about summary refs log tree commit diff
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* fix missing bss handling in FDPIC ELF loaderRich Felker2015-10-281-0/+13
| | | | | | | | when a library being loaded has bss (i.e. data segment with p_memsz>p_filesz), this region needs to be zeroed with a combination of memset and/or mmap. the regular ELF loader always did this but the FDPIC code path omitted it, leading to objects in bss having uninitialized/junk contents.
* getnameinfo: make size check not fail for bigger sizesHauke Mehrtens2015-10-261-2/+2
| | | | | | | | | | | | | | | | getnameinfo() compares the size of the given struct sockaddr with sizeof(struct sockaddr_in) and sizeof(struct sockaddr_in6) depending on the net family. When you add a sockaddr of size sizeof(struct sockaddr_storage) this function will fail because the size of the sockaddr is too big. Change the check that it only fails if the size is too small, but make it work when it is too big for example when someone calls this function with a struct sockaddr_storage and its size. This fixes a problem with IoTivity 1.0.0 and musl. glibc and bionic are only failing if it is smaller, net/freebsd implemented the != check. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* safely handle failure to open hosts, services, resolv.conf filesRich Felker2015-10-263-4/+29
| | | | | | | | | | | | | | | | | | | | previously, transient failures like fd exhaustion or other resource-related errors were treated the same as non-existence of these files, leading to fallbacks or false-negative results. in particular: - failure to open hosts resulted in fallback to dns, possibly yielding EAI_NONAME for a hostname that should be defined locally, or an unwanted result from dns that the hosts file was intended to replace. - failure to open services resulted in EAI_SERVICE. - failure to open resolv.conf resulted in querying localhost rather than the configured nameservers. now, only permanent errors trigger the fallback behaviors above; all other errors are reportable to the caller as EAI_SYSTEM.
* fix single-byte overflow of malloc'd buffer in getdelimRich Felker2015-10-241-1/+1
| | | | | | | | | | the buffer enlargement logic here accounted for the terminating null byte, but not for the possibility of hitting the delimiter in the buffer-refill code path that uses getc_unlocked, in which case two additional bytes (the delimiter and the null termination) are written without another chance to enlarge the buffer. this patch and the corresponding bug report are by Felix Janda.
* declare fpu usage to the assembler in arm hard-float asm filesSzabolcs Nagy2015-10-195-0/+6
| | | | | | | Some armhf gcc toolchains (built with --with-float=hard but without --with-fpu=vfp*) do not pass -mfpu=vfp to the assembler and then binutils rejects the UAL mnemonics for VFP unless there is an .fpu vfp directive in the asm source.
* add missing memory barrier to pthread_joinBobby Bingham2015-10-151-0/+1
| | | | | | | POSIX requires pthread_join to synchronize memory on success. The futex wait inside __timedwait_cp cannot handle this because it's not called in all cases. Also, in the case of a spurious wake, tid can become zero between the wake and when the joining thread checks it.
* fix dladdr treatment of function descriptors for fdpicRich Felker2015-10-151-9/+22
| | | | | | | | | | | | | | when determining which module an address belongs to, all function descriptor ranges must be checked first, in case the allocated memory falls inside another module's memory range. dladdr itself must also check addresses against function descriptors before doing a best-match search against the symbol table. even when doing the latter (e.g. for code addresses obtained from mcontext_t), also check whether the best-match was a function, and if so, replace the result with a function descriptor address. which is the nominal "base address" of the function and which the caller needs if it intends to subsequently call the matching function.
* fix visibility mismatch in dynamic linker stage 2 function definitionRich Felker2015-10-151-0/+1
| | | | | | | | | | | | | | | since commits 2907afb8dbd4c1d34825c3c9bd2b41564baca210 and 6fc30c2493fcfedec89e45088bea87766a1e3286, __dls2 is no longer called via symbol lookup, but instead uses relative addressing that needs to be resolved at link time. on some linker versions, and/or if -Bsymbolic-functions is not used, the linker may leave behind a dynamic relocation, which is not suitable for bootstrapping the dynamic linker, if the reference to __dls2 is marked hidden but the definition is not actually hidden. correcting the definition to use hidden visibility fixes the problem. the static-PIE entry point rcrt1 was likewise affected and is also fixed by this patch.
