Commit Graph

749 Commits

Author SHA1 Message Date
Adhemerval Zanella
3fcb410465 malloc: Use __get_nprocs on arena_get2 (BZ 30945)
This restore the 2.33 semantic for arena_get2.  It was changed by
11a02b035b to avoid arena_get2 call malloc (back when __get_nproc
was refactored to use an scratch_buffer - 903bc7dcc2).  The
__get_nproc was refactored over then and now it also avoid to call
malloc.

The 11a02b035b did not take in consideration any performance
implication, which should have been discussed properly.  The
__get_nprocs_sched is still used as a fallback mechanism if procfs
and sysfs is not acessible.

Checked on x86_64-linux-gnu.
Reviewed-by: DJ Delorie <dj@redhat.com>

(cherry picked from commit 472894d2cf)
2024-02-12 10:20:44 -03:00
Siddhesh Poyarekar
c5c792092b cdefs: Limit definition of fortification macros
Define the __glibc_fortify and other macros only when __FORTIFY_LEVEL >
0.  This has the effect of not defining these macros on older C90
compilers that do not have support for variable length argument lists.

Also trim off the trailing backslashes from the definition of
__glibc_fortify and __glibc_fortify_n macros.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Florian Weimer <fweimer@redhat.com>
(cherry picked from commit 2337e04e21)
2023-02-02 09:30:30 -05:00
Tulio Magno Quites Machado Filho
a4217408a3 Apply asm redirections in syslog.h before first use [BZ #27087]
Similar to d0fa09a770, but for syslog.h when _FORTIFY_SOURCE > 0.
Fixes [BZ #27087] by applying long double-related asm redirections
before using functions in bits/syslog.h.

Tested with build-many-glibcs.py.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
(cherry picked from commit 227df6243a)
2022-11-30 08:48:11 -03:00
Paul Eggert
86a701a204 regex: copy back from Gnulib
Copy regex-related files back from Gnulib, to fix a problem with
static checking of regex calls noted by Martin Sebor.  This merges the
following changes:

* New macro __attribute_nonnull__ in misc/sys/cdefs.h, for use later
when copying other files back from Gnulib.

* Use __GNULIB_CDEFS instead of __GLIBC__ when deciding
whether to include bits/wordsize.h etc.

* Avoid duplicate entries in epsilon closure table.

* New regex.h macro _REGEX_NELTS to let regexec say that its pmatch
arg should contain nmatch elts.  Use that for regexec, instead of
__attr_access (which is incorrect).

* New regex.h macro _Attr_access_ which is like __attr_access except
portable to non-glibc platforms.

* Add some DEBUG_ASSERTs to pacify gcc -fanalyzer and to catch
recently-fixed performance bugs if they recur.

* Add Gnulib-specific stuff to port the dynarray- and lock-using parts
of regex code to non-glibc platforms.

* Fix glibc bug 11053.

* Avoid some undefined behavior when popping an empty fail stack.

(cherry picked from commit 0b5ca7c3e5)
2022-11-11 16:53:00 +01:00
Adhemerval Zanella
aa8a87f51d misc: Use 64 bit stat for getusershell (BZ# 29204)
This is a missing spot initially from 52a5fe70a2.

Checked on i686-linux-gnu.

(cherry picked from commit ec995fb215)
2022-06-01 13:34:49 -03:00
Adhemerval Zanella
b349fe0722 misc: Use 64 bit stat for daemon (BZ# 29203)
This is a missing spot initially from 52a5fe70a2.

Checked on i686-linux-gnu.

(cherry picked from commit 3fbc33010c)
2022-06-01 13:30:48 -03:00
Siddhesh Poyarekar
b72bbba236 fortify: Ensure that __glibc_fortify condition is a constant [BZ #29141]
The fix c8ee1c85 introduced a -1 check for object size without also
checking that object size is a constant.  Because of this, the tree
optimizer passes in gcc fail to fold away one of the branches in
__glibc_fortify and trips on a spurious Wstringop-overflow.  The warning
itself is incorrect and the branch does go away eventually in DCE in the
rtl passes in gcc, but the constant check is a helpful hint to simplify
code early, so add it in.

Resolves: BZ #29141
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit 61a8753010)
2022-05-16 22:06:54 +05:30
Joan Bruguera
ca0faa140f misc: Fix rare fortify crash on wchar funcs. [BZ 29030]
If `__glibc_objsize (__o) == (size_t) -1` (i.e. `__o` is unknown size), fortify
checks should pass, and `__whatever_alias` should be called.

Previously, `__glibc_objsize (__o) == (size_t) -1` was explicitly checked, but
on commit a643f60c53, this was moved into `__glibc_safe_or_unknown_len`.

