Commit Graph

42045 Commits

Author SHA1 Message Date
Andreas K. Hüttel 9b2f20dd54
po: update translations (final, only timestamp and line number changes)
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
2025-01-28 13:47:28 +01:00
Andreas K. Hüttel b8c0cb4b1c
libc.pot: regenerate (only line number changes)
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
2025-01-28 12:36:07 +01:00
Andreas K. Hüttel fda82f6e80
INSTALL: update last tested version numbers
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
2025-01-28 12:31:08 +01:00
Andreas K. Hüttel 27bebf9b4f
contrib.texi: minor improvements
Mention CORE-MATH developers by name
Fix accent

Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
2025-01-27 16:30:54 +01:00
Andreas K. Hüttel 115afa9daa
NEWS: Add some more news from the 2.41 cycle
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2025-01-27 14:36:43 +01:00
Andreas K. Hüttel 604a340e91
contrib.texi: Update from 2.40..2.41 commit log
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
2025-01-27 01:06:16 +01:00
Andreas K. Hüttel 181b6258e3
NEWS: Add reference to (single) advisory
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
2025-01-26 23:30:13 +01:00
Andreas K. Hüttel 306acc0519
NEWS: Add list of bugs fixed in 2.41
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
2025-01-26 23:26:07 +01:00
Andreas K. Hüttel dc650eb715
NEWS: editorial changes (language, line breaks)
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
2025-01-26 20:09:26 +01:00
Xi Ruoyao b31ed9581b
testsuite: Make stdio-common/tst-printf-format-*-mem UNSUPPORTED if the mtrace output does not exist
When gawk was not built with MPFR, there's no mtrace output and those
tests FAIL.  But we should make them UNSUPPORTED like other
tst-printf-format-* tests in the case.

Signed-off-by: Xi Ruoyao <xry111@xry111.site>
Reviewed-by: Sam James <sam@gentoo.org>
Reviewed-by: Andreas K Hüttel <dilfridge@gentoo.org>
2025-01-26 16:15:38 +01:00
Sam James 8d55f2fb17
elf: fix 'valgrind' typo in comment 2025-01-25 05:34:20 +00:00
Sam James fc8f253d80
malloc: cleanup casts in tst-calloc
Followup to c3d1dac96b. As pointed out by
Maciej W. Rozycki, the casts are obviously useless now.

Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
2025-01-25 05:34:05 +00:00
H.J. Lu 8ab34497de stdlib: Test using setenv with updated environ [BZ #32588]
Add a test for setenv with updated environ.  Verify that BZ #32588 is
fixed.

Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Reviewed-by: Florian Weimer <fweimer@redhat.com>
2025-01-25 07:31:41 +08:00
Aurelien Jarno aba14403c6 LICENSES: update CORE-MATH copyright
Many more files from the CORE-MATH have been added. Also update the
authors and copyright years.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2025-01-24 23:21:49 +01:00
Aurelien Jarno 1ed3e44688 LICENSES: update location of getaddrinfo.c and getnameinfo.c
posix/getaddrinfo.c got moved into nss/getaddrinfo.c in commit
7f602256ab ("Move getaddrinfo from 'posix' into 'nss'")

inet/getnameinfo.c got moved into nss/getnameinfo.c in commit
2f1c 6652 d7b3 ("Move getnameinfo from 'inet' to 'nss'")

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2025-01-24 23:21:49 +01:00
Aurelien Jarno 4871ab841b LICENSES: remove Intel License Agreement
The corresponding files are gone with the IA64 removal in commit
460860f457 ("Remove ia64-linux-gnu").

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2025-01-24 23:21:49 +01:00
Florian Weimer 12b4a1fc6e stdlib: Re-implement free (environ) compatibility kludge for setenv
For the originally failing application (userhelper from usermode),
it is not actually necessary to call realloc on the environ
pointer.  Yes, there will be a memory leak because the application
assigns a heap-allocated pointer to environ that it never frees,
but this leak was always there: the old realloc-based setenv had
a hidden internal variable, last_environ, that was used in a similar
way to __environ_array_list.  The application is not impacted by
the leak anyway because the relevant operations do not happen in
a loop.

