aboutsummaryrefslogtreecommitdiff
path: root/debug
AgeCommit message (Collapse)Author
2023-12-29debug: Add fortify dprintf testsAdhemerval Zanella
Similar to other printf-like ones. Checked on aarch64, armhf, x86_64, and i686. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-12-29debug: Increase tst-fortify checks for compiler without __va_arg_pack supportAdhemerval Zanella
The fortify wrappers for varargs functions already add fallbacks to builtins calls if __va_arg_pack is not supported. Checked on aarch64, armhf, x86_64, and i686. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-12-29debug: Adapt fortify tests to libsupportAdhemerval Zanella
Checked on aarch64, armhf, x86_64, and i686. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-10-04debug: Add regression tests for BZ 30932Adhemerval Zanella
Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-08-03chk: Add and fix hidden builtin definitions for *_chkSamuel Thibault
Otherwise on gnu-i686 there are unwanted PLT entries in libc.so when fortification is enabled. Tested for i686-gnu, x86_64-gnu, i686-linux-gnu and x86_64-linux-gnu
2023-08-03Subject: hurd: Make __realpath return EINVAL on NULL bufSamuel Thibault
As Posix and stdlib/test-canon.c expects it, and rather than letting pathconf crash.
2023-07-05misc/bits/select2.h: Clearly separate declaration from definitionsFrédéric Bérat
The __fdelt_chk declaration needs to be available so that libc_hidden_proto can be used while not redefining __FD_ELT. Thus, misc/bits/select-decl.h is created to hold the corresponding prototypes. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-07-05unistd: Avoid PLT entries with _FORTIFY_SOURCEFrédéric Bérat
The change is meant to avoid unwanted PLT entries for the read_chk, getdomainname_chk and getlogin_r_chk routines when _FORTIFY_SOURCE is set. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-07-05wchar: Avoid PLT entries with _FORTIFY_SOURCEFrédéric Bérat
The change is meant to avoid unwanted PLT entries for the wmemset and wcrtomb routines when _FORTIFY_SOURCE is set. On top of that, ensure that *_chk routines have their hidden builtin definitions available. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-07-05stdio: Ensure *_chk routines have their hidden builtin definition availableFrédéric Bérat
If libc_hidden_builtin_{def,proto} isn't properly set for *_chk routines, there are unwanted PLT entries in libc.so. There is a special case with __asprintf_chk: If ldbl_* macros are used for asprintf, ABI gets broken on s390x, if it isn't, ppc64le isn't building due to multiple asm redirections. This is due to the inclusion of bits/stdio-lbdl.h for ppc64le whereas it isn't for s390x. This header creates redirections, which are not compatible with the ones generated using libc_hidden_def. Yet, we can't use libc_hidden_ldbl_proto on s390x since it will not create a simple strong alias (e.g. as done on x86_64), but a versioned alias, leading to ABI breakage. This results in errors on s390x: /usr/bin/ld: glibc/iconv/../libio/bits/stdio2.h:137: undefined reference to `__asprintf_chk' Original __asprintf_chk symbols: 00000000001395b0 T __asprintf_chk 0000000000177e90 T __nldbl___asprintf_chk __asprintf_chk symbols with ldbl_* macros: 000000000012d590 t ___asprintf_chk 000000000012d590 t __asprintf_chk@@GLIBC_2.4 000000000012d590 t __GI___asprintf_chk 000000000012d590 t __GL____asprintf_chk___asprintf_chk 0000000000172240 T __nldbl___asprintf_chk __asprintf_chk symbols with the patch: 000000000012d590 t ___asprintf_chk 000000000012d590 T __asprintf_chk 000000000012d590 t __GI___asprintf_chk 0000000000172240 T __nldbl___asprintf_chk Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2023-07-05string: Ensure *_chk routines have their hidden builtin definition availableFrédéric Bérat
If libc_hidden_builtin_{def,proto} isn't properly set for *_chk routines, there are unwanted PLT entries in libc.so. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-07-05Exclude routines from fortificationFrédéric Bérat
Since the _FORTIFY_SOURCE feature uses some routines of Glibc, they need to be excluded from the fortification. On top of that: - some tests explicitly verify that some level of fortification works appropriately, we therefore shouldn't modify the level set for them. - some objects need to be build with optimization disabled, which prevents _FORTIFY_SOURCE to be used for them. Assembler files that implement architecture specific versions of the fortified routines were not excluded from _FORTIFY_SOURCE as there is no C header included that would impact their behavior. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-06-22debug/readlink{, at}_chk.c: Harmonize declaration and definitionFrederic Berat
The declaration and definition of these routines aren't consistent. Make the definition of __readlink_chk and __readlinkat_chk match the declaration of the routines they fortify. While there are no problems today this avoids any future potential problems related to the mismatch. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-06-14Add the wcslcpy, wcslcat functionsFlorian Weimer
These functions are about to be added to POSIX, under Austin Group issue 986. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-06-14Implement strlcpy and strlcat [BZ #178]Florian Weimer
These functions are about to be added to POSIX, under Austin Group issue 986. The fortified strlcat implementation does not raise SIGABRT if the destination buffer does not contain a null terminator, it just inherits the non-failing regular strlcat behavior. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-06-02Fix all the remaining misspellings -- BZ 25337Paul Pluzhnikov
2023-05-16debug: Reformat Makefile.Carlos O'Donell
Fix list terminator whitspace. Sort using scripts/sort-makefile-lines.py. No code generation changes observed in binary artifacts. No regressions on x86_64 and i686.