A comment says the -1 case should work as: "The -1 check is redundant because
since it implies that __glibc_safe_len_cond is true.". But this fails when:
* `__s > 1`
* `__osz == -1` (i.e. unknown size at compile time)
* `__l` is big enough
* `__l * __s <= __osz` can be folded to a constant
(I only found this to be true for `mbsrtowcs` and other functions in wchar2.h)

In this case `__l * __s <= __osz` is false, and `__whatever_chk_warn` will be
called by `__glibc_fortify` or `__glibc_fortify_n` and crash the program.

This commit adds the explicit `__osz == -1` check again.
moc crashes on startup due to this, see: https://bugs.archlinux.org/task/74041

Minimal test case (test.c):
    #include <wchar.h>

    int main (void)
    {
        const char *hw = "HelloWorld";
        mbsrtowcs (NULL, &hw, (size_t)-1, NULL);
        return 0;
    }

Build with:
    gcc -O2 -Wp,-D_FORTIFY_SOURCE=2 test.c -o test && ./test

Output:
    *** buffer overflow detected ***: terminated

Fixes: BZ #29030
Signed-off-by: Joan Bruguera <joanbrugueram@gmail.com>
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit 33e03f9cd2)
2022-04-25 18:44:27 +05:30
Siddhesh Poyarekar
d6a58bd81d Enable _FORTIFY_SOURCE=3 for gcc 12 and above
gcc 12 now has support for the __builtin_dynamic_object_size builtin.
Adapt the macro checks to enable _FORTIFY_SOURCE=3 on gcc 12 and above.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
(cherry picked from commit 86bf0feb0e)
2022-03-11 20:36:24 +05:30
Siddhesh Poyarekar
98ea9372cc __glibc_unsafe_len: Fix comment
We know that the length is *unsafe*.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit ae23fa3e5f)
2022-03-11 20:36:24 +05:30
Siddhesh Poyarekar
0e6ebf06e4 Make sure that the fortified function conditionals are constant
In _FORTIFY_SOURCE=3, the size expression may be non-constant,
resulting in branches in the inline functions remaining intact and
causing a tiny overhead.  Clang (and in future, gcc) make sure that
the -1 case is always safe, i.e. any comparison of the generated
expression with (size_t)-1 is always false so that bit is taken care
of.  The rest is avoidable since we want the _chk variant whenever we
have a size expression and it's not -1.

Rework the conditionals in a uniform way to clearly indicate two
conditions at compile time:

- Either the size is unknown (-1) or we know at compile time that the
  operation length is less than the object size.  We can call the
  original function in this case.  It could be that either the length,
  object size or both are non-constant, but the compiler, through
  range analysis, is able to fold the *comparison* to a constant.

- The size and length are known and the compiler can see at compile
  time that operation length > object size.  This is valid grounds for
  a warning at compile time, followed by emitting the _chk variant.

For everything else, emit the _chk variant.

This simplifies most of the fortified function implementations and at
the same time, ensures that only one call from _chk or the regular
function is emitted.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
(cherry picked from commit a643f60c53)
2022-03-11 20:36:24 +05:30
Siddhesh Poyarekar
c82bdf033f Don't add access size hints to fortifiable functions
In the context of a function definition, the size hints imply that the
size of an object pointed to by one parameter is another parameter.
This doesn't make sense for the fortified versions of the functions
since that's the bit it's trying to validate.

This is harmless with __builtin_object_size since it has fairly simple
semantics when it comes to objects passed as function parameters.
With __builtin_dynamic_object_size we could (as my patchset for gcc[1]
already does) use the access attribute to determine the object size in
the general case but it misleads the fortified functions.

Basically the problem occurs when access attributes are present on
regular functions that have inline fortified definitions to generate
_chk variants; the attributes get inherited by these definitions,
causing problems when analyzing them.  For example with poll(fds, nfds,
timeout), nfds is hinted using the __attr_access as being the size of
fds.

Now, when analyzing the inline function definition in bits/poll2.h, the
compiler sees that nfds is the size of fds and tries to use that
information in the function body.  In _FORTIFY_SOURCE=3 case, where the
object size could be a non-constant expression, this information results
in the conclusion that nfds is the size of fds, which defeats the
purpose of the implementation because we're trying to check here if nfds
does indeed represent the size of fds.  Hence for this case, it is best
to not have the access attribute.

With the attributes gone, the expression evaluation should get delayed
until the function is actually inlined into its destinations.

Disable the access attribute for fortified function inline functions
when building at _FORTIFY_SOURCE=3 to make this work better.  The
access attributes remain for the _chk variants since they can be used
by the compiler to warn when the caller is passing invalid arguments.

