summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)AuthorLines
2024-03-02iconv: fix missing bounds checking for shift_jis decodingHEADmasterRich Felker-0/+1
the jis0208 table we use is only 84x94 in size, but the shift_jis encoding supports a 94x94 grid. attempts to convert sequences outside of the supported zone resulted in out-of-bounds table reads, misinterpreting adjacent rodata as part of the character table and thereby converting these sequences to unexpected characters.
2024-03-02add missing inline keyword on default a_barrier definitionRich Felker-1/+1
this is not needed, but may act as a hint to the compiler, and also serves to suppress unused function warnings if enabled (on by default since commit 86ac0f794731f03dfff40ee843ff9e2752945d5e).
2024-03-01iconv: add aliases for GBKRich Felker-1/+1
these are taken from the IANA registry, restricted to those that match the forms already used for other supported character encodings.
2024-03-01iconv: add euro symbol to GBK as single byte 0x80Rich Felker-0/+4
this is how it's defined in the cp936 document referenced by the IANA charset registry as defining GBK, and of the mappings defined there, was the only one missing. it is not accepted for GB18030, as GB18030 is a UTF and has its own unique mapping for the euro symbol.
2024-02-29iconv: add cp932 as an alias for shift_jisRich Felker-1/+1
2024-02-29riscv32: add thread supportStefan O'Rear-0/+76
Identical to riscv64 except for stack offsets in clone.
2024-02-29riscv32: add setjmp/longjmp and sigreturnStefan O'Rear-0/+114
Largely copied from riscv64 but required recalculation of offsets.
2024-02-29riscv32: add dlsymStefan O'Rear-0/+6
Identical to riscv64.
2024-02-29riscv32: add fenv and mathStefan O'Rear-0/+239
These are identical to riscv64.
2024-02-29getnameinfo: fix calling __dns_parse with potentially too large rlenAlexey Izbyshev-1/+3
__res_send returns the full answer length even if it didn't fit the buffer, but __dns_parse expects the length of the filled part of the buffer. This is analogous to commit 77327ed064bd57b0e1865cd0e0364057ff4a53b4, which fixed the only other __dns_parse call site.
2024-02-29posix_spawn: fix child spinning on write to a broken pipeAlexey Izbyshev-1/+6
A child process created by posix_spawn reports errors to its parent via a pipe, retrying infinitely on any write error to prevent falsely reporting success. If the (original) parent dies before write is attempted, there is nobody to report to, but the child will remain stuck in the write loop forever if SIGPIPE is blocked or ignored. Fix this by not retrying write if it fails with EPIPE.
2024-02-26loongarch64 __clone: align stack pointer mod 16wanghongliang-0/+1
According to LoongArch ABI Specs, stack need to be 16 align to improve performance and compiler layout of stack frames.
2024-02-25riscv: fall back to syscall __riscv_flush_icacheStefan O'Rear-0/+1
Matches glibc behavior and fixes a case where we could fall off the function without returning a value.
2024-02-25sh dlsym: fix passing of return address for RTLD_NEXT useRich Felker-1/+1
this code dates back to the original commit of the sh port, with no real clue as to how the bug was introduced. it looks like it was written to assume the return address was pushed to the stack like on x86, rather than arriving in the pr special register.
2024-02-24add statx interface using syscall, fallback to fstatatDuncan Bellamy-0/+42
2024-02-22use new SYS_fchmodat2 syscall to implement fchmodat with flagsGaël PORTAY-1/+4
commit 0dc4824479e357a3e23a02d35527e23fca920343 worked around for lack of flags argument in syscall for fchmodat. linux 6.6 introduced a new syscall, SYS_fchmodat2, fixing this deficiency. use it if any flags are passed, and fallback to the old strategy on ENOSYS. continue using the old syscall when there are no flags. this is the exact same strategy used when SYS_faccessat2 was used to implement faccessat with flags.
2024-02-22remove flag argument from fchmodat syscallGaël PORTAY-1/+1
linux's does not have the flag argument for fchmodat syscall.
2024-02-22add framework to support archs without a native wait4 syscallRich Felker-4/+71
this commit should make no codegen change for existing archs, but is a prerequisite for new archs including riscv32. the wait4 emulation backend provides both cancellable and non-cancellable variants because waitpid is required to be a cancellation point, but all of our other uses are not, and most of them cannot be. based on patch by Stefan O'Rear.
2024-02-17sh: fix sigsetjmp corrupting call-saved register r8Rich Felker-1/+1
due to incorrect base address register when attempting to reload the saved value of r8, the caller's value of r8 was not preserved.