2023-04-17debug: Re-flow and sort routines variable in MakefileFlorian Weimer
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-01-25stdio-common: Handle -1 buffer size in __sprintf_chk & co (bug 30039)Florian Weimer
This shows up as an assertion failure when sprintf is called with a specifier like "%.8g" and libquadmath is linked in: Fatal glibc error: printf_buffer_as_file.c:31 (__printf_buffer_as_file_commit): assertion failed: file->stream._IO_write_ptr <= file->next->write_end Fix this by detecting pointer wraparound in __vsprintf_internal and saturate the addition to the end of the address space instead. Reviewed-by: Carlos O'Donell <carlos@redhat.com> Tested-by: Carlos O'Donell <carlos@redhat.com>
2023-01-06Update copyright dates not handled by scripts/update-copyrightsJoseph Myers
I've updated copyright dates in glibc for 2023. This is the patch for the changes not generated by scripts/update-copyrights and subsequent build / regeneration of generated files.
2023-01-06Update copyright dates with scripts/update-copyrightsJoseph Myers
2022-11-09debug: Fix typo in tests-unsupported ruleAdhemerval Zanella
From commit 2e274cd8c1ebd0bd0c43a7f2e5433685740938ca.
2022-11-08Linux: Add ppoll fortify symbol for 64 bit time_t (BZ# 29746)Adhemerval Zanella
Similar to ppoll, the poll.h header needs to redirect the poll call to a proper fortified ppoll with 64 bit time_t support. The implementation is straightforward, just need to add a similar check as __poll_chk and call the 64 bit time_t ppoll version. The debug fortify tests are also extended to cover 64 bit time_t for affected ABIs. Unfortunately it requires an aditional symbol, which makes backport tricky. One possibility is to add a static inline version if compiler supports is and call abort instead of __chk_fail, so fortified version will call __poll64 in the end. Another possibility is to just remove the fortify support for _TIME_BITS=64. Checked on i686-linux-gnu.
2022-10-28Fix invalid pointer dereference in wcpcpy_chkSzabolcs Nagy
The src pointer is const and points to a different object, so accessing dest via src is invalid. Reviewed-by: Florian Weimer <fweimer@redhat.com>
2022-10-28Fix invalid pointer dereference in wcscpy_chkSzabolcs Nagy
The src pointer is const and points to a different object, so accessing dest via src is invalid. Reviewed-by: Florian Weimer <fweimer@redhat.com>
2022-09-05debug: test for more required cacellation points (BZ# 29274)Adhemerval Zanella
Generalize the test for cancellation point in __read_chk to also test the other fortified functions with required cancellation points. Since there is not easy way to force some syscalls to block (for instance pread) the test tests two modes: cancellation on blocked syscalls and early cancellation on pending request. Checked on x86_64-linux-gnu and aarch64-linux-gnu. Co-authored-by: Andreas Schwab <schwab@suse.de> Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2022-08-03stdio: Clean up __libc_message after unconditional abortFlorian Weimer
Since commit ec2c1fcefb200c6cb7e09553f3c6af8815013d83 ("malloc: Abort on heap corruption, without a backtrace [BZ #21754]"), __libc_message always terminates the process. Since commit a289ea09ea843ced6e5277c2f2e63c357bc7f9a3 ("Do not print backtraces on fatal glibc errors"), the backtrace facility has been removed. Therefore, remove enum __libc_message_action and the action argument of __libc_message, and mark __libc_message as _No_return. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2022-06-22debug: make __read_chk a cancellation point (bug 29274)Andreas Schwab
The __read_chk function, as the implementation behind the fortified read function, must be a cancellation point, thus it cannot use INLINE_SYSCALL.
