This change allows creating file descriptors with close-on-exec set in some
situations. SOCK_CLOEXEC and SOCK_NONBLOCK can be OR'ed in socket() and
socketpair()'s type parameter, and MSG_CMSG_CLOEXEC to recvmsg() makes file
descriptors (SCM_RIGHTS) atomically close-on-exec.
The numerical values for SOCK_CLOEXEC and SOCK_NONBLOCK are as in NetBSD.
MSG_CMSG_CLOEXEC is the first free bit for MSG_*.
The SOCK_* flags are not passed to MAC because this may cause incorrect
failures and can be done later via fcntl() anyway. On the other hand, audit
is expected to cope with the new flags.
For MSG_CMSG_CLOEXEC, unp_externalize() is extended to take a flags
argument.
Reviewed by: kib
multibyte support[0] and the new functions strenvisx and strsenvisx.
Add MLINKS for vis(3) functions add by this and the initial import from
NetBSD[1].
PR: bin/166364, bin/175418
Submitted by: "J.R. Oldroyd" <fbsd@opal.com>[0]
stefanf[1]
Obtained from: NetBSD
MFC after: 2 weeks
It is almost always a bug if nscd closes the connection unexpectedly but
programs should not be killed with SIGPIPE for it.
Reviewed by: bushman
Tested by: Jan Beich
MFC after: 1 week
int bindat(int fd, int s, const struct sockaddr *addr, socklen_t addrlen);
int connectat(int fd, int s, const struct sockaddr *name, socklen_t namelen);
which allow to bind and connect respectively to a UNIX domain socket with a
path relative to the directory associated with the given file descriptor 'fd'.
- Add manual pages for the new syscalls.
- Make the new syscalls available for processes in capability mode sandbox.
- Add capability rights CAP_BINDAT and CAP_CONNECTAT that has to be present on
the directory descriptor for the syscalls to work.
- Update audit(4) to support those two new syscalls and to handle path
in sockaddr_un structure relative to the given directory descriptor.
- Update procstat(1) to recognize the new capability rights.
- Document the new capability rights in cap_rights_limit(2).
Sponsored by: The FreeBSD Foundation
Discussed with: rwatson, jilles, kib, des
- Capability is no longer separate descriptor type. Now every descriptor
has set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and
should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of
cap_new(2), which limits capability rights of the given descriptor
without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed
ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed
ioctls can be retrived with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls
that can be used with the new cap_fcntls_limit(2) syscall and retrive
them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was
heavly modified.
- The audit subsystem, kdump and procstat tools were updated to
recognize new syscalls.
- Capability rights were revised and eventhough I tried hard to provide
backward API and ABI compatibility there are some incompatible changes
that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this
call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convinient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation
Reviewed by: Christoph Mallon <christoph.mallon@gmx.de>
Many aspects discussed with: rwatson, benl, jonathan
ABI compatibility discussed with: kib
system call, which has a nice property - it never fails, so it is a bit
easier to use. If there is no support for capability mode in the kernel
the function will return false (not in a sandbox). If the kernel is compiled
with the support for capability mode, the function will return true or false
depending if the calling process is in the capability mode sandbox or not
respectively.
Sponsored by: The FreeBSD Foundation
routines provide write-only stdio FILE objects that store their data in a
dynamically allocated buffer. They are a string builder interface somewhat
akin to a completely dynamic sbuf.
Reviewed by: bde, jilles (earlier versions)
MFC after: 1 month
* Reopen the directory using openat(fd, ".", ...) instead of opening the
pathname again. This fixes a race condition where the meaning of the
pathname changes and allows a reopen with fdopendir().
* Always reopen the directory for union stacks, not only when DTF_REWIND
is passed. Applications should be able to fchdir(dirfd(dir)) and
*at(dirfd(dir), ...). DTF_REWIND now does nothing.
example from bsearch(3) too, so that we don't have to duplicate
the example code in both places.
PR: docs/176197
Reviewed by: stefanf
Approved by: remko (mentor), gjb (mentor)
MFC after: 1 week
- Remove unused #include.
- Do not cast away const.
- Use the canonical idiom to compare two numbers.
- Use proper type for sizes, i.e. size_t instead of int.
- Correct indentation.
- Simplify printf("\n") to puts("").
- Use return instead of exit() in main().
Submitted by: Christoph Mallon, christoph.mallon at gmx.de
Approved by: gjb (mentor)
Reviewed by: stefanf
MFC after: 1 week
qsort(3) can work together to sort an array of integers.
