Commit Graph

32051 Commits

Author SHA1 Message Date
H.J. Lu
0bd4b39247 x86-64: Properly align La_x86_64_retval to VEC_SIZE [BZ #22715]
_dl_runtime_profile calls _dl_call_pltexit, passing a pointer to
La_x86_64_retval which is allocated on stack.  The lrv_vector0
field in La_x86_64_retval must be aligned to size of vector register.
When allocating stack space for La_x86_64_retval, we need to make sure
that the address of La_x86_64_retval + RV_VECTOR0_OFFSET is aligned to
VEC_SIZE.  This patch checks the alignment of the lrv_vector0 field
and pads the stack space if needed.

Tested with x32 and x86-64 on SSE4, AVX and AVX512 machines.  It fixed

FAIL: elf/tst-audit10
FAIL: elf/tst-audit4
FAIL: elf/tst-audit5
FAIL: elf/tst-audit6
FAIL: elf/tst-audit7

on x32 AVX512 machine.

(cherry picked from commit 207a72e298)

	[BZ #22715]
	* sysdeps/x86_64/dl-trampoline.h (_dl_runtime_profile): Properly
	align La_x86_64_retval to VEC_SIZE.
2018-01-19 09:41:51 -08:00
Florian Weimer
de51f431ed nptl/tst-thread-exit-clobber: Run with any C++ compiler
We do not need thread_local support in the C++11 comiler, and the
minimum GCC version for glibc has C++11 support (if it has C++ support).

(cherry picked from commit 10d200dbac)
2018-01-17 10:32:14 +01:00
Florian Weimer
6311c54e3a nptl/tst-minstack-throw: Compile in C++11 mode with GNU extensions
(cherry picked from commit b725132d2b)
2018-01-16 08:08:38 +01:00
Florian Weimer
247c1ddd30 nptl: Add PTHREAD_MIN_STACK C++ throw test [BZ #22636]
(cherry picked from commit 860b0240a5)
2018-01-15 16:06:36 +01:00
Florian Weimer
3feefa1cc8 nptl: Add tst-minstack-cancel, tst-minstack-exit [BZ #22636]
I verified that without the guard accounting change in commit
630f4cc3aa (Fix stack guard size
accounting) and RTLD_NOW for libgcc_s introduced by commit
f993b87540 (nptl: Open libgcc.so with
RTLD_NOW during pthread_cancel), the tst-minstack-cancel test fails on
an AVX-512F machine.  tst-minstack-exit still passes, and either of
the mentioned commit by itself frees sufficient stack space to make
tst-minstack-cancel pass, too.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
(cherry picked from commit d8b778907e)
2018-01-15 16:06:35 +01:00
Florian Weimer
89d6a65833 nptl: Open libgcc.so with RTLD_NOW during pthread_cancel [BZ #22636]
Disabling lazy binding reduces stack usage during unwinding.

Note that RTLD_NOW only makes a difference if libgcc.so has not
already been loaded, so this is only a partial fix.

Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
(cherry picked from commit f993b87540)
2018-01-15 16:06:35 +01:00
Szabolcs Nagy
0b5cdd80c1 [BZ #22637] Fix stack guard size accounting
Previously if user requested S stack and G guard when creating a
thread, the total mapping was S and the actual available stack was
S - G - static_tls, which is not what the user requested.

This patch fixes the guard size accounting by pretending the user
requested S+G stack.  This way all later logic works out except
when reporting the user requested stack size (pthread_getattr_np)
or when computing the minimal stack size (__pthread_get_minstack).

Normally this will increase thread stack allocations by one page.
TLS accounting is not affected, that will require a separate fix.

	[BZ #22637]
	* nptl/descr.h (stackblock, stackblock_size): Update comments.
	* nptl/allocatestack.c (allocate_stack): Add guardsize to stacksize.
	* nptl/nptl-init.c (__pthread_get_minstack): Remove guardsize from
	stacksize.
	* nptl/pthread_getattr_np.c (pthread_getattr_np): Likewise.