[1] https://gcc.gnu.org/pipermail/gcc-patches/2021-October/581125.html

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit e938c02748)
2022-03-11 20:36:24 +05:30
Adhemerval Zanella
e870aac897 misc: Add __get_nprocs_sched
This is an internal function meant to return the number of avaliable
processor where the process can scheduled, different than the
__get_nprocs which returns a the system available online CPU.

The Linux implementation currently only calls __get_nprocs(), which
in tuns calls sched_getaffinity.

Reviewed-by: Florian Weimer <fweimer@redhat.com>
(cherry picked from commit 11a02b035b)
2021-10-01 18:19:09 +02:00
Florian Weimer
31902ae639 Linux: Fix fcntl, ioctl, prctl redirects for _TIME_BITS=64 (bug 28182)
__REDIRECT and __THROW are not compatible with C++ due to the ordering of the
__asm__ alias and the throw specifier. __REDIRECT_NTH has to be used
instead.

Fixes commit 8a40aff86b ("io: Add time64 alias
for fcntl"), commit 82c395d91e ("misc: Add
time64 alias for ioctl"), commit b39ffab860
("Linux: Add time64 alias for prctl").

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
(cherry picked from commit c87fcacc50)
2021-08-06 16:42:40 +02:00
Siddhesh Poyarekar
b8e8bb324a xmalloc: Fix warnings with gcc analyzer
Tell the compiler that xmalloc family of allocators always return
non-NULL.  xrealloc in locale/programs also always returns non-NULL,
but that conflicts with default realloc behaviour and that of xrealloc
in libsupport, so keep it as is for now and resolve the differences
later.

Reviewed-by: Florian Weimer <fweimer@redhat.com>
2021-07-28 17:45:14 +05:30
Siddhesh Poyarekar
2d2d9f2b48 Move malloc hooks into a compat DSO
Remove all malloc hook uses from core malloc functions and move it
into a new library libc_malloc_debug.so.  With this, the hooks now no
longer have any effect on the core library.

libc_malloc_debug.so is a malloc interposer that needs to be preloaded
to get hooks functionality back so that the debugging features that
depend on the hooks, i.e. malloc-check, mcheck and mtrace work again.
Without the preloaded DSO these debugging features will be nops.
These features will be ported away from hooks in subsequent patches.

Similarly, legacy applications that need hooks functionality need to
preload libc_malloc_debug.so.

The symbols exported by libc_malloc_debug.so are maintained at exactly
the same version as libc.so.

Finally, static binaries will no longer be able to use malloc
debugging features since they cannot preload the debugging DSO.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-07-22 18:37:59 +05:30
Florian Weimer
82c395d91e misc: Add time64 alias for ioctl
Reviewed-by: Lukasz Majewski <lukma@denx.de>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2021-07-21 11:58:09 +02:00
Florian Weimer
7c241325d6 Force building with -fno-common
As a result, is not necessary to specify __attribute__ ((nocommon))
on individual definitions.

GCC 10 defaults to -fno-common on all architectures except ARC,
but this change is compatible with older GCC versions and ARC, too.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2021-07-09 20:09:14 +02:00
Florian Weimer
30639e79d3 Linux: Cleanups after librt move
librt.so is no longer installed for PTHREAD_IN_LIBC, and tests
are not linked against it.  $(librt) is introduced globally for
shared tests that need to be linked for both PTHREAD_IN_LIBC
and !PTHREAD_IN_LIBC.

GLIBC_PRIVATE symbols that were needed during the transition are
removed again.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2021-06-28 09:51:01 +02:00
Adhemerval Zanella
4c3df0eba5 linux: Only use 64-bit syscall if required for select
For !__ASSUME_TIME64_SYSCALLS there is no need to issue a 64-bit syscall
if the provided timeout fits in a 32-bit one.  The 64-bit usage should
be rare since the timeout is a relative one.  This also avoids the need
to use supports_time64() (which breaks the usage case of live migration
like CRIU or similar).

It also fixes an issue on 32-bit select call for !__ASSUME_PSELECT
(microblase with older kernels only) where the expected timeout
is a 'struct timeval' instead of 'struct timespec'.

Checked on i686-linux-gnu on a 4.15 kernel and on a 5.11 kernel
(with and without --enable-kernel=5.1) and on x86_64-linux-gnu.

Reviewed-by: Lukasz Majewski <lukma@denx.de>
2021-06-22 12:09:52 -03:00
Adhemerval Zanella
91cf411ad3 linux: Only use 64-bit syscall if required for pselect
For !__ASSUME_TIME64_SYSCALLS there is no need to issue a 64-bit syscall
if the provided timeout fits in a 32-bit one.  The 64-bit usage should
be rare since the timeout is a relative one.  This also avoids the need
to use supports_time64() (which breaks the usage case of live migration
like CRIU or similar).

