Commit Graph

1103 Commits

Author SHA1 Message Date
Andreas Schwab
69239bd7a2 stdlib: fix grouping verification with multi-byte thousands separator (bug 30964)
The grouping verification only worked for a single-byte thousands
separator.  With a multi-byte separator it returned as if no separators
were present.  The actual parsing in str_to_mpn will then go wrong when
there are multiple adjacent multi-byte separators in the number.
2023-10-12 11:42:22 +02:00
Samuel Thibault
6333a6014f __call_tls_dtors: Use call_function_static_weak 2023-09-04 20:03:37 +02:00
Samuel Thibault
cbf4aa422c tst-realpath-toolong: return "unsupported" when PATH_MAX is undefined
When PATH_MAX is undefined, realpath cannot ever ENAMETOOLONG, so
this test is unsupported.
2023-08-03 22:43:27 +02:00
Florian Weimer
510fc20d73 stdlib: Improve tst-realpath compatibility with source fortification
On GCC before 11, IPA can make the fortified realpath aware that the
buffer size is not large enough (8 bytes instead of PATH_MAX bytes).
Fix this by using a buffer that is large enough.
2023-08-01 10:27:15 +02:00
Frédéric Bérat
20c894d21e Exclude routines from fortification
Since the _FORTIFY_SOURCE feature uses some routines of Glibc, they need to
be excluded from the fortification.

On top of that:
 - some tests explicitly verify that some level of fortification works
   appropriately, we therefore shouldn't modify the level set for them.
 - some objects need to be build with optimization disabled, which
   prevents _FORTIFY_SOURCE to be used for them.

Assembler files that implement architecture specific versions of the
fortified routines were not excluded from _FORTIFY_SOURCE as there is no
C header included that would impact their behavior.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-07-05 16:59:48 +02:00
Joe Simmons-Talbott
9401024e5e setenv.c: Get rid of alloca.
Use malloc rather than alloca to avoid potential stack overflow.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2023-06-30 14:31:45 +00:00
Joseph Myers
2d88df5411 C2x scanf %b support
ISO C2x defines scanf %b for input of binary integers (with an
optional 0b or 0B prefix).  Implement such support, along with the
corresponding SCNb* macros in <inttypes.h>.  Unlike the support for
binary integers with 0b or 0B prefix with scanf %i, this is supported
in all versions of scanf (independent of the standards mode used for
compilation), because there are no backwards compatibility concerns
(%b wasn't previously a supported format) the way there were for %i.

Tested for x86_64 and x86.
2023-06-19 19:40:34 +00:00
Adhemerval Zanella Netto
e6ce346d07 stdlib: Tune down fork arc4random tests
There is no fork detection on current arc4random implementation, so
use lower subprocess on fork tests.  The tests now run on 0.1s
instead of 8s on a Ryzen9 5900X.

Checked on x86_64-linux-gnu.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2023-06-12 14:45:16 -03:00
Frédéric Bérat
f6a532fbd0 tests: Replace various function calls with their x variant
With fortification enabled, few function calls return result need to be
checked, has they get the __wur macro enabled.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-06-06 08:23:53 -04:00
Paul Pluzhnikov
2cbeda847b Fix a few more typos I missed in previous round -- BZ 25337 2023-06-02 23:46:32 +00:00
Paul Pluzhnikov
7f0d9e61f4 Fix all the remaining misspellings -- BZ 25337 2023-06-02 01:39:48 +00:00
Frédéric Bérat
29e25f6f13 tests: fix warn unused results
With fortification enabled, few function calls return result need to be
checked, has they get the __wur macro enabled.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-06-01 13:01:32 -04:00
Adhemerval Zanella
95c9a6e806 Fix special case for C2x strtol binary constant handling (BZ# 30371)
When the base is 0 or 2 and the first two characters are '0' and 'b',
but the rest are no binary digits.  In this case this is no error,
and strtol must return 0 and ENDPTR points to the 'x' or 'b'.

Checked on x86_64-linux-gnu and i686-linux-gnu.

Reviewed-by: Florian Weimer <fweimer@redhat.com>
2023-05-25 09:28:23 -03:00
Florian Weimer
10a81dd4cf stdlib: Avoid undefined behavior in stdlib/tst-labs
The last loop could attempt to overflow beyond INT_MAX on 32-bit
architectures.

Also switch to GNU style.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-05-17 08:23:59 +02:00
Florian Weimer
8812b9900e stdlib: Use long long int in stdlib/tst-llabs
And adjust for GNU style.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-05-17 08:23:45 +02:00
Joe Simmons-Talbott
d877b52d58 stdlib: Add testcases for llabs(). (BZ #30263)
Test minimum and maximum long long values, zero, 32bit crossover points, and
part of the range of long long values.  Use '-fno-builtin' to ensure we are
testing the implementation.

Reviewed-by: Wilco Dijkstra  <Wilco.Dijkstra@arm.com>
2023-05-16 14:38:20 -04:00
Joe Simmons-Talbott
b11db301e1 stdlib: Add testcases for labs(). (BZ #30263)
Test minimum and maximum long values, zero, and part of the range
of long values.  Use '-fno-builtin' to ensure we are testing the
implementation.

Reviewed-by: Wilco Dijkstra  <Wilco.Dijkstra@arm.com>
2023-05-16 14:38:17 -04:00
Joe Simmons-Talbott
0d21b3783f stdlib: Add testcases for abs(). (BZ #30263)
Test minimum and maximum int values, zero, and part of the range
of int values.  Use '-fno-builtin' to ensure we are testing the
implementation.

Reviewed-by: Wilco Dijkstra  <Wilco.Dijkstra@arm.com>
2023-05-16 14:38:07 -04:00
Carlos O'Donell
91f33a300c stdlib: Reformat Makefile.
Reflow Makefile.
Sort using scripts/sort-makefile-lines.py.

No code generation changes observed in binary artifacts.
No regressions on x86_64 and i686.
2023-05-16 07:19:31 -04:00
наб
cea74a4a24 testsuite: stdlib/isomac.c: fix REQUIREMENTS
All of the mentioned variables are gone. gcc is just the default and
argv[1] can be used instead. /usr/include isn't hard-coded and you can
pass argv[2] with -I... to adjust.

Signed-off-by: Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2023-05-08 09:59:45 -04:00
Joe Simmons-Talbott
868506eb42 system: Add "--" after "-c" for sh (BZ #28519)
Prevent sh from interpreting a user string as shell options if it
starts with '-' or '+'.  Since the version of /bin/sh used for testing
system() is different from the full-fledged system /bin/sh add support
to it for handling "--" after "-c".  Add a testcase to ensure the
expected behavior.

Signed-off-by: Joe Simmons-Talbott <josimmon@redhat.com>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2023-03-28 10:12:30 -03:00
Adhemerval Zanella Netto
88677348b4 Move libc_freeres_ptrs and libc_subfreeres to hidden/weak functions
They are both used by __libc_freeres to free all library malloc
allocated resources to help tooling like mtrace or valgrind with
memory leak tracking.

The current scheme uses assembly markers and linker script entries
to consolidate the free routine function pointers in the RELRO segment
and to be freed buffers in BSS.

This patch changes it to use specific free functions for
libc_freeres_ptrs buffers and call the function pointer array directly
with call_function_static_weak.

It allows the removal of both the internal macros and the linker
script sections.

