path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* fix ESRCH error handling for clock_getcpuclockidEugene Yudin2022-08-011-0/+1
| | | | | | the syscall used to probe availability of the clock fails with EINVAL when the requested pid does not exist, but clock_getcpuclockid is specified to use ESRCH for this purpose.
* aarch64: add vforkSzabolcs Nagy2022-08-011-0/+9
| | | | | | | | | | | | The generic vfork implementation uses clone(SIGCHLD) which has fork semantics. Implement vfork as clone(SIGCHLD|CLONE_VM|CLONE_VFORK, 0) instead which has vfork semantics. (stack == 0 means sp is unchanged in the child.) Some users rely on vfork semantics when memory overcommit is disabled or when the vfork child runs code that synchronizes with the parent process (non-conforming).
* fix mishandling of errno in getaddrinfo AI_ADDRCONFIG logicRich Felker2022-08-011-0/+2
| | | | | | | | | | | | | | | | this code attempts to use the value of errno from failure of socket or connect to infer availability of the requested address family (v4 or v6). however, in the case where connect failed, there is an intervening call to close between connect and the use of errno. close is not required to preserve errno on success, and in fact the __aio_close code, which is called whenever aio is linked and thus always called in dynamic-linked programs, unconditionally clobbers errno. as a result, getaddrinfo fails with EAI_SYSTEM and errno=ENOENT rather than correctly determining that the address family was unavailable. this fix is based on report/patch by Jussi Nieminen, but simplified slightly to avoid breaking the case where socket, not connect, failed.
* avoid limited space of random temp file names if clock resolution is lowRich Felker2022-06-231-1/+1
| | | | | | | this is not an issue that was actually hit, but I noticed it during previous changes to __randname: if the resolution of tv_nsec is too low, the space of temp file names obtainable by a thread could plausibly be exhausted. mixing in tv_sec avoids this.
* remove random filename obfuscation that leaks ASLR informationRich Felker2022-06-031-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | the __randname function is used by various temp file creation interfaces as a backend to produce a name to attempt using. it does not have to produce results that are safe against guessing, and only aims to avoid unintentional collisions. mixing the address of an object on the stack in a reversible manner leaked ASLR information, potentially allowing an attacker who can observe the temp files created and their creation timestamps to narrow down the possible ASLR state of the process that created them. there is no actual value in mixing these addresses in; it was just obfuscation. so don't do it. instead, mix the tid, just to avoid collisions if multiple processes/threads stampede to create temp files at the same moment. even without this measure, they should not collide unless the clock source is very low resolution, but it's a cheap improvement. if/when we have a guaranteed-available userspace csprng, it could be used here instead. even though there is no need for cryptographic entropy here, it would avoid having to reason about clock resolution and such to determine whether the behavior is nice.
* ensure distinct query id for parallel A and AAAA queries in resolverRich Felker2022-06-031-0/+3
| | | | | | | | | | | | | | assuming a reasonable realtime clock, res_mkquery is highly unlikely to generate the same query id twice in a row, but it's possible with a very low-resolution system clock or under extreme delay of forward progress. when it happens, res_msend fails to wait for both answers, and instead stops listening after getting two answers to the same query (A or AAAA). to avoid this, increment one byte of the second query's id if it matches the first query's. don't bother checking if the second byte is also equal, since it doesn't matter; we just need to ensure that at least one byte is distinct.
* mntent: fix potential mishandling of extremely long linesRich Felker2022-05-151-0/+2
| | | | | | | | | | | commit 05973dc3bbc1aca9b3c8347de6879ed72147ab3b made it so that lines longer than INT_MAX can in theory be read, but did not use a suitable type for the positions determined by sscanf. we could change to using size_t, but since the signature for getmntent_r does not admit lines longer than INT_MAX, it does not make sense to support them in the legacy thread-unsafe form either -- the principle here is that there should not be an incentive to use the unsafe function to get added functionality.
* mntent: fix parsing lines with optional fieldsAlyssa Ross2022-05-151-3/+7
| | | | | | | | | | | | | | According to fstab(5), the last two fields are optional, but this wasn't accepted. After this change, only the first field is required, which matches glibc's behaviour. Using sscanf as before, it would have been impossible to differentiate between 0 fields and 4 fields, because sscanf would have returned 0 in both cases due to the use of assignment suppression and %n for the string fields (which is important to avoid copying any strings). So instead, before calling sscanf, initialize every string to the empty string, and then we can check which strings are empty afterwards to know how many fields were matched.
