Age | Commit message | Author | Files | Lines
2023-11-21 | elf: Remove LD_PROFILE for static binaries | Adhemerval Zanella | 39 | -109/+165
The _dl_non_dynamic_init does not parse LD_PROFILE, which does not enable profile for dlopen objects. Since dlopen is deprecated for static objects, it is better to remove the support. It also allows to trim down libc.a of profile support. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-11-21 | elf: Ignore LD_PROFILE for setuid binaries | Adhemerval Zanella | 3 | -6/+17
Loader does not ignore LD_PROFILE in secure-execution mode (different than man-page states [1]), rather it uses a different path (/var/profile) and ignores LD_PROFILE_OUTPUT. Allowing secure-execution profiling is already a non good security boundary, since it enables different code paths and extra OS access by the process. But by ignoring LD_PROFILE_OUTPUT, the resulting profile file might also be accessed in a racy manner since the file name does not use any process-specific information (such as pid, timing, etc.). Another side-effect is it forces lazy binding even on libraries that might be with DF_BIND_NOW. [1] https://man7.org/linux/man-pages/man8/ld.so.8.html Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-11-21 | s390: Use dl-symbol-redir-ifunc.h on cpu-tunables | Adhemerval Zanella | 2 | -15/+17
Using the memcmp symbol directly allows the compiler to inline the memcmp calls (especially because _dl_tunable_set_hwcaps uses constant values), generating better code. Checked with tst-tunables on s390x-linux-gnu (qemu system). Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-11-21 | x86: Use dl-symbol-redir-ifunc.h on cpu-tunables | Adhemerval Zanella | 4 | -55/+32
The dl-symbol-redir-ifunc.h redirects compiler-generated libcalls to arch-specific memory implementations to avoid ifunc calls where it is not yet possible. The memcmp-isa-default-impl.h aims to fix the same issue by calling the specific memset implementation directly. Using the memcmp symbol directly allows the compiler to inline the memset calls (especially because _dl_tunable_set_hwcaps uses constant values), generating better code. Checked on x86_64-linux-gnu. Reviewed-by: Noah Goldstein <goldstein.w.n@gmail.com> Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-11-21 | elf: Emit warning if tunable is ill-formatted | Adhemerval Zanella | 1 | -0/+6
So caller knows that the tunable will be ignored. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-11-21 | elf: Fix _dl_debug_vdprintf to work before self-relocation | Adhemerval Zanella | 4 | -2/+48
The strlen might trigger an invalid GOT entry if it is used before the process is self-relocated (for instance on dl-tunables if any error occurs). For i386, _dl_writev with PIE requires to use the old 'int $0x80' syscall mode because the calling the TLS register (gs) is not yet initialized. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-11-21 | elf: Do not parse ill-formatted strings | Adhemerval Zanella | 2 | -16/+45
Instead of ignoring ill-formatted tunable strings, first, check all the tunable definitions are correct and then set each tunable value. It means that partially invalid strings, like 'key1=value1:key2=key2=value' or 'key1=value:key2=value2=value2' do not enable 'key1=value1'. It avoids possible user-defined errors in tunable definitions. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-11-21 | elf: Do not process invalid tunable format | Adhemerval Zanella | 2 | -7/+21
Tunable definitions with more than one '=' are parsed and enabled, and any subsequent '=' are ignored. It means that tunables in the form 'tunable=tunable=value' or 'tunable=value=value' are handled as 'tunable=value'. These inputs are likely user input errors, which should not be accepted. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-11-21 | elf: Add all malloc tunable to unsecvars | Adhemerval Zanella | 4 | -58/+86
Some environment variables allow alteration of allocator behavior across setuid boundaries, where a setuid program may ignore the tunable, but its non-setuid child can read it and adjust the memory allocator behavior accordingly. Most library behavior tuning is limited to the current process and does not bleed in scope; so it is unclear how practical this misfeature is. If behavior change across privilege boundaries is desirable, it would be better done with a wrapper program around the non-setuid child that sets these envvars, instead of using the setuid process as the messenger. The patch also fixes tst-env-setuid, where it fails if any unsecvars is set. It also adds a dynamic test, although it requires --enable-hardcoded-path-in-tests so kernel correctly sets the setuid bit (using the loader command directly would require to set the setuid bit on the loader itself, which is not a usual deployment). Co-authored-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Checked on x86_64-linux-gnu. Reviewed-by: DJ Delorie <dj@redhat.com>
2023-11-21 | elf: Ignore GLIBC_TUNABLES for setuid/setgid binaries | Adhemerval Zanella | 9 | -161/+299