Checked on x86_64-linux-gnu, i686-linux-gnu, and aarch64-linux-gnu.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2023-03-27 13:57:55 -03:00
Joseph Myers
2d4728e606 Update printf %b/%B C2x support
WG14 recently accepted two additions to the printf/scanf %b/%B
support: there are now PRIb* and SCNb* macros in <inttypes.h>, and
printf %B is now an optional feature defined in normative text,
instead of recommended practice, with corresponding PRIB* macros that
can also be used to test whether that optional feature is supported.
See N3072 items 14 and 15 for details (those changes were accepted,
some other changes in that paper weren't).

Add the corresponding PRI* macros to glibc and update one place in the
manual referring to %B as recommended.  (SCNb* should naturally be
added at the same time as the corresponding scanf %b support.)

Tested for x86_64 and x86.
2023-03-14 16:58:35 +00:00
Adam Yi
d03094649d hurd: fix build of tst-system.c
We made tst-system.c depend on pthread, but that requires linking with
$(shared-thread-library). It does not fail under Linux because the
variable expands to nothing under Linux, but it fails for Hurd.

I tested verified via cross-compiling that "make check" now works
for Hurd.

Signed-off-by: Adam Yi <ayi@janestreet.com>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2023-03-08 08:49:54 -03:00
Adam Yi
436a604b7d posix: Fix system blocks SIGCHLD erroneously [BZ #30163]
Fix bug that SIGCHLD is erroneously blocked forever in the following
scenario:

1. Thread A calls system but hasn't returned yet
2. Thread B calls another system but returns

SIGCHLD would be blocked forever in thread B after its system() returns,
even after the system() in thread A returns.

Although POSIX does not require, glibc system implementation aims to be
thread and cancellation safe. This bug was introduced in
5fb7fc9635 when we moved reverting signal
mask to happen when the last concurrently running system returns,
despite that signal mask is per thread. This commit reverts this logic
and adds a test.

Signed-off-by: Adam Yi <ayi@janestreet.com>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2023-03-07 09:54:50 -03:00
Vitaly Buka
fd78cfa72e stdlib: Undo post review change to 16adc58e73 [BZ #27749]
Post review removal of "goto restart" from
https://sourceware.org/pipermail/libc-alpha/2021-April/125470.html
introduced a bug when some atexit handers skipped.

Signed-off-by: Vitaly Buka <vitalybuka@google.com>

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2023-02-20 09:32:43 -03:00
Qihao Chencao
cc4d6614b5 Use uintptr_t instead of performing pointer subtraction with a null pointer
Signed-off-by: Qihao Chencao <twose@qq.com>

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2023-02-17 17:07:44 -03:00
Adhemerval Zanella
a6ccce23af stdlib: Simplify getenv
And remove _STRING_ARCH_unaligned usage.

Checked on x86_64-linux-gnu and i686-linux-gnu.

Reviewed-by: Wilco Dijkstra  <Wilco.Dijkstra@arm.com>
2023-02-17 15:56:50 -03:00
Joseph Myers
64924422a9 C2x strtol binary constant handling
C2x adds binary integer constants starting with 0b or 0B, and supports
those constants in strtol-family functions when the base passed is 0
or 2.  Implement that strtol support for glibc.

As discussed at
<https://sourceware.org/pipermail/libc-alpha/2020-December/120414.html>,
this is incompatible with previous C standard versions, in that such
an input string starting with 0b or 0B was previously required to be
parsed as 0 (with the rest of the string unprocessed).  Thus, as
proposed there, this patch adds 20 new __isoc23_* functions with
appropriate header redirection support.  This patch does *not* do
anything about scanf %i (which will need 12 new functions per long
double variant, so 12, 24 or 36 depending on the glibc configuration),
instead leaving that for a future patch.  The function names would
remain as __isoc23_* even if C2x ends up published in 2024 rather than
2023.

Making this change leads to the question of what should happen to
internal uses of these functions in glibc and its tests.  The header
redirection (which applies for _GNU_SOURCE or any other feature test
macros enabling C2x features) has the effect of redirecting internal
uses but without those uses then ending up at a hidden alias (see the
comment in include/stdio.h about interaction with libc_hidden_proto).
It seems desirable for the default for internal uses to be the same
versions used by normal code using _GNU_SOURCE, so rather than doing
anything to disable that redirection, similar macro definitions to
those in include/stdio.h are added to the include/ headers for the new
functions.

Given that the default for uses in glibc is for the redirections to
apply, the next question is whether the C2x semantics are correct for
all those uses.  Uses with the base fixed to 10, 16 or any other value
other than 0 or 2 can be ignored.  I think this leaves the following
internal uses to consider (an important consideration for review of
this patch will be both whether this list is complete and whether my
conclusions on all entries in it are correct):

benchtests/bench-malloc-simple.c
benchtests/bench-string.h
elf/sotruss-lib.c
math/libm-test-support.c
nptl/perf.c
nscd/nscd_conf.c
nss/nss_files/files-parse.c
posix/tst-fnmatch.c
posix/wordexp.c
resolv/inet_addr.c
rt/tst-mqueue7.c
soft-fp/testit.c
stdlib/fmtmsg.c
support/support_test_main.c
support/test-container.c
sysdeps/pthread/tst-mutex10.c

I think all of these places are OK with the new semantics, except for
resolv/inet_addr.c, where the POSIX semantics of inet_addr do not
allow for binary constants; thus, I changed that file (to use
__strtoul_internal, whose semantics are unchanged) and added a test
for this case.  In the case of posix/wordexp.c I think accepting
binary constants is OK since POSIX explicitly allows additional forms
of shell arithmetic expressions, and in stdlib/fmtmsg.c SEV_LEVEL is
not in POSIX so again I think accepting binary constants is OK.

Functions such as __strtol_internal, which are only exported for
compatibility with old binaries from when those were used in inline
functions in headers, have unchanged semantics; the __*_l_internal
versions (purely internal to libc and not exported) have a new
argument to specify whether to accept binary constants.

As well as for the standard functions, the header redirection also
applies to the *_l versions (GNU extensions), and to legacy functions
such as strtoq, to avoid confusing inconsistency (the *q functions
redirect to __isoc23_*ll rather than needing their own __isoc23_*
entry points).  For the functions that are only declared with
_GNU_SOURCE, this means the old versions are no longer available for
normal user programs at all.  An internal __GLIBC_USE_C2X_STRTOL macro
is used to control the redirections in the headers, and cases in glibc
that wish to avoid the redirections - the function implementations
themselves and the tests of the old versions of the GNU functions -
then undefine and redefine that macro to allow the old versions to be
accessed.  (There would of course be greater complexity should we wish
to make any of the old versions into compat symbols / avoid them being
defined at all for new glibc ABIs.)

strtol_l.c has some similarity to strtol.c in gnulib, but has already
diverged some way (and isn't listed at all at
https://sourceware.org/glibc/wiki/SharedSourceFiles unlike strtoll.c
and strtoul.c); I haven't made any attempts at gnulib compatibility in
the changes to that file.

I note incidentally that inttypes.h and wchar.h are missing the
__nonnull present on declarations of this family of functions in
stdlib.h; I didn't make any changes in that regard for the new
declarations added.
2023-02-16 23:02:40 +00:00
Wilco Dijkstra
32c7acd464 Replace rawmemchr (s, '\0') with strchr
Almost all uses of rawmemchr find the end of a string.  Since most targets use
a generic implementation, replacing it with strchr is better since that is
optimized by compilers into strlen (s) + s.  Also fix the generic rawmemchr
implementation to use a cast to unsigned char in the if statement.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2023-02-06 16:16:19 +00:00
Sam James
35bcb08eaa stdlib: tests: don't double-define _FORTIFY_SOURCE
If using -D_FORITFY_SOURCE=3 (in my case, I've patched GCC to add
=3 instead of =2 (we've done =2 for years in Gentoo)), building
glibc tests will fail on testmb like:
```
<command-line>: error: "_FORTIFY_SOURCE" redefined [-Werror]
<built-in>: note: this is the location of the previous definition
cc1: all warnings being treated as errors
make[2]: *** [../o-iterator.mk:9: /var/tmp/portage/sys-libs/glibc-2.36/work/build-x86-x86_64-pc-linux-gnu-nptl/stdlib/testmb.o] Error 1
make[2]: *** Waiting for unfinished jobs....
```

It's just because we're always setting -D_FORTIFY_SOURCE=2
rather than unsetting it first. If F_S is already 2, it's harmless,
but if it's another value (say, 1, or 3), the compiler will bawk.

