Rename the identifier sz to __sz everywhere.
Fixes: a643f60c53 ("Make sure that the fortified function conditionals are constant")
(cherry picked from commit 39ca997ab3)
This supports common coding patterns. The GCC C front end before
version 7 rejects the may_alias attribute on a struct definition
if it was not present in a previous forward declaration, so this
attribute can only be conditionally applied.
This implements the spirit of the change in Austin Group issue 1641.
Suggested-by: Marek Polacek <polacek@redhat.com>
Suggested-by: Jakub Jelinek <jakub@redhat.com>
Reviewed-by: Sam James <sam@gentoo.org>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
This commit adds a simple bind/accept/connect test for an IPv4 TCP
connection to a local process via the loopback interface.
Reviewed-by: Arjun Shankar <arjun@redhat.com>
It was raised on libc-help [1] that some Linux kernel interfaces expect
the libc to define __USE_TIME_BITS64 to indicate the time_t size for the
kABI. Different than defined by the initial y2038 design document [2],
the __USE_TIME_BITS64 is only defined for ABIs that support more than
one time_t size (by defining the _TIME_BITS for each module).
The 64 bit time_t redirects are now enabled using a different internal
define (__USE_TIME64_REDIRECTS). There is no expected change in semantic
or code generation.
Checked on x86_64-linux-gnu, i686-linux-gnu, aarch64-linux-gnu, and
arm-linux-gnueabi
[1] https://sourceware.org/pipermail/libc-help/2024-January/006557.html
[2] https://sourceware.org/glibc/wiki/Y2038ProofnessDesign
Reviewed-by: DJ Delorie <dj@redhat.com>
It improves fortify checks for recv, recvfrom, poll, and ppoll. The compile
and runtime checks have similar coverage as with GCC.
Checked on aarch64, armhf, x86_64, and i686.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
Since the _FORTIFY_SOURCE feature uses some routines of Glibc, they need to
be excluded from the fortification.
On top of that:
- some tests explicitly verify that some level of fortification works
appropriately, we therefore shouldn't modify the level set for them.
- some objects need to be built with optimization disabled, which
prevents _FORTIFY_SOURCE from being used for them.
Assembler files that implement architecture specific versions of the
fortified routines were not excluded from _FORTIFY_SOURCE as there is no
C header included that would impact their behavior.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reflow Makefile.
Sort using scripts/sort-makefile-lines.py.
Code generation is changed as routines are linked in sorted order
as expected.
No regressions on x86_64 and i686.
cmsg_len is supposed to be socklen_t according to standards, but it was made
size_t on Linux, see BZ 16919. For ports that have it socklen_t, SIZE_MAX is
too large. We can however explicitly cast it to the type of cmsg_len so it
will fit according to that type.
This checks that:
* We can send and receive fds over Unix domain sockets using SCM_RIGHTS;
* msg_controllen, cmsg_level, cmsg_type, cmsg_len are all filled in
correctly on receive;
* Most importantly, the received fd has or has not the close-on-exec
flag set depending on whether we pass MSG_CMSG_CLOEXEC to recvmsg ().
Checked on i686-gnu and x86_64-linux-gnu.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
Message-Id: <20230423160548.126576-4-bugaevc@gmail.com>
clang emits a warning when a double alias redirection is used, to warn
that the original symbol will be used even when the weak definition is
overridden. However, this is a common pattern for weak_alias, where
multiple aliases are set to the same symbol.
Reviewed-by: Fangrui Song <maskray@google.com>
The inline and library functions that the CMSG_NXTHDR macro may expand
to increment the pointer to the header before checking the stride of
the increment against available space. Since C only allows incrementing
pointers to one past the end of an array, the increment must be done
after a length check. This commit fixes that and includes a regression
test for CMSG_FIRSTHDR and CMSG_NXTHDR.
The Linux, Hurd, and generic headers are all changed.
Tested on Linux on armv7hl, i686, x86_64, aarch64, ppc64le, and s390x.
[BZ #28846]
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
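The check-before-increment rule described above, as an added example that is not glibc's macro or its regression test: a walker over a raw control buffer that compares each claimed cmsg_len against the space left before advancing. The names count_cmsgs, put_hdr and demo are hypothetical, the buffers are constructed, and Linux glibc's CMSG_ALIGN is assumed.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

/* Count the complete control messages in buf[0..len); -1 if a header is
   malformed.  Offsets are compared against the space left before they are
   advanced, so no pointer past buf + len is ever formed.  */
long count_cmsgs(const unsigned char *buf, size_t len)
{
    size_t off = 0;
    long n = 0;
    while (len - off >= sizeof(struct cmsghdr)) {
        struct cmsghdr h;
        size_t left = len - off;
        memcpy(&h, buf + off, sizeof h);
        if (h.cmsg_len < sizeof h || h.cmsg_len > left)
            return -1;              /* claimed length does not fit */
        n++;
        size_t stride = CMSG_ALIGN(h.cmsg_len);
        if (stride > left)
            break;                  /* last message, trailing padding absent */
        off += stride;
    }
    return n;
}

/* Constructed sample: write a header claiming cmsg_len == claimed at off. */
static void put_hdr(unsigned char *buf, size_t off, size_t claimed)
{
    struct cmsghdr h;
    memset(&h, 0, sizeof h);
    h.cmsg_len = claimed; h.cmsg_level = SOL_SOCKET; h.cmsg_type = SCM_RIGHTS;
    memcpy(buf + off, &h, sizeof h);
}

/* Two messages (4- and 8-byte payload slots); the second header claims
   second_len, and the last trim bytes of the buffer are withheld.  */
long demo(size_t second_len, size_t trim)
{
    unsigned char buf[CMSG_SPACE(4) + CMSG_SPACE(8)] = { 0 };
    put_hdr(buf, 0, CMSG_LEN(4));
    put_hdr(buf, CMSG_SPACE(4), second_len);
    return count_cmsgs(buf, sizeof buf - trim);
}
```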
I used these shell commands:
../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright
(cd ../glibc && git commit -am"[this commit message]")
and then ignored the output, which consisted of lines saying "FOO: warning:
copyright statement not found" for each of 7061 files FOO.
I then removed trailing white space from math/tgmath.h,
support/tst-support-open-dev-null-range.c, and
sysdeps/x86_64/multiarch/strlen-vec.S, to work around the following
obscure pre-commit check failure diagnostics from Savannah. I don't
know why I run into these diagnostics whereas others evidently do not.
remote: *** 912-#endif
remote: *** 913:
remote: *** 914-
remote: *** error: lines with trailing whitespace found
...
remote: *** error: sysdeps/unix/sysv/linux/statx_cp.c: trailing lines
In _FORTIFY_SOURCE=3, the size expression may be non-constant,
resulting in branches in the inline functions remaining intact and
causing a tiny overhead. Clang (and in future, gcc) make sure that
the -1 case is always safe, i.e. any comparison of the generated
expression with (size_t)-1 is always false so that bit is taken care
of. The rest is avoidable since we want the _chk variant whenever we
have a size expression and it's not -1.
Rework the conditionals in a uniform way to clearly indicate two
conditions at compile time:
- Either the size is unknown (-1) or we know at compile time that the
operation length is less than the object size. We can call the
original function in this case. It could be that either the length,
object size or both are non-constant, but the compiler, through
range analysis, is able to fold the *comparison* to a constant.
- The size and length are known and the compiler can see at compile
time that operation length > object size. This is valid grounds for
a warning at compile time, followed by emitting the _chk variant.
For everything else, emit the _chk variant.
This simplifies most of the fortified function implementations and at
the same time, ensures that only one call from _chk or the regular
function is emitted.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
AF_NETLINK support is not quite optional on modern Linux systems
anymore, so it is likely that the first attempt will always succeed.
Consequently, there is no need to cache the result. Keep AF_UNIX
and the Internet address families as a fallback, for the rare case
that AF_NETLINK is missing. The other address families previously
probed are totally obsolete by now, so remove them.
Use this simplified version as the generic implementation, disabling
Netlink support as needed.
A new build flag, _TIME_BITS, enables the usage of the newer 64-bit
time symbols for legacy ABI (where 32-bit time_t is default). The 64
bit time support is only enabled if LFS (_FILE_OFFSET_BITS=64) is
also used.
Different than LFS support, the y2038 symbols are added only for the
required ABIs (armhf, csky, hppa, i386, m68k, microblaze, mips32,
mips64-n32, nios2, powerpc32, sparc32, s390-32, and sh). The ABIs with
64-bit time support are unchanged, both for symbol and types
redirection.
On Linux the full 64-bit time support requires a minimum of kernel
version v5.1. Otherwise, the 32-bit fallbacks are used and might
result in an error with overflow return code (EOVERFLOW).
The i686-gnu does not yet support 64-bit time.
This patch exports the following redirections to support 64-bit time:
* libc:
adjtime
adjtimex
clock_adjtime
clock_getres
clock_gettime
clock_nanosleep
clock_settime
cnd_timedwait
ctime
ctime_r
difftime
fstat
fstatat
futimens
futimes
futimesat
getitimer
getrusage
gettimeofday
gmtime
gmtime_r
localtime
localtime_r
lstat_time
lutimes
mktime
msgctl
mtx_timedlock
nanosleep
nanosleep
ntp_gettime
ntp_gettimex
ppoll
pselec
pselect
pthread_clockjoin_np
pthread_cond_clockwait
pthread_cond_timedwait
pthread_mutex_clocklock
pthread_mutex_timedlock
pthread_rwlock_clockrdlock
pthread_rwlock_clockwrlock
pthread_rwlock_timedrdlock
pthread_rwlock_timedwrlock
pthread_timedjoin_np
recvmmsg
sched_rr_get_interval
select
sem_clockwait
semctl
semtimedop
sem_timedwait
setitimer
settimeofday
shmctl
sigtimedwait
stat
thrd_sleep
time
timegm
timerfd_gettime
timerfd_settime
timespec_get
utime
utimensat
utimes
utimes
wait3
wait4
* librt:
aio_suspend
mq_timedreceive
mq_timedsend
timer_gettime
timer_settime
* libanl:
gai_suspend
Reviewed-by: Lukasz Majewski <lukma@denx.de>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
The c59f716993 (accept) and 3ddf9bc185 (connect) added on io/Makefile
instead of socket/Makefile.
Checked on arm-linux-gnueabihf (where without the flags both
tst-cancelx4 and tst-cancelx5 fail).
The libc version is identical and built with the same flags. Both aarch64
and nios2 also require exporting __send, and it was done previously with
the HAVE_INTERNAL_SEND_SYMBOL (which forced the symbol creation).
All __send callers are internal to libc and the original issue that
required the symbol export was due to a missing libc_hidden_def. So
a compat symbol is added for __send and the libc_hidden_def is
defined regardless.
Checked on x86_64-linux-gnu and i686-linux-gnu.
I used these shell commands:
../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright
(cd ../glibc && git commit -am"[this commit message]")
and then ignored the output, which consisted of lines saying "FOO: warning:
copyright statement not found" for each of 6694 files FOO.
I then removed trailing white space from benchtests/bench-pthread-locks.c
and iconvdata/tst-iconv-big5-hkscs-to-2ucs4.c, to work around this
diagnostic from Savannah:
remote: *** pre-commit check failed ...
remote: *** error: lines with trailing whitespace found
remote: error: hook declined to update refs/heads/master
The types affected are __sig_atomic_t, sig_atomic_t, __sigset_t,
sigset_t, sigval_t, sigevent_t, and siginfo_t. __sig_atomic_t is a
scalar, so it's now directly available from bits/types.h. The others
get bits/types/ headers.
Side effects include: There have been small changes to which
non-signal headers expose which subset of the signal-related types.
A couple of architectures' nested siginfo_t fields had to be renamed
to prevent undesired macro expansion. Internal code that wants to
manipulate signal masks must now include <sigsetops.h> (which is not
installed) and should be aware that __sigaddset, __sigandset,
__sigdelset, __sigemptyset, and __sigorset no longer return a value
(unlike the public API). Relatedly, the public signal.h no longer
declares any of those functions. The obsolete sigmask() macro no
longer has a system-specific definition -- in the cases where it
matters, it didn't work anyway.
New Linux architectures should create bits/siginfo-arch.h and/or
bits/siginfo-consts-arch.h to customize their siginfo_t, rather than
duplicating everything in bits/siginfo.h (which no longer exists).
Add new __SI_* macros if necessary. Ports to other operating systems
are strongly encouraged to generalize this scheme further.
* bits/sigevent-consts.h
* bits/siginfo-consts.h
* bits/types/__sigset_t.h
* bits/types/sigevent_t.h
* bits/types/siginfo_t.h
* sysdeps/unix/sysv/linux/bits/sigevent-consts.h
* sysdeps/unix/sysv/linux/bits/siginfo-consts.h
* sysdeps/unix/sysv/linux/bits/types/__sigset_t.h
* sysdeps/unix/sysv/linux/bits/types/sigevent_t.h
* sysdeps/unix/sysv/linux/bits/types/siginfo_t.h:
New system-dependent bits headers.
* sysdeps/unix/sysv/linux/bits/siginfo-arch.h
* sysdeps/unix/sysv/linux/bits/siginfo-consts-arch.h
* sysdeps/unix/sysv/linux/ia64/bits/siginfo-arch.h
* sysdeps/unix/sysv/linux/ia64/bits/siginfo-consts-arch.h
* sysdeps/unix/sysv/linux/mips/bits/siginfo-arch.h
* sysdeps/unix/sysv/linux/sparc/bits/siginfo-arch.h
* sysdeps/unix/sysv/linux/tile/bits/siginfo-arch.h
* sysdeps/unix/sysv/linux/tile/bits/siginfo-consts-arch.h
* sysdeps/unix/sysv/linux/x86/bits/siginfo-arch.h:
New Linux-only system-dependent bits headers.
* signal/bits/types/sig_atomic_t.h
* signal/bits/types/sigset_t.h
* signal/bits/types/sigval_t.h:
New non-system-dependent bits headers.
* sysdeps/generic/sigsetops.h
* sysdeps/unix/sysv/linux/sigsetops.h:
New internal headers.
* include/bits/types/sig_atomic_t.h
* include/bits/types/sigset_t.h
* include/bits/types/sigval_t.h:
New wrappers.
* signal/sigsetops.h
* bits/siginfo.h
* bits/sigset.h
* sysdeps/unix/sysv/linux/bits/siginfo.h
* sysdeps/unix/sysv/linux/bits/sigset.h
* sysdeps/unix/sysv/linux/ia64/bits/siginfo.h
* sysdeps/unix/sysv/linux/mips/bits/siginfo.h
* sysdeps/unix/sysv/linux/s390/bits/siginfo.h
* sysdeps/unix/sysv/linux/sparc/bits/siginfo.h
* sysdeps/unix/sysv/linux/tile/bits/siginfo.h
* sysdeps/unix/sysv/linux/x86/bits/siginfo.h:
Deleted.
* signal/Makefile, sysdeps/unix/sysv/linux/Makefile:
Update lists of installed headers.
* posix/bits/types.h: Define __sig_atomic_t here.
* signal/signal.h: Use the new bits headers; no need to handle
__need_sig_atomic_t nor __need_sigset_t. Don't use __sigmask
to define sigmask.
* include/signal.h: No need to handle __need_sig_atomic_t
nor __need_sigset_t. Don't define __sigemptyset.
* io/sys/poll.h, setjmp/setjmp.h
* sysdeps/arm/sys/ucontext.h, sysdeps/generic/sys/ucontext.h
* sysdeps/i386/sys/ucontext.h, sysdeps/m68k/sys/ucontext.h
* sysdeps/mach/hurd/i386/bits/sigcontext.h
* sysdeps/mips/sys/ucontext.h, sysdeps/powerpc/novmxsetjmp.h
* sysdeps/pthread/bits/sigthread.h
* sysdeps/unix/sysv/linux/hppa/sys/ucontext.h
* sysdeps/unix/sysv/linux/m68k/sys/ucontext.h
* sysdeps/unix/sysv/linux/mips/sys/ucontext.h
* sysdeps/unix/sysv/linux/nios2/sys/ucontext.h
* sysdeps/unix/sysv/linux/powerpc/sys/ucontext.h
* sysdeps/unix/sysv/linux/s390/sys/ucontext.h
* sysdeps/unix/sysv/linux/sh/sys/ucontext.h
* sysdeps/unix/sysv/linux/sparc/sys/ucontext.h
* sysdeps/unix/sysv/linux/tile/sys/ucontext.h
* sysdeps/unix/sysv/linux/x86/sys/ucontext.h:
Use bits/types/__sigset_t.h.
* misc/sys/select.h, posix/spawn.h
* sysdeps/unix/sysv/linux/powerpc/sys/ucontext.h
* sysdeps/unix/sysv/linux/sys/epoll.h
* sysdeps/unix/sysv/linux/sys/signalfd.h:
Use bits/types/sigset_t.h.
* resolv/netdb.h, rt/mqueue.h: Use bits/types/sigevent_t.h.
* rt/aio.h: Use bits/types/sigevent_t.h and bits/sigevent-consts.h.
* socket/sys/socket.h: Don't include bits/sigset.h.
* login/utmp_file.c, shadow/lckpwdf.c, signal/sigandset.c
* signal/sigisempty.c, stdlib/abort.c, sysdeps/posix/profil.c
* sysdeps/posix/sigignore.c, sysdeps/posix/sigintr.c
* sysdeps/posix/signal.c, sysdeps/posix/sigset.c
* sysdeps/posix/sprofil.c, sysdeps/posix/sysv_signal.c
* sysdeps/unix/sysv/linux/nptl-signals.h:
Include sigsetops.h.
* signal/sigaddset.c, signal/sigandset.c, signal/sigdelset.c
* signal/sigorset.c, stdlib/abort.c, sysdeps/posix/sigignore.c
* sysdeps/posix/signal.c, sysdeps/posix/sigset.c:
__sigaddset, __sigandset, __sigdelset, __sigemptyset, __sigorset
now return no value.
* signal/sigaddset.c, signal/sigdelset.c, signal/sigismem.c:
Include <errno.h>, <signal.h>, and <sigsetops.h> instead of
"sigsetops.h".
* signal/sigsetops.c: Explicitly define __sigismember,
__sigaddset, and __sigdelset as compatibility symbols.
* signal/Versions: Correct commentary on __sigpause,
__sigaddset, __sigdelset, __sigismember.
* inet/rcmd.c: Include sigsetops.h. Convert old code using
__sigblock/__sigsetmask to use __sigprocmask and friends.
sys/socket.h includes sys/uio.h to get the definition of the iovec
structure.
POSIX allows sys/socket.h to make all sys/uio.h symbols visible.
However, all of sys/uio.h is XSI-shaded, so for non-XSI POSIX this
results in conformtest failures (for sys/socket.h and other headers
that include it):
Namespace violation: "UIO_MAXIOV"
Namespace violation: "readv"
Namespace violation: "writev"
Now, there is some ambiguity in POSIX about what namespace
reservations apply in this case - see
http://austingroupbugs.net/view.php?id=1127 - but glibc convention
would still avoid declaring readv and writev, for example, for feature
test macros that don't include them (if only headers from the relevant
standard are included), even if such declarations are permitted, so
there is a bug here according to glibc conventions.
This patch moves the struct iovec definition to a new
bits/types/struct_iovec.h header and includes that from sys/socket.h
instead of including the whole of sys/uio.h. This fixes the namespace
issue; however, three files in glibc that were relying on the implicit
inclusion needed to be updated to include sys/uio.h explicitly. So
there is a question of whether sys/socket.h should continue to include
sys/uio.h under some conditions, such as __USE_XOPEN or __USE_MISC or
__USE_XOPEN || __USE_MISC, for greater compatibility with code that
(wrongly) expects this optional inclusion to be present there. (I
think the three affected files in glibc should still have explicit
sys/uio.h inclusions added in any case, however.)
Tested for x86_64.
[BZ #21426]
* misc/bits/types/struct_iovec.h: New file.
* misc/Makefile (headers): Add bits/types/struct_iovec.h.
* include/bits/types/struct_iovec.h: New file.
* bits/uio.h (struct iovec): Replace by inclusion of
<bits/types/struct_iovec.h>.
* sysdeps/unix/sysv/linux/bits/uio.h (struct iovec): Likewise.
* socket/sys/socket.h: Include <bits/types/struct_iovec.h> instead
of <sys/uio.h>.
* nptl/tst-cancel4.c: Include <sys/uio.h>
* posix/test-errno.c: Likewise.
* support/resolv_test.c: Likewise.
* conform/Makefile (test-xfail-POSIX2008/arpa/inet.h/conform):
Remove.
(test-xfail-POSIX2008/netdb.h/conform): Likewise.
(test-xfail-POSIX2008/netinet/in.h/conform): Likewise.
(test-xfail-POSIX2008/sys/socket.h/conform): Likewise.
Simplify the Linux accept4 implementation based on the assumption
that it is available in some way. __ASSUME_ACCEPT4_SOCKETCALL was
previously unused, so remove it.
For ia64, the accept4 system call (and socket call) were backported
in kernel version 3.2.18. Reflect this in the installation
instructions.