aboutsummaryrefslogtreecommitdiff
path: root/io
AgeCommit message (Collapse)AuthorFilesLines
2024-10-01Do not use -Wp to disable fortify (BZ 31928)Adhemerval Zanella1-1/+1
The -Wp does not work properly if the compiler is configured to enable fortify by default, since it bypasses the compiler driver (which defines the fortify flags in this case). This patch is similar to the one used on Ubuntu [1]. I checked with a build for x86_64-linux-gnu, i686-linux-gnu, aarch64-linux-gnu, s390x-linux-gnu, and riscv64-linux-gnu with gcc-13 that enables the fortify by default. Co-authored-by: Matthias Klose <matthias.klose@canonical.com> [1] https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/glibc/tree/debian/patches/ubuntu/fix-fortify-source.patch Reviewed-by: DJ Delorie <dj@redhat.com>
2024-09-09io: Add FUSE-based test for fchmodFlorian Weimer2-0/+115
Test all mode arguments, and that extra bits are ignored as required by POSIX. Reviewed-by: DJ Delorie <dj@redhat.com>
2024-09-09io: Add tst-lstat-nofollow, tst-lstat-nofollow-time64Florian Weimer3-0/+101
They verify that lstat, lstat64 do not follow symbolic links. Reviewed-by: DJ Delorie <dj@redhat.com>
2024-08-30io: Fix destructive nature of tst-fchmod-errorsFlorian Weimer1-3/+10
We must not change the permissions of /dev/null if running as root. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2024-08-30io: Add error tests for fchmodFlorian Weimer2-0/+57
On Linux most descriptors that do not correspond to file system entities (such as anonymous pipes and sockets) have file permissions that can be changed. While it is possible to create a custom file system that returns (say) EINVAL for an fchmod attempt, testing this does not appear to be useful. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2024-08-22Test mkdirat use of mode argumentJoseph Myers1-0/+42
The test io/tst-mkdirat doesn't verify the permissions on the created directory (thus, doesn't verify at all anything about how mkdirat uses the mode argument). Add checks of this to the existing test. Tested for x86_64.
2024-08-16support: Use macros for *stat wrappersFlorian Weimer2-3/+3
Macros will automatically use the correct types, without having to fiddle with internal glibc macros. It's also impossible to get the types wrong due to aliasing because support_check_stat_fd and support_check_stat_path do not depend on the struct stat* types. The changes reveal some inconsistencies in tests. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2024-08-16io: Use struct statx and xstatx in testsFlorian Weimer14-95/+57
This avoids the need to define struct_statx to an appropriate struct stat type variant because struct statx does not change based on time/file offset flags. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2024-07-30Add STATX_SUBVOL from Linux 6.10 to bits/statx-generic.hAdhemerval Zanella1-0/+1
Tested for aarch64-linux-gnu. Reviewed-by: Florian Weimer <fweimer@redhat.com>
2024-07-02debug: Fix clang open fortify wrapper (BZ 31927)Adhemerval Zanella1-5/+0
The clang open fortify wrapper from 4228baef1a94e8bde84ad74 added a restriction where open with 3 arguments where flags do not contain O_CREAT or O_TMPFILE are handled as invalid. They are not invalid, since the third argument is ignored, and the gcc wrapper also allows it. Checked x86_64-linux-gnu and with a yocto build for some affected packages. Tested-by: “Khem Raj <raj.khen@gmail.com>”
2024-06-27debug: Fix clang open fortify wrapper (BZ 31927)Adhemerval Zanella1-1/+1
The fcntl.h fortify wrapper for clang added by 86889e22db329abac61 missed the __fortify_clang_overload_arg and and also added the mode argument for the __fortify_function_error_function function, which leads clang to be able to correct resolve which overloaded function it should emit. Checked on x86_64-linux-gnu. Reported-by: Khem Raj <raj.khem@gmail.com> Tested-by: Khem Raj <raj.khem@gmail.com>
2024-04-02Always define __USE_TIME_BITS64 when 64 bit time_t is usedAdhemerval Zanella7-23/+23
It was raised on libc-help [1] that some Linux kernel interfaces expect the libc to define __USE_TIME_BITS64 to indicate the time_t size for the kABI. Different than defined by the initial y2038 design document [2], the __USE_TIME_BITS64 is only defined for ABIs that support more than one time_t size (by defining the _TIME_BITS for each module). The 64 bit time_t redirects are now enabled using a different internal define (__USE_TIME64_REDIRECTS). There is no expected change in semantic or code generation. Checked on x86_64-linux-gnu, i686-linux-gnu, aarch64-linux-gnu, and arm-linux-gnueabi [1] https://sourceware.org/pipermail/libc-help/2024-January/006557.html [2] https://sourceware.org/glibc/wiki/Y2038ProofnessDesign Reviewed-by: DJ Delorie <dj@redhat.com>
2024-03-15Add STATX_MNT_ID_UNIQUE from Linux 6.8 to bits/statx-generic.hJoseph Myers1-0/+1
Linux 6.8 adds a new STATX_MNT_ID_UNIQUE constant. Add it to glibc's bits/statx-generic.h. Tested for x86_64.
