Commit Graph

19251 Commits

Author SHA1 Message Date
Marius Strobl
41fc6f680b o Let rtld(1) set up psABI user trap handlers prior to executing the
objects' init functions instead of doing the setup via a constructor
  in libc as the init functions may already depend on these handlers
  to be in place. This gets us rid of:
  - the undefined order in which libc constructors as __guard_setup()
    and jemalloc_constructor() are executed WRT __sparc_utrap_setup(),
  - the requirement to link libc last so __sparc_utrap_setup() gets
    called prior to constructors in other libraries (see r122883).
  For static binaries, crt1.o still sets up the user trap handlers.
o Move misplaced prototypes for MD functions in to the MD prototype
  section of rtld.h.
o Sprinkle nitems().
2018-02-03 23:14:11 +00:00
Dimitry Andric
07577dfe2e Upgrade our copies of clang, llvm, lld, lldb, compiler-rt and libc++ to
6.0.0 (branches/release_60 r324090).

This introduces retpoline support, with the -mretpoline flag.  The
upstream initial commit message (r323155 by Chandler Carruth) contains
quite a bit of explanation.  Quoting:

  Introduce the "retpoline" x86 mitigation technique for variant #2 of
  the speculative execution vulnerabilities disclosed today,
  specifically identified by CVE-2017-5715, "Branch Target Injection",
  and is one of the two halves to Spectre.

  Summary:
  First, we need to explain the core of the vulnerability. Note that
  this is a very incomplete description, please see the Project Zero
  blog post for details:
  https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

  The basis for branch target injection is to direct speculative
  execution of the processor to some "gadget" of executable code by
  poisoning the prediction of indirect branches with the address of
  that gadget. The gadget in turn contains an operation that provides a
  side channel for reading data. Most commonly, this will look like a
  load of secret data followed by a branch on the loaded value and then
  a load of some predictable cache line. The attacker then uses timing
  of the processors cache to determine which direction the branch took
  *in the speculative execution*, and in turn what one bit of the
  loaded value was. Due to the nature of these timing side channels and
  the branch predictor on Intel processors, this allows an attacker to
  leak data only accessible to a privileged domain (like the kernel)
  back into an unprivileged domain.

  The goal is simple: avoid generating code which contains an indirect
  branch that could have its prediction poisoned by an attacker. In
  many cases, the compiler can simply use directed conditional branches
  and a small search tree. LLVM already has support for lowering
  switches in this way and the first step of this patch is to disable
  jump-table lowering of switches and introduce a pass to rewrite
  explicit indirectbr sequences into a switch over integers.

  However, there is no fully general alternative to indirect calls. We
  introduce a new construct we call a "retpoline" to implement indirect
  calls in a non-speculatable way. It can be thought of loosely as a
  trampoline for indirect calls which uses the RET instruction on x86.
  Further, we arrange for a specific call->ret sequence which ensures
  the processor predicts the return to go to a controlled, known
  location. The retpoline then "smashes" the return address pushed onto
  the stack by the call with the desired target of the original
  indirect call. The result is a predicted return to the next
  instruction after a call (which can be used to trap speculative
  execution within an infinite loop) and an actual indirect branch to
  an arbitrary address.

  On 64-bit x86 ABIs, this is especially easily done in the compiler by
  using a guaranteed scratch register to pass the target into this
  device.  For 32-bit ABIs there isn't a guaranteed scratch register
  and so several different retpoline variants are introduced to use a
  scratch register if one is available in the calling convention and to
  otherwise use direct stack push/pop sequences to pass the target
  address.

  This "retpoline" mitigation is fully described in the following blog
  post: https://support.google.com/faqs/answer/7625886

  We also support a target feature that disables emission of the
  retpoline thunk by the compiler to allow for custom thunks if users
  want them.  These are particularly useful in environments like
  kernels that routinely do hot-patching on boot and want to hot-patch
  their thunk to different code sequences. They can write this custom
  thunk and use `-mretpoline-external-thunk` *in addition* to
  `-mretpoline`. In this case, on x86-64 thu thunk names must be:
  ```
    __llvm_external_retpoline_r11
  ```
  or on 32-bit:
  ```
    __llvm_external_retpoline_eax
    __llvm_external_retpoline_ecx
    __llvm_external_retpoline_edx
    __llvm_external_retpoline_push
  ```
  And the target of the retpoline is passed in the named register, or in
  the case of the `push` suffix on the top of the stack via a `pushl`
  instruction.

