Bug 7065

Summary: Support building glibc with -fstack-protector or -fstack-protector-all
Product: glibc Reporter: Nix <nix>
Component: buildAssignee: Florian Weimer <fweimer>
Status: RESOLVED FIXED    
Severity: enhancement CC: aj, atoth, carlos, fweimer, glibc-bugs, jyasskin, nick.alcock, toolchain, xake, zorry
Priority: P2 Flags: fweimer: security-
Version: unspecified   
Target Milestone: 2.25   
Host: Target:
Build: Last reconfirmed:
Attachments: stack protector support for glibc
stack protector support against eglibc 2.13.

Description Nix 2008-12-04 00:38:31 UTC
Several distributions, including Gentoo, have patches which attempt to make 
glibc build when compiled with -fstack-protector. None of them that I have 
found actually work: at best, they make it crash instantly, because none of 
them suppress generation of stack guards around functions called before the 
guard is initialized (or even before ld-linux.so.2 has relocated itself).

For now I'd consider it more of a maintenance burden than it's worth to
isolate the parts of ld.so that are called before security_init(), so
I've just arranged to avoid using the stack-protector in ld.so, and
marked the few things not also in the dynamic loader which are used
during pre-guard-init static library initialization with
-fno-stack-protector. (An improvement might be to mark these with
-fno-stack-protector only when building the static library.)

I can't think of a way to isolate the functions in this set automatically, but 
if you get it wrong it's easy to tell because you get an instant coredump, so 
it's easy to prevent the set of -fno-stack-protectored functions from 
bitrotting, manually maintained though it must be.)

You can still use -fstack-protector-all in all the rest of glibc, which
is an order of magnitude more code than ld.so and includes really hairy
stuff like malloc() and lots of functions that themselves call
string-manipulation functions, so I'd say this is a pretty good
tradeoff.

Some of the module tests need adjustment: they don't link against
libc, so must specify -fno-stack-protector; the same is true of some of the 
configury, taking care not to specify that unless GCC is actually capable of 
accepting -fstack-protector. (We specify -lssp and leave the stack protector on 
where possible in configure tests.)

Results of tests and patch against glibc 2.9 following shortly.
Comment 1 Ulrich Drepper 2008-12-04 00:44:36 UTC
Never going to happen.
Comment 2 Nix 2008-12-04 00:53:50 UTC
test environment: 2.6.27.7 kernel+headers, glibc 2.8, GCC 4.3.3 20081121 
(prerelease), binutils 2.19.

config flags (my standard set for this machine):

/usr/packages/glibc/2.9/configure --prefix=/usr --enable-shared \
    --enable-profile --disable-bounded --enable-bind-now        \
    --enable-add-ons=nptl,libidn --enable-kernel=2.6.25         \
    --enable-check-abi=warn --enable-omitfp                     \
    --enable-stackguard-randomization TIMEOUTFACTOR=5

Below, PASS means 'baseline test failures only'. (I also compared
configure output to verify that -fstack-protector addition did not
change the results of any configure tests, and verified that the
appropriate -fstack-protector actually appeared in gcc commandlines at
the appropriate times.)

baseline:                              PASS, by definition
patch applied, no flags specified:     PASS
-fstack-protector in CFLAGS:           PASS
-fstack-protector-all in CFLAGS:       one failure due to #7066, buffer overrun
--without-stack-protector:             PASS
--with-stack-protector:                PASS
--with-stack-protector=all:            one failure due to #7066, buffer overrun

Test failures for baseline (unpatched):

math/test-ildoubl.out:

testing long double (inline functions)
Failure: Test: expm1 (1) == M_El - 1.0
Result:
 is:          1.71828182845904523532e+00   0xd.bf0a8b14576953500000p-3
 should be:   1.71828182845904523543e+00   0xd.bf0a8b14576953600000p-3
 difference:  1.08420217248550443401e-19   0x8.00000000000000000000p-66
 ulp       :  1.0000
 max.ulp   :  0.0000
Maximal error of `expm1'
 is      : 1 ulp
 accepted: 0 ulp

Test suite completed:
  3618 test cases plus 3005 tests for exception flags executed.
  2 errors occurred.

elf/check-localplt.out:

--- ../scripts/data/localplt-i386-linux-gnu.data        2006-01-11 
21:06:19.000000000 +0000
+++ -   2008-11-30 20:52:09.962033876 +0000
@@ -1,4 +1,5 @@
 libc.so: _Unwind_Find_FDE
+libc.so: __bzero
 libc.so: calloc
 libc.so: free
 libc.so: malloc

(This looks like something missing from localplt-i386-linux-gnu.data to
me, not a bug.)

(Holes in test coverage: not tested with a GCC too old to support
-fstack-protector. Static testing not performed: see #7064.)
Comment 3 Nix 2008-12-04 00:55:44 UTC
Created attachment 3087 [details]
stack protector support for glibc

This is posted at the request of Carlos O'Donell. TBH I don't care if it
doesn't go upstream, although given that it's already found a buffer overrun in
glibc I'd find that surprising. I'm more interested in distros picking it up.

(And 'never going to happen' is a peculiar statement. It has 'happened'. The
patch *exists*.)
Comment 4 Ryan S. Arnold 2008-12-10 17:09:10 UTC
Nix

A failure in elf/check-localplt.out as indicated by a new symbol in
scripts/data/localplt-i386-linux-gnu.data means that libc proper is invoking the
new symbol via the plt when in-fact it should be making a direct invocation to a
libc internal symbol.  There are very few conditions under which this is allowed
(notably those cases where we allow libc functionality to be overridden).

I've looked through the code and it appears that the sunrpc code is the only
relevant code which uses __bzero.  I don't think there's an internal hidden
version of the symbol.  So these calls to __bzero probably shouldn't be there. 
Instead, they should use memset.  Or perhaps that patch which you're using uses
__bzero?

In order to verify, one can look at the symbol table:

objdump -DR libc.so > libc.dis

Search libc.dis for:

__bzero@plt

You should see a plt call stub, e.g.

00016198 <__bzero@plt>:
   16198:       ff a3 0c 00 00 00       jmp    *0xc(%ebx)
   1619e:       68 00 00 00 00          push   $0x0
   161a3:       e9 e0 ff ff ff          jmp    16188 <h_errno+0x16168>

Now search for: "call   16198"

call   16198 <__bzero@plt>

This should bring you to the disassembly of the function which invoked __bzero
via the PLT.  You can then go into the C source file and replace this with a
memset.  Do this for all calls to the address for __bzero.
Comment 5 Ryan S. Arnold 2008-12-10 18:51:38 UTC
Here's a more thorough write-up of the same thing I just posted:

http://sources.redhat.com/glibc/wiki/Testing/Check-localplt

Invocation of __bzero() by the sunrpc code is acceptable since that code is in a
different library than libc.so so access via the PLT is expected.
Comment 6 Nix 2008-12-13 19:02:50 UTC
Nice description, Ryan :)

A lot of the sunrpc code *does* land in libc (all the client code). Notably, 
bindresvport(), clnt_create(), clnt_broadcast(), universal() (called from 
registerrpc() via a callback from svc_register()), svctcp_create(), 
svcudp_bufcreate(), and key_gendes(), _des_crypt() (obviously used for 
DES-encrypted SunRPC), all explicitly call __bzero() and land in libc.

Almost certainly these would use memset() were the SunRPC code not ancient 
Sun-derived gunge with a 1986 copyright date...
Comment 7 Attila Tóth 2008-12-14 11:32:10 UTC
Keep it going, guys.

To Ulrich Drepper:
How do you mean: "Never going to happen."?!

I always keen on people ignoring security measures.

Regards,
Dw.
Comment 8 Robert Connolly 2009-06-04 22:25:35 UTC
I've been using a compromise. Glibc's programs can be compiled 
with -fstack-protector-all, or whatever other options you may want 
(-D_FORTIFY_SOURCE=2, -fPIE, etc), but not the libraries. I use the configparms 
file and set build-programs=no to build the libraries 
without -fstack-protector, then remove build-programs=no and add 'CFLAGS 
+= -fstack-protector-all' to configparms. No patches needed, test suites pass 
(remove -fstack-protector during the test suite), no crashes.
Comment 9 Nix 2012-02-26 23:37:48 UTC
Created attachment 6248 [details]
stack protector support against eglibc 2.13.

This is the most recent version of this patch, against eglibc 2.13 (because that happens to be the version I'm using now, as I track Debian's glibc). It has needed no significant revisions for years, though the recent csu changes in upstream glibc may necessitate some small revisions.

(The ChangeLog is out of date: I haven't regenerated it since 2008.)
Comment 10 Andreas Jaeger 2012-04-21 12:55:37 UTC
Your change contains two different changes:
* Supporting stack-protector
* A different implementation of chk_fail function

For addition to glibc, I would only look at the stack-protector support. I suggest you continue discussing this on the libc-alpha list.
Comment 11 Jackie Rosen 2014-02-16 19:20:15 UTC Comment hidden (spam)
Comment 12 Nick Alcock 2016-02-17 10:19:41 UTC
(In reply to Andreas Jaeger from comment #10)
> Your change contains two different changes:
> * Supporting stack-protector
> * A different implementation of chk_fail function
> 
> For addition to glibc, I would only look at the stack-protector support. I
> suggest you continue discussing this on the libc-alpha list.

It's terribly late (I frankly forgot this bug existed) but I'm about to reanimate this one. (I suspect it protects me from CVE-2015-7545 and it seems unfair to keep it to myself like this.)

However, splitting the different changes apart is rather difficult: the stack-protector changes actually depend on the different stack_chk_fail, because the existing __stack_chk_fail() -> __fortify_fail() -> __libc_message() path ends up calling down to libio and the like, and if you're to use those for __stack_chk_fail() all those routines cannot themselves be compiled with stack-protection. The gentoo-derived routine I replaced it with uses none of that, and is standalone.

Anyway -- that's just one of several possible problems with this patch! I'll reanimate the patch against trunk and then bring it up on the list (and my apologies for putting it off for so long).
Comment 13 Nick Alcock 2016-02-17 10:22:16 UTC
(In reply to Nick Alcock from comment #12)
> It's terribly late (I frankly forgot this bug existed) but I'm about to
> reanimate this one. (I suspect it protects me from CVE-2015-7545 and it
> seems unfair to keep it to myself like this.)

Damn typos. CVE-2015-7547 of course. CVEs should have a check digit, I make this sort of typo way too often.
Comment 14 Attila Tóth 2016-02-19 10:26:43 UTC
(In reply to Nick Alcock from comment #12)
> (In reply to Andreas Jaeger from comment #10)
> > Your change contains two different changes:
> > * Supporting stack-protector
> > * A different implementation of chk_fail function
> > 
> > For addition to glibc, I would only look at the stack-protector support. I
> > suggest you continue discussing this on the libc-alpha list.
> 
> Anyway -- that's just one of several possible problems with this patch! I'll
> reanimate the patch against trunk and then bring it up on the list (and my
> apologies for putting it off for so long).

Happy to hear about it. Please share your stuff! Thx: Dw.
Comment 15 Nick Alcock 2016-02-20 10:27:26 UTC
Initial patch series (against trunk as of a couple of days ago) posted for review, complete with rough bits, "I don't understand this" bits, bits I posted specifically so they could be rejected and no changelog. But it works, and has no test failures. :)
Comment 16 Magnus Granberg 2016-02-20 11:57:27 UTC
(In reply to Nick Alcock from comment #15)
> Initial patch series (against trunk as of a couple of days ago) posted for
> review, complete with rough bits, "I don't understand this" bits, bits I
> posted specifically so they could be rejected and no changelog. But it
> works, and has no test failures. :)

The stack_chk_fail.c have been updated on >= glibc-2.20 on Gentoo
https://gitweb.gentoo.org/repo/gentoo.git/tree/sys-libs/glibc/files/2.20
On Gcc 6.0 it is a default configure option to turn on stack-protector-strong.
Keep up the work
Comment 17 Nick Alcock 2016-02-20 12:02:26 UTC
Yeah, that looks nice! though with its replacing all the chk functions it's even more clearly a separate thing (though still a prerequisite for my patch).
Comment 18 Nick Alcock 2016-03-08 14:14:08 UTC
Aside: just posted v5. No new failures remain on {x86,sparc}*-pc-linux-gnu or armv7l-unknown-linux-gnueabihf, and the entire package saving only ifunc resolvers, ld.so, a tiny bit of BSD signal handling, and early static library startup (unfortunately including brk() and sbrk()) is protected.
Comment 19 Nick Alcock 2016-03-08 14:15:07 UTC
Oh, and we no longer need to replace __stack_chk_fail etc as of a few patches ago (figured out the true root cause and fixed it properly).
Comment 20 cvs-commit@gcc.gnu.org 2016-07-28 17:05:56 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, fw/stack-protector has been created
        at  82f2eb623ce1d9bd0a4d2c45d9d47688e71ed383 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=82f2eb623ce1d9bd0a4d2c45d9d47688e71ed383

commit 82f2eb623ce1d9bd0a4d2c45d9d47688e71ed383
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Tue Jun 7 12:06:16 2016 +0100

    Enable -fstack-protector=* when requested by configure.
    
