Commit Graph

33892 Commits

Author SHA1 Message Date
DJ Delorie
b8dd0f4278 malloc: tcache double free check
* malloc/malloc.c (tcache_entry): Add key field.
(tcache_put): Set it.
(tcache_get): Likewise.
(_int_free): Check for double free in tcache.
* malloc/tst-tcfree1.c: New.
* malloc/tst-tcfree2.c: New.
* malloc/Makefile: Run the new tests.
* manual/probes.texi: Document memory_tcache_double_free probe.

* dlfcn/dlerror.c (check_free): Prevent double frees.

(cherry picked from commit bcdaad21d4)

malloc: tcache: Validate tc_idx before checking for double-frees [BZ #23907]

The previous check could read beyond the end of the tcache entry
array.  If the e->key == tcache cookie check happened to pass, this
would result in crashes.

(cherry picked from commit affec03b71)
2018-11-28 15:45:42 -05:00
Florian Weimer
ce6ba630db CVE-2018-19591: if_nametoindex: Fix descriptor for overlong name [BZ #23927]
(cherry picked from commit d527c860f5)
2018-11-27 18:40:56 +01:00
Florian Weimer
f5cc21eaee Revert "malloc: tcache double free check" [BZ #23907]
This reverts commit 481a6cf0c2, the
backport of commit bcdaad21d4 on the
master branch.
2018-11-22 22:05:57 +01:00
DJ Delorie
481a6cf0c2 malloc: tcache double free check
* malloc/malloc.c (tcache_entry): Add key field.
(tcache_put): Set it.
(tcache_get): Likewise.
(_int_free): Check for double free in tcache.
* malloc/tst-tcfree1.c: New.
* malloc/tst-tcfree2.c: New.
* malloc/Makefile: Run the new tests.
* manual/probes.texi: Document memory_tcache_double_free probe.

* dlfcn/dlerror.c (check_free): Prevent double frees.
2018-11-20 14:01:18 -05:00
Florian Weimer
2c7078bfb9 support: Print timestamps in timeout handler
This is sometimes useful to determine if a test truly got stuck, or if
it was making progress (logging information to standard output) and
was merely slow to finish.

(cherry picked from commit 35e3fbc451)
2018-11-19 15:42:03 +01:00
Szabolcs Nagy
10f1519f6a Increase timeout of libio/tst-readline
Increase timeout from the default 20s to 100s. This test makes close to
20 million syscalls with distribution:

12327675 read
 4143204 lseek
  929475 close
  929471 openat
   92817 fstat
    1431 write
...

The default timeout assumes each can finish in 1us on average which
is not true on slow machines.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>

	* libio/tst-readline.c (TIMEOUT): Define.

(cherry picked from commit ed643089cd)
2018-11-19 14:21:24 +01:00
Joseph Myers
f44c2ca5ea Update kernel version in syscall-names.list to 4.19.
Linux 4.19 does not add any new syscalls (some existing ones are added
to more architectures); this patch updates the version number in
syscall-names.list to reflect that it's still current for 4.19.

Tested with build-many-glibcs.py.

	* sysdeps/unix/sysv/linux/syscall-names.list: Update kernel
	version to 4.19.

(cherry picked from commit 029ad711b8)
2018-11-09 10:17:19 -05:00
Paul Eggert
e7388e5134 Fix tzfile low-memory assertion failure
[BZ #21716]
* time/tzfile.c (__tzfile_read): Check for memory exhaustion
when registering time zone abbreviations.

(cherry picked from commit e4e4fde51a)
2018-11-09 10:17:13 -05:00
Paul Pluzhnikov
9071be6b3f [BZ #20271] Add newlines in __libc_fatal calls.
(cherry picked from commit a6e8926f8d)
2018-11-09 10:17:07 -05:00
Florian Weimer
7d174f5353 nscd: Fix use-after-free in addgetnetgrentX [BZ #23520]
addinnetgrX may use the heap-allocated buffer, so free the buffer
in this function.

