The helper binary pt_chown tricked into granting access to another
user's pseudo-terminal.
Pre-conditions for the attack:
* Attacker with local user account
* Kernel with FUSE support
* "user_allow_other" in /etc/fuse.conf
* Victim with allocated slave in /dev/pts
Using the setuid installed pt_chown and a weak check on whether a file
descriptor is a tty, an attacker could fake a pty check using FUSE and
trick pt_chown to grant ownership of a pty descriptor that the current
user does not own. It cannot access /dev/pts/ptmx however.
In most modern distributions pt_chown is not needed because devpts
is enabled by default. The fix for this CVE is to disable building
and using pt_chown by default. We still provide a configure option
to enable hte use of pt_chown but distributions do so at their own
risk.
The generated header is compiled with `-ffreestanding' to avoid any
circular dependencies against the installed implementation headers.
Such a dependency would require the implementation header to be
installed before the generated header could be built (See bug 15711).
In current practice the generated header dependencies do not include
any of the implementation headers removed by the use of `-ffreestanding'.
---
2013-07-15 Carlos O'Donell <carlos@redhat.com>
[BZ #15711]
* sysdeps/unix/sysv/linux/Makefile ($(objpfx)bits/syscall%h):
Avoid system header dependency with -ffreestanding.
($(objpfx)bits/syscall%d): Likewise.
This change creates a link map in static executables to serve as the
global search list for dlopen. It fixes a problem with the inability
to access the global symbol object and a crash on an attempt to map a
DSO into the global scope. Some code that has become dead after the
addition of this link map is removed too and test cases are provided.
Many Linux arches require fixed mmaps to be aligned higher than pagesize,
so use the SHMLBA define as it represents this quantity exactly.
This fixes spurious errors seen on those arches like:
cannot map archive header: Invalid argument
URL: http://sourceware.org/bugzilla/show_bug.cgi?id=10283
Reported-by: CHIKAMA Masaki <masaki.chikama@gmail.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Static applications that call pthread_exit on the main
thread segfault. This is because after a thread terminates
__libc_start_main decrements __nptl_nthreads which is only
defined in pthread_create. Therefore the right solution is
to add a requirement to pthread_create from pthread_exit.
~~~
nptl/
2013-06-24 Vladimir Nikulichev <v.nikulichev@gmail.com>
[BZ #12310]
* pthread_exit.c: Add reference to pthread_create.
This patch introduces two new convenience functions to set the default
thread attributes used for creating threads. This allows a programmer
to set the default thread attributes just once in a process and then
run pthread_create without additional attributes.
Resolves BZ #15618.
pthread_attr_getaffinity_np may write beyond bounds of the input
cpuset buffer if the size of the input buffer is smaller than the
buffer present in the input pthread attributes. Fix is to copy to the
extent of the minimum of the source and the destination.
In 128-bit IBM long double the precision of the type
decreases as you approach subnormal numbers, equaling
that of a double for subnormal numbers. Therefore
adjust the computation in ulp to use 2^(MIN_EXP - MANT_DIG)
which is correct for FP_SUBNORMAL for all types.
Resolves: #15465
The program name may be unavailable if the user application tampers
with argc and argv[]. Some parts of the dynamic linker caters for
this while others don't, so this patch consolidates the check and
fallback into a single macro and updates all users.
Fixes 15381.
Using wide character function is on byte oriented memstream is undefined
behaviour. This behaviour was masked by not initializing wide struct
info. We now initialize it to cause a predictable crash.
This patch fixes two issues, and perhaps should be two distinct commits,
but I present it here as one for the sake of completeness.
Commit 006dd86111 fails to check malloc's
return in intl/dcigettext.c (_nl_find_msg):
~~~
freemem_size = INITIAL_BLOCK_SIZE;
newmem = (transmem_block_t *) malloc (freemem_size);
...
newmem->next = transmem_list;
transmem_list = newmem;
~~~
If malloc fails then newmem is NULL then newmem->next results in a
fault.
The fix is easy enough, check for newmem != NULL, and fall through to
the error condition below which returns (char *) -1 e.g. resource error.
The problem is that returning (char *) -1 will break all sorts of other
code, so while what we did is correct, the real failure case fix is
slightly broader.
