* Makerules (sysd-rules): Define PTW for ptw-* files.

	* Versions: Define GLIBC_2.7 for libc.
	* include/stdio.h: Declare __fortify_fail.
	* debug/fortify_fail.c: New file.
	* debug/Makefile (routines): Add fortify_fail.
	* debug/chk_fail.c: Use __fortify_fail.
	* debug/stack_chk_fail.c: Likewise.
	* io/Versions: Export __open_2, __open64_2, __openat_2, and
	__openat64_2 for GLIBC_2.7.
	* io/fcntl.h: When compiling with fortification, include bits/fcntl2.h.
	* io/open.c: Define *_2 variant of function which checks for O_CREAT
	and fails if necessary.
	* io/open64.c: Likewise.
	* io/openat.c: Likewise.
	* io/openat64.c: Likewise.
	* sysdeps/unix/sysv/linux/open64.c: Likewise.
	* sysdeps/unix/sysv/linux/openat.c: Likewise.
	* sysdeps/unix/sysv/linux/openat64.c: Likewise.
	* io/bits/fcntl2.h: New file.
	* include/fcntl.h: Declare __open_2, __open64_2, __openat_2, and
	__openat64_2.
	* include/bits/fcntl2.h: New file.
	* sysdeps/unix/sysv/linux/Makefile [subdir=io] (sysdep_routines):
	Add open_2.
	* sysdeps/unix/sysv/linux/open_2.c: New file.

