GNU C Library master sources branch release/2.26/master updated. glibc-2.26-189-g33f5de7

fw@sourceware.org fw@sourceware.org
Mon Oct 22 12:54:00 GMT 2018


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.26/master has been updated
       via  33f5de7a79b27b9dce30a46d6681974653a85004 (commit)
       via  6ae2ca620a955f1e3465e58b5180c5a7fd596dd0 (commit)
       via  fe5978e1a5d7419de3a779823fb5ed0d1dcee8ff (commit)
       via  70e810a30cb15d0b54118f8eb92aa656b945b984 (commit)
       via  dd03d15e283de6c2fff8f5204b092e9d9d127cc6 (commit)
       via  935cecfe9a4c9bf0396766f5e2b24570f92317ae (commit)
       via  3fb525c1033c70693d78010d01472bd0ed96e25f (commit)
       via  636f49ba925d5fe677212bb94b20f2c5e67d4a4f (commit)
       via  d161b294e1267ca275352c26850255c5efc998de (commit)
       via  e37ec9c813de3faeabc31d9ffc896ba45b4dfd5f (commit)
       via  27611fd05b444042de4a718c2f21e9efae755825 (commit)
      from  48bef587bfd4b6c11ae227075eb1492b10a395a8 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=33f5de7a79b27b9dce30a46d6681974653a85004

commit 33f5de7a79b27b9dce30a46d6681974653a85004
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Mon Dec 18 22:55:28 2017 +0000

    Disable -Wrestrict for two nptl/tst-attr3.c tests.
    
    nptl/tst-attr3 fails to build with GCC mainline because of
    (deliberate) aliasing between the second (attributes) and fourth
    (argument to thread start routine) arguments to pthread_create.
    
    Although both those arguments are restrict-qualified in POSIX,
    pthread_create does not actually dereference its fourth argument; it's
    an opaque pointer passed to the thread start routine.  Thus, the
    aliasing is actually valid in this case, and it's deliberate in the
    test.  So this patch makes the test disable -Wrestrict for the two
    pthread_create calls in question.  (-Wrestrict was added in GCC 7,
    hence the __GNUC_PREREQ conditions, but the particular warning in
    question is new in GCC 8.)
    
    Tested compilation with build-many-glibcs.py for aarch64-linux-gnu.
    
    	* nptl/tst-attr3.c: Include <libc-diag.h>.
    	(do_test) [__GNUC_PREREQ (7, 0)]: Ignore -Wrestrict for two tests.
    
    (cherry picked from commit 40c4162df6766fb1e8ede875ca8df25d8075d3a5)

diff --git a/ChangeLog b/ChangeLog
index d4223db..c6dfc5e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2017-12-18  Joseph Myers  <joseph@codesourcery.com>
+
+	* nptl/tst-attr3.c: Include <libc-diag.h>.
+	(do_test) [__GNUC_PREREQ (7, 0)]: Ignore -Wrestrict for two tests.
+
 2017-11-14  Joseph Myers  <joseph@codesourcery.com>
 
 	* string/bug-strncat1.c: Include <libc-diag.h>.
diff --git a/nptl/tst-attr3.c b/nptl/tst-attr3.c
index bc23386..420a7db 100644
--- a/nptl/tst-attr3.c
+++ b/nptl/tst-attr3.c
@@ -26,6 +26,7 @@
 #include <unistd.h>
 
 #include <stackinfo.h>
+#include <libc-diag.h>
 
 static void *
 tf (void *arg)
@@ -362,7 +363,16 @@ do_test (void)
       result = 1;
     }
 
+  DIAG_PUSH_NEEDS_COMMENT;
+#if __GNUC_PREREQ (7, 0)
+  /* GCC 8 warns about aliasing of the restrict-qualified arguments
+     passed &a.  Since pthread_create does not dereference its fourth
+     argument, this aliasing, which is deliberate in this test, cannot
+     in fact cause problems.  */
+  DIAG_IGNORE_NEEDS_COMMENT (8, "-Wrestrict");
+#endif
   err = pthread_create (&th, &a, tf, &a);
+  DIAG_POP_NEEDS_COMMENT;
   if (err)
     {
       error (0, err, "pthread_create #2 failed");
@@ -388,7 +398,16 @@ do_test (void)
       result = 1;
     }
 
+  DIAG_PUSH_NEEDS_COMMENT;
+#if __GNUC_PREREQ (7, 0)
+  /* GCC 8 warns about aliasing of the restrict-qualified arguments
+     passed &a.  Since pthread_create does not dereference its fourth
+     argument, this aliasing, which is deliberate in this test, cannot
+     in fact cause problems.  */
+  DIAG_IGNORE_NEEDS_COMMENT (8, "-Wrestrict");
+#endif
   err = pthread_create (&th, &a, tf, &a);
+  DIAG_POP_NEEDS_COMMENT;
   if (err)
     {
       error (0, err, "pthread_create #3 failed");

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6ae2ca620a955f1e3465e58b5180c5a7fd596dd0

commit 6ae2ca620a955f1e3465e58b5180c5a7fd596dd0
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Tue Nov 14 17:50:36 2017 +0000

    Fix string/bug-strncat1.c build with GCC 8.
    
    GCC 8 warns about strncat calls with truncated output.
    string/bug-strncat1.c tests such a call; this patch disables the
    warning for it.
    
    Tested (compilation) with GCC 8 for x86_64-linux-gnu with
    build-many-glibcs.py (in conjunction with Martin's patch to allow
    glibc to build).
    
    	* string/bug-strncat1.c: Include <libc-diag.h>.
    	(main): Disable -Wstringop-truncation for strncat call for GCC 8.
    
