IABSD.fr/src/libexec

Log

Commit Date Message
d3e0725e 2020-08-11 23:32:06 clang 10 now emits calls to __multi3 from libcompiler_rt Hints from kettenis@, ok kettenis@ deraadt@
92e19e77 2020-07-18 16:41:43 Use the same names as the 64-bit PowerPC ELF ABI for the relocations.
122a6b72 2020-07-16 21:26:18 Rewrite loop to match what is written down in the ABI document. ok drahn@
af856e3a 2020-07-16 21:18:09 Make lazy binding work. Committing on behalf of drahn@ who is a bit busy.
bdf34362 2020-07-08 10:41:38 Clarify man page OK sobrado@ jmc@
89c7f3c9 2020-06-28 20:52:05 Disable powerpc64 lazy binding, code was not for 64 bit ABI DT_PPC_GOT is not used on powerpc64, delete.
61dad853 2020-06-28 17:58:40 Powerpc64 ld.so asm code needs to conform to Powerpc64 abi, not 32bit. ok kettenis@
6a2e3db8 2020-06-25 04:00:58 PowerPC64 ld.so code. Mostly ported, code runs far enough to start first symbol string lookup. build with -gdwarf-4 to remove asm warnings. Do not bother supporting 32 bit non-pic relocations in shared libraries. (however leave the code there for now)
da07b1a3 2020-05-27 03:12:06 Remove support for world-writable mail spools. They won't work any more due to pledge restrictions so just print an error and exit if the spool is world-writable. OK beck@
e3568ce2 2020-05-15 17:25:39 Fix handling of passwd entries with an empty password. Initialize "pass" to the empty string instead of NULL, otherwise crypt_checkpass() will dereference NULL. From Yuichiro Naito via yasuoka@. OK deraadt@
c6bdb7a3 2020-05-08 11:04:50 ld.so(1) also ignores LD_LIBRARY_PATH and friends for set-group-ID executables While here, use consistent casing and don't use .Ev for set-user-ID/set-group-ID. from Miod
b3f796b2 2020-05-08 10:57:50 LD_DEBUG is ignored for set-user-ID and set-group-ID executables from Miod
fa9f1946 2020-03-27 22:17:47 Add missing space in stack smash handler error message. ok kettenis@, deraadt@
f74a2b77 2020-03-13 09:31:24 Anthony Steinhauser reports that 32-bit arm cpus have the same speculation problems as 64-bit models. To resolve the syscall speculation, as a first step "nop; nop" was added after all occurrences of the syscall ("swi 0") instruction. Then the kernel was changed to jump over the 2 extra instructions. In this final step, those pair of nops are converted into the speculation-blocking sequence ("dsb nsh; isb"). Don't try to build through these multiple steps, use a snapshot instead. Packages matching the new ABI will be out in a while... ok kettenis
ded5ef52 2020-03-13 06:38:55 Anthony Steinhauser reports that 32-bit arm cpus have the same speculation problems as 64-bit models. For the syscall instruction issue, add nop;nop after swi 0, in preparation for jumping over a speculation barrier here later. (a lonely swi 0 was hiding in __asm in this file)
f377c767 2020-03-11 12:53:19 Anthony Steinhauser reports that 32-bit arm cpus have the same speculation problems as 64-bit models. For the syscall instruction issue, add nop;nop after swi 0, in preparation for jumping over a speculation barrier here later. ok kettenis
aed6457b 2020-03-04 20:17:48 Avoid passing a NULL name to retrieve(), use "." instead. Fixes a "vfprintf %s NULL" warning in ftpd. OK deraadt@ tb@
5ecc9681 2020-02-18 12:19:11 Now that the kernel skips the two instructions immediately following a syscall, replace the double nop with a dsb nsh; isb; sequence which stops the CPU from speculating any further. This fix was suggested by Anthony Steinhauser. ok deraadt@
