Rich Felker [Sun, 28 May 2017 01:36:00 +0000 (21:36 -0400)]
fix iconv conversions to legacy 8bit encodings
there was missing reverse-conversion logic for the case, handled
specially in the character set tables, where a byte represents a
unicode codepoint with the same value.
this patch adds code to handle the case, and refactors the two-level
10-bit table lookup for legacy character sets into a function to avoid
repeating it yet another time as part of the fix.
Rich Felker [Sun, 23 Apr 2017 00:45:16 +0000 (20:45 -0400)]
have posix_spawnattr_setflags check for supported flags
per POSIX, EINVAL is not a mandatory error, only an optional one. but
reporting unsupported flags allows an application to fallback
gracefully when a requested feature is not supported. this is not
helpful now, but it may be in the future if additional flags are
added.
had this checking been present before, applications would have been
able to check for the newly-added POSIX_SPAWN_SETSID feature (added in
commit
bb439bb17108b67f3df9c9af824d3a607b5b059d) at runtime.
Rich Felker [Sun, 23 Apr 2017 00:40:09 +0000 (20:40 -0400)]
add no-op POSIX_SPAWN_USEVFORK to spawn.h
the bit is reserved anyway for ABI-compat reasons; this documents it
and makes it so we can have posix_spawnattr_setflags check for flag
validity without hard-coding an anonymous bit value.
Bobby Bingham [Sun, 26 Mar 2017 19:50:37 +0000 (14:50 -0500)]
s390x: provide sigcontext struct definition
This structure was missed when creating the s390x port.
This is based on the report and patch from William Pitcock, but with a
modified structure defintion to more closely match the kernel's
definition.
Rich Felker [Sat, 22 Apr 2017 22:39:40 +0000 (18:39 -0400)]
implement new posix_spawn flag POSIX_SPAWN_SETSID
this functionality has been adopted for inclusion in the next issue of
POSIX as the result of Austin Group issue #1044.
based on patch by Daurnimator.
Rich Felker [Sat, 22 Apr 2017 21:48:37 +0000 (17:48 -0400)]
remove va_arg hacks in printf core with undefined behavior
the code being removed was written to optimize for size assuming the
compiler cannot collapse code paths for different types with the same
underlying representation. modern compilers sometimes succeed in
making this optimization themselves, but either way it's a small size
difference and not worth the source-level complexity or the UB
involved in this hack.
some incorrect use of va_arg still remains, particularly use of void *
where the actual argument has a different pointer type. fixing this
requires some actual code additions, rather than just removing cruft,
so I'm leaving it to be done later as a separate commit.
Rich Felker [Fri, 21 Apr 2017 21:41:10 +0000 (17:41 -0400)]
make ttyname[_r] return ENODEV rather than ENOENT
commit
0a950dcf15bb9f7274c804dca490e9e20e475f3e added checking that
the pathname a tty device was opened with actually matches the device,
which can fail to hold when a container inherits a tty from outside
the container. the error code added at the time was ENOENT; however,
discussions between affected applications and glibc developers
resulted in glibc adopting ENODEV as the error for this condition, and
this has now been documented in the man pages project as well. adopt
the same error code for consistency.
patch by Christian Brauner.
Rich Felker [Fri, 21 Apr 2017 21:34:26 +0000 (17:34 -0400)]
fix regression in support for resolv.conf attempts option
commit
d6cb08bcaca4ff1f921375510ca72bccea969c75 moved the code and
introduced an incorrect string offset for the new parsing, probably
due to a copy-and-paste error.
patch by Stefan Sedich.
Szabolcs Nagy [Mon, 3 Apr 2017 00:38:13 +0000 (02:38 +0200)]
fix scalbn when result is in the subnormal range
in nearest rounding mode scalbn could introduce double rounding error
when an intermediate value and the final result were both in the
subnormal range e.g.
scalbn(0x1.7ffffffffffffp-1, -1073)
returned 0x1p-1073 instead of 0x1p-1074, because the intermediate
computation got rounded to 0x1.8p-1023.
with the fix an intermediate value can only be in the subnormal range
if the final result is 0 which is correct even after double rounding.
(there still can be two roundings so signals may be raised twice, but
that's only observable with trapping exceptions which is not supported.)
Rich Felker [Fri, 21 Apr 2017 21:24:46 +0000 (17:24 -0400)]
allow full-range file offsets to mmap on archs with 64-bit syscall args
normally 32-bit archs use the mmap2 syscall and are limited to an
offset of 2^32 pages. however some 32-bit archs (mainly ILP32-on-64
ones like x32) have 64-bit syscall argument slots and thus can accept
the full range. don't artifically limit them.
Rich Felker [Wed, 12 Apr 2017 02:10:52 +0000 (22:10 -0400)]
fix dl_iterate_phdr in static PIE binaries
analogous to commit
5bf7eba213cacc4c1220627c91c28deff2ffecda, use of
AT_PHDR/PT_PHDR does not actually work to find the program base, and
the method with _DYNAMIC vs PT_DYNAMIC must be used as an alternative.
patch by Shiz, along with testing to confirm that this fixes unwinding
in static PIE.
Rich Felker [Wed, 12 Apr 2017 02:01:31 +0000 (22:01 -0400)]
fix read past end of buffer in getaddrinfo backend
due to testing buf[i].family==AF_INET before checking i==cnt, it was
possible to read past the end of the array, or past the valid part. in
practice, without active bounds/indeterminate-value checking by the
compiler, the worst that happened was failure to return early and
optimize out the sorting that's unneeded for v4-only results.
returning on i==cnt-1 rather than i==cnt would be an alternate fix,
but the approach this patch takes is more idiomatic and less
error-prone.
patch by Timo Teräs.