2024-02-28cdefs: Drop access attribute for _FORTIFY_SOURCE=3 (BZ #31383)Siddhesh Poyarekar2-0/+41
When passed a pointer to a zero-sized struct, the access attribute without the third argument misleads -Wstringop-overflow diagnostics to think that a function is writing 1 byte into the zero-sized structs. The attribute doesn't add that much value in this context, so drop it completely for _FORTIFY_SOURCE=3. Resolves: BZ #31383 Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2024-02-27debug: Improve fcntl.h fortify warnings with clangAdhemerval Zanella2-2/+93
It improves open, open64, openat, and openat64. The compile and runtime checks have similar coverage as with GCC. Checked on aarch64, armhf, x86_64, and i686. Reviewed-by: Carlos O'Donell <carlos@redhat.com> Tested-by: Carlos O'Donell <carlos@redhat.com>
2024-02-27socket: Improve fortify with clangAdhemerval Zanella1-8/+21
It improve fortify checks recv, recvfrom, poll, and ppoll. The compile and runtime hecks have similar coverage as with GCC. Checked on aarch64, armhf, x86_64, and i686. Reviewed-by: Carlos O'Donell <carlos@redhat.com> Tested-by: Carlos O'Donell <carlos@redhat.com>
2024-01-01Update copyright dates with scripts/update-copyrightsPaul Eggert153-153/+153
2023-11-23Remove __access_noerrnoJoseph Myers1-7/+0
A recent commit, apparently commit 6c6fce572fb8f583f14d898e54fd7d25ae91cf56 "elf: Remove /etc/suid-debug support", resulted in localplt failures for i686-gnu and x86_64-gnu: Missing required PLT reference: ld.so: __access_noerrno After that commit, __access_noerrno is actually no longer used at all. So rather than just removing the localplt expectation for that symbol for Hurd, completely remove all definitions of and references to that symbol. Tested for x86_64, and with build-many-glibcs.py for i686-gnu and x86_64-gnu.
2023-11-20linux: Use fchmodat2 on fchmod for flags different than 0 (BZ 26401)Adhemerval Zanella1-2/+2
Linux 6.6 (09da082b07bbae1c) added support for fchmodat2, which has similar semantics as fchmodat with an extra flag argument. This allows fchmodat to implement AT_SYMLINK_NOFOLLOW and AT_EMPTY_PATH without the need for procfs. The syscall is registered on all architectures (with value of 452 except on alpha which is 562, commit 78252deb023cf087). The tst-lchmod.c requires a small fix where fchmodat checks two contradictory assertions ('(st.st_mode & 0777) == 2' and '(st.st_mode & 0777) == 3'). Checked on x86_64-linux-gnu on a 6.6 kernel. Reviewed-by: Florian Weimer <fweimer@redhat.com>
2023-11-15y2038: Fix support for 64-bit time on legacy ABIsGaël PORTAY1-1/+1
This fixes a typo. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-09-07io: Fix record locking contants for powerpc64 with __USE_FILE_OFFSET64Aurelien Jarno2-0/+3
Commit 5f828ff824e3b7cd1 ("io: Fix F_GETLK, F_SETLK, and F_SETLKW for powerpc64") fixed an issue with the value of the lock constants on powerpc64 when not using __USE_FILE_OFFSET64, but it ended-up also changing the value when using __USE_FILE_OFFSET64 causing an API change. Fix that by also checking that define, restoring the pre 4d0fe291aed3a476a commit values: Default values: - F_GETLK: 5 - F_SETLK: 6 - F_SETLKW: 7 With -D_FILE_OFFSET_BITS=64: - F_GETLK: 12 - F_SETLK: 13 - F_SETLKW: 14 At the same time, it has been noticed that there was no test for io lock with __USE_FILE_OFFSET64, so just add one. Tested on x86_64-linux-gnu, i686-linux-gnu and powerpc64le-unknown-linux-gnu. Resolves: BZ #30804. Co-authored-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
2023-08-15io/tst-statvfs: fix statfs().f_type comparison test on some archesнаб1-1/+1
On i686 f_type is an i32 so the test fails when that has the top bit set. Explicitly cast to u32. Signed-off-by: Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz> Reviewed-by: Florian Weimer <fweimer@redhat.com>
2023-08-08linux: statvfs: allocate spare for f_typeнаб1-8/+11
