musl/src/misc, branch master musl - an implementation of the standard library for Linux-based systems hasmntopt: match only whole options not arbitrary substrings 2025-02-09T18:36:44+00:00 Rich Felker dalias@aerifal.cx 2025-02-09T18:36:44+00:00 4c4f15dae57125e5b65b9690901384ae501d38e2 the man page for this nonstandardized function has historically documented it as scanning for a substring; however, this is functionally incorrect (matches the substring "atime" in the "noatime" option, for example) and differs from other existing implementations. with the change made here, it should match glibc and other implementations, only matching whole options delimited by commas or separated from a value by an equals sign. 
the man page for this nonstandardized function has historically
documented it as scanning for a substring; however, this is
functionally incorrect (matches the substring "atime" in the "noatime"
option, for example) and differs from other existing implementations.

with the change made here, it should match glibc and other
implementations, only matching whole options delimited by commas or
separated from a value by an equals sign.
mntent: exclude trailing newline from parsed field 2024-10-22T21:44:52+00:00 Alyssa Ross hi@alyssa.is 2024-10-19T18:13:21+00:00 4e6c827cf48aa4277033d3444e419cb435b0a68c When the pattern was changed from matching any whitespace to just matching spaces and tabs, a newline started being appended to the value of the matched field, if that field was a string. For example, in a 4-field line, the mnt_opts field would have a newline on the end. This happened because a newline is not a space or a tab, and so was matched as part of the value before the end of the string was reached. \n should therefore be added as a character that terminates a value. This shouldn't interfere with the intention of the change to space and tab only, as it was trying to make sure that other whitespace like carriage returns, that should have been part of parsed values, were. Fixes: f314e133 
When the pattern was changed from matching any whitespace to just
matching spaces and tabs, a newline started being appended to the
value of the matched field, if that field was a string. For example,
in a 4-field line, the mnt_opts field would have a newline on the end.

This happened because a newline is not a space or a tab, and so was
matched as part of the value before the end of the string was reached.
\n should therefore be added as a character that terminates a value.
This shouldn't interfere with the intention of the change to space and
tab only, as it was trying to make sure that other whitespace like
carriage returns, that should have been part of parsed values, were.

Fixes: f314e133
syslog: revert LOG_FAC/LOG_FACMASK changes 2024-07-05T17:22:25+00:00 Rich Felker dalias@aerifal.cx 2024-07-05T17:22:25+00:00 dd1e63c3638d5f9afb857fccf6ce1415ca5f1b8b commit 895736d49bd2bb318c69de99a05ea70c035c2da9 made these changes along with fixing a real bug in LOG_MAKEPRI. based on further information, they do not seem to be well-motivated or in line with policy. the result of LOG_FAC is not a meaningful facility value if we shift it down like before, but apparently the way it is used by applications is as an index into an array of facility names. moreover, all historical systems which define it do so with the shift. as it is a nonstandard interface, there is no justification for providing a macro by the same name that is incompatible with historical practice. the value of LOG_FACMASK likewise is 0x3f8 on all historical systems checked. while only 5 bits are used for existing facility codes, the convention seems to be that all 7 bits belong to the facility field and theoretically could be used to expand to having more facilities. that seems unlikely to happen, but there is no reason to make a gratuitously incompatible change here. 
commit 895736d49bd2bb318c69de99a05ea70c035c2da9 made these changes
along with fixing a real bug in LOG_MAKEPRI. based on further
information, they do not seem to be well-motivated or in line with
policy.

the result of LOG_FAC is not a meaningful facility value if we shift
it down like before, but apparently the way it is used by applications
is as an index into an array of facility names. moreover, all
historical systems which define it do so with the shift. as it is a
nonstandard interface, there is no justification for providing a macro
by the same name that is incompatible with historical practice.

the value of LOG_FACMASK likewise is 0x3f8 on all historical systems
checked. while only 5 bits are used for existing facility codes, the
convention seems to be that all 7 bits belong to the facility field
and theoretically could be used to expand to having more facilities.
that seems unlikely to happen, but there is no reason to make a
gratuitously incompatible change here.
syslog: fix incorrect LOG_MAKEPRI and LOG_FAC[MASK] macros 2024-06-13T15:48:40+00:00 Rich Felker dalias@aerifal.cx 2024-06-13T15:48:40+00:00 895736d49bd2bb318c69de99a05ea70c035c2da9 these are nonstandard and unnecessary for using the associated functionality, but resulted in applications that used them malfunctioning. patch based on proposed fix by erny hombre. 
these are nonstandard and unnecessary for using the associated
functionality, but resulted in applications that used them
malfunctioning.

patch based on proposed fix by erny hombre.
initgroups: do not artificially limit number of supplementary groups 2024-04-14T03:05:46+00:00 Rich Felker dalias@aerifal.cx 2024-04-13T16:15:37+00:00 3f49203c55ccd5d4217abf13addb18844136455f historically linux limited the number of supplementary groups a process could be in to 32, but this limit was raised to 65536 in linux 2.6.4. proposals to support the new limit, change NGROUPS_MAX, or make it dynamic have been stalled due to the impact it would have on initgroups where the groups array exists in automatic storage. the changes here decouple initgroups from the value of NGROUPS_MAX and allow it to fall back to allocating a buffer in the case where getgrouplist indicates the user has more supplementary groups than could be reported in the buffer. getgrouplist already involves allocation, so this does not pull in any new link dependency. likewise, getgrouplist is already using the public malloc (vs internal libc one), so initgroups does the same. if this turns out not to be the best choice, both can be changed together later. the initial buffer size is left at 32, but now as the literal value, so that any potential future change to NGROUPS_MAX will not affect initgroups. 
historically linux limited the number of supplementary groups a
process could be in to 32, but this limit was raised to 65536 in linux
2.6.4. proposals to support the new limit, change NGROUPS_MAX, or make
it dynamic have been stalled due to the impact it would have on
initgroups where the groups array exists in automatic storage.

