posix: Add terminal control setting support for posix_spawn
Currently there is no proper way to set the controlling terminal through
posix_spawn in race free manner [1]. This forces shell implementations
to keep using fork+exec when launching background process groups,
even when using posix_spawn yields better performance.
This patch adds a new GNU extension so the creating process can
configure the created process terminal group. This is done with a new
flag, POSIX_SPAWN_TCSETPGROUP, along with two new attribute functions:
posix_spawnattr_tcsetpgrp_np, and posix_spawnattr_tcgetpgrp_np.
The function sets a new attribute, spawn-tcgroupfd, that references to
the controlling terminal.
The controlling terminal is set after the spawn-pgroup attribute, and
uses the spawn-tcgroupfd along with current creating process group
(so it is composable with POSIX_SPAWN_SETPGROUP).
To create a process and set the controlling terminal, one can use the
following sequence:
The controlling terminal file descriptor is ignored if the new flag is
not set.
This interface is slight different than the one provided by QNX [2],
which only provides the POSIX_SPAWN_TCSETPGROUP flag. The QNX
documentation does not specify how the controlling terminal is obtained
nor how it iteracts with POSIX_SPAWN_SETPGROUP. Since a glibc
implementation is library based, it is more straightforward and avoid
requires additional file descriptor operations to request the caller
to setup the controlling terminal file descriptor (and it also allows
a bit less error handling by posix_spawn).
Andreas Schwab [Tue, 18 Jan 2022 15:31:39 +0000 (16:31 +0100)]
Fix handling of unterminated bracket expressions in fnmatch (bug 28792)
When fnmatch processes a bracket expression, and eventually finds it to be
unterminated, it should rescan it, treating the starting bracket as a
normal character. That didn't happen when a matching character was found
while scanning the bracket expression.
H.J. Lu [Tue, 21 Dec 2021 20:25:20 +0000 (12:25 -0800)]
elf: Add a test for PT_LOAD segments with p_align == 1 [BZ #28688]
Add tst-p_alignmod2-edit to edit the copy of tst-p_alignmod-base.so to
set p_align of the first PT_LOAD segment to 1 and verify that the shared
library can be loaded normally.
H.J. Lu [Tue, 21 Dec 2021 02:33:55 +0000 (18:33 -0800)]
elf: Add a test for PT_LOAD segments with mixed p_align [BZ #28676]
Add tst-p_alignmod1-edit to edit the copy of tst-p_alignmod-base.so to
reduce p_align of the first PT_LOAD segment by half and verify that the
shared library is mapped with the maximum p_align of all PT_LOAD segments.
H.J. Lu [Fri, 15 Oct 2021 13:33:05 +0000 (06:33 -0700)]
Add and use link-test-modules-rpath-link [BZ #28455]
DT_RUNPATH is only used to find the immediate dependencies of the
executable or shared object containing the DT_RUNPATH entry:
1. Define link-test-modules-rpath-link if $(build-hardcoded-path-in-tests)
is yes.
2. Use $(link-test-modules-rpath-link) in build-module-helper so that
test modules can dlopen modules with DT_RUNPATH.
3. Add a test to show why link-test-modules-rpath-link is needed.
getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999)
No valid path returned by getcwd would fit into 1 byte, so reject the
size early and return NULL with errno set to ERANGE. This change is
prompted by CVE-2021-3999, which describes a single byte buffer
underflow and overflow when all of the following conditions are met:
- The buffer size (i.e. the second argument of getcwd) is 1 byte
- The current working directory is too long
- '/' is also mounted on the current working directory
Sequence of events:
- In sysdeps/unix/sysv/linux/getcwd.c, the syscall returns ENAMETOOLONG
because the linux kernel checks for name length before it checks
buffer size
- The code falls back to the generic getcwd in sysdeps/posix
- In the generic func, the buf[0] is set to '\0' on line 250
- this while loop on line 262 is bypassed:
while (!(thisdev == rootdev && thisino == rootino))
since the rootfs (/) is bind mounted onto the directory and the flow
goes on to line 449, where it puts a '/' in the byte before the
buffer.
