IABSD.fr/src/libexec


Log

Author Commit Date CI Message
b0714f38 2022-01-17 01:35:36 Nothing depends on archdep.h pulling in other #includes anymore, so delete the #includes and hide the RELOC_* functions that are only used by lib/csu behind "#ifdef RCRT0" these are the ones I tested; kettenis@ was on board with the concept
b0a1b819 2022-01-16 02:17:05 Nothing depends on archdep.h pulling in other #includes anymore, so delete the #includes and hide the RELOC_* functions that are only used by lib/csu behind "#ifdef RCRT0" ok jca@
2a697c88 2022-01-16 02:16:40 Nothing depends on archdep.h pulling in other #includes anymore, so delete the #includes and hide the RELOC_* functions that are only used by lib/csu behind "#ifdef RCRT0" ok kettenis@
b3a968f5 2022-01-16 02:14:27 Nothing depends on archdep.h pulling in other #includes anymore, so delete the #includes and hide the RELOC_* functions that are only used by lib/csu behind "#ifdef RCRT0" ok aoyama@
1f204c7b 2022-01-08 18:30:18 archdep.h needed for _dl_dcbf, on powerpc
fa1e3a20 2022-01-08 17:28:49 need "archdep.h" for _dl_md_plabel on hppa
b722ba42 2022-01-08 06:49:41 Prep .c files for removing the #includes from */archdep.h * replace #include "archdep.h" with #includes of what is used, pulling in "syscall.h", "util.h", and "archdep.h" as needed * delete #include <sys/syscall.h> from syscall.h * only pull in <sys/stat.h> to the three files that use _dl_fstat(), forward declare struct stat in syscall.h for the others * NBBY is for <sys/select.h> macros; just use '8' in dl_printf.c * <machine/vmparam.h> is only needed on i386; conditionalize it * stop using __LDPGSZ: use _MAX_PAGE_SHIFT (already used by malloc.c) where necessary * delete other bogus #includes, order legit per style: <sys/*> then <*/*>, then <*>, then "*" dir.c improvement from jsg@ ok and testing assistance deraadt@
29ec0a10 2022-01-04 13:43:14 - add LDAP - capitalise RADIUS when referring to the protocol - remove tis from raf czlonka ok sthen ajacoutot
7544b685 2021-12-30 08:39:19 Sync from libc: Use _MAX_PAGE_SHIFT, rather than #ifdef mips64 ok otto@
5a2b798a 2021-12-30 04:48:13 Delete dead (duplicate) test
1d60349d 2021-12-23 18:50:31 Roll the syscalls that have an off_t argument to remove the explicit padding. Switch libc and ld.so to the generic stubs for these calls. WARNING: reboot to updated kernel before installing libc or ld.so! Time for a story... When gcc (back in 1.x days) first implemented long long, it didn't (always) pass 64bit arguments in 'aligned' registers/stack slots, with the result that argument offsets didn't match structure offsets. This affected the nine system calls that pass off_t arguments: ftruncate lseek mmap mquery pread preadv pwrite pwritev truncate To avoid having to do custom ASM wrappers for those, BSD put an explicit pad argument in so that the off_t argument would always start on an even slot and thus be naturally aligned. Thus those odd wrappers in lib/libc/sys/ that use __syscall() and pass an extra '0' argument. The ABIs for different CPUs eventually settled how things should be passed on each and gcc 2.x followed them. The only arch now where it helps is landisk, which needs to skip the last argument register if it would be the first half of a 64bit argument. So: add new syscalls without the pad argument and on landisk do that skipping directly in the syscall handler in the kernel. Keep compat support for the existing syscalls long enough for the transition. ok deraadt@
4888f4f4 2021-12-15 17:06:01 spamd: convert to opaque HMAC_CTX ok jsing
1dde9cbe 2021-12-14 07:20:16 A better approach is to define __CONCAT locally
64890fb5 2021-12-14 02:17:39 Sigh. This sys/cdefs.h is hiding use of __CONCAT in a non-C context. Needs some other repairs first.
