aboutsummaryrefslogtreecommitdiff
path: root/sysdeps/posix
AgeCommit message (Collapse)Author
2024-01-01Update copyright dates with scripts/update-copyrightsPaul Eggert
2023-11-07linux: Decorate __libc_fatal error bufferAdhemerval Zanella
Reviewed-by: DJ Delorie <dj@redhat.com>
2023-10-24Move getaddrinfo from 'posix' into 'nss'Arjun Shankar
getaddrinfo is an entry point for nss functionality. This commit moves it from 'sysdeps/posix' to 'nss', gets rid of the stub in 'posix', and moves all associated tests as well. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-09-25Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]Romain Geissler
This patch fixes a very recently added leak in getaddrinfo. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-09-15getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)Siddhesh Poyarekar
When an NSS plugin only implements the _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use memory that was freed during tmpbuf resizing, through h_name in a previous query response. The backing store for res->at->name when doing a query with gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in gethosts during the query. For AF_INET6 lookup with AI_ALL | AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second for a v4 lookup. In this case, if the first call reallocates tmpbuf enough number of times, resulting in a malloc, th->h_name (that res->at->name refers to) ends up on a heap allocated storage in tmpbuf. Now if the second call to gethosts also causes the plugin callback to return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF reference in res->at->name. This then gets dereferenced in the getcanonname_r plugin call, resulting in the use after free. Fix this by copying h_name over and freeing it at the end. This resolves BZ #30843, which is assigned CVE-2023-4806. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-09-11stdio: Remove __libc_message alloca usageJoe Simmons-Talbott
Use a fixed size array instead. The maximum number of arguments is set by macro tricks. Co-authored-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-09-06getaddrinfo: Get rid of allocaJoe Simmons-Talbott
Use a scratch_buffer rather than alloca to avoid potential stack overflow.
2023-09-05getcanonname: Fix a typoSiddhesh Poyarekar
This code is generally unused in practice since there don't seem to be any NSS modules that only implement _nss_MOD_gethostbyname2_r and not _nss_MOD_gethostbyname3_r. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-06-20hurd: readv: Get rid of allocaJoe Simmons-Talbott
Replace alloca with a scratch_buffer to avoid potential stack overflows. Checked on i686-gnu and x86_64-linux-gnu Message-Id: <20230619144334.2902429-1-josimmon@redhat.com>
2023-06-20hurd: writev: Add back cleanup handlerJoe Simmons-Talbott
There is a potential memory leak for large writes due to writev being a "shall occur" cancellation point. Add back the cleanup handler removed in cf30aa43a5917f441c9438aaee201c53c8e1d76b. Checked on i686-gnu and x86_64-linux-gnu. Message-Id: <20230619143842.2901522-1-josimmon@redhat.com>
2023-06-19hurd: writev: Get rid of allocaJoe Simmons-Talbott
Use a scratch_buffer rather than alloca to avoid potential stack overflows. Checked on i686-gnu and x86_64-linux-gnu Message-Id: <20230608155844.976554-1-josimmon@redhat.com>
2023-06-13posix: Handle success in gai_strerror()Dridi Boukelmoune
Signed-off-by: Dridi Boukelmoune <dridi.boukelmoune@gmail.com> Reviewed-by: Arjun Shankar <arjun@redhat.com>
2023-05-29posix: Add error message for EAI_OVERFLOWDridi Boukelmoune
Signed-off-by: Dridi Boukelmoune <dridi.boukelmoune@gmail.com> Reviewed-by: Arjun Shankar <arjun@redhat.com>
2023-03-28system: Add "--" after "-c" for sh (BZ #28519)Joe Simmons-Talbott
Prevent sh from interpreting a user string as shell options if it starts with '-' or '+'. Since the version of /bin/sh used for testing system() is different from the full-fledged system /bin/sh add support to it for handling "--" after "-c". Add a testcase to ensure the expected behavior. Signed-off-by: Joe Simmons-Talbott <josimmon@redhat.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-03-27libio: Do not autogenerate stdio_lim.hAdhemerval Zanella Netto
Instead define the required fields in system dependend files. The only system dependent definition is FILENAME_MAX, which should match POSIX PATH_MAX, and it is obtained from either kernel UAPI or mach headers. Currently set pre-defined value from current kernels. It avoids a circular dependendy when including stdio.h in gen-as-const-headers files. Checked on x86_64-linux-gnu and i686-linux-gnu Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2023-03-27Move libc_freeres_ptrs and libc_subfreeres to hidden/weak functionsAdhemerval Zanella Netto