The tunable privilege levels were a retrofit to try and keep the malloc tunable environment variables' behavior unchanged across security boundaries. However, CVE-2023-4911 shows how tricky tunable parsing can be in a security-sensitive environment. Not only parsing, but the malloc tunable essentially changes some semantics on setuid/setgid processes. Although it is not a direct security issue, allowing users to change setuid/setgid semantics is not a good security practice, and requires extra code and analysis to check if each tunable is safe to use on all security boundaries. It also means that security opt-in features, like aarch64 MTE, would need to be explicitly enabled by an administrator with a wrapper script or with a possible future system-wide tunable setting. Co-authored-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: DJ Delorie <dj@redhat.com>
2023-11-21 | elf: Add GLIBC_TUNABLES to unsecvars | Adhemerval Zanella | 2 | -28/+5
setuid/setgid process now ignores any glibc tunables, and filters out all environment variables that might change its behavior. This patch also adds GLIBC_TUNABLES, so any spawned process by setuid/setgid processes should set tunable explicitly. Checked on x86_64-linux-gnu. Reviewed-by: Florian Weimer <fweimer@redhat.com> Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-11-21 | elf: Remove /etc/suid-debug support | Adhemerval Zanella | 4 | -24/+3
Since malloc debug support moved to a different library (libc_malloc_debug.so), the glibc.malloc.check requires preloading the debug library to enable it. It means that suid-debug support has not been working since 2.34. To restore its support, it would require to add additional information and parsing to where to find libc_malloc_debug.so. It is one thing less that might change AT_SECURE binaries' behavior due to environment configurations. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-11-21 | stdlib: The qsort implementation needs to use heapsort in more cases | Florian Weimer | 3 | -4/+187
The existing logic avoided internal stack overflow. To avoid a denial-of-service condition with adversarial input, it is necessary to fall over to heapsort if tail-recursing deeply, too, which does not result in a deep stack of pending partitions. The new test stdlib/tst-qsort5 is based on Douglas McIlroy's paper on this subject. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-11-21 | stdlib: Handle various corner cases in the fallback heapsort for qsort | Florian Weimer | 3 | -17/+173
The previous implementation did not consistently apply the rule that the child nodes of node K are at 2 * K + 1 and 2 * K + 2, or that the parent node is at (K - 1) / 2. Add an internal test that targets the heapsort implementation directly. Reported-by: Stepan Golosunov <stepan@golosunov.pp.ru> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-11-21 | stdlib: Avoid another self-comparison in qsort | Florian Weimer | 1 | -1/+1
In the insertion phase, we could run off the start of the array if the comparison function never returns zero. In that case, it never finds the initial element that terminates the iteration. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-11-21 | hurd: fix restarting reauth_dtable on signal | Samuel Thibault | 1 | -12/+23
While inside the critical section, RPCs would not be restarted, so we have to handle EINTR errors.
2023-11-20 | hurd: Prevent the final file_exec_paths call from signals | Samuel Thibault | 2 | -1/+27
Otherwise if the exec server started thrashing the old task, we won't be able to restart the exec. This notably fixes building ghc.
2023-11-20 | manual: Fix termios.c example. (Bug 31078) | Carlos O'Donell | 1 | -2/+1
Remove the unused 'char *name;' from the example. Use write instead of putchar to write input as it is read. Example tested on x86_64 by compiling and running the example. Tested by building the manual pdf and reviewing the results. Reviewed-by: Florian Weimer <fweimer@redhat.com>
2023-11-20 | aarch64: Add vector implementations of expm1 routines | Joe Ramsay | 15 | -108/+570
May discard sign of 0 - auto tests for -0 and -0x1p-10000 updated accordingly.
2023-11-20 | linux: Use fchmodat2 on fchmod for flags different than 0 (BZ 26401) | Adhemerval Zanella | 3 | -55/+77
Linux 6.6 (09da082b07bbae1c) added support for fchmodat2, which has similar semantics as fchmodat with an extra flag argument. This allows fchmodat to implement AT_SYMLINK_NOFOLLOW and AT_EMPTY_PATH without the need for procfs. The syscall is registered on all architectures (with value of 452 except on alpha which is 562, commit 78252deb023cf087). The tst-lchmod.c requires a small fix where fchmodat checks two contradictory assertions ('(st.st_mode & 0777) == 2' and '(st.st_mode & 0777) == 3'). Checked on x86_64-linux-gnu on a 6.6 kernel. Reviewed-by: Florian Weimer <fweimer@redhat.com>
2023-11-20 | intl: Add test case for bug 16621 | Florian Weimer | 2 | -1/+42
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-11-20 | resolv: free only initialized items from gai pool | Jan Palus | 1 | -1/+2
pool_max_size denotes total allocated rows in pool but possibly not yet initialized. it's pool_size that represents number of actually occupied rows hence use it when freeing pool to avoid freeing random addresses. Signed-off-by: Jan Palus <jpalus@fastmail.com> Reviewed-by: Florian Weimer <fweimer@redhat.com>
2023-11-20 | ldconfig: Fixes for skipping temporary files. | Florian Weimer | 1 | -4/+15
Arguments to a memchr call were swapped, causing incorrect skipping of files. Files related to dpkg have different names: they actually end in .dpkg-new and .dpkg-tmp, not .tmp as I mistakenly assumed. Fixes commit 2aa0974d2573441bffd59 ("elf: ldconfig should skip temporary files created by package managers").
