path: root/sysdeps/posix
Age | Commit message | Author | Files | Lines
2024-10-08 | stdlib: Make abort/_Exit AS-safe (BZ 26275) | Adhemerval Zanella | 1 | -3/+3
The recursive lock used on abort does not synchronize with a new process creation (either by fork-like interfaces or posix_spawn ones), nor is it reinitialized after fork(). Also, the SIGABRT unblock before raise() shows another race condition, where a fork or posix_spawn() call by another thread, just after the recursive lock release and before the SIGABRT signal, might create programs with a non-expected signal mask. With the default option (without POSIX_SPAWN_SETSIGDEF), the process can see SIG_DFL for SIGABRT, where it should be SIG_IGN.

To fix the AS-safety, raise() does not change the process signal mask, and an AS-safe lock is used if a SIGABRT is installed or the process is blocked or ignored. With the signal mask change removal, there is no need to use a recursive lock. The lock is also taken on both _Fork() and posix_spawn(), to avoid the spawned process seeing the abort handler as SIG_DFL.

A read-write lock is used to avoid serializing _Fork and posix_spawn execution. Both sigaction (SIGABRT) and abort() require locking as writer (since both change the disposition).

The fallback is also simplified: there is no need to use a loop of ABORT_INSTRUCTION after _exit() (if the syscall does not terminate the process, the system is broken).

The proposed fix changes how setjmp works on a SIGABRT handler, where glibc does not save the signal mask. So usage like the below will now always abort.

    static volatile int chk_fail_ok;
    static jmp_buf chk_fail_buf;

    static void
    handler (int sig)
    {
      if (chk_fail_ok)
        {
          chk_fail_ok = 0;
          longjmp (chk_fail_buf, 1);
        }
      else
        _exit (127);
    }
    [...]
    signal (SIGABRT, handler);
    [....]
    chk_fail_ok = 1;
    if (! setjmp (chk_fail_buf))
      {
        // Something that can call abort, like a failed fortify function.
        chk_fail_ok = 0;
        printf ("FAIL\n");
      }

Such cases will need to use sigsetjmp instead.

The _dl_start_profile calls sigaction through _profil, and to avoid pulling abort() on loader the call is replaced with __libc_sigaction.

Checked on x86_64-linux-gnu and aarch64-linux-gnu.

Reviewed-by: DJ Delorie <dj@redhat.com>
2024-09-26 | Fix missing randomness in __gen_tempname (bug 32214) | Andreas Schwab | 1 | -0/+2
Make sure to update the random value also if getrandom fails.

Fixes: 686d542025 ("posix: Sync tempname with gnulib")
2024-04-10 | posix: Sync tempname with gnulib | Adhemerval Zanella | 1 | -114/+59
The gnulib version contains an important change (9ce573cde), which fixes some problems with multithreading, entropy loss, and ASLR leak info. It also fixes an issue where getrandom is not being used on some new files generation (only for __GT_NOCREATE on first try).

The 044bf893ac removed __path_search, which is now moved to another gnulib shared files (stdio-common/tmpdir.{c,h}).

This patch also fixes direxists to use __stat64_time64 instead of __xstat64, and moves the include of pathmax.h for !_LIBC (since it is not used by glibc).

The license is also changed from GPL 3.0 to 2.1, with permission from the authors (Bruno Haible and Paul Eggert).

The sync also removed the clock fallback, since clock_gettime with CLOCK_REALTIME is expected to always succeed.

It syncs with gnulib commit 323834962817af7b115187e8c9a833437f8d20ec.

Checked on x86_64-linux-gnu.

Co-authored-by: Bruno Haible <bruno@clisp.org>
Co-authored-by: Paul Eggert <eggert@cs.ucla.edu>
Reviewed-by: Bruno Haible <bruno@clisp.org>
2024-01-01 | Update copyright dates with scripts/update-copyrights | Paul Eggert | 71 | -71/+71
2023-11-07 | linux: Decorate __libc_fatal error buffer | Adhemerval Zanella | 1 | -0/+3
Reviewed-by: DJ Delorie <dj@redhat.com>
2023-10-24 | Move getaddrinfo from 'posix' into 'nss' | Arjun Shankar | 1 | -2625/+0
getaddrinfo is an entry point for nss functionality. This commit moves it from 'sysdeps/posix' to 'nss', gets rid of the stub in 'posix', and moves all associated tests as well.

Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-09-25 | Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843] | Romain Geissler | 1 | -3/+1
This patch fixes a very recently added leak in getaddrinfo.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-09-15 | getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) | Siddhesh Poyarekar | 1 | -8/+17
When an NSS plugin only implements the _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use memory that was freed during tmpbuf resizing, through h_name in a previous query response.

The backing store for res->at->name when doing a query with gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in gethosts during the query. For AF_INET6 lookup with AI_ALL | AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second for a v4 lookup. In this case, if the first call reallocates tmpbuf enough times, resulting in a malloc, th->h_name (that res->at->name refers to) ends up in heap-allocated storage in tmpbuf. Now if the second call to gethosts also causes the plugin callback to return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF reference in res->at->name. This then gets dereferenced in the getcanonname_r plugin call, resulting in the use after free.

Fix this by copying h_name over and freeing it at the end.

This resolves BZ #30843, which is assigned CVE-2023-4806.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-09-11 | stdio: Remove __libc_message alloca usage | Joe Simmons-Talbott | 1 | -34/+13
Use a fixed size array instead. The maximum number of arguments is set by macro tricks.

Co-authored-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-09-06 | getaddrinfo: Get rid of alloca | Joe Simmons-Talbott | 1 | -15/+9
Use a scratch_buffer rather than alloca to avoid potential stack overflow.
2023-09-05 | getcanonname: Fix a typo | Siddhesh Poyarekar | 1 | -1/+1
This code is generally unused in practice since there don't seem to be any NSS modules that only implement _nss_MOD_gethostbyname2_r and not _nss_MOD_gethostbyname3_r.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-06-20 | hurd: readv: Get rid of alloca | Joe Simmons-Talbott | 1 | -16/+12
Replace alloca with a scratch_buffer to avoid potential stack overflows.

Checked on i686-gnu and x86_64-linux-gnu.

Message-Id: <20230619144334.2902429-1-josimmon@redhat.com>
2023-06-20 | hurd: writev: Add back cleanup handler | Joe Simmons-Talbott | 1 | -3/+7
There is a potential memory leak for large writes due to writev being a "shall occur" cancellation point. Add back the cleanup handler removed in cf30aa43a5917f441c9438aaee201c53c8e1d76b.

Checked on i686-gnu and x86_64-linux-gnu.

Message-Id: <20230619143842.2901522-1-josimmon@redhat.com>
2023-06-19 | hurd: writev: Get rid of alloca | Joe Simmons-Talbott | 1 | -23/+14
Use a scratch_buffer rather than alloca to avoid potential stack overflows.

Checked on i686-gnu and x86_64-linux-gnu.

Message-Id: <20230608155844.976554-1-josimmon@redhat.com>
2023-06-13 | posix: Handle success in gai_strerror() | Dridi Boukelmoune | 1 | -0/+1
Signed-off-by: Dridi Boukelmoune <dridi.boukelmoune@gmail.com>
Reviewed-by: Arjun Shankar <arjun@redhat.com>
2023-05-29 | posix: Add error message for EAI_OVERFLOW | Dridi Boukelmoune | 1 | -0/+1
Signed-off-by: Dridi Boukelmoune <dridi.boukelmoune@gmail.com>
Reviewed-by: Arjun Shankar <arjun@redhat.com>
2023-03-28 | system: Add "--" after "-c" for sh (BZ #28519) | Joe Simmons-Talbott | 1 | -0/+1
Prevent sh from interpreting a user string as shell options if it starts with '-' or '+'. Since the version of /bin/sh used for testing system() is different from the full-fledged system /bin/sh add support to it for handling "--" after "-c". Add a testcase to ensure the expected behavior.

Signed-off-by: Joe Simmons-Talbott <josimmon@redhat.com>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-03-27 | libio: Do not autogenerate stdio_lim.h | Adhemerval Zanella Netto | 1 | -5/+0
Instead define the required fields in system dependent files. The only system dependent definition is FILENAME_MAX, which should match POSIX PATH_MAX, and it is obtained from either kernel UAPI or mach headers. Currently set pre-defined value from current kernels.

It avoids a circular dependency when including stdio.h in gen-as-const-headers files.

