aboutsummaryrefslogtreecommitdiff
path: root/misc
AgeCommit message (Collapse)Author
2024-02-28cdefs: Drop access attribute for _FORTIFY_SOURCE=3 (BZ #31383)Siddhesh Poyarekar
When passed a pointer to a zero-sized struct, the access attribute without the third argument misleads -Wstringop-overflow diagnostics to think that a function is writing 1 byte into the zero-sized structs. The attribute doesn't add that much value in this context, so drop it completely for _FORTIFY_SOURCE=3. Resolves: BZ #31383 Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2024-02-27debug: Improve fcntl.h fortify warnings with clangAdhemerval Zanella
It improves open, open64, openat, and openat64. The compile and runtime checks have similar coverage as with GCC. Checked on aarch64, armhf, x86_64, and i686. Reviewed-by: Carlos O'Donell <carlos@redhat.com> Tested-by: Carlos O'Donell <carlos@redhat.com>
2024-02-27syslog: Improve fortify with clangAdhemerval Zanella
It improve fortify checks for syslog and vsyslog. The compile and runtime hecks have similar coverage as with GCC. The syslog fortify wrapper calls the va_arg version, since clang does not support __va_arg_pack. Checked on aarch64, armhf, x86_64, and i686. Reviewed-by: Carlos O'Donell <carlos@redhat.com> Tested-by: Carlos O'Donell <carlos@redhat.com>
2024-02-27cdefs.h: Add clang fortify directivesAdhemerval Zanella
For instance, the read wrapper is currently expanded as: extern __inline __attribute__((__always_inline__)) __attribute__((__artificial__)) __attribute__((__warn_unused_result__)) ssize_t read (int __fd, void *__buf, size_t __nbytes) { return __glibc_safe_or_unknown_len (__nbytes, sizeof (char), __glibc_objsize0 (__buf)) ? __read_alias (__fd, __buf, __nbytes) : __glibc_unsafe_len (__nbytes, sizeof (char), __glibc_objsize0 (__buf)) ? __read_chk_warn (__fd, __buf, __nbytes, __builtin_object_size (__buf, 0)) : __read_chk (__fd, __buf, __nbytes, __builtin_object_size (__buf, 0)); } The wrapper relies on __builtin_object_size call lowers to a constant at compile-time and many other operations in the wrapper depends on having a single, known value for parameters. Because this is impossible to have for function parameters, the wrapper depends heavily on inlining to work and While this is an entirely viable approach on GCC, it is not fully reliable on clang. This is because by the time llvm gets to inlining and optimizing, there is a minimal reliable source and type-level information available (more information on a more deep explanation on how to fortify wrapper works on clang [1]). To allow the wrapper to work reliably and with the same functionality as with GCC, clang requires a different approach: * __attribute__((diagnose_if(c, “str”, “warning”))) which is a function level attribute; if the compiler can determine that 'c' is true at compile-time, it will emit a warning with the text 'str1'. If it would be better to emit an error, the wrapper can use "error" instead of "warning". * __attribute__((overloadable)) which is also a function-level attribute; and it allows C++-style overloading to occur on C functions. * __attribute__((pass_object_size(n))) which is a parameter-level attribute; and it makes the compiler evaluate __builtin_object_size(param, n) at each call site of the function that has the parameter, and passes it in as a hidden parameter. This attribute has two side-effects that are key to how FORTIFY works: 1. It can overload solely on pass_object_size (e.g. there are two overloads of foo in void foo(char * __attribute__((pass_object_size(0))) c); void foo(char *); (The one with pass_object_size attribute has precende over the default one). 2. A function with at least one pass_object_size parameter can never have its address taken (and overload resolution respects this). Thus the read wrapper can be implemented as follows, without hindering any fortify coverage compile and runtime: extern __inline __attribute__((__always_inline__)) __attribute__((__artificial__)) __attribute__((__overloadable__)) __attribute__((__warn_unused_result__)) ssize_t read (int __fd, void *const __attribute__((pass_object_size (0))) __buf, size_t __nbytes) __attribute__((__diagnose_if__ ((((__builtin_object_size (__buf, 0)) != -1ULL && (__nbytes) > (__builtin_object_size (__buf, 0)) / (1))), "read called with bigger length than size of the destination buffer", "warning"))) { return (__builtin_object_size (__buf, 0) == (size_t) -1) ? __read_alias (__fd, __buf, __nbytes) : __read_chk (__fd, __buf, __nbytes, __builtin_object_size (__buf, 0)); } To avoid changing the current semantic for GCC, a set of macros is defined to enable the clang required attributes, along with some changes on internal macros to avoid the need to issue the symbol_chk symbols (which are done through the __diagnose_if__ attribute for clang). The read wrapper is simplified as: __fortify_function __attribute_overloadable__ __wur ssize_t read (int __fd, __fortify_clang_overload_arg0 (void *, ,__buf), size_t __nbytes) __fortify_clang_warning_only_if_bos0_lt (__nbytes, __buf, "read called with bigger length than " "size of the destination buffer") { return __glibc_fortify (read, __nbytes, sizeof (char), __glibc_objsize0 (__buf), __fd, __buf, __nbytes); } There is no expected semantic or code change when using GCC. Also, clang does not support __va_arg_pack, so variadic functions are expanded to call va_arg implementations. The error function must not have bodies (address takes are expanded to nonfortified calls), and with the __fortify_function compiler might still create a body with the C++ mangling name (due to the overload attribute). In this case, the function is defined with __fortify_function_error_function macro instead. [1] https://docs.google.com/document/d/1DFfZDICTbL7RqS74wJVIJ-YnjQOj1SaoqfhbgddFYSM/edit Checked on aarch64, armhf, x86_64, and i686. Reviewed-by: Carlos O'Donell <carlos@redhat.com> Tested-by: Carlos O'Donell <carlos@redhat.com>
