Commit Graph

40628 Commits

Author SHA1 Message Date
Adhemerval Zanella
55f41ef8de elf: Remove LD_PROFILE for static binaries
The _dl_non_dynamic_init does not parse LD_PROFILE, which does not
enable profile for dlopen objects.  Since dlopen is deprecated for
static objects, it is better to remove the support.

It also allows to trim down libc.a of profile support.

Checked on x86_64-linux-gnu.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-11-21 16:15:42 -03:00
Adhemerval Zanella
4a133885a7 elf: Ignore LD_PROFILE for setuid binaries
Loader does not ignore LD_PROFILE in secure-execution mode (different
than man-page states [1]), rather it uses a different path
(/var/profile) and ignores LD_PROFILE_OUTPUT.

Allowing secure-execution profiling is already not a good security
boundary, since it enables different code paths and extra OS access by
the process.  But by ignoring LD_PROFILE_OUTPUT, the resulting profile
file might also be accessed in a racy manner since the file name does not
use any process-specific information (such as pid, timing, etc.).

Another side-effect is it forces lazy binding even on libraries that
might be with DF_BIND_NOW.

[1] https://man7.org/linux/man-pages/man8/ld.so.8.html
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-11-21 16:15:42 -03:00
Adhemerval Zanella
1c87f71a36 s390: Use dl-symbol-redir-ifunc.h on cpu-tunables
Using the memcmp symbol directly allows the compiler to inline the
memcmp calls (especially because _dl_tunable_set_hwcaps uses constant
values), generating better code.

Checked with tst-tunables on s390x-linux-gnu (qemu system).
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-11-21 16:15:42 -03:00
Adhemerval Zanella
4862d546c0 x86: Use dl-symbol-redir-ifunc.h on cpu-tunables
The dl-symbol-redir-ifunc.h redirects compiler-generated libcalls to
arch-specific memory implementations to avoid ifunc calls where it is not
yet possible. The memcmp-isa-default-impl.h aims to fix the same issue
by calling the specific memset implementation directly.

Using the memcmp symbol directly allows the compiler to inline the memset
calls (especially because _dl_tunable_set_hwcaps uses constant values),
generating better code.

Checked on x86_64-linux-gnu.

Reviewed-by: Noah Goldstein <goldstein.w.n@gmail.com>
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-11-21 16:15:42 -03:00
Adhemerval Zanella
eb9291aaa6 elf: Emit warning if tunable is ill-formatted
So caller knows that the tunable will be ignored.

Checked on x86_64-linux-gnu.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-11-21 16:15:42 -03:00
Adhemerval Zanella
434eca873f elf: Fix _dl_debug_vdprintf to work before self-relocation
The strlen might trigger an invalid GOT entry if it is used before
the process is self-relocated (for instance on dl-tunables if any
error occurs).

For i386, _dl_writev with PIE requires the use of the old 'int $0x80'
syscall mode because the TLS register (gs) is not yet
initialized.

Checked on x86_64-linux-gnu.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-11-21 16:15:42 -03:00
Adhemerval Zanella
680c597e9c elf: Do not parse ill-formatted strings
Instead of ignoring ill-formatted tunable strings, first, check all the
tunable definitions are correct and then set each tunable value. It
means that partially invalid strings, like 'key1=value1:key2=key2=value'
or 'key1=value:key2=value2=value2' do not enable 'key1=value1'. It
avoids possible user-defined errors in tunable definitions.

Checked on x86_64-linux-gnu.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-11-21 16:15:42 -03:00
Adhemerval Zanella
b4cf6cac73 elf: Do not process invalid tunable format
Tunable definitions with more than one '=' are parsed and enabled,
and any subsequent '=' are ignored.  It means that tunables in the form
'tunable=tunable=value' or 'tunable=value=value' are handled as
'tunable=value'.  These inputs are likely user input errors, which
should not be accepted.

Checked on x86_64-linux-gnu.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-11-21 16:15:42 -03:00
Adhemerval Zanella
11f7e3dd8f elf: Add all malloc tunable to unsecvars
Some environment variables allow alteration of allocator behavior
across setuid boundaries, where a setuid program may ignore the
tunable, but its non-setuid child can read it and adjust the memory
allocator behavior accordingly.