Szabolcs Nagy [Sun, 19 Mar 2017 04:26:45 +0000 (05:26 +0100)]
aarch64: add single instruction math functions
this should increase performance and reduce code size on aarch64.
the compiled code was checked against using __builtin_* instead
of inline asm with gcc-6.2.0.
lrint is two instructions.
c with inline asm is used because it is safer than a pure asm
implementation, this prevents ll{rint,round} to be an alias
of l{rint,round} (because the types don't match) and depends
on gcc style inline asm support.
ceil, floor, round, trunc can either raise inexact on finite
non-integer inputs or not raise any exceptions. the new
implementation does not raise exceptions while the generic
c code does.
on aarch64, the underflow exception is signaled before rounding
(ieee 754 allows both before and after rounding, but it must be
consistent), the generic fma c code signals it after rounding
so using single instruction fixes a slight conformance issue too.
Julien Ramseier [Tue, 21 Mar 2017 16:35:16 +0000 (12:35 -0400)]
fix strptime output for %C without %y
in this case, a potentially-uninitialized or unrelated existing value
in tm_year was being used. instead use 0 if %y was not present.
Julien Ramseier [Tue, 21 Mar 2017 16:30:45 +0000 (12:30 -0400)]
fix processing of strptime %p format
string pointer was not advanced after matching.
Julien Ramseier [Tue, 21 Mar 2017 16:30:03 +0000 (12:30 -0400)]
fix off-by-one in strptime %j
tm_yday range is 0-365 while %j is 1-366
Julien Ramseier [Tue, 21 Mar 2017 16:24:23 +0000 (12:24 -0400)]
regex: fix newline matching with negated brackets
With REG_NEWLINE, POSIX says:
"A <newline> in string shall not be matched by a period outside
a bracket expression or by any form of a non-matching list"
Rich Felker [Tue, 21 Mar 2017 16:13:59 +0000 (12:13 -0400)]
increase limit on locale name length from 15 to 23 bytes
the old limit was one byte too short to support locale names of the
form xx_XX.UTF-8@modifier where modifier is more than 3 bytes, a form
which various real-world locale names take. the problem could be
avoided by omitting the useless ".UTF-8" part, but users may need to
have it present when operating on mixed-libc systems or when it will
be carried over (e.g. across ssh) to other systems.
the new limit is chosen sufficient for existing/reasonable locale
names while still keeping the size of setlocale's static buffer small.
also add locale_impl.h to the Makefile's list of headers which force
rebuild of source files, to prevent dangerously inconsistent object
files from getting used after this change.
Rich Felker [Tue, 21 Mar 2017 12:59:48 +0000 (08:59 -0400)]
search locale name variants for gettext translations
often translations will be named only by language, whereas locale
names may also include a territory code, modifier, and codeset
portion. previously, only translations exactly matching the locale
name were loaded. this was a major usability issue, requiring
workarounds like symlinks or tweaking of the locale name.
with these changes, gettext now searches for translations by first
removing the codeset portion of the locale name, then trying the
remainder in full, with modifier (@mod) removed, with territory code
(_XX) removed, and with both removed.
part of the reason gettext lacked support for searching fallbacks
before is that the candidate pathname for a translation file was
constructed on each call and used as the key to lookup an
already-mapped translation file. this was very costly/inefficient. we
now use the tuple of textdomain binding pointer, locale map pointer,
and integer category id as the key for looking up a translation file
mapping.
based on patch by He X.
Rich Felker [Tue, 21 Mar 2017 12:54:19 +0000 (08:54 -0400)]
make setlocale return a single name for LC_ALL if all categories match
when called for LC_ALL, setlocale has to return a string representing
the state of all locale categories. the simplest way to do this was to
always return a delimited list of values for each category, but that's
not friendly in the fairly common case where all categories have the
same setting. He X proposed a patch to check for this case and return
a single name; this patch is a simplified approach to do the same.
Rich Felker [Tue, 21 Mar 2017 12:35:59 +0000 (08:35 -0400)]
fix dlopen/dlsym regression opening libs already loaded at startup
commit
4ff234f6cba96403b5de6d29d48a59fd73252040 erroneously changed
the condition for running certain code at dlopen time to check whether
the library was already relocated rather than whether it already had
its deps[] table filled. this was out of concern over whether the code
under the conditional would be idempotent/safe to call on an
already-loaded libraries. however, I missed a consideration in the
opposite direction: if a library was loaded at program startup rather
than dlopen, its deps[] table was not yet allocated/filled, and
load_deps needs to be called at dlopen time in order for dlsym to be
able to perform dependency-order symbol lookups.
in order to avoid wasteful allocation of lazy-binding relocation
tables for libraries which were already loaded and relocated at
startup, the check for !p->relocated is not deleted entirely, but
moved to apply only to allocation of these dables.
Rich Felker [Thu, 16 Mar 2017 00:27:38 +0000 (20:27 -0400)]
fix POSIX-format TZ dst transition times for southern hemisphere
the time of day at which daylight time switches over is specified in
local time in the dst state prior to the transition. the code for
handling this wrongly assumed it needed to switch whether dst or
standard offset is applied to the transition time when the dst end
date is before the dst start date (souther hemisphere summer), but in
fact the end transition time should always be adjusted for dst, and
the start transition time should always be adjusted for standard time.