(cherry picked from commit 745664bd79)
2018-11-09 10:17:00 -05:00
Istvan Kurucsai
53a7e59405 malloc: Additional checks for unsorted bin integrity I.
On Thu, Jan 11, 2018 at 3:50 PM, Florian Weimer <fweimer@redhat.com> wrote:
> On 11/07/2017 04:27 PM, Istvan Kurucsai wrote:
>>
>> +          next = chunk_at_offset (victim, size);
>
>
> For new code, we prefer declarations with initializers.

Noted.

>> +          if (__glibc_unlikely (chunksize_nomask (victim) <= 2 * SIZE_SZ)
>> +              || __glibc_unlikely (chunksize_nomask (victim) >
>> av->system_mem))
>> +            malloc_printerr("malloc(): invalid size (unsorted)");
>> +          if (__glibc_unlikely (chunksize_nomask (next) < 2 * SIZE_SZ)
>> +              || __glibc_unlikely (chunksize_nomask (next) >
>> av->system_mem))
>> +            malloc_printerr("malloc(): invalid next size (unsorted)");
>> +          if (__glibc_unlikely ((prev_size (next) & ~(SIZE_BITS)) !=
>> size))
>> +            malloc_printerr("malloc(): mismatching next->prev_size
>> (unsorted)");
>
>
> I think this check is redundant because prev_size (next) and chunksize
> (victim) are loaded from the same memory location.

I'm fairly certain that it compares mchunk_size of victim against
mchunk_prev_size of the next chunk, i.e. the size of victim in its
header and footer.

>> +          if (__glibc_unlikely (bck->fd != victim)
>> +              || __glibc_unlikely (victim->fd != unsorted_chunks (av)))
>> +            malloc_printerr("malloc(): unsorted double linked list
>> corrupted");
>> +          if (__glibc_unlikely (prev_inuse(next)))
>> +            malloc_printerr("malloc(): invalid next->prev_inuse
>> (unsorted)");
>
>
> There's a missing space after malloc_printerr.

Noted.

> Why do you keep using chunksize_nomask?  We never investigated why the
> original code uses it.  It may have been an accident.

You are right, I don't think it makes a difference in these checks. So
the size local can be reused for the checks against victim. For next,
leaving it as such avoids the masking operation.

> Again, for non-main arenas, the checks against av->system_mem could be made
> tighter (against the heap size).  Maybe you could put the condition into a
> separate inline function?

We could also do a chunk boundary check similar to what I proposed in
the thread for the first patch in the series to be even more strict.
I'll gladly try to implement either but believe that refining these
checks would bring less benefits than in the case of the top chunk.
Intra-arena or intra-heap overlaps would still be doable here with
unsorted chunks and I don't see any way to counter that besides more
generic measures like randomizing allocations and your metadata
encoding patches.

I've attached a revised version with the above comments incorporated
but without the refined checks.

Thanks,
Istvan

From a12d5d40fd7aed5fa10fc444dcb819947b72b315 Mon Sep 17 00:00:00 2001
From: Istvan Kurucsai <pistukem@gmail.com>
Date: Tue, 16 Jan 2018 14:48:16 +0100
Subject: [PATCH v2 1/1] malloc: Additional checks for unsorted bin integrity
 I.

Ensure the following properties of chunks encountered during binning:
- victim chunk has reasonable size
- next chunk has reasonable size
- next->prev_size == victim->size
- valid double linked list
- PREV_INUSE of next chunk is unset

    * malloc/malloc.c (_int_malloc): Additional binning code checks.

(cherry picked from commit b90ddd08f6)
2018-11-09 10:16:51 -05:00
Moritz Eckert
7e40c3f804 malloc: Mitigate null-byte overflow attacks
* malloc/malloc.c (_int_free): Check for corrupt prev_size vs size.
(malloc_consolidate): Likewise.

(cherry picked from commit d6db68e66d)
2018-11-09 10:16:43 -05:00
Pochang Chen
510a25f2d2 malloc: Verify size of top chunk.
The House of Force is a well-known technique to exploit heap
overflow. In essence, this exploit takes three steps:
1. Overwrite the size of top chunk with very large value (e.g. -1).
2. Request x bytes from top chunk. As the size of top chunk
   is corrupted, x can be arbitrarily large and top chunk will
   still be offset by x.
3. The next allocation from top chunk will thus be controllable.