PR: docs/176197
Submitted by: Fernando, fapesteguia at opensistemas.com
Approved by: gjb (mentor)
MFC after: 1 week
now disables read-ahead. It used to effectively restore the system default
readahead hueristic if it had been changed; a negative value now restores
the default.
Reviewed by: kib
this is not a problem as they are resolved by libgcc. The exception is for
the __aeabi_mem* functions. These call back into libc to the appropriate
function. This causes issues for static binaries as we only link against
libc once so there is no way for it to call into libgcc and back.
The fix for this is to include these symbols in libc but keep them hidden
so binaries use the libgcc version.
There are uncommon cases where fts_safe_changedir() may be called with a
non-NULL name that is not "..". Do not block or worse if an attacker put (a
(symlink to) a fifo or device where a directory used to be.
MFC after: 1 week
with the user's namespace.
- Correct size and position variables type from long to size_t.
- Do not set errno to ENOMEM on malloc failure, as malloc already does so.
- Implement the concept of "buffer data length", which mandates what SEEK_END
refers to and the allowed extent for a read.
- Use NULL as read-callback if the buffer is opened in write-only mode.
Conversely, use NULL as write-callback when opened in read-only mode.
- Implement the handling of the ``b'' character in the mode argument. A binary
buffer differs from a text buffer (default mode if ``b'' is omitted) in that
NULL bytes are never appended to writes and that the "buffer data length"
equals to the size of the buffer.
- Remove shall from the man page. Use indicative instead. Also, specify that
the ``b'' flag does not conform with POSIX but is supported by glibc.
- Update the regression test so that the ``b'' functionality and the "buffer
data length" concepts are tested.
- Minor style(9) corrections.
Suggested by: jilles
Reviewed by: cognet
Approved by: cognet
but use normal references instead of weak. This makes the statically
linked binaries to use fast gettimeofday(2) by forcing the linker to
resolve references and providing the neccessary functions.
Reported by: bde
Tested by: marius (sparc64)
MFC after: 2 weeks
in r7 and use ip to store the old version of r7 as it is not guaranteed to
be kept when calling a subroutine. The kernel will preserve the register
across system calls.
path longer than this.
- Fix an unreached case of check against sizeof buf, which in turn leads
to an off-by-one nul byte write on the stack. The original condition
can never be satisfied because the passed boundary is the maximum value
that can be returned, so code was harmless.
MFC after: 1 month
NetBSD's. This output size limited versions of vis and unvis functions
as well as a set of vis variants that allow arbitrary characters to be
specified for encoding.
Finally, MIME Quoted-Printable encoding as described in RFC 2045 is
supported.
A fork/exec could happen between open and fcntl, leaking a file descriptor.
Using O_CLOEXEC fixes this and as a side effect simplifies the code.
NetBSD already had this (I checked this after making the change myself).
Reviewed by: gabor
The changes were derived from what has been committed to NetBSD, with
modifications. These are:
1. Preserve the existsing GLOB_LIMIT behaviour by including the number
of matches to the set of parameters to limit.
2. Change some of the limits to avoid impacting normal use cases:
GLOB_LIMIT_STRING - change from 65536 to ARG_MAX so that glob(3)
can still provide a full command line of expanded names.
GLOB_LIMIT_STAT - change from 128 to 1024 for no other reason than
that 128 feels too low (it's not a limit that impacts the
behaviour of the test program listed in CVE-2010-2632).
GLOB_LIMIT_PATH - change from 1024 to 65536 so that glob(3) can
still provide a fill command line of expanded names.
3. Protect against buffer overruns when we hit the GLOB_LIMIT_STAT or
GLOB_LIMIT_READDIR limits. We append SEP and EOS to pathend in
those cases. Return GLOB_ABORTED instead of GLOB_NOSPACE when we
would otherwise overrun the buffer.
This change also modifies the existing behaviour of glob(3) in case
GLOB_LIMIT is specifies by limiting the *new* matches and not all
matches. This is an important distinction when GLOB_APPEND is set or
when the caller uses a non-zero gl_offs. Previously pre-existing
matches or the value of gl_offs would be counted in the number of
matches even though the man page states that glob(3) would return
GLOB_NOSPACE when gl_matchc or more matches were found.