2024-02-16add loongarch64 portHongliang Wang-0/+257
Author: Xiaojuan Zhai <zhaixiaojuan@loongson.cn> Author: Meidan Li <limeidan@loongson.cn> Author: Guoqi Chen <chenguoqi@loongson.cn> Author: Xiaolin Zhao <zhaoxiaolin@loongson.cn> Author: Fan peng <fanpeng@loongson.cn> Author: Jiantao Shan <shanjiantao@loongson.cn> Author: Xuhui Qiang <qiangxuhui@loongson.cn> Author: Jingyun Hua <huajingyun@loongson.cn> Author: Liu xue <liuxue@loongson.cn> Author: Hongliang Wang <wanghongliang@loongson.cn>
2024-02-16strftime: fix breakage in last change (uninitialized pointer access)Rich Felker-1/+6
commit f47a5d400b8ffa26cfc5b345dbff52fec94ac7f3 overlooked that strtoul was responsible for setting p to a const-laundered copy of the format string pointer f, even in the case where there was no number to parse. by making the call conditional on isdigit, that copy was lost. the logic here is a mess and should be cleaned up, but for now, this seems to be the least invasive change that undoes the breakage.
2024-02-07syslog: use C locale for timestamp generationRich Felker-1/+2
depending on contents of the LC_TIME locale, log messages could be malformatted (especially if the ABMON strings contain non-alphabetic characters) or the subsequent code could invoke undefined behavior, via passing a timebuf[] with unspecified contents to snprintf, if the translated ABMON string did not fit in the 16-byte timebuf. this does not appear to be a security-relevant bug, as locale loading functionality is intentionally not available to set*id programs -- the MUSL_LOCPATH environment variable is ignored when libc.secure is true, and custom locales are not loadable without it.
2024-02-03riscv: add TLSDESC supportRich Felker-0/+32
2024-02-03sqrtl: fix invalid use of a non-constant-expression as static initializerRich Felker-2/+2
having these constants be static was unnecessary, so just remove the static. this error should have been caught by compilers, but recent versions of both gcc and clang accept these as "other forms of constant expressions" which the C standard allows.
2024-02-03riscv: correct symbol version of __vdso_flush_icachegns-1/+1
Previously, __riscv_flush_icache would not work correctly as __vdso_flush_icache had a wrong symbol version. Fix this by correcting symbol version. Fixes: 0a48860c27a8 ("add riscv64 architecture support")
2024-01-25add preadv2 and pwritev2 syscall wrappers, flag value macrosRich Felker-0/+34
2024-01-21expose ppoll in default feature profileRich Felker-1/+1
the ppoll function has been accepted as a future part of the standard as the outcome of Austin Group tracker issue 1263. at some point it should be exposed unconditionally, but for now, expose it in the default feature profile.
2024-01-21move ppoll from src/linux to src/select reflecting future standardizationRich Felker-0/+0
the ppoll function has been accepted as a future part of the standard as the outcome of Austin Group tracker issue 1263. move the source file to reflect this.
2024-01-17remove INT_MAX limit on the n argument to snprintf/swprintfRich Felker-8/+0
this was a POSIX requirement that was always in conflict with ISO C, which specified a well-defined behavior for snprintf and swprintf so long as the actual number of bytes/characters produced did not exceed INT_MAX. I originally raised this conflict for snprintf with the Austin Group as tracker issue 761, which was never resolved. it was later reported again as issue 1219, and as a result the conflicting requirement has been removed. the corresponding issue with swprintf does not seem to have been addressed, but as the same reasoning applies to it, I am removing the limitation on n for swprintf as well.
2023-11-21strftime: don't attempt to parse field width without seeing a digitRich Felker-1/+2
strtoul will consume leading whitespace or sign characters, which are not valid in this context, thereby accepting invalid field specifiers. so, avoid calling it unless there is a number to parse as the width.
2023-11-16mntent: fields are delimited only by tabs or spaces, not general whitespaceRich Felker-1/+1
this matters because the kernel-provided mtab only escapes tabs, spaces, newlines, and backslashes. it leaves carriage returns, form feeds, and vertical tabs literal.
2023-11-16mntent: unescape octal sequencesq66-4/+40
As entries in mtab are delimited by spaces, whitespace characters are escaped as octal sequences. When reading them out, we have to unescape these sequences to get the proper string.
2023-11-06ldso: convert TLSDESC_BACKWARDS from "#ifdef" to "if" logicRich Felker-0/+4
this style is preferred because it allows the code to be compile-checked even on archs where it is not used.
2023-11-06byte-based printf family: emit a nul byte for %lc with argument zeroRich Felker-0/+2
this is contrary to the spec as written, which requires %lc to behave as if it were %ls on a 2-wchar_t buffer containing the argument and zero. however, apparently no other implementations conform to the spec as written, and in response to Austin Group issue #1647, WG14 chose to align with existing practice and have %lc produce output for this case.