    (cherry picked from commit ec72135e5f1d061cb5cf7cd1b855fd6290be10d9)

diff --git a/ChangeLog b/ChangeLog
index 65633db..d4223db 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2017-11-14  Joseph Myers  <joseph@codesourcery.com>
+
+	* string/bug-strncat1.c: Include <libc-diag.h>.
+	(main): Disable -Wstringop-truncation for strncat call for GCC 8.
+
 2018-06-14  Joseph Myers  <joseph@codesourcery.com>
 
 	* string/tester.c (test_strncat) [__GNUC_PREREQ (7, 0)]: Also
diff --git a/string/bug-strncat1.c b/string/bug-strncat1.c
index f1b5c37..b22beba 100644
--- a/string/bug-strncat1.c
+++ b/string/bug-strncat1.c
@@ -4,13 +4,21 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <libc-diag.h>
 
 char d[3] = "\0\1\2";
 
 int
 main (void)
 {
+  DIAG_PUSH_NEEDS_COMMENT;
+#if __GNUC_PREREQ (8, 0)
+  /* GCC 8 warns about strncat truncating output; this is deliberately
+     tested here.  */
+  DIAG_IGNORE_NEEDS_COMMENT (8, "-Wstringop-truncation");
+#endif
   strncat (d, "\5\6", 1);
+  DIAG_POP_NEEDS_COMMENT;
   if (d[0] != '\5')
     {
       puts ("d[0] != '\\5'");

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fe5978e1a5d7419de3a779823fb5ed0d1dcee8ff

commit fe5978e1a5d7419de3a779823fb5ed0d1dcee8ff
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Thu Jun 14 14:20:00 2018 +0000

    Ignore -Wrestrict for one strncat test.
    
    With current GCC mainline, one strncat test involving a size close to
    SIZE_MAX results in a -Wrestrict warning that that buffer size would
    imply that the two buffers must overlap.  This patch fixes the build
    by adding disabling of -Wrestrict (for GCC versions supporting that
    option) to the already-present disabling of -Wstringop-overflow= and
    -Warray-bounds for this test.
    
    Tested with build-many-glibcs.py that this restores the testsuite
    build with GCC mainline for aarch64-linux-gnu.
    
    	* string/tester.c (test_strncat) [__GNUC_PREREQ (7, 0)]: Also
    	ignore -Wrestrict for one test.
    
    (cherry picked from commit 35ebb6b0c48bc671d9c54e089884f9bf6fca540e)

diff --git a/ChangeLog b/ChangeLog
index 61a3c87..65633db 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2018-06-14  Joseph Myers  <joseph@codesourcery.com>
+
+	* string/tester.c (test_strncat) [__GNUC_PREREQ (7, 0)]: Also
+	ignore -Wrestrict for one test.
+
 2017-12-18  Joseph Myers  <joseph@codesourcery.com>
 
 	* string/tester.c (test_strncat): Also disable -Warray-bounds
diff --git a/string/tester.c b/string/tester.c
index 02ea8e1..8fdbe3d 100644
--- a/string/tester.c
+++ b/string/tester.c
@@ -485,6 +485,10 @@ test_strncat (void)
 	       deliberately tested here; GCC 8 gives a -Warray-bounds
 	       warning about this.  */
 	    DIAG_IGNORE_NEEDS_COMMENT (7, "-Wstringop-overflow=");
+	    /* GCC 9 as of 2018-06-14 warns that the size passed is
+	       large enough that, if it were the actual object size,
+	       the objects would have to overlap.  */
+	    DIAG_IGNORE_NEEDS_COMMENT (9, "-Wrestrict");
 #endif
 	    DIAG_IGNORE_NEEDS_COMMENT (8, "-Warray-bounds");
 	    check (strncat (buf1 + n2, buf2 + n1, ~((size_t) 0) - n4)

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=70e810a30cb15d0b54118f8eb92aa656b945b984

commit 70e810a30cb15d0b54118f8eb92aa656b945b984
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Mon Dec 18 22:52:41 2017 +0000

    Disable strncat test array-bounds warnings for GCC 8.
    
    Some strncat tests fail to build with GCC 8 because of -Warray-bounds
    warnings.  These tests are deliberately test over-large size arguments
    passed to strncat, and already disable -Wstringop-overflow warnings,
    but now the warnings for these tests come under -Warray-bounds so that
    option needs disabling for them as well, which this patch does (with
    an update on the comments; the DIAG_IGNORE_NEEDS_COMMENT call for
    -Warray-bounds doesn't need to be conditional itself, because that
    option is supported by all versions of GCC that can build glibc).
    
    Tested compilation with build-many-glibcs.py for aarch64-linux-gnu.
    
    	* string/tester.c (test_strncat): Also disable -Warray-bounds
    	warnings for two tests.
    
    (cherry picked from commit 1421f39b7eadd3b5fbd2a3f2da1fc006b69fbc42)

diff --git a/ChangeLog b/ChangeLog
index 3d3d364..61a3c87 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2017-12-18  Joseph Myers  <joseph@codesourcery.com>
+
+	* string/tester.c (test_strncat): Also disable -Warray-bounds
+	warnings for two tests.
+
 2017-11-14  Joseph Myers  <joseph@codesourcery.com>
 
