aboutsummaryrefslogtreecommitdiff
path: root/debug
AgeCommit message (Collapse)AuthorFilesLines
2023-01-25stdio-common: Handle -1 buffer size in __sprintf_chk & co (bug 30039)Florian Weimer2-0/+131
This shows up as an assertion failure when sprintf is called with a specifier like "%.8g" and libquadmath is linked in: Fatal glibc error: printf_buffer_as_file.c:31 (__printf_buffer_as_file_commit): assertion failed: file->stream._IO_write_ptr <= file->next->write_end Fix this by detecting pointer wraparound in __vsprintf_internal and saturate the addition to the end of the address space instead. Reviewed-by: Carlos O'Donell <carlos@redhat.com> Tested-by: Carlos O'Donell <carlos@redhat.com>
2023-01-06Update copyright dates not handled by scripts/update-copyrightsJoseph Myers2-2/+2
I've updated copyright dates in glibc for 2023. This is the patch for the changes not generated by scripts/update-copyrights and subsequent build / regeneration of generated files.
2023-01-06Update copyright dates with scripts/update-copyrightsJoseph Myers101-101/+101
2022-11-09debug: Fix typo in tests-unsupported ruleAdhemerval Zanella1-1/+1
From commit 2e274cd8c1ebd0bd0c43a7f2e5433685740938ca.
2022-11-08Linux: Add ppoll fortify symbol for 64 bit time_t (BZ# 29746)Adhemerval Zanella1-12/+29
Similar to ppoll, the poll.h header needs to redirect the poll call to a proper fortified ppoll with 64 bit time_t support. The implementation is straightforward, just need to add a similar check as __poll_chk and call the 64 bit time_t ppoll version. The debug fortify tests are also extended to cover 64 bit time_t for affected ABIs. Unfortunately it requires an aditional symbol, which makes backport tricky. One possibility is to add a static inline version if compiler supports is and call abort instead of __chk_fail, so fortified version will call __poll64 in the end. Another possibility is to just remove the fortify support for _TIME_BITS=64. Checked on i686-linux-gnu.
2022-10-28Fix invalid pointer dereference in wcpcpy_chkSzabolcs Nagy1-2/+1
The src pointer is const and points to a different object, so accessing dest via src is invalid. Reviewed-by: Florian Weimer <fweimer@redhat.com>
2022-10-28Fix invalid pointer dereference in wcscpy_chkSzabolcs Nagy1-27/+7
The src pointer is const and points to a different object, so accessing dest via src is invalid. Reviewed-by: Florian Weimer <fweimer@redhat.com>
2022-09-05debug: test for more required cacellation points (BZ# 29274)Adhemerval Zanella3-53/+266
Generalize the test for cancellation point in __read_chk to also test the other fortified functions with required cancellation points. Since there is not easy way to force some syscalls to block (for instance pread) the test tests two modes: cancellation on blocked syscalls and early cancellation on pending request. Checked on x86_64-linux-gnu and aarch64-linux-gnu. Co-authored-by: Andreas Schwab <schwab@suse.de> Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2022-08-03stdio: Clean up __libc_message after unconditional abortFlorian Weimer1-3/+1
Since commit ec2c1fcefb200c6cb7e09553f3c6af8815013d83 ("malloc: Abort on heap corruption, without a backtrace [BZ #21754]"), __libc_message always terminates the process. Since commit a289ea09ea843ced6e5277c2f2e63c357bc7f9a3 ("Do not print backtraces on fatal glibc errors"), the backtrace facility has been removed. Therefore, remove enum __libc_message_action and the action argument of __libc_message, and mark __libc_message as _No_return. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2022-06-22debug: make __read_chk a cancellation point (bug 29274)Andreas Schwab3-10/+57
The __read_chk function, as the implementation behind the fortified read function, must be a cancellation point, thus it cannot use INLINE_SYSCALL.