Tuan M. Hoang [Tue, 14 Mar 2017 20:44:04 +0000 (16:44 -0400)]
s390x: fix fpreg_t and remove unused per_struct
Including sys/procfs.h complains unknown type name 'fpreg_t' in
bits/user.h. fpreg_t in bits/signal.h and elf_fpreg_t in bits/user.h
are practically the same.
per_struct is never used, even conflicts with kernel header
asm/ptrace.h
Rich Felker [Wed, 15 Mar 2017 20:50:19 +0000 (16:50 -0400)]
precalculate gnu hash rather than doing it lazily in find_sym inner loop
this change was suggested based on testing done by Timo Teräs almost
two years ago; the branch (and probably call prep overhead) in the
inner loop was found to contribute noticably to total symbol lookup
time. this change will make lookup slightly slower if libraries were
built with only the traditional "sysv" ELF hash table, but based on
how much slower lookup tends to be without the gnu hash table, it
seems reasonable to assume that (1) users building without gnu hash
don't care about dynamic linking performance, and (2) the extra time
spent computing the gnu hash is likely to be dominated by the slowness
of the sysv hash table lookup anyway.
Szabolcs Nagy [Wed, 15 Mar 2017 01:55:49 +0000 (02:55 +0100)]
fix threshold constants in j0f, y0f, j1f, y1f
partly following freebsd rev 279491
https://svnweb.freebsd.org/base?view=revision&revision=279491
(musl had some of the fixes before freebsd).
the change should not matter much for j0f, y0f, but it improves
j1f and y1f in [2.5,~3.75] (that is [0x40200000,~0x40700000]).
near roots (e.g. around 3.8317 for j1f) there are still large
ulp errors.
dropped code that tried to raise inexact.
Rich Felker [Tue, 14 Mar 2017 23:00:02 +0000 (19:00 -0400)]
remove unused refcnt field for shared libraries
Rich Felker [Tue, 14 Mar 2017 22:51:27 +0000 (18:51 -0400)]
avoid loading of multiple libc versions via explicit pathname
such loading is unsafe, and can happen when programs use their own
logic to locate a .so file then pass the absolute pathname to dlopen,
or if an absolute pathname ends up in DT_NEEDED headers. multiple
loads with only the base name were already precluded, provided libc
was named appropriately, by special-casing standard library names.
one function symbol (in the reserved namespace, but public, since it's
part of the crt1 entry point ABI) and one data symbol are checked.
this way we avoid likely false positives, particularly from libraries
interposing and wrapping functions. there is no hard requirement to
avoid breaking such usage, since trying to run a hook before libc is
even initialized is not a supported usage case, but it's friendlier
not to break things.
Rich Felker [Tue, 14 Mar 2017 19:13:16 +0000 (15:13 -0400)]
fix one-byte overflow in legacy getpass function
if the length of the input was equal to the buffer size (128), a fixed
value of zero was written one byte past the end of the static buffer.
Rich Felker [Tue, 14 Mar 2017 19:06:58 +0000 (15:06 -0400)]
fix wide scanf's use of a compound literal past its lifetime
Rich Felker [Tue, 14 Mar 2017 18:31:34 +0000 (14:31 -0400)]
fix possible fd leak, unrestored cancellation state on dns socket fail
Rich Felker [Tue, 14 Mar 2017 18:29:50 +0000 (14:29 -0400)]
in static dl_iterate_phdr, fix use of possibly-uninitialized aux data
this could only happen if an incomplete auxv was passed into the
program, but it's better to just initialize the data anyway.
Rich Felker [Tue, 14 Mar 2017 18:18:07 +0000 (14:18 -0400)]
fix free of uninitialized buffer pointer on error in regexec
the fix in commit
c3edc06d1e1360f3570db9155d6b318ae0d0f0f7 for
CVE-2016-8859 used gotos to exit on overflow conditions, but the code
in that error path assumed the buffer pointer was valid or null. thus,
the conditions which previously led to under-allocation and buffer
overflow could instead lead to an invalid pointer being passed to
free.
Rich Felker [Mon, 13 Mar 2017 12:52:41 +0000 (08:52 -0400)]
emulate lazy relocation as deferrable relocation
traditional lazy relocation with call-time plt resolver is
intentionally not implemented, as it is a huge bug surface and demands
significant amounts of arch-specific code and requires ongoing
maintenance to ensure compatibility with applications which make use
of new additions to the arch's register file in passing function
arguments.
some applications, however, depend on the ability to dlopen modules
which have unsatisfied symbol references at the time they are loaded,
either avoiding use of the affected interfaces or manually loading
another module to provide the missing definition via their own module
dependency tracking outside the ELF data structures. while such usage
is non-conforming, failure to support it has been a significant
obstacle for users/distributions trying to support affected software,
particularly the X.org server.
instead of resolving lazy relocations at call time, this patch saves
unresolved GOT/PLT relocations for deferral and retries them after
each subsequent dlopen until they are resolved. since dlopen is the
only time at which the effective global symbol table can change, this
behavior is not observably different from traditional lazy binding,
and the required code is minimal.
Rich Felker [Mon, 13 Mar 2017 04:30:26 +0000 (00:30 -0400)]
reorder addend handling before symbol lookup in relocation code
these two tasks are independent now, but in order to support lazy
relocations, the failure path for symbol lookup may want the addend to
be available.
Rich Felker [Mon, 13 Mar 2017 01:03:05 +0000 (21:03 -0400)]
rework ldso handling of global symbol table for consistency
when loading libraries with dlopen, the caller can request that the
library's symbols become part of the global symbol table, or that they
only be used for resolving relocations in the loaded library and its
dependencies. in the latter case, a subsequent dlopen of the same
library can upgrade it to global status.
previously, if a library was upgraded from local to global mode, its
symbols entered the symbol lookup search order at the point where the
library was originally loaded. this means that a new call to dlopen
could change the value of a symbol that already had a visible
definition, an inconsistency which applications could observe.
