Commit Graph

1579 Commits

Author SHA1 Message Date
Florian Weimer
a1c12fdf3f _Static_assert needs two arguments for compatibility with GCC before 9
This macro definition enforces two arguments even with newer compilers
that accept the single-argument form, too.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
(cherry picked from commit c9fef4b7d1)
2022-11-29 09:38:22 +01:00
Paul Eggert
86a701a204 regex: copy back from Gnulib
Copy regex-related files back from Gnulib, to fix a problem with
static checking of regex calls noted by Martin Sebor.  This merges the
following changes:

* New macro __attribute_nonnull__ in misc/sys/cdefs.h, for use later
when copying other files back from Gnulib.

* Use __GNULIB_CDEFS instead of __GLIBC__ when deciding
whether to include bits/wordsize.h etc.

* Avoid duplicate entries in epsilon closure table.

* New regex.h macro _REGEX_NELTS to let regexec say that its pmatch
arg should contain nmatch elts.  Use that for regexec, instead of
__attr_access (which is incorrect).

* New regex.h macro _Attr_access_ which is like __attr_access except
portable to non-glibc platforms.

* Add some DEBUG_ASSERTs to pacify gcc -fanalyzer and to catch
recently-fixed performance bugs if they recur.

* Add Gnulib-specific stuff to port the dynarray- and lock-using parts
of regex code to non-glibc platforms.

* Fix glibc bug 11053.

* Avoid some undefined behavior when popping an empty fail stack.

(cherry picked from commit 0b5ca7c3e5)
2022-11-11 16:53:00 +01:00
Florian Weimer
e7c03f4765 resolv: Add DNS packet parsing helpers geared towards wire format
The public parser functions around the ns_rr record type produce
textual domain names, but usually, this is not what we need while
parsing DNS packets within glibc.  This commit adds two new helper
functions, __ns_rr_cursor_init and __ns_rr_cursor_next, for writing
packet parsers, and struct ns_rr_cursor, struct ns_rr_wire as
supporting types.

In theory, it is possible to avoid copying the owner name
into the rname field in __ns_rr_cursor_next, but this would need
more functions that work on compressed names.

Eventually, __res_context_send could be enhanced to preserve the
result of the packet parsing that is necessary for matching the
incoming UDP packets, so that this works does not have to be done
twice.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit 857c890d9b)
2022-09-21 19:36:12 +02:00
Florian Weimer
c288e032ae resolv: Add internal __ns_name_length_uncompressed function
This function is useful for checking that the question name is
uncompressed (as it should be).

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit 78b1a4f0e4)
2022-09-21 19:36:12 +02:00
Florian Weimer
bb8adbba4f resolv: Add the __ns_samebinaryname function
During packet parsing, only the binary name is available.  If the name
equality check is performed before conversion to text, we can sometimes
skip the last step.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit 394085a34d)
2022-09-21 19:36:12 +02:00
Florian Weimer
4d2e67d6e5 resolv: Add internal __res_binary_hnok function
During package parsing, only the binary representation is available,
and it is convenient to check that directly for conformance with host
name requirements.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit c79327bf00)
2022-09-21 19:36:12 +02:00
Raphael Moreira Zinsly
b41c535f46 Apply asm redirections in wchar.h before first use
Similar to d0fa09a770, but for wchar.h.  Fixes [BZ #27087] by applying
all long double related asm redirections before using functions in
bits/wchar2.h.
Moves the function declarations from wcsmbs/bits/wchar2.h to a new file
wcsmbs/bits/wchar2-decl.h that will be included first in wcsmbs/wchar.h.

Tested with build-many-glibcs.py.
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>

(cherry picked from commit c7509d49c4)
2022-08-31 10:29:54 +02:00
Tulio Magno Quites Machado Filho
2a44960cbc Apply asm redirections in stdio.h before first use [BZ #27087]
Compilers may not be able to apply asm redirections to functions after
these functions are used for the first time, e.g. clang 13.
Fix [BZ #27087] by applying all long double-related asm redirections
before using functions in bits/stdio.h.
However, as these asm redirections depend on the declarations provided
by libio/bits/stdio2.h, this header was split in 2:

 - libio/bits/stdio2-decl.h contains all function declarations;
 - libio/bits/stdio2.h remains with the remaining contents, including
   redirections.