Most library behavior tuning is limited to the current process and does
not bleed in scope; so it is unclear how practical this misfeature is.
If behavior change across privilege boundaries is desirable, it would be
better done with a wrapper program around the non-setuid child that sets
these envvars, instead of using the setuid process as the messenger.

The patch also fixes tst-env-setuid, where it fails if any unsecvars is
set.  It also adds a dynamic test, although it requires
--enable-hardcoded-path-in-tests so the kernel correctly sets the setuid
bit (using the loader command directly would require setting the
setuid bit on the loader itself, which is not a usual deployment).

Co-authored-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

Checked on x86_64-linux-gnu.
Reviewed-by: DJ Delorie <dj@redhat.com>
2023-11-21 16:15:42 -03:00
Adhemerval Zanella
9c96c87d60 elf: Ignore GLIBC_TUNABLES for setuid/setgid binaries
The tunable privilege levels were a retrofit to try and keep the malloc
tunable environment variables' behavior unchanged across security
boundaries.  However, CVE-2023-4911 shows how tricky tunable parsing
can be in a security-sensitive environment.

Not only parsing, but the malloc tunable essentially changes some
semantics on setuid/setgid processes.  Although it is not a direct
security issue, allowing users to change setuid/setgid semantics is not
a good security practice, and requires extra code and analysis to check
if each tunable is safe to use on all security boundaries.

It also means that security opt-in features, like aarch64 MTE, would
need to be explicitly enabled by an administrator with a wrapper script
or with a possible future system-wide tunable setting.

Co-authored-by: Siddhesh Poyarekar  <siddhesh@sourceware.org>
Reviewed-by: DJ Delorie <dj@redhat.com>
2023-11-21 16:15:42 -03:00
Adhemerval Zanella
a72a4eb10b elf: Add GLIBC_TUNABLES to unsecvars
setuid/setgid process now ignores any glibc tunables, and filters out
all environment variables that might change its behavior. This patch
also adds GLIBC_TUNABLES, so any spawned process by setuid/setgid
processes should set tunable explicitly.

Checked on x86_64-linux-gnu.

Reviewed-by: Florian Weimer <fweimer@redhat.com>
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-11-21 16:15:42 -03:00
Adhemerval Zanella
6c6fce572f elf: Remove /etc/suid-debug support
Since malloc debug support moved to a different library
(libc_malloc_debug.so), the glibc.malloc.check requires preloading the
debug library to enable it.  It means that suid-debug support has not
been working since 2.34.

To restore its support, it would require to add additional information
and parsing to where to find libc_malloc_debug.so.

It is one thing less that might change AT_SECURE binaries' behavior
due to environment configurations.

Checked on x86_64-linux-gnu.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-11-21 16:15:42 -03:00
Florian Weimer
64e4acf24d stdlib: The qsort implementation needs to use heapsort in more cases
The existing logic avoided internal stack overflow.  To avoid
a denial-of-service condition with adversarial input, it is necessary
to fall over to heapsort if tail-recursing deeply, too, which does
not result in a deep stack of pending partitions.

The new test stdlib/tst-qsort5 is based on Douglas McIlroy's paper
on this subject.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2023-11-21 16:46:18 +01:00
Florian Weimer
55364e1f7d stdlib: Handle various corner cases in the fallback heapsort for qsort
The previous implementation did not consistently apply the rule that
the child nodes of node K are at 2 * K + 1 and 2 * K + 2, or
that the parent node is at (K - 1) / 2.

Add an internal test that targets the heapsort implementation
directly.

Reported-by: Stepan Golosunov <stepan@golosunov.pp.ru>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2023-11-21 16:46:02 +01:00
Florian Weimer
e4d8117b82 stdlib: Avoid another self-comparison in qsort
In the insertion phase, we could run off the start of the array if the
comparison function never returns zero.  In that case, it never finds the
initial element that terminates the iteration.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2023-11-21 16:45:47 +01:00
Samuel Thibault
dd858522bf hurd: fix restarting reauth_dtable on signal
While inside the critical section, RPCs would not be restarted, so we
have to handle EINTR errors.
2023-11-21 00:55:54 +01:00
Samuel Thibault
49b308a26e hurd: Prevent the final file_exec_paths call from signals
Otherwise if the exec server started thrashing the old task,
we won't be able to restart the exec.

