property I'm using is that it's one-to-one and thus avoids introducing bias. should further deficiencies in rand_r be reported, the obvious "best" solution is applying a 32-bit cryptographic block cipher in CTR mode. I identified several possible ciphers that could be used directly or adapted, but as they would be a lot slower and larger, I do not see a justification for using them unless the current rand_r proves deficient for some real-world use.
* support cputime clocks for processes/threads other than selfRich Felker2013-06-082-3/+7
| | | | | | | apparently these features have been in Linux for a while now, so it makes sense to support them. the bit twiddling seems utterly illogical and wasteful, especially the negation, but that's how the kernel folks chose to encode pids/tids into the clock id.