If we verify the size of top chunk at step 2, we can stop such attack.

(cherry picked from commit 30a17d8c95)
2018-11-09 10:16:35 -05:00
Joseph Myers
168035056e Update syscall-names.list for Linux 4.18.
This patch updates sysdeps/unix/sysv/linux/syscall-names.list for
Linux 4.18.  The io_pgetevents and rseq syscalls are added to the
kernel on various architectures, so need to be mentioned in this file.

Tested with build-many-glibcs.py.

	* sysdeps/unix/sysv/linux/syscall-names.list: Update kernel
	version to 4.18.
	(io_pgetevents): New syscall.
	(rseq): Likewise.

(cherry picked from commit 17b26500f9)
2018-11-09 10:16:19 -05:00
Alexandra Hájková
b21abc069f Add an additional test to resolv/tst-resolv-network.c
Test for the infinite loop in getnetbyname, bug #17630.

(cherry picked from commit ac8060265b)
2018-11-09 14:38:21 +01:00
H.J. Lu
3e8d8dd5af Check multiple NT_GNU_PROPERTY_TYPE_0 notes [BZ #23509]
Linkers group input note sections with the same name into one output
note section with the same name.  One output note section is placed in
one PT_NOTE segment.  Since new linkers merge input .note.gnu.property
sections into one output .note.gnu.property section, there is only
one NT_GNU_PROPERTY_TYPE_0 note in one PT_NOTE segment with new linkers.
Since older linkers treat input .note.gnu.property section as a generic
note section and just concatenate all input .note.gnu.property sections
into one output .note.gnu.property section without merging them, we may
see multiple NT_GNU_PROPERTY_TYPE_0 notes in one PT_NOTE segment with
older linkers.

When an older linker is used to created the program on CET-enabled OS,
the linker output has a single .note.gnu.property section with multiple
NT_GNU_PROPERTY_TYPE_0 notes, some of which have IBT and SHSTK enable
bits set even if the program isn't CET enabled.  Such programs will
crash on CET-enabled machines.  This patch updates the note parser:

1. Skip note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
2. Check multiple NT_GNU_PROPERTY_TYPE_0 notes.

	[BZ #23509]
	* sysdeps/x86/dl-prop.h (_dl_process_cet_property_note): Skip
	note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
	Update the l_cet field when processing NT_GNU_PROPERTY_TYPE_0 note.
	Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
	* sysdeps/x86/link_map.h (l_cet): Expand to 3 bits,  Add
	lc_unknown.

(cherry picked from commit d524fa6c35)
2018-11-08 10:52:32 -08:00
Andreas Schwab
fc0e3393ff libanl: properly cleanup if first helper thread creation failed (bug 22927)
(cherry picked from commit bd3b0fbae3)
2018-11-06 16:12:07 +01:00
Adhemerval Zanella
65010329f2 x86: Fix Haswell CPU string flags (BZ#23709)
Th commit 'Disable TSX on some Haswell processors.' (2702856bf4) changed the
default flags for Haswell models.  Previously, new models were handled by the
default switch path, which assumed a Core i3/i5/i7 if AVX is available. After
the patch, Haswell models (0x3f, 0x3c, 0x45, 0x46) do not set the flags
Fast_Rep_String, Fast_Unaligned_Load, Fast_Unaligned_Copy, and
Prefer_PMINUB_for_stringop (only the TSX one).

This patch fixes it by disentangle the TSX flag handling from the memory
optimization ones.  The strstr case cited on patch now selects the
__strstr_sse2_unaligned as expected for the Haswell cpu.

Checked on x86_64-linux-gnu.

	[BZ #23709]
	* sysdeps/x86/cpu-features.c (init_cpu_features): Set TSX bits
	independently of other flags.

