From adba20cf74bc6ea3910afe57d40ed755c92c2ddb Mon Sep 17 00:00:00 2001 From: Stefan Liebler Date: Thu, 3 Mar 2016 08:24:18 +0100 Subject: S390: Do not use direct socket syscalls if build on kernels >= 4.3. [BZ #19682] Beginning with Linux 4.3, the kernel headers contain direct system call numbers __NR_socket etc. on s390x. On older kernels, the socket-multiplexer syscall __NR_socketcall was used. To enable these new syscalls, the patch "S390: Call direct system calls for socket operations." (https://sourceware.org/git/?p=glibc.git;a=commit;h=016495b818cb61df7d0d10e6db54074271b3e3a5) was applied upstream. If glibc 2.23 is configured with --enable-kernel=4.3 and newer, the direct socket syscalls are used. For older kernels, the socket-multiplexer syscall is used instead. In glibc 2.22 and earlier, this patch is not applied. If you build glibc on a kernel < 4.3, the socket-multiplexer syscall is used. But if you build glibc on kernel >= 4.3, the direct socket-syscalls are used. If you install this glibc on a kernel < 4.3, all socket operations will fail. See "Bug 19682 - s390x: Incorrect syscall definitions cause breakage with Linux 4.3 headers" (https://sourceware.org/bugzilla/show_bug.cgi?id=19682) The configure switch --enable-kernel does not influence this behaviour on older glibc-releases. The solution is to remove the direct socket-syscalls in sysdeps/unix/sysv/linux/s390/s390-64/syscalls.list (this patch) on older glibc-releases as it was done by the upstream patch, too. These entries were never used on s390x, but the c-files in sysdeps/unix/sysv/linux/. After this removal, the behaviour of the socket functions are not changed compared to the original glibc release version and the socket-multiplexer-syscall is always used. --- ChangeLog | 6 ++++++ NEWS | 2 +- sysdeps/unix/sysv/linux/s390/s390-64/syscalls.list | 19 ------------------- 3 files changed, 7 insertions(+), 20 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4d4905b..13634d7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2016-03-02 Stefan Liebler + + [BZ #19682] + * sysdeps/unix/sysv/linux/s390/s390-64/syscalls.list: + Remove socketcall syscalls. + 2016-02-25 Carlos O'Donell [BZ #18665] diff --git a/NEWS b/NEWS index 53cf5a4..4aed159 100644 --- a/NEWS +++ b/NEWS @@ -10,7 +10,7 @@ Version 2.20.1 * The following bugs are resolved with this release: 16009, 16617, 16618, 17266, 17269, 17370, 17371, 17460, 17485, 17555, - 17625, 17630, 17801, 18032, 18665, 18694, 18928, 19018. + 17625, 17630, 17801, 18032, 18665, 18694, 18928, 19018, 19682. * A stack-based buffer overflow was found in libresolv when invoked from libnss_dns, allowing specially crafted DNS responses to seize control diff --git a/sysdeps/unix/sysv/linux/s390/s390-64/syscalls.list b/sysdeps/unix/sysv/linux/s390/s390-64/syscalls.list index 5b8c102..9f03d26 100644 --- a/sysdeps/unix/sysv/linux/s390/s390-64/syscalls.list +++ b/sysdeps/unix/sysv/linux/s390/s390-64/syscalls.list @@ -12,22 +12,3 @@ shmget - shmget i:iii __shmget shmget semop - semop i:ipi __semop semop semget - semget i:iii __semget semget semctl - semctl i:iiii __semctl semctl - -# proper socket implementations: -accept - accept Ci:iBN __libc_accept __accept accept -bind - bind i:ipi __bind bind -connect - connect Ci:ipi __libc_connect __connect connect -getpeername - getpeername i:ipp __getpeername getpeername -getsockname - getsockname i:ipp __getsockname getsockname -getsockopt - getsockopt i:iiiBN __getsockopt getsockopt -listen - listen i:ii __listen listen -recv - recv Ci:ibni __libc_recv __recv recv -recvfrom - recvfrom Ci:ibniBN __libc_recvfrom __recvfrom recvfrom -recvmsg - recvmsg Ci:ipi __libc_recvmsg __recvmsg recvmsg -send - send Ci:ibni __libc_send __send send -sendmsg - sendmsg Ci:ipi __libc_sendmsg __sendmsg sendmsg -sendto - sendto Ci:ibnibn __libc_sendto __sendto sendto -setsockopt - setsockopt i:iiibn __setsockopt setsockopt -shutdown - shutdown i:ii __shutdown shutdown -socket - socket i:iii __socket socket -socketpair - socketpair i:iiif __socketpair socketpair -- cgit v1.1 From 7af8c37714ece3f02716f17e59631ada0c0ee0d9 Mon Sep 17 00:00:00 2001 From: Stefan Liebler Date: Mon, 4 Apr 2016 13:20:26 +0200 Subject: S390: Add hwcaps value for vector facility. The HWCAP_S390_VX flag in hwcap field of auxiliary vector indicates if the vector facility is available and the kernel is aware of it. This can be tested with LD_SHOW_AUXV=1 . Currently it does not show te, because it was not incremented by commit "S/390: Add hwcap value for transactional execution.". Thus _DL_HWCAP_COUNT is incremented by two. ChangeLog: * sysdeps/s390/dl-procinfo.c (_dl_s390_platforms): Add vector flag. * sysdeps/s390/dl-procinfo.h: Add vector capability. * sysdeps/unix/sysv/linux/s390/bits/hwcap.h (HWCAP_S390_VX): Define. (cherry picked from commit 4e28fa80886c71e6aaf85016b82ce981c0f12e6d) --- ChangeLog | 6 ++++++ sysdeps/s390/dl-procinfo.c | 4 ++-- sysdeps/s390/dl-procinfo.h | 3 ++- sysdeps/unix/sysv/linux/s390/bits/hwcap.h | 1 + 4 files changed, 11 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 13634d7..729a7f6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2016-04-04 Stefan Liebler + + * sysdeps/s390/dl-procinfo.c (_dl_s390_platforms): Add vector flag. + * sysdeps/s390/dl-procinfo.h: Add vector capability. + * sysdeps/unix/sysv/linux/s390/bits/hwcap.h (HWCAP_S390_VX): Define. + 2016-03-02 Stefan Liebler [BZ #19682] diff --git a/sysdeps/s390/dl-procinfo.c b/sysdeps/s390/dl-procinfo.c index 89f8ebe..73c7ff9 100644 --- a/sysdeps/s390/dl-procinfo.c +++ b/sysdeps/s390/dl-procinfo.c @@ -46,11 +46,11 @@ #if !defined PROCINFO_DECL && defined SHARED ._dl_s390_cap_flags #else -PROCINFO_CLASS const char _dl_s390_cap_flags[11][9] +PROCINFO_CLASS const char _dl_s390_cap_flags[12][9] #endif #ifndef PROCINFO_DECL = { - "esan3", "zarch", "stfle", "msa", "ldisp", "eimm", "dfp", "edat", "etf3eh", "highgprs", "te" + "esan3", "zarch", "stfle", "msa", "ldisp", "eimm", "dfp", "edat", "etf3eh", "highgprs", "te", "vx" } #endif #if !defined SHARED || defined PROCINFO_DECL diff --git a/sysdeps/s390/dl-procinfo.h b/sysdeps/s390/dl-procinfo.h index 65322db..382cd7a 100644 --- a/sysdeps/s390/dl-procinfo.h +++ b/sysdeps/s390/dl-procinfo.h @@ -21,7 +21,7 @@ #define _DL_PROCINFO_H 1 #include -#define _DL_HWCAP_COUNT 10 +#define _DL_HWCAP_COUNT 12 #define _DL_PLATFORMS_COUNT 5 @@ -50,6 +50,7 @@ enum HWCAP_S390_ETF3EH = 1 << 8, HWCAP_S390_HIGH_GPRS = 1 << 9, HWCAP_S390_TE = 1 << 10, + HWCAP_S390_VX = 1 << 11, }; #define HWCAP_IMPORTANT (HWCAP_S390_ZARCH | HWCAP_S390_LDISP \ diff --git a/sysdeps/unix/sysv/linux/s390/bits/hwcap.h b/sysdeps/unix/sysv/linux/s390/bits/hwcap.h index f4659fc..f1f4688 100644 --- a/sysdeps/unix/sysv/linux/s390/bits/hwcap.h +++ b/sysdeps/unix/sysv/linux/s390/bits/hwcap.h @@ -35,3 +35,4 @@ #define HWCAP_S390_ETF3EH 256 #define HWCAP_S390_HIGH_GPRS 512 #define HWCAP_S390_TE 1024 +#define HWCAP_S390_VX 2048 -- cgit v1.1 From 66cdb5b20df45c4eb28ab27ebcfb67ef023338e3 Mon Sep 17 00:00:00 2001 From: Stefan Liebler Date: Mon, 4 Apr 2016 13:20:26 +0200 Subject: S390: Add new s390 platform. The new IBM z13 is added to platform string array. The macro _DL_PLATFORMS_COUNT is incremented to 8, because it was not incremented by commit "S/390: Sync AUXV capabilities and archs with kernel". ChangeLog: * sysdeps/s390/dl-procinfo.c (_dl_s390_cap_flags): Add z13. * sysdeps/s390/dl-procinfo.h (_DL_PLATFORMS_COUNT): Increased. (cherry picked from commit a1b0488fc9df3d895a2e5eefbcd348d3f7fe0e52) --- ChangeLog | 5 +++++ sysdeps/s390/dl-procinfo.c | 4 ++-- sysdeps/s390/dl-procinfo.h | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 729a7f6..3ecc89b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,10 @@ 2016-04-04 Stefan Liebler + * sysdeps/s390/dl-procinfo.c (_dl_s390_cap_flags): Add z13. + * sysdeps/s390/dl-procinfo.h (_DL_PLATFORMS_COUNT): Increased. + +2016-04-04 Stefan Liebler + * sysdeps/s390/dl-procinfo.c (_dl_s390_platforms): Add vector flag. * sysdeps/s390/dl-procinfo.h: Add vector capability. * sysdeps/unix/sysv/linux/s390/bits/hwcap.h (HWCAP_S390_VX): Define. diff --git a/sysdeps/s390/dl-procinfo.c b/sysdeps/s390/dl-procinfo.c index 73c7ff9..aef2ba5 100644 --- a/sysdeps/s390/dl-procinfo.c +++ b/sysdeps/s390/dl-procinfo.c @@ -62,11 +62,11 @@ PROCINFO_CLASS const char _dl_s390_cap_flags[12][9] #if !defined PROCINFO_DECL && defined SHARED ._dl_s390_platforms #else -PROCINFO_CLASS const char _dl_s390_platforms[7][7] +PROCINFO_CLASS const char _dl_s390_platforms[8][7] #endif #ifndef PROCINFO_DECL = { - "g5", "z900", "z990", "z9-109", "z10", "z196", "zEC12" + "g5", "z900", "z990", "z9-109", "z10", "z196", "zEC12", "z13" } #endif #if !defined SHARED || defined PROCINFO_DECL diff --git a/sysdeps/s390/dl-procinfo.h b/sysdeps/s390/dl-procinfo.h index 382cd7a..9ba0f63 100644 --- a/sysdeps/s390/dl-procinfo.h +++ b/sysdeps/s390/dl-procinfo.h @@ -23,7 +23,7 @@ #define _DL_HWCAP_COUNT 12 -#define _DL_PLATFORMS_COUNT 5 +#define _DL_PLATFORMS_COUNT 8 /* The kernel provides up to 32 capability bits with elf_hwcap. */ #define _DL_FIRST_PLATFORM 32 -- cgit v1.1 From 3058f7487e5b98f7af0219f77464294000c84bf0 Mon Sep 17 00:00:00 2001 From: Stefan Liebler Date: Mon, 4 Apr 2016 13:20:26 +0200 Subject: S390: configure check for vector instruction support in assembler. The S390 specific test checks if the assembler has support for the new z13 vector instructions by compiling a vector instruction. The .machine and .machinemode directives are needed to compile the vector instruction without -march=z13 option on 31/64 bit. On success the macro HAVE_S390_VX_ASM_SUPPORT is defined. This macro is used to determine if the optimized functions can be build without compile errors. If the used assembler lacks vector support, then a warning is dumped while configuring and only the common code functions are build. The z13 instruction support was introduced in "[Committed] S/390: Add support for IBM z13." (https://sourceware.org/ml/binutils/2015-01/msg00197.html) ChangeLog: * config.h.in (HAVE_S390_VX_ASM_SUPPORT): New macro undefine. * sysdeps/s390/configure.ac: Add test for S390 vector instruction assembler support. * sysdeps/s390/configure: Regenerated. (cherry picked from commit 4f0a1cea34c05fb2acc16f1a2d291f53230eb4fb) --- ChangeLog | 7 +++++++ config.h.in | 3 +++ sysdeps/s390/configure | 41 +++++++++++++++++++++++++++++++++++++++++ sysdeps/s390/configure.ac | 29 +++++++++++++++++++++++++++++ 4 files changed, 80 insertions(+) diff --git a/ChangeLog b/ChangeLog index 3ecc89b..c68136c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,12 @@ 2016-04-04 Stefan Liebler + * config.h.in (HAVE_S390_VX_ASM_SUPPORT): New macro undefine. + * sysdeps/s390/configure.ac: Add test for S390 vector instruction + assembler support. + * sysdeps/s390/configure: Regenerated. + +2016-04-04 Stefan Liebler + * sysdeps/s390/dl-procinfo.c (_dl_s390_cap_flags): Add z13. * sysdeps/s390/dl-procinfo.h (_DL_PLATFORMS_COUNT): Increased. diff --git a/config.h.in b/config.h.in index 7da1a9f..2b98d4a 100644 --- a/config.h.in +++ b/config.h.in @@ -97,6 +97,9 @@ /* Define if assembler supports AVX512. */ #undef HAVE_AVX512_ASM_SUPPORT +/* Define if assembler supports vector instructions on S390. */ +#undef HAVE_S390_VX_ASM_SUPPORT + /* Define if assembler supports Intel MPX. */ #undef HAVE_MPX_SUPPORT diff --git a/sysdeps/s390/configure b/sysdeps/s390/configure index 6948cc2..9e182f7 100644 --- a/sysdeps/s390/configure +++ b/sysdeps/s390/configure @@ -104,5 +104,46 @@ if test "$enable_lock_elision" = yes && test "$libc_cv_gcc_builtin_tbegin" = no critic_missing="$critic_missing The used GCC has no support for __builtin_tbegin, which is needed for lock-elision on target S390." fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for S390 vector instruction support" >&5 +$as_echo_n "checking for S390 vector instruction support... " >&6; } +if ${libc_cv_asm_s390_vx+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat > conftest.c <<\EOF +void testvecinsn () +{ + __asm__ (".machine \"z13\" \n\t" + ".machinemode \"zarch_nohighgprs\" \n\t" + "vistrbs %%v16,%%v17 \n\t" + "locghie %%r1,0" : :); +} +EOF +if { ac_try='${CC-cc} --shared conftest.c -o conftest.o &> /dev/null' + { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5 + (eval $ac_try) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; } ; +then + libc_cv_asm_s390_vx=yes +else + libc_cv_asm_s390_vx=no +fi +rm -f conftest* +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_asm_s390_vx" >&5 +$as_echo "$libc_cv_asm_s390_vx" >&6; } + +if test "$libc_cv_asm_s390_vx" = yes ; +then + $as_echo "#define HAVE_S390_VX_ASM_SUPPORT 1" >>confdefs.h + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Use binutils with vector-support in order to use optimized implementations." >&5 +$as_echo "$as_me: WARNING: Use binutils with vector-support in order to use optimized implementations." >&2;} +fi + + test -n "$critic_missing" && as_fn_error $? " *** $critic_missing" "$LINENO" 5 diff --git a/sysdeps/s390/configure.ac b/sysdeps/s390/configure.ac index 493e9a4..4da134e 100644 --- a/sysdeps/s390/configure.ac +++ b/sysdeps/s390/configure.ac @@ -36,5 +36,34 @@ if test "$enable_lock_elision" = yes && test "$libc_cv_gcc_builtin_tbegin" = no critic_missing="$critic_missing The used GCC has no support for __builtin_tbegin, which is needed for lock-elision on target S390." fi + +AC_CACHE_CHECK(for S390 vector instruction support, libc_cv_asm_s390_vx, [dnl +cat > conftest.c <<\EOF +void testvecinsn () +{ + __asm__ (".machine \"z13\" \n\t" + ".machinemode \"zarch_nohighgprs\" \n\t" + "vistrbs %%v16,%%v17 \n\t" + "locghie %%r1,0" : :); +} +EOF +dnl +dnl test, if assembler supports S390 vector instructions +if AC_TRY_COMMAND([${CC-cc} --shared conftest.c -o conftest.o &> /dev/null]) ; +then + libc_cv_asm_s390_vx=yes +else + libc_cv_asm_s390_vx=no +fi +rm -f conftest* ]) + +if test "$libc_cv_asm_s390_vx" = yes ; +then + AC_DEFINE(HAVE_S390_VX_ASM_SUPPORT) +else + AC_MSG_WARN([Use binutils with vector-support in order to use optimized implementations.]) +fi + + test -n "$critic_missing" && AC_MSG_ERROR([ *** $critic_missing]) -- cgit v1.1 From 4b7ba5b8c4722d610862744c619bcaa5ad655385 Mon Sep 17 00:00:00 2001 From: Stefan Liebler Date: Mon, 4 Apr 2016 13:20:27 +0200 Subject: S390: Save and restore fprs/vrs while resolving symbols. On s390, no fpr/vrs were saved while resolving a symbol via _dl_runtime_resolve/_dl_runtime_profile. According to the abi, the fpr-arguments are defined as call clobbered. In leaf-functions, gcc 4.9 and newer can use fprs for saving/restoring gprs instead of saving them to the stack. If gcc do this in one of the resolver-functions, then