aboutsummaryrefslogtreecommitdiff
path: root/stdlib
AgeCommit message (Collapse)AuthorFilesLines
2022-07-27arc4random: simplify design for better safetyJason A. Donenfeld5-559/+45
Rather than buffering 16 MiB of entropy in userspace (by way of chacha20), simply call getrandom() every time. This approach is doubtlessly slower, for now, but trying to prematurely optimize arc4random appears to be leading toward all sorts of nasty properties and gotchas. Instead, this patch takes a much more conservative approach. The interface is added as a basic loop wrapper around getrandom(), and then later, the kernel and libc together can work together on optimizing that. This prevents numerous issues in which userspace is unaware of when it really must throw away its buffer, since we avoid buffering all together. Future improvements may include userspace learning more from the kernel about when to do that, which might make these sorts of chacha20-based optimizations more possible. The current heuristic of 16 MiB is meaningless garbage that doesn't correspond to anything the kernel might know about. So for now, let's just do something conservative that we know is correct and won't lead to cryptographic issues for users of this function. This patch might be considered along the lines of, "optimization is the root of all evil," in that the much more complex implementation it replaces moves too fast without considering security implications, whereas the incremental approach done here is a much safer way of going about things. Once this lands, we can take our time in optimizing this properly using new interplay between the kernel and userspace. getrandom(0) is used, since that's the one that ensures the bytes returned are cryptographically secure. But on systems without it, we fallback to using /dev/urandom. This is unfortunate because it means opening a file descriptor, but there's not much of a choice. Secondly, as part of the fallback, in order to get more or less the same properties of getrandom(0), we poll on /dev/random, and if the poll succeeds at least once, then we assume the RNG is initialized. This is a rough approximation, as the ancient "non-blocking pool" initialized after the "blocking pool", not before, and it may not port back to all ancient kernels, though it does to all kernels supported by glibc (≥3.2), so generally it's the best approximation we can do. The motivation for including arc4random, in the first place, is to have source-level compatibility with existing code. That means this patch doesn't attempt to litigate the interface itself. It does, however, choose a conservative approach for implementing it. Cc: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org> Cc: Florian Weimer <fweimer@redhat.com> Cc: Cristian Rodríguez <crrodriguez@opensuse.org> Cc: Paul Eggert <eggert@cs.ucla.edu> Cc: Mark Harris <mark.hsj@gmail.com> Cc: Eric Biggers <ebiggers@kernel.org> Cc: linux-crypto@vger.kernel.org Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2022-07-22aarch64: Add optimized chacha20Adhemerval Zanella Netto1-2/+6
It adds vectorized ChaCha20 implementation based on libgcrypt cipher/chacha20-aarch64.S. It is used as default and only little-endian is supported (BE uses generic code). As for generic implementation, the last step that XOR with the input is omited. The final state register clearing is also omitted. On a virtualized Linux on Apple M1 it shows the following improvements (using formatted bench-arc4random data): GENERIC MB/s ----------------------------------------------- arc4random [single-thread] 380.89 arc4random_buf(16) [single-thread] 500.73 arc4random_buf(32) [single-thread] 552.61 arc4random_buf(48) [single-thread] 566.82 arc4random_buf(64) [single-thread] 574.01 arc4random_buf(80) [single-thread] 581.02 arc4random_buf(96) [single-thread] 591.19 arc4random_buf(112) [single-thread] 592.29 arc4random_buf(128) [single-thread] 596.43 ----------------------------------------------- OPTIMIZED MB/s ----------------------------------------------- arc4random [single-thread] 569.60 arc4random_buf(16) [single-thread] 825.78 arc4random_buf(32) [single-thread] 987.03 arc4random_buf(48) [single-thread] 1042.39 arc4random_buf(64) [single-thread] 1075.50 arc4random_buf(80) [single-thread] 1094.68 arc4random_buf(96) [single-thread] 1130.16 arc4random_buf(112) [single-thread] 1129.58 arc4random_buf(128) [single-thread] 1137.91 ----------------------------------------------- Checked on aarch64-linux-gnu.
