path: root/libc/stdlib
Age | Commit message | Author

2020-12-23 | stdlib: fix potential UB and integer overflow with huge allocations using malloc-simple allocator | Yann Sionneau

    Two things are fixed by this commit:
    1/ It is wrong to allocate an object of size > PTRDIFF_MAX. It is explained in this thread: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63303
    2/ There was a possible integer overflow in both malloc() and memalign() implementations of stdlib/malloc-simple.
    The malloc() integer overflow issue is fixed by the side effect of fixing the PTRDIFF_MAX issue. The memalign() one is fixed by adding a comparison.

    Signed-off-by: Yann Sionneau <yann@sionneau.net>

2020-04-01 | Resolve bug when using unusual MALLOC_ALIGNMENT | Eyal Itkin

    Safe-Linking alignment checks should be done on the user's buffer and not the mchunkptr. The new check adds support for cases in which:
        MALLOC_ALIGNMENT != 2*(sizeof(size_t))
    The default case for both 32 bits and 64 bits was already supported, and this patch adds support for the described irregular case.

2020-02-19 | malloc: add missing header for some arch (alpha) | Waldemar Brodkorb

2020-02-16 | Add Safe-Linking to fastbins | Eyal Itkin

    Safe-Linking is a security mechanism that protects single-linked lists (such as the fastbins) from being tampered with by attackers. The mechanism makes use of randomness from ASLR (mmap_base), and when combined with chunk alignment integrity checks, it protects the pointers from being hijacked by an attacker.

    While Safe-Unlinking protects double-linked lists (such as the small bins), there wasn't any similar protection for attacks against single-linked lists. This solution protects against 3 common attacks:
    * Partial pointer override: modifies the lower bytes (Little Endian)
    * Full pointer override: hijacks the pointer to an attacker's location
    * Unaligned chunks: pointing the list to an unaligned address

    The design assumes an attacker doesn't know where the heap is located, and uses the ASLR randomness to "sign" the single-linked pointers. We mark the pointer as P and the location in which it is stored as L, and the calculation will be:
    * PROTECT(P) := (L >> PAGE_SHIFT) XOR (P)
    * *L = PROTECT(P)

    This way, the random bits from the address L (which start at the bits in the PAGE_SHIFT position) will be merged with the LSB of the stored protected pointer. This protection layer prevents an attacker from modifying the pointer into a controlled value.

    An additional check that the chunks are MALLOC_ALIGNed adds an important layer:
    * Attackers can't point to illegal (unaligned) memory addresses
    * Attackers must guess correctly the alignment bits

    On standard 32 bit Linux machines, an attacker will directly fail 7 out of 8 times, and on 64 bit machines it will fail 15 out of 16 times.

    The proposed solution adds 3-4 asm instructions per malloc()/free() and therefore has only minor performance implications if it has any. A similar protection was added to Chromium's version of TCMalloc in 2013, and according to their documentation the performance overhead was less than 2%.

    Signed-off-by: Eyal Itkin <eyalit@checkpoint.com>

2020-01-28 | fix getenv bug | Ata, John (US)

    The getenv() library call can trap under certain conditions. It compares the passed in environment variable name (var) with the name=variables (*ep) in the environment area and returns a pointer to the value in the environment if it exists. To accomplish this, it does a memcmp() using the length of the passed in name (len) for each environment variable (*ep) against the passed in name (var). So memcmp will attempt to scan both strings for len bytes.

    However, if for some reason, len is equal to or greater than 16 and longer than the length of the *ep in the environment and the *ep resides near the end of a page boundary while the next page is not present or mapped, the memcmp could trap with a sigsegv error while continuing the scan with the optimization read-ahead. However, if strncmp is used instead, there is no problem since both source and destination scanning will stop when either reaches a terminating NULL.

2019-09-30 | malloc: Add missing locks for some paths (valloc/memalign/posix_memalign) | Kjetil Oftedal

    The internal heap structures were not protected properly in memalign(). If multiple threads were concurrently allocating memory and one of them was requesting aligned memory via valloc, memalign or posix_memalign, the internal heap data structures could be corrupted.

    Signed-off-by: Kjetil Oftedal <oftedal@gmail.com>

2018-11-01 | mkostemp64: clear flags, as mkostemp does | Carlos Santos

    This should have been made in commit 9649721950 but was forgotten.

    Signed-off-by: Carlos Santos <casantos@datacom.com.br>

2018-08-10 | mbtowc: Fix non-compliant behavior for end of string | Christophe Lyon

    Match glibc behavior.

    * libc/stdlib/stdlib.c (mbtowc): Fix end of string behavior.

    Signed-off-by: Mickaël Guêné <mickael.guene@st.com>
    Signed-off-by: Christophe Lyon <christophe.lyon@st.com>

2018-08-10 | nptl: Use vfork on MMU-less for system() | Christophe Lyon

    * libc/stdlib/system.c (FORK): Map to vfork if __ARCH_USE_MMU__ is defined.