This also adds the access attribute to __vsnprintf_chk that was missing.

Tested with build-many-glibcs.py.

Reviewed-by: Paul E. Murphy <murphyp@linux.ibm.com>
(cherry picked from commit d0fa09a770)
2022-08-31 10:29:46 +02:00
Arjun Shankar
ff450cdbde Fix deadlock when pthread_atfork handler calls pthread_atfork or dlclose
In multi-threaded programs, registering via pthread_atfork,
de-registering implicitly via dlclose, or running pthread_atfork
handlers during fork was protected by an internal lock.  This meant
that a pthread_atfork handler attempting to register another handler or
dlclose a dynamically loaded library would lead to a deadlock.

This commit fixes the deadlock in the following way:

During the execution of handlers at fork time, the atfork lock is
released prior to the execution of each handler and taken again upon its
return.  Any handler registrations or de-registrations that occurred
during the execution of the handler are accounted for before proceeding
with further handler execution.

If a handler that hasn't been executed yet gets de-registered by another
handler during fork, it will not be executed.   If a handler gets
registered by another handler during fork, it will not be executed
during that particular fork.

The possibility that handlers may now be registered or deregistered
during handler execution means that identifying the next handler to be
run after a given handler may register/de-register others requires some
bookkeeping.  The fork_handler struct has an additional field, 'id',
which is assigned sequentially during registration.  Thus, handlers are
executed in ascending order of 'id' during 'prepare', and descending
order of 'id' during parent/child handler execution after the fork.

Two tests are included:

* tst-atfork3: Adhemerval Zanella <adhemerval.zanella@linaro.org>
  This test exercises calling dlclose from prepare, parent, and child
  handlers.

* tst-atfork4: This test exercises calling pthread_atfork and dlclose
  from the prepare handler.

[BZ #24595, BZ #27054]

Co-authored-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
(cherry picked from commit 52a103e237)
2022-05-30 12:38:32 +02:00
Fangrui Song
be9240c84c elf: Remove __libc_init_secure
After 73fc4e28b9,
__libc_enable_secure_decided is always 0 and a statically linked
executable may overwrite __libc_enable_secure without considering
AT_SECURE.

The __libc_enable_secure has been correctly initialized in _dl_aux_init,
so just remove __libc_enable_secure_decided and __libc_init_secure.
This allows us to remove some startup_get*id functions from
22b79ed7f4.

Reviewed-by: Florian Weimer <fweimer@redhat.com>
(cherry picked from commit 3e9acce8c5)
2022-05-19 12:13:52 +02:00
Adhemerval Zanella
d1b9bee29a elf: Issue audit la_objopen for vDSO
The vDSO is is listed in the link_map chain, but is never the subject of
an la_objopen call.  A new internal flag __RTLD_VDSO is added that
acts as __RTLD_OPENEXEC to allocate the required 'struct auditstate'
extra space for the 'struct link_map'.

The return value from the callback is currently ignored, since there
is no PLT call involved by glibc when using the vDSO, neither the vDSO
are exported directly.

Checked on x86_64-linux-gnu, i686-linux-gnu, and aarch64-linux-gnu.

Reviewed-by: Florian Weimer <fweimer@redhat.com>
(cherry picked from commit f0e23d34a7)

Resolved conflicts:
	elf/Makefile
2022-04-08 14:18:12 -04:00
Adhemerval Zanella
29496b3103 elf: Avoid unnecessary slowdown from profiling with audit (BZ#15533)
The rtld-audit interfaces introduces a slowdown due to enabling
profiling instrumentation (as if LD_AUDIT implied LD_PROFILE).
However, instrumenting is only necessary if one of audit libraries
provides PLT callbacks (la_pltenter or la_pltexit symbols).  Otherwise,
the slowdown can be avoided.

The following patch adjusts the logic that enables profiling to iterate
over all audit modules and check if any of those provides a PLT hook.
To keep la_symbind to work even without PLT callbacks, _dl_fixup now
calls the audit callback if the modules implements it.

