summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorLines
2022-08-01fix strings.h feature test macro usage due to missing features.hMichael Pratt-0/+1
2022-08-01fix ESRCH error handling for clock_getcpuclockidEugene Yudin-0/+1
the syscall used to probe availability of the clock fails with EINVAL when the requested pid does not exist, but clock_getcpuclockid is specified to use ESRCH for this purpose.
2022-08-01aarch64: add vforkSzabolcs Nagy-0/+9
The generic vfork implementation uses clone(SIGCHLD) which has fork semantics. Implement vfork as clone(SIGCHLD|CLONE_VM|CLONE_VFORK, 0) instead which has vfork semantics. (stack == 0 means sp is unchanged in the child.) Some users rely on vfork semantics when memory overcommit is disabled or when the vfork child runs code that synchronizes with the parent process (non-conforming).
2022-08-01fix mishandling of errno in getaddrinfo AI_ADDRCONFIG logicRich Felker-0/+2
this code attempts to use the value of errno from failure of socket or connect to infer availability of the requested address family (v4 or v6). however, in the case where connect failed, there is an intervening call to close between connect and the use of errno. close is not required to preserve errno on success, and in fact the __aio_close code, which is called whenever aio is linked and thus always called in dynamic-linked programs, unconditionally clobbers errno. as a result, getaddrinfo fails with EAI_SYSTEM and errno=ENOENT rather than correctly determining that the address family was unavailable. this fix is based on report/patch by Jussi Nieminen, but simplified slightly to avoid breaking the case where socket, not connect, failed.
2022-07-19early stage ldso: remove symbolic references via error handling functionRich Felker-2/+11
while the error handling function should not be reached in stage 2 (assuming ldso itself was linked correctly), this was not statically determinate from the compiler's perspective, and in theory a compiler performing LTO could lift the TLS references (errno and other things) out of the printf-family functions called in a stage where TLS is not yet initialized. instead, perform the call via a static-storage, internal-linkage function pointer which will be set to a no-op function until the stage where the real error handling function should be reachable. inspired by commit 63c67053a3e42e9dff788de432f82ff07d4d772a.
2022-07-02in early stage ldso before __dls2b, call mprotect with __syscallAlex Xu (Hello71)-6/+8
if LTO is enabled, gcc hoists the call to ___errno_location outside the loop even though the access to errno is gated behind head != &ldso because ___errno_location is marked __attribute__((const)). this causes the program to crash because TLS is not yet initialized when called from __dls2. this is also possible if LTO is not enabled; even though gcc 11 doesn't do it, it is still wrong to use errno here. since the start and end are already aligned, we can simply call __syscall instead of using global errno. Fixes: e13a2b8953ef ("implement PT_GNU_RELRO support")
2022-06-23avoid limited space of random temp file names if clock resolution is lowRich Felker-1/+1
this is not an issue that was actually hit, but I noticed it during previous changes to __randname: if the resolution of tv_nsec is too low, the space of temp file names obtainable by a thread could plausibly be exhausted. mixing in tv_sec avoids this.
2022-06-03remove random filename obfuscation that leaks ASLR informationRich Felker-1/+2
the __randname function is used by various temp file creation interfaces as a backend to produce a name to attempt using. it does not have to produce results that are safe against guessing, and only aims to avoid unintentional collisions. mixing the address of an object on the stack in a reversible manner leaked ASLR information, potentially allowing an attacker who can observe the temp files created and their creation timestamps to narrow down the possible ASLR state of the process that created them. there is no actual value in mixing these addresses in; it was just obfuscation. so don't do it. instead, mix the tid, just to avoid collisions if multiple processes/threads stampede to create temp files at the same moment. even without this measure, they should not collide unless the clock source is very low resolution, but it's a cheap improvement. if/when we have a guaranteed-available userspace csprng, it could be used here instead. even though there is no need for cryptographic entropy here, it would avoid having to reason about clock resolution and such to determine whether the behavior is nice.