They are both used by __libc_freeres to free all library malloc allocated resources to help tooling like mtrace or valgrind with memory leak tracking. The current scheme uses assembly markers and linker script entries to consolidate the free routine function pointers in the RELRO segment and to be freed buffers in BSS. This patch changes it to use specific free functions for libc_freeres_ptrs buffers and call the function pointer array directly with call_function_static_weak. It allows the removal of both the internal macros and the linker script sections. Checked on x86_64-linux-gnu, i686-linux-gnu, and aarch64-linux-gnu. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2023-03-07posix: Fix system blocks SIGCHLD erroneously [BZ #30163]Adam Yi
Fix bug that SIGCHLD is erroneously blocked forever in the following scenario: 1. Thread A calls system but hasn't returned yet 2. Thread B calls another system but returns SIGCHLD would be blocked forever in thread B after its system() returns, even after the system() in thread A returns. Although POSIX does not require, glibc system implementation aims to be thread and cancellation safe. This bug was introduced in 5fb7fc96350575c9adb1316833e48ca11553be49 when we moved reverting signal mask to happen when the last concurrently running system returns, despite that signal mask is per thread. This commit reverts this logic and adds a test. Signed-off-by: Adam Yi <ayi@janestreet.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2023-01-06Update copyright dates with scripts/update-copyrightsJoseph Myers
2022-09-28get_nscd_addresses: Fix subscript typos [BZ #29605]Jörg Sonnenberger
Fix the subscript on air->family, which was accidentally set to COUNT when it should have remained as I. Resolves: BZ #29605 Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-09-26Use atomic_exchange_release/acquireWilco Dijkstra
Rename atomic_exchange_rel/acq to use atomic_exchange_release/acquire since these map to the standard C11 atomic builtins. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2022-08-30posix: Fix macro expansion producing 'defined' has undefined behaviorAdhemerval Zanella
The NEED_CHECK_SPEC is defined as: #define NEED_CHECK_SPEC \ (!defined _XBS5_ILP32_OFF32 || !defined _XBS5_ILP32_OFFBIG \ || !defined _XBS5_LP64_OFF64 || !defined _XBS5_LPBIG_OFFBIG \ || !defined _POSIX_V6_ILP32_OFF32 || !defined _POSIX_V6_ILP32_OFFBIG \ || !defined _POSIX_V6_LP64_OFF64 || !defined _POSIX_V6_LPBIG_OFFBIG \ || !defined _POSIX_V7_ILP32_OFF32 || !defined _POSIX_V7_ILP32_OFFBIG \ || !defined _POSIX_V7_LP64_OFF64 || !defined _POSIX_V7_LPBIG_OFFBIG) Which is undefined behavior accordingly to C Standard (Preprocessing directives, p4). Checked on x86_64-linux-gnu.
2022-08-23Merge _GL_UNUSED C23 patch from GnulibPaul Eggert
* posix/getopt.c (_getopt_initialize): * sysdeps/posix/tempname.c (try_dir, try_nocreate): Put _GL_UNUSED before args instead of after. This makes no difference for glibc. It is needed for Gnulib when being compiled on non-GCC C23 compilers.
2022-08-03stdio: Clean up __libc_message after unconditional abortFlorian Weimer
Since commit ec2c1fcefb200c6cb7e09553f3c6af8815013d83 ("malloc: Abort on heap corruption, without a backtrace [BZ #21754]"), __libc_message always terminates the process. Since commit a289ea09ea843ced6e5277c2f2e63c357bc7f9a3 ("Do not print backtraces on fatal glibc errors"), the backtrace facility has been removed. Therefore, remove enum __libc_message_action and the action argument of __libc_message, and mark __libc_message as _No_return. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2022-06-30Refactor internal-signals.hAdhemerval Zanella
The main drive is to optimize the internal usage and required size when sigset_t is embedded in other data structures. On Linux, the current supported signal set requires up to 8 bytes (16 on mips), was lower than the user defined sigset_t (128 bytes). A new internal type internal_sigset_t is added, along with the functions to operate on it similar to the ones for sigset_t. The internal-signals.h is also refactored to remove unused functions Besides small stack usage on some functions (posix_spawn, abort) it lower the struct pthread by about 120 bytes (112 on mips). Checked on x86_64-linux-gnu. Reviewed-by: Arjun Shankar <arjun@redhat.com>
2022-06-01socket: Use 64 bit stat for isfdtype (BZ# 29209)Adhemerval Zanella
This is a missing spot initially from 52a5fe70a2c77935. Checked on i686-linux-gnu.
