Commit Graph

36623 Commits

Siddhesh Poyarekar
c43c579612 Introduce _FORTIFY_SOURCE=3
Introduce a new _FORTIFY_SOURCE level of 3 to enable additional
fortifications that may have a noticeable performance impact, allowing
more fortification coverage at the cost of some performance.

With llvm 9.0 or later, this will replace the use of
__builtin_object_size with __builtin_dynamic_object_size.

__builtin_dynamic_object_size
-----------------------------

__builtin_dynamic_object_size is an LLVM builtin that is similar to
__builtin_object_size.  In addition to what __builtin_object_size
does, i.e. replace the builtin call with a constant object size,
__builtin_dynamic_object_size will replace the call site with an
expression that evaluates to the object size, thus expanding its
applicability.  In practice, __builtin_dynamic_object_size evaluates
these expressions through malloc/calloc calls that it can associate
with the object being evaluated.

A simple motivating example is below; -D_FORTIFY_SOURCE=2 would miss
this and emit memcpy, but -D_FORTIFY_SOURCE=3 with the help of
__builtin_dynamic_object_size is able to emit __memcpy_chk with the
allocation size expression passed into the function:

#include <stdlib.h>
#include <string.h>

void *copy_obj (const void *src, size_t alloc, size_t copysize)
{
  /* The compiler can see this allocation, so at level 3 the object
     size becomes the expression 'alloc' rather than an unknown.  */
  void *obj = malloc (alloc);
  memcpy (obj, src, copysize);
  return obj;
}

Limitations
-----------

If the object was allocated elsewhere, where the compiler cannot see it, or
if it was allocated in the function with a function that the compiler
does not recognize as an allocator, then __builtin_dynamic_object_size
also returns -1.

Further, the expression used to compute object size may be non-trivial
and may potentially incur a noticeable performance impact.  These
fortifications are hence enabled at a new _FORTIFY_SOURCE level to
allow developers to make a choice on the tradeoff according to their
environment.
2020-12-31 16:55:21 +05:30
Siddhesh Poyarekar
2a08b6e833 Warn on unsupported fortification levels
Make the _FORTIFY_SOURCE macro soup in features.h warn about
unsupported fortification levels.  For example, it will warn about
_FORTIFY_SOURCE=3 and over with an indication of which level has been
selected.

Co-authored-by: Paul Eggert <eggert@cs.ucla.edu>
2020-12-31 16:55:21 +05:30
Matheus Castanho
41f013cef2 powerpc: Use scv instruction on clone when available
clone already uses r31 to temporarily save input arguments before doing the
syscall, so we use a different register to read from the TCB. We can also avoid
allocating another stack frame, which is not needed since we can simply extend
the usage of the red zone.

Tested-by: Lucas A. M. Magalhães <lamm@linux.ibm.com>
Reviewed-by: Tulio Magno Quites Machado Filho <tuliom@linux.ibm.com>
2020-12-30 18:26:33 -03:00
Matheus Castanho
68ab82f566 powerpc: Runtime selection between sc and scv for syscalls
Linux kernel v5.9 added support for system calls using the scv
instruction for POWER9 and later.  The new codepath provides better
performance (see below) if compared to using sc.  For the
foreseeable future, both sc and scv mechanisms will co-exist, so this
patch enables glibc to do a runtime check and use scv when it is
available.

Before issuing the system call to the kernel, we check hwcap2 in the TCB
for PPC_FEATURE2_SCV to see if scv is supported by the kernel.  If not,
we fall back to sc and keep the old behavior.

The kernel implements a different error return convention for scv, so
when returning from a system call we need to handle the return value
differently depending on the instruction we used to enter the kernel.

For syscalls implemented in ASM, entry and exit are implemented by
different macros (PSEUDO and PSEUDO_RET, resp.), which may be used in
sequence (e.g. for templated syscalls) or with other instructions in
between (e.g. clone).  To avoid accessing the TCB a second time on
PSEUDO_RET to check which instruction we used, the value read from
hwcap2 is cached on a non-volatile register.

This is not needed when using INTERNAL_SYSCALL macro, since entry and
exit are bundled into the same inline asm directive.