Co-authored-by: Alexander Monakov <amonakov@ispras.ru>

Checked on x86_64-linux-gnu, i686-linux-gnu, and aarch64-linux-gnu.

Reviewed-by: Florian Weimer <fweimer@redhat.com>
(cherry picked from commit 063f9ba220)

Resolved conflicts:
	NEWS
	elf/Makefile
2022-04-08 14:18:12 -04:00
Siddhesh Poyarekar
d6a58bd81d Enable _FORTIFY_SOURCE=3 for gcc 12 and above
gcc 12 now has support for the __builtin_dynamic_object_size builtin.
Adapt the macro checks to enable _FORTIFY_SOURCE=3 on gcc 12 and above.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
(cherry picked from commit 86bf0feb0e)
2022-03-11 20:36:24 +05:30
Adhemerval Zanella
489d0b8b32 Linux: Only generate 64 bit timestamps for 64 bit time_t recvmsg/recvmmsg
The timestamps created by __convert_scm_timestamps only make sense for
64 bit time_t programs, 32 bit time_t programs will ignore 64 bit time_t
timestamps since SO_TIMESTAMP will be defined to old values (either by
glibc or kernel headers).

Worse, if the buffer is not suffice MSG_CTRUNC is set to indicate it
(which breaks some programs [1]).

This patch makes only 64 bit time_t recvmsg and recvmmsg to call
__convert_scm_timestamps.  Also, the assumption to called it is changed
from __ASSUME_TIME64_SYSCALLS to __TIMESIZE != 64 since the setsockopt
might be called by libraries built without __TIME_BITS=64.  The
MSG_CTRUNC is only set for the 64 bit symbols, it should happen only
if 64 bit time_t programs run older kernels.

Checked on x86_64-linux-gnu and i686-linux-gnu.

[1] https://github.com/systemd/systemd/pull/20567

Reviewed-by: Florian Weimer <fweimer@redhat.com>

(cherry picked from commit 948ce73b31)
2022-02-01 15:52:41 -03:00
Florian Weimer
5575daae50 socket: Add the __sockaddr_un_set function
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit e368b12f6c)
2022-01-17 11:44:41 +01:00
H.J. Lu
f42373f911 ld.so: Replace DL_RO_DYN_SECTION with dl_relocate_ld [BZ #28340]
We can't relocate entries in dynamic section if it is readonly:

1. Add a l_ld_readonly field to struct link_map to indicate if dynamic
section is readonly and set it based on p_flags of PT_DYNAMIC segment.
2. Replace DL_RO_DYN_SECTION with dl_relocate_ld to decide if dynamic
section should be relocated.
3. Remove DL_RO_DYN_TEMP_CNT.
4. Don't use a static dynamic section to make readonly dynamic section
in vDSO writable.
5. Remove the temp argument from elf_get_dynamic_info.

This fixes BZ #28340.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit b413280cfb)
2021-11-03 07:50:30 +01:00
Adhemerval Zanella
e870aac897 misc: Add __get_nprocs_sched
This is an internal function meant to return the number of avaliable
processor where the process can scheduled, different than the
__get_nprocs which returns a the system available online CPU.

The Linux implementation currently only calls __get_nprocs(), which
in tuns calls sched_getaffinity.

Reviewed-by: Florian Weimer <fweimer@redhat.com>
(cherry picked from commit 11a02b035b)
2021-10-01 18:19:09 +02:00
Carlos O'Donell
cdf4cd5e60 Prepare for glibc 2.34 release.
Update version.h, and include/features.h.
2021-08-01 21:24:04 -04:00
Siddhesh Poyarekar
b8e8bb324a xmalloc: Fix warnings with gcc analyzer
Tell the compiler that xmalloc family of allocators always return
non-NULL.  xrealloc in locale/programs also always returns non-NULL,
but that conflicts with default realloc behaviour and that of xrealloc
in libsupport, so keep it as is for now and resolve the differences
later.