The limits that cannot be circumvented are GLOB_LIMIT_STRING and
GLOB_LIMIT_PATH all others can be crossed by simply calling glob(3)
again and with GLOB_APPEND set.
The entire description above applies only when GLOB_LIMIT has been
specified of course. No limits apply when this flag isn't set!
Obtained from: Juniper Networks, Inc
equivalent to malloc(size). This eliminates the conditional expression
used for calling either realloc() or malloc() when realloc() will do
all the time.
free and clear the gl_pathv pointer in the glob_t structure. Such
breaks the invariant of the glob_t structure, as stated in the comment
right in front of the globextend() function. If gl_pathv was non-NULL,
then gl_pathc was > 0. Making gl_pathv a NULL pointer without also
setting gl_pathc to 0 is wrong.
Since we otherwise don't free the memory associated with a glob_t in
error cases, it's unlikely that this change will cause a memory leak
that wasn't already there to begin with. Callers of glob(3) must
call globfree(3) irrespective of whether glob(3) returned an error
or not.
This commit adds a new mode option 'e' that must follow any 'b', '+' and/or
'x' options. C11 is clear about the 'x' needing to follow 'b' and/or '+' and
that is what we implement; therefore, require a strict position for 'e' as
well.
For freopen() with a non-NULL path argument and fopen(), the close-on-exec
flag is set iff the 'e' mode option is specified. For freopen() with a NULL
path argument and fdopen(), the close-on-exec flag is turned on if the 'e'
mode option is specified and remains unchanged otherwise.
Although the same behaviour for fopen() can be obtained by open(O_CLOEXEC)
and fdopen(), this needlessly complicates the calling code.
Apart from the ordering requirement, the new option matches glibc.
PR: kern/169320
libc.a and libc_p.a. In addition, define isnan in libm.a and libm_p.a,
but not in libm.so.
This makes it possible to statically link executables using both isnan
and isnanf with libc and libm.
Tested by: kargl
MFC after: 1 week
output and replace it with a new visible sysctl kern.ipc.acceptqueue
of the same functionality. It specifies the maximum length of the
accept queue on a listen socket.
The old kern.ipc.somaxconn remains available for reading and writing
for compatibility reasons so that existing programs, scripts and
configurations continue to work. There no plans to ever remove the
orginal and now hidden kern.ipc.somaxconn.
This adds two features:
* uid_from_user() and gid_from_group() as the reverse of user_from_uid()
and groups_from_gid().
* pwcache_userdb() and pwcache_groupdb() which allow alternative lookup
functions to be used. For example lookups from passwd and group
databases in a non-standard location.
srandomdev(). This doesn't actually work
with any modern C compiler:
In particular, both clang and modern gcc
verisons silently elide any xor operation
with 'junk'.
Approved by: secteam
MFC after: 3 days
After further discussion, instead of pretending to use
uid_t and gid_t as upstream Solaris and linux try to, we
are better using u_int, which is in fact what the code
can handle and best approaches the range of values used
by uid and gid.
Discussed with: bde
Reviewed by: bde
The previous change (based on Solaris) doesn't work properly either
as the casting only has the effect of quieting the compiler.
Move back to the previous solution but adjust the sizeof()
type in xdr_array(). This should mostly work (by accident).
Reported by: bde
1) Don't iterate the loop from the environment array beginning each time,
iterate it under the last place we deactivate instead.
2) Call __rebuild_environ() not on each iteration but once, only at the end
of whole loop (of course, only in case if something is changed).
MFC after: 1 week
As part of the previous commit, uses of xdr_int() were replaced
with xdr_u_int(). This has undesired effects as the second
argument doesn't match exactly uid_t or gid_t. It also breaks
assumptions in the size of the provided types.
To work around those issues we revert back to the use of xdr_int()
but provide proper casting so the behaviour doesn't change.
While here fix a style issue in the affected lines.
Reported by: bde
When creating a client with clnt_tli_create, it uses strdup to copy
strings for these fields if nconf is passed in. clnt_dg_destroy frees
these strings already. Make sure clnt_vc_destroy frees them in the same
way.
This change matches the reference (OpenSolaris) implementation.
Tested by: David Wolfskill
Obtained from: Bull GNU/Linux NFSv4 Project (libtirpc)
MFC after: 2 weeks
__rpc_getconfip is supposed to return the first netconf
entry supporting tcp or udp, respectively. The code will
currently return the *last* entry, plus it will leak
memory when there is more than one such entry.
This change matches the reference (OpenSolaris)
implementation.