The dynamic loader may issue syscalls before the TCB has been set up,
so it always uses sc with no extra checks.  For the static case, there
is no compile-time way to determine if we are inside startup code,
so we also check the value of the thread pointer before effectively
accessing the TCB.  For such situations in which the availability of
scv cannot be determined, sc is always used.

Support for scv in syscalls implemented in their own ASM file (clone and
vfork) will be added later. For now simply use sc as before.

Average performance over 1M calls for each syscall "type":
  - stat: C wrapper calling INTERNAL_SYSCALL
  - getpid: templated ASM syscall
  - syscall: call to gettid using syscall function

  Standard:
     stat : 1.573445 us / ~3619 cycles
   getpid : 0.164986 us / ~379 cycles
  syscall : 0.162743 us / ~374 cycles

  With scv:
     stat : 1.537049 us / ~3535 cycles <~ -84 cycles  / -2.32%
   getpid : 0.109923 us / ~253 cycles  <~ -126 cycles / -33.25%
  syscall : 0.116410 us / ~268 cycles  <~ -106 cycles / -28.34%

Tested on powerpc, powerpc64, powerpc64le (with and without scv)

Tested-by: Lucas A. M. Magalhães <lamm@linux.ibm.com>
Reviewed-by: Tulio Magno Quites Machado Filho <tuliom@linux.ibm.com>
2020-12-30 18:26:25 -03:00
Adhemerval Zanella
9835632cf4 malloc: preserve errno on mcheck hooks [BZ #17924]
Similar to the fix 69fda43b8d, save and restore errno for the hook
functions used for MALLOC_CHECK_=3.

It fixes the malloc/tst-free-errno-mcheck regression.

Checked on x86_64-linux-gnu.
2020-12-30 10:37:58 -03:00
Siddhesh Poyarekar
38a033ac85 x86 long double: Add tests for pseudo normal numbers
Add some tests for fpclassify, isnan, isinf and issignaling.

Co-authored-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2020-12-30 10:53:11 +05:30
Siddhesh Poyarekar
7525c1c71d x86 long double: Consider pseudo numbers as signaling
Add support to treat pseudo-numbers specially and implement x86
version to consider all of them as signaling.

Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2020-12-30 10:52:45 +05:30
Adhemerval Zanella
99468ed45f io: Remove xmknod{at} implementations
With xmknod wrapper functions removed (589260cef8), the mknod functions
are now properly exported, and versioning is done using symbol versioning
instead of the extra _MKNOD_* argument.

It also allows us to consolidate Linux and Hurd mknod implementation.

Reviewed-by: Lukasz Majewski <lukma@denx.de>
2020-12-29 16:44:16 -03:00
Adhemerval Zanella
4d97cc8cf3 io: Remove xstat implementations
With xstat wrapper functions removed (8ed005daf0), the stat functions
are now properly exported, and versioning is done using symbol versioning
instead of the extra _STAT_* argument.