(cherry picked from commit c3d8dc45c9)
2018-11-02 10:56:00 +01:00
Florian Weimer
e1af1df694 stdlib/tst-strtod-overflow: Switch to support_blob_repeat
This is another test with an avoidable large memory allocation.

(cherry picked from commit 07da99aad9)
2018-11-02 10:47:16 +01:00
Florian Weimer
6c2b6e9e27 support_blob_repeat: Call mkstemp directory for the backing file
This avoids a warning during post-test cleanup.

(cherry picked from commit a91e9301c4)
2018-11-02 10:47:16 +01:00
Florian Weimer
69dcd992a0 stdlib/test-bz22786: Avoid memory leaks in the test itself
(cherry picked from commit 6070803053)
2018-11-02 10:47:16 +01:00
Florian Weimer
dcd52b94bf stdlib/test-bz22786: Avoid spurious test failures using alias mappings
On systems without enough random-access memory, stdlib/test-bz22786
will go deeply into swap and time out, even with a substantial
TIMEOUTFACTOR.  This commit adds a facility to construct repeating
strings with alias mappings, so that the requirement for physical
memory, and uses it in stdlib/test-bz22786.

(cherry picked from commit f5e7e95921)
2018-11-02 10:47:16 +01:00
Stefan Liebler
d0b6db4acf Test stdlib/test-bz22786 exits now with unsupported if malloc fails.
The test tries to allocate more than 2^31 bytes which will always fail on s390
as it has maximum 2^31bit of memory.
Before commit 6c3a8a9d86, this test returned
unsupported if malloc fails.  This patch re enables this behaviour.

Furthermore support_delete_temp_files() failed to remove the temp directory
in this case as it is not empty due to the created symlink.
Thus the creation of the symlink is moved behind malloc.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>

ChangeLog:

	* stdlib/test-bz22786.c (do_test): Return EXIT_UNSUPPORTED
	if malloc fails.

(cherry picked from commit 3bad2358d6)
2018-11-02 10:47:16 +01:00
Paul Pluzhnikov
df11de9193 Fix BZ#23400 (creating temporary files in source tree), and undefined behavior in test.
(cherry picked from commit 6c3a8a9d86)
2018-11-02 10:47:07 +01:00
Szabolcs Nagy
5256ffc51e i64: fix missing exp2f, log2f and powf symbols in libm.a [BZ #23822]
When new symbol versions were introduced without SVID compatible
error handling the exp2f, log2f and powf symbols were accidentally
removed from the ia64 lim.a.  The regression was introduced by
the commits

f5f0f52651
New expf and exp2f version without SVID compat wrapper

72d3d28108
New symbol version for logf, log2f and powf without SVID compat

With WEAK_LIBM_ENTRY(foo), there is a hidden __foo and weak foo
symbol definition in both SHARED and !SHARED build.

	[BZ #23822]
	* sysdeps/ia64/fpu/e_exp2f.S (exp2f): Use WEAK_LIBM_ENTRY.
	* sysdeps/ia64/fpu/e_log2f.S (log2f): Likewise.
	* sysdeps/ia64/fpu/e_exp2f.S (powf): Likewise.

(cherry picked from commit ba5b14c761)
2018-10-26 15:49:30 +01:00
Florian Weimer
aff9b37712 conform: XFAIL siginfo_t si_band test on sparc64
We can use long int on sparcv9, but on sparc64, we must match the int
type used by the kernel (and not long int, as in POSIX).

(cherry picked from commit 7c5e34d7f1)
2018-10-26 09:19:40 +02:00
Ilya Yu. Malakhov
69d1e73d99 signal: Use correct type for si_band in siginfo_t [BZ #23562]
(cherry picked from commit f997b4be18)
2018-10-22 13:03:57 +02:00
Stefan Liebler
314e181dc9 Fix race in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP [BZ #23275]
The race leads either to pthread_mutex_destroy returning EBUSY
or triggering an assertion (See description in bugzilla).

This patch is fixing the race by ensuring that the elision path is
used in all cases if elision is enabled by the GLIBC_TUNABLES framework.