(I'm not aware of a reason this couldn't be tested with =3,
but the toolchain support is limited for that (too new), and we want
to run the tests everywhere possible.)

Signed-off-by: Sam James <sam@gentoo.org>
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-02-02 23:00:58 -05:00
Joseph Myers
6d7e8eda9b Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
Joseph Myers
728ada505a Remove trailing whitespace in gmp.h 2023-01-06 21:14:15 +00:00
Florian Weimer
e88b9f0e5c stdio-common: Convert vfprintf and related functions to buffers
vfprintf is entangled with vfwprintf (of course), __printf_fp,
__printf_fphex, __vstrfmon_l_internal, and the strfrom family of
functions.  The latter use the internal snprintf functionality,
so vsnprintf is converted as well.

The simples conversion is __printf_fphex, followed by
__vstrfmon_l_internal and __printf_fp, and finally
__vfprintf_internal and __vfwprintf_internal.  __vsnprintf_internal
and strfrom* are mostly consuming the new interfaces, so they
are comparatively simple.

__printf_fp is a public symbol, so the FILE *-based interface
had to preserved.

The __printf_fp rewrite does not change the actual binary-to-decimal
conversion algorithm, and digits are still not emitted directly to
the target buffer.  However, the staging buffer now uses bytes
instead of wide characters, and one buffer copy is eliminated.

The changes are at least performance-neutral in my testing.
Floating point printing and snprintf improved measurably, so that
this Lua script

  for i=1,5000000 do
      print(i, i * math.pi)
  end

runs about 5% faster for me.  To preserve fprintf performance for
a simple "%d" format, this commit has some logic changes under
LABEL (unsigned_number) to avoid additional function calls.  There
are certainly some very easy performance improvements here: binary,
octal and hexadecimal formatting can easily avoid the temporary work
buffer (the number of digits can be computed ahead-of-time using one
of the __builtin_clz* built-ins). Decimal formatting can use a
specialized version of _itoa_word for base 10.

The existing (inconsistent) width handling between strfmon and printf
is preserved here.  __print_fp_buffer_1 would have to use
__translated_number_width to achieve ISO conformance for printf.

Test expectations in libio/tst-vtables-common.c are adjusted because
the internal staging buffer merges all virtual function calls into
one.

In general, stack buffer usage is greatly reduced, particularly for
unbuffered input streams.  __printf_fp can still use a large buffer
in binary128 mode for %g, though.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2022-12-19 18:56:54 +01:00
Adhemerval Zanella
5dcd2d0ad0 stdlib: Move _IO_cleanup to call_function_static_weak
Reviewed-by: Florian Weimer <fweimer@redhat.com>
2022-12-12 09:53:23 -03:00
Adhemerval Zanella
8d291eabd5 Apply asm redirection in gmp.h before first use
For clang the redeclaration after the first use, the visibility attribute
is silently ignored (symbol is STV_DEFAULT) while the asm label attribute
causes an error.

Reviewed-by: Fangrui Song <maskray@google.com>
2022-11-07 10:40:21 -03:00
Szabolcs Nagy
17bfe5954b Fix OOB read in stdlib thousand grouping parsing [BZ #29727]
__correctly_grouped_prefixmb only worked with thousands_len == 1,
otherwise it read past the end of cp or thousands.

This affects scanf formats like %'d, %'f and the internal but
exposed __strto{l,ul,f,d,..}_internal with grouping flag set
and an LC_NUMERIC locale where thousands_len > 1.

Avoid OOB access by considering thousands_len when initializing cp.
This fixes bug 29727.

Found by the morello port with strict bounds checking where

FAIL: stdlib/tst-strtod4
FAIL: stdlib/tst-strtod5i

crashed using a locale with thousands_len==3.
2022-11-02 15:42:27 +00:00
Adhemerval Zanella
8d98c7c00f configure: Use -Wno-ignored-attributes if compiler warns about multiple aliases
clang emits an warning when a double alias redirection is used, to warn
the the original symbol will be used even when weak definition is
overridden.  However, this is a common pattern for weak_alias, where
multiple alias are set to same symbol.

Reviewed-by: Fangrui Song <maskray@google.com>
2022-11-01 09:51:06 -03:00
Letu Ren
0cc0033ef1 stdlib/strfrom: Add copysign to fix NAN issue on riscv (BZ #29501)
According to the specification of ISO/IEC TS 18661-1:2014,

The strfromd, strfromf, and strfroml functions are equivalent to
snprintf(s, n, format, fp) (7.21.6.5), except the format string contains only
the character %, an optional precision that does not contain an asterisk *, and
one of the conversion specifiers a, A, e, E, f, F, g, or G, which applies to
the type (double, float, or long double) indicated by the function suffix
(rather than  by a length modifier). Use of these functions with any other 20
format string results in undefined behavior.

strfromf will convert the arguement with type float to double first.

According to the latest version of IEEE754 which is published in 2019,

Conversion of a quiet NaN from a narrower format to a wider format in the same
radix, and then back to the same narrower format, should not change the quiet
NaN payload in any way except to make it canonical.

When either an input or result is a NaN, this standard does not interpret the
sign of a NaN. However, operations on bit strings—copy, negate, abs,
copySign—specify the sign bit of a NaN result, sometimes based upon the sign
bit of a NaN operand. The logical predicates totalOrder and isSignMinus are
also affected by the sign bit of a NaN operand. For all other operations, this
standard does not specify the sign bit of a NaN result, even when there is only
one input NaN, or when the NaN is produced from an invalid operation.

converting NAN or -NAN with type float to double doesn't need to keep
the signbit. As a result, this test case isn't mandatory.

The problem is that according to RISC-V ISA manual in chapter 11.3 of
riscv-isa-20191213,

Except when otherwise stated, if the result of a floating-point operation is
NaN, it is the canonical NaN. The canonical NaN has a positive sign and all
significand bits clear except the MSB, a.k.a. the quiet bit. For
single-precision floating-point, this corresponds to the pattern 0x7fc00000.

which means that conversion -NAN from float to double won't keep the signbit.

Since glibc ought to be consistent here between types and architectures, this
patch adds copysign to fix this problem if the string is NAN. This patch
adds two different functions under sysdeps directory to work around the
issue.

This patch has been tested on x86_64 and riscv64.

Resolves: BZ #29501

v2: Change from macros to different inline functions.
v3: Add unlikely check to isnan.
v4: Fix wrong commit message header.
v5: Fix style: add space before parentheses.
v6: Add copyright.
Signed-off-by: Letu Ren <fantasquex@gmail.com>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2022-10-28 11:35:20 -03:00
Xi Ruoyao
37db2657c9 longlong.h: update from GCC for LoongArch clz/ctz support
Update longlong.h to GCC r13-3269.  Keep our local change (prefer https
for gnu.org URL).
2022-10-28 15:02:53 +08:00
Florian Weimer
58548b9d68 Use PTR_MANGLE and PTR_DEMANGLE unconditionally in C sources
In the future, this will result in a compilation failure if the
macros are unexpectedly undefined (due to header inclusion ordering
or header inclusion missing altogether).