2022-07-22stdlib: Add arc4random testsAdhemerval Zanella Netto5-0/+860
The basic tst-arc4random-chacha20.c checks if the output of ChaCha20 implementation matches the reference test vectors from RFC8439. The tst-arc4random-fork.c check if subprocesses generate distinct streams of randomness (if fork handling is done correctly). The tst-arc4random-stats.c is a statistical test to the randomness of arc4random, arc4random_buf, and arc4random_uniform. The tst-arc4random-thread.c check if threads generate distinct streams of randomness (if function are thread-safe). Checked on x86_64-linux-gnu, aarch64-linux, and powerpc64le-linux-gnu. Co-authored-by: Florian Weimer <fweimer@redhat.com> Checked on x86_64-linux-gnu and aarch64-linux-gnu.
2022-07-22stdlib: Add arc4random, arc4random_buf, and arc4random_uniform (BZ #4417)Adhemerval Zanella Netto7-0/+603
The implementation is based on scalar Chacha20 with per-thread cache. It uses getrandom or /dev/urandom as fallback to get the initial entropy, and reseeds the internal state on every 16MB of consumed buffer. To improve performance and lower memory consumption the per-thread cache is allocated lazily on first arc4random functions call, and if the memory allocation fails getentropy or /dev/urandom is used as fallback. The cache is also cleared on thread exit iff it was initialized (so if arc4random is not called it is not touched). Although it is lock-free, arc4random is still not async-signal-safe (the per thread state is not updated atomically). The ChaCha20 implementation is based on RFC8439 [1], omitting the final XOR of the keystream with the plaintext because the plaintext is a stream of zeros. This strategy is similar to what OpenBSD arc4random does. The arc4random_uniform is based on previous work by Florian Weimer, where the algorithm is based on Jérémie Lumbroso paper Optimal Discrete Uniform Generation from Coin Flips, and Applications (2013) [2], who credits Donald E. Knuth and Andrew C. Yao, The complexity of nonuniform random number generation (1976), for solving the general case. The main advantage of this method is the that the unit of randomness is not the uniform random variable (uint32_t), but a random bit. It optimizes the internal buffer sampling by initially consuming a 32-bit random variable and then sampling byte per byte. Depending of the upper bound requested, it might lead to better CPU utilization. Checked on x86_64-linux-gnu, aarch64-linux, and powerpc64le-linux-gnu. Co-authored-by: Florian Weimer <fweimer@redhat.com> Reviewed-by: Yann Droneaud <ydroneaud@opteya.com> [1] https://datatracker.ietf.org/doc/html/rfc8439 [2] https://arxiv.org/pdf/1304.1916.pdf
2022-07-05stdlib: Simplify buffer management in canonicalizeFlorian Weimer1-64/+51
Move the buffer management from realpath_stk to __realpath. This allows returning directly after allocation errors. Always make a copy of the result buffer using strdup even if it is already heap-allocated. (Heap-allocated buffers are somewhat rare.) This avoids GCC warnings at certain optimization levels. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-06-30Refactor internal-signals.hAdhemerval Zanella1-5/+5
The main drive is to optimize the internal usage and required size when sigset_t is embedded in other data structures. On Linux, the current supported signal set requires up to 8 bytes (16 on mips), was lower than the user defined sigset_t (128 bytes). A new internal type internal_sigset_t is added, along with the functions to operate on it similar to the ones for sigset_t. The internal-signals.h is also refactored to remove unused functions Besides small stack usage on some functions (posix_spawn, abort) it lower the struct pthread by about 120 bytes (112 on mips). Checked on x86_64-linux-gnu. Reviewed-by: Arjun Shankar <arjun@redhat.com>
2022-06-23stdlib: Fixup mbstowcs NULL __dst handling. [BZ #29279]Noah Goldstein1-4/+4
commit 464d189b9622932a75302290625de84931656ec0 (origin/master, origin/HEAD) Author: Noah Goldstein <goldstein.w.n@gmail.com> Date: Wed Jun 22 08:24:21 2022 -0700 stdlib: Remove attr_write from mbstows if dst is NULL [BZ: 29265] Incorrectly called `__mbstowcs_chk` in the NULL __dst case which is incorrect as in the NULL __dst case we are explicitly skipping the objsize checks. As well, remove the `__always_inline` attribute which exists in `__fortify_function`. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-06-22stdlib: Remove attr_write from mbstows if dst is NULL [BZ: 29265]Noah Goldstein3-5/+21
mbstows is defined if dst is NULL and is defined to special cased if dst is NULL so the fortify objsize check if incorrect in that case. Tested on x86-64 linux. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-06-22stdlib: Remove trailing whitespace from MakefileNoah Goldstein1-1/+1
This causes precommit tests to fail when pushing commits that modify this file.