* fix strftime handling of out-of-range struct tm fieldsRich Felker2015-10-141-8/+12
| | | | | | | | | | strftime results are unspecified in this case, but should not invoke undefined behaviour. tm_wday, tm_yday, tm_mon and tm_year fields were used in signed int arithmetic that could overflow. based on patch by Szabolcs Nagy.
* fix integer overflows in time_t/struct tm conversion codeRich Felker2015-10-081-3/+3
| | | | | | | | | | as found and reported by Brian Mastenbrook, the expressions 400*qc_cycles and years+100 in __secs_to_tm were both subject to integer overflow for extreme values of the input t. this patch by Szabolcs Nagy fixes the code by switching to larger types, and matches the original intent I had in mind when writing this code.
* fix open_[w]memstream behavior when no writes take placeRich Felker2015-10-082-4/+18
| | | | | | | | | | | | | the specification for these functions requires that the buffer/size exposed to the caller be valid after any successful call to fflush or fclose on the stream. the implementation's approach is to update them only at flush time, but that misses the case where fflush or fclose is called without any writes having taken place, in which case the write flushing callback will not be called. to fix both the observable bug and the desired invariant, setup empty buffers at open time and fail the open operation if no memory is available.
* make nl_langinfo(CODESET) always return "ASCII" in byte-based C localeRich Felker2015-10-011-1/+1
| | | | | | | | | | | | | | | | | | | | | commit 844212d94f582c4e3c5055e0a1524931e89ebe76, which did not make it into any releases, changed nl_langinfo(CODESET) to always return "UTF-8", even in the byte-based C locale. this was problematic because application software was found to use the string match for "UTF-8" to activate its own UTF-8 processing. this both undermines the byte-based functionality of the C locale, and if mixed with with calls to the standard multibyte functions, which happened in practice, could result in severe mis-handling of input. the motive for the previous change was that, to avoid widespread compatibility problems, the string returned by nl_langinfo(CODESET) needs to be accepted by iconv and by third-party character conversion code. thus, the only remaining choice is "ASCII". this choice accurately represents the intent that high bytes do not have individual meaning in the C locale, but it does mean that iconv, when passed nl_langinfo(CODESET) in the C locale, will produce errors in cases where mbrtowc would have succeeded. for reference, glibc behaves similarly in this regard, so I don't think it will be a problem.
* fix mips fesetround failure to write back resulting modeRich Felker2015-10-011-0/+1
| | | | patch by Anand Takale.
* eliminate protected-visibility data in libc.so with vis.h preincludeRich Felker2015-09-291-0/+3
| | | | | | | | | | | | | | | some newer binutils versions print scary warnings about protected data because most gcc versions fail to produce the right address references/relocations for such data that might be subject to copy relocations. originally vis.h explicitly assigned default visibility to all public data symbols to avoid this issue, but commit b8dda24fe1caa901a99580f7a52defb95aedb67c removed this treatment for stdin/out/err to work around a gcc 3.x bug, and since they don't actually need it (because taking their addresses is not valid C). instead, a check for the gcc 3.x bug is added to the configure check for vis.h preinclude support; this feature will simply be disabled when using a buggy version of gcc.
* avoid attempting to lookup IP literals as hostnamesRich Felker2015-09-251-27/+32
| | | | | | | | | | | | | | | | previously, __lookup_ipliteral only checked its argument against the requested address family, so IPv4 literals passed through to __lookup_name if the caller asked for only IPv6 results, and likewise for IPv6 literals when the caller asked for only IPv4. this resulted in spurious DNS lookups that reportedly even succeeded with some nameservers. now, __lookup_ipliteral attempts to parse its argument as both IPv4 and IPv6, and returns an error (to stop further search) rather than 0 (no results yet) if the form of the argument mismatches the requested address family. based on patch by Julien Ramseier.