2023-11-20 | nptl: Link tst-execstack-threads-mod.so with -z execstack | Florian Weimer | 1 | -0/+1
This ensures that the test still links with a linker that refuses to create an executable stack marker automatically. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-11-20 | nptl: Rename tst-execstack to tst-execstack-threads | Florian Weimer | 4 | -6/+11
So that the test is harder to confuse with elf/tst-execstack (although the tests are supposed to be the same). Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-11-19 | Remove untyped mach RPC code. | Flavio Cruz | 4 | -141/+0
Existing MiG does not support untyped messages and the Hurd will continue to use typed messages for the foreseeable future. Message-ID: <ZVmYX6j4pYNUfqn4@jupiter.tail36e24.ts.net>
2023-11-19 | _hurd_intr_rpc_mach_msg: handle message iteration correctly. | Flavio Cruz | 1 | -12/+12
The `ty` pointer is only set at the end of the loop so that `msgtl_header.msgt_inline` and `msgtl_header.msgt_deallocate` remain valid. Also, when deallocating memory, we use the length from the message directly rather than hard coding mach_port_t since we want to deallocate any kind of OOL data. Message-ID: <ZVlGVD6eEN-dXsOr@jupiter.tail36e24.ts.net>
2023-11-16 | localedata: Convert oc_FR locale to UTF-8 | Mike FABIAN | 1 | -15/+15
2023-11-16 | localedata: Add information for Occitan | Mike FABIAN | 1 | -4/+6
Resolves: BZ # 28787
2023-11-16 | elf: Fix force_first handling in dlclose (bug 30981) | Florian Weimer | 3 | -13/+29
The force_first parameter was ineffective because the dlclose'd object was not necessarily the first in the maps array. Also enable force_first handling unconditionally, regardless of namespace. The initial object in a namespace should be destructed first, too. The _dl_sort_maps_dfs function had early returns for relocation dependency processing which broke force_first handling, too, and this is fixed in this change as well. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-11-16 | elf: Handle non-directory name in search path (BZ 31035) | Adhemerval Zanella | 5 | -3/+103
The open_path stops if a relative path in search path contains a component that is a non directory (for instance, if the component is an existing file). For instance:

  $ cat > lib.c <<EOF
  > void foo (void) {}
  > EOF
  $ gcc -shared -fPIC -o lib.so lib.c
  $ cat > main.c <<EOF
  extern void foo ();
  int main () { foo (); return 0; }
  EOF
  $ gcc -o main main.c lib.so
  $ LD_LIBRARY_PATH=. ./main
  $ LD_LIBRARY_PATH=non-existing/path:. ./main
  $ LD_LIBRARY_PATH=$(pwd)/main:. ./main
  $ LD_LIBRARY_PATH=./main:. ./main
  ./main: error while loading shared libraries: lib.so: cannot open shared object file: No such file or directory

The invalid './main' should be ignored as a non-existent one, instead as a valid but non accessible file. Absolute paths do not trigger this issue because their status are initialized as 'unknown' and open_path check if this is a directory. Checked on x86_64-linux-gnu. Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
2023-11-16 | New Zealand locales (en_NZ & mi_NZ) first day of week should be Monday | Mike FABIAN | 2 | -0/+2
Resolves: BZ #29486
2023-11-15 | x86: Fix unchecked AVX512-VBMI2 usage in strrchr-evex-base.S | Noah Goldstein | 1 | -24/+51
strrchr-evex-base used `vpcompress{b|d}` in the page cross logic but was missing the CPU_FEATURE checks for VBMI2 in the ifunc/ifunc-impl-list. The fix is either to add those checks or change the logic to not use `vpcompress{b|d}`. Choosing the latter here so that the strrchr-evex implementation is usable on SKX. New implementation is a bit slower, but this is in a cold path so it's probably okay.
2023-11-15 | posix: Check pidfd_spawn with tst-spawn7-pid | Adhemerval Zanella | 1 | -1/+1
Without using the macro, posix_spawn is used instead. Checked on x86_64-linux-gnu.