2024-01-30syslog: Fix integer overflow in __vsyslog_internal (CVE-2023-6780)Arjun Shankar
__vsyslog_internal calculated a buffer size by adding two integers, but did not first check if the addition would overflow. This commit fixes that. Reviewed-by: Carlos O'Donell <carlos@redhat.com> Tested-by: Carlos O'Donell <carlos@redhat.com>
2024-01-30syslog: Fix heap buffer overflow in __vsyslog_internal (CVE-2023-6779)Arjun Shankar
__vsyslog_internal used the return value of snprintf/vsnprintf to calculate buffer sizes for memory allocation. If these functions (for any reason) failed and returned -1, the resulting buffer would be too small to hold output. This commit fixes that. All snprintf/vsnprintf calls are checked for negative return values and the function silently returns upon encountering them. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2024-01-30syslog: Fix heap buffer overflow in __vsyslog_internal (CVE-2023-6246)Arjun Shankar
__vsyslog_internal did not handle a case where printing a SYSLOG_HEADER containing a long program name failed to update the required buffer size, leading to the allocation and overflow of a too-small buffer on the heap. This commit fixes that. It also adds a new regression test that uses glibc.malloc.check. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> Reviewed-by: Carlos O'Donell <carlos@redhat.com> Tested-by: Carlos O'Donell <carlos@redhat.com>
2024-01-01Update copyright dates with scripts/update-copyrightsPaul Eggert
2023-11-22malloc: Use __get_nprocs on arena_get2 (BZ 30945)Adhemerval Zanella
This restore the 2.33 semantic for arena_get2. It was changed by 11a02b035b46 to avoid arena_get2 call malloc (back when __get_nproc was refactored to use an scratch_buffer - 903bc7dcc2acafc). The __get_nproc was refactored over then and now it also avoid to call malloc. The 11a02b035b46 did not take in consideration any performance implication, which should have been discussed properly. The __get_nprocs_sched is still used as a fallback mechanism if procfs and sysfs is not acessible. Checked on x86_64-linux-gnu. Reviewed-by: DJ Delorie <dj@redhat.com>
2023-07-05misc/bits/syslog.h: Clearly separate declaration from definitionFrédéric Bérat
This allows to include bits/syslog-decl.h in include/sys/syslog.h and therefore be able to create the libc_hidden_builtin_proto (__syslog_chk) prototype. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-07-05misc/bits/select2.h: Clearly separate declaration from definitionsFrédéric Bérat
The __fdelt_chk declaration needs to be available so that libc_hidden_proto can be used while not redefining __FD_ELT. Thus, misc/bits/select-decl.h is created to hold the corresponding prototypes. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-07-05misc/sys/cdefs.h: Create FORTIFY redirects for internal callsFrédéric Bérat
The __REDIRECT* macros are creating aliases which may lead to unwanted PLT entries when fortification is enabled. To prevent these entries, the REDIRECT alias should be set to point to the existing __GI_* aliases. This is done transparently by creating a __REDIRECT_FORTIFY* version of these macros, that can be overwritten internally when necessary. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-07-05Exclude routines from fortificationFrédéric Bérat
Since the _FORTIFY_SOURCE feature uses some routines of Glibc, they need to be excluded from the fortification. On top of that: - some tests explicitly verify that some level of fortification works appropriately, we therefore shouldn't modify the level set for them. - some objects need to be build with optimization disabled, which prevents _FORTIFY_SOURCE to be used for them. Assembler files that implement architecture specific versions of the fortified routines were not excluded from _FORTIFY_SOURCE as there is no C header included that would impact their behavior. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-06-06tests: Replace various function calls with their x variantFrédéric Bérat
With fortification enabled, few function calls return result need to be checked, has they get the __wur macro enabled. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-06-02Fix all the remaining misspellings -- BZ 25337Paul Pluzhnikov
2023-06-01tests: fix warn unused resultsFrédéric Bérat
With fortification enabled, few function calls return result need to be checked, has they get the __wur macro enabled. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-05-18misc: Reformat Makefile.Carlos O'Donell
Reflow Makefile. Sort using updated scripts/sort-makefile-lines.py. Code generation is changed as routines are linked in sorted order as expected. No regressions on x86_64 and i686. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-05-16misc: Reformat Makefile.Carlos O'Donell
Reflow Makefile. Sort using scripts/sort-makefile-lines.py. Code generation is changed as routines are linked in sorted order as expected. No regressions on x86_64 and i686.