(cherry picked from commit 630f4cc3aa)
2018-01-15 16:06:32 +01:00
Florian Weimer
477cd2b183 nptl: Add test for callee-saved register restore in pthread_exit
GCC PR 83641 results in a miscompilation of libpthread, which
causes pthread_exit not to restore callee-saved registers before
running destructors for objects on the stack.  This test detects
this situation:

info: unsigned int, direct pthread_exit call
tst-thread-exit-clobber.cc:80: numeric comparison failure
   left: 4148288912 (0xf741dd90); from: value
  right: 1600833940 (0x5f6ac994); from: magic_values.v2
info: double, direct pthread_exit call
info: unsigned int, indirect pthread_exit call
info: double, indirect pthread_exit call
error: 1 test failures

(cherry picked from commit 579396ee08)
2018-01-15 15:24:38 +01:00
Florian Weimer
c247c53665 Synchronize support/ infrastructure with master
This commit updates the support/ subdirectory to
commit 1a51e46e4a
on the master branch.
2018-01-15 15:23:35 +01:00
Dmitry V. Levin
fabef2edbc linux: make getcwd(3) fail if it cannot obtain an absolute path [BZ #22679]
Currently getcwd(3) can succeed without returning an absolute path
because the underlying getcwd syscall, starting with linux commit
v2.6.36-rc1~96^2~2, may succeed without returning an absolute path.

This is a conformance issue because "The getcwd() function shall
place an absolute pathname of the current working directory
in the array pointed to by buf, and return buf".

This is also a security issue because a non-absolute path returned
by getcwd(3) causes a buffer underflow in realpath(3).

Fix this by checking the path returned by getcwd syscall and falling
back to generic_getcwd if the path is not absolute, effectively making
getcwd(3) fail with ENOENT.  The error code is chosen for consistency
with the case when the current directory is unlinked.

[BZ #22679]
CVE-2018-1000001
* sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to
generic_getcwd if the path returned by getcwd syscall is not absolute.
* io/tst-getcwd-abspath.c: New test.
* io/Makefile (tests): Add tst-getcwd-abspath.

(cherry picked from commit 52a713fdd0)
2018-01-12 14:49:49 +00:00
Florian Weimer
7d2672a47b Add missing reference to bug 20532 2018-01-12 13:32:51 +01:00
Adhemerval Zanella
268bd5f053 ia64: Fix memchr for large input sizes (BZ #22603)
Current optimized ia64 memchr uses a strategy to check for last address
by adding the input one with expected size.  However it does not take
care for possible overflow.

It was triggered by 3038145ca2 where default rawmemchr now uses memchr
(p, c, (size_t)-1).

This patch fixes it by implement a satured addition where overflows
sets the maximum pointer size to UINTPTR_MAX.

Checked on ia64-linux-gnu where it fixes both stratcliff and
test-rawmemchr failures.

	Adhemerval Zanella  <adhemerval.zanella@linaro.org>
	James Clarke <jrtc27@jrtc27.com>

	[BZ #22603]
	* sysdeps/ia64/memchr.S (__memchr): Avoid overflow in pointer
	addition.

(cherry picked from commit 3bb1ef58b9)
2018-01-10 21:56:05 +01:00
Dmitry V. Levin
989f59db39 tst-ttyname: skip the test when /dev/ptmx is not available
* sysdeps/unix/sysv/linux/tst-ttyname.c (do_in_chroot_1): Skip the
test instead of failing in case of ENOENT returned by posix_openpt.

(cherry picked from commit d7ff3f11b6)
2018-01-08 22:02:53 +00:00
Florian Weimer
bfda785841 Mention CVE-2017-16997 in ChangeLog 2018-01-04 13:41:27 +01:00
Aurelien Jarno
7a64940a59 tst-realloc: do not check for errno on success [BZ #22611]
POSIX explicitly says that applications should check errno only after
failure, so the errno value can be clobbered on success as long as it
is not set to zero.

Changelog:
	[BZ #22611]
	* malloc/tst-realloc.c (do_test): Remove the test checking that errno
	is unchanged on success.
(cherry picked from commit f8aa69be44)
2017-12-31 21:21:27 +01:00
Aurelien Jarno
4ebd0c4191 elf: Check for empty tokens before dynamic string token expansion [BZ #22625]
The fillin_rpath function in elf/dl-load.c loops over each RPATH or
RUNPATH tokens and interprets empty tokens as the current directory
("./"). In practice the check for empty token is done *after* the
dynamic string token expansion. The expansion process can return an
empty string for the $ORIGIN token if __libc_enable_secure is set
or if the path of the binary can not be determined (/proc not mounted).