e1869fb3 2020-02-09 14:59:20 Use sysexits.h exit values to distinguish between tempfail and permfail. Unix MTAs use the exit value of the MDA (here mail.local) to determine whether or not a failure to deliver mail should be considered to be a temporary or permanent failure. OK semarie@ beck@
01c04610 2020-02-08 01:09:57 correct Research Unix edition "appeared in" use in HISTORY Starting from "Combined Table of Contents" in Doug McIlroy's "A Research UNIX Reader" a table of which edition manuals appeared in. Checked against manuals from bitsavers/TUHS and source from TUHS where available. Ingo points out there are cases where something is included but not documented until a later release. bcd(6) v6 v7 printf(3) v2 v4 abort(3) v5 v6 system(3) v6 v7 fmod(3) v5 v6 ok schwarze@
8bc1a323 2020-02-07 02:27:37 Remove backward compatibility for obsolete -H flag. The -H flag was deprecated in 1998. OK jung@
c711e483 2020-02-02 23:17:09 Allow mail.local to be run as non-root. If mail.local is invoked by a non-root user, open a pipe to lockspool(1) for file locking. It is only possible to deliver to a pre-existing mail spool when running mail.local as non-root. OK gilles@ deraadt@
0c401ffc 2020-01-26 02:19:43 Insert two nop instructions after each svc #0 instruction in userland. They will be replaced by a speculation barrier as soon as we teach the kernel to skip over these two instructions when returning from a system call. ok patrick@, deraadt@
bca58876 2020-01-15 22:06:59 Simplify globbing of ftpd(8)s list and nlst commands. Also avoid command option injection for ls(1). OK martijn@
d89a8fc2 2019-12-24 13:13:33 Merge two missed fixes from login.c to login_passwd.c. - use the correct length when checking for "-v lastchance=yes" - don't try to zero pass if it is NULL From miod@
d8f5a4ae 2019-12-21 18:56:27 Replace modular version with origin BSDi version with our updates. In 2001 login_passwd was made modular so we could use the same source for passwd and kerberos auth. Now that we no longer have kerberos integrated we can simplify login_passwd. OK deraadt@
3d8e19a1 2019-12-17 17:16:32 Eliminate failure returns from _dl_split_path(): if malloc fails just _dl_oom() Prompted by Qualys's leveraging malloc failure in _dl_split_path() to get stuff past. ok deraadt@ millert@
4b65c70c 2019-12-17 03:16:07 Don't look up env variables until we know we'll trust them. Otherwise, just delete them without looking. ok millert@
b4d71eb7 2019-12-14 15:22:48 Return BI_SILENT not BI_AUTH if the challenge service is requested. This bug was introduced in the login_passwd rewrite back in 2001. From Tom Longshine.
eee3c75f 2019-12-11 18:27:54 ld.so may fail to remove the LD_LIBRARY_PATH environment variable for set-user-ID and set-group-ID executables in low memory conditions. Reported by Qualys
f7d771ca 2019-12-09 23:15:03 When loading a library, mmap(2) may fail. Then everything gets unmapped and ld.so tries again with different random address layout. In this case, use the new libc executable address for msyscall(2), not one from the first try. Fixes sporadic bogus syscall on i386. OK deraadt@
e5659a93 2019-12-09 22:15:15 print addresses upon msyscall failure, for now
d9337de3 2019-12-07 22:57:47 Disable ltrace for objects linked with -znow, as at least on amd64, linking that way deletes the lazy relocation trampoline which ltrace currently depends on problem reported by tb@ directional feedback kettenis@ ok mpi@
93a664f2 2019-12-02 17:19:25 It is not always clear what ld.so was backed up to ld.so.backup, and better that folk doing development in here use their own cp tooling.
488dc415 2019-11-30 23:06:02 Sigh, fix i386 msyscall() case to permission the correct address range.