Tested by: David Wolfskill
Obtained from: Bull GNU/linux NFSv4 Project (libtirpc)
MFC after: 1 week
to craft environment variables with similar names like that:
a=1
a=2
...
unsetenv("a") should remove them all to make later getenv("a") impossible.
Fix it to do so (this is GNU autoconf test #3 failure too).
PR: 172273
MFC after: 1 week
This fixes a race condition where another thread may fork() before CLOEXEC
is set, unintentionally passing the descriptor to the child process.
This commit only adds O_CLOEXEC flags to open() or openat() calls where no
fcntl(fd, F_SETFD, FD_CLOEXEC) follows. The separate fcntl() call still
leaves a race window so it should be fixed later.
Because fts keeps internal file descriptors open across calls, making such
descriptors close-on-exec helps not only multi-threaded applications but
also single-threaded applications.
In particular, this prevents passing a temporary file descriptor for saving
the current directory to processes created via find -exec.
The attempt to merge changes from the linux libtirpc caused
rpc.lockd to exit after startup under unclear conditions.
After many hours of selective experiments and inconsistent results
the conclusion is that it's better to just revert everything and
restart in a future time with a much smaller subset of the
changes.
____
MFC after: 3 days
Reported by: David Wolfskill
Tested by: David Wolfskill
Passing an invalid pointer results in undefined behaviour.
The wrappers in libthr access some of the data pointed to by the arguments
in userland, so that an invalid pointer will cause a signal and not an
[EFAULT] error return.
Furthermore, if the [EFAULT] error occurs when the kernel is writing, it is
not a proper error in the sense that the call still commits (changing the
signal disposition or accepting the signal).
MFC after: 1 week
The following change caused rpc.lockd to exit after startup:
____
libtirpc: be sure to free cl_netid and cl_tp
When creating a client with clnt_tli_create, it uses strdup to copy
strings for these fields if nconf is passed in. clnt_dg_destroy frees
these strings already. Make sure clnt_vc_destroy frees them in the
same way.
____
MFC after: 3 days
Reported by: David Wolfskill
Tested by: David Wolfskill
The ENOTDIR mapping was introduced in r235266 for kern/128933 based on
an interpretation of the somewhat ambiguous language in the POSIX realpath
specification. The interpretation is inconsistent with Solaris and Linux,
a regression from 9.0, and does not appear to be permitted by the
description of ENOTDIR:
20 ENOTDIR Not a directory. A component of the specified pathname
existed, but it was not a directory, when a directory was
expected.
PR: standards/171577
MFC after: 3 days
For some reason, libc exports the symbol .cerror (HIDENAME(cerror)), albeit
in the FBSDprivate_1.0 version. It looks like there is no reason for this
since it is not used from other libraries. Given that it cannot be accessed
from C and its strange calling convention, it is rather unlikely that other
things rely on it. Perhaps it is from a time when symbols could not be
hidden.
Most of the amd64 assembler code jumps to .cerror using the GOT. It can jump
to it directly now, as in non-PIC mode.
There are also some minor size optimizations to instructions but they yield
virtually no benefit in the size of libc.so.7 due to padding.
Reviewed by: kib
For some reason, libc exports the symbol .cerror (HIDENAME(cerror)), albeit
in the FBSDprivate_1.0 version. It looks like there is no reason for this
since it is not used from other libraries. Given that it cannot be accessed
from C and its strange calling convention, it is rather unlikely that other
things rely on it. Perhaps it is from a time when symbols could not be
hidden.
Not exporting .cerror causes it to be jumped to directly instead of via the
PLT.
This change also takes advantage of .cerror's new status by not saving and
loading %ebx before jumping to it. (Therefore, .cerror now saves and loads
%ebx itself.) Where there was a conditional jump to a jump to .cerror, the
conditional jump has been changed to jump to .cerror directly (many modern
CPUs don't do static prediction and in any case it is not much of a benefit
anyway).
This change makes libc.so.7 a few kilobytes smaller.
Reviewed by: kib
This structure is not part of POSIX. According to POSIX, gettimeofday()
has the following prototype:
int gettimeofday(struct timeval *restrict tp, void *restrict tzp);
Also, POSIX states that gettimeofday() shall return 0 (as long as tzp is
not used). Remove dead error handling code. Also use NULL for a
nul-pointer instead of integer 0.
While there, change all pieces of code that only use tv_sec to use
time(3), as this provides less overhead.