- Finally on line 458, it moves 2 bytes (the underflowed byte and the
'\0') to the buf[0] and buf[1], resulting in a 1 byte buffer overflow.
- buf is returned on line 469 and errno is not set.
Check if whether valgrind is available in the test environment.
If not, skip the test. Run smoke tests with valgrind to verify dynamic loader.
First, check if algrind works with the system ld.so in the test
environment. Then run the actual test inside the test environment,
using the just build ld.so and new libraries.
Samuel Thibault [Sat, 22 Jan 2022 00:12:05 +0000 (00:12 +0000)]
htl: Fix cleaning the reply port
If any RPC fails, the reply port will already be deallocated.
__pthread_thread_terminate thus has to defer taking its name until the very last
__thread_terminate_release which doesn't reply a message. But then we
have to read from the pthread structure.
This introduces __pthread_dealloc_finish() which does the recording of
the thread termination, so the slot can be reused really only just before
the __thread_terminate_release call. Only the real thread can set it, so
let's decouple this from the pthread_state by just removing the
PTHREAD_TERMINATED state and add a terminated field.
realpath: Set errno to ENAMETOOLONG for result larger than PATH_MAX [BZ #28770]
realpath returns an allocated string when the result exceeds PATH_MAX,
which is unexpected when its second argument is not NULL. This results
in the second argument (resolved) being uninitialized and also results
in a memory leak since the caller expects resolved to be the same as the
returned value.
Return NULL and set errno to ENAMETOOLONG if the result exceeds
PATH_MAX. This fixes [BZ #28770], which is CVE-2021-3998.
support: Add helpers to create paths longer than PATH_MAX
Add new helpers support_create_and_chdir_toolong_temp_directory and
support_chdir_toolong_temp_directory to create and descend into
directory trees longer than PATH_MAX.
introduced LLL_MUTEX_READ_LOCK, to skip CAS in spinlock loop
if atomic load fails. But, "continue" inside of do-while loop
does not skip the evaluation of escape expression, thus CAS
is not skipped.
Replace do-while with while and skip LLL_MUTEX_TRYLOCK if
LLL_MUTEX_READ_LOCK fails.
Samuel Thibault [Mon, 17 Jan 2022 23:18:20 +0000 (23:18 +0000)]
htl: Fix build error in annexc
We were getting
../scripts/evaluate-test.sh posix/annexc $? true false > /usr/src/glibc-upstream/build/posix/annexc.test-result
In file included from ../include/pthread.h:1,
from <stdin>:1:
../sysdeps/htl/include/pthread.h:7:62: error: missing binary operator before token "("
7 | # if defined __USE_EXTERN_INLINES && defined _LIBC && !IS_IN (libsupport)
| ^
Aurelien Jarno [Mon, 17 Jan 2022 18:41:40 +0000 (19:41 +0100)]
x86: use default cache size if it cannot be determined [BZ #28784]
In some cases (e.g QEMU, non-Intel/AMD CPU) the cache information can
not be retrieved and the corresponding values are set to 0.
Commit 2d651eb9265d ("x86: Move x86 processor cache info to
cpu_features") changed the behaviour in such case by defining the
__x86_shared_cache_size and __x86_data_cache_size variables to 0 instead
of using the default values. This cause an issue with the i686 SSE2
optimized bzero/routine which assumes that the cache size is at least
128 bytes, and otherwise tries to zero/set the whole address space minus
128 bytes.
Fix that by restoring the original code to only update
__x86_shared_cache_size and __x86_data_cache_size variables if the
corresponding cache sizes are not zero.
It is similar to epoll_wait, with the difference the timeout has
nanosecond resoluting by using struct timespec instead of int.
