Age | Commit message (Collapse) | Author |
|
Safe-Linking alignment checks should be done on the user's buffer and not
the mchunkptr. The new check adds support for cases in which:
MALLOC_ALIGNMENT != 2*(sizeof(size_t))
The default case for both 32 bits and 64 bits was already supported, and
this patch adds support for the described irregular case.
|
|
|
|
Safe-Linking is a security mechanism that protects single-linked
lists (such as the fastbins) from being tampered by attackers. The
mechanism makes use of randomness from ASLR (mmap_base), and when
combined with chunk alignment integrity checks, it protects the
pointers from being hijacked by an attacker.
While Safe-Unlinking protects double-linked lists (such as the small
bins), there wasn't any similar protection for attacks against
single-linked lists. This solution protects against 3 common attacks:
* Partial pointer override: modifies the lower bytes (Little Endian)
* Full pointer override: hijacks the pointer to an attacker's location
* Unaligned chunks: pointing the list to an unaligned address
The design assumes an attacker doesn't know where the heap is located,
and uses the ASLR randomness to "sign" the single-linked pointers. We
mark the pointer as P and the location in which it is stored as L, and
the calculation will be:
* PROTECT(P) := (L >> PAGE_SHIFT) XOR (P)
* *L = PROTECT(P)
This way, the random bits from the address L (which start at the bits
in the PAGE_SHIFT position), will be merged with the LSB of the stored
protected pointer. This protection layer prevents an attacker from
modifying the pointer into a controlled value.
An additional check that the chunks are MALLOC_ALIGNed adds an
important layer:
* Attackers can't point to illegal (unaligned) memory addresses
* Attackers must guess correctly the alignment bits
On standard 32 bit Linux machines, an attacker will directly fail 7
out of 8 times, and on 64 bit machines it will fail 15 out of 16
times.
The proposed solution adds 3-4 asm instructions per malloc()/free()
and therefore has only minor performance implications if it has
any. A similar protection was added to Chromium's version of TCMalloc
in 2013, and according to their documentation the performance overhead
was less than 2%.
Signed-off-by: Eyal Itkin <eyalit@checkpoint.com>
|
|
It fixes tst-signal6 and friends.
Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com>
|
|
It fixes tst-cancel1 and friends.
Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com>
|
|
It fixes:
FAIL sem got 1 expected 0
failed: incorrect sem_nsems!
semget(IPC_CREAT) = 0
semctl(k) = 0
sem_nsems = 0
for aarch64.
Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com>
|
|
Similar to glibc commit
https://sourceware.org/git/?p=glibc.git;a=commit;h=6bbfc5c09fc5b5e3d4a0cddbbd4e2e457767dae7
we need to handle Linux kernel change, which removed stat64 family from default syscall set.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Waldemar Brodkorb <wbrodkorb@conet.de>
|
|
map_newlink() may abort when interface list changed between netlink
request for getting interfaces and getting addresses. This commit is
ported from the same change from glibc commit.
Signed-off-by: Vincent Hou <vincent.houyi@gmail.com>
|
|
Avoid calling select with empty sets which hangs the process
This makes uClibc-ng act like glibc and musl
Without this fix the test_poll of python3 testsuite hangs forever
Scenario of the issue:
If you call poll with only invalid file descriptors, like in python3
testsuite
(https://github.com/python/cpython/blob/master/Lib/test/test_poll.py#L83)
You will go through uClibc poll emulation code, which is based on
select syscall.
Your first call to select will fail, it will return -1 and errno will be
set to EBADF: https://github.com/wbx-github/uclibc-ng/blob/master/libc/sysdeps/linux/common/poll.c#L120
Then you will go through the for loop which tests individually each file descriptor by calling
select on each one: https://github.com/wbx-github/uclibc-ng/blob/master/libc/sysdeps/linux/common/poll.c#L163
each call will also return -1 with errno being equal to EBADF.
Therefore all pollfd will have the POLLNVAL flag in their respective revents field.
And, the most important, rset/wset/xset will stay empty.
Then the for loop ends, the "continue" makes the while loop run again.
The following select() is run again: https://github.com/wbx-github/uclibc-ng/blob/master/libc/sysdeps/linux/common/poll.c#L120
But this time the sets are empty.