    This finally turns on all the machinery added in previous commits.
    
    v3: Wrap long lines.
    v5: Shuffle to the end.
    
    	* Makeconfig (+stack-protector): New variable.
    	(+cflags): Use it.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=11533a025509becc37503eab765e8e769e882283

commit 11533a025509becc37503eab765e8e769e882283
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Tue Jun 7 12:06:15 2016 +0100

    Do not stack-protect sigreturn stubs.
    
    These are called from the kernel with the stack at a carefully-
    chosen location so that the stack frame can be restored: they must not
    move the stack pointer lest garbage be restored into the registers.
    
    We explicitly inhibit protection for SPARC and for signal/sigreturn.c:
    other arches either define their sigreturn stubs in .S files, or (i386,
    x86_64, mips) use macros expanding to top-level asm blocks and explicit
    labels in the text section to mock up a "function" without telling the
    compiler that one is there at all.
    
    v2: New.
    v3: Use $(no-stack-protector).
    v4: Use inhibit_stack_protector.
    v7: Add sigreturn.c.
    
    	* signal/Makefile (CFLAGS-sigreturn.c): Use
    	$(no-stack-protector).
    	* sysdeps/unix/sysv/linux/sparc/sparc64/sigaction.c:
    	(__rt_sigreturn_stub): Use inhibit_stack_protector.
    	* sysdeps/unix/sysv/linux/sparc/sparc32/sigaction.c
    	(__rt_sigreturn_stub): Likewise.
    	(__sigreturn_stub): Likewise.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=14b3c413f1b1dd1bfc0bae45fc042a4de56b85af

commit 14b3c413f1b1dd1bfc0bae45fc042a4de56b85af
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Tue Jun 7 12:06:14 2016 +0100

    Drop explicit stack-protection of pieces of the system.
    
    This is probably a bad idea: maybe we want to stack-protect some parts
    of the system even when ! --enable-stack-protector.  I can easily adjust
    the patch to do that (though it'll mean introducing a new variable
    analogous to $(stack-protector) but not controlled by the configure
    flag.)
    
    But if we wanted to value consistency over security, and use the same
    stack-protection configure flag to control everything, this is how we'd
    do it!
    
    ("Always include at least one patch with something obviously wrong with
    it.")
    
    	* login/Makefile (pt_chown-cflags): Remove.
    	* nscd/Makefile (CFLAGS-nscd): Likewise.
    	* resolv/Makefile (CFLAGS-libresolv): Likewise.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=72bb1d426913236e2059e0001afcd75782ef8ff6

commit 72bb1d426913236e2059e0001afcd75782ef8ff6
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Tue Jun 7 12:06:13 2016 +0100

    Link various tests with -fno-stack-protector.
    
    These tests do not link with libc, so cannot see __stack_chk_fail().
    
    v3: Use $(no-stack-protector).
    
    	* elf/Makefile (CFLAGS-filtmod1.c): Use $(no-stack-protector) for
    	non-libc-linking testcase.
    	(CFLAGS-filtmod2.c): Likewise.
    	* stdlib/Makefile (CFLAGS-tst-putenvmod.c): Likewise.
    	* sysdeps/x86_64/Makefile (CFLAGS-tst-quad1pie.c): Likewise.
    	(CFLAGS-tst-quad2pie.c): Likewise.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f738b8f9e2c63772979e26e491ecf055bff28c50

commit f738b8f9e2c63772979e26e491ecf055bff28c50
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date:   Tue Jun 7 12:06:12 2016 +0100

    De-PLTize __stack_chk_fail internal calls within libc.so.
    
    We use the same assembler-macro trick we use to de-PLTize
    compiler-generated libcalls to memcpy and memset to redirect
    __stack_chk_fail to __stack_chk_fail_local.
    
    v5: New.
    v6: Only do it within the shared library: with __stack_chk_fail_local
        in libc_pic.a now we don't need to worry about calls from inside
        other routines in libc_nonshared.a any more.
    
    	* sysdeps/generic/symbol-hacks.h (__stack_chk_fail): Add internal
    	alias.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4f2b01de3ab88daefdc239a3c25640153b88283d

commit 4f2b01de3ab88daefdc239a3c25640153b88283d
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Tue Jun 7 12:06:11 2016 +0100

    Add stack_chk_fail_local to libc.so.
    
    This is required by the next commit, which routes all
    __stack_chk_fail() calls in libc.so via this function to avoid
    the PLT.  It has be duplicated in libc.so and libc_nonshared.a
    because its entire reason for existence is to be hidden and avoid
    the PLT, so the copy in libc.so is not visible from elsewhere.
    
    Also stop all the variants of __stack_chk_fail from being stack-
    protected: this makes no sense and risks recursion.
    
    v5: Better explanation.  Add no-stack-protection of
        __stack_chk_fail_local etc.
    v6: Rework as suggested by Andreas: make a shared-only version of
        stack_chk_fail_local.c rather than linking libc_nonshared into
        libc.
    
    	* debug/libc-stack_chk_fail_local.c: New file.
    	* debug/Makefile (routines): Add it.
    	(shared-only-routines): Likewise.
    	(CFLAGS-stack_chk_fail.c): Use $(no-stack-protector).
    	(CFLAGS-stack_chk_fail_local.c): Likewise.
    	(CFLAGS-libc-stack_chk_fail_local.c): Likewise.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=085d48cdc5494e642cc7016649a75ab200a03781

commit 085d48cdc5494e642cc7016649a75ab200a03781
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Tue Jun 7 12:06:10 2016 +0100

    Work even with compilers hacked to enable -fstack-protector by default.
    
    With all the machinery we just added, we can easily arrange to work even
    when the compiler passes in -fstack-protector automatically: all the
    necessary bits of glibc are always compiled with -fno-stack-protector
    now.
    
    So tear out the check in configure, and add appropriate calls to
    -fno-stack-protector in tests that need them (largely those that use
    -nostdlib), since we don't yet have a __stack_chk_fail() that those
    tests can rely upon.  (GCC often provides one, but we cannot rely on
    this, especially not when bootstrapping.)
    
    v2: No longer pass in -lssp to anything.
    v5: Remove accidentally duplicated $(no_ssp)s.
    v6: Small revisions following Mike Frysinger's review.
    
    	* configure.ac: Add check for unsupported stack-protection level.
    	(libc_cv_predef_stack_protector): Remove.
    	(no_ssp): New variable.
    	(libc_cv_ld_gnu_indirect_function): Use it.
    	(libc_cv_asm_set_directive): Likewise.
    	(libc_cv_protected_data): Likewise.
    	(libc_cv_z_combreloc): Likewise.
    	(libc_cv_hashstyle): Likewise.
    	(libc_cv_has_glob_dat): Likewise.
    	(libc_cv_output_format): Likewise.
    	(libc_cv_ehdr_start): Likewise.
    	* aclocal.m4 (LIBC_TRY_LINK_STATIC): Likewise.
    	(LIBC_LINKER_FEATURE): Likewise.
    	(LIBC_COMPILER_BUILTIN_INLINED): Likewise.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=10bb23d6cd48055ba4974119bc1cf87f4d8063e5

commit 10bb23d6cd48055ba4974119bc1cf87f4d8063e5
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Tue Jun 7 12:06:09 2016 +0100

    Prevent the rtld mapfile computation from dragging in __stack_chk_fail*.
    
    The previous commit prevented rtld itself from being built with
    -fstack-protector, but this is not quite enough.  We identify which
    objects belong in rtld via a test link and analysis of the resulting
    mapfile.  That link is necessarily done against objects that are
    stack-protected, so drags in __stack_chk_fail_local, __stack_chk_fail,
    and all the libc and libio code they use.
    
    To stop this happening, use --defsym in the test librtld.map-production
    link to force the linker to predefine these two symbols (to 0, but it
    could be to anything).  (In a real link, this would of course be
    catastrophic, but these object files are never used for anything else.)
    
    v2: New.
    v6: Dummy out stack_chk_fail_local too.
    
    	* elf/Makefile (dummy-stack-chk-fail): New.
    	($(objpfx)librtld.map): Use it.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0718bc3e5680502076efaba7fe3000d8d896c52f

commit 0718bc3e5680502076efaba7fe3000d8d896c52f
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Tue Jun 7 12:06:08 2016 +0100

    Compile the entire dynamic linker with -fno-stack-protector.
    
    Also compile corresponding routines in the static libc.a with the same
    flag.
    
    v3: Use $(no-stack-protector).
        Introduce $(elide-stack-protector) and use it to reduce redundancy.
        Bring all the elisions together textually.
    
    	* elf/Makefile (elide-stack-protector): New.
    	(CFLAGS-.os): Use it, eliding $(all-rtld-routines).
    	(CFLAGS-.oX): Likewise, eliding $(elide-routines.os).
    	(rtld-CFLAGS): Likewise.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=dcb6b662b71117834db8732bd46649557f554a58

commit dcb6b662b71117834db8732bd46649557f554a58
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Tue Jun 7 12:06:06 2016 +0100

    Mark all machinery needed in early static-link init as -fno-stack-protector.
    
    The startup code in csu/, brk() and sbrk(), and the
    __pthread_initialize_tcb_internal() function we just introduced are
    needed very early in initialization of a statically-linked program,
    before the stack guard is initialized.  Mark all of these as
    -fno-stack-protector.
    
    We also finally introduce @libc_cv_ssp@ and @no_stack_protector@, both
    substituted by the configury changes made earlier, to detect the case
    when -fno-stack-protector is supported by the compiler, and
    unconditionally pass it in when this is the case, whether or not
    --enable-stack-protector is passed to configure.  (This means that
    it'll even work when the compiler's been hacked to pass
    -fstack-protector by default, unless the hackage is so broken that
    it does so in a way that is impossible to override.)
    
    (At one point we marked __libc_fatal() as non-stack-protected too,
    but this was pointless: all it did was call other routines which *are*
    stack-protected.  The earliest __libc_fatal() call is in the
    DL_SYSDEP_OSCHECK hook on some platforms, when statically linking:
    this is fine, since it is after TLS and stack-canary initialization.
    I have tested invocation of programs statically and dynamically
    linked against this glibc on older kernels on x86 and ARM, and they
    still "work", i.e. fail with the appropriate message.)
    
    v2: No longer mark memcpy() as -fno-stack-protector.
    v3: Use $(no-stack-protector).
    v4: Use inhibit_stack_protector rather than de-protecting all of nptl-init.c.
    v5: Don't stack-protect brk() and sbrk() in the shared library.
    v7: Add comment in misc/Makefile.  Commit message tweak.
    
    	* config.make.in (have-ssp): New.
    	(no-stack-protector): New.
    	* csu/Makefile (CFLAGS-.o): Use it.
    	(CFLAGS-.og): Likewise.
    	(CFLAGS-.op): Likewise.
    	(CFLAGS-.os): Likewise.
    	* misc/Makefile (CFLAGS-sbrk.o): Likewise.
    	(CFLAGS-sbrk.op): Likewise.
    	(CFLAGS-sbrk.og): Likewise.
    	(CFLAGS-brk.o): Likewise.
    	(CFLAGS-brk.op): Likewise.
    	(CFLAGS-brk.og): Likewise.
    	* nptl/nptl-init.c [!SHARED] (__pthread_initialize_tcb_internal):
    	Likewise.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d23b1cd0cf47428831e451eb7fda5434982b0675

commit d23b1cd0cf47428831e451eb7fda5434982b0675
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon Jul 4 12:25:57 2016 +0200

    Define inhibit_stack_protector

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1a410af4d0c0b57ca0eff9546cf18539ebfce8af

commit 1a410af4d0c0b57ca0eff9546cf18539ebfce8af
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Tue Jun 7 12:06:04 2016 +0100

    Initialize the stack guard earlier when linking statically.
    
    The address of the stack canary is stored in a per-thread variable,
    which means that we must ensure that the TLS area is intialized before
    calling any -fstack-protector'ed functions.  For dynamically linked
    applications, we ensure this (in a later patch) by disabling
    -fstack-protector for the whole dynamic linker, but for static
    applications the AT_ENTRY address is called directly by the kernel, so
    we must deal with the problem differently.
    
