It appears that the stackframe layout can be slightly different depending on
compiler and target architecture. For example, when using CHERI LLVM for RISC-V
we can actually overflow the buffer by up to 8 bytes without SSP detecting it.
Fix this by increasing the overflow to 15 bytes.
Reviewed By: ngie, emaste
Differential Revision: https://reviews.freebsd.org/D28997
Since 4581cefc1e
ATF opens the results file on startup. This fixes problems like
capsicumized tests not being able to open the file on exit.
However, this test closes all file descriptors above 3 to get a
deterministic fd table allocation for the child. Instead of using closefrom
(which will close the ATF output file FD) I've changed this test use
the lowest available fd and pass that to the helper program as a string.
We could also try to re-open the results file in ATF if we get a EBADF
error, but that will fail when running under Capsicum.
Reviewed By: cem
Differential Revision: https://reviews.freebsd.org/D28684
Since 4581cefc1e
ATF opens the results file on startup. This fixes problems like
capsicumized tests not being able to open the file on exit.
However, this test closes all file descriptors just to check that
socketpair returns fd 3+4 and thereby also closes the ATF results file.
This then results in an EBADF when writing the result so the test is
reported as broken.
While system calls that create new file descriptors (must?) use the lowest
available file descriptor number, it does not seem useful to test this
property here. Drop the check for FD==3/4 to unbreak the testsuite.
We could also try to re-open the results file in ATF if we get a EBADF
error, but that will fail when running under Capsicum.
Reviewed By: cem
Differential Revision: https://reviews.freebsd.org/D28683
The rpc_control() API does not accept the CLCR_SET_RPCB_TIMEOUT command,
it only accepts RPC_SVC_CONNMAXREC_GET/RPC_SVC_CONNMAXREC_SET, so it was
not doing anything.
Instead of incorrectly calling this API, use clnt_create_timed() instead.
I noticed this because the test was timing out after 120s in the CheriBSD CI.
Reviewed By: ngie
Differential Revision: https://reviews.freebsd.org/D28478
Add shims to map NetBSD's API to CPUSET(9). Obviously the invalid input
parts of these tests are relatively useless since we're just testing the
shims that aren't used elsewhere, there's still some amount of value in
the parts testing valid inputs.
Differential Revision: https://reviews.freebsd.org/D27307
Part of the libregex functionality leaked into the tests it shares with
the standard regex(3). Introduce a P flag to set the REG_POSIX cflag to
indicate that libc regex should effectively do nothing while libregex should
specifically run it in non-extended mode.
This unbreaks the libc/regex test run.
Reported by: Jenkins
This is the last of the needed GNU expressions before we can unleash bsdgrep
by default. \b is effectively an agnostic equivalent of \< and \>, while
\B will match every space that isn't making a transition from
nonchar -> char or char -> nonchar.
This fixes a "suggested parens" compile warning-into-error
that shows up on gcc-6.4.
Reviewed by: ngie
Differential Revision: https://reviews.freebsd.org/D26789
An old it_value of {4,3} is valid. Allow it.
Reviewed by: bdrewery
MFC after: 2 weeks
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D26445
In IEEE 1003.1-2008 [1] and earlier revisions, BRE/ERE grammar allows for
any character to be escaped, but "ORD_CHAR preceded by an unescaped
<backslash> character [gives undefined results]".
Historically, we've interpreted an escaped ordinary character as the
ordinary character itself. This becomes problematic when some extensions
give special meanings to an otherwise ordinary character
(e.g. GNU's \b, \s, \w), meaning we may have two different valid
interpretations of the same sequence.
To make this easier to deal with and given that the standard calls this
undefined, we should throw an error (EESCAPE) if we run into this scenario
to ease transition into a state where some escaped ordinaries are blessed
with a special meaning -- it will either error out or have extended
behavior, rather than have two entirely different versions of undefined
behavior that leave the consumer of regex(3) guessing as to what behavior
will be used or leaving them with false impressions.