Fix that by moving the check for empty tokens before the dynamic string
token expansion. In addition, check for NULL pointer or empty strings
return by expand_dynamic_string_token.

The above changes highlighted a bug in decompose_rpath, an empty array
is represented by the first element being NULL at the fillin_rpath
level, but by using a -1 pointer in decompose_rpath and other functions.

Changelog:
	[BZ #22625]
	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
	string token expansion. Check for NULL pointer or empty string possibly
	returned by expand_dynamic_string_token.
	(decompose_rpath): Check for empty path after dynamic string
	token expansion.
(cherry picked from commit 3e3c904dae)
2017-12-30 22:07:01 +01:00
Dmitry V. Levin
98f244e245 elf: do not substitute dst in $LD_LIBRARY_PATH twice [BZ #22627]
Starting with commit
glibc-2.18.90-470-g2a939a7e6d81f109d49306bc2e10b4ac9ceed8f9 that
introduced substitution of dynamic string tokens in fillin_rpath,
_dl_init_paths invokes _dl_dst_substitute for $LD_LIBRARY_PATH twice:
the first time it's called directly, the second time the result
is passed on to fillin_rpath which calls expand_dynamic_string_token
which in turn calls _dl_dst_substitute, leading to the following
behaviour:

$ mkdir -p /tmp/'$ORIGIN' && cd /tmp/'$ORIGIN' &&
  echo 'int main(){}' |gcc -xc - &&
  strace -qq -E LD_LIBRARY_PATH='$ORIGIN' -e /open ./a.out
open("/tmp//tmp/$ORIGIN/tls/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/tmp//tmp/$ORIGIN/tls/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/tmp//tmp/$ORIGIN/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/tmp//tmp/$ORIGIN/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3

Fix this by removing the direct _dl_dst_substitute invocation.

* elf/dl-load.c (_dl_init_paths): Remove _dl_dst_substitute preparatory
code and invocation.

(cherry picked from commit bb195224ac)
2017-12-22 14:56:36 +00:00
Florian Weimer
069c3dd05a tst-ttyname: Fix namespace setup for Fedora
On Fedora, the previous initialization sequence did not work and
resulted in failures like:

info:  entering chroot 1
info:    testcase: basic smoketest
info:      ttyname: PASS {name="/dev/pts/5", errno=0}
info:      ttyname_r: PASS {name="/dev/pts/5", ret=0, errno=0}
error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:122: write (setroups, "deny"): Operation not permitted
info:  entering chroot 2
error: ../sysdeps/unix/sysv/linux/tst-ttyname.c:122: write (setroups, "deny"): Operation not permitted
error: 2 test failures

Reviewed-by: Christian Brauner <christian.brauner@ubuntu.com>
(cherry picked from commit 8db7f48cb7)
2017-12-22 15:28:08 +01:00
Luke Shumaker
89e75d5eda linux ttyname{_r}: Add tests
Add a new tst-ttyname test that includes several named sub-testcases.

This patch is ordered after the patches with the fixes that it tests for (to
avoid breaking `git bisect`), but for reference, here's how each relevant change
so far affected the testcases in this commit, starting with
15e9a4f378:

  |                                 | before  |         | make checks | don't |
  |                                 | 15e9a4f | 15e9a4f | consistent  | bail  |
  |---------------------------------+---------+---------+-------------+-------|
  | basic smoketest                 | PASS    | PASS    | PASS        | PASS  |
  | no conflict, no match           | PASS[1] | PASS    | PASS        | PASS  |
  | no conflict, console            | PASS    | FAIL!   | FAIL        | PASS! |
  | conflict, no match              | FAIL    | PASS!   | PASS        | PASS  |
  | conflict, console               | FAIL    | FAIL    | FAIL        | PASS! |
  | with readlink target            | PASS    | PASS    | PASS        | PASS  |
  | with readlink trap; fallback    | FAIL    | FAIL    | FAIL        | PASS! |
  | with readlink trap; no fallback | FAIL    | PASS!   | PASS        | PASS  |
  | with search-path trap           | FAIL    | FAIL    | PASS!       | PASS  |
  |---------------------------------+---------+---------+-------------+-------|
  |                                 | 4/9     | 5/9     | 6/9         | 9/9   |

  [1]: 15e9a4f introduced a semantic that, under certain failure
       conditions, ttyname sets errno=ENODEV, where previously it didn't
       set errno; it's not quite fair to hold "before 15e9a4f" ttyname to
       those new semantics.  This testcase actually fails, but would have
       passed if we tested for the old the semantics.

