Age | Commit message (Collapse) | Author | Files | Lines |
|
The GNU_PROPERTY_NO_MEMORY_SEAL is a GNU property per module instructing
the glibc not to seal the object PT_LOAD. It can be used for any reason
the modules require to seal not to be enabled (i.e., on Firefox hack to
bypass the dynamic loader and enable DT_RELR on older glibc [1]). In
this case, it is up to the module to apply memory sealing itself.
The sealing is applied by default, and it is always enforced with
glibc.rtld.seal=2.
Checked on aarch64-linux-gnu, x86_64-linux-gnu, and
powerpc64le-linux-gnu.
[1] https://glandium.org/blog/?p=4297
|
|
So the static binary can opt-out of memory sealing.
Checked on x86_64-linux-gnu.
|
|
The new Linux mseal syscall allows seal memory mappings to avoid
further changes such as memory protection or remap. The sealing
is done in multiple places where the memory is supposed to
be immutable over program execution:
* All shared library dependencies from the binary, including the
read-only segments after PT_GNU_RELRO setup.
* The binary itself, including dynamic and static links. In both
It is up either to binary or the loader to set up the sealing.
* Any preload libraries.
* Any library loaded with dlopen with RTLD_NODELETE flag (including
libgcc.so loaded to enable unwind and/or thread cancellation).
* Audit modules.
* The loader bump allocator.
For binary dependencies, the RTLD_NODELETE signals the
link_map should be sealed. It also makes dlopen objects with the
flag sealed as well.
The sealing is controlled by a new tunable, glibc.rtld.seal, with
three different states:
0. Disabled, where no memory sealing is done.
1. Enabled, where the loader will issue the mseal syscall on the
memory mappings but any failure will be ignored. This is
the default.
2. Enforce, similar to Enabled but any failure from the mseal
will terminate the process.
Checked on x86_64-linux-gnu and aarch64-linux-gnu.
|
|
It has been added on Linux 6.10 (8be7258aad44b5e25977a98db136f677fa6f4370)
as a way to block operations such as mapping, moving to another location,
shrinking the size, expanding the size, or modifying it to a pre-existent
memory mapping.
Although the system only work on 64 bit CPU, the entrypoint was
added for all ABIs (since kernel might eventually implement it to
additional ones and/or the abi can execute on a 64-bit kernel).
Checked on x86_64-linux-gnu.
|
|
* On dlopen dependencies for objects opened with RTLD_NODELETE
(since it does not make sense to unload a dependency of a
RTLD_NODELETE object);
* For the main map executable.
* For the main map DT_NEEDED dependencies.
* On __libc_unwind_link_get for libgcc_s.so (used for backtrace and
unwind).
Checked on x86_64-linux-gnu.
|
|
This helps HotColdSplitting in GCC/LLVM.
Thought about doing `exit` as well since its only called once per
process, but since its easy to imagine a hot path leading into
`exit(0)`, its less clear if its profitable.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
|
|
requests.
Message-ID: <gtxd6s4s7fi7hdrlb7zayq3akij7x6jqawwq3zfl3v4nqspulo@euucuzeonrl6>
|
|
Even if C/POSIX standard states that exit is not formally thread-unsafe,
calling it more than once is UB. The glibc already supports
it for the single-thread, and both elf/nodelete2.c and tst-rseq-disable.c
call exit from a DSO destructor (which is called by _dl_fini, registered
at program startup with __cxa_atexit).
However, there are still race issues when it is called more than once
concurrently by multiple threads. A recent Rust PR triggered this
issue [1], which resulted in an Austin Group ask for clarification [2].
Besides it, there is a discussion to make concurrent calling not UB [3],
wtih a defined semantic where any remaining callers block until the first
call to exit has finished (reentrant calls, leaving through longjmp, and
exceptions are still undefined).
For glibc, at least reentrant calls are required to be supported to avoid
changing the current behaviour. This requires locking using a recursive
lock, where any exit called by atexit() handlers resumes at the point of
the current handler (thus avoiding calling the current handle multiple
times).
Checked on x86_64-linux-gnu and aarch64-linux-gnu.
[1] https://github.com/rust-lang/rust/issues/126600
[2] https://austingroupbugs.net/view.php?id=1845
[3] https://www.openwall.com/lists/libc-coord/2024/07/24/4
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
|
|
It was added by commit c62b758bae6af16 as a way for userspace to
check if two file descriptors refer to the same struct file.
Checked on aarch64-linux-gnu.
Reviewed-by: Florian Weimer <fweimer@redhat.com>
|
|
Tested for aarch64-linux-gnu.
Reviewed-by: Florian Weimer <fweimer@redhat.com>
|
|
This patch updates the kernel version in the tests tst-mman-consts.py,
tst-mount-consts.py, and tst-pidfd-consts.py to 6.9.
There are no new constants covered by these tests in 6.10.
Tested with build-many-glibcs.py.
Reviewed-by: Florian Weimer <fweimer@redhat.com>
|
|
Linux 6.10 changes for syscall are:
* mseal for all architectures.
* map_shadow_stack for x32.
* Replace sync_file_range with sync_file_range2 for csky (which
fixes a broken sync_file_range usage).
