* posix/execvpe.c (__execvpe_common): Since strnlen doesn't inspect
beyond NAME_MAX and NAME_MAX does not cover the NUL, we need
to explicitly check for the NUL. I.e. the existing check for,
file_len-1 > NAME_MAX, was never true. This check is required
so that we're guaranteed that file_len includes the NUL, as we
depend on that in the following memcpy to properly terminate
the file buffer passed to execve(). Otherwise that call will trigger
UMR when inspecting the passed file, which can be seen with valgrind.
Note returning ENAMETOOLONG early here for FILE names > NAME_MAX
will also avoid redundant processing of ENAMETOOLONG on each entry
in $PATH, after the change in [BZ #33626] is applied.
Reviewed-by: Collin Funk <collin.funk1@gmail.com>
The clang default to warning for missing fall-through and it does
not support all comment-like annotation that gcc does. Use C23
[[fallthrough]] annotation instead.
proper attribute instead.
Reviewed-by: Collin Funk <collin.funk1@gmail.com>
The setrlimit(2) function returns 0 on success and -1 on error, but
several test files were incorrectly checking for a return value of 1
to detect errors. This means the error checks would never trigger,
causing tests to continue silently even when setrlimit() failed.
This commit fixes the error checks in five files to correctly test
for -1, matching both the documented behavior and the pattern used
correctly in other parts of the codebase.
Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
Reviewed-by: Collin Funk <collin.funk1@gmail.com>
Found by Coverity in Gnulib.
* posix/glob.c (__glob): Add scratch_buffer_free invocation, to match
scratch_buffer_init invocation.
Reviewed-by: Collin Funk <collin.funk1@gmail.com>
* posix/glob.c (__glob): Strip trailing slashes before the recursive
call, so it is not called for every slash in the pattern.
* posix/tst-glob-bz30635.c: Add two test cases that would previously
segmentation fault. The first test has many trailing slashes and the
second has many slashes following a wildcard character.
* posix/Makefile (tests): Add the new test.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
The struct shmdir_name in include/shm-directory.h has name field to
contains the full path of the POSIX IPC object (shm and sem).
The size was previously set to sizeof (SHMDIR) + 4 + NAME_MAX, where 4
bytes were reserved for the optional "sem." prefix.
This led to incorrect execution of the __shm_get_name function
in posix/shm-directory.c which is used accross in shm_[open/unlink] and
sem_[open/unlink] functions.
For shm_[open/unlink]:
This is because the name field was large enough to hold 268 characters
(255 + 4 + 9) instead of the maximum allowed 263 characters (255 + 9).
This caused the __shm_get_name to not throw ENAMETOOLONG error when the
name length exceeded NAME_MAX (255) upto 259 characters.
For sem_[open/unlink]:
Similarly, the __shm_get_name incorrectly returned success for names of
length 255 instead of 251 (255 - 4).
This was overlooked as finally these functions throw the correct
ENAMETOOLONG error; which was thrown by the openat syscall, which is
called later in the shm_* and sem_* functions.
This patch corrects the size of name field in struct shmdir_name to
sizeof (SHMDIR) + NAME_MAX. The __shm_get_name function return
ENAMETOOLONG if alloc_buffer_has_failed returns true (which only happens
when copy length > alloc_buffer_size (buffer)).
Relevant runtime monitoring were done in gdb to confirm the same.
Signed-off-by: Prasanna Paithankar <paithankarprasanna@gmail.com>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
It now calls __libc_assert, which contains similar logic. The assert
call only requires memory allocation for the message translation, so
test-assert2.c is adapted to handle it.
It also removes the fxprintf from assert/assert_perror; although it
is not 100% backwards-compatible (write message only if there is a
file descriptor associated with the stderr). It now writes bytes
directly without going through the wide stream state.
Checked on aarch64-linux-gnu.
Reviewed-by: Florian Weimer <fweimer@redhat.com>
Mode 0777 should be used for directories only because it results
in executable entries (after typical umasks are applied).
Reviewed-by: Arjun Shankar <arjun@redhat.com>
If a memory allocation failure occurs during bracket expression
parsing in regcomp, a double-free error may result.