the changes here decouple initgroups from the value of NGROUPS_MAX and
allow it to fall back to allocating a buffer in the case where
getgrouplist indicates the user has more supplementary groups than
could be reported in the buffer. getgrouplist already involves
allocation, so this does not pull in any new link dependency.
likewise, getgrouplist is already using the public malloc (vs internal
libc one), so initgroups does the same. if this turns out not to be
the best choice, both can be changed together later.

the initial buffer size is left at 32, but now as the literal value,
so that any potential future change to NGROUPS_MAX will not affect
initgroups.
syslog: use C locale for timestamp generation 2024-02-07T21:08:11+00:00 Rich Felker dalias@aerifal.cx 2024-02-07T21:08:11+00:00 39838619bb8b65a8897abcfda8c17ad6de0115d8 depending on contents of the LC_TIME locale, log messages could be malformatted (especially if the ABMON strings contain non-alphabetic characters) or the subsequent code could invoke undefined behavior, via passing a timebuf[] with unspecified contents to snprintf, if the translated ABMON string did not fit in the 16-byte timebuf. this does not appear to be a security-relevant bug, as locale loading functionality is intentionally not available to set*id programs -- the MUSL_LOCPATH environment variable is ignored when libc.secure is true, and custom locales are not loadable without it. 
depending on contents of the LC_TIME locale, log messages could be
malformatted (especially if the ABMON strings contain non-alphabetic
characters) or the subsequent code could invoke undefined behavior,
via passing a timebuf[] with unspecified contents to snprintf, if
the translated ABMON string did not fit in the 16-byte timebuf.

this does not appear to be a security-relevant bug, as locale loading
functionality is intentionally not available to set*id programs -- the
MUSL_LOCPATH environment variable is ignored when libc.secure is true,
and custom locales are not loadable without it.
mntent: fields are delimited only by tabs or spaces, not general whitespace 2023-11-16T17:55:21+00:00 Rich Felker dalias@aerifal.cx 2023-11-16T17:55:21+00:00 f314e133929b6379eccc632bef32eaebb66a7335 this matters because the kernel-provided mtab only escapes tabs, spaces, newlines, and backslashes. it leaves carriage returns, form feeds, and vertical tabs literal. 
this matters because the kernel-provided mtab only escapes tabs,
spaces, newlines, and backslashes. it leaves carriage returns, form
feeds, and vertical tabs literal.
mntent: unescape octal sequences 2023-11-16T17:06:17+00:00 q66 q66@chimera-linux.org 2023-11-09T19:48:44+00:00 ee1d39bc1573c1ae49ee6b658938b56bbef95a6c As entries in mtab are delimited by spaces, whitespace characters are escaped as octal sequences. When reading them out, we have to unescape these sequences to get the proper string. 
As entries in mtab are delimited by spaces, whitespace characters
are escaped as octal sequences. When reading them out, we have to
unescape these sequences to get the proper string.
getopt: fix null pointer arithmetic ub 2023-04-11T13:18:38+00:00 Alexey Izbyshev izbyshev@ispras.ru 2023-03-10T17:00:31+00:00 6d322159c633050a405b03b927db76b89e402014 When an option that requires an argument is the last character of argv[argc-1], getopt computes argv[argc] + optpos. While optpos is always zero in this case, adding it to null pointer is still undefined. 
When an option that requires an argument is the last character of
argv[argc-1], getopt computes argv[argc] + optpos. While optpos
is always zero in this case, adding it to null pointer is still
undefined.
nftw: fix use of uninitialized struct stat 2023-04-11T13:18:01+00:00 Alexey Izbyshev izbyshev@ispras.ru 2023-03-10T14:00:50+00:00 35e9831156efc1b54e1a91917ba0f787d5df3353 If lstat/stat fails with EACCES, st is left uninitialized, but its st_dev/st_ino fields are then used in several places: * for FTW_MOUNT check (in practice typically results in a false positive and an early return) * for copying to the new struct history (though the struct is not used afterwards since we don't recurse in this case) * for cycle detection check (could theoretically result in a false positive and an early return) To avoid adding FTW_NS checks to all these places, fix this by zero-initializing st_dev/st_ino (which can never match an existing dentry due to zero inode being reserved in Linux), and check for FTW_NS only when handling FTW_MOUNT since we need two valid dentries there. 
If lstat/stat fails with EACCES, st is left uninitialized, but its
st_dev/st_ino fields are then used in several places:

* for FTW_MOUNT check (in practice typically results in a false
  positive and an early return)
* for copying to the new struct history (though the struct is not used
  afterwards since we don't recurse in this case)
* for cycle detection check (could theoretically result in a false
  positive and an early return)

To avoid adding FTW_NS checks to all these places, fix this by
zero-initializing st_dev/st_ino (which can never match an existing
dentry due to zero inode being reserved in Linux), and check for FTW_NS
only when handling FTW_MOUNT since we need two valid dentries there.