Update syscall-names.list and regenerate the arch-syscall.h headers
with build-many-glibcs.py update-syscalls.
Tested with build-many-glibcs.py.
Reviewed-by: Florian Weimer <fweimer@redhat.com>
|
|
Tested with build-many-glibcs.py (host-libraries, compilers and glibcs
builds).
Reviewed-by: Florian Weimer <fweimer@redhat.com>
|
|
(bz 31394)
It seems the kernel can not deal with uncommitted stack space in the area intended
for the register window when executing the clone() system call. So create a nested
frame (proxy for the kernel frame) and flush it from the processor to memory to
force committing pages to the stack before invoking the system call.
Bug: https://www.mail-archive.com/debian-glibc@lists.debian.org/msg62592.html
Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=31394
See-also: https://lore.kernel.org/sparclinux/62f9be9d-a086-4134-9a9f-5df8822708af@mkarcher.dialup.fu-berlin.de/
Signed-off-by: Michael Karcher <sourceware-bugzilla@mkarcher.dialup.fu-berlin.de>
Reviewed-by: DJ Delorie <dj@redhat.com>
|
|
The existing description for setrlimit() has some ambiguity. It could be
understood to have the semantics of getrlimit(), i.e., the limits from the
process are stored in the provided rlp pointer.
Make the description more explicit that rlp are the input values, and that
the limits of the process is changed with this function.
Reviewed-by: Florian Weimer <fweimer@redhat.com>
|
|
The manual entry for `putc' described what "most systems" do instead of
describing the glibc implementation and its guarantees. This commit
fixes that by warning that putc may be implemented as a macro that
double-evaluates `stream', and removing the performance claim.
Even though the current `putc' implementation does not double-evaluate
`stream', offering this obscure guarantee as an extension to what
POSIX allows does not seem very useful.
The entry for `putwc' is also edited to bring it in line with `putc'.
Reviewed-by: Florian Weimer <fweimer@redhat.com>
|
|
From new tests added by 4dc22baa84bdb4111c0ac0db7139bf9ab953bf61.
Signed-off-by: Julian Zhu <jz531210@gmail.com>
|
|
Fixes build failures on Hurd.
|
|
This helps compilers split the codegen for setting up the arguments
(`__expression`, `__filename`, etc...) from the potentially hot cold
where the `assert` is to a presumably cold region on the assertion
failure path.
Reviewed-by: Florian Weimer <fweimer@redhat.com>
Reviewed-by: Sam James <sam@gentoo.org>
|
|
Complement commit b03e4d7bd25b ("stdio: fix vfscanf with matches longer
than INT_MAX (bug 27650)") and add a test case for the issue, inspired
by the reproducer provided with the bug report.
This has been verified to succeed as from the commit referred and fail
beforehand.
As the test requires 2GiB of data to be passed around its performance
has been evaluated using a choice of systems and the execution time
determined to be respectively in the range of 9s for POWER9@2.166GHz,
24s for FU740@1.2GHz, and 40s for 74Kf@950MHz. As this is on the verge
of and beyond the default timeout it has been increased by the factor of
8. Regardless, following recent practice the test has been added to the
standard rather than extended set.
Reviewed-by: DJ Delorie <dj@redhat.com>
|
|
Add a FAIL test failure helper analogous to FAIL_RET, that does not
cause the current function to return, providing a standardized way to
report a test failure with a message supplied while permitting the
caller to continue executing, for further reporting, cleaning up, etc.
Update existing test cases that provide a conflicting definition of FAIL
by removing the local FAIL definition and then as follows:
- tst-fortify-syslog: provide a meaningful message in addition to the
file name already added by <support/check.h>; 'support_record_failure'
is already called by 'support_print_failure_impl' invoked by the new
FAIL test failure helper.
- tst-ctype: no update to FAIL calls required, with the name of the file
and the line number within of the failure site additionally included
by the new FAIL test failure helper, and error counting plus count
reporting upon test program termination also already provided by
'support_record_failure' and 'support_report_failure' respectively,
called by 'support_print_failure_impl' and 'adjust_exit_status' also
respectively. However in a number of places 'printf' is called and
the error count adjusted by hand, so update these places to make use
of FAIL instead. And last but not least adjust the final summary just
to report completion, with any error count following as reported by
the test driver.
- test-tgmath2: no update to FAIL calls required, with the name of the
file of the failure site additionally included by the new FAIL test
failure helper. Also there is no need to track the return status by
hand as any call to FAIL will eventually cause the test case to return
an unsuccesful exit status regardless of the return status from the
test function, via a call to 'adjust_exit_status' made by the test
driver.
Reviewed-by: DJ Delorie <dj@redhat.com>
|
|
Remove local FAIL macro in favor to FAIL_RET from <support/check.h>,
which provides equivalent reporting, with the name of the file of the
failure site additionally included, for the tst-truncate-common core
shared between the tst-truncate and tst-truncate64 tests.