Checked on x86_64-linux-gnu and i686-linux-gnu.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2023-03-27 | Move libc_freeres_ptrs and libc_subfreeres to hidden/weak functions | Adhemerval Zanella Netto | 2 | -3/+6
They are both used by __libc_freeres to free all library malloc allocated resources to help tooling like mtrace or valgrind with memory leak tracking.

The current scheme uses assembly markers and linker script entries to consolidate the free routine function pointers in the RELRO segment and to be freed buffers in BSS. This patch changes it to use specific free functions for libc_freeres_ptrs buffers and call the function pointer array directly with call_function_static_weak.

It allows the removal of both the internal macros and the linker script sections.

Checked on x86_64-linux-gnu, i686-linux-gnu, and aarch64-linux-gnu.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2023-03-07 | posix: Fix system blocks SIGCHLD erroneously [BZ #30163] | Adam Yi | 1 | -3/+3
Fix bug that SIGCHLD is erroneously blocked forever in the following scenario:

1. Thread A calls system but hasn't returned yet
2. Thread B calls another system but returns

SIGCHLD would be blocked forever in thread B after its system() returns, even after the system() in thread A returns.

Although POSIX does not require it, the glibc system implementation aims to be thread and cancellation safe. This bug was introduced in 5fb7fc96350575c9adb1316833e48ca11553be49 when we moved reverting the signal mask to happen when the last concurrently running system returns, despite the fact that the signal mask is per thread. This commit reverts this logic and adds a test.

Signed-off-by: Adam Yi <ayi@janestreet.com>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-01-06 | Update copyright dates with scripts/update-copyrights | Joseph Myers | 72 | -72/+72
2022-09-28 | get_nscd_addresses: Fix subscript typos [BZ #29605] | Jörg Sonnenberger | 1 | -3/+3
Fix the subscript on air->family, which was accidentally set to COUNT when it should have remained as I.

Resolves: BZ #29605

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-09-26 | Use atomic_exchange_release/acquire | Wilco Dijkstra | 1 | -2/+2
Rename atomic_exchange_rel/acq to use atomic_exchange_release/acquire since these map to the standard C11 atomic builtins.

Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2022-08-30 | posix: Fix macro expansion producing 'defined' has undefined behavior | Adhemerval Zanella | 1 | -3/+7
The NEED_CHECK_SPEC is defined as:

    #define NEED_CHECK_SPEC \
      (!defined _XBS5_ILP32_OFF32 || !defined _XBS5_ILP32_OFFBIG \
       || !defined _XBS5_LP64_OFF64 || !defined _XBS5_LPBIG_OFFBIG \
       || !defined _POSIX_V6_ILP32_OFF32 || !defined _POSIX_V6_ILP32_OFFBIG \
       || !defined _POSIX_V6_LP64_OFF64 || !defined _POSIX_V6_LPBIG_OFFBIG \
       || !defined _POSIX_V7_ILP32_OFF32 || !defined _POSIX_V7_ILP32_OFFBIG \
       || !defined _POSIX_V7_LP64_OFF64 || !defined _POSIX_V7_LPBIG_OFFBIG)

Which is undefined behavior according to the C Standard (Preprocessing directives, p4).

Checked on x86_64-linux-gnu.
2022-08-23 | Merge _GL_UNUSED C23 patch from Gnulib | Paul Eggert | 1 | -2/+2
* posix/getopt.c (_getopt_initialize):
* sysdeps/posix/tempname.c (try_dir, try_nocreate):
Put _GL_UNUSED before args instead of after.
This makes no difference for glibc. It is needed for Gnulib when being compiled on non-GCC C23 compilers.
2022-08-03 | stdio: Clean up __libc_message after unconditional abort | Florian Weimer | 1 | -26/+21
Since commit ec2c1fcefb200c6cb7e09553f3c6af8815013d83 ("malloc: Abort on heap corruption, without a backtrace [BZ #21754]"), __libc_message always terminates the process. Since commit a289ea09ea843ced6e5277c2f2e63c357bc7f9a3 ("Do not print backtraces on fatal glibc errors"), the backtrace facility has been removed. Therefore, remove enum __libc_message_action and the action argument of __libc_message, and mark __libc_message as _No_return.

Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2022-06-30 | Refactor internal-signals.h | Adhemerval Zanella | 1 | -1/+1
The main drive is to optimize the internal usage and required size when sigset_t is embedded in other data structures. On Linux, the current supported signal set requires up to 8 bytes (16 on mips), which is lower than the user defined sigset_t (128 bytes).

A new internal type internal_sigset_t is added, along with the functions to operate on it similar to the ones for sigset_t. The internal-signals.h is also refactored to remove unused functions.

Besides small stack usage on some functions (posix_spawn, abort) it lowers the struct pthread by about 120 bytes (112 on mips).

Checked on x86_64-linux-gnu.

Reviewed-by: Arjun Shankar <arjun@redhat.com>
2022-06-01 | socket: Use 64 bit stat for isfdtype (BZ# 29209) | Adhemerval Zanella | 1 | -2/+2
This is a missing spot initially from 52a5fe70a2c77935. Checked on i686-linux-gnu.
2022-06-01 | posix: Use 64 bit stat for fpathconf (_PC_ASYNC_IO) (BZ# 29208) | Adhemerval Zanella | 1 | -2/+2
This is a missing spot initially from 52a5fe70a2c77935. Checked on i686-linux-gnu.
2022-06-01 | posix: Use 64 bit stat for posix_fallocate fallback (BZ# 29207) | Adhemerval Zanella | 2 | -4/+4
This is a missing spot initially from 52a5fe70a2c77935. Checked on i686-linux-gnu.
2022-03-23 | gmon: Remove unused sprofil.c functions | Adhemerval Zanella | 1 | -12/+0
2022-03-23 | getaddrinfo: Refactor code for readability | Siddhesh Poyarekar | 1 | -12/+33
The close_retry goto jump is confusing and clumsy to read, so refactor the code a bit to make it easier to follow.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22 | gai_init: Avoid jumping from if condition to its else counterpart | Siddhesh Poyarekar | 1 | -250/+248
Clean up another antipattern where code flows from an if condition to its else counterpart with a goto. Most of the change in this patch is whitespace-only; a `git diff -b` ought to show the actual logic changes.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22 | gaiconf_init: Refactor some bits for readability | Siddhesh Poyarekar | 1 | -65/+84
Split out line processing for `label`, `precedence` and `scopev4` into separate functions instead of the gotos.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22 | gethosts: Return EAI_MEMORY on allocation failure | Siddhesh Poyarekar | 1 | -2/+2
All other cases of failures due to lack of memory return EAI_MEMORY, so it seems wrong to return EAI_SYSTEM here. The only reason convert_hostent_to_gaih_addrtuple could fail is on calloc failure.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22 | gaih_inet: Split result generation into its own function | Siddhesh Poyarekar | 1 | -90/+86
Simplify the loop a wee bit and clean up variable names too.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22 | gaih_inet: split loopback lookup into its own function | Siddhesh Poyarekar | 1 | -65/+62
Flatten the condition nesting and replace the alloca for RET.AT/ATR with a single array LOCAL_AT[2]. This gets rid of alloca and alloca accounting.

`git diff -b` is probably the best way to view this change since much of the diff is whitespace changes.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22 | gaih_inet: make gethosts into a function | Siddhesh Poyarekar | 1 | -58/+59
The macro is quite a pain to debug, so make gethosts into a function to make it easier to maintain.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22 | gaih_inet: separate nss lookup loop into its own function | Siddhesh Poyarekar | 1 | -277/+286
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22 | gaih_inet: Split nscd lookup code into its own function. | Siddhesh Poyarekar | 1 | -114/+134
Add a new member got_ipv6 to indicate if the results have an IPv6 result and use it instead of the local got_ipv6.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22 | gaih_inet: Split simple gethostbyname into its own function | Siddhesh Poyarekar | 1 | -63/+64
Add a free_at flag in gaih_result to indicate if res.at needs to be freed by the caller.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22 | gaih_inet: make numeric lookup a separate routine | Siddhesh Poyarekar | 1 | -439/+452
Introduce the gaih_result structure and general paradigm for cleanups that follow to process the lookup request and return a result. A lookup function (like text_to_binary_address), should return an integer error code and set members of gaih_result based on what it finds. If the function does not have a result and no errors have occurred during the lookup, it should return 0 and res.at should be set to NULL, allowing a subsequent function to do the lookup until we run out of options.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22 | gaih_inet: Simplify service resolution | Siddhesh Poyarekar | 1 | -100/+78
Refactor the code to split out the service resolution code into a separate function. Allocate the service tuples array just once to the size of the typeproto array, thus avoiding the unnecessary pointer chasing and stack allocations.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22 | getaddrinfo: Fix leak with AI_ALL [BZ #28852] | Siddhesh Poyarekar | 1 | -9/+25
Use realloc in convert_hostent_to_gaih_addrtuple and fix up pointers in the result list so that a single block is maintained for hostbyname3_r/hostbyname2_r and freed in gaih_inet. This result is never merged with any other results, since the hosts database does not permit merging.

