Make the system call honor `AT_SYMLINK_NOFOLLOW`.
Also enable this from `linux_faccessat2` where the issue arised the first time.
Update manual pages accordingly.
PR: 275295
Reported by: kenrap@kennethraplee.com
Approved by: kib@
Differential Revision: https://reviews.freebsd.org/D46267
Derived from tests posted by kib in D46108. I made one of them use a
pthread barrier instead of sleeping.
Reviewed by: kib
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D46176
Call it libc_exit_test instead of exit_test because the NetBSD test
suite already has a file with the latter name. This is in preparation
for adding other exit()-related tests.
MFC after: 2 weeks
Improve wording and also fix the constants' names.
Sponsored by: The FreeBSD Foundation
MFC after: 2 days
Reviewed by: dev_submerge.ch
Differential Revision: https://reviews.freebsd.org/D46220
These were accidentally lost when moving recvmmsg and sendmmsg back
from libc to libsys.
Reported by: Mark Millard <marklmi@yahoo.com>
Reviewed by: brooks, imp
Fixes: 29d079c964 libsys: move __libsys_interposer consumers
Differential Revision: https://reviews.freebsd.org/D46200
The function is called by rtld with the rtld bind lock write-locked,
when fixing the stack permission during dso load. Not every ARMv7 CPU
supports the div, which causes the recursive entry into rtld to resolve
the __aeabi_uidiv symbol, causing self-lock.
Workaround the problem by using roundup2() instead of open-coding less
efficient formula.
Diagnosed by: mmel
Based on submission by: John F Carr <jfc@mit.edu>
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
An overread condition in memccpy(dst, src, c, len) would occur if
src does not cross a 16 byte boundary and there is no instance of
c between *src and the next 16 byte boundary. This could cause a
read fault if src is just before the end of a page and the next page
is unmapped or unreadable.
The bug is a consequence of basing memccpy() on the strlcpy() code:
whereas strlcpy() assumes that src is a nul-terminated string and
hence a terminator is always present, c may not be present at all in
the source string. It was not caught earlier due to insufficient
unit test design.
As a part of the fix, the function is refactored such that the runt
case (buffer length from last alignment boundary between 1 and 32 B)
is handled separately. This reduces the number of conditional
branches on all code paths and simplifies the handling of early
matches in the non-runt case. Performance is improved slightly.
os: FreeBSD
arch: amd64
cpu: 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz
│ memccpy.unfixed.out │ memccpy.fixed.out │
│ sec/op │ sec/op vs base │
Short 66.76µ ± 0% 62.45µ ± 1% -6.44% (p=0.000 n=20)
Mid 7.938µ ± 0% 7.967µ ± 0% +0.36% (p=0.001 n=20)
Long 3.577µ ± 0% 3.577µ ± 0% ~ (p=0.429 n=20)
geomean 12.38µ 12.12µ -2.08%
│ memccpy.unfixed.out │ memccpy.fixed.out │
│ B/s │ B/s vs base │
Short 1.744Gi ± 0% 1.864Gi ± 1% +6.89% (p=0.000 n=20)
Mid 14.67Gi ± 0% 14.61Gi ± 0% -0.36% (p=0.001 n=20)
Long 32.55Gi ± 0% 32.55Gi ± 0% ~ (p=0.429 n=20)
geomean 9.407Gi 9.606Gi +2.12%
Reported by: getz
Reviewed by: getz
Approved by: mjg (blanket, via IRC)
See also: D46051
MFC: stable/14
Event: GSoC 2024
Differential Revision: https://reviews.freebsd.org/D46052
Checking the first nibble of the IPv6 address to be 0 and then
excluding two well known cases (v4-mapped, loopback) leaves us with
more cases where the first nibble could be 0, e.g., the RFC 6052,
2.1 Well-Known Prefix 64:ff9b::/96.
It is not practical to track them all and it is not clear what lead
to this special casing originally, so remove them.
While here also remove the IN6_IS_ADDR_LINKLOCAL() + NI_NUMERICHOST
case as link-local address resolution does exist.
We do leave the IN6_IS_ADDR_MULTICAST() case for now as I could
not find any references to any official reverse lookups for these.
Adding comments for more case (and some historic behaviour) in order
to make it easier to follow the logic.
PR: 279618
Fixes: 6cb9418289
MFC after: 6 weeks
Reviewed by: hrs
Differential Revision: https://reviews.freebsd.org/D45547
Add the ability to pre-resolve architecture-specific EABI symbols and
use it on arm for selected EABI functions. These functions can be called
with rtld bind lock write-locked, so they should be resolved in forward.
Reported by: Mark Millard <marklmi@yahoo.com>, John F Carr <jfc@mit.edu>
Reviewed by: kib, imp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D46104
GCC doesn't like `#pragma weak macro(foo)`, but that's fine; just slap
a __weak_symbol on the definition to more reliably make it weak
anyways.