Although Linux interface only provides 64 bit time_t support, old
32 bit interface is also provided (so keep in sync with current
practice and to no force opt-in on 64 bit time_t).
H.J. Lu [Sat, 15 Jan 2022 22:23:20 +0000 (14:23 -0800)]
Properly handle --disable-default-pie [BZ #28780]
When --disable-default-pie is used, all glibc programs and the testsuite
should be built as position dependent executables (non-PIE), regardless
if the build compiler supports PIE or static PIE.
When --disable-default-pie is used, don't build static PIE by default.
elf: Fix 64 time_t support for installed statically binaries
The usage of internal static symbol for statically linked binaries
does not work correctly for objects built with -D_TIME_BITS=64,
since the internal definition does not provide the expected aliases.
This patch makes it to use the default stat functions instead (which
uses the default 64 time_t alias and types).
Checked on i686-linux-gnu.
Reviewed-by: Carlos O'Donell <carlos@redhat.com> Tested-by: Carlos O'Donell <carlos@redhat.com>
Florian Weimer [Mon, 17 Jan 2022 08:57:19 +0000 (09:57 +0100)]
elf: Set l_contiguous to 1 for the main map in more cases
l_contiguous was not initialized at all for the main map and
always 0. This commit adds code to check if the LOAD segments
are adjacent to each other, and sets l_contiguous accordingly.
This helps _dl_find_object because it is more efficient if the
main mapping is contiguous.
Note that not all (PIE or non-PIE) binaries are contiguous in this
way because BFD ld creates executables with LOAD holes:
ELF LOAD segments creating holes in the process image on GNU/Linux
https://sourceware.org/pipermail/binutils/2022-January/119082.html
https://sourceware.org/bugzilla/show_bug.cgi?id=28743
Samuel Thibault [Sat, 15 Jan 2022 16:35:51 +0000 (17:35 +0100)]
htl: Hide __pthread_attr's __schedparam type [BZ #23088]
The content of the structure is only used internally, so we can make
__pthread_attr_getschedparam and __pthread_attr_setschedparam convert
between the public sched_param type and an internal __sched_param.
This allows to avoid to spuriously expose the sched_param type.
Samuel Thibault [Sat, 15 Jan 2022 13:55:23 +0000 (14:55 +0100)]
hurd: Fix pthread_kill on exiting/ted thread
We have to drop the kernel_thread port from the thread structure, to
avoid pthread_kill's call to _hurd_thread_sigstate trying to reference
it and fail.
Florian Weimer [Fri, 14 Jan 2022 19:16:05 +0000 (20:16 +0100)]
x86: Add x86-64-vN check to early startup
This ISA level covers the glibc build itself. <dl-hwcap-check.h>
cannot be used because this check (by design) happens before
DL_PLATFORM_INIT and the x86 CPU flags initialization.
Florian Weimer [Fri, 14 Jan 2022 15:09:20 +0000 (16:09 +0100)]
Generate gcc-macros.h
The file can be used to check the effect of the default compiler
flags on code generation even in areas of the build that uses
non-default compiler flags.
$ cat nptl/test-condattr-printers.out
Error: Response does not match the expected pattern.
Command: start
Expected pattern: main
Response: Temporary breakpoint 1 at 0x11d5: file test-condattr-printers.c, line 43.
Starting program: /export/build/gnu/tools-build/glibc-cet-gitlab/build-x86_64-linux/nptl/test-condattr-printers
This GDB supports auto-downloading debuginfo from the following URLs:
https://debuginfod.fedoraproject.org/
Enable debuginfod for this session? (y or [n])
Disable debuginfod to avoid GDB messages. This fixes BZ #28757.
Joseph Myers [Thu, 13 Jan 2022 22:18:13 +0000 (22:18 +0000)]
Update syscall lists for Linux 5.16
Linux 5.16 has one new syscall, futex_waitv. Update
syscall-names.list and regenerate the arch-syscall.h headers with
build-many-glibcs.py update-syscalls.