Assembler sources are more difficult to convert.  In many cases,
they are hand-optimized for the mangling and no-mangling variants,
which is why they are not converted.

sysdeps/s390/s390-32/__longjmp.c and sysdeps/s390/s390-64/__longjmp.c
are special: These are C sources, but most of the implementation is
in assembler, so the PTR_DEMANGLE macro has to be undefined in some
cases, to match the assembler style.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2022-10-18 17:04:10 +02:00
Florian Weimer
88f4b6929c Introduce <pointer_guard.h>, extracted from <sysdep.h>
This allows us to define a generic no-op version of PTR_MANGLE and
PTR_DEMANGLE.  In the future, we can use PTR_MANGLE and PTR_DEMANGLE
unconditionally in C sources, avoiding an unintended loss of hardening
due to missing include files or unlucky header inclusion ordering.

In i386 and x86_64, we can avoid a <tls.h> dependency in the C
code by using the computed constant from <tcb-offsets.h>.  <sysdep.h>
no longer includes these definitions, so there is no cyclic dependency
anymore when computing the <tcb-offsets.h> constants.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2022-10-18 17:03:55 +02:00
Adhemerval Zanella
609c9d0951 malloc: Do not clobber errno on __getrandom_nocancel (BZ #29624)
Use INTERNAL_SYSCALL_CALL instead of INLINE_SYSCALL_CALL.  This
requires emulate the semantic for hurd call (so __arc4random_buf
uses the fallback).

Checked on x86_64-linux-gnu.

Reviewed-by: Wilco Dijkstra  <Wilco.Dijkstra@arm.com>
2022-09-30 15:25:15 -03:00
Adhemerval Zanella
13db9ee2cb stdlib: Fix __getrandom_nocancel type and arc4random usage (BZ #29638)
Using an unsigned type prevents the fallback to be used if kernel
does not support getrandom syscall.

Checked on x86_64-linux-gnu.

Reviewed-by: Wilco Dijkstra  <Wilco.Dijkstra@arm.com>
2022-09-30 15:24:49 -03:00
Adhemerval Zanella
6c4ee1aba1 stdlib: Fix macro expansion producing 'defined' has undefined behavior
The FPIOCONST_HAVE_EXTENDED_RANGE is defined as:

  #define FPIOCONST_HAVE_EXTENDED_RANGE \
    ((!defined __NO_LONG_DOUBLE_MATH && __LDBL_MAX_EXP__ > 1024) \
    || __HAVE_DISTINCT_FLOAT128)

Which is undefined behavior accordingly to C Standard (Preprocessing
directives, p4).

Checked on x86_64-linux-gnu.
2022-08-30 08:40:47 -03:00
Florian Weimer
2ed26bca99 inet: Turn __ivaliduser into a compatibility symbol
It is not declared in a header file, and as the comment indicates,
it is not expected to be used.
2022-08-10 08:40:15 +02:00
Florian Weimer
9001cb1102 assert: Do not use stderr in libc-internal assert
Redirect internal assertion failures to __libc_assert_fail, based on
based on __libc_message, which writes directly to STDERR_FILENO
and calls abort.  Also disable message translation and reword the
error message slightly (adjusting stdlib/tst-bz20544 accordingly).

As a result of these changes, malloc no longer needs its own
redefinition of __assert_fail.

__libc_assert_fail needs to be stubbed out during rtld dependency
analysis because the rtld rebuilds turn __libc_assert_fail into
__assert_fail, which is unconditionally provided by elf/dl-minimal.c.

This change is not possible for the public assert macro and its
__assert_fail function because POSIX requires that the diagnostic
is written to stderr.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2022-08-03 11:43:04 +02:00
Adhemerval Zanella
c622ac1b86 stdlib: Simplify arc4random_uniform
It uses the bitmask with rejection [1], which calculates a mask
being the lowest power of two bounding the request upper bound,
successively queries new random values, and rejects values
outside the requested range.

Performance-wise, there is no much gain in trying to conserve
bits since arc4random is wrapper on getrandom syscall.  It should
be cheaper to just query a uint32_t value.  The algorithm also
avoids modulo and divide operations, which might be costly
depending of the architecture.

[1] https://www.pcg-random.org/posts/bounded-rands.html

Reviewed-by: Yann Droneaud <ydroneaud@opteya.com>
2022-08-01 14:37:24 -03:00
Adhemerval Zanella
35363b53ce stdlib: Tuned down tst-arc4random-thread internal parameters
With new arc4random implementation, the internal parameters might
require a lot of runtime and/or trigger some contention on older
kernels (which might trigger spurious timeout failures).

Also, since we are now testing getrandom entropy instead of an
userspace RNG, there is no much need to extensive testing.

With this change the tst-arc4random-thread goes from about 1m to
5s on a Ryzen 9 with 5.15.0-41-generic.

Checked on x86_64-linux-gnu.

Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
2022-07-29 09:19:00 -03:00
Jason A. Donenfeld
eaad4f9e8f arc4random: simplify design for better safety
Rather than buffering 16 MiB of entropy in userspace (by way of
chacha20), simply call getrandom() every time.

This approach is doubtlessly slower, for now, but trying to prematurely
optimize arc4random appears to be leading toward all sorts of nasty
properties and gotchas. Instead, this patch takes a much more
conservative approach. The interface is added as a basic loop wrapper
around getrandom(), and then later, the kernel and libc together can
work together on optimizing that.

This prevents numerous issues in which userspace is unaware of when it
really must throw away its buffer, since we avoid buffering all
together. Future improvements may include userspace learning more from
the kernel about when to do that, which might make these sorts of
chacha20-based optimizations more possible. The current heuristic of 16
MiB is meaningless garbage that doesn't correspond to anything the
kernel might know about. So for now, let's just do something
conservative that we know is correct and won't lead to cryptographic
issues for users of this function.

This patch might be considered along the lines of, "optimization is the
root of all evil," in that the much more complex implementation it
replaces moves too fast without considering security implications,
whereas the incremental approach done here is a much safer way of going
about things. Once this lands, we can take our time in optimizing this
properly using new interplay between the kernel and userspace.

getrandom(0) is used, since that's the one that ensures the bytes
returned are cryptographically secure. But on systems without it, we
fallback to using /dev/urandom. This is unfortunate because it means
opening a file descriptor, but there's not much of a choice. Secondly,
as part of the fallback, in order to get more or less the same
properties of getrandom(0), we poll on /dev/random, and if the poll
succeeds at least once, then we assume the RNG is initialized. This is a
rough approximation, as the ancient "non-blocking pool" initialized
after the "blocking pool", not before, and it may not port back to all
ancient kernels, though it does to all kernels supported by glibc
(≥3.2), so generally it's the best approximation we can do.

The motivation for including arc4random, in the first place, is to have
source-level compatibility with existing code. That means this patch
doesn't attempt to litigate the interface itself. It does, however,
choose a conservative approach for implementing it.

Cc: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>
Cc: Florian Weimer <fweimer@redhat.com>
Cc: Cristian Rodríguez <crrodriguez@opensuse.org>
Cc: Paul Eggert <eggert@cs.ucla.edu>
Cc: Mark Harris <mark.hsj@gmail.com>
Cc: Eric Biggers <ebiggers@kernel.org>
Cc: linux-crypto@vger.kernel.org
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2022-07-27 08:58:27 -03:00
Adhemerval Zanella Netto
4c128c7823 aarch64: Add optimized chacha20
It adds vectorized ChaCha20 implementation based on libgcrypt
cipher/chacha20-aarch64.S.  It is used as default and only
little-endian is supported (BE uses generic code).