2022-06-01posix: Use 64 bit stat for fpathconf (_PC_ASYNC_IO) (BZ# 29208)Adhemerval Zanella
This is a missing spot initially from 52a5fe70a2c77935. Checked on i686-linux-gnu.
2022-06-01posix: Use 64 bit stat for posix_fallocate fallback (BZ# 29207)Adhemerval Zanella
This is a missing spot initially from 52a5fe70a2c77935. Checked on i686-linux-gnu.
2022-03-23gmon: Remove unused sprofil.c functionsAdhemerval Zanella
2022-03-23getaddrinfo: Refactor code for readabilitySiddhesh Poyarekar
The close_retry goto jump is confusing and clumsy to read, so refactor the code a bit to make it easier to follow. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22gai_init: Avoid jumping from if condition to its else counterpartSiddhesh Poyarekar
Clean up another antipattern where code flows from an if condition to its else counterpart with a goto. Most of the change in this patch is whitespace-only; a `git diff -b` ought to show the actual logic changes. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22gaiconf_init: Refactor some bits for readabilitySiddhesh Poyarekar
Split out line processing for `label`, `precedence` and `scopev4` into separate functions instead of the gotos. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22gethosts: Return EAI_MEMORY on allocation failureSiddhesh Poyarekar
All other cases of failures due to lack of memory return EAI_MEMORY, so it seems wrong to return EAI_SYSTEM here. The only reason convert_hostent_to_gaih_addrtuple could fail is on calloc failure. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22gaih_inet: Split result generation into its own functionSiddhesh Poyarekar
Simplify the loop a wee bit and clean up variable names too. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22gaih_inet: split loopback lookup into its own functionSiddhesh Poyarekar
Flatten the condition nesting and replace the alloca for RET.AT/ATR with a single array LOCAL_AT[2]. This gets rid of alloca and alloca accounting. `git diff -b` is probably the best way to view this change since much of the diff is whitespace changes. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22gaih_inet: make gethosts into a functionSiddhesh Poyarekar
The macro is quite a pain to debug, so make gethosts into a function to make it easier to maintain. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22gaih_inet: separate nss lookup loop into its own functionSiddhesh Poyarekar
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22gaih_inet: Split nscd lookup code into its own function.Siddhesh Poyarekar
Add a new member got_ipv6 to indicate if the results have an IPv6 result and use it instead of the local got_ipv6. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22gaih_inet: Split simple gethostbyname into its own functionSiddhesh Poyarekar
Add a free_at flag in gaih_result to indicate if res.at needs to be freed by the caller. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22gaih_inet: make numeric lookup a separate routineSiddhesh Poyarekar
Introduce the gaih_result structure and general paradigm for cleanups that follow to process the lookup request and return a result. A lookup function (like text_to_binary_address), should return an integer error code and set members of gaih_result based on what it finds. If the function does not have a result and no errors have occurred during the lookup, it should return 0 and res.at should be set to NULL, allowing a subsequent function to do the lookup until we run out of options. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22gaih_inet: Simplify service resolutionSiddhesh Poyarekar
Refactor the code to split out the service resolution code into a separate function. Allocate the service tuples array just once to the size of the typeproto array, thus avoiding the unnecessary pointer chasing and stack allocations. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22getaddrinfo: Fix leak with AI_ALL [BZ #28852]Siddhesh Poyarekar
Use realloc in convert_hostent_to_gaih_addrtuple and fix up pointers in the result list so that a single block is maintained for hostbyname3_r/hostbyname2_r and freed in gaih_inet. This result is never merged with any other results, since the hosts database does not permit merging. Resolves BZ #28852. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22gaih_inet: Simplify canon name resolutionSiddhesh Poyarekar
Simplify logic for allocation of canon to remove the canonbuf variable; canon now always points to an allocated block. Also pull the canon name set into a separate function. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: DJ Delorie <dj@redhat.com>
2022-03-22Simplify allocations and fix merge and continue actions [BZ #28931]Siddhesh Poyarekar