This change bumps the symbol version of regcomp to FBSD_1.6 and provides the
old escape semantics for legacy applications, just in case one has an older
application that would immediately turn into a pumpkin because of an
extraneous escape that's embedded or otherwise critical to its operation.
This is the final piece needed before enhancing libregex with GNU extensions
and flipping the switch on bsdgrep.
[1] http://pubs.opengroup.org/onlinepubs/9699919799.2016edition/
PR: 229925 (exp-run, courtesy of antoine)
Differential Revision: https://reviews.freebsd.org/D10510
The version that ended upstream was ultimately slightly different than the
version committed here; notably, statvfs() is used but it's redefined
appropriately to statfs() on FreeBSD since we don't provide the fstypename
for the former interface.
The revokex test does not work when the scratch directory is created on NFS.
Given the nature of NFS, it likely can never work without looking like a
security hole since O_SEARCH would rely on the server knowing that the
directory did have +x at the time of open and that it's OK for it to have
been revoked based on POSIX specification for O_SEARCH.
This does mean that O_SEARCH is only partially functional on NFS in general,
but I suspect the execute bit getting revoked in the process is likely not
common.
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D23573
The RCSID data was wrong, so this is effectively a record-only merge
with correction of said data. No further changes should be needed in this
area, as we've now upstreamed our local changes to this specific test.
In FreeBSD's O_SEARCH implementation, O_SEARCH in conjunction with O_RDWR or
O_WRONLY is explicitly rejected. In this case, O_RDWR was not necessary
anyways as the file will get created with or without it.
This was submitted upstream as misc/54940 and committed in rev 1.8 of the
file.
Coverity correctly reports this as a resource leak. It's an admittedly minor
one, but plug it anyways.
This has been submitted upstream as misc/54939.
CID: 978288
O_SEARCH is defined by POSIX [0] to open a directory for searching, skipping
permissions checks on the directory itself after the initial open(). This is
close to the semantics we've historically applied for O_EXEC on a directory,
which is UB according to POSIX. Conveniently, O_SEARCH on a file is also
explicitly undefined behavior according to POSIX, so O_EXEC would be a fine
choice. The spec goes on to state that O_SEARCH and O_EXEC need not be
distinct values, but they're not defined to be the same value.
This was pointed out as an incompatibility with other systems that had made
its way into libarchive, which had assumed that O_EXEC was an alias for
O_SEARCH.
This defines compatibility O_SEARCH/FSEARCH (equivalent to O_EXEC and FEXEC
respectively) and expands our UB for O_EXEC on a directory. O_EXEC on a
directory is checked in vn_open_vnode already, so for completeness we add a
NOEXECCHECK when O_SEARCH has been specified on the top-level fd and do not
re-check that when descending in namei.
[0] https://pubs.opengroup.org/onlinepubs/9699919799/
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D23247
The current code clearly intended for these to be octal based on the values
used, but the octal prefix was forgotten. Add it now for correctness, but
note that we don't currently execute these tests.
This has been submitted upstream as misc/54902, so I've omitted the standard
FreeBSD markers that we tend to put into netbsd-tests for upstream-candidate
identification.
Reviewed by: ngie
MFC after: 3 days
gets is unsafe and shouldn't be used (for many years now). Leave it in
the existing symbol version so anything that previously linked aginst it
still runs, but do not allow new software to link against it.
(The compatability/legacy implementation must not be static so that
the symbol and in particular the compat sym gets@FBSD_1.0 make it
into libc.)
PR: 222796 (exp-run)
Reported by: Paul Vixie
Reviewed by: allanjude, cy, eadler, gnn, jhb, kib, ngie (some earlier)
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D12298
When O_CREAT is specified, the third, variadic argument is
required as the permission. If on is not passed, then depending
on the ABI, either the contents of the third argument register
or some arbitrary stuff on the stack will be used as the permission.
This has been merged to NetBSD.