If the poll was called with timeout set to -1, this select will hang forever because there is no timeout
and the sets are empty so no event will ever wake it up.
test program:
int main(void)
{
struct pollfd pfd;
int ret;
int pipe_fds[2];
pipe(pipe_fds);
close(pipe_fds[0]);
close(pipe_fds[1]);
pfd.fd = pipe_fds[0];
pfd.events = POLLIN | POLLOUT | POLLPRI;
pfd.revents = 0;
ret = poll(&pfd, 1, -1);
printf("ret: %d\n", ret);
if (ret < 0)
printf("error: %s", strerror(errno));
else {
puts("revents: ");
if (pfd.revents & POLLERR)
printf(" POLLERR");
if (pfd.revents & POLLHUP)
printf(" POLLHUP");
if (pfd.revents & POLLNVAL)
printf(" POLLNVAL");
puts("");
}
return 0;
}
This hangs on uClibc-ng aarch64 and Kalray's arch (kv3) but does the following on musl and glibc:
"
ret: 1
revents:
POLLNVAL
"
strace output of this program with uClibc *without* the patch applied:
pselect6(4, [3], [3], [3], NULL, NULL) = -1 EBADF (Bad file descriptor)
pselect6(4, [3], [3], [3], {tv_sec=0, tv_nsec=0}, NULL) = -1 EBADF (Bad file descriptor)
pselect6(0, 0x7ffffffb80, 0x7ffffffb68, 0x7ffffffb50, NULL, NULL
(never finishes)
strace output of this program with uClibc *with* the patch applied:
pselect6(4, [3], [3], [3], NULL, NULL) = -1 EBADF (Bad file descriptor)
pselect6(4, [3], [3], [3], {tv_sec=0, tv_nsec=0}, NULL) = -1 EBADF (Bad file descriptor)
write(1, "ret: 1\n", 7ret: 1
) = 7
write(1, "revents: \n", 10revents:
) = 10
write(1, " POLLNVAL\n", 10 POLLNVAL
) = 10
exit_group(0) = ?
+++ exited with 0 +++
|
|
The getenv() library call can trap under certain conditions. It compares the
passed in environment variable name (var) with the name=variables (*ep) in the
environment area and returns a pointer to the value in the environment if it
exists. To accomplish this, it does a memcmp() using the length of the passed
in name (len) for each environment variable (*ep) against the passed in name (
var). So memcmp will attempt to scan both strings for len bytes. However, if
for some reason, len is equal to or greater than 16 and longer than the length
of the *ep in the environment and the *ep resides near the end of a page
boundary while the next page is not present or mapped, the memcmp could trap
with a sigsegv error while continuing the scan with the optimization
read-ahead. However, if strncmp is used instead, there is no problem since both
source and destination scanning will stop when either reaches a terminating
NULL
|
|
Hi,
This diff fixes a typo in the PTRACE_EVENT_SECCOMP event code.
The typo itself was introduced in 2012 when syncing with glibc header
files and was itself fixed in 2013 in the glibc headers.
|
|
basically from or1k port of uClibc-ng, with fixes for structures in
pthreadtypes.h from 64 bit architectures.
18 testsuite failures counted.
|
|
|
|
|
|
|
|
The return type of syscall() is long so __syscall_error, which is jumped
to by syscall handlers to stash an error number into errno, must return
long too otherwhise it returs 4294967295L instead of -1L. For example,
syscall for x86_64 is defined in libc/sysdeps/linux/x86_64/syscall.S as
syscall:
movq %rdi, %rax /* Syscall number -> rax. */
movq %rsi, %rdi /* shift arg1 - arg5. */
movq %rdx, %rsi
movq %rcx, %rdx
movq %r8, %r10
movq %r9, %r8
movq 8(%rsp),%r9 /* arg6 is on the stack. */
syscall /* Do the system call. */
cmpq $-4095, %rax /* Check %rax for error. */
jae __syscall_error /* Branch forward if it failed. */
ret /* Return to caller. */
In libc/sysdeps/linux/x86_64/__syscall_error.c, __syscall_error is
defined as
int __syscall_error(void) attribute_hidden;
int __syscall_error(void)
{
register int err_no __asm__ ("%rcx");
__asm__ ("mov %rax, %rcx\n\t"
"neg %rcx");
__set_errno(err_no);
return -1;
}
So __syscall_error returns -1 as a 32-bit int in a 64-bit register, %rax
(0x00000000ffffffff, whose decimal value is decimal 4294967295) and a
test like this always returns false:
if (syscall(number, ...) == -1)
foo();
Fix the error by making __syscall_error return a long, like syscall().