There are 4 other places where _nl_find_msg is called, one is OK, the
other three are fixed to handle -1 error return value.
No regressions on x86-64 or x86.
However, no regressions isn't really a useful metric for this code.
The change was tested as documented here:
http://sourceware.org/glibc/wiki/Testing/WhiteBox
using SystemTap for fault injection to simulate malloc failure.
---
2013-05-03 Carlos O'Donell <carlos at redhat.com>
[BZ #15441]
* intl/dcigettext.c (DCIGETTEXT): Skip translating if _nl_find_msg
returns -1.
(_nl_find_msg): Return -1 if recursive call returned -1. If newmem is
null return -1.
* intl/loadmsgcat.c (_nl_load_domain): If _nl_find_msg returns -1 abort
loading the domain.
Fixes BZ #15339.
NSS_STATUS_UNAVAIL may mean that a necessary input resource is not
available. This could occur in a number of cases including when the
network is down, system runs out of file descriptors, etc. The
correct differentiator in such a case is the h_errno, which gives the
nature of failure. In case of failures other than a simple 'not
found', we set h_errno as NETDB_INTERNAL and let errno be the
identifier for the exact error.
Resolves: #15424
The compiler would optimize the benchmark function call out of the
loop and call it only once, resulting in blazingly fast times for some
benchmarks (notably atan, sin and cos). Mark the inputs as volatile
so that the code is forced to read again from the input for each
iteration.
[BZ #15442] This adds support for the inverse interpretation of the
quiet bit of IEEE 754 floating-point NaN data that some processors
use. This includes in particular MIPS architecture processors; the
payload used for the canonical qNaN encoding is updated accordingly
so as not to interfere with the quiet bit.
The following patch fixes both _FPU_GETCW and
_FPU_SETCW for hppa. The initial implementation was
flawed and not well tested. We failed to set cw,
and passed in the value of a register to fldd.
This patch fixes both of those errors and allows
the libm tests to pass without failure.
Signed-off-by: Guy Martin <gmsoft@tuxicoman.be>
Signed-off-by: Carlos O'Donell <carlos@redhat.com>
---
2013-05-15 Guy Martin <gmsoft@tuxicoman.be>
Carlos O'Donell <carlos@redhat.com>
[BZ# 15000]
* ports/sysdeps/hppa/fpu/fpu_control.h (_FPU_GETCW): Set cw.
(_FPU_SETCW): Pass address to fldd.
Resolves#14888.
This only really manifests itself when there are no spaces between
format specifiers, which is not allowed by POSIX, but is allowed by
the glibc implementation.
Fixes#15346.
The POSIX description of getdate allows for extra spaces in the
getdate input string. __getdate_r uses strptime internally, which
works fine with extra spaces between format strings (and hence within
an input string) but not with leading and trailing spaces. So we trim
off the leading and trailing spaces before we pass it on to strptime.
The seen array was doubled in size recently, but the memset to clear
the array was not adjusted. We adjust the memset to always be correct
regardless of the size of seen.
---
2013-04-06 Carlos O'Donell <carlos@redhat.com>
[BZ #15309]
* elf/dl-open.c (dl_open_worker): memset all of seen array.
This change does two things:
* Treats a target i386-* as if it were i686.
* Fails configure if the user is generating code
for i386.
We no longer support i386 code-generation because the i386
lacks the atomic operations we need in glibc.
You can still configure for i386-*, but you get i686 code.
You can't build with --march=i386, --mtune=i386 or a compiler
that defaults to i386 code-generation.
I've added two i386 entries in the master todo list to discuss
merging and renaming:
http://sourceware.org/glibc/wiki/Development_Todo/Master#i386
The failure modes are fail-safe here. You compile for i386,
get i686, and try to run on i386 and it fails. The configure
log has a warning saying we elided to i686. There is no situation
that I can see where we run into any serious problems.
The patch makes the current state better in that we get less
confused users and we build successfully in more default
configurations.
The next enhancement would be to add --march=i?86
as suggested in #c20 of BZ#10062 for any i?86-* builds, which
would solve the problem of a 32-bit compiler that defaults to
i386 code-gen and glibc configured for i686-* target. Which
previously failed at build time, and now will fail at configure
time (requires adding --march=i686).
Updated NEWS with BZ #10060 and #10062.