the floating point arguments of a library-function are invalid for the first library-function-call. Thus, this patch saves/restores the fprs around the resolving code. The same could occur for vector registers. Furthermore an ifunc-resolver could also clobber the vector/floating point argument registers. Thus this patch provides the further variants _dl_runtime_resolve_vx/ _dl_runtime_profile_vx, which are used if the kernel claims, that we run on a machine with vector registers. Furthermore, if _dl_runtime_profile calls _dl_call_pltexit, the pointers to inregs-/outregs-structs were setup invalid. Now they point to the correct location in the stack-frame. Before branching back to the caller, the return values are now restored instead of containing the return values of the _dl_call_pltexit() call. On s390-32, an endless loop occurs if _dl_call_pltexit() should be called. Now, this code-path branches to this function instead of just after the preceding basr-instruction. ChangeLog: * sysdeps/s390/s390-32/dl-trampoline.S: Include dl-trampoline.h twice to create a non-vector/vector version for _dl_runtime_resolve and _dl_runtime_profile. Move implementation to ... * sysdeps/s390/s390-32/dl-trampoline.h: ... here. (_dl_runtime_resolve) Save and restore fpr/vrs. (_dl_runtime_profile) Save and restore vrs and fix some issues if _dl_call_pltexit is called. * sysdeps/s390/s390-32/dl-machine.h (elf_machine_runtime_setup): Choose the correct resolver function if running on a machine with vx. * sysdeps/s390/s390-64/dl-trampoline.S: Include dl-trampoline.h twice to create a non-vector/vector version for _dl_runtime_resolve and _dl_runtime_profile. Move implementation to ... * sysdeps/s390/s390-64/dl-trampoline.h: ... here. (_dl_runtime_resolve) Save and restore fpr/vrs. (_dl_runtime_profile) Save and restore vrs and fix some issues * sysdeps/s390/s390-64/dl-machine.h: (elf_machine_runtime_setup): Choose the correct resolver function if running on a machine with vx. (cherry picked from commit 4603c51ef7989d7eb800cdd6f42aab206f891077 and commit d8a012c5c9e4bfc1b8db2bc6deacb85b44a2e1eb) --- ChangeLog | 20 ++++ sysdeps/s390/s390-32/dl-machine.h | 27 ++++- sysdeps/s390/s390-32/dl-trampoline.S | 134 ++-------------------- sysdeps/s390/s390-32/dl-trampoline.h | 215 +++++++++++++++++++++++++++++++++++ sysdeps/s390/s390-64/dl-machine.h | 27 ++++- sysdeps/s390/s390-64/dl-trampoline.S | 130 ++------------------- sysdeps/s390/s390-64/dl-trampoline.h | 211 ++++++++++++++++++++++++++++++++++ 7 files changed, 516 insertions(+), 248 deletions(-) create mode 100644 sysdeps/s390/s390-32/dl-trampoline.h create mode 100644 sysdeps/s390/s390-64/dl-trampoline.h diff --git a/ChangeLog b/ChangeLog index c68136c..bcacb57 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,25 @@ 2016-04-04 Stefan Liebler + * sysdeps/s390/s390-32/dl-trampoline.S: Include dl-trampoline.h twice + to create a non-vector/vector version for _dl_runtime_resolve and + _dl_runtime_profile. Move implementation to ... + * sysdeps/s390/s390-32/dl-trampoline.h: ... here. + (_dl_runtime_resolve) Save and restore fpr/vrs. + (_dl_runtime_profile) Save and restore vrs and fix some issues + if _dl_call_pltexit is called. + * sysdeps/s390/s390-32/dl-machine.h (elf_machine_runtime_setup): + Choose the correct resolver function if running on a machine with vx. + * sysdeps/s390/s390-64/dl-trampoline.S: Include dl-trampoline.h twice + to create a non-vector/vector version for _dl_runtime_resolve and + _dl_runtime_profile. Move implementation to ... + * sysdeps/s390/s390-64/dl-trampoline.h: ... here. + (_dl_runtime_resolve) Save and restore fpr/vrs. + (_dl_runtime_profile) Save and restore vrs and fix some issues + * sysdeps/s390/s390-64/dl-machine.h: (elf_machine_runtime_setup): + Choose the correct resolver function if running on a machine with vx. + +2016-04-04 Stefan Liebler + * config.h.in (HAVE_S390_VX_ASM_SUPPORT): New macro undefine. * sysdeps/s390/configure.ac: Add test for S390 vector instruction assembler support. diff --git a/sysdeps/s390/s390-32/dl-machine.h b/sysdeps/s390/s390-32/dl-machine.h index 527233b..4539592 100644 --- a/sysdeps/s390/s390-32/dl-machine.h +++ b/sysdeps/s390/s390-32/dl-machine.h @@ -89,6 +89,11 @@ elf_machine_runtime_setup (struct link_map *l, int lazy, int profile) { extern void _dl_runtime_resolve (Elf32_Word); extern void _dl_runtime_profile (Elf32_Word); +#if defined HAVE_S390_VX_ASM_SUPPORT + extern void _dl_runtime_resolve_vx (Elf32_Word); + extern void _dl_runtime_profile_vx (Elf32_Word); +#endif + if (l->l_info[DT_JMPREL] && lazy) { @@ -116,7 +121,14 @@ elf_machine_runtime_setup (struct link_map *l, int lazy, int profile) end in this function. */ if (__glibc_unlikely (profile)) { +#if defined HAVE_S390_VX_ASM_SUPPORT + if (GLRO(dl_hwcap) & HWCAP_S390_VX) + got[2] = (Elf32_Addr) &_dl_runtime_profile_vx; + else + got[2] = (Elf32_Addr) &_dl_runtime_profile; +#else got[2] = (Elf32_Addr) &_dl_runtime_profile; +#endif if (GLRO(dl_profile) != NULL && _dl_name_match_p (GLRO(dl_profile), l)) @@ -125,9 +137,18 @@ elf_machine_runtime_setup (struct link_map *l, int lazy, int profile) GL(dl_profile_map) = l; } else - /* This function will get called to fix up the GOT entry indicated by - the offset on the stack, and then jump to the resolved address. */ - got[2] = (Elf32_Addr) &_dl_runtime_resolve; + { + /* This function will get called to fix up the GOT entry indicated by + the offset on the stack, and then jump to the resolved address. */ +#if defined HAVE_S390_VX_ASM_SUPPORT + if (GLRO(dl_hwcap) & HWCAP_S390_VX) + got[2] = (Elf32_Addr) &_dl_runtime_resolve_vx; + else + got[2] = (Elf32_Addr) &_dl_runtime_resolve; +#else + got[2] = (Elf32_Addr) &_dl_runtime_resolve; +#endif + } } return lazy; diff --git a/sysdeps/s390/s390-32/dl-trampoline.S b/sysdeps/s390/s390-32/dl-trampoline.S index d3a8548..85e73d9 100644 --- a/sysdeps/s390/s390-32/dl-trampoline.S +++ b/sysdeps/s390/s390-32/dl-trampoline.S @@ -16,130 +16,18 @@ License along with the GNU C Library; if not, see . */ -/* This code is used in dl-runtime.c to call the `fixup' function - and then redirect to the address it returns. */ - -/* The PLT stubs will call _dl_runtime_resolve/_dl_runtime_profile - * with the following linkage: - * r2 - r6 : parameter registers - * f0, f2 : floating point parameter registers - * 24(r15), 28(r15) : PLT arguments PLT1, PLT2 - * 96(r15) : additional stack parameters - * The normal clobber rules for function calls apply: - * r0 - r5 : call clobbered - * r6 - r13 : call saved - * r14 : return address (call clobbered) - * r15 : stack pointer (call saved) - * f4, f6 : call saved - * f0 - f3, f5, f7 - f15 : call clobbered - */ - #include .text - .globl _dl_runtime_resolve - .type _dl_runtime_resolve, @function - cfi_startproc - .align 16 -_dl_runtime_resolve: - stm %r2,%r5,32(%r15) # save registers - st %r14,8(%r15) - cfi_offset (r14, -88) - lr %r0,%r15 # create stack frame - ahi %r15,-96 - cfi_adjust_cfa_offset (96) - st 0,0(%r15) - lm %r2,%r3,120(%r15) # load args saved by PLT - basr %r1,0 -0: l %r14,1f-0b(%r1) - bas %r14,0(%r14,%r1) # call resolver - lr %r1,%r2 # function addr returned in r2 - ahi %r15,96 # remove stack frame - cfi_adjust_cfa_offset (-96) - l %r14,8(15) # restore registers - lm %r2,%r5,32(%r15) - br %r1 -1: .long _dl_fixup - 0b - cfi_endproc - .size _dl_runtime_resolve, .-_dl_runtime_resolve - - -#ifndef PROF - .globl _dl_runtime_profile - .type _dl_runtime_profile, @function - cfi_startproc - .align 16 -_dl_runtime_profile: - stm %r2,%r6,32(%r15) # save registers - std %f0,56(%r15) - std %f2,64(%r15) - st %r6,8(%r15) - st %r12,12(%r15) - st %r14,16(%r15) - cfi_offset (r6, -64) - cfi_offset (f0, -40) - cfi_offset (f2, -32) - cfi_offset (r12, -84) - cfi_offset (r14, -80) - lr %r12,%r15 # create stack frame - cfi_def_cfa_register (12) - ahi %r15,-96 - st %r12,0(%r15) - lm %r2,%r3,24(%r12) # load arguments saved by PLT - lr %r4,%r14 # return address as third parameter - basr %r1,0 -0: l %r14,6f-0b(%r1) - la %r5,32(%r12) # pointer to struct La_s390_32_regs - la %r6,20(%r12) # long int * framesize - bas %r14,0(%r14,%r1) # call resolver - lr %r1,%r2 # function addr returned in r2 - icm %r0,15,20(%r12) # load & test framesize - jnm 2f - - lm %r2,%r6,32(%r12) - ld %f0,56(%r12) - ld %f2,64(%r12) - lr %r15,%r12 # remove stack frame - cfi_def_cfa_register (15) - l %r14,16(%r15) # restore registers - l %r12,12(%r15) - br %r1 # tail-call to the resolved function - - cfi_def_cfa_register (12) -2: jz 4f # framesize == 0 ? - ahi %r0,7 # align framesize to 8 - lhi %r2,-8 - nr %r0,%r2 - slr %r15,%r0 # make room for framesize bytes - st %r12,0(%r15) - la %r2,96(%r15) - la %r3,96(%r12) - srl %r0,3 -3: mvc 0(8,%r2),0(%r3) # copy additional parameters - la %r2,8(%r2) - la %r3,8(%r3) - brct %r0,3b -4: lm %r2,%r6,32(%r12) # load register parameters - ld %f0,56(%r12) - ld %f2,64(%r12) - basr %r14,%r1 # call resolved function - stm %r2,%r3,72(%r12) - std %f0,80(%r12) - lm %r2,%r3,24(%r12) # load arguments saved by PLT - basr %r1,0 -5: l %r14,7f-5b(%r1) - la %r4,32(%r12) # pointer to struct La_s390_32_regs - la %r5,72(%r12) # pointer to struct La_s390_32_retval - basr %r14,%r1 # call _dl_call_pltexit - - lr %r15,%r12 # remove stack frame - cfi_def_cfa_register (15) - l %r14,16(%r15) # restore registers - l %r12,12(%r15) - br %r14 - -6: .long _dl_profile_fixup - 0b -7: .long _dl_call_pltexit - 5b - cfi_endproc - .size _dl_runtime_profile, .-_dl_runtime_profile +/* Create variant of _dl_runtime_resolve/profile for machines before z13. + No vector registers are saved/restored. */ +#include + +#if defined HAVE_S390_VX_ASM_SUPPORT +/* Create variant of _dl_runtime_resolve/profile for z13 and newer. + The vector registers are saved/restored, too.*/ +# define _dl_runtime_resolve _dl_runtime_resolve_vx +# define _dl_runtime_profile _dl_runtime_profile_vx +# define RESTORE_VRS +# include #endif diff --git a/sysdeps/s390/s390-32/dl-trampoline.h b/sysdeps/s390/s390-32/dl-trampoline.h new file mode 100644 index 0000000..5627567 --- /dev/null +++ b/sysdeps/s390/s390-32/dl-trampoline.h @@ -0,0 +1,215 @@ +/* PLT trampolines. s390 version. + Copyright (C) 2016 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +/* This code is used in dl-runtime.c to call the `fixup' function + and then redirect to the address it returns. */ + +/* The PLT stubs will call _dl_runtime_resolve/_dl_runtime_profile + * with the following linkage: + * r2 - r6 : parameter registers + * f0, f2 : floating point parameter registers + * v24, v26, v28, v30, v25, v27, v29, v31 : vector parameter registers + * 24(r15), 28(r15) : PLT arguments PLT1, PLT2 + * 96(r15) : additional stack parameters + * The normal clobber rules for function calls apply: + * r0 - r5 : call clobbered + * r6 - r13 : call saved + * r14 : return address (call clobbered) + * r15 : stack pointer (call saved) + * f4, f6 : call saved + * f0 - f3, f5, f7 - f15 : call clobbered + * v0 - v3, v5, v7 - v15 : bytes 0-7 overlap with fprs: call clobbered + bytes 8-15: call clobbered + * v4, v6 : bytes 0-7 overlap with f4, f6: call saved + bytes 8-15: call clobbered + * v16 - v31 : call clobbered + */ + + + .globl _dl_runtime_resolve + .type _dl_runtime_resolve, @function + cfi_startproc + .align 16 +_dl_runtime_resolve: + stm %r2,%r5,32(%r15) # save registers + cfi_offset (r2, -64) + cfi_offset (r3, -60) + cfi_offset (r4, -56) + cfi_offset (r5, -52) + std %f0,56(%r15) + cfi_offset (f0, -40) + std %f2,64(%r15) + cfi_offset (f2, -32) + st %r14,8(%r15) + cfi_offset (r14, -88) + lr %r0,%r15 + lm %r2,%r3,24(%r15) # load args saved by PLT +#ifdef RESTORE_VRS + ahi %r15,-224 # create stack frame + cfi_adjust_cfa_offset (224) + .machine push + .machine "z13" + .machinemode "zarch_nohighgprs" + vstm %v24,%v31,96(%r15) # store call-clobbered vr arguments + cfi_offset (v24, -224) + cfi_offset (v25, -208) + cfi_offset (v26, -192) + cfi_offset (v27, -176) + cfi_offset (v28, -160) + cfi_offset (v29, -144) + cfi_offset (v30, -128) + cfi_offset (v31, -112) + .machine pop +#else + ahi %r15,-96 # create stack frame + cfi_adjust_cfa_offset (96) +#endif + st %r0,0(%r15) # write backchain + basr %r1,0 +0: l %r14,1f-0b(%r1) + bas %r14,0(%r14,%r1) # call _dl_fixup + lr %r1,%r2 # function addr returned in r2 +#ifdef RESTORE_VRS + .machine push + .machine "z13" + .machinemode "zarch_nohighgprs" + vlm %v24,%v31,96(%r15) # restore vector registers + .machine pop + ahi %r15,224 # remove stack frame + cfi_adjust_cfa_offset (-224) +#else + ahi %r15,96 # remove stack frame + cfi_adjust_cfa_offset (-96) +#endif + l %r14,8(15) # restore registers + ld %f0,56(%r15) + ld %f2,64(%r15) + lm %r2,%r5,32(%r15) + br %r1 +1: .long _dl_fixup - 0b + cfi_endproc + .size _dl_runtime_resolve, .-_dl_runtime_resolve + + +#ifndef PROF + .globl _dl_runtime_profile + .type _dl_runtime_profile, @function + cfi_startproc + .align 16 +_dl_runtime_profile: + stm %r2,%r6,32(%r15) # save registers + cfi_offset (r2, -64) # + r6 needed as arg for + cfi_offset (r3, -60) # _dl_profile_fixup + cfi_offset (r4, -56) + cfi_offset (r5, -52) + cfi_offset (r6, -48) + std %f0,56(%r15) + cfi_offset (f0, -40) + std %f2,64(%r15) + cfi_offset (f2, -32) + st %r12,12(%r15) # r12 is used as backup of r15 + cfi_offset (r12, -84) + st %r14,16(%r15) + cfi_offset (r14, -80) + lr %r12,%r15 # backup stack pointer + cfi_def_cfa_register (12) +#ifdef RESTORE_VRS + ahi %r15,-224 # create stack frame + .machine push + .machine "z13" + .machinemode "zarch_nohighgprs" + vstm %v24,%v31,96(%r15) # store call-clobbered vr arguments + cfi_offset (v24, -224) + cfi_offset (v25, -208) + cfi_offset (v26, -192) + cfi_offset (v27, -176) + cfi_offset (v28, -160) + cfi_offset (v29, -144) + cfi_offset (v30, -128) + cfi_offset (v31, -112) + .machine pop +#else + ahi %r15,-96 # create stack frame +#endif + st %r12,0(%r15) # save backchain + lm %r2,%r3,24(%r12) # load arguments saved by PLT + lr %r4,%r14 # return address as third parameter + basr %r1,0 +0: l %r14,6f-0b(%r1) + la %r5,32(%r12) # pointer to struct La_s390_32_regs + la %r6,20(%r12) # long int * framesize + bas %r14,0(%r14,%r1) # call resolver + lr %r1,%r2 # function addr returned in r2 + ld %f0,56(%r12) # restore call-clobbered arg fprs + ld %f2,64(%r12) +#ifdef RESTORE_VRS + .machine push + .machine "z13" + .machinemode "zarch_nohighgprs" + vlm %v24,%v31,96(%r15) # restore call-clobbered arg vrs + .machine pop +#endif + icm %r0,15,20(%r12) # load & test framesize + jnm 2f + + lm %r2,%r6,32(%r12) + lr %r15,%r12 # remove stack frame + cfi_def_cfa_register (15) + l %r14,16(%r15) # restore registers + l %r12,12(%r15) + br %r1 # tail-call to the resolved function + + cfi_def_cfa_register (12) +2: jz 4f # framesize == 0 ? + ahi %r0,7 # align framesize to 8 + lhi %r2,-8 + nr %r0,%r2 + slr %r15,%r0 # make room for framesize bytes + st %r12,0(%r15) # save backchain + la %r2,96(%r15) + la %r3,96(%r12) + srl %r0,3 +3: mvc 0(8,%r2),0(%r3) # copy additional parameters + la %r2,8(%r2) + la %r3,8(%r3) + brct %r0,3b +4: lm %r2,%r6,32(%r12) # load register parameters + basr %r14,%r1 # call resolved function + stm %r2,%r3,72(%r12) # store return values r2, r3, f0 + std %f0,80(%r12) # to struct La_s390_32_retval + lm %r2,%r3,24(%r12) # load arguments saved by PLT + basr %r1,0 +5: l %r14,7f-5b(%r1) + la %r4,32(%r12) # pointer to struct La_s390_32_regs + la %r5,72(%r12) # pointer to struct La_s390_32_retval + bas %r14,0(%r14,%r1) # call _dl_call_pltexit + + lr %r15,%r12 # remove stack frame + cfi_def_cfa_register (15) + l %r14,16(%r15) # restore registers + l %r12,12(%r15) + l %r2,72(%r15) # restore return values + l %r3,76(%r15) + ld %f0,80(%r15) + br %r14 + +6: .long _dl_profile_fixup - 0b +7: .long _dl_call_pltexit - 5b + cfi_endproc + .size _dl_runtime_profile, .