2023-11-15 | sparc: Fix broken memset for sparc32 [BZ #31068] | Andreas Larsson | 1 | -2/+2
Fixes commit a61933fe27df ("sparc: Remove bzero optimization") that after moving code jumped to the wrong label 4. Verified by successfully running string/test-memset on sparc32. Signed-off-by: Andreas Larsson <andreas@gaisler.com> Signed-off-by: Ludwig Rydberg <ludwig.rydberg@gaisler.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-11-15 | y2038: Fix support for 64-bit time on legacy ABIs | Gaël PORTAY | 1 | -1/+1
This fixes a typo. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-11-14 | hurd: Fix spawni returning allocation errors. | Samuel Thibault | 1 | -2/+8
2023-11-14 | hurd: Make _hurd_intr_rpc_mach_msg avoid returning MACH_SEND_INTERRUPTED | Samuel Thibault | 1 | -0/+6
When the given options do not include MACH_SEND_INTERRUPT, _hurd_intr_rpc_mach_msg (aka mach_msg) is not supposed to return MACH_SEND_INTERRUPTED. In such a case we thus have to retry sending the message. This was observed to fix various occurrences of spurious "(ipc/send) interrupted" errors when running haskell programs.
2023-11-13 | AArch64: Remove Falkor memcpy | Wilco Dijkstra | 8 | -332/+1
The latest implementations of memcpy are actually faster than the Falkor implementations [1], so remove the falkor/phecda ifuncs for memcpy and the now unused IS_FALKOR/IS_PHECDA defines. [1] https://sourceware.org/pipermail/libc-alpha/2022-December/144227.html Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-11-13 | AArch64: Add memset_zva64 | Wilco Dijkstra | 6 | -68/+38
Add a specialized memset for the common ZVA size of 64 to avoid the overhead of reading the ZVA size. Since the code is identical to __memset_falkor, remove the latter. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-11-13 | AArch64: Cleanup emag memset | Wilco Dijkstra | 4 | -197/+90
Cleanup emag memset - merge the memset_base64.S file, remove the unused ZVA code (since it is disabled on emag). Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-11-13 | test: Run the tst-tls-allocation-failure-static-patched with test-wrapper. | Yanzhang Wang | 1 | -1/+1
If we use cross test with ssh, this test needs to be run on the remote.
2023-11-10 | aarch64: Add vector implementations of log1p routines | Joe Ramsay | 15 | -26/+526
May discard sign of zero.
2023-11-10 | aarch64: Add vector implementations of atan2 routines | Joe Ramsay | 15 | -0/+535
2023-11-10 | aarch64: Add vector implementations of atan routines | Joe Ramsay | 13 | -0/+407
2023-11-10 | aarch64: Add vector implementations of acos routines | Joe Ramsay | 13 | -1/+440
2023-11-10 | aarch64: Add vector implementations of asin routines | Joe Ramsay | 13 | -1/+407
2023-11-08 | Fix type typo in “String/Array Conventions” doc | Paul Eggert | 1 | -1/+1
* manual/string.texi (String/Array Conventions): Fix typo reported by Alejandro Colomar <alx@kernel.org> in: https://sourceware.org/pipermail/libc-alpha/2023-November/152646.html
2023-11-08 | stdlib: Avoid element self-comparisons in qsort | Florian Weimer | 1 | -3/+5
This improves compatibility with applications which assume that qsort does not invoke the comparison function with equal pointer arguments. The newly introduced branches should be predictable, as leading to a call to the comparison function. If the prediction fails, we avoid calling the function. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-11-07 | elf: Add glibc.mem.decorate_maps tunable | Adhemerval Zanella | 5 | -6/+38
The PR_SET_VMA_ANON_NAME support is only enabled through a configurable kernel switch, mainly because assigning a name to an anonymous virtual memory area might prevent that area from being merged with adjacent virtual memory areas. For instance, with the following code:

  void *p1 = mmap (NULL, 1024 * 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  void *p2 = mmap (p1 + (1024 * 4096), 1024 * 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

The kernel will potentially merge both mappings resulting in only one segment of size 0x800000. If the segment is named with PR_SET_VMA_ANON_NAME with different names, it results in two mappings. Although this will unlikely be an issue for pthread stacks and malloc arenas (since for pthread stacks the guard page will result in a PROT_NONE segment, similar to the alignment requirement for the arena block), it still might prevent the mmap memory allocated for detail malloc. There is also another potential scalability issue, where the prctl requires to take the mmap global lock which is still not fully fixed in Linux [1] (for pthread stacks and arenas, it is mitigated by the stack cached and the arena reuse). So this patch disables anonymous mapping annotations as default and adds a new tunable, glibc.mem.decorate_maps, that can be used to enable it. [1] https://lwn.net/Articles/906852/ Checked on x86_64-linux-gnu and aarch64-linux-gnu. Reviewed-by: DJ Delorie <dj@redhat.com>