* fix constraint violation in qsort wrapper around qsort_rRich Felker2022-05-061-1/+1
| | | | | function pointer types do not implicitly convert to void *. a cast is required here.
* use __fstat instead of __fstatat with AT_EMPTY_PATH in __map_fileRich Felker2022-05-041-2/+1
| | | | | this isolates knowledge of the nonstandard AT_EMPTY_PATH extension to one place and returns __map_file to its prior simplicity.
* provide an internal namespace-safe __fstatRich Felker2022-05-042-2/+5
| | | | | | this avoids the need for implementation-internal callers to depend on the nonstandard AT_EMPTY_PATH extension to use __fstatat and isolates knowledge of that extension to the implementation of __fstat.
* only use fstatat and others legacy stat syscalls if they existRich Felker2022-05-011-1/+9
| | | | riscv32 and future architectures only provide statx.
* drop direct use of stat syscalls in internal __map_fileRich Felker2022-05-011-3/+3
| | | | | | this function is used to implement some baseline ISO C interfaces, so it cannot call any of the stat functions by their public names. use the namespace-safe __fstatat instead.
* provide an internal namespace-safe __fstatatRich Felker2022-05-012-1/+11
| | | | | this makes it so we can drop direct stat syscall use in interfaces that can't use the POSIX namespace.
* drop direct use of stat syscalls in fchmodatRich Felker2022-05-011-8/+7
| | | | | | | | | | | | | | | | instead, use the fstatat/stat functions, so that the logic for which syscalls are present and usable is all in fstatat. this results in a slight increase in cost for old kernels on 32-bit archs: now statx will be attempted first rather than just using the legacy time32 syscalls, despite us not caring about timestamps. however, it's not even clear that the legacy syscalls *should* succeed if the timestamps are out of range; arguably they should fail with EOVERFLOW. as such, paying a small cost here on old kernels seems well-motivated. with this change, fchmodat itself is no longer blocking ports to new archs that lack the legacy syscalls.
* drop use of stat operation in temporary file name generationRich Felker2022-05-012-10/+6
| | | | | | | | | | | | | | | | | this change serves two purposes: 1. it eliminates one of the few remaining uses of the kernel stat structure which will not be present in future archs, avoiding the need for growing ifdef logic here. 2. it potentially makes the operations less expensive when the candidate exists as a non-symlink by avoiding the need to read the inode (assuming the directory tables suffice to distinguish symlinks). this uses the idiom I discovered while rewriting realpath for commit 29ff7599a448232f2527841c2362643d246cee36 of being able to use the readlink operation as an inexpensive probe for file existence that doesn't following symlinks.
* only fallback to gettimeofday/settimeofday syscalls if they existStefan O'Rear2022-05-011-0/+4
| | | | riscv32 and future architectures only provide the clock_ functions.
* only use getrlimit/setrlimit syscalls if they existStefan O'Rear2022-05-012-1/+11
| | | | riscv32 and future architectures only provide prlimit64.
* don't remap internal-use syscall macros to nonexistent time32 syscallsStefan O'Rear2022-04-271-10/+10
| | | | | | riscv32 and future architectures lack the _time32 variants entirely, so don't try to use their numbers. instead, reflect that they're not present.
* add missing POSIX confstr keys for pthread CFLAGS/LDFLAGSRich Felker2022-04-201-1/+1
| | | | | | | | | | _CS_POSIX_V7_THREADS_CFLAGS and _CS_POSIX_V7_THREADS_LDFLAGS have been missing for a long time, which is a conformance defect. we were waiting on glibc to add them or at least agree on the numeric values they will have so as to keep the numbering aligned. it looks like they will be added to glibc with these numbers, and in any case, this list does not have any significant churn that would result in the numbers getting taken.
* fix incorrect parameter name in internal netlink.h RTA_OK macroOndrej Jirman2022-04-101-1/+1
| | | | the wrong name works only by accident.
* accept null pointer as message argument to gettext functionspsykose2022-03-271-0/+3
| | | | | | | | | | the change to support passing null was rejected in the past on the grounds that GNU gettext documented it as undefined, on an assumption that only glibc accepted it and that the standalone GNU gettext did not. but it turned out that both explicitly accept it. in light of this, since some software assumes null can be passed safely, allow it.