* make getaddrinfo return error if both host and service name are nullRich Felker2015-09-251-0/+2
| | | | | | this case is specified as a mandatory ("shall fail") error. based on patch by Julien Ramseier.
* fix localeconv field value for unavailable valuesRich Felker2015-09-241-14/+15
| | | | | | | per ISO C, CHAR_MAX, not -1, is the value used to indicate that a char field in struct lconv is unavailable. patch by Julien Ramseier.
* avoid reading uninitialized memory in __map_fileSzabolcs Nagy2015-09-241-2/+3
| | | | | | | The value of *size is not relevant in case of failure, but it's better not to copy garbage from the stack into it. (The compiler cannot see through the syscall, so optimization was not affected by the unspecified value).
* regcomp: propagate allocation failuresSzabolcs Nagy2015-09-241-1/+2
| | | | The error code of an allocating function was not checked in tre_add_tag.
* fix signal return for sh/fdpicRich Felker2015-09-233-4/+2
| | | | | | | | | | | | | | | | the restorer function pointer provided in the kernel sigaction structure is interpreted by the kernel as a raw code address, not a function descriptor. this commit moves the declarations of the __restore and __restore_rt symbols to ksigaction.h so that arch versions of the file can override them, and introduces a version for sh which declares them as objects rather than functions. an alternate solution would have been defining SA_RESTORER to 0 so that the functions are not used, but this both requires executable stack (since the sh kernel does not have a vdso page with permanent restorer functions) and crashes on qemu user-level emulation.
* fix dlsym RTLD_NEXT behavior for fdpicRich Felker2015-09-221-4/+28
| | | | | | | | | | | | | | lookup the dso an address falls in based on the loadmap and not just a base/length. fix the main app's fake loadmap used when loaded by a non-fdpic-aware loader so that it does not cover the whole memory space. function descriptor addresses are also matched for future use by dladdr, but reverse lookups of function descriptors via dladdr have not been implemented yet. some revisions may be needed in the future once reclaim_gaps supports fdpic, so that function descriptors allocated in reclaimed heap space do not get detected as belonging to the module whose gaps they were allocated in.
* fix dlsym lookup of function symbols on fdpicRich Felker2015-09-221-0/+6
| | | | | | | | | | | | | | previously these resolved to the code address rather than the address of the function descriptor. the conditions for accepting or rejecting symbols are quite inconsistent between the different points in the dynamic linker code where such decisions are made. this commit attempts to be at least as correct as anything already there, but does not improve consistency. it has been tested to correctly avoid symbols that are merely references to functions defined in other modules, at least in simple usage, but at some point all symbol lookup logic should be reviewed and refactored/unified.
* move calls to application init functions after crt1 entry pointRich Felker2015-09-222-1/+8
| | | | | | | | | | | | | | this change is needed to be compatible with fdpic, where some of the main application's relocations may be performed as part of the crt1 entry point. if we call init functions before passing control, these relocations will not yet have been performed, and the init code will potentially make use of invalid pointers. conceptually, no code provided by the application or third-party libraries should run before the application entry point. the difference is not observable to programs using the crt1 we provide, but it could come into play if custom entry point code is used, so it's better to be doing this right anyway.
* fix breakage in non-fdpic dynamic linker init/fini processingRich Felker2015-09-221-1/+1
| | | | | a mistaken #ifdef instead of #if caused conversion of code addresses to function descriptors to be performed even on non-fdpic.
* fix resolving interp string address on fdpic ldd commandRich Felker2015-09-221-2/+1
|
* add real fdpic loading of shared librariesRich Felker2015-09-222-9/+58
| | | | | | previously, the normal ELF library loading code was used even for fdpic, so only the kernel-loaded dynamic linker and main app could benefit from separate placement of segments and shared text.