-_dl_runtime_profile +#endif diff --git a/sysdeps/s390/s390-64/dl-machine.h b/sysdeps/s390/s390-64/dl-machine.h index e48d355..c65c850 100644 --- a/sysdeps/s390/s390-64/dl-machine.h +++ b/sysdeps/s390/s390-64/dl-machine.h @@ -26,6 +26,7 @@ #include #include #include +#include #include #define ELF_MACHINE_IRELATIVE R_390_IRELATIVE @@ -78,6 +79,10 @@ elf_machine_runtime_setup (struct link_map *l, int lazy, int profile) { extern void _dl_runtime_resolve (Elf64_Word); extern void _dl_runtime_profile (Elf64_Word); +#if defined HAVE_S390_VX_ASM_SUPPORT + extern void _dl_runtime_resolve_vx (Elf64_Word); + extern void _dl_runtime_profile_vx (Elf64_Word); +#endif if (l->l_info[DT_JMPREL] && lazy) { @@ -105,7 +110,14 @@ elf_machine_runtime_setup (struct link_map *l, int lazy, int profile) end in this function. */ if (__glibc_unlikely (profile)) { +#if defined HAVE_S390_VX_ASM_SUPPORT + if (GLRO(dl_hwcap) & HWCAP_S390_VX) + got[2] = (Elf64_Addr) &_dl_runtime_profile_vx; + else + got[2] = (Elf64_Addr) &_dl_runtime_profile; +#else got[2] = (Elf64_Addr) &_dl_runtime_profile; +#endif if (GLRO(dl_profile) != NULL && _dl_name_match_p (GLRO(dl_profile), l)) @@ -114,9 +126,18 @@ elf_machine_runtime_setup (struct link_map *l, int lazy, int profile) GL(dl_profile_map) = l; } else - /* This function will get called to fix up the GOT entry indicated by - the offset on the stack, and then jump to the resolved address. */ - got[2] = (Elf64_Addr) &_dl_runtime_resolve; + { + /* This function will get called to fix up the GOT entry indicated by + the offset on the stack, and then jump to the resolved address. */ +#if defined HAVE_S390_VX_ASM_SUPPORT + if (GLRO(dl_hwcap) & HWCAP_S390_VX) + got[2] = (Elf64_Addr) &_dl_runtime_resolve_vx; + else + got[2] = (Elf64_Addr) &_dl_runtime_resolve; +#else + got[2] = (Elf64_Addr) &_dl_runtime_resolve; +#endif + } } return lazy; diff --git a/sysdeps/s390/s390-64/dl-trampoline.S b/sysdeps/s390/s390-64/dl-trampoline.S index 87c6d50..f089266 100644 --- a/sysdeps/s390/s390-64/dl-trampoline.S +++ b/sysdeps/s390/s390-64/dl-trampoline.S @@ -16,126 +16,18 @@ License along with the GNU C Library; if not, see . */ -/* The PLT stubs will call _dl_runtime_resolve/_dl_runtime_profile - * with the following linkage: - * r2 - r6 : parameter registers - * f0, f2, f4, f6 : floating point parameter registers - * 48(r15), 56(r15) : PLT arguments PLT1, PLT2 - * 160(r15) : additional stack parameters - * The normal clobber rules for function calls apply: - * r0 - r5 : call clobbered - * r6 - r13 : call saved - * r14 : return address (call clobbered) - * r15 : stack pointer (call saved) - * f1, f3, f5, f7 : call saved - * f0 - f3, f5, f7 - f15 : call clobbered - */ - #include .text - .globl _dl_runtime_resolve - .type _dl_runtime_resolve, @function - cfi_startproc - .align 16 -_dl_runtime_resolve: - stmg %r2,%r5,64(15) # save call-clobbered argument registers - stg %r14,96(15) - cfi_offset (r14, -64) - lgr %r0,%r15 - aghi %r15,-160 # create stack frame - cfi_adjust_cfa_offset (160) - stg %r0,0(%r15) # write backchain - lmg %r2,%r3,208(%r15)# load args saved by PLT - brasl %r14,_dl_fixup # call fixup - lgr %r1,%r2 # function addr returned in r2 - aghi %r15,160 # remove stack frame - cfi_adjust_cfa_offset (-160) - lg %r14,96(15) # restore registers - lmg %r2,%r5,64(15) - br %r1 - cfi_endproc - .size _dl_runtime_resolve, .-_dl_runtime_resolve - - -#ifndef PROF - .globl _dl_runtime_profile - .type _dl_runtime_profile, @function - cfi_startproc - .align 16 -_dl_runtime_profile: - stmg %r2,%r6,64(%r15) # save call-clobbered arg regs - std %f0,104(%r15) # + r6 needed as arg for - std %f2,112(%r15) # _dl_profile_fixup - std %f4,120(%r15) - std %f6,128(%r15) - stg %r12,24(%r15) # r12 is used as backup of r15 - stg %r14,32(%r15) - cfi_offset (r6, -96) - cfi_offset (f0, -56) - cfi_offset (f2, -48) - cfi_offset (f4, -40) - cfi_offset (f6, -32) - cfi_offset (r12, -136) - cfi_offset (r14, -128) - lgr %r12,%r15 # backup stack pointer - cfi_def_cfa_register (12) - aghi %r15,-160 # create stack frame - stg %r12,0(%r15) # save backchain - lmg %r2,%r3,48(%r12) # load arguments saved by PLT - lgr %r4,%r14 # return address as third parameter - la %r5,64(%r12) # pointer to struct La_s390_32_regs - la %r6,40(%r12) # long int * framesize - brasl %r14,_dl_profile_fixup # call resolver - lgr %r1,%r2 # function addr returned in r2 - lg %r0,40(%r12) # load framesize - ltgr %r0,%r0 - jnm 1f - - lmg %r2,%r6,64(%r12) # framesize < 0 means no pltexit call - ld %f0,104(%r12) # so we can do a tail call without - ld %f2,112(%r12) # copying the arg overflow area - ld %f4,120(%r12) - ld %f6,128(%r12) - - lgr %r15,%r12 # remove stack frame - cfi_def_cfa_register (15) - lg %r14,32(%r15) # restore registers - lg %r12,24(%r15) - br %r1 # tail-call to resolved function - - cfi_def_cfa_register (12) -1: jz 4f # framesize == 0 ? - aghi %r0,7 # align framesize to 8 - nill %r0,0xfff8 - slgr %r15,%r0 # make room for framesize bytes - stg %r12,0(%r15) - la %r2,160(%r15) - la %r3,160(%r12) - srlg %r0,%r0,3 -3: mvc 0(8,%r2),0(%r3) # copy additional parameters - la %r2,8(%r2) - la %r3,8(%r3) - brctg %r0,3b -4: lmg %r2,%r6,64(%r12) # load register parameters - ld %f0,104(%r12) # restore call-clobbered arg regs - ld %f2,112(%r12) - ld %f4,120(%r12) - ld %f6,128(%r12) - basr %r14,%r1 # call resolved function - stg %r2,136(%r12) - std %f0,144(%r12) - lmg %r2,%r3,48(%r12) # load arguments saved by PLT - la %r4,32(%r12) # pointer to struct La_s390_32_regs - la %r5,72(%r12) # pointer to struct La_s390_32_retval - brasl %r14,_dl_call_pltexit - - lgr %r15,%r12 # remove stack frame - cfi_def_cfa_register (15) - lg %r14,32(%r15) # restore registers - lg %r12,24(%r15) - br %r14 - - cfi_endproc - .size _dl_runtime_profile, .-_dl_runtime_profile +/* Create variant of _dl_runtime_resolve/profile for machines before z13. + No vector registers are saved/restored. */ +#include + +#if defined HAVE_S390_VX_ASM_SUPPORT +/* Create variant of _dl_runtime_resolve/profile for z13 and newer. + The vector registers are saved/restored, too.*/ +# define _dl_runtime_resolve _dl_runtime_resolve_vx +# define _dl_runtime_profile _dl_runtime_profile_vx +# define RESTORE_VRS +# include #endif diff --git a/sysdeps/s390/s390-64/dl-trampoline.h b/sysdeps/s390/s390-64/dl-trampoline.h new file mode 100644 index 0000000..658e3a3 --- /dev/null +++ b/sysdeps/s390/s390-64/dl-trampoline.h @@ -0,0 +1,211 @@ +/* PLT trampolines. s390x version. + Copyright (C) 2016 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +/* The PLT stubs will call _dl_runtime_resolve/_dl_runtime_profile + * with the following linkage: + * r2 - r6 : parameter registers + * f0, f2, f4, f6 : floating point parameter registers + * v24, v26, v28, v30, v25, v27, v29, v31 : vector parameter registers + * 48(r15), 56(r15) : PLT arguments PLT1, PLT2 + * 160(r15) : additional stack parameters + * The normal clobber rules for function calls apply: + * r0 - r5 : call clobbered + * r6 - r13 : call saved + * r14 : return address (call clobbered) + * r15 : stack pointer (call saved) + * f0 - f7 : call clobbered + * f8 - f15 : call saved + * v0 - v7 : bytes 0-7 overlap with f0-f7: call clobbered + bytes 8-15: call clobbered + * v8 - v15 : bytes 0-7 overlap with f8-f15: call saved + bytes 8-15: call clobbered + * v16 - v31 : call clobbered + */ + + .globl _dl_runtime_resolve + .type _dl_runtime_resolve, @function + cfi_startproc + .align 16 +_dl_runtime_resolve: + stmg %r2,%r5,64(%r15) # save call-clobbered argument registers + cfi_offset (r2, -96) + cfi_offset (r3, -88) + cfi_offset (r4, -80) + cfi_offset (r5, -72) + std %f0,104(%r15) + cfi_offset (f0, -56) + std %f2,112(%r15) + cfi_offset (f2, -48) + std %f4,120(%r15) + cfi_offset (f4, -40) + std %f6,128(%r15) + cfi_offset (f6, -32) + stg %r14,96(15) + cfi_offset (r14, -64) + lmg %r2,%r3,48(%r15) # load args for fixup saved by PLT + lgr %r0,%r15 +#ifdef RESTORE_VRS + aghi %r15,-288 # create stack frame + cfi_adjust_cfa_offset (288) + .machine push + .machine "z13" + vstm %v24,%v31,160(%r15)# store call-clobbered vector argument registers + cfi_offset (v24, -288) + cfi_offset (v25, -272) + cfi_offset (v26, -256) + cfi_offset (v27, -240) + cfi_offset (v28, -224) + cfi_offset (v29, -208) + cfi_offset (v30, -192) + cfi_offset (v31, -176) + .machine pop +#else + aghi %r15,-160 # create stack frame + cfi_adjust_cfa_offset (160) +#endif + stg %r0,0(%r15) # write backchain + brasl %r14,_dl_fixup # call _dl_fixup + lgr %r1,%r2 # function addr returned in r2 +#ifdef RESTORE_VRS + .machine push + .machine "z13" + vlm %v24,%v31,160(%r15)# restore vector registers + .machine pop + aghi %r15,288 # remove stack frame + cfi_adjust_cfa_offset (-288) +#else + aghi %r15,160 # remove stack frame + cfi_adjust_cfa_offset (-160) +#endif + lg %r14,96(%r15) # restore registers + ld %f0,104(%r15) + ld %f2,112(%r15) + ld %f4,120(%r15) + ld %f6,128(%r15) + lmg %r2,%r5,64(%r15) + br %r1 + cfi_endproc + .size _dl_runtime_resolve, .-_dl_runtime_resolve + + +#ifndef PROF + .globl _dl_runtime_profile + .type _dl_runtime_profile, @function + cfi_startproc + .align 16 +_dl_runtime_profile: + stmg %r2,%r6,64(%r15) # save call-clobbered arg regs + cfi_offset (r2, -96) # + r6 needed as arg for + cfi_offset (r3, -88) # _dl_profile_fixup + cfi_offset (r4, -80) + cfi_offset (r5, -72) + cfi_offset (r6, -64) + std %f0,104(%r15) + cfi_offset (f0, -56) + std %f2,112(%r15) + cfi_offset (f2, -48) + std %f4,120(%r15) + cfi_offset (f4, -40) + std %f6,128(%r15) + cfi_offset (f6, -32) + stg %r12,24(%r15) # r12 is used as backup of r15 + cfi_offset (r12, -136) + stg %r14,32(%r15) + cfi_offset (r14, -128) + lgr %r12,%r15 # backup stack pointer + cfi_def_cfa_register (12) +#ifdef RESTORE_VRS + aghi %r15,-288 # create stack frame + .machine push + .machine "z13" + vstm %v24,%v31,160(%r15)# store call-clobbered vector argument registers + cfi_offset (v24, -288) + cfi_offset (v25, -272) + cfi_offset (v26, -256) + cfi_offset (v27, -240) + cfi_offset (v28, -224) + cfi_offset (v29, -208) + cfi_offset (v30, -192) + cfi_offset (v31, -176) + .machine pop +#else + aghi %r15,-160 # create stack frame +#endif + stg %r12,0(%r15) # save backchain + lmg %r2,%r3,48(%r12) # load arguments saved by PLT + lgr %r4,%r14 # return address as third parameter + la %r5,64(%r12) # pointer to struct La_s390_64_regs + la %r6,40(%r12) # long int * framesize + brasl %r14,_dl_profile_fixup # call resolver + lgr %r1,%r2 # function addr returned in r2 + ld %f0,104(%r12) # restore call-clobbered arg fprs + ld %f2,112(%r12) + ld %f4,120(%r12) + ld %f6,128(%r12) +#ifdef RESTORE_VRS + .machine push + .machine "z13" + vlm %v24,%v31,160(%r15) # restore call-clobbered arg vrs + .machine pop +#endif + lg %r0,40(%r12) # load framesize + ltgr %r0,%r0 + jnm 1f + + lmg %r2,%r6,64(%r12) # framesize < 0 means no pltexit call + # so we can do a tail call without + # copying the arg overflow area + lgr %r15,%r12 # remove stack frame + cfi_def_cfa_register (15) + lg %r14,32(%r15) # restore registers + lg %r12,24(%r15) + br %r1 # tail-call to resolved function + + cfi_def_cfa_register (12) +1: jz 4f # framesize == 0 ? + aghi %r0,7 # align framesize to 8 + nill %r0,0xfff8 + slgr %r15,%r0 # make room for framesize bytes + stg %r12,0(%r15) # save backchain + la %r2,160(%r15) + la %r3,160(%r12) + srlg %r0,%r0,3 +3: mvc 0(8,%r2),0(%r3) # copy additional parameters + la %r2,8(%r2) # depending on framesize + la %r3,8(%r3) + brctg %r0,3b +4: lmg %r2,%r6,64(%r12) # restore call-clobbered arg gprs + basr %r14,%r1 # call resolved function + stg %r2,136(%r12) # store return values r2, f0 + std %f0,144(%r12) # to struct La_s390_64_retval + lmg %r2,%r3,48(%r12) # load arguments saved by PLT + la %r4,64(%r12) # pointer to struct La_s390_64_regs + la %r5,136(%r12) # pointer to struct La_s390_64_retval + brasl %r14,_dl_call_pltexit + + lgr %r15,%r12 # remove stack frame + cfi_def_cfa_register (15) + lg %r14,32(%r15) # restore registers + lg %r12,24(%r15) + lg %r2,136(%r15) # restore return values + ld %f0,144(%r15) + br %r14 # Jump back to caller + + cfi_endproc + .size _dl_runtime_profile, .