The change here just uses a separte heap allocation and points
environ to that.  This means that if an application calls
free (environ) and restores the environ pointer to the value
at process start, and does not modify the environment further,
nothing bad happens.

This change should not invalidate any previous testing that went into
the original getenv thread safety change, commit 7a61e7f557
("stdlib: Make getenv thread-safe in more cases").

The new test cases are modeled in part on the env -i use case from
bug 32588 (with !DO_MALLOC && !DO_EARLY_SETENV), and the previous
stdlib/tst-setenv-malloc test.  The DO_MALLOC && !DO_EARLY_SETENV
case in the new test should approximate what userhelper from the
usermode package does.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2025-01-24 22:37:49 +01:00
Florian Weimer 36fcdfbbc5 Revert "stdlib: Support malloc-managed environ arrays for compatibility"
This reverts commit b62759db04.

Reason for revert: Incompatible with “env -i” and coreutils (bug 32588).

Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
2025-01-24 12:25:29 +01:00
Florian Weimer b62759db04 stdlib: Support malloc-managed environ arrays for compatibility
Some applications set environ to a heap-allocated pointer, call
setenv (expecting it to call realloc), free environ, and then
restore the original environ pointer.  This breaks after
commit 7a61e7f557 ("stdlib: Make
getenv thread-safe in more cases") because after the setenv call,
the environ pointer does not point to the start of a heap allocation.
Instead, setenv creates a separate allocation and changes environ
to point into that.  This means that the free call in the application
results in heap corruption.

The interim approach was more compatible with other libcs because
it does not assume that the incoming environ pointer is allocated
as if by malloc (if it was written by the application).  However,
it seems to be more important to stay compatible with previous
glibc version: assume the incoming pointer is heap allocated,
and preserve this property after setenv calls.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2025-01-23 17:43:15 +01:00
Andreas K. Hüttel 76c3f7f81b
po: Incorporate translations
be ca cs da de el eo es fi fr gl hr hu ia id it ja ka ko lt nb nl pl pt ro ru rw sk sl sr sv tr uk vi zh_CN zh_TW

Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
2025-01-22 22:51:01 +01:00
Siddhesh Poyarekar d9dcfe766e Update advisory GLIBC-SA-2025-0001 (2.40)
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2025-01-22 09:41:05 -05:00
Siddhesh Poyarekar 94e908cee9 Add advisory text for CVE-2025-0395
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2025-01-22 08:23:53 -05:00
Siddhesh Poyarekar 68ee0f704c Fix underallocation of abort_msg_s struct (CVE-2025-0395)
Include the space needed to store the length of the message itself, in
addition to the message string.  This resolves BZ #32582.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2025-01-22 08:17:17 -05:00
Yury Khrustalev d4626340b9
NEWS: Add note on Guarded Control Stack support
Reviewed-by: Andreas K. Huettel <dilfridge@gentoo.org>
2025-01-21 21:34:03 +01:00
Paul Pluzhnikov c6b6a8cf04 Fix typo: _POSIX_REATIME_SIGNALS -> _POSIX_REALTIME_SIGNALS [BZ# 32515]
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2025-01-21 15:03:42 +00:00
Yury Khrustalev 50eaf54883 aarch64: Add HWCAP_GCS
Use upper 32 bits of HWCAP.

Reviewed-by: Andreas K. Huettel <dilfridge@gentoo.org>
2025-01-21 11:45:14 +00:00
Florian Weimer 71b49e299d nptl: Include <stdbool.h> in tst-skeleton-affinity-inheritance.c
The file uses the identifiers bool, false, true.
2025-01-21 10:37:54 +01:00
Florian Weimer 1ac28b7818 stdlib: Test for expected sequence of random numbers from rand
As the test comment explains, this test is not quite valid, but
preserving the exact sequences helps distributions to port to
newer glibc versions.  We can remove this test if we ever switch
to a different implementation.

Reviewed-by: Noah Goldstein <goldstein.w.n@gmail.com>
2025-01-20 21:31:59 +01:00
Florian Weimer 33b684e019 stdlib: Fix unintended change to the random_r implementation
Commit d5bceac99d changed the sequence
of random numbers.  This was completely unintended.  The statistical
properties of the new sequences are unclear, so restore the old
behavior.