Allocations for address tuples is currently a bit confusing because of the pointer chasing through PAT, making it hard to observe the sequence in which allocations have been made. Narrow scope of the pointer chasing through PAT so that it is only used where necessary. This also tightens actions behaviour with the hosts database in getaddrinfo to comply with the manual text. The "continue" action discards previous results and the "merge" action results in an immedate lookup failure. Consequently, chaining of allocations across modules is no longer necessary, thus opening up cleanup opportunities. A test has been added that checks some combinations to ensure that they work correctly. Resolves: BZ #28931 Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: DJ Delorie <dj@redhat.com>
2022-01-24getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999)Siddhesh Poyarekar
No valid path returned by getcwd would fit into 1 byte, so reject the size early and return NULL with errno set to ERANGE. This change is prompted by CVE-2021-3999, which describes a single byte buffer underflow and overflow when all of the following conditions are met: - The buffer size (i.e. the second argument of getcwd) is 1 byte - The current working directory is too long - '/' is also mounted on the current working directory Sequence of events: - In sysdeps/unix/sysv/linux/getcwd.c, the syscall returns ENAMETOOLONG because the linux kernel checks for name length before it checks buffer size - The code falls back to the generic getcwd in sysdeps/posix - In the generic func, the buf[0] is set to '\0' on line 250 - this while loop on line 262 is bypassed: while (!(thisdev == rootdev && thisino == rootino)) since the rootfs (/) is bind mounted onto the directory and the flow goes on to line 449, where it puts a '/' in the byte before the buffer. - Finally on line 458, it moves 2 bytes (the underflowed byte and the '\0') to the buf[0] and buf[1], resulting in a 1 byte buffer overflow. - buf is returned on line 469 and errno is not set. This resolves BZ #28769. Reviewed-by: Andreas Schwab <schwab@linux-m68k.org> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> Signed-off-by: Qualys Security Advisory <qsa@qualys.com> Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-15hurd: Fix timer/clock_getres crash on NULL res parameterSamuel Thibault
POSIX allows res to be NULL.
2022-01-01Update copyright dates with scripts/update-copyrightsPaul Eggert
I used these shell commands: ../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright (cd ../glibc && git commit -am"[this commit message]") and then ignored the output, which consisted lines saying "FOO: warning: copyright statement not found" for each of 7061 files FOO. I then removed trailing white space from math/tgmath.h, support/tst-support-open-dev-null-range.c, and sysdeps/x86_64/multiarch/strlen-vec.S, to work around the following obscure pre-commit check failure diagnostics from Savannah. I don't know why I run into these diagnostics whereas others evidently do not. remote: *** 912-#endif remote: *** 913: remote: *** 914- remote: *** error: lines with trailing whitespace found ... remote: *** error: sysdeps/unix/sysv/linux/statx_cp.c: trailing lines
2021-09-27posix: Remove spawni.cAdhemerval Zanella
Although it provide an alternate implementation that communicates using pipe() instead of shared memory, no port uses and it adds extra burden for posix_spawn() extensions. Reviewed-by: Florian Weimer <fweimer@redhat.com>
2021-09-03Remove "Contributed by" linesSiddhesh Poyarekar
We stopped adding "Contributed by" or similar lines in sources in 2012 in favour of git logs and keeping the Contributors section of the glibc manual up to date. Removing these lines makes the license header a bit more consistent across files and also removes the possibility of error in attribution when license blocks or files are copied across since the contributed-by lines don't actually reflect reality in those cases. Move all "Contributed by" and similar lines (Written by, Test by, etc.) into a new file CONTRIBUTED-BY to retain record of these contributions. These contributors are also mentioned in manual/contrib.texi, so we just maintain this additional record as a courtesy to the earlier developers. The following scripts were used to filter a list of files to edit in place and to clean up the CONTRIBUTED-BY file respectively. These were not added to the glibc sources because they're not expected to be of any use in future given that this is a one time task: https://gist.github.com/siddhesh/b5ecac94eabfd72ed2916d6d8157e7dc https://gist.github.com/siddhesh/15ea1f5e435ace9774f485030695ee02 Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2021-08-04gethosts: Remove unused argument _typeSiddhesh Poyarekar
The generated code is unchanged.
2021-08-03gaiconf_init: Avoid double-free in label and precedence listsSiddhesh Poyarekar
labellist and precedencelist could get freed a second time if there are allocation failures, so set them to NULL to avoid a double-free. Reviewed-by: Arjun Shankar <arjun@redhat.com>