Resolves BZ #28852.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22 | gaih_inet: Simplify canon name resolution | Siddhesh Poyarekar | 1 | -55/+75
Simplify logic for allocation of canon to remove the canonbuf variable; canon now always points to an allocated block. Also pull the canon name set into a separate function.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22 | Simplify allocations and fix merge and continue actions [BZ #28931] | Siddhesh Poyarekar | 1 | -52/+91
Allocations for address tuples is currently a bit confusing because of the pointer chasing through PAT, making it hard to observe the sequence in which allocations have been made. Narrow scope of the pointer chasing through PAT so that it is only used where necessary.

This also tightens actions behaviour with the hosts database in getaddrinfo to comply with the manual text. The "continue" action discards previous results and the "merge" action results in an immediate lookup failure. Consequently, chaining of allocations across modules is no longer necessary, thus opening up cleanup opportunities.

A test has been added that checks some combinations to ensure that they work correctly.

Resolves: BZ #28931

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: DJ Delorie <dj@redhat.com>
2022-01-24 | getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999) | Siddhesh Poyarekar | 1 | -0/+7
No valid path returned by getcwd would fit into 1 byte, so reject the size early and return NULL with errno set to ERANGE. This change is prompted by CVE-2021-3999, which describes a single byte buffer underflow and overflow when all of the following conditions are met:

- The buffer size (i.e. the second argument of getcwd) is 1 byte
- The current working directory is too long
- '/' is also mounted on the current working directory

Sequence of events:

- In sysdeps/unix/sysv/linux/getcwd.c, the syscall returns ENAMETOOLONG because the linux kernel checks for name length before it checks buffer size
- The code falls back to the generic getcwd in sysdeps/posix
- In the generic func, the buf[0] is set to '\0' on line 250
- this while loop on line 262 is bypassed:

    while (!(thisdev == rootdev && thisino == rootino))

  since the rootfs (/) is bind mounted onto the directory and the flow goes on to line 449, where it puts a '/' in the byte before the buffer.
- Finally on line 458, it moves 2 bytes (the underflowed byte and the '\0') to the buf[0] and buf[1], resulting in a 1 byte buffer overflow.
- buf is returned on line 469 and errno is not set.

This resolves BZ #28769.

Reviewed-by: Andreas Schwab <schwab@linux-m68k.org>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Signed-off-by: Qualys Security Advisory <qsa@qualys.com>
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-15 | hurd: Fix timer/clock_getres crash on NULL res parameter | Samuel Thibault | 1 | -2/+5
POSIX allows res to be NULL.
2022-01-01 | Update copyright dates with scripts/update-copyrights | Paul Eggert | 72 | -72/+72
I used these shell commands:

    ../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright
    (cd ../glibc && git commit -am"[this commit message]")

and then ignored the output, which consisted of lines saying "FOO: warning: copyright statement not found" for each of 7061 files FOO.

I then removed trailing white space from math/tgmath.h, support/tst-support-open-dev-null-range.c, and sysdeps/x86_64/multiarch/strlen-vec.S, to work around the following obscure pre-commit check failure diagnostics from Savannah. I don't know why I run into these diagnostics whereas others evidently do not.

    remote: *** 912-#endif
    remote: *** 913:
    remote: *** 914-
    remote: *** error: lines with trailing whitespace found
    ...
    remote: *** error: sysdeps/unix/sysv/linux/statx_cp.c: trailing lines
2021-09-27 | posix: Remove spawni.c | Adhemerval Zanella | 1 | -343/+0
Although it provides an alternate implementation that communicates using pipe() instead of shared memory, no port uses it and it adds extra burden for posix_spawn() extensions.

Reviewed-by: Florian Weimer <fweimer@redhat.com>