    So split out the part of pthread initialization that sets up the TCB
    (and, more generally, the TLS area) into a separate function (twice --
    there is one implementation in libpthread.a, and another outside it for
    programs that do not link with libpthread), then call it at
    initialization time.  Call that, and move the stack guard initialization
    above the DL_SYSDEP_OSCHECK hook, which if set will probably call
    functions which are stack-protected (it does on Linux and NaCL too).
    We also move apply_irel() up, so that we can still safely call functions
    that require ifuncs while in __pthread_initialize_tcb_internal()
    (though if stack-protection is enabled we still have to avoid calling
    functions that are not stack-protected at this stage).
    
    v2: describe why we don't move apply_irel() up, and the consequences.
    v6: We can safely move apply_irel() up now.
    
    	* nptl/nptl-init.c (__pthread_initialize_tcb_internal): New
    	function, split out from...
    	(__pthread_initialize_minimal_internal): ... here.
    	* csu/libc-start.c (LIBC_START_MAIN): Call it.  Move stack canary
    	and apply_irel() initialization up.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c090aec57a599df633c4ee175dab96c3642f7c84

commit c090aec57a599df633c4ee175dab96c3642f7c84
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Tue Jun 7 12:06:03 2016 +0100

    Configury support for --enable-stack-protector.
    
    This adds =all and =strong, with obvious semantics, and with a rather
    arbitrarily-chosen default off, which we might well want to change to
    something stronger once this patch has been tested by people other than
    me.
    
    We don't validate the value of the option yet: that's in a later patch.
    Nor do we use it for anything at this stage.
    
    We differentiate between 'the compiler understands -fstack-protector'
    and 'the user wanted -fstack-protector' so that we can pass
    -fno-stack-protector in appropriate places even if the user didn't want
    to turn on -fstack-protector for other parts.  (This helps us overcome
    another existing limitation, that glibc doesn't work with GCCs hacked
    to pass in -fstack-protector by default.)
    
    We might want to add another configuration option to turn on
    -fstack-protector for nscd and other network-facing operations by
    default, but for now I've stuck with one option to control everything.
    
    v2: documentation in install.texi; better description of the option.
        INSTALL regenerated.
    v3: Substitute in no_stack_protector.
    v6: Small quoting/spacing revisions following Mike Frysinger's review.
        Add STACK_PROTECTOR_LEVEL.
    v7: Quoting changes. Report --enable-stack-protector argument values
        on error.
    
    	[BZ #7065]
    	* configure.ac (libc_cv_ssp): Move up.
    	(libc_cv_ssp_strong): Likewise.
    	(libc_cv_ssp_all): New.
    	(stack_protector): Augment, adding -fstack-protector-all.
    	(no_stack_protector): New.
    	(STACK_PROTECTOR_LEVEL): New.
    	(AC_ARG_ENABLE(stack-protector)): New configure flag.
    	* manual/install.texi (--enable-stack-protector): Document it.
    	* config.h.in (STACK_PROTECTOR_LEVEL): New macro.
    	* INSTALL: Regenerate.

-----------------------------------------------------------------------
Comment 21 cvs-commit@gcc.gnu.org 2016-12-21 11:41:13 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  fcd942370ff863f67f971e255d30fb9c1f127607 (commit)
      from  2908885c822eb43ffa2cdd67e0464e6d35afaf53 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fcd942370ff863f67f971e255d30fb9c1f127607

commit fcd942370ff863f67f971e255d30fb9c1f127607
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Wed Dec 21 12:04:12 2016 +0100

    x86_64: tst-quad1pie, tst-quad2pie: compile with -fPIE [BZ #7065]
    
    With stack protection enabled, these files have external symbol
    references for the first time, so the fact that they are not compiled
    with -fPIE and are then linked into a -pie binary starts to hurt.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog               |    6 ++++++
 sysdeps/x86_64/Makefile |    3 +++
 2 files changed, 9 insertions(+), 0 deletions(-)
Comment 22 cvs-commit@gcc.gnu.org 2016-12-21 17:22:58 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, fw/stack-protector has been created
        at  a547a051a93361a9ec4edf283bcebea66481fca8 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a547a051a93361a9ec4edf283bcebea66481fca8

commit a547a051a93361a9ec4edf283bcebea66481fca8
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Wed Dec 21 16:01:30 2016 +0100

    Enable -fstack-protector=* when requested by configure [BZ #7065]

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=299613826cccad6047f3bb4b9b2db97b9c899273

commit 299613826cccad6047f3bb4b9b2db97b9c899273
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Wed Dec 21 16:01:09 2016 +0100

    Do not stack-protect sigreturn stubs [BZ #7065]
    
    These are called from the kernel with the stack at a carefully-
    chosen location so that the stack frame can be restored: they must not
    move the stack pointer lest garbage be restored into the registers.
    
    We explicitly inhibit protection for SPARC and for signal/sigreturn.c:
    other arches either define their sigreturn stubs in .S files, or (i386,
    x86_64, mips) use macros expanding to top-level asm blocks and explicit
    labels in the text section to mock up a "function" without telling the
    compiler that one is there at all.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=59780db53ac8f56a492ce2949159939865cefad6

commit 59780db53ac8f56a492ce2949159939865cefad6
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Wed Dec 21 16:01:00 2016 +0100

    Drop explicit stack-protection of pieces of the system [BZ #7065]

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8ac7f200cb4478e55b746c1b7739a2eb0dd58541

commit 8ac7f200cb4478e55b746c1b7739a2eb0dd58541
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Wed Dec 21 16:00:47 2016 +0100

    Link a non-libc-using test with -fno-stack-protector [BZ #7065]
    
    This test cannot reference __stack_chk_fail because it is not linked
    with libc at all.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a8c94a367800c222a068dfa56a696437bbf4b32d

commit a8c94a367800c222a068dfa56a696437bbf4b32d
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Wed Dec 21 15:58:22 2016 +0100

    PLT avoidance for __stack_chk_fail [BZ #7065]
    
    Add a hidden __stack_chk_fail_local alias to libc.so,
    and make sure that on targets which use __stack_chk_fail,
    this does not introduce a local PLT reference into libc.so.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=52c67c89daad240cfa76b39a4827ee6d4dada510

commit 52c67c89daad240cfa76b39a4827ee6d4dada510
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Wed Dec 21 16:00:22 2016 +0100

    Work even with compilers whcih enable -fstack-protector by default [BZ #7065]
    
    With all the machinery we just added, we can easily arrange to work even
    when the compiler passes in -fstack-protector automatically: all the
    necessary bits of glibc are always compiled with -fno-stack-protector
    now.
    
    So tear out the check in configure, and add appropriate calls to
    -fno-stack-protector in tests that need them (largely those that use
    -nostdlib), since we don't yet have a __stack_chk_fail that those
    tests can rely upon.  (GCC often provides one, but we cannot rely on
    this, especially not when bootstrapping.)
    
    When stack protection is disabled, explicitly pass -fno-stack-protector
    to everything, to stop a compiler hacked to enable it from inserting
    calls to __stack_chk_fail via the PLT in every object file.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ceaed0d1f8713b9de5bdeda919525c8fcd61d89a

commit ceaed0d1f8713b9de5bdeda919525c8fcd61d89a
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Wed Dec 21 16:00:13 2016 +0100

    Ignore __stack_chk_fail* in the rtld mapfile computation [BZ #7065]
    
    The previous commit prevented rtld itself from being built with
    -fstack-protector, but this is not quite enough.  We identify which
    objects belong in rtld via a test link and analysis of the resulting
    mapfile.  That link is necessarily done against objects that are
    stack-protected, so drags in __stack_chk_fail_local, __stack_chk_fail,
    and all the libc and libio code they use.
    
    To stop this happening, use --defsym in the test librtld.map-production
    link to force the linker to predefine these two symbols (to 0, but it
    could be to anything).  (In a real link, this would of course be
    catastrophic, but these object files are never used for anything else.)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5abe578c24fce56130b9a44362907a83d076a06d

commit 5abe578c24fce56130b9a44362907a83d076a06d
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Wed Dec 21 16:00:03 2016 +0100

    Compile the dynamic linker without stack protection [BZ #7065]
    
    Also compile corresponding routines in the static libc.a with the same
    flag.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5ab1993e7799af49caacc86f1e3a4d335b2f3420

commit 5ab1993e7799af49caacc86f1e3a4d335b2f3420
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Wed Dec 21 15:59:47 2016 +0100

    Disable stack protector in early static initialization [BZ #7065]
    
    The startup code in csu/, and the brk and sbrk functions are
    needed very early in initialization of a statically-linked program,
    before the stack guard is initialized; TLS initialization also uses
    memcpy, which cannot overrun its own stack.  Mark all of these as
    -fno-stack-protector.
    
    We also finally introduce @libc_cv_ssp@ and @no_stack_protector@, both
    substituted by the configury changes made earlier, to detect the case
    when -fno-stack-protector is supported by the compiler, and
    unconditionally pass it in when this is the case, whether or not
    --enable-stack-protector is passed to configure.  (This means that
    it'll even work when the compiler's been hacked to pass
    -fstack-protector by default, unless the hackage is so broken that
    it does so in a way that is impossible to override.)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=25becbb762c7a9aff36a389f2d63dcb5f7fecb7a

commit 25becbb762c7a9aff36a389f2d63dcb5f7fecb7a
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Wed Dec 21 15:59:32 2016 +0100

    Do not stack-protect ifunc resolvers [BZ #7065]
    
    When dynamically linking, ifunc resolvers are called before TLS is
    initialized, so they cannot be safely stack-protected.
    
    We avoid disabling stack-protection on large numbers of files by
    using __attribute__ ((__optimize__ ("-fno-stack-protector")))
    to turn it off just for the resolvers themselves.  (We provide
    the attribute even when statically linking, because we will later
    use it elsewhere too.)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8f26f41f502828d18ebe18adaf7e0e161b6005f9

commit 8f26f41f502828d18ebe18adaf7e0e161b6005f9
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Wed Dec 21 16:58:42 2016 +0100

    Initialize the stack guard earlier when linking statically [BZ #7065]
    
    The address of the stack canary is stored in a per-thread variable,
    which means that we must ensure that the TLS area is intialized before
    calling any -fstack-protector'ed functions.  For dynamically linked
    applications, we ensure this (in a later patch) by disabling
    -fstack-protector for the whole dynamic linker, but for static
    applications, the AT_ENTRY address is called directly by the kernel, so
    we must deal with the problem differently.
    
    In static appliations, __libc_setup_tls performs the TCB setup and TLS
    initialization, so this commit arranges for it to be called early and
    unconditionally.  The call (and the stack guard initialization) is
    before the DL_SYSDEP_OSCHECK hook, which if set will probably call
    functions which are stack-protected (it does on Linux and NaCL too).  We
    also move apply_irel up, so that we can still safely call functions that
    require ifuncs while in __libc_setup_tls (though if stack-protection is
    enabled we still have to avoid calling functions that are not
    stack-protected at this stage).

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4d3eb50f579a017e8b68f1d28d7de2e026c1b20f

commit 4d3eb50f579a017e8b68f1d28d7de2e026c1b20f
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Wed Dec 21 15:59:03 2016 +0100

    Configure support for --enable-stack-protector [BZ #7065]
    
    This adds =all and =strong, with obvious semantics, defaulting to off.
    
    We don't validate the value of the option yet: that's in a later patch.
    Nor do we use it for anything at this stage.
    
    We differentiate between 'the compiler understands -fstack-protector'
    and 'the user wanted -fstack-protector' so that we can pass
    -fno-stack-protector in appropriate places even if the user didn't want
    to turn on -fstack-protector for other parts.  (This helps us overcome
    another existing limitation, that glibc doesn't work with GCCs hacked
    to pass in -fstack-protector by default.)
    
    We also arrange to set the STACK_PROTECTOR_LEVEL #define to a value
    appropriate for the stack-protection level in use for each file in
    particular.