2022-05-13wcrtomb: Make behavior POSIX compliantSiddhesh Poyarekar2-7/+8
The GNU implementation of wcrtomb assumes that there are at least MB_CUR_MAX bytes available in the destination buffer passed to wcrtomb as the first argument. This is not compatible with the POSIX definition, which only requires enough space for the input wide character. This does not break much in practice because when users supply buffers smaller than MB_CUR_MAX (e.g. in ncurses), they compute and dynamically allocate the buffer, which results in enough spare space (thanks to usable_size in malloc and padding in alloca) that no actual buffer overflow occurs. However when the code is built with _FORTIFY_SOURCE, it runs into the hard check against MB_CUR_MAX in __wcrtomb_chk and hence fails. It wasn't evident until now since dynamic allocations would result in wcrtomb not being fortified but since _FORTIFY_SOURCE=3, that limitation is gone, resulting in such code failing. To fix this problem, introduce an internal buffer that is MB_LEN_MAX long and use that to perform the conversion and then copy the resultant bytes into the destination buffer. Also move the fortification check into the main implementation, which checks the result after conversion and aborts if the resultant byte count is greater than the destination buffer size. One complication is that applications that assume the MB_CUR_MAX limitation to be gone may not be able to run safely on older glibcs if they use static destination buffers smaller than MB_CUR_MAX; dynamic allocations will always have enough spare space that no actual overruns will occur. One alternative to fixing this is to bump symbol version to prevent them from running on older glibcs but that seems too strict a constraint. Instead, since these users will only have made this decision on reading the manual, I have put a note in the manual warning them about the pitfalls of having static buffers smaller than MB_CUR_MAX and running them on older glibc. Benchmarking: The wcrtomb microbenchmark shows significant increases in maximum execution time for all locales, ranging from 10x for ar_SA.UTF-8 to 1.5x-2x for nearly everything else. The mean execution time however saw practically no impact, with some results even being quicker, indicating that cache locality has a much bigger role in the overhead. Given that the additional copy uses a temporary buffer inside wcrtomb, it's likely that a hot path will end up putting that buffer (which is responsible for the additional overhead) in a similar place on stack, giving the necessary cache locality to negate the overhead. However in situations where wcrtomb ends up getting called at wildly different spots on the call stack (or is on different call stacks, e.g. with threads or different execution contexts) and is still a hotspot, the performance lag will be visible. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-04-25misc: Fix rare fortify crash on wchar funcs. [BZ 29030]Joan Bruguera1-0/+5
If `__glibc_objsize (__o) == (size_t) -1` (i.e. `__o` is unknown size), fortify checks should pass, and `__whatever_alias` should be called. Previously, `__glibc_objsize (__o) == (size_t) -1` was explicitly checked, but on commit a643f60c53876b, this was moved into `__glibc_safe_or_unknown_len`. A comment says the -1 case should work as: "The -1 check is redundant because since it implies that __glibc_safe_len_cond is true.". But this fails when: * `__s > 1` * `__osz == -1` (i.e. unknown size at compile time) * `__l` is big enough * `__l * __s <= __osz` can be folded to a constant (I only found this to be true for `mbsrtowcs` and other functions in wchar2.h) In this case `__l * __s <= __osz` is false, and `__whatever_chk_warn` will be called by `__glibc_fortify` or `__glibc_fortify_n` and crash the program. This commit adds the explicit `__osz == -1` check again. moc crashes on startup due to this, see: https://bugs.archlinux.org/task/74041 Minimal test case (test.c): #include <wchar.h> int main (void) { const char *hw = "HelloWorld"; mbsrtowcs (NULL, &hw, (size_t)-1, NULL); return 0; } Build with: gcc -O2 -Wp,-D_FORTIFY_SOURCE=2 test.c -o test && ./test Output: *** buffer overflow detected ***: terminated Fixes: BZ #29030 Signed-off-by: Joan Bruguera <joanbrugueram@gmail.com> Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-03-28debug: Improve fdelt_chk error messageCristian Rodríguez1-1/+2
It is not a "buffer overflow detected" but an out of range bit on fd_set Signed-off-by: Cristian Rodríguez <crrodriguez@opensuse.org> Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-12debug: Synchronize feature guards in fortified functions [BZ #28746]Siddhesh Poyarekar2-10/+49
Some functions (e.g. stpcpy, pread64, etc.) had moved to POSIX in the main headers as they got incorporated into the standard, but their fortified variants remained under __USE_GNU. As a result, these functions did not get fortified when _GNU_SOURCE was not defined. Add test wrappers that check all functions tested in tst-chk0 at all levels with _GNU_SOURCE undefined and then use the failures to (1) exclude checks for _GNU_SOURCE functions in these tests and (2) Fix feature macro guards in the fortified function headers so that they're the same as the ones in the main headers. This fixes BZ #28746. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2022-01-12debug: Autogenerate _FORTIFY_SOURCE testsSiddhesh Poyarekar15-67/+67
Rename debug/tst-chk1.c to debug/tst-fortify.c and add make hackery to autogenerate tests with different macros enabled to build and run the same test with different configurations as well as different fortification levels. The change also ends up expanding the -lfs tests to include _FORTIFY_SOURCE=3. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2022-01-06debug: Remove catchsegv and libSegfault (BZ #14913)Adhemerval Zanella3-338/+2
Trapping SIGSEGV within the process is error-prone, adds security issues, and modern analysis design tends to happen out of the process (either by attaching a debugger or by post-mortem analysis). The libSegfault also has some design problems, it uses non async-signal-safe function (backtrace) on signal handler. There are multiple alternatives if users do want to use similar functionality, such as sigsegv gnulib module or libsegfault.
2022-01-01Update copyright dates not handled by scripts/update-copyrights.Paul Eggert3-3/+3
I've updated copyright dates in glibc for 2022. This is the patch for the changes not generated by scripts/update-copyrights and subsequent build / regeneration of generated files. As well as the usual annual updates, mainly dates in --version output (minus csu/version.c which previously had to be handled manually but is now successfully updated by update-copyrights), there is a small change to the copyright notice in NEWS which should let NEWS get updated automatically next year. Please remember to include 2022 in the dates for any new files added in future (which means updating any existing uncommitted patches you have that add new files to use the new copyright dates in them).