e16a722a 2021-12-13 18:28:39 including sys/cdefs.h manually started as a result of netbsd trying to macro-build a replacement for sccsid, and was done without any concern for namespace damage. Unfortunately this practice started infecting other code as others were unaware they didn't need the file. ok millert guenther
1be08e70 2021-11-27 15:13:09 Remove an unneeded variable to fix compiler warning with clang 13. OK jsg@
a5dfec8f 2021-11-16 21:55:21 fix an accidental NULL deref introduced last year, found by patrick. rewrite the code with a goto so this never happens again. ok patrick millert
246ef78e 2021-11-14 22:07:38 Delete all the no-op RELOC_GOT() macros and their uses. Annotate RELOC_DYN() on non-hppa as only used in lib/csu. Delete some inconsistent comments, adjust whitespace, and reorder mips64's archdep.h so that the ld.so/*/archdep.h files look (almost) the same. ok visa@ kettenis@
b3331980 2021-11-12 22:28:13 Add support for RELR relocations in the executable and share objects. This doesn't affect ld.so's self-reloc, which still requires DT_REL/DT_RELA ok kettenis@
9e6d8a17 2021-11-09 21:22:29 Like most archs, riscv doesn't need resolution of JUMP_SLOT relocations in static PIE binaries: delete RELOC_JMPREL and HAVE_JMPREL there. ok kettenis@
b7041c07 2021-10-24 21:24:15 For open/openat, if the flags parameter does not contain O_CREAT, the 3rd (variadic) mode_t parameter is irrelevant. Many developers in the past have passed mode_t (0, 044, 0644, or such), which might lead future people to copy this broken idiom, and perhaps even believe this parameter has some meaning or implication or application. Delete them all. This comes out of a conversation where tb@ noticed that a strange (but intentional) pledge behaviour is to always knock-out high-bits from mode_t on a number of system calls as a safety factor, and his bewilderment that this appeared to be happening against valid modes (at least visually), but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef. ok millert
a39bec83 2021-10-23 19:08:48 ensure that sensitive data is zeroed out from mem. ok beck@
052aa85f 2021-10-07 14:47:32 Print the name of the symbol that can't be resolved when using LD_DEBUG ok mpi, kn
75fec711 2021-09-13 17:42:47 various formatting fixes;
ce828c77 2021-09-13 11:49:21 introduce /etc/bsd.re-config which can be used to configure the kernel using config(8); the contents of this configuration file will be fed to config(8) after kernel relinking is done, so on the next boot the new kernel will have all the configuration changes set by the user this comes handy if you still want to use KARL while making changes to the GENERIC kernel diff from Paul de Weerd with input from several developers
06971c39 2021-09-02 20:57:58 remove sys/param.h use, by replacing MAXLOGNAME -> LOGIN_NAME_MAX and MAXHOSTNAMELEN -> HOST_NAME_MAX+1
fa56b7e6 2021-07-14 13:33:57 Remove unneeded calls to tls_init(3) As per the manual and lib/libtls/tls.c revision 1.79 from 2018 "Automatically handle library initialisation for libtls." initialisation is handled automatically by other tls_*(3) functions. Remove explicit tls_init() calls from base to not give the impression of it being needed. Feedback tb OK Tests mestre
bc5a8259 2021-07-12 15:09:18 Change the error reporting pattern throughout the tree when unveil fails to report the path that the failure occurred on. Suggested by deraadt@ after some tech discussion. Work done and verified by Ashton Fagg <ashton@fagg.id.au> ok deraadt@ semarie@ claudio@
233f47c2 2021-07-07 07:28:56 Hoist whole TLS initialization instead of loading the cert/key into memory first and setting them up later on, nowadays it's possible to do both steps in just one go through tls_config_set_{cert,key}_file(3) so use it and then init TLS. No functional change. OK kn@
6a3ad11d 2021-06-26 14:50:25 Make lazy binding work on riscv64. prompted by deraadt@
c5bd6813 2021-06-26 14:47:54 Build ld.so with --march=rv64imac on riscv64 to be absolutely sure that ld.so doesn't use the FP registers. ok deraadt@
bde8342f 2021-06-26 14:46:48 Use AFLAGS when building syscall stubs. Drop AINC which isn't used. ok deraadt@