Reviewed-by: Florian Weimer <fweimer@redhat.com>
2021-07-28 17:45:14 +05:30
Siddhesh Poyarekar
cc35896ea3 Simplify __malloc_initialized
Now that mcheck no longer needs to check __malloc_initialized (and no
other third party hook can since the symbol is not exported), make the
variable boolean and static so that it is used strictly within malloc.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-07-22 18:38:04 +05:30
Siddhesh Poyarekar
c142eb253f mcheck: Wean away from malloc hooks [BZ #23489]
Split the mcheck implementation into the debugging hooks and API so
that the API can be replicated in libc and libc_malloc_debug.so.  The
libc APIs always result in failure.

The mcheck implementation has also been moved entirely into
libc_malloc_debug.so and with it, all of the hook initialization code
can now be moved into the debug library.  Now the initialization can
be done independently of libc internals.

With this patch, libc_malloc_debug.so can no longer be used with older
libcs, which is not its goal anyway.  tst-vfork3 breaks due to this
since it spawns shell scripts, which in turn execute using the system
glibc.  Move the test to tests-container so that only the built glibc
is used.

This move also fixes bugs in the mcheck version of memalign and
realloc, thus allowing removal of the tests from tests-mcheck
exclusion list.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-07-22 18:38:02 +05:30
Siddhesh Poyarekar
55a4dd3930 Remove __morecore and __default_morecore
Make the __morecore and __default_morecore symbols compat-only and
remove their declarations from the API.  Also, include morecore.c
directly into malloc.c; this should ideally get merged into malloc in
a future cleanup.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-07-22 18:37:57 +05:30
Florian Weimer
ee5ed99922 nss: Directly load nss_dns, without going through dlsym/dlopen
This partially fixes static-only NSS support (bug 27959): The dns
module no longer needs dlopen.  Support for disabling dlopen altogher
remains to be added.

This commit introduces module_load_builtin into nss/nss_module.c, which
handles the common parts of loading the built-in nss_files and nss_dns
modules.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-07-19 07:56:57 +02:00
Florian Weimer
e1fcf21474 resolv: Move nss_dns into libc
No abilist updates are needed because the symbols were GLIBC_PRIVATE.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-07-19 07:56:57 +02:00
Florian Weimer
7131727c6b resolv: Move res_queriesmatch to its own file and into libc
And reformat it to GNU style.

The treatment of this function matches res_nameinquery, for the
reasons stated there.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-07-19 07:56:21 +02:00
Florian Weimer
72a51ac647 resolv: Move res_nameinquery to its own file and into libc
And reformat to GNU style.

This deprecated function is used in the implementation of the stub
resolver (for now).  Keep the public symbol in libresolv for now
(so that no new symbol version is needed), and add a forwarder to
libresolv.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-07-19 07:56:21 +02:00
Florian Weimer
762a2b2d34 resolv: Move ns_samename into its own file, and into libc
But only as an internal symbol, __libc_ns_samename.  The libresolv
ABI is preserved.  This is because the function is deprecated, and
it does not make sense to add new symbol versions for deprecated
functions.

Also reformat the implementation to GNU style.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-07-19 07:56:21 +02:00
Florian Weimer
08d4a98070 resolv: Move ns_makecanon into its own file, and into libc
But only as an internal symbol, __libc_ns_makecanon.  The libresolv
ABI is preserved.  This is because the function is deprecated, and
it does not make sense to add new symbol versions for deprecated
functions.

Also reformat the implementation to GNU style.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-07-19 07:56:21 +02:00
Florian Weimer
17d0407a5c resolv: Move res_isourserver to its own file and reformat to GNU style
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-07-19 07:56:21 +02:00
Florian Weimer
2fbe5860d3 resolv: Rename res_comp.c to res-name-checking.c and move into libc
This reflects what the remaining functions in the file do.

The __res_dnok, __res_hnok, __res_mailok, __res_ownok were moved
with the script, using --no-new-version, and turned into compat
symbols.  __libc_res_dnok@@GLIBC_PRIVATE and
__libc_res_hnok@@GLIBC_PRIVATE are added for internal use, to avoid
accidentally binding to compatibility symbols.  The new public
symbols res_dnok, res_hnok, res_mailok, res_ownok were added using
make update-all-abi.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-07-19 07:56:21 +02:00
Florian Weimer
391e02236b resolv: Move dn_skipname to its own file and into libc
And reformat it to GNU style.

dn_skipname is used outside glibc, so do not deprecate it,
and export it as dn_skipname (not __dn_skipname).  Due to internal
users, provide a __libc_dn_skipname alias, and keep __dn_skipname
as a pure compatibility symbol.