2022-01-01Update copyright dates with scripts/update-copyrightsPaul Eggert102-102/+102
I used these shell commands: ../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright (cd ../glibc && git commit -am"[this commit message]") and then ignored the output, which consisted lines saying "FOO: warning: copyright statement not found" for each of 7061 files FOO. I then removed trailing white space from math/tgmath.h, support/tst-support-open-dev-null-range.c, and sysdeps/x86_64/multiarch/strlen-vec.S, to work around the following obscure pre-commit check failure diagnostics from Savannah. I don't know why I run into these diagnostics whereas others evidently do not. remote: *** 912-#endif remote: *** 913: remote: *** 914- remote: *** error: lines with trailing whitespace found ... remote: *** error: sysdeps/unix/sysv/linux/statx_cp.c: trailing lines
2021-12-17fortify: Fix spurious warning with realpathSiddhesh Poyarekar2-1/+39
The length and object size arguments were swapped around for realpath. Also add a smoke test so that any changes in this area get caught in future. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-10-20debug: Add tests for _FORTIFY_SOURCE=3Siddhesh Poyarekar4-50/+69
Add some testing coverage for _FORTIFY_SOURCE=3. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-09-03Remove "Contributed by" linesSiddhesh Poyarekar29-31/+1
We stopped adding "Contributed by" or similar lines in sources in 2012 in favour of git logs and keeping the Contributors section of the glibc manual up to date. Removing these lines makes the license header a bit more consistent across files and also removes the possibility of error in attribution when license blocks or files are copied across since the contributed-by lines don't actually reflect reality in those cases. Move all "Contributed by" and similar lines (Written by, Test by, etc.) into a new file CONTRIBUTED-BY to retain record of these contributions. These contributors are also mentioned in manual/contrib.texi, so we just maintain this additional record as a courtesy to the earlier developers. The following scripts were used to filter a list of files to edit in place and to clean up the CONTRIBUTED-BY file respectively. These were not added to the glibc sources because they're not expected to be of any use in future given that this is a one time task: https://gist.github.com/siddhesh/b5ecac94eabfd72ed2916d6d8157e7dc https://gist.github.com/siddhesh/15ea1f5e435ace9774f485030695ee02 Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2021-05-12Remove all usage of @BASH@ or ${BASH} in installed files, and hardcode ↵Romain GEISSLER2-4/+3
/bin/bash instead (FYI, this is a repost of https://sourceware.org/pipermail/libc-alpha/2019-July/105035.html now that FSF papers have been signed and confirmed on FSF side). This trivial patch attemps to fix BZ 24106. Basically the bash locally used when building glibc on the host shall not leak on the installed glibc, as the system where it is installed might be different and use another bash location. So I have looked for all occurences of @BASH@ or $(BASH) in installed files, and replaced it by /bin/bash. This was suggested by Florian Weimer in the bug report. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2021-03-01backtrace: Implement on top of <unwind-link.h>Florian Weimer1-67/+17
This reimplements the generic version of backtrace. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2021-03-01Implement <unwind-link.h> for dynamically loading the libgcc_s unwinderFlorian Weimer1-1/+1
This will be used to consolidate the libgcc_s access for backtrace and pthread_cancel. Unlike the existing backtrace implementations, it provides some hardening based on pointer mangling. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2021-02-01libSegFault: Fix printing signal number [BZ #27249]Vitaly Chikunov1-1/+1
Signal number is written into the tail of buf, but printed from the beginning, outputting garbage on the screen. Fix this by printing from the correct position. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> Reviewed-by: Dmitry V. Levin <ldv@altlinux.org>
2021-01-02Update copyright dates not handled by scripts/update-copyrights.Paul Eggert3-3/+3
I've updated copyright dates in glibc for 2021. This is the patch for the changes not generated by scripts/update-copyrights and subsequent build / regeneration of generated files. As well as the usual annual updates, mainly dates in --version output (minus csu/version.c which previously had to be handled manually but is now successfully updated by update-copyrights), there is a small change to the copyright notice in NEWS which should let NEWS get updated automatically next year. Please remember to include 2021 in the dates for any new files added in future (which means updating any existing uncommitted patches you have that add new files to use the new copyright dates in them).