2022-06-03ensure distinct query id for parallel A and AAAA queries in resolverRich Felker-0/+3
assuming a reasonable realtime clock, res_mkquery is highly unlikely to generate the same query id twice in a row, but it's possible with a very low-resolution system clock or under extreme delay of forward progress. when it happens, res_msend fails to wait for both answers, and instead stops listening after getting two answers to the same query (A or AAAA). to avoid this, increment one byte of the second query's id if it matches the first query's. don't bother checking if the second byte is also equal, since it doesn't matter; we just need to ensure that at least one byte is distinct.
2022-05-15mntent: fix potential mishandling of extremely long linesRich Felker-0/+2
commit 05973dc3bbc1aca9b3c8347de6879ed72147ab3b made it so that lines longer than INT_MAX can in theory be read, but did not use a suitable type for the positions determined by sscanf. we could change to using size_t, but since the signature for getmntent_r does not admit lines longer than INT_MAX, it does not make sense to support them in the legacy thread-unsafe form either -- the principle here is that there should not be an incentive to use the unsafe function to get added functionality.
2022-05-15mntent: fix parsing lines with optional fieldsAlyssa Ross-3/+7
According to fstab(5), the last two fields are optional, but this wasn't accepted. After this change, only the first field is required, which matches glibc's behaviour. Using sscanf as before, it would have been impossible to differentiate between 0 fields and 4 fields, because sscanf would have returned 0 in both cases due to the use of assignment suppression and %n for the string fields (which is important to avoid copying any strings). So instead, before calling sscanf, initialize every string to the empty string, and then we can check which strings are empty afterwards to know how many fields were matched.
2022-05-06fix constraint violation in qsort wrapper around qsort_rRich Felker-1/+1
function pointer types do not implicitly convert to void *. a cast is required here.
2022-05-04use __fstat instead of __fstatat with AT_EMPTY_PATH in __map_fileRich Felker-2/+1
this isolates knowledge of the nonstandard AT_EMPTY_PATH extension to one place and returns __map_file to its prior simplicity.
2022-05-04provide an internal namespace-safe __fstatRich Felker-2/+5
this avoids the need for implementation-internal callers to depend on the nonstandard AT_EMPTY_PATH extension to use __fstatat and isolates knowledge of that extension to the implementation of __fstat.
2022-05-01only use fstatat and others legacy stat syscalls if they existRich Felker-1/+9
riscv32 and future architectures only provide statx.
2022-05-01drop direct use of stat syscalls in internal __map_fileRich Felker-3/+3
this function is used to implement some baseline ISO C interfaces, so it cannot call any of the stat functions by their public names. use the namespace-safe __fstatat instead.
2022-05-01provide an internal namespace-safe __fstatatRich Felker-1/+11
this makes it so we can drop direct stat syscall use in interfaces that can't use the POSIX namespace.
2022-05-01drop direct use of stat syscalls in fchmodatRich Felker-8/+7
instead, use the fstatat/stat functions, so that the logic for which syscalls are present and usable is all in fstatat. this results in a slight increase in cost for old kernels on 32-bit archs: now statx will be attempted first rather than just using the legacy time32 syscalls, despite us not caring about timestamps. however, it's not even clear that the legacy syscalls *should* succeed if the timestamps are out of range; arguably they should fail with EOVERFLOW. as such, paying a small cost here on old kernels seems well-motivated. with this change, fchmodat itself is no longer blocking ports to new archs that lack the legacy syscalls.
2022-05-01drop use of stat operation in temporary file name generationRich Felker-10/+6
this change serves two purposes: 1. it eliminates one of the few remaining uses of the kernel stat structure which will not be present in future archs, avoiding the need for growing ifdef logic here. 2. it potentially makes the operations less expensive when the candidate exists as a non-symlink by avoiding the need to read the inode (assuming the directory tables suffice to distinguish symlinks). this uses the idiom I discovered while rewriting realpath for commit 29ff7599a448232f2527841c2362643d246cee36 of being able to use the readlink operation as an inexpensive probe for file existence that doesn't following symlinks.