The problem can be circumvented by the caller by coercing the returned
value to int before comparing it to -1:
if ((int) syscall(number, ...) == -1)
foo();
The same problem probably occurs on other 64-bit systems but so far only
x86_64 was tested, so this change must be considered experimental.
Signed-off-by: Carlos Santos <unixmania@gmail.com>
|
|
(gdb) print offsetof(struct __jmp_buf_tag, __mask_was_saved)
$12 = (int *) 0x1f0
using https://stackoverflow.com/a/39663128/2171120
|
|
Update from linux/arch/sparc/include/uapi/asm/uctx.h
|
|
|
|
|
|
This symbol was causing a build failure with the new toolchain. It
looks like it has always been wrong.
The main issue was checking for PIC rather than __PIC__.
Remove all PSEUDO_* macros and ther SYSCALL_ERROR_NAME macro as they are
not needed by uclibc-ng, they are used in glibc for building up syscalls
there, but not here.
Fixes error:
/opt/shorne/software/or1k-linux/bin/../lib/gcc/or1k-linux/9.0.1/../../../../or1k-linux/bin/ld: libc/libc_so.a(or1k_clone.os): pc-relative relocation against dynamic symbol __syscall_error
/opt/shorne/software/or1k-linux/bin/../lib/gcc/or1k-linux/9.0.1/../../../../or1k-linux/bin/ld: final link failed: bad value
Signed-off-by: Stafford Horne <shorne@gmail.com>
|
|
The internal heap structures were not protected properly in
memalign(). If multiple threads were concurrently allocating memory and
one of them were requesting aligned memory via valloc,memalign or
posix_memalign the internal heap data structures could be corrupted.
Signed-off-by: Kjetil Oftedal <oftedal@gmail.com>
|
|
This patch fixes the incorrect guard by __USE_MISC of struct winsize and
struct termio in powerpc termios header. Current states leads to build
failures if the program defines _XOPEN_SOURCE, but not _DEFAULT_SOURCE
or either _BSD_SOURCE or _SVID_SOURCE. Without any definition,
__USE_MISC will not be defined and neither the struct definitions.
This patch copies the default Linux ioctl-types.h by adjusting only the
character control field (c_cc) size in struct termio.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
[Vadim: adopted for uclibc ]
|
|
This is a follow up to an incorrect fix for memmove() problem in:
commit 785dee78552f9ad06819bf7eb1adc05b43110842
Author: Petar Jovanovic <petar.jovanovic@rt-rk.com>
Date: Mon May 6 13:29:02 2019 +0000
mips: fix memmove() call when __ARCH_HAS_BWD_MEMCPY__ is not defined
Calling memcpy from memmove should be skipped in two cases:
a) if arch's memcpy uses a backward copying (e.g. SH4)
b) if arch's memcpy is not fully safe for overlapping regions (MIPS)
Signed-off-by: Petar Jovanovic <petar.jovanovic@rt-rk.com>
|
|
We don't support shared libraries and thus _init/_fini. But loading
nommu binaries blows they aren't cleared, so do that.
Signed-off-by: Christoph Hellwig <hch@lst.de>
|
|
This avoids a nommu build failure.
Signed-off-by: Christoph Hellwig <hch@lst.de>
|
|
There is no opendir64(), thus even programs built for 64-bit off_t
use opendir(). Before this change, internally opendir() uses fstat(),
with the following breakage if some of struct stat fields are too narrow:
$ strace ls -l
execve("/busybox/ls", ["ls", "-l"], 0x7ffcdc43ede8 /* 16 vars */) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
getuid32() = 0
time([1551486393 /* 2019-03-02T00:26:33+0000 */]) = 1551486393 (2019-03-02T00:26:33+0000)
ioctl(0, TIOCGWINSZ, {ws_row=38, ws_col=120, ws_xpixel=0, ws_ypixel=0}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
brk(NULL) = 0x9768000
brk(0x9769000) = 0x9769000
lstat64(".", 0xffa6e374) = 0
open(".", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, 0xffa6e378) = -1 EOVERFLOW (Value too large for defined data type)
See https://bugs.busybox.net/show_bug.cgi?id=11651
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
|
|
When arch (such as MIPS) does not define __ARCH_HAS_BWD_MEMCPY__, memmove()
calls memcpy() which is wrong for overlapping regions.
