| Commit message (Expand) | Author | Age | Files | Lines |
|---|
| * | fix shm_open wrongly being cancellable | Rich Felker | 2013-07-20 | 1 | -1/+6 |
| * | fix uninitialized/stale use of alloc (%m modifier) flag in scanf•••for conversion specifiers, alloc is always set when the specifier is
parsed. however, if scanf stops due to mismatching literal text,
either an uninitialized (if no conversions have been performed yet) or
stale (from the previous conversion) of the flag will be used,
possibly causing an invalid pointer to be passed to free when the
function returns.
| Rich Felker | 2013-07-20 | 2 | -0/+4 |
| * | harden realloc/free to detect simple overflows•••the sizes in the header and footer for a chunk should always match. if
they don't, the program has definitely invoked undefined behavior, and
the most likely cause is a simple overflow, either of a buffer in the
block being freed or the one just below it.
crashing here should not only improve security of buggy programs, but
also aid in debugging, since the crash happens in a context where you
have a pointer to the likely-overflowed buffer.
| Rich Felker | 2013-07-19 | 1 | -0/+6 |
| * | improve [f]stat[v]fs functions, and possibly work around old kernels•••the main aim of this patch is to ensure that if not all fields are
filled in, they contain zeros, so as not to confuse applications.
reportedly some older kernels, including commonly used openvz kernels,
lack the f_flags field, resulting in applications reading random junk
as the mount flags; the common symptom seems to be wrongly considering
the filesystem to be mounted read-only and refusing to operate. glibc
has some amazingly ugly fallback code to get the mount flags for old
kernels, but having them really is not that important anyway; what
matters most is not presenting incorrect flags to the application.
I have also aimed to fill in some fields of statvfs that were
previously missing, and added code to explicitly zero the reserved
space at the end of the structure, which will make things easier in
the future if this space someday needs to be used.
| Rich Felker | 2013-07-19 | 1 | -2/+5 |
| * | change uid_t, gid_t, and id_t to unsigned types•••this change is both to fix one of the remaining type (and thus C++
ABI) mismatches with glibc/LSB and to allow use of the full range of
uid and gid values, if so desired.
passwd/group access functions were not prepared to deal with unsigned
values, so they too have been fixed with this commit.
| Rich Felker | 2013-07-19 | 2 | -6/+20 |
| * | make the dynamic linker find its path file relative to its own location•••prior to this change, using a non-default syslibdir was impractical on
systems where the ordinary library paths contain musl-incompatible
library files. the file containing search paths was always taken from
/etc, which would either correspond to a system-wide musl
installation, or fail to exist at all, resulting in searching of the
default library path.
the new search strategy is safe even for suid programs because the
pathname used comes from the PT_INTERP header of the program being
run, rather than any external input.
as part of this change, I have also begun differentiating the names of
arch variants that differ by endianness or floating point calling
convention. the corresponding changes in the build system and and gcc
wrapper script (to use an alternate dynamic linker name) for these
configurations have not yet been made.
| Rich Felker | 2013-07-18 | 1 | -1/+20 |
| * | fix off-by-one error in checks for implementation-internal signal numbers | Rich Felker | 2013-07-18 | 3 | -3/+3 |
| * | make posix_spawn (and functions that use it) use CLONE_VFORK flag•••this is both a minor scheduling optimization and a workaround for a
difficult-to-fix bug in qemu app-level emulation.
from the scheduling standpoint, it makes no sense to schedule the
parent thread again until the child has exec'd or exited, since the
parent will immediately block again waiting for it.
on the qemu side, as regular application code running on an underlying
libc, qemu cannot make arbitrary clone syscalls itself without
confusing the underlying implementation. instead, it breaks them down
into either fork-like or pthread_create-like cases. it was treating
the code in posix_spawn as pthread_create-like, due to CLONE_VM, which
caused horribly wrong behavior: CLONE_FILES broke the synchronization
mechanism, CLONE_SIGHAND broke the parent's signals, and CLONE_THREAD
caused the child's exec to end the parent -- if it hadn't already
crashed. however, qemu special-cases CLONE_VFORK and emulates that
with fork, even when CLONE_VM is also specified. this also gives
incorrect semantics for code that really needs the memory sharing, but
posix_spawn does not make use of the vm sharing except to avoid
momentary double commit charge.
programs using posix_spawn (including via popen) should now work
correctly under qemu app-level emulation.
| Rich Felker | 2013-07-17 | 1 | -1/+2 |
| * | fix missing argument in variadic syscall macros•••for 0-argument syscalls (1 argument to the macro, the syscall number),
the __SYSCALL_NARGS_X macro's ... argument was not satisfied. newer
compilers seem to care about this.