2022-05-01only fallback to gettimeofday/settimeofday syscalls if they existStefan O'Rear-0/+4
riscv32 and future architectures only provide the clock_ functions.
2022-05-01only use getrlimit/setrlimit syscalls if they existStefan O'Rear-1/+11
riscv32 and future architectures only provide prlimit64.
2022-04-27don't remap internal-use syscall macros to nonexistent time32 syscallsStefan O'Rear-10/+10
riscv32 and future architectures lack the _time32 variants entirely, so don't try to use their numbers. instead, reflect that they're not present.
2022-04-27remove ARMSUBARCH relic from configureStefan O'Rear-5/+0
commit 0f814a4e57e80d2512934820b878211e9d71c93e removed its use.
2022-04-20add missing POSIX confstr keys for pthread CFLAGS/LDFLAGSRich Felker-1/+3
_CS_POSIX_V7_THREADS_CFLAGS and _CS_POSIX_V7_THREADS_LDFLAGS have been missing for a long time, which is a conformance defect. we were waiting on glibc to add them or at least agree on the numeric values they will have so as to keep the numbering aligned. it looks like they will be added to glibc with these numbers, and in any case, this list does not have any significant churn that would result in the numbers getting taken.
2022-04-10fix incorrect parameter name in internal netlink.h RTA_OK macroOndrej Jirman-1/+1
the wrong name works only by accident.
2022-04-07release 1.2.3v1.2.3Rich Felker-1/+41
2022-03-27accept null pointer as message argument to gettext functionspsykose-0/+3
the change to support passing null was rejected in the past on the grounds that GNU gettext documented it as undefined, on an assumption that only glibc accepted it and that the standalone GNU gettext did not. but it turned out that both explicitly accept it. in light of this, since some software assumes null can be passed safely, allow it.
2022-03-16fix invalid free of duplocale object when malloc has been replacedIsaiah Poston-0/+5
newlocale and freelocale use __libc_malloc and __libc_free, but duplocale used malloc. If malloc was replaced, this resulted in invalid free using the wrong allocator when passing the result of duplocale to freelocale. Instead, use libc-internal malloc for duplocale. This bug was introduced by commit 1e4204d522670a1d8b8ab85f1cfefa960547e8af.
2022-03-08fix __WORDSIZE on x32 sys/user.hRich Felker-1/+1
sys/reg.h already had it right as 32, to which it was explicitly changed when commit 664cd341921007cea52c8891f27ce35927dca378 derived x32 from x86_64. but the copy exposed in sys/user.h was missed.
2022-03-08sys/ptrace.h: add PTRACE_GET_RSEQ_CONFIGURATION from linux v5.13Szabolcs Nagy-0/+9
see linux commit 90f093fa8ea48e5d991332cee160b761423d55c1 rseq, ptrace: Add PTRACE_GET_RSEQ_CONFIGURATION request the struct type got __ prefix to follow existing practice.
2022-03-08sys/prctl.h: add PR_PAC_{SET,GET}_ENABLED_KEYS from linux v5.13Szabolcs Nagy-0/+3
see linux commit 201698626fbca1cf1a3b686ba14cf2a056500716 arm64: Introduce prctl(PR_PAC_{SET,GET}_ENABLED_KEYS)
2022-03-08elf.h: add NT_ARM_PAC_ENABLED_KEYS from linux v5.13Szabolcs Nagy-0/+1
see linux commit 201698626fbca1cf1a3b686ba14cf2a056500716 arm64: Introduce prctl(PR_PAC_{SET,GET}_ENABLED_KEYS)
2022-03-08netinet/in.h: add INADDR_DUMMY from linux v5.13Szabolcs Nagy-0/+1
see linux commit 321827477360934dc040e9d3c626bf1de6c3ab3c icmp: don't send out ICMP messages with a source address of 0.0.0.0 "RFC7600 reserves a dummy address to be used as a source for ICMP messages (192.0.0.8/32), so let's teach the kernel to substitute that address as a last resort if the regular source address selection procedure fails."