Checked on i686-linux-gnu on a 4.15 kernel and on a 5.11 kernel
(with and without --enable-kernel=5.1) and on x86_64-linux-gnu.

Reviewed-by: Lukasz Majewski <lukma@denx.de>
2021-06-22 12:09:52 -03:00
Florian Weimer
412b05fec9 Add hidden prototypes for fsync, fdatasync
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2021-06-22 09:51:14 +02:00
Adhemerval Zanella
088d3291ef y2038: Add test coverage
It is enabled through a new rule, tests-y2038, which is built only
when the ABI supports the comapt 64-bit time_t (defined by the
header time64-compat.h, which also enables the creation of the
symbol Version for Linux).  It means the tests are not built
for ABI which already provide default 64-bit time_t.

The new rule already adds the required LFS and 64-bit time_t
compiler flags.

The current coverage is:

  * libc:
    - adjtime                       tst-adjtime-time64
    - adjtimex                      tst-adjtimex-time64
    - clock_adjtime                 tst-clock_adjtime-time64
    - clock_getres                  tst-clock-time64, tst-cpuclock1-time64
    - clock_gettime                 tst-clock-time64, tst-clock2-time64,
				    tst-cpuclock1-time64
    - clock_nanosleep               tst-clock_nanosleep-time64,
				    tst-cpuclock1-time64
    - clock_settime                 tst-clock2-time64
    - cnd_timedwait                 tst-cnd-timedwait-time64
    - ctime                         tst-ctime-time64
    - ctime_r                       tst-ctime-time64
    - difftime                      tst-difftime-time64
    - fstat                         tst-stat-time64
    - fstatat                       tst-stat-time64
    - futimens                      tst-futimens-time64
    - futimes                       tst-futimes-time64
    - futimesat                     tst-futimesat-time64
    - fts_*                         tst-fts-time64
    - getitimer                     tst-itimer-timer64
    - getrusage
    - gettimeofday                  tst-clock_nanosleep-time64
    - glob / globfree               tst-gnuglob64-time64
    - gmtime                        tst-gmtime-time64
    - gmtime_r                      tst-gmtime-time64
    - lstat                         tst-stat-time64
    - localtime                     tst-y2039-time64
    - localtime_t                   tst-y2039-time64
    - lutimes                       tst-lutimes-time64
    - mktime                        tst-mktime4-time64
    - mq_timedreceive               tst-mqueue{1248}-time64
    - mq_timedsend                  tst-mqueue{1248}-time64
    - msgctl                        test-sysvmsg-time64
    - mtx_timedlock                 tst-mtx-timedlock-time64
    - nanosleep                     tst-cpuclock{12}-time64,
				    tst-mqueue8-time64, tst-clock-time64
    - nftw / ftw                    ftwtest-time64
    - ntp_adjtime                   tst-ntp_adjtime-time64
    - ntp_gettime                   tst-ntp_gettime-time64
    - ntp_gettimex                  tst-ntp_gettimex-time64
    - ppoll                         tst-ppoll-time64
    - pselect                       tst-pselect-time64
    - pthread_clockjoin_np          tst-join14-time64
    - pthread_cond_clockwait        tst-cond11-time64
    - pthread_cond_timedwait        tst-abstime-time64
    - pthread_mutex_clocklock       tst-abstime-time64
    - pthread_mutex_timedlock       tst-abstime-time64
    - pthread_rwlock_clockrdlock    tst-abstime-time64, tst-rwlock14-time64
    - pthread_rwlock_clockwrlock    tst-abstime-time64, tst-rwlock14-time64
    - pthread_rwlock_timedrdlock    tst-abstime-time64, tst-rwlock14-time64
    - pthread_rwlock_timedwrlock    tst-abstime-time64, tst-rwlock14-time64
    - pthread_timedjoin_np          tst-join14-time64
    - recvmmsg                      tst-cancel4_2-time64
    - sched_rr_get_interval         tst-sched_rr_get_interval-time64
    - select                        tst-select-time64
    - sem_clockwait                 tst-sem5-time64
    - sem_timedwait                 tst-sem5-time64
    - semctl                        test-sysvsem-time64
    - semtimedop                    test-sysvsem-time64
    - setitimer                     tst-mqueue2-time64, tst-itimer-timer64
    - settimeofday                  tst-settimeofday-time64
    - shmctl                        test-sysvshm-time64
    - sigtimedwait                  tst-sigtimedwait-time64
    - stat                          tst-stat-time64
    - thrd_sleep                    tst-thrd-sleep-time64
    - time                          tst-mqueue{1248}-time64
    - timegm                        tst-timegm-time64
    - timer_gettime                 tst-timer4-time64
    - timer_settime                 tst-timer4-time64
    - timerfd_gettime               tst-timerfd-time64
    - timerfd_settime               tst-timerfd-time64
    - timespec_get                  tst-timespec_get-time64
    - timespec_getres               tst-timespec_getres-time64
    - utime                         tst-utime-time64
    - utimensat                     tst-utimensat-time64
    - utimes                        tst-utimes-time64
    - wait3                         tst-wait3-time64
    - wait4                         tst-wait4-time64