The configure check for CAN_USE_REGISTER_ASM_EBP tried to compile a
simple function that uses %ebp as an inline assembly operand. If
compilation failed, CAN_USE_REGISTER_ASM_EBP was set 0, which
eventually had these consequences:
(1) %ebx was avoided as an inline assembly operand, with an
assembler macro hack to avoid unnecessary register moves.
(2) %ebp was avoided as an inline assembly operand, using an
out-of-line syscall function for 6-argument system calls.
(1) is no longer needed for any GCC version that is supported for
building glibc. %ebx can be used directly as a register operand.
Therefore, this commit removes the %ebx avoidance completely. This
avoids the assembler macro hack, which turns out to be incompatible
with the current Systemtap probe macros (which switch to .altmacro
unconditionally).
(2) is still needed in many build configurations. The existing
configure check cannot really capture that because the simple function
succeeds to compile, while the full glibc build still fails.
Therefore, this commit removes the check, the CAN_USE_REGISTER_ASM_EBP
macro, and uses the out-of-line syscall function for 6-argument system
calls unconditionally.
debug: Synchronize feature guards in fortified functions [BZ #28746]
Some functions (e.g. stpcpy, pread64, etc.) had moved to POSIX in the
main headers as they got incorporated into the standard, but their
fortified variants remained under __USE_GNU. As a result, these
functions did not get fortified when _GNU_SOURCE was not defined.
Add test wrappers that check all functions tested in tst-chk0 at all
levels with _GNU_SOURCE undefined and then use the failures to (1)
exclude checks for _GNU_SOURCE functions in these tests and (2) Fix
feature macro guards in the fortified function headers so that they're
the same as the ones in the main headers.
Rename debug/tst-chk1.c to debug/tst-fortify.c and add make hackery to
autogenerate tests with different macros enabled to build and run the
same test with different configurations as well as different
fortification levels.
The change also ends up expanding the -lfs tests to include
_FORTIFY_SOURCE=3.
The __convert_scm_timestamps() only updates the control message last
pointer for SOL_SOCKET type, so if the message control buffer contains
multiple ancillary message types the converted timestamp one might
overwrite a valid message.
The test check if the extra ancillary space is correctly handled
by recvmsg/recvmmsg, where if there is no extra space for the 64-bit
time_t converted message the control buffer should be marked with
MSG_TRUNC. It also check if recvmsg/recvmmsg handle correctly multiple
ancillary data.
Checked on x86_64-linux and on i686-linux-gnu on both 5.11 and
4.15 kernel.
Check if the socket support 64-bit network packages timestamps
(SO_TIMESTAMP and SO_TIMESTAMPNS). This will be used on recvmsg
and recvmmsg tests to check if the timestamp should be generated.
elf: Fix 64 time_t support for installed statically binaries
The usage of internal static symbol for statically linked binaries
does not work correctly for objects built with -D_TIME_BITS=64,
since the internal definition does not provide the expected aliases.
This patch makes it to use the default stat functions instead (which
uses the default 64 time_t alias and types).
Szabolcs Nagy [Tue, 14 Dec 2021 11:15:07 +0000 (11:15 +0000)]
aarch64: Add HWCAP2_ECV from Linux 5.16
Indicates the availability of enhanced counter virtualization extension
of armv8.6-a with self-synchronized virtual counter CNTVCTSS_EL0 usable
in userspace.
Noah Goldstein [Sun, 9 Jan 2022 22:02:28 +0000 (16:02 -0600)]
x86: Fix __wcsncmp_evex in strcmp-evex.S [BZ# 28755]
Fixes [BZ# 28755] for wcsncmp by redirecting length >= 2^56 to
__wcscmp_evex. For x86_64 this covers the entire address range so any
length larger could not possibly be used to bound `s1` or `s2`.
test-strcmp, test-strncmp, test-wcscmp, and test-wcsncmp all pass.