2022-03-08bits/syscall.h: add landlock syscalls from linux v5.13Szabolcs Nagy-0/+48
see linux commit a49f4f81cb48925e8d7cbd9e59068f516e984144 arch: Wire up Landlock syscalls linuxcommit 17ae69aba89dbfa2139b7f8024b757ab3cc42f59 Merge tag 'landlock_v34' of ... jmorris/linux-security Landlock provides for unprivileged application sandboxing. The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem access) for a set of processes. Landlock is inspired by seccomp-bpf but instead of filtering syscalls and their raw arguments, a Landlock rule can restrict the use of kernel objects like file hierarchies, according to the kernel semantic.
2022-03-08netinet/tcp.h: add tcp_zerocopy_receive fields from linux v5.12Szabolcs Nagy-0/+4
see linux commit 7eeba1706eba6def15f6cb2fc7b3c3b9a2651edc tcp: Add receive timestamp support for receive zerocopy. linux commit 3c5a2fd042d0bfac71a2dfb99515723d318df47b tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
2022-03-08netinet/tcp.h: add TCP_NLA_* values up to linux v5.12Szabolcs Nagy-0/+2
TCP_NLA_EDT was new in v5.9, see linux commit 48040793fa6003d211f021c6ad273477bcd90d91 tcp: add earliest departure time to SCM_TIMESTAMPING_OPT_STATS TCP_NLA_TTL is new in v5.12, see linux commit e7ed11ee945438b737e2ae2370e35591e16ec371 tcp: add TTL to SCM_TIMESTAMPING_OPT_STATS
2022-03-08s390x: add ptrace requests from linux v5.12Szabolcs Nagy-0/+3
PTRACE_OLDSETOPTIONS is old, but it was missing, PTRACE_SYSEMU and PTRACE_SYSEMU_SINGLESTEP are new, see linux commit 56e62a73702836017564eaacd5212e4d0fa1c01d s390: convert to generic entry
2022-03-08bits/syscall.h: add mount_setattr from linux v5.12Szabolcs Nagy-0/+16
new syscall to change the properties of a mount or a mount tree using file descriptors which the new mount api is based on, see linux commit 2a1867219c7b27f928e2545782b86daaf9ad50bd fs: add mount_setattr()
2022-03-08signal.h: add new sa_flags from linux v5.11Szabolcs Nagy-0/+3
see linux commit a54f0dfda754c5cecc89a14dab68a3edc1e497b5 signal: define the SA_UNSUPPORTED bit in sa_flags linux commit 6ac05e832a9e96f9b1c42a8917cdd317d7b6c8fa signal: define the SA_EXPOSE_TAGBITS bit in sa_flags Note: SA_ is in the posix reserved namespace so these linux specific flags can be exposed when compiling for posix.
2022-03-08signal.h: add SYS_USER_DISPATCH si_code value from linux v5.11Szabolcs Nagy-0/+1
see linux commit 1d7637d89cfce54a4f4a41c2325288c2f47470e8 signal: Expose SYS_USER_DISPATCH si_code type
2022-03-08signal.h: add si_code values for SIGSYSSzabolcs Nagy-0/+2
unlike other si_code defines, SYS_ is not in the posix reserved namespace which is likely the reason why SYS_SECCOMP was previously missing (was new in linux v3.5).