Reviewed by: kib (earlier version), markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45976
GCC emits a warning about shadowing a builtin with our mempcpy
declaration, so switch it to using the same model as memcpy() and
use the apparently-existing __builtin___mempcpy_chk().
Reviewed by: kib (earlier version), markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45976
Test case to check if an implementation of memset correctly
handles the value passed being wider than a byte
Approved by: emaste
Reviewed By: fuz (GSoC mentor), emaste
Sponsored by: Google LLC (GSoC 2024)
Differential Revision: https://reviews.freebsd.org/D45738
The entire recv*() implementation set is ripe for opportunities to
validate, so do what we can with what we have.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45686
Notably sanity check indices passed to the FD_*() macros against the
size of the fd_set itself.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45685
Check both the buffer size of the iov object itself, as well as that
of each indidvidually io base.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45684
That is to say, fortify getrandom(2).
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45683
This includes all of the w*() equivalents to str*()/mem*() implemented
in more or less the same way. For these ones, we'll just use
header-only implementations from the start to stop further cluttering
the libc symbol table.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45682
The immediately obvious and attractive targets from <stdlib.h> are
arc4random_buf(3) and realpath(3) -- scraping the header didn't reveal
much else of interest.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45681
For poll/ppoll we just need to bounds-check the poll array that we're
about to write out to.
Reviewed by: kib, markj (earlier version)
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45680
ssp/ssp.h needed some improvements:
- `len` isn't always a size_t, it may need casted
- In some cases we may want to use a len that isn't specified as a
parameter (e.g., L_ctermid), so __ssp_redirect() should be more
flexible.
- In other cases we may want additional checking, so pull all of the
declaration bits out of __ssp_redirect_raw() so that some functions
can implement the body themselves.
strlcat/strlcpy should be the last of the fortified functions that get
their own __*_chk symbols, and these cases are only done to be
consistent with the rest of the str*() set.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45679
Switch away from pointer arithmetic to provide more obvious semantics
for checking overlap on pointer ranges. This lets us remove some casts
that need not exist and removes some possible fragility in its use.
While we're here, check for overflow just in case; sometimes we use a
caller-supplied size if __builtin_object_size(3) can't deduce the buffer
size, and we should fail the check if the size is nonsensical for the
provided buffers.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
The _FORTIFY_SOURCE tests will be generated by a lua script to avoid a
lot of redundancy in writing these tests. For each function that we're
fortifying, the plan is to test at least the following three scenarios:
- Writing up to one byte before the end of the buffer,
- Writing up to the end of the buffer,
- Writing one byte past the end of the buffer
The buffer is shoved into a struct on the stack to guarantee a stack
layout in which we have a valid byte after the buffer so that level 2
fortification will trip and we can have confidence that it wasn't some
other stack/memory protection instead.
The generated tests are divided roughly into which header we're
attributing them to so that we can parallelize the build -- the full set
is a bit over 9000 lines of C and takes 11s to build on the hardware
that I'm testing on if it's a single monolothic file.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45678
We'll be using it in some upcoming definitions in headers, so move it
back now but slap a warning on it. Our upcoming uses will all be inside
of inline functions, so we're not overly concerned about double
evaluation immediately.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45677
ZFS' libspl needs to be made aware that we have strlcat(3) and
strlcpy(3) to avoid some more complicated declaration duplication, so
go ahead and define these HAVE_ macros now.
libprocstat has to define `_KERNEL` and include kernel headers in order
to get what it wants, but this results in sys/cdefs.h being included too
late and we pick up the build breaking version of the __RENAME
definition. Just explicitly include sys/cdefs.h earlier rather than
disabling _FORTIFY_SOURCE. The zfs/ subdir only builds an object that
holds some structures and sizes, so just disable _FORTIFY_SOURCE there
entirely rather than trying to move #define _KERNEL into the file..
While we're here, make sure that we disable _FORTIFY_SOURCE in the
bootloader because we don't have the symbol renaming support today to do
it as cleanly as we'd like. ssp/ssp.h needs to be pulled into the libsa
environment so that other bits can understand that ssp is disabled in
the consistent __SSP_FORTIFY_LEVEL way that we try to do.
Reviewed by: allanjude (previous version), markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45676
We just need to check we are building for arm.
Reviewed by: manu, emaste
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D45644
This patch introduces userspace library support for the bnxt_re RoCE driver.
The library can be linked with RDMA applications such as perftest and rping.
The RoCE traffic has been tested with the rping and perftest utility.
Reviewed by: imp, kib, sumit.saxena@broadcom.com
Approved by: imp
Differential revision: https://reviews.freebsd.org/D45729