2022-04-13stdlib: Reflow and sort most variable assignmentsAdhemerval Zanella1-63/+227
2022-03-31realpath: Bring back GNU extension on ENOENT and EACCES [BZ #28996]Siddhesh Poyarekar2-5/+8
The GNU extension for realpath states that if the path resolution fails with ENOENT or EACCES and the resolved buffer is non-NULL, it will contain part of the path that failed resolution. commit 949ad78a189194048df8a253bb31d1d11d919044 broke this when it omitted the copy on failure. Bring it back partially to continue supporting this GNU extension. Resolves: BZ #28996 Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: Andreas Schwab <schwab@linux-m68k.org>
2022-03-31stdlib: Fix tst-getrandom memcmp callAdhemerval Zanella1-1/+1
The idea is to check if the up sizeof (buf) are equal, not only the first byte. Checked on x86_64-linux-gnu and i686-linux-gnu.
2022-03-31stdlib: Fix tst-rand48.c printf typesAdhemerval Zanella1-3/+3
Checked on x86_64-linux-gnu and i686-linux-gnu.
2022-03-10Add some missing access function attributesSteve Grubb1-2/+4
This patch adds some missing access function attributes to getrandom / getentropy and several functions in sys/xattr.h Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-02-21realpath: Do not copy result on failure (BZ #28815)Siddhesh Poyarekar2-3/+5
On failure, the contents of the resolved buffer passed in by the caller to realpath are undefined. Do not copy any partial resolution to the buffer and also do not test resolved contents in test-canon.c. Resolves: BZ #28815 Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2022-01-25stdlib: Avoid -Wuse-after-free in __add_to_environ [BZ #26779]Martin Sebor1-2/+4
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2022-01-24realpath: Avoid overwriting preexisting error (CVE-2021-3998)Siddhesh Poyarekar1-1/+1
Set errno and failure for paths that are too long only if no other error occurred earlier. Related: BZ #28770 Reviewed-by: Andreas Schwab <schwab@linux-m68k.org> Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-24tst-realpath-toolong: Fix hurd buildSiddhesh Poyarekar1-0/+4
Define PATH_MAX to a constant if it isn't already defined, like in hurd. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-21realpath: Set errno to ENAMETOOLONG for result larger than PATH_MAX [BZ #28770]Siddhesh Poyarekar3-2/+60
realpath returns an allocated string when the result exceeds PATH_MAX, which is unexpected when its second argument is not NULL. This results in the second argument (resolved) being uninitialized and also results in a memory leak since the caller expects resolved to be the same as the returned value. Return NULL and set errno to ENAMETOOLONG if the result exceeds PATH_MAX. This fixes [BZ #28770], which is CVE-2021-3998. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-13stdlib: Fix formatting of tests list in MakefileSiddhesh Poyarekar1-75/+77
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: Florian Weimer <fweimer@redhat.com>
2022-01-13stdlib: Sort tests in MakefileSiddhesh Poyarekar1-24/+75
Put one test per line and sort them. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-01Update copyright dates with scripts/update-copyrightsPaul Eggert211-211/+211
I used these shell commands: ../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright (cd ../glibc && git commit -am"[this commit message]") and then ignored the output, which consisted lines saying "FOO: warning: copyright statement not found" for each of 7061 files FOO. I then removed trailing white space from math/tgmath.h, support/tst-support-open-dev-null-range.c, and sysdeps/x86_64/multiarch/strlen-vec.S, to work around the following obscure pre-commit check failure diagnostics from Savannah. I don't know why I run into these diagnostics whereas others evidently do not. remote: *** 912-#endif remote: *** 913: remote: *** 914- remote: *** error: lines with trailing whitespace found ... remote: *** error: sysdeps/unix/sysv/linux/statx_cp.c: trailing lines
2021-12-17fortify: Fix spurious warning with realpathSiddhesh Poyarekar1-1/+1
The length and object size arguments were swapped around for realpath. Also add a smoke test so that any changes in this area get caught in future. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-10-21Add alloc_align attribute to memalign et alJonathan Wakely1-1/+3