29ab13eb 2019-11-29 19:30:56 As additional paranoia, make a copy of system ld.so into obj/ld.so.backup We don't want to CLEANFILES this one. On occasion this comes in useful.
e5041725 2019-11-29 06:34:44 Repurpose the "syscalls must be on a writeable page" mechanism to enforce a new policy: system calls must be in pre-registered regions. We have discussed more strict checks than this, but none satisfy the cost/benefit based upon our understanding of attack methods, anyways let's see what the next iteration looks like. This is intended to harden (translation: attackers must put extra effort into attacking) against a mixture of W^X failures and JIT bugs which allow syscall misinterpretation, especially in environments with polymorphic-instruction/variable-sized instructions. It fits in a bit with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash behaviour, particularly for remote problems. Less effective once on-host since someone the libraries can be read. For static-executables the kernel registers the main program's PIE-mapped exec section valid, as well as the randomly-placed sigtramp page. For dynamic executables ELF ld.so's exec segment is also labelled valid; ld.so then has enough information to register libc's exec section as valid via call-once msyscall(2) For dynamic binaries, we continue to permit the main program exec segment because "go" (and potentially a few other applications) have embedded system calls in the main program. Hopefully at least go gets fixed soon. We declare the concept of embedded syscalls a bad idea for numerous reasons, as we notice the ecosystem has many of static-syscall-in-base-binary which are dynamically linked against libraries which in turn use libc, which contains another set of syscall stubs. We've been concerned about adding even one additional syscall entry point... but go's approach tends to double the entry-point attack surface.
This was started at a nano-hackathon in Bob Beck's basement 2 weeks ago during a long discussion with mortimer trying to hide from the SSL scream-conversations, and finished in more comfortable circumstances next to a wood-stove at Elk Lakes cabin with UVM scream-conversations. ok guenther kettenis mortimer, lots of feedback from others conversations about go with jsing tb sthen
e8e9ef5b 2019-11-28 16:57:17 Unrevert: this change was unrelated
c8754c30 2019-11-28 16:54:29 Revert yesterday's _dl_md_reloc() and _dl_md_reloc_got() changes: something's broken on at least i386.
98a91d89 2019-11-27 01:24:35 Delete now obsolete comments
29c3eac4 2019-11-27 00:58:59 unifdef: hppa does HAVE_JMPREL and does not have DT_PROCNUM
4411ad54 2019-11-27 00:11:49 armv7 and aarch64 specify GLOB_DAT as having an addend, so treat it exactly like the ABS{32,64} relocation there. noted by and ok kettenis@
0e51d825 2019-11-26 23:38:52 Clean up _dl_md_reloc(): instead of having tables and piles of conditionals that handle a dozen relocation types for each, just have a nice little switch for the four specific relocations that actually occur. Besides being smaller and easier to understand, this fixes the COPY relocation handling to only do one symbol lookup, instead of looking up the symbol and then immediately looking it up again (with the correct flags to find the instance it needs). ok kettenis@
51a0cd2b 2019-11-26 02:50:11 Make aarch64, amd64, arm, and i386 more like sparc64: move non-lazy relocation from _dl_md_reloc() to _dl_md_reloc_all_plt() which has the minimal code to do it. Also, avoid division on PLTRELSZ; just use it to offset to the end. ok kettenis@
b883d3d1 2019-11-10 22:21:54 Simplify the handling of the explicit relocations based on ld.so only have NONE and REL32_64 relocations w/o symbol. ok visa@
5b60b03c 2019-11-10 22:20:10 unifdef HAVE_JMPREL, delete dt_pltrelsz handling (which was only used in the HAVE_JMPREL case anyway), and reduce #includes to match boot.c ok visa@
63ffa0e7 2019-11-10 22:18:14 Recommit CHECK_LDSO bits for mips64, verified on both loongson and octeon. ok visa@
2f142762 2019-10-24 22:11:10 Delete unused support for relocations that don't require alignment. ok mpi@ kettenis@
e3b0f1d9 2019-10-23 19:55:08 Prefer the size-independent ELF identifiers over the size-specific ones. Strip superfluous parens from return statements while here. Done programmatically with two perl invocations idea ok kettenis@ drahn@ ok visa@
106b12d0 2019-10-21 02:36:43 Whoops: backout mips64+hppa CHECK_LDSO bits: they weren't done and weren't part of the review. My fail for forgetting to diff my tree against what was reviewed problem noted by deraadt@