-----------------------------------------------------------------------
Comment 23 cvs-commit@gcc.gnu.org 2016-12-26 09:44:09 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  cecbc7967f0bcac718b6f8f8942b58403c0e917c (commit)
       via  2e6c45c59bcd40f1ae8466cbd32f4d263ff45619 (commit)
       via  1ad4ba28e9335c288687d1757bce3221c522f576 (commit)
       via  7cbb738d218fad3bc91deebfd8ce5f3918592b84 (commit)
       via  524a8ef2ad76af8ac049293d993a1856b0d888fb (commit)
       via  66a704c43cfec810fea67a6959f2d1c94f4d594f (commit)
       via  bc174f20b83d19167ecac14ce0762eddbe47cc64 (commit)
       via  995635f95b707488c23bba07be8016c9682d4045 (commit)
       via  10c85e76c09716e744b4a41006718400b1eb2e84 (commit)
       via  de6591238b478bc86b8cf5af01a484114e399213 (commit)
       via  003a27e8195470f470f4d9384ca70d4e9fc8bd1b (commit)
       via  03baef1c9cfb396d76cae20a00aee657871e79c4 (commit)
      from  81e0662e5f2c342ffa413826b7b100d56677b613 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=cecbc7967f0bcac718b6f8f8942b58403c0e917c

commit cecbc7967f0bcac718b6f8f8942b58403c0e917c
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Mon Dec 26 10:09:10 2016 +0100

    Enable -fstack-protector=* when requested by configure [BZ #7065]

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2e6c45c59bcd40f1ae8466cbd32f4d263ff45619

commit 2e6c45c59bcd40f1ae8466cbd32f4d263ff45619
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Mon Dec 26 10:09:06 2016 +0100

    Do not stack-protect sigreturn stubs [BZ #7065]
    
    These are called from the kernel with the stack at a carefully-
    chosen location so that the stack frame can be restored: they must not
    move the stack pointer lest garbage be restored into the registers.
    
    We explicitly inhibit protection for SPARC and for signal/sigreturn.c:
    other arches either define their sigreturn stubs in .S files, or (i386,
    x86_64, mips) use macros expanding to top-level asm blocks and explicit
    labels in the text section to mock up a "function" without telling the
    compiler that one is there at all.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1ad4ba28e9335c288687d1757bce3221c522f576

commit 1ad4ba28e9335c288687d1757bce3221c522f576
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Mon Dec 26 10:09:03 2016 +0100

    Drop explicit stack-protection of pieces of the system [BZ #7065]

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7cbb738d218fad3bc91deebfd8ce5f3918592b84

commit 7cbb738d218fad3bc91deebfd8ce5f3918592b84
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Mon Dec 26 10:09:00 2016 +0100

    Link a non-libc-using test with -fno-stack-protector [BZ #7065]
    
    This test cannot reference __stack_chk_fail because it is not linked
    with libc at all.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=524a8ef2ad76af8ac049293d993a1856b0d888fb

commit 524a8ef2ad76af8ac049293d993a1856b0d888fb
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Mon Dec 26 10:08:57 2016 +0100

    PLT avoidance for __stack_chk_fail [BZ #7065]
    
    Add a hidden __stack_chk_fail_local alias to libc.so,
    and make sure that on targets which use __stack_chk_fail,
    this does not introduce a local PLT reference into libc.so.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=66a704c43cfec810fea67a6959f2d1c94f4d594f

commit 66a704c43cfec810fea67a6959f2d1c94f4d594f
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Mon Dec 26 10:08:54 2016 +0100

    Work even with compilers which enable -fstack-protector by default [BZ #7065]
    
    With all the machinery we just added, we can easily arrange to work even
    when the compiler passes in -fstack-protector automatically: all the
    necessary bits of glibc are always compiled with -fno-stack-protector
    now.
    
    So tear out the check in configure, and add appropriate calls to
    -fno-stack-protector in tests that need them (largely those that use
    -nostdlib), since we don't yet have a __stack_chk_fail that those
    tests can rely upon.  (GCC often provides one, but we cannot rely on
    this, especially not when bootstrapping.)
    
    When stack protection is disabled, explicitly pass -fno-stack-protector
    to everything, to stop a compiler hacked to enable it from inserting
    calls to __stack_chk_fail via the PLT in every object file.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bc174f20b83d19167ecac14ce0762eddbe47cc64

commit bc174f20b83d19167ecac14ce0762eddbe47cc64
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Mon Dec 26 10:08:51 2016 +0100

    Ignore __stack_chk_fail* in the rtld mapfile computation [BZ #7065]
    
    The previous commit prevented rtld itself from being built with
    -fstack-protector, but this is not quite enough.  We identify which
    objects belong in rtld via a test link and analysis of the resulting
    mapfile.  That link is necessarily done against objects that are
    stack-protected, so drags in __stack_chk_fail_local, __stack_chk_fail,
    and all the libc and libio code they use.
    
    To stop this happening, use --defsym in the test librtld.map-production
    link to force the linker to predefine these two symbols (to 0, but it
    could be to anything).  (In a real link, this would of course be
    catastrophic, but these object files are never used for anything else.)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=995635f95b707488c23bba07be8016c9682d4045

commit 995635f95b707488c23bba07be8016c9682d4045
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Mon Dec 26 10:08:48 2016 +0100

    Compile the dynamic linker without stack protection [BZ #7065]
    
    Also compile corresponding routines in the static libc.a with the same
    flag.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=10c85e76c09716e744b4a41006718400b1eb2e84

commit 10c85e76c09716e744b4a41006718400b1eb2e84
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Mon Dec 26 10:08:45 2016 +0100

    Disable stack protector in early static initialization [BZ #7065]
    
    The startup code in csu/, and the brk and sbrk functions are
    needed very early in initialization of a statically-linked program,
    before the stack guard is initialized; TLS initialization also uses
    memcpy, which cannot overrun its own stack.  Mark all of these as
    -fno-stack-protector.
    
    We also finally introduce @libc_cv_ssp@ and @no_stack_protector@, both
    substituted by the configury changes made earlier, to detect the case
    when -fno-stack-protector is supported by the compiler, and
    unconditionally pass it in when this is the case, whether or not
    --enable-stack-protector is passed to configure.  (This means that
    it'll even work when the compiler's been hacked to pass
    -fstack-protector by default, unless the hackage is so broken that
    it does so in a way that is impossible to override.)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=de6591238b478bc86b8cf5af01a484114e399213

commit de6591238b478bc86b8cf5af01a484114e399213
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Mon Dec 26 10:08:41 2016 +0100

    Do not stack-protect ifunc resolvers [BZ #7065]
    
    When dynamically linking, ifunc resolvers are called before TLS is
    initialized, so they cannot be safely stack-protected.
    
    We avoid disabling stack-protection on large numbers of files by
    using __attribute__ ((__optimize__ ("-fno-stack-protector")))
    to turn it off just for the resolvers themselves.  (We provide
    the attribute even when statically linking, because we will later
    use it elsewhere too.)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=003a27e8195470f470f4d9384ca70d4e9fc8bd1b

commit 003a27e8195470f470f4d9384ca70d4e9fc8bd1b
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Mon Dec 26 10:08:34 2016 +0100

    Initialize the stack guard earlier when linking statically [BZ #7065]
    
    The address of the stack canary is stored in a per-thread variable,
    which means that we must ensure that the TLS area is intialized before
    calling any -fstack-protector'ed functions.  For dynamically linked
    applications, we ensure this (in a later patch) by disabling
    -fstack-protector for the whole dynamic linker, but for static
    applications, the AT_ENTRY address is called directly by the kernel, so
    we must deal with the problem differently.
    
    In static appliations, __libc_setup_tls performs the TCB setup and TLS
    initialization, so this commit arranges for it to be called early and
    unconditionally.  The call (and the stack guard initialization) is
    before the DL_SYSDEP_OSCHECK hook, which if set will probably call
    functions which are stack-protected (it does on Linux and NaCL too).  We
    also move apply_irel up, so that we can still safely call functions that
    require ifuncs while in __libc_setup_tls (though if stack-protection is
    enabled we still have to avoid calling functions that are not
    stack-protected at this stage).

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=03baef1c9cfb396d76cae20a00aee657871e79c4

commit 03baef1c9cfb396d76cae20a00aee657871e79c4
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Mon Dec 26 10:08:18 2016 +0100

    Configure support for --enable-stack-protector [BZ #7065]
    
    This adds =all and =strong, with obvious semantics, defaulting to off.
    
    We don't validate the value of the option yet: that's in a later patch.
    Nor do we use it for anything at this stage.
    
    We differentiate between 'the compiler understands -fstack-protector'
    and 'the user wanted -fstack-protector' so that we can pass
    -fno-stack-protector in appropriate places even if the user didn't want
    to turn on -fstack-protector for other parts.  (This helps us overcome
    another existing limitation, that glibc doesn't work with GCCs hacked
    to pass in -fstack-protector by default.)
    
    We also arrange to set the STACK_PROTECTOR_LEVEL #define to a value
    appropriate for the stack-protection level in use for each file in
    particular.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                         |  149 +++++++++++++
 INSTALL                                           |   11 +
 Makeconfig                                        |    8 +-
 NEWS                                              |    4 +
 aclocal.m4                                        |    6 +-
 config.h.in                                       |   10 +
 config.make.in                                    |    2 +
 configure                                         |  243 +++++++++++----------
 configure.ac                                      |  146 +++++++------
 csu/Makefile                                      |    4 +
 csu/libc-start.c                                  |   29 ++--
 csu/libc-tls.c                                    |   17 +-
 debug/Makefile                                    |    6 +
 debug/stack_chk_fail.c                            |    2 +
 elf/Makefile                                      |   30 +++-
 elf/ifuncdep2.c                                   |    3 +
 elf/ifuncmain6pie.c                               |    1 +
 elf/ifuncmain7.c                                  |    1 +
 elf/ifuncmod1.c                                   |    3 +
 elf/ifuncmod5.c                                   |    3 +
 elf/rtld-Rules                                    |    2 +
 include/libc-symbols.h                            |   12 +-
 login/Makefile                                    |    1 -
 manual/install.texi                               |   11 +
 misc/Makefile                                     |    7 +
 nptl/nptl-init.c                                  |   16 --
 nscd/Makefile                                     |    1 -
 resolv/Makefile                                   |    1 -
 signal/Makefile                                   |    2 +
 string/Makefile                                   |    4 +
 sysdeps/generic/ifunc-sel.h                       |    2 +
 sysdeps/generic/ldsodefs.h                        |   11 +
 sysdeps/generic/symbol-hacks.h                    |   12 +
 sysdeps/i386/Makefile                             |    2 +-
 sysdeps/nacl/nacl_interface_query.c               |    1 +
 sysdeps/powerpc/ifunc-sel.h                       |    2 +
 sysdeps/unix/make-syscalls.sh                     |    1 +
 sysdeps/unix/sysv/linux/sparc/sparc32/sigaction.c |    8 +-
 sysdeps/unix/sysv/linux/sparc/sparc64/sigaction.c |    4 +-
 sysdeps/unix/sysv/linux/x86_64/x32/getcpu.c       |    1 +
 sysdeps/x86_64/ifuncmod8.c                        |    1 +
 41 files changed, 539 insertions(+), 241 deletions(-)
Comment 24 Florian Weimer 2016-12-26 13:08:06 UTC
Fixed in 2.25.
Comment 25 cvs-commit@gcc.gnu.org 2016-12-26 13:09:01 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, fw/stack-protector has been deleted
       was  a547a051a93361a9ec4edf283bcebea66481fca8

- Log -----------------------------------------------------------------
a547a051a93361a9ec4edf283bcebea66481fca8 Enable -fstack-protector=* when requested by configure [BZ #7065]
-----------------------------------------------------------------------
Comment 26 cvs-commit@gcc.gnu.org 2017-02-05 15:59:08 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The annotated tag, glibc-2.25 has been created
        at  be176490b818b65b5162c332eb6b581690b16e5c (tag)
   tagging  db0242e3023436757bbc7c488a779e6e3343db04 (commit)
  replaces  glibc-2.24
 tagged by  Siddhesh Poyarekar
        on  Sun Feb 5 21:19:00 2017 +0530

- Log -----------------------------------------------------------------
The GNU C Library
=================

The GNU C Library version 2.25 is now available.

The GNU C Library is used as *the* C library in the GNU system and
in GNU/Linux systems, as well as many other systems that use Linux
as the kernel.

The GNU C Library is primarily designed to be a portable
and high performance C library.  It follows all relevant
standards including ISO C11 and POSIX.1-2008.  It is also
internationalized and has one of the most complete
internationalization interfaces known.

The GNU C Library webpage is at http://www.gnu.org/software/libc/

Packages for the 2.25 release may be downloaded from:
        http://ftpmirror.gnu.org/libc/
        http://ftp.gnu.org/gnu/libc/

The mirror list is at http://www.gnu.org/order/ftp.html

NEWS for version 2.25
=====================

* The feature test macro __STDC_WANT_LIB_EXT2__, from ISO/IEC TR
  24731-2:2010, is supported to enable declarations of functions from that
  TR.  Note that not all functions from that TR are supported by the GNU C
  Library.

* The feature test macro __STDC_WANT_IEC_60559_BFP_EXT__, from ISO/IEC TS
  18661-1:2014, is supported to enable declarations of functions and macros
  from that TS.  Note that not all features from that TS are supported by
  the GNU C Library.

* The feature test macro __STDC_WANT_IEC_60559_FUNCS_EXT__, from ISO/IEC TS
  18661-4:2015, is supported to enable declarations of functions and macros
  from that TS.  Note that most features from that TS are not supported by
  the GNU C Library.