Signed-off-by: Petar Jovanovic <petar.jovanovic@rt-rk.com>
|
|
uClibc-ng don't build with gcc 9.1 [1] due to a new check that
"catch illegal asm constraint usage" [2].
gcc 9.1 print this error:
"invalid hard register usage between earlyclobber operand and input operand"
The asm constraint is present in uClibc since it support sparc (back in 2002)[3].
Note: There is no such constraint is Glibc counterpart code [4].
[1] https://gitlab.com/kubu93/toolchains-builder/-/jobs/205435757
[2] https://github.com/gcc-mirror/gcc/commit/b782636f28f5c378897c238081d28d7a4a6ca578
[3] https://cgit.uclibc-ng.org/cgi/cgit/uclibc-ng.git/commit/?id=3b6d086531102b6d09ce852feb1e370d5dca3ce9
[4]
+https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/sparc/sysdep.h;h=981b2a26b7a91093f821c97876
+e55bc4be2d9f8a;hb=HEAD
|
|
preadv/pwritev don't provide separate version for 64-bit wide off_t,
and default to 32-bit wide off_t, which results in a mismatch between
declaration and definition for user programs built with
-D_FILE_OFFSET_BITS=64.
Make offset argument of both functions __off64_t.
This fixes test misc/tst-preadvwritev on xtensa.
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
|
|
xtensa assembler is capable of representing register loads with either
movi + addmi, l32r or const16, depending on the core configuration.
Don't use '.literal' and 'l32r' directly in the code, use 'movi' and let
the assembler relax them.
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
|
|
For ARCH where shared lib are not supported:
- SHARED is not set (!SHARED is true)
- __ARCH_HAS_NO_LDSO__ is set
so code inside #if !defined __ARCH_HAS_NO_LDSO__ && !defined SHARED
is compiled-out.
But without a call do _dl_aux_init(), _dl_phdr stays NULL and
__libc_setup_tls won't be able to allocate memory for the in-executable TLS
and also won't be able to load the initimage from ELF TLS segment.
This results in segfault when doing things like "errno = 0" like
in tst-cancel15.c for instance in uClibc-ng testsuite.
Signed-off-by: Yann Sionneau <ysionneau@kalray.eu>
|
|
--000000000000cb1b1305827e5ae0
Content-Type: text/plain; charset="UTF-8"
Hi,
Current version of uClibc-ng has issue in open_memstream() function.
If the cookie variable is NULL (due malloc() fail) then null pointer is
dereferenced after if block.
The attached patch fixes this issue.
--
Best regards,
Eugene
<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hi,<div><br></div><div>Current version of uClibc-ng has issue in open_memstream() function.</div><div>If the cookie variable is NULL (due malloc() fail) then null pointer is dereferenced after if block.</div><div><br></div><div>The attached patch fixes this issue.<br clear="all"><div>-- <br></div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div><span><div>Best regards,<br></div>Eugene</span></div></div></div></div></div></div></div></div></div>
|
|
Old version manages strings the regular way (i.e. counting on zero-ended
sequences). In fact strings captured from the /etc/ethers file are
'\n'-ended. So, for example, using strchr function could lead to buffer
overflow.
Reported-by: "Andrey V. Zhmurin" <zhmurin_a@mcst.ru
|
|
Definitions of POLLWRNORM, POLLWRBAND and POLLREMOVE in xtensa linux
kernel are non-standard. Provide bits/poll.h with correct values for
these constants.
This fixes the following strace build errors:
In file included from xlat/pollflags.h:4:0,
from poll.c:34:
./static_assert.h:40:24: error: static assertion failed: "POLLWRBAND != 0x0100"
# define static_assert _Static_assert
^
xlat/pollflags.h:75:1: note: in expansion of macro ‘static_assert’
static_assert((POLLWRBAND) == (0x0100), "POLLWRBAND != 0x0100");
^~~~~~~~~~~~~
./static_assert.h:40:24: error: static assertion failed: "POLLREMOVE != 0x0800"
# define static_assert _Static_assert
^
xlat/pollflags.h:117:1: note: in expansion of macro ‘static_assert’
static_assert((POLLREMOVE) == (0x0800), "POLLREMOVE != 0x0800");
^~~~~~~~~~~~~
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
|
|
I've got several patches to fix ltp/openmp/uclibc-ng-test testcase fail on
c-sky.
