1. 15 Oct, 2012 3 commits
    • block uid/gid changes during posix_spawn · d5304147
      Rich Felker committed
      usage of vfork creates a situation where a process of lower privilege
      may momentarily have write access to the memory of a process of higher
      privilege.
      
      consider the case of a multi-threaded suid program which is calling
      posix_spawn in one thread while another thread drops the elevated
      privileges then runs untrusted (relative to the elevated privilege)
      code as the original invoking user. this untrusted code can then
      potentially modify the data the child process will use before calling
      exec, for example changing the pathname or arguments that will be
      passed to exec.
      
      note that if vfork is implemented as fork, the lock will not be held
      until the child execs, but since memory is not shared it does not
      matter.
    • fix overlap of thread stacks with thread tls segments · 42c36f95
      Rich Felker committed
    • fix main program TLS alignment for dynamic-linked programs · c62b9f39
      Rich Felker committed
      this change brings the behavior in line with the static-linked code,
      which seems to be correct.
  2. 14 Oct, 2012 4 commits
    • workaround broken hidden-visibility handling in pcc · 36be5284
      Rich Felker committed
      with this change, pcc-built musl libc.so seems to work correctly. the
      problem is that pcc generates GOT lookups for external-linkage symbols
      even if they are hidden, rather than using GOT-relative addressing.
      the entire reason we're using hidden visibility on the __libc object
      is to make it accessible prior to relocations -- not to mention
      inexpensive to access. unfortunately, the workaround makes it even
      more expensive on pcc.
      
      when the pcc issue is fixed, an appropriate version test should be
      added so new pcc can use the much more efficient variant.
    • ensure pointer decay in inline-asm arg for i386 syscall6 · 185a9770
      Rich Felker committed
      this is actually a rather subtle issue: do arrays decay to pointers
      when used as inline asm args? gcc says yes, but currently pcc says no.
      hopefully this discrepancy in pcc will be fixed, but since the
      behavior is not clearly defined anywhere I can find, I'm using an
      explicit operation to cause the decay to occur.
    • fix namespace clash (libc) in dynlink.c · e23d358f
      Rich Felker committed
      this makes it so the #undef libc and __libc name are no longer needed,
      which were problematic because the "accessor function" mode for
      accessing the libc struct could not be used, breaking build on any
      compiler without (working) visibility.
    • remove dead code from dynamic linker · 31f340a1
      Rich Felker committed
  3. 12 Oct, 2012 3 commits
  4. 08 Oct, 2012 3 commits
    • f2b1f1af
    • clean up and refactor program initialization · 0a96a37f
      Rich Felker committed
      the code in __libc_start_main is now responsible for parsing auxv,
      rather than duplicating the parsing all over the place. this should
      shave off a few cycles and some code size. __init_libc is left as an
      external-linkage function despite the fact that it could be static, to
      prevent it from being inlined and permanently wasting stack space when
      main is called.
      
      a few other minor changes are included, like eliminating per-thread
      ssp canaries (they were likely broken when combined with certain
      dlopen usages, and completely unnecessary) and some other unnecessary
      checks. since this code gets linked into every program, it should be
      as small and simple as possible.
    • fix breakage due to initializing thread pointer when loading libs · 017bf140
      Rich Felker committed
      at initial program load, all libraries must be loaded before the
      thread pointer can be set up, since the TP-relative addresses of all
      initial TLS objects must be constant.
  5. 07 Oct, 2012 3 commits
  6. 06 Oct, 2012 4 commits
    • fix symbol acceptance/rejection rules for TLS · bd17431a
      Rich Felker committed
      symbol value of 0 is not "undefined" for TLS; it's the address of the
      first symbol in the TLS segment. however, non-definition TLS
      references also have values of 0, so check the section.
      
      hopefully the new logic is more clear, too.
    • TLS fixes, mainly alignment handling · cf3fd3d0
      Rich Felker committed
      compute offsets from the thread pointer statically when loading the
      library, rather than repeating the logic on each thread creation. not
      only is the latter less efficient at runtime; it also fails to provide
      solid guarantees that the offsets will remain the same when the
      initial alignment of memory is different. the new alignment handling
      is both more rigorous and simpler.
      
      the old code was also clobbering TLS bss with random image data in
      some cases due to using tls_size (size of TLS segment) instead of
      tls_len (length of the TLS data image).
    • fix/improve shared library ctor/dtor handling, allow recursive dlopen · f4f77c06
      Rich Felker committed
      some libraries call dlopen from their constructors, resulting in
      recursive calls to dlopen. previously, this resulted in deadlock. I'm
      now unlocking the dlopen lock before running constructors (this is
      especially important since the lock also blocked pthread_create and
      was being held while application code runs!) and using a separate
      recursive mutex protecting the ctor/dtor state instead.
      
      in order to prevent the same ctor from being called more than once, a
      module is considered "constructed" just before the ctor runs.
      
      also, switch from using atexit to register each dtor to using a single
      atexit call to register the dynamic linker's dtor processing as just
      one handler. this is necessary because atexit performs allocation and
      may fail, but the library has already been loaded and cannot be
      backed-out at the time dtor registration is performed. this change
      also ensures that all dtors run after all atexit functions, rather
      than in mixed order.
    • small dynamic linker module search fix · 5f88c0ed
      Rich Felker committed
      libraries loaded more than once by pathname should not get shortnames
      that would cause them to later be used to satisfy non-pathname load
      requests.
  7. 05 Oct, 2012 8 commits
    • support for TLS in dynamic-loaded (dlopen) modules · dcd60371
      Rich Felker committed
      unlike other implementations, this one reserves memory for new TLS in
      all pre-existing threads at dlopen-time, and dlopen will fail with no
      resources consumed and no new libraries loaded if memory is not
      available. memory is not immediately distributed to running threads;
      that would be too complex and too costly. instead, assurances are made
      that threads needing the new TLS can obtain it in an async-signal-safe
      way from a buffer belonging to the dynamic linker/new module (via
      atomic fetch-and-add based allocator).
      