Noah Goldstein [Sun, 9 Jan 2022 22:02:21 +0000 (16:02 -0600)]
x86: Fix __wcsncmp_avx2 in strcmp-avx2.S [BZ# 28755]
Fixes [BZ# 28755] for wcsncmp by redirecting length >= 2^56 to
__wcscmp_avx2. For x86_64 this covers the entire address range so any
length larger could not possibly be used to bound `s1` or `s2`.
test-strcmp, test-strncmp, test-wcscmp, and test-wcsncmp all pass.
Szabolcs Nagy [Fri, 31 Dec 2021 09:50:50 +0000 (09:50 +0000)]
math: Fix float conversion regressions with gcc-12 [BZ #28713]
Converting double precision constants to float is now affected by the
runtime dynamic rounding mode instead of being evaluated at compile
time with default rounding mode (except static object initializers).
This can change the computed result and cause performance regression.
The known correctness issues (increased ulp errors) are already fixed,
this patch fixes remaining cases of unnecessary runtime conversions.
Add float M_* macros to math.h as new GNU extension API. To avoid
conversions the new M_* macros are used and instead of casting double
literals to float, use float literals (only required if the conversion
is inexact).
The patch was tested on aarch64 where the following symbols had new
spurious conversion instructions that got fixed:
Florian Weimer [Mon, 10 Jan 2022 12:31:39 +0000 (13:31 +0100)]
elf: Simplify software TM implementation in _dl_find_object
With the current set of fences, the version update at the start
of the TM write operation is redundant, and the version update
at the end does not need to use an atomic read-modify-write
operation.
Also use relaxed MO stores during the dlclose update, and skip any
version changes there.
Suggested-by: Szabolcs Nagy <szabolcs.nagy@arm.com> Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
Florian Weimer [Fri, 7 Jan 2022 12:21:57 +0000 (13:21 +0100)]
elf: Fix fences in _dl_find_object_update (bug 28745)
As explained in Hans Boehm, Can Seqlocks Get Along with Programming
Language Memory Models?, an acquire fence is needed in
_dlfo_read_success. The lack of a fence resulted in an observable
bug on powerpc64le compile-time load reordering.
The fence in _dlfo_mappings_begin_update has been reordered, turning
the fence/store sequence into a release MO store equivalent.
Relaxed MO loads are used on the reader side, and relaxed MO stores
on the writer side for the shared data, to avoid formal data races.
This is just to be conservative; it should not actually be necessary
given how the data is used.
This commit also fixes the test run time. The intent was to run it
for 3 seconds, but 0.3 seconds was enough to uncover the bug very
occasionally (while 3 seconds did not reliably show the bug on every
test run).
Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
debug: Remove catchsegv and libSegfault (BZ #14913)
Trapping SIGSEGV within the process is error-prone, adds security
issues, and modern analysis design tends to happen out of the
process (either by attaching a debugger or by post-mortem analysis).
The libSegfault also has some design problems, it uses non
async-signal-safe function (backtrace) on signal handler.
There are multiple alternatives if users do want to use similar
functionality, such as sigsegv gnulib module or libsegfault.
Stafford Horne [Tue, 19 Oct 2021 21:54:11 +0000 (06:54 +0900)]
or1k: Build Infrastructure
Here we define the minumum linux kernel version at 5.4.0, as that is the
long term support version where 32-bit architectures start to support
64-bit time API's. The OpenRISC kernel had some bugs up until version 5.8
which caused issues with glibc fork/clone, they have been backported to
5.4 but not previous versions.
Stafford Horne [Tue, 19 Oct 2021 21:50:21 +0000 (06:50 +0900)]
or1k: math soft float support
OpenRISC support hard float but I will like to submit that after glibc
soft float goes upstream. The hard float support depends on adding user
access to the FPCSR, which is not supported by the kernel yet.