This notably fixes building ghc.
2023-11-20 23:28:16 +01:00
Carlos O'Donell
3cbaacdfd2 manual: Fix termios.c example. (Bug 31078)
Remove the unused 'char *name;' from the example.

Use write instead of putchar to write input as it is read.

Example tested on x86_64 by compiling and running the example.

Tested by building the manual pdf and reviewing the results.

Reviewed-by: Florian Weimer <fweimer@redhat.com>
2023-11-20 16:42:23 -05:00
Joe Ramsay
a8830c9285 aarch64: Add vector implementations of expm1 routines
May discard sign of 0 - auto tests for -0 and -0x1p-10000 updated accordingly.
2023-11-20 17:53:14 +00:00
Adhemerval Zanella
65341f7bbe linux: Use fchmodat2 on fchmod for flags different than 0 (BZ 26401)
Linux 6.6 (09da082b07bbae1c) added support for fchmodat2, which has
similar semantics as fchmodat with an extra flag argument.  This
allows fchmodat to implement AT_SYMLINK_NOFOLLOW and AT_EMPTY_PATH
without the need for procfs.

The syscall is registered on all architectures (with value of 452
except on alpha which is 562, commit 78252deb023cf087).

The tst-lchmod.c requires a small fix where fchmodat checks two
contradictory assertions ('(st.st_mode & 0777) == 2' and
'(st.st_mode & 0777) == 3').

Checked on x86_64-linux-gnu on a 6.6 kernel.

Reviewed-by: Florian Weimer <fweimer@redhat.com>
2023-11-20 13:15:24 -03:00
Florian Weimer
c52c2c32db intl: Add test case for bug 16621
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-11-20 16:03:11 +01:00
Jan Palus
f2aaf18af5 resolv: free only initialized items from gai pool
pool_max_size denotes total allocated rows in pool but possibly not yet
initialized.  It's pool_size that represents the number of actually occupied
rows, hence use it when freeing pool to avoid freeing random addresses.

Signed-off-by: Jan Palus <jpalus@fastmail.com>
Reviewed-by: Florian Weimer <fweimer@redhat.com>
2023-11-20 15:03:29 +01:00
Florian Weimer
cfb5a97a93 ldconfig: Fixes for skipping temporary files.
Arguments to a memchr call were swapped, causing incorrect skipping
of files.

Files related to dpkg have different names: they actually end in
.dpkg-new and .dpkg-tmp, not .tmp as I mistakenly assumed.

Fixes commit 2aa0974d25 ("elf: ldconfig should skip
temporary files created by package managers").
2023-11-20 10:57:34 +01:00
Florian Weimer
e21aa9b9cc nptl: Link tst-execstack-threads-mod.so with -z execstack
This ensures that the test still links with a linker that refuses
to create an executable stack marker automatically.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2023-11-20 09:22:25 +01:00
Florian Weimer
8c8eff33e4 nptl: Rename tst-execstack to tst-execstack-threads
So that the test is harder to confuse with elf/tst-execstack
(although the tests are supposed to be the same).

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2023-11-20 09:22:21 +01:00
Flavio Cruz
6ae7b5f43d Remove untyped mach RPC code.
Existing MiG does not support untyped messages and the Hurd will
continue to use typed messages for the foreseeable future.
Message-ID: <ZVmYX6j4pYNUfqn4@jupiter.tail36e24.ts.net>
2023-11-19 10:21:28 +01:00
Flavio Cruz
f11a92993c _hurd_intr_rpc_mach_msg: handle message iteration correctly.
The `ty` pointer is only set at the end of the loop so that
`msgtl_header.msgt_inline` and `msgtl_header.msgt_deallocate` remain
valid. Also, when deallocating memory, we use the length from the
message directly rather than hard coding mach_port_t since we want to
deallocate any kind of OOL data.
Message-ID: <ZVlGVD6eEN-dXsOr@jupiter.tail36e24.ts.net>
2023-11-19 00:37:20 +01:00
Mike FABIAN
dae3cf4134 localedata: Convert oc_FR locale to UTF-8
2023-11-16 23:58:17 +01:00
Mike FABIAN
70246b8495 localedata: Add information for Occitan
Resolves: BZ # 28787
2023-11-16 23:58:17 +01:00
Florian Weimer
849274d48f elf: Fix force_first handling in dlclose (bug 30981)
The force_first parameter was ineffective because the dlclose'd
object was not necessarily the first in the maps array.  Also
enable force_first handling unconditionally, regardless of namespace.
The initial object in a namespace should be destructed first, too.