We especifically ignored the glibc compatibility changes
but this should help interaction with Solaris and Linux.
____
Fixed infinite loop in svc_run()
author Steve Dickson
Tue, 10 Jun 2008 12:35:52 -0500 (13:35 -0400)
Fixed infinite loop in svc_run()
____
__rpc_taddr2uaddr_af() assumes the netbuf to always have a
non-zero data. This is a bad assumption and can lead to a
seg-fault. This patch adds a check for zero length and returns
NULL when found.
author Steve Dickson
Mon, 27 Oct 2008 11:46:54 -0500 (12:46 -0400)
____
Changed clnt_spcreateerror() to return clearer
and more concise error messages.
author Steve Dickson
Thu, 20 Nov 2008 08:55:31 -0500 (08:55 -0500)
____
Converted all uid and gid variables of the type uid_t and gid_t.
author Steve Dickson
Wed, 28 Jan 2009 12:44:46 -0500 (12:44 -0500)
____
libtirpc: set r_netid and r_owner in __rpcb_findaddr_timed
These fields in the rpcbind GETADDR call are being passed uninitialized
to CLNT_CALL. In the case of x86_64 at least, this usually leads to a
segfault. On x86, it sometimes causes segfaults and other times causes
garbage to be sent on the wire.
rpcbind generally ignores the r_owner field for calls that come in over
the wire, so it really doesn't matter what we send in that slot. We just
need to send something. The reference implementation from Sun seems to
send a blank string. Have ours follow suit.
author Jeff Layton
Fri, 13 Mar 2009 11:44:16 -0500 (12:44 -0400)
____
libtirpc: be sure to free cl_netid and cl_tp
When creating a client with clnt_tli_create, it uses strdup to copy
strings for these fields if nconf is passed in. clnt_dg_destroy frees
these strings already. Make sure clnt_vc_destroy frees them in the same
way.
author Jeff Layton
Fri, 13 Mar 2009 11:47:36 -0500 (12:47 -0400)
Obtained from: Bull GNU/Linux NFSv4 Project
MFC after: 3 weeks
On Windows, AUX is the auxiliary device, usually pointing to COM1.
Therefore it is forbidden to create a file named aux.c. To make it a bit
easier for Windows users to check out our source code, rename this file
to auxv.c.
MFC after: 1 month
Discussed with: kib
Suggested by: Eric van Gyzen <eric vangyzen net>
Apart from the fact that nothing should have OPEN_MAX as a limit (as opposed
to RLIMIT_NOFILE from getrlimit() or _SC_OPEN_MAX from sysconf()), POSIX
does not require us to check this. POSIX does have a requirement on the
application that maxfds not exceed {OPEN_MAX}, but does not require the
implementation to check it ("may fail").
PR: 95239
Apart from the fact that nothing should have OPEN_MAX as a limit (as opposed
to RLIMIT_NOFILE from getrlimit() or _SC_OPEN_MAX from sysconf()), POSIX
does not require us to check this.
PR: 95239
Submitted by: Todd Miller
Append '__' prefix to the tag of struct oflock, and put it under BSD
namespace. Structure is needed both by libc and kernel, thus cannot be
hidden under #ifdef _KERNEL.
Move a set of non-standard F_* and O_* constants into BSD namespace.
SUSv4 explicitely allows implemenation to pollute F_* and O_* names
after fcntl.h is included, but it costs us nothing to adhere
to the specification if exact POSIX compliance level is requested by
user code.
Change some spaces after #define to tabs.
Noted by and discussed with: bde
MFC after: 1 week
This method is more sandbox-friendly and also should be faster as only
one syscall is needed instead of three.
In case of an error fall back to the old method.
Reviewed by: simon, gleb
MFC after: 2 weeks
The function isascii_l() is not in POSIX even though isascii() is,
probably because isascii() is marked as obsolete. The other functions,
like digittoint_l() and ishexnumber_l(), are FreeBSD-specific just like
their non-_l versions.
clock_gettime(2) functions if supported. The speedup seen in
microbenchmarks is in range 4x-7x depending on the hardware.
Only amd64 and i386 architectures are supported. Libc uses rdtsc and
kernel data to calculate current time, if enabled by kernel.
Hopefully, this code is going to migrate into vdso in some future.