The __kind variable in struct __pthread_mutex_s is accessed concurrently.
Therefore we are now using the atomic macros.

The new testcase tst-mutex10 is triggering the race on s390x and intel.
Presumably also on power, but I don't have access to a power machine
with lock-elision. At least the code for power is the same as on the other
two architectures.

ChangeLog:

	[BZ #23275]
	* nptl/tst-mutex10.c: New File.
	* nptl/Makefile (tests): Add tst-mutex10.
	(tst-mutex10-ENV): New variable.
	* sysdeps/unix/sysv/linux/s390/force-elision.h: (FORCE_ELISION):
	Ensure that elision path is used if elision is available.
	* sysdeps/unix/sysv/linux/powerpc/force-elision.h (FORCE_ELISION):
	Likewise.
	* sysdeps/unix/sysv/linux/x86/force-elision.h: (FORCE_ELISION):
	Likewise.
	* nptl/pthreadP.h (PTHREAD_MUTEX_TYPE, PTHREAD_MUTEX_TYPE_ELISION)
	(PTHREAD_MUTEX_PSHARED): Use atomic_load_relaxed.
	* nptl/pthread_mutex_consistent.c (pthread_mutex_consistent): Likewise.
	* nptl/pthread_mutex_getprioceiling.c (pthread_mutex_getprioceiling):
	Likewise.
	* nptl/pthread_mutex_lock.c (__pthread_mutex_lock_full)
	(__pthread_mutex_cond_lock_adjust): Likewise.
	* nptl/pthread_mutex_setprioceiling.c (pthread_mutex_setprioceiling):
	Likewise.
	* nptl/pthread_mutex_timedlock.c (__pthread_mutex_timedlock): Likewise.
	* nptl/pthread_mutex_trylock.c (__pthread_mutex_trylock): Likewise.
	* nptl/pthread_mutex_unlock.c (__pthread_mutex_unlock_full): Likewise.
	* sysdeps/nptl/bits/thread-shared-types.h (struct __pthread_mutex_s):
	Add comments.
	* nptl/pthread_mutex_destroy.c (__pthread_mutex_destroy):
	Use atomic_load_relaxed and atomic_store_relaxed.
	* nptl/pthread_mutex_init.c (__pthread_mutex_init):
	Use atomic_store_relaxed.

(cherry picked from commit 403b4feb22)
2018-10-18 12:36:15 +02:00
H.J. Lu
5a74abda20 i386: Use _dl_runtime_[resolve|profile]_shstk for SHSTK [BZ #23716]
When elf_machine_runtime_setup is called to set up resolver, it should
use _dl_runtime_resolve_shstk or _dl_runtime_profile_shstk if SHSTK is
enabled by kernel.

Tested on i686 with and without --enable-cet as well as on CET emulator
with --enable-cet.

	[BZ #23716]
	* sysdeps/i386/dl-cet.c: Removed.
	* sysdeps/i386/dl-machine.h (_dl_runtime_resolve_shstk): New
	prototype.
	(_dl_runtime_profile_shstk): Likewise.
	(elf_machine_runtime_setup): Use _dl_runtime_profile_shstk or
	_dl_runtime_resolve_shstk if SHSTK is enabled by kernel.

Signed-off-by: H.J. Lu <hjl.tools@gmail.com>

(cherry picked from commit 7b1f940676)
2018-10-09 19:35:50 -07:00
Rafal Luzynski
5473739a7b kl_GL: Fix spelling of Sunday, should be "sapaat" (bug 20209).
Although CLDR says otherwise, it is confirmed by Oqaasileriffik, the
official Greenlandic language regulator, that this change is correct.

	[BZ #20209]
	* localedata/locales/kl_GL: (abday): Fix spelling of Sun (Sunday),
	should be "sap" rather than "sab".
	(day): Fix spelling of Sunday, should be "sapaat" rather than
	"sabaat".

(cherry picked from commit dae3ed958c)
2018-10-09 00:50:20 +02:00
Adhemerval Zanella
044c96f0d5 Fix misreported errno on preadv2/pwritev2 (BZ#23579)
The fallback code of Linux wrapper for preadv2/pwritev2 executes
regardless of the errno code for preadv2, instead of the case where
the syscall is not supported.