POSIX is unclear whether this should happen or whether it's permitted
to happen, but the resolution of Austin Group issue #982 made it
formally unspecified.
with this patch, a library whose mode is upgraded from local to global
enters the symbol lookup order at the point where it was made global,
so that symbol resolution before and after the upgrade are consistent.
in order to implement this change, the per-dso global flag is replaced
with a separate set of linked-list pointers for participation in the
global symbol table. this permits the order of dso objects for symbol
resolution to differ from the order used for iteration of all loaded
libraries. it also improves performance of find_sym, by avoiding a
branch per iteration and skipping, and especially in the case where
many non-global libraries have been loaded, by allowing the loop to
skip over them entirely. logic for temporarily adding non-global
libraries to the symbol table for relocation purposes is also mildly
simplified.
Szabolcs Nagy [Sat, 3 Dec 2016 20:52:43 +0000 (20:52 +0000)]
treat STB_WEAK and STB_GNU_UNIQUE like STB_GLOBAL in find_sym
A weak symbol definition is not special during dynamic linking, so
don't let a strong definition in a later module override it.
(glibc dynamic linker allows overriding weak definitions if
LD_DYNAMIC_WEAK is set, musl does not.)
STB_GNU_UNIQUE means that the symbol is global, even if it is in a
module that's loaded with RTLD_LOCAL, and all references resolve to
the same definition. This semantics is only relevant for c++ plugin
systems and even there it's often not what the user wants (so it can
be turned off in g++ by -fno-gnu-unique when the c++ shared lib is
compiled). In musl just treat it like STB_GLOBAL.
Rich Felker [Wed, 8 Mar 2017 18:35:33 +0000 (13:35 -0500)]
fix ld-behavior-dependent crash in ppc64 ldso startup
the 32-bit pc-relative address for stage 2 of dynamic linker entry was
wrongly loaded with a zero-extending load instead of sign-extending
load, resulting in an invalid jump if the offset happened to be
negative, which depends on the linker's ordering of text sections.
Szabolcs Nagy [Sun, 5 Mar 2017 22:03:35 +0000 (23:03 +0100)]
fix lsearch and lfind to pass key as first arg to the compar callback
this is not a conformance issue as posix does not specify the
argument order, but the order is specified for bsearch and some
systems document the order for lsearch consistently (openbsd).
since there were two indpendent reports of this issue it's better
to use the more widely expected argument order.
Rich Felker [Thu, 23 Feb 2017 00:25:13 +0000 (19:25 -0500)]
allow page size to vary on arm
the ABI for arm was silently changed at some point to allow page sizes
other than 4k; traditional binaries built with only 4k-aligned offsets
between load segments cannot run on such systems, but newer binutils
versions use 64k offset alignment.
while larger page size is undesirable for various reasons, users have
encountered hardware and/or kernels that lock the page size to a
larger value, so follow the new ABI and allow it to vary.
Rich Felker [Wed, 15 Feb 2017 22:05:50 +0000 (17:05 -0500)]
fix build regression in arm atomics asm with new binutils
binutils commit
bada43421274615d0d5f629a61a60b7daa71bc15 tightened
immediate fixup handling in gas in such a way that the final .arch of
an object file must be compatible with the fixups used when the
instruction was assembled; this in turn broke assembling of atomics.s,
at least in thumb mode.
it's not clear whether this should be considered a bug in gas, but
.object_arch is preferable anyway for our purpose here of controlling
the ISA level tag on the object file being produced, and it's the
intended directive for use in object files with runtime code
selection. research by Szabolcs Nagy confirmed that .object_arch is
supported in all relevant versions of binutils and clang's integrated
assembler.
patch by Reiner Herrmann.
Bobby Bingham [Mon, 6 Feb 2017 03:29:52 +0000 (21:29 -0600)]
s390x: implement dlsym
This was missed when writing the port initially.
Rich Felker [Sun, 29 Jan 2017 16:24:20 +0000 (11:24 -0500)]
avoid unbounded strlen in gettext functions
use the standard strnlen idiom for cases where lengths greater than an
imposed limit are going to be rejected immediately anyway.
Rich Felker [Sun, 29 Jan 2017 16:14:00 +0000 (11:14 -0500)]
fix use of uninitialized pointer in gettext core
the plural_rule field of allocated msgcat structures was assumed to be
initially-null but was never initialized. for future-proofing, the
nplurals field which was left uninitialized should also be cleared.
likewise, in the binding structure, the active field could be used
uninitialized by a technicality: the a_store which stores the initial
value of 0 may be implemented as a cas operation, which reads the old
value.
rather than fixing these issues individually, just use calloc for both
allocations. this does result in wasteful clearing of name buffers (up
to NAME_MAX+PATH_MAX) before filling them, but since the size if
bounded and the time is dominated by filesystem operations, it really
doesn't matter; simplicity and future-proofing have more value here.
modified from patch submitted by He X.
Rich Felker [Sun, 29 Jan 2017 05:11:23 +0000 (00:11 -0500)]
fix bindtextdomain logic error deactivating other domains
this loop was only supposed to deactivate other bindings for the same
text domain name, but due to copy-and-paste error, deactivated all
other bindings.
patch by He X.
Rich Felker [Thu, 19 Jan 2017 16:45:01 +0000 (11:45 -0500)]
fix spurious EINTR errors from multithreaded set*id, etc.
commit
78a8ef47c4d92b7680c52a85f80a81e29da86bb9 inadvertently removed
the SA_RESTART flag from the sigaction for the internal signal handler
used by __synccall for broadcasting. as a result, programs which did
not use interrupting signals but which used set*id() in a
multithreaded context could wrongly observe EINTR errors they're not
prepared to handle.
rofl0r [Fri, 13 Jan 2017 10:28:46 +0000 (10:28 +0000)]
fix crashes in x32 __tls_get_addr
x32 has another gratuitous difference to all other archs:
it passes an array of 64bit values to __tls_get_addr().
usually it is an array of size_t.