* The nonstandard feature selection macros _REENTRANT and _THREAD_SAFE are
  now treated as compatibility synonyms for _POSIX_C_SOURCE=199506L.
  Since the GNU C Library defaults to a much newer revision of POSIX, this
  will only affect programs that specifically request an old conformance
  mode.  For instance, a program compiled with -std=c89 -D_REENTRANT will
  see a change in the visible declarations, but a program compiled with
  just -D_REENTRANT, or -std=c99 -D_POSIX_C_SOURCE=200809L -D_REENTRANT,
  will not.

  Some C libraries once required _REENTRANT and/or _THREAD_SAFE to be
  defined by all multithreaded code, but glibc has not required this for
  many years.

* The inclusion of <sys/sysmacros.h> by <sys/types.h> is deprecated.  This
  means that in a future release, the macros “major”, “minor”, and “makedev”
  will only be available from <sys/sysmacros.h>.

  These macros are not part of POSIX nor XSI, and their names frequently
  collide with user code; see for instance glibc bug 19239 and Red Hat bug
  130601.  <stdlib.h> includes <sys/types.h> under _GNU_SOURCE, and C++ code
  presently cannot avoid being compiled under _GNU_SOURCE, exacerbating the
  problem.

* New <fenv.h> features from TS 18661-1:2014 are added to libm: the
  fesetexcept, fetestexceptflag, fegetmode and fesetmode functions, the
  femode_t type and the FE_DFL_MODE and FE_SNANS_ALWAYS_SIGNAL macros.

* Integer width macros from TS 18661-1:2014 are added to <limits.h>:
  CHAR_WIDTH, SCHAR_WIDTH, UCHAR_WIDTH, SHRT_WIDTH, USHRT_WIDTH, INT_WIDTH,
  UINT_WIDTH, LONG_WIDTH, ULONG_WIDTH, LLONG_WIDTH, ULLONG_WIDTH; and to
  <stdint.h>: INT8_WIDTH, UINT8_WIDTH, INT16_WIDTH, UINT16_WIDTH,
  INT32_WIDTH, UINT32_WIDTH, INT64_WIDTH, UINT64_WIDTH, INT_LEAST8_WIDTH,
  UINT_LEAST8_WIDTH, INT_LEAST16_WIDTH, UINT_LEAST16_WIDTH,
  INT_LEAST32_WIDTH, UINT_LEAST32_WIDTH, INT_LEAST64_WIDTH,
  UINT_LEAST64_WIDTH, INT_FAST8_WIDTH, UINT_FAST8_WIDTH, INT_FAST16_WIDTH,
  UINT_FAST16_WIDTH, INT_FAST32_WIDTH, UINT_FAST32_WIDTH, INT_FAST64_WIDTH,
  UINT_FAST64_WIDTH, INTPTR_WIDTH, UINTPTR_WIDTH, INTMAX_WIDTH,
  UINTMAX_WIDTH, PTRDIFF_WIDTH, SIG_ATOMIC_WIDTH, SIZE_WIDTH, WCHAR_WIDTH,
  WINT_WIDTH.

* New <math.h> features are added from TS 18661-1:2014:

  - Signaling NaN macros: SNANF, SNAN, SNANL.

  - Nearest integer functions: roundeven, roundevenf, roundevenl, fromfp,
    fromfpf, fromfpl, ufromfp, ufromfpf, ufromfpl, fromfpx, fromfpxf,
    fromfpxl, ufromfpx, ufromfpxf, ufromfpxl.

  - llogb functions: the llogb, llogbf and llogbl functions, and the
    FP_LLOGB0 and FP_LLOGBNAN macros.

  - Max-min magnitude functions: fmaxmag, fmaxmagf, fmaxmagl, fminmag,
    fminmagf, fminmagl.

  - Comparison macros: iseqsig.

  - Classification macros: iscanonical, issubnormal, iszero.

  - Total order functions: totalorder, totalorderf, totalorderl,
    totalordermag, totalordermagf, totalordermagl.

  - Canonicalize functions: canonicalize, canonicalizef, canonicalizel.

  - NaN functions: getpayload, getpayloadf, getpayloadl, setpayload,
    setpayloadf, setpayloadl, setpayloadsig, setpayloadsigf, setpayloadsigl.

* The functions strfromd, strfromf, and strfroml, from ISO/IEC TS 18661-1:2014,
  are added to libc.  They convert a floating-point number into string.

* Most of glibc can now be built with the stack smashing protector enabled.
  It is recommended to build glibc with --enable-stack-protector=strong.
  Implemented by Nick Alcock (Oracle).

* The function explicit_bzero, from OpenBSD, has been added to libc.  It is
  intended to be used instead of memset() to erase sensitive data after use;
  the compiler will not optimize out calls to explicit_bzero even if they
  are "unnecessary" (in the sense that no _correct_ program can observe the
  effects of the memory clear).

* On ColdFire, MicroBlaze, Nios II and SH3, the float_t type is now defined
  to float instead of double.  This does not affect the ABI of any libraries
  that are part of the GNU C Library, but may affect the ABI of other
  libraries that use this type in their interfaces.

* On x86_64, when compiling with -mfpmath=387 or -mfpmath=sse+387, the
  float_t and double_t types are now defined to long double instead of float
  and double.  These options are not the default, and this does not affect
  the ABI of any libraries that are part of the GNU C Library, but it may
  affect the ABI of other libraries that use this type in their interfaces,
  if they are compiled or used with those options.

* The getentropy and getrandom functions, and the <sys/random.h> header file
  have been added.

* The buffer size for byte-oriented stdio streams is now limited to 8192
  bytes by default.  Previously, on Linux, the default buffer size on most
  file systems was 4096 bytes (and thus remains unchanged), except on
  network file systems, where the buffer size was unpredictable and could be
  as large as several megabytes.

* The <sys/quota.h> header now includes the <linux/quota.h> header.  Support
  for the Linux quota interface which predates kernel version 2.4.22 has
  been removed.

* The malloc_get_state and malloc_set_state functions have been removed.
  Already-existing binaries that dynamically link to these functions will
  get a hidden implementation in which malloc_get_state is a stub.  As far
  as we know, these functions are used only by GNU Emacs and this change
  will not adversely affect already-built Emacs executables.  Any undumped
  Emacs executables, which normally exist only during an Emacs build, should
  be rebuilt by re-running “./configure; make” in the Emacs build tree.

* The “ip6-dotint” and “no-ip6-dotint” resolver options, and the
  corresponding RES_NOIP6DOTINT flag from <resolv.h> have been removed.
  “no-ip6-dotint” had already been the default, and support for the
  “ip6-dotint” option was removed from the Internet in 2006.

* The "ip6-bytestring" resolver option and the corresponding RES_USEBSTRING
  flag from <resolv.h> have been removed.  The option relied on a
  backwards-incompatible DNS extension which was never deployed on the
  Internet.

* The flags RES_AAONLY, RES_PRIMARY, RES_NOCHECKNAME, RES_KEEPTSIG,
  RES_BLAST defined in the <resolv.h> header file have been deprecated.
  They were already unimplemented.

* The "inet6" option in /etc/resolv.conf and the RES_USE_INET6 flag for
  _res.flags are deprecated.  The flag was standardized in RFC 2133, but
  removed again from the IETF name lookup interface specification in RFC
  2553.  Applications should use getaddrinfo instead.

* DNSSEC-related declarations and definitions have been removed from the
  <arpa/nameser.h> header file, and libresolv will no longer attempt to
  decode the data part of DNSSEC record types.  Previous versions of glibc
  only implemented minimal support for the previous version of DNSSEC, which
  is incompatible with the currently deployed version.

* The resource record type classification macros ns_t_qt_p, ns_t_mrr_p,
  ns_t_rr_p, ns_t_udp_p, ns_t_xfr_p have been removed from the
  <arpa/nameser.h> header file because the distinction between RR types and
  meta-RR types is not officially standardized, subject to revision, and
  thus not suitable for encoding in a macro.

* The types res_sendhookact, res_send_qhook, re_send_rhook, and the qhook
  and rhook members of the res_state type in <resolv.h> have been removed.
  The glibc stub resolver did not support these hooks, but the header file
  did not reflect that.

* For multi-arch support it is recommended to use a GCC which has
  been built with support for GNU indirect functions.  This ensures
  that correct debugging information is generated for functions
  selected by IFUNC resolvers.  This support can either be enabled by
  configuring GCC with '--enable-gnu-indirect-function', or by
  enabling it by default by setting 'default_gnu_indirect_function'
  variable for a particular architecture in the GCC source file
  'gcc/config.gcc'.

* GDB pretty printers have been added for mutex and condition variable
  structures in POSIX Threads. When installed and loaded in gdb these pretty
  printers show various pthread variables in human-readable form when read
  using the 'print' or 'display' commands in gdb.

* Tunables feature added to allow tweaking of the runtime for an application
  program.  This feature can be enabled with the '--enable-tunables' configure
  flag.  The GNU C Library manual has details on usage and README.tunables has
  instructions on adding new tunables to the library.

* A new version of condition variables functions have been implemented in
  the NPTL implementation of POSIX Threads to provide stronger ordering
  guarantees.

* A new version of pthread_rwlock functions have been implemented to use a more
  scalable algorithm primarily through not using a critical section anymore to
  make state changes.

Security related changes:

* On ARM EABI (32-bit), generating a backtrace for execution contexts which
  have been created with makecontext could fail to terminate due to a
  missing .cantunwind annotation.  This has been observed to lead to a hang
  (denial of service) in some Go applications compiled with gccgo.  Reported
  by Andreas Schwab.  (CVE-2016-6323)

* The DNS stub resolver functions would crash due to a NULL pointer
  dereference when processing a query with a valid DNS question type which
  was used internally in the implementation.  The stub resolver now uses a
  question type which is outside the range of valid question type values.
  (CVE-2015-5180)

Contributors
============

This release was made possible by the contributions of many people.
The maintainers are grateful to everyone who has contributed
changes or bug reports.  These include:

Adhemerval Zanella
Alan Modra
Alexandre Oliva
Andreas Schwab
Andrew Senkevich
Aurelien Jarno
Brent W. Baccala
Carlos O'Donell
Chris Metcalf
Chung-Lin Tang
DJ Delorie
David S. Miller
Denis Kaganovich
Dmitry V. Levin
Ernestas Kulik
Florian Weimer
Gabriel F T Gomes
Gabriel F. T. Gomes
H.J. Lu
Jakub Jelinek
James Clarke
James Greenhalgh
Jim Meyering
John David Anglin
Joseph Myers
Maciej W. Rozycki
Mark Wielaard
Martin Galvan
Martin Pitt
Mike Frysinger
Märt Põder
Nick Alcock
Paul E. Murphy
Paul Murphy
Rajalakshmi Srinivasaraghavan
Rasmus Villemoes
Rical Jasan
Richard Henderson
Roland McGrath
Samuel Thibault
Siddhesh Poyarekar
Stefan Liebler
Steve Ellcey
Svante Signell
Szabolcs Nagy
Tom Tromey
Torvald Riegel
Tulio Magno Quites Machado Filho
Wilco Dijkstra
Yury Norov
Zack Weinberg
-----BEGIN PGP SIGNATURE-----

iQEcBAABAgAGBQJYl0mTAAoJEHnEPfvxzyGHXTgH/jsS205Wdz9EniZrJ6+NXCm1
F/eeOMotGNv82BYaLRnw9XrF7p6+ND8E+7rSvFZT5O309OrdLjg4QG6M63COMRCh
6KKtQUM/00I1u4AYkOOgrUkor3m58GgeQUziOxXNvQNoU8zLguPk4kzVsvxq6lJR
/IROH2Mfl1AggOGq9Y1R/0uQCpj4jJSLETxJupg4calGPZQW3isogucSmogdccAB
Bqso7L40Xo4LJnEoD7JurlMrP5x043TttmTyvnFTtxRZTAHVjyQpFMKHaSkMgtIG
+fe26Ua3oMqbE9A9G3qiMIrPEqu+0tWKbvci0FeaE30vfI6YtVcd8I0RlBW9gok=
=3NM3
-----END PGP SIGNATURE-----