17fa8871 2019-10-20 03:44:49 For more archs, ld.so itself only needs/uses the arch's "just add load offset" 'relative' relocation. Take advantage of that to simplify ld.so's self-reloc code: * give the exceptional archs (hppa and mips64) copies of the current boot.c as boot_md.c * teach the Makefile to use boot_md.c when present * reduce boot.c down to the minimum necessary to handle just relative reloc * teach the Makefile to fail if the built ld.so has other types of relocs ok visa@ kettenis@
d4afc0cd 2019-10-05 20:49:48 Tighten handling of pure relative DIR32 relocations and those referencing sections; despite being a RELA arch, ld.so was making assumptions about the initialization of the targeted location. Add the relative relocation optimization, handling relocations covered by the DT_RELACOUNT value in a tight loop. ok mpi@ deraadt@
d6b8755e 2019-10-05 00:08:50 Delete some obsolete debugging #ifdefs blocks ok mlarkin@, mpi@, krw@, deraadt@
d937a926 2019-10-04 17:42:16 Convert the child_list member from a linked list to a vector. ok mpi@
bae526ee 2019-10-03 06:10:53 Use a better algorithm for calculating the grpsym library order. The existing code did a full recursive walk for O(horrible). Instead, keep a single list of nodes plus the index of the first node whose children haven't been scanned; lookup until that index catches the end, appending the unscanned children of the node at the index. This also makes the grpsym list order match that calculated by FreeBSD and glibc in dependency trees with inconsistent ordering of dependent libs. To make this easier and more cache friendly, convert grpsym_list to a vector: the size is bounded by the number of objects currently loaded. Other, related fixes: * increment the grpsym generation number _after_ pushing the loading object onto its grpsym list, to avoid double counting it * increment the grpsym generation number when building the grpsym list for an already loaded object that's being dlopen()ed, to avoid incomplete grpsym lists * use a more accurate test of whether an object already has a grpsym list Prompted by a diff from Nathanael Rensen (nathanael (at) list.polymorpheus.com) that pointed to _dl_cache_grpsym_list() as a performance bottleneck. Much prodding from robert@, sthen@, aja@, jca@ no problem reports after being in snaps ok mpi@
8d5943eb 2019-09-30 03:35:09 Oops: the call to ofree() in orealloc() was misconverted into a call to _dl_free(), which would trigger a "recursive call" assertion...if we had ever realloced in ld.so ok deraadt@
1a49fa34 2019-09-28 17:30:07 Add where missing and harmonize PATH to be _PATH_DEFPATH (without local nor X11R6). Suggested by tb@ ok deraadt@ tb@ millert@
447a4a13 2019-09-02 12:43:54 Remove some duplicate symbol definitions. ok visa@ guenther@
e83568d5 2019-08-31 04:22:12 Delete the last argument to fit recent _dl_find_symbol change. ok guenther@
88157d21 2019-08-23 04:38:55 update tradcpp to 0.5.3
1a3f6550 2019-08-09 22:52:13 Use NULL for second gettimeofday(2) argument; ok deraadt@ kettenis@
5bec4ecb 2019-08-09 21:31:07 Fix pointless cast: (struct timezone *)0 -> NULL
0256fee7 2019-08-06 13:34:36 By now we are already confident that pledge(2) "just works(tm)" and that it can be used to effectively remove filesystem access. That being said, in spamd(8) when I pledge(2)d it the main priv process got "stdio inet" which means there's no fs access at all so calling chroot(2)/chdir(2) here doesn't get us any additional protection. Just remove them. OK deraadt@ and no objections from schwarze@
90273bfb 2019-08-06 04:01:41 Factor out TEXTREL mprotecting from the per-arch files into _dl_rtld(), hiding the actual grotty bits in inline functions ok mpi@
143e5acc 2019-08-04 23:51:45 Simplify _dl_find_symbol(). Currently, it returns three values: - the symbol it found, returned via the second argument - the base offset of the object it was found in, via the return value - optionally: the object it was found in, returned via the last argument Instead, return a struct with the symbol and object pointers and let the caller get the base offset from the object's obj_base member. On at least aarch64, amd64, mips64, powerpc, and sparc64, a two word struct like this is passed in registers. ok mpi@, kettenis@
715d984b 2019-08-03 19:56:40 The ABI says JUMP_SLOT relocations don't have an addend, so don't add it in ok kettenis@
8f3b0808 2019-08-03 19:36:55 Suppress DWARF2 warnings on clang archs by building with -gdwarf-4 ok deraadt@, kettenis@
75866a61 2019-07-30 13:44:00 shorten the failure message, it should not wrap a line.