Rich Felker [Thu, 5 Jan 2017 03:54:06 +0000 (22:54 -0500)]
fix crash from corrupted tls module list after failed dlopen
commit
d56460c939c94a6c547abe8238f442b8de10bfbd introduced this
regression as part of splitting the tls module list out of the dso
list. the new code added to dlopen's failure path to undo the changes
adding the partially-loaded libraries reset the tls_tail pointer
correctly, but did not clear its link to the next list entry. thus, at
least until the next successful dlopen, the list was not terminated
but ended with an invalid next pointer, which __copy_tls attempted to
follow when a new thread was created.
patch by Mikael Vidstedt.
Rich Felker [Thu, 5 Jan 2017 00:48:21 +0000 (19:48 -0500)]
treat base 1 as an error in strtol-family functions
ISO C and POSIX only specify behavior for base arguments of 0 and
2-36; POSIX mandates an EINVAL error for unsupported bases. it's not
clear that there's a requirement for implementations not to "support"
additional bases as an extension, but "base 1" did not work in any
meaningful way anyway, so it should be considered unsupported and thus
an error.
Rich Felker [Thu, 5 Jan 2017 00:02:02 +0000 (19:02 -0500)]
fix getopt[_long] clobbering of optopt on success
getopt is only specified to modify optopt on error, and some software
apparently infers an error from optopt!=0.
getopt_long is changed analogously. the resulting behavior differs
slightly from the behavior of the GNU implementation of getopt_long,
which keeps an internal shadow copy of optopt and copies it to the
public one on return, but since the GNU implementation also exhibits
this shadow-copy behavior for plain getopt where is is non-conforming,
I think this can reasonably be considered a bug rather than an
intentional behavior that merits mimicing.
Rich Felker [Wed, 4 Jan 2017 22:08:19 +0000 (17:08 -0500)]
reduce impact of REG_* namespace pollution in x86[_64] signal.h
when _GNU_SOURCE is defined, which is always the case when compiling
c++ with gcc, these macros for the the indices in gregset_t are
exposed and likely to clash with applications. by using enum constants
rather than macros defined with integer literals, we can make the
clash slightly less likely to break software. the macros are still
defined in case anything checks for them with #ifdef, but they're
defined to expand to themselves so that non-file-scope (e.g.
namespaced) identifiers by the same names still work.
for the sake of avoiding mistakes, the changes were generated with sed
via the command:
sed -i -e 's/#define *\(REG_[A-Z_0-9]\{1,\}\) *\([0-9]\{1,\}\)'\
'/enum { \1 = \2 };\n#define \1 \1/' \
arch/i386/bits/signal.h arch/x86_64/bits/signal.h arch/x32/bits/signal.h
Rich Felker [Tue, 3 Jan 2017 00:47:12 +0000 (19:47 -0500)]
make globfree safe after failed glob from over-length argument
commit
0dc99ac413d8bc054a2e95578475c7122455eee8 added input length
checking to avoid unsafe VLA allocation, but put it in the wrong
place, before the glob_t structure was zeroed out. while POSIX isn't
clear on whether it's permitted to call globfree after glob failed
with GLOB_NOSPACE, making it safe is clearly better than letting
uninitialized pointers get passed to free in non-conforming callers.
while we're fixing this, change strlen check to the idiomatic strnlen
version to avoid unbounded input scanning before returning an error.
Rich Felker [Mon, 2 Jan 2017 22:30:40 +0000 (17:30 -0500)]
fix strftime %y for negative years
commit
583ea83541dcc6481c7a1bd1a9b485526bad84a1 fixed the case where
tm_year is negative but the resulting year (offset by 1900) was still
positive, which is always the case for time_t values that fit in 32
bits, but not for arbitrary inputs.
based on an earlier patch by Julien Ramseier which was overlooked at
the time the previous fix was applied.
Rich Felker [Sun, 1 Jan 2017 03:27:17 +0000 (22:27 -0500)]
release 1.1.16
Szabolcs Nagy [Sun, 25 Dec 2016 09:43:42 +0000 (10:43 +0100)]
update tcp_info struct to linux v4.9
export tcp data delivery rate in tcp_info struct.
see linux commit
eb8329e0a04db0061f714f033b4454326ba147f4
Szabolcs Nagy [Sun, 25 Dec 2016 09:42:15 +0000 (10:42 +0100)]
add MS_NOREMOTELOCK mount flag from linux v4.9
for handling file locking on overlayfs.
see linux commit
c568d68341be7030f5647def68851e469b21ca11
Szabolcs Nagy [Sun, 25 Dec 2016 09:41:06 +0000 (10:41 +0100)]
add pkey_{mprotect,alloc,free} syscalls from linux v4.9
see linux commit
e8c24d3a23a469f1f40d4de24d872ca7023ced0a
and linux Documentation/x86/protection-keys.txt
Rich Felker [Tue, 20 Dec 2016 19:19:32 +0000 (14:19 -0500)]
fix support for initialized TLS in static PIE binaries
the static-linked version of __init_tls needs to locate the TLS
initialization image via the ELF program headers, which requires
determining the base address at which the program was loaded. the
existing code attempted to do this by comparing the actual address of
the program headers (obtained via auxv) with the virtual address for
the PT_PHDR record in the program headers. however, the linker seems
to produce a PT_PHDR record only when a program interpreter (dynamic
linker) is used. thus the computation failed and used the default base
address of 0, leading to a crash when trying to access the TLS image
at the wrong address.
the dynamic linker entry point and static-PIE rcrt1.o startup code
compute the base address instead by taking the difference between the
run-time address of _DYNAMIC and the virtual address in the PT_DYNAMIC
record. this patch copies the approach they use, but with a weak
symbolic reference to _DYNAMIC instead of obtaining the address from
the crt_arch.h asm. this works because relocations have already been
performed at the time __init_tls is called.