Reviewed-by: Lukasz Majewski <lukma@denx.de>
2020-12-29 16:44:05 -03:00
Paul Eggert
69fda43b8d free: preserve errno [BZ#17924]
In the next release of POSIX, free must preserve errno
<https://www.austingroupbugs.net/view.php?id=385>.
Modify __libc_free to save and restore errno, so that
any internal munmap etc. syscalls do not disturb the caller's errno.
Add a test malloc/tst-free-errno.c (almost all by Bruno Haible),
and document that free preserves errno.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2020-12-29 00:46:46 -08:00
Samuel Thibault
016c64236d hurd: Accept including hurd/version.h
We need it to get the RPC API version.
2020-12-29 03:26:12 +01:00
Samuel Thibault
f6abd97028 hurd: Add WSTOPPED/WCONTINUED/WEXITED/WNOWAIT support [BZ #23091]
The new __proc_waitid RPC now expects WEXITED to be passed, allowing
waitid to be properly implemented, and thus the missing W* macros to be
defined (according to FreeBSD values).
2020-12-28 23:37:04 +01:00
Samuel Thibault
f9c3cf2864 support: Make support_process_state_wait wait less
Tests such as posix/tst-waitid.c make heavy use of
support_process_state_wait, and thus on non-Linux where it falls back
to sleeping, a 2s sleep makes such test time out, while 1s remains
fine enough.
2020-12-28 23:17:56 +01:00
Samuel Thibault
e42efa01c9 hurd: set sigaction for signal preemptors in arch-independent file
Instead of having the arch-specific trampoline setup code detect whether
preemption happened or not, we'd rather pass it the sigaction. In the
future, this may also allow changing sa_flags from post_signal().
2020-12-26 18:03:31 +01:00
Samuel Thibault
a39b95b975 hurd: Fix spawni SPAWN_XFLAGS_TRY_SHELL with empty argv
When argv is empty, we need to add the original script to be run on the
shell command line.
2020-12-26 16:39:40 +01:00
Samuel Thibault
13adfa34af hurd: Try shell in posix_spawn* only in compat mode
Reported by Bruno Haible <bruno@clisp.org>
2020-12-26 15:12:04 +01:00
H.J. Lu
f380868f6d Remove _ISOMAC check from <cpu-features.h>
Remove _ISOMAC check from <cpu-features.h> since it isn't an installed
header file.
2020-12-24 15:43:34 -08:00
H.J. Lu
45dcd1af09 x86: Remove the duplicated CPU_FEATURE_CPU_P
CPU_FEATURE_CPU_P is defined in sysdeps/x86/sys/platform/x86.h.  Remove
the duplicated CPU_FEATURE_CPU_P in sysdeps/x86/include/cpu-features.h.
2020-12-24 04:39:08 -08:00
Siddhesh Poyarekar
41290b6e84 Partially revert 681900d296
Do not attempt to fix the significand top bit in long double input
received in printf.  The code should never reach here because isnan
should now detect unnormals as NaN.  This is already a NOP for glibc
since it uses the gcc __builtin_isnan, which detects unnormals as NaN.

Reviewed-by: Florian Weimer <fweimer@redhat.com>
2020-12-24 06:05:46 +05:30
Siddhesh Poyarekar
94547d9209 x86 long double: Support pseudo numbers in isnanl
This syncs up isnanl behaviour with gcc.  Also move the isnanl
implementation to sysdeps/x86 and remove the sysdeps/x86_64 version.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2020-12-24 06:05:40 +05:30
Siddhesh Poyarekar
b7f8815617 x86 long double: Support pseudo numbers in fpclassifyl
Also move sysdeps/i386/fpu/s_fpclassifyl.c to
sysdeps/x86/fpu/s_fpclassifyl.c and remove
sysdeps/x86_64/fpu/s_fpclassifyl.c

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2020-12-24 06:05:26 +05:30
Siddhesh Poyarekar
84c202246b MTE: Do not pad size in realloc_check
The MTE patch to add malloc support incorrectly padded the size passed
to _int_realloc by SIZE_SZ when it ought to have sent just the
chunksize.  Revert that bit of the change so that realloc works
correctly with MALLOC_CHECK_ set.

This also brings the realloc_check implementation back in sync with
libc_realloc.
2020-12-24 06:02:05 +05:30
Siddhesh Poyarekar
4f969166ce tests-mcheck: New variable to run tests with MALLOC_CHECK_=3
This new variable allows various subsystems in glibc to run all or
some of their tests with MALLOC_CHECK_=3.  This patch adds
infrastructure support for this variable as well as an implementation
in malloc/Makefile to allow running some of the tests with
MALLOC_CHECK_=3.

At present some tests in malloc/ have been excluded from the mcheck
tests either because they're specifically testing MALLOC_CHECK_ or
they are failing in master even without the Memory Tagging patches
that prompted this work.  Some tests were reviewed and found to need
specific error points that MALLOC_CHECK_ defeats by terminating early
but a thorough review of all tests is needed to bring them into mcheck
coverage.

The following failures are seen in current master:

FAIL: malloc/tst-malloc-fork-deadlock-mcheck
FAIL: malloc/tst-malloc-stats-cancellation-mcheck
FAIL: malloc/tst-malloc-thread-fail-mcheck
FAIL: malloc/tst-realloc-mcheck
FAIL: malloc/tst-reallocarray-mcheck