-_dl_runtime_profile +#endif -- cgit v1.1 From 4cf2b4e80a41f96f1b867f253547241871827ef1 Mon Sep 17 00:00:00 2001 From: Stefan Liebler Date: Mon, 4 Apr 2016 13:20:27 +0200 Subject: S390: Extend structs La_s390_regs / La_s390_retval with vector-registers. Starting with z13, vector registers can also occur as argument registers. Thus the passed input/output register structs for la_s390_[32|64]_gnu_plt[enter|exit] functions should reflect those new registers. This patch extends these structs La_s390_regs and La_s390_retval and adjusts _dl_runtime_profile() to handle those fields in case of running on a z13 machine. ChangeLog: * sysdeps/s390/bits/link.h: (La_s390_vr) New typedef. (La_s390_32_regs): Append vector register lr_v24-lr_v31. (La_s390_64_regs): Likewise. (La_s390_32_retval): Append vector register lrv_v24. (La_s390_64_retval): Likeweise. * sysdeps/s390/s390-32/dl-trampoline.h (_dl_runtime_profile): Handle extended structs La_s390_32_regs and La_s390_32_retval. * sysdeps/s390/s390-64/dl-trampoline.h (_dl_runtime_profile): Handle extended structs La_s390_64_regs and La_s390_64_retval. (cherry picked from commit 5cdd1989d1d2f135d02e66250f37ba8e767f9772) --- ChangeLog | 12 ++++++ sysdeps/s390/bits/link.h | 29 +++++++++++++ sysdeps/s390/s390-32/dl-trampoline.h | 76 +++++++++++++++++++------------- sysdeps/s390/s390-64/dl-trampoline.h | 84 +++++++++++++++++++++--------------- 4 files changed, 136 insertions(+), 65 deletions(-) diff --git a/ChangeLog b/ChangeLog index bcacb57..c47c0b5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,17 @@ 2016-04-04 Stefan Liebler + * sysdeps/s390/bits/link.h: (La_s390_vr) New typedef. + (La_s390_32_regs): Append vector register lr_v24-lr_v31. + (La_s390_64_regs): Likewise. + (La_s390_32_retval): Append vector register lrv_v24. + (La_s390_64_retval): Likeweise. + * sysdeps/s390/s390-32/dl-trampoline.h (_dl_runtime_profile): + Handle extended structs La_s390_32_regs and La_s390_32_retval. + * sysdeps/s390/s390-64/dl-trampoline.h (_dl_runtime_profile): + Handle extended structs La_s390_64_regs and La_s390_64_retval. + +2016-04-04 Stefan Liebler + * sysdeps/s390/s390-32/dl-trampoline.S: Include dl-trampoline.h twice to create a non-vector/vector version for _dl_runtime_resolve and _dl_runtime_profile. Move implementation to ... diff --git a/sysdeps/s390/bits/link.h b/sysdeps/s390/bits/link.h index a5ab546..9de8ebe 100644 --- a/sysdeps/s390/bits/link.h +++ b/sysdeps/s390/bits/link.h @@ -19,6 +19,9 @@ # error "Never include directly; use instead." #endif +#if defined HAVE_S390_VX_ASM_SUPPORT +typedef char La_s390_vr[16]; +#endif #if __ELF_NATIVE_CLASS == 32 @@ -32,6 +35,16 @@ typedef struct La_s390_32_regs uint32_t lr_r6; double lr_fp0; double lr_fp2; +# if defined HAVE_S390_VX_ASM_SUPPORT + La_s390_vr lr_v24; + La_s390_vr lr_v25; + La_s390_vr lr_v26; + La_s390_vr lr_v27; + La_s390_vr lr_v28; + La_s390_vr lr_v29; + La_s390_vr lr_v30; + La_s390_vr lr_v31; +# endif } La_s390_32_regs; /* Return values for calls from PLT on s390-32. */ @@ -40,6 +53,9 @@ typedef struct La_s390_32_retval uint32_t lrv_r2; uint32_t lrv_r3; double lrv_fp0; +# if defined HAVE_S390_VX_ASM_SUPPORT + La_s390_vr lrv_v24; +# endif } La_s390_32_retval; @@ -77,6 +93,16 @@ typedef struct La_s390_64_regs double lr_fp2; double lr_fp4; double lr_fp6; +# if defined HAVE_S390_VX_ASM_SUPPORT + La_s390_vr lr_v24; + La_s390_vr lr_v25; + La_s390_vr lr_v26; + La_s390_vr lr_v27; + La_s390_vr lr_v28; + La_s390_vr lr_v29; + La_s390_vr lr_v30; + La_s390_vr lr_v31; +# endif } La_s390_64_regs; /* Return values for calls from PLT on s390-64. */ @@ -84,6 +110,9 @@ typedef struct La_s390_64_retval { uint64_t lrv_r2; double lrv_fp0; +# if defined HAVE_S390_VX_ASM_SUPPORT + La_s390_vr lrv_v24; +# endif } La_s390_64_retval; diff --git a/sysdeps/s390/s390-32/dl-trampoline.h b/sysdeps/s390/s390-32/dl-trampoline.h index 5627567..086449f 100644 --- a/sysdeps/s390/s390-32/dl-trampoline.h +++ b/sysdeps/s390/s390-32/dl-trampoline.h @@ -112,28 +112,31 @@ _dl_runtime_resolve: cfi_startproc .align 16 _dl_runtime_profile: - stm %r2,%r6,32(%r15) # save registers - cfi_offset (r2, -64) # + r6 needed as arg for - cfi_offset (r3, -60) # _dl_profile_fixup - cfi_offset (r4, -56) - cfi_offset (r5, -52) - cfi_offset (r6, -48) - std %f0,56(%r15) - cfi_offset (f0, -40) - std %f2,64(%r15) - cfi_offset (f2, -32) st %r12,12(%r15) # r12 is used as backup of r15 cfi_offset (r12, -84) st %r14,16(%r15) cfi_offset (r14, -80) lr %r12,%r15 # backup stack pointer cfi_def_cfa_register (12) + ahi %r15,-264 # create stack frame: + # 96 + sizeof(La_s390_32_regs) + st %r12,0(%r15) # save backchain + + stm %r2,%r6,96(%r15) # save registers + cfi_offset (r2, -264) # + r6 needed as arg for + cfi_offset (r3, -260) # _dl_profile_fixup + cfi_offset (r4, -256) + cfi_offset (r5, -252) + cfi_offset (r6, -248) + std %f0,120(%r15) + cfi_offset (f0, -240) + std %f2,128(%r15) + cfi_offset (f2, -232) #ifdef RESTORE_VRS - ahi %r15,-224 # create stack frame .machine push .machine "z13" .machinemode "zarch_nohighgprs" - vstm %v24,%v31,96(%r15) # store call-clobbered vr arguments + vstm %v24,%v31,136(%r15) # store call-clobbered vr arguments cfi_offset (v24, -224) cfi_offset (v25, -208) cfi_offset (v26, -192) @@ -143,31 +146,31 @@ _dl_runtime_profile: cfi_offset (v30, -128) cfi_offset (v31, -112) .machine pop -#else - ahi %r15,-96 # create stack frame #endif - st %r12,0(%r15) # save backchain + lm %r2,%r3,24(%r12) # load arguments saved by PLT lr %r4,%r14 # return address as third parameter basr %r1,0 0: l %r14,6f-0b(%r1) - la %r5,32(%r12) # pointer to struct La_s390_32_regs + la %r5,96(%r15) # pointer to struct La_s390_32_regs la %r6,20(%r12) # long int * framesize bas %r14,0(%r14,%r1) # call resolver lr %r1,%r2 # function addr returned in r2 - ld %f0,56(%r12) # restore call-clobbered arg fprs - ld %f2,64(%r12) + ld %f0,120(%r15) # restore call-clobbered arg fprs + ld %f2,128(%r15) #ifdef RESTORE_VRS .machine push .machine "z13" .machinemode "zarch_nohighgprs" - vlm %v24,%v31,96(%r15) # restore call-clobbered arg vrs + vlm %v24,%v31,136(%r15) # restore call-clobbered arg vrs .machine pop #endif icm %r0,15,20(%r12) # load & test framesize jnm 2f - lm %r2,%r6,32(%r12) + lm %r2,%r6,96(%r15) # framesize < 0 means no pltexit call + # so we can do a tail call without + # copying the arg overflow area lr %r15,%r12 # remove stack frame cfi_def_cfa_register (15) l %r14,16(%r15) # restore registers @@ -175,7 +178,9 @@ _dl_runtime_profile: br %r1 # tail-call to the resolved function cfi_def_cfa_register (12) -2: jz 4f # framesize == 0 ? +2: la %r4,96(%r15) # pointer to struct La_s390_32_regs + st %r4,32(%r12) + jz 4f # framesize == 0 ? ahi %r0,7 # align framesize to 8 lhi %r2,-8 nr %r0,%r2 @@ -188,24 +193,35 @@ _dl_runtime_profile: la %r2,8(%r2) la %r3,8(%r3) brct %r0,3b -4: lm %r2,%r6,32(%r12) # load register parameters +4: lm %r2,%r6,0(%r4) # load register parameters basr %r14,%r1 # call resolved function - stm %r2,%r3,72(%r12) # store return values r2, r3, f0 - std %f0,80(%r12) # to struct La_s390_32_retval - lm %r2,%r3,24(%r12) # load arguments saved by PLT + stm %r2,%r3,40(%r12) # store return values r2, r3, f0 + std %f0,48(%r12) # to struct La_s390_32_retval +#ifdef RESTORE_VRS + .machine push + .machine "z13" + vst %v24,56(%r12) # store return value v24 + .machine pop +#endif + lm %r2,%r4,24(%r12) # r2, r3: load arguments saved by PLT + # r4: pointer to struct La_s390_32_regs basr %r1,0 5: l %r14,7f-5b(%r1) - la %r4,32(%r12) # pointer to struct La_s390_32_regs - la %r5,72(%r12) # pointer to struct La_s390_32_retval + la %r5,40(%r12) # pointer to struct La_s390_32_retval bas %r14,0(%r14,%r1) # call _dl_call_pltexit lr %r15,%r12 # remove stack frame cfi_def_cfa_register (15) l %r14,16(%r15) # restore registers l %r12,12(%r15) - l %r2,72(%r15) # restore return values - l %r3,76(%r15) - ld %f0,80(%r15) + lm %r2,%r3,40(%r15) # restore return values + ld %f0,48(%r15) +#ifdef RESTORE_VRS + .machine push + .machine "z13" + vl %v24,56(%r15) # restore return value v24 + .machine pop +#endif br %r14 6: .long _dl_profile_fixup - 0b diff --git a/sysdeps/s390/s390-64/dl-trampoline.h b/sysdeps/s390/s390-64/dl-trampoline.h index 658e3a3..33ea3de 100644 --- a/sysdeps/s390/s390-64/dl-trampoline.h +++ b/sysdeps/s390/s390-64/dl-trampoline.h @@ -109,31 +109,34 @@ _dl_runtime_resolve: cfi_startproc .align 16 _dl_runtime_profile: - stmg %r2,%r6,64(%r15) # save call-clobbered arg regs - cfi_offset (r2, -96) # + r6 needed as arg for - cfi_offset (r3, -88) # _dl_profile_fixup - cfi_offset (r4, -80) - cfi_offset (r5, -72) - cfi_offset (r6, -64) - std %f0,104(%r15) - cfi_offset (f0, -56) - std %f2,112(%r15) - cfi_offset (f2, -48) - std %f4,120(%r15) - cfi_offset (f4, -40) - std %f6,128(%r15) - cfi_offset (f6, -32) stg %r12,24(%r15) # r12 is used as backup of r15 cfi_offset (r12, -136) stg %r14,32(%r15) cfi_offset (r14, -128) lgr %r12,%r15 # backup stack pointer cfi_def_cfa_register (12) + aghi %r15,-360 # create stack frame: + # 160 + sizeof(La_s390_64_regs) + stg %r12,0(%r15) # save backchain + + stmg %r2,%r6,160(%r15) # save call-clobbered arg regs + cfi_offset (r2, -360) # + r6 needed as arg for + cfi_offset (r3, -352) # _dl_profile_fixup + cfi_offset (r4, -344) + cfi_offset (r5, -336) + cfi_offset (r6, -328) + std %f0,200(%r15) + cfi_offset (f0, -320) + std %f2,208(%r15) + cfi_offset (f2, -312) + std %f4,216(%r15) + cfi_offset (f4, -304) + std %f6,224(%r15) + cfi_offset (f6, -296) #ifdef RESTORE_VRS - aghi %r15,-288 # create stack frame .machine push .machine "z13" - vstm %v24,%v31,160(%r15)# store call-clobbered vector argument registers + vstm %v24,%v31,232(%r15) # store call-clobbered vector arguments cfi_offset (v24, -288) cfi_offset (v25, -272) cfi_offset (v26, -256) @@ -143,31 +146,28 @@ _dl_runtime_profile: cfi_offset (v30, -192) cfi_offset (v31, -176) .machine pop -#else - aghi %r15,-160 # create stack frame #endif - stg %r12,0(%r15) # save backchain lmg %r2,%r3,48(%r12) # load arguments saved by PLT lgr %r4,%r14 # return address as third parameter - la %r5,64(%r12) # pointer to struct La_s390_64_regs + la %r5,160(%r15) # pointer to struct La_s390_64_regs la %r6,40(%r12) # long int * framesize brasl %r14,_dl_profile_fixup # call resolver lgr %r1,%r2 # function addr returned in r2 - ld %f0,104(%r12) # restore call-clobbered arg fprs - ld %f2,112(%r12) - ld %f4,120(%r12) - ld %f6,128(%r12) + ld %f0,200(%r15) # restore call-clobbered arg fprs + ld %f2,208(%r15) + ld %f4,216(%r15) + ld %f6,224(%r15) #ifdef RESTORE_VRS .machine push .machine "z13" - vlm %v24,%v31,160(%r15) # restore call-clobbered arg vrs + vlm %v24,%v31,232(%r15) # restore call-clobbered arg vrs .machine pop #endif lg %r0,40(%r12) # load framesize ltgr %r0,%r0 jnm 1f - lmg %r2,%r6,64(%r12) # framesize < 0 means no pltexit call + lmg %r2,%r6,160(%r15) # framesize < 0 means no pltexit call # so we can do a tail call without # copying the arg overflow area lgr %r15,%r12 # remove stack frame @@ -177,7 +177,9 @@ _dl_runtime_profile: br %r1 # tail-call to resolved function cfi_def_cfa_register (12) -1: jz 4f # framesize == 0 ? +1: la %r4,160(%r15) # pointer to struct La_s390_64_regs + stg %r4,64(%r12) + jz 4f # framesize == 0 ? aghi %r0,7 # align framesize to 8 nill %r0,0xfff8 slgr %r15,%r0 # make room for framesize bytes @@ -189,21 +191,33 @@ _dl_runtime_profile: la %r2,8(%r2) # depending on framesize la %r3,8(%r3) brctg %r0,3b -4: lmg %r2,%r6,64(%r12) # restore call-clobbered arg gprs +4: lmg %r2,%r6,0(%r4) # restore call-clobbered arg gprs basr %r14,%r1 # call resolved function - stg %r2,136(%r12) # store return values r2, f0 - std %f0,144(%r12) # to struct La_s390_64_retval - lmg %r2,%r3,48(%r12) # load arguments saved by PLT - la %r4,64(%r12) # pointer to struct La_s390_64_regs - la %r5,136(%r12) # pointer to struct La_s390_64_retval + stg %r2,72(%r12) # store return values r2, f0 + std %f0,80(%r12) # to struct La_s390_64_retval +#ifdef RESTORE_VRS + .machine push + .machine "z13" + vst %v24,88(%r12) # store return value v24 + .machine pop +#endif + lmg %r2,%r4,48(%r12) # r2, r3: load arguments saved by PLT + # r4: pointer to struct La_s390_64_regs + la %r5,72(%r12) # pointer to struct La_s390_64_retval brasl %r14,_dl_call_pltexit lgr %r15,%r12 # remove stack frame cfi_def_cfa_register (15) lg %r14,32(%r15) # restore registers lg %r12,24(%r15) - lg %r2,136(%r15) # restore return values - ld %f0,144(%r15) + lg %r2,72(%r15) # restore return values + ld %f0,80(%r15) +#ifdef RESTORE_VRS + .machine push + .machine "z13" + vl %v24,88(%r15) # restore return value v24 + .machine pop +#endif br %r14 # Jump back to caller cfi_endproc -- cgit v1.1 From 57d1664a03c298147ee6da9e0d513117fe750427 Mon Sep 17 00:00:00 2001 From: Mike Frysinger Date: Sat, 9 Apr 2016 20:02:48 -0400 Subject: configure: fix `test ==` usage POSIX defines the = operator, but not ==. Fix the few places where we incorrectly used ==. (cherry picked from commit b2d4456b333970ab4cb01ed8045b9a8d2c4832f3) --- ChangeLog | 5 +++++ sysdeps/x86_64/configure | 4 ++-- sysdeps/x86_64/configure.ac | 4 ++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index c47c0b5..9fcba1d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2016-04-09 Mike Frysinger + + * sysdeps/x86_64/configure.ac: Change == to = when calling test. + * sysdeps/x86_64/configure: Likewise. + 2016-04-04 Stefan Liebler * sysdeps/s390/bits/link.h: (La_s390_vr) New typedef. diff --git a/sysdeps/x86_64/configure b/sysdeps/x86_64/configure index 7d4dadd..0c0e4d0 100644 --- a/sysdeps/x86_64/configure +++ b/sysdeps/x86_64/configure @@ -117,7 +117,7 @@ rm -f conftest* fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_asm_avx512" >&5 $as_echo "$libc_cv_asm_avx512" >&6; } -if test $libc_cv_asm_avx512 == yes; then +if test $libc_cv_asm_avx512 = yes; then $as_echo "#define HAVE_AVX512_ASM_SUPPORT 1" >>confdefs.h fi @@ -244,7 +244,7 @@ rm -f conftest* fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_asm_mpx" >&5 $as_echo "$libc_cv_asm_mpx" >&6; } -if test $libc_cv_asm_mpx == yes; then +if test $libc_cv_asm_mpx = yes; then $as_echo "#define HAVE_MPX_SUPPORT 1" >>confdefs.h fi diff --git a/sysdeps/x86_64/configure.ac b/sysdeps/x86_64/configure.ac index c9f9a51..4b3d7bf 100644 --- a/sysdeps/x86_64/configure.ac +++ b/sysdeps/x86_64/configure.ac @@ -34,7 +34,7 @@ else libc_cv_asm_avx512=no fi rm -f conftest*]) -if test $libc_cv_asm_avx512 == yes; then +if test $libc_cv_asm_avx512 = yes; then AC_DEFINE(HAVE_AVX512_ASM_SUPPORT) fi @@ -86,7 +86,7 @@ else libc_cv_asm_mpx=no fi rm -f conftest*]) -if test $libc_cv_asm_mpx == yes; then +if test $libc_cv_asm_mpx = yes; then AC_DEFINE(HAVE_MPX_SUPPORT) fi -- cgit v1.1 From ee35f1cb547e21538b4c6ef0ed7515635552baa6 Mon Sep 17 00:00:00 2001 From: Stefan Liebler Date: Thu, 28 Apr 2016 10:25:49 +0200 Subject: S/390: Fix setcontext/swapcontext which are not restoring sigmask. This patch uses sigprocmask(SIG_SETMASK) instead of SIG_BLOCK in setcontext, swapcontext. (cherry picked from commit 2e807f29595eb5b1e5d0decc6e356a3562ecc58e) --- ChangeLog | 16 ++ NEWS | 2 +- stdlib/Makefile | 10 +- stdlib/tst-setcontext2.c | 230 +++++++++++++++++++++ sysdeps/unix/sysv/linux/s390/s390-32/setcontext.S | 2 +- sysdeps/unix/sysv/linux/s390/s390-32/swapcontext.S | 16 +- sysdeps/unix/sysv/linux/s390/s390-64/setcontext.S | 2 +- sysdeps/unix/sysv/linux/s390/s390-64/swapcontext.S | 16 +- 8 files changed, 264 insertions(+), 30 deletions(-) create mode 100644 stdlib/tst-setcontext2.c diff --git a/ChangeLog b/ChangeLog index 9fcba1d..fc52787 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,19 @@ +2016-04-28 Stefan Liebler + + [BZ #18080] + * sysdeps/unix/sysv/linux/s390/s390-32/setcontext.S + (__setcontext): Use SIG_SETMASK instead of SIG_BLOCK. + * sysdeps/unix/sysv/linux/s390/s390-64/setcontext.S + (__setcontext): Likewise. + * sysdeps/unix/sysv/linux/s390/s390-32/swapcontext.S + (__swapcontext): Use SIG_SETMASK instead of SIG_BLOCK. + Call rt_sigprocmask syscall one time to set new signal mask + and retrieve the current signal mask instead of two calls. + * sysdeps/unix/sysv/linux/s390/s390-64/swapcontext.S + (__swapcontext): Likewise. + * stdlib/Makefile (tests): Add new testcase tst-setcontext2. + * stdlib/tst-setcontext2.c: New file. + 2016-04-09 Mike Frysinger * sysdeps/x86_64/configure.ac: Change == to = when calling test. diff --git a/NEWS b/NEWS index 4aed159..752b9b3 100644 --- a/NEWS +++ b/NEWS @@ -10,7 +10,7 @@ Version 2.20.1 * The following bugs are resolved with this release: 16009, 16617, 16618, 17266, 17269, 17370, 17371, 17460, 17485, 17555, - 17625, 17630, 17801, 18032, 18665, 18694, 18928, 19018, 19682. + 17625, 17630, 17801, 18032, 18080, 18665, 18694, 18928, 19018, 19682. * A stack-based buffer overflow was found in libresolv when invoked from libnss_dns, allowing specially crafted DNS responses to seize control diff --git a/stdlib/Makefile b/stdlib/Makefile index 9b2271b..dfb93b2 100644 --- a/stdlib/Makefile +++ b/stdlib/Makefile @@ -66,11 +66,11 @@ test-srcs := tst-fmtmsg tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ test-canon test-canon2 tst-strtoll tst-environ \ tst-xpg-basename tst-random tst-random2 tst-bsearch \ - tst-limits tst-rand48 bug-strtod tst-setcontext \ - test-a64l tst-qsort tst-system testmb2 bug-strtod2 \ - tst-atof1 tst-atof2 tst-strtod2 tst-strtod3 tst-rand48-2 \ - tst-makecontext tst-strtod4 tst-strtod5 tst-qsort2 \ - tst-makecontext2 tst-strtod6 tst-unsetenv1 \ + tst-limits tst-rand48 bug-strtod tst-setcontext \ + tst-setcontext2 test-a64l tst-qsort tst-system testmb2 \ + bug-strtod2 tst-atof1 tst-atof2 tst-strtod2 tst-strtod3 \ + tst-rand48-2 tst-makecontext tst-strtod4 tst-strtod5 \ + tst-qsort2 tst-makecontext2 tst-strtod6 tst-unsetenv1 \ tst-makecontext3 bug-getcontext bug-fmtmsg1 \ tst-secure-getenv tst-strtod-overflow tst-strtod-round \ tst-tininess tst-strtod-underflow tst-tls-atexit diff --git a/stdlib/tst-setcontext2.c b/stdlib/tst-setcontext2.c new file mode 100644 index 0000000..8582cc0 --- /dev/null +++ b/stdlib/tst-setcontext2.c @@ -0,0 +1,230 @@ +/* Testcase checks, if setcontext(), swapcontext() restores signal-mask + and if pending signals are delivered after those calls. + Copyright (C) 2015 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include +#include +#include + +volatile int global; +volatile sig_atomic_t handlerCalled; + +static void +check (const char *funcName) +{ + sigset_t set; + + /* check if SIGUSR2 is unblocked after setcontext-call. */ + sigprocmask (SIG_BLOCK, NULL, &set); + + if (sigismember (&set, SIGUSR2) != 0) + { + printf ("FAIL: SIGUSR2 is blocked after %s.\n", funcName); + exit (1); + } + + if (sigismember (&set, SIGUSR1) != 1) + { + printf ("FAIL: SIGUSR1 is not blocked after %s.\n", funcName); + exit (1); + } +} + +static void +signalmask (int how, int signum) +{ + sigset_t set; + sigemptyset (&set); + sigaddset (&set, signum); + if (sigprocmask (how, &set, NULL) != 0) + { + printf ("FAIL: sigprocmaks (%d, %d, NULL): %m\n", how, signum); + exit (1); + } +} + +static void +signalpending (int signum, const char *msg) +{ + sigset_t set; + sigemptyset (&set); + if (sigpending (&set) != 0) + { + printf ("FAIL: sigpending: %m\n"); + exit (1); + } + if (sigismember (&set, SIGUSR2) != 1) + { + printf ("FAIL: Signal %d is not pending %s\n", signum, msg); + exit (1); + } +} + +static void +handler (int __attribute__ ((unused)) signum) +{ + handlerCalled ++; +} + +static int +do_test (void) +{ + ucontext_t ctx, oldctx; + struct sigaction action; + pid_t pid; + + pid = getpid (); + + /* unblock SIGUSR2 */ + signalmask (SIG_UNBLOCK, SIGUSR2); + + /* block SIGUSR1 */ + signalmask (SIG_BLOCK, SIGUSR1); + + /* register handler for SIGUSR2 */ + action.sa_flags = 0; + action.sa_handler = handler; + sigemptyset (&action.sa_mask); + sigaction (SIGUSR2, &action, NULL); + + if (getcontext (&ctx) != 0) + { + printf ("FAIL: getcontext: %m\n"); + exit (1); + } + + global++; + + if (global == 1) + { + puts ("after getcontext"); + + /* block SIGUSR2 */ + signalmask (SIG_BLOCK, SIGUSR2); + + /* send SIGUSR2 to me */ + handlerCalled = 0; + kill (pid, SIGUSR2); + + /* was SIGUSR2 handler called? */ + if (handlerCalled != 0) + { + puts ("FAIL: signal handler was called, but signal was blocked."); + exit (1); + } + + /* is SIGUSR2 pending? */ + signalpending (SIGUSR2, "before setcontext"); + + /* SIGUSR2 will be unblocked by setcontext-call. */ + if (setcontext (&ctx) != 0) + { + printf ("FAIL: setcontext: %m\n"); + exit (1); + } + } + else if (global == 2) + { + puts ("after setcontext"); + + /* check SIGUSR1/2 */ + check ("setcontext"); + + /* was SIGUSR2 handler called? */ + if (handlerCalled != 1) + { + puts ("FAIL: signal handler was not called after setcontext."); + exit (1); + } + + /* block SIGUSR2 */ + signalmask (SIG_BLOCK, SIGUSR2); + + /* send SIGUSR2 to me */ + handlerCalled = 0; + kill (pid, SIGUSR2); + + /* was SIGUSR2 handler called? */ + if (handlerCalled != 0) + { + puts ("FAIL: signal handler was called, but signal was blocked."); + exit (1); + } + + /* is SIGUSR2 pending? */ + signalpending (SIGUSR2, "before swapcontext"); + + if (swapcontext (&oldctx, &ctx) != 0) + { + printf ("FAIL: swapcontext: %m\n"); + exit (1); + } + + puts ("after returned from swapcontext"); + + if (global != 3) + { + puts ("FAIL: returned from swapcontext without ctx-context called."); + exit (1); + } + + puts ("test succeeded"); + return 0; + } + else if ( global != 3 ) + { + puts ("FAIL: 'global' not incremented three times"); + exit (1); + } + + puts ("after swapcontext"); + /* check SIGUSR1/2 */ + check ("swapcontext"); + + /* was SIGUSR2 handler called? */ + if (handlerCalled != 1) + { + puts ("FAIL: signal handler was not called after swapcontext."); + exit (1); + } + + /* check sigmask in old context of swapcontext-call */ + if (sigismember (&oldctx.uc_sigmask, SIGUSR2) != 1) + { + puts ("FAIL: SIGUSR2 is not blocked in oldctx.uc_sigmask."); + exit (1); + } + + if (sigismember (&oldctx.uc_sigmask, SIGUSR1) != 1) + { + puts ("FAIL: SIGUSR1 is not blocked in oldctx.uc_sigmaks."); + exit (1); + } + + /* change to old context, which was gathered by swapcontext() call. */ + setcontext (&oldctx); + + puts ("FAIL: returned from setcontext (&oldctx)"); + exit (1); +} + +#define TEST_FUNCTION do_test () +#include "../test-skeleton.c" diff --git a/sysdeps/unix/sysv/linux/s390/s390-32/setcontext.S b/sysdeps/unix/sysv/linux/s390/s390-32/setcontext.S index 42839e2..b263773 100644 --- a/sysdeps/unix/sysv/linux/s390/s390-32/setcontext.S +++ b/sysdeps/unix/sysv/linux/s390/s390-32/setcontext.S @@ -34,7 +34,7 @@ ENTRY(__setcontext) lr %r1,%r2 /* rt_sigprocmask (SIG_SETMASK, &sc->sc_mask, NULL, sigsetsize). */ - la %r2,SIG_BLOCK + la %r2,SIG_SETMASK la %r3,SC_MASK(%r1) slr %r4,%r4 lhi %r5,_NSIG8 diff --git a/sysdeps/unix/sysv/linux/s390/s390-32/swapcontext.S b/sysdeps/unix/sysv/linux/s390/s390-32/swapcontext.S index 9206aa3..8f9cfd8 100644 --- a/sysdeps/unix/sysv/linux/s390/s390-32/swapcontext.S +++ b/sysdeps/unix/sysv/linux/s390/s390-32/swapcontext.S @@ -24,7 +24,7 @@ /* __swapcontext (ucontext_t *oucp, const ucontext_t *ucp) Saves the machine context in oucp such that when it is activated, - it appears as if __swapcontextt() returned again, restores the + it appears as if __swapcontext() returned again, restores the machine context in ucp and thereby resumes execution in that context. @@ -39,13 +39,6 @@ ENTRY(__swapcontext) lr %r1,%r2 lr %r0,%r3 - /* sigprocmask (SIG_BLOCK, NULL, &sc->sc_mask). */ - la %r2,SIG_BLOCK - slr %r3,%r3 - la %r4,SC_MASK(%r1) - lhi %r5,_NSIG8 - svc SYS_ify(rt_sigprocmask) - /* Store fpu context. */ stfpc SC_FPC(%r1) std %f0,SC_FPRS(%r1) @@ -74,11 +67,12 @@ ENTRY(__swapcontext) /* Store general purpose registers. */ stm %r0,%r15,SC_GPRS(%r1) - /* sigprocmask (SIG_SETMASK, &sc->sc_mask, NULL). */ - la %r2,SIG_BLOCK + /* rt_sigprocmask (SIG_SETMASK, &ucp->uc_sigmask, &oucp->uc_sigmask, + sigsetsize). */ + la %r2,SIG_SETMASK lr %r5,%r0 la %r3,SC_MASK(%r5) - slr %r4,%r4 + la %r4,SC_MASK(%r1) lhi %r5,_NSIG8 svc SYS_ify(rt_sigprocmask) diff --git a/sysdeps/unix/sysv/linux/s390/s390-64/setcontext.S b/sysdeps/unix/sysv/linux/s390/s390-64/setcontext.S index 83df5ce..1464e6a 100644 --- a/sysdeps/unix/sysv/linux/s390/s390-64/setcontext.S +++ b/sysdeps/unix/sysv/linux/s390/s390-64/setcontext.S @@ -34,7 +34,7 @@ ENTRY(__setcontext) lgr %r1,%r2 /* sigprocmask (SIG_SETMASK, &sc->sc_mask, NULL). */ - la %r2,SIG_BLOCK + la %r2,SIG_SETMASK la %r3,SC_MASK(%r1) slgr %r4,%r4 lghi %r5,_NSIG8 diff --git a/sysdeps/unix/sysv/linux/s390/s390-64/swapcontext.S b/sysdeps/unix/sysv/linux/s390/s390-64/swapcontext.S index e3e624c..8346fd5 100644 --- a/sysdeps/unix/sysv/linux/s390/s390-64/swapcontext.S +++ b/sysdeps/unix/sysv/linux/s390/s390-64/swapcontext.S @@ -24,7 +24,7 @@ /* __swapcontext (ucontext_t *oucp, const ucontext_t *ucp) Saves the machine context in oucp such that when it is activated, - it appears as if __swapcontextt() returned again, restores the + it appears as if __swapcontext() returned again, restores the machine context in ucp and thereby resumes execution in that context. @@ -39,13 +39,6 @@ ENTRY(__swapcontext) lgr %r1,%r2 lgr %r0,%r3 - /* sigprocmask (SIG_BLOCK, NULL, &sc->sc_mask). */ - la %r2,SIG_BLOCK - slgr %r3,%r3 - la %r4,SC_MASK(%r1) - lghi %r5,_NSIG8 - svc SYS_ify(rt_sigprocmask) - /* Store fpu context. */ stfpc SC_FPC(%r1) std %f0,SC_FPRS(%r1) @@ -74,12 +67,13 @@ ENTRY(__swapcontext) /* Store general purpose registers. */ stmg %r0,%r15,SC_GPRS(%r1) - /* rt_sigprocmask (SIG_SETMASK, &sc->sc_mask, NULL, sigsetsize). */ - la %r2,SIG_BLOCK + /* rt_sigprocmask (SIG_SETMASK, &ucp->uc_sigmask, &oucp->uc_sigmask, + sigsetsize). */ + la %r2,SIG_SETMASK lgr %r5,%r0 la %r3,SC_MASK(%r5) + la %r4,SC_MASK(%r1) lghi %r5,_NSIG8 - slgr %r4,%r4 svc SYS_ify(rt_sigprocmask) /* Load fpu context. */ -- cgit v1.1 From edbab2450a084a275d418fba871a8c7b48001a71 Mon Sep 17 00:00:00 2001 From: Stefan Liebler Date: Thu, 28 Apr 2016 10:26:35 +0200 Subject: S390: Fix "backtrace() returns infinitely deep stack frames with makecontext()" [BZ #18508]. On s390/s390x backtrace(buffer, size) returns the series of called functions until "makecontext_ret" and additional entries (up to "size") with "makecontext_ret". GDB-backtrace is also warning: "Backtrace stopped: previous frame identical to this frame (corrupt stack?)" To reproduce this scenario you have to setup a new context with makecontext() and activate it with setcontext(). See e.g. cf() function in testcase stdlib/tst-makecontext.c. Or see bug in libgo "Bug 66303 - runtime.Caller() returns infinitely deep stack frames on s390x " (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66303). This patch omits the cfi_startproc/cfi_endproc directives in ENTRY/END macro of __makecontext_ret. Thus no frame information is generated in .eh_frame and backtrace stops after __makecontext_ret. There is also no .eh_frame info for _start or thread_start functions. ChangeLog: [BZ #18508] * stdlib/Makefile ($(objpfx)tst-makecontext3): Depend on $(libdl). * stdlib/tst-makecontext.c (cf): Test if _Unwind_Backtrace is not called infinitely times. (backtrace_helper): New function. (trace_arg): New struct. (st1): Enlarge stack size. * sysdeps/unix/sysv/linux/s390/s390-32/__makecontext_ret.S: (__makecontext_ret): Omit cfi_startproc and cfi_endproc. * sysdeps/unix/sysv/linux/s390/s390-64/__makecontext_ret.S: Likewise. (cherry picked from commit 890b7a4b33d482b5c768ab47d70758b80227e9bc) --- ChangeLog | 15 ++++++++ NEWS | 3 +- stdlib/Makefile | 2 ++ stdlib/tst-makecontext.c | 41 +++++++++++++++++++++- .../sysv/linux/s390/s390-32/__makecontext_ret.S | 8 +++++ .../sysv/linux/s390/s390-64/__makecontext_ret.S | 8 +++++ 6 files changed, 75 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index fc52787..9ec6a56 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,20 @@ 2016-04-28 Stefan Liebler + [BZ #18508] + * stdlib/Makefile ($(objpfx)tst-makecontext3): + Depend on $(libdl). + * stdlib/tst-makecontext.c (cf): Test if _Unwind_Backtrace + is not called infinitely times. + (backtrace_helper): New function. + (trace_arg): New struct. + (st1): Enlarge stack size. + * sysdeps/unix/sysv/linux/s390/s390-32/__makecontext_ret.S: + (__makecontext_ret): Omit cfi_startproc and cfi_endproc. + * sysdeps/unix/sysv/linux/s390/s390-64/__makecontext_ret.S: + Likewise. + +2016-04-28 Stefan Liebler + [BZ #18080] * sysdeps/unix/sysv/linux/s390/s390-32/setcontext.S (__setcontext): Use SIG_SETMASK instead of SIG_BLOCK. diff --git a/NEWS b/NEWS index 752b9b3..138aee2 100644 --- a/NEWS +++ b/NEWS @@ -10,7 +10,8 @@ Version 2.20.1 * The following bugs are resolved with this release: 16009, 16617, 16618, 17266, 17269, 17370, 17371, 17460, 17485, 17555, - 17625, 17630, 17801, 18032, 18080, 18665, 18694, 18928, 19018, 19682. + 17625, 17630, 17801, 18032, 18080, 18508, 18665, 18694, 18928, 19018, + 19682. * A stack-based buffer overflow was found in libresolv when invoked from libnss_dns, allowing specially crafted DNS responses to seize control diff --git a/stdlib/Makefile b/stdlib/Makefile index dfb93b2..1aa507b 100644 --- a/stdlib/Makefile +++ b/stdlib/Makefile @@ -157,3 +157,5 @@ tst-tls-atexit-lib.so-no-z-defs = yes $(objpfx)tst-tls-atexit: $(shared-thread-library) $(libdl) $(objpfx)tst-tls-atexit.out: $(objpfx)tst-tls-atexit-lib.so + +$(objpfx)tst-makecontext: $(libdl) diff --git a/stdlib/tst-makecontext.c b/stdlib/tst-makecontext.c index 7968a6d..ef1e27a 100644 --- a/stdlib/tst-makecontext.c +++ b/stdlib/tst-makecontext.c @@ -19,23 +19,62 @@ #include #include #include +#include +#include +#include +#include ucontext_t ucp; -char st1[8192]; +char st1[16384]; __thread int thr; int somevar = -76; long othervar = -78L; +struct trace_arg +{ + int cnt, size; +}; + +static _Unwind_Reason_Code +backtrace_helper (struct _Unwind_Context *ctx, void *a) +{ + struct trace_arg *arg = a; + if (++arg->cnt == arg->size) + return _URC_END_OF_STACK; + return _URC_NO_REASON; +} + void cf (int i) { + struct trace_arg arg = { .size = 100, .cnt = -1 }; + void *handle; + _Unwind_Reason_Code (*unwind_backtrace) (_Unwind_Trace_Fn, void *); + if (i != othervar || thr != 94) { printf ("i %d thr %d\n", i, thr); exit (1); } + /* Test if callback function of _Unwind_Backtrace is not called infinitely + times. See Bug 18508 or gcc bug "Bug 66303 - runtime.Caller() returns + infinitely deep stack frames on s390x.". + The go runtime calls backtrace_full() in + /libbacktrace/backtrace.c, which uses _Unwind_Backtrace(). */ + handle = dlopen (LIBGCC_S_SO, RTLD_LAZY); + if (handle != NULL) + { + unwind_backtrace = dlsym (handle, "_Unwind_Backtrace"); + if (unwind_backtrace != NULL) + { + unwind_backtrace (backtrace_helper, &arg); + assert (arg.cnt != -1 && arg.cnt < 100); + } + dlclose (handle); + } + /* Since uc_link