summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)AuthorLines
2017-03-14in static dl_iterate_phdr, fix use of possibly-uninitialized aux dataRich Felker-1/+1
this could only happen if an incomplete auxv was passed into the program, but it's better to just initialize the data anyway.
2017-03-14fix free of uninitialized buffer pointer on error in regexecRich Felker-3/+3
the fix in commit c3edc06d1e1360f3570db9155d6b318ae0d0f0f7 for CVE-2016-8859 used gotos to exit on overflow conditions, but the code in that error path assumed the buffer pointer was valid or null. thus, the conditions which previously led to under-allocation and buffer overflow could instead lead to an invalid pointer being passed to free.
2017-03-05fix lsearch and lfind to pass key as first arg to the compar callbackSzabolcs Nagy-2/+2
this is not a conformance issue as posix does not specify the argument order, but the order is specified for bsearch and some systems document the order for lsearch consistently (openbsd). since there were two indpendent reports of this issue it's better to use the more widely expected argument order.
2017-02-15fix build regression in arm atomics asm with new binutilsRich Felker-1/+1
binutils commit bada43421274615d0d5f629a61a60b7daa71bc15 tightened immediate fixup handling in gas in such a way that the final .arch of an object file must be compatible with the fixups used when the instruction was assembled; this in turn broke assembling of atomics.s, at least in thumb mode. it's not clear whether this should be considered a bug in gas, but .object_arch is preferable anyway for our purpose here of controlling the ISA level tag on the object file being produced, and it's the intended directive for use in object files with runtime code selection. research by Szabolcs Nagy confirmed that .object_arch is supported in all relevant versions of binutils and clang's integrated assembler. patch by Reiner Herrmann.
2017-02-15s390x: implement dlsymBobby Bingham-0/+6
This was missed when writing the port initially.
2017-01-29avoid unbounded strlen in gettext functionsRich Felker-3/+3
use the standard strnlen idiom for cases where lengths greater than an imposed limit are going to be rejected immediately anyway.
2017-01-29fix use of uninitialized pointer in gettext coreRich Felker-2/+2
the plural_rule field of allocated msgcat structures was assumed to be initially-null but was never initialized. for future-proofing, the nplurals field which was left uninitialized should also be cleared. likewise, in the binding structure, the active field could be used uninitialized by a technicality: the a_store which stores the initial value of 0 may be implemented as a cas operation, which reads the old value. rather than fixing these issues individually, just use calloc for both allocations. this does result in wasteful clearing of name buffers (up to NAME_MAX+PATH_MAX) before filling them, but since the size if bounded and the time is dominated by filesystem operations, it really doesn't matter; simplicity and future-proofing have more value here. modified from patch submitted by He X.
2017-01-29fix bindtextdomain logic error deactivating other domainsRich Felker-1/+1
this loop was only supposed to deactivate other bindings for the same text domain name, but due to copy-and-paste error, deactivated all other bindings. patch by He X.
2017-01-19fix spurious EINTR errors from multithreaded set*id, etc.Rich Felker-1/+1
commit 78a8ef47c4d92b7680c52a85f80a81e29da86bb9 inadvertently removed the SA_RESTART flag from the sigaction for the internal signal handler used by __synccall for broadcasting. as a result, programs which did not use interrupting signals but which used set*id() in a multithreaded context could wrongly observe EINTR errors they're not prepared to handle.
2017-01-13fix crashes in x32 __tls_get_addrrofl0r-2/+6
x32 has another gratuitous difference to all other archs: it passes an array of 64bit values to __tls_get_addr(). usually it is an array of size_t.
2017-01-04treat base 1 as an error in strtol-family functionsRich Felker-1/+1
ISO C and POSIX only specify behavior for base arguments of 0 and 2-36; POSIX mandates an EINVAL error for unsupported bases. it's not clear that there's a requirement for implementations not to "support" additional bases as an extension, but "base 1" did not work in any meaningful way anyway, so it should be considered unsupported and thus an error.