The _dl_sort_maps_dfs function had early returns for relocation
dependency processing which broke force_first handling, too, and
this is fixed in this change as well.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2023-11-16 20:16:05 +01:00
Adhemerval Zanella
a8dcffb306 elf: Handle non-directory name in search path (BZ 31035)
The open_path stops if a relative path in search path contains a
component that is a non directory (for instance, if the component
is an existing file).

For instance:

  $ cat > lib.c <<EOF
  > void foo (void) {}
  > EOF
  $ gcc -shared -fPIC -o lib.so lib.c
  $ cat > main.c <<EOF
  extern void foo ();
  int main () { foo (); return 0; }
  EOF
  $ gcc -o main main.c lib.so
  $ LD_LIBRARY_PATH=. ./main
  $ LD_LIBRARY_PATH=non-existing/path:. ./main
  $ LD_LIBRARY_PATH=$(pwd)/main:. ./main
  $ LD_LIBRARY_PATH=./main:. ./main
  ./main: error while loading shared libraries: lib.so: cannot open shared object file: No such file or directory

The invalid './main' should be ignored as a non-existent one,
instead of as a valid but non-accessible file.

Absolute paths do not trigger this issue because their status is
initialized as 'unknown' and open_path checks if this is a directory.

Checked on x86_64-linux-gnu.

Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
2023-11-16 11:01:51 -03:00
Mike FABIAN
3fddfe3c5d New Zealand locales (en_NZ & mi_NZ) first day of week should be Monday
Resolves: BZ #29486
2023-11-16 13:59:00 +01:00
Noah Goldstein
b7f8b6b64b x86: Fix unchecked AVX512-VBMI2 usage in strrchr-evex-base.S
strrchr-evex-base used `vpcompress{b|d}` in the page cross logic but
was missing the CPU_FEATURE checks for VBMI2 in the
ifunc/ifunc-impl-list.

The fix is either to add those checks or change the logic to not use
`vpcompress{b|d}`. Choosing the latter here so that the strrchr-evex
implementation is usable on SKX.

New implementation is a bit slower, but this is in a cold path so it's
probably okay.
2023-11-15 11:09:44 -06:00
Adhemerval Zanella
0575073dda posix: Check pidfd_spawn with tst-spawn7-pid
Without using the macro, posix_spawn is used instead.

Checked on x86_64-linux-gnu.
2023-11-15 10:28:34 -03:00
Andreas Larsson
578190b7e4 sparc: Fix broken memset for sparc32 [BZ #31068]
Fixes commit a61933fe27 ("sparc: Remove bzero optimization") that
after moving code jumped to the wrong label 4.

Verified by successfully running string/test-memset on sparc32.

Signed-off-by: Andreas Larsson <andreas@gaisler.com>
Signed-off-by: Ludwig Rydberg <ludwig.rydberg@gaisler.com>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2023-11-15 10:26:37 -03:00
Gaël PORTAY
baea60b33e y2038: Fix support for 64-bit time on legacy ABIs
This fixes a typo.
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2023-11-15 10:15:12 -03:00
Samuel Thibault
323f367cc4 hurd: Fix spawni returning allocation errors.
2023-11-14 23:55:35 +01:00
Samuel Thibault
8f22e36238 hurd: Make _hurd_intr_rpc_mach_msg avoid returning MACH_SEND_INTERRUPTED
When the given options do not include MACH_SEND_INTERRUPT,
_hurd_intr_rpc_mach_msg (aka mach_msg) is not supposed to return
MACH_SEND_INTERRUPTED.  In such a case we thus have to retry sending the
message.

This was observed to fix various occurrences of spurious
"(ipc/send) interrupted" errors when running haskell programs.
2023-11-14 02:05:52 +01:00
Wilco Dijkstra
2f5524cc53 AArch64: Remove Falkor memcpy
The latest implementations of memcpy are actually faster than the Falkor
implementations [1], so remove the falkor/phecda ifuncs for memcpy and
the now unused IS_FALKOR/IS_PHECDA defines.