This is the only missing part in struct statvfs. The LSB calls [f]statfs() deprecated, and its weird types are definitely off-putting. However, its use is required to get f_type. Instead, allocate one of the six spares to f_type, copied directly from struct statfs. This then becomes a small glibc extension to the standard interface on Linux and the Hurd, instead of two different interfaces, one of which is quite odd due to being an ABI type, and there no longer is any reason to use statfs(). The underlying kernel type is a mess, but all architectures agree on u32 (or more) for the ABI, and all filesystem magicks are 32-bit integers. We don't lose any generality by using u32, and by doing so we both make the API consistent with the Hurd, and allow C++ switch(f_type) { case RAMFS_MAGIC: ...; } Also fix tst-statvfs so that it actually fails; as it stood, all it did was return 0 always. Test statfs()' and statvfs()' f_types are the same. Link: https://lore.kernel.org/linux-man/f54kudgblgk643u32tb6at4cd3kkzha6hslahv24szs4raroaz@ogivjbfdaqtb/t/#u Signed-off-by: Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-07-05Exclude routines from fortificationFrédéric Bérat1-0/+16
Since the _FORTIFY_SOURCE feature uses some routines of Glibc, they need to be excluded from the fortification. On top of that: - some tests explicitly verify that some level of fortification works appropriately, we therefore shouldn't modify the level set for them. - some objects need to be build with optimization disabled, which prevents _FORTIFY_SOURCE to be used for them. Assembler files that implement architecture specific versions of the fortified routines were not excluded from _FORTIFY_SOURCE as there is no C header included that would impact their behavior. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-06-02Fix all the remaining misspellings -- BZ 25337Paul Pluzhnikov2-2/+2
2023-06-01tests: replace ftruncate by xftruncateFrédéric Bérat1-1/+1
With fortification enabled, ftruncate calls return result needs to be checked, has it gets the __wur macro enabled. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-06-01tests: replace write by xwriteFrédéric Bérat10-10/+20
Using write without cheks leads to warn unused result when __wur is enabled. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-05-30io: Fix record locking contants on 32 bit arch with 64 bit default time_t ↵Adhemerval Zanella3-24/+132
(BZ#30477) For architecture with default 64 bit time_t support, the kernel does not provide LFS and non-LFS values for F_GETLK, F_GETLK, and F_GETLK (the default value used for 64 bit architecture are used). This is might be considered an ABI break, but the currenct exported values is bogus anyway. The POSIX lockf is not affected since it is aliased to lockf64, which already uses the LFS values. Checked on i686-linux-gnu and the new tests on a riscv32. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2023-05-30io: Re-flow and sort multiline Makefile definitionsAdhemerval Zanella1-1/+1
2023-05-25io: Re-flow and sort multiline Makefile definitionsAdhemerval Zanella1-63/+199
2023-05-20io: Fix a typoSergey Bugaev1-2/+2
Fixes 85f7554cd97e7f03d8dc66278653045ef63a2221 "Add test case for O_TMPFILE handling in open, openat" Signed-off-by: Sergey Bugaev <bugaevc@gmail.com> Message-Id: <20230520115531.3911877-3-bugaevc@gmail.com>
2023-02-06Replace rawmemchr (s, '\0') with strchrWilco Dijkstra1-1/+1
Almost all uses of rawmemchr find the end of a string. Since most targets use a generic implementation, replacing it with strchr is better since that is optimized by compilers into strlen (s) + s. Also fix the generic rawmemchr implementation to use a cast to unsigned char in the if statement. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-01-17Add STATX_DIOALIGN from Linux 6.1 to bits/statx-generic.hJoseph Myers1-0/+1
Linux 6.1 adds a new STATX_DIOALIGN constant. Add it to glibc's bits/statx-generic.h. Tested for x86_64.
2023-01-06Update copyright dates with scripts/update-copyrightsJoseph Myers152-152/+152
2022-11-08Linux: Add ppoll fortify symbol for 64 bit time_t (BZ# 29746)Adhemerval Zanella1-0/+25
Similar to ppoll, the poll.h header needs to redirect the poll call to a proper fortified ppoll with 64 bit time_t support. The implementation is straightforward, just need to add a similar check as __poll_chk and call the 64 bit time_t ppoll version. The debug fortify tests are also extended to cover 64 bit time_t for affected ABIs. Unfortunately it requires an aditional symbol, which makes backport tricky. One possibility is to add a static inline version if compiler supports is and call abort instead of __chk_fail, so fortified version will call __poll64 in the end. Another possibility is to just remove the fortify support for _TIME_BITS=64. Checked on i686-linux-gnu.