 	* string/tester.c (test_stpncpy): Disable -Wstringop-truncation
diff --git a/string/tester.c b/string/tester.c
index 66b1151..02ea8e1 100644
--- a/string/tester.c
+++ b/string/tester.c
@@ -387,9 +387,11 @@ test_strncat (void)
   DIAG_PUSH_NEEDS_COMMENT;
 #if __GNUC_PREREQ (7, 0)
   /* GCC 7 warns about the size passed to strncat being larger than
-     the size of the buffer; this is deliberately tested here..  */
+     the size of the buffer; this is deliberately tested here; GCC 8
+     gives a -Warray-bounds warning about this.  */
   DIAG_IGNORE_NEEDS_COMMENT (7, "-Wstringop-overflow=");
 #endif
+  DIAG_IGNORE_NEEDS_COMMENT (8, "-Warray-bounds");
   (void) strncat (one, two, 99);
   DIAG_POP_NEEDS_COMMENT;
   equal (one, "ghef", 5);			/* Basic test encore. */
@@ -480,9 +482,11 @@ test_strncat (void)
 #if __GNUC_PREREQ (7, 0)
 	    /* GCC 7 warns about the size passed to strncat being
 	       larger than the size of the buffer; this is
-	       deliberately tested here..  */
+	       deliberately tested here; GCC 8 gives a -Warray-bounds
+	       warning about this.  */
 	    DIAG_IGNORE_NEEDS_COMMENT (7, "-Wstringop-overflow=");
 #endif
+	    DIAG_IGNORE_NEEDS_COMMENT (8, "-Warray-bounds");
 	    check (strncat (buf1 + n2, buf2 + n1, ~((size_t) 0) - n4)
 		   == buf1 + n2, ntest);
 	    DIAG_POP_NEEDS_COMMENT;

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=dd03d15e283de6c2fff8f5204b092e9d9d127cc6

commit dd03d15e283de6c2fff8f5204b092e9d9d127cc6
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Tue Nov 14 17:52:26 2017 +0000

    Fix string/tester.c build with GCC 8.
    
    GCC 8 warns about more cases of string functions truncating their
    output or not copying a trailing NUL byte.
    
    This patch fixes testsuite build failures caused by such warnings in
    string/tester.c.  In general, the warnings are disabled around the
    relevant calls using DIAG_* macros, since the relevant cases are being
    deliberately tested.  In one case, the warning is with
    -Wstringop-overflow= instead of -Wstringop-truncation; in that case,
    the conditional is __GNUC_PREREQ (7, 0) (being the version where
    -Wstringop-overflow= was introduced), to allow the conditional to be
    removed sooner, since it's harmless to disable the warning for a
    GCC version where it doesn't actually occur.  In the case of warnings
    for strncpy calls in test_memcmp, the calls in question are changed to
    use memcpy, as they don't copy a trailing NUL and the point of that
    code is to test memcmp rather than strncpy.
    
    Tested (compilation) with GCC 8 for x86_64-linux-gnu with
    build-many-glibcs.py (in conjunction with Martin's patch to allow
    glibc to build).
    
    	* string/tester.c (test_stpncpy): Disable -Wstringop-truncation
    	for stpncpy calls for GCC 8.
    	(test_strncat): Disable -Wstringop-truncation warning for strncat
    	calls for GCC 8.  Disable -Wstringop-overflow= warning for one
    	strncat call for GCC 7.
    	(test_strncpy): Disable -Wstringop-truncation warning for strncpy
    	calls for GCC 8.
    	(test_memcmp): Use memcpy instead of strncpy for calls not copying
    	trailing NUL.
    
    (cherry picked from commit 2e64ec9c9eac3aeb70f7cfa2392846c87c28068e)

diff --git a/ChangeLog b/ChangeLog
index 0b7a920..3d3d364 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2017-11-14  Joseph Myers  <joseph@codesourcery.com>
+
+	* string/tester.c (test_stpncpy): Disable -Wstringop-truncation
+	for stpncpy calls for GCC 8.
+	(test_strncat): Disable -Wstringop-truncation warning for strncat
+	calls for GCC 8.  Disable -Wstringop-overflow= warning for one
+	strncat call for GCC 7.
+	(test_strncpy): Disable -Wstringop-truncation warning for strncpy
+	calls for GCC 8.
+	(test_memcmp): Use memcpy instead of strncpy for calls not copying
+	trailing NUL.
+
 2017-12-18  Joseph Myers  <joseph@codesourcery.com>
 
 	[BZ #22446]
diff --git a/string/tester.c b/string/tester.c
index 4b928b4..66b1151 100644
--- a/string/tester.c
+++ b/string/tester.c
@@ -264,8 +264,15 @@ test_stpncpy (void)
 {
   it = "stpncpy";
   memset (one, 'x', sizeof (one));
+  DIAG_PUSH_NEEDS_COMMENT;
+#if __GNUC_PREREQ (8, 0)
+  /* GCC 8 warns about stpncpy truncating output; this is deliberately
+     tested here.  */
+  DIAG_IGNORE_NEEDS_COMMENT (8, "-Wstringop-truncation");
+#endif
   check (stpncpy (one, "abc", 2) == one + 2, 1);
   check (stpncpy (one, "abc", 3) == one + 3, 2);
+  DIAG_POP_NEEDS_COMMENT;
   check (stpncpy (one, "abc", 4) == one + 3, 3);
   check (one[3] == '\0' && one[4] == 'x', 4);
   check (stpncpy (one, "abcd", 5) == one + 4, 5);
@@ -420,13 +427,27 @@ test_strncat (void)
   equal (one, "cd", 9);
 
   (void) strcpy (one, "ab");
+  DIAG_PUSH_NEEDS_COMMENT;
+#if __GNUC_PREREQ (8, 0)
+  /* GCC 8 warns about strncat truncating output; this is deliberately
+     tested here.  */
+  DIAG_IGNORE_NEEDS_COMMENT (8, "-Wstringop-truncation");
+#endif
   (void) strncat (one, "cdef", 2);
+  DIAG_POP_NEEDS_COMMENT;
   equal (one, "abcd", 10);			/* Count-limited. */
 
   (void) strncat (one, "gh", 0);
   equal (one, "abcd", 11);			/* Zero count. */
 
+  DIAG_PUSH_NEEDS_COMMENT;
+#if __GNUC_PREREQ (7, 0)
+  /* GCC 8 warns about strncat bound equal to source length; this is
+     deliberately tested here.  */
+  DIAG_IGNORE_NEEDS_COMMENT (8, "-Wstringop-overflow=");
+#endif
   (void) strncat (one, "gh", 2);
+  DIAG_POP_NEEDS_COMMENT;
   equal (one, "abcdgh", 12);		/* Count and length equal. */
 