296fbf9f 2021-06-02 07:29:03 add RTLD_NODELETE support if RTLD_NODELETE isn't POSIX, it is widely deployed: at least linux, freebsd, dragonfly, netbsd, solaris, illumos, apple, and fuchsia have it. ok kettenis@ on previous version with help from and ok guenther@ diff partially inspired from a diff from brad@
18a2fcc3 2021-05-31 16:18:01 Convert K&R function definitions to modern C. OK naddy@, millert@
f9a87ca6 2021-05-25 17:01:36 program headers: do not rely on DYNAMIC coming before GNU_RELRO Except for some specific cases (thanks guenther) ELF mandates nothing but the file header be at a fixed location, hence ld.so(1) must not assume any specific order for headers, segments, etc. Looping over the program header table to parse segment headers, _dl_boot() creates the executable object upon DYNAMIC and expects it to be set upon GNU_RELRO, resulting in a NULL dereference iff that order is reversed. Store relocation bits in temporary variables and update the executable object once all segment headers are parsed to lift this dependency. Under __mips__ _dl_boot() later on uses the same temporary variable, so move nothing but the declaration out of MI code so as to not alter the MD code's logic/behaviour. Found while porting patchelf(1) from NixOS. OK guenther
0c50dd5d 2021-05-23 17:01:21 Constify function parameters. OK martijn@
12233708 2021-05-22 14:30:46 Remove useless fflush(3) calls. lreply() already called fflush(3). OK martijn@
c7141df2 2021-05-22 14:25:30 Remove useless islower(2) before toupper(3). OK martijn@
330fc432 2021-05-20 15:21:03 Removes the useless FILE* parameter of get_line(). While here fix minor whitespace mistake. "looks fine to me" chris@
94ffa4e9 2021-05-16 16:00:50 Correct problem in riscv64 dtors execution load the function pointer correctly and do not overwrite it in csu. allows most ld.so regressions to pass confirmed by jsg@, ok kettenis
fcba609b 2021-05-15 13:37:43 Add pledge for ftpd's user processes. OK tobhe@
6d91b5a8 2021-04-28 15:16:26 riscv64 ld.so derived from arm64 go ahead deraadt@
52918795 2021-04-19 06:43:15 Same internal consistency check as libc malloc: size in hash table should correspond to size of chunk meta data
0458707b 2021-03-16 18:03:06 On i386 don't attempt to map shared libraries in low memory when a large executable's .text section crosses the 512MB exec line. Executables that have MAXTSIZ > 64MB can map above the default 512MB exec line. When this happens, shared libs that attempt to map into low memory will find their .data section can not be mapped. ld.so will attempt to remap the share lib at higher addresses until it can be mapped. For very large executables like chrome this process is very time consuming. This change detects how much of the executable's .text section exceeds 512MB and uses that as the initial hint for shared libs to map into which avoids attempting to map into blocked memory. okay deraadt@
07817e4b 2021-01-02 20:32:20 Check auth_mkvalue(3) return value for NULL (malloc failure). For constant strings we don't actually need to use auth_mkvalue(3). Problem reported by Ross L Richardson.
f0617203 2020-12-27 15:11:04 We know about optreset from unistd.h. From Jan Stary, thanks. OK martijn
e8542567 2020-12-26 13:17:33 Fix a nasty mem leak in ld.so's own malloc. This was hard to diagnose, since malloc dumping and gdb do not help at all when studying ld.so. In the end it turns out to be a simple merge error causing extra mmap calls. ok miller@ tb@
15572fcf 2020-11-28 19:49:30 Add retguard to macppc kernel locore.S, ofwreal.S, setjmp.S This changes RETGUARD_SETUP(ffs) to RETGUARD_SETUP(ffs, %r11, %r12) and RETGUARD_CHECK(ffs) to RETGUARD_CHECK(ffs, %r11, %r12) to show that r11 and r12 are in use between setup and check, and to pick registers other than r11 and r12 in some kernel functions. ok mortimer@ deraadt@
d2c5a474 2020-10-26 22:07:05 Retguard asm macros for powerpc libc, ld.so Add retguard to some, but not all, asm functions in libc. Edit SYS.h in libc to remove the PREFIX macros and add SYSENTRY (more like aarch64 and powerpc64), so we can insert RETGUARD_SETUP after SYSENTRY. Some .S files in this commit don't get retguard, but do stop using the old prefix macros. Tested by deraadt@, who put this diff in a macppc snap.
