This is another attempt at making pthread_once handle throwing exceptions
from the init routine callback. As the new testcases show, just switching
to the cleanup attribute based cleanup does fix the tst-once5 test, but
breaks the new tst-oncey3 test. That is because when throwing exceptions,
only the unwind-info-registered cleanups (i.e. C++ destructors or the cleanup
attribute) are invoked; when cancelling threads, as long as there is unwind
info from the cancellation point up to whatever needs cleanup, both the
unwind-info-registered cleanups and the THREAD_SETMEM (self, cleanup, ...)
registered cleanups are invoked, but once we hit some frame with no unwind
info, only the THREAD_SETMEM (self, cleanup, ...) registered cleanups are
invoked.
So, to stay fully backwards compatible (allow init routines without
unwind info which encounter cancellation points) and handle exception throwing
we actually need to register the pthread_once cleanups in both unwind info
and in the THREAD_SETMEM (self, cleanup, ...) way.
If an exception is thrown, only the former will happen and we in that case
need to also unregister the THREAD_SETMEM (self, cleanup, ...) registered
handler, because otherwise after catching the exception the user code could
call deeper into the stack some cancellation point, get cancelled and then
a stale cleanup handler would clobber the stack and probably crash.
If a thread calling the init routine is cancelled and unwind info ends before
the pthread_once frame, it will be cleaned up through self->cleanup as
before. And if unwind info is present, unwind_stop first calls the
self->cleanup registered handler for the frame, then it will call the
unwind info registered handler but that will already see __do_it == 0
and do nothing.
The glibc 2.33 release enabled /etc/nsswitch.conf reloading,
and to prevent potential security issues like CVE-2019-14271
the re-loading of nsswitch.conf and all modules was disabled
when the root filesystem changes (see bug 27077).
Unfortunately php-lpfm and openldap both require the ability
to continue to load NSS modules after chroot. The packages
do not exec after the chroot, and so do not cause the
protections to be reset. The only solution is to re-enable
only NSS module loading (not nsswitch.conf reloading) and so
get back the previous glibc behaviour.
In the future we may introduce a way to harden applications
so they do not reload NSS modules once the root filesystem
changes, or that only files/dns are available pre-loaded
(or builtin).
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
In commit 745664bd79 a use-after-free
was fixed, but this led to an occasional double-free. This patch
tracks the "live" allocation better.
Tested manually by a third party.
Related: RHBZ 1927877
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
The following problems were discovered for the tst-timerfd test:
1. Do not set the struct itimerspec's it_interval tv_sec to 2 seconds.
After this change the timerfd will trigger only once (the it_value is
only set in this case).
2. The 'val1' variable (including the call to timerfd_gettime) is not
needed anymore, as it is just enough to read the struct itimerspec
after sleep. As a consequence the 'val2' has been renamed to 'val'.
3. After calling timerfd_gettime, the value of the struct itimerspec,
when the timer is running, is the remaining time. In the case of this test
it would be less than 1 second.
As a result the TEST_COMPARE macro logic had to be adjusted.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
This patch provides a test for utimes. It uses a wrapper to read
access and modification times to compare them with the ones written by
utimes.
Moreover, access and modification times beyond the Y2038 threshold
date (i.e. 32 bit time_t overflow) are also checked.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
This patch provides a test for utime. It uses a wrapper to read access
and modification times to compare them with the ones written by utime.
Moreover, access and modification times beyond the Y2038 threshold
date (i.e. 32 bit time_t overflow) are also checked.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
This patch provides a test for futimens. It uses a wrapper, which
reads the access and modification times to compare them with the ones
written by futimens.
Moreover, access and modification times beyond the Y2038 threshold
date (i.e. 32 bit time_t overflow) are also checked.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
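The three test commits above (utimes, utime and futimens) share one shape: write a timestamp pair with the interface under test, read it back through stat, and repeat with values past the 32-bit time_t limit. The program below is an added example for this page, written independently of glibc's tests; it does all three round trips through one helper. It assumes a 64-bit time_t and a filesystem on /tmp that stores 64-bit timestamps (tmpfs or ext4 with 256-byte inodes do); the threshold constant is 2^31, the first second that a signed 32-bit time_t cannot represent.

```c
#define _GNU_SOURCE
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <time.h>
#include <unistd.h>
#include <utime.h>

/* 2^31 == 2038-01-19 03:14:08 UTC: first second outside a signed 32-bit time_t. */
#define Y2038_THRESHOLD ((time_t)2147483648LL)

enum api { USE_UTIME, USE_UTIMES, USE_FUTIMENS };

/* Set atime/mtime of a fresh temporary file via the chosen interface, read
   them back with fstat (the "wrapper" role in the tests above) and return
   1 if both round-trip exactly, 0 if they differ, -1 on a syscall failure.
   Sub-second fields are always written as zero so the three APIs, which have
   different precisions, can be compared on equal terms. */
int timestamp_round_trip(enum api which, time_t atime, time_t mtime)
{
    if (sizeof(time_t) < 8)
        return -1;                       /* 32-bit time_t cannot hold Y2038+ */

    char path[] = "/tmp/utime-example-XXXXXX";   /* constructed template */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;

    int rc;
    switch (which) {
    case USE_UTIME: {
        struct utimbuf ub = { .actime = atime, .modtime = mtime };
        rc = utime(path, &ub);
        break;
    }
    case USE_UTIMES: {
        struct timeval tv[2] = { { atime, 0 }, { mtime, 0 } };
        rc = utimes(path, tv);
        break;
    }
    default: {
        struct timespec ts[2] = { { atime, 0 }, { mtime, 0 } };
        rc = futimens(fd, ts);
        break;
    }
    }

    struct stat st;
    int ok = (rc == 0 && fstat(fd, &st) == 0);
    close(fd);
    unlink(path);                        /* leave nothing behind */
    if (!ok)
        return -1;

    return st.st_atim.tv_sec == atime && st.st_atim.tv_nsec == 0
        && st.st_mtim.tv_sec == mtime && st.st_mtim.tv_nsec == 0;
}

int main(void)
{
    static const char *names[] = { "utime", "utimes", "futimens" };
    for (int i = 0; i < 3; i++) {
        printf("%-8s pre-2038 round trip:  %d\n", names[i],
               timestamp_round_trip(i, 1000000000, 1000000001));
        printf("%-8s post-2038 round trip: %d\n", names[i],
               timestamp_round_trip(i, Y2038_THRESHOLD + 1, Y2038_THRESHOLD + 2));
    }
    return 0;
}
```

A result of 0 on the post-2038 pair with 1 on the pre-2038 pair points at the filesystem (or a 32-bit interface somewhere in the chain) truncating the timestamp rather than at the libc call; that distinction is why the tests read the values back rather than only checking the return code.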
Do not define these macros if they do nothing in a particular
compilation, otherwise they can easily be used accidentally, while
not actually achieving anything.
Temporarily move the arm _Unwind_Resume implementation to the file
used by libpthread. It will be ported to <unwind-link.h> along with
the rest of nptl.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
This will be used to consolidate the libgcc_s access for backtrace
and pthread_cancel.
Unlike the existing backtrace implementations, it provides some
hardening based on pointer mangling.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
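The "hardening based on pointer mangling" mentioned above refers to the practice of never keeping a raw function pointer in writable memory: the stored value is combined with a per-process secret and only decoded at the call site, so a memory-corruption primitive that overwrites the slot cannot aim it at an address of the attacker's choosing without also knowing the secret. The program below is an added illustration of that idea for this page, written independently; it is not glibc's PTR_MANGLE implementation, the rotation amount and the guard handling are assumptions, and the guard value used in main is a constructed constant where a real runtime would use kernel-supplied randomness.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

#define PTR_BITS   (sizeof(uintptr_t) * 8)
#define ROT_AMOUNT 17                /* assumed constant, not glibc's */

/* Per-process secret.  A real runtime initialises this from a random source
   at startup; here it is set explicitly so the example is deterministic. */
static uintptr_t pointer_guard;

void set_pointer_guard(uintptr_t guard) { pointer_guard = guard; }

static uintptr_t rotl(uintptr_t v, unsigned n)
{
    return (v << n) | (v >> (PTR_BITS - n));
}

static uintptr_t rotr(uintptr_t v, unsigned n)
{
    return (v >> n) | (v << (PTR_BITS - n));
}

/* Mangle: XOR with the secret, then rotate so that the secret cannot be
   recovered from a single known pointer/mangled pair by one XOR. */
uintptr_t ptr_mangle(uintptr_t p)   { return rotl(p ^ pointer_guard, ROT_AMOUNT); }
uintptr_t ptr_demangle(uintptr_t m) { return rotr(m, ROT_AMOUNT) ^ pointer_guard; }

typedef int (*handler_fn)(int);

/* A writable table slot of the kind a runtime keeps for a lazily resolved
   entry point (an unwinder function, a registered callback).  Only the
   mangled form is ever written to it. */
struct slot { uintptr_t mangled; };

void slot_store(struct slot *s, handler_fn fn)
{
    s->mangled = ptr_mangle((uintptr_t)fn);
}

int slot_call(const struct slot *s, int arg)
{
    handler_fn fn = (handler_fn)ptr_demangle(s->mangled);   /* decode at use */
    return fn(arg);
}

/* Does the slot, as currently stored, decode to `target`?  After a raw
   overwrite of the slot with target's address (what a write primitive
   yields without knowledge of the guard) the answer is no. */
int slot_resolves_to(const struct slot *s, handler_fn target)
{
    return ptr_demangle(s->mangled) == (uintptr_t)target;
}

static int double_it(int x)  { return 2 * x; }
static int unintended(int x) { return -x; }   /* a function the slot must not reach */

/* 1 if mangling is reversible and actually changes the representation. */
int demo_roundtrip(uintptr_t guard, uintptr_t p)
{
    set_pointer_guard(guard);
    return ptr_demangle(ptr_mangle(p)) == p && ptr_mangle(p) != p;
}

/* 1 if a stored slot calls through correctly and a raw overwrite with the
   address of `unintended` does not decode to that function. */
int demo_slot(uintptr_t guard)
{
    set_pointer_guard(guard);
    struct slot s;
    slot_store(&s, double_it);
    if (slot_call(&s, 21) != 42)
        return 0;
    s.mangled = (uintptr_t)unintended;          /* simulated corruption */
    return !slot_resolves_to(&s, unintended);
}

int main(void)
{
    uintptr_t guard = (uintptr_t)0x0123456789abcdefULL;   /* constructed */
    printf("round trip ok: %d\n", demo_roundtrip(guard, 0x1000));
    printf("slot survives raw overwrite: %d\n", demo_slot(guard));
    return 0;
}
```

The protection is only as good as the secrecy of the guard: an info leak that discloses it, or a write primitive that can reach the guard itself, defeats the scheme, which is why real implementations keep the guard in thread-control or read-only-after-startup storage.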
An experimental build of GCC 11 with an enhanced -Warray-bounds
reports a bug in IO_wdefault_doallocate where the function forms
an invalid past-the-end pointer to an allocated wchar_t buffer
by failing to consider the scaling by sizeof (wchar_t).
The fix patch below corrects this problem. It keeps the buffer
size the same as opposed to increasing it according to what other
code like it does.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
It turns out the startup code in csu/elf-init.c has a perfect pair of
ROP gadgets (see Marco-Gisbert and Ripoll-Ripoll, "return-to-csu: A
New Method to Bypass 64-bit Linux ASLR"). These functions are not
needed in dynamically-linked binaries because DT_INIT/DT_INIT_ARRAY
are already processed by the dynamic linker. However, the dynamic
linker skipped the main program for some reason. For maximum
backwards compatibility, this is not changed, and instead, the main
map is consulted from __libc_start_main if the init function argument
is a NULL pointer.
For statically linked binaries, the old approach based on linker
symbols is still used because there is nothing else available.
A new symbol version __libc_start_main@@GLIBC_2.34 is introduced because
new binaries running on an old libc would not run their ELF
constructors, leading to difficult-to-debug issues.
Gnulib added the proposed fix with aed23714d60 (done in 2005), but
recently, with a glibc merge with 67306f6 (done in 2020 with sync back),
it fell back to the old semantic of returning -1 in case of failure.
From gnulib developer feedback it was an oversight. Although the full
fix for BZ #14185 would require rewriting the fnmatch implementation to use
mbrtowc instead of mbsrtowcs on the full input, this mitigates the issue
and it has been used by gnulib for a long time.
This patch also removes the alloca usage on the string conversion to
wide characters before calling the internal function.
Checked on x86_64-linux-gnu.
The elision interfaces are closely aligned between the targets that
implement them, so declare them in the generic <lowlevellock.h>
file.
Empty .c stubs are provided, so that fewer makefile updates
under sysdeps are needed. Also simplify initialization via
__libc_early_init.
The symbols __lll_clocklock_elision, __lll_lock_elision,
__lll_trylock_elision, __lll_unlock_elision, __pthread_force_elision
move into libc. For the time being, non-hidden references are used
from libpthread to access them, but once that part of libpthread
is moved into libc, hidden symbols will be used again. (Hidden
references seem desirable to reduce the likelihood of transaction
aborts.)
This moves __futex_abstimed_wait64 and
__futex_abstimed_wait_cancelable64 and exports these functions as
GLIBC_PRIVATE.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
And sort the lines lexicographically. This will make it easier to review
patches which move symbols from libpthread to libc.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
This was likely a mistake in the original aarch64 port copied over
from arm: on aarch64 tpidr_el0 register is always available.
The __read_tp symbol is visible with static linking, but it's not
part of the public ABI so it should be safe to remove.