Reported-by: Anastasia Belova <abelova@astralinux.ru>
Co-authored-by: Paul Eggert <eggert@cs.ucla.edu>
Reviewed-by: Andreas K. Huettel <dilfridge@gentoo.org>
The iovec size should account for all substrings between each conversion
specification. For the format:
"abc %s efg"
The list of substrings are:
["abc ", arg, " efg]
which is 2 times the number of maximum arguments *plus* one.
This issue triggered 'out of bounds' errors by stdlib/tst-bz20544 when
glibc is built with experimental UBSAN support [1].
Besides adjusting the iovec size, a new runtime and check is added to
avoid wrong __libc_message_impl usage.
Checked on x86_64-linux-gnu.
[1] https://sourceware.org/git/?p=glibc.git;a=shortlog;h=refs/heads/azanella/ubsan-undef
Co-authored-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
The master branch started to enable some warnings due to optimization
that were only triggered with -Os [1]. Enable the suppression regardless
of optimization level.
Checked on aarch64-linux-gnu build.
[1] https://gcc.gnu.org/pipermail/gcc-regression/2025-June/082378.html
Reviewed-by: Sam James <sam@gentoo.org>
Reviewed-by: Collin Funk <collin.funk1@gmail.com>
* posix/glob.h (glob_pattern_p): Add __nonnull ((1)) since this function
expects a string and does not check for NULL.
Signed-off-by: Collin Funk <collin.funk1@gmail.com>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Remove Changelog entries that use 'blacklist' or 'master' in the
test data. The test data still contains enough accented characters
to serve the purposes of the posix/tst-regex.c test.
Reviewed-by: Florian Weimer <fweimer@redhat.com>
There is a spelling mistake in a test filename. Fix it.
Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
This helps with statically interposing getenv.
Updates commit 7a61e7f557
("stdlib: Make getenv thread-safe in more cases").
Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
Rewriting the cpuset macros test to cover more use cases and port the
tests to the new test infrastructure.
The use cases include bad actor access attempts, before and after the
CPU set structure.
Reviewed-by: Tulio Magno Quites Machado Filho <tuliom@redhat.com>
Some applications set environ to a heap-allocated pointer, call
setenv (expecting it to call realloc), free environ, and then
restore the original environ pointer. This breaks after
commit 7a61e7f557 ("stdlib: Make
getenv thread-safe in more cases") because after the setenv call,
the environ pointer does not point to the start of a heap allocation.
Instead, setenv creates a separate allocation and changes environ
to point into that. This means that the free call in the application
results in heap corruption.
The interim approach was more compatible with other libcs because
it does not assume that the incoming environ pointer is allocated
as if by malloc (if it was written by the application). However,
it seems to be more important to stay compatible with previous
glibc version: assume the incoming pointer is heap allocated,
and preserve this property after setenv calls.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Suppress Clang warning on adding an integer to a string, like:
tst-iconv-sticky-input-error.c:125:42: error: adding 'int' to a string does not append to the string [-Werror,-Wstring-plus-int]
125 | expected_output = "ABXY" + skip;
| ~~~~~~~^~~~~~
tst-iconv-sticky-input-error.c:125:42: note: use array indexing to silence this warning
125 | expected_output = "ABXY" + skip;
| ^
| & [ ]
Co-Authored-By: H.J. Lu <hjl.tools@gmail.com>
Reviewed-by: Sam James <sam@gentoo.org>
Although _chk functions are exported in libc.so.6, their prototypes aren't
provided. Their built versions are supported by compiler. Replace
__strcpy_chk with __builtin___strcpy_chk to silence Clang error:
./tst-gnuglob-skeleton.c:225:3: error: call to undeclared function '__strcpy_chk'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
225 | __strcpy_chk (dir->d.d_name, filesystem[dir->idx].name, NAME_MAX);
| ^
Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Use empty initializer to silence GCC 4.9 or older:
getaddrinfo.c: In function ‘gaih_inet’:
getaddrinfo.c:1135:24: error: missing braces around initializer [-Werror=missing-braces]
/ sizeof (struct gaih_typeproto)] = {0};
^
Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Reviewed-by: Sam James <sam@gentoo.org>
GCC 4.9 doesn't define __STDC_VERSION__ and issues an error:
In file included from ../include/regex.h:2:0,
from ../posix/re_comp.h:23,
from ../include/re_comp.h:1,
from /tmp/cih_test_7IKTRI.c:10:
../posix/regex.h:650:19: error: "__STDC_VERSION__" is not defined [-Werror=undef]
# elif 199901L <= __STDC_VERSION__ || defined restrict
^
Use "#else" instead.
Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Reviewed-by: Sam James <sam@gentoo.org>
Add braces to silence GCC 4.9 or older:
getaddrinfo.c: In function ‘gaih_inet’:
getaddrinfo.c:1135:24: error: missing braces around initializer [-Werror=missing-braces]
/ sizeof (struct gaih_typeproto)] = {0};
^
Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Reviewed-by: Sam James <sam@gentoo.org>
Fix variables in Makefiles:
1. There is a tab, not a space, between "variable" and =, +=, :=.
2. The last entry doesn't have a trailing \.
and sort them.
Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
popen modifies its file handler book-keeping under a lock that wasn't
being taken during fork. This meant that a concurrent popen and fork
could end up copying the lock in a "locked" state into the fork child,
where subsequently calling popen would lead to a deadlock due to the
already (spuriously) held lock.
This commit fixes the deadlock by appropriately taking the lock before
fork, and releasing/resetting it in the parent/child after the fork.
A new test for concurrent popen and fork is also added. It consistently
hangs (and therefore fails via timeout) without the fix applied.
Reviewed-by: Florian Weimer <fweimer@redhat.com>
The recursive lock used on abort does not synchronize with a new process
creation (either by fork-like interfaces or posix_spawn ones), nor it
is reinitialized after fork().
Also, the SIGABRT unblock before raise() shows another race condition,
where a fork or posix_spawn() call by another thread, just after the
recursive lock release and before the SIGABRT signal, might create
programs with a non-expected signal mask. With the default option
(without POSIX_SPAWN_SETSIGDEF), the process can see SIG_DFL for
SIGABRT, where it should be SIG_IGN.
To fix the AS-safe, raise() does not change the process signal mask,
and an AS-safe lock is used if a SIGABRT is installed or the process
is blocked or ignored. With the signal mask change removal,
there is no need to use a recursive loc. The lock is also taken on
both _Fork() and posix_spawn(), to avoid the spawn process to see the
abort handler as SIG_DFL.
A read-write lock is used to avoid serialize _Fork and posix_spawn
execution. Both sigaction (SIGABRT) and abort() requires to lock
as writer (since both change the disposition).
The fallback is also simplified: there is no need to use a loop of
ABORT_INSTRUCTION after _exit() (if the syscall does not terminate the
process, the system is broken).
The proposed fix changes how setjmp works on a SIGABRT handler, where
glibc does not save the signal mask. So usage like the below will now
always abort.
static volatile int chk_fail_ok;
static jmp_buf chk_fail_buf;
static void
handler (int sig)
{
if (chk_fail_ok)
{
chk_fail_ok = 0;
longjmp (chk_fail_buf, 1);
}
else
_exit (127);
}
[...]
signal (SIGABRT, handler);
[....]
chk_fail_ok = 1;
if (! setjmp (chk_fail_buf))
{
// Something that can calls abort, like a failed fortify function.
chk_fail_ok = 0;
printf ("FAIL\n");
}
Such cases will need to use sigsetjmp instead.
The _dl_start_profile calls sigaction through _profil, and to avoid
pulling abort() on loader the call is replaced with __libc_sigaction.
Checked on x86_64-linux-gnu and aarch64-linux-gnu.
Reviewed-by: DJ Delorie <dj@redhat.com>
Macros will automatically use the correct types, without
having to fiddle with internal glibc macros. It's also
impossible to get the types wrong due to aliasing because
support_check_stat_fd and support_check_stat_path do not
depend on the struct stat* types.
The changes reveal some inconsistencies in tests.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Remove local FAIL macro in favor to FAIL_RET from <support/check.h>,
which provides equivalent reporting, with the name of the file of the
failure site additionally included, for the tst-truncate-common core
shared between the tst-truncate and tst-truncate64 tests.
Reviewed-by: DJ Delorie <dj@redhat.com>
The conditionals for several mtrace-based tests in catgets, elf, libio,
malloc, misc, nptl, posix, and stdio-common were incorrect leading to
test failures when bootstrapping glibc without perl.