Fixes commit d5bceac99d ("stdlib:
random_r: fix unaligned access in initstate and initstate_r
[BZ #30584]").

Reviewed-by: Noah Goldstein <goldstein.w.n@gmail.com>
2025-01-20 21:31:55 +01:00
Florian Weimer a3131e71cf elf: Make tst-ro-dynamic-mod.map compatible with older binutils
Older versions such as binutils 2.35.2 do not recognize
PT_GNU_PROPERTY.

Fixes commit d3f2b71ef1
("aarch64: Fix tests not compatible with targets supporting GCS").
2025-01-20 20:35:10 +01:00
Michael Jeanson 5eafafc46c NEWS: Add the extensible rseq ABI to new features
Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
Reviewed-by: Florian Weimer <fweimer@redhat.com>
2025-01-20 18:47:11 +00:00
Florian Weimer b3a6bd625c Linux: Do not check unused bytes after sched_getattr in tst-sched_setattr
Linux 6.13 was released with a change that overwrites those bytes.
This means that the check_unused subtest fails.

Update the manual accordingly.

Tested-by: Xi Ruoyao <xry111@xry111.site>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2025-01-20 15:20:57 +01:00
Florian Weimer 89e61e96b7 i386: Update ulps for *pi functions
As seen with GCC 11.5 on an AMD Ryzen 9 7950X CPU, with an
-fpmath=sse, --disable-multi-arch build of glibc.
2025-01-20 11:34:38 +01:00
Yury Khrustalev d3f2b71ef1 aarch64: Fix tests not compatible with targets supporting GCS
- Add GCS marking to some of the tests when target supports GCS
 - Fix tst-ro-dynamic-mod.map linker script to avoid removing
   GNU properties
 - Add header with macros for GNU properties

Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
2025-01-20 09:36:19 +00:00
Szabolcs Nagy a335acb8b8 aarch64: Use __alloc_gcs in makecontext
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2025-01-20 09:36:19 +00:00
Szabolcs Nagy 3d8da0d91b aarch64: Add GCS user-space allocation logic
Allocate GCS based on the stack size, this can be used for coroutines
(makecontext) and thread creation (if the kernel allows user allocated
GCS).

Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
2025-01-20 09:36:19 +00:00
Szabolcs Nagy d3df351338 aarch64: Process gnu properties in static exe
Unlike for BTI, the kernel does not process GCS properties so update
GL(dl_aarch64_gcs) before the GCS status is set.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2025-01-20 09:36:19 +00:00
Szabolcs Nagy 29476485f9 aarch64: Ignore GCS property of ld.so
check_gcs is called for each dependency of a DSO, but the GNU property
of the ld.so is not processed so ldso->l_mach.gcs may not be correct.
Just assume ld.so is GCS compatible independently of the ELF marking.

Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
2025-01-20 09:36:19 +00:00
Szabolcs Nagy 4d56a5bbd6 aarch64: Handle GCS marking
- Handle GCS marking
 - Use l_searchlist.r_list for gcs (allows using the
   same function for static exe)

Co-authored-by: Yury Khrustalev <yury.khrustalev@arm.com>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2025-01-20 09:35:56 +00:00
Szabolcs Nagy 8d516b6f85 aarch64: Use l_searchlist.r_list for bti
Allows using the same function for static exe.

Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
2025-01-20 09:31:47 +00:00
Szabolcs Nagy 76b79f7241 aarch64: Mark objects with GCS property note
Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2025-01-20 09:31:47 +00:00
Szabolcs Nagy 01f52b11de aarch64: Enable GCS in dynamic linked exe
Use the dynamic linker start code to enable GCS in the dynamic linked
case after _dl_start returns and before _dl_start_user which marks
the point after which user code may run.

Like in the static linked case this ensures that GCS is enabled on a
top level stack frame.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2025-01-20 09:31:47 +00:00
Szabolcs Nagy b81ee54bc9 aarch64: Enable GCS in static linked exe
Use the ARCH_SETUP_TLS hook to enable GCS in the static linked case.
The system call must be inlined and then GCS is enabled on a top
level stack frame that does not return and has no exception handlers
above it.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2025-01-20 09:31:47 +00:00
Szabolcs Nagy 9ad3d9267d aarch64: Add glibc.cpu.aarch64_gcs tunable
This tunable controls Guarded Control Stack (GCS) for the process.