Reviewed by: asomers, ngie
Obtained from: CheriBSD
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D20972
Historically we have not distinguished between kernel wirings and user
wirings for accounting purposes. User wirings (via mlock(2)) were
subject to a global limit on the number of wired pages, so if large
swaths of physical memory were wired by the kernel, as happens with
the ZFS ARC among other things, the limit could be exceeded, causing
user wirings to fail.
The change adds a new counter, v_user_wire_count, which counts the
number of virtual pages wired by user processes via mlock(2) and
mlockall(2). Only user-wired pages are subject to the system-wide
limit which helps provide some safety against deadlocks. In
particular, while sources of kernel wirings typically support some
backpressure mechanism, there is no way to reclaim user-wired pages
shorting of killing the wiring process. The limit is exported as
vm.max_user_wired, renamed from vm.max_wired, and changed from u_int
to u_long.
The choice to count virtual user-wired pages rather than physical
pages was done for simplicity. There are mechanisms that can cause
user-wired mappings to be destroyed while maintaining a wiring of
the backing physical page; these make it difficult to accurately
track user wirings at the physical page layer.
The change also closes some holes which allowed user wirings to succeed
even when they would cause the system limit to be exceeded. For
instance, mmap() may now fail with ENOMEM in a process that has called
mlockall(MCL_FUTURE) if the new mapping would cause the user wiring
limit to be exceeded.
Note that bhyve -S is subject to the user wiring limit, which defaults
to 1/3 of physical RAM. Users that wish to exceed the limit must tune
vm.max_user_wired.
Reviewed by: kib, ngie (mlock() test changes)
Tested by: pho (earlier version)
MFC after: 45 days
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D19908
This was shown to be a problem by side effect of now-enabled test case,
which was going through C, en_US.UTF-8, ja_JP.SJIS, and ja_JP.eucJP,
and failing eventually as data in mbrtowc's mbstate, that was
perfectly correct for en_US.UTF-8 was treated as incorrect for
ja_JP.SJIS, failing the entire test case.
This makes the persistent mbstates to be per ctype-component,
and not per-locale so we could easily reset the mbstates when
only LC_CTYPE is changed.
Reviewed by: bapt, pfg
Approved by: kib (mentor, implicit)
Differential Revision: https://reviews.freebsd.org/D17796
sbt is the time in the future that the tsleep_sbt() is expected to be completed
at. sbtt is the current time. Depending on the precision with sysctl
kern.timecounter.alloweddeviation the start time may be incremented by
tc_tick_sbt. The same increment is needed for the current time of sbtt before
calculating the difference. The impact of missing this increment is that rmtp
may increase by one tc_tick_sbt on every early [EINTR] return. If the same
struct is passed in for rqtp as rmtp this can result in rqtp effectively
incrementing by tc_tick_sbt and sleeping longer than originally intended.
This problem was introduced in r247797.
Reviewed by: kib, markj, vangyzen (all on an older version of the test)
MFC after: 2 weeks
Sponsored by: Dell EMC
Differential Revision: https://reviews.freebsd.org/D14362
sparc64 and riscv do not support 10 arguments, but MIPS now does.
While here, combine clauses for architectures that support the same
number of arguments to reduce duplication.
Sponsored by: DARPA / AFRL
The man page is years out of date regarding errors. Our implementation _does_
allow unaligned addresses, and it _does_not_ check for negative lengths,
because the length is unsigned. It checks for overflow instead.
Update the tests accordingly.
Reviewed by: bcr
MFC after: 3 weeks
Differential Revision: https://reviews.freebsd.org/D13826
Currently, regex(3) exhibits the following wrong behavior as demonstrated
with sed:
- echo "a{1,2,3}b" | sed -r "s/{/_/" (1)
- echo "a{1,2,3}b" | sed "s/\}/_/" (2)
- echo "a{1,2,3}b" | sed -r "s/{}/_/" (3)
Cases (1) and (3) should throw errors but they actually succeed, and (2)
throws an error when it should match the literal '}'. The correct behavior
was decided by comparing to the behavior with the equivalent BRE (1)(3) or
ERE (2) and consulting POSIX, along with some reasonable evaluation.