below has been set to NULL, setcontext is supposed to terminate the process normally after this function returns. */ } diff --git a/sysdeps/unix/sysv/linux/s390/s390-32/__makecontext_ret.S b/sysdeps/unix/sysv/linux/s390/s390-32/__makecontext_ret.S index 83cf0d8..67ea206 100644 --- a/sysdeps/unix/sysv/linux/s390/s390-32/__makecontext_ret.S +++ b/sysdeps/unix/sysv/linux/s390/s390-32/__makecontext_ret.S @@ -17,6 +17,14 @@ #include +/* We do not want .eh_frame info so that __makecontext_ret stops unwinding + if backtrace was called within a context created by makecontext. (There + is also no .eh_frame info for _start or thread_start.) */ +#undef cfi_startproc +#define cfi_startproc +#undef cfi_endproc +#define cfi_endproc + ENTRY(__makecontext_ret) basr %r14,%r7 ltr %r8,%r8 /* Check whether uc_link is 0. */ diff --git a/sysdeps/unix/sysv/linux/s390/s390-64/__makecontext_ret.S b/sysdeps/unix/sysv/linux/s390/s390-64/__makecontext_ret.S index 71ecbab..a2bf3ca 100644 --- a/sysdeps/unix/sysv/linux/s390/s390-64/__makecontext_ret.S +++ b/sysdeps/unix/sysv/linux/s390/s390-64/__makecontext_ret.S @@ -17,6 +17,14 @@ #include +/* We do not want .eh_frame info so that __makecontext_ret stops unwinding + if backtrace was called within a context created by makecontext. (There + is also no .eh_frame info for _start or thread_start.) */ +#undef cfi_startproc +#define cfi_startproc +#undef cfi_endproc +#define cfi_endproc + ENTRY(__makecontext_ret) basr %r14,%r7 ltgr %r8,%r8 /* Check whether uc_link is 0. */ -- cgit v1.1 From 1029487ab3b2ef65ec9364cb15c44ee9c571224f Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Fri, 29 Apr 2016 10:35:34 +0200 Subject: CVE-2016-3706: getaddrinfo: stack overflow in hostent conversion [BZ #20010] When converting a struct hostent response to struct gaih_addrtuple, the gethosts macro (which is called from gaih_inet) used alloca, without malloc fallback for large responses. This commit changes this code to use calloc unconditionally. This commit also consolidated a second hostent-to-gaih_addrtuple conversion loop (in gaih_inet) to use the new conversion function. (cherry picked from commit 4ab2ab03d4351914ee53248dc5aef4a8c88ff8b9) --- ChangeLog | 10 ++++ NEWS | 5 ++ sysdeps/posix/getaddrinfo.c | 130 +++++++++++++++++++++++--------------------- 3 files changed, 84 insertions(+), 61 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9ec6a56..b288fdb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +2016-05-24 Florian Weimer + + [BZ #20010] + CVE-2016-3706 + * sysdeps/posix/getaddrinfo.c + (convert_hostent_to_gaih_addrtuple): New function. + (gethosts): Call convert_hostent_to_gaih_addrtuple. + (gaih_inet): Use convert_hostent_to_gaih_addrtuple to convert + AF_INET data. + 2016-04-28 Stefan Liebler [BZ #18508] diff --git a/NEWS b/NEWS index 138aee2..afca6c2 100644 --- a/NEWS +++ b/NEWS @@ -13,6 +13,11 @@ Version 2.20.1 17625, 17630, 17801, 18032, 18080, 18508, 18665, 18694, 18928, 19018, 19682. +* Previously, getaddrinfo copied large amounts of address data to the stack, + even after the fix for CVE-2013-4458 has been applied, potentially + resulting in a stack overflow. getaddrinfo now uses a heap allocation + instead. Reported by Michael Petlan. (CVE-2016-3706) + * A stack-based buffer overflow was found in libresolv when invoked from libnss_dns, allowing specially crafted DNS responses to seize control of execution flow in the DNS client. The buffer overflow occurs in diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c index 8f392b9..e63454a 100644 --- a/sysdeps/posix/getaddrinfo.c +++ b/sysdeps/posix/getaddrinfo.c @@ -168,9 +168,58 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp, return 0; } +/* Convert struct hostent to a list of struct gaih_addrtuple objects. + h_name is not copied, and the struct hostent object must not be + deallocated prematurely. *RESULT must be NULL or a pointer to an + object allocated using malloc, which is freed. */ +static bool +convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, + int family, + struct hostent *h, + struct gaih_addrtuple **result) +{ + free (*result); + *result = NULL; + + /* Count the number of addresses in h->h_addr_list. */ + size_t count = 0; + for (char **p = h->h_addr_list; *p != NULL; ++p) + ++count; + + /* Report no data if no addresses are available, or if the incoming + address size is larger than what we can store. */ + if (count == 0 || h->h_length > sizeof (((struct gaih_addrtuple) {}).addr)) + return true; + + struct gaih_addrtuple *array = calloc (count, sizeof (*array)); + if (array == NULL) + return false; + + for (size_t i = 0; i < count; ++i) + { + if (family == AF_INET && req->ai_family == AF_INET6) + { + /* Perform address mapping. */ + array[i].family = AF_INET6; + memcpy(array[i].addr + 3, h->h_addr_list[i], sizeof (uint32_t)); + array[i].addr[2] = htonl (0xffff); + } + else + { + array[i].family = family; + memcpy (array[i].addr, h->h_addr_list[i], h->h_length); + } + array[i].next = array + i + 1; + } + array[0].name = h->h_name; + array[count - 1].next = NULL; + + *result = array; + return true; +} + #define gethosts(_family, _type) \ { \ - int i; \ int herrno; \ struct hostent th; \ struct hostent *h; \ @@ -219,36 +268,23 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp, } \ else if (h != NULL) \ { \ - for (i = 0; h->h_addr_list[i]; i++) \ + /* Make sure that addrmem can be freed. */ \ + if (!malloc_addrmem) \ + addrmem = NULL; \ + if (!convert_hostent_to_gaih_addrtuple (req, _family,h, &addrmem)) \ { \ - if (*pat == NULL) \ - { \ - *pat = __alloca (sizeof (struct gaih_addrtuple)); \ - (*pat)->scopeid = 0; \ - } \ - uint32_t *addr = (*pat)->addr; \ - (*pat)->next = NULL; \ - (*pat)->name = i == 0 ? strdupa (h->h_name) : NULL; \ - if (_family == AF_INET && req->ai_family == AF_INET6) \ - { \ - (*pat)->family = AF_INET6; \ - addr[3] = *(uint32_t *) h->h_addr_list[i]; \ - addr[2] = htonl (0xffff); \ - addr[1] = 0; \ - addr[0] = 0; \ - } \ - else \ - { \ - (*pat)->family = _family; \ - memcpy (addr, h->h_addr_list[i], sizeof(_type)); \ - } \ - pat = &((*pat)->next); \ + _res.options |= old_res_options & RES_USE_INET6; \ + result = -EAI_SYSTEM; \ + goto free_and_return; \ } \ + *pat = addrmem; \ + /* The conversion uses malloc unconditionally. */ \ + malloc_addrmem = true; \ \ if (localcanon != NULL && canon == NULL) \ canon = strdupa (localcanon); \ \ - if (_family == AF_INET6 && i > 0) \ + if (_family == AF_INET6 && *pat != NULL) \ got_ipv6 = true; \ } \ } @@ -612,44 +648,16 @@ gaih_inet (const char *name, const struct gaih_service *service, { if (h != NULL) { - int i; - /* We found data, count the number of addresses. */ - for (i = 0; h->h_addr_list[i]; ++i) - ; - if (i > 0 && *pat != NULL) - --i; - - if (__libc_use_alloca (alloca_used - + i * sizeof (struct gaih_addrtuple))) - addrmem = alloca_account (i * sizeof (struct gaih_addrtuple), - alloca_used); - else - { - addrmem = malloc (i - * sizeof (struct gaih_addrtuple)); - if (addrmem == NULL) - { - result = -EAI_MEMORY; - goto free_and_return; - } - malloc_addrmem = true; - } - - /* Now convert it into the list. */ - struct gaih_addrtuple *addrfree = addrmem; - for (i = 0; h->h_addr_list[i]; ++i) + /* We found data, convert it. */ + if (!convert_hostent_to_gaih_addrtuple + (req, AF_INET, h, &addrmem)) { - if (*pat == NULL) - { - *pat = addrfree++; - (*pat)->scopeid = 0; - } - (*pat)->next = NULL; - (*pat)->family = AF_INET; - memcpy ((*pat)->addr, h->h_addr_list[i], - h->h_length); - pat = &((*pat)->next); + result = -EAI_MEMORY; + goto free_and_return; } + *pat = addrmem; + /* The conversion uses malloc unconditionally. */ + malloc_addrmem = true; } } else -- cgit v1.1 From 75cf90eb20d98270ea3903baefb75647ae61fd3f Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Fri, 29 Apr 2016 09:33:07 +0200 Subject: glob: Simplify the interface for the GLOB_ALTDIRFUNC callback gl_readdir Previously, application code had to set up the d_namlen member if the target supported it, involving conditional compilation. After this change, glob will use the length of the string in d_name instead of d_namlen to determine the file name length. All glibc targets provide the d_type and d_ino members, and setting them as needed for gl_readdir is straightforward. Changing the behavior with regards to d_ino is left to a future cleanup. (cherry picked from commit 137fe72eca6923a00381a3ca9f0e7672c1f85e3f) --- ChangeLog | 15 +++++++++++++++ manual/examples/mkdirent.c | 42 ++++++++++++++++++++++++++++++++++++++++++ manual/pattern.texi | 39 ++++++++++++++++++++++++++++++++++++++- posix/bug-glob2.c | 2 +- posix/glob.c | 24 +++--------------------- posix/tst-gnuglob.c | 2 +- 6 files changed, 100 insertions(+), 24 deletions(-) create mode 100644 manual/examples/mkdirent.c diff --git a/ChangeLog b/ChangeLog index b288fdb..c69a782 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,20 @@ 2016-05-24 Florian Weimer + glob: Simplify and document the interface for the GLOB_ALTDIRFUNC + callback function gl_readdir. + * posix/glob.c (NAMELEN, CONVERT_D_NAMLEN): Remove. + (CONVERT_DIRENT_DIRENT64): Use strcpy instead of memcpy. + (glob_in_dir): Remove len. Use strdup instead of malloc and + memcpy to copy the name. + * manual/pattern.texi (Calling Glob): Document requirements for + implementations of the gl_readdir callback function. + * manual/examples/mkdirent.c: New example. + * posix/bug-glob2.c (my_readdir): Set d_ino to 1 unconditionally, + per the manual guidance. + * posix/tst-gnuglob.c (my_readdir): Likewise. + +2016-05-24 Florian Weimer + [BZ #20010] CVE-2016-3706 * sysdeps/posix/getaddrinfo.c diff --git a/manual/examples/mkdirent.c b/manual/examples/mkdirent.c new file mode 100644 index 0000000..f8400f4 --- /dev/null +++ b/manual/examples/mkdirent.c @@ -0,0 +1,42 @@ +/* Example for creating a struct dirent object for use with glob. + Copyright (C) 2016 Free Software Foundation, Inc. + + This program is free software; you can redistribute it and/or + modify it under the terms of the GNU General Public License + as published by the Free Software Foundation; either version 2 + of the License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, if not, see . +*/ + +#include +#include +#include +#include +#include + +struct dirent * +mkdirent (const char *name) +{ + size_t dirent_size = offsetof (struct dirent, d_name) + 1; + size_t name_length = strlen (name); + size_t total_size = dirent_size + name_length; + if (total_size < dirent_size) + { + errno = ENOMEM; + return NULL; + } + struct dirent *result = malloc (total_size); + if (result == NULL) + return NULL; + result->d_type = DT_UNKNOWN; + result->d_ino = 1; /* Do not skip this entry. */ + memcpy (result->d_name, name, name_length + 1); + return result; +} diff --git a/manual/pattern.texi b/manual/pattern.texi index da848c3..4cf26a7 100644 --- a/manual/pattern.texi +++ b/manual/pattern.texi @@ -237,7 +237,44 @@ function used to read the contents of a directory. It is used if the @code{GLOB_ALTDIRFUNC} bit is set in the flag parameter. The type of this field is @w{@code{struct dirent *(*) (void *)}}. -This is a GNU extension. +An implementation of @code{gl_readdir} needs to initialize the following +members of the @code{struct dirent} object: + +@table @code +@item d_type +This member should be set to the file type of the entry if it is known. +Otherwise, the value @code{DT_UNKNOWN} can be used. The @code{glob} +function may use the specified file type to avoid callbacks in cases +where the file type indicates that the data is not required. + +@item d_ino +This member needs to be non-zero, otherwise @code{glob} may skip the +current entry and call the @code{gl_readdir} callback function again to +retrieve another entry. + +@item d_name +This member must be set to the name of the entry. It must be +null-terminated. +@end table + +The example below shows how to allocate a @code{struct dirent} object +containing a given name. + +@smallexample +@include mkdirent.c.texi +@end smallexample + +The @code{glob} function reads the @code{struct dirent} members listed +above and makes a copy of the file name in the @code{d_name} member +immediately after the @code{gl_readdir} callback function returns. +Future invocations of any of the callback functions may dealloacte or +reuse the buffer. It is the responsibility of the caller of the +@code{glob} function to allocate and deallocate the buffer, around the +call to @code{glob} or using the callback functions. For example, an +application could allocate the buffer in the @code{gl_readdir} callback +function, and deallocate it in the @code{gl_closedir} callback function. + +The @code{gl_readdir} member is a GNU extension. @item gl_opendir The address of an alternative implementation of the @code{opendir} diff --git a/posix/bug-glob2.c b/posix/bug-glob2.c index 8e21deb..1b1ca5a 100644 --- a/posix/bug-glob2.c +++ b/posix/bug-glob2.c @@ -193,7 +193,7 @@ my_readdir (void *gdir) return NULL; } - dir->d.d_ino = dir->idx; + dir->d.d_ino = 1; /* glob should not skip this entry. */ #ifdef _DIRENT_HAVE_D_TYPE dir->d.d_type = filesystem[dir->idx].type; diff --git a/posix/glob.c b/posix/glob.c index aa4bb92..efa7569 100644 --- a/posix/glob.c +++ b/posix/glob.c @@ -57,10 +57,8 @@ #if defined HAVE_DIRENT_H || defined __GNU_LIBRARY__ # include -# define NAMLEN(dirent) strlen((dirent)->d_name) #else # define dirent direct -# define NAMLEN(dirent) (dirent)->d_namlen # ifdef HAVE_SYS_NDIR_H # include # endif @@ -76,12 +74,6 @@ #endif -/* In GNU systems, defines this macro for us. */ -#ifdef _D_NAMLEN -# undef NAMLEN -# define NAMLEN(d) _D_NAMLEN(d) -#endif - /* When used in the GNU libc the symbol _DIRENT_HAVE_D_TYPE is available if the `d_type' member for `struct dirent' is available. HAVE_STRUCT_DIRENT_D_TYPE plays the same role in GNULIB. */ @@ -105,12 +97,6 @@ /* If the system has the `struct dirent64' type we use it internally. */ #if defined _LIBC && !defined COMPILE_GLOB64 -# if defined HAVE_DIRENT_H || defined __GNU_LIBRARY__ -# define CONVERT_D_NAMLEN(d64, d32) -# else -# define CONVERT_D_NAMLEN(d64, d32) \ - (d64)->d_namlen = (d32)->d_namlen; -# endif # if (defined POSIX || defined WINDOWS32) && !defined __GNU_LIBRARY__ # define CONVERT_D_INO(d64, d32) @@ -127,8 +113,7 @@ # endif # define CONVERT_DIRENT_DIRENT64(d64, d32) \ - memcpy ((d64)->d_name, (d32)->d_name, NAMLEN (d32) + 1); \ - CONVERT_D_NAMLEN (d64, d32) \ + strcpy ((d64)->d_name, (d32)->d_name); \ CONVERT_D_INO (d64, d32) \ CONVERT_D_TYPE (d64, d32) #endif @@ -1562,7 +1547,6 @@ glob_in_dir (const char *pattern, const char *directory, int flags, while (1) { const char *name; - size_t len; #if defined _LIBC && !defined