2023-11-06remove arbitrary limit from dns result parsingQuentin Rameau-1/+0
The name resolution would abort when getting more than 63 records per request, due to what seems to be a left-over from the original code. This check was non-breaking but spurious prior to TCP fallback support, since any 512-byte packet with more than 63 records was necessarily malformed. But now, it wrongly rejects valid results. Reported by Daniel Stefanik in Alpine Linux aports issue 15320.
2023-11-06pass AT_NO_AUTOMOUNT when emulating fstatat via statxAlexey Izbyshev-0/+1
AT_NO_AUTOMOUNT is implied for stat/lstat/fstatat syscalls since Linux 3.1 (commit b6c8069d3577481390b3f24a8434ad72a3235594). However, this is not the case for statx syscall, which defaults to automounting, so this flag must be passed explicitly when statx is used to implement stat-like functions. This change affects only arches which use 32-bit seconds in struct kstat, as well as out-of-tree/future ports to arches which lack SYS_fstatat.
2023-11-06__year_to_secs: fix dangling pointerAlex Xu (Hello71)-2/+2
The lifetime of the compound literal ends after the "if" statement's implicit block. gcc also warns about this.
2023-11-06timer_create: volatile static -> static volatileAlex Xu (Hello71)-1/+1
C11 6.11.5p1: > The placement of a storage-class specifier other than at the > beginning of the declaration specifiers in a declaration is an > obsolescent feature. gcc also warns about this.
2023-11-06ensure valid setxid return value in an unexpected error caseMarkus Wichmann-1/+1
If __synccall() fails to capture all threads because tkill fails for some reason other than EAGAIN, then the callback given will never be executed, so nothing will ever overwrite the initial value. So that is the value that will be returned from the function. The previous setting of 1 is not a valid value for setuid() et al. to return. I chose -EAGAIN since I don't know the reason the synccall failed ahead of time, but EAGAIN is a specified error code for a possibly temporary failure in setuid().
2023-11-06synccall: add separate exit_sem to fix thread release logic bugMarkus Wichmann-3/+5
The code intends for the sem_post() in line 97 (now 98) to only unblock target threads waiting on line 29. But after the first thread is released, the next sem_post() might also unblock a thread waiting on line 36. That would cause the thread to return to the execution of user code before all threads are done, leading to user code being executed in a mixed-credentials environment. What's more, if this happens more than once, then the mass release on line 110 (now line 111) will cause multiple threads to execute the callback at the same time, and the callbacks are currently not written to cope with that situation. Adding another semaphore allows the caller to say explicitly which threads it wants to release.
2023-08-24glob: fix wrong return code when aborting before any matchesRich Felker-1/+1
when the result count was zero, glob was ignoring a possible GLOB_ABORTED error code and returning GLOB_NOMATCH. whether this happened could be nondeterministic and dependent on the order of dirent enumeration, in cases where multiple matches were present and only some produced errors. caught by Tor's test_util_glob.
2023-08-19statvfs: allocate spare for f_typeнаб-0/+1
This is the only missing part in struct statvfs. The LSB calls [f]statfs() deprecated, and its weird types are definitely off-putting. However, its use is required to get f_type. Instead, allocate one of the six spares to f_type, copied directly from struct statfs. This then becomes a small extension to the standard interface on Linux, instead of two different interfaces, one of which is quite odd due to being an ABI type, and there no longer is any reason to use statfs(). The underlying kernel type is a mess, but all architectures agree on u32 (or more) for the ABI, and all filesystem magicks are 32-bit integers. Since commit 6567db65f495cf7c11f5c1e60a3e54543d5a69bc (prior to 1.0.0), the spare slots have been zero-filled, so on all versions that may be reasonably be encountered in the wild, applications can rely on a nonzero f_type as indication that the new field has been filled in.
2023-08-19math: fix ld80 powl(x,huge) and powl(LDBL_MAX,small)Szabolcs Nagy-13/+21
powl used >= LDBL_MAX as infinity check, but LDBL_MAX is finite, so this can cause wrong results e.g. powl(LDBL_MAX, 0.5) returned inf or powl(2, LDBL_MAX) returned inf without raising overflow. huge y values (close to LDBL_MAX) could cause intermediate results to overflow (computing y * log2(x) with more than long double precision) and e.g. powl(0.5, 0x1p16380L) or powl(10, 0x1p16380L) returned nan. this is fixed by handling huge y early since that always overflows or underflows. reported by Paul Zimmermann against expl10 (which uses powl).
2023-08-19math: fix ld80 acoshl(x) for x < 0Szabolcs Nagy-3/+7
acosh(x) is nan for x < 1, but x < 0 cases were not handled specially and acoshl gave wrong result for some -0x1p32 < x < -2 values, e.g.: acoshl(-0x1p20) returned -inf, acoshl(-0x1.4p20) returned -0x1.db365758403aa9acp+0L, fixed by checking the sign bit and handling it specially. reported by Paul Zimmermann.