ac44ab0d 2020-10-16 23:42:53 Use the retguard macros from asm.h to protect the system call stubs. ok mortimer kettenis
fa3953db 2020-10-15 04:12:43 make three mib[] arrays const, as was done in libc
14dbc680 2020-10-11 18:28:17 Don't skip file systems just because the parent fs is nodev and nosuid. Fixes instances where a mount point uses the nodev and nosuid options but another file system mounted inside that hierarchy does not. OK schwarze@
352e64a1 2020-09-17 06:51:06 afs, nnpfs, and procfs are no longer supported, so stop looking for them in mount(8) output; no functional change intended; OK millert@
0a0d7ac4 2020-09-14 14:43:13 Do not bother scanning file systems that are both nodev and nosuid for SUID, SGID, and device files, implementing an idea that deraadt@ came up with based on a somewhat similar idea from millert@ after a loosely related comment from Rupert Gallagher on misc@. While here, minimally simplify the way mount options are parsed, hoping to make the parsing more readable and also more robust. OK millert@ deraadt@
25be1e55 2020-09-14 08:00:57 No need to check for NULL before calling free. from miod@
9be2b23b 2020-09-12 17:14:23 Documentation fixes by jmc.
f95714a4 2020-09-12 15:06:12 Import login_ldap. The code is based on the login_ldap port, but uses our own aldap implementation instead of openldap. It also uses a stand alone configuration file instead of login.conf, since setting this up might contain information not destined for everyone to see. OK bluhm@ "Go for it" deraadt@
a7b56afa 2020-09-06 17:08:29 Move definition of struct token_types *tt to init.c from header file. Makes it build with -fno-common. ok deraadt
d3e0725e 2020-08-11 23:32:06 clang 10 now emits calls to __multi3 from libcompiler_rt Hints from kettenis@, ok kettenis@ deraadt@
92e19e77 2020-07-18 16:41:43 Use the same names as the 64-bit PowerPC ELF ABI for the relocations.
122a6b72 2020-07-16 21:26:18 Rewrite loop to match what is written down in the ABI document. ok drahn@
af856e3a 2020-07-16 21:18:09 Make lazy binding work. Committing on behalf of drahn@ who is a bit busy.
bdf34362 2020-07-08 10:41:38 Clarify man page OK sobrado@ jmc@
89c7f3c9 2020-06-28 20:52:05 Disable powerpc64 lazy binding, code was not for 64 bit ABI DT_PPC_GOT is not used on powerpc64, delete.