COMPILE_GLOB64 struct dirent64 *d; union @@ -1630,12 +1614,10 @@ glob_in_dir (const char *pattern, const char *directory, int flags, names = newnames; cur = 0; } - len = NAMLEN (d); - names->name[cur] = (char *) malloc (len + 1); + names->name[cur] = strdup (d->d_name); if (names->name[cur] == NULL) goto memory_error; - *((char *) mempcpy (names->name[cur++], name, len)) - = '\0'; + ++cur; ++nfound; } } diff --git a/posix/tst-gnuglob.c b/posix/tst-gnuglob.c index 1c72357..48c7527 100644 --- a/posix/tst-gnuglob.c +++ b/posix/tst-gnuglob.c @@ -211,7 +211,7 @@ my_readdir (void *gdir) return NULL; } - dir->d.d_ino = dir->idx; + dir->d.d_ino = 1; /* glob should not skip this entry. */ #ifdef _DIRENT_HAVE_D_TYPE dir->d.d_type = filesystem[dir->idx].type; -- cgit v1.1 From 3822125d1c520d5bb5e33cd9254a902d52d4eb19 Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Wed, 4 May 2016 12:09:35 +0200 Subject: CVE-2016-1234: glob: Do not copy d_name field of struct dirent [BZ #19779] Instead, we store the data we need from the return value of readdir in an object of the new type struct readdir_result. This type is independent of the layout of struct dirent. (cherry picked from commit 5171f3079f2cc53e0548fc4967361f4d1ce9d7ea) --- ChangeLog | 21 ++++ NEWS | 4 + posix/bug-glob2.c | 14 ++- posix/glob.c | 223 +++++++++++++++++++--------------- sysdeps/unix/sysv/linux/i386/glob64.c | 22 ++++ 5 files changed, 184 insertions(+), 100 deletions(-) diff --git a/ChangeLog b/ChangeLog index c69a782..c0b0a36 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,26 @@ 2016-05-24 Florian Weimer + [BZ #19779] + CVE-2016-1234 + Avoid copying names of directory entries. + * posix/glob.c (DIRENT_MUST_BE, DIRENT_MIGHT_BE_SYMLINK) + (DIRENT_MIGHT_BE_DIR, CONVERT_D_INO, CONVERT_D_TYPE) + (CONVERT_DIRENT_DIRENT64, REAL_DIR_ENTRY): Remove macros. + (struct readdir_result): New type. + (D_TYPE_TO_RESULT, D_INO_TO_RESULT, READDIR_RESULT_INITIALIZER) + (GL_READDIR): New macros. + (readdir_result_might_be_symlink, readdir_result_might_be_dir) + (convert_dirent, convert_dirent64): New functions. + (glob_in_dir): Use struct readdir_result. Call convert_dirent or + convert_dirent64. Adjust references to the readdir result. + * sysdeps/unix/sysv/linux/i386/glob64.c: + (convert_dirent, GL_READDIR): Redefine for second file inclusion. + * posix/bug-glob2.c (LONG_NAME): Define. + (filesystem): Add LONG_NAME. + (my_DIR): Increase the size of room_for_dirent. + +2016-05-24 Florian Weimer + glob: Simplify and document the interface for the GLOB_ALTDIRFUNC callback function gl_readdir. * posix/glob.c (NAMELEN, CONVERT_D_NAMLEN): Remove. diff --git a/NEWS b/NEWS index afca6c2..92e0316 100644 --- a/NEWS +++ b/NEWS @@ -13,6 +13,10 @@ Version 2.20.1 17625, 17630, 17801, 18032, 18080, 18508, 18665, 18694, 18928, 19018, 19682. +* The glob function suffered from a stack-based buffer overflow when it was + called with the GLOB_ALTDIRFUNC flag and encountered a long file name. + Reported by Alexander Cherepanov. (CVE-2016-1234) + * Previously, getaddrinfo copied large amounts of address data to the stack, even after the fix for CVE-2013-4458 has been applied, potentially resulting in a stack overflow. getaddrinfo now uses a heap allocation diff --git a/posix/bug-glob2.c b/posix/bug-glob2.c index 1b1ca5a..3f9c620 100644 --- a/posix/bug-glob2.c +++ b/posix/bug-glob2.c @@ -40,6 +40,17 @@ # define PRINTF(fmt, args...) #endif +#define LONG_NAME \ + "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ + "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ + "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ + "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ + "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ + "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ + "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ + "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ + "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ + "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" static struct { @@ -58,6 +69,7 @@ static struct { ".", 3, DT_DIR, 0755 }, { "..", 3, DT_DIR, 0755 }, { "a", 3, DT_REG, 0644 }, + { LONG_NAME, 3, DT_REG, 0644 }, { "unreadable", 2, DT_DIR, 0111 }, { ".", 3, DT_DIR, 0111 }, { "..", 3, DT_DIR, 0755 }, @@ -75,7 +87,7 @@ typedef struct int level; int idx; struct dirent d; - char room_for_dirent[NAME_MAX]; + char room_for_dirent[sizeof (LONG_NAME)]; } my_DIR; diff --git a/posix/glob.c b/posix/glob.c index efa7569..5d97b3d 100644 --- a/posix/glob.c +++ b/posix/glob.c @@ -24,7 +24,9 @@ #include #include #include +#include #include +#include /* Outcomment the following line for production quality code. */ /* #define NDEBUG 1 */ @@ -73,69 +75,8 @@ # endif /* HAVE_VMSDIR_H */ #endif - -/* When used in the GNU libc the symbol _DIRENT_HAVE_D_TYPE is available - if the `d_type' member for `struct dirent' is available. - HAVE_STRUCT_DIRENT_D_TYPE plays the same role in GNULIB. */ -#if defined _DIRENT_HAVE_D_TYPE || defined HAVE_STRUCT_DIRENT_D_TYPE -/* True if the directory entry D must be of type T. */ -# define DIRENT_MUST_BE(d, t) ((d)->d_type == (t)) - -/* True if the directory entry D might be a symbolic link. */ -# define DIRENT_MIGHT_BE_SYMLINK(d) \ - ((d)->d_type == DT_UNKNOWN || (d)->d_type == DT_LNK) - -/* True if the directory entry D might be a directory. */ -# define DIRENT_MIGHT_BE_DIR(d) \ - ((d)->d_type == DT_DIR || DIRENT_MIGHT_BE_SYMLINK (d)) - -#else /* !HAVE_D_TYPE */ -# define DIRENT_MUST_BE(d, t) false -# define DIRENT_MIGHT_BE_SYMLINK(d) true -# define DIRENT_MIGHT_BE_DIR(d) true -#endif /* HAVE_D_TYPE */ - -/* If the system has the `struct dirent64' type we use it internally. */ -#if defined _LIBC && !defined COMPILE_GLOB64 - -# if (defined POSIX || defined WINDOWS32) && !defined __GNU_LIBRARY__ -# define CONVERT_D_INO(d64, d32) -# else -# define CONVERT_D_INO(d64, d32) \ - (d64)->d_ino = (d32)->d_ino; -# endif - -# ifdef _DIRENT_HAVE_D_TYPE -# define CONVERT_D_TYPE(d64, d32) \ - (d64)->d_type = (d32)->d_type; -# else -# define CONVERT_D_TYPE(d64, d32) -# endif - -# define CONVERT_DIRENT_DIRENT64(d64, d32) \ - strcpy ((d64)->d_name, (d32)->d_name); \ - CONVERT_D_INO (d64, d32) \ - CONVERT_D_TYPE (d64, d32) -#endif - - -#if (defined POSIX || defined WINDOWS32) && !defined __GNU_LIBRARY__ -/* Posix does not require that the d_ino field be present, and some - systems do not provide it. */ -# define REAL_DIR_ENTRY(dp) 1 -#else -# define REAL_DIR_ENTRY(dp) (dp->d_ino != 0) -#endif /* POSIX */ - #include #include - -/* NAME_MAX is usually defined in or . */ -#include -#ifndef NAME_MAX -# define NAME_MAX (sizeof (((struct dirent *) 0)->d_name)) -#endif - #include #ifdef _LIBC @@ -180,8 +121,111 @@ static const char *next_brace_sub (const char *begin, int flags) __THROWNL; +/* A representation of a directory entry which does not depend on the + layout of struct dirent, or the size of ino_t. */ +struct readdir_result +{ + const char *name; +# if defined _DIRENT_HAVE_D_TYPE || defined HAVE_STRUCT_DIRENT_D_TYPE + uint8_t type; +# endif + bool skip_entry; +}; + +# if defined _DIRENT_HAVE_D_TYPE || defined HAVE_STRUCT_DIRENT_D_TYPE +/* Initializer based on the d_type member of struct dirent. */ +# define D_TYPE_TO_RESULT(source) (source)->d_type, + +/* True if the directory entry D might be a symbolic link. */ +static bool +readdir_result_might_be_symlink (struct readdir_result d) +{ + return d.type == DT_UNKNOWN || d.type == DT_LNK; +} + +/* True if the directory entry D might be a directory. */ +static bool +readdir_result_might_be_dir (struct readdir_result d) +{ + return d.type == DT_DIR || readdir_result_might_be_symlink (d); +} +# else /* defined _DIRENT_HAVE_D_TYPE || defined HAVE_STRUCT_DIRENT_D_TYPE */ +# define D_TYPE_TO_RESULT(source) + +/* If we do not have type information, symbolic links and directories + are always a possibility. */ + +static bool +readdir_result_might_be_symlink (struct readdir_result d) +{ + return true; +} + +static bool +readdir_result_might_be_dir (struct readdir_result d) +{ + return true; +} + +# endif /* defined _DIRENT_HAVE_D_TYPE || defined HAVE_STRUCT_DIRENT_D_TYPE */ + +# if (defined POSIX || defined WINDOWS32) && !defined __GNU_LIBRARY__ +/* Initializer for skip_entry. POSIX does not require that the d_ino + field be present, and some systems do not provide it. */ +# define D_INO_TO_RESULT(source) false, +# else +# define D_INO_TO_RESULT(source) (source)->d_ino == 0, +# endif + +/* Construct an initializer for a struct readdir_result object from a + struct dirent *. No copy of the name is made. */ +#define READDIR_RESULT_INITIALIZER(source) \ + { \ + source->d_name, \ + D_TYPE_TO_RESULT (source) \ + D_INO_TO_RESULT (source) \ + } + #endif /* !defined _LIBC || !defined GLOB_ONLY_P */ +/* Call gl_readdir on STREAM. This macro can be overridden to reduce + type safety if an old interface version needs to be supported. */ +#ifndef GL_READDIR +# define GL_READDIR(pglob, stream) ((pglob)->gl_readdir (stream)) +#endif + +/* Extract name and type from directory entry. No copy of the name is + made. If SOURCE is NULL, result name is NULL. Keep in sync with + convert_dirent64 below. */ +static struct readdir_result +convert_dirent (const struct dirent *source) +{ + if (source == NULL) + { + struct readdir_result result = { NULL, }; + return result; + } + struct readdir_result result = READDIR_RESULT_INITIALIZER (source); + return result; +} + +#ifndef COMPILE_GLOB64 +/* Like convert_dirent, but works on struct dirent64 instead. Keep in + sync with convert_dirent above. */ +static struct readdir_result +convert_dirent64 (const struct dirent64 *source) +{ + if (source == NULL) + { + struct readdir_result result = { NULL, }; + return result; + } + struct readdir_result result = READDIR_RESULT_INITIALIZER (source); + return result; +} +#endif + + #ifndef attribute_hidden # define attribute_hidden #endif @@ -1546,55 +1590,36 @@ glob_in_dir (const char *pattern, const char *directory, int flags, while (1) { - const char *name; -#if defined _LIBC && !defined COMPILE_GLOB64 - struct dirent64 *d; - union - { - struct dirent64 d64; - char room [offsetof (struct dirent64, d_name[0]) - + NAME_MAX + 1]; - } - d64buf; - - if (__glibc_unlikely (flags & GLOB_ALTDIRFUNC)) - { - struct dirent *d32 = (*pglob->gl_readdir) (stream); - if (d32 != NULL) - { - CONVERT_DIRENT_DIRENT64 (&d64buf.d64, d32); - d = &d64buf.d64; - } - else - d = NULL; - } - else - d = __readdir64 (stream); + struct readdir_result d; + { + if (__builtin_expect (flags & GLOB_ALTDIRFUNC, 0)) + d = convert_dirent (GL_READDIR (pglob, stream)); + else + { +#ifdef COMPILE_GLOB64 + d = convert_dirent (__readdir (stream)); #else - struct dirent *d = (__builtin_expect (flags & GLOB_ALTDIRFUNC, 0) - ? ((struct dirent *) - (*pglob->gl_readdir) (stream)) - : __readdir (stream)); + d = convert_dirent64 (__readdir64 (stream)); #endif - if (d == NULL) + } + } + if (d.name == NULL) break; - if (! REAL_DIR_ENTRY (d)) + if (d.skip_entry) continue; /* If we shall match only directories use the information provided by the dirent call if possible. */ - if ((flags & GLOB_ONLYDIR) && !DIRENT_MIGHT_BE_DIR (d)) + if ((flags & GLOB_ONLYDIR) && !readdir_result_might_be_dir (d)) continue; - name = d->d_name; - - if (fnmatch (pattern, name, fnm_flags) == 0) + if (fnmatch (pattern, d.name, fnm_flags) == 0) { /* If the file we found is a symlink we have to make sure the target file exists. */ - if (!DIRENT_MIGHT_BE_SYMLINK (d) - || link_exists_p (dfd, directory, dirlen, name, pglob, - flags)) + if (!readdir_result_might_be_symlink (d) + || link_exists_p (dfd, directory, dirlen, d.name, + pglob, flags)) { if (cur == names->count) { @@ -1614,7 +1639,7 @@ glob_in_dir (const char *pattern, const char *directory, int flags, names = newnames; cur = 0; } - names->name[cur] = strdup (d->d_name); + names->name[cur] = strdup (d.name); if (names->name[cur] == NULL) goto memory_error; ++cur; diff --git a/sysdeps/unix/sysv/linux/i386/glob64.c b/sysdeps/unix/sysv/linux/i386/glob64.c index b4fcd1a..802c957 100644 --- a/sysdeps/unix/sysv/linux/i386/glob64.c +++ b/sysdeps/unix/sysv/linux/i386/glob64.c @@ -1,3 +1,21 @@ +/* Two glob variants with 64-bit support, for dirent64 and __olddirent64. + Copyright (C) 1998-2016 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + #include #include #include @@ -38,11 +56,15 @@ int __old_glob64 (const char *__pattern, int __flags, #undef dirent #define dirent __old_dirent64 +#undef GL_READDIR +# define GL_READDIR(pglob, stream) \ + ((struct __old_dirent64 *) (pglob)->gl_readdir (stream)) #undef __readdir #define __readdir(dirp) __old_readdir64 (dirp) #undef glob #define glob(pattern, flags, errfunc, pglob) \ __old_glob64 (pattern, flags, errfunc, pglob) +#define convert_dirent __old_convert_dirent #define glob_in_dir __old_glob_in_dir #define GLOB_ATTRIBUTE attribute_compat_text_section -- cgit v1.1 From 03e3ee42d64388243aed95b7702007640dcdd5b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20B=C3=ADlka?= Date: Sat, 11 Jul 2015 17:44:10 +0200 Subject: Handle overflow in __hcreate_r Hi, As in bugzilla entry there is overflow in hsearch when looking for prime number as SIZE_MAX - 1 is divisible by 5. We fix that by rejecting large inputs before looking for prime. * misc/hsearch_r.c (__hcreate_r): Handle overflow. (cherry picked from commit 2f5c1750558fe64bac361f52d6827ab1bcfe52bc) --- ChangeLog | 10 ++++++++++ NEWS | 4 ++-- misc/hsearch_r.c | 9 ++++++++- 3 files changed, 20 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index c0b0a36..64dea2e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +2016-05-24 Ondřej Bílka + + * debug/strcpy_chk.c: Improve performance. + * debug/stpcpy_chk.c: Likewise. + * sysdeps/x86_64/strcpy_chk.S: Remove. + * sysdeps/x86_64/stpcpy_chk.S: Remove. + + [BZ #18240] + * misc/hsearch_r.c (__hcreate_r): Handle overflow. + 2016-05-24 Florian Weimer [BZ #19779] diff --git a/NEWS b/NEWS index 92e0316..d601938 100644 --- a/NEWS +++ b/NEWS @@ -10,8 +10,8 @@ Version 2.20.1 * The following bugs are resolved with this release: 16009, 16617, 16618, 17266, 17269, 17370, 17371, 17460, 17485, 17555, - 17625, 17630, 17801, 18032, 18080, 18508, 18665, 18694, 18928, 19018, - 19682. + 17625, 17630, 17801, 18032, 18080, 18240, 18508, 18665, 18694, 18928, + 19018, 19682. * The glob function suffered from a stack-based buffer overflow when it was called with the GLOB_ALTDIRFUNC flag and encountered a long file name. diff --git a/misc/hsearch_r.c b/misc/hsearch_r.c index 81c27d8..4414a25 100644 --- a/misc/hsearch_r.c +++ b/misc/hsearch_r.c @@ -19,7 +19,7 @@ #include #include #include - +#include #include /* [Aho,Sethi,Ullman] Compilers: Principles, Techniques and Tools, 1986 @@ -73,6 +73,13 @@ hcreate_r (nel, htab) return 0; } + if (nel >= SIZE_MAX / sizeof (_ENTRY)) + { + __set_errno (ENOMEM); + return 0; + } + + /* There is still another table active. Return with error. */ if (htab->table != NULL) return 0; -- cgit v1.1 From 902072efdbb724cea105f60842c4862070d7862e Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Thu, 28 Jan 2016 13:59:11 +0100 Subject: Improve check against integer wraparound in hcreate_r [BZ #18240] (cherry picked from commit bae7c7c764413b23e61cb099ce33be4c4ee259bb) --- ChangeLog | 12 +++++++++ misc/Makefile | 3 ++- misc/bug18240.