  * librt:
    - aio_suspend                   tst-aio6-time64
    - mq_timedreceive               tst-mqueue{1248}-time64
    - mq_timedsend                  tst-mqueue{1248}-time64
    - timer_gettime                 tst-timer4-time64
    - timer_settime                 tst-timer4-time64

  * libanl:
    - gai_suspend

Reviewed-by: Lukasz Majewski <lukma@denx.de>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-06-15 10:42:11 -03:00
Adhemerval Zanella
47f24c21ee y2038: Add support for 64-bit time on legacy ABIs
A new build flag, _TIME_BITS, enables the usage of the newer 64-bit
time symbols for legacy ABI (where 32-bit time_t is default).  The 64
bit time support is only enabled if LFS (_FILE_OFFSET_BITS=64) is
also used.

Different than LFS support, the y2038 symbols are added only for the
required ABIs (armhf, csky, hppa, i386, m68k, microblaze, mips32,
mips64-n32, nios2, powerpc32, sparc32, s390-32, and sh).  The ABIs with
64-bit time support are unchanged, both for symbol and types
redirection.

On Linux the full 64-bit time support requires a minimum of kernel
version v5.1.  Otherwise, the 32-bit fallbacks are used and might
results in error with overflow return code (EOVERFLOW).

The i686-gnu does not yet support 64-bit time.

This patch exports following rediretions to support 64-bit time:

  * libc:
    adjtime
    adjtimex
    clock_adjtime
    clock_getres
    clock_gettime
    clock_nanosleep
    clock_settime
    cnd_timedwait
    ctime
    ctime_r
    difftime
    fstat
    fstatat
    futimens
    futimes
    futimesat
    getitimer
    getrusage
    gettimeofday
    gmtime
    gmtime_r
    localtime
    localtime_r
    lstat_time
    lutimes
    mktime
    msgctl
    mtx_timedlock
    nanosleep
    nanosleep
    ntp_gettime
    ntp_gettimex
    ppoll
    pselec
    pselect
    pthread_clockjoin_np
    pthread_cond_clockwait
    pthread_cond_timedwait
    pthread_mutex_clocklock
    pthread_mutex_timedlock
    pthread_rwlock_clockrdlock
    pthread_rwlock_clockwrlock
    pthread_rwlock_timedrdlock
    pthread_rwlock_timedwrlock
    pthread_timedjoin_np
    recvmmsg
    sched_rr_get_interval
    select
    sem_clockwait
    semctl
    semtimedop
    sem_timedwait
    setitimer
    settimeofday
    shmctl
    sigtimedwait
    stat
    thrd_sleep
    time
    timegm
    timerfd_gettime
    timerfd_settime
    timespec_get
    utime
    utimensat
    utimes
    utimes
    wait3
    wait4

  * librt:
    aio_suspend
    mq_timedreceive
    mq_timedsend
    timer_gettime
    timer_settime

  * libanl:
    gai_suspend

Reviewed-by: Lukasz Majewski <lukma@denx.de>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-06-15 10:42:11 -03:00
Florian Weimer
6f1c701026 dlfcn: Cleanups after -ldl is no longer required
This commit removes the ELF constructor and internal variables from
dlfcn/dlfcn.c.  The file now serves the same purpose as
nptl/libpthread-compat.c, so it is renamed to dlfcn/libdl-compat.c.
The use of libdl-shared-only-routines ensures that libdl.a is empty.

This commit adjusts the test suite not to use $(libdl).  The libdl.so
symbolic link is no longer installed.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2021-06-03 09:11:45 +02:00
Martin Sebor
c1760eaf3b Enable support for GCC 11 -Wmismatched-dealloc.
To help detect common kinds of memory (and other resource) management
bugs, GCC 11 adds support for the detection of mismatched calls to
allocation and deallocation functions.  At each call site to a known
deallocation function GCC checks the set of allocation functions
the former can be paired with and, if the two don't match, issues
a -Wmismatched-dealloc warning (something similar happens in C++
for mismatched calls to new and delete).  GCC also uses the same
mechanism to detect attempts to deallocate objects not allocated
by any allocation function (or pointers past the first byte into
allocated objects) by -Wfree-nonheap-object.