As for generic implementation, the last step that XOR with the
input is omited.  The final state register clearing is also
omitted.

On a virtualized Linux on Apple M1 it shows the following
improvements (using formatted bench-arc4random data):

GENERIC                                    MB/s
-----------------------------------------------
arc4random [single-thread]               380.89
arc4random_buf(16) [single-thread]       500.73
arc4random_buf(32) [single-thread]       552.61
arc4random_buf(48) [single-thread]       566.82
arc4random_buf(64) [single-thread]       574.01
arc4random_buf(80) [single-thread]       581.02
arc4random_buf(96) [single-thread]       591.19
arc4random_buf(112) [single-thread]      592.29
arc4random_buf(128) [single-thread]      596.43
-----------------------------------------------

OPTIMIZED                                  MB/s
-----------------------------------------------
arc4random [single-thread]               569.60
arc4random_buf(16) [single-thread]       825.78
arc4random_buf(32) [single-thread]       987.03
arc4random_buf(48) [single-thread]      1042.39
arc4random_buf(64) [single-thread]      1075.50
arc4random_buf(80) [single-thread]      1094.68
arc4random_buf(96) [single-thread]      1130.16
arc4random_buf(112) [single-thread]     1129.58
arc4random_buf(128) [single-thread]     1137.91
-----------------------------------------------

Checked on aarch64-linux-gnu.
2022-07-22 11:58:27 -03:00
Adhemerval Zanella Netto
8dd890d96f stdlib: Add arc4random tests
The basic tst-arc4random-chacha20.c checks if the output of ChaCha20
implementation matches the reference test vectors from RFC8439.

The tst-arc4random-fork.c check if subprocesses generate distinct
streams of randomness (if fork handling is done correctly).

The tst-arc4random-stats.c is a statistical test to the randomness of
arc4random, arc4random_buf, and arc4random_uniform.

The tst-arc4random-thread.c check if threads generate distinct streams
of randomness (if function are thread-safe).

Checked on x86_64-linux-gnu, aarch64-linux, and powerpc64le-linux-gnu.

Co-authored-by: Florian Weimer <fweimer@redhat.com>

Checked on x86_64-linux-gnu and aarch64-linux-gnu.
2022-07-22 11:58:27 -03:00
Adhemerval Zanella Netto
6f4e0fcfa2 stdlib: Add arc4random, arc4random_buf, and arc4random_uniform (BZ #4417)
The implementation is based on scalar Chacha20 with per-thread cache.
It uses getrandom or /dev/urandom as fallback to get the initial entropy,
and reseeds the internal state on every 16MB of consumed buffer.

To improve performance and lower memory consumption the per-thread cache
is allocated lazily on first arc4random functions call, and if the
memory allocation fails getentropy or /dev/urandom is used as fallback.
The cache is also cleared on thread exit iff it was initialized (so if
arc4random is not called it is not touched).

Although it is lock-free, arc4random is still not async-signal-safe
(the per thread state is not updated atomically).

The ChaCha20 implementation is based on RFC8439 [1], omitting the final
XOR of the keystream with the plaintext because the plaintext is a
stream of zeros.  This strategy is similar to what OpenBSD arc4random
does.

The arc4random_uniform is based on previous work by Florian Weimer,
where the algorithm is based on Jérémie Lumbroso paper Optimal Discrete
Uniform Generation from Coin Flips, and Applications (2013) [2], who
credits Donald E. Knuth and Andrew C. Yao, The complexity of nonuniform
random number generation (1976), for solving the general case.

The main advantage of this method is the that the unit of randomness is not
the uniform random variable (uint32_t), but a random bit.  It optimizes the
internal buffer sampling by initially consuming a 32-bit random variable
and then sampling byte per byte.  Depending of the upper bound requested,
it might lead to better CPU utilization.

Checked on x86_64-linux-gnu, aarch64-linux, and powerpc64le-linux-gnu.

Co-authored-by: Florian Weimer <fweimer@redhat.com>
Reviewed-by: Yann Droneaud <ydroneaud@opteya.com>

[1] https://datatracker.ietf.org/doc/html/rfc8439
[2] https://arxiv.org/pdf/1304.1916.pdf
2022-07-22 11:58:27 -03:00
Florian Weimer
ef0700004b stdlib: Simplify buffer management in canonicalize
Move the buffer management from realpath_stk to __realpath.  This
allows returning directly after allocation errors.

Always make a copy of the result buffer using strdup even if it is
already heap-allocated.  (Heap-allocated buffers are somewhat rare.)
This avoids GCC warnings at certain optimization levels.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-07-05 11:04:45 +02:00
Adhemerval Zanella
a1bdd81664 Refactor internal-signals.h
The main drive is to optimize the internal usage and required size
when sigset_t is embedded in other data structures.  On Linux, the
current supported signal set requires up to 8 bytes (16 on mips),
was lower than the user defined sigset_t (128 bytes).

A new internal type internal_sigset_t is added, along with the
functions to operate on it similar to the ones for sigset_t.  The
internal-signals.h is also refactored to remove unused functions

Besides small stack usage on some functions (posix_spawn, abort)
it lower the struct pthread by about 120 bytes (112 on mips).

Checked on x86_64-linux-gnu.

Reviewed-by: Arjun Shankar <arjun@redhat.com>
2022-06-30 14:56:21 -03:00
Noah Goldstein
220b83d83d stdlib: Fixup mbstowcs NULL __dst handling. [BZ #29279]
commit 464d189b96 (origin/master, origin/HEAD)
Author: Noah Goldstein <goldstein.w.n@gmail.com>
Date:   Wed Jun 22 08:24:21 2022 -0700

    stdlib: Remove attr_write from mbstows if dst is NULL [BZ: 29265]

Incorrectly called `__mbstowcs_chk` in the NULL __dst case which is
incorrect as in the NULL __dst case we are explicitly skipping
the objsize checks.

As well, remove the `__always_inline` attribute which exists in
`__fortify_function`.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-06-23 08:26:01 -07:00
Noah Goldstein
464d189b96 stdlib: Remove attr_write from mbstows if dst is NULL [BZ: 29265]
mbstows is defined if dst is NULL and is defined to special cased if
dst is NULL so the fortify objsize check if incorrect in that case.

Tested on x86-64 linux.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-06-22 11:12:33 -07:00
Noah Goldstein
dd06af4f81 stdlib: Remove trailing whitespace from Makefile
This causes precommit tests to fail when pushing commits that modify
this file.
2022-06-22 11:12:25 -07:00
Adhemerval Zanella
d275970ab5 stdlib: Reflow and sort most variable assignments 2022-04-13 16:52:39 -03:00
Siddhesh Poyarekar
b416555431 realpath: Bring back GNU extension on ENOENT and EACCES [BZ #28996]
The GNU extension for realpath states that if the path resolution fails
with ENOENT or EACCES and the resolved buffer is non-NULL, it will
contain part of the path that failed resolution.

commit 949ad78a18 broke this when it
omitted the copy on failure.  Bring it back partially to continue
supporting this GNU extension.

Resolves: BZ #28996

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Andreas Schwab <schwab@linux-m68k.org>
2022-03-31 22:00:58 +05:30
Adhemerval Zanella
7f2ddf7400 stdlib: Fix tst-getrandom memcmp call
The idea is to check if the up sizeof (buf) are equal, not only
the first byte.