Adhemerval Zanella (69):
      Fix test-skeleton C99 designed initialization
      nptl: Consolidate sem_open implementations
      nptl: Set sem_open as a non cancellation point (BZ #15765)
      nptl: Remove sparc sem_wait
      nptl: Fix sem_wait and sem_timedwait cancellation (BZ#18243)
      rt: Set shm_open as a non cancellation point (BZ #18243)
      nptl: Consolidate sem_init implementations
      posix: Correctly enable/disable cancellation on Linux posix_spawn
      posix: Correctly block/unblock all signals on Linux posix_spawn
      Add INTERNAL_SYSCALL_CALL
      posix: Fix open file action for posix_spawn on Linux
      Remove C++ style comments from string3.h
      libio: Multiple fixes for open_{w}memstram (BZ#18241 and BZ#20181)
      Fix tst-memstream3 build failure
      Consolidate fallocate{64} implementations
      Consolidate posix_fallocate{64} implementations
      Consolidate posix_fadvise implementations
      Fix iseqsig for ports that do not support FE_INVALID
      Consolidate Linux sync_file_range implementations
      Fix posix_fadvise64 build on mips64n64
      Fix Linux fallocate tests for EOPNOTSUPP
      Fix Linux sh4 pread/pwrite argument passing
      Fix sparc build due missing __WORDSIZE_TIME64_COMPAT32 definition
      Consolidate lseek/lseek64/llseek implementations
      Consolidate Linux ftruncate implementations
      Consolidate Linux truncate implementations
      Consolidate Linux access implementation
      Fix sh4 build with __ASSUME_ST_INO_64_BIT redefinition
      New internal function __access_noerrno
      Consolidate Linux setrlimit and getrlimit implementation
      Fix hurd __access_noerrno implementation.
      Fix writes past the allocated array bounds in execvpe (BZ#20847)
      Remove cached PID/TID in clone
      powerpc: Remove stpcpy internal clash with IFUNC
      powerpc: Remove stpcpy internal clash with IFUNC
      Fix writes past the allocated array bounds in execvpe (BZ#20847)
      Consolidate rename Linux implementation
      Consolidate renameat Linux implementation
      Fix powerpc64/power7 memchr for large input sizes
      Fix typos and missing closing bracket in test-memchr.c
      Adjust benchtests to new support library.
      benchtests: Add fmax/fmin benchmarks
      benchtests: Add fmaxf/fminf benchmarks
      Fix x86_64 memchr for large input sizes
      powerpc: Remove f{max,min}{f} assembly implementations
      Add __ASSUME_DIRECT_SYSVIPC_SYSCALL for Linux
      Refactor Linux ipc_priv header
      Consolidate Linux msgctl implementation
      Consolidate Linux msgrcv implementation
      Use msgsnd syscall for Linux implementation
      Use msgget syscall for Linux implementation
      Add SYSV message queue test
      Consolidate Linux semctl implementation
      Use semget syscall for Linux implementation
      Use semop syscall for Linux implementation
      Consolidate Linux semtimedop implementation
      Add SYSV semaphore test
      Use shmat syscall for Linux implementation
      Consolidate Linux shmctl implementation
      Use shmdt syscall for linux implementation
      Use shmget syscall for linux implementation
      Add SYSV shared memory test
      Fix i686 memchr for large input sizes
      Fix test-sysvsem on some platforms
      Fix x86 strncat optimized implementation for large sizes
      Remove duplicate strcat implementations
      Use fortify macros for b{zero,copy} along decl from strings.h
      Move fortified explicit_bzero back to string3
      Add missing bugzilla reference in previous ChangeLog entry

Alan Modra (1):
      powerpc32: make PLT call in _mcount compatible with -msecure-plt (bug 20554)

Alexandre Oliva (2):
      [PR19826] fix non-LE TLS in static programs
      Bug 20915: Do not initialize DTV of other threads.

Andreas Schwab (11):
      arm: mark __startcontext as .cantunwind (bug 20435)
      Properly initialize glob structure with GLOB_BRACE|GLOB_DOOFFS (bug 20707)
      Fix multiple definitions of mk[o]stemp[s]64
      Get rid of __elision_available
      Fix testsuite timeout handling
      powerpc: remove _dl_platform_string and _dl_powerpc_platforms
      Fix assertion failure on test timeout
      Fix ChangeLog typo
      Revert "Fix ChangeLog typo"
      m68k: fix 64bit atomic ops
      Fix missing test dependency

Andrew Senkevich (4):
      x86_64: Call finite scalar versions in vectorized log, pow, exp (bz #20033).
      Install libm.a as linker script (bug 20539).
      Better design of libm.a installation rule.
      Disable TSX on some Haswell processors.

Aurelien Jarno (14):
      alpha: fix ceil on sNaN input
      alpha: fix floor on sNaN input
      alpha: fix rint on sNaN input
      alpha: fix trunc for big input values
      powerpc: fix ifunc-sel.h with GCC 6
      powerpc: fix ifunc-sel.h fix asm constraints and clobber list
      sparc64: add a VIS3 version of ceil, floor and trunc
      sparc: build with -mvis on sparc32/sparcv9 and sparc64
      sparc: remove fdim sparc specific implementations
      sparc32/sparcv9: add a VIS3 version of fdim
      Set NODELETE flag after checking for NULL pointer
      conform tests: call perl with '-I.'
      gconv.h: fix build with GCC 7
      x86_64: fix static build of __memcpy_chk for compilers defaulting to PIC/PIE

Brent W. Baccala (1):
      hurd: Fix spurious port deallocation

Carlos O'Donell (17):
      Open development for 2.25.
      Update PO files.
      Bug 20292 - Simplify and test _dl_addr_inside_object
      Bug 20689: Fix FMA and AVX2 detection on Intel
      Fix atomic_fetch_xor_release.
      Add missing include for stdlib.h.
      Fix building tst-linkall-static.
      Add include/crypt.h.
      Bug 20729: Fix building with -Os.
      Bug 20729: Include libc-internal.h where required.
      Bug 20729: Fix build failures on ppc64 and other arches.
      Remove out of date PROJECTS file.
      Bug 20918 - Building with --enable-nss-crypt fails tst-linkall-static
      Bug 11941: ld.so: Improper assert map->l_init_called in dlclose
      Add deferred cancellation regression test for getpwuid_r.
      Fix failing pretty printer tests when CPPFLAGS has optimizations.
      Bug 20116: Fix use after free in pthread_create()

Chris Metcalf (6):
      Make sure tilepro uses kernel atomics fo atomic_store
      Make tile's set_dataplane API compatibility-only
      tile: create new math-tests.h header
      build-many-glibcs: Revert -fno-isolate-erroneous-paths options for tilepro
      tile: pass __IPC_64 as zero for SysV IPC calls
      tile: Check for pointer add overflow in memchr

Chung-Lin Tang (1):
      Add ipc_priv.h header for Nios II to set __IPC_64 to zero.

DJ Delorie (1):
      * elf/dl-tunables.c (tunable_set_val_if_valid_range): Split into ...

David S. Miller (4):
      Fix wide-char testsuite SIGBUS on platforms such as Sparc.
      Fix sNaN handling in nearbyint on 32-bit sparc.
      Fix a sparc header conformtest failure.
      sparc: Remove optimized math routines which cause testsuite failures.

Denis Kaganovich (1):
      configure: accept __stack_chk_fail_local for ssp support too [BZ #20662]

Dmitry V. Levin (1):
      Fix typos in the spelling of "implementation"

Ernestas Kulik (1):
      localedata: lt_LT: use hyphens in d_fmt [BZ #20497]

Florian Weimer (100):
      malloc: Preserve arena free list/thread count invariant [BZ #20370]
      malloc: Run tests without calling mallopt [BZ #19469]
      Add support for referencing specific symbol versions
      elf: dl-minimal malloc needs to respect fundamental alignment
      elf: Avoid using memalign for TLS allocations [BZ #17730]
      elf: Do not use memalign for TCB/TLS blocks allocation [BZ #17730]
      x86: Use sysdep.o from libc.a in static libraries
      Add missing reference to bug 20452
      nptl/tst-tls3-malloc: Force freeing of thread stacks
      Add NEWS entry for CVE-2016-6323
      Add CVE-2016-6323 missing from NEWS entry
      Do not override objects in libc.a in other static libraries [BZ #20452]
      nptl/tst-once5: Reduce time to expected failure
      argp: Do not override GCC keywords with macros [BZ #16907]
      string: More tests for strcmp, strcasecmp, strncmp, strncasecmp
      nptl: Avoid expected SIGALRM in most tests [BZ #20432]
      Correct incorrect bug number in changelog
      malloc: Simplify static malloc interposition [BZ #20432]
      Base <sys/quota.h> on Linux kernel headers [BZ #20525]
      vfprintf: Avoid creating a VLA which complicates stack management
      vfscanf: Avoid multiple reads of multi-byte character width
      malloc: Automated part of conversion to __libc_lock
      resolv: Remove _LIBC_REENTRANT
      Remove the ptw-% patterns
      inet: Add __inet6_scopeid_pton function [BZ #20611]
      sysd-rules: Cut down the number of rtld-% pattern rules
      Remove remnants of .og patterns
      sln: Preprocessor cleanups
      Generate .op pattern rules for profiling builds only
      Avoid running $(CXX) during build to obtain header file paths
      Add test case for O_TMPFILE handling in open, openat
      manual: Clarify the documentation of strverscmp [BZ #20524]
      Remove obsolete DNSSEC support [BZ #20591]
      resolv: Remove the BIND_4_COMPAT macro
      <arpa/nameser.h>, <arpa/nameser_compat.h>: Remove versions
      <arpa/nameser.h>: Remove RR type classification macros [BZ #20592]
      malloc: Manual part of conversion to __libc_lock
      resolv: Remove unsupported hook functions from the API [BZ #20016]
      test-skeleton.c: Remove unintended #include <stdarg.h>.
      tst-open-tmpfile: Add checks for open64, openat64, linkat
      manual: Clarify NSS error reporting
      resolv: Deprecate unimplemented flags
      resolv: Remove RES_NOIP6DOTINT and its implementation
      resolv: Remove RES_USEBSTRING and its implementation [BZ #20629]
      resolv: Compile without -Wno-write-strings
      math: Define iszero as a function template for C++ [BZ #20715]
      math.h: Wrap C++ bits in extern "C++"
      iconv: Avoid writable data and relocations in IBM charsets
      iconv: Avoid writable data and relocations in ISO646
      malloc: Remove malloc_get_state, malloc_set_state [BZ #19473]
      malloc: Use accessors for chunk metadata access
      sysmalloc: Initialize previous size field of mmaped chunks
      Add test for linking against most static libraries
      i386: Support CFLAGS which imply -fno-omit-frame-pointer [BZ #20729]
      crypt: Use internal names for the SHA-2 block functions
      malloc: Update comments about chunk layout
      nptl: Document the reason why __kind in pthread_mutex_t is part of the ABI
      s390x: Add hidden definition for __sigsetjmp
      elf: Assume TLS is initialized in _dl_map_object_from_fd
      powerpc: Remove unintended __longjmp symbol from ABI
      powerpc: Add hidden definition for __sigsetjmp
      gconv: Adjust GBK to support the Euro sign
      libio: Limit buffer size to 8192 bytes [BZ #4099]
      Implement _dl_catch_error, _dl_signal_error in libc.so [BZ #16628]
      ld.so: Remove __libc_memalign
      aarch64: Use explicit offsets in _dl_tlsdesc_dynamic
      elf/tst-tls-manydynamic: New test
      support: Introduce new subdirectory for test infrastructure
      inet: Make IN6_IS_ADDR_UNSPECIFIED etc. usable with POSIX [BZ #16421]
      debug: Additional compiler barriers for backtrace tests [BZ #20956]
      Add getentropy, getrandom, <sys/random.h> [BZ #17252]
      Expose linking against libsupport as make dependency
      nptl/tst-cancel7: Add missing case label
      Add missing bug number to ChangeLog
      Do not require memset elimination in explicit_bzero test
      Remove unused function _dl_tls_setup
      scripts/test_printers_common.py: Log GDB error message
      rpcinfo: Remove traces of unbuilt helper program
      sunrpc: Always obtain AF_INET addresses from NSS [BZ #20964]
      resolv: Remove processing of unimplemented "spoof" host.conf options
      Declare getentropy in <unistd.h> [BZ #17252]
      support: Add support for delayed test failure reporting
      Add file missing from ChangeLog in previous commit
      Fix various typos in the ChangeLog
      resolv: Turn historic name lookup functions into compat symbols
      getentropy: Declare it in <unistd.h> for __USE_MISC [BZ #17252]
      support: Helper functions for entering namespaces
      support: Use support_record_failure consistently
      support: Implement --verbose option for test programs
      resolv: Add beginnings of a libresolv test suite
      resolv: Deprecate the "inet6" option and RES_USE_INET6 [BZ #19582]
      resolv: Deprecate RES_BLAST
      tunables: Use correct unused attribute
      CVE-2015-5180: resolv: Fix crash with internal QTYPE [BZ #18784]
      Update DNS RR type definitions [BZ #20593]
      malloc: Run tunables tests only if tunables are enabled
      support: Use %td for pointer difference in xwrite
      support: struct netent portability fix for support_format_netent
      string/tst-strcoll-overflow: Do not accept timeout as test result
      nptl: Add tst-robust-fork

Gabriel F T Gomes (1):
      Fix warning caused by unused-result in bug-atexit3-lib.cc

Gabriel F. T. Gomes (10):
      Add strfromd, strfromf, and strfroml functions
      Use read_int in vfscanf
      Use write_message instead of write
      Write messages to stdout and use write_message instead of write
      Make w_log1p type-generic
      Fix arg used as litteral suffix in tst-strfrom.h
      Make w_scalbln type-generic
      Replace use of snprintf with strfrom in libm tests
      Fix typo in manual for iseqsig
      Move wrappers to libm-compat-calls-auto

H.J. Lu (8):
      X86: Change bit_YMM_state to (1 << 2)
      X86-64: Correct CFA in _dl_runtime_resolve
      X86-64: Add _dl_runtime_resolve_avx[512]_{opt|slow} [BZ #20508]
      X86: Don't assert on older Intel CPUs [BZ #20647]
      Check IFUNC definition in unrelocated shared library [BZ #20019]
      X86_64: Don't use PLT nor GOT in static archives [BZ #20750]
      Add VZEROUPPER to memset-vec-unaligned-erms.S [BZ #21081]
      Allow IFUNC relocation against unrelocated shared library

Jakub Jelinek (1):
      * soft-fp/op-common.h (_FP_MUL, _FP_FMA, _FP_DIV): Add

James Clarke (1):
      Bug 21053: sh: Reduce namespace pollution from sys/ucontext.h

James Greenhalgh (1):
      [soft-fp] Add support for various half-precision conversion routines.