Each of the failing tests before 15e9a4f are all essentially the same bug: that
it returns a PTY slave with the correct minor device number, but from the wrong
devpts filesystem instance.

15e9a4f sought to fix this, but missed several of the cases that can cause this
to happen, and also broke the case where both the erroneous PTY and the correct
PTY exist.

Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
(cherry picked from commit d9611e3085)
2017-12-22 15:28:07 +01:00
Luke Shumaker
4f987759d1 linux ttyname{_r}: Don't bail prematurely [BZ #22145]
Commit 15e9a4f378 introduced logic for ttyname()
sending back ENODEV to signal that we can't get a name for the TTY because we
inherited it from a different mount namespace.

However, just because we inherited it from a different mount namespace and it
isn't available at its original path, doesn't mean that its name is unknowable;
we can still try to find it by allowing the normal fall back on iterating
through devices.

An example scenario where this happens is with "/dev/console" in containers.
It's a common practice among container managers to allocate a PTY master/slave
pair in the host's mount namespace (the slave having a path like "/dev/pty/$X"),
bind mount the slave to "/dev/console" in the container's mount namespace, and
send the slave FD to a process in the container. Inside of the
container, the slave-end isn't available at its original path ("/dev/pts/$X"),
since the container mount namespace has a separate devpts instance from the host
(that path may or may not exist in the container; if it does exist, it's not the
 same PTY slave device). Currently ttyname{_r} sees that the file at the
original "/dev/pts/$X" path doesn't match the FD passed to it, and fails early
and gives up, even though if it kept searching it would find the TTY at
"/dev/console". Fix that; don't have the ENODEV path force an early return
inhibiting the fall-back search.

This change is based on the previous patch that adds use of is_mytty in
getttyname and getttyname_r. Without that change, this effectively reverts
15e9a4f, which made us disregard the false similarity of file pointed to by
"/proc/self/fd/$Y", because if it doesn't bail prematurely then that file
("/dev/pts/$X") will just come up again anyway in the fall-back search.

Reviewed-by: Christian Brauner <christian.brauner@ubuntu.com>
(cherry picked from commit a09dfc19ed)
2017-12-22 15:28:07 +01:00
Luke Shumaker
f43ead291c linux ttyname{_r}: Make tty checks consistent
In the ttyname and ttyname_r routines on Linux, at several points it needs to
check if a given TTY is the TTY we are looking for. It used to be that this
check was (to see if `maybe` is `mytty`):

       __xstat64(_STAT_VER, maybe_filename, &maybe) == 0
    #ifdef _STATBUF_ST_RDEV
       && S_ISCHR(maybe.st_mode) && maybe.st_rdev == mytty.st_rdev
    #else
       && maybe.st_ino == mytty.st_ino && maybe.st_dev == mytty.st_dev
    #endif

This check appears in several places.

Then, one of the changes made in commit 15e9a4f378
was to change that check to:

       __xstat64(_STAT_VER, maybe_filename, &maybe) == 0
    #ifdef _STATBUF_ST_RDEV
       && S_ISCHR(maybe.st_mode) && maybe.st_rdev == mytty.st_rdev
    #endif
       && maybe.st_ino == mytty.st_ino && maybe.st_dev == mytty.st_dev

That is, it made the st_ino and st_dev parts of the check happen even if we have
the st_rdev member. This is an important change, because the kernel allows
multiple devpts filesystem instances to be created; a device file in one devpts
instance may share the same st_rdev with a file in another devpts instance, but
they aren't the same file.

This check appears twice in each file (ttyname.c and ttyname_r.c), once (in
ttyname and __ttyname_r) to check if a candidate file found by inspecting /proc
is the desired TTY, and once (in getttyname and getttyname_r) to check if a
candidate file found by searching /dev is the desired TTY. However, 15e9a4f
only updated the checks for files found via /proc; but the concern about
collisions between devpts instances is just as valid for files found via /dev.

So, update all 4 occurrences the check to be consistent with the version of the
check introduced in 15e9a4f. Make it easy to keep all 4 occurrences of the
check consistent by pulling it in to a static inline function, is_mytty.