GCC 4.9.0 added the alloc_align attribute to say that a function argument specifies the alignment of the returned pointer. Clang supports the attribute too. Using the attribute can allow a compiler to generate better code if it knows the returned pointer has a minimum alignment. See https://gcc.gnu.org/PR60092 for more details. GCC implicitly knows the semantics of aligned_alloc and posix_memalign, but not the obsolete memalign. As a result, GCC generates worse code when memalign is used, compared to aligned_alloc. Clang knows about aligned_alloc and memalign, but not posix_memalign. This change adds a new __attribute_alloc_align__ macro to <sys/cdefs.h> and then uses it on memalign (where it helps GCC) and aligned_alloc (where GCC and Clang already know the semantics, but it doesn't hurt) and xposix_memalign. It can't be used on posix_memalign because that doesn't return a pointer (the allocated pointer is returned via a void** parameter instead). Unlike the alloc_size attribute, alloc_align only allows a single argument. That means the new __attribute_alloc_align__ macro doesn't really need to be used with double parentheses to protect a comma between its arguments. For consistency with __attribute_alloc_size__ this patch defines it the same way, so that double parentheses are required. Signed-off-by: Jonathan Wakely <jwakely@redhat.com> Reviewed-by: Carlos O'Donell <carlos@redhat.com> Tested-by: Carlos O'Donell <carlos@redhat.com>
2021-10-20stdlib: Fix tst-canon-bz26341 when the glibc build current working directory ↵omain GEISSLER1-0/+6
is itself using symlinks.
2021-10-20Make sure that the fortified function conditionals are constantSiddhesh Poyarekar1-40/+17
In _FORTIFY_SOURCE=3, the size expression may be non-constant, resulting in branches in the inline functions remaining intact and causing a tiny overhead. Clang (and in future, gcc) make sure that the -1 case is always safe, i.e. any comparison of the generated expression with (size_t)-1 is always false so that bit is taken care of. The rest is avoidable since we want the _chk variant whenever we have a size expression and it's not -1. Rework the conditionals in a uniform way to clearly indicate two conditions at compile time: - Either the size is unknown (-1) or we know at compile time that the operation length is less than the object size. We can call the original function in this case. It could be that either the length, object size or both are non-constant, but the compiler, through range analysis, is able to fold the *comparison* to a constant. - The size and length are known and the compiler can see at compile time that operation length > object size. This is valid grounds for a warning at compile time, followed by emitting the _chk variant. For everything else, emit the _chk variant. This simplifies most of the fortified function implementations and at the same time, ensures that only one call from _chk or the regular function is emitted. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-10-20Don't add access size hints to fortifiable functionsSiddhesh Poyarekar1-2/+3
In the context of a function definition, the size hints imply that the size of an object pointed to by one parameter is another parameter. This doesn't make sense for the fortified versions of the functions since that's the bit it's trying to validate. This is harmless with __builtin_object_size since it has fairly simple semantics when it comes to objects passed as function parameters. With __builtin_dynamic_object_size we could (as my patchset for gcc[1] already does) use the access attribute to determine the object size in the general case but it misleads the fortified functions. Basically the problem occurs when access attributes are present on regular functions that have inline fortified definitions to generate _chk variants; the attributes get inherited by these definitions, causing problems when analyzing them. For example with poll(fds, nfds, timeout), nfds is hinted using the __attr_access as being the size of fds. Now, when analyzing the inline function definition in bits/poll2.h, the compiler sees that nfds is the size of fds and tries to use that information in the function body. In _FORTIFY_SOURCE=3 case, where the object size could be a non-constant expression, this information results in the conclusion that nfds is the size of fds, which defeats the purpose of the implementation because we're trying to check here if nfds does indeed represent the size of fds. Hence for this case, it is best to not have the access attribute. With the attributes gone, the expression evaluation should get delayed until the function is actually inlined into its destinations. Disable the access attribute for fortified function inline functions when building at _FORTIFY_SOURCE=3 to make this work better. The access attributes remain for the _chk variants since they can be used by the compiler to warn when the caller is passing invalid arguments. [1] https://gcc.gnu.org/pipermail/gcc-patches/2021-October/581125.html Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2021-10-05Fix stdlib/tst-setcontext.c for GCC 12 -Warray-compareJoseph Myers1-1/+1
Building stdlib/tst-setcontext.c fails with GCC mainline: tst-setcontext.c: In function 'f2': tst-setcontext.c:61:16: error: comparison between two arrays [-Werror=array-compare] 61 | if (on_stack < st2 || on_stack >= st2 + sizeof (st2)) | ^ tst-setcontext.c:61:16: note: use '&on_stack[0] < &st2[0]' to compare the addresses The comparison in this case is deliberate, so adjust it as suggested in that note. Tested with build-many-glibcs.py (GCC mainline) for aarch64-linux-gnu.