  There is one other important source of indirect branches in x86 ELF
  binaries: the PLT. These patches also include support for LLD to
  generate PLT entries that perform a retpoline-style indirection.

  The only other indirect branches remaining that we are aware of are
  from precompiled runtimes (such as crt0.o and similar). The ones we
  have found are not really attackable, and so we have not focused on
  them here, but eventually these runtimes should also be replicated for
  retpoline-ed configurations for completeness.

  For kernels or other freestanding or fully static executables, the
  compiler switch `-mretpoline` is sufficient to fully mitigate this
  particular attack. For dynamic executables, you must compile *all*
  libraries with `-mretpoline` and additionally link the dynamic
  executable and all shared libraries with LLD and pass `-z
  retpolineplt` (or use similar functionality from some other linker).
  We strongly recommend also using `-z now` as non-lazy binding allows
  the retpoline-mitigated PLT to be substantially smaller.

  When manually apply similar transformations to `-mretpoline` to the
  Linux kernel we observed very small performance hits to applications
  running typic al workloads, and relatively minor hits (approximately
  2%) even for extremely syscall-heavy applications. This is largely
  due to the small number of indirect branches that occur in
  performance sensitive paths of the kernel.

  When using these patches on statically linked applications,
  especially C++ applications, you should expect to see a much more
  dramatic performance hit. For microbenchmarks that are switch,
  indirect-, or virtual-call heavy we have seen overheads ranging from
  10% to 50%.

  However, real-world workloads exhibit substantially lower performance
  impact. Notably, techniques such as PGO and ThinLTO dramatically
  reduce the impact of hot indirect calls (by speculatively promoting
  them to direct calls) and allow optimized search trees to be used to
  lower switches. If you need to deploy these techniques in C++
  applications, we *strongly* recommend that you ensure all hot call
  targets are statically linked (avoiding PLT indirection) and use both
  PGO and ThinLTO. Well tuned servers using all of these techniques saw
  5% - 10% overhead from the use of retpoline.

  We will add detailed documentation covering these components in
  subsequent patches, but wanted to make the core functionality
  available as soon as possible. Happy for more code review, but we'd
  really like to get these patches landed and backported ASAP for
  obvious reasons. We're planning to backport this to both 6.0 and 5.0
  release streams and get a 5.0 release with just this cherry picked
  ASAP for distros and vendors.

  This patch is the work of a number of people over the past month:
  Eric, Reid, Rui, and myself. I'm mailing it out as a single commit
  due to the time sensitive nature of landing this and the need to
  backport it. Huge thanks to everyone who helped out here, and
  everyone at Intel who helped out in discussions about how to craft
  this. Also, credit goes to Paul Turner (at Google, but not an LLVM
  contributor) for much of the underlying retpoline design.

  Reviewers: echristo, rnk, ruiu, craig.topper, DavidKreitzer

  Subscribers: sanjoy, emaste, mcrosier, mgorny, mehdi_amini, hiraditya, llvm-commits

  Differential Revision: https://reviews.llvm.org/D41723

MFC after:	3 months
X-MFC-With:	r327952
PR:		224669
2018-02-02 22:28:12 +00:00
Kirk McKusick
8a9493deb2 In the sbwrite(3) function, ensure that the file descriptor has been
upgraded to writable.

Reported by: Kyle Evans <kevans@freebsd.org>
2018-02-02 22:06:15 +00:00
Dimitry Andric
6d18171c19 Vendor import of llvm release_60 branch r324090:
https://llvm.org/svn/llvm-project/llvm/branches/release_60@324090
2018-02-02 17:07:53 +00:00
Ed Maste
b97bb95c9f Use standard 2-clause license where copyright is held by the FreeBSD Foundation 2018-02-02 16:47:32 +00:00
Warner Losh
0fd19f4a95 The routines defined in comparedf2 and comparesf2 are defined in libc
for softfloat mips. No need to include them here.
2018-02-02 05:04:43 +00:00
Kirk McKusick
687ae71f59 Fix punctuation. 2018-02-02 00:01:50 +00:00
Dimitry Andric
842d113b5c Upgrade our copies of clang, llvm, lld, lldb, compiler-rt and libc++ to
6.0.0 (branches/release_60 r323948).