7 files changed, 232 insertions, 7 deletions

diff --git a/io/Versions b/io/Versions
index 9cc515796d..d603668f4f 100644
--- a/io/Versions
+++ b/io/Versions
@@ -116,4 +116,7 @@ libc {
   GLIBC_2.6 {
     utimensat; futimens;
   }
+  GLIBC_2.7 {
+    __open_2; __open64_2; __openat_2; __openat64_2;
+  }
 }
diff --git a/io/bits/fcntl2.h b/io/bits/fcntl2.h
new file mode 100644
index 0000000000..5f400aed72
--- /dev/null
+++ b/io/bits/fcntl2.h
@@ -0,0 +1,155 @@
+/* Checking macros for fcntl functions.
+   Copyright (C) 2007 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, write to the Free
+   Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+   02111-1307 USA.  */
+
+#ifndef	_FCNTL_H
+# error "Never include <bits/fcntl2.h> directly; use <fcntl.h> instead."
+#endif
+
+/* Check that calls to open and openat with O_CREAT set have an
+   appropriate third/fourth parameter.  */
+#ifndef __USE_FILE_OFFSET64
+extern int __open_2 (__const char *__path, int __oflag);
+#else
+extern int __REDIRECT (__open_2, (__const char *__file, int __oflag),
+		       __open64_2) __nonnull ((1));
+#endif
+
+#define open(fname, flags, ...) \
+  ({ int ___r;								      \
+     /* If the compiler complains about an invalid type, excess elements, etc \
+	in the initialization this means a paraleter of the wrong type has    \
+	been passed to open. */					      \
+     int ___arr[] = { __VA_ARGS__ };					      \
+     if (__builtin_constant_p (flags) && (flags & O_CREAT) != 0)	      \
+       {								      \
+	 /* If the compile complains about the size of this array type the    \
+	    the mode parameter is missing since O_CREAT has been used.  */    \
+	 typedef int __open_missing_mode[(flags & O_CREAT) != 0		      \
+					 ? ((long int) sizeof (___arr)	      \
+					    - (long int) sizeof (int)) : 1];  \
+       }								      \
+     if (sizeof (___arr) == 0)						      \
+       ___r = __open_2 (fname, flags);					      \
+     else								      \
+       {								      \
+	 /* If the compile complains about the size of this array type too    \
+	    many parameters have been passed to open.  */		      \
+	 typedef int __open_too_many_args[-(sizeof (___arr) > sizeof (int))]; \
+	 ___r = open (fname, flags, ___arr[0]);				      \
+       }								      \
+     ___r;								      \
+  })
+
+
+#ifdef __USE_LARGEFILE64
+extern int __open64_2 (__const char *__path, int __oflag);
+
+# define open64(fname, flags, ...) \
+  ({ int ___r;								      \
+     /* If the compiler complains about an invalid type, excess elements, etc \
+	in the initialization this means a paraleter of the wrong type has    \
+	been passed to open64. */					      \
+     int ___arr[] = { __VA_ARGS__ };					      \
+     if (__builtin_constant_p (flags) && (flags & O_CREAT) != 0)	      \
+       {								      \
+	 /* If the compile complains about the size of this array type the    \
+	    the mode parameter is missing since O_CREAT has been used.  */    \
+	 typedef int __open_missing_mode[(flags & O_CREAT) != 0		      \
+					 ? ((long int) sizeof (___arr)	      \
+					    - (long int) sizeof (int)) : 1];  \
+       }								      \
+     if (sizeof (___arr) == 0)						      \
+       ___r = __open64_2 (fname, flags);				      \
+     else								      \
+       {								      \
+	 /* If the compile complains about the size of this array type too    \
+	    many parameters have been passed to open64.  */		      \
+	 typedef int __open_too_many_args[-(sizeof (___arr) > sizeof (int))]; \
+	 ___r = open64 (fname, flags, ___arr[0]);			      \
+       }								      \
+     ___r;								      \
+  })
+#endif
+
+#ifdef __USE_ATFILE
+# ifndef __USE_FILE_OFFSET64
+extern int __openat_2 (int __fd, __const char *__path, int __oflag);
+# else
+extern int __REDIRECT (__openat_2, (int __fd, __const char *__file,
+				    int __oflag), __openat64_2)
+     __nonnull ((1));
+# endif
+
+# define openat(fd, fname, flags, ...) \
+  ({ int ___r;								      \
+     /* If the compiler complains about an invalid type, excess elements, etc \
+	in the initialization this means a paraleter of the wrong type has    \
+	been passed to openat. */					      \
+     int ___arr[] = { __VA_ARGS__ };					      \
+     if (__builtin_constant_p (flags) && (flags & O_CREAT) != 0)	      \
+       {								      \
+	 /* If the compile complains about the size of this array type the    \
+	    the mode parameter is missing since O_CREAT has been used.  */    \
+	 typedef int __open_missing_mode[(flags & O_CREAT) != 0		      \
+					 ? ((long int) sizeof (___arr)	      \
+					    - (long int) sizeof (int)) : 1];  \
+       }								      \
+     if (sizeof (___arr) == 0)						      \
+       ___r = __openat_2 (fd, fname, flags);				      \
+     else								      \
+       {								      \
+	 /* If the compile complains about the size of this array type too    \
+	    many parameters have been passed to openat.  */		      \
+	 typedef int __open_too_many_args[-(sizeof (___arr) > sizeof (int))]; \
+	 ___r = openat (fd, fname, flags, ___arr[0]);			      \
+       }								      \
+     ___r;								      \
+  })
+
+
+# ifdef __USE_LARGEFILE64
+extern int __openat64_2 (int __fd, __const char *__path, int __oflag);
+
+#  define openat64(fd, fname, flags, ...) \
+  ({ int ___r;								      \
+     /* If the compiler complains about an invalid type, excess elements, etc \
+	in the initialization this means a paraleter of the wrong type has    \
+	been passed to openat64. */					      \
+     int ___arr[] = { __VA_ARGS__ };					      \
+     if (__builtin_constant_p (flags) && (flags & O_CREAT) != 0)	      \
+       {								      \
+	 /* If the compile complains about the size of this array type the    \
+	    the mode parameter is missing since O_CREAT has been used.  */    \
+	 typedef int __open_missing_mode[(flags & O_CREAT) != 0		      \
+					 ? ((long int) sizeof (___arr)	      \
+					    - (long int) sizeof (int)) : 1];  \
+       }								      \
+     if (sizeof (___arr) == 0)						      \
+       ___r = __openat64_2 (fd, fname, flags);				      \
+     else								      \
+       {								      \
+	 /* If the compile complains about the size of this array type too    \
+	    many parameters have been passed to openat.  */		      \
+	 typedef int __open_too_many_args[-(sizeof (___arr) > sizeof (int))]; \
+	 ___r = openat64 (fd, fname, flags, ___arr[0]);			      \
+       }								      \
+     ___r;								      \
+  })
+# endif
+#endif
diff --git a/io/fcntl.h b/io/fcntl.h
index 72a944b3d4..c89bf625bf 100644
--- a/io/fcntl.h
+++ b/io/fcntl.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 1991,1992,1994-2001,2003,2004,2005,2006
+/* Copyright (C) 1991,1992,1994-2001,2003,2004,2005,2006,2007
 	Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
@@ -210,6 +210,12 @@ extern int posix_fallocate64 (int __fd, __off64_t __offset, __off64_t __len);
 # endif
 #endif
 
+
+/* Define some macros helping to catch common problems.  */
+#if __USE_FORTIFY_LEVEL > 0 && !defined __cplusplus
+# include <bits/fcntl2.h>
+#endif
+
 __END_DECLS
 