- fix a ltp testcase.
- fix the problem that pthread creat will fail when libomp is linked before
libc, the variable pagesize is not init.
- fix tst-cancel4 and tst-cancel16. tst-cancelx4 and tst-cancelx16 still fail
with this patch applied, cleanup handler is not called for open/creat/fcntl,
seems some thing wrong with unwind, I haven't check the rootcause yet.
|
|
Fix issues with aarch64 and df with mismatching header between kernel
and libc.
|
|
On Linux/MIPS (O32 ABI) for system call we have two result registers - v0 and a3.
v0 contains actual syscall result on success or error number on fail, a3 set to 0/1
for indicating syscall success/fail. (if a3 == 1, v0 contains errno).
Now as we can see from definition of handle_sys (arch/mips/kernel/scall32-o32.S),
handler treats returned by syscall function (let's call "original") values in
range [-EMAXERRNO; 0[ as -errno, a3 is set to 1 and final returned (to userspace)
value is (-original).
INLINE_SYSCALL_NOERR_NCS defined in mips/bits/syscalls.h will handle
this behaviour.
Signed-off-by: Volodymyr Boyko <boyko.cxx@gmail.com>
|
|
* ldso/ldso/arm/aeabi_read_tp.S: Add Thumb version.
* ldso/ldso/arm/dl-startup.h: Do not force ARM encoding, adjust
for Thumb.
* ldso/ldso/arm/resolve.S: Force Thumb encoding on Thumb-only
processors.
* libc/sysdeps/linux/arm/crt1.S: Do not force ARM encoding, adjust
for Thumb.
Signed-off-by: Mickaël Guêné <mickael.guene@st.com>
Signed-off-by: Christophe Lyon <christophe.lyon@st.com>
|
|
Added in kernel in kernel 3.10 in
1ff3c9677bff ("timekeeping: Add CLOCK_TAI clockid")
NOTE: CLOCK_SGI_CYCLE was not added, as it has been lately removed.
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
|
|
This should have been made in commit 9649721950 but was forgotten.
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
|
|
|
|
Signed-off-by: Guo Ren <ren_guo@c-sky.com>
|
|
The original from glibc received the end of the buffer and worked
backwards. Ours needs the beginning of the buffer.
Signed-off-by: Segev Finer <segev208@gmail.com>
|
|
Call getpid() in INTERNAL_SYSCALL will break the argument regs,
because gcc couldn't save destoryed regs for system call asm.
Ref to glibc, we could just remove all the check code.
Signed-off-by: Guo Ren <ren_guo@c-sky.com>
|
|
Match glibc behavior.
* libc/stdlib/stdlib.c (mbtowc): Fix end of string behavior.
Signed-off-by: Mickaël Guêné <mickael.guene@st.com>
Signed-off-by: Christophe Lyon <christophe.lyon@st.com>
|
|
In case __nptl_nthreads is not defined in the final binary then avoid
dereferencing the address since it's null. Anyway this means there is
no other thread and so we must exit.
* libc/misc/internals/__uClibc_main.c (__uClibc_main): Handle case
where &__nptl_nthreads is null.
Signed-off-by: Mickaël Guêné <mickael.guene@st.com>
Signed-off-by: Christophe Lyon <christophe.lyon@st.com>
|
|
* libc/stdlib/system.c (FORK): Map to vfork if __ARCH_USE_MMU__
is defined.
Signed-off-by: Mickaël Guêné <mickael.guene@st.com>
Signed-off-by: Christophe Lyon <christophe.lyon@st.com>
|
|
Change clone.S so that in FDPIC case we take into account the fact
that we are given a function descriptor.
* libc/sysdeps/linux/arm/clone.S (__clone): Support __FDPIC__.
Signed-off-by: Mickaël Guêné <mickael.guene@st.com>
Signed-off-by: Christophe Lyon <christophe.lyon@st.com>
|
|
* libc/misc/internals/__uClibc_main.c (funcdesc_value): New.
(fdpic_init_array_jump): New.
(__uClibc_fini): Support __FDPIC__.
(__uClibc_main): Likewise.
Signed-off-by: Mickaël Guêné <mickael.guene@st.com>
Signed-off-by: Christophe Lyon <christophe.lyon@st.com>
|