2022-11-01configure: Use -Wno-ignored-attributes if compiler warns about multiple aliasesAdhemerval Zanella1-8/+10
clang emits an warning when a double alias redirection is used, to warn the the original symbol will be used even when weak definition is overridden. However, this is a common pattern for weak_alias, where multiple alias are set to same symbol. Reviewed-by: Fangrui Song <maskray@google.com>
2022-11-01Use uintptr_t in fts for pointer alignmentSzabolcs Nagy1-1/+2
The code assumed unsigned long can represent pointers. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2022-06-05grep: egrep -> grep -E, fgrep -> grep -FSam James1-1/+1
Newer versions of GNU grep (after grep 3.7, not inclusive) will warn on 'egrep' and 'fgrep' invocations. Convert usages within the tree to their expanded non-aliased counterparts to avoid irritating warnings during ./configure and the test suite. Signed-off-by: Sam James <sam@gentoo.org> Reviewed-by: Fangrui Song <maskray@google.com>
2022-04-28linux: Fix fchmodat with AT_SYMLINK_NOFOLLOW for 64 bit time_t (BZ#29097)Adhemerval Zanella3-4/+28
The AT_SYMLINK_NOFOLLOW emulation ues the default 32 bit stat internal calls, which fails with EOVERFLOW if the file constains timestamps beyond 2038. Checked on i686-linux-gnu.
2022-02-28io: Add fsync call in tst-statFlorian Weimer1-0/+4
io/tst-stat and io/tst-stat-lfs fail sporadically on the Fedora builders, and this change hopefully helps to avoid the issue.
2022-01-25io: Fix use-after-free in ftw [BZ #26779]Martin Sebor1-2/+3
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2022-01-01Update copyright dates with scripts/update-copyrightsPaul Eggert152-152/+152
I used these shell commands: ../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright (cd ../glibc && git commit -am"[this commit message]") and then ignored the output, which consisted lines saying "FOO: warning: copyright statement not found" for each of 7061 files FOO. I then removed trailing white space from math/tgmath.h, support/tst-support-open-dev-null-range.c, and sysdeps/x86_64/multiarch/strlen-vec.S, to work around the following obscure pre-commit check failure diagnostics from Savannah. I don't know why I run into these diagnostics whereas others evidently do not. remote: *** 912-#endif remote: *** 913: remote: *** 914- remote: *** error: lines with trailing whitespace found ... remote: *** error: sysdeps/unix/sysv/linux/statx_cp.c: trailing lines
2021-11-24io: Refactor close_range and closefromAdhemerval Zanella4-8/+355
Now that Hurd implementis both close_range and closefrom (f2c996597d), we can make close_range() a base ABI, and make the default closefrom() implementation on top of close_range(). The generic closefrom() implementation based on __getdtablesize() is moved to generic close_range(). On Linux it will be overriden by the auto-generation syscall while on Hurd it will be a system specific implementation. The closefrom() now calls close_range() and __closefrom_fallback(). Since on Hurd close_range() does not fail, __closefrom_fallback() is an empty static inline function set by__ASSUME_CLOSE_RANGE. The __ASSUME_CLOSE_RANGE also allows optimize Linux __closefrom_fallback() implementation when --enable-kernel=5.9 or higher is used. Finally the Linux specific tst-close_range.c is moved to io and enabled as default. The Linuxism and CLOSE_RANGE_UNSHARE are guarded so it can be built for Hurd (I have not actually test it). Checked on x86_64-linux-gnu, i686-linux-gnu, and with a i686-gnu build.