| Rich Felker | 2013-07-17 | 1 | -1/+1 |
| * | fix error code on time conversion overflows•••POSIX mandates EOVERFLOW for this condition.
| Rich Felker | 2013-07-17 | 4 | -4/+4 |
| * | fix fd leak in file mapping code used in new zoneinfo support | Rich Felker | 2013-07-17 | 1 | -1/+1 |
| * | the big time handling overhaul•••this commit has two major user-visible parts: zoneinfo-format time
zones are now supported, and overflow handling is intended to be
complete in the sense that all functions return a correct result if
and only if the result fits in the destination type, and otherwise
return an error. also, some noticable bugs in the way DST detection
and normalization worked have been fixed, and performance may be
better than before, but it has not been tested.
| Rich Felker | 2013-07-17 | 18 | -348/+649 |
| * | fix omission of dtv setup in static linked programs on TLS variant I archs•••apparently this was never noticed before because the linker normally
optimizes dynamic TLS models to non-dynamic ones when static linking,
thus eliminating the calls to __tls_get_addr which crash when the dtv
is missing. however, some libsupc++ code on ARM was calling
__tls_get_addr when static linked and crashing. the reason is unclear
to me, but with this issue fixed it should work now anyway.
| Rich Felker | 2013-07-13 | 1 | -1/+1 |
| * | fix invalid library phdr pointers passed to callback from dl_iterate_phdr•••map_library was saving pointers to an automatic-storage buffer rather
than pointers into the mapping. this should be a fairly simple fix,
but the patch here is slightly complicated by two issues:
1. supporting gratuitously obfuscated ELF files where the program
headers are not right at the beginning of the file.
2. cleaning up the map_library function so that data isn't clobbered
by the time we need it.
| Rich Felker | 2013-07-10 | 1 | -9/+16 |
| * | fix a couple misleading/wrong signal descriptions in strsignal•••there are still several more that are misleading, but SIGFPE (integer
division error misdescribed as floating point) and and SIGCHLD
(possibly non-exit status change events described as exiting) were the
worst offenders.
| Rich Felker | 2013-07-09 | 1 | -2/+2 |
| * | add realtime signals to strsignal•••the name format RTnn/RTnnn was chosen to minimized bloat while
uniquely identifying the signal.
| Rich Felker | 2013-07-09 | 1 | -3/+19 |
| * | fix off-by-one array bound in strsignal | Rich Felker | 2013-07-09 | 1 | -1/+1 |
| * | fix bogus lazy allocation in ctermid and missing malloc failure check•••also clean up, optimize, and simplify the code, removing branches by
simply pre-setting the result string to an empty string, which will be
preserved if other operations fail.
| Rich Felker | 2013-07-09 | 1 | -10/+7 |
| * | fix fd leak on races and cancellation in ctermid | Rich Felker | 2013-07-09 | 1 | -2/+3 |
| * | fix missing SOCK_CLOEXEC in various functions that use sockets internally | Rich Felker | 2013-07-09 | 4 | -4/+4 |
| * | move core memalign code from aligned_alloc to __memalign•••there are two motivations for this change. one is to avoid
gratuitously depending on a C11 symbol for implementing a POSIX
function. the other pertains to the documented semantics. C11 does not
define any behavior for aligned_alloc when the length argument is not
a multiple of the alignment argument. posix_memalign on the other hand
places no requirements on the length argument. using __memalign as the
implementation of both, rather than trying to implement one in terms
of the other when their documented contracts differ, eliminates this
confusion.
| Rich Felker | 2013-07-04 | 3 | -49/+55 |
| * | move alignment check from aligned_alloc to posix_memalign•••C11 has no requirement that the alignment be a multiple of
sizeof(void*), and in fact seems to require any "valid alignment
supported by the implementation" to work. since the alignment of char
is 1 and thus a valid alignment, an alignment argument of 1 should be
accepted.
| Rich Felker | 2013-07-04 | 2 | -1/+2 |
| * | add stubs for additional legacy ether.h functions•••these would not be expensive to actually implement, but reading
/etc/ethers does not sound like a particularly useful feature, so for
now I'm leaving them as stubs.