* fix invalid free of duplocale object when malloc has been replacedIsaiah Poston2022-03-161-0/+5
| | | | | | | | | | | | newlocale and freelocale use __libc_malloc and __libc_free, but duplocale used malloc. If malloc was replaced, this resulted in invalid free using the wrong allocator when passing the result of duplocale to freelocale. Instead, use libc-internal malloc for duplocale. This bug was introduced by commit 1e4204d522670a1d8b8ab85f1cfefa960547e8af.
* nice: return EPERM instead of EACCESAlexey Kodanev2022-03-081-1/+8
| | | | | To comply with POSIX, change errno from EACCES to EPERM when the caller did not have the required privilege.
* protect stack canary from leak via read-as-string by zeroing second bytejvoisin2022-03-081-0/+9
| | | | | | | | | This reduces entropy of the canary from 64-bit to 56-bit in exchange for mitigating non-terminated C string overflows by setting the second byte of the canary to nul, so that off-by-one write overflow with a nul byte can still be detected. Idea from GrapheneOS bionic commit 7024d880b51f03a796ff8832f1298f2f1531fd7b
* math: avoid runtime conversions of floating-point constantsSzabolcs Nagy2022-03-082-2/+6
| | | | | | | | | | | | | | | gcc-12 with -frounding-mode will do inexact constant conversions at runtime according to the runtime rounding mode. in the math library we want constants to be rounding mode independent so this patch fixes cases where new runtime conversions happen with gcc-12. fortunately this only affects two minor cases, the fix uses global initializers where rounding mode does not apply. after the patch the same amount of conversions happen with gcc-12 as with gcc-11.
* fix spurious failures by fgetws when buffer ends with partial characterRich Felker2022-02-201-6/+1
| | | | | | | | | | | | | | | | | | | | commit a90d9da1d1b14d81c4f93e1a6d1a686c3312e4ba made fgetws look for changes to errno by fgetwc to detect encoding errors, since ISO C did not allow the implementation to set the stream's error flag in this case, and the fgetwc interface did not admit any other way to detect the error. however, the possibility of fgetwc setting errno to EILSEQ in the success path was overlooked, and in fact this can happen if the buffer ends with a partial character, causing mbtowc to be called with only part of the character available. since that change was made, the C standard was amended to specify that fgetwc set the stream error flag on encoding errors, and commit 511d70738bce11a67219d0132ce725c323d00e4e made it do so. thus, there is no longer any need for fgetws to poke at errno to handle encoding errors. this commit reverts commit a90d9da1d1b14d81c4f93e1a6d1a686c3312e4ba and thereby fixes the problem.
* add missing strerror text for key managementpelco2022-02-191-0/+4
* fix out-of-bound read processing time zone data with distant-past datesRich Felker2022-02-091-14/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | this bug goes back to commit 1cc81f5cb0df2b66a795ff0c26d7bbc4d16e13c6 where zoneinfo file support was first added. in scan_trans, which searches for the appropriate local time/dst rule in effect at a given time, times prior to the second transition time caused the -1 slot of the index to be read to determine the previous rule in effect. this memory was always valid (part of another zoneinfo table in the mapped file) but the byte value read was then used to index another table, possibly going outside the bounds of the mmap. most of the time, the result was limited to misinterpretation of the rule in effect at that time (pre-1900s), but it could produce a crash if adjacent memory was not readable. the root cause of the problem, however, was that the logic for this code path was all wrong. as documented in the comment, times before the first transition should be treated as using the lowest-numbered non-dst rule, or rule 0 if no non-dst rules exist. if the argument is in units of local time, however, the rule prior to the first transition is needed to determine if it falls before or after it, and that's where the -1 index was wrongly used. instead, use the documented logic to find out what rule would be in effect before the first transition, and apply it as the offset if the argument was given in local time. the new code has not been heavily tested, but no longer performs potentially out-of-bounds accesses, and successfully handles the 1883 transition from local mean time to central standard time in the test case the error was reported for.
* fix potentially wrong-sign zero in cproj functions at infinityRich Felker2022-01-183-3/+3
| | | | | | these are specified to use the sign of the imaginary part of the input as the sign of zero in the result, but wrongly copied the sign of the real part.
* make fseek detect and produce an error for invalid whence argumentsRich Felker2022-01-091-0/+7
| | | | | | | | this is a POSIX requirement. we previously relied on the underlying fd (or other backend) seek operation to produce the error, but since linux lseek now supports other seek modes (SEEK_DATA and SEEK_HOLE) which do not interact well with stdio buffering, this is insufficient. instead, explicitly check whence before performing any operations.