All of these are due to the Memory Tagging patchset and will be fixed
separately.
2020-12-24 06:02:02 +05:30
Florian Weimer
8a30bb4e06 elf: Account for glibc-hwcaps/ prefix in _dl_important_hwcaps
2020-12-23 15:47:22 +01:00
Siddhesh Poyarekar
be37b80705 misc: Use __ferror_unlocked instead of ferror
The ferror call results in an unnecessary PLT reference.  Use
__ferror_unlocked instead, which gets inlined.
2020-12-23 07:03:42 +05:30
Florian Weimer
0e981d3524 s390x: Regenerate ulps
For new inputs added in commit cad5ad81d2,
as seen on a z13 system.
2020-12-22 19:27:38 +01:00
Florian Weimer
2aa8ec7dd7 powerpc: Regenerate ulps
For new inputs added in commit cad5ad81d2,
as seen on a POWER8 system.
2020-12-22 19:22:44 +01:00
Siddhesh Poyarekar
9798906a42 addmntent: Remove unbounded alloca usage from getmntent [BZ#27083]
The addmntent function replicates elements of struct mnt on stack
using alloca, which is unsafe.  Put characters directly into the
stream, escaping them as they're being written out.

Also add a test to check all escaped characters with addmntent and
getmntent.
2020-12-22 21:32:55 +05:30
H.J. Lu
a2e5da2cf4 <sys/platform/x86.h>: Add Intel LAM support
Add Intel Linear Address Masking (LAM) support to <sys/platform/x86.h>.
HAS_CPU_FEATURE (LAM) can be used to detect if LAM is enabled in CPU.

LAM modifies the checking that is applied to 64-bit linear addresses,
allowing software to make use of the untranslated address bits for metadata.
2020-12-22 03:45:47 -08:00
Florian Weimer
bca0283815 i386: Regenerate ulps
For new inputs added in commit cad5ad81d2.
2020-12-21 18:19:03 +01:00
Szabolcs Nagy
682cdd6e1a aarch64: update ulps.
For new test cases in commit cad5ad81d2
2020-12-21 16:40:34 +00:00
Richard Earnshaw
d27f0e5d88 aarch64: Add aarch64-specific files for memory tagging support
This final patch provides the architecture-specific implementation of
the memory-tagging support hooks for aarch64.
2020-12-21 15:25:25 +00:00
Richard Earnshaw
bde4949b6b aarch64: Add sysv specific enabling code for memory tagging
Add various defines and stubs for enabling MTE on AArch64 sysv-like
systems such as Linux.  The HWCAP feature bit is copied over in the
same way as other feature bits.  Similarly we add a new wrapper header
for mman.h to define the PROT_MTE flag that can be used with mmap and
related functions.

We add a new field to struct cpu_features that can be used, for
example, to check whether or not certain ifunc'd routines should be
bound to MTE-safe versions.

Finally, if we detect that MTE should be enabled (i.e. via the glibc
tunable), we enable MTE during startup as required.

Support in the Linux kernel was added in version 5.10.

Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
2020-12-21 15:25:25 +00:00
Richard Earnshaw
0d1bafdcb6 linux: Add compatibility definitions to sys/prctl.h for MTE
Older versions of the Linux kernel headers obviously lack support for
memory tagging, but we still want to be able to build in support when
using those (obviously it can't be enabled on such systems).

The linux kernel extensions are made to the platform-independent
header (linux/prctl.h), so this patch takes a similar approach.
2020-12-21 15:25:25 +00:00
Richard Earnshaw
3784dfc098 malloc: Basic support for memory tagging in the malloc() family
This patch adds the basic support for memory tagging.

Various flavours are supported, particularly being able to turn on
tagged memory at run-time: this allows the same code to be used on
systems where memory tagging support is not present without needing
a separate build of glibc.  Also, depending on whether the kernel
supports it, the code will use mmap for the default arena if morecore
does not, or cannot, support tagged memory (on AArch64 it is not
available).

All the hooks use function pointers to allow this to work without
needing ifuncs.

Reviewed-by: DJ Delorie <dj@redhat.com>
2020-12-21 15:25:25 +00:00
Richard Earnshaw
26450d04d3 elf: Add a tunable to control use of tagged memory
Add a new glibc tunable: mem.tagging.  This is a decimal constant in
the range 0-255 but used as a bit-field.

Bit 0 enables use of tagged memory in the malloc family of functions.
Bit 1 enables precise faulting of tag failure on platforms where this
can be controlled.
Other bits are currently unused, but if set will cause memory tag
checking for the current process to be enabled in the kernel.
2020-12-21 15:25:25 +00:00
Richard Earnshaw
3378408987 config: Allow memory tagging to be enabled when configuring glibc
This patch adds the configuration machinery to allow memory tagging to be
enabled from the command line via the configure option --enable-memory-tagging.