61dad853 2020-06-28 17:58:40 Powerpc64 ld.so asm code needs to conform to Powerpc64 abi, not 32bit. ok kettenis@
6a2e3db8 2020-06-25 04:00:58 PowerPC64 ld.so code. Mostly ported, code runs far enough to start first symbol string lookup. build with -gdwarf-4 to remove asm warnings. Do not bother supporting 32 bit non-pic relocations in shared libraries. (however leave the code there for now)
da07b1a3 2020-05-27 03:12:06 Remove support for world-writable mail spools. They won't work any more due to pledge restrictions so just print an error and exit if the spool is world-writable. OK beck@
e3568ce2 2020-05-15 17:25:39 Fix handling of passwd entries with an empty password. Initialize "pass" to the empty string instead of NULL, otherwise crypt_checkpass() will dereference NULL. From Yuichiro Naito via yasuoka@. OK deraadt@
c6bdb7a3 2020-05-08 11:04:50 ld.so(1) also ignores LD_LIBRARY_PATH and friends for set-group-ID executables While here, use consistent casing and don't use .Ev for set-user-ID/set-group-ID. from Miod
b3f796b2 2020-05-08 10:57:50 LD_DEBUG is ignored for set-user-ID and set-group-ID executables from Miod
fa9f1946 2020-03-27 22:17:47 Add missing space in stack smash handler error message. ok kettenis@, deraadt@
f74a2b77 2020-03-13 09:31:24 Anthony Steinhauser reports that 32-bit arm cpus have the same speculation problems as 64-bit models. To resolve the syscall speculation, as a first step "nop; nop" was added after all occurrences of the syscall ("swi 0") instruction. Then the kernel was changed to jump over the 2 extra instructions. In this final step, those pair of nops are converted into the speculation-blocking sequence ("dsb nsh; isb"). Don't try to build through these multiple steps, use a snapshot instead. Packages matching the new ABI will be out in a while... ok kettenis
ded5ef52 2020-03-13 06:38:55 Anthony Steinhauser reports that 32-bit arm cpus have the same speculation problems as 64-bit models. For the syscall instruction issue, add nop;nop after swi 0, in preparation for jumping over a speculation barrier here later. (a lonely swi 0 was hiding in __asm in this file)
f377c767 2020-03-11 12:53:19 Anthony Steinhauser reports that 32-bit arm cpus have the same speculation problems as 64-bit models. For the syscall instruction issue, add nop;nop after swi 0, in preparation for jumping over a speculation barrier here later. ok kettenis
aed6457b 2020-03-04 20:17:48 Avoid passing a NULL name to retrieve(), use "." instead. Fixes a "vfprintf %s NULL" warning in ftpd. OK deraadt@ tb@
5ecc9681 2020-02-18 12:19:11 Now that the kernel skips the two instructions immediately following a syscall, replace the double nop with a dsb nsh; isb; sequence which stops the CPU from speculating any further. This fix was suggested by Anthony Steinhauser. ok deraadt@
e1869fb3 2020-02-09 14:59:20 Use sysexits.h exit values to distinguish between tempfail and permfail. Unix MTAs use the exit value of the MDA (here mail.local) to determine whether or not a failure to deliver mail should be considered to be a temporary or permanent failure. OK semarie@ beck@
01c04610 2020-02-08 01:09:57 correct Research Unix edition "appeared in" use in HISTORY Starting from "Combined Table of Contents" in Doug McIlroy's "A Research UNIX Reader" a table of which edition manuals appeared in. Checked against manuals from bitsavers/TUHS and source from TUHS where available. Ingo points out there are cases where something is included but not documented until a later release. bcd(6) v6 v7 printf(3) v2 v4 abort(3) v5 v6 system(3) v6 v7 fmod(3) v5 v6 ok schwarze@
8bc1a323 2020-02-07 02:27:37 Remove backward compatibility for obsolete -H flag. The -H flag was deprecated in 1998. OK jung@
c711e483 2020-02-02 23:17:09 Allow mail.local to be run as non-root. If mail.local is invoked by a non-root user, open a pipe to lockspool(1) for file locking. It is only possible to deliver to a pre-existing mail spool when running mail.local as non-root. OK gilles@ deraadt@
0c401ffc 2020-01-26 02:19:43 Insert two nop instructions after each svc #0 instruction in userland. They will be replaced by a speculation barrier as soon as we teach the kernel to skip over these two instructions when returning from a system call. ok patrick@, deraadt@
bca58876 2020-01-15 22:06:59 Simplify globbing of ftpd(8)s list and nlst commands. Also avoid command option injection for ls(1). OK martijn@
d89a8fc2 2019-12-24 13:13:33 Merge two missed fixes from login.c to login_passwd.c. - use the correct length when checking for "-v lastchance=yes" - don't try to zero pass if it is NULL From miod@
d8f5a4ae 2019-12-21 18:56:27 Replace modular version with origin BSDi version with our updates. In 2001 login_passwd was made modular so we could use the same source for passwd and kerberos auth. Now that we no longer have kerberos integrated we can simplify login_passwd. OK deraadt@
3d8e19a1 2019-12-17 17:16:32 Eliminate failure returns from _dl_split_path(): if malloc fails just _dl_oom() Prompted by Qualys's leveraging malloc failure in _dl_split_path() to get stuff past. ok deraadt@ millert@
4b65c70c 2019-12-17 03:16:07 Don't look up env variables until we know we'll trust them. Otherwise, just delete them without looking. ok millert@
b4d71eb7 2019-12-14 15:22:48 Return BI_SILENT not BI_AUTH if the challenge service is requested. This bug was introduced in the login_passwd rewrite back in 2001. From Tom Longshine.
