Before this commit tst-tls-at-ctor test would segfault.
After it passes.
testsuite run before: https://pastebin.com/504JgQXa
testsuite run after: https://pastebin.com/d2aNciVt
Stafford Horne already fixed it in glibc:
* https://github.com/openrisc/or1k-glibc/blob/bcd87396ebe78228645c0731b06c934dfd88855a/sysdeps/or1k/dl-machine.h#L298
* https://github.com/openrisc/or1k-glibc/blob/bcd87396ebe78228645c0731b06c934dfd88855a/sysdeps/or1k/dl-machine.h#L99
|
|
|
|
Safe-Linking alignment checks should be done on the user's buffer and not
the mchunkptr. The new check adds support for cases in which:
MALLOC_ALIGNMENT != 2*(sizeof(size_t))
The default case for both 32 bits and 64 bits was already supported, and
this patch adds support for the described irregular case.
|
|
|
|
|
|
Safe-Linking is a security mechanism that protects single-linked
lists (such as the fastbins) from being tampered by attackers. The
mechanism makes use of randomness from ASLR (mmap_base), and when
combined with chunk alignment integrity checks, it protects the
pointers from being hijacked by an attacker.
While Safe-Unlinking protects double-linked lists (such as the small
bins), there wasn't any similar protection for attacks against
single-linked lists. This solution protects against 3 common attacks:
* Partial pointer override: modifies the lower bytes (Little Endian)
* Full pointer override: hijacks the pointer to an attacker's location
* Unaligned chunks: pointing the list to an unaligned address
The design assumes an attacker doesn't know where the heap is located,
and uses the ASLR randomness to "sign" the single-linked pointers. We
mark the pointer as P and the location in which it is stored as L, and
the calculation will be:
* PROTECT(P) := (L >> PAGE_SHIFT) XOR (P)
* *L = PROTECT(P)
This way, the random bits from the address L (which start at the bits
in the PAGE_SHIFT position), will be merged with the LSB of the stored
protected pointer. This protection layer prevents an attacker from
modifying the pointer into a controlled value.
An additional check that the chunks are MALLOC_ALIGNed adds an
important layer:
* Attackers can't point to illegal (unaligned) memory addresses
* Attackers must guess correctly the alignment bits
On standard 32 bit Linux machines, an attacker will directly fail 7
out of 8 times, and on 64 bit machines it will fail 15 out of 16
times.
The proposed solution adds 3-4 asm instructions per malloc()/free()
and therefore has only minor performance implications if it has
any. A similar protection was added to Chromium's version of TCMalloc
in 2013, and according to their documentation the performance overhead
was less than 2%.
Signed-off-by: Eyal Itkin <eyalit@checkpoint.com>
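The PROTECT() masking and the alignment check described in the commit message above, as an added C example (not code from the commit or from uClibc-ng). PAGE_SHIFT = 12, MALLOC_ALIGNMENT = 16, the toy struct chunk and all function names are assumptions made for the illustration; the 16-of-256 count it computes is the "15 out of 16" failure rate quoted for 64-bit machines.

```c
#include <stdint.h>
#include <stdio.h>
/* Assumed values for a typical 64-bit Linux target; not taken from the commit. */
#define PAGE_SHIFT       12
#define MALLOC_ALIGNMENT 16
#define ALIGN_MASK       ((uintptr_t)MALLOC_ALIGNMENT - 1)

/* Toy free chunk: fd is the masked next pointer; A and B form a constructed list. */
static struct chunk { _Alignas(MALLOC_ALIGNMENT) uintptr_t fd; } A, B;

/* PROTECT(P) := (L >> PAGE_SHIFT) XOR P, with L the address that holds P.
   XOR is its own inverse, so the same call also reveals a stored value. */
static uintptr_t mask_ptr(const uintptr_t *pos, uintptr_t val)
{
    return ((uintptr_t)pos >> PAGE_SHIFT) ^ val;
}

static void list_push(struct chunk **head, struct chunk *c)
{
    c->fd = mask_ptr(&c->fd, (uintptr_t)*head);
    *head = c;
}

/* Pop the head; a misaligned revealed pointer is rejected with NULL. */
static struct chunk *list_pop(struct chunk **head)
{
    struct chunk *c = *head;
    if (c == NULL || (mask_ptr(&c->fd, c->fd) & ALIGN_MASK))
        return NULL;
    *head = (struct chunk *)mask_ptr(&c->fd, c->fd);
    return c;
}

static struct chunk *fresh_list(void)   /* builds B -> A */
{
    struct chunk *h = NULL;
    list_push(&h, &A);
    list_push(&h, &B);
    return h;
}

/* XOR `flip` into B's stored pointer, pop, and report 1 only for a clean pop. */
int pop_ok(uintptr_t flip)
{
    struct chunk *h = fresh_list();
    B.fd ^= flip;
    return list_pop(&h) == &B && h == &A;
}

/* Count low-byte overwrites of B's stored pointer that stay aligned. */
int aligned_guesses(void)
{
    int pass = 0;
    fresh_list();
    for (unsigned v = 0; v < 256; v++)
        pass += (mask_ptr(&B.fd, (B.fd & ~(uintptr_t)0xff) | v) & ALIGN_MASK) == 0;
    return pass;
}

int main(void)
{
    printf("clean=%d flipped=%d aligned=%d/256\n", pop_ok(0), pop_ok(0x08), aligned_guesses());
    return 0;
}
```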
|
|
Recent is*_l fix broke uclibc build because removed __isctype_l
definition was used in libc/misc/ctype/ctype.c. Restore it.
Fixes: d1a3ca7ca566 ("include/ctype.h: drop is*_l macro definitions")
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
|
|
It fixes tst-signal6 and friends.
Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com>
|
|
It fixes tst-cancel1 and friends.
Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com>
|
|
It fixes:
FAIL sem got 1 expected 0
failed: incorrect sem_nsems!
semget(IPC_CREAT) = 0
semctl(k) = 0
sem_nsems = 0
for aarch64.
Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com>
|
|
Only MMU variant is supported.
Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com>
|
|
ctype locale-specific macro definitions are broken because they result
in dereference of pointer to structure of incomplete type.
Drop these macros since they are optional and let applications use
functions with the same names.
This change fixes parted-3.3 build with uClibc-ng:
http://autobuild.buildroot.net/results/b7ba1210d5aa184b133f0171da621d2b0083ec39/build-end.log
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
|
|
Similar to glibc commit
https://sourceware.org/git/?p=glibc.git;a=commit;h=6bbfc5c09fc5b5e3d4a0cddbbd4e2e457767dae7
we need to handle Linux kernel change, which removed stat64 family from default syscall set.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Waldemar Brodkorb <wbrodkorb@conet.de>
|
|
map_newlink() may abort when interface list changed between netlink
request for getting interfaces and getting addresses. This commit is
ported from the same change from glibc commit.
Signed-off-by: Vincent Hou <vincent.houyi@gmail.com>
|
|
Avoid calling select with empty sets which hangs the process
This makes uClibc-ng act like glibc and musl
Without this fix the test_poll of python3 testsuite hangs forever
Scenario of the issue:
If you call poll with only invalid file descriptors, like in python3
testsuite
(https://github.com/python/cpython/blob/master/Lib/test/test_poll.py#L83)
You will go through uClibc poll emulation code, which is based on
select syscall.
Your first call to select will fail, it will return -1 and errno will be
set to EBADF: https://github.com/wbx-github/uclibc-ng/blob/master/libc/sysdeps/linux/common/poll.c#L120
Then you will go through the for loop which tests individually each file descriptor by calling
select on each one: https://github.com/wbx-github/uclibc-ng/blob/master/libc/sysdeps/linux/common/poll.c#L163
each call will also return -1 with errno being equal to EBADF.
Therefore all pollfd will have the POLLNVAL flag in their respective revents field.
And, the most important, rset/wset/xset will stay empty.
Then the for loop ends, the "continue" makes the while loop run again.
The following select() is run again: https://github.com/wbx-github/uclibc-ng/blob/master/libc/sysdeps/linux/common/poll.c#L120
But this time the sets are empty.
If the poll was called with timeout set to -1, this select will hang forever because there is no timeout
and the sets are empty so no event will ever wake it up.
test program:
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

int main(void)
{
    struct pollfd pfd;
    int ret;
    int pipe_fds[2];

    /* Create a pipe and close both ends so that pfd.fd is an invalid fd. */
    pipe(pipe_fds);
    close(pipe_fds[0]);
    close(pipe_fds[1]);
    pfd.fd = pipe_fds[0];
    pfd.events = POLLIN | POLLOUT | POLLPRI;
    pfd.revents = 0;
    /* Infinite timeout: this is the call that hangs without the fix. */
    ret = poll(&pfd, 1, -1);
    printf("ret: %d\n", ret);
    if (ret < 0)
        printf("error: %s", strerror(errno));
    else {
        puts("revents: ");
        if (pfd.revents & POLLERR)
            printf(" POLLERR");
        if (pfd.revents & POLLHUP)
            printf(" POLLHUP");
        if (pfd.revents & POLLNVAL)
            printf(" POLLNVAL");
        puts("");
    }
    return 0;
}
This hangs on uClibc-ng aarch64 and Kalray's arch (kv3) but does the following on musl and glibc:
"
ret: 1
revents:
POLLNVAL
"
strace output of this program with uClibc *without* the patch applied:
pselect6(4, [3], [3], [3], NULL, NULL) = -1 EBADF (Bad file descriptor)
pselect6(4, [3], [3], [3], {tv_sec=0, tv_nsec=0}, NULL) = -1 EBADF (Bad file descriptor)
pselect6(0, 0x7ffffffb80, 0x7ffffffb68, 0x7ffffffb50, NULL, NULL
(never finishes)
strace output of this program with uClibc *with* the patch applied:
pselect6(4, [3], [3], [3], NULL, NULL) = -1 EBADF (Bad file descriptor)
pselect6(4, [3], [3], [3], {tv_sec=0, tv_nsec=0}, NULL) = -1 EBADF (Bad file descriptor)
write(1, "ret: 1\n", 7ret: 1
) = 7
write(1, "revents: \n", 10revents:
) = 10
write(1, " POLLNVAL\n", 10 POLLNVAL
) = 10
exit_group(0) = ?
+++ exited with 0 +++
|
|
The getenv() library call can trap under certain conditions. It compares the
passed in environment variable name (var) with the name=variables (*ep) in the
environment area and returns a pointer to the value in the environment if it
exists. To accomplish this, it does a memcmp() using the length of the passed
in name (len) for each environment variable (*ep) against the passed in name
(var). So memcmp will attempt to scan both strings for len bytes. However, if
for some reason, len is equal to or greater than 16 and longer than the length
of the *ep in the environment and the *ep resides near the end of a page
boundary while the next page is not present or mapped, the memcmp could trap
with a sigsegv error while continuing the scan with the optimization
read-ahead. However, if strncmp is used instead, there is no problem since both
source and destination scanning will stop when either reaches a terminating
NULL
|
|
|
|
Signed-off-by: Yann Sionneau <ysionneau@kalray.eu>
|
|
|
|
Hi,
This diff fixes a typo in the PTRACE_EVENT_SECCOMP event code.
The typo itself was introduced in 2012 when syncing with glibc header
files and was itself fixed in 2013 in the glibc headers.
|
|
basically from or1k port of uClibc-ng, with fixes for structures in
pthreadtypes.h from 64 bit architectures.
18 testsuite failures counted.
|
|
|
|
|
|
|
|
The return type of syscall() is long so __syscall_error, which is jumped
to by syscall handlers to stash an error number into errno, must return
long too otherwise it returns 4294967295L instead of -1L. For example,
syscall for x86_64 is defined in libc/sysdeps/linux/x86_64/syscall.S as
syscall:
    movq %rdi, %rax         /* Syscall number -> rax. */
    movq %rsi, %rdi         /* shift arg1 - arg5. */
    movq %rdx, %rsi
    movq %rcx, %rdx
    movq %r8, %r10
    movq %r9, %r8
    movq 8(%rsp),%r9        /* arg6 is on the stack. */
    syscall                 /* Do the system call. */
    cmpq $-4095, %rax       /* Check %rax for error. */
    jae __syscall_error     /* Branch forward if it failed. */
    ret                     /* Return to caller. */
In libc/sysdeps/linux/x86_64/__syscall_error.c, __syscall_error is
defined as
    int __syscall_error(void) attribute_hidden;
    int __syscall_error(void)
    {
        register int err_no __asm__ ("%rcx");
        __asm__ ("mov %rax, %rcx\n\t"
                 "neg %rcx");
        __set_errno(err_no);
        return -1;
    }
So __syscall_error returns -1 as a 32-bit int in a 64-bit register, %rax
(0x00000000ffffffff, whose decimal value is 4294967295) and a
test like this always returns false:
    if (syscall(number, ...) == -1)
        foo();
Fix the error by making __syscall_error return a long, like syscall().
The problem can be circumvented by the caller by coercing the returned
value to int before comparing it to -1:
    if ((int) syscall(number, ...) == -1)
        foo();
The same problem probably occurs on other 64-bit systems but so far only
x86_64 was tested, so this change must be considered experimental.
Signed-off-by: Carlos Santos <unixmania@gmail.com>
|
|
|
|
(gdb) print offsetof(struct __jmp_buf_tag, __mask_was_saved)
$12 = (int *) 0x1f0
using https://stackoverflow.com/a/39663128/2171120
|
|
Update from linux/arch/sparc/include/uapi/asm/uctx.h
|
|
|
|
|
|
This symbol was causing a build failure with the new toolchain. It
looks like it has always been wrong.
The main issue was checking for PIC rather than __PIC__.
Remove all PSEUDO_* macros and the SYSCALL_ERROR_NAME macro as they are
not needed by uclibc-ng, they are used in glibc for building up syscalls
there, but not here.
Fixes error:
/opt/shorne/software/or1k-linux/bin/../lib/gcc/or1k-linux/9.0.1/../../../../or1k-linux/bin/ld: libc/libc_so.a(or1k_clone.os): pc-relative relocation against dynamic symbol __syscall_error
/opt/shorne/software/or1k-linux/bin/../lib/gcc/or1k-linux/9.0.1/../../../../or1k-linux/bin/ld: final link failed: bad value
Signed-off-by: Stafford Horne <shorne@gmail.com>
|
|
The internal heap structures were not protected properly in
memalign(). If multiple threads were concurrently allocating memory and
one of them was requesting aligned memory via valloc, memalign or
posix_memalign, the internal heap data structures could be corrupted.
Signed-off-by: Kjetil Oftedal <oftedal@gmail.com>
|
|
This patch fixes the incorrect guard by __USE_MISC of struct winsize and
struct termio in powerpc termios header. The current state leads to build
failures if the program defines _XOPEN_SOURCE, but not _DEFAULT_SOURCE
or either _BSD_SOURCE or _SVID_SOURCE. Without any definition,
__USE_MISC will not be defined and neither will the struct definitions.
This patch copies the default Linux ioctl-types.h by adjusting only the
character control field (c_cc) size in struct termio.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
[Vadim: adopted for uclibc ]
|
|
This reverts commit 14c36638c1a125b1c2d06857c7e7c44f266d0e8e.
|
|
Fix redefinition of 'struct termios' by syncing termios powerpc headers
from glibc, the commit which fixed the same issue in glibc:
d4795e4a43e6f0c221bc5dc64c612206a21a177b PowerPC: Fix termios definitions
https://sourceware.org/git/?p=glibc.git;a=commit;h=d4795e4a43e6f0c221bc5dc64c612206a21a177b
it fixed the following bug request:
https://bugzilla.redhat.com/show_bug.cgi?id=1122714
In case of Buildroot it fixes flashrom build for PowerPC.
Fixes:
http://autobuild.buildroot.net/results/797dde5cbf0e94162c7cc7b557841605c78ac2f3/
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
|
|
This is a follow up to an incorrect fix for memmove() problem in:
commit 785dee78552f9ad06819bf7eb1adc05b43110842
Author: Petar Jovanovic <petar.jovanovic@rt-rk.com>
Date: Mon May 6 13:29:02 2019 +0000
mips: fix memmove() call when __ARCH_HAS_BWD_MEMCPY__ is not defined
Calling memcpy from memmove should be skipped in two cases:
a) if arch's memcpy uses a backward copying (e.g. SH4)
b) if arch's memcpy is not fully safe for overlapping regions (MIPS)
Signed-off-by: Petar Jovanovic <petar.jovanovic@rt-rk.com>
|
|
Summary:
Recent arch do not support Legacy.
Thus they don't define ARCH_HAS_DEPRECATED_SYSCALLS
But this led to per-arch headers not being installed and common-generic ones taking precedence.
So it was impossible to declare arch-specific statfs.h for instance, to force 64-bit mode only.
This was leading to the following situation to happen:
1/ an application compiles (say without -D_FILE_OFFSET_BITS set)
it therefore uses struct statfs from libc/sysdeps/linux/common-generic/bits/statfs.h
where f_type and f_bsize fields are U32: https://elixir.bootlin.com/uclibc-ng/latest/source/libc/sysdeps/linux/common-generic/bits/statfs.h#L18
2/ application calls "statfs"
3/ uClibc issues "statfs64" syscall (because __NR_statfs64 is defined and __NR_statfs is undefined):
https://elixir.bootlin.com/uclibc-ng/latest/source/libc/sysdeps/linux/common/statfs.c#L14
4/ if Linux kernel port is not defining CONFIG_COMPAT, it calls do_statfs_native
https://elixir.bootlin.com/linux/latest/source/fs/statfs.c#L195
5/ it does copy_to_user of the size of struct statfs defined in the kernel source tree:
https://elixir.bootlin.com/linux/latest/source/fs/statfs.c#L161
6/ Generic struct statfs in the kernel is defined like this:
https://elixir.bootlin.com/linux/latest/source/include/uapi/asm-generic/statfs.h#L23
f_type and f_bsize fields are long (64 bits) for 64-bit archs.
7/ memory corruption occurs because of this mismatch
Solution:
Allow to not define __ARCH_HAS_DEPRECATED_SYSCALLS__ *and* declare its own arch-specific statfs.h header, matching the kernel one.
(for instance with f_type and f_bsize defined as long)
Does this change break other archs?
This change allows headers in libc/sysdeps/linux/<ARCH>/bits/ to override ones in libc/sysdeps/linux/common-generic/bits/
The only arch which does not define __ARCH_HAS_DEPRECATED_SYSCALLS__ *and* has a header in libc/sysdeps/linux/<ARCH>/bits/ which can conflict with one in libc/sysdeps/linux/common-generic/bits/
is c6x.
The file that can override is ../libc/sysdeps/linux/c6x/bits/kernel_stat.h
This, btw, means that, today, this file is there and is not used (during compilation, GNU Make overrides the rule):
Makefile.in:152: warning: overriding recipe for target `include/bits/kernel_stat.h'
Makefile.in:148: warning: ignoring old recipe for target `include/bits/kernel_stat.h'
I was not able to compile uClibc with the only binary toolchain I found for c6x arch (gcc-4.5.1 from code sourcery: https://sourcery.mentor.com/GNUToolchain/release1882)
However, I can tell that c6x's kernel_stat.h only defines two structs: kernel_stat and kernel_stat64: https://elixir.bootlin.com/uclibc-ng/latest/source/libc/sysdeps/linux/c6x/bits/kernel_stat.h
And I can also tell that those structs are only used when using xstat conversion functions (__xstat32_conv / xstat_conv) which are only used and present in the __ARCH_HAS_DEPRECATED_SYSCALLS__ == y case.
However, c6x does not define __ARCH_HAS_DEPRECATED_SYSCALLS__
So I think I can say that this change does not affect c6x nor other archs.
|
|
We don't support shared libraries and thus _init/_fini. But loading
nommu binaries blows they aren't cleared, so do that.
Signed-off-by: Christoph Hellwig <hch@lst.de>
|
|
This avoids a nommu build failure.
Signed-off-by: Christoph Hellwig <hch@lst.de>
|
|
There is no opendir64(), thus even programs built for 64-bit off_t
use opendir(). Before this change, internally opendir() uses fstat(),
with the following breakage if some of struct stat fields are too narrow:
$ strace ls -l
execve("/busybox/ls", ["ls", "-l"], 0x7ffcdc43ede8 /* 16 vars */) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
getuid32() = 0
time([1551486393 /* 2019-03-02T00:26:33+0000 */]) = 1551486393 (2019-03-02T00:26:33+0000)
ioctl(0, TIOCGWINSZ, {ws_row=38, ws_col=120, ws_xpixel=0, ws_ypixel=0}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
brk(NULL) = 0x9768000
brk(0x9769000) = 0x9769000
lstat64(".", 0xffa6e374) = 0
open(".", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, 0xffa6e378) = -1 EOVERFLOW (Value too large for defined data type)
See https://bugs.busybox.net/show_bug.cgi?id=11651
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
|
|
__UCLIBC_HAS_PROGRAM_INVOCATION_NAME__
This fixes the issue reported at https://github.com/wbx-github/uclibc-ng/issues/2
Signed-off-by: Yann Sionneau <yann@sionneau.net>
|
|
When arch (such as MIPS) does not define __ARCH_HAS_BWD_MEMCPY__, memmove()
calls memcpy() which is wrong for overlapping regions.
Signed-off-by: Petar Jovanovic <petar.jovanovic@rt-rk.com>
|
|
uClibc-ng doesn't build with gcc 9.1 [1] due to a new check that
"catch illegal asm constraint usage" [2].
gcc 9.1 prints this error:
"invalid hard register usage between earlyclobber operand and input operand"
The asm constraint has been present in uClibc since it has supported sparc (back in 2002) [3].
Note: There is no such constraint in the Glibc counterpart code [4].
[1] https://gitlab.com/kubu93/toolchains-builder/-/jobs/205435757
[2] https://github.com/gcc-mirror/gcc/commit/b782636f28f5c378897c238081d28d7a4a6ca578
[3] https://cgit.uclibc-ng.org/cgi/cgit/uclibc-ng.git/commit/?id=3b6d086531102b6d09ce852feb1e370d5dca3ce9
[4] https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/sparc/sysdep.h;h=981b2a26b7a91093f821c97876e55bc4be2d9f8a;hb=HEAD
|
|
preadv/pwritev don't provide separate version for 64-bit wide off_t,
and default to 32-bit wide off_t, which results in a mismatch between
declaration and definition for user programs built with
-D_FILE_OFFSET_BITS=64.
Make offset argument of both functions __off64_t.
This fixes test misc/tst-preadvwritev on xtensa.
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
|
|
xtensa assembler is capable of representing register loads with either
movi + addmi, l32r or const16, depending on the core configuration.
Don't use '.literal' and 'l32r' directly in the code, use 'movi' and let
the assembler relax them.
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
|
|
Add description for _LARGEFILE_SOURCE, _LARGEFILE64_SOURCE,
_FILE_OFFSET_BITS and __USE_LARGEFILE, __USE_LARGEFILE64 and
__USE_FILE_OFFSET64 macros.
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
|
|
|
|
This patch seems needed in builds where
- SHARED is not defined (no shared lib support)
- and USE_TLS is set
Without this patch, static_dtv is free'ed.
See the following backtrace:
0 __do_check_chunk (p=0x52638 <fork_handler_pool+2296>) at libc/stdlib/malloc-standard/malloc.c:80
1 0x0000000000017fa0 in __do_check_inuse_chunk (p=0x52638 <fork_handler_pool+2296>) at libc/stdlib/malloc-standard/malloc.c:143
2 0x0000000000017354 in free (mem=0x52648 <static_dtv>) at libc/stdlib/malloc-standard/free.c:293
3 0x000000000002d5b0 in _dl_deallocate_tls (tcb=0x58690, dealloc_tcb=false) at libpthread/nptl/sysdeps/generic/dl-tls.c:588
4 0x0000000000021c0c in __deallocate_stack (pd=0x58000) at libpthread/nptl/allocatestack.c:717
5 0x0000000000024408 in __free_tcb (pd=0x58000) at libpthread/nptl/pthread_create.c:217
6 0x00000000000200ac in pthread_join (threadid=360448, thread_return=0x0 <k1c_start>) at libpthread/nptl/pthread_join.c:109
7 0x0000000000010354 in tf (a=0x58000) at tst-basic3.c:42
8 0x00000000000247c8 in start_thread (arg=0x4000200960) at libpthread/nptl/pthread_create.c:285
9 0x0000000000026560 in ?? ()
This backtrace is obtained while debugging tst-basic3 from the uclibc-ng nptl testsuite.
It aborts because of the assert in malloc:
https://elixir.bootlin.com/uclibc-ng/v1.0.31/source/libc/stdlib/malloc-standard/malloc.c#L80
Signed-off-by: Yann Sionneau <ysionneau@kalray.eu>
|
|
For ARCH where shared lib are not supported:
- SHARED is not set (!SHARED is true)
- __ARCH_HAS_NO_LDSO__ is set
so code inside #if !defined __ARCH_HAS_NO_LDSO__ && !defined SHARED
is compiled-out.
But without a call to _dl_aux_init(), _dl_phdr stays NULL and
__libc_setup_tls won't be able to allocate memory for the in-executable TLS
and also won't be able to load the initimage from ELF TLS segment.
This results in segfault when doing things like "errno = 0" like
in tst-cancel15.c for instance in uClibc-ng testsuite.
Signed-off-by: Yann Sionneau <ysionneau@kalray.eu>
|
|
Hi,
The current version of uClibc-ng has an issue in the open_memstream() function.
If the cookie variable is NULL (due to malloc() failure) then a null pointer is
dereferenced after the if block.
The attached patch fixes this issue.
--
Best regards,
Eugene
|