Commit Graph

38520 Commits

Author SHA1 Message Date
Martin Sebor
03ad86880f elf: Fix use-after-free in ldconfig [BZ #26779]
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2022-01-25 17:37:56 -07:00
Adhemerval Zanella
342cc934a3 posix: Add terminal control setting support for posix_spawn
Currently there is no proper way to set the controlling terminal through
posix_spawn in race free manner [1].  This forces shell implementations
to keep using fork+exec when launching background process groups,
even when using posix_spawn yields better performance.

This patch adds a new GNU extension so the creating process can
configure the created process terminal group.  This is done with a new
flag, POSIX_SPAWN_TCSETPGROUP, along with two new attribute functions:
posix_spawnattr_tcsetpgrp_np, and posix_spawnattr_tcgetpgrp_np.
The function sets a new attribute, spawn-tcgroupfd, that references to
the controlling terminal.

The controlling terminal is set after the spawn-pgroup attribute, and
uses the spawn-tcgroupfd along with current creating process group
(so it is composable with POSIX_SPAWN_SETPGROUP).

To create a process and set the controlling terminal, one can use the
following sequence:

    posix_spawnattr_t attr;
    posix_spawnattr_init (&attr);
    posix_spawnattr_setflags (&attr, POSIX_SPAWN_TCSETPGROUP);
    posix_spawnattr_tcsetpgrp_np (&attr, tcfd);

If the idea is also to create a new process groups:

    posix_spawnattr_t attr;
    posix_spawnattr_init (&attr);
    posix_spawnattr_setflags (&attr, POSIX_SPAWN_TCSETPGROUP
				     | POSIX_SPAWN_SETPGROUP);
    posix_spawnattr_tcsetpgrp_np (&attr, tcfd);
    posix_spawnattr_setpgroup (&attr, 0);

The controlling terminal file descriptor is ignored if the new flag is
not set.

This interface is slight different than the one provided by QNX [2],
which only provides the POSIX_SPAWN_TCSETPGROUP flag.  The QNX
documentation does not specify how the controlling terminal is obtained
nor how it iteracts with POSIX_SPAWN_SETPGROUP.  Since a glibc
implementation is library based, it is more straightforward and avoid
requires additional file descriptor operations to request the caller
to setup the controlling terminal file descriptor (and it also allows
a bit less error handling by posix_spawn).

Checked on x86_64-linux-gnu and i686-linux-gnu.

[1] https://github.com/ksh93/ksh/issues/79
[2] https://www.qnx.com/developers/docs/7.0.0/index.html#com.qnx.doc.neutrino.lib_ref/topic/p/posix_spawn.html

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2022-01-25 14:07:53 -03:00
Florian Weimer
5b8e7980c5 Linux: Detect user namespace support in io/tst-getcwd-smallbuff
Otherwise the test fails with certain container runtimes.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-24 18:14:24 +01:00
Andreas Schwab
8442f0d966 Fix handling of unterminated bracket expressions in fnmatch (bug 28792)
When fnmatch processes a bracket expression, and eventually finds it to be
unterminated, it should rescan it, treating the starting bracket as a
normal character.  That didn't happen when a matching character was found
while scanning the bracket expression.
2022-01-24 17:13:33 +01:00
Siddhesh Poyarekar
84d2d0fe20 realpath: Avoid overwriting preexisting error (CVE-2021-3998)
Set errno and failure for paths that are too long only if no other error
occurred earlier.

Related: BZ #28770

Reviewed-by: Andreas Schwab <schwab@linux-m68k.org>
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-24 21:40:00 +05:30
H.J. Lu
d8d94863ef elf: Add a test for PT_LOAD segments with invalid p_align [BZ #28688]
Build tst-p_alignmod3.so with 256 byte page size and verify that it is
rejected with a proper error message.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2022-01-24 06:37:36 -08:00
H.J. Lu
e4c9268d15 elf: Add a test for PT_LOAD segments with p_align == 1 [BZ #28688]
Add tst-p_alignmod2-edit to edit the copy of tst-p_alignmod-base.so to
set p_align of the first PT_LOAD segment to 1 and verify that the shared
library can be loaded normally.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2022-01-24 06:37:29 -08:00
H.J. Lu
b5237c0746 elf: Add a test for PT_LOAD segments with mixed p_align [BZ #28676]
Add tst-p_alignmod1-edit to edit the copy of tst-p_alignmod-base.so to
reduce p_align of the first PT_LOAD segment by half and verify that the
shared library is mapped with the maximum p_align of all PT_LOAD segments.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2022-01-24 06:37:15 -08:00
H.J. Lu
114d07fd9a Add and use link-test-modules-rpath-link [BZ #28455]
DT_RUNPATH is only used to find the immediate dependencies of the
executable or shared object containing the DT_RUNPATH entry:

