The 7bb8045ec0 path made the '%n' fortify check ignore EMFILE errors
while trying to open /proc/self/maps, and this added a security
issue where EMFILE can be attacker-controlled thus making it
ineffective for some cases.
The EMFILE failure is reinstated but with a different error
message. Also, to improve the false positive of the hardening for
the cases where no new files can be opened, the
_dl_readonly_area now uses _dl_find_object to check if the
memory area is within a writable ELF segment. The procfs method is
still used as fallback.
Checked on x86_64-linux-gnu and i686-linux-gnu.
Reviewed-by: Arjun Shankar <arjun@redhat.com>
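An added sketch, not glibc's code, of why the EMFILE case has to count as a failure: a procfs-only read-only check run over constructed buffers. All names here (readonly_area, the verdict values, the helper functions) are this example's own, and the _dl_find_object path the commit describes is left out.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/resource.h>

/* Verdict names are this example's own, not glibc's.  */
enum verdict { AREA_UNKNOWN = -1, AREA_WRITABLE = 0, AREA_READONLY = 1 };

/* Report whether [ptr, ptr + len) lies in mappings without write permission,
   using only /proc/self/maps.  If the file cannot be opened (EMFILE included)
   or the range is not fully mapped, the answer is AREA_UNKNOWN, which a
   caller guarding '%n' must treat as a failure.  */
static enum verdict readonly_area (const void *ptr, size_t len)
{
  uintptr_t next = (uintptr_t) ptr, end = next + len;
  FILE *fp = fopen ("/proc/self/maps", "r");
  if (fp == NULL)
    return AREA_UNKNOWN;
  enum verdict v = AREA_UNKNOWN;
  char line[512];
  while (v == AREA_UNKNOWN && fgets (line, sizeof line, fp) != NULL)
    {
      uintptr_t lo, hi;
      char perms[5];
      if (sscanf (line, "%" SCNxPTR "-%" SCNxPTR " %4s", &lo, &hi, perms) != 3)
        continue;               /* tail of an over-long line */
      if (hi <= next)
        continue;               /* mapping lies below the range */
      if (lo > next)
        break;                  /* hole in the range: stay UNKNOWN */
      if (perms[1] == 'w')
        v = AREA_WRITABLE;
      else if (hi >= end)
        v = AREA_READONLY;
      else
        next = hi;              /* range continues in the next mapping */
    }
  fclose (fp);
  return v;
}

/* Constructed sample format string; a static const array lands in .rodata.  */
static const char literal_fmt[] = "%d items%n";

static enum verdict verdict_literal (void)
{
  return readonly_area (literal_fmt, sizeof literal_fmt);
}

static enum verdict verdict_stack (void)
{
  char buf[] = "%d items%n";    /* writable copy on the stack */
  return readonly_area (buf, sizeof buf);
}

/* Same literal, but with the soft descriptor limit dropped to 0 so that the
   open fails with EMFILE, the condition the commit message discusses.  */
static enum verdict verdict_literal_no_fds (void)
{
  struct rlimit old, none;
  if (getrlimit (RLIMIT_NOFILE, &old) != 0)
    return AREA_UNKNOWN;
  none = old; none.rlim_cur = 0;
  setrlimit (RLIMIT_NOFILE, &none);
  enum verdict v = readonly_area (literal_fmt, sizeof literal_fmt);
  setrlimit (RLIMIT_NOFILE, &old);
  return v;
}

int main (void)
{
  printf ("literal %d, stack %d, literal without fds %d\n",
          verdict_literal (), verdict_stack (), verdict_literal_no_fds ());
  return 0;
}
```

A check that returned "read-only" whenever the maps file could not be opened would accept the third case, which is the gap the commit closes.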
On both Linux and Hurd the __eloop_threshold() is always a constant
(40 and 32 respectively), so there is no need to always call
__sysconf (_SC_SYMLOOP_MAX) for Linux case (!SYMLOOP_MAX). To avoid
a name clash with gnulib, rename the new file min-eloop-threshold.h.
Checked on x86_64-linux-gnu and with a build for x86_64-gnu.
Reviewed-by: DJ Delorie <dj@redhat.com>
Florian Weimer [Fri, 21 Mar 2025 09:33:25 +0000 (10:33 +0100)]
support: Link links-dso-program-c against libgcc_s
If C++ support is not available, links-dso-program-c is used
instead of the C++ version. The C version was not linked against
libgcc_s, which meant that thread cancellation and the backtrace
function did not work in containers tests in that situation.
Frédéric Bérat [Fri, 7 Mar 2025 17:16:30 +0000 (18:16 +0100)]
Add _FORTIFY_SOURCE support for inet_ntop
- Create the __inet_ntop_chk routine that verifies that the builtin size
of the destination buffer is at least as big as the size given by the
user.
- Redirect calls from inet_ntop to __inet_ntop_chk or __inet_ntop_warn
- Update the abilist for this new routine
- Update the manual to mention the new fortification
Wilco Dijkstra [Tue, 18 Mar 2025 12:14:52 +0000 (12:14 +0000)]
malloc: Improve csize2tidx
Remove the alignment rounding up from csize2tidx - this makes no sense
since the input should be a chunk size. Removing it enables further
optimizations, for example chunksize_nomask can be safely used and
invalid sizes < MINSIZE are not mapped to a valid tidx.
/usr/bin/ld: [...]libc.so: undefined reference to `__tunable_is_initialized@GLIBC_PRIVATE'
Since the custom link invocation links against system glibc instead
of the built one.
The only requirement is to avoid liborigin.so linked with a full path,
which is the default for --enable-hardcoded-path-in-tests. There
is no need to use a custom rule.
Pierre Blanchard [Tue, 18 Mar 2025 17:07:31 +0000 (17:07 +0000)]
AArch64: Optimize algorithm in users of SVE expf helper
Polynomial order was unnecessarily high, unlocking multiple
optimizations.
Max error for new SVE expf is 0.88 +0.5ULP.
Max error for new SVE coshf is 2.56 +0.5ULP.
Performance improvement on Neoverse V1: expf (30%), coshf (26%).
Wilco Dijkstra [Tue, 18 Mar 2025 12:30:10 +0000 (12:30 +0000)]
malloc: Improve arena_for_chunk()
Change heap_max_size() to improve performance of arena_for_chunk().
Instead of a complex calculation, use a simple mask operation to get the
arena base pointer. HEAP_MAX_SIZE should be larger than the huge page size,
otherwise heaps will not use huge pages.
On AArch64 this removes 6 instructions from arena_for_chunk(), and
bench-malloc-thread improves by 1.1% - 1.8%.
tst-fopen-threaded: Only check EOF for failing read
The fread race checker looks for EOF in every thread, which is incorrect
since threads calling fread successfully could lag behind and read the
EOF condition, resulting in multiple threads thinking that they
encountered an EOF.
Only look for EOF condition if fread fails to read a char. Also drop
the clearerr() since it could mask the failure of another reader, thus
hiding a test failure.
Finally, also check for error in the stream for completeness.
Joseph Myers [Fri, 14 Mar 2025 15:58:11 +0000 (15:58 +0000)]
Implement C23 powr
C23 adds various <math.h> function families originally defined in TS
18661-4. Add the powr functions, which are like pow, but with simpler
handling of special cases (based on exp(y*log(x)), so negative x and
0^0 are domain errors, powers of -0 are always +0 or +Inf never -0 or
-Inf, and 1^+-Inf and Inf^0 are also domain errors, while NaN^0 and
1^NaN are NaN). The test inputs are taken from those for pow, with
appropriate adjustments (including removing all tests that would be
domain errors from those in auto-libm-test-in and adding some more
such tests in libm-test-powr.inc).
The underlying implementation uses __ieee754_pow functions after
dealing with all special cases that need to be handled differently.
It might be a little faster (avoiding a wrapper and redundant checks
for special cases) to have an underlying implementation built
separately for both pow and powr with compile-time conditionals for
special-case handling, but I expect the benefit of that would be
limited given that both functions will end up needing to use the same
logic for computing pow outside of special cases.
My understanding is that powr(negative, qNaN) should raise "invalid":
that the rule on "invalid" for an argument outside the domain of the
function takes precedence over a quiet NaN argument producing a quiet
NaN result with no exceptions raised (for rootn it's explicit that the
0th root of qNaN raises "invalid"). I've raised this on the WG14
reflector to confirm the intent.
Tested for x86_64 and x86, and with build-many-glibcs.py.
elf: Canonicalize $ORIGIN in an explicit ld.so invocation [BZ 25263]
When an executable is invoked directly, we calculate $ORIGIN by calling
readlink on /proc/self/exe, which the Linux kernel resolves to the
target of any symlinks. However, if an executable is run through ld.so,
we cannot use /proc/self/exe and instead use the path given as an
argument. This leads to a different calculation of $ORIGIN, which is
most notable in that it causes ldd to behave differently (e.g., by not
finding a library) from directly running the program.
To make the behavior consistent, take advantage of the fact that the
kernel also resolves /proc/self/fd/ symlinks to the target of any
symlinks in the same manner, so once we have opened the main executable
in order to load it, replace the user-provided path with the result of
calling readlink("/proc/self/fd/N").
(On non-Linux platforms this resolution does not happen and so no
behavior change is needed.)
The __fd_to_filename requires _fitoa_word and _itoa_word, which for
32-bits pulls a lot of definitions from _itoa.c (due to _ITOA_NEEDED
being defined). To simplify the build move the required function
to a new file, _fitoa_word.c.
Checked on x86_64-linux-gnu and i686-linux-gnu.
Co-authored-by: Geoffrey Thomas <geofft@ldpreload.com>
Reviewed-by: Geoffrey Thomas <geofft@ldpreload.com>
Tested-by: Geoffrey Thomas <geofft@ldpreload.com>
nptl: Check if thread is already terminated in sigcancel_handler (BZ 32782)
The SIGCANCEL signal handler should not issue __syscall_do_cancel,
which calls __do_cancel and __pthread_unwind, if the cancellation
is already in process (and libgcc unwind is not reentrant). Any
cancellation signal received after is ignored.
Checked on x86_64-linux-gnu and aarch64-linux-gnu.
Florian Weimer [Thu, 13 Mar 2025 05:07:07 +0000 (06:07 +0100)]
nptl: PTHREAD_COND_INITIALIZER compatibility with pre-2.41 versions (bug 32786)
The new initializer and struct layout does not initialize the
__g_signals field in the old struct layout before the change in
commit c36fc50781995e6758cae2b6927839d0157f213c ("nptl: Remove
g_refs from condition variables"). Bring back fields at the end
of struct __pthread_cond_s, so that they are again zero-initialized.
The current approach tracks math maximum supported errors by explicitly
setting them per function and architecture. On newer implementations or
new compiler versions, the file is updated with newer values if it
shows higher results. The idea is to track the maximum known error, to
update the manual with the obtained values.
The constant libm-test-ulps shows little value, where it is usually a
mechanical change done by the maintainer, for past releases it is
usually ignored whether the ulp change resulted from a compiler
regression, and the math tests already have a maximum ulp error that
triggers a regression.
It was shown by a recent update after the new acosf [1] implementation
that is correctly rounded, where the libm-test-ulps was indeed from a
compiler issue.
This patch removes all arch-specific libm-test-ulps, adds system generic
libm-test-ulps where applicable, and changes its semantics. The generic
files now track specific implementation constraints, like if it is
expected to be correctly rounded, or if the system-specific has
different error expectations.
Now multiple libm-test-ulps can be defined, and system-specific
overrides generic implementation. This is for the case where
arch-specific implementation might show worse precision than generic
implementation, for instance, the cbrtf on i686.
Regressions are only reported if the implementation shows larger errors
than 9 ulps (13 for IBM long double) unless it is overridden by
libm-test-ulps and the maximum error is not printed at the end of tests.
The regen-ulps rule is also removed since it does not make sense to
update the libm-test-ulps automatically.
The manual error table is also removed, Paul Zimmermann and others have
been tracking libm precision with a more comprehensive analysis for some
releases; so link to his work instead.
Florian Weimer [Wed, 12 Mar 2025 10:29:10 +0000 (11:29 +0100)]
Makefile: Clean up pthread_atfork integration
Do not add the pthread_atfork routine again in nptl/Makefile,
instead rely on sysdeps/pthread/Makefile for the integration
(as this is the directory that contains the source file).
In sysdeps/pthread/Makefile, add to static-only-routines.
Florian Weimer [Tue, 11 Mar 2025 14:30:52 +0000 (15:30 +0100)]
elf: Test dlopen (NULL, RTLD_LAZY) from an ELF constructor
This call must not complete initialization of all shared objects
in the global scope because the ELF constructor which makes the call
likely has not finished initialization. Calling more constructors
at this point would expose those to a partially constructed
dependency.
This completes the revert of commit 9897ced8e78db5d813166a7ccccfd5a
("elf: Run constructors on cyclic recursive dlopen (bug 31986)").
Aurelien Jarno [Thu, 6 Mar 2025 18:34:15 +0000 (19:34 +0100)]
math: Remove an extra semicolon in math function declarations
Commit 6bc301672bfbd ("math: Remove __XXX math functions from installed
math.h [BZ #32418]") left an extra semicolon after macro expansion. For
instance the ceil declaration after expansion is:
Sergey Kolosov [Tue, 28 Jan 2025 22:56:26 +0000 (23:56 +0100)]
nptl: extend test coverage for sched_yield
We add sched_yield() API testing to the existing thread affinity
test case because it allows us to test sched_yield() operation
in the following scenarios:
* On a main thread.
* On multiple threads simultaneously.
* On every CPU the system reports simultaneously.
This ensures we exercise sched_yield() in as many scenarios as
we would exercise calls to the affinity functions.
Additionally, the test is improved by adding a semaphore to coordinate
all the threads running, so that an early starter thread won't consume
cpu resources that could be used to start the other threads.
Co-authored-by: DJ Delorie <dj@redhat.com>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Joseph Myers [Fri, 7 Mar 2025 19:15:26 +0000 (19:15 +0000)]
Implement C23 rsqrt
C23 adds various <math.h> function families originally defined in TS
18661-4. Add the rsqrt functions (1/sqrt(x)). The test inputs are
taken from those for sqrt.
Tested for x86_64 and x86, and with build-many-glibcs.py.
Carlos O'Donell [Thu, 20 Feb 2025 19:26:45 +0000 (14:26 -0500)]
manual: Mark perror as MT-unsafe and update check-safety.sh
The manual marked perror as MT-safe, but then listed a remark
indicating that it was unsafe because of a race between the function
and access to stderr. The function is indeed MT-unsafe because
of the unlocked access to stderr internals and bug 32730 has been
filed to address this issue.
The script manual/check-safety.sh should have caught this issue,
but a missed escaping of "?" along with searching of all inputs
again via "$@" resulted in a non-functional regexp.
In order to avoid regressions we also update check-safety.sh.
The script manual/check-safety.sh is updated in the following ways:
* The MT-unsafe remarks in MT-safe context check is fixed.
- It now detects the perror safety note mistake.
* Comments updated indicating that we allow MT context marks
to count for other contexts if they are related.
- This is why commit ad9c4c536115ba38be3e63592a632709ec8209b4
failed and the failure is now understood as expected.
* All checks now have verbose output.
* Back reference based duplicate checks are removed.
- They are too complex and don't cover all cases.
H.J. Lu [Fri, 7 Mar 2025 00:58:47 +0000 (08:58 +0800)]
elf: Check if __attribute__ ((aligned (65536))) is supported
The BZ #32763 tests fail to build for MicroBlaze (which defines
MAX_OFILE_ALIGNMENT to (32768*8) in GCC, so __attribute__ ((aligned
(65536))) is unsupported). Add a configure-time check to enable BZ #32763
tests only if __attribute__ ((aligned (65536))) is supported.
Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Reviewed-by: Sam James <sam@gentoo.org>
Samuel Thibault [Wed, 5 Mar 2025 23:14:06 +0000 (00:14 +0100)]
htl: Make __pthread_sigmask directly call __sigthreadmask
If no thread was created yet, __pthread_sigstate will not find our ss
because self->kernel_thread is still nul, and then change the global
sigstate instead of our sigstate! We can directly call __sigthreadmask and
skip the (bogus) lookup step.
powerpc was the only architecture with arch-specific hooks for
LD_SHOW_AUXV, and with the information moved to ld diagnostics there
is no need to keep the _dl_procinfo hook.
Checked with a build for all affected ABIs.
Reviewed-by: Peter Bergner <bergner@linux.ibm.com>
powerpc: Move AT_HWCAP descriptions to ld diagnostics
The ld.so diagnostics already prints AT_HWCAP values, but only in
hexadecimal. To avoid duplicating the strings, consolidate the
hwcap_names from cpu-features.h on a new file, dl-hwcap-info.h
(and it also improves the hwcap string description with more
values).
For future AT_HWCAP3/AT_HWCAP4 extensions, it is just a matter
to add them on dl-hwcap-info.c so both ld diagnostics and
tunable filtering will parse the new values.
Checked on powerpc64le-linux-gnu.
Reviewed-by: Peter Bergner <bergner@linux.ibm.com>
Add a new randomized strlen test similar to bench-random-memcpy. Instead of
repeating the same call to strlen over and over again, it times a large number
of different strings. The distribution of the string length and alignment is
based on SPEC2017.
Wilco Dijkstra [Mon, 18 Mar 2024 15:05:38 +0000 (15:05 +0000)]
benchtests: Improve large memcpy/memset benchmarks
Adjust sizes between 64KB and 16MB and iterations based on length.
Remove incorrect uses of alloc_bufs since we're not interested in measuring
Linux clear_page time. Use getpagesize() - 1 instead of 4095 when
aligning within a page.
manual: Explain sched_yield semantics with different schedulers
The manual entry for sched_yield mentions that the function call could
be a nop if there are no other tasks with the same absolute priority.
Expand the explanation to include example schedulers on Linux so that
it's clear that sched_yield may not always result in a different task
being scheduled.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Joseph Myers <josmyers@redhat.com>
Sam James [Tue, 18 Feb 2025 18:49:09 +0000 (18:49 +0000)]
Pass -Wl,--no-error-execstack for tests where -Wl,-z,execstack is used [PR32717]
When GNU Binutils is configured with --enable-error-execstack=yes, a handful
of our tests which rely on -Wl,-z,execstack fail. Pass -Wl,--no-error-execstack
to override the behaviour and get a warning instead.
Ben Kallus [Fri, 14 Feb 2025 05:34:54 +0000 (00:34 -0500)]
malloc: Add integrity check to largebin nextsizes
If an attacker overwrites the bk_nextsize link in the first chunk of a
largebin that later has a smaller chunk inserted into it, malloc will
write a heap pointer into an attacker-controlled address [0].
This patch adds an integrity check to mitigate this attack.
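An added model of the invariant such a check enforces, not the patch itself: a three-field stand-in for a chunk on a circular nextsize list. The struct, the function names and the sizes are all assumptions of this example; the simulated corruption points the first chunk's back link at a separate object so the guarded write is observable.

```c
#include <stddef.h>
#include <stdio.h>

/* Only the fields the nextsize list uses; a real malloc chunk has more.  */
struct chunk
{
  size_t size;
  struct chunk *fd_nextsize;    /* towards the next smaller size */
  struct chunk *bk_nextsize;    /* towards the next larger size */
};

/* Make C the only member of a circular nextsize list.  */
static void list_init (struct chunk *c, size_t size)
{
  c->size = size;
  c->fd_nextsize = c->bk_nextsize = c;
}

/* Link VICTIM, smaller than every member, behind FIRST (the largest chunk).
   With CHECK set, refuse when the back link of FIRST does not lead to a
   chunk whose forward link returns to FIRST.  Returns 0 when linked and -1
   when the list was found corrupted.  */
static int insert_smallest (struct chunk *first, struct chunk *victim, int check)
{
  if (check && first->bk_nextsize->fd_nextsize != first)
    return -1;
  victim->fd_nextsize = first;
  victim->bk_nextsize = first->bk_nextsize;
  first->bk_nextsize = victim;
  victim->bk_nextsize->fd_nextsize = victim;    /* the write the check guards */
  return 0;
}

/* Two checked inserts into an intact list; returns 1 if the ring is right.  */
static int intact_insert_ok (void)
{
  struct chunk first, mid, small;
  list_init (&first, 0x500);
  mid.size = 0x480;
  small.size = 0x420;
  if (insert_smallest (&first, &mid, 1) != 0
      || insert_smallest (&first, &small, 1) != 0)
    return 0;
  return first.bk_nextsize == &small && small.bk_nextsize == &mid
         && mid.fd_nextsize == &small && small.fd_nextsize == &first;
}

/* Insert into a list whose back link was redirected to STRAY, an object that
   is not on the list.  Reports the insert result and whether STRAY changed.  */
static int run_corrupted (int check, int *wrote_stray)
{
  struct chunk first, victim, stray = { 0, NULL, NULL };
  list_init (&first, 0x500);
  victim.size = 0x420;
  first.bk_nextsize = &stray;   /* simulated corruption */
  int rc = insert_smallest (&first, &victim, check);
  *wrote_stray = (stray.fd_nextsize == &victim);
  return rc;
}

static int corrupted_insert_result (int check)
{
  int wrote;
  return run_corrupted (check, &wrote);
}

static int corrupted_insert_wrote_stray (int check)
{
  int wrote;
  run_corrupted (check, &wrote);
  return wrote;
}

int main (void)
{
  printf ("intact ok=%d, checked rc=%d wrote=%d, unchecked rc=%d wrote=%d\n",
          intact_insert_ok (),
          corrupted_insert_result (1), corrupted_insert_wrote_stray (1),
          corrupted_insert_result (0), corrupted_insert_wrote_stray (0));
  return 0;
}
```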
Wilco Dijkstra [Fri, 28 Feb 2025 16:52:25 +0000 (16:52 +0000)]
Remove unused dl-procinfo.h
Remove unused _dl_hwcap_string defines. As a result many dl-procinfo.h headers
can be removed. This also removes target specific _dl_procinfo implementations
which only printed HWCAP strings using dl_hwcap_string.
This looks really bad, with expensive movfr2gr instructions, redundant
sign-extensions and masking (arguably it's a compiler
missed-optimization), and a branch. Rewrite it with inline assembly:
Note that we cannot make it more readable with
"double a = __builtin_isnanf (x) ? y : x" because this C statement only
happens to produce what we want with https://gcc.gnu.org/PR66462, if
this bug is fixed in the future the generated code may change.
Sergei Zimmerman [Tue, 25 Feb 2025 18:05:40 +0000 (18:05 +0000)]
sysdeps/ieee754: Fix remainder sign of zero for FE_DOWNWARD (BZ #32711)
Single-precision remainderf() and quad-precision remainderl()
implementation derived from Sun is affected by an issue when the result
is +-0. IEEE754 requires that if remainder(x, y) = 0, its sign shall be
that of x regardless of the rounding direction.
The implementation seems to have assumed that x - x = +0 in all
rounding modes, which is not the case. When rounding direction is
roundTowardNegative the sign of an exact zero sum (or difference) is −0.
Regression tests that triggered this erroneous behavior are added to
math/libm-test-remainder.inc.
math: Add optimization barrier to ensure a1 + u.d is not reused [BZ #30664]
A number of fma tests started to fail on hppa when gcc was changed to
use Ranger rather than EVRP. Eventually I found that the value of
a1 + u.d in this block of code was being computed in FE_TOWARDZERO
mode and not the original rounding mode:
    if (TININESS_AFTER_ROUNDING)
      {
        w.d = a1 + u.d;
        if (w.ieee.exponent == 109)
          return w.d * 0x1p-108;
      }
This caused the exponent value to be wrong and the wrong return path
to be used.
Here we add an optimization barrier after the rounding mode is reset
to ensure that the previous value of a1 + u.d is not reused.
Signed-off-by: John David Anglin <dave.anglin@bell.net>
Yangyu Chen [Mon, 24 Feb 2025 17:12:19 +0000 (01:12 +0800)]
RISC-V: Fix IFUNC resolver cannot access gp pointer
In some cases, an IFUNC resolver may need to access the gp pointer to
access global variables. Such an object may have l_relocated == 0 at
this time. In this case, an IFUNC resolver will fail to access a global
variable and cause a SIGSEGV.
This patch fixes this issue by relaxing the check of l_relocated in
elf_machine_runtime_setup, but added a check for SHARED case to avoid
using this code in static-linked executables. Such objects have already
set up the gp pointer in load_gp function and l->l_scope will be NULL if
it is a pie object. So if we use this code to set up the gp pointer
again for static-pie, it will cause a SIGSEGV in glibc as original bug
on BZ #31317.
I have also reproduced and checked BZ #31317 using the mold commit bed5b1731b ("illumos: Treat absolute symbols specially"), this patch can
fix the issue.
Also, we used the wrong gp pointer previously because ref->st_value is
not the relocated address but just the offset from the base address of
ELF. An edge case may happen if we reference gp pointer in an IFUNC
resolver in a PIE object, but it will not happen in compiler-generated
codes since -pie will disable relax to gp. In this case, the GP will be
initialized incorrectly since the ref->st_value is not the address after
relocation. This patch fixes this issue by adding the l->l_addr to
ref->st_value to get the relocated address for the gp pointer. We don't
use SYMBOL_ADDRESS macro here because __global_pointer$ is a special
symbol that has SHN_ABS type, but it will use PC-relative addressing in
the load_gp function using lla.
Closes: BZ #32269
Fixes: 96d1b9ac23 ("RISC-V: Fix the static-PIE non-relocated object check")
Co-authored-by: Vivian Wang <dramforever@live.com>
Signed-off-by: Yangyu Chen <cyy@cyyself.name>
Stefan Liebler [Mon, 24 Feb 2025 13:13:00 +0000 (14:13 +0100)]
Increase the amount of data tested in stdio-common/tst-fwrite-pipe.c
The number of iterations and the length of the string are not high
enough on some systems causing the test to return false-positives.
Testcase stdio-common/tst-fwrite-bz29459.c was fixed in the same way in 1b6f868625403d6b7683af840e87d2b18d5d7731
(Increase the amount of data tested in stdio-common/tst-fwrite-bz29459.c, 2025-02-14)
Testcases stdio-common/tst-fwrite-bz29459.c and stdio-common/tst-fwrite-pipe.c
were introduced in 596a61cf6b51ce2d58b8ca4e1d1f4fdfe1440dbc
(libio: Start to return errors when flushing fwrite's buffer [BZ #29459], 2025-01-28)
Frédéric Bérat [Fri, 29 Nov 2024 13:48:43 +0000 (14:48 +0100)]
support: Add support_next_to_fault_before support function
Refactor the support_next_to_fault and add the
support_next_to_fault_before method, which returns a buffer with a protected
page before it, to be able to test buffer underflow accesses.
Reviewed-by: Tulio Magno Quites Machado Filho <tuliom@redhat.com>
koraynilay [Sat, 22 Feb 2025 14:55:59 +0000 (15:55 +0100)]
math: Fix `unknown type name '__float128'` for clang 3.4 to 3.8.1 (bug 32694)
When compiling a program that includes <bits/floatn.h> using a clang version
between 3.4 (included) and 3.8.1 (included), clang will fail with `unknown type
name '__float128'; did you mean '__cfloat128'?`. This change fixes the clang
prerequirements macro call in floatn.h to check for clang 3.9 instead of 3.4,
since support for __float128 was actually enabled in 3.9 by:
Michael Jeanson [Fri, 14 Feb 2025 18:54:22 +0000 (13:54 -0500)]
nptl: clear the whole rseq area before registration
Due to the extensible nature of the rseq area we can't explicitly
initialize fields that are not part of the ABI yet. It was agreed with
upstream that all new fields will be documented as zero initialized by
userspace. Future kernels configured with CONFIG_DEBUG_RSEQ will
validate the content of all fields during registration.
Replace the explicit field initialization with a memset of the whole
rseq area which will cover fields as they are added to future kernels.
Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
Reviewed-by: Florian Weimer <fweimer@redhat.com>
Yury Khrustalev [Tue, 21 Jan 2025 13:33:20 +0000 (13:33 +0000)]
aarch64: Add tests for Guarded Control Stack
These tests validate that GCS tunable works as expected depending
on the GCS markings in the test binaries.
Tests validate both static and dynamically linked binaries.
These new tests are AArch64 specific. Moreover, they are included only
if linker supports the "-z gcs=<value>" option. If built, these tests
will run on systems with and without HWCAP_GCS. In the latter case the
tests will be reported as UNSUPPORTED.
Carlos O'Donell [Thu, 20 Feb 2025 01:52:14 +0000 (20:52 -0500)]
manual: Mark setlogmask as AS-unsafe and AC-unsafe.
This fixes the check-safety.sh failure with commit ad9c4c536115ba38be3e63592a632709ec8209b4, and correctly marks
the function AS-unsafe and AC-unsafe due to the use of the
non-recursive lock.
Tested on x86_64 without regressions.
Reviewed-by: Frédéric Bérat <fberat@redhat.com>
Wilco Dijkstra [Tue, 24 Dec 2024 18:01:59 +0000 (18:01 +0000)]
AArch64: Add SVE memset
Add SVE memset based on the generic memset with predicated load for sizes < 16.
Unaligned memsets of 128-1024 are improved by ~20% on average by using aligned
stores for the last 64 bytes. Performance of random memset benchmark improves
by ~2% on Neoverse V1.
H.J. Lu [Wed, 19 Feb 2025 23:08:26 +0000 (07:08 +0800)]
x86 (__HAVE_FLOAT128): Defined to 0 for Intel SYCL compiler [BZ #32723]
Intel compiler always defines __INTEL_LLVM_COMPILER. When SYCL is
enabled by -fsycl, it also defines SYCL_LANGUAGE_VERSION. Since Intel
SYCL compiler doesn't support _Float128:
https://github.com/intel/llvm/issues/16903
define __HAVE_FLOAT128 to 0 for Intel SYCL compiler.
This fixes BZ #32723.
Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Reviewed-by: Sam James <sam@gentoo.org>