This fixes it by calling the fallback code iff errno is ENOSYS. The
patch also adds tests for both invalid file descriptor and invalid
iov_len and vector count.

The only discrepancy between preadv2 and fallback code regarding
error reporting is when an invalid flags are used.  The fallback code
bails out earlier with ENOTSUP instead of EINVAL/EBADF when the syscall
is used.

Checked on x86_64-linux-gnu on a 4.4.0 and 4.15.0 kernel.

	[BZ #23579]
	* misc/tst-preadvwritev2-common.c (do_test_with_invalid_fd): New
	test.
	* misc/tst-preadvwritev2.c, misc/tst-preadvwritev64v2.c (do_test):
	Call do_test_with_invalid_fd.
	* sysdeps/unix/sysv/linux/preadv2.c (preadv2): Use fallback code iff
	errno is ENOSYS.
	* sysdeps/unix/sysv/linux/preadv64v2.c (preadv64v2): Likewise.
	* sysdeps/unix/sysv/linux/pwritev2.c (pwritev2): Likewise.
	* sysdeps/unix/sysv/linux/pwritev64v2.c (pwritev64v2): Likewise.

(cherry picked from commit 7a16bdbb9f)
2018-09-28 15:32:43 -03:00
Andreas Schwab
3a67c72c15 Fix stack overflow in tst-setcontext9 (bug 23717)
The function f1a, executed on a stack of size 32k, allocates an object of
size 32k on the stack.  Make the stack variables static to reduce
excessive stack usage.

(cherry picked from commit f841c97e51)
2018-09-27 12:37:06 +02:00
H.J. Lu
2339d6a55e i386: Use ENTRY and END in start.S [BZ #23606]
Wrapping the _start function with ENTRY and END to insert ENDBR32 at
function entry when CET is enabled.  Since _start now includes CFI,
without "cfi_undefined (eip)", unwinder may not terminate at _start
and we will get

Program received signal SIGSEGV, Segmentation fault.
0xf7dc661e in ?? () from /lib/libgcc_s.so.1
Missing separate debuginfos, use: dnf debuginfo-install libgcc-8.2.1-3.0.fc28.i686
(gdb) bt
 #0  0xf7dc661e in ?? () from /lib/libgcc_s.so.1
 #1  0xf7dc7c18 in _Unwind_Backtrace () from /lib/libgcc_s.so.1
 #2  0xf7f0d809 in __GI___backtrace (array=array@entry=0xffffc7d0,
    size=size@entry=20) at ../sysdeps/i386/backtrace.c:127
 #3  0x08049254 in compare (p1=p1@entry=0xffffcad0, p2=p2@entry=0xffffcad4)
    at backtrace-tst.c:12
 #4  0xf7e2a28c in msort_with_tmp (p=p@entry=0xffffca5c, b=b@entry=0xffffcad0,
    n=n@entry=2) at msort.c:65
 #5  0xf7e29f64 in msort_with_tmp (n=2, b=0xffffcad0, p=0xffffca5c)
    at msort.c:53
 #6  msort_with_tmp (p=p@entry=0xffffca5c, b=b@entry=0xffffcad0, n=n@entry=5)
    at msort.c:53
 #7  0xf7e29f64 in msort_with_tmp (n=5, b=0xffffcad0, p=0xffffca5c)
    at msort.c:53
 #8  msort_with_tmp (p=p@entry=0xffffca5c, b=b@entry=0xffffcad0, n=n@entry=10)
    at msort.c:53
 #9  0xf7e29f64 in msort_with_tmp (n=10, b=0xffffcad0, p=0xffffca5c)
    at msort.c:53
 #10 msort_with_tmp (p=p@entry=0xffffca5c, b=b@entry=0xffffcad0, n=n@entry=20)
    at msort.c:53
 #11 0xf7e2a5b6 in msort_with_tmp (n=20, b=0xffffcad0, p=0xffffca5c)
    at msort.c:297
 #12 __GI___qsort_r (b=b@entry=0xffffcad0, n=n@entry=20, s=s@entry=4,
    cmp=cmp@entry=0x8049230 <compare>, arg=arg@entry=0x0) at msort.c:297
 #13 0xf7e2a84d in __GI_qsort (b=b@entry=0xffffcad0, n=n@entry=20, s=s@entry=4,
    cmp=cmp@entry=0x8049230 <compare>) at msort.c:308
 #14 0x080490f6 in main (argc=2, argv=0xffffcbd4) at backtrace-tst.c:39