1. Define link-test-modules-rpath-link if $(build-hardcoded-path-in-tests)
is yes.
2. Use $(link-test-modules-rpath-link) in build-module-helper so that
test modules can dlopen modules with DT_RUNPATH.
3. Add a test to show why link-test-modules-rpath-link is needed.

This partially fixes BZ #28455.
2022-01-24 05:11:36 -08:00
Siddhesh Poyarekar
976db046bc tst-realpath-toolong: Fix hurd build
Define PATH_MAX to a constant if it isn't already defined, like in hurd.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-24 11:00:23 +05:30
Siddhesh Poyarekar
23e0e8f5f1 getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999)
No valid path returned by getcwd would fit into 1 byte, so reject the
size early and return NULL with errno set to ERANGE.  This change is
prompted by CVE-2021-3999, which describes a single byte buffer
underflow and overflow when all of the following conditions are met:

- The buffer size (i.e. the second argument of getcwd) is 1 byte
- The current working directory is too long
- '/' is also mounted on the current working directory

Sequence of events:

- In sysdeps/unix/sysv/linux/getcwd.c, the syscall returns ENAMETOOLONG
  because the linux kernel checks for name length before it checks
  buffer size

- The code falls back to the generic getcwd in sysdeps/posix

- In the generic func, the buf[0] is set to '\0' on line 250

- this while loop on line 262 is bypassed:

    while (!(thisdev == rootdev && thisino == rootino))

  since the rootfs (/) is bind mounted onto the directory and the flow
  goes on to line 449, where it puts a '/' in the byte before the
  buffer.

- Finally on line 458, it moves 2 bytes (the underflowed byte and the
  '\0') to the buf[0] and buf[1], resulting in a 1 byte buffer overflow.

- buf is returned on line 469 and errno is not set.

This resolves BZ #28769.

Reviewed-by: Andreas Schwab <schwab@linux-m68k.org>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
Signed-off-by: Qualys Security Advisory <qsa@qualys.com>
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-24 11:00:17 +05:30
Alexandra Hájková
6c2f050dbe Add valgrind smoke test
Check if whether valgrind is available in the test environment.
If not, skip the test. Run smoke tests with valgrind to verify dynamic loader.
First, check if algrind works with the system ld.so in the test
environment. Then run the actual test inside the test environment,
using the just build ld.so and new libraries.

Co-authored-by: Mark Wielaard <mark@klomp.org>
2022-01-22 17:31:16 +01:00
Samuel Thibault
8c86ba4463 htl: Fix cleaning the reply port
If any RPC fails, the reply port will already be deallocated.
__pthread_thread_terminate thus has to defer taking its name until the very last
__thread_terminate_release which doesn't reply a message.  But then we
have to read from the pthread structure.

This introduces __pthread_dealloc_finish() which does the recording of
the thread termination, so the slot can be reused really only just before
the __thread_terminate_release call. Only the real thread can set it, so
let's decouple this from the pthread_state by just removing the
PTHREAD_TERMINATED state and add a terminated field.
2022-01-22 02:17:19 +01:00
H.J. Lu
e22a4557eb elf: Properly align all PT_LOAD segments [BZ #28676]
Linker may set p_align of a PT_LOAD segment larger than p_align of the
first PT_LOAD segment to satisfy a section alignment:

Elf file type is DYN (Shared object file)
Entry point 0x0
There are 10 program headers, starting at offset 64

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000834 0x0000000000000834  R E    0x1000
  LOAD           0x0000000000000e00 0x0000000000001e00 0x0000000000001e00
                 0x0000000000000230 0x0000000000000230  RW     0x1000
  LOAD           0x0000000000400000 0x0000000000400000 0x0000000000400000
                 0x0000000000000004 0x0000000000000008  RW     0x400000
...