This support is enabled for built-in functions like malloc and free.
To extend it beyond those, GCC extends attribute malloc to designate
a deallocation function to which pointers returned from the allocation
function may be passed to deallocate the allocated objects.  Another,
optional argument designates the positional argument to which
the pointer must be passed.

This change is the first step in enabling this extended support for
Glibc.
2021-05-16 15:21:18 -06:00
Érico Nogueira
330001202a misc: use _fitoa_word to implement __fd_to_filename.
In a default build for x86_64, size decreased by 24 bytes:
1883294 to 1883270.

Aditionally, avoids repeating the number printing logic in multiple
places.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2021-05-07 13:54:36 -03:00
Martin Sebor
26492c0a14 Annotate additional APIs with GCC attribute access.
This change continues the improvements to compile-time out of bounds
checking by decorating more APIs with either attribute access, or by
explicitly providing the array bound in APIs such as tmpnam() that
expect arrays of some minimum size as arguments.  (The latter feature
is new in GCC 11.)

The only effects of the attribute and/or the array bound is to check
and diagnose calls to the functions that fail to provide a sufficient
number of elements, and the definitions of the functions that access
elements outside the specified bounds.  (There is no interplay with
_FORTIFY_SOURCE here yet.)

Tested with GCC 7 through 11 on x86_64-linux.
2021-05-06 11:01:05 -06:00
Florian Weimer
0b7d48d106 nptl: Move sem_close, sem_open into libc
The symbols were moved using move-symbol-to-libc.py.

Both functions are moved at the same time because they depend
on internal functions in sysdeps/pthread/sem_routines.c, which
are moved in this commit as well.  Additional hidden prototypes
are required to avoid check-localplt failures.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2021-05-05 17:19:38 +02:00
Martin Sebor
a1561c3bbe Add __attribute_access_none to disable GCC warnings [BZ #27714]
GCC 11 warns when a pointer to an uninitialized object is passed
to a function that takes a const-qualified argument.  This is done
on the assumption that most such functions read from the object.
For the rare case of a function that doesn't, GCC 11 extends
attribute access to add a new mode called none.

POSIX pthread_setspecific() is one such rare function that takes
a const void* argument but that doesn't read from the object it
points to.  To suppress the -Wmaybe-uninitialized issued by GCC
11 when the address of an uninitialized object is passed to it
(e.g., the result of malloc()), this change #defines
__attr_access_none in cdefs.h and uses the macro on the function
in sysdeps/htl/pthread.h and sysdeps/nptl/pthread.h.
2021-04-27 13:01:55 -06:00
Florian Weimer
93d78ec1cb nptl: Move pthread_setcancelstate into libc
No new symbol version is required because there was a forwarder.

The symbol has been moved using scripts/move-symbol-to-libc.py.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2021-04-21 19:49:50 +02:00
Adhemerval Zanella
5ad1a81c8e misc: syslog: Use static const for AF_UNIX address
Checked on x86_64-linux-gnu.
2021-04-15 11:32:40 -03:00
Adhemerval Zanella
7f3ab33f20 misc: syslog: Use CLOC_EXEC with _PATH_CONSOLE (BZ #17145)
The syslog open the '/dev/console' for LOG_CONS without O_CLOEXEC,
which might leak in multithread programs that call fork.

Checked on x86_64-linux-gnu.
2021-04-15 11:32:40 -03:00
Adhemerval Zanella
ded3cef361 misc: syslog: Assume MSG_NOSIGNAL support (BZ #17144)
MSG_NOSIGNAL was added on POSIX 2008 and Hurd seems to support it.
The SIGPIPE handling also makes the implementation not thread-safe
(due the sigaction usage).

Checked on x86_64-linux-gnu.
2021-04-15 11:32:40 -03:00
Adhemerval Zanella
7cb10381a4 misc: syslog: Use bool for connected
Checked on x86_64-linux-gnu.
2021-04-15 11:32:40 -03:00
Dan Raymond
f2913118cd misc: syslog: Fix calls to openlog() with LOG_KERN facility (BZ #3604)
POSIX states for syslog [1]:

  "Values of the priority argument are formed by OR'ing together a
  severity-level value and an optional facility value. If no
  facility value is specified, the current default facility value is
  used."