   DIAG_PUSH_NEEDS_COMMENT;
@@ -523,11 +544,25 @@ test_strncpy (void)
   equal (one, "abc", 2);			/* Did the copy go right? */
 
   (void) strcpy (one, "abcdefgh");
+  DIAG_PUSH_NEEDS_COMMENT;
+#if __GNUC_PREREQ (8, 0)
+  /* GCC 8 warns about strncpy truncating output; this is deliberately
+     tested here.  */
+  DIAG_IGNORE_NEEDS_COMMENT (8, "-Wstringop-truncation");
+#endif
   (void) strncpy (one, "xyz", 2);
+  DIAG_POP_NEEDS_COMMENT;
   equal (one, "xycdefgh", 3);			/* Copy cut by count. */
 
   (void) strcpy (one, "abcdefgh");
+  DIAG_PUSH_NEEDS_COMMENT;
+#if __GNUC_PREREQ (8, 0)
+  /* GCC 8 warns about strncpy truncating output; this is deliberately
+     tested here.  */
+  DIAG_IGNORE_NEEDS_COMMENT (8, "-Wstringop-truncation");
+#endif
   (void) strncpy (one, "xyz", 3);		/* Copy cut just before NUL. */
+  DIAG_POP_NEEDS_COMMENT;
   equal (one, "xyzdefgh", 4);
 
   (void) strcpy (one, "abcdefgh");
@@ -542,7 +577,14 @@ test_strncpy (void)
   equal (one+5, "fgh", 9);
 
   (void) strcpy (one, "abc");
+  DIAG_PUSH_NEEDS_COMMENT;
+#if __GNUC_PREREQ (8, 0)
+  /* GCC 8 warns about strncpy truncating output; this is deliberately
+     tested here.  */
+  DIAG_IGNORE_NEEDS_COMMENT (8, "-Wstringop-truncation");
+#endif
   (void) strncpy (one, "xyz", 0);		/* Zero-length copy. */
+  DIAG_POP_NEEDS_COMMENT;
   equal (one, "abc", 10);
 
   (void) strncpy (one, "", 2);		/* Zero-length source. */
@@ -1151,8 +1193,8 @@ test_memcmp (void)
     {
       char *a = one + i;
       char *b = two + i;
-      strncpy(a, "--------11112222", 16);
-      strncpy(b, "--------33334444", 16);
+      memcpy(a, "--------11112222", 16);
+      memcpy(b, "--------33334444", 16);
       check(memcmp(b, a, 16) > 0, cnt++);
       check(memcmp(a, b, 16) < 0, cnt++);
     }

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=935cecfe9a4c9bf0396766f5e2b24570f92317ae

commit 935cecfe9a4c9bf0396766f5e2b24570f92317ae
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Mon Oct 22 14:08:12 2018 +0200

    Fix nscd readlink argument aliasing (bug 22446).
    
    Current GCC mainline detects that nscd calls readlink with the same
    buffer for both input and output, which is not valid (those arguments
    are both restrict-qualified in POSIX).  This patch makes it use a
    separate buffer for readlink's input (with a size that is sufficient
    to avoid truncation, so there should be no problems with warnings
    about possible truncation, though not strictly minimal, but much
    smaller than the buffer for output) to avoid this problem.
    
    Tested compilation for aarch64-linux-gnu with build-many-glibcs.py.
    
    	[BZ #22446]
    	* nscd/connections.c (handle_request) [SO_PEERCRED]: Use separate
    	buffers for readlink input and output.
    
    (cherry picked from commit 49b036bce9f021ae994a85aee8b410d20b29c8b7)

diff --git a/ChangeLog b/ChangeLog
index 49bcd10..0b7a920 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2017-12-18  Joseph Myers  <joseph@codesourcery.com>
+
+	[BZ #22446]
+	* nscd/connections.c (handle_request) [SO_PEERCRED]: Use separate
+	buffers for readlink input and output.
+
 2017-12-15  Steve Ellcey  <sellcey@cavium.com>
 
 	* nscd/dbg_log.c (dbg_log): Increase msg buffer size.
diff --git a/NEWS b/NEWS
index fecdbdf..f6c9a14 100644
--- a/NEWS
+++ b/NEWS
@@ -127,6 +127,7 @@ The following bugs are resolved with this release:
   [22375] malloc returns pointer from tcache instead of NULL (CVE-2017-17426)
   [22377] Provide a C++ version of iseqsig
   [22442] if_nametoindex: Check length of ifname before copying it
+  [22446] Fix nscd readlink argument aliasing
   [22447] Avoid use of strlen in getlogin_r
   [22463] Fix p_secstodate overflow handling
   [22627] $ORIGIN in $LD_LIBRARY_PATH is substituted twice
diff --git a/nscd/connections.c b/nscd/connections.c
index cc1ed72..dab722d 100644
--- a/nscd/connections.c
+++ b/nscd/connections.c
@@ -1077,14 +1077,15 @@ cannot handle old request version %d; current version is %d"),
       if (debug_level > 0)
 	{
 #ifdef SO_PEERCRED
+	  char pbuf[sizeof ("/proc//exe") + 3 * sizeof (long int)];
 # ifdef PATH_MAX
 	  char buf[PATH_MAX];
 # else
 	  char buf[4096];
 # endif
 
-	  snprintf (buf, sizeof (buf), "/proc/%ld/exe", (long int) pid);
-	  ssize_t n = readlink (buf, buf, sizeof (buf) - 1);
+	  snprintf (pbuf, sizeof (pbuf), "/proc/%ld/exe", (long int) pid);
+	  ssize_t n = readlink (pbuf, buf, sizeof (buf) - 1);
 
 	  if (n <= 0)
 	    dbg_log (_("\

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3fb525c1033c70693d78010d01472bd0ed96e25f

commit 3fb525c1033c70693d78010d01472bd0ed96e25f
Author: Steve Ellcey <sellcey@caviumnetworks.com>
Date:   Fri Dec 15 09:08:23 2017 -0800

    Increase buffer size due to warning from ToT GCC
    
    	* nscd/dbg_log.c (dbg_log): Increase msg buffer size.
    
