Explain the security issue and set context for the vulnerability to help
downstreams get a better understanding of the issue.
Reviewed-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
The wordexp fails to properly initialize the input wordexp_t when
WRDE_REUSE is used. The wordexp_t struct is properly freed, but
reuses the old wc_wordc value and updates the we_wordv in the
wrong position. A later wordfree will then call free with an
invalid pointer.
Checked on x86_64-linux-gnu and i686-linux-gnu.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Reported-by: H. J. Lu <hjl.tools@gmail.com>
Signed-off-by: Xi Ruoyao <xry111@xry111.site>
Reviewed-by: Florian Weimer <fweimer@redhat.com>
Tested-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
The previous default for LD_PROFILE_OUTPUT, /var/tmp, is insecure
because it's typically a 1777 directory, and other systems could
place malicious files there which interfere with execution.
Requiring the user to specify a profiling directory mitigates
the impact of bug 33797. Clear LD_PROFILE_OUTPUT alongside
LD_PROFILE.
Rework the test not to use predictable file names.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
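The commit above explains why a fixed, world-writable (1777) output directory is unsafe: another user can pre-place a file or symlink under a guessable name. The following C code is an added illustration, not glibc's profiling code. It opens an output file in a caller-supplied directory with O_CREAT|O_EXCL|O_NOFOLLOW so that a planted file or link makes the open fail instead of being written through, and demo_run() exercises that in a freshly created temporary directory. The function names and the constructed directory/file names are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added illustration, not glibc's own code.  Open DIR/NAME for writing,
   refusing if anything already exists at that path (O_EXCL) and refusing
   to follow a symbolic link (O_NOFOLLOW).  In a 1777 directory another
   user can pre-create a file or link with a guessable name; with these
   flags the open fails instead of writing through it.
   Returns the descriptor, or -1 with errno set. */
int open_output_exclusive(const char *dir, const char *name)
{
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0)
        return -1;
    int fd = openat(dfd, name,
                    O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC,
                    0600);
    int saved = errno;
    close(dfd);
    errno = saved;
    return fd;
}

/* Exercise the helper inside a private mkdtemp directory:
   step 2: the first exclusive open succeeds;
   step 3: a second open of the same name fails with EEXIST;
   step 4/5: a symlink planted under a guessable name is rejected
             (EEXIST from O_EXCL or ELOOP from O_NOFOLLOW) rather
             than followed.
   Returns 0 on success, otherwise the number of the failing step. */
int demo_run(void)
{
    char dir[] = "/tmp/profile-demo.XXXXXX";   /* constructed template */
    if (mkdtemp(dir) == NULL)
        return 1;

    char out_path[64], link_path[64];
    snprintf(out_path, sizeof out_path, "%s/prof.out", dir);
    snprintf(link_path, sizeof link_path, "%s/planted", dir);

    int rc = 0;
    int fd = open_output_exclusive(dir, "prof.out");
    if (fd < 0) {
        rc = 2;
    } else {
        close(fd);
        /* The name now exists, so a second exclusive open must fail. */
        if (open_output_exclusive(dir, "prof.out") >= 0 || errno != EEXIST)
            rc = 3;
    }

    /* Simulate a planted link pointing somewhere we must not write. */
    if (rc == 0 && symlink("/dev/null", link_path) != 0)
        rc = 4;
    if (rc == 0) {
        int lfd = open_output_exclusive(dir, "planted");
        if (lfd >= 0) {
            close(lfd);          /* followed the link: that is the failure */
            rc = 5;
        } else if (errno != EEXIST && errno != ELOOP) {
            rc = 5;
        }
    }

    /* Best-effort cleanup of the constructed files and directory. */
    unlink(out_path);
    unlink(link_path);
    rmdir(dir);
    return rc;
}
```

The point of the contrast is that the defence is in the open flags plus a directory the user controls, not in the file name alone: even an unpredictable name does not help if the directory is writable by others and the open follows whatever it finds.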
Explain the security issue and set context for the vulnerability to help
downstreams get a better understanding of the issue.
Reviewed-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
Explain the security issue and set context for the vulnerability to help
downstreams get a better understanding of the issue.
Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
The default network value of zero for net was never tested for and
results in a DNS query constructed from uninitialized stack bytes.
The solution is to provide a default query for the case where net
is zero.
Adding a test case for this was straightforward given the existence of
tst-resolv-network and if the test is added without the fix you observe
this failure:
FAIL: resolv/tst-resolv-network
original exit status 1
error: tst-resolv-network.c:174: invalid QNAME: \146\218\129\128
error: 1 test failures
With a random QNAME resulting from the use of uninitialized stack bytes.
After the fix the test passes.
Additionally verified using wireshark before and after to ensure
on-the-wire bytes for the DNS query were as expected.
No regressions on x86_64.
Reviewed-by: Florian Weimer <fweimer@redhat.com>
The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the
overflow check for alignment in memalign functions, _mid_memalign and
_int_memalign. Reinstate the overflow check in _int_memalign, aligned
with the PTRDIFF_MAX change since that is directly responsible for the
CVE. The missing _mid_memalign check is not relevant (and does not have
a security impact) and may need a different approach to fully resolve,
so it has been omitted.
CVE-Id: CVE-2026-0861
Vulnerable-Commit: 9bf8e29ca1
Reported-by: Igor Morgenstern, Aisle Research
Fixes: BZ #33796
Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
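The commit above notes that capping sizes at PTRDIFF_MAX is not the same as checking that size rounded up to the requested alignment still fits. The C code below is an added illustration, not glibc's _int_memalign: checked_align_up() rejects a request when size + align - 1 would exceed PTRDIFF_MAX, while capped_align_up() performs only the size cap and so can return a value above PTRDIFF_MAX. The function names and the sentinel convention are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Added illustration, not glibc's allocator.  Round SIZE up to a
   multiple of ALIGN (a power of two) while ensuring the result stays
   within PTRDIFF_MAX.  Returns SIZE_MAX on rejection; every accepted
   result is <= PTRDIFF_MAX, so SIZE_MAX is unambiguous as a sentinel. */
size_t checked_align_up(size_t size, size_t align)
{
    if (align == 0 || (align & (align - 1)) != 0)
        return SIZE_MAX;                     /* not a power of two */
    if (size > (size_t) PTRDIFF_MAX)
        return SIZE_MAX;                     /* the size cap on its own */
    /* The size cap does not bound SIZE + ALIGN - 1: for a large ALIGN
       the rounded result can exceed PTRDIFF_MAX even though SIZE alone
       passed.  This is the separate alignment check the commit message
       says had gone missing. */
    if (align - 1 > (size_t) PTRDIFF_MAX - size)
        return SIZE_MAX;
    return (size + align - 1) & ~(align - 1);
}

/* Size-cap-only version, shown for contrast: the rounding step is not
   checked, so the result can silently exceed PTRDIFF_MAX and no longer
   be representable as a ptrdiff_t. */
size_t capped_align_up(size_t size, size_t align)
{
    if (size > (size_t) PTRDIFF_MAX)
        return SIZE_MAX;
    return (size + align - 1) & ~(align - 1);
}

/* Helper for the contrast: an alignment of 2^(N-2) on an N-bit size_t,
   computed from PTRDIFF_MAX so it is correct on 32- and 64-bit targets. */
size_t large_power_of_two_align(void)
{
    return ((size_t) PTRDIFF_MAX + 1) / 2;
}
```

Run on a request of PTRDIFF_MAX bytes with that large alignment, the capped variant returns a value above PTRDIFF_MAX while the checked variant refuses; both agree on ordinary inputs such as rounding 100 up to 112 for a 16-byte alignment.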
Commit 244c404ae8 added -threaded-main and
-threaded-worker variants of several malloc tests with some exceptions.
tst-mallocfork calls fork from a signal handler, leading to sporadic
deadlocks when multi-threaded since fork is not AS-safe when
multi-threading. This commit therefore adds tst-mallocfork to the
appropriate exception list.
Reviewed-by: Florian Weimer <fweimer@redhat.com>
In permissive mode, during audit module handling, check_gcs is unaware
that it is handling audit modules rather than the binary itself. It
causes the loader to fail to load the audit module, rather than
loading it and disabling GCS.
Also extends GCS tests with 4 LD_AUDIT tests:
1. tst-gcs-audit-disabled: checks if the audit module without GCS
marking is loaded with default gcs support.
2. tst-gcs-audit-enforced: checks if the audit module without GCS
marking is not loaded when GCS is enforced.
3. tst-gcs-audit-optional: checks if the audit module without GCS
marking is loaded when GCS is optional.
4. tst-gcs-audit-override: checks if the audit module without GCS
marking is loaded when GCS is overridden.
Checked on aarch64-linux-gnu with Linux 6.18 on Apple M4 emulated (for
BTI support) and on qemu 10.1.50 simulated (for GCS).
Reviewed-by: Yury Khrustalev <yury.khrustalev@arm.com>
Tested-by: Yury Khrustalev <yury.khrustalev@arm.com>
These are modeled after the 'shared' tests subset, and it adds 4 new
tests:
1. tst-gcs-preload-disabled: checks if GCS is disabled when a LD_PRELOAD
module is used without GCS marking with default GCS support.
2. tst-gcs-preload-enforced-abort: checks if the loader aborts startup when
a LD_PRELOAD is used without GCS marking and GCS is enforced.
3. tst-gcs-preload-optional: checks if GCS is disabled when a LD_PRELOAD
is used without GCS marking and GCS is optional.
4. tst-gcs-preload-override: checks if GCS is enabled when a LD_PRELOAD
is used without GCS marking and GCS is overridden.
Checked on aarch64-linux-gnu with Linux 6.18 on Apple M4 emulated (for
BTI support) and on qemu 10.1.50 simulated (for GCS).
Reviewed-by: Yury Khrustalev <yury.khrustalev@arm.com>
Tested-by: Yury Khrustalev <yury.khrustalev@arm.com>
This patch adds 3 new tests:
1. tst-bti-permissive-audit: checks that the process runs when an LD_AUDIT module
is not marked with BTI but BTI is not enforced.
2. tst-bti-prot-audit: checks if the process correctly handles an audit module with
BTI marking when BTI is enforced.
3. tst-bti-unprot-audit: checks if the process ignores an audit module without
BTI marking when BTI is enforced.
Checked on aarch64-linux-gnu with Linux 6.18 on Apple M4 emulated (for
BTI support) and on qemu 10.1.50 simulated (for GCS).
Reviewed-by: Yury Khrustalev <yury.khrustalev@arm.com>
Tested-by: Yury Khrustalev <yury.khrustalev@arm.com>
Add 3 new tests to check if LD_PRELOAD is correctly handled:
1. tst-bti-abort-unprot-preload: checks if the process is aborted if
a LD_PRELOAD module without BTI marking is used and BTI is enforced.
2. tst-bti-dep-prot-preload: checks if the process works correctly if
a LD_PRELOAD module with BTI marking is used and BTI is enforced.
3. tst-bti-permissive-preload: checks if the process works correctly
if a LD_PRELOAD module with BTI marking is used and BTI is not
enforced.
Reviewed-by: Yury Khrustalev <yury.khrustalev@arm.com>
Tested-by: Yury Khrustalev <yury.khrustalev@arm.com>
Introduce DL_DEBUG_SECURITY mask to enable messages related to
loading modules that lack certain target-dependent hardening
or security features.
Use this mask for warnings related to AArch64 BTI and GCS.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
When the compiler selects IEEE-128 long double ABI(-mabi=ieeelongdouble),
calls to printf, fprintf, sprintf and snprintf are redirected to the
__printfieee128, __fprintfieee128, __sprintfieee128 and __snprintfieee128
symbols respectively. This causes "break printf" (and others) in
GDB to fail because the original symbol names do not exist as global
symbols in libc.so.6.
Fix this by adding local symbol aliases in the ieee128 compatibility
files so that the original symbol names are present in the symbol table
again. This restores the expected GDB behavior ("break printf" works)
without requiring dynamic symbols or versioned compatibility symbols.
Suggested-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
__USE_EXTERN_INLINES is gated on __OPTIMIZE_SIZE__, so also gate
the required alias using the same logic.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
The 13cfd77bf5 change broke the b5d88fa6c3 fix by removing the symbol
to __symbol redirections. Although it works for -O2 with both gcc
and clang, with -Os without the redirection, the libcall might still
be issued.
This patch reinstates the b5d88fa6c3 fix, with a modification that
allows each ifunc variant to control which trunc to issue. This is
required for clang, which defines HAVE_X86_INLINE_TRUNC to 1 (meaning
that trunc will always be lowered to the instruction on -Os).
Checked on x86_64-linux-gnu with -O2 and -Os with gcc-15 and clang-18.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
The CORE-MATH c423b9a3 commit made atanh use a slightly different
muldd_acc and polydd (which uses muldd_acc internally) compared
to the previous version.
The new tests were suggested by Paul Zimmermann (although I did
not see any regression).
Checked on x86_64-linux-gnu, x86_64-linux-gnu-v3, aarch64-linux-gnu,
and i686-linux-gnu.
Reviewed-by: Paul Zimmermann <Paul.Zimmermann@inria.fr>
The CORE-MATH c423b9a3 commit made atanh use a slightly different
muldd_acc, mulddd, and polydd (which uses muldd_acc internally)
compared to asinh and acosh.
The new tests were suggested by Paul Zimmermann (although I did
not see any regression).
Checked on x86_64-linux-gnu, x86_64-linux-gnu-v3, aarch64-linux-gnu,
and i686-linux-gnu.
Reviewed-by: Paul Zimmermann <Paul.Zimmermann@inria.fr>
When either program path or module name is empty, don't print an
empty string followed by a colon.
Also fix up the test for a static BTI binary to check the error message
for this case.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
__sigreturn2 uses _hurd_sigstate_unlock after restoring the interrupted
xmm values, we thus need it not to touch xmm. It makes sense to inline
sigstate_is_global_rcv _hurd_sigstate_lock/unlock anyway. unlock calls
gsync_wake, so we need to avoid xmm there as well.
If the kernel supports the COPY_FILE_RANGE_64 FUSE interface, we can
safely test the large size values.
Signed-off-by: Xi Ruoyao <xry111@xry111.site>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Tested-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
On Linux >= 6.18, the kernel submits the new COPY_FILE_RANGE_64
operation to the fuse implementation for large files. There is a
fall-back routine to COPY_FILE_RANGE but it's only used if
COPY_FILE_RANGE_64 returns ENOSYS.
So, return ENOSYS instead of EIO for "unsupported" operations in order
to make the kernel do the correct thing for this case and maybe in case
that a new operation is added into the kernel fuse interface in the
future.
Signed-off-by: Xi Ruoyao <xry111@xry111.site>
Reviewed-by: Florian Weimer <fweimer@redhat.com>
All checks related to the PT_GNU_PROPERTY bits would be skipped
if the binary had no PT_GNU_PROPERTY note at all. This meant that
enforcing an abort when some bits are not present was not possible.
Fixes BZ 33713
Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>