No regressions.
---
2013-04-06 Carlos O'Donell <carlos@redhat.com>
[BZ #10060, #10062]
* aclocal.m4 (LIBC_COMPILER_BUILTIN_INLINED): New macro.
* sysdeps/i386/configure.in: Use LIBC_COMPILER_BUILTIN_INLINED and
fail configure if __sync_val_compare_and_swap is not inlined.
* sysdeps/i386/configure: Regenerate.
* configure.in: Build for i686 when configured for i386.
* configure: Regenerate.
* README: Remove i386 reference.
Fix BZ #15305.
On kernel versions earlier than 2.6.29, the Linux kernel exported a
sysctl called restrict_chown for xfs, which could be used to allow
chown to users other than the owner. 2.6.29 removed this support,
causing the open_not_cancel_2 to fail and thus modify errno. The fix
is to save and restore errno so that the caller sees it as unmodified.
Additionally, since the code to check the sysctl is not useful on
newer kernels, we add an ifdef so that in future the code block gets
rmeoved completely.
Fixes BZ #15304.
The *initgroups_dyn functions are called with a group argument. This
group gid is usually skipped while populating the grouplist since the
caller adds that group id in advance.
The hesiod initgroups_dyn implementation however adds the group gid to
the list if it does not already exist. While it works fine for the
usual initgroups, it breaks nscd since it calls initgroups_dyn with -1
as the gid (to have all groups included).
The patch increase the high value to check if expl overflows. Current
high mark value is not really correct, the algorithm accepts high values.
It also adds a correct wrapper function to check for overflow and underflow.
Due to a typo repeated several times, this bug hasn't been fixed yet,
despite being marked as resolved in glibc 2.12.
* sysdeps/x86_64/strcmp.S: Replace all occurrences of NOT_IN_lib
with NOT_IN_libc.
BZ#11261 was fixed in the 2.16 release even if we only found out
that it was fixed in the 2.18 release. Testing shows it is fixed
in the 2.16 release so we add it to that NEWS section.
Fixes BZ #12723
The variable pipe buffer size does nothing to the value of PIPE_BUF,
since the number of bytes that are atomically written is still
PIPE_BUF on Linux.
This reverts the change that allows the POSIX Thread default stack size
to be changed by the environment variable
GLIBC_PTHREAD_DEFAULT_STACKSIZE. It has been requested that more
discussion happen before this change goes into 2.18.
That convention requires the instruction immediately preceding SYSCALL
to initialize $v0 with the syscall number. Then if a restart triggers,
$v0 will have been clobbered by the syscall interrupted, and needs to be
reinititalized. The kernel will decrement the PC by 4 before switching
back to the user mode so that $v0 has been reloaded before SYSCALL is
executed again. This implies the place $v0 is loaded from must be
preserved across a syscall, e.g. an immediate, static register, stack
slot, etc.
The restriction was lifted with Linux 2.6.36 kernel release and no
special requirements are placed around the SYSCALL instruction anymore,
however we still support older kernel binaries.
* nscd/grpcache.c (cache_addgr): Rename alloca_used to
dataset_temporary. Track alloca usage into alloca_used.
If dataset is large allocate and release it via malloc/free.
* sunrpc/rpc/svc.h (__svc_accept_failed): New prototype.
* sunrpc/svc.c: Include time.h.
(__svc_accept_failed): New function.
* sunrpc/svc_tcp.c (rendezvous_request): If the accept fails for
any reason other than EINTR, call __svc_accept_failed.
* sunrpc/svc_udp.c (svcudp_recv): Similarly.
* sunrpc/svc_unix.c (rendezvous_request): Similarly.
2012-11-21 Chris Leonard <cjl@sugarlabs.org>
[BZ #14863]
* SUPPORTED: Add niu_NU and niu_NZ.
* locales/niu_NU: Add Niuean (Vagahau Niue) locale for Niue,
contributed by Chris Leonard <cjl@sugarlabs.org> and Emani
Fakaotimanava-Lui <emani@niue.nu>.
* locales/niu_NZ: Add Niuean (Vagahau Niue) locale for New
Zealand, contributed by Chris Leonard <cjl@sugarlabs.org> and Emani
Fakaotimanava-Lui <emani@niue.nu>.
protected. It is not safe when in multithread circumstance.
bindresvport() select a port number from the range 512 to 1023, when in
multithread circumstance, the port may be 1024. So the static variables will be
protected.