2022-05-13wcrtomb: Make behavior POSIX compliantSiddhesh Poyarekar
The GNU implementation of wcrtomb assumes that there are at least MB_CUR_MAX bytes available in the destination buffer passed to wcrtomb as the first argument. This is not compatible with the POSIX definition, which only requires enough space for the input wide character. This does not break much in practice because when users supply buffers smaller than MB_CUR_MAX (e.g. in ncurses), they compute and dynamically allocate the buffer, which results in enough spare space (thanks to usable_size in malloc and padding in alloca) that no actual buffer overflow occurs. However when the code is built with _FORTIFY_SOURCE, it runs into the hard check against MB_CUR_MAX in __wcrtomb_chk and hence fails. It wasn't evident until now since dynamic allocations would result in wcrtomb not being fortified but since _FORTIFY_SOURCE=3, that limitation is gone, resulting in such code failing. To fix this problem, introduce an internal buffer that is MB_LEN_MAX long and use that to perform the conversion and then copy the resultant bytes into the destination buffer. Also move the fortification check into the main implementation, which checks the result after conversion and aborts if the resultant byte count is greater than the destination buffer size. One complication is that applications that assume the MB_CUR_MAX limitation to be gone may not be able to run safely on older glibcs if they use static destination buffers smaller than MB_CUR_MAX; dynamic allocations will always have enough spare space that no actual overruns will occur. One alternative to fixing this is to bump symbol version to prevent them from running on older glibcs but that seems too strict a constraint. Instead, since these users will only have made this decision on reading the manual, I have put a note in the manual warning them about the pitfalls of having static buffers smaller than MB_CUR_MAX and running them on older glibc. Benchmarking: The wcrtomb microbenchmark shows significant increases in maximum execution time for all locales, ranging from 10x for ar_SA.UTF-8 to 1.5x-2x for nearly everything else. The mean execution time however saw practically no impact, with some results even being quicker, indicating that cache locality has a much bigger role in the overhead. Given that the additional copy uses a temporary buffer inside wcrtomb, it's likely that a hot path will end up putting that buffer (which is responsible for the additional overhead) in a similar place on stack, giving the necessary cache locality to negate the overhead. However in situations where wcrtomb ends up getting called at wildly different spots on the call stack (or is on different call stacks, e.g. with threads or different execution contexts) and is still a hotspot, the performance lag will be visible. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-04-25misc: Fix rare fortify crash on wchar funcs. [BZ 29030]Joan Bruguera
If `__glibc_objsize (__o) == (size_t) -1` (i.e. `__o` is unknown size), fortify checks should pass, and `__whatever_alias` should be called. Previously, `__glibc_objsize (__o) == (size_t) -1` was explicitly checked, but on commit a643f60c53876b, this was moved into `__glibc_safe_or_unknown_len`. A comment says the -1 case should work as: "The -1 check is redundant because since it implies that __glibc_safe_len_cond is true.". But this fails when: * `__s > 1` * `__osz == -1` (i.e. unknown size at compile time) * `__l` is big enough * `__l * __s <= __osz` can be folded to a constant (I only found this to be true for `mbsrtowcs` and other functions in wchar2.h) In this case `__l * __s <= __osz` is false, and `__whatever_chk_warn` will be called by `__glibc_fortify` or `__glibc_fortify_n` and crash the program. This commit adds the explicit `__osz == -1` check again. moc crashes on startup due to this, see: https://bugs.archlinux.org/task/74041 Minimal test case (test.c): #include <wchar.h> int main (void) { const char *hw = "HelloWorld"; mbsrtowcs (NULL, &hw, (size_t)-1, NULL); return 0; } Build with: gcc -O2 -Wp,-D_FORTIFY_SOURCE=2 test.c -o test && ./test Output: *** buffer overflow detected ***: terminated Fixes: BZ #29030 Signed-off-by: Joan Bruguera <joanbrugueram@gmail.com> Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-03-28debug: Improve fdelt_chk error messageCristian Rodríguez
It is not a "buffer overflow detected" but an out of range bit on fd_set Signed-off-by: Cristian Rodríguez <crrodriguez@opensuse.org> Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-12debug: Synchronize feature guards in fortified functions [BZ #28746]Siddhesh Poyarekar