| Rich Felker | 2013-07-01 | 1 | -0/+15 |
| * | fix failure of mbsrtowcs to record stop position when dest is full | Rich Felker | 2013-06-29 | 1 | -1/+4 |
| * | implement minimal dlinfo function | Rich Felker | 2013-06-29 | 2 | -0/+20 |
| * | add some comments about the mips ksigaction structure weirdness | Rich Felker | 2013-06-29 | 1 | -0/+3 |
| * | fix missing synchronization in calls from dynamic linker to global ctors•••this change is needed to correctly handle the case where a constructor
creates a new thread which calls dlopen. previously, the lock was not
held in this case. the reason for the complex logic to avoid locking
whenever possible is that, since the mutex is recursive, it will need
to inspect the thread pointer to get the current thread's tid, and
this requires initializing the thread pointer. we do not want
non-multi-threaded programs to attempt to access the thread pointer
unnecessarily; doing so could make them crash on ancient kernels that
don't support threads but which may otherwise be capable of running
the program.
| Rich Felker | 2013-06-29 | 1 | -0/+4 |
| * | prevent shmget from allocating objects that overflow ptrdiff_t•••rather than returning an error, we have to increase the size argument
so high that the kernel will have no choice but to fail. this is
because POSIX only permits the EINVAL error for size errors when a new
shared memory segment would be created; if it already exists, the size
argument must be ignored. unfortunately Linux is non-conforming in
this regard, but I want to keep the code correct in userspace anyway
so that if/when Linux is fixed, the behavior applications see will be
conforming.
| Rich Felker | 2013-06-29 | 1 | -0/+2 |
| * | work around wrong kernel type for sem_nsems member of struct semid_ds•••rejecting invalid values for n is fine even in the case where a new
sem will not be created, since the kernel does its range checks on n
even in this case as well.
by default, the kernel will bound the limit well below USHRT_MAX
anyway, but it's presumably possible that an administrator could
override this limit and break things.
| Rich Felker | 2013-06-28 | 1 | -0/+7 |
| * | implement week-based-year year numbers in strftime•••in the process, I refactored the week-number code so it can be used by
the week-based-year formats to determine year adjustments at the
boundary values. this also improves indention/code readability.
| Rich Felker | 2013-06-28 | 1 | -27/+34 |
| * | fix breakage in last commit to strftime due to missing INT_MAX•••that's what I get for changing a hard-coded threshold to a proper
non-magic-number without testing.
| Rich Felker | 2013-06-28 | 1 | -0/+1 |
| * | implement week numbers and half of the week-based-year logic for strftime•••output for plain week numbers (%U and %W) has been sanity-checked, and
output for the week-based-year week numbers (%V) has been checked
extensively against known-good data for the full non-negative range of
32-bit time_t.
year numbers for week-based years (%g and %G) are not yet implemented.
| Rich Felker | 2013-06-28 | 1 | -3/+38 |
| * | disallow creation of objects larger than PTRDIFF_MAX via mmap•••internally, other parts of the library assume sizes don't overflow
ssize_t and/or ptrdiff_t, and the way this assumption is made valid is
by preventing creating of such large objects. malloc already does so,
but the check was missing from mmap.
this is also a quality of implementation issue: even if the
implementation internally could handle such objects, applications
could inadvertently invoke undefined behavior by subtracting pointers
within an object. it is very difficult to guard against this in
applications, so a good implementation should simply ensure that it
does not happen.
| Rich Felker | 2013-06-27 | 1 | -0/+5 |
| * | fix syscall argument bug in pthread_getschedparam•••the address of the pointer to the sched param, rather than the
pointer, was being passed to the kernel.
| Rich Felker | 2013-06-26 | 1 | -1/+1 |
| * | fix temp file leak in sem_open on successful creation of new semaphore | Rich Felker | 2013-06-26 | 1 | -2/+2 |
| * | fix bug whereby sem_open leaked its own internal slots on failure | Rich Felker | 2013-06-26 | 1 | -3/+6 |
| * | in sem_open, don't leak vm mapping if fstat fails•••fstat should not fail under normal circumstances, so this fix is
mostly theoretical.
| Rich Felker | 2013-06-26 | 1 | -2/+2 |
| * | fix failure of pthread_setschedparam to pass correct param to kernel•••the address of the pointer, rather than the pointer, was being passed.
this was probably a copy-and-paste error from corresponding get code.
| Rich Felker | 2013-06-26 | 1 | -1/+1 |
| * | document in sysconf and unistd.h that per-thread cpu clocks exist | Rich Felker | 2013-06-26 | 1 | -1/+1 |
| * | fix iconv conversion to legacy 8bit codepages•••this seems to have been a simple copy-and-paste error from the code
for converting from legacy codepages.
| Rich Felker | 2013-06-26 | 1 | -2/+2 |
| * | remove useless conditional before free from dynamic linker path code | Rich Felker | 2013-06-26 | 1 | -1/+1 |
| * | fix dynamic linker handling of empty path file or error reading path file•••previously, the path string was being used despite being invalid. with
this change, empty path file or error reading the path file is treated
as an empty path. this is preferable to falling back to a default
path, so that attacks to prevent reading of the path file could not
result in loading incorrect and possibly dangerous (outdated or
mismatching ABI) libraries from.