Discussed with: bde
Reviewed by: jhb
Tested by: flo
MFC after: 1 month
First, extend the changes in r230782 to better handle the common case
of using NOREUSE with sequential reads. A NOREUSE file descriptor
will now track the last implicit DONTNEED request it made as a result
of a NOREUSE read. If a subsequent NOREUSE read is adjacent to the
previous range, it will apply the DONTNEED request to the entire range
of both the previous read and the current read. The effect is that
each read of a file accessed sequentially will apply the DONTNEED
request to the entire range that has been read. This allows NOREUSE
to properly handle misaligned reads by flushing each buffer to cache
once it has been completely read.
Second, apply the same changes made to read(2) by r230782 and this
change to writes. This provides much better performance in the
sequential write case as it allows writes to still be clustered. It
also provides much better performance for misaligned writes. It does
mean that NOREUSE will be generally ineffective for non-sequential
writes as the current implementation relies on a future NOREUSE
write's implicit DONTNEED request to flush the dirty buffer from the
current write.
MFC after: 2 weeks
string buffer for each linelist l_line into one large string. Since
linelists parsed out during the previous passes store the pointers to
previously allocated l_lines, the reallocation caused undefined
behaviour on accessing the buffers, and quite deterministic fault on
freeing them (in mountd(8) startup).
This fixes reading of netgroup(5) file which contains more then one
netgroup.
Discussed with: ghelmer
MFC after: 3 days
http://austingroupbugs.net/view.php?id=385#c713
(Resolved state) recommend this way for the current standard (called
"earlier" in the text)
"However, earlier versions of this standard did not require this, and the
same example had to be written as:
// buf was obtained by malloc(buflen)
ret = write(fd, buf, buflen);
if (ret < 0) {
int save = errno;
free(buf);
errno = save;
return ret;
}
"
from feedback I have for previous commit it seems that many people prefer
to avoid mass code change needed for current standard compliance
and prefer to track unpublished standard instead, which requires now
that free() itself must save errno, not its usage code.
So, I back out "save errno across free()" part of previous commit,
and will fill PR for changing free() isntead.
2) Remove now unused serrno.
MFC after: 1 week
"The setting of errno after a successful call to a function is
unspecified unless the description of that function specifies that
errno shall not be modified."
However, free() in IEEE Std 1003.1-2008 does not mention its interaction
with errno, so MAY modify it after successful call
(it depends on particular free() implementation, OS-specific, etc.).
So, save errno across free() calls to make code portable and
POSIX-conformant.
2) Remove unused serrno assignment.
MFC after: 1 week
The stat structures returned on pipes seems to contain all the
information required by POSIX. Especially the wording "and thus to a
pipe" makes little sense, because it seems to imply a certain
relationship between sockets and pipes that simply isn't there.
MFC after: 2 weeks
this fflush may fail to write data in the buffer.
PR: kern/137819
Submitted by: Eric Blake <ebb9@byu.net>
Reviewed by: theraven
Approved by: cperciva
MFC after: 2 weeks
function. The purpose of the __eabi() function is to set up the
runtime and is called first thing by main(). The runtime is already
set up for us prior to caling main, so there's nothing to do for
us in the EABI case.
avoid creating bad entries in the grp list as a result of memory allocation
failures while building new entries.
PR: bin/83340
Reviewed by: delphij (prior version of patch)
Introduce dirfd() libc exported symbol replacing macro with same name,
preserve _dirfd() macro for internal use.
Replace dirp->dd_fd with dirfd() call. Avoid using dirfd as variable
name to prevent shadowing global symbol.
Sponsored by: Google Summer Of Code 2011
[ENOENT] A component of file_name does not name an existing file or
file_name points to an empty string.
[ENOTDIR] A component of the path prefix is not a directory, or the
file_name argument contains at least one non- <slash> character
and ends with one or more trailing <slash> characters and the last
pathname component names an existing file that is neither a
directory nor a symbolic link to a directory.
Add checks for the listed conditions, and set errno accordingly.
Update the realpath(3) manpage to mention SUS behaviour. Remove the
requirement to include sys/param.h before stdlib.h.
PR: 128933
MFC after: 3 weeks
The typical case was:
static __inline int
convert_ccl(FILE *fp, char * __restrict p, [...])
{
[...]
if (p == SUPPRESS_PTR) {
[...]
} else {
[...]
}
[...]
}
This qualifier says that the pointer is the only one at that time
pointing to the resource.
Here, clang considers that "p" will never match "SUPPRESS_PTR" and
optimize the if{} block out. This leads to segfaults in programs calling
vfscanf(3) and vfwscanf(3) with just the format string (no arguments
following it).