2017-01-04fix getopt[_long] clobbering of optopt on successRich Felker-2/+5
getopt is only specified to modify optopt on error, and some software apparently infers an error from optopt!=0. getopt_long is changed analogously. the resulting behavior differs slightly from the behavior of the GNU implementation of getopt_long, which keeps an internal shadow copy of optopt and copies it to the public one on return, but since the GNU implementation also exhibits this shadow-copy behavior for plain getopt where is is non-conforming, I think this can reasonably be considered a bug rather than an intentional behavior that merits mimicing.
2017-01-02make globfree safe after failed glob from over-length argumentRich Felker-2/+2
commit 0dc99ac413d8bc054a2e95578475c7122455eee8 added input length checking to avoid unsafe VLA allocation, but put it in the wrong place, before the glob_t structure was zeroed out. while POSIX isn't clear on whether it's permitted to call globfree after glob failed with GLOB_NOSPACE, making it safe is clearly better than letting uninitialized pointers get passed to free in non-conforming callers. while we're fixing this, change strlen check to the idiomatic strnlen version to avoid unbounded input scanning before returning an error.
2017-01-02fix strftime %y for negative yearsRich Felker-2/+2
commit 583ea83541dcc6481c7a1bd1a9b485526bad84a1 fixed the case where tm_year is negative but the resulting year (offset by 1900) was still positive, which is always the case for time_t values that fit in 32 bits, but not for arbitrary inputs. based on an earlier patch by Julien Ramseier which was overlooked at the time the previous fix was applied.
2016-12-20fix support for initialized TLS in static PIE binariesRich Felker-0/+5
the static-linked version of __init_tls needs to locate the TLS initialization image via the ELF program headers, which requires determining the base address at which the program was loaded. the existing code attempted to do this by comparing the actual address of the program headers (obtained via auxv) with the virtual address for the PT_PHDR record in the program headers. however, the linker seems to produce a PT_PHDR record only when a program interpreter (dynamic linker) is used. thus the computation failed and used the default base address of 0, leading to a crash when trying to access the TLS image at the wrong address. the dynamic linker entry point and static-PIE rcrt1.o startup code compute the base address instead by taking the difference between the run-time address of _DYNAMIC and the virtual address in the PT_DYNAMIC record. this patch copies the approach they use, but with a weak symbolic reference to _DYNAMIC instead of obtaining the address from the crt_arch.h asm. this works because relocations have already been performed at the time __init_tls is called.
2016-12-19rework arm atomic/tp backends to be thumb-compatible and fdpic-readyRich Felker-56/+69
three problems are addressed: - use of pc arithmetic, which was difficult if not impossible to make correct in thumb mode on all models, so that relative rather than absolute pointers to the backends could be used. this was designed back when there was no coherent model for the early stages of the dynamic linker before relocations, and is no longer necessary. - assumption that data (the relative pointers to the backends) can be accessed at a constant displacement from the code. this will not be possible on future fdpic subarchs (for cortex-m), so move responsibility for loading the backend code address to the caller. - hard-coded arm opcodes using the .word directive. instead, use the .arch directive to work around the assembler's refusal to assemble instructions not available (or in some cases, available but just considered deprecated) in the target isa level. the obscure v6t2 arch is used for v6 code so as to (1) allow generation of thumb2 output if -mthumb is active, and (2) avoid warnings/errors for mcr barriers that clang would produce if we just set arch to v7-a. in addition, the __aeabi_read_tp function is moved out of the inner workings and implemented as an asm wrapper around a C function, so that asm code does not need to read global data. the asm wrapper serves to satisfy the ABI calling convention requirements for this function.
2016-12-17disable use of arm memcpy asm if building as thumb codeRich Felker-2/+2
the thumb incompatibilities in the asm are probably only minor and should be fixable, but for now just use the C version.
2016-12-17make arm setjmp/longjmp asm thumb2-compatibleRich Felker-2/+6
sp cannot be used in the ldm/stm register set in thumb mode.
2016-12-17use lookup table for malloc bin index instead of float conversionSzabolcs Nagy-2/+12
float conversion is slow and big on soft-float targets. The lookup table increases code size a bit on most hard float targets (and adds 60byte rodata), performance can be a bit slower because of position independent data access and cpu internal state dependence (cache, extra branches), but the overall effect should be minimal (common, small size allocations should be unaffected).