Rich Felker [Tue, 20 Dec 2016 02:53:33 +0000 (21:53 -0500)]
when building for arm as thumb2 code, also request assembly as thumb
all assembly is now thumb2-compatible. on existing targets this is at
best a size optimization, but it will also facilitate porting to
thumb2-isa-only arm variants.
Rich Felker [Mon, 19 Dec 2016 00:38:53 +0000 (19:38 -0500)]
rework arm atomic/tp backends to be thumb-compatible and fdpic-ready
three problems are addressed:
- use of pc arithmetic, which was difficult if not impossible to make
correct in thumb mode on all models, so that relative rather than
absolute pointers to the backends could be used. this was designed
back when there was no coherent model for the early stages of the
dynamic linker before relocations, and is no longer necessary.
- assumption that data (the relative pointers to the backends) can be
accessed at a constant displacement from the code. this will not be
possible on future fdpic subarchs (for cortex-m), so move
responsibility for loading the backend code address to the caller.
- hard-coded arm opcodes using the .word directive. instead, use the
.arch directive to work around the assembler's refusal to assemble
instructions not available (or in some cases, available but just
considered deprecated) in the target isa level. the obscure v6t2
arch is used for v6 code so as to (1) allow generation of thumb2
output if -mthumb is active, and (2) avoid warnings/errors for mcr
barriers that clang would produce if we just set arch to v7-a.
in addition, the __aeabi_read_tp function is moved out of the inner
workings and implemented as an asm wrapper around a C function, so
that asm code does not need to read global data. the asm wrapper
serves to satisfy the ABI calling convention requirements for this
function.
Rich Felker [Sun, 18 Dec 2016 00:39:28 +0000 (19:39 -0500)]
disable use of arm memcpy asm if building as thumb code
the thumb incompatibilities in the asm are probably only minor and
should be fixable, but for now just use the C version.
Rich Felker [Sun, 18 Dec 2016 00:30:03 +0000 (19:30 -0500)]
make arm setjmp/longjmp asm thumb2-compatible
sp cannot be used in the ldm/stm register set in thumb mode.
Szabolcs Nagy [Sat, 17 Dec 2016 14:03:24 +0000 (15:03 +0100)]
use lookup table for malloc bin index instead of float conversion
float conversion is slow and big on soft-float targets.
The lookup table increases code size a bit on most hard float targets
(and adds 60byte rodata), performance can be a bit slower because of
position independent data access and cpu internal state dependence
(cache, extra branches), but the overall effect should be minimal
(common, small size allocations should be unaffected).
Szabolcs Nagy [Thu, 24 Nov 2016 00:44:49 +0000 (01:44 +0100)]
handle ^ and $ in BRE subexpression start and end as anchors
In BRE, ^ is an anchor at the beginning of an expression, optionally
it may be an anchor at the beginning of a subexpression and must be
treated as a literal otherwise.
Previously musl treated ^ in subexpressions as literal, but at least
glibc and gnu sed treats it as an anchor and that's the more useful
behaviour: it can always be escaped to get back the literal meaning.
Same for $ at the end of a subexpression.
Portable BRE should not rely on this, but there are sed commands in
build scripts which do.
This changes the meaning of the BREs:
\(^a\)
\(a\|^b\)
\(a$\)
\(a$\|b\)
Rich Felker [Sat, 17 Dec 2016 04:19:27 +0000 (23:19 -0500)]
fix mrand48/jrand48 return value on 64-bit archs
POSIX specifies the result to have signed 32-bit range. on 32-bit
archs, the implicit conversion to long achieved the desired range
already, but when long is 64-bit, a cast is needed.
patch by Ed Schouten.
Quentin Rameau [Mon, 12 Dec 2016 20:01:26 +0000 (21:01 +0100)]
in public headers, don't assume pre-C99 compilers have __inline keyword
Bobby Bingham [Sun, 27 Nov 2016 18:18:10 +0000 (12:18 -0600)]
fix crashing sigsetjmp on s390x
the bz instruction that was wrongly used only admits a small immediate
displacement and cannot be used with external symbols; apparently the
linker fails to diagnose the overflow.
Bobby Bingham [Tue, 15 Nov 2016 03:37:42 +0000 (21:37 -0600)]
fix use of incomplete struct type in s390x user.h
Bobby Bingham [Tue, 15 Nov 2016 03:37:41 +0000 (21:37 -0600)]
fix typo in s390x user.h
Rich Felker [Thu, 15 Dec 2016 17:18:24 +0000 (12:18 -0500)]
remove legacy i386 fallback stdarg implementation and framework
this has been slated for removal for a long time. there is
fundamentally no way to implement stdarg without compiler assistance;
any attempt to do so has serious undefined behavior; its working
depends not just (as a common misconception goes) on ABI, but also on
assumptions about compiler code generation internal to a translation
unit, which is not subject to external ABI constraints.
Rich Felker [Wed, 7 Dec 2016 03:57:15 +0000 (22:57 -0500)]
remove largish unused field from pthread structure
Rich Felker [Sun, 13 Nov 2016 00:43:37 +0000 (19:43 -0500)]
work around gdb issues recognizing sigreturn trampoline on x86_64
gdb can only backtrace/unwind across signal handlers if it recognizes
the sa_restorer trampoline. for x86_64, gdb first attempts to
determine the symbol name for the function in which the program
counter resides and match it against "__restore_rt". if no name can be
found (e.g. in the case of a stripped binary), the exact instruction
sequence is matched instead.
when matching the function name, however, gdb's unwind code wrongly
considers the interval [sym,sym+size] rather than [sym,sym+size).
thus, if __restore_rt begins immediately after another function, gdb
wrongly identifies pc as lying within the previous adjacent function.
this patch adds a nop before __restore_rt to preclude that
possibility. it also removes the symbol name __restore and replaces it
with a macro since the stability of whether gdb identifies the
function as __restore_rt or __restore is not clear.
for the no-symbols case, the instruction sequence is changed to use
%rax rather than %eax to match what gdb expects.
based on patch by Szabolcs Nagy, with extended description and
corresponding x32 changes added.