    Signed-off-by: Mickaël Guêné <mickael.guene@st.com>
    Signed-off-by: Christophe Lyon <christophe.lyon@st.com>

2018-04-17 | libdl: cleanup old inline changelog | Waldemar Brodkorb

2018-03-01 | add missing include to quieten compiler | Waldemar Brodkorb

2018-01-31 | malloc: add glibc compat symbols | Waldemar Brodkorb

2018-01-31 | malloc: add malloc_usable_size() | Waldemar Brodkorb

2018-01-31 | remove arc4random (rc4 based) | Waldemar Brodkorb

    OpenBSD arc4random has been using the chacha20 cipher algorithm for a long time. This copy is still based on the deprecated rc4 cipher algorithm. We could either update the arc4random.c or drop it. Drop it. Users should better use libbsd when using the arc4random interface. Musl/glibc do not have arc4random either.

2018-01-02 | remove COMPAT_ATEXIT | Waldemar Brodkorb

2017-11-03 | malloc-standard/malloc.h: use getpagesize | Yitai Schwartz

    sysconf creates a lot of code dependencies. getpagesize doesn't. Statically linked code that calls malloc is now much smaller.

    Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org>

2017-06-21 | remove editor hints for vi | Waldemar Brodkorb

2017-06-08 | Fix mkostemp64 creation mode. | Ignacy Gawędzki

    All flavors of mkstemp create files with mode S_IRUSR | S_IWUSR, as per POSIX.1-2008. Make mkostemp64 follow that too instead of creating files with mode S_IRUSR | S_IWUSR | S_IXUSR.

    Signed-off-by: Ignacy Gawędzki <ignacy.gawedzki@green-communications.fr>

2017-03-17 | Discard 3072 bytes instead of 256 bytes | Loganaden Velvindron

    This follows the recommendations outlined in Network Operations Division Cryptographic Requirements published on wikileaks in March 2017. We discard more bytes of the first keystream to reduce the possibility of non-random bytes. This is similar to a change in FreeBSD: https://svnweb.freebsd.org/base?view=revision&revision=315225

    Signed-off-by: Loganaden Velvindron <logan@hackers.mu>

2017-02-25 | Only set *memptr when success for posix_memalign | Kito Cheng

2017-01-14 | add secure_getenv() function | Waldemar Brodkorb

2016-12-20 | remove __MALLOC_GLIBC_COMPAT__ option | Waldemar Brodkorb

    This option has been enabled for a long time and I see no useful case where we should be incompatible to glibc here.

2016-11-27 | remove UCLIBC_HAS_LFS | Waldemar Brodkorb

2016-11-27 | add aligned_alloc required for latest gcc libstdc++ | Waldemar Brodkorb

2016-06-01 | remove MJN only debug messages | Waldemar Brodkorb

2016-05-18 | remove linuxthreads.new, rename linuxthreads.old | Waldemar Brodkorb

    Linuxthreads.new isn't really useful with the existence of NPTL/TLS for well supported architectures. There is no reason to use LT.new for ARM/MIPS or other architectures supporting NPTL/TLS. It is not available for noMMU architectures like Blackfin or FR-V. To simplify the life of the few uClibc-ng developers, LT.new is removed and LT.old is renamed to LT.

    LINUXTHREADS_OLD -> UCLIBC_HAS_LINUXTHREADS

2016-02-24 | Replaced any occurrence of /bin/sh with _PATH_BSHELL to allow easier portability on systems with the default shell in a different directory, like for instance on android. | Ubaldo Porcheddu

    Signed-off-by: Ubaldo Porcheddu <ubaldo@eja.it>

2016-01-10 | order of special checks matters | Waldemar Brodkorb

    The order of special checks seems critical for some applications. Xorg 1.18.0 fails to start with XNFreallocarray error. Took me some time to run with MALLOC_DEBUG=2 to find out. MALLOC_STANDARD is not affected.

2016-01-06 | pthread_atfork handlers not removed during dlclose | Waldemar Brodkorb

    Invoke pthread_atfork handler cleanup when removing the associated DSO...

    If a program loads a DSO (dlopen) that sets up a pthread_atfork handler(s), and then subsequently closes the DSO, the handler(s) are left in place. If fork() is subsequently called, the handlers are invoked even though the DSO has been removed, causing crashes or unpredictable code execution. This is because the code in __cxa_finalize (atexit.c) to invoke the unregister_atfork() routine is ifdef'd out with the comment that it hasn't been "looked into this yet...".

    Refs.:
    http://bugs.busybox.net/show_bug.cgi?id=8211
    http://sourceware.org/bugzilla/show_bug.cgi?id=13502

    Add test-case, enable cleanup for NPTL only.