Reviewed-by: Christian Brauner <christian.brauner@ubuntu.com>
(cherry picked from commit 2fbce9c203)
2017-12-22 15:27:57 +01:00
Luke Shumaker
bd81a9d1e9 linux ttyname: Change return type of is_pty from int to bool
is_pty returning a bool is fine since there's no possible outcome other than
true or false, and bool is used throughout the codebase.

Reviewed-by: Christian Brauner <christian.brauner@ubuntu.com>
(cherry picked from commit d10d6cab16)
2017-12-22 15:23:52 +01:00
Luke Shumaker
1f0ba053ed linux ttyname: Update a reference to kernel docs for kernel 4.10
Linux 4.10 moved many of the documentation files around.

4.10 came out between the time the patch adding the comment (commit
15e9a4f378) was submitted and the time
it was applied (in February, January, and March 2017; respectively).

Reviewed-by: Christian Brauner <christian.brauner@ubuntu.com>
(cherry picked from commit 9b5a87502d)
2017-12-22 15:23:41 +01:00
Luke Shumaker
58a63062a0 manual: Update to mention ENODEV for ttyname and ttyname_r
Commit 15e9a4f378 introduced ENODEV as a possible
error condition for ttyname and ttyname_r. Update the manual to mention this GNU
extension.

Reviewed-by: Christian Brauner <christian.brauner@ubuntu.com>
(cherry picked from commit 495a56fdeb)
2017-12-22 15:23:29 +01:00
Florian Weimer
5da0de4de5 Synchronize support/ infrastructure with master
This commit updates the support/ subdirectory to
commit bad7a0c81f
on the master branch.
2017-12-22 15:22:17 +01:00
Florian Weimer
633e2f7f3d elf: Count components of the expanded path in _dl_init_path [BZ #22607]
(cherry picked from commit 3ff3dfa5af)
2017-12-16 12:58:10 +01:00
Florian Weimer
43b3cb59b2 elf: Compute correct array size in _dl_init_paths [BZ #22606]
(cherry picked from commit 8a0b17e48b)
2017-12-16 12:58:02 +01:00
Florian Weimer
bda48606ee <array_length.h>: New array_length and array_end macros
(cherry picked from commit c94a5688fb)
2017-12-16 12:57:38 +01:00
H.J. Lu
5a2779f9bc i386: Regenerate libm-test-ulps for for gcc 7
Regenerate libm-test-ulps for gcc 7 with "-m32 -O2 -march=i586".

	* sysdeps/i386/fpu/libm-test-ulps: Regenerated for GCC 7 with
	"-O2 -march=i586".

(cherry picked from commit 63d3b468c1)
2017-12-14 13:46:39 +01:00
Adhemerval Zanella
828efe7842 Update IA64 libm-test-ulps
Ran on Itanium Processor 9020, GCC 7.2.1.

	* sysdeps/ia64/fpu/libm-test-ulps: Update.

Signed-off-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2017-12-13 08:52:36 -02:00
Adhemerval Zanella
3a0b7d09db ia64: Fix thread stack allocation permission set (BZ #21672)
This patch fixes ia64 failures on thread exit by madvise the required
area taking in consideration its disjoing stacks
(NEED_SEPARATE_REGISTER_STACK).  Also the snippet that setup the
madvise call to advertise kernel the area won't be used anymore in
near future is reallocated in allocatestack.c (for consistency to
put all stack management function in one place).

Checked on x86_64-linux-gnu and i686-linux-gnu for sanity (since
it is not expected code changes for architecture that do not
define NEED_SEPARATE_REGISTER_STACK) and also got a report that
it fixes ia64-linux-gnu failures from Sergei Trofimovich
<slyfox@gentoo.org>.

	[BZ #21672]
	* nptl/allocatestack.c [_STACK_GROWS_DOWN] (setup_stack_prot):
	Set to use !NEED_SEPARATE_REGISTER_STACK as well.
	(advise_stack_range): New function.
	* nptl/pthread_create.c (START_THREAD_DEFN): Move logic to mark
	stack non required to advise_stack_range at allocatestack.c

(cherry pick from commit 01b87c656f)
2017-12-13 08:52:34 -02:00
Adhemerval Zanella
d8b79b0eb1 posix: Fix mmap for m68k and ia64 (BZ#21908)
Default semantic for mmap2 syscall is to take the offset in 4096-byte
units.  However m68k and ia64 mmap2 implementation take in the
configured pageunit units and for both architecture it can be
different values.