Bobby Bingham [Sat, 12 Nov 2016 03:52:05 +0000 (21:52 -0600)]
add s390x port
Bobby Bingham [Tue, 26 Jul 2016 03:52:58 +0000 (22:52 -0500)]
treat null vdso base same as missing
On s390x, the kernel provides AT_SYSINFO_EHDR, but sets it to zero, if the
program being run does not have a program interpreter. This causes
problems when running the dynamic linker directly.
Rich Felker [Fri, 11 Nov 2016 17:30:24 +0000 (12:30 -0500)]
generalize ELF hash table types not to assume 32-bit entries
alpha and s390x gratuitously use 64-bit entries (wasting 2x space and
cache utilization) despite the values always being 32-bit.
based on patch by Bobby Bingham, with changes suggested by Alexander
Monakov to use the public Elf_Symndx type from link.h (and make it
properly variable by arch) rather than adding new internal
infrastructure for handling the type.
Rich Felker [Tue, 8 Nov 2016 23:03:42 +0000 (18:03 -0500)]
fix build regression on archs with variable page size
commit
31fb174dd295e50f7c5cf18d31fcfd5fe5a063b7 used
DEFAULT_GUARD_SIZE from pthread_impl.h in a static initializer,
breaking build on archs where its definition, PAGE_SIZE, is not a
constant. instead, just define DEFAULT_GUARD_SIZE as 4096, the minimal
page size on any arch we support. pthread_create rounds up to whole
pages anyway, so defining it to 1 would also work, but a moderately
meaningful value is nicer to programs that use
pthread_attr_getguardsize on default-initialized attribute objects.
Rich Felker [Tue, 8 Nov 2016 17:09:05 +0000 (12:09 -0500)]
add limited pthread_setattr_default_np API to set stack size defaults
based on patch by Timo Teräs:
While generally this is a bad API, it is the only existing API to
affect c++ (std::thread) and c11 (thrd_create) thread stack size.
This patch allows applications only to increate stack and guard
page sizes.
Rich Felker [Tue, 8 Nov 2016 16:51:57 +0000 (11:51 -0500)]
fix pthread_create regression from stack/guard size simplification
commit
33ce920857405d4f4b342c85b74588a15e2702e5 broke pthread_create
in the case where a null attribute pointer is passed; rather than
using the default sizes, sizes of 0 (plus the remainder of one page
after TLS/TCB use) were used.
Rich Felker [Tue, 8 Nov 2016 04:19:19 +0000 (23:19 -0500)]
make netinet/in.h suppress clashing definitions from kernel headers
the linux kernel uapi headers provide their own definitions of the
structures from netinet/in.h, resulting in errors when a program
includes both the standard libc header and one or more of the
networking-related kernel headers that pull in the kernel definitions.
as before, we do not attempt to support the case where kernel headers
are included before the libc ones, since the kernel definitions may
have subtly incorrect types, namespace violations, etc. however, we
can easily support the inclusion of the kernel headers after the libc
ones, since the kernel headers provide a public interface for
suppressing their definitions. this patch adds the necessary macro
definitions for such suppression.
Rich Felker [Tue, 8 Nov 2016 01:47:24 +0000 (20:47 -0500)]
simplify pthread_attr_t stack/guard size representation
previously, the pthread_attr_t object was always initialized all-zero,
and stack/guard size were represented as differences versus their
defaults. this required lots of confusing offset arithmetic everywhere
they were used. instead, have pthread_attr_init fill in the default
values, and work with absolute sizes everywhere.
Rich Felker [Tue, 8 Nov 2016 01:39:59 +0000 (20:39 -0500)]
fix swprintf internal buffer state and error handling
the swprintf write callback never reset its buffer pointers, so after
its 256-byte buffer filled up, it would keep repeating those bytes
over and over in the output until the destination buffer filled up. it
also failed to set the error indicator for the stream on EILSEQ,
potentially allowing output to continue after the error.
Daniel Sabogal [Thu, 3 Nov 2016 02:29:36 +0000 (22:29 -0400)]
fix integer overflow of tm_year in __secs_to_tm
the overflow check for years+100 did not account for the extra
year computed from the remaining months. instead, perform this
check after obtaining the final number of years.
Szabolcs Nagy [Tue, 1 Nov 2016 01:49:09 +0000 (02:49 +0100)]
fix ldso reserved library name handling
If a DT_NEEDED entry was the prefix of a reserved library name
(up to the first dot) then it was incorrectly treated as a libc
reserved name.
e.g. libp.so dependency was not loaded as it matched libpthread
reserved name.
Szabolcs Nagy [Tue, 1 Nov 2016 01:44:56 +0000 (02:44 +0100)]
fix accidental global static pointer in ldso
this was harmless as load_library is not called concurrently,
but it used one word of bss.
Rich Felker [Mon, 7 Nov 2016 16:55:53 +0000 (11:55 -0500)]
don't claim support for resolv.h APIs that aren't supported
the value
19991006 for __RES implies availability of res_ninit and
related functions that take a resolver state argument; these are not
supported since our resolver is stateless. instead claim support for
just the older API by defining __RES to
19960801.
based on patch by Dmitrij D. Czarkoff.
Hannu Nyman [Mon, 24 Oct 2016 10:12:24 +0000 (13:12 +0300)]
fix parsing of quoted time zone names
Fix parsing of the < > quoted time zone names. Compare the correct
character instead of repeatedly comparing the first character.