The current default is off, though in time we may change that once the API
is more stable.
2020-12-21 15:25:25 +00:00
Matt Turner
d552058570 alpha: Remove anonymous union in struct stat [BZ #27042]
This is clever, but it confuses downstream detection in at least zstd
and GNOME's glib. zstd has preprocessor tests for the 'st_mtime' macro,
which is not provided by the path using the anonymous union; glib checks
for the presence of 'st_mtimensec' in struct stat but then tries to
access that field in struct statx (which might be a bug on its own).

Checked with a build for alpha-linux-gnu.
2020-12-21 09:09:43 -03:00
Paul Zimmermann
cad5ad81d2 add inputs to auto-libm-test-in yielding larger errors (binary64, x86_64)
2020-12-21 10:35:20 +05:30
Sergei Trofimovich
6eb7e1da0e m68k: fix clobbering a5 in setjmp() [BZ #24202]
setjmp() uses C code to store current registers into jmp_buf
environment. -fstack-protector-all places canary into setjmp()
prologue and clobbers 'a5' before it gets saved.

The change inhibits stack canary injection to avoid clobber.
2020-12-21 10:24:34 +05:30
liqingqing
756608dbe8 iconv: add iconv_close before the function returns with a bad value.
Add iconv_close before the function returns with a bad value.
2020-12-21 09:52:38 +05:30
liqingqing
d4eb814027 iconv: use iconv_close after iconv_open
2020-12-21 09:51:40 +05:30
Andreas Schwab
ee7a3144c9 Fix buffer overrun in EUC-KR conversion module (bz #24973)
The byte 0xfe as input to the EUC-KR conversion denotes a user-defined
area and is not allowed.  The from_euc_kr function used to skip two bytes
when told to skip over the unknown designation, potentially running over
the buffer end.
2020-12-21 09:01:49 +05:30
Samuel Thibault
e0aec6c833 hurd: Make trampoline fill siginfo ss_sp from sc_uesp
Mach actually fills the uesp field rather than esp.
2020-12-21 03:17:00 +01:00
Richard Braun
5c06743c8a Hurd: make sigstates hold a reference on thread ports
This change is required in order to correctly release per-thread
resources. Directly reusing the threading library reference isn't
possible since the sigstate is also used early in the main thread,
before threading is initialized.

* hurd/hurd/signal.h (_hurd_self_sigstate): Drop thread reference after
calling _hurd_thread_sigstate.
(_hurd_critical_section_lock): Likewise.
* hurd/hurdsig.c (_hurd_thread_sigstate): Add a reference on the thread.
(_hurd_sigstate_delete): Drop thread reference.
2020-12-21 02:10:16 +01:00
Samuel Thibault
53432762ac profil-counter: Add missing SIGINFO case
When SA_SIGINFO is available, sysdeps/posix/s?profil.c use it, so we have to
fix the __profil_counter function accordingly, using sigcontextinfo.h's
sigcontext_get_pc.
2020-12-21 02:08:33 +01:00
Jeremie Koenig
d865ff74ba hurd: implement SA_SIGINFO signal handlers.
SA_SIGINFO is actually just another way of expressing what we were
already passing over with struct sigcontext. This just introduces the
SIGINFO interface and fixes the posix values when that interface is
requested by the application.
2020-12-21 01:44:20 +01:00
Samuel Thibault
407765e9f2 hurd: Fix ELF_MACHINE_USER_ADDRESS_MASK value
x86 binaries are linked at 0x08000000, so we need to let them get mapped
there.
2020-12-20 01:47:47 +01:00
Samuel Thibault
e94b01393e hurd: Note when the vm_map kernel bug was fixed
dl-sysdep has been wanting to use high bits in the vm_map mask for decades,
but that was only implemented lately.
2020-12-20 01:46:11 +01:00
Samuel Thibault
b74233d009 hurd: Also turn KERN_INVALID_ADDRESS to EINVAL
When e.g. mmap is passed an invalid address we would return
KERN_INVALID_ADDRESS, while POSIX applications would expect EINVAL.
2020-12-19 18:57:47 +01:00