* fix wcwidth of hangul combining (vowel/final) lettersRich Felker2021-12-271-58/+60
| | | | | | | | | | these characters combine onto a base character (initial) and therefore need to have width 0. the original binary-search implementation of wcwidth handled them correctly, but a regression was introduced in commit 1b0ce9af6d2aa7b92edaf3e9c631cb635bae22bd by generating the new tables from unicode without noticing that the classification logic in use (unicode character category Mn/Me/Cf) was insufficient to catch these characters.
* fix mismatched signatures for strtod_l familyRich Felker2021-12-092-7/+22
| | | | | | | | | | | | | strtod_l, strtof_l, and strtold_l originally existed only as glibc-ABI-compat symbols. as noted in the commit which added them, 17a60f9d327c6f8b5707a06f9497d846e75c01f2, making them aliases for the non-_l functions was a hack and not appropriate if they ever became public API. unfortunately, commit 35eb1a1a9b97577e113240cd65bf9fc44b8df030 did make them public without undoing the hack. fix that now by moving the the _l functions to their own file as wrappers that just throw away the locale_t argument.
* fix hwcap access in powerpc-sf setjmp/longjmpRich Felker2021-11-292-2/+2
| | | | | | | commit 7be59733d71ada3a32a98622507399253f1d5e48 introduced the hwcap-based branches to support the SPE FPU, but wrongly coded them as bitwise tests on the computed address of __hwcap, not a value loaded from that address. replace the add with indexed load to fix it.
* fix struct layout mismatch in sound ioctl time32 fallback conversionRich Felker2021-10-191-2/+7
| | | | | | | | | | | | | | | | | | | | | | the snd_pcm_mmap_control struct used with SNDRV_PCM_IOCTL_SYNC_PTR was mistakenly defined in the kernel uapi with "before u32" padding both before and after the first u32 member. our conversion between the modern struct and the legacy time32 struct was written without awareness of that mistake, and assumed the time64 version of the struct was the intended form with padding to match the layout on 64-bit archs. as a result, the struct was not converted correctly when running on old kernels, with audio glitches as the likely result. this was discovered thanks to a related bug in the kernel, whereby 32-bit userspace running on a 64-bit kernel also suffered from the types mismatching. the mistaken layout is now the ABI and can't be changed -- or at least making a new ioctl to change it would just result in a worse situation. our conversion here is changed to treat the snd_pcm_mmap_control substruct as two separate substructs at locations dependent on endianness (since the displacement depends on endianness), using the existing conversion framework.
* add qsort_r and make qsort a wrapper around itÉrico Nogueira2021-09-233-17/+35
| | | | | | | | | | | | | we make qsort a wrapper by providing a wrapper_cmp function that uses the extra argument as a function pointer. should be optimized to a tail call on most architectures, as long as it's built with -fomit-frame-pointer, so the performance impact should be minimal. to keep the git history clean, for now qsort_r is implemented in qsort.c and qsort is implemented in qsort_nr.c. qsort.c also received a few trivial cleanups, including replacing (*cmp)() calls with cmp(). qsort_nr.c contains only wrapper_cmp and qsort as a qsort_r wrapper itself.
* add SPE FPU support to powerpc-sfRich Felker2021-09-238-8/+68
| | | | | | | | | | | | | | | | | | | When the soft-float ABI for PowerPC was added in commit 5a92dd95c77cee81755f1a441ae0b71e3ae2bcdb, with Freescale cpus using the alternative SPE FPU as the main use case, it was noted that we could probably support hard float on them, but that it would involve determining some difficult ABI constraints. This commit is the completion of that work. The Power-Arch-32 ABI supplement defines the ABI profiles, and indeed ATR-SPE is built on ATR-SOFT-FLOAT. But setjmp/longjmp compatibility are problematic for the same reason they're problematic on ARM, where optional float-related parts of the register file are "call-saved if present". This requires testing __hwcap, which is now done. In keeping with the existing powerpc-sf subarch definition, which did not have fenv, the fenv macros are not defined for SPE and the SPEFSCR control register is left (and assumed to start in) the default mode.
* fix undefined behavior in getdelim via null pointer arithmetic and memcpyRich Felker2021-09-111-3/+5
| | | | | | | | | both passing a null pointer to memcpy with length 0, and adding 0 to a null pointer, are undefined. in some sense this is 'benign' UB, but having it precludes use of tooling that strictly traps on UB. there may be better ways to fix it, but conditioning the operations which are intended to be no-ops in the k==0 case on k being nonzero is a simple and safe solution.