Rich Felker [Mon, 7 Nov 2016 16:49:22 +0000 (11:49 -0500)]
remove redundant feature test macro checks in sys/time.h
this header is XSI-shaded itself and thus does not need to limit
specific content to _XOPEN_SOURCE.
Rich Felker [Sat, 22 Oct 2016 00:57:15 +0000 (20:57 -0400)]
redesign snprintf without undefined behavior
the old snprintf design setup the FILE buffer pointers to point
directly into the destination buffer; if n was actually larger than
the buffer size, the pointer arithmetic to compute the buffer end
pointer was undefined. this affected sprintf, which is implemented in
terms of snprintf, as well as some unusual but valid direct uses of
snprintf.
instead, setup the FILE as unbuffered and have its write function
memcpy to the destination. the printf core sets up its own temporary
buffer for unbuffered streams.
Rich Felker [Thu, 20 Oct 2016 21:20:01 +0000 (17:20 -0400)]
fix various header namespace issues under feature-test-macro control
reported and changes suggested by Daniel Sabogal.
Rich Felker [Thu, 20 Oct 2016 21:04:37 +0000 (17:04 -0400)]
remove parameter names from public headers
inclusion of these names was unintentional and in most cases is a
namespace violation. Daniel Sabogal tracked down and reported these.
Rich Felker [Thu, 20 Oct 2016 21:01:56 +0000 (17:01 -0400)]
fix misspelling of a legacy macro name in sys/param.h
Daniel Sabogal [Mon, 5 Sep 2016 02:30:43 +0000 (22:30 -0400)]
add missing if_ether.h constants
ETH_P_HSR (IEC 62439-3 HSRv1) added in
linux 4.7 commit
ee1c27977284907d40f7f72c2d078d709f15811f
ETH_P_TSN (IEEE 1722) added in
linux 4.3 commit
1ab1e895492d8084dfc1c854efacde219e56b8c1
this constant breaks the ascending order to match the kernel header
ETH_P_XDSA (Multiplexed DSA protocol) added in
linux 3.18 commit
3e8a72d1dae374cf6fc1dba97cec663585845ff9
Daniel Sabogal [Mon, 5 Sep 2016 02:30:42 +0000 (22:30 -0400)]
add missing if_arp.h constant
ARPHRD_6LOWPAN (IPv6 over LoWPAN) added in
linux 3.14 commit
0abc652c796dab74d34d60473ec5594cd21620be
Daniel Sabogal [Sun, 4 Sep 2016 14:42:48 +0000 (10:42 -0400)]
fix typo in utmpx.h
Daniel Sabogal [Sun, 4 Sep 2016 14:42:47 +0000 (10:42 -0400)]
add missing confstr constants
the _CS_V6_ENV and _CS_V7_ENV constants are required to be available for use
with confstr. glibc defines these constants with values 1148 and 1149,
respectively.
the only missing (and required) confstr constants are
_CS_POSIX_V7_THREADS_CFLAGS and _CS_POSIX_V7_THREADS_LDFLAGS which remain
unavailable in glibc.
Rich Felker [Thu, 20 Oct 2016 18:40:59 +0000 (14:40 -0400)]
fix minor problem in previous strtod non-nearest rounding bug fix
commit
6ffdc4579ffb34f4aab69ab4c081badabc7c0a9a set lnz in the code
path for non-zero digits after a huge string of zeros, but the
assignment of dc to lnz truncates if the value of dc does not fit in
int; this is possible for some pathologically long inputs, either via
strings on 64-bit systems or via scanf-family functions.
instead, simply set lnz to match the point at which we add the
artificial trailing 1 bit to simulate nonzero digits after a huge
run of zeros.
Szabolcs Nagy [Sun, 4 Sep 2016 02:51:03 +0000 (04:51 +0200)]
fix strtod int optimization in non-nearest rounding mode
the mid-sized integer optimization relies on lnz set up properly
to mark the last non-zero decimal digit, but this was not done
if the non-zero digit lied outside the KMAX digits of the base
10^9 number representation.
so if the fractional part was a very long list of zeros (>2048*9 on
x86) followed by non-zero digits then the integer optimization could
kick in discarding the tiny non-zero fraction which can mean wrong
result on non-nearest rounding mode.
strtof, strtod and strtold were all affected.
Szabolcs Nagy [Sun, 4 Sep 2016 02:46:00 +0000 (04:46 +0200)]
fix strtod and strtof rounding with many trailing zeros
in certain cases excessive trailing zeros could cause incorrect
rounding from long double to double or float in decfloat.
e.g. in strtof("
9444733528689243848704.000000", 0) the argument
is 0x1.000001p+73, exactly halfway between two representible floats,
this incorrectly got rounded to 0x1.000002p+73 instead of 0x1p+73,
but with less trailing 0 the rounding was fine.
the fix makes sure that the z index always points one past the last
non-zero digit in the base 10^9 representation, this way trailing
zeros don't affect the rounding logic.
Rich Felker [Thu, 20 Oct 2016 17:22:20 +0000 (13:22 -0400)]
fix gratuitous undefined behavior in strptime
accessing an object of type const char *restrict as if it had type
char * is not defined.
Rich Felker [Thu, 20 Oct 2016 16:13:33 +0000 (12:13 -0400)]
fix getopt_long_only misinterpreting "--" as an option
Szabolcs Nagy [Tue, 11 Oct 2016 22:49:59 +0000 (00:49 +0200)]
fix float formatting of some exact halfway cases
in nearest rounding mode exact halfway cases were not following the
round to even rule if the rounding happened at a base
1000000000 digit
boundary of the internal representation and the previous digit was odd.
e.g. printf("%.0f", 1.5) printed 1 instead of 2.