2021-10-20Make sure that the fortified function conditionals are constantSiddhesh Poyarekar1-21/+6
In _FORTIFY_SOURCE=3, the size expression may be non-constant, resulting in branches in the inline functions remaining intact and causing a tiny overhead. Clang (and in future, gcc) make sure that the -1 case is always safe, i.e. any comparison of the generated expression with (size_t)-1 is always false so that bit is taken care of. The rest is avoidable since we want the _chk variant whenever we have a size expression and it's not -1. Rework the conditionals in a uniform way to clearly indicate two conditions at compile time: - Either the size is unknown (-1) or we know at compile time that the operation length is less than the object size. We can call the original function in this case. It could be that either the length, object size or both are non-constant, but the compiler, through range analysis, is able to fold the *comparison* to a constant. - The size and length are known and the compiler can see at compile time that operation length > object size. This is valid grounds for a warning at compile time, followed by emitting the _chk variant. For everything else, emit the _chk variant. This simplifies most of the fortified function implementations and at the same time, ensures that only one call from _chk or the regular function is emitted. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-10-20Don't add access size hints to fortifiable functionsSiddhesh Poyarekar2-5/+5
In the context of a function definition, the size hints imply that the size of an object pointed to by one parameter is another parameter. This doesn't make sense for the fortified versions of the functions since that's the bit it's trying to validate. This is harmless with __builtin_object_size since it has fairly simple semantics when it comes to objects passed as function parameters. With __builtin_dynamic_object_size we could (as my patchset for gcc[1] already does) use the access attribute to determine the object size in the general case but it misleads the fortified functions. Basically the problem occurs when access attributes are present on regular functions that have inline fortified definitions to generate _chk variants; the attributes get inherited by these definitions, causing problems when analyzing them. For example with poll(fds, nfds, timeout), nfds is hinted using the __attr_access as being the size of fds. Now, when analyzing the inline function definition in bits/poll2.h, the compiler sees that nfds is the size of fds and tries to use that information in the function body. In _FORTIFY_SOURCE=3 case, where the object size could be a non-constant expression, this information results in the conclusion that nfds is the size of fds, which defeats the purpose of the implementation because we're trying to check here if nfds does indeed represent the size of fds. Hence for this case, it is best to not have the access attribute. With the attributes gone, the expression evaluation should get delayed until the function is actually inlined into its destinations. Disable the access attribute for fortified function inline functions when building at _FORTIFY_SOURCE=3 to make this work better. The access attributes remain for the _chk variants since they can be used by the compiler to warn when the caller is passing invalid arguments. [1] https://gcc.gnu.org/pipermail/gcc-patches/2021-October/581125.html Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2021-10-07io: Fix ftw internal realloc buffer (BZ #28126)Adhemerval Zanella3-20/+117
The 106ff08526d3ca did not take in consideration the buffer might be reallocated if the total path is larger than PATH_MAX. The realloc uses 'dirbuf', where 'dirstreams' is the allocated buffer. Checked on x86_64-linux-gnu. Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
2021-10-04io: Do not skip timestamps tests for 32-bit time_tAdhemerval Zanella1-1/+3
The first test in the set do not require 64-bit time_t support, so there is no need to return UNSUPPORTED for the whole test. The patch also adds another test with arbitrary date prior y2038. Checked on x86_64-linux-gnu and i686-linux-gnu.
2021-09-03Remove "Contributed by" linesSiddhesh Poyarekar12-12/+0
We stopped adding "Contributed by" or similar lines in sources in 2012 in favour of git logs and keeping the Contributors section of the glibc manual up to date. Removing these lines makes the license header a bit more consistent across files and also removes the possibility of error in attribution when license blocks or files are copied across since the contributed-by lines don't actually reflect reality in those cases. Move all "Contributed by" and similar lines (Written by, Test by, etc.) into a new file CONTRIBUTED-BY to retain record of these contributions. These contributors are also mentioned in manual/contrib.texi, so we just maintain this additional record as a courtesy to the earlier developers. The following scripts were used to filter a list of files to edit in place and to clean up the CONTRIBUTED-BY file respectively. These were not added to the glibc sources because they're not expected to be of any use in future given that this is a one time task: https://gist.github.com/siddhesh/b5ecac94eabfd72ed2916d6d8157e7dc https://gist.github.com/siddhesh/15ea1f5e435ace9774f485030695ee02 Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2021-08-26Use support_open_dev_null_range io/tst-closefrom, misc/tst-close_range, and ↵Adhemerval Zanella1-15/+6
posix/tst-spawn5 (BZ #28260) It ensures a continuous range of file descriptor and avoid hitting the RLIMIT_NOFILE. Checked on x86_64-linux-gnu.
2021-08-06Linux: Fix fcntl, ioctl, prctl redirects for _TIME_BITS=64 (bug 28182)Florian Weimer1-4/+4
__REDIRECT and __THROW are not compatible with C++ due to the ordering of the __asm__ alias and the throw specifier. __REDIRECT_NTH has to be used instead. Fixes commit 8a40aff86ba5f64a3a84883e539cb67b ("io: Add time64 alias for fcntl"), commit 82c395d91ea4f69120d453aeec398e30 ("misc: Add time64 alias for ioctl"), commit b39ffab860cd743a82c91946619f1b8158 ("Linux: Add time64 alias for prctl"). Reviewed-by: Carlos O'Donell <carlos@redhat.com>