0 = disabled: do not enable GCS
1 = enforced: check markings and fail if any binary is not marked
2 = optional: check markings but keep GCS off if a binary is unmarked
3 = override: enable GCS, markings are ignored

By default it is 0, so GCS is disabled, value 1 will enable GCS.

The status is stored into GL(dl_aarch64_gcs) early and only applied
later, since enabling GCS is tricky: it must happen on a top level
stack frame. Using GL instead of GLRO because it may need updates
depending on loaded libraries that happen after readonly protection
is applied, however library marking based GCS setting is not yet
implemented.

Describe new tunable in the manual.

Co-authored-by: Yury Khrustalev <yury.khrustalev@arm.com>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2025-01-20 09:31:33 +00:00
Szabolcs Nagy 3ac237fb71 aarch64: Add GCS support for makecontext
Changed the makecontext logic: previously the first setcontext jumped
straight to the user callback function and the return address is set
to __startcontext. This does not work when GCS is enabled as the
integrity of the return address is protected, so instead the context
is setup such that setcontext jumps to __startcontext which calls the
user callback (passed in x20).

The map_shadow_stack syscall is used to allocate a suitably sized GCS
(which includes some reserved area to account for altstack signal
handlers and otherwise supports maximum number of 16 byte aligned
stack frames on the given stack) however the GCS is never freed as
the lifetime of ucontext and related stack is user managed.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2025-01-20 09:22:41 +00:00
Szabolcs Nagy 7d22054db7 aarch64: Mark swapcontext with indirect_return
Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2025-01-20 09:22:41 +00:00
Szabolcs Nagy 9885d13b66 aarch64: Add GCS support for setcontext
Userspace ucontext needs to store GCSPR, it does not have to be
compatible with the kernel ucontext. For now we use the linux
struct gcs_context layout but only use the gcspr field from it.

Similar implementation to the longjmp code, supports switching GCS
if the target GCS is capped, and unwinding a continuous GCS to a
previous state.

Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2025-01-20 09:22:41 +00:00
Szabolcs Nagy 1cf59c2603 aarch64: Add GCS support to vfork
Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2025-01-20 09:22:41 +00:00
Szabolcs Nagy 5ff5e7836e aarch64: Add GCS support to longjmp
This implementations ensures that longjmp across different stacks
works: it scans for GCS cap token and switches GCS if necessary
then the target GCSPR is restored with a GCSPOPM loop once the
current GCSPR is on the same GCS.

This makes longjmp linear time in the number of jumped over stack
frames when GCS is enabled.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
2025-01-20 09:22:41 +00:00
Szabolcs Nagy 13cbbb0cb2 aarch64: Define jmp_buf offset for GCS
The target specific internal __longjmp is called with a __jmp_buf
argument which has its size exposed in the ABI. On aarch64 this has
no space left, so GCSPR cannot be restored in longjmp in the usual
way, which is needed for the Guarded Control Stack (GCS) extension.

setjmp is implemented via __sigsetjmp which has a jmp_buf argument
however it is also called with __pthread_unwind_buf_t argument cast
to jmp_buf (in cancellation cleanup code built with -fno-exception).
The two types, jmp_buf and __pthread_unwind_buf_t, have common bits
beyond the __jmp_buf field and there is unused space there which we
can use for saving GCSPR.

For this to work some bits of those two generic types have to be
reserved for target specific use and the generic code in glibc has
to ensure that __longjmp is always called with a __jmp_buf that is
embedded into one of those two types. Morally __longjmp should be
changed to take jmp_buf as argument, but that is an intrusive change
across targets.

Note: longjmp is never called with __pthread_unwind_buf_t from user
code, only the internal __libc_longjmp is called with that type and
thus the two types could have separate longjmp implementations on a
target. We don't rely on this now (but might in the future given that
cancellation unwind does not need to restore GCSPR).

Given the above this patch finds an unused slot for GCSPR. This
placement is not exposed in the ABI so it may change in the future.
This is also very target ABI specific so the generic types cannot
be easily changed to clearly mark the reserved fields.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
2025-01-20 09:22:41 +00:00