2021-01-02Update copyright dates with scripts/update-copyrightsPaul Eggert102-102/+102
I used these shell commands: ../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright (cd ../glibc && git commit -am"[this commit message]") and then ignored the output, which consisted lines saying "FOO: warning: copyright statement not found" for each of 6694 files FOO. I then removed trailing white space from benchtests/bench-pthread-locks.c and iconvdata/tst-iconv-big5-hkscs-to-2ucs4.c, to work around this diagnostic from Savannah: remote: *** pre-commit check failed ... remote: *** error: lines with trailing whitespace found remote: error: hook declined to update refs/heads/master
2020-11-05Remove __warndeclSiddhesh Poyarekar2-71/+1
The macro is not used anymore, so remove it and warning-nop.c. Reviewed-by: Florian Weimer <fweimer@redhat.com>
2020-07-07signal: Move sys_siglist to a compat symbolAdhemerval Zanella1-11/+7
The symbol was deprecated by strsignal and its usage imposes issues such as copy relocations. Its internal name is changed to __sys_siglist and __sys_sigabbrev to avoid static linking usage. The compat code is also refactored, since both Linux and Hurd usage the same strategy: export the same array with different object sizes. The libSegfault change avoids calling strsignal on the SIGFAULT signal handler (the current usage is already sketchy, adding a call that potentially issue locale internal function is even sketchier). Checked on x86_64-linux-gnu and i686-linux-gnu. I also run a check-abi on all affected platforms. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2020-02-18mips: Fix bracktrace result for signal framesAdhemerval Zanella1-0/+5
MIPS fallback code handle a frame where its FDE can not be obtained (for instance a signal frame) by reading the kernel allocated signal frame and adding '2' to the value of 'sc_pc' [1]. The added value is used to recognize an end of an EH region on mips16 [2]. The fix adjust the obtained signal frame value and remove the libgcc added value by checking if the previous frame is a signal frame one. Checked with backtrace and tst-sigcontext-get_pc tests on mips-linux-gnu and mips64-linux-gnu. [1] libgcc/config/mips/linux-unwind.h from gcc code. [2] gcc/config/mips/mips.h from gcc code. */
2020-02-11debug: Add missing locale dependencies of fortify testsFlorian Weimer1-0/+11
The missing dependencies result in failures like this if make check is invoked with sufficient parallelism for the debug subdirectory: FAIL: debug/tst-chk2 FAIL: debug/tst-chk3 FAIL: debug/tst-chk4 FAIL: debug/tst-chk5 FAIL: debug/tst-chk6 FAIL: debug/tst-lfschk1 FAIL: debug/tst-lfschk2 FAIL: debug/tst-lfschk3 FAIL: debug/tst-lfschk4 FAIL: debug/tst-lfschk5 FAIL: debug/tst-lfschk6
2020-01-21Fix array overflow in backtrace on PowerPC (bug 25423)Andreas Schwab1-0/+12
When unwinding through a signal frame the backtrace function on PowerPC didn't check array bounds when storing the frame address. Fixes commit d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines").
2020-01-01Update copyright dates not handled by scripts/update-copyrights.Joseph Myers3-3/+3
I've updated copyright dates in glibc for 2020. This is the patch for the changes not generated by scripts/update-copyrights and subsequent build / regeneration of generated files. As well as the usual annual updates, mainly dates in --version output (minus libc.texinfo which previously had to be handled manually but is now successfully updated by update-copyrights), there is a fix to sysdeps/unix/sysv/linux/powerpc/bits/termios-c_lflag.h where a typo in the copyright notice meant it failed to be updated automatically. Please remember to include 2020 in the dates for any new files added in future (which means updating any existing uncommitted patches you have that add new files to use the new copyright dates in them).
2020-01-01Update copyright dates with scripts/update-copyrights.Joseph Myers103-103/+103
2019-09-07Prefer https to http for gnu.org and fsf.org URLsPaul Eggert103-103/+103
Also, change sources.redhat.com to sourceware.org. This patch was automatically generated by running the following shell script, which uses GNU sed, and which avoids modifying files imported from upstream: sed -ri ' s,(http|ftp)(://(.*\.)?(gnu|fsf|sourceware)\.org($|[^.]|\.[^a-z])),https\2,g s,(http|ftp)(://(.*\.)?)sources\.redhat\.com($|[^.]|\.[^a-z]),https\2sourceware.org\4,g ' \ $(find $(git ls-files) -prune -type f \ ! -name '*.po' \ ! -name 'ChangeLog*' \ ! -path COPYING ! -path COPYING.LIB \ ! -path manual/fdl-1.3.texi ! -path manual/lgpl-2.1.texi \ ! -path manual/texinfo.tex ! -path scripts/config.guess \ ! -path scripts/config.sub ! -path scripts/install-sh \ ! -path scripts/mkinstalldirs ! -path scripts/move-if-change \ ! -path INSTALL ! -path locale/programs/charmap-kw.h \ ! -path po/libc.pot ! -path sysdeps/gnu/errlist.c \ ! '(' -name configure \ -execdir test -f configure.ac -o -f configure.in ';' ')' \ ! '(' -name preconfigure \ -execdir test -f preconfigure.ac ';' ')' \ -print) and then by running 'make dist-prepare' to regenerate files built from the altered files, and then executing the following to cleanup: chmod a+x sysdeps/unix/sysv/linux/riscv/configure # Omit irrelevant whitespace and comment-only changes, # perhaps from a slightly-different Autoconf version. git checkout -f \ sysdeps/csky/configure \ sysdeps/hppa/configure \ sysdeps/riscv/configure \ sysdeps/unix/sysv/linux/csky/configure # Omit changes that caused a pre-commit check to fail like this: # remote: *** error: sysdeps/powerpc/powerpc64/ppc-mcount.S: trailing lines git checkout -f \ sysdeps/powerpc/powerpc64/ppc-mcount.S \ sysdeps/unix/sysv/linux/s390/s390-64/syscall.S # Omit change that caused a pre-commit check to fail like this: # remote: *** error: sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S: last line does not end in newline git checkout -f sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S