__dn_skipname@GLIBC_2.0 was moved using the script, and
dn_skipname@@GLIBC_2.34 was added using make update-all-abi.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-07-19 07:56:21 +02:00
Florian Weimer
fd8a87c0c1 resolv: Move dn_comp to its own file and into libc
And reformat it to GNU style.

dn_comp is used in various programs, so keep it as a non-deprecated
symbol.  Switch to dn_comp (not __dn_comp) for the ABI name.  There
are no internal users, so interposition is not a problem.

The __dn_comp symbol was moved with scripts/move-symbol-to-libc.py
--no-new-version.  dn_comp@@GLIBC_2.34 was added with
make update-all-abi.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-07-19 07:56:21 +02:00
Florian Weimer
640bbdf71c resolv: Move dn_expand to its own file and into libc
And reformat to GNU style.

This switches back to the dn_expand name for the ABI symbol and turns
__dn_expand into a compatibility symbol.  With the improved namespace
management in current glibc, it is no longer necessary to use a
private namespace symbol.  To avoid old code binding to a
GLIBC_PRIVATE symbol by accident, use __libc_dn_expand for the
internal symbol name.

The symbols dn_expand, __dnexpand were moved using
scripts/move-symbol-to-libc.py, followed by an adjustment to make
dn_expand the only GLIBC_2.34 symbol.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-07-19 07:56:21 +02:00
Florian Weimer
13e1f86706 resolv: Move ns_name_compress into its own file and into libc
And reformat to GNU style.

The symbol was moved using scripts/move-symbol-to-libc.py.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-07-19 07:56:21 +02:00
Florian Weimer
7ed1ac6da3 resolv: Move ns_name_pack into its own file and into libc
And reformat to GNU style, and eliminate the labellen function.

The symbol was moved using scripts/move-symbol-to-libc.py.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-07-19 07:56:21 +02:00
Florian Weimer
276e9822b3 resolv: Move ns_name_pton into its own file and into libc
And reformat to GNU style, and eliminate the digits variable.

The symbol was moved using scripts/move-symbol-to-libc.py.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-07-19 07:56:21 +02:00
Florian Weimer
4e1d3db1e8 resolv: Move ns_name_uncompress into its own file and into libc
And reformat to GNU style.  Check for negative error returns
(instead of -1).

The symbol was moved using scripts/move-symbol-to-libc.py.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-07-19 07:56:21 +02:00
Florian Weimer
cff2c78c51 resolv: Move ns_name_skip to its own file and into libc (bug 28091)
And reformat to GNU style.  Avoid out-of-bounds pointer arithmetic.
This also results in a fix of bug 28091 due to the additional packet
length checks.

The symbol was moved using scripts/move-symbol-to-libc.py.

Reviewed-by: Carlos O'Donell <carlos@systemhalted.org>
2021-07-19 07:56:13 +02:00
Florian Weimer
820bb23ff0 resolv: Move ns_name_unpack to its own file and into libc
Reformat to GNU style. Avoid out-of-bounds buffer arithmetic.
Eliminate the labellen function.

The symbol was moved using scripts/move-symbol-to-libc.py.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-07-15 09:00:27 +02:00
Florian Weimer
adcc572a29 resolv: Move ns_name_ntop to its own file and into libc
Reformat to GNU style.  Avoid out-of-bounds pointer arithmetic
(e.g., use eom - dn < 2 instead of dn + 1 >= eom).  Inline the
labellen function and fold the compression pointer check into
the length check (l >= 64).  Assume ASCII encoding.