So the patch fixes an existing violation of the openlog interface contract
where it is ignoring the facility argument when the value is zero

It allows the use LOG_KERN by calling openlog prior syslog usage.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>

[1] https://pubs.opengroup.org/onlinepubs/9699919799/functions/syslog.html
2021-04-13 16:33:27 -03:00
Adhemerval Zanella
cedbf6d5f3 linux: always update select timeout (BZ #27706)
The timeout should be updated even on failure for time64 support.

Checked on i686-linux-gnu.
2021-04-12 18:38:37 -03:00
Adhemerval Zanella
9d7c5cc38e linux: Normalize and return timeout on select (BZ #27651)
The commit 2433d39b69, which added time64 support to select, changed
the function to use __NR_pselect6 (or __NR_pelect6_time64) on all
architectures.  However, on architectures where the symbol was
implemented with __NR_select the kernel normalizes the passed timeout
instead of return EINVAL.  For instance, the input timeval
{ 0, 5000000 } is interpreted as { 5, 0 }.

And as indicated by BZ #27651, this semantic seems to be expected
and changing it results in some performance issues (most likely
the program does not check the return code and keeps issuing
select with unormalized tv_usec argument).

To avoid a different semantic depending whether which syscall the
architecture used to issue, select now always normalize the timeout
input.  This is a slight change for some ABIs (for instance aarch64).

Checked on x86_64-linux-gnu and i686-linux-gnu.
2021-04-12 18:38:37 -03:00
Adhemerval Zanella
1b53b5d970 misc: Fix tst-select timeout handling (BZ#27648)
Instead of polling the stderr, create two pipes and fork to check
if child timeout as expected similar to tst-pselect.c.  Also lower
the timeout value.

Checked on x86_64-linux-gnu.
2021-03-26 11:57:11 -03:00
Lukasz Majewski
bff3019afc tst: Provide test for select
This change adds new test to assess select()'s timeout related
functionality (the rdfs set provides valid fd - stderr - but during
normal program operation there is no data to be read, so one just
waits for timeout).

To be more specific - two use cases are checked:
- if select() times out immediately when passed struct timeval has
  zero values of tv_usec and tv_sec.
- if select() times out after timeout specified in passed argument

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2021-03-23 12:23:33 +01:00
Florian Weimer
9fc813e1a3 Implement <unwind-link.h> for dynamically loading the libgcc_s unwinder
This will be used to consolidate the libgcc_s access for backtrace
and pthread_cancel.

Unlike the existing backtrace implementations, it provides some
hardening based on pointer mangling.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2021-03-01 15:58:01 +01:00
Adhemerval Zanella
c8ba52ab33 misc: Sync cdefs.h with gnulib
It adds __glibc_has_builtin, __glibc_has_extension, and
__attribute_maybe_unused__ alongsize with some fixes.

The differences are:

--- glibc
+++ gnulib
@@ -259,7 +259,9 @@
 # define __attribute_const__ /* Ignore */
 #endif

-#if __GNUC_PREREQ (2,7) || __glibc_has_attribute (__unused__)
+#if defined __STDC_VERSION__ && 201710L < __STDC_VERSION__
+# define __attribute_maybe_unused__ [[__maybe_unused__]]
+#elif __GNUC_PREREQ (2,7) || __glibc_has_attribute (__unused__)
 # define __attribute_maybe_unused__ __attribute__ ((__unused__))
 #else
 # define __attribute_maybe_unused__ /* Ignore */
@@ -485,7 +487,7 @@

 /* The #ifndef lets Gnulib avoid including these on non-glibc
    platforms, where the includes typically do not exist.  */
-#ifdef __GLIBC__
+#ifndef __WORDSIZE
 # include <bits/wordsize.h>
 # include <bits/long-double.h>
 #endif

The [[__attribute_maybe_unused__]] attribute removal __ is due Joseph
questioning gcc support with -std=c2x or -std=gnu2x [1].

The _WORDSIZE replacement by __GLIBC__ is because it does not play
well with internal cdefs.h that also uses
__LDOUBLE_REDIRECTS_TO_FLOAT128_ABI.

Checked on x86_64-linux-gnu.

[1] https://sourceware.org/pipermail/libc-alpha/2021-January/121600.html
2021-02-09 16:57:52 -03:00
Szabolcs Nagy
47618209d0 Use hidden visibility for early static PIE code
Extern symbol access in position independent code usually involves GOT
indirection which needs RELATIVE reloc in a static linked PIE. (On
some targets this is avoided e.g. because the linker can relax a GOT
access to a pc-relative access, but this is not generally true.) Code
that runs before static PIE self relocation must avoid relying on
dynamic relocations which can be ensured by using hidden visibility.
However we cannot just make all symbols hidden:

On i386, all calls to IFUNC functions must go through PLT and calls to
hidden functions CANNOT go through PLT in PIE since EBX used in PIE PLT
may not be set up for local calls to hidden IFUNC functions.