The following softwares were reported to abort with segmentation fault
and this patch fixes it:
o cmake
o smartd
o devel/ORBit2
dim@ opened an LLVM PR to discuss this clang optimization:
http://llvm.org/bugs/show_bug.cgi?id=12656
Tested by: bsam@
conversions. Both the specification and the documentation say the
width is interpreted as the max number of wide characters to read, but
the implementation was interpreting it as the number of bytes to convert.
(See also r105317.)
This change has security implications for any applications that depend
on the buggy behavior, but the impact in practice is probably nil.
Any such application would already be buggy on other platforms that
get the semantics right. Also, these conversions are rarely used;
%ls, %lc, and %l[ are more appropriate.
reading wide characters manually. With this change, they now use
fgetwc(). To make this work, we use an internal version of fgetwc()
with a few extensions: it takes an mbstate * because non-wide streams
don't have a built-in mbstate, and it indicates the number of bytes
read.
vfscanf() now resembles vfwscanf() more closely. Minor functional
improvements include working xlocale support in vfscanf(), setting the
stream error indicator on encoding errors, and proper handling of
shift-based encodings. (Actually, making shift-based encodings work
with non-wide streams is hopeless, but the implementation now matches
the broken specification.)
This tool changes the default buffering behaviour of standard
stdio streams.
It only works on dynamic binaries. To make it work for static
ones it would require cluttering stdio because there no single
entry point.
PR: 166660
Reviewed by: current@, jhb
Approved by: kib (mentor)
MFC after: 1 week
indicates the avaliability of FILE, to prevent possible reordering of
the writes as seen by other CPUs.
Reported by: Fengwei yin <yfw.bsd gmail com>
Reviewed by: jhb
MFC after: 1 week
by separate conversion functions. This will hopefully make bugs more
noticeable (I noticed several already) and provide opportunities to
reduce code duplication.
prior to 3.0.0 release). This fixes several bugs related to memory
initialization.
Mangle __jemalloc_a0{malloc,calloc,free}() just like all the other
library-internal symbols in jemalloc, and adjust the tls allocation code
in libc to use the mangled names.
(i.e., the return value would overflow), set errno to EOVERFLOW
and return an error. This improves the chances that buggy
applications -- for instance, ones that pass in a negative integer
as the size due to a bogus calculation -- will fail in safe ways.
Returning an error in these situations is specified by POSIX, but
POSIX appears to have an off-by-one error that isn't duplicated in
this change.
Previously, some of these functions would silently cap the size at
INT_MAX+1, and others would exit with an error after writing more
than INT_MAX characters.
PR: 39256
MFC after: 2 weeks
true if the size is zero.
- Fix a claim that sprintf() is the same as snprintf() with an
infinite size. It's equivalent to snprintf() with a size of
INT_MAX + 1.
- Document the return values in the return values section.
- Document the possible errno value of EOVERFLOW.
MFC after: 2 weeks
infinite loop pretty much unconditionally. It's remarkable that the
patch that introduced the bug was never tested, but even more
remarkable that nobody noticed for over two years.
PR: 167039
MFC after: 3 days
prior to 3.0.0 release) as contrib/jemalloc, and integrate it into libc.
The code being imported by this commit diverged from
lib/libc/stdlib/malloc.c in March 2010, which means that a portion of
the jemalloc 1.0.0 ChangeLog entries are relevant, as are the entries
for all subsequent releases.
outside the range of valid file descriptors
PR: kern/164970
Submitted by: Peter Jeremy <peterjeremy@acm.org>
Reviewed by: jilles
Approved by: cperciva
MFC after: 1 week
usermode context switches (long jumps and ucontext operations). If these
are used across threads, multiple threads can end up with the same TLS base.
Madness will then result.
This makes behavior on PPC match that on x86 systems and on Linux.
MFC after: 10 days
privilege attempts to toggle SF_SETTABLE flags.
- Use the '^' operator in the SF_SNAPSHOT anti-toggling check.
Flags are now stored to ip->i_flags in one place after all checks.
Submitted by: bde
is already open in this process.
If the named semaphore is already open, sem_open() only increments a
reference count and did not take the flags into account (which otherwise
happens by passing them to open()). Add an extra check for O_CREAT|O_EXCL.
PR: kern/166706
Reviewed by: davidxu
MFC after: 10 days