Some functions (e.g. stpcpy, pread64, etc.) had moved to POSIX in the main headers as they got incorporated into the standard, but their fortified variants remained under __USE_GNU. As a result, these functions did not get fortified when _GNU_SOURCE was not defined. Add test wrappers that check all functions tested in tst-chk0 at all levels with _GNU_SOURCE undefined and then use the failures to (1) exclude checks for _GNU_SOURCE functions in these tests and (2) Fix feature macro guards in the fortified function headers so that they're the same as the ones in the main headers. This fixes BZ #28746. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2022-01-12debug: Autogenerate _FORTIFY_SOURCE testsSiddhesh Poyarekar
Rename debug/tst-chk1.c to debug/tst-fortify.c and add make hackery to autogenerate tests with different macros enabled to build and run the same test with different configurations as well as different fortification levels. The change also ends up expanding the -lfs tests to include _FORTIFY_SOURCE=3. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2022-01-06debug: Remove catchsegv and libSegfault (BZ #14913)Adhemerval Zanella
Trapping SIGSEGV within the process is error-prone, adds security issues, and modern analysis design tends to happen out of the process (either by attaching a debugger or by post-mortem analysis). The libSegfault also has some design problems, it uses non async-signal-safe function (backtrace) on signal handler. There are multiple alternatives if users do want to use similar functionality, such as sigsegv gnulib module or libsegfault.
2022-01-01Update copyright dates not handled by scripts/update-copyrights.Paul Eggert
I've updated copyright dates in glibc for 2022. This is the patch for the changes not generated by scripts/update-copyrights and subsequent build / regeneration of generated files. As well as the usual annual updates, mainly dates in --version output (minus csu/version.c which previously had to be handled manually but is now successfully updated by update-copyrights), there is a small change to the copyright notice in NEWS which should let NEWS get updated automatically next year. Please remember to include 2022 in the dates for any new files added in future (which means updating any existing uncommitted patches you have that add new files to use the new copyright dates in them).
2022-01-01Update copyright dates with scripts/update-copyrightsPaul Eggert
I used these shell commands: ../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright (cd ../glibc && git commit -am"[this commit message]") and then ignored the output, which consisted lines saying "FOO: warning: copyright statement not found" for each of 7061 files FOO. I then removed trailing white space from math/tgmath.h, support/tst-support-open-dev-null-range.c, and sysdeps/x86_64/multiarch/strlen-vec.S, to work around the following obscure pre-commit check failure diagnostics from Savannah. I don't know why I run into these diagnostics whereas others evidently do not. remote: *** 912-#endif remote: *** 913: remote: *** 914- remote: *** error: lines with trailing whitespace found ... remote: *** error: sysdeps/unix/sysv/linux/statx_cp.c: trailing lines
2021-12-17fortify: Fix spurious warning with realpathSiddhesh Poyarekar
The length and object size arguments were swapped around for realpath. Also add a smoke test so that any changes in this area get caught in future. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-10-20debug: Add tests for _FORTIFY_SOURCE=3Siddhesh Poyarekar
Add some testing coverage for _FORTIFY_SOURCE=3. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-09-03Remove "Contributed by" linesSiddhesh Poyarekar
We stopped adding "Contributed by" or similar lines in sources in 2012 in favour of git logs and keeping the Contributors section of the glibc manual up to date. Removing these lines makes the license header a bit more consistent across files and also removes the possibility of error in attribution when license blocks or files are copied across since the contributed-by lines don't actually reflect reality in those cases. Move all "Contributed by" and similar lines (Written by, Test by, etc.) into a new file CONTRIBUTED-BY to retain record of these contributions. These contributors are also mentioned in manual/contrib.texi, so we just maintain this additional record as a courtesy to the earlier developers. The following scripts were used to filter a list of files to edit in place and to clean up the CONTRIBUTED-BY file respectively. These were not added to the glibc sources because they're not expected to be of any use in future given that this is a one time task: https://gist.github.com/siddhesh/b5ecac94eabfd72ed2916d6d8157e7dc https://gist.github.com/siddhesh/15ea1f5e435ace9774f485030695ee02 Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2021-05-12Remove all usage of @BASH@ or ${BASH} in installed files, and hardcode ↵Romain GEISSLER