2019-08-23Refactor sigcontextinfo.hAdhemerval Zanella1-3/+13
This patch refactor sigcontextinfo.h header to use SA_SIGINFO as default for both gmon and debug implementations. This allows simplify profil-counter.h on Linux to use a single implementation and remove the requirements for newer ports to redefine __sigaction/sigaction to use SA_SIGINFO. The GET_PC macro is also replaced with a function sigcontext_get_pc that returns an uintptr_t instead of a void pointer. It allows easier convertion to integer on ILP32 architecture, such as x32, without the need to suppress compiler warnings. The patch also requires some refactor of register-dump.h file for some architectures (to reflect it is now called from a sa_sigaction instead of sa_handler signal context). - Alpha, i386, and s390 are straighfoward to take in consideration the new argument type. - ia64 takes in consideration the kernel pass a struct sigcontextt as third argument for sa_sigaction. - sparc take in consideration the kernel pass a pt_regs struct as third argument for sa_sigaction. - m68k dummy function is removed and the FP state is dumped on register_dump itself. - For SH the register-dump.h file is consolidate on a common implementation and the floating-point state is checked based on ownedfp field. The register_dump does not change its output format in any affected architecture. I checked on x86_64-linux-gnu, i686-linux-gnu, aarch64-linux-gnu, arm-linux-gnueabihf, sparcv9-linux-gnu, sparc64-linux-gnu, powerpc-linux-gnu, powerpc64-linux-gnu, and powerpc64le-linux-gnu. I also checked the libSegFault.so through catchsegv on alpha-linux-gnu, m68k-linux-gnu and sh4-linux-gnu to confirm the output has not changed. Adhemerval Zanella <adhemerval.zanella@linaro.org> Florian Weimer <fweimer@redhat.com> * debug/segfault.c (install_handler): Use SA_SIGINFO if defined. * sysdeps/generic/profil-counter.h (__profil_counter): Cast to uintptr_t. * sysdeps/generic/sigcontextinfo.h (GET_PC): Rename to sigcontext_get_pc and return aligned cast to uintptr_t. * sysdeps/mach/hurd/i386/sigcontextinfo.h (GET_PC): Likewise. * sysdeps/posix/profil.c (profil_count): Change PC argument to uintptr_t. (__profil): Use SA_SIGINFO. * sysdeps/posix/sprofil.c (profil_count): Change PCP argument to uintptr_t. (__sprofil): Use SA_SIGINFO. * sysdeps/unix/sysv/linux/profil-counter.h: New file. * sysdeps/unix/sysv/linux/aarch64/profil-counter.h: Remove file. * sysdeps/unix/sysv/linux/csky/profil-counter.h: Likewise. * sysdeps/unix/sysv/linux/hppa/profil-counter.h: Likewise. * sysdeps/unix/sysv/linux/i386/profil-counter.h: Likewise. * sysdeps/unix/sysv/linux/ia64/profil-counter.h: Likewise. * sysdeps/unix/sysv/linux/microblaze/profil-counter.h: Likewise. * sysdeps/unix/sysv/linux/mips/profil-counter.h: Likewise. * sysdeps/unix/sysv/linux/nios2/profil-counter.h: Likewise. * sysdeps/unix/sysv/linux/powerpc/profil-counter.h: Likewise. * sysdeps/unix/sysv/linux/x86_64/profil-counter.h: Likewise. * sysdeps/unix/sysv/linux/riscv/profil-counter.h: Likewise. * sysdeps/sysv/linux/s390/s390-32/profil-counter.h: Likewise. * sysdeps/sysv/linux/s390/s390-64/profil-counter.h: Likewise. * sysdeps/unix/sysv/linux/sh/profil-counter.h: Likewise. * sysdeps/unix/sysv/linux/arm/profil-counter.h (__profil_counter): Assume SA_SIGINFO and use sigcontext_get_pc instead of GET_PC. * sysdeps/unix/sysv/linux/sparc/profil-counter.h: New file. * sysdeps/unix/sysv/linux/sparc/sparc64/profil-counter.h: Remove file. * sysdeps/unix/sysv/linux/sparc/sparc32/profil-counter.h: Likewise. * sysdpes/unix/sysv/linux/aarch64/sigcontextinfo.h (SIGCONTEXT, GET_PC, __sigaction, sigaction): Remove defines. (sigcontext_get_pc): New function. * sysdeps/unix/sysv/linux/alpha/sigcontextinfo.h: Likewise. * sysdeps/unix/sysv/linux/arm/sigcontextinfo.h: Likewise. * sysdeps/unix/sysv/linux/csky/sigcontextinfo.h: Likewise. * sysdeps/unix/sysv/linux/hppa/sigcontextinfo.h: Likewise. * sysdeps/unix/sysv/linux/i386/sigcontextinfo.h: Likewise. * sysdeps/unix/sysv/linux/ia64/sigcontextinfo.h: Likewise. * sysdeps/unix/sysv/linux/m68k/sigcontextinfo.h: Likewise. * sysdeps/unix/sysv/linux/mips/sigcontextinfo.h: Likewise. * sysdeps/unix/sysv/linux/nios2/sigcontextinfo.h: Likewise. * sysdeps/unix/sysv/linux/s390/sigcontextinfo.h: Likewise. * sysdeps/unix/sysv/linux/microblaze/sigcontextinfo.h: Likewise. * sysdeps/unix/sysv/linux/powerpc/sigcontextinfo.h: Likewise. * sysdeps/unix/sysv/linux/riscv/sigcontextinfo.h: Likewise. * sysdeps/unix/sysv/linux/sh/sigcontextinfo.h: Likewise. * sysdeps/sysv/linux/sparc/sparc32/sigcontextinfo.h: Likewise. * sysdeps/sysv/linux/sparc/sparc64/sigcontextinfo.h: Likewise. * sysdeps/unix/sysv/linux/x86_64/sigcontextinfo.h: Likewise. * sysdeps/unix/sysv/linux/alpha/register-dump.h (register_dump): Handle CTX argument as ucontext_t. * sysdeps/unix/sysv/linux/i386/register-dump.h: Likewise. Likewise. * sysdeps/unix/sysv/linux/m68k/register-dump.h: Likewise. * sysdeps/sysv/linux/s390/s390-32/register-dump.h: Likewise. * sysdeps/sysv/linux/s390/s390-64/register-dump.h: Likewise. * sysdeps/unix/sysv/linux/sh/register-dump.h: New file. * sysdeps/unix/sysv/linux/sh/sh4/register-dump.h: Remove File. * sysdeps/unix/sysv/linux/sh/sh3/register-dump.h: Likewise. * sysdeps/unix/sysv/linux/sparc/sparc32/register-dump.h: Likewise. * sysdeps/unix/sysv/linux/sparc/sparc64/register-dump.h: Likewise. * sysdeps/unix/sysv/linux/Makefile (tests-internal): Add tst-sigcontextinfo-get_pc. * sysdeps/unix/sysv/linux/tst-sigcontextinfo-get_pc.c: New file. (CFLAGS-tst-sigcontextinfo-get_pc.c): New rule.
2019-08-19Do not print backtraces on fatal glibc errorsFlorian Weimer2-29/+4
If the process is in a bad state, we used to print backtraces in many cases. This is problematic because doing so could involve a lot of work, like loading libgcc_s using the dynamic linker, and this could itself be targeted by exploit writers. For example, if the crashing process was forked from a long-lived process, the addresses in the error message could be used to bypass ASLR. Commit ed421fca42fd9b4cab7c66e77894b8dd7ca57ed0 ("Avoid backtrace from __stack_chk_fail [BZ #12189]"), backtraces where no longer printed because backtrace_and_maps was always called with do_abort == 1. Rather than fixing this logic error, this change removes the backtrace functionality from the sources. With the prevalence of external crash handlers, it does not appear to be particularly useful. The crash handler may also destroy useful information for debugging. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2019-02-03libio: Use stdin consistently for input functions [BZ #24153]Florian Weimer1-8/+8
The internal _IO_stdin_ variable is not updated when the application assigns to stdin, which is a GNU extension.
2019-01-03nptl: Fix testcases for new pthread cancellation mechanismAdhemerval Zanella1-9/+10
With upcoming fix for BZ#12683, pthread cancellation does not act for: 1. If syscall is blocked but with some side effects already having taken place (e.g. a partial read or write). 2. After the syscall has returned. The main change is due the fact programs need to act in syscalls with side-effects (for instance, to avoid leak of allocated resources or handle partial read/write). This patch changes the NPTL testcase that assumes the old behavior and also changes the tst-backtrace{5,6} to ignore the cancellable wrappers. Checked on i686-linux-gnu, x86_64-linux-gnu, x86_64-linux-gnux32, aarch64-linux-gnu, arm-linux-gnueabihf, powerpc64le-linux-gnu, powerpc-linux-gnu, sparcv9-linux-gnu, and sparc64-linux-gnu. * debug/tst-backtrace5.c (handle_signal): Avoid cancellable wrappers in backtrace analysis. * nptl/tst-cancel4.c (tf_write): Handle cancelled syscall with side-effects. (tf_send): Likewise.
2019-01-02Set behavior of sprintf-like functions with overlapping source and destinationGabriel F. T. Gomes2-0/+8
According to ISO C99, passing the same buffer as source and destination to sprintf, snprintf, vsprintf, or vsnprintf has undefined behavior. Until the commit commit 4e2f43f842ef5e253cc23383645adbaa03cedb86 Author: Zack Weinberg <zackw@panix.com> Date: Wed Mar 7 14:32:03 2018 -0500 Use PRINTF_FORTIFY instead of _IO_FLAGS2_FORTIFY (bug 11319) a call to sprintf or vsprintf with overlapping buffers, for instance vsprintf (buf, "%sTEXT", buf), would append `TEXT' into buf, while a call to snprintf or vsnprintf would override the contents of buf. After the aforementioned commit, the behavior of sprintf and vsprintf changed (so that they also override the contents of buf). This patch reverts this behavioral change, because it will likely break applications that rely on the previous behavior, even though it is undefined by ISO C. As noted by Szabolcs Nagy, this is used in SPEC2017 507.cactuBSSN_r/src/PUGH/PughUtils.c: sprintf(mess," Size:"); for (i=0;i<dim+1;i++) { sprintf(mess,"%s %d",mess,pughGH->GFExtras[dim]->nsize[i]); } More important to notice is the fact that the overwriting of the destination buffer is not the only behavior affected by the refactoring. Before the refactoring, sprintf and vsprintf would use _IO_str_jumps, whereas __sprintf_chk and __vsprintf_chk would use _IO_str_chk_jumps. After the refactoring, all use _IO_str_chk_jumps, which would make sprintf and vsprintf report buffer overflows and terminate the program. This patch also reverts this behavior, by installing the appropriate jump table for each *sprintf functions. Apart from reverting the changes, this patch adds a test case that has the old behavior hardcoded, so that regressions are noticed if something else unintentionally changes the behavior. Tested for powerpc64le.