2023-05-10Added Redirects to longdouble error functions [BZ #29033]Sachin Monga
This patch redirects the error functions to the appropriate longdouble variants which enables the compiler to optimize for the abi ieeelongdouble. Signed-off-by: Sachin Monga <smonga@linux.ibm.com>
2023-05-01Mark various cold functions as __COLDSergey Bugaev
GCC docs explicitly list perror () as a good candidate for using __attribute__ ((cold)). So apply __COLD to perror () and similar functions. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Signed-off-by: Sergey Bugaev <bugaevc@gmail.com> Message-Id: <20230429131223.2507236-3-bugaevc@gmail.com>
2023-04-29cdefs.h: Define __COLDSergey Bugaev
This expands to __attribute__ ((cold)) when supported. It should be used to mark up functions that are invoked rarely. Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
2023-04-22misc: Convert daemon () to GNU coding styleSergey Bugaev
This is nicer, and is going to be required for the following changes to reasonably stay within the 79 column limit. No functional change. Signed-off-by: Sergey Bugaev <bugaevc@gmail.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> Message-Id: <20230419160207.65988-2-bugaevc@gmail.com>
2023-03-27Move libc_freeres_ptrs and libc_subfreeres to hidden/weak functionsAdhemerval Zanella Netto
They are both used by __libc_freeres to free all library malloc allocated resources to help tooling like mtrace or valgrind with memory leak tracking. The current scheme uses assembly markers and linker script entries to consolidate the free routine function pointers in the RELRO segment and to be freed buffers in BSS. This patch changes it to use specific free functions for libc_freeres_ptrs buffers and call the function pointer array directly with call_function_static_weak. It allows the removal of both the internal macros and the linker script sections. Checked on x86_64-linux-gnu, i686-linux-gnu, and aarch64-linux-gnu. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2023-02-27cdefs.h: fix "__clang_major" typoPaul Eggert
* misc/sys/cdefs.h: Fix misspelling of "__clang_major__". Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-02-17Use uintptr_t instead of performing pointer subtraction with a null pointerQihao Chencao
Signed-off-by: Qihao Chencao <twose@qq.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-02-02cdefs: Limit definition of fortification macrosSiddhesh Poyarekar
Define the __glibc_fortify and other macros only when __FORTIFY_LEVEL > 0. This has the effect of not defining these macros on older C90 compilers that do not have support for variable length argument lists. Also trim off the trailing backslashes from the definition of __glibc_fortify and __glibc_fortify_n macros. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: Florian Weimer <fweimer@redhat.com>
2023-01-06Update copyright dates with scripts/update-copyrightsJoseph Myers
2022-11-29Apply asm redirections in syslog.h before first use [BZ #27087]Tulio Magno Quites Machado Filho
Similar to d0fa09a770, but for syslog.h when _FORTIFY_SOURCE > 0. Fixes [BZ #27087] by applying long double-related asm redirections before using functions in bits/syslog.h. Tested with build-many-glibcs.py. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2022-11-01configure: Use -Wno-ignored-attributes if compiler warns about multiple aliasesAdhemerval Zanella
clang emits an warning when a double alias redirection is used, to warn the the original symbol will be used even when weak definition is overridden. However, this is a common pattern for weak_alias, where multiple alias are set to same symbol. Reviewed-by: Fangrui Song <maskray@google.com>
2022-10-18Use PTR_MANGLE and PTR_DEMANGLE unconditionally in C sourcesFlorian Weimer
In the future, this will result in a compilation failure if the macros are unexpectedly undefined (due to header inclusion ordering or header inclusion missing altogether). Assembler sources are more difficult to convert. In many cases, they are hand-optimized for the mangling and no-mangling variants, which is why they are not converted. sysdeps/s390/s390-32/__longjmp.c and sysdeps/s390/s390-64/__longjmp.c are special: These are C sources, but most of the implementation is in assembler, so the PTR_DEMANGLE macro has to be undefined in some cases, to match the assembler style. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2022-10-18Introduce <pointer_guard.h>, extracted from <sysdep.h>Florian Weimer
This allows us to define a generic no-op version of PTR_MANGLE and PTR_DEMANGLE. In the future, we can use PTR_MANGLE and PTR_DEMANGLE unconditionally in C sources, avoiding an unintended loss of hardening due to missing include files or unlucky header inclusion ordering. In i386 and x86_64, we can avoid a <tls.h> dependency in the C code by using the computed constant from <tcb-offsets.h>. <sysdep.h> no longer includes these definitions, so there is no cyclic dependency anymore when computing the <tcb-offsets.h> constants. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2022-09-05syslog: Remove extra whitespace between timestamp and message (BZ#29544)Adhemerval Zanella
The rfc3164 clear states that a single space character must follow the timestamp field. Checked on x86_64-linux-gnu.
