| Age | Commit message (Collapse) | Author | 
|---|---|---|
|  | Safe-Linking alignment checks should be done on the user's buffer and not
the mchunkptr. The new check adds support for cases in which:
MALLOC_ALIGNMENT != 2*(sizeof(size_t))
The default case for both 32 bits and 64 bits was already supported, and
this patch adds support for the described irregular case. | 
|  | Safe-Linking is a security mechanism that protects single-linked
lists (such as the fastbins) from being tampered with by attackers. The
mechanism makes use of randomness from ASLR (mmap_base), and when
combined with chunk alignment integrity checks, it protects the
pointers from being hijacked by an attacker.
While Safe-Unlinking protects double-linked lists (such as the small
bins), there wasn't any similar protection for attacks against
single-linked lists. This solution protects against 3 common attacks:
  * Partial pointer override: modifies the lower bytes (Little Endian)
  * Full pointer override: hijacks the pointer to an attacker's location
  * Unaligned chunks: pointing the list to an unaligned address
The design assumes an attacker doesn't know where the heap is located,
and uses the ASLR randomness to "sign" the single-linked pointers. We
mark the pointer as P and the location in which it is stored as L, and
the calculation will be:
  * PROTECT(P) := (L >> PAGE_SHIFT) XOR (P)
  * *L = PROTECT(P)
This way, the random bits from the address L (which start at the bits
in the PAGE_SHIFT position), will be merged with the LSB of the stored
protected pointer. This protection layer prevents an attacker from
modifying the pointer into a controlled value.
An additional check that the chunks are MALLOC_ALIGNed adds an
important layer:
  * Attackers can't point to illegal (unaligned) memory addresses
  * Attackers must correctly guess the alignment bits
On standard 32 bit Linux machines, an attacker will directly fail 7
out of 8 times, and on 64 bit machines it will fail 15 out of 16
times.
The proposed solution adds 3-4 asm instructions per malloc()/free()
and therefore has only minor performance implications if it has
any. A similar protection was added to Chromium's version of TCMalloc
in 2013, and according to their documentation the performance overhead
was less than 2%.
Signed-off-by: Eyal Itkin <eyalit@checkpoint.com> | 
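The PROTECT/REVEAL transform and the alignment check described above, modelled in C as an added example (not glibc's or uClibc-ng's malloc code). PAGE_SHIFT = 12, a 16-byte MALLOC_ALIGNMENT (the 64-bit default) and the slot and pointer addresses are assumptions.

```c
/* Added example, not glibc's or uClibc-ng's malloc code: a model of the
 * Safe-Linking transform PROTECT(P) = (L >> PAGE_SHIFT) XOR P and of the
 * alignment check that goes with it. PAGE_SHIFT = 12 and a 16-byte
 * MALLOC_ALIGNMENT (the 64-bit default) are assumed. */
#include <stdint.h>

#define PAGE_SHIFT 12
#define MALLOC_ALIGNMENT 16

/* L is the address of the slot holding the link, P the pointer stored in it. */
static uint64_t protect_ptr(uint64_t L, uint64_t P)
{
    return (L >> PAGE_SHIFT) ^ P;
}

/* Reading the link back is the same XOR with the slot's own address. */
static uint64_t reveal_ptr(uint64_t L, uint64_t stored)
{
    return (L >> PAGE_SHIFT) ^ stored;
}

/* The integrity check the allocator applies to every revealed link. */
static int is_aligned_chunk(uint64_t P)
{
    return (P & (MALLOC_ALIGNMENT - 1)) == 0;
}

/* Store P at slot L, let a corruption overwrite the bytes selected by mask,
 * then read the link back the way the allocator would. Returns 1 if the
 * corrupted link is rejected by the alignment check, 0 if it would pass. */
static int corruption_rejected(uint64_t L, uint64_t P, uint64_t mask, uint64_t value)
{
    uint64_t slot = protect_ptr(L, P);          /* legitimate protected link */
    slot = (slot & ~mask) | (value & mask);     /* corrupted bytes in the slot */
    return !is_aligned_chunk(reveal_ptr(L, slot));
}

/* Without knowing L's randomized bits, the low nibble of a revealed link is
 * (L >> PAGE_SHIFT) ^ (written low nibble). Count how many of the 16 possible
 * written low nibbles survive the alignment check: only one does, which is
 * the "fails 15 out of 16 times" figure from the commit message. */
static int surviving_low_nibbles(uint64_t L)
{
    int survivors = 0;
    for (uint64_t nib = 0; nib < 16; nib++)
        survivors += is_aligned_chunk(reveal_ptr(L, nib));
    return survivors;
}
```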
|  | It fixes tst-signal6 and friends.
Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com> | 
|  | It fixes tst-cancel1 and friends.
Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com> | 
|  | It fixes:
FAIL sem got 1 expected 0
	failed: incorrect sem_nsems!
	semget(IPC_CREAT) = 0
	semctl(k) = 0
	sem_nsems = 0
for aarch64.
Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com> | 
|  | Similar to glibc commit
https://sourceware.org/git/?p=glibc.git;a=commit;h=6bbfc5c09fc5b5e3d4a0cddbbd4e2e457767dae7
we need to handle the Linux kernel change which removed the stat64 family from the default syscall set.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Waldemar Brodkorb <wbrodkorb@conet.de> | 
|  | map_newlink() may abort when the interface list changed between the netlink
request for getting interfaces and the one for getting addresses. This commit is
ported from the corresponding glibc commit.
Signed-off-by: Vincent Hou <vincent.houyi@gmail.com> | 
|  | Avoid calling select with empty sets, which hangs the process.
This makes uClibc-ng act like glibc and musl.
Without this fix the test_poll of the python3 testsuite hangs forever.
Scenario of the issue:
If you call poll with only invalid file descriptors, like in the python3
testsuite
(https://github.com/python/cpython/blob/master/Lib/test/test_poll.py#L83)
you will go through the uClibc poll emulation code, which is based on the
select syscall.
Your first call to select will fail; it will return -1 and errno will be
set to EBADF: https://github.com/wbx-github/uclibc-ng/blob/master/libc/sysdeps/linux/common/poll.c#L120
Then you will go through the for loop which tests each file descriptor individually by calling
select on each one: https://github.com/wbx-github/uclibc-ng/blob/master/libc/sysdeps/linux/common/poll.c#L163
Each call will also return -1 with errno equal to EBADF.
Therefore all pollfds will have the POLLNVAL flag in their respective revents field.
And, most importantly, rset/wset/xset will stay empty.
Then the for loop ends, and the "continue" makes the while loop run again.
The following select() is run again: https://github.com/wbx-github/uclibc-ng/blob/master/libc/sysdeps/linux/common/poll.c#L120
But this time the sets are empty.
If poll was called with timeout set to -1, this select will hang forever because there is no timeout
and the sets are empty, so no event will ever wake it up.
test program:
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
int main(void)
{
	struct pollfd pfd;
	int ret;
	int pipe_fds[2];
	/* create a pipe and close both ends so the descriptor is invalid */
	pipe(pipe_fds);
	close(pipe_fds[0]);
	close(pipe_fds[1]);
	pfd.fd = pipe_fds[0];
	pfd.events = POLLIN | POLLOUT | POLLPRI;
	pfd.revents = 0;
	ret = poll(&pfd, 1, -1);
	printf("ret: %d\n", ret);
	if (ret < 0)
		printf("error: %s", strerror(errno));
	else {
		puts("revents: ");
		if (pfd.revents & POLLERR)
			printf(" POLLERR");
		if (pfd.revents & POLLHUP)
			printf(" POLLHUP");
		if (pfd.revents & POLLNVAL)
			printf(" POLLNVAL");
		puts("");
	}
	return 0;
}
This hangs on uClibc-ng aarch64 and Kalray's arch (kv3) but does the following on musl and glibc:
"
ret: 1
revents:
 POLLNVAL
"
strace output of this program with uClibc *without* the patch applied:
pselect6(4, [3], [3], [3], NULL, NULL)  = -1 EBADF (Bad file descriptor)
pselect6(4, [3], [3], [3], {tv_sec=0, tv_nsec=0}, NULL) = -1 EBADF (Bad file descriptor)
pselect6(0, 0x7ffffffb80, 0x7ffffffb68, 0x7ffffffb50, NULL, NULL
(never finishes)
strace output of this program with uClibc *with* the patch applied:
pselect6(4, [3], [3], [3], NULL, NULL)  = -1 EBADF (Bad file descriptor)
pselect6(4, [3], [3], [3], {tv_sec=0, tv_nsec=0}, NULL) = -1 EBADF (Bad file descriptor)
write(1, "ret: 1\n", 7ret: 1
)                 = 7
write(1, "revents: \n", 10revents:
)             = 10
write(1, " POLLNVAL\n", 10 POLLNVAL
)             = 10
exit_group(0)                           = ?
+++ exited with 0 +++ | 
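A minimal poll()-over-select() emulation that applies the fix described above, written as an added example rather than uClibc-ng's own poll.c. It probes each descriptor with fcntl(F_GETFD) instead of the per-fd select() loop in the commit, and returns early when no valid descriptor remains; the closed-pipe test is the commit's own scenario.

```c
/* Added example, not uClibc-ng's libc/sysdeps/linux/common/poll.c: a minimal
 * poll() emulation on top of select() that applies the fix described above. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <sys/select.h>
#include <unistd.h>
static int poll_via_select(struct pollfd *fds, nfds_t nfds, int timeout)
{
    fd_set rset, wset, xset;
    struct timeval tv, *tvp = NULL;
    int maxfd = -1, nvalid = 0, ready = 0;
    FD_ZERO(&rset); FD_ZERO(&wset); FD_ZERO(&xset);
    for (nfds_t i = 0; i < nfds; i++) {
        fds[i].revents = 0;
        if (fds[i].fd < 0) continue;     /* negative fd is ignored, as in poll() */
        /* Probe each fd first (the commit's per-fd loop, with fcntl here): a closed fd gets POLLNVAL and never enters the sets. */
        if (fcntl(fds[i].fd, F_GETFD) == -1 && errno == EBADF) {
            fds[i].revents = POLLNVAL; ready++; continue;
        }
        if (fds[i].fd >= FD_SETSIZE) { errno = EINVAL; return -1; }
        if (fds[i].events & POLLIN)  FD_SET(fds[i].fd, &rset);
        if (fds[i].events & POLLOUT) FD_SET(fds[i].fd, &wset);
        if (fds[i].events & POLLPRI) FD_SET(fds[i].fd, &xset);
        if (fds[i].fd > maxfd) maxfd = fds[i].fd;
        nvalid++;
    }
    /* The fix: nothing is left to wait for, so report the POLLNVAL entries now;
     * without it select() runs on empty sets and, for timeout -1, never returns. */
    if (nvalid == 0) return ready;
    if (timeout >= 0) {
        tv.tv_sec = timeout / 1000; tv.tv_usec = (timeout % 1000) * 1000; tvp = &tv;
    }
    if (select(maxfd + 1, &rset, &wset, &xset, tvp) < 0) return -1;
    for (nfds_t i = 0; i < nfds; i++) {
        if (fds[i].fd < 0 || fds[i].revents == POLLNVAL) continue;
        if (FD_ISSET(fds[i].fd, &rset)) fds[i].revents |= POLLIN;
        if (FD_ISSET(fds[i].fd, &wset)) fds[i].revents |= POLLOUT;
        if (FD_ISSET(fds[i].fd, &xset)) fds[i].revents |= POLLPRI;
        if (fds[i].revents) ready++;
    }
    return ready;
}
/* The commit's test program: both ends of a pipe closed, timeout -1. Returns 1
 * when the call comes back with POLLNVAL instead of hanging. */
static int closed_pipe_case(void)
{
    struct pollfd pfd; int p[2], ret;
    if (pipe(p) < 0) return -1;
    close(p[0]); close(p[1]);
    pfd.fd = p[0]; pfd.events = POLLIN | POLLOUT | POLLPRI;
    ret = poll_via_select(&pfd, 1, -1);
    return (ret == 1 && pfd.revents == POLLNVAL) ? 1 : 0;
}
/* Control case: an open pipe with a byte pending goes through select(). */
static int readable_pipe_case(void)
{
    struct pollfd pfd; int p[2], ret;
    if (pipe(p) < 0 || write(p[1], "x", 1) != 1) return -1;
    pfd.fd = p[0]; pfd.events = POLLIN;
    ret = poll_via_select(&pfd, 1, 0);
    close(p[0]); close(p[1]);
    return (ret == 1 && pfd.revents == POLLIN) ? 1 : 0;
}
```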
|  | The getenv() library call can trap under certain conditions.  It compares the
passed in environment variable name (var) with the name=variables (*ep) in the
environment area and returns a pointer to the value in the environment if it
exists.  To accomplish this, it does a memcmp() using the length of the passed
in name (len) for each environment variable (*ep) against the passed in name
(var).  So memcmp will attempt to scan both strings for len bytes.  However, if
for some reason len is equal to or greater than 16 and longer than the length
of the *ep in the environment, and the *ep resides near the end of a page
boundary while the next page is not present or mapped, the memcmp could trap
with a SIGSEGV while continuing the scan with the read-ahead optimization.
If strncmp is used instead, there is no problem, since both
source and destination scanning will stop when either reaches a terminating
NULL. | 
|  | Hi,
This diff fixes a typo in the PTRACE_EVENT_SECCOMP event code.
The typo itself was introduced in 2012 when syncing with glibc header
files and was itself fixed in 2013 in the glibc headers. | 
|  | Basically from the or1k port of uClibc-ng, with fixes for structures in
pthreadtypes.h from 64 bit architectures.
18 testsuite failures counted. | 
|  | The return type of syscall() is long, so __syscall_error, which is jumped
to by syscall handlers to stash an error number into errno, must return
long too, otherwise it returns 4294967295L instead of -1L. For example,
syscall for x86_64 is defined in libc/sysdeps/linux/x86_64/syscall.S as
    syscall:
        movq %rdi, %rax         /* Syscall number -> rax.  */
        movq %rsi, %rdi         /* shift arg1 - arg5.  */
        movq %rdx, %rsi
        movq %rcx, %rdx
        movq %r8, %r10
        movq %r9, %r8
        movq 8(%rsp),%r9        /* arg6 is on the stack.  */
        syscall                 /* Do the system call.  */
        cmpq $-4095, %rax       /* Check %rax for error.  */
        jae __syscall_error     /* Branch forward if it failed.  */
        ret                     /* Return to caller.  */
In libc/sysdeps/linux/x86_64/__syscall_error.c, __syscall_error is
defined as
    int __syscall_error(void) attribute_hidden;
    int __syscall_error(void)
    {
        register int err_no __asm__ ("%rcx");
        __asm__ ("mov %rax, %rcx\n\t"
                 "neg %rcx");
        __set_errno(err_no);
        return -1;
    }
So __syscall_error returns -1 as a 32-bit int in a 64-bit register, %rax
(0x00000000ffffffff, whose decimal value is 4294967295), and a
test like this always returns false:
    if (syscall(number, ...) == -1)
        foo();
Fix the error by making __syscall_error return a long, like syscall().
The problem can be circumvented by the caller by coercing the returned
value to int before comparing it to -1:
    if ((int) syscall(number, ...) == -1)
        foo();
The same problem probably occurs on other 64-bit systems but so far only
x86_64 was tested, so this change must be considered experimental.
Signed-off-by: Carlos Santos <unixmania@gmail.com> | 
|  | (gdb) print offsetof(struct __jmp_buf_tag, __mask_was_saved)
$12 = (int *) 0x1f0
using https://stackoverflow.com/a/39663128/2171120 | 
|  | Update from linux/arch/sparc/include/uapi/asm/uctx.h | 
|  | This symbol was causing a build failure with the new toolchain.  It
looks like it has always been wrong.
The main issue was checking for PIC rather than __PIC__.
Remove all PSEUDO_* macros and the SYSCALL_ERROR_NAME macro as they are
not needed by uclibc-ng, they are used in glibc for building up syscalls
there, but not here.
Fixes error:
  /opt/shorne/software/or1k-linux/bin/../lib/gcc/or1k-linux/9.0.1/../../../../or1k-linux/bin/ld: libc/libc_so.a(or1k_clone.os): pc-relative relocation against dynamic symbol __syscall_error
  /opt/shorne/software/or1k-linux/bin/../lib/gcc/or1k-linux/9.0.1/../../../../or1k-linux/bin/ld: final link failed: bad value
Signed-off-by: Stafford Horne <shorne@gmail.com> | 
|  | The internal heap structures were not protected properly in
memalign(). If multiple threads were concurrently allocating memory and
one of them was requesting aligned memory via valloc, memalign or
posix_memalign, the internal heap data structures could be corrupted.
Signed-off-by: Kjetil Oftedal <oftedal@gmail.com> | 
|  | This patch fixes the incorrect guard by __USE_MISC of struct winsize and
struct termio in the powerpc termios header.  The current state leads to build
failures if the program defines _XOPEN_SOURCE, but not _DEFAULT_SOURCE
or either _BSD_SOURCE or _SVID_SOURCE.  Without any such definition,
__USE_MISC will not be defined and neither will the struct definitions.
This patch copies the default Linux ioctl-types.h, adjusting only the
character control field (c_cc) size in struct termio.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
[Vadim: adopted for uclibc ] | 
|  | This is a follow up to an incorrect fix for memmove() problem in:
commit 785dee78552f9ad06819bf7eb1adc05b43110842
Author: Petar Jovanovic <petar.jovanovic@rt-rk.com>
Date:   Mon May 6 13:29:02 2019 +0000
    mips: fix memmove() call when __ARCH_HAS_BWD_MEMCPY__ is not defined
Calling memcpy from memmove should be skipped in two cases:
a) if arch's memcpy uses a backward copying (e.g. SH4)
b) if arch's memcpy is not fully safe for overlapping regions (MIPS)
Signed-off-by: Petar Jovanovic <petar.jovanovic@rt-rk.com> | 
|  | We don't support shared libraries and thus _init/_fini.  But loading
nommu binaries blows up if they aren't cleared, so do that.
Signed-off-by: Christoph Hellwig <hch@lst.de> | 
|  | This avoids a nommu build failure.
Signed-off-by: Christoph Hellwig <hch@lst.de> | 
|  | There is no opendir64(), thus even programs built for 64-bit off_t
use opendir(). Before this change, opendir() internally used fstat(),
with the following breakage if some of the struct stat fields are too narrow:
$ strace ls -l
execve("/busybox/ls", ["ls", "-l"], 0x7ffcdc43ede8 /* 16 vars */) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
getuid32()                              = 0
time([1551486393 /* 2019-03-02T00:26:33+0000 */]) = 1551486393 (2019-03-02T00:26:33+0000)
ioctl(0, TIOCGWINSZ, {ws_row=38, ws_col=120, ws_xpixel=0, ws_ypixel=0}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
brk(NULL)                               = 0x9768000
brk(0x9769000)                          = 0x9769000
lstat64(".", 0xffa6e374)                = 0
open(".", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, 0xffa6e378)                    = -1 EOVERFLOW (Value too large for defined data type)
See https://bugs.busybox.net/show_bug.cgi?id=11651
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com> | 
|  | When arch (such as MIPS) does not define __ARCH_HAS_BWD_MEMCPY__, memmove()
calls memcpy() which is wrong for overlapping regions.
Signed-off-by: Petar Jovanovic <petar.jovanovic@rt-rk.com> | 
|  | uClibc-ng doesn't build with gcc 9.1 [1] due to a new check to
"catch illegal asm constraint usage" [2].
gcc 9.1 prints this error:
"invalid hard register usage between earlyclobber operand and input operand"
The asm constraint has been present in uClibc since it started supporting sparc (back in 2002) [3].
Note: There is no such constraint in the Glibc counterpart code [4].
[1] https://gitlab.com/kubu93/toolchains-builder/-/jobs/205435757
[2] https://github.com/gcc-mirror/gcc/commit/b782636f28f5c378897c238081d28d7a4a6ca578
[3] https://cgit.uclibc-ng.org/cgi/cgit/uclibc-ng.git/commit/?id=3b6d086531102b6d09ce852feb1e370d5dca3ce9
[4] https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/sparc/sysdep.h;h=981b2a26b7a91093f821c97876e55bc4be2d9f8a;hb=HEAD | 
|  | preadv/pwritev don't provide separate version for 64-bit wide off_t,
and default to 32-bit wide off_t, which results in a mismatch between
declaration and definition for user programs built with
-D_FILE_OFFSET_BITS=64.
Make offset argument of both functions __off64_t.
This fixes test misc/tst-preadvwritev on xtensa.
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> | 
|  | xtensa assembler is capable of representing register loads with either
movi + addmi, l32r or const16, depending on the core configuration.
Don't use '.literal' and 'l32r' directly in the code, use 'movi' and let
the assembler relax them.
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> | 
|  | For arches where shared libs are not supported:
- SHARED is not set (!SHARED is true)
- __ARCH_HAS_NO_LDSO__ is set
so the code inside #if !defined __ARCH_HAS_NO_LDSO__ && !defined SHARED
is compiled out.
But without a call to _dl_aux_init(), _dl_phdr stays NULL and
__libc_setup_tls won't be able to allocate memory for the in-executable TLS
and also won't be able to load the initimage from the ELF TLS segment.
This results in a segfault when doing things like "errno = 0", as
in tst-cancel15.c for instance in the uClibc-ng testsuite.
Signed-off-by: Yann Sionneau <ysionneau@kalray.eu> | 
|  | Hi,
The current version of uClibc-ng has an issue in the open_memstream() function.
If the cookie variable is NULL (due to malloc() failing) then a null pointer is
dereferenced after the if block.
The attached patch fixes this issue.
--
Best regards,
Eugene | 
|  | The old version manages strings the regular way (i.e. counting on zero-terminated
sequences). In fact strings captured from the /etc/ethers file are
'\n'-terminated. So, for example, using the strchr function could lead to a buffer
overflow.
Reported-by: "Andrey V. Zhmurin" <zhmurin_a@mcst.ru> | 
|  | Definitions of POLLWRNORM, POLLWRBAND and POLLREMOVE in xtensa linux
kernel are non-standard. Provide bits/poll.h with correct values for
these constants.
This fixes the following strace build errors:
  In file included from xlat/pollflags.h:4:0,
                   from poll.c:34:
  ./static_assert.h:40:24: error: static assertion failed: "POLLWRBAND != 0x0100"
   # define static_assert _Static_assert
                          ^
  xlat/pollflags.h:75:1: note: in expansion of macro ‘static_assert’
   static_assert((POLLWRBAND) == (0x0100), "POLLWRBAND != 0x0100");
   ^~~~~~~~~~~~~
  ./static_assert.h:40:24: error: static assertion failed: "POLLREMOVE != 0x0800"
   # define static_assert _Static_assert
                          ^
  xlat/pollflags.h:117:1: note: in expansion of macro ‘static_assert’
   static_assert((POLLREMOVE) == (0x0800), "POLLREMOVE != 0x0800");
   ^~~~~~~~~~~~~
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> | 
|  | I've got several patches to fix ltp/openmp/uclibc-ng-test testcase failures on
c-sky.
- fix an ltp testcase.
- fix the problem that pthread create will fail when libomp is linked before
  libc: the variable pagesize is not initialized.
- fix tst-cancel4 and tst-cancel16.  tst-cancelx4 and tst-cancelx16 still fail
  with this patch applied; the cleanup handler is not called for open/creat/fcntl,
  something seems wrong with unwind, I haven't checked the root cause yet. | 
|  | Fix issues with aarch64 and df with mismatching header between kernel
and libc. | 
|  | On Linux/MIPS (O32 ABI), a system call has two result registers: v0 and a3.
v0 contains the actual syscall result on success or the error number on failure; a3 is set to 0/1
to indicate syscall success/failure (if a3 == 1, v0 contains errno).
Now as we can see from the definition of handle_sys (arch/mips/kernel/scall32-o32.S),
the handler treats values returned by the syscall function (let's call them "original") in the
range [-EMAXERRNO; 0[ as -errno: a3 is set to 1 and the final value returned (to userspace)
is (-original).
INLINE_SYSCALL_NOERR_NCS defined in mips/bits/syscalls.h will handle
this behaviour.
Signed-off-by: Volodymyr Boyko <boyko.cxx@gmail.com> | 
|  | * ldso/ldso/arm/aeabi_read_tp.S: Add Thumb version.
	* ldso/ldso/arm/dl-startup.h: Do not force ARM encoding, adjust
	for Thumb.
	* ldso/ldso/arm/resolve.S: Force Thumb encoding on Thumb-only
	processors.
	* libc/sysdeps/linux/arm/crt1.S: Do not force ARM encoding, adjust
	for Thumb.
Signed-off-by: Mickaël Guêné <mickael.guene@st.com>
Signed-off-by: Christophe Lyon <christophe.lyon@st.com> | 
|  | Added in kernel 3.10 in
1ff3c9677bff ("timekeeping: Add CLOCK_TAI clockid").
NOTE: CLOCK_SGI_CYCLE was not added, as it has recently been removed.
Signed-off-by: Petr Vorel <petr.vorel@gmail.com> | 
|  | This should have been made in commit 9649721950 but was forgotten.
Signed-off-by: Carlos Santos <casantos@datacom.com.br> | 
|  | Signed-off-by: Guo Ren <ren_guo@c-sky.com> | 
|  | The original from glibc received the end of the buffer and worked
backwards. Ours needs the beginning of the buffer.
Signed-off-by: Segev Finer <segev208@gmail.com> | 
|  | Calling getpid() in INTERNAL_SYSCALL will break the argument regs,
because gcc couldn't save the destroyed regs for the system call asm.
Referring to glibc, we can just remove all the check code.
Signed-off-by: Guo Ren <ren_guo@c-sky.com> | 
|  | Match glibc behavior.
	* libc/stdlib/stdlib.c (mbtowc): Fix end of string behavior.
Signed-off-by: Mickaël Guêné <mickael.guene@st.com>
Signed-off-by: Christophe Lyon <christophe.lyon@st.com> | 
|  | In case __nptl_nthreads is not defined in the final binary, avoid
dereferencing the address since it's null. Anyway, this means there is
no other thread and so we must exit.
	* libc/misc/internals/__uClibc_main.c (__uClibc_main): Handle case
	where &__nptl_nthreads is null.
Signed-off-by: Mickaël Guêné <mickael.guene@st.com>
Signed-off-by: Christophe Lyon <christophe.lyon@st.com> | 
|  | * libc/stdlib/system.c (FORK): Map to vfork if __ARCH_USE_MMU__
	is defined.
Signed-off-by: Mickaël Guêné <mickael.guene@st.com>
Signed-off-by: Christophe Lyon <christophe.lyon@st.com> | 
|  | Change clone.S so that in FDPIC case we take into account the fact
that we are given a function descriptor.
	* libc/sysdeps/linux/arm/clone.S (__clone): Support __FDPIC__.
Signed-off-by: Mickaël Guêné <mickael.guene@st.com>
Signed-off-by: Christophe Lyon <christophe.lyon@st.com> |