the code to strip the final newline has also been removed; now that
newline is accepted as a delimiter, it's harmless to leave it in
place.
| Rich Felker | 2013-06-26 | 1 | -4/+3 |
| * | make newline-delimited dynamic linker path file actually work•••apparently the original commit was never tested properly, since
getline was only ever reading one line. the intent was to read the
entire file, so use getdelim with the null byte as delimiter as a
cheap way to read a whole file into memory.
| Rich Felker | 2013-06-25 | 1 | -1/+1 |
| * | implement inet_lnaof, inet_netof, and inet_makeaddr•••also move all legacy inet_* functions into a single file to avoid
wasting object file and compile time overhead on them.
the added functions are legacy interfaces for working with classful
ipv4 network addresses. they have no modern usefulness whatsoever, but
some programs unconditionally use them anyway, and they're tiny.
| Rich Felker | 2013-06-25 | 5 | -39/+55 |
| * | add ether_aton[_r] and ether_ntoa[_r] functions•••based on patch by Strake with minor stylistic changes, and combined
into a single file. this patch remained open for a long time due to
some question as to whether ether_aton would be better implemented in
terms of sscanf, and it's time something was committed, so here it is.
| Rich Felker | 2013-06-25 | 1 | -0/+43 |
| * | fix scanf %c conversion wrongly storing a terminating null byte•••this seems to have been a regression from the refactoring which added
the 'm' modifier.
| Rich Felker | 2013-06-22 | 2 | -4/+8 |
| * | fix major scanf breakage with unbuffered streams, fmemopen, etc.•••the shgetc api, used internally in scanf and int/float scanning code
to handle field width limiting and pushback, was designed assuming
that pushback could be achieved via a simple decrement on the file
buffer pointer. this only worked by chance for regular FILE streams,
due to the linux readv bug workaround in __stdio_read which moves the
last requested byte through the buffer rather than directly back to
the caller. for unbuffered streams and streams not using __stdio_read
but some other underlying read function, the first character read
could be completely lost, and replaced by whatever junk happened to be
in the unget buffer.
to fix this, simply have shgetc, when it performs an underlying read
operation on the stream, store the character read at the -1 offset
from the read buffer pointer. this is valid even for unbuffered
streams, as they have an unget buffer located just below the start of
the zero-length buffer. the check to avoid storing the character when
it is already there is to handle the possibility of read-only buffers.
no application-exposed FILE types are allowed to use read-only
buffers, but sscanf and strto* may use them internally when calling
functions which use the shgetc api.
| Rich Felker | 2013-06-22 | 1 | -0/+1 |
| * | fix invalid access in aio notification•••issue found and patch provided by Jens Gustedt. after the atomic store
to the error code field of the aiocb, the application is permitted to
free or reuse the storage, so further access is invalid. instead, use
the local copy that was already made.
| Rich Felker | 2013-06-16 | 1 | -1/+1 |
| * | fix uninitialized variable in lio (aio) code | Rich Felker | 2013-06-16 | 1 | -1/+1 |
| * | improve the quality of output from rand_r•••due to the interface requirement of having the full state contained in
a single object of type unsigned int, it is difficult to provide a
reasonable-quality implementation; most good PRNGs are immediately
ruled out because they need larger state. the old rand_r gave very
poor output (very short period) in its lower bits; normally, it's
desirable to throw away the low bits (as in rand()) when using a LCG,
but this is not possible since the state is only 32 bits and we need
31 bits of output.
glibc's rand_r uses the same LCG as musl's, but runs it for 3
iterations and only takes 10-11 bits from each iteration to construct
the output value. this partially fixes the period issue, but
introduces bias: not all outputs have the same frequency, and many do
not appear at all. with such a low period, the bias is likely to be
observable.
I tried many approaches to "fix" rand_r, and the simplest I found
which made it pass the "dieharder" tests was applying this
transformation to the output. the "temper" function is taken from
mersenne twister, where it seems to have been chosen for some rigorous
properties; here, the only formal property I'm using is that it's
one-to-one and thus avoids introducing bias.
should further deficiencies in rand_r be reported, the obvious "best"
solution is applying a 32-bit cryptographic block cipher in CTR mode.
I identified several possible ciphers that could be used directly or
adapted, but as they would be a lot slower and larger, I do not see a
justification for using them unless the current rand_r proves
deficient for some real-world use.
| Rich Felker | 2013-06-12 | 1 | -1/+10 |