    (cherry picked from commit a7e3edf4f252fb72afeb8ecca946a2d8294bb577)

diff --git a/ChangeLog b/ChangeLog
index 022cbc6..49bcd10 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2017-12-15  Steve Ellcey  <sellcey@cavium.com>
+
+	* nscd/dbg_log.c (dbg_log): Increase msg buffer size.
+
 2017-11-22  Joseph Myers  <joseph@codesourcery.com>
 
 	[BZ #22463]
diff --git a/nscd/dbg_log.c b/nscd/dbg_log.c
index d4b19ac..2190c16 100644
--- a/nscd/dbg_log.c
+++ b/nscd/dbg_log.c
@@ -67,7 +67,7 @@ dbg_log (const char *fmt,...)
       char buf[256];
       strftime (buf, sizeof (buf), "%c", &now);
 
-      char msg[512];
+      char msg[1024];
       snprintf (msg, sizeof (msg), "%s - %d: %s%s", buf, getpid (), msg2,
 		msg2[strlen (msg2) - 1] == '\n' ? "" : "\n");
       if (dbgout)

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=636f49ba925d5fe677212bb94b20f2c5e67d4a4f

commit 636f49ba925d5fe677212bb94b20f2c5e67d4a4f
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Mon Oct 22 13:58:06 2018 +0200

    Fix p_secstodate overflow handling (bug 22463).
    
    The resolv/res_debug.c function p_secstodate (which is a public
    function exported from libresolv, taking an unsigned long argument)
    does:
    
            struct tm timebuf;
            time = __gmtime_r(&clock, &timebuf);
            time->tm_year += 1900;
            time->tm_mon += 1;
            sprintf(output, "%04d%02d%02d%02d%02d%02d",
                    time->tm_year, time->tm_mon, time->tm_mday,
                    time->tm_hour, time->tm_min, time->tm_sec);
    
    If __gmtime_r returns NULL (because the year overflows the range of
    int), this will dereference a null pointer.  Otherwise, if the
    computed year does not fit in four characters, this will cause a
    buffer overrun of the fixed-size 15-byte buffer.  With current GCC
    mainline, there is a compilation failure because of the possible
    buffer overrun.
    
    I couldn't find a specification for how this function is meant to
    behave, but Paul pointed to RFC 4034 as relevant to the cases where
    this function is called from within glibc.  The function's interface
    is inherently problematic when dates beyond Y2038 might be involved,
    because of the ambiguity in how to interpret 32-bit timestamps as such
    dates (the RFC suggests interpreting times as being within 68 years of
    the present date, which would mean some kind of interface whose
    behavior depends on the present date).
    
    This patch works on the basis of making a minimal fix in preparation
    for obsoleting the function.  The function is made to handle times in
    the interval [0, 0x7fffffff] only, on all platforms, with <overflow>
    used as the output string in other cases (and errno set to EOVERFLOW
    in such cases).  This seems to be a reasonable state for the function
    to be in when made a compat symbol by a future patch, being compatible
    with any existing uses for existing timestamps without trying to work
    for later timestamps.  Results independent of the range of time_t also
    simplify the testcase.
    
    I couldn't persuade GCC to recognize the ranges of the struct tm
    fields by adding explicit range checks with a call to
    __builtin_unreachable if outside the range (this looks similar to
    <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80776>), so having added
    a range check on the input, this patch then disables the
    -Wformat-overflow= warning for the sprintf call (I prefer that to the
    use of strftime, as being more transparently correct without knowing
    what each of %m and %M etc. is).
    
    I do not know why this build failure should be new with mainline GCC
    (that is, I don't know what GCC change might have introduced it, when
    the basic functionality for such warnings was already in GCC 7).
    
    I do not know if this is a security issue (that is, if there are
    plausible ways in which a date before -999 or after 9999 from an
    untrusted source might end up in this function).  The system clock is
    arguably an untrusted source (in that e.g. NTP is insecure), but
    probably not to that extent (NTP can't communicate such wild
    timestamps), and uses from within glibc are limited to 32-bit inputs.
    
    Tested with build-many-glibcs.py that this restores the build for arm
    with yesterday's mainline GCC.  Also tested for x86_64 and x86.
    
    	[BZ #22463]
    	* resolv/res_debug.c: Include <libc-diag.h>.
    	(p_secstodate): Assert time_t at least as wide as u_long.  On
    	overflow, use integer seconds since the epoch as output, or use
    	"<overflow>" as output and set errno to EOVERFLOW if integer
    	seconds since the epoch would be 14 or more characters.
    	(p_secstodate) [__GNUC_PREREQ (7, 0)]: Disable -Wformat-overflow=
    	for sprintf call.
    	* resolv/tst-p_secstodate.c: New file.
    	* resolv/Makefile (tests): Add tst-p_secstodate.
    	($(objpfx)tst-p_secstodate): Depend on $(objpfx)libresolv.so.
    