This patch aims to make symbol references hidden in code that is used
before and by _dl_relocate_static_pie when building a static PIE libc.
Note: for an object that is used in the startup code, its references
and definition may not have consistent visibility: it is only forced
hidden in the startup code.

This is needed for fixing bug 27072.

Co-authored-by: H.J. Lu <hjl.tools@gmail.com>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2021-01-21 15:55:01 +00:00
Siddhesh Poyarekar
eeaa19f75e mntent: Use __putc_unlocked instead of fputc_unlocked
__putc_unlocked is guaranteed to be inlined all the time as opposed to
fputc_unlocked, which does not get inlined when glibc is built with
-Os.

Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
2021-01-08 21:02:12 +05:30
Paul Eggert
2b778ceb40 Update copyright dates with scripts/update-copyrights
I used these shell commands:

../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright
(cd ../glibc && git commit -am"[this commit message]")

and then ignored the output, which consisted lines saying "FOO: warning:
copyright statement not found" for each of 6694 files FOO.
I then removed trailing white space from benchtests/bench-pthread-locks.c
and iconvdata/tst-iconv-big5-hkscs-to-2ucs4.c, to work around this
diagnostic from Savannah:
remote: *** pre-commit check failed ...
remote: *** error: lines with trailing whitespace found
remote: error: hook declined to update refs/heads/master
2021-01-02 12:17:34 -08:00
Siddhesh Poyarekar
c43c579612 Introduce _FORTIFY_SOURCE=3
Introduce a new _FORTIFY_SOURCE level of 3 to enable additional
fortifications that may have a noticeable performance impact, allowing
more fortification coverage at the cost of some performance.

With llvm 9.0 or later, this will replace the use of
__builtin_object_size with __builtin_dynamic_object_size.

__builtin_dynamic_object_size
-----------------------------

__builtin_dynamic_object_size is an LLVM builtin that is similar to
__builtin_object_size.  In addition to what __builtin_object_size
does, i.e. replace the builtin call with a constant object size,
__builtin_dynamic_object_size will replace the call site with an
expression that evaluates to the object size, thus expanding its
applicability.  In practice, __builtin_dynamic_object_size evaluates
these expressions through malloc/calloc calls that it can associate
with the object being evaluated.

A simple motivating example is below; -D_FORTIFY_SOURCE=2 would miss
this and emit memcpy, but -D_FORTIFY_SOURCE=3 with the help of
__builtin_dynamic_object_size is able to emit __memcpy_chk with the
allocation size expression passed into the function:

void *copy_obj (const void *src, size_t alloc, size_t copysize)
{
  void *obj = malloc (alloc);
  memcpy (obj, src, copysize);
  return obj;
}

Limitations
-----------

If the object was allocated elsewhere that the compiler cannot see, or
if it was allocated in the function with a function that the compiler
does not recognize as an allocator then __builtin_dynamic_object_size
also returns -1.

Further, the expression used to compute object size may be non-trivial
and may potentially incur a noticeable performance impact.  These
fortifications are hence enabled at a new _FORTIFY_SOURCE level to
allow developers to make a choice on the tradeoff according to their
environment.
2020-12-31 16:55:21 +05:30
Siddhesh Poyarekar
be37b80705 misc: Use __ferror_unlocked instead of ferror
The ferror results in an unnecessary PLT reference.  Use
__ferror_unlocked instead , which gets inlined.
2020-12-23 07:03:42 +05:30
Siddhesh Poyarekar
9798906a42 addmntent: Remove unbounded alloca usage from getmntent [BZ#27083]
The addmntent function replicates elements of struct mnt on stack
using alloca, which is unsafe.  Put characters directly into the
stream, escaping them as they're being written out.

Also add a test to check all escaped characters with addmntent and
getmntent.
2020-12-22 21:32:55 +05:30
Florian Weimer
e7570f4131 Replace __libc_multiple_libcs with __libc_initial flag
Change sbrk to fail for !__libc_initial (in the generic
implementation).  As a result, sbrk is (relatively) safe to use
for the __libc_initial case (from the main libc).  It is therefore
no longer necessary to avoid using it in that case (or updating the
brk cache), and the __libc_initial flag does not need to be updated
as part of dlmopen or static dlopen.

As before, direct brk system calls on Linux may lead to memory
corruption.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2020-12-16 15:13:40 +01:00
Jonny Grant
2ea6af7447 Fix spelling and grammar in several comments 2020-12-12 01:16:56 +01:00