 #endif /* fcntl.h  */
diff --git a/io/open.c b/io/open.c
index 188110b3f3..c104406245 100644
--- a/io/open.c
+++ b/io/open.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 1991, 1995, 1996, 1997, 2002 Free Software Foundation, Inc.
+/* Copyright (C) 1991,1995,1996,1997,2002,2007 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
    The GNU C Library is free software; you can redistribute it and/or
@@ -20,6 +20,9 @@
 #include <fcntl.h>
 #include <stdarg.h>
 #include <stddef.h>
+#include <stdio.h>
+
+extern char **__libc_argv attribute_hidden;
 
 /* Open FILE with access OFLAG.  If OFLAG includes O_CREAT,
    a third argument is the file protection.  */
@@ -51,4 +54,18 @@ libc_hidden_def (__open)
 stub_warning (open)
 
 weak_alias (__open, open)
+
+
+int
+__open_2 (file, oflag)
+     const char *file;
+     int oflag;
+{
+  if (oflag & O_CREAT)
+    __fortify_fail ("invalid open call: O_CREAT without mode");
+
+  return __open (file, oflag);
+}
+stub_warning (__open_2)
+
 #include <stub-tag.h>
diff --git a/io/open64.c b/io/open64.c
index d9a38112ac..7056718922 100644
--- a/io/open64.c
+++ b/io/open64.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 1991, 1995, 1996, 1997, 1999, 2000, 2002
+/* Copyright (C) 1991, 1995, 1996, 1997, 1999, 2000, 2002, 2007
    Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
@@ -21,7 +21,7 @@
 #include <fcntl.h>
 #include <stdarg.h>
 #include <stddef.h>
-#include <bp-sym.h>
+#include <stdio.h>
 
 /* Open FILE with access OFLAG.  If OFLAG includes O_CREAT,
    a third argument is the file protection.  */
@@ -51,7 +51,21 @@ __libc_open64 (file, oflag)
 }
 strong_alias (__libc_open64, __open64)
 libc_hidden_def (__open64)
-weak_alias (__libc_open64, BP_SYM (open64))
+weak_alias (__libc_open64, open64)
 
 stub_warning (open64)
+
+
+int
+__open64_2 (file, oflag)
+     const char *file;
+     int oflag;
+{
+  if (oflag & O_CREAT)
+    __fortify_fail ("invalid open64 call: O_CREAT without mode");
+
+  return __open64 (file, oflag);
+}
+stub_warning (__open64_2)
+
 #include <stub-tag.h>
diff --git a/io/openat.c b/io/openat.c
index c65ad19c7a..98fa1a1d64 100644
--- a/io/openat.c
+++ b/io/openat.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2005, 2006 Free Software Foundation, Inc.
+/* Copyright (C) 2005, 2006, 2007 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
    The GNU C Library is free software; you can redistribute it and/or
@@ -20,6 +20,7 @@
 #include <fcntl.h>
 #include <stdarg.h>
 #include <stddef.h>
+#include <stdio.h>
 #include <sys/stat.h>
 
 /* Open FILE with access OFLAG.  Interpret relative paths relative to
@@ -68,4 +69,18 @@ libc_hidden_def (__openat)
 weak_alias (__openat, openat)
 stub_warning (openat)
 
+
+int
+__openat_2 (fd, file, oflag)
+     int fd;
+     const char *file;
+     int oflag;
+{
+  if (oflag & O_CREAT)
+    __fortify_fail ("invalid openat call: O_CREAT without mode");
+
+  return __openat (file, oflag);
+}
+stub_warning (__openat_2)
+
 #include <stub-tag.h>
diff --git a/io/openat64.c b/io/openat64.c
index 830701a949..2d63490c65 100644
--- a/io/openat64.c
+++ b/io/openat64.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2005, 2006 Free Software Foundation, Inc.
+/* Copyright (C) 2005, 2006, 2007 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
    The GNU C Library is free software; you can redistribute it and/or
@@ -20,6 +20,7 @@
 #include <fcntl.h>
 #include <stdarg.h>
 #include <stddef.h>
+#include <stdio.h>
 #include <sys/stat.h>
 
 /* Open FILE with access OFLAG.  Interpret relative paths relative to
@@ -68,4 +69,18 @@ libc_hidden_def (__openat64)
 weak_alias (__openat64, openat64)
 stub_warning (openat64)
 
+
+int
+__openat64_2 (fd, file, oflag)
+     int fd;
+     const char *file;
+     int oflag;
+{
+  if (oflag & O_CREAT)
+    __fortify_fail ("invalid openat64 call: O_CREAT without mode");
+
+  return __openat64 (file, oflag);
+}
+stub_warning (__openat_2)
+
 #include <stub-tag.h>