    (cherry picked from commit f120cda6072d830df92656dad0c89967547b97dc)

diff --git a/ChangeLog b/ChangeLog
index 9109e38..022cbc6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,17 @@
+2017-11-22  Joseph Myers  <joseph@codesourcery.com>
+
+	[BZ #22463]
+	* resolv/res_debug.c: Include <libc-diag.h>.
+	(p_secstodate): Assert time_t at least as wide as u_long.  On
+	overflow, use integer seconds since the epoch as output, or use
+	"<overflow>" as output and set errno to EOVERFLOW if integer
+	seconds since the epoch would be 14 or more characters.
+	(p_secstodate) [__GNUC_PREREQ (7, 0)]: Disable -Wformat-overflow=
+	for sprintf call.
+	* resolv/tst-p_secstodate.c: New file.
+	* resolv/Makefile (tests): Add tst-p_secstodate.
+	($(objpfx)tst-p_secstodate): Depend on $(objpfx)libresolv.so.
+
 2017-11-12  Paul Eggert  <eggert@cs.ucla.edu>
 
 	timezone: pacify GCC -Wstringop-truncation
diff --git a/NEWS b/NEWS
index 5569e8d..fecdbdf 100644
--- a/NEWS
+++ b/NEWS
@@ -128,6 +128,7 @@ The following bugs are resolved with this release:
   [22377] Provide a C++ version of iseqsig
   [22442] if_nametoindex: Check length of ifname before copying it
   [22447] Avoid use of strlen in getlogin_r
+  [22463] Fix p_secstodate overflow handling
   [22627] $ORIGIN in $LD_LIBRARY_PATH is substituted twice
   [22636] PTHREAD_STACK_MIN is too small on x86-64
   [22637] nptl: Fix stack guard size accounting
diff --git a/resolv/Makefile b/resolv/Makefile
index ec7e4fd..8eb405a 100644
--- a/resolv/Makefile
+++ b/resolv/Makefile
@@ -53,6 +53,7 @@ tests += \
   tst-resolv-network \
   tst-resolv-res_init-multi \
   tst-resolv-search \
+  tst-p_secstodate \
 
 # These tests need libdl.
 ifeq (yes,$(build-shared))
@@ -178,7 +179,7 @@ $(objpfx)tst-resolv-canonname: \
 $(objpfx)tst-ns_name: $(objpfx)libresolv.so
 $(objpfx)tst-ns_name.out: tst-ns_name.data
 $(objpfx)tst-ns_name_compress: $(objpfx)libresolv.so
-
+$(objpfx)tst-p_secstodate: $(objpfx)libresolv.so
 
 # This test case uses the deprecated RES_USE_INET6 resolver option.
 CFLAGS-tst-res_use_inet6.c += -Wno-error
diff --git a/resolv/res_debug.c b/resolv/res_debug.c
index 919b86e..154a4f8 100644
--- a/resolv/res_debug.c
+++ b/resolv/res_debug.c
@@ -107,6 +107,7 @@
 #include <string.h>
 #include <time.h>
 #include <shlib-compat.h>
+#include <libc-diag.h>
 
 #ifdef SPRINTF_CHAR
 # define SPRINTF(x) strlen(sprintf/**/x)
@@ -1054,6 +1055,8 @@ libresolv_hidden_def (__dn_count_labels)
 /*
  * Make dates expressed in seconds-since-Jan-1-1970 easy to read.
  * SIG records are required to be printed like this, by the Secure DNS RFC.
+ * This is an obsolescent function and does not handle dates outside the
+ * signed 32-bit range.
  */
 char *
 p_secstodate (u_long secs) {
@@ -1063,12 +1066,31 @@ p_secstodate (u_long secs) {
 	struct tm *time;
 
 	struct tm timebuf;
-	time = __gmtime_r(&clock, &timebuf);
+	/* The call to __gmtime_r can never produce a year overflowing
+	   the range of int, given the check on SECS, but check for a
+	   NULL return anyway to avoid a null pointer dereference in
+	   case there are any other unspecified errors.  */
+	if (secs > 0x7fffffff
+	    || (time = __gmtime_r (&clock, &timebuf)) == NULL) {
+		strcpy (output, "<overflow>");
+		__set_errno (EOVERFLOW);
+		return output;
+	}
 	time->tm_year += 1900;
 	time->tm_mon += 1;
+	/* The struct tm fields, given the above range check,
+	   must have values that mean this sprintf exactly fills the
+	   buffer.  But as of GCC 8 of 2017-11-21, GCC cannot tell
+	   that, even given range checks on all fields with
+	   __builtin_unreachable called for out-of-range values.  */
+	DIAG_PUSH_NEEDS_COMMENT;
+#if __GNUC_PREREQ (7, 0)
+	DIAG_IGNORE_NEEDS_COMMENT (8, "-Wformat-overflow=");
+#endif
 	sprintf(output, "%04d%02d%02d%02d%02d%02d",
 		time->tm_year, time->tm_mon, time->tm_mday,
 		time->tm_hour, time->tm_min, time->tm_sec);
+	DIAG_POP_NEEDS_COMMENT;
 	return (output);
 }
 libresolv_hidden_def (__p_secstodate)
diff --git a/resolv/tst-p_secstodate.c b/resolv/tst-p_secstodate.c
new file mode 100644
index 0000000..9dac1ad
--- /dev/null
+++ b/resolv/tst-p_secstodate.c
@@ -0,0 +1,67 @@
+/* Test p_secstodate.
+   Copyright (C) 2017 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <array_length.h>
+#include <limits.h>
+#include <resolv.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+
+struct test
+{
+  /* Argument to p_secstodate.  */
+  unsigned long int in;
+  /* Expected output.  */
+  const char *out;
+};
+
+static const struct test tests[] =
+  {
+    { 0UL, "19700101000000" },
+    { 12345UL, "19700101032545" },
+    { 999999999UL, "20010909014639" },
+    { 2147483647UL, "20380119031407" },
+    { 2147483648UL, "<overflow>" },
+    { 4294967295UL, "<overflow>" },
+#if ULONG_MAX > 0xffffffffUL
+    { 4294967296UL, "<overflow>" },
+    { 9999999999UL, "<overflow>" },
+    { LONG_MAX, "<overflow>" },
+    { ULONG_MAX, "<overflow>" },
+#endif
+  };
+
+static int
+do_test (void)
+{
+  int ret = 0;
+  for (size_t i = 0; i < array_length (tests); i++)
+    {
+      char *p = p_secstodate (tests[i].in);
+      printf ("Test %zu: %lu -> %s\n", i, tests[i].in, p);
+      if (strcmp (p, tests[i].out) != 0)
+	{
+	  printf ("test %zu failed", i);
+	  ret = 1;
+	}
+    }
+  return ret;
+}
+
+#include <support/test-driver.c>

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d161b294e1267ca275352c26850255c5efc998de

commit d161b294e1267ca275352c26850255c5efc998de
Author: Paul Eggert <eggert@cs.ucla.edu>
Date:   Sun Nov 12 22:00:28 2017 -0800

    timezone: pacify GCC -Wstringop-truncation
    
    Problem reported by Martin Sebor in:
    https://sourceware.org/ml/libc-alpha/2017-11/msg00336.html
    * timezone/zic.c (writezone): Use memcpy, not strncpy.
    