Reviewed-by: DJ Delorie <dj@redhat.com>
|
|
Remove local FAIL macro in favor to FAIL_EXIT1 from <support/check.h>,
which provides equivalent reporting, with the name of the file and the
line number within of the failure site additionally included. Remove
FAIL_ERR altogether and include ": %m" explicitly with the format string
supplied to FAIL_EXIT1 as there seems little value to have a separate
macro just for this.
Reviewed-by: DJ Delorie <dj@redhat.com>
|
|
From new tests added by 4dc22baa84bdb4111c0ac0db7139bf9ab953bf61.
|
|
From new tests added by 4dc22baa84bdb4111c0ac0db7139bf9ab953bf61.
|
|
From new tests added by 4dc22baa84bdb4111c0ac0db7139bf9ab953bf61.
|
|
From new tests added by 4dc22baa84bdb4111c0ac0db7139bf9ab953bf61.
|
|
From new tests added by 4dc22baa84bdb4111c0ac0db7139bf9ab953bf61.
|
|
Adjust the ULPs for the log2p1 implementation.
|
|
Generated with make regen-ulps using gcc14 on a visionfive2 SBC.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Needed due to:
"This patch adds larger ulp errors for the log2p1 function."
commit 4dc22baa84bdb4111c0ac0db7139bf9ab953bf61
|
|
Use RXX_LP in RTLD_START_ENABLE_X86_FEATURES. Support shadow stack during
startup for Linux 6.10:
commit 2883f01ec37dd8668e7222dfdb5980c86fdfe277
Author: H.J. Lu <hjl.tools@gmail.com>
Date: Fri Mar 15 07:04:33 2024 -0700
x86/shstk: Enable shadow stacks for x32
1. Add shadow stack support to x32 signal.
2. Use the 64-bit map_shadow_stack syscall for x32.
3. Set up shadow stack for x32.
Add the map_shadow_stack system call to <fixup-asm-unistd.h> and regenerate
arch-syscall.h. Tested on Intel Tiger Lake with CET enabled x32. There
are no regressions with CET enabled x86-64. There are no changes in CET
enabled x86-64 _dl_start_user.
Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Reviewed-by: Noah Goldstein <goldstein.w.n@gmail.com>
|
|
Remove sysdeps/x86_64/x32/dl-machine.h by folding x32 ARCH_LA_PLTENTER,
ARCH_LA_PLTEXIT and RTLD_START into sysdeps/x86_64/dl-machine.h. There
are no regressions on x86-64 nor x32. There are no changes in x86-64
_dl_start_user. On x32, _dl_start_user changes are
<_dl_start_user>:
mov %eax,%r12d
+ mov %esp,%r13d
mov (%rsp),%edx
mov %edx,%esi
- mov %esp,%r13d
and $0xfffffff0,%esp
mov 0x0(%rip),%edi # <_dl_start_user+0x14>
lea 0x8(%r13,%rdx,4),%ecx
Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Reviewed-by: Noah Goldstein <goldstein.w.n@gmail.com>
|
|
|
|
The current toolchain does not consistently generate it, and
glibc does not use it.
Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
|
|
For now, do not enable this mode by default due to the potential
impact on compatibility with existing deployments.
Reviewed-by: DJ Delorie <dj@redhat.com>
|
|
I think using a “-” prefix is less confusing than introducing
double-negation construct (“no-no-tld-query”).
Reviewed-by: DJ Delorie <dj@redhat.com>
|
|
In single-request mode, there is no second response after an error
because the second query has not been sent yet. Waiting for it
introduces an unnecessary timeout.
Reviewed-by: DJ Delorie <dj@redhat.com>
|
|
Reviewed-by: DJ Delorie <dj@redhat.com>
|
|
Improve aligned_alloc/calloc/malloc test coverage by adding
multi-threaded tests with random memory allocations and with/without
cross-thread memory deallocations.
Perform a number of memory allocation calls with random sizes limited
to 0xffff.
Use the existing DSO ('malloc/tst-aligned_alloc-lib.c') to randomize
allocator selection.
The multi-threaded allocation/deallocation is staged as described below:
- Stage 1: Half of the threads will be allocating memory and the
other half will be waiting for them to finish the allocation.
- Stage 2: Half of the threads will be allocating memory and the
other half will be deallocating memory.
- Stage 3: Half of the threads will be deallocating memory and the
second half waiting on them to finish.
Add 'malloc/tst-aligned-alloc-random-thread.c' where each thread will
deallocate only the memory that was previously allocated by itself.
Add 'malloc/tst-aligned-alloc-random-thread-cross.c' where each thread
will deallocate memory that was previously allocated by another thread.
The intention is to be able to utilize existing malloc testing to ensure
that similar allocation APIs are also exposed to the same rigors.
Reviewed-by: Arjun Shankar <arjun@redhat.com>
|
|
Make sure the DSO used by aligned_alloc/calloc/malloc tests does not get
a global lock on multithreaded tests.
Reviewed-by: Arjun Shankar <arjun@redhat.com>
|
|
Changes in v2:
- added larger error for long double on AMD reported by Adhemerval
(https://sourceware.org/pipermail/libc-alpha/2024-June/157755.html)
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
|
|
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
|
|
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
|
|
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
|
|
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
|
|
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
|
|
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
|
|
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
|
|
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
|