 Section to Segment mapping:
  Segment Sections...
   00     .note.gnu.property .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .plt.got .text .fini .rodata .eh_frame_hdr .eh_frame
   01     .init_array .fini_array .data.rel.ro .dynamic .got .got.plt
   02     .data .bss

We should align the first PT_LOAD segment to the maximum p_align of all
PT_LOAD segments, similar to the kernel commit:

commit ce81bb256a224259ab686742a6284930cbe4f1fa
Author: Chris Kennelly <ckennelly@google.com>
Date:   Thu Oct 15 20:12:32 2020 -0700

    fs/binfmt_elf: use PT_LOAD p_align values for suitable start address

This fixes BZ #28676.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2022-01-21 11:18:03 -08:00
Siddhesh Poyarekar
ee8d5e33ad realpath: Set errno to ENAMETOOLONG for result larger than PATH_MAX [BZ #28770]
realpath returns an allocated string when the result exceeds PATH_MAX,
which is unexpected when its second argument is not NULL.  This results
in the second argument (resolved) being uninitialized and also results
in a memory leak since the caller expects resolved to be the same as the
returned value.

Return NULL and set errno to ENAMETOOLONG if the result exceeds
PATH_MAX.  This fixes [BZ #28770], which is CVE-2021-3998.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-21 23:01:30 +05:30
Siddhesh Poyarekar
fb7bff12e8 support: Add helpers to create paths longer than PATH_MAX
Add new helpers support_create_and_chdir_toolong_temp_directory and
support_chdir_toolong_temp_directory to create and descend into
directory trees longer than PATH_MAX.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-21 23:01:27 +05:30
Jangwoong Kim
6b8dbbd03a nptl: Effectively skip CAS in spinlock loop
The commit:
"Add LLL_MUTEX_READ_LOCK [BZ #28537]"
SHA1: d672a98a1a

introduced LLL_MUTEX_READ_LOCK, to skip CAS in spinlock loop
if atomic load fails. But, "continue" inside of do-while loop
does not skip the evaluation of escape expression, thus CAS
is not skipped.

Replace do-while with while and skip LLL_MUTEX_TRYLOCK if
LLL_MUTEX_READ_LOCK fails.

Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
2022-01-20 05:05:09 -08:00
Florian Weimer
f44820821a mips: Move DT_MIPS into <ldsodefs.h>
ELF_MACHINE_XHASH_SETUP in that file needs it.

Fixes commit c90363403b
("elf: Move _dl_setup_hash to its own file").
2022-01-19 20:11:55 +01:00
Sunil K Pandey
3e63b15d43 x86_64: Document libmvec vector functions accuracy [BZ #28766]
Document maximum 4 ulps accuracy for x86_64 libmvec functions.
This fixes BZ #28766.

Reviewed-By: Paul Zimmermann <Paul.Zimmermann@inria.fr>
2022-01-19 07:57:11 -08:00
H.J. Lu
1e000d3d33 x86: Black list more Intel CPUs for TSX [BZ #27398]
Disable TSX and enable RTM_ALWAYS_ABORT for Intel CPUs listed in:

https://www.intel.com/content/www/us/en/support/articles/000059422/processors.html

This fixes BZ #27398.

Reviewed-by: Noah Goldstein <goldstein.w.n@gmail.com>
2022-01-18 14:20:09 -08:00
Adhemerval Zanella
716c4027b0 elf: Fix tst-align3
The elf/tst-align3.c declares the function using a wrong prototype.

Checked on aarch64-linux-gnu.
2022-01-18 14:38:15 -03:00
Florian Weimer
c90363403b elf: Move _dl_setup_hash to its own file
And compile it with the early CFLAGS.  _dl_setup_hash is called
very early for the ld.so link map, so it should be compiled
differently.