Signed-off-by: Peng Haitao <penght@cn.fujitsu.com>
Reviewed-by: Carlos O'Donell <carlos@systemhalted.org>
[BZ #14368]
* locales/szl_PL: New Silesian Language Locale for Poland.
Contributed by Przemyslaw Buczkowski <przemub@yahoo.pl>.
* localedata/SUPPORTED (SUPPORTED-LOCALES): Add szl_PL.
[BZ # 14828]
* locales/ayc_PE: Add Aymara locale for Peru
contributed by Chris Leonard <cjl@sugarlabs.org> and
Amos Batto <amosbatto@yahoo.com>.
* SUPPORTED (SUPPORTED-LOCALES): Add ayc_PE.
[BZ #14809]
* sysdeps/unix/sysv/linux/sys/sysctl.h (_UAPI_LINUX_KERNEL_H)
(_UAPI_LINUX_TYPES_H): Starting with Linux 3.7, the include header
guards are changed. Only define if not yet defined, #undef back
after including linux/sysctl.h if defined here.
* elf/Makefile (tests): Remove conditional for have-initfini-array
since this is now always required and the variable does not exist
anymore.
(tests-static): Likewise.
(modules-names): Likewise.
[BZ #14652]
When a thread waiting in pthread_cond_wait with a PI mutex is
cancelled after it has returned successfully from the futex syscall
but just before async cancellation is disabled, it enters its
cancellation handler with the mutex held and simply calling a
mutex_lock again will result in a deadlock. Hence, it is necessary to
see if the thread owns the lock and try to lock it only if it doesn't.
[BZ #14568]
* sysdeps/sparc/tls.h (DB_THREAD_SELF_INCLUDE): Delete.
(DB_THREAD_SELF): Use constants for the register offsets. Correct
the case of a 64-bit debugger with a 32-bit inferior.
[BZ #14417]
A futex call with FUTEX_WAIT_REQUEUE_PI returns with the mutex locked
on success. If such a successful thread is pipped to the cond_lock by
another spuriously woken waiter, it could be sent back to wait on the
futex with the mutex lock held, thus causing a deadlock. So it is
necessary that the thread relinquishes the mutex before going back to
sleep.
[BZ #14477]
Add an additional entry in the exception table to jump to
__condvar_w_cleanup2 instead of __condvar_w_cleanup for PI mutexes
when %ebx contains the address of the futex instead of the condition
variable.
* sysdeps/posix/getaddrinfo.c (default_scopes): Map RFC 1918
* addresses
to global scope.
* posix/tst-rfc3484.c: Verify 10/8, 172.16/12 and 196.128/16
addresses are in the same scope as 192.0.2/24.
* posix/gai.conf: Document new scope table defaults.
[BZ #14543]
Set the internal buffer state correctly whenever the external buffer
state is modified by fseek by either computing the current
_IO_read_ptr/end for the internal buffer based on the new _IO_read_ptr
in the external buffer or converting the content read into the
external buffer, up to the extent of the requested fseek offset.
[BZ #14376]
* sysdeps/sparc/sparc64/dl-machine.h (elf_machine_rela): Do not
pass reloc->r_addend in as the 'high' argument to
sparc64_fixup_plt when handling R_SPARC_JMP_IREL relocations.
Commit glibc-2.14~10 disallowed rtld self loading to avoid a segfault
that used to happen when rtld was loading itself in normal mode.
Unfortunately, that commit disallowed all modes of self loading,
including those that used to work before. This change limits the check
for self loading to normal mode only, so that instruments like ldd could
handle rtld properly.
[BZ #1349]
malloc_usable_size returns the usable size in an allocated chunk,
which may be >= the requested size. In the case of MALLOC_CHECK_ being
exported to > 0 however, only the requested size is usable, since a
magic value is written at the end of the request size to trap writes
beyond request bounds. Hence, when MALLOC_CHECK_ is exported to > 0,
malloc_usable_size() should return the request size.
[BZ #14538]
* sysdeps/x86_64/dl-machine.h (elf_machine_dynamic): Use the
first element of the GOT.