    (cherry picked from commit e69897bf202e18034cbef26f363bae64de70a196)

diff --git a/ChangeLog b/ChangeLog
index e2febbc..9109e38 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2017-11-12  Paul Eggert  <eggert@cs.ucla.edu>
+
+	timezone: pacify GCC -Wstringop-truncation
+	Problem reported by Martin Sebor in:
+	https://sourceware.org/ml/libc-alpha/2017-11/msg00336.html
+	* timezone/zic.c (writezone): Use memcpy, not strncpy.
+
 2017-11-15  Martin Sebor  <msebor@redhat.com>
 
 	* misc/sys/cdefs.h (__attribute_nonstring__): New macro.
diff --git a/timezone/zic.c b/timezone/zic.c
index 946bf6f..e738386 100644
--- a/timezone/zic.c
+++ b/timezone/zic.c
@@ -1949,7 +1949,7 @@ writezone(const char *const name, const char *const string, char version)
 		}
 #define DO(field)	fwrite(tzh.field, sizeof tzh.field, 1, fp)
 		tzh = tzh0;
-		strncpy(tzh.tzh_magic, TZ_MAGIC, sizeof tzh.tzh_magic);
+		memcpy(tzh.tzh_magic, TZ_MAGIC, sizeof tzh.tzh_magic);
 		tzh.tzh_version[0] = version;
 		convert(thistypecnt, tzh.tzh_ttisgmtcnt);
 		convert(thistypecnt, tzh.tzh_ttisstdcnt);

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e37ec9c813de3faeabc31d9ffc896ba45b4dfd5f

commit e37ec9c813de3faeabc31d9ffc896ba45b4dfd5f
Author: Martin Sebor <msebor@redhat.com>
Date:   Wed Nov 15 17:39:59 2017 -0700

    utmp: Avoid -Wstringop-truncation warning
    
    The -Wstringop-truncation option new in GCC 8 detects common misuses
    of the strncat and strncpy function that may result in truncating
    the copied string before the terminating NUL.  To avoid false positive
    warnings for correct code that intentionally creates sequences of
    characters that aren't guaranteed to be NUL-terminated, arrays that
    are intended to store such sequences should be decorated with a new
    nonstring attribute.  This change add this attribute to Glibc and
    uses it to suppress such false positives.
    
    ChangeLog:
    	* misc/sys/cdefs.h (__attribute_nonstring__): New macro.
    	* sysdeps/gnu/bits/utmp.h (struct utmp): Use it.
    	* sysdeps/unix/sysv/linux/s390/bits/utmp.h (struct utmp): Same.
    
    (cherry picked from commit 7532837d7b03b3ca5b9a63d77a5bd81dd23f3d9c)

diff --git a/ChangeLog b/ChangeLog
index 8f50987..e2febbc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2017-11-15  Martin Sebor  <msebor@redhat.com>
+
+	* misc/sys/cdefs.h (__attribute_nonstring__): New macro.
+	* sysdeps/gnu/bits/utmp.h (struct utmp): Use it.
+	* sysdeps/unix/sysv/linux/s390/bits/utmp.h (struct utmp): Same.
+
 2017-11-22  Joseph Myers  <joseph@codesourcery.com>
 
 	[BZ #22447]
diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h
index 0c80821..41261fe 100644
--- a/misc/sys/cdefs.h
+++ b/misc/sys/cdefs.h
@@ -408,6 +408,15 @@
 # endif
 #endif
 
+#if __GNUC_PREREQ (8, 0)
+/* Describes a char array whose address can safely be passed as the first
+   argument to strncpy and strncat, as the char array is not necessarily
+   a NUL-terminated string.  */
+# define __attribute_nonstring__ __attribute__ ((__nonstring__))
+#else
+# define __attribute_nonstring__
+#endif
+
 #if (!defined _Static_assert && !defined __cplusplus \
      && (defined __STDC_VERSION__ ? __STDC_VERSION__ : 0) < 201112 \
      && (!__GNUC_PREREQ (4, 6) || defined __STRICT_ANSI__))
diff --git a/sysdeps/gnu/bits/utmp.h b/sysdeps/gnu/bits/utmp.h
index 2ee11cb..71c9fa2 100644
--- a/sysdeps/gnu/bits/utmp.h
+++ b/sysdeps/gnu/bits/utmp.h
@@ -59,10 +59,13 @@ struct utmp
 {
   short int ut_type;		/* Type of login.  */
   pid_t ut_pid;			/* Process ID of login process.  */
-  char ut_line[UT_LINESIZE];	/* Devicename.  */
+  char ut_line[UT_LINESIZE]
+    __attribute_nonstring__;	/* Devicename.  */
   char ut_id[4];		/* Inittab ID.  */
-  char ut_user[UT_NAMESIZE];	/* Username.  */
-  char ut_host[UT_HOSTSIZE];	/* Hostname for remote login.  */
+  char ut_user[UT_NAMESIZE]
+    __attribute_nonstring__;	/* Username.  */
+  char ut_host[UT_HOSTSIZE]
+    __attribute_nonstring__;	/* Hostname for remote login.  */
   struct exit_status ut_exit;	/* Exit status of a process marked
 				   as DEAD_PROCESS.  */
 /* The ut_session and ut_tv fields must be the same size when compiled
diff --git a/sysdeps/unix/sysv/linux/s390/bits/utmp.h b/sysdeps/unix/sysv/linux/s390/bits/utmp.h
index 36114c3..f754f37 100644
--- a/sysdeps/unix/sysv/linux/s390/bits/utmp.h
+++ b/sysdeps/unix/sysv/linux/s390/bits/utmp.h
@@ -59,10 +59,13 @@ struct utmp
 {
   short int ut_type;		/* Type of login.  */
   pid_t ut_pid;			/* Process ID of login process.  */
-  char ut_line[UT_LINESIZE];	/* Devicename.  */
+  char ut_line[UT_LINESIZE]
+     __attribute_nonstring__;	/* Devicename.  */
   char ut_id[4];		/* Inittab ID.  */
-  char ut_user[UT_NAMESIZE];	/* Username.  */
-  char ut_host[UT_HOSTSIZE];	/* Hostname for remote login.  */
+  char ut_user[UT_NAMESIZE]
+     __attribute_nonstring__;	/* Username.  */
+  char ut_host[UT_HOSTSIZE]
+     __attribute_nonstring__;	/* Hostname for remote login.  */
   struct exit_status ut_exit;	/* Exit status of a process marked
 				   as DEAD_PROCESS.  */
 /* The ut_session and ut_tv fields must be the same size when compiled