49f581ec 2019-07-25 17:32:33 Fix copy pasto, re-add missing goto in error path.
4053af61 2019-07-25 14:53:21 Yet another workaround for crappy libpcap API design Add an internal version of pcap_open_live that ensures bpf(4) devices are opened read-only before locking. Neither pflogd(8) or spamlogd(8) require write access to bpf(4). Inspired by similar solution in OpenBSD tcpdump(8). pflogd(8) was safe since being unveiled last year, but spamlogd(8) was having /dev/bpf opened O_RDWR. Issue discovered by bluhm@'s unveil(2) accounting commit. ok deraadt@, mestre@ (thanks for testing spamlogd!)
fd9fa3ac 2019-07-24 18:41:05 Ever since I introduced pledge(2) on spamd(8) the chroot'ed process, if running in default, cannot get anywhere near the filesystem since its only promises are "stdio inet". Furthermore, in blacklist mode this same codepath is not chroot'ed but once again it gets the same pledge(2). Therefore we can remove the BUGS section from spamd(8)'s manpage. OK millert@ deraadt@
518321a8 2019-07-21 03:54:16 In 2004, we upgraded to binutils 2.14 which did -zcombreloc by default. In 2013, I implemented the single-entry LRU cache that gets the maximal symbol reuse from combreloc. Since then, the ld.so generic relocation symcache has been a waste of CPU and memory with 0% hit-rate, so kill it. ok mpi@
6eb4f976 2019-07-14 03:23:12 ld.so's $ORIGIN handling when argv[0] is a relative path was broken by the change in __getcwd(2)'s return value. Fix it by switching to the __realpath(2) syscall, eliminating the ld.so copy of realpath(). problem caught by regress and noted by bluhm@ ok deraadt@
515e489c 2019-07-03 03:24:01 snprintf/vsnprintf return < 0 on error, rather than -1.