Reviewed-by: Stefan Liebler <stli@linux.ibm.com>
Tested-by: Stefan Liebler <stli@linux.ibm.com>
2022-01-18 14:40:21 +01:00
Samuel Thibault
f8b765bec4 htl: Fix build error in annexc
We were getting

../scripts/evaluate-test.sh posix/annexc $? true false > /usr/src/glibc-upstream/build/posix/annexc.test-result
In file included from ../include/pthread.h:1,
                 from <stdin>:1:
../sysdeps/htl/include/pthread.h:7:62: error: missing binary operator before token "("
    7 | # if defined __USE_EXTERN_INLINES && defined _LIBC && !IS_IN (libsupport)
      |                                                              ^
2022-01-17 23:18:27 +00:00
Adhemerval Zanella
3a5aeba87a elf: Reinstate tst-audit17
9926f6e2ee ("elf: Skip tst-auditlogmod-* if the linker doesn't support
--depaudit [BZ #28 151]") dropped the test by mistake.
2022-01-17 17:16:33 -03:00
Aurelien Jarno
c242fcce06 x86: use default cache size if it cannot be determined [BZ #28784]
In some cases (e.g QEMU, non-Intel/AMD CPU) the cache information can
not be retrieved and the corresponding values are set to 0.

Commit 2d651eb926 ("x86: Move x86 processor cache info to
cpu_features") changed the behaviour in such case by defining the
__x86_shared_cache_size and __x86_data_cache_size variables to 0 instead
of using the default values. This cause an issue with the i686 SSE2
optimized bzero/routine which assumes that the cache size is at least
128 bytes, and otherwise tries to zero/set the whole address space minus
128 bytes.

Fix that by restoring the original code to only update
__x86_shared_cache_size and __x86_data_cache_size variables if the
corresponding cache sizes are not zero.

Fixes bug 28784
Fixes commit 2d651eb926

Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
2022-01-17 19:42:46 +01:00
Samuel Thibault
9702a41cee rt/tst-mqueue*: Return UNSUPPORTED when mq_open fails with ENOSYS
Rather than returning 0 or a failure.
2022-01-17 19:17:41 +01:00
Adhemerval Zanella
5f3a7ebc35 Linux: Add epoll_pwait2 (BZ #27359)
It is similar to epoll_wait, with the difference the timeout has
nanosecond resoluting by using struct timespec instead of int.

Although Linux interface only provides 64 bit time_t support, old
32 bit interface is also provided (so keep in sync with current
practice and to no force opt-in on 64 bit time_t).

Checked on x86_64-linux-gnu and i686-linux-gnu.

Reviewed-by: Florian Weimer <fweimer@redhat.com>
2022-01-17 14:34:54 -03:00
H.J. Lu
ded3aeb202 Properly handle --disable-default-pie [BZ #28780]
When --disable-default-pie is used, all glibc programs and the testsuite
should be built as position dependent executables (non-PIE), regardless
if the build compiler supports PIE or static PIE.

When --disable-default-pie is used, don't build static PIE by default.

This fixes BZ #28780.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-17 07:27:25 -08:00
Adhemerval Zanella
9fe6f63638 elf: Fix 64 time_t support for installed statically binaries
The usage of internal static symbol for statically linked binaries
does not work correctly for objects built with -D_TIME_BITS=64,
since the internal definition does not provide the expected aliases.

This patch makes it to use the default stat functions instead (which
uses the default 64 time_t alias and types).

Checked on i686-linux-gnu.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2022-01-17 10:57:09 -03:00
Adhemerval Zanella
cedd498dbc Revert "elf: Fix 64 time_t support for installed statically binaries"
This reverts commit 0b8e83eb14.
2022-01-17 10:56:58 -03:00
Florian Weimer
f545ad4928 CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug 28768)
The sunrpc function svcunix_create suffers from a stack-based buffer
overflow with overlong pathname arguments.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-17 10:47:58 +01:00
Martin Sebor
ef972a4c50 sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542)
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-17 10:22:07 +01:00
Florian Weimer
226b46770c CVE-2022-23219: Buffer overflow in sunrpc clnt_create for "unix" (bug 22542)
Processing an overlong pathname in the sunrpc clnt_create function
results in a stack-based buffer overflow.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-17 10:22:00 +01:00
Florian Weimer
e368b12f6c socket: Add the __sockaddr_un_set function
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-17 10:21:53 +01:00
Florian Weimer
06200aac9b elf/tst-dl_find_object: Disable subtests for non-contiguous maps (bug 28732)
Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
2022-01-17 09:58:27 +01:00
Florian Weimer
8eb2510d38 elf: Set l_contiguous to 1 for the main map in more cases
l_contiguous was not initialized at all for the main map and
always 0.  This commit adds code to check if the LOAD segments
are adjacent to each other, and sets l_contiguous accordingly.
This helps _dl_find_object because it is more efficient if the
main mapping is contiguous.