2021-09-03Remove "Contributed by" linesSiddhesh Poyarekar51-52/+0
We stopped adding "Contributed by" or similar lines in sources in 2012 in favour of git logs and keeping the Contributors section of the glibc manual up to date. Removing these lines makes the license header a bit more consistent across files and also removes the possibility of error in attribution when license blocks or files are copied across since the contributed-by lines don't actually reflect reality in those cases. Move all "Contributed by" and similar lines (Written by, Test by, etc.) into a new file CONTRIBUTED-BY to retain record of these contributions. These contributors are also mentioned in manual/contrib.texi, so we just maintain this additional record as a courtesy to the earlier developers. The following scripts were used to filter a list of files to edit in place and to clean up the CONTRIBUTED-BY file respectively. These were not added to the glibc sources because they're not expected to be of any use in future given that this is a one time task: https://gist.github.com/siddhesh/b5ecac94eabfd72ed2916d6d8157e7dc https://gist.github.com/siddhesh/15ea1f5e435ace9774f485030695ee02 Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2021-08-04test-dlclose-exit-race: avoid hang on pthread_create errorDJ Delorie1-1/+13
This test depends on the "last" function being called in a different thread than the "first" function, as "last" posts a semaphore that "first" is waiting on. However, if pthread_create fails - for example, if running in an older container before the clone3()-in-container-EPERM fixes - exit() is called in the same thread as everything else, the semaphore never gets posted, and first hangs. The fix is to pre-post that semaphore before a single-threaded exit. Reviewed-by: Arjun Shankar <arjun@redhat.com>
2021-07-28__cxa_thread_atexit_impl: Abort on allocation failure [BZ #18524]Siddhesh Poyarekar1-0/+4
Abort in the unlikely event that allocation fails when trying to register a TLS destructor. Reviewed-by: Florian Weimer <fweimer@redhat.com>
2021-07-09Define PTHREAD_STACK_MIN to sysconf(_SC_THREAD_STACK_MIN)H.J. Lu1-5/+6
The constant PTHREAD_STACK_MIN may be too small for some processors. Rename _SC_SIGSTKSZ_SOURCE to _DYNAMIC_STACK_SIZE_SOURCE. When _DYNAMIC_STACK_SIZE_SOURCE or _GNU_SOURCE are defined, define PTHREAD_STACK_MIN to sysconf(_SC_THREAD_STACK_MIN) which is changed to MIN (PTHREAD_STACK_MIN, sysconf(_SC_MINSIGSTKSZ)). Consolidate <bits/local_lim.h> with <bits/pthread_stack_min.h> to provide a constant target specific PTHREAD_STACK_MIN value. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2021-07-09Force building with -fno-commonFlorian Weimer1-1/+1
As a result, is not necessary to specify __attribute__ ((nocommon)) on individual definitions. GCC 10 defaults to -fno-common on all architectures except ARC, but this change is compatible with older GCC versions and ARC, too. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2021-07-08Move mcheck symbol from stdlib to mallocSiddhesh Poyarekar1-1/+1
It is defined in malloc, so it belongs there. Verified on x86_64 that the built libraries are identical despite this change.