2019-01-01Update copyright dates not handled by scripts/update-copyrights.Joseph Myers3-3/+3
I've updated copyright dates in glibc for 2019. This is the patch for the changes not generated by scripts/update-copyrights and subsequent build / regeneration of generated files. Please remember to include 2019 in the dates for any new files added in future (which means updating any existing uncommitted patches you have that add new files to use the new copyright dates in them). * NEWS: Update copyright dates. * catgets/gencat.c (print_version): Likewise. * csu/version.c (banner): Likewise. * debug/catchsegv.sh: Likewise. * debug/pcprofiledump.c (print_version): Likewise. * debug/xtrace.sh (do_version): Likewise. * elf/ldconfig.c (print_version): Likewise. * elf/ldd.bash.in: Likewise. * elf/pldd.c (print_version): Likewise. * elf/sotruss.sh: Likewise. * elf/sprof.c (print_version): Likewise. * iconv/iconv_prog.c (print_version): Likewise. * iconv/iconvconfig.c (print_version): Likewise. * locale/programs/locale.c (print_version): Likewise. * locale/programs/localedef.c (print_version): Likewise. * login/programs/pt_chown.c (print_version): Likewise. * malloc/memusage.sh (do_version): Likewise. * malloc/memusagestat.c (print_version): Likewise. * malloc/mtrace.pl: Likewise. * manual/libc.texinfo: Likewise. * nptl/version.c (banner): Likewise. * nscd/nscd.c (print_version): Likewise. * nss/getent.c (print_version): Likewise. * nss/makedb.c (print_version): Likewise. * posix/getconf.c (main): Likewise. * scripts/test-installation.pl: Likewise. * sysdeps/unix/sysv/linux/lddlibc4.c (main): Likewise.
2019-01-01Update copyright dates with scripts/update-copyrights.Joseph Myers103-103/+103
* All files with FSF copyright notices: Update copyright dates using scripts/update-copyrights. * locale/programs/charmap-kw.h: Regenerated. * locale/programs/locfile-kw.h: Likewise.
2018-12-05Use PRINTF_FORTIFY instead of _IO_FLAGS2_FORTIFY (bug 11319)Zack Weinberg21-493/+187
The _chk variants of all of the printf functions become much simpler. This is the last thing that we needed _IO_acquire_lock_clear_flags2 for, so it can go as well. I took the opportunity to make the headers included and the names of all local variables consistent across all the affected files. Since we ultimately want to get rid of __no_long_double as well, it must be possible to get all of the nontrivial effects of the _chk functions by calling the _internal functions with appropriate flags. For most of the __(v)xprintf_chk functions, this is covered by PRINTF_FORTIFY plus some up-front argument checks that can be duplicated. However, __(v)sprintf_chk installs a custom jump table so that it can crash instead of overflowing the output buffer. This functionality is moved to __vsprintf_internal, which now has a 'maxlen' argument like __vsnprintf_internal; to get the unsafe behavior of ordinary (v)sprintf, pass -1 for that argument. obstack_printf_chk and obstack_vprintf_chk are no longer in the same file. As a side-effect of the unification of both fortified and non-fortified vdprintf initialization, this patch fixes bug 11319 for __dprintf_chk and __vdprintf_chk, which was previously fixed only for dprintf and vdprintf by the commit commit 7ca890b88e6ab7624afb1742a9fffb37ad5b3fc3 Author: Ulrich Drepper <drepper@redhat.com> Date: Wed Feb 24 16:07:57 2010 -0800 Fix reporting of I/O errors in *dprintf functions. This patch adds a test case to avoid regressions. Tested for powerpc and powerpc64le.