2022-03-08netinet/tcp.h: add tcp zerocopy related changes from linux v5.11Szabolcs Nagy-0/+5
see linux commit 18fb76ed53865c1b5d5f0157b1b825704590beb5 net-zerocopy: Copy straggler unaligned data for TCP Rx. zerocopy. linux commit 94ab9eb9b234ddf23af04a4bc7e8db68e67b8778 net-zerocopy: Defer vm zap unless actually needed.
2022-03-08netinet/if_ether.h: add ETH_P_CFM from linux v5.11Szabolcs Nagy-0/+1
see linux commit fbaedb4129838252570410c65abb2036b5505cbd bridge: uapi: cfm: Added EtherType used by the CFM protocol.
2022-03-08sys/socket.h: add new SO_ socket options from linux v5.11Szabolcs Nagy-0/+2
see linux commit 7fd3253a7de6a317a0683f83739479fb880bffc8 net: Introduce preferred busy-polling linux commit 7c951cafc0cb2e575f1d58677b95ac387ac0a5bd net: Add SO_BUSY_POLL_BUDGET socket option
2022-03-08sys/prctl.h: add PR_SET_SYSCALL_USER_DISPATCH from linux v5.11Szabolcs Nagy-0/+6
see linux commit 1446e1df9eb183fdf81c3f0715402f1d7595d4cb kernel: Implement selective syscall userspace redirection linux commit 36a6c843fd0d8e02506681577e96dabd203dd8e8 entry: Use different define for selector variable in SUD redirect syscalls to a userspace handler via SIGSYS, except for a specific range of code. can be toggled via a memory write to a selector variable. mainly for wine.
2022-03-08bits/syscall.h: add epoll_pwait2 from linux v5.11Szabolcs Nagy-0/+16
see linux commit b0a0c2615f6f199a656ed8549d7dce625d77aa77 epoll: wire up syscall epoll_pwait2 linux commit 58169a52ebc9a733aeb5bea857bc5daa71a301bb epoll: add syscall epoll_pwait2 epoll_wait with struct timespec timeout instead of int. no time32 variant.
2022-03-08nice: return EPERM instead of EACCESAlexey Kodanev-1/+8
To comply with POSIX, change errno from EACCES to EPERM when the caller did not have the required privilege.
2022-03-08protect stack canary from leak via read-as-string by zeroing second bytejvoisin-0/+9
This reduces entropy of the canary from 64-bit to 56-bit in exchange for mitigating non-terminated C string overflows by setting the second byte of the canary to nul, so that off-by-one write overflow with a nul byte can still be detected. Idea from GrapheneOS bionic commit 7024d880b51f03a796ff8832f1298f2f1531fd7b
2022-03-08math: avoid runtime conversions of floating-point constantsSzabolcs Nagy-2/+6
gcc-12 with -frounding-mode will do inexact constant conversions at runtime according to the runtime rounding mode. in the math library we want constants to be rounding mode independent so this patch fixes cases where new runtime conversions happen with gcc-12. fortunately this only affects two minor cases, the fix uses global initializers where rounding mode does not apply. after the patch the same amount of conversions happen with gcc-12 as with gcc-11.
2022-02-20fix spurious failures by fgetws when buffer ends with partial characterRich Felker-6/+1
commit a90d9da1d1b14d81c4f93e1a6d1a686c3312e4ba made fgetws look for changes to errno by fgetwc to detect encoding errors, since ISO C did not allow the implementation to set the stream's error flag in this case, and the fgetwc interface did not admit any other way to detect the error. however, the possibility of fgetwc setting errno to EILSEQ in the success path was overlooked, and in fact this can happen if the buffer ends with a partial character, causing mbtowc to be called with only part of the character available. since that change was made, the C standard was amended to specify that fgetwc set the stream error flag on encoding errors, and commit 511d70738bce11a67219d0132ce725c323d00e4e made it do so. thus, there is no longer any need for fgetws to poke at errno to handle encoding errors. this commit reverts commit a90d9da1d1b14d81c4f93e1a6d1a686c3312e4ba and thereby fixes the problem.