2021-06-03dlfcn: Cleanups after -ldl is no longer requiredFlorian Weimer1-5/+3
This commit removes the ELF constructor and internal variables from dlfcn/dlfcn.c. The file now serves the same purpose as nptl/libpthread-compat.c, so it is renamed to dlfcn/libdl-compat.c. The use of libdl-shared-only-routines ensures that libdl.a is empty. This commit adjusts the test suite not to use $(libdl). The libdl.so symbolic link is no longer installed. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-05-16Enable support for GCC 11 -Wmismatched-dealloc.Martin Sebor3-6/+95
To help detect common kinds of memory (and other resource) management bugs, GCC 11 adds support for the detection of mismatched calls to allocation and deallocation functions. At each call site to a known deallocation function GCC checks the set of allocation functions the former can be paired with and, if the two don't match, issues a -Wmismatched-dealloc warning (something similar happens in C++ for mismatched calls to new and delete). GCC also uses the same mechanism to detect attempts to deallocate objects not allocated by any allocation function (or pointers past the first byte into allocated objects) by -Wfree-nonheap-object. This support is enabled for built-in functions like malloc and free. To extend it beyond those, GCC extends attribute malloc to designate a deallocation function to which pointers returned from the allocation function may be passed to deallocate the allocated objects. Another, optional argument designates the positional argument to which the pointer must be passed. This change is the first step in enabling this extended support for Glibc.
2021-05-14stdlib: Fix data race in __run_exit_handlers [BZ #27749]Vitaly Buka3-17/+133
Keep __exit_funcs_lock almost all the time and unlock it only to execute callbacks. This fixed two issues. 1. f->func.cxa was modified outside the lock with rare data race like: thread 0: __run_exit_handlers unlock __exit_funcs_lock thread 1: __internal_atexit locks __exit_funcs_lock thread 0: f->flavor = ef_free; thread 1: sees ef_free and use it as new thread 1: new->func.cxa.fn = (void (*) (void *, int)) func; thread 1: new->func.cxa.arg = arg; thread 1: new->flavor = ef_cxa; thread 0: cxafct = f->func.cxa.fn; // it's wrong fn! thread 0: cxafct (f->func.cxa.arg, status); // it's wrong arg! thread 0: goto restart; thread 0: call the same exit_function again as it's ef_cxa 2. Don't unlock in main while loop after *listp = cur->next. If *listp is NULL and __exit_funcs_done is false another thread may fail in __new_exitfn on assert (l != NULL): thread 0: *listp = cur->next; // It can be the last: *listp = NULL. thread 0: __libc_lock_unlock thread 1: __libc_lock_lock in __on_exit thread 1: __new_exitfn thread 1: if (__exit_funcs_done) // false: thread 0 isn't there yet. thread 1: l = *listp thread 1: moves one and crashes on assert (l != NULL); The test needs multiple iterations to consistently fail without the fix. Fixes https://sourceware.org/bugzilla/show_bug.cgi?id=27749 Checked on x86_64-linux-gnu. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-05-06Annotate additional APIs with GCC attribute access.Martin Sebor1-2/+4
This change continues the improvements to compile-time out of bounds checking by decorating more APIs with either attribute access, or by explicitly providing the array bound in APIs such as tmpnam() that expect arrays of some minimum size as arguments. (The latter feature is new in GCC 11.) The only effects of the attribute and/or the array bound is to check and diagnose calls to the functions that fail to provide a sufficient number of elements, and the definitions of the functions that access elements outside the specified bounds. (There is no interplay with _FORTIFY_SOURCE here yet.) Tested with GCC 7 through 11 on x86_64-linux.