Jim Meyering (1):
      assert.h: allow gcc to detect assert(a = 1) errors

John David Anglin (1):
      hppa: Optimize atomic_compare_and_exchange_val_acq

Joseph Myers (181):
      Support __STDC_WANT_LIB_EXT2__ feature test macro.
      Define PF_QIPCRTR, AF_QIPCRTR from Linux 4.7 in bits/socket.h.
      Define UDP_ENCAP_* from Linux 4.7 in netinet/udp.h.
      Support __STDC_WANT_IEC_60559_BFP_EXT__ feature test macro.
      Fix typo in last arith.texi change.
      Support __STDC_WANT_IEC_60559_FUNCS_EXT__ feature test macro.
      Also handle __STDC_WANT_IEC_60559_BFP_EXT__ in <tgmath.h>.
      Do not call __nan in scalb functions.
      Fix math.h comment about bits/mathdef.h.
      Add tests for fegetexceptflag, fesetexceptflag.
      Fix powerpc fesetexceptflag clearing FE_INVALID (bug 20455).
      Fix test-fexcept when "inexact" implicitly raised.
      Add comment from sysdeps/powerpc/fpu/fraiseexcpt.c to fsetexcptflg.c.
      Add fesetexcept.
      Add fesetexcept: aarch64.
      Add fesetexcept: alpha.
      Add fesetexcept: arm.
      Add fesetexcept: hppa.
      Add fesetexcept: ia64.
      Add fesetexcept: m68k.
      Add fesetexcept: mips.
      Add fesetexcept: powerpc.
      Add fesetexcept: s390.
      Add fesetexcept: sh.
      Add fesetexcept: sparc.
      Fix soft-fp extended.h unpacking (GCC bug 77265).
      Add fetestexceptflag.
      Add femode_t functions.
      Add femode_t functions: aarch64.
      Add femode_t functions: alpha.
      Add femode_t functions: arm.
      Add femode_t functions: hppa.
      Add femode_t functions: ia64.
      Add femode_t functions: m68k.
      Add femode_t functions: mips.
      Add femode_t functions: powerpc.
      Add femode_t functions: s390.
      Add femode_t functions: sh.
      Add femode_t functions: sparc.
      Add e500 version of fetestexceptflag.
      Add <limits.h> integer width macros.
      Add <stdint.h> integer width macros.
      Add issubnormal.
      Add iszero.
      Fix iszero for excess precision.
      Add iscanonical.
      Fix ldbl-128ibm iscanonical for -mlong-double-64.
      Use __builtin_fma more in dbl-64 code.
      Add TCP_REPAIR_WINDOW from Linux 4.8.
      Fix LONG_WIDTH, ULONG_WIDTH include ordering issue.
      Add iseqsig.
      Make iseqsig handle excess precision.
      Avoid M_NAN + M_NAN in complex functions.
      Add totalorder, totalorderf, totalorderl.
      Add more totalorder tests.
      Clean up some complex functions raising FE_INVALID.
      Add totalordermag, totalordermagf, totalordermagl.
      Define HIGH_ORDER_BIT_IS_SET_FOR_SNAN to 0 or 1.
      Add getpayload, getpayloadf, getpayloadl.
      Stop powerpc copysignl raising "invalid" for sNaN argument (bug 20718).
      Use VSQRT instruction for ARM sqrt (bug 20660).
      Use -fno-builtin for sqrt benchmark.
      Fix cmpli usage in power6 memset.
      Add getpayloadl to libnldbl.
      Add canonicalize, canonicalizef, canonicalizel.
      Make strtod raise "inexact" exceptions (bug 19380).
      Add SNAN, SNANF, SNANL macros.
      Correct clog10 documentation (bug 19673).
      Fix linknamespace parallel test failures.
      Handle tilegx* machine names.
      Add localplt.data for MIPS.
      XFAIL check-execstack for MIPS.
      Make MIPS <sys/user.h> self-contained.
      Do not hardcode platform names in manual/libm-err-tab.pl (bug 14139).
      Fix alpha sqrt fegetenv namespace (bug 20768).
      Handle tests-unsupported if run-built-tests = no.
      Do not generate UNRESOLVED results for run-built-tests = no.
      Make check-installed-headers.sh ignore sys/sysctl.h for x32.
      Update nios2 localplt.data.
      Update alpha localplt.data.
      Add localplt.data for hppa.
      Add localplt.data for sh.
      Fix rpcgen buffer overrun (bug 20790).
      Refactor some libm type-generic macros.
      Make SH <sys/user.h> self-contained.
      Ignore -Wmaybe-uninitialized in stdlib/bug-getcontext.c.
      Add script to build many glibc configurations.
      Make tilegx32 install libraries in lib32 directories.
      Fix build-many-glibcs.py style issues.
      Make SH ucontext always match current kernels.
      Fix SH4 register-dump.h for soft-float.
      Fix crypt snprintf namespace (bug 20829).
      Enable linknamespace testing for libdl and libcrypt.
      Make Alpha <sys/user.h> self-contained.
      Actually use newly built host libraries in build-many-glibcs.py.
      Quote shell commands in logs from build-many-glibcs.py.
      Add setpayload, setpayloadf, setpayloadl.
      Make build-many-glibcs.py use -fno-isolate-erroneous-paths options for tilepro.
      Fix default float_t definition (bug 20855).
      Fix x86_64 -mfpmath=387 float_t, double_t (bug 20787).
      Fix SH4 FP_ILOGB0 (bug 20859).
      More NEWS entries / fixes for float_t / double_t changes.
      Refactor float_t, double_t information into bits/flt-eval-method.h.
      Make build-many-glibcs.py track component versions requested and used.
      Add setpayloadsig, setpayloadsigf, setpayloadsigl.
      Make build-many-glibcs.py re-exec itself if changed by checkout.
      Make build-many-glibcs.py store more information about builds.
      Do not include asm/cachectl.h in nios2 sys/cachectl.h.
      Fix sysdeps/ia64/fpu/libm-symbols.h for inclusion in testcases.
      Work around IA64 tst-setcontext2.c compile failure.
      Make ilogb wrappers type-generic.
      Refactor FP_FAST_* into bits/fp-fast.h.
      Add build-many-glibcs.py bot-cycle action.
      Make build-many-glibcs.py support running as a bot.
      Refactor FP_ILOGB* out of bits/mathdef.h.
      Add missing hidden_def (__sigsetjmp).
      Make ldbl-128 getpayload, setpayload functions use _Float128.
      Add llogb, llogbf, llogbl.
      Fix pow (qNaN, 0) result with -lieee (bug 20919), remove dead parts of wrappers.
      Fix sysdeps/ieee754 pow handling of sNaN arguments (bug 20916).
      Fix x86_64/x86 powl handling of sNaN arguments (bug 20916).
      Fix hypot sNaN handling (bug 20940).
      Fix typo in last ChangeLog message.
      Add build-many-glibcs.py option to strip installed shared libraries.
      Fix tests-printers handling for cross compiling.
      Use Linux 4.9 (headers) in build-many-glibcs.py.
      Add [BZ #19398] marker to ChangeLog entry.
      Include <linux/falloc.h> in bits/fcntl-linux.h.
      Refactor long double information into bits/long-double.h.
      Fix generic fmax, fmin sNaN handling (bug 20947).
      Fix powerpc fmax, fmin sNaN handling (bug 20947).
      Fix x86, x86_64 fmax, fmin sNaN handling, add tests (bug 20947).
      Make build-many-glibcs.py flush stdout before execv.
      Define FE_SNANS_ALWAYS_SIGNAL.
      Document sNaN argument error handling.
      Add fmaxmag, fminmag functions.
      Add preprocessor indentation for llogb macro in tgmath.h.
      Add roundeven, roundevenf, roundevenl.
      Update miscellaneous files from upstream sources.
      Fix nss_nisplus build with mainline GCC (bug 20978).
      Update NEWS feature test macro description of TS 18661-1 support.
      Fix tst-support_record_failure-2 for run-built-tests = no.
      Define __intmax_t, __uintmax_t in bits/types.h.
      Add fromfp functions.
      Update copyright dates with scripts/update-copyrights.
      Update copyright dates not handled by scripts/update-copyrights.
      Update config.guess and config.sub to current versions.
      Make build-many-glibcs.py use binutils 2.28 branch by default.
      Correct MIPS math-tests.h condition for sNaN payload preservation.
      Fix math/test-nearbyint-except for no-exceptions configurations.
      Add build-many-glibcs.py powerpc-linux-gnu-power4 build.
      Fix MIPS n32 lseek, lseek64 (bug 21019).
      Fix elf/tst-ldconfig-X for cross testing.
      Fix math/test-fenvinline for no-exceptions configurations.
      Update i386 libm-test-ulps.
      Fix MicroBlaze __backtrace get_frame_size namespace (bug 21022).
      Make MIPS soft-fp preserve NaN payloads for NAN2008.
      Fix MicroBlaze bits/setjmp.h for C++.
      Update libm-test XFAILs for ibm128 format.
      Fix malloc/ tests for GCC 7 -Walloc-size-larger-than=.
      Fix string/tester.c for GCC 7 -Wstringop-overflow=.
      Fix MIPS n64 readahead (bug 21026).
      Increase some test timeouts.
      Make fallback fesetexceptflag always succeed (bug 21028).
      Update MicroBlaze localplt.data.
      Fix math/test-fenv for no-exceptions / no-rounding-modes configurations.
      Improve libm-test XFAILing for ibm128-libgcc.
      XFAIL libm-test.inc tests as needed for ibm128.
      Fix elf/sotruss-lib format-truncation error.
      Fix ld-address format-truncation error.
      Fix testsuite build for GCC 7 -Wformat-truncation.
      Make endian-conversion macros always return correct types (bug 16458).
      Make fallback fegetexceptflag work with generic fetestexceptflag.
      Fix MIPS o32 posix_fadvise.
      Make soft-float powerpc swapcontext restore the signal mask (bug 21045).
      Update install.texi latest GCC version known to work.
      Avoid parallel GCC install in build-many-glibcs.py.
      Fix ARM fpu_control.h for assemblers requiring VFP insn names (bug 21047).
      Restore clock_* librt exports for MicroBlaze (bug 21061).
      Update README.libm-test.
      Remove very old libm-test-ulps entries.

Maciej W. Rozycki (2):
      MIPS: Add `.insn' to ensure a text label is defined as code not data
      MIPS: Use R_MICROMIPS_JALR rather than R_MIPS_JALR in microMIPS code

Mark Wielaard (1):
      Reduce memory size of tsearch red-black tree.