2018-12-05Add __v*printf_internal with flags argumentsZack Weinberg10-10/+10
There are a lot more printf variants than there are scanf variants, and the code for setting up and tearing down their custom FILE variants around the call to __vf(w)printf is more complicated and variable. Therefore, I have added _internal versions of all the v*printf variants, rather than introducing helper routines so that they can all directly call __vf(w)printf_internal, as was done with scanf. As with the scanf changes, in this patch the _internal functions still look at the environmental mode bits and all callers pass 0 for the flags parameter. Several of the affected public functions had _IO_ name aliases that were not exported (but, in one case, appeared in libio.h anyway); I was originally planning to leave them as aliases to avoid having to touch internal callers, but it turns out ldbl_*_alias only work for exported symbols, so they've all been removed instead. It also turns out there were hardly any internal callers. _IO_vsprintf and _IO_vfprintf *are* exported, so those two stick around. Summary for the changes to each of the affected symbols: _IO_vfprintf, _IO_vsprintf: All internal calls removed, thus the internal declarations, as well as uses of libc_hidden_proto and libc_hidden_def, were also removed. The external symbol is now exposed via uses of ldbl_strong_alias to __vfprintf_internal and __vsprintf_internal, respectively. _IO_vasprintf, _IO_vdprintf, _IO_vsnprintf, _IO_vfwprintf, _IO_vswprintf, _IO_obstack_vprintf, _IO_obstack_printf: All internal calls removed, thus declaration in internal headers were also removed. They were never exported, so there are no aliases tying them to the internal functions. I.e.: entirely gone. __vsnprintf: Internal calls were always preceded by macros such as #define __vsnprintf _IO_vsnprintf, and #define __vsnprintf vsnprintf The macros were removed and their uses replaced with calls to the new internal function __vsnprintf_internal. Since there were no internal calls, the internal declaration was also removed. The external symbol is preserved with ldbl_weak_alias to ___vsnprintf. __vfwprintf: All internal calls converted into calls to __vfwprintf_internal, thus the internal declaration was removed. The function is now a wrapper that calls __vfwprintf_internal. The external symbol is preserved. __vswprintf: Similarly, but no external symbol. __vasprintf, __vdprintf, __vfprintf, __vsprintf: New internal wrappers. Not exported. vasprintf, vdprintf, vfprintf, vsprintf, vsnprintf, vfwprintf, vswprintf, obstack_vprintf, obstack_printf: These functions used to be aliases to the respective _IO_* function, they are now aliases to their respective __* functions. Tested for powerpc and powerpc64le.
2018-08-21__readlink_chk: Remove micro-optimizationFlorian Weimer1-4/+0
2018-07-05Compile debug/stack_chk_fail_local.c with stack protectorFlorian Weimer1-2/+5
The resulting object file is statically linked into applications, so it is desirable to have (formal) stack protector coverage there.
2018-06-01libio: Avoid _allocate_buffer, _free_buffer function pointers [BZ #23236]Florian Weimer1-2/+2
These unmangled function pointers reside on the heap and could be targeted by exploit writers, effectively bypassing libio vtable validation. Instead, we ignore these pointers and always call malloc or free. In theory, this is a backwards-incompatible change, but using the global heap instead of the user-supplied callback functions should have little application impact. (The old libstdc++ implementation exposed this functionality via a public, undocumented constructor in its strstreambuf class.)
2018-03-21Use x86_64 backtrace as generic version.Joseph Myers1-57/+101
No glibc configuration uses the present debug/backtrace.c, whereas several #include the x86_64 version. The x86_64 version is effectively a generic one (using _Unwind_Backtrace from libgcc, which works much more reliably than the built-in functions used by debug/backtrace.c). This patch moves it to debug/backtrace.c and removes all the #includes of the x86_64 version from other architectures which are no longer required. I do not know whether all the other architecture-specific backtrace implementations that are based on _Unwind_Backtrace are required, or whether, where their differences from the generic version do something useful, suitable hooks could be added to the generic version to reduce the duplication involved. Tested with build-many-glibcs.py that installed stripped shared libraries are unchanged by this patch. * sysdeps/x86_64/backtrace.c: Move to .... * debug/backtrace.c: ... here. * sysdeps/aarch64/backtrace.c: Remove file. * sysdeps/alpha/backtrace.c: Likewise. * sysdeps/hppa/backtrace.c: Likewise. * sysdeps/ia64/backtrace.c: Likewise. * sysdeps/mips/backtrace.c: Likewise. * sysdeps/nios2/backtrace.c: Likewise. * sysdeps/riscv/backtrace.c: Likewise. * sysdeps/sh/backtrace.c: Likewise. * sysdeps/tile/backtrace.c: Likewise.
2018-02-21Remove _IO_file_flags define.Zack Weinberg5-22/+19
This entirely mechanical (except for some indentation fixups) patch replaces all uses of _IO_file_flags with _flags and removes the #define. Installed stripped libraries and executables are unchanged by this patch. * libio/libio.h (_IO_file_flags): Remove macro. All uses changed to _flags.
2018-02-21Remove legacy configuration knobs from libio.Zack Weinberg1-3/+0
This patch eliminates the "compatibility defines" _IO_UNIFIED_JUMPTABLES (always defined to 1, used in a number of #ifs which are therefore always false), _STDIO_USES_IOSTREAM (unused), __HAVE_COLUMN (unused), _IO_BE (replaced with __glibc_unlikely), and yet another redundant definition of EOF. Installed stripped libraries are unchanged by this patch. * libio/libio.h (_IO_UNIFIED_JUMPTABLES, _STDIO_USES_IOSTREAM) (__HAVE_COLUMN, _IO_BE): Don't define. (_IO_peekc_unlocked, _IO_getwc_unlocked, _IO_putwc_unlocked) (_IO_fwide_maybe_incompatible): Use __glibc_unlikely. * libio/libioP.h (EOF): Don't define. * libio/iofdopen.c, libio/iofopen.c, libio/iopopen.c * libio/iovdprintf.c, libio/oldiofdopen.c, libio/oldiofopen.c * libio/oldiopopen.c, debug/vdprintf_chk.c: Remove #if block testing _IO_UNIFIED_JUMPTABLES.