Checked on x86_64-linux-gnu and i686-linux-gnu.
2022-03-31 09:14:10 -03:00
Adhemerval Zanella
3ff447f7df stdlib: Fix tst-rand48.c printf types
Checked on x86_64-linux-gnu and i686-linux-gnu.
2022-03-31 09:13:14 -03:00
Steve Grubb
590f5992b6 Add some missing access function attributes
This patch adds some missing access function attributes to getrandom /
getentropy and several functions in sys/xattr.h

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-03-10 05:56:33 +05:30
Siddhesh Poyarekar
949ad78a18 realpath: Do not copy result on failure (BZ #28815)
On failure, the contents of the resolved buffer passed in by the caller
to realpath are undefined.  Do not copy any partial resolution to the
buffer and also do not test resolved contents in test-canon.c.

Resolves: BZ #28815

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2022-02-21 08:26:33 +05:30
Martin Sebor
4f20a1dc52 stdlib: Avoid -Wuse-after-free in __add_to_environ [BZ #26779]
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2022-01-25 17:39:36 -07:00
Siddhesh Poyarekar
84d2d0fe20 realpath: Avoid overwriting preexisting error (CVE-2021-3998)
Set errno and failure for paths that are too long only if no other error
occurred earlier.

Related: BZ #28770

Reviewed-by: Andreas Schwab <schwab@linux-m68k.org>
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-24 21:40:00 +05:30
Siddhesh Poyarekar
976db046bc tst-realpath-toolong: Fix hurd build
Define PATH_MAX to a constant if it isn't already defined, like in hurd.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-24 11:00:23 +05:30
Siddhesh Poyarekar
ee8d5e33ad realpath: Set errno to ENAMETOOLONG for result larger than PATH_MAX [BZ #28770]
realpath returns an allocated string when the result exceeds PATH_MAX,
which is unexpected when its second argument is not NULL.  This results
in the second argument (resolved) being uninitialized and also results
in a memory leak since the caller expects resolved to be the same as the
returned value.

Return NULL and set errno to ENAMETOOLONG if the result exceeds
PATH_MAX.  This fixes [BZ #28770], which is CVE-2021-3998.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-21 23:01:30 +05:30
Siddhesh Poyarekar
f9dab1b5f2 stdlib: Fix formatting of tests list in Makefile
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Florian Weimer <fweimer@redhat.com>
2022-01-13 18:50:55 +05:30
Siddhesh Poyarekar
5b766603ef stdlib: Sort tests in Makefile
Put one test per line and sort them.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-13 10:34:37 +05:30
Paul Eggert
581c785bf3 Update copyright dates with scripts/update-copyrights
I used these shell commands:

../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright
(cd ../glibc && git commit -am"[this commit message]")

and then ignored the output, which consisted lines saying "FOO: warning:
copyright statement not found" for each of 7061 files FOO.

I then removed trailing white space from math/tgmath.h,
support/tst-support-open-dev-null-range.c, and
sysdeps/x86_64/multiarch/strlen-vec.S, to work around the following
obscure pre-commit check failure diagnostics from Savannah.  I don't
know why I run into these diagnostics whereas others evidently do not.

remote: *** 912-#endif
remote: *** 913:
remote: *** 914-
remote: *** error: lines with trailing whitespace found
...
remote: *** error: sysdeps/unix/sysv/linux/statx_cp.c: trailing lines
2022-01-01 11:40:24 -08:00
Siddhesh Poyarekar
2bbd07c715 fortify: Fix spurious warning with realpath
The length and object size arguments were swapped around for realpath.
Also add a smoke test so that any changes in this area get caught in
future.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-12-17 18:49:27 +05:30
Jonathan Wakely
8a9a593115 Add alloc_align attribute to memalign et al
GCC 4.9.0 added the alloc_align attribute to say that a function
argument specifies the alignment of the returned pointer. Clang supports
the attribute too. Using the attribute can allow a compiler to generate
better code if it knows the returned pointer has a minimum alignment.
See https://gcc.gnu.org/PR60092 for more details.

GCC implicitly knows the semantics of aligned_alloc and posix_memalign,
but not the obsolete memalign. As a result, GCC generates worse code
when memalign is used, compared to aligned_alloc.  Clang knows about
aligned_alloc and memalign, but not posix_memalign.

This change adds a new __attribute_alloc_align__ macro to <sys/cdefs.h>
and then uses it on memalign (where it helps GCC) and aligned_alloc
(where GCC and Clang already know the semantics, but it doesn't hurt)
and xposix_memalign. It can't be used on posix_memalign because that
doesn't return a pointer (the allocated pointer is returned via a void**
parameter instead).

Unlike the alloc_size attribute, alloc_align only allows a single
argument. That means the new __attribute_alloc_align__ macro doesn't
really need to be used with double parentheses to protect a comma
between its arguments. For consistency with __attribute_alloc_size__
this patch defines it the same way, so that double parentheses are
required.

Signed-off-by: Jonathan Wakely <jwakely@redhat.com>

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-10-21 00:19:20 +01:00
omain GEISSLER
e037274c8e stdlib: Fix tst-canon-bz26341 when the glibc build current working directory is itself using symlinks. 2021-10-20 12:01:40 -03:00
Siddhesh Poyarekar
a643f60c53 Make sure that the fortified function conditionals are constant
In _FORTIFY_SOURCE=3, the size expression may be non-constant,
resulting in branches in the inline functions remaining intact and
causing a tiny overhead.  Clang (and in future, gcc) make sure that
the -1 case is always safe, i.e. any comparison of the generated
expression with (size_t)-1 is always false so that bit is taken care
of.  The rest is avoidable since we want the _chk variant whenever we
have a size expression and it's not -1.

Rework the conditionals in a uniform way to clearly indicate two
conditions at compile time:

- Either the size is unknown (-1) or we know at compile time that the
  operation length is less than the object size.  We can call the
  original function in this case.  It could be that either the length,
  object size or both are non-constant, but the compiler, through
  range analysis, is able to fold the *comparison* to a constant.

- The size and length are known and the compiler can see at compile
  time that operation length > object size.  This is valid grounds for
  a warning at compile time, followed by emitting the _chk variant.

For everything else, emit the _chk variant.

This simplifies most of the fortified function implementations and at
the same time, ensures that only one call from _chk or the regular
function is emitted.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2021-10-20 18:12:41 +05:30
Siddhesh Poyarekar
e938c02748 Don't add access size hints to fortifiable functions
In the context of a function definition, the size hints imply that the
size of an object pointed to by one parameter is another parameter.
This doesn't make sense for the fortified versions of the functions
since that's the bit it's trying to validate.

This is harmless with __builtin_object_size since it has fairly simple
semantics when it comes to objects passed as function parameters.
With __builtin_dynamic_object_size we could (as my patchset for gcc[1]
already does) use the access attribute to determine the object size in
the general case but it misleads the fortified functions.

Basically the problem occurs when access attributes are present on
regular functions that have inline fortified definitions to generate
_chk variants; the attributes get inherited by these definitions,
causing problems when analyzing them.  For example with poll(fds, nfds,
timeout), nfds is hinted using the __attr_access as being the size of
fds.

Now, when analyzing the inline function definition in bits/poll2.h, the
compiler sees that nfds is the size of fds and tries to use that
information in the function body.  In _FORTIFY_SOURCE=3 case, where the
object size could be a non-constant expression, this information results
in the conclusion that nfds is the size of fds, which defeats the
purpose of the implementation because we're trying to check here if nfds
does indeed represent the size of fds.  Hence for this case, it is best
to not have the access attribute.