    Signed-off-by: John Ata <john.ata@baesystems.com>
    Signed-off-by: Leonid Lisovskiy <lly.dev@gmail.com>

2016-01-02 | remove attribute hidden, as the function is used in linuxthreads.old | Waldemar Brodkorb

    On avr32/cris the build with MALLOC fails, when compiling linuxthreads.

2015-12-17 | libc/stdlib: canonicalize_file_name() memory leak | Wojciech Nizinski

    Uclibc's canonicalize_file_name() is allocating a temporary buffer of 4kB (PATH_MAX), and passing it to realpath() as second argument. The function is not checking if realpath() fails and the memory is lost.

2015-12-09 | Make malloc_stats() GNU libc compatible | Waldemar Brodkorb

    This fixes commit 76dfc7ce8c "Some requested additional malloc entry points" from 2004.

    Signed-off-by: Leonid Lisovskiy <lly.dev@gmail.com>
    Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org>

2015-08-14 | getenv: allow overwriting of function | Waldemar Brodkorb

    This fixes static compile issues of sudo, because sudo uses its own getenv implementation.

2015-08-14 | add mkstemps, mkstemps64 and mkostemps, mkostemps64 functions | Romain Naour

    Change __gen_tempname() prototype in order to pass the additional suffix length. In __gen_tempname() add a new check for suffixlen. Update some comments in the code.

    Signed-off-by: Romain Naour <romain.naour@openwide.fr>
    Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org>

2015-04-13 | return NULL for realloc(p,0) like glibc | Waldemar Brodkorb

    See discussion here about the issue: https://sourceware.org/bugzilla/show_bug.cgi?id=12547
    Fixes testsuite errors.

2015-04-12 | remove more of the link_warnings | Waldemar Brodkorb

    Only the stub warnings are left for now.

2015-03-29 | merge uClibc git master | Waldemar Brodkorb

2015-03-22 | atexit_old: Do not add it to shared libc | Khem Raj

    atexit should only be in either uclibc_nonshared.a (shared libc case) or libc.a (static build case).

    Signed-off-by: Khem Raj <raj.khem@gmail.com>
    Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>

2015-03-18 | malloc-standard: Add locking to malloc_trim | Bernhard Reutner-Fischer

    Closes bugzilla #4586

    Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>

2015-03-18 | malloc: checked_request2size failure deadlocks | Zhiqiang Zhang

    In some rare cases (almost always application bugs), calling malloc with a very large size, the checked_request2size check will fail, set ENOMEM, and return 0 to the caller. But this will leave the __malloc_lock futex locked and owned by the caller. In a multithreaded circumstance, other threads calling malloc/calloc will NOT succeed and get locked.

    Signed-off-by: Zhiqiang Zhang <zhangzhiqiang.zhang@huawei.com>
    Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>

2015-02-14 | Revert "resolve merge" | Waldemar Brodkorb

    This reverts commit 6b6ede3d15f04fe825cfa9f697507457e3640344.

2015-02-14 | resolve merge | Waldemar Brodkorb

2015-01-26 | merge upstream changes | Waldemar Brodkorb

2015-01-23 | add argument check in setenv() | Xishi Qiu

    setenv() in glibc/eglibc will check the argument, like this:

        ...
        if (name == NULL || *name == '\0' || strchr (name, '=') != NULL)
          {
            __set_errno (EINVAL);
            return -1;
          }
        ...

    So add an argument check in uclibc's setenv() too.

    Signed-off-by: Xishi Qiu <qiuxishi@huawei.com>
    Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>

2015-01-22 | libc: Avoid redundant setting of ENOMEM | Bernhard Reutner-Fischer

    Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>

2015-01-01 | remove unused Linux 2.0 compat code, otherwise c6x without NPTL is broken | Waldemar Brodkorb

2014-12-15 | mkostemp: fix implementation | Anthony G. Basile

    mkostemp(char *template, int flags) generates a unique temporary filename from a template. The flags parameter accepts three of the same flags as open(2): O_APPEND, O_CLOEXEC, and O_SYNC. The current implementation of mkostemp(3) does not respect the flags and in fact confuses the flags with the file mode which should always be S_IRUSR | S_IWUSR. This patch corrects this issue.

    Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
    Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>

2014-12-10 | mkostemp: fix implementation | Anthony G. Basile

    mkostemp(char *template, int flags) generates a unique temporary filename from a template. The flags parameter accepts three of the same flags as open(2): O_APPEND, O_CLOEXEC, and O_SYNC. The current implementation of mkostemp(3) does not respect the flags and in fact confuses the flags with the file mode which should always be S_IRUSR | S_IWUSR. This patch corrects this issue.

    Signed-off-by: Anthony G. Basile <blueness@gentoo.org>

2014-09-20 | linuxthreads: remove unused s390 code | Waldemar Brodkorb

    Cleanup linuxthreads by removing unused s390 code.

    Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>

2014-09-16 | libc: silence missing prototype warning | Bernhard Reutner-Fischer

    Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>