      I've re-appropriated the lock that was previously used for __synccall
      (synchronizing set*id() syscalls between threads) as a general
      pthread_create lock. it's a "backwards" rwlock where the "read"
      operation is safe atomic modification of the live thread count, which
      multiple threads can perform at the same time, and the "write"
      operation is making sure the count does not increase during an
      operation that depends on it remaining bounded (__synccall or dlopen).
      in static-linked programs that don't use __synccall, this lock is a
      no-op and has no cost.
    • fix race condition in dlopen · 642b7593
      Rich Felker committed
      orig_tail was being saved before the lock was obtained, allowing
      dlopen failure to roll-back other dlopens that had succeeded.
    • fix incorrect TLS reloc macro names in x86_64 reloc.h · 99a2af6f
      Rich Felker committed
    • dynamic-linked TLS support for everything but dlopen'd libs · 9c74856a
      Rich Felker committed
      currently, only i386 is tested. x86_64 and arm should probably work.
      the necessary relocation types for mips and microblaze have not been
      added because I don't understand how they're supposed to work, and I'm
      not even sure if it's defined yet on microblaze. I may be able to
      reverse engineer the requirements out of gcc/binutils output.
    • remove freeing of dynamic linker data when dlopen/dlsym are not used · c91aa03d
      Rich Felker committed
      this was an optimization to save/recover a minimal amount of extra
      memory for use by malloc, that's becoming increasingly costly to keep
      around. freeing this data:
      
      1. breaks debugging with gdb (it can't find library symbols)
      2. breaks thread-local storage in shared libraries
      
      it would be possible to disable freeing when TLS is used, but in
      addition to the above breakages, tracking whether dlopen/dlsym is used
      adds a cost to every symbol lookup, possibly making program startup
      slower for large programs. combined with the complexity, it's not
      worth it. we already save/recover plenty of memory in the dynamic
      linker with reclaim_gaps.
    • beginnings of full TLS support in shared libraries · 9b153c04
      Rich Felker committed
      this code will not work yet because the necessary relocations are not
      supported, and cannot be supported without some internal changes to
      how relocation processing works (coming soon).
    • partial TLS support for dynamic-linked programs · bc6a35fb
      Rich Felker committed
      only TLS in the main program is supported so far; TLS defined in
      shared libraries will not work yet.
    • TLS (GNU/C11 thread-local storage) support for static-linked programs · 8431d797
      Rich Felker committed
      the design for TLS in dynamic-linked programs is mostly complete too,
      but I have not yet implemented it. cost is nonzero but still low for
      programs which do not use TLS and/or do not use threads (a few hundred
      bytes of new code, plus dependency on memcpy). I believe it can be
      made smaller at some point by merging __init_tls and __init_security
      into __libc_start_main and avoiding duplicate auxv-parsing code.
      
      at the same time, I've also slightly changed the logic pthread_create
      uses to allocate guard pages to ensure that guard pages are not
      counted towards commit charge.
  8. 03 Oct, 2012 1 commit
    • tell the assembler to mark all files as not requiring executable stack · adefe830
      Rich Felker committed
      for some reason this option is undocumented. not sure when it was
      added, so I'm using a configure test. gcc was already setting the mark
      correctly for C files, but assembler source files would need ugly
      .note boilerplate in every single file to achieve this without the
      option to the assembler.
      
      blame whoever thought it would be a good idea to make the stack
      executable by default rather than doing it the other way around...
  9. 01 Oct, 2012 4 commits
    • add getopt reset support · 030e5263
      Rich Felker committed
      based on proposed patches by Daniel Cegiełka, with minor changes:
      - use a weak symbol for optreset so it doesn't clash with namespace
      - also reset optpos (position in multi-option arg like -lR)
      - also make getopt_long support reset
    • protect sem_open against cancellation · e44849f5
      Rich Felker committed
      also fix one minor bug: failure to free the early-reserved slot when
      the semaphore is later found to already be mapped.
    • overhaul sem_open · bf258341
      Rich Felker committed
      this function was overly complicated and not even obviously correct.
      avoid using openat/linkat just like in shm_open, and instead expand
      pathname using code shared with shm_open. remove bogus (and dangerous,
      with priorities) use of spinlocks.
      
      this commit also heavily streamlines the code and ensures there are no
      failure cases that can happen after a new semaphore has been created
      in the filesystem, since that case is unreportable.
    • clean up, bugfixes, and general improvement for shm_open/shm_unlink · 6e2372a8
      Rich Felker committed
      1. don't make non-cloexec file descriptors
      2. cancellation safety (cleanup handlers were missing, now unneeded)
      3. share name validation/mapping code between open/unlink functions
      4. avoid wasteful/slow syscalls
  10. 30 Sep, 2012 7 commits