2016-12-16handle ^ and $ in BRE subexpression start and end as anchorsSzabolcs Nagy-9/+12
In BRE, ^ is an anchor at the beginning of an expression, optionally it may be an anchor at the beginning of a subexpression and must be treated as a literal otherwise. Previously musl treated ^ in subexpressions as literal, but at least glibc and gnu sed treats it as an anchor and that's the more useful behaviour: it can always be escaped to get back the literal meaning. Same for $ at the end of a subexpression. Portable BRE should not rely on this, but there are sed commands in build scripts which do. This changes the meaning of the BREs: \(^a\) \(a\|^b\) \(a$\) \(a$\|b\)
2016-12-16fix mrand48/jrand48 return value on 64-bit archsRich Felker-1/+1
POSIX specifies the result to have signed 32-bit range. on 32-bit archs, the implicit conversion to long achieved the desired range already, but when long is 64-bit, a cast is needed. patch by Ed Schouten.
2016-12-16fix crashing sigsetjmp on s390xBobby Bingham-1/+1
the bz instruction that was wrongly used only admits a small immediate displacement and cannot be used with external symbols; apparently the linker fails to diagnose the overflow.
2016-12-06remove largish unused field from pthread structureRich Felker-1/+0
2016-11-12work around gdb issues recognizing sigreturn trampoline on x86_64Rich Felker-8/+6
gdb can only backtrace/unwind across signal handlers if it recognizes the sa_restorer trampoline. for x86_64, gdb first attempts to determine the symbol name for the function in which the program counter resides and match it against "__restore_rt". if no name can be found (e.g. in the case of a stripped binary), the exact instruction sequence is matched instead. when matching the function name, however, gdb's unwind code wrongly considers the interval [sym,sym+size] rather than [sym,sym+size). thus, if __restore_rt begins immediately after another function, gdb wrongly identifies pc as lying within the previous adjacent function. this patch adds a nop before __restore_rt to preclude that possibility. it also removes the symbol name __restore and replaces it with a macro since the stability of whether gdb identifies the function as __restore_rt or __restore is not clear. for the no-symbols case, the instruction sequence is changed to use %rax rather than %eax to match what gdb expects. based on patch by Szabolcs Nagy, with extended description and corresponding x32 changes added.
2016-11-11add s390x portBobby Bingham-0/+269
2016-11-11treat null vdso base same as missingBobby Bingham-0/+1
On s390x, the kernel provides AT_SYSINFO_EHDR, but sets it to zero, if the program being run does not have a program interpreter. This causes problems when running the dynamic linker directly.
2016-11-11generalize ELF hash table types not to assume 32-bit entriesRich Felker-1/+2
alpha and s390x gratuitously use 64-bit entries (wasting 2x space and cache utilization) despite the values always being 32-bit. based on patch by Bobby Bingham, with changes suggested by Alexander Monakov to use the public Elf_Symndx type from link.h (and make it properly variable by arch) rather than adding new internal infrastructure for handling the type.
2016-11-08fix build regression on archs with variable page sizeRich Felker-1/+1
commit 31fb174dd295e50f7c5cf18d31fcfd5fe5a063b7 used DEFAULT_GUARD_SIZE from pthread_impl.h in a static initializer, breaking build on archs where its definition, PAGE_SIZE, is not a constant. instead, just define DEFAULT_GUARD_SIZE as 4096, the minimal page size on any arch we support. pthread_create rounds up to whole pages anyway, so defining it to 1 would also work, but a moderately meaningful value is nicer to programs that use pthread_attr_getguardsize on default-initialized attribute objects.
2016-11-08add limited pthread_setattr_default_np API to set stack size defaultsRich Felker-4/+43
based on patch by Timo Teräs: While generally this is a bad API, it is the only existing API to affect c++ (std::thread) and c11 (thrd_create) thread stack size. This patch allows applications only to increate stack and guard page sizes.