This patch fixes the m68k runtime discover of mmap2 offset unit
and adds the ia64 definition to find it at runtime.

Checked the basic tst-mmap and tst-mmap-offset on m68k (the system
is configured with 4k, so current code is already passing on this
system) and a sanity check on x86_64-linux-gnu (which should not be
affected by this change).  Sergei also states that ia64 loader now
work correctly with this change.

	Adhemerval Zanella  <adhemerval.zanella@linaro.org>
	Sergei Trofimovich  <slyfox@inbox.ru>

	* sysdeps/unix/sysv/linux/m68k/mmap_internal.h (MMAP2_PAGE_SHIFT):
	Rename to MMAP2_PAGE_UNIT.
	* sysdeps/unix/sysv/linux/mmap.c: Include mmap_internal iff
	__OFF_T_MATCHES_OFF64_T is not defined.
	* sysdeps/unix/sysv/linux/mmap_internal.h (page_unit): Declare as
	uint64_t.
	(MMAP2_PAGE_UNIT) [MMAP2_PAGE_UNIT == -1]: Redefine to page_unit.
	(page_unit) [MMAP2_PAGE_UNIT != -1]: Remove definition.

(cherry picked from commit 1f14d0c3dd)
2017-12-13 08:52:32 -02:00
James Clarke
c48e2e558e ia64: Add ipc_priv.h header to set __IPC_64 to zero
When running strace, IPC_64 was set in the command, but ia64 is
an architecture where CONFIG_ARCH_WANT_IPC_PARSE_VERSION *isn't* set
in the kernel, so ipc_parse_version just returns IPC_64 without
clearing the IPC_64 bit in the command.

	* sysdeps/unix/sysv/linux/ia64/ipc_priv.h: New file defining
	__IPC_64 to 0 to avoid IPC_64 being set.

Signed-off-by: James Clarke <jrtc27@jrtc27.com>

(cherry picked from commit 89bd8016b3)
2017-12-12 19:43:00 +01:00
H.J. Lu
73a9236361 Silence -O3 -Wall warning in malloc/hooks.c with GCC 7 [BZ #22052]
realloc_check has

  unsigned char *magic_p;
...
  __libc_lock_lock (main_arena.mutex);
  const mchunkptr oldp = mem2chunk_check (oldmem, &magic_p);
  __libc_lock_unlock (main_arena.mutex);
  if (!oldp)
    malloc_printerr ("realloc(): invalid pointer");
...
  if (newmem == NULL)
    *magic_p ^= 0xFF;

with

static void malloc_printerr(const char *str) __attribute__ ((noreturn));

GCC 7 -O3 warns

hooks.c: In function ‘realloc_check’:
hooks.c:352:14: error: ‘magic_p’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
     *magic_p ^= 0xFF;

due to the GCC bug:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82090

This patch silences GCC 7 by using DIAG_IGNORE_NEEDS_COMMENT.

	[BZ #22052]
	* malloc/hooks.c (realloc_check): Use DIAG_IGNORE_NEEDS_COMMENT
	to silence -O3 -Wall warning with GCC 7.

(cherry picked from commit 8e57c9432a)
2017-12-06 16:15:47 +01:00
Arjun Shankar
df8c219cb9 Fix integer overflow in malloc when tcache is enabled [BZ #22375]
When the per-thread cache is enabled, __libc_malloc uses request2size (which
does not perform an overflow check) to calculate the chunk size from the
requested allocation size. This leads to an integer overflow causing malloc
to incorrectly return the last successfully allocated block when called with
a very large size argument (close to SIZE_MAX).

This commit uses checked_request2size instead, removing the overflow.

(cherry picked from commit 34697694e8)
2017-12-06 07:44:51 +01:00
Aurelien Jarno
0890d5379c Update NEWS to add CVE-2017-15804 entry
(cherry picked from commit 15e84c63c0)
2017-12-01 21:56:32 +01:00
Florian Weimer
a9f35ac127 posix/tst-glob-tilde.c: Add test for bug 22332
(cherry picked from commit 2fac6a6cd5)
2017-12-01 21:56:24 +01:00
Paul Eggert
f1cf98b583 glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ #22332]
(cherry picked from commit a159b53fa0)
2017-12-01 21:51:27 +01:00
Florian Weimer
6f9f307b5d Update NEWS and ChangeLog for CVE-2017-15671
(cherry picked from commit 914c9994d2)
2017-12-01 21:50:09 +01:00
Wilco Dijkstra
f312f235d5 Add single-threaded path to _int_malloc
This patch adds single-threaded fast paths to _int_malloc.