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=27611fd05b444042de4a718c2f21e9efae755825

commit 27611fd05b444042de4a718c2f21e9efae755825
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Wed Nov 22 18:44:23 2017 +0000

    Avoid use of strlen in getlogin_r (bug 22447).
    
    Building glibc with current mainline GCC fails, among other reasons,
    because of an error for use of strlen on the nonstring ut_user field.
    This patch changes the problem code in getlogin_r to use __strnlen
    instead.  It also needs to set the trailing NUL byte of the result
    explicitly, because of the case where ut_user does not have such a
    trailing NUL byte (but the result should always have one).
    
    Tested for x86_64.  Also tested that, in conjunction with
    <https://sourceware.org/ml/libc-alpha/2017-11/msg00797.html>, it fixes
    the build for arm with mainline GCC.
    
    	[BZ #22447]
    	* sysdeps/unix/getlogin_r.c (__getlogin_r): Use __strnlen not
    	strlen to compute length of ut_user and set trailing NUL byte of
    	result explicitly.
    
    (cherry picked from commit 4bae615022cb5a5da79ccda83cc6c9ba9f2d479c)

diff --git a/ChangeLog b/ChangeLog
index 9f47705..8f50987 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2017-11-22  Joseph Myers  <joseph@codesourcery.com>
+
+	[BZ #22447]
+	* sysdeps/unix/getlogin_r.c (__getlogin_r): Use __strnlen not
+	strlen to compute length of ut_user and set trailing NUL byte of
+	result explicitly.
+
 2018-10-19  Ilya Yu. Malakhov  <malakhov@mcst.ru>
 
 	[BZ #23562]
diff --git a/NEWS b/NEWS
index 33bc519..5569e8d 100644
--- a/NEWS
+++ b/NEWS
@@ -127,6 +127,7 @@ The following bugs are resolved with this release:
   [22375] malloc returns pointer from tcache instead of NULL (CVE-2017-17426)
   [22377] Provide a C++ version of iseqsig
   [22442] if_nametoindex: Check length of ifname before copying it
+  [22447] Avoid use of strlen in getlogin_r
   [22627] $ORIGIN in $LD_LIBRARY_PATH is substituted twice
   [22636] PTHREAD_STACK_MIN is too small on x86-64
   [22637] nptl: Fix stack guard size accounting
diff --git a/sysdeps/unix/getlogin_r.c b/sysdeps/unix/getlogin_r.c
index 4a6a40e..ad8e911 100644
--- a/sysdeps/unix/getlogin_r.c
+++ b/sysdeps/unix/getlogin_r.c
@@ -80,7 +80,7 @@ __getlogin_r (char *name, size_t name_len)
 
   if (result == 0)
     {
-      size_t needed = strlen (ut->ut_user) + 1;
+      size_t needed = __strnlen (ut->ut_user, UT_NAMESIZE) + 1;
 
       if (needed > name_len)
 	{
@@ -89,7 +89,8 @@ __getlogin_r (char *name, size_t name_len)
 	}
       else
 	{
-	  memcpy (name, ut->ut_user, needed);
+	  memcpy (name, ut->ut_user, needed - 1);
+	  name[needed - 1] = 0;
 	  result = 0;
 	}
     }

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                |   76 ++++++++++++++++++++++++++++++
 NEWS                                     |    3 +
 misc/sys/cdefs.h                         |    9 ++++
 nptl/tst-attr3.c                         |   19 +++++++
 nscd/connections.c                       |    5 +-
 nscd/dbg_log.c                           |    2 +-
 resolv/Makefile                          |    3 +-
 resolv/res_debug.c                       |   24 +++++++++-
 resolv/tst-p_secstodate.c                |   67 ++++++++++++++++++++++++++
 string/bug-strncat1.c                    |    8 +++
 string/tester.c                          |   58 +++++++++++++++++++++--
 sysdeps/gnu/bits/utmp.h                  |    9 ++-
 sysdeps/unix/getlogin_r.c                |    5 +-
 sysdeps/unix/sysv/linux/s390/bits/utmp.h |    9 ++-
 timezone/zic.c                           |    2 +-
 15 files changed, 281 insertions(+), 18 deletions(-)
 create mode 100644 resolv/tst-p_secstodate.c


hooks/post-receive
-- 
GNU C Library master sources



More information about the Glibc-cvs mailing list