2023-07-17fix rejection of dns responses with pointers past 512 byte offsetRich Felker-2/+2
the __dns_parse code used by the stub resolver traditionally included code to reject label pointers to offsets past a 512 byte limit, despite never processing the label contents, only stepping over them. when commit 51d4669fb97782f6a66606da852b5afd49a08001 added support for tcp fallback, this limit was overlooked, and as a result, it was at least theoretically possible for some valid large answers to be rejected on account of these offsets. since the limit was never serving any useful purpose, just remove it.
2023-07-04dns stub resolver: increase buffer size to handle chained CNAMEsRich Felker-1/+1
in the event of chained CNAMEs, the answer to a query will contain the entire CNAME chain, not just one CNAME record. previously, the answer buffer size had been chosen to admit a maximal-length CNAME, but only one. a moderate-length chain could fill the available 768 bytes leaving no room for an actual address answering the query. while the DNS RFCs do not specify any limit on the length of a CNAME chain, or any reasonable behavior is the chain exceeds the entire 64k possible message size, actual recursive servers have to impose a limit, and a such, for all practical purposes, chains longer than this limit are not usable. it turns out BIND has a hard-coded limit of 16, and Unbound has a default limit of 11. assuming the recursive server makes use of "compression" (pointers), each maximal-length CNAME record takes at most 268 bytes, and thus any chain up to length 16 fits in at most 4288 bytes. this patch increases the answer buffer size to preserve the original intent of having 512 bytes available for address answers, plus space needed for a maximal CNAME chain, for a total of 4800 bytes. the resulting size of 9600 bytes for two queries (A+AAAA) is still well within what is reasonable to place in automatic storage.
2023-06-12printf core: fix gratuitous integer formatting buffer sizeRich Felker-1/+1
the extra terms 3 and LDBL_MANT_DIG/4 are remnants of a proto-musl implementation of printf where the sign/prefix and floating point conversions were performed naively into this buffer. having them there obscures the actual intended buffer size (sufficient to hold between 2 and 3 octal digits per byte, rounded up to 3 for simplicity) and interferes with upcoming work to add C2x binary formats which would otherwise be stuck having to explain a similar fix to buffer size as part of an unrelated change.
2023-06-12all printf variants: fix argument type handling for %c and %lcRich Felker-4/+4
%c takes an argument of type int, not char, and %lc/%C takes an argument of type wint_t (unsigned), not int. for most cases, this makes no practical difference, but since wide printf variants convert narrow %c format specifiers via btowc, interpreting the promoted-to-int unsigned char value passed in as a (signed, on most archs) char causes 255 to get collapsed to EOF and interpreted as such by btowc. this is only relevant in the byte-based C locale, so prior to commit f22a9edaf8a6f2ca1d314d18b3785558279a5c03, there was no observable distinction in behavior. for UTF-8, all bytes which might be negative when interpreted as char are encoding errors when used with %c/btowc.
2023-06-01fix public clone function to be safe and usable by applicationsRich Felker-16/+68
the clone() function has been effectively unusable since it was added, due to producing a child process with inconsistent state. in particular, the child process's thread structure still contains the tid, thread list pointers, thread count, and robust list for the parent. this will cause malfunction in interfaces that attempt to use the tid or thread list, some of which are specified to be async-signal-safe. this patch attempts to make clone() consistent in a _Fork-like sense. as in _Fork, when the parent process is multi-threaded, the child process inherits an async-signal context where it cannot call AS-unsafe functions, but its context is now intended to be safe for calling AS-safe functions. making clone fork-like would also be a future option, if it turns out that this is what makes sense to applications, but it's not done at this time because the changes would be more invasive. in the case where the CLONE_VM flag is used, clone is only vfork-like, not _Fork-like. in particular, the child will see itself as having the parent's tid, and cannot safely call any libc functions but one of the exec family or _exit. handling of flags and variadic arguments is also changed so that arguments are only consumed with flags that indicate their presence, and so that flags which produce an inconsistent state are disallowed (reported as EINVAL). in particular, all libc functions carry a contract that they are only callable with ABI requirements met, which includes having a valid thread pointer to a thread structure that's unique within the process, and whose contents are opaque and only able to be setup internally by the implementation. the only way for an application to use flags that violate these requirements without executing any libc code is to perform the syscall from application-provided asm.
2023-06-01fix broken thread list unlocking after forkRich Felker-1/+1
apparently Linux clears the registered exit futex address on fork. this means that, if after forking the child process becomes multithreaded and the original thread exits, the thread list will never be unlocked, and future attempts to use the thread list will deadlock. re-register the exit futex address after _Fork in the child to ensure that it's preserved.