* fix error checking in pthread_getname_npÉrico Nogueira2021-08-061-1/+1
| | | | | | | len is unsigned and can never be smaller than 0. though unlikely, an error in read() would have lead to an out of bounds write to name. Reported-by: Michael Forney <mforney@mforney.org>
* fix libc-internal signal blocking on mips archsRich Felker2021-07-291-2/+2
| | | | | | | | | | | | due to historical reasons, the mips signal set has 128 bits rather than 64 like on every other arch. this was special-cased correctly, at least for 32-bit mips, at one time, but was inadvertently broken in commit 7c440977db9444d7e6b1c3dcb1fdf4ee49ca4158, and seems never to have been right on mips64/n32. as consequenct of this bug, applications making use of high realtime signal numbers on mips may have been able to execute application code in contexts where doing so was unsafe.
* math: fix fmaf not to depend on FE_TOWARDZEROSzabolcs Nagy2021-07-061-11/+10
* fix TZ parsing logic for identifying POSIX-form stringsRich Felker2021-06-231-1/+13
| | | | | | | | | | | | | | | | previously, the contents of the TZ variable were considered a candidate for a file/path name only if they began with a colon or contained a slash before any comma. the latter was very sloppy logic to avoid treating any valid POSIX TZ string as a file name, but it also triggered on values that are not valid POSIX TZ strings, including 3-letter timezone names without any offset. instead, only treat the TZ variable as POSIX form if it begins with a nonzero standard time name followed by +, -, or a digit. also, special case GMT and UTC to always be treated as POSIX form (with implicit zero offset) so that a stray file by the same name cannot break software that depends on setting TZ=GMT or TZ=UTC.
* remove return with expression in void functionMichael Forney2021-04-271-1/+1
* add pthread_getname_np functionÉrico Rolim2021-04-201-0/+25
| | | | based on the pthread_setname_np implementation
* fix popen not to leak pipes from one child to anotherRich Felker2021-04-201-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | POSIX places an obscure requirement on popen which is like a limited version of close-on-exec: "The popen() function shall ensure that any streams from previous popen() calls that remain open in the parent process are closed in the new child process." if the POSIX-future 'e' mode flag is passed, producing a pipe FILE with FD_CLOEXEC on the underlying pipe, this requirement is automatically satisfied. however, for applications which use multiple concurrent popen pipes but don't request close-on-exec, fd leaks from earlier popen calls to later ones could produce deadlock situations where processes are waiting for a pipe EOF that will never happen. to fix this, iterate through all open FILEs and add close actions for those obtained from popen. this requires holding a lock on the open file list across the posix_spawn call so that additional popen FILEs are not created after the list is traversed. note that it's still possible for another popen call to start and create its pipe while the lock is held, but such pipes are created with O_CLOEXEC and only drop close-on-exec status (when 'e' flag is omitted) under control of the lock.
* remove spurious lock in popenRich Felker2021-04-201-2/+0
| | | | | | | the newly allocated FILE * has not yet leaked to the application and is only visible to stdio internals until popen returns. since we do not change any fields of the structure observed by libc internals, only the pipe_pid member, locking is not necessary.
* nscd: fall back gracefully on kernels without AF_UNIX supportJoakim Sindholt2021-04-161-1/+9
* mallocng/aligned_alloc: check for malloc failureDominic Chen2021-04-161-0/+3
| | | | | | With mallocng, calling posix_memalign() or aligned_alloc() will SIGSEGV if the internal malloc() call returns NULL. This does not occur with oldmalloc, which explicitly checks for allocation failure.
* make epoll_[p]wait a cancellation pointRich Felker2021-04-031-2/+2
| | | | | | | | | this is a Linux-specific function and not covered by POSIX's requirements for which interfaces are cancellation points, but glibc makes it one and existing software relies on it being one. at some point a review for similar functions that should be made cancellation points should be done.
* fix dl_iterate_phdr dlpi_tls_data reporting to match specRich Felker2021-03-261-1/+2
| | | | | | | | | | dl_iterate_phdr was wrongly reporting the address of the DSO's PT_TLS image rather than the calling thread's instance of the TLS. the man page, which is essentially normative for a nonstandard function of this sort, clearly specifies the latter. it does not clarify where exactly within/relative-to the image the pointer should point, but the reasonable thing to do is match the ABI's DTP offset, and this seems to be what other implementations do.