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ misc/hsearch_r.c | 35 +++++++++++++------------- 4 files changed, 106 insertions(+), 19 deletions(-) create mode 100644 misc/bug18240.c diff --git a/ChangeLog b/ChangeLog index 64dea2e..cd343c7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,15 @@ +2016-05-24 Paul Eggert + + [BZ #18240] + * misc/hsearch_r.c (isprime, __hcreate_r): Protect against + unsigned int wraparound. + +2016-05-24 Florian Weimer + + [BZ #18240] + * misc/bug18240.c: New test. + * misc/Makefile (tests): Add it. + 2016-05-24 Ondřej Bílka * debug/strcpy_chk.c: Improve performance. diff --git a/misc/Makefile b/misc/Makefile index edac24c..ec5f961 100644 --- a/misc/Makefile +++ b/misc/Makefile @@ -76,7 +76,8 @@ install-lib := libg.a gpl2lgpl := error.c error.h tests := tst-dirname tst-tsearch tst-fdset tst-efgcvt tst-mntent tst-hsearch \ - tst-error1 tst-pselect tst-insremque tst-mntent2 bug-hsearch1 + tst-error1 tst-pselect tst-insremque tst-mntent2 bug-hsearch1 \ + bug18240 ifeq ($(run-built-tests),yes) tests-special += $(objpfx)tst-error1-mem.out endif diff --git a/misc/bug18240.c b/misc/bug18240.c new file mode 100644 index 0000000..4b26865 --- /dev/null +++ b/misc/bug18240.c @@ -0,0 +1,75 @@ +/* Test integer wraparound in hcreate. + Copyright (C) 2016 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include +#include +#include + +static void +test_size (size_t size) +{ + int res = hcreate (size); + if (res == 0) + { + if (errno == ENOMEM) + return; + printf ("error: hcreate (%zu): %m\n", size); + exit (1); + } + char *keys[100]; + for (int i = 0; i < 100; ++i) + { + if (asprintf (keys + i, "%d", i) < 0) + { + printf ("error: asprintf: %m\n"); + exit (1); + } + ENTRY e = { keys[i], (char *) "value" }; + if (hsearch (e, ENTER) == NULL) + { + printf ("error: hsearch (\"%s\"): %m\n", keys[i]); + exit (1); + } + } + hdestroy (); + + for (int i = 0; i < 100; ++i) + free (keys[i]); +} + +static int +do_test (void) +{ + test_size (500); + test_size (-1); + test_size (-3); + test_size (INT_MAX - 2); + test_size (INT_MAX - 1); + test_size (INT_MAX); + test_size (((unsigned) INT_MAX) + 1); + test_size (UINT_MAX - 2); + test_size (UINT_MAX - 1); + test_size (UINT_MAX); + return 0; +} + +#define TEST_FUNCTION do_test () +#include "../test-skeleton.c" diff --git a/misc/hsearch_r.c b/misc/hsearch_r.c index 4414a25..af55212 100644 --- a/misc/hsearch_r.c +++ b/misc/hsearch_r.c @@ -46,15 +46,12 @@ static int isprime (unsigned int number) { /* no even number will be passed */ - unsigned int div = 3; - - while (div * div < number && number % div != 0) - div += 2; - - return number % div != 0; + for (unsigned int div = 3; div <= number / div; div += 2) + if (number % div == 0) + return 0; + return 1; } - /* Before using the hash table we must allocate memory for it. Test for an existing table are done. We allocate one element more as the found prime number says. This is done for more effective @@ -73,13 +70,6 @@ hcreate_r (nel, htab) return 0; } - if (nel >= SIZE_MAX / sizeof (_ENTRY)) - { - __set_errno (ENOMEM); - return 0; - } - - /* There is still another table active. Return with error. */ if (htab->table != NULL) return 0; @@ -88,10 +78,19 @@ hcreate_r (nel, htab) use will not work. */ if (nel < 3) nel = 3; - /* Change nel to the first prime number not smaller as nel. */ - nel |= 1; /* make odd */ - while (!isprime (nel)) - nel += 2; + + /* Change nel to the first prime number in the range [nel, UINT_MAX - 2], + The '- 2' means 'nel += 2' cannot overflow. */ + for (nel |= 1; ; nel += 2) + { + if (UINT_MAX - 2 < nel) + { + __set_errno (ENOMEM); + return 0; + } + if (isprime (nel)) + break; + } htab->size = nel; htab->filled = 0; -- cgit v1.1 From c5bbc09ccc07fb9b61b7f0f5bf531d7c8c164469 Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Fri, 12 Feb 2016 12:57:40 +0100 Subject: hsearch_r: Apply VM size limit in test case (cherry picked from commit f34f146e682d8d529dcf64b3c2781bf3f2f05f6c) --- ChangeLog | 4 ++++ misc/bug18240.c | 22 ++++++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/ChangeLog b/ChangeLog index cd343c7..c2b1307 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2016-05-24 Florian Weimer + + * misc/bug18240.c (do_test): Set RLIMIT_AS. + 2016-05-24 Paul Eggert [BZ #18240] diff --git a/misc/bug18240.c b/misc/bug18240.c index 4b26865..773586e 100644 --- a/misc/bug18240.c +++ b/misc/bug18240.c @@ -22,6 +22,7 @@ #include #include #include +#include static void test_size (size_t size) @@ -58,6 +59,27 @@ test_size (size_t size) static int do_test (void) { + /* Limit the size of the process, so that memory allocation will + fail without impacting the entire system. */ + { + struct rlimit limit; + if (getrlimit (RLIMIT_AS, &limit) != 0) + { + printf ("getrlimit (RLIMIT_AS) failed: %m\n"); + return 1; + } + long target = 100 * 1024 * 1024; + if (limit.rlim_cur == RLIM_INFINITY || limit.rlim_cur > target) + { + limit.rlim_cur = target; + if (setrlimit (RLIMIT_AS, &limit) != 0) + { + printf ("setrlimit (RLIMIT_AS) failed: %m\n"); + return 1; + } + } + } + test_size (500); test_size (-1); test_size (-3); -- cgit v1.1 From afc4daae0411d10e5d64646d5bafb05075e16151 Mon Sep 17 00:00:00 2001 From: Paul Pluzhnikov Date: Sat, 8 Aug 2015 15:53:03 -0700 Subject: Fix BZ #17905 (cherry picked from commit 0f58539030e436449f79189b6edab17d7479796e) --- ChangeLog | 8 ++++++++ NEWS | 4 ++-- catgets/Makefile | 9 ++++++++- catgets/catgets.c | 19 ++++++++++++------- catgets/open_catalog.c | 23 ++++++++++++++--------- catgets/tst-catgets.c | 31 +++++++++++++++++++++++++++++++ 6 files changed, 75 insertions(+), 19 deletions(-) diff --git a/ChangeLog b/ChangeLog index c2b1307..3652d5f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2016-05-24 Paul Pluzhnikov + + [BZ #17905] + * catgets/Makefile (tst-catgets-mem): New test. + * catgets/catgets.c (catopen): Don't use unbounded alloca. + * catgets/open_catalog.c (__open_catalog): Likewise. + * catgets/tst-catgets.c (do_bz17905): Test unbounded alloca. + 2016-05-24 Florian Weimer * misc/bug18240.c (do_test): Set RLIMIT_AS. diff --git a/NEWS b/NEWS index d601938..e6a5207 100644 --- a/NEWS +++ b/NEWS @@ -10,8 +10,8 @@ Version 2.20.1 * The following bugs are resolved with this release: 16009, 16617, 16618, 17266, 17269, 17370, 17371, 17460, 17485, 17555, - 17625, 17630, 17801, 18032, 18080, 18240, 18508, 18665, 18694, 18928, - 19018, 19682. + 17625, 17630, 17801, 17905, 18032, 18080, 18240, 18508, 18665, 18694, + 18928, 19018, 19682. * The glob function suffered from a stack-based buffer overflow when it was called with the GLOB_ALTDIRFUNC flag and encountered a long file name. diff --git a/catgets/Makefile b/catgets/Makefile index 008d7db..bc144e3 100644 --- a/catgets/Makefile +++ b/catgets/Makefile @@ -34,6 +34,7 @@ test-srcs = test-gencat ifeq ($(run-built-tests),yes) tests-special += $(objpfx)de/libc.cat $(objpfx)test1.cat $(objpfx)test2.cat \ $(objpfx)sample.SJIS.cat $(objpfx)test-gencat.out +tests-special += $(objpfx)tst-catgets-mem.out endif gencat-modules = xmalloc @@ -50,9 +51,11 @@ catgets-CPPFLAGS := -DNLSPATH='"$(msgcatdir)/%L/%N:$(msgcatdir)/%L/LC_MESSAGES/% generated += de.msg test1.cat test1.h test2.cat test2.h sample.SJIS.cat \ test-gencat.h +generated += tst-catgets.mtrace tst-catgets-mem.out + generated-dirs += de -tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de +tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de MALLOC_TRACE=$(objpfx)tst-catgets.mtrace ifeq ($(run-built-tests),yes) # This test just checks whether the program produces any error or not. @@ -86,4 +89,8 @@ $(objpfx)test-gencat.out: test-gencat.sh $(objpfx)test-gencat \ $(objpfx)sample.SJIS.cat: sample.SJIS $(objpfx)gencat $(built-program-cmd) -H $(objpfx)test-gencat.h < $(word 1,$^) > $@; \ $(evaluate-test) + +$(objpfx)tst-catgets-mem.out: $(objpfx)tst-catgets.out + $(common-objpfx)malloc/mtrace $(objpfx)tst-catgets.mtrace > $@; \ + $(evaluate-test) endif diff --git a/catgets/catgets.c b/catgets/catgets.c index eac2827..820c0f6 100644 --- a/catgets/catgets.c +++ b/catgets/catgets.c @@ -16,7 +16,6 @@ License along with the GNU C Library; if not, see . */ -#include #include #include #include @@ -35,6 +34,7 @@ catopen (const char *cat_name, int flag) __nl_catd result; const char *env_var = NULL; const char *nlspath = NULL; + char *tmp = NULL; if (strchr (cat_name, '/') == NULL) { @@ -54,7 +54,10 @@ catopen (const char *cat_name, int flag) { /* Append the system dependent directory. */ size_t len = strlen (nlspath) + 1 + sizeof NLSPATH; - char *tmp = alloca (len); + tmp = malloc (len); + + if (__glibc_unlikely (tmp == NULL)) + return (nl_catd) -1; __stpcpy (__stpcpy (__stpcpy (tmp, nlspath), ":"), NLSPATH); nlspath = tmp; @@ -65,16 +68,18 @@ catopen (const char *cat_name, int flag) result = (__nl_catd) malloc (sizeof (*result)); if (result == NULL) - /* We cannot get enough memory. */ - return (nl_catd) -1; - - if (__open_catalog (cat_name, nlspath, env_var, result) != 0) + { + /* We cannot get enough memory. */ + result = (nl_catd) -1; + } + else if (__open_catalog (cat_name, nlspath, env_var, result) != 0) { /* Couldn't open the file. */ free ((void *) result); - return (nl_catd) -1; + result = (nl_catd) -1; } + free (tmp); return (nl_catd) result; } diff --git a/catgets/open_catalog.c b/catgets/open_catalog.c index d582270..40251d6 100644 --- a/catgets/open_catalog.c +++ b/catgets/open_catalog.c @@ -47,6 +47,7 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var, size_t tab_size; const char *lastp; int result = -1; + char *buf = NULL; if (strchr (cat_name, '/') != NULL || nlspath == NULL) fd = open_not_cancel_2 (cat_name, O_RDONLY); @@ -57,23 +58,23 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var, if (__glibc_unlikely (bufact + (n) >= bufmax)) \ { \ char *old_buf = buf; \ - bufmax += 256 + (n); \ - buf = (char *) alloca (bufmax); \ - memcpy (buf, old_buf, bufact); \ + bufmax += (bufmax < 256 + (n)) ? 256 + (n) : bufmax; \ + buf = realloc (buf, bufmax); \ + if (__glibc_unlikely (buf == NULL)) \ + { \ + free (old_buf); \ + return -1; \ + } \ } /* The RUN_NLSPATH variable contains a colon separated list of descriptions where we expect to find catalogs. We have to recognize certain % substitutions and stop when we found the first existing file. */ - char *buf; size_t bufact; - size_t bufmax; + size_t bufmax = 0; size_t len; - buf = NULL; - bufmax = 0; - fd = -1; while (*run_nlspath != '\0') { @@ -188,7 +189,10 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var, /* Avoid dealing with directories and block devices */ if (__builtin_expect (fd, 0) < 0) - return -1; + { + free (buf); + return -1; + } if (__builtin_expect (__fxstat64 (_STAT_VER, fd, &st), 0) < 0) goto close_unlock_return; @@ -325,6 +329,7 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var, /* Release the lock again. */ close_unlock_return: close_not_cancel_no_status (fd); + free (buf); return result; } diff --git a/catgets/tst-catgets.c b/catgets/tst-catgets.c index fdaa834..25ef056 100644 --- a/catgets/tst-catgets.c +++ b/catgets/tst-catgets.c @@ -1,7 +1,10 @@ +#include #include #include #include +#include #include +#include static const char *msgs[] = @@ -12,6 +15,33 @@ static const char *msgs[] = }; #define nmsgs (sizeof (msgs) / sizeof (msgs[0])) + +/* Test for unbounded alloca. */ +static int +do_bz17905 (void) +{ + char *buf; + struct rlimit rl; + nl_catd result; + + const int sz = 1024 * 1024; + + getrlimit (RLIMIT_STACK, &rl); + rl.rlim_cur = sz; + setrlimit (RLIMIT_STACK, &rl); + + buf = malloc (sz + 1); + memset (buf, 'A', sz); + buf[sz] = '\0'; + setenv ("NLSPATH", buf, 1); + + result = catopen (buf, NL_CAT_LOCALE); + assert (result == (nl_catd) -1); + + free (buf); + return 0; +} + #define ROUNDS 5 int @@ -62,5 +92,6 @@ main (void) } } + result += do_bz17905 (); return result; } -- cgit v1.1 From 916ef0f69613613e11123657bff127bd26104630 Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Tue, 29 Mar 2016 12:57:56 +0200 Subject: CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ #19879] The defensive copy is not needed because the name may not alias the output buffer. (cherry picked from commit 317b199b4aff8cfa27f2302ab404d2bb5032b9a4) (cherry picked from commit f5b3338d70a7a2c626331ac4589b6deb2f610432) --- ChangeLog | 7 +++++++ NEWS | 4 ++++ resolv/nss_dns/dns-network.c | 5 +---- 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3652d5f..4b5cd01 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2016-05-24 Florian Weimer + + [BZ #19879] + CVE-2016-3075 + * resolv/nss_dns/dns-network.c (_nss_dns_getnetbyname_r): Do not + copy name. + 2016-05-24 Paul Pluzhnikov [BZ #17905] diff --git a/NEWS b/NEWS index e6a5207..dc8679f 100644 --- a/NEWS +++ b/NEWS @@ -17,6 +17,10 @@ Version 2.20.1 called with the GLOB_ALTDIRFUNC flag and encountered a long file name. Reported by Alexander Cherepanov. (CVE-2016-1234) +* An unnecessary stack copy in _nss_dns_getnetbyname_r was removed. It + could result in a stack overflow when getnetbyname was called with an + overly long name. (CVE-2016-3075) + * Previously, getaddrinfo copied large amounts of address data to the stack, even after the fix for CVE-2013-4458 has been applied, potentially resulting in a stack overflow. getaddrinfo now uses a heap allocation diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c index 08cf0a6..335604a 100644 --- a/resolv/nss_dns/dns-network.c +++ b/resolv/nss_dns/dns-network.c @@ -118,17 +118,14 @@ _nss_dns_getnetbyname_r (const char *name, struct netent *result, } net_buffer; querybuf *orig_net_buffer; int anslen; - char *qbuf; enum nss_status status; if (__res_maybe_init (&_res, 0) == -1) return NSS_STATUS_UNAVAIL; - qbuf = strdupa (name); - net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024); - anslen = __libc_res_nsearch (&_res, qbuf, C_IN, T_PTR, net_buffer.buf->buf, + anslen = __libc_res_nsearch (&_res, name, C_IN, T_PTR, net_buffer.buf->buf, 1024, &net_buffer.ptr, NULL, NULL, NULL, NULL); if (anslen < 0) { -- cgit v1.1