2021-04-21nptl: Move pthread_setcancelstate into libcFlorian Weimer1-7/+2
No new symbol version is required because there was a forwarder. The symbol has been moved using scripts/move-symbol-to-libc.py. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-04-12support: Add capability to fork an sgid childSiddhesh Poyarekar1-181/+18
Add a new function support_capture_subprogram_self_sgid that spawns an sgid child of the running program with its own image and returns the exit code of the child process. This functionality is used by at least three tests in the testsuite at the moment, so it makes sense to consolidate. There is also a new function support_subprogram_wait which should provide simple system() like functionality that does not set up file actions. This is useful in cases where only the return code of the spawned subprocess is interesting. This patch also ports tst-secure-getenv to this new function. A subsequent patch will port other tests. This also brings an important change to tst-secure-getenv behaviour. Now instead of succeeding, the test fails as UNSUPPORTED if it is unable to spawn a setgid child, which is how it should have been in the first place. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2021-03-29fork.h: replace with register-atfork.hSamuel Thibault1-3/+1
UNREGISTER_ATFORK is now defined for all ports in register-atfork.h, so most previous includes of fork.h actually only need register-atfork.h now, and cxa_finalize.c does not need an ifdef UNREGISTER_ATFORK any more. The nptl-specific fork generation counters can then go to pthreadP.h, and fork.h be removed. Checked on x86_64-linux-gnu and i686-gnu. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-03-24stdlib: Fix BZ #26241 testcase on GNU/HurdSamuel Thibault1-3/+4
GNU/Hurd's readlink system call is partly implemented in userspace, which also allocates a buffer on the stack for the result, and thus needs one more path. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-01-20stdlib: Add testcase for BZ #26241Adhemerval Zanella2-1/+103
Old implementation of realpath allocates a PATH_MAX using alloca for each symlink in the path, leading to MAXSYMLINKS times PATH_MAX maximum stack usage. The test create a symlink with __eloop_threshold() loops and creates a thread with minimum stack size (obtained through support_small_stack_thread_attribute). The thread issues a stack allocations that fill the thread allocated stack minus some slack plus and the realpath usage (which assumes a bounded stack usage). If realpath uses more than about 2 * PATH_MAX plus some slack it triggers a stackoverflow. Checked on x86_64-linux-gnu and i686-linux-gnu. Reviewed-by: DJ Delorie <dj@redhat.com>
2021-01-11posix: Fix return value of system if shell can not be executed [BZ #27053]Adhemerval Zanella1-0/+17
POSIX states that system returned code for failure to execute the shell shall be as if the shell had terminated using _exit(127). This behaviour was removed with 5fb7fc96350575. Checked on x86_64-linux-gnu.
2021-01-05stdlib: Sync canonicalize with gnulib [BZ #10635] [BZ #26592] [BZ #26341] ↵Adhemerval Zanella2-170/+387
[BZ #24970] It sync with gnulib version ae9fb3d66. The testcase for BZ#23741 (stdlib/test-bz22786.c) is adjusted to check also for ENOMEM. The patch fixes multiple realpath issues: - Portability fixes for errno clobbering on free (BZ#10635). The function does not call free directly anymore, although it might be done through scratch_buffer_free. The free errno clobbering is being tracked by BZ#17924. - Pointer arithmetic overflows in realpath (BZ#26592). - Realpath cyclically call __alloca(path_max) to consume too much stack space (BZ#26341). - Realpath mishandles EOVERFLOW; stat not needed anyway (BZ#24970). The check is done through faccessat now. Checked on x86_64-linux-gnu and i686-linux-gnu.
2021-01-02Update copyright dates with scripts/update-copyrightsPaul Eggert208-208/+208
I used these shell commands: ../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright (cd ../glibc && git commit -am"[this commit message]") and then ignored the output, which consisted lines saying "FOO: warning: copyright statement not found" for each of 6694 files FOO. I then removed trailing white space from benchtests/bench-pthread-locks.c and iconvdata/tst-iconv-big5-hkscs-to-2ucs4.c, to work around this diagnostic from Savannah: remote: *** pre-commit check failed ... remote: *** error: lines with trailing whitespace found remote: error: hook declined to update refs/heads/master
2020-12-31nonstring: Enable __FORTIFY_LEVEL=3Siddhesh Poyarekar1-18/+24
Use __builtin_dynamic_object_size in the remaining functions that don't have compiler builtins as is the case for string functions.
2020-12-18getenv: Move call to strlen to the branch it's used in.Lode Willems1-1/+1
The len variable is only used in the else branch. We don't need the call to strlen if the name is 0 or 1 characters long. 2019-10-02 Lode Willems <Lode.Willems@UGent.be> * tdlib/getenv.c: Move the call to strlen into the branch it's used.
2020-12-14Remove strtoimax, strtoumax, wcstoimax, wcstoumax inlinesJoseph Myers1-118/+0
inttypes.h has inline implementations of the strtoimax, strtoumax, wcstoimax and wcstoumax functions, despite the corresponding stdlib.h and wchar.h inlines having been removed in 2007 (commit 9b2e9577b228350b15d88303b00097dd58e8d29b). Remove those inlines, thereby eliminating all references to the corresponding __*_internal functions from installed headers (so they could be made into compat symbols in future if desired). Tested for x86_64 and x86.
2020-12-12Fix spelling and grammar in several commentsJonny Grant1-1/+1