FAIL: debug/backtrace-tst

	[BZ #23606]
	* sysdeps/i386/start.S: Include <sysdep.h>
	(_start): Use ENTRY/END to insert ENDBR32 at entry when CET is
	enabled.  Add cfi_undefined (eip).

Signed-off-by: H.J. Lu <hjl.tools@gmail.com>

(cherry picked from commit 5a274db4ea)
2018-09-21 04:32:22 -07:00
Wilco Dijkstra
0ef2f4400c Fix strstr bug with huge needles (bug 23637)
The generic strstr in GLIBC 2.28 fails to match huge needles.  The optimized
AVAILABLE macro reads ahead a large fixed amount to reduce the overhead of
repeatedly checking for the end of the string.  However if the needle length
is larger than this, two_way_long_needle may confuse this as meaning the end
of the string and return NULL.  This is fixed by adding the needle length to
the amount to read ahead.

	[BZ #23637]
	* string/test-strstr.c (pr23637): New function.
	(test_main): Add tests with longer needles.
	* string/strcasestr.c (AVAILABLE): Fix readahead distance.
	* string/strstr.c (AVAILABLE): Likewise.

    (cherry picked from commit 83a552b0bb)
2018-09-21 12:09:38 +01:00
Carlos O'Donell
a55e109709 Fix tst-setcontext9 for optimized small stacks.
If the compiler reduces the stack usage in function f1 before calling
into function f2, then when we swapcontext back to f1 and continue
execution we may overwrite registers that were spilled to the stack
while f2 was executing.  Later when we return to f2 the corrupt
registers will be reloaded from the stack and the test will crash.  This
was most commonly observed on i686 with __x86.get_pc_thunk.dx and
needing to save and restore $edx.  Overall i686 has few registers and
the spilling to the stack is bound to happen, therefore the solution to
making this test robust is to split function f1 into two parts f1a and
f1b, and allocate f1b it's own stack such that subsequent execution does
not overwrite the stack in use by function f2.

Tested on i686 and x86_64.

Signed-off-by: Carlos O'Donell <carlos@redhat.com>
(cherry picked from commit 791b350dc7)
2018-09-20 17:03:28 +02:00
Florian Weimer
307d04334d misc: New test misc/tst-gethostid
The empty /etc/hosts file used to trigger bug 23679.

(cherry picked from commit db9a8ad4ff)
2018-09-20 12:41:17 +02:00
Mingli Yu
e7d22db29c Linux gethostid: Check for NULL value from gethostbyname_r [BZ #23679]
A NULL value can happen with certain gethostbyname_r failures.

(cherry picked from commit 1214ba06e6)
2018-09-20 12:41:13 +02:00
Stefan Liebler
1fe2b9ca8a Fix segfault in maybe_script_execute.
If glibc is built with gcc 8 and -march=z900,
the testcase posix/tst-spawn4-compat crashes with a segfault.

In function maybe_script_execute, the new_argv array is dynamically
initialized on stack with (argc + 1) elements.
The function wants to add _PATH_BSHELL as the first argument
and writes out of bounds of new_argv.
There is an off-by-one because maybe_script_execute fails to count
the terminating NULL when sizing new_argv.

ChangeLog:

	* sysdeps/unix/sysv/linux/spawni.c (maybe_script_execute):
	Increment size of new_argv by one.