	* malloc/malloc.c (_int_malloc): Add SINGLE_THREAD_P path.

(cherry-picked 905a7725e9)
2017-11-28 19:16:19 +05:30
Wilco Dijkstra
3664f34346 Add single-threaded path to malloc/realloc/calloc/memalloc
This patch adds a single-threaded fast path to malloc, realloc,
calloc and memalloc.  When we're single-threaded, we can bypass
arena_get (which always locks the arena it returns) and just use
the main arena.  Also avoid retrying a different arena since
there is just the main arena.

	* malloc/malloc.c (__libc_malloc): Add SINGLE_THREAD_P path.
	(__libc_realloc): Likewise.
	(_mid_memalign): Likewise.
	(__libc_calloc): Likewise.

(cherry-picked 3f6bb8a32e)
2017-11-28 19:15:59 +05:30
Wilco Dijkstra
fe161827c5 Fix build issue with SINGLE_THREAD_P
Add sysdep-cancel.h include.

	* malloc/malloc.c (sysdep-cancel.h): Add include.

(cherry-picked 6d43de4b85)
2017-11-28 19:15:13 +05:30
Wilco Dijkstra
e759c32364 Add single-threaded path to _int_free
This patch adds single-threaded fast paths to _int_free.
Bypass the explicit locking for larger allocations.

	* malloc/malloc.c (_int_free): Add SINGLE_THREAD_P fast paths.

(cherry-picked from a15d53e2de)
2017-11-28 19:14:48 +05:30
Wilco Dijkstra
0e24837040 Fix deadlock in _int_free consistency check
This patch fixes a deadlock in the fastbin consistency check.
If we fail the fast check due to concurrent modifications to
the next chunk or system_mem, we should not lock if we already
have the arena lock.  Simplify the check to make it obviously
correct.

	* malloc/malloc.c (_int_free): Fix deadlock bug in consistency check.

(cherry-pick d74e6f6c0d)
2017-11-28 19:13:49 +05:30
Florian Weimer
590b24e6e0 malloc: Resolve compilation failure in NDEBUG mode
In _int_free, the locked variable is not used if NDEBUG is defined.

(cherry-picked from 24cffce736)
2017-11-28 19:12:19 +05:30
Florian Weimer
533afac929 malloc: Change top_check return type to void
After commit ec2c1fcefb,
(malloc: Abort on heap corruption, without a backtrace), the function
always returns 0.

(cherry-picked from 5129873a8e)
2017-11-28 19:11:30 +05:30
Florian Weimer
675e8785dc malloc: Remove corrupt arena flag
This is no longer needed because we now abort immediately
once heap corruption is detected.

(cherry-picked from a9da0bb266)
2017-11-28 19:10:16 +05:30
Florian Weimer
ee717ed23d malloc: Remove check_action variable [BZ #21754]
Clean up calls to malloc_printerr and trim its argument list.

This also removes a few bits of work done before calling
malloc_printerr (such as unlocking operations).

The tunable/environment variable still enables the lightweight
additional malloc checking, but mallopt (M_CHECK_ACTION)
no longer has any effect.

(cherry-picked from ac3ed168d0)
2017-11-28 19:09:25 +05:30
Florian Weimer
8788996793 malloc: Abort on heap corruption, without a backtrace [BZ #21754]
The stack trace printing caused deadlocks and has been itself been
targeted by code execution exploits.

(cherry-picked from ec2c1fcefb)
2017-11-28 19:07:55 +05:30
Tulio Magno Quites Machado Filho
aaa2eb83b8 powerpc: Update AT_HWCAP2 bits
Linux commit ID cba6ac4869e45cc93ac5497024d1d49576e82666 reserved a new
bit for a scenario where transactional memory is available, but the
suspended state is disabled.

	* sysdeps/powerpc/bits/hwcap.h (PPC_FEATURE2_HTM_NO_SUSPEND): New
	macro.

(cherry picked from commit df0c40ee3a)

Signed-off-by: Tulio Magno Quites Machado Filho <tuliom@linux.vnet.ibm.com>
2017-11-24 18:30:11 -02:00