MFC after:	3 months
X-MFC-With:	r327952
PR:		224669
2018-02-01 21:41:15 +00:00
Dimitry Andric
ee3c57deda Vendor import of compiler-rt release_60 branch r323948:
https://llvm.org/svn/llvm-project/compiler-rt/branches/release_60@323948
2018-02-01 21:14:23 +00:00
Dimitry Andric
bddbc598a7 Vendor import of clang release_60 branch r323948:
https://llvm.org/svn/llvm-project/cfe/branches/release_60@323948
2018-02-01 21:14:15 +00:00
Dimitry Andric
4a6a1ccbec Vendor import of llvm release_60 branch r323948:
https://llvm.org/svn/llvm-project/llvm/branches/release_60@323948
2018-02-01 21:07:55 +00:00
Glen Barber
9de4d0b11e Fix build by escaping a line break.
PR:		225597
Submitted by:	cbnfinley at gmail.com
Sponsored by:	The FreeBSD Foundation
2018-01-31 21:41:42 +00:00
John Baldwin
2c4bb7e326 Don't include long double routines on architectures with small long double.
Reviewed by:	emaste
Sponsored by:	DARPA / AFRL
Differential Revision:	https://reviews.freebsd.org/D13874
2018-01-31 18:13:33 +00:00
John Baldwin
acf1f71044 Add a new set of simple tests for makecontext().
In contrast to the existing NetBSD setcontext_link test, these tests
verify that passing from 1 to 6 arguments through to the callback function
work correctly which can be useful for testing ABIs which split arguments
between registers and the stack.

Sponsored by:	DARPA / AFRL
2018-01-31 18:02:02 +00:00
John Baldwin
b16fa5e718 Remove limitation of 6 arguments for makecontext() on mips.
This implementation spills additional arguments on the stack so works
fine with more than 6 arguments.  I believe the check was just copied
over from sparc64 (which doesn't support spilling onto the stack)

Sponsored by:	DARPA / AFRL
2018-01-31 18:00:23 +00:00
John Baldwin
80996ef878 Remove bogus checks against NCARGS.
NCARGS isn't a limit on the number of arguments to pass to a function,
but the number of bytes that can be consumed by arguments to exec.  As
such, it is not suitable for a limit on the count of arguments passed
to makecontext().

Sponsored by:	DARPA / AFRL
2018-01-31 17:57:59 +00:00
John Baldwin
7193311b15 Clarify that the additional arguments to makecontext() are of type int.
MFC after:	1 week
Sponsored by:	DARPA / AFRL
2018-01-31 17:56:36 +00:00
John Baldwin
ec56d65061 Consistently use 16-byte alignment for MIPS N32 and N64.
- Add a new <machine/abi.h> header to hold constants shared between C
  and assembly such as CALLFRAME_SZ.
- Add a new STACK_ALIGN constant to <machine/abi.h> and use it to
  replace hardcoded constants in the kernel and makecontext().  As a
  result of this, ensure the stack pointer on N32 and N64 is 16-byte
  aligned for N32 and N64 after exec(), after pthread_create(), and
  when sending signals rather than 8-byte aligned.

Reviewed by:	jmallett
Sponsored by:	DARPA / AFRL
Differential Revision:	https://reviews.freebsd.org/D13875
2018-01-31 17:36:39 +00:00
Warner Losh
5fe6063df9 Move strtold wrapper from strtol.c to its own strtold.c. This code
was written by theraven@ (David Chisnall) entirely, there's no
original Berkeley code left here so just copy his copyright over.
2018-01-31 03:05:14 +00:00
Pedro F. Giffuni
6ea268b652 libedit: sort the Makefile in line with NetBSD's version.
NetBSD's libedit has been been cleaned-up considerably so the
non--widecharacter version is no longer an option. Re -sorting the
Makefile should make it easier for some brave soul trying to update it.

No functional change intended.

MFC after:	5 days
2018-01-29 22:38:23 +00:00
Kyle Evans
e0656a4914 libregex: Mark gnuext test as an expected fail
The test was added prematurely as a goal to reach with the GNU extension
functionality, but the functionality has not yet been introduced. Mark it as
an expected fail until that point.
2018-01-29 14:00:33 +00:00
Mariusz Zaborski
5869a5d8ea The name of the library is exactly the same like one of name the name of the
functions.

We should not create MLINKS for that one, because it's break a build.

Submitted by:	lwhsu@
2018-01-29 05:29:28 +00:00
Mariusz Zaborski
eca3793736 Document the syslog Casper service.
Reviewed by:	bcr@
Differential Revision:	https://reviews.freebsd.org/D14084
2018-01-29 04:38:11 +00:00
Mariusz Zaborski
c1d2583d9d Add cap_random.3 to build system.
This should be done with r328494.
2018-01-27 22:57:06 +00:00
Mariusz Zaborski
90b809116a Fix caspermock - the cap_recv_nvlist should return nvlist. 2018-01-27 22:53:29 +00:00
Mariusz Zaborski
f45de90e55 Document the random Casper service.
Reviewed by:	bcr@
Differential Revision:	https://reviews.freebsd.org/D14072
2018-01-27 22:49:34 +00:00
Pedro F. Giffuni
b9b20abf2b libthr: Fix missing break in switch.
This is also a warning in recent GCC with -Wimplicit-fallthrough.

CID:	1356262
Obtained from:	DragonFly (git 0f037c78 - partial)
2018-01-27 22:27:55 +00:00
Mariusz Zaborski
28b6f7c86a Add SPDX tags for libcasper(3) and services.
MFC after:	2 weeks
2018-01-27 12:55:34 +00:00
Mariusz Zaborski
56a791046d Document the grp Casper service.
Reviewed by:	brueffer@, bcr@
Differential Revision:	https://reviews.freebsd.org/D13821
2018-01-27 11:54:51 +00:00
John Baldwin
95c4f0f257 Clarify some comments in the MIPS makecontext().
- N32 and N64 do not have a $a0-3 gap.
- Use 'sp += 4' to skip over the gap for O32 rather than '+= i'.  It
  doesn't make a functional change, but makes the code match the comment.

Sponsored by:	DARPA / AFRL
2018-01-27 00:39:49 +00:00
Maxim Konovalov
c042d0ca4a o EMFILE errno documented.
PR:		219209
Submitted by:	yuri (with minor adjustment)
Reviewed by:	brooks
2018-01-26 08:38:26 +00:00
Kirk McKusick
dffce2150e Refactoring of reading and writing of the UFS/FFS superblock.
Specifically reading is done if ffs_sbget() and writing is done
in ffs_sbput(). These functions are exported to libufs via the
sbget() and sbput() functions which then used in the various
filesystem utilities. This work is in preparation for adding
subperblock check hashes.

No functional change intended.

Reviewed by: kib
2018-01-26 00:58:32 +00:00
Kirk McKusick
4cfb30ed21 Update .Dd missed in -r328304.
Reported by: Bjoern Zeeb (bz)
MFC with:    328304
2018-01-24 22:36:21 +00:00
Dimitry Andric
042b1c2ef5 Upgrade our copies of clang, llvm, lld, lldb, compiler-rt and libc++ to
6.0.0 (branches/release_60 r323338).

MFC after:	3 months
X-MFC-With:	r327952
PR:		224669
2018-01-24 22:35:00 +00:00
Dimitry Andric
b99ba46cc7 Vendor import of compiler-rt release_60 branch r323338:
https://llvm.org/svn/llvm-project/compiler-rt/branches/release_60@323338
2018-01-24 20:25:48 +00:00
Dimitry Andric
520a89e9d3 Vendor import of clang release_60 branch r323338:
https://llvm.org/svn/llvm-project/cfe/branches/release_60@323338
2018-01-24 20:25:37 +00:00
Dimitry Andric
a096e0bdf6 Vendor import of llvm release_60 branch r323338:
https://llvm.org/svn/llvm-project/llvm/branches/release_60@323338
2018-01-24 20:23:48 +00:00
Martin Matuska
a2a3407c7e MFV r328323,328324:
Sync libarchive with vendor.

Relevant vendor changes:
  PR #893: delete dead ppmd7 alloc callbacks
  PR #904: Fix archive freeing bug in bsdcat
  PR #961: Fix ZIP format names
  PR #962: Don't modify attributes for existing directories
           when ARCHIVE_EXTRACT_NO_OVERWRITE is set
  PR #964: Fix -Werror=implicit-fallthrough= for GCC 7
  PR #970: zip: Allow backslash as path separator

MFC after:	1 week
2018-01-24 14:24:17 +00:00
Ed Maste
4d2a062671 libcxxrt: Move mangled symbols out of extern "C++" in Version.map
r260553 added a number of mangled C++ symbols to Version.map inside of
an existing `extern "C++"` block.

ld.bfd 2.17.50 treats `extern "C++"` permissively and will match both
mangled and demangled symbols against the strings in the version map
block.  ld.lld interprets `extern "C++"` strictly, and matches only
demangled symbols.

I believe lld's behaviour is correct.  Contemporary versions of ld.bfd
also behave as lld does, so move the mangled symbols out of the
`extern "C++"` block.

PR:		225128, 185663
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2018-01-23 22:41:13 +00:00
Kirk McKusick
8557409f20 In the C library, the setting up of the group array by various
utilities is done by calling gr_addgid() for each group to be
added (usually found by traversing /etc/group) then calling the
setgroups() system call after the group set has been created.
The gr_addgid() function (helpfully?) deduplicates the addition
of group members. So, if you call it to add a group member that
already exists, it is just dropped. Because group[0] is the
effective group-ID and is over-written when a setgid program
is run, The value in group[0] is usually duplicated so that
group value is not lost when a setgid program is run.

Historically this happened because the group value indicated
in the password file also appears in /etc/group (e.g., if you
are group staff in the password file, you will also appear in
the staff line in /etc/group). But, with the addition of the
deduplication, the attempt to add group staff was lost because
it already appeared in group[0]. So, the fix is to deduplicate
starting from group[1] which allows a duplicate of the entry in
group[0], but not in later entries.

There is some confusion about the setgroups system call because in
BSD it has (always) set the entire group including the egid group
(in group[0]). However, in Linux, it skips over group[0] and starts
setting from group[1]. See this comment from linux_setgroups:

      /*
       * cr_groups[0] holds egid. Setting the whole set from
       * the supplied set will cause egid to be changed too.
       * Keep cr_groups[0] unchanged to prevent that.
       */

To make it clear what the BSD setgroups system call does, I
added the following paragraph to the setgroups(2) manual page:

   The first entry of the group array (gidset[0]) is used as the effective
   group-ID for the process.  This entry is over-written when a setgid
   program is run.  To avoid losing access to the privileges of the
   gidset[0] entry, it should be duplicated later in the group array.
   By convention, this happens because the group value indicated in the
   password file also appears in /etc/group.  The group value in the
   password file is placed in gidset[0] and that value then gets added a
   second time when the /etc/group file is scanned to create the group set.

Reported by: Paul McMath  paulm at tetrardus.net
Reviewed by: kib
MFC after:   2 weeks
2018-01-23 22:18:45 +00:00
Alan Somers
76f9d2759b mlock(2): correct documentation for error conditions.
The man page is years out of date regarding errors. Our implementation _does_
allow unaligned addresses, and it _does_not_ check for negative lengths,
because the length is unsigned. It checks for overflow instead.

Update the tests accordingly.

Reviewed by:	bcr
MFC after:	3 weeks
Differential Revision:	https://reviews.freebsd.org/D13826
2018-01-22 21:45:54 +00:00
Kyle Evans
e36cba8a36 libregex: Add a symbol map
kib points out that trying to re-use symbol versioning from libc is dirty
and wrong. The implementation in libregex is incompatible by design with the
implementation in libc. Using the symbol versions from libc can and likely
will cause confusions for linkers and bring unexpected behavior for
consumers that unwillingly (transitively) link against libregex.

Reported by:	kib
2018-01-22 18:40:19 +00:00
Kyle Evans
df1043c201 libregex: Drop WARNS to 2 to match libc
It's become clear that my armv7 builds didn't catch all of the warnings that
other builds are picking up, drop WARNS to 2 to match libc until they're all
caught.
2018-01-22 03:12:26 +00:00
Kyle Evans
fe5bf674e6 Add missing patch from r328240
regcomp uses some libc internal collation bits that are not available in the
libregex context. It's easy enough to bring in the needed parts that can
work in a libregex world, so do so.

Pointy hat to:	me
2018-01-22 02:58:33 +00:00
Kyle Evans
b37f6c9805 Add libregex, connect it to the build
libregex is a regex(3) implementation intended to feature GNU extensions and
any other non-POSIX compliant extensions that are deemed worthy.

These extensions are separated out into a separate library for the sake of
not cluttering up libc further with them as well as not deteriorating the
speed (or lack thereof) of the libc implementation.

libregex is implemented as a build of the libc implementation with LIBREGEX
defined to distinguish this from a libc build. The reasons for
implementation like this are two-fold:

1.) Maintenance- This reduces the overhead induced by adding yet another
regex implementation to base.

2.) Ease of use- Flipping on GNU extensions will be as simple as linking
against libregex, and POSIX-compliant compilations can be guaranteed with a
REG_POSIX cflag that should be ignored by libc/regex and disables extensions
in libregex. It is also easier to keep REG_POSIX sane and POSIX pure when
implemented in this fashion.

Tests are added for future functionality, but left disconnected for the time
being while other testing is done.

Reviewed by:	cem (previous version)
Differential Revision:	https://reviews.freebsd.org/D12934
2018-01-22 02:44:41 +00:00
Eitan Adler
bdf16dd67c iconv: adding missing break
break is probably intended and correct,
but has no correctness implications due to is94 => is96

Reviewed by:	cem, jilles
Reported by:	swildner@DragonFlyBSD.org
MFC After:	1 week
2018-01-21 21:09:08 +00:00
Kyle Evans
4f8f1c798e regex(3): Resolve issues with higher WARNS levels
libc is set for WARNS=2, but the incoming libregex will use WARNS=6.
Sprinkle some casts and (void)bc's to alleviate the warnings that come along
with the higher WARNS level.

These 'bc' parameters could be outright removed, but as of right now they
will be used in some parts of libregex land. Silence the warnings instead
rather than flip-flopping.
2018-01-21 04:57:29 +00:00
Kirk McKusick
72f854ce8f Correct fsck journal-recovery code to update a cylinder-group
check-hash after making changes to the cylinder group. The problem
was that the journal-recovery code was calling the libufs bwrite()
function instead of the cgput() function. The cgput() function updates
the cylinder-group check-hash before writing the cylinder group.

This change required the additions of the cgget() and cgput() functions
to the libufs API to avoid a gratuitous bcopy of every cylinder group
to be read or written. These new functions have been added to the
libufs manual pages. This was the first opportunity that I have had
to use and document the use of the EDOOFUS error code.

Reviewed by: kib
Reported by: emaste and others
2018-01-17 17:58:24 +00:00
Dimitry Andric
d23c4359df Pull in r322623 from upstream llvm trunk (by Andrew V. Tischenko):
Allow usage of X86-prefixes as separate instrs.
  Differential Revision: https://reviews.llvm.org/D42102

This should fix parse errors when x86 prefixes (such as 'lock' and
'rep') are followed by various non-mnemonic tokens, e.g. comments, .byte
directives and labels.

PR:		224669,225054
2018-01-17 17:11:55 +00:00
Fabien Thomas
9f4f1d4d1f Fix pmcstat exit from kernel introduced by r325275.
pmcstat request for close will generate a close event.
This event will be in turn received by pmcstat to close the file.

Reviewed by:	kib
Tested by:	pho
MFC after:	1 week
Sponsored by: Stormshield
2018-01-17 16:41:22 +00:00