All binaries use TLS and thus need a properly set up TCB, so we can
simply return its address directly, instead of forwarding to the
libpthread implementation from libc.
For versioned symbols, the dynamic linker checks that the soname matches
the name supplied by the link editor, so a compatibility symbol in
libpthread is needed.
To avoid linking against the libpthread function in all cases, we would
have to bump the symbol version of libpthread in libc.so and supply a
compat symbol. This commit does not do that because the function
implementation is so small, so the overhead by two active copies of the
same function might well be smaller than the increase in symbol table
size.
In C++ mode, __MATH_TG cannot be used for defining iseqsig, because
__MATH_TG relies on __builtin_types_compatible_p, which is a C-only
builtin. This is true when float128 is provided as an ABI-distinct type
from long double.
Moreover, the comparison macros from ISO C take two floating-point
arguments, which need not have the same type. Choosing what underlying
function to call requires evaluating the formats of the arguments, then
selecting which is wider. The macro __MATH_EVAL_FMT2 provides this
information, however, only the type of the macro expansion is relevant
(actually evaluating the expression would be incorrect).
This patch provides a C++ version of iseqsig, in which only the type of
__MATH_EVAL_FMT2 (__typeof or decltype) is used as a template parameter
for __iseqsig_type. This function calls the appropriate underlying
function.
Tested for powerpc64le and x86_64.
[BZ #22377]
* math/Makefile [C++] (tests): Add test for iseqsig.
* math/math.h [C++] (iseqsig): New implementation, which does
not rely on __MATH_TG/__builtin_types_compatible_p.
* math/test-math-iseqsig.cc: New file.
* sysdeps/powerpc/powerpc64le/Makefile
(CFLAGS-test-math-iseqsig.cc): New variable.
There are just two users of fillin_rpath: one is decompose_rpath that
sets check_trusted argument to 0, another one is _dl_init_paths that
sets check_trusted argument to __libc_enable_secure and invokes
fillin_rpath only when LD_LIBRARY_PATH is non-empty.
Starting with commit
glibc-2.25.90-512-gf6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d,
LD_LIBRARY_PATH is ignored for __libc_enable_secure executables,
so check_trusted argument of fillin_rpath is always zero.
* elf/dl-load.c (is_trusted_path): Remove.
(fillin_rpath): Remove check_trusted argument and its use,
all callers changed.
After
commit 9d7a3741c9
Author: H.J. Lu <hjl.tools@gmail.com>
Date: Fri Dec 15 16:59:33 2017 -0800
Add --enable-static-pie configure option to build static PIE [BZ #19574]
and
commit 00c714df39
Author: H.J. Lu <hjl.tools@gmail.com>
Date: Mon Dec 18 12:24:26 2017 -0800
Pass -no-pie to GCC only if GCC defaults to PIE [BZ #22614]
$(no-pie-ldflag) is no longer effective since no-pie-ldflag is defined
to -no-pie only if GCC defaults to PIE. When --enable-static-pie is
used to configure glibc build and GCC doesn't default to PIE, no-pie-ldflag
is undefined and these tests:
elf/Makefile:LDFLAGS-tst-dlopen-aout = $(no-pie-ldflag)
elf/Makefile:LDFLAGS-tst-prelink = $(no-pie-ldflag)
elf/Makefile:LDFLAGS-tst-main1 = $(no-pie-ldflag)
gmon/Makefile:LDFLAGS-tst-gmon := $(no-pie-ldflag)
may fail to link. This patch replaces "-pie" with
$(if $($(@F)-no-pie),$(no-pie-ldflag),-pie)
and replaces
LDFLAGS-* = $(no-pie-ldflag)
with
tst-*-no-pie = yes
so that tst-dlopen-aout, tst-prelink, tst-main1 and tst-gmon are always
built as non-PIE, with and without --enable-static-pie, regardless if
GCC defaults to PIE or non-PIE.
Tested with build-many-glibcs.py without --enable-static-pie as well as
with --enable-static-pie for x86_64, x32 and i686.
[BZ #22630]
* Makeconfig (link-pie-before-libc): Replace -pie with
$(if $($(@F)-no-pie),$(no-pie-ldflag),-pie).
* elf/Makefile (LDFLAGS-tst-dlopen-aout): Removed.
(tst-dlopen-aout-no-pie): New.
(LDFLAGS-tst-prelink): Removed.
(tst-prelink-no-pie): New.
(LDFLAGS-tst-main1): Removed.
(tst-main1-no-pie): New.
* gmon/Makefile (LDFLAGS-tst-gmon): Removed.
(tst-gmon-no-pie): New.
To build static PIE, all .o files are compiled with -fPIE. Since
--enable-static-pie is designed to provide additional security hardening
benefits, it also implies that glibc programs and tests are created as
dynamic position independent executables (PIE) by default for better
security hardening.
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
* manual/install.texi: Document that --enable-static-pie
implies PIE.
* INSTALL: Regenerated.
As noted in bug 21309, dbl-64/e_pow.c contains signed int shifts that,
although the shift count is in the range [0, 31], shift bits into and
beyond the sign bit and so are undefined in ISO C. Although this is
defined in GNU C, this patch from the bug cleans up the code to avoid
those shifts.
Tested for x86_64.
[BZ #21309]
* sysdeps/ieee754/dbl-64/e_pow.c (checkint): Make m and n
unsigned.
Sync with gnulib 0e14f025d2.
Checked on x86_64-linux-gnu.
* lib/glob.c (glob): Use a 'char *', not a 'void *', in pointer
arithmetic.
Signed-off-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Problem reported by Tim Rühsen [1]. Sync with gnulib 0e14f025d2.
[1] https://lists.gnu.org/archive/html/bug-gnulib/2017-10/msg00054.html
Checked on x86_64-linux-gnu.
* lib/glob.c (glob): Do not pass NULL to mempcpy.
Signed-off-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
These changes will be active for all platforms that don't provide
their own exp() routines. They will also be active for ieee754
versions of ccos, ccosh, cosh, csin, csinh, sinh, exp10, gamma, and
erf.
The typical performance gain is around 5x when measured on
Sparc s7 for common values between exp(1) and exp(40).
Using the glibc perf tests on sparc,
            sparc (nsec)     x86 (nsec)
            old     new      old     new
max       17629     395     5173     144
min         399      54       15      13
mean       5317     200     1349      23
The extreme max times for the old (ieee754) exp are due to the
multiprecision computation in the old algorithm when the true value is
very near 0.5 ulp away from a value representable in double
precision. The new algorithm does not take special measures for those
cases. The current glibc exp perf tests overrepresent those values.
Informal testing suggests approximately one in 200 cases might
invoke the high cost computation. The performance advantage of the new
algorithm for other values is still large but not as large as indicated
by the chart above.
Glibc correctness tests for exp() and expf() were run. Within the
test suite 3 input values were found to cause 1 bit differences (ulp)
when "FE_TONEAREST" rounding mode is set. No differences in exp() were
seen for the tested values for the other rounding modes.
Typical example:
exp(-0x1.760cd2p+0) (-1.46113312244415283203125)
new code: 2.31973271630014299393707e-01 0x1.db14cd799387ap-3
old code: 2.31973271630014271638132e-01 0x1.db14cd7993879p-3
exp = 2.31973271630014285508337 (high precision)
Old delta: off by 0.49 ulp
New delta: off by 0.51 ulp
In addition, because ieee754_exp() is used by other routines, cexp()
showed test results with very small imaginary input values where the
imaginary portion of the result was off by 3 ulp when in upward
rounding mode, but not in the other rounding modes. For x86, tgamma
showed a few values where the ulp increased to 6 (max ulp for tgamma
is 5). Sparc tgamma did not show these failures. I presume the tgamma
differences are due to compiler optimization differences within the
gamma function. The gamma function is known to be difficult to compute
accurately.
* sysdeps/ieee754/dbl-64/e_exp.c: Include <math-svid-compat.h> and
<errno.h>. Include "eexp.tbl".
(half): New constant.
(one): Likewise.
(__ieee754_exp): Rewrite.
(__slowexp): Remove prototype.
* sysdeps/ieee754/dbl-64/eexp.tbl: New file.
* sysdeps/ieee754/dbl-64/slowexp.c: Remove file.
* sysdeps/i386/fpu/slowexp.c: Likewise.
* sysdeps/ia64/fpu/slowexp.c: Likewise.
* sysdeps/m68k/m680x0/fpu/slowexp.c: Likewise.
* sysdeps/x86_64/fpu/multiarch/slowexp-avx.c: Likewise.
* sysdeps/x86_64/fpu/multiarch/slowexp-fma.c: Likewise.
* sysdeps/x86_64/fpu/multiarch/slowexp-fma4.c: Likewise.
* sysdeps/generic/math_private.h (__slowexp): Remove prototype.
* sysdeps/ieee754/dbl-64/e_pow.c: Remove mention of slowexp.c in
comment.
* sysdeps/powerpc/power4/fpu/Makefile [$(subdir) = math]
(CPPFLAGS-slowexp.c): Remove variable.
* sysdeps/x86_64/fpu/multiarch/Makefile (libm-sysdep_routines):
Remove slowexp-fma, slowexp-fma4 and slowexp-avx.
(CFLAGS-slowexp-fma.c): Remove variable.
(CFLAGS-slowexp-fma4.c): Likewise.
(CFLAGS-slowexp-avx.c): Likewise.
* sysdeps/x86_64/fpu/multiarch/e_exp-avx.c (__slowexp): Do not
define as macro.
* sysdeps/x86_64/fpu/multiarch/e_exp-fma.c (__slowexp): Likewise.
* sysdeps/x86_64/fpu/multiarch/e_exp-fma4.c (__slowexp): Likewise.
* math/Makefile (type-double-routines): Remove slowexp.
* manual/probes.texi (slowexp_p6): Remove.
(slowexp_p32): Likewise.
Current optimized ia64 memchr uses a strategy to check for last address
by adding the input one with expected size. However it does not take
care for possible overflow.
It was triggered by 3038145ca2 where default rawmemchr now uses memchr
(p, c, (size_t)-1).
This patch fixes it by implementing a saturated addition where overflow
sets the maximum pointer size to UINTPTR_MAX.
Checked on ia64-linux-gnu where it fixes both stratcliff and
test-rawmemchr failures.
Adhemerval Zanella <adhemerval.zanella@linaro.org>
James Clarke <jrtc27@jrtc27.com>
[BZ #22603]
* sysdeps/ia64/memchr.S (__memchr): Avoid overflow in pointer
addition.
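The wraparound described in this commit message and the saturated addition that fixes it, modelled in C as an added example (this is not the ia64 assembly from glibc; the function names and the sample buffer are constructed for illustration):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* End address computed as "start + size" with no overflow check.
   uintptr_t arithmetic is used so the wraparound is well defined in C.  */
static uintptr_t end_wrapping(uintptr_t start, size_t n)
{
    return start + (uintptr_t)n;
}

/* Saturated addition: if start + n wraps around, clamp the end
   address to UINTPTR_MAX instead of letting it land below start.  */
static uintptr_t end_saturated(uintptr_t start, size_t n)
{
    uintptr_t end = start + (uintptr_t)n;
    return end < start ? UINTPTR_MAX : end;
}

typedef uintptr_t (*end_fn)(uintptr_t, size_t);

/* Hypothetical memchr model that stops when the cursor reaches a
   precomputed last address, the strategy the commit message describes.  */
static const void *memchr_by_end(const void *s, int c, size_t n,
                                 end_fn compute_end)
{
    const unsigned char *p = s;
    uintptr_t end = compute_end((uintptr_t)p, n);

    for (; (uintptr_t)p < end; p++)
        if (*p == (unsigned char)c)
            return p;
    return NULL;
}

/* Constructed sample input: the byte searched for is present, which is
   the precondition rawmemchr relies on when it passes (size_t)-1.  */
static const char sample[] = "rawmemchr scans until it finds X";

int main(void)
{
    /* Same call shape as memchr (p, c, (size_t)-1).  */
    const void *bad = memchr_by_end(sample, 'X', SIZE_MAX, end_wrapping);
    const void *good = memchr_by_end(sample, 'X', SIZE_MAX, end_saturated);

    printf("wrapping end:  %s\n", bad ? "found" : "not found (end < start)");
    printf("saturated end: %s\n", good ? "found" : "not found");
    return 0;
}
```

With the wrapping end address the loop never runs, so a byte that is present is reported as missing; the saturated version scans until it finds it.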
Since 3f823e87cc (Call exit directly in clone (BZ #21512)) SH clone
implementation fails to set the exit code resulting in the failures:
FAIL: nptl/tst-align-clone
FAIL: nptl/tst-getpid1
This patch fixes both testcases.
[BZ #22605]
* sysdeps/unix/sysv/linux/sh/clone.S (__clone): Fix exit return
code.
Signed-off-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
On x86, padding in struct __jmp_buf_tag is used for shadow stack pointer
to support Shadow Stack in Intel Control-flow Enforcement Technology.
cancel_jmp_buf has been updated to include saved_mask so that it is as
large as struct __jmp_buf_tag. We must support the old cancel_jmp_buf
in existing binaries. Since symbol versioning doesn't work on
cancel_jmp_buf, feature_1 is added to tcbhead_t so that setjmp and
longjmp can check if shadow stack is enabled. NB: Shadow stack is
enabled only if all modules are shadow stack enabled.
[BZ #22563]
* sysdeps/i386/nptl/tcb-offsets.sym (FEATURE_1_OFFSET): New.
* sysdeps/i386/nptl/tls.h (tcbhead_t): Add feature_1.
* sysdeps/x86_64/nptl/tcb-offsets.sym (FEATURE_1_OFFSET): New.
* sysdeps/x86_64/nptl/tls.h (tcbhead_t): Rename __glibc_unused1
to feature_1.
On x86, padding in struct __jmp_buf_tag is used for shadow stack pointer
to support shadow stack in Intel Control-flow Enforcement Technology.
Since the cancel_jmp_buf array is passed to setjmp and longjmp by
casting it to pointer to struct __jmp_buf_tag, it should be as large
as struct __jmp_buf_tag. Otherwise when shadow stack is enabled,
setjmp and longjmp will write and read beyond cancel_jmp_buf when saving
and restoring shadow stack pointer.
This patch adds bits/types/__cancel_jmp_buf_tag.h to define struct
__cancel_jmp_buf_tag so that Linux/x86 can add saved_mask to
cancel_jmp_buf.
Tested natively on i386, x86_64 and x32. Tested hppa-linux-gnu with
build-many-glibcs.py.
[BZ #22563]
* bits/types/__cancel_jmp_buf_tag.h: New file.
* sysdeps/unix/sysv/linux/x86/bits/types/__cancel_jmp_buf_tag.h
* sysdeps/unix/sysv/linux/x86/pthreaddef.h: Likewise.
* sysdeps/unix/sysv/linux/x86/nptl/pthreadP.h: Likewise.
* nptl/Makefile (headers): Add
bits/types/__cancel_jmp_buf_tag.h.
* nptl/descr.h [NEED_SAVED_MASK_IN_CANCEL_JMP_BUF]
(pthread_unwind_buf): Add saved_mask to cancel_jmp_buf.
* sysdeps/nptl/pthread.h: Include
<bits/types/__cancel_jmp_buf_tag.h>.
(__pthread_unwind_buf_t): Use struct __cancel_jmp_buf_tag with
__cancel_jmp_buf.
* sysdeps/unix/sysv/linux/hppa/pthread.h: Likewise.
Since the default GCC and binutils versions used by build-many-glibcs.py,
which are GCC 7 branch and binutils 2.29 branch, support static PIE on
x86_64, x32 and i686, this patch adds --enable-static-pie glibc variants
to x86_64, x32 and i686 to get some coverage for static PIE.
Tested with build-many-glibcs.py.
* scripts/build-many-glibcs.py (Context.add_all_configs): Add
--enable-static-pie variants to x86_64, x32 and i686.
m68k bits/mathinline.h declares various functions with const
attributes. These are inappropriate for functions that have results
depending on the rounding mode; the machine-independent
bits/mathcalls.h only uses const attributes for a very few functions
with no rounding mode dependence, and the m68k header should do
likewise. GCC uses pure for such functions with -frounding-math,
resulting in GCC mainline warning for conflicts between the
header and the built-in attributes and glibc failing to build for m68k
with GCC mainline.
This patch fixes the attributes to avoid using const except when
bits/mathcalls.h does so. (There are a few functions where maybe
bits/mathcalls.h could do so but doesn't, but keeping the headers in
sync in this regard seems to be the safe approach.)
Tested compilation with build-many-glibcs.py with GCC mainline.
[BZ #22631]
* sysdeps/m68k/m680x0/fpu/bits/mathinline.h (__m81_defun): Add
argument for attributes. All callers changed.
(__inline_mathop1): Likewise. All callers changed.
(__inline_mathop): Likewise. All callers changed.
[__USE_MISC] (scalbn): Use __inline_forward instead of
__inline_forward_c.
[__USE_ISOC99] (scalbln): Likewise.
[__USE_ISOC99] (nearbyint): Likewise.
[__USE_ISOC99] (lrint): Likewise.
[__USE_MISC] (scalbnf): Likewise.
[__USE_ISOC99] (scalblnf): Likewise.
[__USE_ISOC99] (nearbyintf): Likewise.
[__USE_ISOC99] (lrintf): Likewise.
[__USE_MISC] (scalbnl): Likewise.
[__USE_ISOC99] (scalblnl): Likewise.
[__USE_ISOC99] (nearbyintl): Likewise.
[__USE_ISOC99] (lrintl): Likewise.
* sysdeps/m68k/m680x0/fpu/mathimpl.h: All callers of
__inline_mathop and __m81_defun changed.
My fix to make the arm-linux-gnueabihf build-many-glibcs.py builds
actually use the hard-float ABI as intended showed up another issue
when building with mainline GCC: GCC now determines an FPU based on
the selected CPU or architecture and gives an error for
-mfloat-abi=hard when the CPU does not imply a choice of FPU. This
patch fixes all the affected configurations to specify a suitable
--with-cpu, --with-fpu or -mfpu option explicitly to avoid that error
from GCC.
Tested the relevant configurations with build-many-glibcs.py with
mainline GCC.
* scripts/build-many-glibcs.py (Context.add_all_configs): Specify
CPU or FPU for ARM hard-float configurations.
nptl/tst-attr3 fails to build with GCC mainline because of
(deliberate) aliasing between the second (attributes) and fourth
(argument to thread start routine) arguments to pthread_create.
Although both those arguments are restrict-qualified in POSIX,
pthread_create does not actually dereference its fourth argument; it's
an opaque pointer passed to the thread start routine. Thus, the
aliasing is actually valid in this case, and it's deliberate in the
test. So this patch makes the test disable -Wrestrict for the two
pthread_create calls in question. (-Wrestrict was added in GCC 7,
hence the __GNUC_PREREQ conditions, but the particular warning in
question is new in GCC 8.)
Tested compilation with build-many-glibcs.py for aarch64-linux-gnu.
* nptl/tst-attr3.c: Include <libc-diag.h>.
(do_test) [__GNUC_PREREQ (7, 0)]: Ignore -Wrestrict for two tests.
The test posix/tst-glob_symlinks.c fails to build with GCC mainline:
tst-glob_symlinks.c: In function 'do_test':
tst-glob_symlinks.c:124:30: error: 'snprintf' output may be truncated before the last format character [-Werror=format-truncation=]
snprintf (buf, sizeof buf, "%s?", dangling_link);
^~~~~
tst-glob_symlinks.c:124:3: note: 'snprintf' output between 2 and 4097 bytes into a destination of size 4096
snprintf (buf, sizeof buf, "%s?", dangling_link);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tst-glob_symlinks.c:128:30: error: 'snprintf' output may be truncated before the last format character [-Werror=format-truncation=]
snprintf (buf, sizeof buf, "%s*", dangling_link);
^~~~~
tst-glob_symlinks.c:128:3: note: 'snprintf' output between 2 and 4097 bytes into a destination of size 4096
snprintf (buf, sizeof buf, "%s*", dangling_link);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This patch fixes the test to avoid such truncation warnings by
increasing the buffer in question by one byte, to ensure it can hold
any possible result of %s? or %s* formats where %s comes from a buffer
of size PATH_MAX.
Tested compilation with build-many-glibcs.py for aarch64-linux-gnu.
* posix/tst-glob_symlinks.c (do_test): Increase size of buf.
Some strncat tests fail to build with GCC 8 because of -Warray-bounds
warnings. These tests deliberately test over-large size arguments
passed to strncat, and already disable -Wstringop-overflow warnings,
but now the warnings for these tests come under -Warray-bounds so that
option needs disabling for them as well, which this patch does (with
an update on the comments; the DIAG_IGNORE_NEEDS_COMMENT call for
-Warray-bounds doesn't need to be conditional itself, because that
option is supported by all versions of GCC that can build glibc).
Tested compilation with build-many-glibcs.py for aarch64-linux-gnu.
* string/tester.c (test_strncat): Also disable -Warray-bounds
warnings for two tests.
After --enable-static-pie is added to configure, libc_cv_pie_default is
set to yes when either --enable-static-pie is used to configure glibc
or GCC defaults to PIE. We should set no-pie-ldflag to -no-pie, which
is supported on GCC 6 and later, only if GCC defaults to PIE, not when
--enable-static-pie is used to configure glibc.
Tested on x32 with --enable-static-pie using GCC 5 and without
--enable-static-pie using GCC 7.
[BZ #22614]
* Makeconfig (no-pie-ldflag): Set to -no-pie only if
$(cc-pie-default) == yes.
* config.make.in (cc-pie-default): New.
* configure.ac (libc_cv_pie_default): Renamed to ...
(libc_cv_cc_pie_default): This.
(libc_cv_pie_default): Set to $libc_cv_cc_pie_default.
* configure: Regenerated.
GLRO (_rtld_global_ro) is read-only after initialization and can
therefore not be patched at run time, unlike the hook table addresses
and their contents, so this is a desirable hardening feature.
The hooks are only needed if ld.so has not been initialized, and this
happens only after static dlopen (dlmopen uses a single ld.so object
across all namespaces).
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Current GCC mainline detects that nscd calls readlink with the same
buffer for both input and output, which is not valid (those arguments
are both restrict-qualified in POSIX). This patch makes it use a
separate buffer for readlink's input (with a size that is sufficient
to avoid truncation, so there should be no problems with warnings
about possible truncation, though not strictly minimal, but much
smaller than the buffer for output) to avoid this problem.
Tested compilation for aarch64-linux-gnu with build-many-glibcs.py.
[BZ #22446]
* nscd/connections.c (handle_request) [SO_PEERCRED]: Use separate
buffers for readlink input and output.
Similar to commit 1ab47db00dfbc0128119e3503d3ed640ffc4830b
("mips64: fix clobbering s0 in setjmp() [BZ #22624]")
as sysdeps/mips/setjmp_aux.c is almost an identical copy
of sysdeps/mips/mips64/setjmp_aux.c.
[BZ #22624]
* sysdeps/mips/setjmp_aux.c (__sigsetjmp_aux): Use
inhibit_stack_protector.
When configured as --enable-stack-protector=all glibc
inserts stack checking canary into every function
including __sigsetjmp_aux(). Stack checking code
ends up using s0 register to temporarily hold address
of global canary value.
Unfortunately __sigsetjmp_aux assumes no caller' caller-save
registers should be clobbered as it stores them as-is.
The fix is to disable stack protection of __sigsetjmp_aux.
Tested on the following test:
#include <setjmp.h>
#include <stdio.h>
int main() {
    jmp_buf jb;
    volatile register long s0 asm ("$s0");
    s0 = 1234;
    if (setjmp(jb) == 0)
        longjmp(jb, 1);
    printf ("$s0 = %lu\n", s0);
}
Without the fix:
$ qemu-mipsn32 -L . ./mips-longjmp-bug
$s0 = 1082346228
With the fix:
$ qemu-mipsn32 -L . ./mips-longjmp-bug
$s0 = 1234
[BZ #22624]
* sysdeps/mips/mips64/setjmp_aux.c (__sigsetjmp_aux): Use
inhibit_stack_protector.
Starting with commit
glibc-2.18.90-470-g2a939a7e6d81f109d49306bc2e10b4ac9ceed8f9 that
introduced substitution of dynamic string tokens in fillin_rpath,
_dl_init_paths invokes _dl_dst_substitute for $LD_LIBRARY_PATH twice:
the first time it's called directly, the second time the result
is passed on to fillin_rpath which calls expand_dynamic_string_token
which in turn calls _dl_dst_substitute, leading to the following
behaviour:
$ mkdir -p /tmp/'$ORIGIN' && cd /tmp/'$ORIGIN' &&
echo 'int main(){}' |gcc -xc - &&
strace -qq -E LD_LIBRARY_PATH='$ORIGIN' -e /open ./a.out
open("/tmp//tmp/$ORIGIN/tls/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/tmp//tmp/$ORIGIN/tls/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/tmp//tmp/$ORIGIN/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/tmp//tmp/$ORIGIN/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
Fix this by removing the direct _dl_dst_substitute invocation.
* elf/dl-load.c (_dl_init_paths): Remove _dl_dst_substitute preparatory
code and invocation.
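The double substitution shown in the strace output above, reproduced with a simplified model as an added example (this is not glibc's code: expand_origin is a hypothetical stand-in that only replaces the literal token $ORIGIN, and the paths are the ones from the commit message plus one constructed path):

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for dynamic string token substitution: replace
   every literal "$ORIGIN" in IN with ORIGIN.  Returns a malloc'd string
   or NULL.  The real _dl_dst_substitute handles more tokens and rules.  */
static char *expand_origin(const char *in, const char *origin)
{
    static const char tok[] = "$ORIGIN";
    const size_t toklen = sizeof tok - 1;
    const size_t olen = strlen(origin);
    size_t count = 0;

    for (const char *p = in; (p = strstr(p, tok)) != NULL; p += toklen)
        count++;

    char *out = malloc(strlen(in) - count * toklen + count * olen + 1);
    if (out == NULL)
        return NULL;

    char *w = out;
    const char *p = in;
    const char *hit;
    while ((hit = strstr(p, tok)) != NULL) {
        memcpy(w, p, (size_t)(hit - p));   /* text before the token */
        w += hit - p;
        memcpy(w, origin, olen);           /* the expansion itself */
        w += olen;
        p = hit + toklen;
    }
    strcpy(w, p);                          /* remaining tail */
    return out;
}

/* Behaviour before the fix: the value is expanded, and the result is
   handed to a second routine that expands it again.  */
static char *search_dir_double(const char *path, const char *origin)
{
    char *once = expand_origin(path, origin);
    if (once == NULL)
        return NULL;
    char *twice = expand_origin(once, origin);
    free(once);
    return twice;
}

/* Behaviour after the fix: exactly one expansion.  */
static char *search_dir_single(const char *path, const char *origin)
{
    return expand_origin(path, origin);
}

int main(void)
{
    /* The executable lives in a directory literally named "$ORIGIN".  */
    const char *origin = "/tmp/$ORIGIN";
    char *before = search_dir_double("$ORIGIN", origin);
    char *after = search_dir_single("$ORIGIN", origin);

    if (before == NULL || after == NULL)
        return 1;
    printf("double expansion: %s\n", before);
    printf("single expansion: %s\n", after);
    free(before);
    free(after);
    return 0;
}
```

The two versions agree whenever the origin directory contains no token text, which is why the bug only surfaces for a directory name such as the one used in the reproducer.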
There are three flavors of the crt startup code:
1) crt1.o used for non-pie,
2) Scrt1.o used for dynamic linked pie (dynamic linker relocates),
3) rcrt1.o used for static linked pie (self relocation is needed)
In the --enable-static-pie case crt1.o is built with -DPIC and in case
of static linking it interposes _dl_relocate_static_pie in libc to
avoid self relocation.
Scrt1.o is built with -DPIC -DSHARED and it relies on GOT entries that
the static linker cannot relax and thus need relocation before the
start code is executed, so rcrt1.o needs separate implementation.
This implementation does not work for .text > 4G position independent
executables, which is fine since the toolchain does not support
-mcmodel=large with -fPIE.
Tests pass with ld/22269 and ld/22263 binutils bugs fixed.
* sysdeps/aarch64/start.S (_start): Handle PIC && !SHARED case.
ldconfig supports `include' directives and uses the glob function to
process them. The glob function sorts entries according to the LC_COLLATE
category. When using a standard "include /etc/ld.so.conf.d/*.conf" entry
in /etc/ld.so.conf, the order therefore depends on the locale used to
run ldconfig. A few examples of locale specific order that might be
disturbing in that context compared to the C locale:
- The cs_CZ and sk_SK locales sort the digits after the letters.
- The et_EE locale sorts the 'z' between 's' and 't'.
This patch fixes that by setting LC_COLLATE to C in order to process
files in deterministic order, independently of the locale used to launch
ldconfig.
NOTE: This should NOT be backported to older release branches.
Changelog:
[BZ #22505]
* elf/ldconfig.c (main): Call setlocale to force LC_COLLATE to C.
The test tst-leaks1 exercises calling dlopen with a $ORIGIN DST.
This results in a theoretical leak e.g.
Memory not freed:
-----------------
Address Size Caller
0x0000000001d766c0 0x21 at 0x7fb1bd8bf4ab
Or as seen via valgrind:
==27582== 33 bytes in 1 blocks are still reachable in loss record 1 of 1
==27582== at 0x4C2CB6B: malloc (vg_replace_malloc.c:299)
==27582== by 0x40124AA: _dl_get_origin (dl-origin.c:50)
==27582== by 0x4007DB9: expand_dynamic_string_token (dl-load.c:382)
==27582== by 0x400899C: _dl_map_object (dl-load.c:2160)
==27582== by 0x4013020: dl_open_worker (dl-open.c:224)
==27582== by 0x5166F9B: _dl_catch_exception (dl-error-skeleton.c:198)
==27582== by 0x4012BD9: _dl_open (dl-open.c:594)
==27582== by 0x4E39EF5: dlopen_doit (dlopen.c:66)
==27582== by 0x5166F9B: _dl_catch_exception (dl-error-skeleton.c:198)
==27582== by 0x516700E: _dl_catch_error (dl-error-skeleton.c:217)
==27582== by 0x4E3A514: _dlerror_run (dlerror.c:162)
==27582== by 0x4E39F70: dlopen@@GLIBC_2.2.5 (dlopen.c:87)
There is no real leak.
The calling link map (the executable's link map) has its l_origin
expanded for future use as part of _dl_get_origin, and that results
in the main executable link map having a N-byte allocation for
l->l_origin that is never freed since the executable's link map is
just a part of the process.
To take this into account we do one dlopen with $ORIGIN before
calling mtrace to force the initialization of the executable link
map.
Signed-off-by: Carlos O'Donell <carlos@redhat.com>
Static PIE extends address space layout randomization to static
executables. It provides additional security hardening benefits at
the cost of some memory and performance.
Dynamic linker, ld.so, is a standalone program which can be loaded at
any address. This patch adds a configure option, --enable-static-pie,
to embed the part of ld.so in static executable to create static position
independent executable (static PIE). A static PIE is similar to static
executable, but can be loaded at any address without help from a dynamic
linker. When --enable-static-pie is used to configure glibc, libc.a is
built as PIE and all static executables, including tests, are built as
static PIE. The resulting libc.a can be used together with GCC 8 or
above to build static PIE with the compiler option, -static-pie. But
GCC 8 isn't required to build glibc with --enable-static-pie. Only GCC
with PIE support is needed. When an older GCC is used to build glibc
with --enable-static-pie, proper input files are passed to linker to
create static executables as static PIE, together with "-z text" to
prevent dynamic relocations in read-only segments, which are not allowed
in static PIE.
The following changes are made for static PIE:
1. Add a new function, _dl_relocate_static_pie, to:
a. Get the run-time load address.
b. Read the dynamic section.
c. Perform dynamic relocations.
Dynamic linker also performs these steps. But static PIE doesn't load
any shared objects.
2. Call _dl_relocate_static_pie at entrance of LIBC_START_MAIN in
libc.a. crt1.o, which is used to create dynamic and non-PIE static
executables, is updated to include a dummy _dl_relocate_static_pie.
rcrt1.o is added to create static PIE, which will link in the real
_dl_relocate_static_pie. grcrt1.o is also added to create static PIE
with -pg. GCC 8 has been updated to support rcrt1.o and grcrt1.o for
static PIE.
Static PIE can work on all architectures which support PIE, provided:
1. Target must support accessing of local functions without dynamic
relocations, which is needed in start.S to call __libc_start_main with
function addresses of __libc_csu_init, __libc_csu_fini and main. All
functions in static PIE are local functions. If PIE start.S can't reach
main () defined in a shared object, the code sequence:
pass address of local_main to __libc_start_main
...
local_main:
tail call to main via PLT
can be used.
2. start.S is updated to check PIC instead of SHARED for PIC code path and
avoid dynamic relocation, when PIC is defined and SHARED isn't defined,
to support static PIE.
3. All assembly codes are updated to check PIC instead of SHARED for PIC
code path to avoid dynamic relocations in read-only sections.
4. All assembly codes are updated to check SHARED instead of PIC for static
symbol name.
5. elf_machine_load_address in dl-machine.h is updated to support static
PIE.
6. __brk works without TLS or dynamic relocations in read-only section
so that it can be used by __libc_setup_tls to initialize TLS in static
PIE.
NB: When glibc is built with GCC defaulted to PIE, libc.a is compiled
with -fPIE, regardless if --enable-static-pie is used to configure glibc.
When glibc is configured with --enable-static-pie, libc.a is compiled
with -fPIE, regardless whether GCC defaults to PIE or not. The same
libc.a can be used to build both static executable and static PIE.
There is no need for separate PIE copy of libc.a.
On x86-64, the normal static sln:
text data bss dec hex filename
625425 8284 5456 639165 9c0bd elf/sln
the static PIE sln:
text data bss dec hex filename
657626 20636 5392 683654 a6e86 elf/sln
The code size is increased by 5% and the binary size is increased by 7%.
Linker requirements to build glibc with --enable-static-pie:
1. Linker supports --no-dynamic-linker to remove PT_INTERP segment from
static PIE.
2. Linker can create working static PIE. The x86-64 linker needs the
fix for
https://sourceware.org/bugzilla/show_bug.cgi?id=21782
The i386 linker needs to be able to convert "movl main@GOT(%ebx), %eax"
to "leal main@GOTOFF(%ebx), %eax" if main is defined locally.
Binutils 2.29 or above are OK for i686 and x86-64. But linker status for
other targets needs to be verified.
3. Linker should resolve undefined weak symbols to 0 in static PIE:
https://sourceware.org/bugzilla/show_bug.cgi?id=22269
4. Many ELF backend linkers incorrectly check bfd_link_pic for TLS
relocations, which should check bfd_link_executable instead:
https://sourceware.org/bugzilla/show_bug.cgi?id=22263
Tested on aarch64, i686 and x86-64.
Using GCC 7 and binutils master branch, build-many-glibcs.py with
--enable-static-pie with all patches for static PIE applied have the
following build successes:
PASS: glibcs-aarch64_be-linux-gnu build
PASS: glibcs-aarch64-linux-gnu build
PASS: glibcs-armeb-linux-gnueabi-be8 build
PASS: glibcs-armeb-linux-gnueabi build
PASS: glibcs-armeb-linux-gnueabihf-be8 build
PASS: glibcs-armeb-linux-gnueabihf build
PASS: glibcs-arm-linux-gnueabi build
PASS: glibcs-arm-linux-gnueabihf build
PASS: glibcs-arm-linux-gnueabihf-v7a build
PASS: glibcs-arm-linux-gnueabihf-v7a-disable-multi-arch build
PASS: glibcs-m68k-linux-gnu build
PASS: glibcs-microblazeel-linux-gnu build
PASS: glibcs-microblaze-linux-gnu build
PASS: glibcs-mips64el-linux-gnu-n32 build
PASS: glibcs-mips64el-linux-gnu-n32-nan2008 build
PASS: glibcs-mips64el-linux-gnu-n32-nan2008-soft build
PASS: glibcs-mips64el-linux-gnu-n32-soft build
PASS: glibcs-mips64el-linux-gnu-n64 build
PASS: glibcs-mips64el-linux-gnu-n64-nan2008 build
PASS: glibcs-mips64el-linux-gnu-n64-nan2008-soft build
PASS: glibcs-mips64el-linux-gnu-n64-soft build
PASS: glibcs-mips64-linux-gnu-n32 build
PASS: glibcs-mips64-linux-gnu-n32-nan2008 build
PASS: glibcs-mips64-linux-gnu-n32-nan2008-soft build
PASS: glibcs-mips64-linux-gnu-n32-soft build
PASS: glibcs-mips64-linux-gnu-n64 build
PASS: glibcs-mips64-linux-gnu-n64-nan2008 build
PASS: glibcs-mips64-linux-gnu-n64-nan2008-soft build
PASS: glibcs-mips64-linux-gnu-n64-soft build
PASS: glibcs-mipsel-linux-gnu build
PASS: glibcs-mipsel-linux-gnu-nan2008 build
PASS: glibcs-mipsel-linux-gnu-nan2008-soft build
PASS: glibcs-mipsel-linux-gnu-soft build
PASS: glibcs-mips-linux-gnu build
PASS: glibcs-mips-linux-gnu-nan2008 build
PASS: glibcs-mips-linux-gnu-nan2008-soft build
PASS: glibcs-mips-linux-gnu-soft build
PASS: glibcs-nios2-linux-gnu build
PASS: glibcs-powerpc64le-linux-gnu build
PASS: glibcs-powerpc64-linux-gnu build
PASS: glibcs-tilegxbe-linux-gnu-32 build
PASS: glibcs-tilegxbe-linux-gnu build
PASS: glibcs-tilegx-linux-gnu-32 build
PASS: glibcs-tilegx-linux-gnu build
PASS: glibcs-tilepro-linux-gnu build
and the following build failures:
FAIL: glibcs-alpha-linux-gnu build
elf/sln failed to link due to:
assertion fail bfd/elf64-alpha.c:4125
This is caused by linker bug and/or non-PIC code in PIE libc.a.
FAIL: glibcs-hppa-linux-gnu build
elf/sln failed to link due to:
collect2: fatal error: ld terminated with signal 11 [Segmentation fault]
https://sourceware.org/bugzilla/show_bug.cgi?id=22537
FAIL: glibcs-ia64-linux-gnu build
elf/sln failed to link due to:
collect2: fatal error: ld terminated with signal 11 [Segmentation fault]
FAIL: glibcs-powerpc-linux-gnu build
FAIL: glibcs-powerpc-linux-gnu-soft build
FAIL: glibcs-powerpc-linux-gnuspe build
FAIL: glibcs-powerpc-linux-gnuspe-e500v1 build
elf/sln failed to link due to:
ld: read-only segment has dynamic relocations.
This is caused by a linker bug and/or non-PIC code in PIE libc.a. See:
https://sourceware.org/bugzilla/show_bug.cgi?id=22264
FAIL: glibcs-powerpc-linux-gnu-power4 build
elf/sln failed to link due to:
findlocale.c:96:(.text+0x22c): @local call to ifunc memchr
This is caused by a linker bug and/or non-PIC code in PIE libc.a.
FAIL: glibcs-s390-linux-gnu build
elf/sln failed to link due to:
collect2: fatal error: ld terminated with signal 11 [Segmentation fault], core dumped
assertion fail bfd/elflink.c:14299
This is caused by a linker bug and/or non-PIC code in PIE libc.a.
FAIL: glibcs-sh3eb-linux-gnu build
FAIL: glibcs-sh3-linux-gnu build
FAIL: glibcs-sh4eb-linux-gnu build
FAIL: glibcs-sh4eb-linux-gnu-soft build
FAIL: glibcs-sh4-linux-gnu build
FAIL: glibcs-sh4-linux-gnu-soft build
elf/sln failed to link due to:
ld: read-only segment has dynamic relocations.
This is caused by a linker bug and/or non-PIC code in PIE libc.a. See:
https://sourceware.org/bugzilla/show_bug.cgi?id=22263
Also, the TLS code sequence in SH assembly syscalls in glibc doesn't match
the TLS code sequence expected by ld:
https://sourceware.org/bugzilla/show_bug.cgi?id=22270
FAIL: glibcs-sparc64-linux-gnu build
FAIL: glibcs-sparcv9-linux-gnu build
FAIL: glibcs-tilegxbe-linux-gnu build
FAIL: glibcs-tilegxbe-linux-gnu-32 build
FAIL: glibcs-tilegx-linux-gnu build
FAIL: glibcs-tilegx-linux-gnu-32 build
FAIL: glibcs-tilepro-linux-gnu build
elf/sln failed to link due to:
ld: read-only segment has dynamic relocations.
This is caused by a linker bug and/or non-PIC code in PIE libc.a. See:
https://sourceware.org/bugzilla/show_bug.cgi?id=22263
[BZ #19574]
* INSTALL: Regenerated.
* Makeconfig (real-static-start-installed-name): New.
(pic-default): Updated for --enable-static-pie.
(pie-default): New for --enable-static-pie.
(default-pie-ldflag): Likewise.
(+link-static-before-libc): Replace $(DEFAULT-LDFLAGS-$(@F))
with $(if $($(@F)-no-pie),$(no-pie-ldflag),$(default-pie-ldflag)).
Replace $(static-start-installed-name) with
$(real-static-start-installed-name).
(+prectorT): Updated for --enable-static-pie.
(+postctorT): Likewise.
(CFLAGS-.o): Add $(pie-default).
(CFLAGS-.op): Likewise.
* NEWS: Mention --enable-static-pie.
* config.h.in (ENABLE_STATIC_PIE): New.
* configure.ac (--enable-static-pie): New configure option.
(have-no-dynamic-linker): New LIBC_CONFIG_VAR.
(have-static-pie): Likewise.
Enable static PIE if linker supports --no-dynamic-linker.
(ENABLE_STATIC_PIE): New AC_DEFINE.
(enable-static-pie): New LIBC_CONFIG_VAR.
* configure: Regenerated.
* csu/Makefile (omit-deps): Add r$(start-installed-name) and
gr$(start-installed-name) for --enable-static-pie.
(extra-objs): Likewise.
(install-lib): Likewise.
(extra-objs): Add static-reloc.o and static-reloc.os
($(objpfx)$(start-installed-name)): Also depend on
$(objpfx)static-reloc.o.
($(objpfx)r$(start-installed-name)): New.
($(objpfx)g$(start-installed-name)): Also depend on
$(objpfx)static-reloc.os.
($(objpfx)gr$(start-installed-name)): New.
* csu/libc-start.c (LIBC_START_MAIN): Call _dl_relocate_static_pie
in libc.a.
* csu/libc-tls.c (__libc_setup_tls): Add main_map->l_addr to
initimage.
* csu/static-reloc.c: New file.
* elf/Makefile (routines): Add dl-reloc-static-pie.
(elide-routines.os): Likewise.
(DEFAULT-LDFLAGS-tst-tls1-static-non-pie): Removed.
(tst-tls1-static-non-pie-no-pie): New.
* elf/dl-reloc-static-pie.c: New file.
* elf/dl-support.c (_dl_get_dl_main_map): New function.
* elf/dynamic-link.h (ELF_DURING_STARTUP): Also check
STATIC_PIE_BOOTSTRAP.
* elf/get-dynamic-info.h (elf_get_dynamic_info): Likewise.
* gmon/Makefile (tests): Add tst-gmon-static-pie.
(tests-static): Likewise.
(DEFAULT-LDFLAGS-tst-gmon-static): Removed.
(tst-gmon-static-no-pie): New.
(CFLAGS-tst-gmon-static-pie.c): Likewise.
(CRT-tst-gmon-static-pie): Likewise.
(tst-gmon-static-pie-ENV): Likewise.
(tests-special): Likewise.
($(objpfx)tst-gmon-static-pie.out): Likewise.
(clean-tst-gmon-static-pie-data): Likewise.
($(objpfx)tst-gmon-static-pie-gprof.out): Likewise.
* gmon/tst-gmon-static-pie.c: New file.
* manual/install.texi: Document --enable-static-pie.
* sysdeps/generic/ldsodefs.h (_dl_relocate_static_pie): New.
(_dl_get_dl_main_map): Likewise.
* sysdeps/i386/configure.ac: Check if linker supports static PIE.
* sysdeps/x86_64/configure.ac: Likewise.
* sysdeps/i386/configure: Regenerated.
* sysdeps/x86_64/configure: Likewise.
* sysdeps/mips/Makefile (ASFLAGS-.o): Add $(pie-default).
(ASFLAGS-.op): Likewise.
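The commit above adds static PIE support (--enable-static-pie, linked with --no-dynamic-linker). As an added illustration that is not part of the glibc commit, this Python sketch tells a static PIE apart from the other link models by reading e_type, PT_INTERP, PT_DYNAMIC and DT_FLAGS_1 of a little-endian ELF64 image. It assumes the linker sets DF_1_PIE; classify_elf64, build_sample and the returned labels are names made up for this example, and the sample image is constructed.

```python
import struct

# Constants from the ELF gABI and <elf.h>.
ET_EXEC, ET_DYN, PT_DYNAMIC, PT_INTERP = 2, 3, 2, 3
DT_NULL, DT_FLAGS_1, DF_1_PIE = 0, 0x6FFFFFFB, 0x08000000

def classify_elf64(data):
    """Return the link model of a little-endian ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    interp, dyn = False, None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_INTERP:
            interp = True          # a dynamic linker is requested
        elif p_type == PT_DYNAMIC:
            dyn = (p_offset, p_filesz)
    flags_1 = 0
    if dyn:                        # walk Elf64_Dyn entries (16 bytes each)
        for off in range(dyn[0], dyn[0] + dyn[1], 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_FLAGS_1:
                flags_1 = d_val
    if e_type == ET_EXEC:
        return "dynamic non-PIE" if interp else "static non-PIE"
    if e_type != ET_DYN:
        return "not an executable"
    if interp:
        return "dynamic PIE"
    if flags_1 & DF_1_PIE:
        return "static PIE"        # self-relocating, no PT_INTERP
    return "shared object or unflagged static PIE"

def build_sample(e_type, interp, flags_1):
    """Constructed header-only ELF64 image (sample input, not a real binary)."""
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", e_type,
                       62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    ph = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 176, 0, 0, 32, 32, 8)
    ph += struct.pack("<IIQQQQQQ", PT_INTERP if interp else 0, 4, 0, 0, 0, 0, 0, 1)
    return ehdr + ph + struct.pack("<qQqQ", DT_FLAGS_1, flags_1, DT_NULL, 0)

if __name__ == "__main__":
    print(classify_elf64(build_sample(ET_DYN, False, DF_1_PIE)))
```

On a real file, pass the bytes read from the binary; an ET_DYN image without PT_INTERP and without DF_1_PIE cannot be told apart from a shared object by its headers alone, which is why that case gets its own label.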
Three tests fail with a read-only source directory because they try to
write into the source directory. None of these write into it in a way
that should actually be problematic for concurrent builds sharing the
same writable source directory, but avoiding any writing into the
source directory (from testing, or from building glibc if the source
timestamps are properly ordered) is still a good idea, as being able
to build with read-only sources helps make sure there isn't anything
that could cause problems for concurrent builds.
This patch changes the tests in question to use either /tmp or the
build directory to write their temporary files (or to test O_TMPFILE,
as applicable).
Tested for x86_64.
* io/Makefile (tst-open-tmpfile-ARGS): New variable.
* posix/tst-mmap-offset.c (fname): Use /tmp.
* stdlib/tst-setcontext3.sh (tempfile): Use ${objpfx}.
The conventional configure triplet for ARM GNU/Linux with hard-float
ABI is arm-*-linux-gnueabihf. However, GCC does not automatically use
the hard-float ABI based on that triplet. This patch fixes
build-many-glibcs.py to pass --with-float=hard so that the
arm-linux-gnueabihf configurations actually build with the intended
ABI.
Tested building the affected configurations with build-many-glibcs.py.
* scripts/build-many-glibcs.py (Context.add_all_configs): Use
--with-float=hard for arm-linux-gnueabihf configurations.
Building and installing glibc leaves .mo files (compiled message
translations) behind in the source directory. Building those files in
the source directory may once have made sense, if they were included
in release tarballs; now that release tarballs are just the output of
"git archive", building any non-checked-in files in the source
directory does not make sense. This patch changes these files to be
built in the build directory instead. The realclean rule is changed
to simply adding the .mo files to the "generated" variable, since once
the files are in the build directory it makes no sense to exclude them
from normal cleanup rules.
This is necessary but not sufficient to avoid build-many-glibcs.py
needing to copy the glibc source directory. Its list of files to
touch on checkout to avoid subsequent regeneration (configure,
preconfigure, *-kw.h) is incomplete (missing at least INSTALL,
sysdeps/gnu/errlist.c, posix/testcases.h, posix/ptestcases.h,
locale/C-translit.h, (only regenerated for Hurd builds)
sysdeps/mach/hurd/bits/errno.h, (only regenerated for 32-bit SPARC
builds) sysdeps/sparc/sparc32/{sdiv,udiv,rem,urem}.S) - the existing
list may be sufficient to prevent regeneration that actually changes
the file contents depending on the installed build tools, but not to
ensure there is no regeneration at all - and there might well be other
things writing into the source directory in the course of building and
testing (so needing appropriate testing with read-only source
directories with different timestamp orderings to find and eliminate
all such cases).
Tested for x86_64.
[BZ #14121]
* po/Makefile (generated): Add $(ALL_LINGUAS:%=%.mo).
(%.mo): Change to $(objpfx)%.mo. Use $(make-target-directory).
($(mo-installed)): Use $(objpfx)%.mo.
(realclean): Remove rule.
po/Makefile has both old code for copying .po files from a shared
directory /com/share/ftp/gnu/po/maint/glibc (presumably once present
on some GNU server), and new code for downloading them from the
Translation Project. This patch removes the old code, leaving only
the new code.
Tested for x86_64.
* po/Makefile (linguas): Remove rule and dependencies.
(linguas.mo): Likewise.
(.PHONY): Do not depend on linguas and linguas.mo.
(podir): Remove variable.
(pofiles): Likewise.
[$(pofiles)] (%.po): Remove rule.
While working on another patch I noticed that (a)
sysdeps/sparc/sparc32/Makefile is the only place with special
realclean settings, apart from po/, and (b) the generated files with a
rule in that Makefile to generate them (using m4) had been patched
manually so no longer corresponded with the output of the generator -
so if the timestamps were wrong, a build would result in changes to
the files in the source directory. (They also didn't correspond
because of changes in make 3.81 to how make handles whitespace at the
start of a line in a sequence of backslash-newline continuation lines
within a recipe.)
This patch fixes the generation and output files to match. The issue
with make and whitespace at start of continuation lines is fixed by
putting those newlines outside of arguments to echo, so the number of
spaces in the argument matches the number in the existing generated
files. Then divrem.m4 is changed to avoid generating whitespace-only
lines (my fix to the outputs from 2013; this fix to the generator also
changes the indentation of a label in the output files) and to
generate an alias in udiv.S (Adhemerval's fix from March).
build-many-glibcs.py doesn't have a non-v9 SPARC configuration,
because non-v9 32-bit SPARC didn't build when I set up
build-many-glibcs.py but sparcv9 did build. Whether or not non-v9
32-bit SPARC now builds (or indeed whether or not support for it is
obsolete), I tested by removing the sparcv8 and sparcv9 versions of
the four files in question, so forcing the generated files to be built
and used, and the compilation parts of the glibc testsuite passed.
* sysdeps/sparc/sparc32/Makefile
($(divrem:%=$(sysdep_dir)/sparc/sparc32/%.S)): Do not include
start-of-line whitespace in argument of echo.
* sysdeps/sparc/sparc32/divrem.m4: Avoid generating lines starting
with whitespace. Generate __wrap_.udiv alias.
* sysdeps/sparc/sparc32/rem.S: Regenerated.
* sysdeps/sparc/sparc32/sdiv.S: Likewise.
* sysdeps/sparc/sparc32/udiv.S: Likewise.
* sysdeps/sparc/sparc32/urem.S: Likewise.
This patch makes use of vectors for aligned inputs. Improvements
up to 30% seen for larger aligned inputs.
Reviewed-by: Tulio Magno Quites Machado Filho <tuliom@linux.vnet.ibm.com>
SXID_ERASE is implicit for all environment variables. Avoid
mentioning it in the tunables list; that way only the ones with
SXID_IGNORE remain prominent and mentioned. TODO: we need to audit
each of those cases and drop them to SXID_ERASE wherever possible.