2022-08-30syslog: Fix large messages (BZ#29536)Adhemerval Zanella
The a583b6add407c17cd change did not handle large messages that would require a heap allocation correctly, where the message itself is not take in consideration. This patch fixes it and extend the tst-syslog to check for large messages as well. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-06-24misc: Optimize internal usage of __libc_single_threadedAdhemerval Zanella
By adding an internal alias to avoid the GOT indirection. On some architecture, __libc_single_thread may be accessed through copy relocations and thus it requires to update also the copies default copy. This is done by adding a new internal macro, libc_hidden_data_{proto,def}, which has an addition argument that specifies the alias name (instead of default __GI_ one). Checked on x86_64-linux-gnu and i686-linux-gnu. Reviewed-by: Fangrui Song <maskray@google.com>
2022-06-02linux: Add process_madviseAdhemerval Zanella
It was added on Linux 5.10 (ecb8ac8b1f146915aa6b96449b66dd48984caacc) with the same functionality as madvise but using a pidfd of the target process. Checked on x86_64-linux-gnu and i686-linux-gnu. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2022-06-01misc: Use 64 bit stat for getusershell (BZ# 29203)Adhemerval Zanella
This is a missing spot initially from 52a5fe70a2c77935. Checked on i686-linux-gnu.
2022-06-01misc: Use 64 bit stat for daemon (BZ# 29203)Adhemerval Zanella
This is a missing spot initially from 52a5fe70a2c77935. Checked on i686-linux-gnu.
2022-05-16sys/cdefs.h: Do not require C++ compilers to define __STDC__Jonathan Wakely
The check for an ISO C compiler assumes that anything GCC-like will define __STDC__, even if it's actually a C++ compiler. That's currently true for G++ and compilers like clang++ that also define __GNUC__, but it might not always be true. The C++ standard leaves it implementation-defined whether or not __STDC__ is defined by C++ compilers. And really the check should be "ISO C or ISO C++ conforming compiler" anyway. So only give an error if __GNUC__ is defined and neither __STDC__ nor __cplusplus is defined. Reviewed-by: Fangrui Song <maskray@google.com>
2022-05-16fortify: Ensure that __glibc_fortify condition is a constant [BZ #29141]Siddhesh Poyarekar
The fix c8ee1c85 introduced a -1 check for object size without also checking that object size is a constant. Because of this, the tree optimizer passes in gcc fail to fold away one of the branches in __glibc_fortify and trips on a spurious Wstringop-overflow. The warning itself is incorrect and the branch does go away eventually in DCE in the rtl passes in gcc, but the constant check is a helpful hint to simplify code early, so add it in. Resolves: BZ #29141 Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-04-25misc: Fix rare fortify crash on wchar funcs. [BZ 29030]Joan Bruguera
If `__glibc_objsize (__o) == (size_t) -1` (i.e. `__o` is unknown size), fortify checks should pass, and `__whatever_alias` should be called. Previously, `__glibc_objsize (__o) == (size_t) -1` was explicitly checked, but on commit a643f60c53876b, this was moved into `__glibc_safe_or_unknown_len`. A comment says the -1 case should work as: "The -1 check is redundant because since it implies that __glibc_safe_len_cond is true.". But this fails when: * `__s > 1` * `__osz == -1` (i.e. unknown size at compile time) * `__l` is big enough * `__l * __s <= __osz` can be folded to a constant (I only found this to be true for `mbsrtowcs` and other functions in wchar2.h) In this case `__l * __s <= __osz` is false, and `__whatever_chk_warn` will be called by `__glibc_fortify` or `__glibc_fortify_n` and crash the program. This commit adds the explicit `__osz == -1` check again. moc crashes on startup due to this, see: https://bugs.archlinux.org/task/74041 Minimal test case (test.c): #include <wchar.h> int main (void) { const char *hw = "HelloWorld"; mbsrtowcs (NULL, &hw, (size_t)-1, NULL); return 0; } Build with: gcc -O2 -Wp,-D_FORTIFY_SOURCE=2 test.c -o test && ./test Output: *** buffer overflow detected ***: terminated Fixes: BZ #29030 Signed-off-by: Joan Bruguera <joanbrugueram@gmail.com> Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-04-15misc: Use 64 bit time_t interfaces on syslogAdhemerval Zanella
It also handles the highly unlikely case where localtime might return NULL, in this case only the PRI is set to hopefully instruct the relay to get eh TIMESTAMP (as defined by the RFC). Checked on x86_64-linux-gnu and i686-linux-gnu.