Note that not all (PIE or non-PIE) binaries are contiguous in this
way because BFD ld creates executables with LOAD holes:

ELF LOAD segments creating holes in the process image on GNU/Linux
https://sourceware.org/pipermail/binutils/2022-January/119082.html
https://sourceware.org/bugzilla/show_bug.cgi?id=28743

Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
2022-01-17 09:58:27 +01:00
Florian Weimer
b4d4ff8963 elf: Introduce rtld_setup_main_map
This function collects most of the processing needed to initialize
the link map for the main executable.

Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
2022-01-17 09:58:27 +01:00
Samuel Thibault
0eb230ccce hurd: Make RPC input array parameters const
This follows mig's cf4bcc3f1435 ("Also add const qualifiers on server
side")
2022-01-16 18:48:08 +00:00
Samuel Thibault
41a11a5e83 hurd: optimize exec cleanup
When ports are nul we do not need to request their deallocation. It is
also useless to look for them in portnames.
2022-01-16 00:02:16 +01:00
Samuel Thibault
54dda2cdba hurd: Add __rtld_execve
It trivially execs with the same dtable, portarray and intarray, and only
has to take care of deallocating / destroying ports (file, notably).
2022-01-15 23:42:35 +01:00
Samuel Thibault
84a9d5835a hurd: Fix exec() leak on proc_task2proc failure
env is allocated after args, so should be freed before it.
2022-01-15 21:58:39 +01:00
Samuel Thibault
1bd7a06a95 htl: Hide __pthread_attr's __schedparam type [BZ #23088]
The content of the structure is only used internally, so we can make
__pthread_attr_getschedparam and __pthread_attr_setschedparam convert
between the public sched_param type and an internal __sched_param.

This allows to avoid to spuriously expose the sched_param type.

This fixes BZ #23088.
2022-01-15 21:31:08 +01:00
Samuel Thibault
c1105e34ac htl: Clear kernel_thread field before releasing the thread structure
Otherwise this is a use-after-free.
2022-01-15 21:31:08 +01:00
Samuel Thibault
630d2568a1 hurd: drop SA_SIGINFO availability xfail
BZ #23089 was fixed by d865ff74ba ("hurd: implement SA_SIGINFO signal
handlers")
2022-01-15 17:43:07 +01:00
Samuel Thibault
67ca1c5560 hurd: Fix timer/clock_getres crash on NULL res parameter
POSIX allows res to be NULL.
2022-01-15 15:37:03 +01:00
Samuel Thibault
2c040d0b90 hurd: Fix pthread_kill on exiting/ted thread
We have to drop the kernel_thread port from the thread structure, to
avoid pthread_kill's call to _hurd_thread_sigstate trying to reference
it and fail.
2022-01-15 15:11:54 +01:00
Samuel Thibault
dfb204d87f [hurd] Drop spurious #ifdef SHARED
The whole file is already #ifdef SHARED
2022-01-15 14:23:37 +01:00
Samuel Thibault
f05faf5f22 [hurd] Call _dl_sort_maps_init in _dl_sysdep_start
This follows 15a0c5730d ("elf: Fix slow DSO sorting behavior in
dynamic loader (BZ #17645)").
2022-01-15 14:21:53 +01:00
Samuel Thibault
4974c7cd8f elf tst-dl_find_object: Fix typo
mod1 was xdlclose()d a few lines above.
2022-01-15 13:58:56 +01:00
Florian Weimer
f01d482f03 s390x: Use <gcc-macros.h> in early HWCAP check
This is required so that the checks still work if $(early-cflags)
selects a different ISA level.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2022-01-14 20:17:58 +01:00