2016-11-08fix pthread_create regression from stack/guard size simplificationRich Felker-1/+4
commit 33ce920857405d4f4b342c85b74588a15e2702e5 broke pthread_create in the case where a null attribute pointer is passed; rather than using the default sizes, sizes of 0 (plus the remainder of one page after TLS/TCB use) were used.
2016-11-07simplify pthread_attr_t stack/guard size representationRich Felker-11/+13
previously, the pthread_attr_t object was always initialized all-zero, and stack/guard size were represented as differences versus their defaults. this required lots of confusing offset arithmetic everywhere they were used. instead, have pthread_attr_init fill in the default values, and work with absolute sizes everywhere.
2016-11-07fix swprintf internal buffer state and error handlingRich Felker-1/+8
the swprintf write callback never reset its buffer pointers, so after its 256-byte buffer filled up, it would keep repeating those bytes over and over in the output until the destination buffer filled up. it also failed to set the error indicator for the stream on EILSEQ, potentially allowing output to continue after the error.
2016-11-07fix integer overflow of tm_year in __secs_to_tmDaniel Sabogal-4/+5
the overflow check for years+100 did not account for the extra year computed from the remaining months. instead, perform this check after obtaining the final number of years.
2016-11-07fix parsing of quoted time zone namesHannu Nyman-1/+1
Fix parsing of the < > quoted time zone names. Compare the correct character instead of repeatedly comparing the first character.
2016-10-21redesign snprintf without undefined behaviorRich Felker-25/+38
the old snprintf design setup the FILE buffer pointers to point directly into the destination buffer; if n was actually larger than the buffer size, the pointer arithmetic to compute the buffer end pointer was undefined. this affected sprintf, which is implemented in terms of snprintf, as well as some unusual but valid direct uses of snprintf. instead, setup the FILE as unbuffered and have its write function memcpy to the destination. the printf core sets up its own temporary buffer for unbuffered streams.
2016-10-20add missing confstr constantsDaniel Sabogal-1/+1
the _CS_V6_ENV and _CS_V7_ENV constants are required to be available for use with confstr. glibc defines these constants with values 1148 and 1149, respectively. the only missing (and required) confstr constants are _CS_POSIX_V7_THREADS_CFLAGS and _CS_POSIX_V7_THREADS_LDFLAGS which remain unavailable in glibc.
2016-10-20fix minor problem in previous strtod non-nearest rounding bug fixRich Felker-1/+1
commit 6ffdc4579ffb34f4aab69ab4c081badabc7c0a9a set lnz in the code path for non-zero digits after a huge string of zeros, but the assignment of dc to lnz truncates if the value of dc does not fit in int; this is possible for some pathologically long inputs, either via strings on 64-bit systems or via scanf-family functions. instead, simply set lnz to match the point at which we add the artificial trailing 1 bit to simulate nonzero digits after a huge run of zeros.
2016-10-20fix strtod int optimization in non-nearest rounding modeSzabolcs Nagy-1/+4
the mid-sized integer optimization relies on lnz set up properly to mark the last non-zero decimal digit, but this was not done if the non-zero digit lied outside the KMAX digits of the base 10^9 number representation. so if the fractional part was a very long list of zeros (>2048*9 on x86) followed by non-zero digits then the integer optimization could kick in discarding the tiny non-zero fraction which can mean wrong result on non-nearest rounding mode. strtof, strtod and strtold were all affected.
2016-10-20fix strtod and strtof rounding with many trailing zerosSzabolcs Nagy-0/+3
in certain cases excessive trailing zeros could cause incorrect rounding from long double to double or float in decfloat. e.g. in strtof("9444733528689243848704.000000", 0) the argument is 0x1.000001p+73, exactly halfway between two representible floats, this incorrectly got rounded to 0x1.000002p+73 instead of 0x1p+73, but with less trailing 0 the rounding was fine. the fix makes sure that the z index always points one past the last non-zero digit in the base 10^9 representation, this way trailing zeros don't affect the rounding logic.
2016-10-20fix gratuitous undefined behavior in strptimeRich Felker-2/+7
accessing an object of type const char *restrict as if it had type char * is not defined.