(elf_machine_load_address): Return the difference between
the runtime address of _DYNAMIC and elf_machine_dynamic ().
The ttyname and ttyname_r functions on Linux now fall back to
searching for the tty file descriptor in /dev/pts or /dev if /proc is
not available. This allows creation of chroots without the procfs
mounted on /proc.
Fixes BZ #14516.
Initially based on the versions found in wcsmbs/* ; these files have
been changed by hand unrolling, and adding some additional variables
to allow some read-ahead to occur, which then relieves some of the
wait-for-increment/wait-for-load/wait-for-compare-results pressure
that was slowing down every iteration through the while-loop.
For 64-bit Power7, These changes give an approx 20% throughput boost
for the wcschr and wcsrchr functions; and approx 40% boost for the
wcscpy function. 32-bit improvements appear to be slightly better
with ~ %30 and ~ %45 respectively. Results for Power6 closely match
those for power7.
2012-08-15 Liubov Dmitrieva <liubov.dmitrieva@gmail.com>
[BZ #14195]
* sysdeps/i386/i686/multiarch/strcmp-sssse3.S: Fix
segmentation fault for a case of two empty input strings.
* string/test-strncasecmp.c (check1): Renamed to...
(bz12205): ...this.
(bz14195): Add new testcase for two empty input strings and N > 0.
(test_main): Call new testcase, adapt for renamed function.
* malloc.c/arena.c (reused_arena): New parameter, avoid_arena.
When avoid_arena is set, don't retry in the that arena. Pick the
next one, whatever it might be.
(arena_get2): New parameter avoid_arena, pass through to reused_arena.
(arena_lock): Pass in new parameter to arena_get2.
* malloc/malloc.c (__libc_memalign): Pass in new parameter to
arena_get2.
(__libc_malloc): Unify retrying after main arena failure with
__libc_memalign version.
(__libc_valloc, __libc_pvalloc, __libc_calloc): Likewise.
Add support for STT_GNU_IFUNC symbols and the new R_390_IRELATIVE
relocation. Provide optimized version of memcpy, memset, and memcmp
for z10 and z196.
[BZ #13579] Do not free l_initfini and allow it to be reused
on subsequent dl_open calls for the same library. This fixes
the invalid memory access in do_lookup_x when the previously
free'd l_initfini was accessed through l_searchlist when a
library had been opened for the second time.
[BZ #13882]
* elf/dl-deps.c (_dl_map_object_deps): Fix cycle detection. Use
uint16_t for elements in the "seen" array to avoid char overflows.
* elf/dl-fini.c (_dl_sort_fini): Likewise.
* elf/dl-open.c (dl_open_worker): Likewise.
[BZ #14134]
When converting IBM930 code with iconv(), if IBM930 code which
includes invalid multibyte character "0xffff" is specified, then
iconv() segfaults. This is easy to see using the following command:
echo '0x0e 0x43 0x8c 0xff 0xff 0x43 0xbd 0x43 0xbd' | xxd -r |
iconv -f IBM930 -t UTF-8
[BZ #13743]
A new class of installed headers has been documented for low-level
platform-specific functionality. PowerPC added the first instance with a
function to provide time base register access (__ppc_get_timebase). This
is required for applications that measure time at high frequencies with
high precision that can't afford a syscall.
As of January 1st 2009, the "new" prefix was removed from the New
Turkish lira, its official name becoming "Turkish lira" again,
abbreviated "TL".
Patch by <gokcen@pardus.org.tr>.
When a stack is marked executable due to loading a DSO that requires
an executable stack, the logic tends to leave out a portion of stack
after the first frame, thus causing a difference in the value returned
by pthread_getattr_np before and after the stack is marked
executable. It ought to be possible to fix this by marking the rest of
the stack as executable too, but in the interest of marking as less of
the stack as executable as possible, the path this fix takes is to
make pthread_getattr_np also look at the first frame as the underflow
end of the stack and compute size and stack top accordingly.
The above happens only for the main process stack. NPTL thread stacks
are not affected by this change.
There is nothing in the POSIX specification to disallow a
single-threaded program from cancelling itself, so we forcibly enable
multiple_threads to allow the next available cancellation point in the
thread to run.
Also added additional tests to cover various cancellation scenarios.