The correct conditional for mtrace-based tests requires three checks:
first checking for run-built-tests, then build-shared, and lastly that
PERL is not equal to "no" (missing perl).
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
If the pidfd_spawn/pidfd_spawnp helper process succeeds, but evecve
fails for some reason (either with an invalid/non-existent, memory
allocation, etc.) the resulting pidfd is never closed, nor returned
to caller (so it can call close).
Since the process creation failed, it should be up to posix_spawn to
also, close the file descriptor in this case (similar to what it
does to reap the process).
This patch also changes the waitpid with waitid (P_PIDFD) for pidfd
case, to avoid a possible pid re-use.
Checked on x86_64-linux-gnu.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
These are required by the upcoming POSIX standard and are available on
other platforms.
Link: https://austingroupbugs.net/view.php?id=339
Signed-off-by: Mohamed Akram <mohd.akram@outlook.com>
Reviewed-by: Arjun Shankar <arjun@redhat.com>
It was raised on libc-help [1] that some Linux kernel interfaces expect
the libc to define __USE_TIME_BITS64 to indicate the time_t size for the
kABI. Different than defined by the initial y2038 design document [2],
the __USE_TIME_BITS64 is only defined for ABIs that support more than
one time_t size (by defining the _TIME_BITS for each module).
The 64 bit time_t redirects are now enabled using a different internal
define (__USE_TIME64_REDIRECTS). There is no expected change in semantic
or code generation.
Checked on x86_64-linux-gnu, i686-linux-gnu, aarch64-linux-gnu, and
arm-linux-gnueabi
[1] https://sourceware.org/pipermail/libc-help/2024-January/006557.html
[2] https://sourceware.org/glibc/wiki/Y2038ProofnessDesign
Reviewed-by: DJ Delorie <dj@redhat.com>
It improve fortify checks for read, pread, pread64, readlink,
readlinkat, getcwd, getwd, confstr, getgroups, ttyname_r, getlogin_r,
gethostname, and getdomainname. The compile and runtime checks have
similar coverage as with GCC.
Checked on aarch64, armhf, x86_64, and i686.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
* posix/regex.c: [!_LIBC && __GNUC_PREREQ (4, 3)]:
Omit GCC pragmas no longer needed when this file is used as part of Gnulib.
-Wold-style-definition no longer needs to be ignored because the regex
code no longer uses old style definitions. -Wtype-limits no longer
needs to be ignored because Gnulib already arranges for it to be
ignored in the C compiler flags. This patch is taken from Gnulib.
I've updated copyright dates in glibc for 2024. This is the patch for
the changes not generated by scripts/update-copyrights and subsequent
build / regeneration of generated files.
Many applications still rely on this prototype. Rebuilds without
this prototype result in an implicit function declaration, which can
introduce security vulnerabilities due to 32-bit pointer truncation.
All the crypt related functions, cryptographic algorithms, and
make requirements are removed, with only the exception of md5
implementation which is moved to locale folder since it is
required by localedef for integrity protection (libc's
locale-reading code does not check these, but localedef does
generate them).
Besides thec code itself, both internal documentation and the
manual is also adjusted. This allows to remove both --enable-crypt
and --enable-nss-crypt configure options.
Checked with a build for all affected ABIs.
Co-authored-by: Zack Weinberg <zack@owlfolio.org>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
getnameinfo is an entry points for nss functionality. This commit moves
it from the 'inet' subdirectory to 'nss'. The corresponding Versions
entry is also moved from 'posix' into 'nss'.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
getaddrinfo is an entry point for nss functionality. This commit moves
it from 'sysdeps/posix' to 'nss', gets rid of the stub in 'posix', and
moves all associated tests as well.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Pádraig Brady
Collin Funk
Adhemerval Zanella
Osama Abdelkader
Bruno Haible
Prasanna Paithankar
Florian Weimer
Cœur
Carlos O'Donell
Colin Ian King
Frédéric Bérat
Paul Pluzhnikov
Paul Eggert
H.J. Lu
Alejandro Colomar
Arjun Shankar
Maciej W. Rozycki
Jan Kurik
Mohamed Akram