With the attributes gone, the expression evaluation should get delayed
until the function is actually inlined into its destinations.

Disable the access attribute for fortified function inline functions
when building at _FORTIFY_SOURCE=3 to make this work better.  The
access attributes remain for the _chk variants since they can be used
by the compiler to warn when the caller is passing invalid arguments.

[1] https://gcc.gnu.org/pipermail/gcc-patches/2021-October/581125.html

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2021-10-20 08:33:31 +05:30
Joseph Myers
a0f0c08e4f Fix stdlib/tst-setcontext.c for GCC 12 -Warray-compare
Building stdlib/tst-setcontext.c fails with GCC mainline:

tst-setcontext.c: In function 'f2':
tst-setcontext.c:61:16: error: comparison between two arrays [-Werror=array-compare]
   61 |   if (on_stack < st2 || on_stack >= st2 + sizeof (st2))
      |                ^
tst-setcontext.c:61:16: note: use '&on_stack[0] < &st2[0]' to compare the addresses

The comparison in this case is deliberate, so adjust it as suggested
in that note.

Tested with build-many-glibcs.py (GCC mainline) for aarch64-linux-gnu.
2021-10-05 14:25:40 +00:00
Siddhesh Poyarekar
30891f35fa Remove "Contributed by" lines
We stopped adding "Contributed by" or similar lines in sources in 2012
in favour of git logs and keeping the Contributors section of the
glibc manual up to date.  Removing these lines makes the license
header a bit more consistent across files and also removes the
possibility of error in attribution when license blocks or files are
copied across since the contributed-by lines don't actually reflect
reality in those cases.

Move all "Contributed by" and similar lines (Written by, Test by,
etc.) into a new file CONTRIBUTED-BY to retain record of these
contributions.  These contributors are also mentioned in
manual/contrib.texi, so we just maintain this additional record as a
courtesy to the earlier developers.

The following scripts were used to filter a list of files to edit in
place and to clean up the CONTRIBUTED-BY file respectively.  These
were not added to the glibc sources because they're not expected to be
of any use in future given that this is a one time task:

https://gist.github.com/siddhesh/b5ecac94eabfd72ed2916d6d8157e7dc
https://gist.github.com/siddhesh/15ea1f5e435ace9774f485030695ee02

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2021-09-03 22:06:44 +05:30
DJ Delorie
ac30324c67 test-dlclose-exit-race: avoid hang on pthread_create error
This test depends on the "last" function being called in a
different thread than the "first" function, as "last" posts
a semaphore that "first" is waiting on.  However, if pthread_create
fails - for example, if running in an older container before
the clone3()-in-container-EPERM fixes - exit() is called in the
same thread as everything else, the semaphore never gets posted,
and first hangs.

The fix is to pre-post that semaphore before a single-threaded
exit.

Reviewed-by: Arjun Shankar <arjun@redhat.com>
2021-08-04 15:33:21 -04:00
Siddhesh Poyarekar
4aedc25f55 __cxa_thread_atexit_impl: Abort on allocation failure [BZ #18524]
Abort in the unlikely event that allocation fails when trying to
register a TLS destructor.

Reviewed-by: Florian Weimer <fweimer@redhat.com>
2021-07-28 13:55:42 +05:30
H.J. Lu
5d98a7dae9 Define PTHREAD_STACK_MIN to sysconf(_SC_THREAD_STACK_MIN)
The constant PTHREAD_STACK_MIN may be too small for some processors.
Rename _SC_SIGSTKSZ_SOURCE to _DYNAMIC_STACK_SIZE_SOURCE.  When
_DYNAMIC_STACK_SIZE_SOURCE or _GNU_SOURCE are defined, define
PTHREAD_STACK_MIN to sysconf(_SC_THREAD_STACK_MIN) which is changed
to MIN (PTHREAD_STACK_MIN, sysconf(_SC_MINSIGSTKSZ)).

Consolidate <bits/local_lim.h> with <bits/pthread_stack_min.h> to
provide a constant target specific PTHREAD_STACK_MIN value.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2021-07-09 15:10:35 -07:00
Florian Weimer
7c241325d6 Force building with -fno-common
As a result, is not necessary to specify __attribute__ ((nocommon))
on individual definitions.

GCC 10 defaults to -fno-common on all architectures except ARC,
but this change is compatible with older GCC versions and ARC, too.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2021-07-09 20:09:14 +02:00
Siddhesh Poyarekar
b8a19968b0 Move mcheck symbol from stdlib to malloc
It is defined in malloc, so it belongs there.  Verified on x86_64 that
the built libraries are identical despite this change.
2021-07-08 18:47:21 +05:30
Florian Weimer
6f1c701026 dlfcn: Cleanups after -ldl is no longer required
This commit removes the ELF constructor and internal variables from
dlfcn/dlfcn.c.  The file now serves the same purpose as
nptl/libpthread-compat.c, so it is renamed to dlfcn/libdl-compat.c.
The use of libdl-shared-only-routines ensures that libdl.a is empty.

This commit adjusts the test suite not to use $(libdl).  The libdl.so
symbolic link is no longer installed.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2021-06-03 09:11:45 +02:00
Martin Sebor
c1760eaf3b Enable support for GCC 11 -Wmismatched-dealloc.
To help detect common kinds of memory (and other resource) management
bugs, GCC 11 adds support for the detection of mismatched calls to
allocation and deallocation functions.  At each call site to a known
deallocation function GCC checks the set of allocation functions
the former can be paired with and, if the two don't match, issues
a -Wmismatched-dealloc warning (something similar happens in C++
for mismatched calls to new and delete).  GCC also uses the same
mechanism to detect attempts to deallocate objects not allocated
by any allocation function (or pointers past the first byte into
allocated objects) by -Wfree-nonheap-object.

This support is enabled for built-in functions like malloc and free.
To extend it beyond those, GCC extends attribute malloc to designate
a deallocation function to which pointers returned from the allocation
function may be passed to deallocate the allocated objects.  Another,
optional argument designates the positional argument to which
the pointer must be passed.

This change is the first step in enabling this extended support for
Glibc.
2021-05-16 15:21:18 -06:00
Vitaly Buka
16adc58e73 stdlib: Fix data race in __run_exit_handlers [BZ #27749]
Keep __exit_funcs_lock almost all the time and unlock it only to execute
callbacks. This fixed two issues.

1. f->func.cxa was modified outside the lock with rare data race like:
	thread 0: __run_exit_handlers unlock __exit_funcs_lock
	thread 1: __internal_atexit locks __exit_funcs_lock
	thread 0: f->flavor = ef_free;
	thread 1: sees ef_free and use it as new
	thread 1: new->func.cxa.fn = (void (*) (void *, int)) func;
	thread 1: new->func.cxa.arg = arg;
	thread 1: new->flavor = ef_cxa;
	thread 0: cxafct = f->func.cxa.fn;  // it's wrong fn!
	thread 0: cxafct (f->func.cxa.arg, status);  // it's wrong arg!
	thread 0: goto restart;
	thread 0: call the same exit_function again as it's ef_cxa

2. Don't unlock in main while loop after *listp = cur->next. If *listp
   is NULL and __exit_funcs_done is false another thread may fail in
   __new_exitfn on assert (l != NULL):
	 thread 0: *listp = cur->next;  // It can be the last: *listp = NULL.
	 thread 0: __libc_lock_unlock
	 thread 1: __libc_lock_lock in __on_exit
	 thread 1: __new_exitfn
	 thread 1: if (__exit_funcs_done)  // false: thread 0 isn't there yet.
	 thread 1: l = *listp
	 thread 1: moves one and crashes on assert (l != NULL);

The test needs multiple iterations to consistently fail without the fix.