395f4ca8 2019-07-01 15:58:38 Compile with -fno-jump-tables to avoid relocations in _dl_boot_bind() when building with clang. ok deraadt@, visa@
f4b4f15b 2019-07-01 15:57:34 Remove stray comma. ok deraadt@, visa@
696e08c4 2019-06-28 13:47:33 When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
df69c215 2019-06-28 13:32:41 When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
9e74ecfa 2019-06-23 18:54:24 Explicitly lock unveil. Noticed when testing the recent ps(1) commit exposing the unveil state of running processes. ok deraadt@
b6ddd2f4 2019-06-20 20:53:56 after installing new kernel, do a sync(8) to encourage lazy buffers to make it to disk (discussion with tedu)
9dfb6b44 2019-06-07 16:27:47 make gc workaround compile on non-clang
549b7b61 2019-06-04 02:35:40 Disable the unmapping of ld.so's boot data for now, as boehm-gc apparently follows some pointer into the middle of it. Best to keep things working while tracking down the wonkiness. problem noted by naddy@
de26657e 2019-05-12 23:32:42 Indentation fix
5c3b452c 2019-05-11 21:02:35 Prune visited leaves when walking dependencies to call init functions in topological sort order, reducing it to O(n) from O(2^n) (ouch!) diff from Nathanael Rensen (nathanael(at)list.polymorpheus.com) Much testing and pleading by robert@ and ajacoutot@ ok drahn@ mpi@
c0197e40 2019-05-10 13:29:21 ld.so boot cleanup support: - put functions and data which are only used before calling the executable's start function into their own page-aligned segments for unmapping (only done on amd64, arm64, armv7, powerpc, and sparc64 so far) - pass .init_array and .preinit_array functions an addition argument which is a callback to get a structure which includes a function that frees the boot text and data - sometimes delay doing RELRO processing: for a shared-object marked DF_1_INITFIRST do it after the object's .init_array, for the executable do it after the .preinit_array - improve test-ld.so to link against libpthread and trigger its initialization late libc changes to use this will come later ok kettenis@
7a7d71fb 2019-05-08 23:56:48 rm dead code and simplify ftpd_popen. this code has only called its statically linked ls_main for some time now. from Jan Klemkow ok deraadt
466246de 2019-05-08 22:15:48 On retguard systems, remove the ld.so-local stack-protector handling functions because retguard uses hard-traps instead. ok mortimer.
9542d0df 2019-05-01 14:13:12 Pull tname initialization up since it's used in an error path. Pointed out by jsg, just fix it deraadt@
9d9b0c10 2019-04-21 04:11:42 Now that all Elf_foo types are correct, we don't need to use Elf32_Word anywhere and can use Elf_Word instead. ok guenther
4e986f76 2019-04-21 03:41:13 On alpha, the buckets of DT_HASH are 8 bytes instead of 4 bytes. This was previously 'implemented' by having the Elf_Word typedef in <sys/exec_elf.h> vary, but that doesn't match the spec and breaks libelf so it's gone away. Implement the variation here by defining our own type locally for this. ok deraadt@
aadc5739 2019-04-19 08:59:40 Prevent clang from using builtins and jump tables in _dl_boot_bind() on mips64. They need relocation and consequently cannot be used in that function. OK kettenis@
87311ea8 2019-02-14 07:26:31 spelling/consistency fix; from nam nguyen
1afb3ec2 2019-02-10 21:11:42 Simplify NFS check Instead of getting all filesystems with df(1), filter /usr/share/ and check with mount(1) whether it's NFS, make df error out directly if the filesystem type matches nfs. OK sthen tb
6e31582a 2019-02-03 03:44:06 _dl_cerror is trivial on powerpc; just inline the handling into the stubs based on a diff from miod@
d7a24b57 2019-02-03 02:20:36 _dl_cerror is trivial on alpha and m88k; just inline the handling into the stubs noted by miod@
c00e8a00 2019-01-25 18:13:13 On i386, ensure that the first PT_LOAD segment is below the W^X line unless it is writable. lld places read-only sections below the gap so this is needed to be able to retain W^X with lld. Note however the read-only sections below the W^X line are now executable on pre-NX machines and a possible source of gadgets. This is a change from Gnu ld where RO sections were ordered above the W^X line and not executable. okay drahn@ kettenis@ deraadt@
bf198cc6 2019-01-25 00:19:25 I am retiring my old email address; replace it with my OpenBSD one.
89807220 2018-12-11 18:19:55 Flip snprintf(3) error check to align it with the man page example. No functional change. suggested by tb@; from Jan Klemkow
83b130e1 2018-12-11 18:03:11 Convert some variables with non-negative values to unsigned type to avoid comparison of integers of different signs. from Jan Klemkow; OK tb@
522be859 2018-12-05 04:28:32 Delete an unused struct member that has hid out here for 17 years