The recursive lock used on abort does not synchronize with a new process
creation (either by fork-like interfaces or posix_spawn ones), nor it
is reinitialized after fork().
Also, the SIGABRT unblock before raise() shows another race condition,
where a fork or posix_spawn() call by another thread, just after the
recursive lock release and before the SIGABRT signal, might create
programs with a non-expected signal mask. With the default option
(without POSIX_SPAWN_SETSIGDEF), the process can see SIG_DFL for
SIGABRT, where it should be SIG_IGN.
To fix the AS-safe, raise() does not change the process signal mask,
and an AS-safe lock is used if a SIGABRT is installed or the process
is blocked or ignored. With the signal mask change removal,
there is no need to use a recursive loc. The lock is also taken on
both _Fork() and posix_spawn(), to avoid the spawn process to see the
abort handler as SIG_DFL.
A read-write lock is used to avoid serialize _Fork and posix_spawn
execution. Both sigaction (SIGABRT) and abort() requires to lock
as writer (since both change the disposition).
The fallback is also simplified: there is no need to use a loop of
ABORT_INSTRUCTION after _exit() (if the syscall does not terminate the
process, the system is broken).
The proposed fix changes how setjmp works on a SIGABRT handler, where
glibc does not save the signal mask. So usage like the below will now
always abort.
static volatile int chk_fail_ok;
static jmp_buf chk_fail_buf;
static void
handler (int sig)
{
if (chk_fail_ok)
{
chk_fail_ok = 0;
longjmp (chk_fail_buf, 1);
}
else
_exit (127);
}
[...]
signal (SIGABRT, handler);
[....]
chk_fail_ok = 1;
if (! setjmp (chk_fail_buf))
{
// Something that can calls abort, like a failed fortify function.
chk_fail_ok = 0;
printf ("FAIL\n");
}
Such cases will need to use sigsetjmp instead.
The _dl_start_profile calls sigaction through _profil, and to avoid
pulling abort() on loader the call is replaced with __libc_sigaction.
Checked on x86_64-linux-gnu and aarch64-linux-gnu.
Reviewed-by: DJ Delorie <dj@redhat.com>
I used these shell commands:
../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright
(cd ../glibc && git commit -am"[this commit message]")
and then ignored the output, which consisted lines saying "FOO: warning:
copyright statement not found" for each of 7061 files FOO.
I then removed trailing white space from math/tgmath.h,
support/tst-support-open-dev-null-range.c, and
sysdeps/x86_64/multiarch/strlen-vec.S, to work around the following
obscure pre-commit check failure diagnostics from Savannah. I don't
know why I run into these diagnostics whereas others evidently do not.
remote: *** 912-#endif
remote: *** 913:
remote: *** 914-
remote: *** error: lines with trailing whitespace found
...
remote: *** error: sysdeps/unix/sysv/linux/statx_cp.c: trailing lines
We stopped adding "Contributed by" or similar lines in sources in 2012
in favour of git logs and keeping the Contributors section of the
glibc manual up to date. Removing these lines makes the license
header a bit more consistent across files and also removes the
possibility of error in attribution when license blocks or files are
copied across since the contributed-by lines don't actually reflect
reality in those cases.
Move all "Contributed by" and similar lines (Written by, Test by,
etc.) into a new file CONTRIBUTED-BY to retain record of these
contributions. These contributors are also mentioned in
manual/contrib.texi, so we just maintain this additional record as a
courtesy to the earlier developers.
The following scripts were used to filter a list of files to edit in
place and to clean up the CONTRIBUTED-BY file respectively. These
were not added to the glibc sources because they're not expected to be
of any use in future given that this is a one time task:
https://gist.github.com/siddhesh/b5ecac94eabfd72ed2916d6d8157e7dchttps://gist.github.com/siddhesh/15ea1f5e435ace9774f485030695ee02
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
I used these shell commands:
../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright
(cd ../glibc && git commit -am"[this commit message]")
and then ignored the output, which consisted lines saying "FOO: warning:
copyright statement not found" for each of 6694 files FOO.
I then removed trailing white space from benchtests/bench-pthread-locks.c
and iconvdata/tst-iconv-big5-hkscs-to-2ucs4.c, to work around this
diagnostic from Savannah:
remote: *** pre-commit check failed ...
remote: *** error: lines with trailing whitespace found
remote: error: hook declined to update refs/heads/master
We have multiple tests that copy & paste the same logic for disabling the
fortification output. Let's unify this in the test-skeleton instead.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
void **.
* nss/nsswitch.h (service_user): Use void * type for KNOWN field.
* nss/nss_files/files-hosts.c (LINE_PARSER): Cast host_addr to
char * to avoid warning.
* nis/nss_nis/nis-hosts.c (LINE_PARSER): Likewise.
* timezone/Makefile (CFLAGS-zdump.c): Add -fwrapv.
* locale/programs/ld-ctype.c (ctype_finish, set_class_defaults,
allocate_arrays): Cast second argument to charmap_find_symbol
to char * to avoid warnings.
* locale/programs/repertoire.c (repertoire_new_char): Change
from_nr, to_nr and cnt to unsigned long, adjust printf format
string.
* locale/programs/ld-collate.c (insert_value, handle_ellipsis):
Cast second argument to new_element to char * to avoid warnings.
* locale/weightwc.h (findidx): Cast &extra[-i] to const int32_t *.
* intl/gettextP.h (struct loaded_domain): Change plural to const
struct expression *.
* intl/plural-eval.c (plural_eval): Change first argument to
const struct expression *.
* intl/plural-exp.c (EXTRACT_PLURAL_EXPRESSION): Change first
argument to const struct expression **.
* intl/plural-exp.h (EXTRACT_PLURAL_EXPRESSION, plural_eval): Adjust
prototypes.
* intl/loadmsgcat (_nl_unload_domain): Cast away const
in call to __gettext_free_exp.
* posix/fnmatch.c (fnmatch): Rearrange code to avoid maybe
unitialized wstring/wpattern var warnings.
* posix/runtests.c (struct a_test): Make data field const char *.
* stdio-common/tst-sprintf2.c (main): Don't declere u, v and buf
vars if not LDBL_MANT_DIG >= 106.
* stdio-common/Makefile (CFLAGS-vfwprintf.c): Add -Wno-unitialized.
* stdio-common/vfprintf.c (vfprintf): Cast first arugment to
__find_specmb to avoid warning.
* rt/tst-mqueue1.c (do_one_test): Add casts to avoid warnings.
* debug/test-strcpy_chk.c (do_tests, do_random_tests): Add casts
to avoid warnings.
* sysdeps/ieee754/ldbl-96/s_roundl.c (huge): Add L suffix to
initializer.
* sysdeps/unix/clock_gettime.c (clock_gettime): Only define
tv var when it will be actually used.
* sunrpc/rpc_cmsg.c (xdr_callmsg): Cast IXDR_PUT_* to void
to avoid warnings.
2004-11-12 Ulrich Drepper <drepper@redhat.com>
* sysdeps/unix/sysv/linux/libc_fatal.c: Add new function __libc_message
which performs the printing and simple format string handling. The
string is written to tty, stderr, syslog in this order, stopping after
the first successful output.
(__libc_fatal): Call __libc_message.
* include/stdio.h: Declare __libc_message.
* malloc/malloc.c (malloc_printerr): Use __libc_message.
* debug/chk_fail.c: Also print message with __libc_message.
* debug/test-strcpy_chk.c: Ensure that debug messages are not printed
to the terminal or stderr.
* debug/tst-chk1.c: Likewise.
* posix/Makefile: Remove gpl2lgpl variable.