Martin Galvan (3):
      Add pretty printers for the NPTL lock types
      Add -B to python invocation to avoid generating pyc files
      Fix up tabs/spaces mismatches

Martin Pitt (1):
      locales: en_CA: update d_fmt [BZ #9842]

Mike Frysinger (5):
      localedata: change M$ to Microsoft
      ChangeLog: change Winblowz to Windows
      ChangeLog: fix date
      localedata: GBK: add mapping for 0x80->Euro sign [BZ #20864]
      localedata: bs_BA: fix yesexpr/noexpr [BZ #20974]

Märt Põder (1):
      locales: et_EE: locale has wrong {p,n}_cs_precedes value [BZ #20459]

Nick Alcock (14):
      Move all tests out of the csu subdirectory
      x86_64: tst-quad1pie, tst-quad2pie: compile with -fPIE [BZ #7065]
      Configure support for --enable-stack-protector [BZ #7065]
      Initialize the stack guard earlier when linking statically [BZ #7065]
      Do not stack-protect ifunc resolvers [BZ #7065]
      Disable stack protector in early static initialization [BZ #7065]
      Compile the dynamic linker without stack protection [BZ #7065]
      Ignore __stack_chk_fail* in the rtld mapfile computation [BZ #7065]
      Work even with compilers which enable -fstack-protector by default [BZ #7065]
      PLT avoidance for __stack_chk_fail [BZ #7065]
      Link a non-libc-using test with -fno-stack-protector [BZ #7065]
      Drop explicit stack-protection of pieces of the system [BZ #7065]
      Do not stack-protect sigreturn stubs [BZ #7065]
      Enable -fstack-protector=* when requested by configure [BZ #7065]

Paul E. Murphy (28):
      Remove tacit double usage in ldbl-128
      Refactor part of math Makefile
      Unify drift between _Complex function type variants
      Improve gen-libm-test.pl LIT() application
      Support for type-generic libm function implementations libm
      ldbl-128: Remove unused sqrtl declaration in e_asinl.c
      Add tst-wcstod-round
      Prepare to convert _Complex cosine functions
      Convert _Complex cosine functions to generated code
      Merge common usage of mul_split function
      Prepare to convert _Complex sine functions
      Convert _Complex sine functions to generated code
      Prepare to convert _Complex tangent functions
      Convert _Complex tangent functions to generated code
      sparcv9: Restore fdiml@GLIBC_2.1
      Prepare to convert remaining _Complex functions
      Convert remaining complex function to generated files
      ldbl-128: Rename 'long double' to '_Float128'
      ldbl-128: Cleanup e_gammal_r.c after _Float128 rename
      Make common fdim implementation generic.
      Make common nextdown implementation generic.
      Make common fmax implementation generic.
      Make common fmin implementation generic.
      Remove unneeded stubs for k_rem_pio2l.
      ldbl-128: Use L(x) macro for long double constants
      Make ldexpF generic.
      Remove __nan{f,,l} macros
      Build s_nan* objects from a generic template

Paul Murphy (1):
      powerpc: Cleanup fenv_private.h

Rajalakshmi Srinivasaraghavan (5):
      Refactor strtod tests
      Add tests for strfrom functions
      powerpc: strcmp optimization for power9
      powerpc: strncmp optimization for power9
      powerpc64: strchr/strchrnul optimization for power8

Rasmus Villemoes (1):
      linux: spawni.c: simplify error reporting to parent

Rical Jasan (28):
      Manual typos: Input/Output on Streams
      Manual typos: Low-Level Input/Output
      Manual typos: File System Interface
      Manual typos: Sockets
      Manual typos: Low-Level Terminal Interface
      Manual typos: Syslog
      Manual typos: Mathematics
      Manual typos: Arithmetic Functions
      Manual typos: Date and Time
      Manual typos: Resource Usage and Limitation
      Manual typos: Non-Local Exits
      Manual typos: Signal Handling
      Manual typos: The Basic Program/System Interface
      Manual typos: Processes
      Manual typos: Job Control
      Manual typos: Users and Groups
      Manual typos: System Management
      Manual typos: System Configuration Parameters
      Manual typos: DES Encryption and Password Handling
      Manual typos: Debugging support
      Manual typos: POSIX Threads
      Manual typos: Internal probes
      Manual typos: C Language Facilities in the Library
      Manual typos: Installing
      Manual typos: Library Maintenance
      Manual typos: Contributors to
      manual: Remove non-existent mount options S_IMMUTABLE and S_APPEND [BZ #11235]
      manual: Convert @tables of variables to @vtables.

Richard Henderson (1):
      alpha: Use saturating arithmetic in memchr

Roland McGrath (3):
      NaCl: Fix compile error in clock function.
      Fix generic wait3 after union wait_status removal.
      NaCl: Fix compile error for __dup after libc_hidden_proto addition.

Samuel Thibault (12):
      Fix recvmsg returning SIGLOST on PF_LOCAL sockets
      mach: Add more allowed external headers
      hurd: fix pathconf visibility
      hurd: fix fcntl visibility
      Fix exc2signal.c template
      mach: Fix old-style function definition.
      Fix old-style function definition
      hurdmalloc: Run fork handler as late as possible [BZ #19431]
      hurd: Fix stack pointer corruption in syscall
      hurd: Fix unused variable warning
      hurd: fix using hurd/signal.h in C++ programs
      hurd: fix using hurd.h in C++ programs

Siddhesh Poyarekar (47):
      Consolidate reduce_and_compute code
      Add fall through comments
      Use fabs(x) instead of branching on signedness of input to sin and cos
      Consolidate input partitioning into do_cos and do_sin
      Use do_sin for sin(x) where 0.25 < |x| < 0.855469
      Inline all support functions for sin and cos
      Remove __libc_csu_irel declaration
      Add tests-static to tests in malloc/Makefile
      consolidate sign checks for slow2
      Use copysign instead of ternary conditions for positive constants
      Use copysign instead of ternary for some sin/cos input ranges
      Make the quadrant shift K a bool in do_sincos_* functions
      Check n instead of k1 to decide on sign of sin/cos result
      Manual typos: System Databases and Name Service Switch
      Make quadrant shift a boolean in reduce_and_compute in s_sin.c
      Adjust calls to do_sincos_1 and do_sincos_2 in s_sincos.c
      Update comments for some functions in s_sin.c
      Add note on MALLOC_MMAP_* environment variables
      Document the M_ARENA_* mallopt parameters
      Remove references to sbrk to grow/shrink arenas
      Remove redundant definitions of M_ARENA_* macros
      Static inline functions for mallopt helpers
      Regenerate ULPs for aarch64
      Add ChangeLog for previous commit
      Link benchset tests against libsupport
      Add configure check for python program
      Fix pretty printer tests for run-built-tests == no
      Add framework for tunables
      Initialize tunable list with the GLIBC_TUNABLES environment variable
      Enhance --enable-tunables to select tunables frontend at build time
      User manual documentation for tunables
      Add NEWS item for tunables
      tunables: Avoid getenv calls and disable glibc.malloc.check by default
      Regenerate libc.pot
      Update translations from the Translation Project
      Merge translations from the Translation Project
      Fix typo in NEWS
      Merge translations from the Translation Project
      Fix environment traversal when an envvar value is empty
      Add target to incorporate translations from translations.org
      tunables: Fix environment variable processing for setuid binaries (bz #21073)
      Drop GLIBC_TUNABLES for setxid programs when tunables is disabled (bz #21073)
      tunables: Fail tests correctly when setgid does not work
      Add missing NEWS items
      Add list of bugs fixed in 2.25
      Add more contributors to contrib.texi
      Update for 2.25 release

Stefan Liebler (22):
      Get rid of array-bounds warning in __kernel_rem_pio2[f] with gcc 6.1 -O3.
      S390: Do not set FE_INEXACT with feraiseexcept (FE_OWERFLOW|FE_UNDERFLOW).
      S390: Support PLT and GOT references in check-localplt.
      S390: Regenerate ULPs
      Add configure check to test if gcc supports attribute ifunc.
      Use gcc attribute ifunc in libc_ifunc macro instead of inline assembly due to false debuginfo.
      s390: Refactor ifunc resolvers due to false debuginfo.
      i386, x86: Use libc_ifunc macro for time, gettimeofday.
      ppc: Use libc_ifunc macro for time, gettimeofday.
      Use libc_ifunc macro for clock_* symbols in librt.
      Use libc_ifunc macro for system in libpthread.
      Use libc_ifunc macro for vfork in libpthread.
      Use libc_ifunc macro for siglongjmp, longjmp in libpthread.
      S390: Fix fp comparison not raising FE_INVALID.
      Fix new testcase elf/tst-latepthread on s390x.
      S390: Regenerate ULPs.
      S390: Use C11-like atomics instead of plain memory accesses in lock elision code.
      S390: Use own tbegin macro instead of __builtin_tbegin.
      S390: Use new __libc_tbegin_retry macro in elision-lock.c.
      S390: Optimize lock-elision by decrementing adapt_count at unlock.
      S390: Fix FAIL in test string/tst-xbzero-opt [BZ #21006]
      S390: Adjust lock elision code after review.

Steve Ellcey (14):
      Fix -Wformat-length warning in tst-setgetname.c
      Fix warning from latest GCC in tst-printf.c
      Fix -Wformat-length warning in time/tst-strptime2.c
      Define wordsize.h macros everywhere
      Speed up math/test-tgmath2.c
      Document do_test in test-skeleton.c
      Define __ASSUME_ST_INO_64_BIT on all platforms.
      Add definitions to sysdeps/tile/tilepro/bits/wordsize.h.
      Always define XSTAT_IS_XSTAT64
      Allow [f]statfs64 to alias [f]statfs
      Fix for [f]statfs64/[f]statfs aliasing patch
      Partial ILP32 support for aarch64.
      Use XSTAT_IS_XSTAT64 in generic xstat functions
      Add comments to check-c++-types.sh.

Svante Signell (1):
      hurd: Fix adjtime call with OLDDELTA == NULL

Szabolcs Nagy (1):
      Make build-many-glibcs.py work on python3.2

Tom Tromey (1):
      Update and install proc_service.h [BZ #20311]

Torvald Riegel (12):
      Add atomic_exchange_relaxed.
      Add atomic operations required by the new condition variable.
      Fix incorrect double-checked locking related to _res_hconf.initialized.
      Use C11-like atomics instead of plain memory accesses in x86 lock elision.
      Robust mutexes: Fix lost wake-up.
      New condvar implementation that provides stronger ordering guarantees.
      Fix pthread_cond_t on sparc for new condvar.
      New pthread rwlock that is more scalable.
      robust mutexes: Fix broken x86 assembly by removing it
      Clear list of acquired robust mutexes in the child process after forking.
      Add compiler barriers around modifications of the robust mutex list.
      Fix mutex pretty printer test and pretty printer output.

Tulio Magno Quites Machado Filho (9):
      powerpc: Fix POWER9 implies
      powerpc: Installed-header hygiene
      powerpc: Regenerate ULPs
      powerpc: Fix TOC stub on powerpc64 clone()
      Document a behavior of an elided pthread_rwlock_unlock
      powerpc: Fix powerpc32/power7 memchr for large input sizes
      powerpc: Fix write-after-destroy in lock elision [BZ #20822]
      powerpc: Regenerate ULPs
      powerpc: Fix adapt_count update in __lll_unlock_elision

Wilco Dijkstra (4):
      An optimized memchr was missing for AArch64.  This version is similar to
      Improve generic rawmemchr for targets that don't have an
      Improve strtok and strtok_r performance.  Instead of calling strpbrk which
      This patch cleans up the strsep implementation and improves performance.

Yury Norov (1):
      * sysdeps/unix/sysv/linux/fxstat.c: Remove useless cast.

Zack Weinberg (20):
      Add utility macros for clang detection, and deprecation with messages.
      Minimize sysdeps code involved in defining major/minor/makedev.
      Deprecate inclusion of <sys/sysmacros.h> by <sys/types.h>
      Add tests for fortification of bcopy and bzero.
      Installed-header hygiene (BZ#20366): Simple self-contained fixes.
      Installed-header hygiene (BZ#20366): obsolete BSD u_* types.
      Installed-header hygiene (BZ#20366): conditionally defined structures.
      Installed-header hygiene (BZ#20366): time.h types.
      Installed-header hygiene (BZ#20366): stack_t.
      Installed header hygiene (BZ#20366): Test of installed headers.
      Minor correction to the "installed header hygiene" patches.
      Minor corrections to scripts/check-installed-headers.sh.
      [BZ #19239] Issue deprecation warnings on macro expansion.
      Fix typo in string/bits/string2.h.
      Fix build-and-build-again bug in sunrpc tests.
      Forgot to add the ChangeLog to the previous commit, doh.
      Correct comments in string.h re strcoll_l, strxfrm_l.
      Minor problems exposed by compiling C++ tests under _ISOMAC.
      Make _REENTRANT and _THREAD_SAFE aliases for _POSIX_C_SOURCE=199506L.
      New string function explicit_bzero (from OpenBSD).

steve ellcey-CA Eng-Software (1):
      Fix warnings from latest GCC.

-----------------------------------------------------------------------