2016-10-20fix getopt_long_only misinterpreting "--" as an optionRich Felker-1/+1
2016-10-20fix float formatting of some exact halfway casesSzabolcs Nagy-1/+2
in nearest rounding mode exact halfway cases were not following the round to even rule if the rounding happened at a base 1000000000 digit boundary of the internal representation and the previous digit was odd. e.g. printf("%.0f", 1.5) printed 1 instead of 2.
2016-10-20add pthread_setname_npFelix Janda-0/+26
the thread name is displayed by gdb's "info threads".
2016-10-20fix clock_nanosleep error caseDaniel Sabogal-1/+3
posix requires that EINVAL be returned if the first parameter specifies the cpu-time clock of the calling thread (CLOCK_THREAD_CPUTIME_ID). linux returns ENOTSUP instead so we handle this.
2016-10-20math: fix pow signed shift ubSzabolcs Nagy-2/+2
j is int32_t and thus j<<31 is undefined if j==1, so j is changed to uint32_t locally as a quick fix, the generated code is not affected. (this is a strict conformance fix, future c standard may allow 1<<31, see DR 463. the bug was inherited from freebsd fdlibm, the proper fix is to use uint32_t for all bit hacks, but that requires more intrusive changes.) reported by Daniel Sabogal
2016-10-20use dynamic buffer for getmntentNatanael Copa-4/+13
overlayfs may have fairly long lines so we use getline to allocate a buffer dynamically. The buffer will be allocated on first use, expand as needed, but will never be free'ed. Downstream bug: http://bugs.alpinelinux.org/issues/5703 Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
2016-10-20fix integer overflows and uncaught EOVERFLOW in printf coreRich Felker-46/+89
this patch fixes a large number of missed internal signed-overflow checks and errors in determining when the return value (output length) would exceed INT_MAX, which should result in EOVERFLOW. some of the issues fixed were reported by Alexander Cherepanov; others were found in subsequent review of the code. aside from the signed overflows being undefined behavior, the following specific bugs were found to exist in practice: - overflows computing length of floating point formats with huge explicit precisions, integer formats with prefix characters and huge explicit precisions, or string arguments or format strings longer than INT_MAX, resulted in wrong return value and wrong %n results. - literal width and precision values outside the range of int were misinterpreted, yielding wrong behavior in at least one well-defined case: string formats with precision greater than INT_MAX were sometimes truncated. - in cases where EOVERFLOW is produced, incorrect values could be written for %n specifiers past the point of exceeding INT_MAX. in addition to fixing these bugs, we now stop producing output immediately when output length would exceed INT_MAX, rather than continuing and returning an error only at the end.
2016-10-19fix integer overflow in float printf needed-precision computationRich Felker-1/+1
if the requested precision is close to INT_MAX, adding LDBL_MANT_DIG/3+8 overflows. in practice the resulting undefined behavior manifests as a large negative result, which is then used to compute the new end pointer (z) with a wildly out-of-bounds value (more overflow, more undefined behavior). the end result is at least incorrect output and character count (return value); worse things do not seem to happen, but detailed analysis has not been done. this patch fixes the overflow by performing the intermediate computation as unsigned; after division by 9, the final result necessarily fits in int.
2016-10-06fix regexec with haystack strings longer than INT_MAXRich Felker-26/+28
we inherited from TRE regexec code that's utterly wrong with respect to the integer types it's using. while it doesn't appear that compilers are producing unsafe output, signed integer overflows seem to happen, and regexec fails to find matches past offset INT_MAX. this patch fixes the type of all variables/fields used to store offsets in the string from int to regoff_t. after the changes, basic testing showed that regexec can now find matches past 2GB (INT_MAX) and past 4GB on x86_64, and code generation is unchanged on i386.
2016-10-06fix missing integer overflow checks in regexec buffer size computationsRich Felker-5/+18
most of the possible overflows were already ruled out in practice by regcomp having already succeeded performing larger allocations. however at least the num_states*num_tags multiplication can clearly overflow in practice. for safety, check them all, and use the proper type, size_t, rather than int. also improve comments, use calloc in place of malloc+memset, and remove bogus casts.