Tests were also adjusted/added accordingly.
PR: 166861
Reviewed by: emaste, ngie, pfg
Approved by: emaste (mentor)
MFC after: never
Differential Revision: https://reviews.freebsd.org/D10315
o Replace __riscv64 with (__riscv && __riscv_xlen == 64)
This is required to support new GCC 7.1 compiler.
This is compatible with current GCC 6.1 compiler.
RISC-V is extensible ISA and the idea here is to have built-in define
per each extension, so together with __riscv we will have some subset
of these as well (depending on -march string passed to compiler):
__riscv_compressed
__riscv_atomic
__riscv_mul
__riscv_div
__riscv_muldiv
__riscv_fdiv
__riscv_fsqrt
__riscv_float_abi_soft
__riscv_float_abi_single
__riscv_float_abi_double
__riscv_cmodel_medlow
__riscv_cmodel_medany
__riscv_cmodel_pic
__riscv_xlen
Reviewed by: ngie
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D11901
BREs recently became prematurely sensitive to the branching operator, which
outright broke expressions that used it instead of failing silently. Test
that \| is matching a literal | for the time being.
Reviewed by: cem, emaste, ngie
Approved by: emaste (mentor)
Differential Revision: https://reviews.freebsd.org/D11577
ATF cleanup routines run in separate processes from the tests themselves, so
they can't share global variables.
Also, setdomainname_test needs to be is_exclusive because the test cases
access a global resource.
PR: 219967
Reviewed by: ngie
MFC after: 3 weeks
Sponsored by: Spectra Logic Corp
Differential Revision: https://reviews.freebsd.org/D11188
the limit to 32MB instead.
Require user=root and memory=64MB+ first so one can be reasonably sure that
the test will function appropriately.
MFC after: 1 month
MFC with: r320726
PR: 220502
The kern.coredump sysctl can be set to 0 to disable coredumps. Skip the
'status_coredump' and 'wait6_coredumped' tests if this sysctl is set to 0
rather than reporting a failure.
Submitted by: brooks
Reviewed by: ngie
Obtained from: CheriBSD
Sponsored by: DARPA / AFRL
Differential Revision: https://reviews.freebsd.org/D10665
This is being done to avoid dereferencing a NULL pointer via strlcat,
obscuring the underlying issue with the getcwd(3) call.
MFC after: 2 weeks
Sponsored by: Dell EMC Isilon
- Apply the logic to the FreeBSD block
- Fix a typo with the getconf(1) call that I would have caught, were
it not for the fact that I got the blocks wrong.
- Consolidate the hardcoded buffer sizes to the NetBSD block.
This would have been discovered had I run the test on a system where
PATH_MAX != 1024 (I don't have that at my disposal right at this moment).
MFC after: 3 weeks
MFC with: r318210
Sponsored by: Dell EMC Isilon
In the event the value of PATH_MAX was changed, the assumption that
MAXPATHLEN is 1024 (and hence the buffer length required to trigger
SSP to fail for read(2)) would be invalidated. Query getconf(1) for
the actual value of MAXPATHLEN via _XOPEN_PATH_MAX instead, and
increment the value by 1 to ensure that the SSP support tests the
stack smashing support properly.
MFC after: 3 weeks
Sponsored by: Dell EMC Isilon
Restore the stock (upstream) code under an #else block, so it's easier
for me to visualize and understand the code that needs to be upstreamed.
MFC after: 2 months
X-MFC with: r316178, r316179, r316180
Sponsored by: Dell EMC Isilon
msgsnd(2)'s msgsz argument does not describe the full structure, only the
message component.
Reported by: Coverity
CIDs: 1368703, 1368711
Sponsored by: Dell EMC Isilon