The symbol was moved using scripts/move-symbol-to-libc.py.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-07-15 08:39:31 +02:00
Florian Weimer
b8f889064d socket: Add hidden prototype for setsockopt
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-07-15 08:35:45 +02:00
H.J. Lu
d8ea0d0168 Add an internal wrapper for clone, clone2 and clone3
The clone3 system call (since Linux 5.3) provides a superset of the
functionality of clone and clone2.  It also provides a number of API
improvements, including the ability to specify the size of the child's
stack area which can be used by kernel to compute the shadow stack size
when allocating the shadow stack.  Add:

extern int __clone_internal (struct clone_args *__cl_args,
			     int (*__func) (void *__arg), void *__arg);

to provide an abstract interface for clone, clone2 and clone3.

1. Simplify stack management for thread creation by passing both stack
base and size to create_thread.
2. Consolidate clone vs clone2 differences into a single file.
3. Call __clone3 if HAVE_CLONE3_WAPPER is defined.  If __clone3 returns
-1 with ENOSYS, fall back to clone or clone2.
4. Use only __clone_internal to clone a thread.  Since the stack size
argument for create_thread is now unconditional, always pass stack size
to create_thread.
5. Enable the public clone3 wrapper in the future after it has been
added to all targets.

NB: Sandbox will return ENOSYS on clone3 in both Chromium:

The following revision refers to this bug:
  218438259d

commit 218438259dd795456f0a48f67cbe5b4e520db88b
Author: Matthew Denton <mpdenton@chromium.org>
Date: Thu Jun 03 20:06:13 2021

Linux sandbox: return ENOSYS for clone3

Because clone3 uses a pointer argument rather than a flags argument, we
cannot examine the contents with seccomp, which is essential to
preventing sandboxed processes from starting other processes. So, we
won't be able to support clone3 in Chromium. This CL modifies the
BPF policy to return ENOSYS for clone3 so glibc always uses the fallback
to clone.

Bug: 1213452
Change-Id: I7c7c585a319e0264eac5b1ebee1a45be2d782303
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2936184
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Matthew Denton <mpdenton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#888980}

[modify] https://crrev.com/218438259dd795456f0a48f67cbe5b4e520db88b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc

and Firefox:

https://hg.mozilla.org/integration/autoland/rev/ecb4011a0c76

Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-07-14 06:33:58 -07:00
Florian Weimer
aaacde11f2 Reduce <limits.h> pollution due to dynamic PTHREAD_STACK_MIN
<limits.h> used to be a header file with no declarations.
GCC's libgomp includes it in a #pragma GCC visibility hidden block.
Including <unistd.h> from <limits.h> (indirectly) declares everything
in <unistd.h> with hidden visibility, resulting in linker failures.

This commit avoids C declarations in assembler mode and only declares
__sysconf in <limits.h> (and not the entire contents of <unistd.h>).
The __sysconf symbol is already part of the ABI.  PTHREAD_STACK_MIN
is no longer defined for __USE_DYNAMIC_STACK_SIZE && __ASSEMBLER__
because there is no possible definition.

Additionally, PTHREAD_STACK_MIN is now defined by <pthread.h> for
__USE_MISC because this is what developers expect based on the macro
name.  It also helps to avoid libgomp linker failures in GCC because
libgomp includes <pthread.h> before its visibility hacks.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2021-07-12 18:43:32 +02:00
H.J. Lu
5d98a7dae9 Define PTHREAD_STACK_MIN to sysconf(_SC_THREAD_STACK_MIN)
The constant PTHREAD_STACK_MIN may be too small for some processors.
Rename _SC_SIGSTKSZ_SOURCE to _DYNAMIC_STACK_SIZE_SOURCE.  When
_DYNAMIC_STACK_SIZE_SOURCE or _GNU_SOURCE are defined, define
PTHREAD_STACK_MIN to sysconf(_SC_THREAD_STACK_MIN) which is changed
to MIN (PTHREAD_STACK_MIN, sysconf(_SC_MINSIGSTKSZ)).

Consolidate <bits/local_lim.h> with <bits/pthread_stack_min.h> to
provide a constant target specific PTHREAD_STACK_MIN value.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2021-07-09 15:10:35 -07:00
Florian Weimer
7c241325d6 Force building with -fno-common
As a result, is not necessary to specify __attribute__ ((nocommon))
on individual definitions.

GCC 10 defaults to -fno-common on all architectures except ARC,
but this change is compatible with older GCC versions and ARC, too.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2021-07-09 20:09:14 +02:00
Adhemerval Zanella
882d6e17bc posix: Add posix_spawn_file_actions_addclosefrom_np
This patch adds a way to close a range of file descriptors on
posix_spawn as a new file action.  The API is similar to the one
provided by Solaris 11 [1], where the file action causes the all open
file descriptors greater than or equal to input on to be closed when
the new process is spawned.

The function posix_spawn_file_actions_addclosefrom_np is safe to be
implemented by iterating over /proc/self/fd, since the Linux spawni.c
helper process does not use CLONE_FILES, so its has own file descriptor
table and any failure (in /proc operation) aborts the process creation
and returns an error to the caller.

I am aware that this file action might be redundant to the current
approach of POSIX in promoting O_CLOEXEC in more interfaces. However
O_CLOEXEC is still not the default and for some specific usages, the
caller needs to close all possible file descriptors to avoid them
leaking.  Some examples are CPython (discussed in BZ#10353) and OpenJDK
jspawnhelper [2] (where OpenJDK spawns a helper process to exactly
closes all file descriptors).  Most likely any environment which calls
functions that might open file descriptor under the hood and aim to use
posix_spawn might face the same requirement.

Checked on x86_64-linux-gnu and i686-linux-gnu on kernel 5.11 and 4.15.

[1] https://docs.oracle.com/cd/E36784_01/html/E36874/posix-spawn-file-actions-addclosefrom-np-3c.html
[2] https://github.com/openjdk/jdk/blob/master/src/java.base/unix/native/libjava/childproc.c#L82
2021-07-08 14:08:15 -03:00
Adhemerval Zanella
607449506f io: Add closefrom [BZ #10353]
The function closes all open file descriptors greater than or equal to
input argument.  Negative values are clamped to 0, i.e, it will close
all file descriptors.

As indicated by the bug report, this is a common symbol provided by
different systems (Solaris, OpenBSD, NetBSD, FreeBSD) and, although
its has inherent issues with not taking in consideration internal libc
file descriptors (such as syslog), this is also a common feature used
in multiple projects [1][2][3][4][5].

The Linux fallback implementation iterates over /proc and close all
file descriptors sequentially.  Although it was raised the questioning
whether getdents on /proc/self/fd might return disjointed entries
when file descriptor are closed; it does not seems the case on my
testing on multiple kernel (v4.18, v5.4, v5.9) and the same strategy
is used on different projects [1][2][3][5].

Also, the interface is set a fail-safe meaning that a failure in the
fallback results in a process abort.

Checked on x86_64-linux-gnu and i686-linux-gnu on kernel 5.11 and 4.15.

[1] 5238e95759/src/basic/fd-util.c (L217)
[2] ddf4b77e11/src/lxc/start.c (L236)
[3] 9e4f2f3a6b/Modules/_posixsubprocess.c (L220)
[4] 5f47c0613e/src/libstd/sys/unix/process2.rs (L303-L308)
[5] https://github.com/openjdk/jdk/blob/master/src/java.base/unix/native/libjava/childproc.c#L82
2021-07-08 14:08:14 -03:00
Adhemerval Zanella
286286283e linux: Add close_range
It was added on Linux 5.9 (278a5fbaed89) with CLOSE_RANGE_CLOEXEC
added on 5.11 (582f1fb6b721f).  Although FreeBSD has added the same
syscall, this only adds the symbol on Linux ports.  This syscall is
required to provided a fail-safe way to implement the closefrom
symbol (BZ #10353).

Checked on x86_64-linux-gnu and i686-linux-gnu on kernel 5.11 and 4.15.
2021-07-08 14:08:13 -03:00
Florian Weimer
f9c8b11ed7 nss: Access nss_files through direct references
This partially fixes static-only NSS support (bug 27959): The files
module no longer needs dlopen.  Support for the dns module remains
to be added, and also support for disabling dlopen altogether.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2021-07-07 18:33:52 +02:00
Florian Weimer
6212bb67f4 nss_files: Move into libc
This is the first step towards fixing bug 27959.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2021-07-07 18:33:52 +02:00