Fixes https://sourceware.org/bugzilla/show_bug.cgi?id=27749

Checked on x86_64-linux-gnu.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2021-05-14 11:36:40 -03:00
Martin Sebor
26492c0a14 Annotate additional APIs with GCC attribute access.
This change continues the improvements to compile-time out of bounds
checking by decorating more APIs with either attribute access, or by
explicitly providing the array bound in APIs such as tmpnam() that
expect arrays of some minimum size as arguments.  (The latter feature
is new in GCC 11.)

The only effects of the attribute and/or the array bound is to check
and diagnose calls to the functions that fail to provide a sufficient
number of elements, and the definitions of the functions that access
elements outside the specified bounds.  (There is no interplay with
_FORTIFY_SOURCE here yet.)

Tested with GCC 7 through 11 on x86_64-linux.
2021-05-06 11:01:05 -06:00
Florian Weimer
93d78ec1cb nptl: Move pthread_setcancelstate into libc
No new symbol version is required because there was a forwarder.

The symbol has been moved using scripts/move-symbol-to-libc.py.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2021-04-21 19:49:50 +02:00
Siddhesh Poyarekar
716a3bdc41 support: Add capability to fork an sgid child
Add a new function support_capture_subprogram_self_sgid that spawns an
sgid child of the running program with its own image and returns the
exit code of the child process.  This functionality is used by at
least three tests in the testsuite at the moment, so it makes sense to
consolidate.

There is also a new function support_subprogram_wait which should
provide simple system() like functionality that does not set up file
actions.  This is useful in cases where only the return code of the
spawned subprocess is interesting.

This patch also ports tst-secure-getenv to this new function.  A
subsequent patch will port other tests.  This also brings an important
change to tst-secure-getenv behaviour.  Now instead of succeeding, the
test fails as UNSUPPORTED if it is unable to spawn a setgid child,
which is how it should have been in the first place.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2021-04-12 19:03:19 +05:30
Samuel Thibault
64786a7090 fork.h: replace with register-atfork.h
UNREGISTER_ATFORK is now defined for all ports in register-atfork.h, so most
previous includes of fork.h actually only need register-atfork.h now, and
cxa_finalize.c does not need an ifdef UNREGISTER_ATFORK any more.

The nptl-specific fork generation counters can then go to pthreadP.h, and
fork.h be removed.

Checked on x86_64-linux-gnu and i686-gnu.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2021-03-29 21:41:09 +02:00
Samuel Thibault
4631c2372a stdlib: Fix BZ #26241 testcase on GNU/Hurd
GNU/Hurd's readlink system call is partly implemented in userspace, which
also allocates a buffer on the stack for the result, and thus needs one
more path.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2021-03-24 21:58:05 +01:00
Adhemerval Zanella
961d7cff51 stdlib: Add testcase for BZ #26241
Old implementation of realpath allocates a PATH_MAX using alloca for
each symlink in the path, leading to MAXSYMLINKS times PATH_MAX
maximum stack usage.

The test create a symlink with __eloop_threshold() loops and creates
a thread with minimum stack size (obtained through
support_small_stack_thread_attribute).  The thread issues a stack
allocations that fill the thread allocated stack minus some slack
plus and the realpath usage (which assumes a bounded stack usage).
If realpath uses more than about 2 * PATH_MAX plus some slack it
triggers a stackoverflow.

Checked on x86_64-linux-gnu and i686-linux-gnu.

Reviewed-by: DJ Delorie <dj@redhat.com>
2021-01-20 11:13:53 -03:00
Adhemerval Zanella
42dda89dcb posix: Fix return value of system if shell can not be executed [BZ #27053]
POSIX states that system returned code for failure to execute the shell
shall be as if the shell had terminated using _exit(127).  This
behaviour was removed with 5fb7fc9635.

Checked on x86_64-linux-gnu.
2021-01-11 12:26:58 -03:00
Adhemerval Zanella
c6e0b0b5b0 stdlib: Sync canonicalize with gnulib [BZ #10635] [BZ #26592] [BZ #26341] [BZ #24970]
It sync with gnulib version ae9fb3d66.  The testcase for BZ#23741
(stdlib/test-bz22786.c) is adjusted to check also for ENOMEM.

The patch fixes multiple realpath issues:

  - Portability fixes for errno clobbering on free (BZ#10635).  The
    function does not call free directly anymore, although it might be
    done through scratch_buffer_free.  The free errno clobbering is
    being tracked by BZ#17924.

  - Pointer arithmetic overflows in realpath (BZ#26592).

  - Realpath cyclically call __alloca(path_max) to consume too much
    stack space (BZ#26341).

  - Realpath mishandles EOVERFLOW; stat not needed anyway (BZ#24970).
    The check is done through faccessat now.

Checked on x86_64-linux-gnu and i686-linux-gnu.
2021-01-05 11:33:16 -03:00
Paul Eggert
2b778ceb40 Update copyright dates with scripts/update-copyrights
I used these shell commands:

../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright
(cd ../glibc && git commit -am"[this commit message]")

and then ignored the output, which consisted lines saying "FOO: warning:
copyright statement not found" for each of 6694 files FOO.
I then removed trailing white space from benchtests/bench-pthread-locks.c
and iconvdata/tst-iconv-big5-hkscs-to-2ucs4.c, to work around this
diagnostic from Savannah:
remote: *** pre-commit check failed ...
remote: *** error: lines with trailing whitespace found
remote: error: hook declined to update refs/heads/master
2021-01-02 12:17:34 -08:00
Siddhesh Poyarekar
f9de8bfe1a nonstring: Enable __FORTIFY_LEVEL=3
Use __builtin_dynamic_object_size in the remaining functions that
don't have compiler builtins as is the case for string functions.
2020-12-31 16:55:21 +05:30
Lode Willems
59d572ef61 getenv: Move call to strlen to the branch it's used in.
The len variable is only used in the else branch.
We don't need the call to strlen if the name is 0 or 1 characters long.

2019-10-02  Lode Willems  <Lode.Willems@UGent.be>

	* tdlib/getenv.c: Move the call to strlen into the branch it's used.
2020-12-18 12:02:28 +05:30
Joseph Myers
e182654151 Remove strtoimax, strtoumax, wcstoimax, wcstoumax inlines
inttypes.h has inline implementations of the strtoimax, strtoumax,
wcstoimax and wcstoumax functions, despite the corresponding stdlib.h
and wchar.h inlines having been removed in 2007 (commit
9b2e9577b2).

Remove those inlines, thereby eliminating all references to the
corresponding __*_internal functions from installed headers (so they
could be made into compat symbols in future if desired).

Tested for x86_64 and x86.
2020-12-14 17:51:38 +00:00
Jonny Grant
2ea6af7447 Fix spelling and grammar in several comments 2020-12-12 01:16:56 +01:00
Joseph Myers
224b419d1e Make strtoimax, strtoumax, wcstoimax, wcstoumax into aliases
The functions strtoimax, strtoumax, wcstoimax, wcstoumax currently
have three implementations each (wordsize-32, wordsize-64 and dummy
implementation in stdlib/ using #error), defining the functions as
thin wrappers round corresponding *_internal functions.  Simplify the
code by changing them into aliases of functions such as strtol and
wcstoull.  This is more consistent with how e.g. imaxdiv is handled.

Tested for x86_64 and x86.
2020-12-08 18:15:27 +00:00