(cherry picked from commit 28669f86f6)
2018-09-10 14:22:52 +02:00
Florian Weimer
0b79004569 regex: Add test tst-regcomp-truncated [BZ #23578]
(cherry picked from commit 761404b74d)
2018-08-28 21:55:13 +02:00
Paul Eggert
58559f1443 regex: fix uninitialized memory access
I introduced this bug into gnulib in commit
8335a4d6c7b4448cd0bcb6d0bebf1d456bcfdb17 dated 2006-04-10;
eventually it was merged into glibc.  The bug was found by
project-repo <bugs@feusi.co> and reported here:
https://lists.gnu.org/r/sed-devel/2018-08/msg00017.html
Diagnosis and draft fix reported by Assaf Gordon here:
https://lists.gnu.org/r/bug-gnulib/2018-08/msg00071.html
https://lists.gnu.org/r/bug-gnulib/2018-08/msg00142.html
* posix/regex_internal.c (build_wcs_upper_buffer):
Fix bug when mbrtowc returns 0.

(cherry picked from commit bc680b3369)
2018-08-28 21:54:28 +02:00
Martin Kuchta
aa8a3e4cde pthread_cond_broadcast: Fix waiters-after-spinning case [BZ #23538]
(cherry picked from commit 99ea93ca31)
2018-08-27 18:54:46 +02:00
DJ Delorie
c87b5bab24 Improve ChangeLog message.
(cherry picked from commit e5721f45f6)
2018-08-22 18:56:05 +02:00
DJ Delorie
66fdfd57fe Regen RISC-V rvd ULPs
* sysdeps/riscv/rv64/rvd/libm-test-ulps: Update.

Note: I regen'd these from scratch, but I'm only committing the
increases, as I only tested on hardware.  There were a few 2->1
decreases that I omitted, possibly "for now".

(cherry picked from commit bb17621ab8)
2018-08-22 18:55:44 +02:00
DJ Delorie
b0aa03dfff RISC-V: Fix rounding save/restore bug.
* sysdeps/riscv/rvf/math_private.h (libc_feholdexcept_setround_riscv):
Fix rounding save-restore bug.

Fixes about a hundred off-by-ULP failures in the math testsuite.

(cherry picked from commit bf41818787)
2018-08-22 18:55:30 +02:00
Florian Weimer
2f498f3d14 nss_files: Fix file stream leak in aliases lookup [BZ #23521]
In order to get a clean test case, it was necessary to fix partially
fixed bug 23522 as well.

(cherry picked from commit e95c6f6192)
2018-08-14 10:57:48 +02:00
Florian Weimer
bfcfa22589 nscd: Deallocate existing user names in file parser
This avoids a theoretical memory leak (theoretical because it depends on
multiple server-user/stat-user directives in the configuration file).

(cherry picked from commit 2d7acfac3e)
2018-08-14 10:57:05 +02:00
Florian Weimer
d05b05d157 error, error_at_line: Add missing va_end calls
(cherry picked from commit b7b52b9dec)
2018-08-14 10:41:04 +02:00
Florian Weimer
4b25485f03 Linux: Rewrite __old_getdents64 [BZ #23497]
Commit 298d0e3129 ("Consolidate Linux
getdents{64} implementation") broke the implementation because it does
not take into account struct offset differences.

The new implementation is close to the old one, before the
consolidation, but has been cleaned up slightly.

(cherry picked from commit 690652882b)
2018-08-10 11:19:26 +02:00
Samuel Thibault
726e1554ce hurd: Avoid PLTs for __pthread_get/setspecific
* sysdeps/htl/pthreadP.h [IS_IN (libpthread)] (__pthread_getspecific,
__pthread_setspecific): Add hidden proto.
* sysdeps/htl/pt-getspecific.c (__pthread_getspecific): Add hidden def.
* sysdeps/htl/pt-setspecific.c (__pthread_setspecific): Add hidden def.
2018-08-09 01:30:13 +02:00
Samuel Thibault
7f11842e74 hurd: Add missing symbols for proper libc_get/setspecific
* htl/Versions (__pthread_getspecific, __pthread_setspecific): Add
	symbols.
2018-08-08 02:17:39 +02:00