/bin/bash instead (FYI, this is a repost of https://sourceware.org/pipermail/libc-alpha/2019-July/105035.html now that FSF papers have been signed and confirmed on FSF side). This trivial patch attemps to fix BZ 24106. Basically the bash locally used when building glibc on the host shall not leak on the installed glibc, as the system where it is installed might be different and use another bash location. So I have looked for all occurences of @BASH@ or $(BASH) in installed files, and replaced it by /bin/bash. This was suggested by Florian Weimer in the bug report. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2021-03-01backtrace: Implement on top of <unwind-link.h>Florian Weimer
This reimplements the generic version of backtrace. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2021-03-01Implement <unwind-link.h> for dynamically loading the libgcc_s unwinderFlorian Weimer
This will be used to consolidate the libgcc_s access for backtrace and pthread_cancel. Unlike the existing backtrace implementations, it provides some hardening based on pointer mangling. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2021-02-01libSegFault: Fix printing signal number [BZ #27249]Vitaly Chikunov
Signal number is written into the tail of buf, but printed from the beginning, outputting garbage on the screen. Fix this by printing from the correct position. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> Reviewed-by: Dmitry V. Levin <ldv@altlinux.org>
2021-01-02Update copyright dates not handled by scripts/update-copyrights.Paul Eggert
I've updated copyright dates in glibc for 2021. This is the patch for the changes not generated by scripts/update-copyrights and subsequent build / regeneration of generated files. As well as the usual annual updates, mainly dates in --version output (minus csu/version.c which previously had to be handled manually but is now successfully updated by update-copyrights), there is a small change to the copyright notice in NEWS which should let NEWS get updated automatically next year. Please remember to include 2021 in the dates for any new files added in future (which means updating any existing uncommitted patches you have that add new files to use the new copyright dates in them).
2021-01-02Update copyright dates with scripts/update-copyrightsPaul Eggert
I used these shell commands: ../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright (cd ../glibc && git commit -am"[this commit message]") and then ignored the output, which consisted lines saying "FOO: warning: copyright statement not found" for each of 6694 files FOO. I then removed trailing white space from benchtests/bench-pthread-locks.c and iconvdata/tst-iconv-big5-hkscs-to-2ucs4.c, to work around this diagnostic from Savannah: remote: *** pre-commit check failed ... remote: *** error: lines with trailing whitespace found remote: error: hook declined to update refs/heads/master
2020-11-05Remove __warndeclSiddhesh Poyarekar
The macro is not used anymore, so remove it and warning-nop.c. Reviewed-by: Florian Weimer <fweimer@redhat.com>
2020-07-07signal: Move sys_siglist to a compat symbolAdhemerval Zanella
The symbol was deprecated by strsignal and its usage imposes issues such as copy relocations. Its internal name is changed to __sys_siglist and __sys_sigabbrev to avoid static linking usage. The compat code is also refactored, since both Linux and Hurd usage the same strategy: export the same array with different object sizes. The libSegfault change avoids calling strsignal on the SIGFAULT signal handler (the current usage is already sketchy, adding a call that potentially issue locale internal function is even sketchier). Checked on x86_64-linux-gnu and i686-linux-gnu. I also run a check-abi on all affected platforms. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2020-02-18mips: Fix bracktrace result for signal framesAdhemerval Zanella
MIPS fallback code handle a frame where its FDE can not be obtained (for instance a signal frame) by reading the kernel allocated signal frame and adding '2' to the value of 'sc_pc' [1]. The added value is used to recognize an end of an EH region on mips16 [2]. The fix adjust the obtained signal frame value and remove the libgcc added value by checking if the previous frame is a signal frame one. Checked with backtrace and tst-sigcontext-get_pc tests on mips-linux-gnu and mips64-linux-gnu. [1] libgcc/config/mips/linux-unwind.h from gcc code. [2] gcc/config/mips/mips.h from gcc code. */
2020-02-11debug: Add missing locale dependencies of fortify testsFlorian Weimer
The missing dependencies result in failures like this if make check is invoked with sufficient parallelism for the debug subdirectory: FAIL: debug/tst-chk2 FAIL: debug/tst-chk3 FAIL: debug/tst-chk4 FAIL: debug/tst-chk5 FAIL: debug/tst-chk6 FAIL: debug/tst-lfschk1 FAIL: debug/tst-lfschk2 FAIL: debug/tst-lfschk3 FAIL: debug/tst-lfschk4 FAIL: debug/tst-lfschk5 FAIL: debug/tst-lfschk6
2020-01-21Fix array overflow in backtrace on PowerPC (bug 25423)Andreas Schwab
When unwinding through a signal frame the backtrace function on PowerPC didn't check array bounds when storing the frame address. Fixes commit d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines").