contexts as rtld's malloc is not thread safe and is only supposed to be
called with exclusive bind lock already held.
The originating PR submitted a patch on top of different pre-requisite
workaroud for unsafe dlopen calls, and the patch was midief slighlty to apply
to stock sources for the purpose of this commit. Running rtld malloc from
unlocked contexts is a bug on its own.
PR: 126950
Submited by: Oleg Dolgov
Before we had a posix_openpt() that allocated PTY's with proper
permissions in place, we used this set-uid utility to change the
ownership of PTY slave devices to the real user ID of the process. This
utility was used to implement grantpt().
In my first designs of the MPSAFE TTY layer, I replaced this by adding
an ioctl() called TIOCGRANTPT, which was used to change the ownership.
I left the pt_chown utility, because older C libraries needed it to work
properly.
After some discussions back in June I changed the PTY code to set
permissions properly upon creation. Fortunately the previous grantpt()
implementation changed permissions by hand when pt_chown is not
installed, which always succeeds. This means grantpt() still works
properly, even though the set-uid utility is missing.
I've done tests with FreeBSD 5.2.1, FreeBSD 6.3 and FreeBSD 7.0 jails.
All of them still work if I remove pt_chown.
Reviewed by: philip (ex-mentor)
understand which code paths aren't possible.
This commit eliminates 117 false positive bug reports of the form
"allocate memory; error out if pointer is NULL; use pointer".
- It is opt-out for now so as to give it maximum testing, but it may be
turned opt-in for stable branches depending on the consensus. You
can turn it off with WITHOUT_SSP.
- WITHOUT_SSP was previously used to disable the build of GNU libssp.
It is harmless to steal the knob as SSP symbols have been provided
by libc for a long time, GNU libssp should not have been much used.
- SSP is disabled in a few corners such as system bootstrap programs
(sys/boot), process bootstrap code (rtld, csu) and SSP symbols themselves.
- It should be safe to use -fstack-protector-all to build world, however
libc will be automatically downgraded to -fstack-protector because it
breaks rtld otherwise.
- This option is unavailable on ia64.
Enable GCC stack protection (aka Propolice) for kernel:
- It is opt-out for now so as to give it maximum testing.
- Do not compile your kernel with -fstack-protector-all, it won't work.
Submitted by: Jeremie Le Hen <jeremie@le-hen.org>
programs.
From the PR description:
The gcc runtime's _Unwind_Find_FDE function, invoked during exception
handling's stack unwinding, is not safe to execute from within multiple
threads. FreeBSD' s dl_iterate_phdr() however permits multiple threads
to pass through it though. The result is surprisingly reliable infinite
looping of one or more threads if they just happen to be unwinding at
the same time.
Introduce the new lock that is write locked around the dl_iterate_pdr,
thus providing required exclusion for the stack unwinders.
PR: threads/123062
Submitted by: Andy Newman <an at atrn org>
Reviewed by: kan
MFC after: 2 weeks
This code came from the merged mips2 and Juniper mips repositories.
Warner Losh, Randall Seager, Oleksandr Tymoshenko and Olivier Houchard
worked to merge, debug and integrate this code. This code may also
contain code derived from NetBSD.
sparc64, use ANSI function headers and specifically indicate the lack of
arguments with 'void'. Otherwise, warnings are generated at WARNS=3 for
libkse, leading to a compile failure with -Werror.
unique names based on the submitted filename, a strftime(3) format
string and a two digit sequence number.
By default the strftime(3) format string is %Y%m%d (YYYYMMDD), but
this can be changed by the -F option.
PR: bin/106049 (based on patch in that PR)
Approved by: grog@ (mentor)
src/Makefile.inc1 rev. 1.590, it can allow installing a world
cross-built for a different arch over the live system. The procedure
is more or less as follows:
cp -R /rescue /rescue.old
make installkernel TARGET_ARCH=foo
make -DNO_RTLD installworld TARGET_ARCH=foo
^^^^^^^^^
PATH=/rescue.old
chflags noschg /libexec/ld-elf.so.1
cp /usr/obj/foo/usr/src/libexec/rtld/ld-elf.so.1 /libexec
chflags schg /libexec/ld-elf.so.1
<ditto for ld-elf32.so.1 if installing for amd64>
reboot
in the way we implement handling of relocations.
As for the kernel part this fixes the loading of lots of modules,
which failed to load due to unresolvable symbols when built after
the GCC 4.2.0 import. This wasn't due to a change in GCC itself
though but one of several changes in configuration done along the
import. Specfically, HAVE_AS_REGISTER_PSEUDO_OP, which causes GCC
to denote global registers used for scratch purposes and in turn
GAS uses R_SPARC_OLO10 relocations for, is now defined.
While at it replace some more ELF_R_TYPE which should have been
ELF64_R_TYPE_ID but didn't cause problems so far.
- Sync a sanity check between kernel and rtld(1) and change it to be
maintenance free regarding the type used for the lookup table.
- Sprinkle const on lookup tables.
- Use __FBSDID.
Reported and tested by: yongari
MFC after: 5 days
itself. It needs mmap(2), which now needs getosreldate(3) and
which in turn uses a global variable to cache the result. This
cannot be done before linking is done.
See also: ../sparc64/reloc.c:1.15
Approved by: re (kensmith)
setenv(3) by tracking the size of the memory allocated instead of using
strlen() on the current value.
Convert all calls to POSIX from historic BSD API:
- unsetenv returns an int.
- putenv takes a char * instead of const char *.
- putenv no longer makes a copy of the input string.
- errno is set appropriately for POSIX. Exceptions involve bad environ
variable and internal initialization code. These both set errno to
EFAULT.
Several patches to base utilities to handle the POSIX changes from
Andrey Chernov's previous commit. A few I re-wrote to use setenv()
instead of putenv().
New regression module for tools/regression/environ to test these
functions. It also can be used to test the performance.
Bump __FreeBSD_version to 700050 due to API change.
PR: kern/99826
Approved by: wes
Approved by: re (kensmith)
potentially dangerous environment variables all together. It should be
noted that the run-time linker will not honnor these environment variables
if the process is tainted currently. However, once a child of the tainted
process calls setuid(2), it's status as being tainted (as defined by
issetugid(2)) will be removed. This could be problematic because
subsequent activations of the run-time linker could honnor these
dangerous variables.
This is more of an anti foot-shot mechanism, there is nothing I am
aware of in base that does this, however there may be third party
utilities which do, and there is no real negative impact of clearing
these environment variables.
Discussed on: secteam
Reviewed by: cperciva
PR: kern/109836
MFC after: 2 weeks
symbol lookup failures that later result in null-pointer
dereferences. This needs looking into, but since we're
close to release it's possible that it's not resolved before
that time.
Warning, after symbol versioning is enabled, going back is not easy
(use WITHOUT_SYMVER at your own risk).
Change the default thread library to libthr.
There most likely still needs to be a version bump for at least the
thread libraries. If necessary, this will happen later.
Not because I admit they are technically wrong and not because of bug
reports (I receive nothing). But because I surprisingly meets so
strong opposition and resistance so lost any desire to continue that.
Anyone who interested in POSIX can dig out what changes and how
through cvs diffs.
to override weak symbols exported by libc, so by definition these two
are using the same symbol version names.
Reflect the reality by referring to libc's Versions.def directly.
The support for RFC 2640 (UTF8) is optional and rudimentary.
The server just advertises its capability to handle UTF-8 file
names and relies on its own 8-bit cleanness, as well as on
the backward compatibility of UTF-8 with ASCII. So uploaded
files will have UTF-8 names, but the initial server contents
should be prepared in UTF-8 by hand, no on-the-fly conversion
of file names will be done.
PR: bin/111714
Submitted by: Zhang Weiwu <see email in the PR>
MFC after: 1 week
main object list, its versioning information needs to be examined
separately.
This hopefully fixes problems that people running with SYMVER_ENABLED
are experiencing.
activate the traces, set the LD_UTRACE (or LD_32_UTRACE) environment
variable. This also includes code in kdump(8) to parse the traces.
Reviewed by: kan, jdp
MFC after: 2 weeks
dso that are actually loading. If dso a.so depends on b.so, then dlsym
with handle from dlopen("b.so") will fail unconditionally.
Correct implementation shall use the Obj_Entry.needed list to walk
dependencies DAG.
Test provided by: jkim
Tested (prev. version) by: jkim, Nicolas Blais <nb_root at videotron ca>, h.blanke at chello nl
Pointy hat to: kib
Approved by: kan (mentor)
given as dso handle, but also in the implicit dependencies of that dso.
Also, const-ify the read-only parameter objlist of symlook_list.
Reported by: "Simon 'corecode' Schubert" <corecode at fs ei tum de>
Approved by: kan (mentor)
X-MFC-After: 6.2
ignoring errors when sourcing rc.conf* files. The most common error
occurs when users put a command of some sort into those files.
(ifconfig is a popular choice)
2. Make the file rotation logic simpler by starting one down from
the "top" of the list, rather than at the top.
3. Try to make file rotation more secure by calling unlink(1) on all
new file names before rotating an old file to the new name, rather than
merely calling 'rm -f' on any files that exceed the number of files
to save.
- Don't use full path in .Nm (we just don't do that).
- Correct some frivolous and poorly rendering language,
such as using possessive case for .Nm or .Fl .
- Use the same capitalization for "user ID" as in setuid(2) and getuid(2).
- Bring SEE ALSO in accord with the text.
MFC after: 5 days
crunched floppies, but they can be included as options in
src/release/picobsd (omitted by default though.) Therefore
preserve the RELEASE_CRUNCH knob in their Makefiles, but
tell its real purpose in a comment.
from accept(2) and fork(2). Also close all unneeded fds
in the child process, namely listening sockets for all
address families and the fd initially obtained from accept(2).
(The main ftpd code operates on stdin/stdout anyway as it
has been designed for running from inetd.)
MFC after: 5 days
By default, create a pid file at the standard location, /var/run/ftpd.pid,
in accord with the expected behavior of a stock system daemon.
MFC after: 5 days
* Add posix_memalign().
* Move calloc() from calloc.c to malloc.c. Add a calloc() implementation in
rtld-elf in order to make the loader happy (even though calloc() isn't
used in rtld-elf).
* Add _malloc_prefork() and _malloc_postfork(), and use them instead of
directly manipulating __malloc_lock.
Approved by: phk, markm (mentor)
POSIX. This also makes the struct correct we ever implement an i386-time64
architecture. Not that we need too.
Reviewed by: imp, brooks
Approved by: njl (acpica), des (no objects, touches procfs)
Tested with: make universe
oldest versioned symbol available. Do not accept hidden symbols for
all other versions.
Use "<obj->path>: <error message>" for all error messages in new
functions to make them more consistent.
to be compatible with symbol versioning support as implemented by
GNU libc and documented by http://people.redhat.com/~drepper/symbol-versioning
and LSB 3.0.
Implement dlvsym() function to allow lookups for a specific version of
a given symbol.
means:
o Remove Elf64_Quarter,
o Redefine Elf64_Half to be 16-bit,
o Redefine Elf64_Word to be 32-bit,
o Add Elf64_Xword and Elf64_Sxword for 64-bit entities,
o Use Elf_Size in MI code to abstract the difference between
Elf32_Word and Elf64_Word.
o Add Elf_Ssize as the signed counterpart of Elf_Size.
MFC after: 2 weeks
we included the length of the path in the returned size but not the length
of the associated Dl_serpath structure. Without this fix, programs
attempting to allocate a structure to hold the search path information
would allocate too small of a buffer and rtld would overrun the buffer
while filling it via a subsequent RTLD_DI_SERINFO request.
Submitted by: "William K. Josephson" wkj at morphisms dot net
Reviewed by: jdp
MFC after: 2 weeks
Like on libthr, there is an i386_set_gsbase() stub implementation here
to avoid libc.so.5 issues. This should likely be a weak symbol and I
expect this will be fixed soon.
Approved by: re
method of executing commands remotely. There are no rexec clients in
the FreeBSD tree, and the client function rexec(3) is present only in
libcompat. It has been documented as "obsolete" since 4.3BSD, and its
use has been discouraged in the man page for over 10 years.
loads and stores (resp.) The ldq_u and stq_u instruction mask off the
lower 3 bits of the final address before loading from or storing to
the address, so as to avoid unaligned loads and stores. They do not
themselves allow loads from or stores to unaligned addresses. Replace
the macro definitions by a packed struct dereference.
Submitted by: Richard Henderson (rth at twiddle dot net)
rc.conf[.local]. Fix this, and leave the default as 2048.
Update the copyright year to include the present.
Update the assignment of the copyright to be me personally,
instead of "The FreeBSD Project" which is not a legal entity,
and therefore not a proper assignee. My intention remains the
same however, that this code continue to be BSD licensed, and
freely available to anyone that wants it under those terms.
PR: conf/75722
Submitted by: Nicolas Rachinsky <list@rachinsky.de>
during authentication. Thus we need to call getpwnam *after* the user
has been authenticated. Colin mentioned that we should also move the
check for root in that case.
are initialised to zero. When freeing TLS, don't attempt to free DTV
slots which were not used.
Pointed out by: Joerg Sonnenberger
X-MFC-After: After the branch, probably
5.0-RELEASE), a visually elusive bug was introduced. A comparison
operator was changed to assignment. As a result, rexecd behaved
always as if the `-i' option had been specified. It would allow root
logins. This commit corrects the situation in the obvious way.
A separate bug was introduced at the same time. The PAM library
functions are called between the invocation of getpwnam(3) and the use
of the returned static object. Since many PAM library functions
result in additional getpwnam(3) calls, the contents of the returned
static object could be changed from under rexecd. With this commit,
getpwnam_r(3) is used instead.
Other PAM-using applications should be reviewed for similar errors in
getpw* usage.
Security: rexecd's documented default policy of disallowing root
logins was not enforced.
Reviewed by: cperciva
LD_LIBMAP_DISABLE, LD_LIBRARY_PATH) are used, then make sure the
libraries being loaded aren't on a noexec-mounted filesystem.
This is a compromise position: I'm assuming that nobody will be silly
enough to set the noexec mount flag on part of the default library
path, in order to avoid adding extra overhead into the common case
(where those environment variables aren't used).
Discussed with: csjp, secteam
MFC after: 1 week