[1] https://sourceware.org/pipermail/libc-alpha/2022-December/144227.html

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2023-11-13 16:52:50 +00:00
Wilco Dijkstra
3d7090f14b AArch64: Add memset_zva64
Add a specialized memset for the common ZVA size of 64 to avoid the
overhead of reading the ZVA size.  Since the code is identical to
__memset_falkor, remove the latter.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2023-11-13 16:50:44 +00:00
Wilco Dijkstra
9627ab99b5 AArch64: Cleanup emag memset
Cleanup emag memset - merge the memset_base64.S file, remove
the unused ZVA code (since it is disabled on emag).

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2023-11-13 16:45:47 +00:00
Yanzhang Wang
2d27dc1c75 test: Run the tst-tls-allocation-failure-static-patched with test-wrapper.
If we use cross test with ssh, this test needs to be run on the remote.
2023-11-13 15:55:33 +01:00
Joe Ramsay
3548a4f087 aarch64: Add vector implementations of log1p routines
May discard sign of zero.
2023-11-10 17:07:43 +00:00
Joe Ramsay
b07038c5d3 aarch64: Add vector implementations of atan2 routines
2023-11-10 17:07:43 +00:00
Joe Ramsay
d30c39f80d aarch64: Add vector implementations of atan routines
2023-11-10 17:07:42 +00:00
Joe Ramsay
b5d23367a8 aarch64: Add vector implementations of acos routines
2023-11-10 17:07:42 +00:00
Joe Ramsay
9bed498418 aarch64: Add vector implementations of asin routines
2023-11-10 17:07:42 +00:00
Paul Eggert
d1dcb565a1 Fix type typo in “String/Array Conventions” doc
* manual/string.texi (String/Array Conventions):
Fix typo reported by Alejandro Colomar <alx@kernel.org> in:
https://sourceware.org/pipermail/libc-alpha/2023-November/152646.html
2023-11-08 18:20:09 -08:00
Florian Weimer
f8cfb6836e stdlib: Avoid element self-comparisons in qsort
This improves compatibility with applications which assume that qsort
does not invoke the comparison function with equal pointer arguments.

The newly introduced branches should be predictable, as leading to a
call to the comparison function.  If the prediction fails, we avoid
calling the function.

Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-11-08 15:18:02 +01:00
Adhemerval Zanella
bf033c0072 elf: Add glibc.mem.decorate_maps tunable
The PR_SET_VMA_ANON_NAME support is only enabled through a configurable
kernel switch, mainly because assigning a name to an
anonymous virtual memory area might prevent that area from being
merged with adjacent virtual memory areas.

For instance, with the following code:

   void *p1 = mmap (NULL,
                    1024 * 4096,
                    PROT_READ | PROT_WRITE,
                    MAP_PRIVATE | MAP_ANONYMOUS,
                    -1,
                    0);

   void *p2 = mmap (p1 + (1024 * 4096),
                    1024 * 4096,
                    PROT_READ | PROT_WRITE,
                    MAP_PRIVATE | MAP_ANONYMOUS,
                    -1,
                    0);

The kernel will potentially merge both mappings resulting in only one
segment of size 0x800000.  If the segment is named with
PR_SET_VMA_ANON_NAME with different names, it results in two mappings.

Although this will unlikely be an issue for pthread stacks and malloc
arenas (since for pthread stacks the guard page will result in
a PROT_NONE segment, similar to the alignment requirement for the arena
block), it still might prevent the mmap memory allocated for detail
malloc.

There is also another potential scalability issue, where the prctl
requires to take the mmap global lock which is still not fully fixed
in Linux [1] (for pthread stacks and arenas, it is mitigated by the stack
cached and the arena reuse).

So this patch disables anonymous mapping annotations as default and
adds a new tunable, glibc.mem.decorate_maps, that can be used to enable
it.

[1] https://lwn.net/Articles/906852/

Checked on x86_64-linux-gnu and aarch64-linux-gnu.
Reviewed-by: DJ Delorie <dj@redhat.com>
2023-11-07 10:27:57 -03:00