eee3c75f 2019-12-11 18:27:54 ld.so may fail to remove the LD_LIBRARY_PATH environment variable for set-user-ID and set-group-ID executables in low memory conditions. Reported by Qualys
f7d771ca 2019-12-09 23:15:03 When loading a library, mmap(2) may fail. Then everything gets unmapped and ld.so tries again with different random address layout. In this case, use the new libc executable address for msyscall(2), not one from the first try. Fixes sporadic bogus syscall on i386. OK deraadt@
e5659a93 2019-12-09 22:15:15 print addresses upon msyscall failure, for now
d9337de3 2019-12-07 22:57:47 Disable ltrace for objects linked with -znow, as at least on amd64, linking that was deletes the lazy relocation trampoline which ltrace currently depends on problem reported by tb@ directional feedback kettenis@ ok mpi@
93a664f2 2019-12-02 17:19:25 It is not always clear what ld.so was backed up to ld.so.backup, and better that folk doing development in here use their own cp tooling.
488dc415 2019-11-30 23:06:02 Sigh, fix i386 msyscall() case to permission the correct address range.
29ab13eb 2019-11-29 19:30:56 As additional paranoia, make a copy of system ld.so into obj/ld.so.backup We don't want to CLEANFILES this one. On occasion this comes in useful.
e5041725 2019-11-29 06:34:44 Repurpose the "syscalls must be on a writeable page" mechanism to enforce a new policy: system calls must be in pre-registered regions. We have discussed more strict checks than this, but none satisfy the cost/benefit based upon our understanding of attack methods, anyways let's see what the next iteration looks like. This is intended to harden (translation: attackers must put extra effort into attacking) against a mixture of W^X failures and JIT bugs which allow syscall misinterpretation, especially in environments with polymorphic-instruction/variable-sized instructions. It fits in a bit with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash behaviour, particularly for remote problems. Less effective once on-host since someone the libraries can be read. For static-executables the kernel registers the main program's PIE-mapped exec section valid, as well as the randomly-placed sigtramp page. For dynamic executables ELF ld.so's exec segment is also labelled valid; ld.so then has enough information to register libc's exec section as valid via call-once msyscall(2) For dynamic binaries, we continue to permit the main program exec segment because "go" (and potentially a few other applications) have embedded system calls in the main program. Hopefully at least go gets fixed soon. We declare the concept of embedded syscalls a bad idea for numerous reasons, as we notice the ecosystem has many of static-syscall-in-base-binary which are dynamically linked against libraries which in turn use libc, which contains another set of syscall stubs. We've been concerned about adding even one additional syscall entry point... but go's approach tends to double the entry-point attack surface.
This was started at a nano-hackathon in Bob Beck's basement 2 weeks ago during a long discussion with mortimer trying to hide from the SSL scream-conversations, and finished in more comfortable circumstances next to a wood-stove at Elk Lakes cabin with UVM scream-conversations. ok guenther kettenis mortimer, lots of feedback from others conversations about go with jsing tb sthen
e8e9ef5b 2019-11-28 16:57:17 Unrevert: this change was unrelated
c8754c30 2019-11-28 16:54:29 Revert yesterday's _dl_md_reloc() and _dl_md_reloc_got() changes: something's broken on at least i386.
98a91d89 2019-11-27 01:24:35 Delete now obsolete comments
29c3eac4 2019-11-27 00:58:59 unifdef: hppa does HAVE_JMPREL and does not have DT_PROCNUM
4411ad54 2019-11-27 00:11:49 armv7 and aarch64 specify GLOB_DAT as having an addend, so treat it exactly like the ABS{32,64} relocation there. noted by and ok kettenis@