* add general fdpic support in dynamic linker and arch support for shRich Felker2015-09-223-14/+202
| | | | | | | | | | | | | | | | | | at this point not all functionality is complete. the dynamic linker itself, and main app if it is also loaded by the kernel, take advantage of fdpic and do not need constant displacement between segments, but additional libraries loaded by the dynamic linker follow normal ELF semantics for mapping still. this fully works, but does not admit shared text on nommu. in terms of actual functional correctness, dlsym's results are presently incorrect for function symbols, RTLD_NEXT fails to identify the caller correctly, and dladdr fails almost entirely. with the dynamic linker entry point working, support for static pie is automatically included, but linking the main application as ET_DYN (pie) probably does not make sense for fdpic anyway. ET_EXEC is equally relocatable but more efficient at representing relocations.
* factor symbol counting out of dladdr as its own functionRich Felker2015-09-211-19/+20
| | | | | | | | | | | | | the fdpic code will need to count symbols, and it may be useful elsewhere in the future too. counting is trivial as long as sysv hash is present, but for gnu-hash-only libraries it's complex. the behavior of the count is changed slightly: we now include symbols that are not accessible by the gnu hash table in the count. this may make dladdr slightly slower. if this is a problem, dladdr can subtract out the part that should not be accessible. unlike in the old code, subtracting this out is easy even in the fast path where sysv hash is available too.
* simplify dlstart code by using integer type for base addressRich Felker2015-09-211-8/+7
|
* refactor some more dynamic linker load address computationsRich Felker2015-09-171-7/+7
| | | | these were just missed in the previous commits.
* remove some useless casts in dynamic linkerRich Felker2015-09-171-2/+2
|
* add fdpic structs and reloc types for dynamic linkingRich Felker2015-09-171-0/+16
|
* further refactoring of dynamic linker load address computationsRich Felker2015-09-171-2/+2
| | | | | | | these are in do_relocs. the first one was omitted in commit 301335a80b85f12c018e4acf1a2c28615e119f8d because it slightly changes code (using dso->base rather than cached local var base) and would have prevented easy verification. the other was an oversight.
* begin refactoring load address computations in dynamic linkerRich Felker2015-09-171-19/+22
| | | | | | | | | | | | | for ordinary ELF with fixed segment displacements, load address computation is simply adding the base load address. but for FDPIC, each segment has its own load address, and virtual addresses need to be adjusted according to the segment they fall in. abstracting this computation is the first step to making the dynamic linker ready for FDPIC. for this first commit, a macro is used rather than a function in order to facilitate correctness checking. I have verified that the generated code does not change on my i386 build.
* remove old dlstart stage-2 symbolic lookup code; add new genericRich Felker2015-09-171-14/+8
| | | | | | | | | | | | | | this new generic version of the stage-2 function lookup should work for any arch where static data is accessible via got-relative or pc-relative addressing, using approximately the technique described in the log message for commit 2907afb8dbd4c1d34825c3c9bd2b41564baca210. since all the mips-like archs that need got slots fo access static data have already transitioned to the new stage chaining scheme, the old dynamic symbol lookup code is now removed. aarch64, arm, and sh have not yet transitioned; with this commit, they are now using the new generic code.