2022-04-15misc: syslog: Move SYSLOG_NAME to USE_MISC (BZ #16355)Adhemerval Zanella
There is no easy solution as described on first comment in bug report, and some code (like busybox) assumes facilitynames existance when SYSLOG_NAMES is defined (so we can't just remove it as suggested in comment #2). So use the easier solution and guard it with __USE_MISC.
2022-04-15misc: syslog: Use fixed-sized buffer and remove memstreamAdhemerval Zanella
A fixed-sized buffer is used instead of memstream for messages up to 1024 bytes to avoid the potential BUFSIZ (8K) malloc and free for each syslog call. Also, since the buffer size is know, memstream is replaced with a malloced buffer for larger messages. Checked on x86_64-linux-gnu.
2022-04-15misc: syslog: Simplify implementationAdhemerval Zanella
Use a temporary buffer for strftime instead of using internal libio members, simplify fprintf call on the memstream and memory allocation, use %b instead of %h, use dprintf instead of writev for LOG_PERROR. Checked on x86_64-linux-gnu and i686-linux-gnu.
2022-04-15misc: syslog: Fix indentation and styleAdhemerval Zanella
And also clenaup the headers, no semantic changes.
2022-04-15misc: Add syslog testAdhemerval Zanella
The test cover: - All possible priorities and facilities through TCP and UDP. - Same syslog tests for vsyslog. - Some openlog/syslog/close combinations. - openlog with LOG_CONS, LOG_PERROR, and LOG_PID. Internally is done with a test-container where the main process mimics the syslog server interface. The test does not cover multithread and async-signal usage. Checked on x86_64-linux-gnu.
2022-03-10Add some missing access function attributesSteve Grubb
This patch adds some missing access function attributes to getrandom / getentropy and several functions in sys/xattr.h Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-12Enable _FORTIFY_SOURCE=3 for gcc 12 and aboveSiddhesh Poyarekar
gcc 12 now has support for the __builtin_dynamic_object_size builtin. Adapt the macro checks to enable _FORTIFY_SOURCE=3 on gcc 12 and above. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2022-01-01Update copyright dates with scripts/update-copyrightsPaul Eggert
I used these shell commands: ../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright (cd ../glibc && git commit -am"[this commit message]") and then ignored the output, which consisted lines saying "FOO: warning: copyright statement not found" for each of 7061 files FOO. I then removed trailing white space from math/tgmath.h, support/tst-support-open-dev-null-range.c, and sysdeps/x86_64/multiarch/strlen-vec.S, to work around the following obscure pre-commit check failure diagnostics from Savannah. I don't know why I run into these diagnostics whereas others evidently do not. remote: *** 912-#endif remote: *** 913: remote: *** 914- remote: *** error: lines with trailing whitespace found ... remote: *** error: sysdeps/unix/sysv/linux/statx_cp.c: trailing lines
2021-12-16Fix __minimal_malloc segfaults in __mmap due to stack-protectorStefan Liebler
Starting with commit b05fae4d8e34604a72ee36d2d3164391b76fcf0b "elf: Use the minimal malloc on tunables_strdup", I get lots of segfaults in static tests on s390x when also using, e.g.: export GLIBC_TUNABLES="glibc.elision.enable=1" tunables_strdup callls __minimal_malloc which tries to call __mmap due to insufficient space left. __mmap itself first setups a new stack frame and segfaults when copying the stack-protector canary from thread-pointer. The latter one is not yet setup. Thus this patch also turns off stack-protection for mmap. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>