* introduce new symbol-lookup-free rcrt1/dlstart stage chainingRich Felker2015-09-171-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | previously, the call into stage 2 was made by looking up the symbol name "__dls2" (which was chosen short to be easy to look up) from the dynamic symbol table. this was no problem for the dynamic linker, since it always exports all its symbols. in the case of the static pie entry point, however, the dynamic symbol table does not contain the necessary symbol unless -rdynamic/-E was used when linking. this linking requirement is a major obstacle both to practical use of static-pie as a nommu binary format (since it greatly enlarges the file) and to upstream toolchain support for static-pie (adding -E to default linking specs is not reasonable). this patch replaces the runtime symbolic lookup with a link-time lookup via an inline asm fragment, which reloc.h is responsible for providing. in this initial commit, the asm is provided only for i386, and the old lookup code is left in place as a fallback for archs that have not yet transitioned. modifying crt_arch.h to pass the stage-2 function pointer as an argument was considered as an alternative, but such an approach would not be compatible with fdpic, where it's impossible to compute function pointers without already having performed relocations. it was also deemed desirable to keep crt_arch.h as simple/minimal as possible. in principle, archs with pc-relative or got-relative addressing of static variables could instead load the stage-2 function pointer from a static volatile object. that does not work for fdpic, and is not safe against reordering on mips-like archs that use got slots even for static functions, but it's a valid on i386 and many others, and could provide a reasonable default implementation in the future.
* provide arch-generic fdpic self-relocation code for crt1 to useRich Felker2015-09-121-0/+28
| | | | | this file is intended to be included by crt_arch.h on fdpic-based targets and needs to be called from the entry point asm.
* make sh clone asm fdpic-compatibleRich Felker2015-09-121-3/+9
| | | | | | | | | | | clone calls back to a function pointer provided by the caller, which will actually be a pointer to a function descriptor on fdpic. the obvious solution is to have a separate version of clone for fdpic, but I have taken a simpler approach to go around the problem. instead of calling the pointed-to function from asm, a direct call is made to an internal C function which then calls the pointed-to function. this lets the C compiler generate the appropriate calling convention for an indirect call with no need for ABI-specific assembly.
* fix uninitialized scopeid in lookups from hosts file and ip literalsTimo Teräs2015-09-111-2/+2
|
* remove unused (and invalid) C version of sigsetjmpRich Felker2015-09-091-17/+0
| | | | | | | | | originally, the comment in this code was correct and it would likely work if the compiler generated a tail call to setjmp. however, commit 583e55122e767b1586286a0d9c35e2a4027998ab redesigned sigsetjmp and siglongjmp such that the old C implementation (which was not intended to be used) is not even conceptually correct. remove it in the interest of avoiding confusion when porting to new archs.
* fix breakage in nl_langinfo from previous commitRich Felker2015-09-091-1/+1
|
* make nl_langinfo(CODESET) always return "UTF-8"Rich Felker2015-09-091-2/+1
| | | | | | | | | | | | | | | | | | | | | | | this restores the original behavior prior to the addition of the byte-based C locale and fixes what is effectively a regression in musl's property of always providing working UTF-8 support. commit 1507ebf837334e9e07cfab1ca1c2e88449069a80 introduced the codeset name "UTF-8-CODE-UNITS" for the byte-based C locale to represent that the semantic content is UTF-8 but that it is being processed as code units (bytes) rather than whole multibyte characters. however, many programs assume that the codeset name is usable with iconv and/or comes from a set of standard/widely-used names known to the application. such programs are likely to produce warnings or errors, run with reduced functionality, or mangle character data when run explicitly in the C locale. the standard places basically no requirements for the string returned by nl_langinfo(CODESET) and how it interacts with other interfaces, so returning "UTF-8" is permissible. moreover, it seems like the right thing to do, since the identity of the character encoding as "UTF-8" is independent of whether it is being processed as bytes of characters by the standard library functions.
* fix fclose of permanent (stdin/out/err) streamsRich Felker2015-09-091-2/+3
| | | | | | | | | | | | | | | | this fixes a bug reported by Nuno Gonçalves. previously, calling fclose on stdin or stdout resulted in deadlock at exit time, since __stdio_exit attempts to lock these streams to flush/seek them, and has no easy way of knowing that they were closed. conceptually, leaving a FILE stream locked on fclose is valid since, in the abstract machine, it ceases to exist. but to satisfy the implementation-internal assumption in __stdio_exit that it can access these streams unconditionally, we need to unlock them. it's also necessary that fclose leaves permanent streams in a state where __stdio_exit will not attempt any further operations on them. fortunately, the call to fflush already yields this property.
* getsubopt: don't include leading = in value stringSteven Barth2015-08-211-1/+1
| | | | | | | getsubopt incorrectly returns the delimiting = in the value string, this patch fixes it by increasing the pointer position by one. Signed-off-by: Steven Barth <cyrus@openwrt.org>
* match historical behavior for tm_gmtoff member of struct tmNatanael Copa2015-08-144-12/+12
| | | | | | | | | | | | | | tm_gmtoff is a nonstandard field, but on historical systems which have this field, it stores the offset of the local time zone from GMT or UTC. this is the opposite of the POSIX extern long timezone object and the offsets used in POSIX-form TZ strings, which represent the offset from local time to UTC. previously we were storing these negated offsets in tm_gmtoff too. programs which only used this field indirectly via strftime were not affected since strftime performed the negation for presentation. however, some programs and libraries accesse tm_gmtoff directly and were obtaining negated time zone offsets.
* fix failure of tempnam to null-terminate resultRich Felker2015-08-091-0/+1
| | | | | | | tempnam uses an uninitialized buffer which is filled using memcpy and __randname. It is therefore necessary to explicitly null-terminate it. based on patch by Felix Janda.
* mitigate blow-up of heap size under malloc/free contentionRich Felker2015-08-071-14/+14
| | | | | | | | | | | | | | | | | | | | | | | during calls to free, any free chunks adjacent to the chunk being freed are momentarily held in allocated state for the purpose of merging, possibly leaving little or no available free memory for other threads to allocate. under this condition, other threads will attempt to expand the heap rather than waiting to use memory that will soon be available. the race window where this happens is normally very small, but became huge when free chooses to use madvise to release unused physical memory, causing unbounded heap size growth. this patch drastically shrinks the race window for unwanted heap expansion by performing madvise with the bin lock held and marking the bin non-empty in the binmask before making the expensive madvise syscall. testing by Timo Teräs has shown this approach to be a suitable mitigation. more invasive changes to the synchronization between malloc and free would be needed to completely eliminate the problem. it's not clear whether such changes would improve or worsen typical-case performance, or whether this would be a worthwhile direction to take malloc development.
* fix undefined left-shift of negative values in utf-8 state tableRich Felker2015-07-251-1/+1
|
* fix atexit when it is called from an atexit handlerRich Felker2015-07-241-12/+9
| | | | | | | | | | | | | | | The old code accepted atexit handlers after exit, but did not run them reliably. C11 seems to explicitly allow atexit to fail (and report such failure) in this case, but this situation can easily come up in C++ if a destructor has a local static object with a destructor so it should be handled. Note that the memory usage can grow linearly with the overall number of registered atexit handlers instead of with the worst case list length. (This only matters if atexit handlers keep registering atexit handlers which should not happen in practice). Commit message/rationale based on text by Szabolcs Nagy.
* handle loss of syslog socket connectionRich Felker2015-07-091-7/+11
| | | | | | | | | | | | | | | | | | | | | | | | | when traditional syslogd implementations are restarted, the old server socket ceases to exist and a new unix socket with the same pathname is created. when this happens, the default destination address associated with the client socket via connect is no longer valid, and attempts to send produce errors. this happens despite the socket being datagram type, and is in contrast to the behavior that would be seen with an IP datagram (UDP) socket. in order to avoid a situation where the application is unable to send further syslog messages without calling closelog, this patch makes syslog attempt to reconnect the socket when send returns an error indicating a lost connection. additionally, initial failure to connect the socket no longer results in the socket being closed. this ensures that an application which calls openlog to reserve the socket file descriptor will not run into a situation where transient connection failure (e.g. due to syslogd restart) prevents fd reservation. however, applications which may be unable to connect the socket later (e.g. due to chroot, restricted permissions, seccomp, etc.) will still fail to log if the syslog socket cannot be connected at openlog time or if it has to be reconnected later.