Ben Hutchings [Sun, 2 Oct 2022 01:09:49 +0000 (02:09 +0100)]
klibc (2.0.11-1) unstable; urgency=medium
* New upstream version:
- Kbuild: Properly disable executable stacks in static builds
(Closes: #1020883)
- fcntl: Fix build failure for some architectures with Linux 5.19
(fixes FTBFS on several architectures)
[ Debian Janitor ]
* Remove constraints unnecessary since buster:
+ klibc-utils: Drop versioned constraint on initramfs-tools in Breaks.
[ Ben Hutchings ]
* lintian: Update override in libklibc for lintian 2.115
In an out-of-tree build we currently only install the kernel UAPI
headers and the generated <klibc/havesyscall.h>. Add an extra
command to copy headers from the source tree in an out-of-tree
build.
References: https://bugs.debian.org/1004465
Reported-by: Thorsten Glaser <tg@mirbsd.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name 0001-klibc-Fix-header-installation-from-out-of-tree-build.patch
This was not correctly initializing the timespec array before passing it
on to utimensat.
Tested: Built cpio and extracted an image with `cpio -im` to preserve
mtime. The calls to utime now pass through the correct timestamps.
Signed-off-by: Benjamin Gwin <bgwin@google.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name klibc-fix-implementation-of-utimes.patch
Save and restore the signal mask only if that argument is nonzero,
as required by the standards. (Closes: Debian #988027)
Signed-off-by: mirabilos <tg@debian.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name sig-set-long-jmp-do-not-ignore-sigsetjmp-s-second-ar.patch
Ben Hutchings [Sun, 26 Dec 2021 23:17:05 +0000 (23:17 +0000)]
klibc (2.0.9-1) unstable; urgency=medium
* New upstream version
* armhf: Update compiler options for gcc 11 (Closes: #996906)
* sig{set,long}jmp: do not ignore sigsetjmp's second argument
(Closes: #988027)
* Fix implementation of utimes
copyin_link() tries to allocate (unsigned int)c_filesize + 1 bytes.
If c_filesize == UINT_MAX, this works out as 0 bytes, resulting in a
null pointer and a subsequent SIGSEGV.
The previous commit made this impossible on 32-bit systems.
CVE-2021-31871
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name 0040-klibc-cpio-Fix-possible-crash-on-64-bit-systems.patch
The maximum name and file sizes in the "new" header format are 32-bit
unsigned values. However, the I/O functions mostly use long for sizes
and offsets, so that sizes >= 2^31 are handled wrongly on 32-bit
systems.
The current GNU cpio code doesn't seem to have this problem, but the
divergence between this version and that is large enough that I can't
simply cherry-pick a fix for it.
As a short-term fix, in read_in_new_ascii(), fail if c_namesize or
c_filesize is > LONG_MAX.
CVE-2021-31872
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name 0039-klibc-cpio-Fix-possible-integer-overflow-on-32-bit-s.patch
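The two cpio size problems described in the commit messages above, as an added example that is not klibc's or GNU cpio's code. The function names, the `max_long` parameter (a stand-in for the target's LONG_MAX so the 32-bit case runs on any host) and the sample header are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NEWC_HDR_LEN      110           /* 6-byte magic + 13 fields of 8 hex digits */
#define NEWC_FILESIZE_OFF (6 + 6 * 8)   /* c_filesize is field 6 */
#define NEWC_NAMESIZE_OFF (6 + 11 * 8)  /* c_namesize is field 11 */

/* Parse exactly 8 hex digits into a 32-bit value; 0 on success, -1 on a bad digit. */
static int hex8(const char *p, uint32_t *out)
{
    uint32_t v = 0;
    for (int i = 0; i < 8; i++) {
        char c = p[i];
        uint32_t d;
        if (c >= '0' && c <= '9') d = (uint32_t)(c - '0');
        else if (c >= 'a' && c <= 'f') d = (uint32_t)(c - 'a' + 10);
        else if (c >= 'A' && c <= 'F') d = (uint32_t)(c - 'A' + 10);
        else return -1;
        v = (v << 4) | d;
    }
    *out = v;
    return 0;
}

/* max_long stands in for the target's LONG_MAX so both word sizes run on any host. */
int newc_read_sizes(const char *hdr, size_t len, uint64_t max_long,
                    uint32_t *namesize, uint32_t *filesize)
{
    if (len < NEWC_HDR_LEN || memcmp(hdr, "070701", 6) != 0) return -1;
    if (hex8(hdr + NEWC_NAMESIZE_OFF, namesize) || hex8(hdr + NEWC_FILESIZE_OFF, filesize)) return -1;
    if (*namesize > max_long || *filesize > max_long) return -1;  /* not a valid long */
    return 0;
}

/* Allocation size as described for copyin_link(): wraps to 0 for UINT_MAX. */
unsigned int link_alloc_wrapping(uint32_t filesize) { return (unsigned int)filesize + 1; }

/* Same size computed in size_t, refusing the case where the +1 cannot fit. */
int link_alloc_checked(uint32_t filesize, size_t *out)
{
    if (filesize >= SIZE_MAX) return -1;
    *out = (size_t)filesize + 1;
    return 0;
}

/* Constructed sample: a symlink entry header with chosen size fields. */
void newc_make_header(char buf[NEWC_HDR_LEN + 1], uint32_t namesize, uint32_t filesize)
{
    snprintf(buf, NEWC_HDR_LEN + 1,
             "070701%08X%08X%08X%08X%08X%08X%08X%08X%08X%08X%08X%08X%08X",
             1u, 0120777u, 0u, 0u, 1u, 0u, (unsigned)filesize, 0u, 0u, 0u, 0u, (unsigned)namesize, 0u);
}

int main(void)
{
    char h[NEWC_HDR_LEN + 1];
    uint32_t ns = 0, fs = 0;
    newc_make_header(h, 5, 0xFFFFFFFFu);  /* constructed hostile c_filesize */
    int r32 = newc_read_sizes(h, NEWC_HDR_LEN, INT32_MAX, &ns, &fs);
    int r64 = newc_read_sizes(h, NEWC_HDR_LEN, INT64_MAX, &ns, &fs);
    printf("32-bit long: %d, 64-bit long: %d, wrapped size: %u\n", r32, r64, link_alloc_wrapping(fs));
    return 0;
}
```

With a 32-bit `long` the header is rejected at parse time; with a 64-bit `long` it is accepted, which is why the allocation size needs its own check there.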
calloc() multiplies its 2 arguments together and passes the result to
malloc(). Since the factors and product both have type size_t, this
can result in an integer overflow and subsequent buffer overflow.
Check for this and fail if it happens.
CVE-2021-31870
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name 0037-klibc-calloc-Fail-if-multiplication-overflows.patch
malloc() adds some overhead to the requested size, which may result in
an integer overflow and subsequent buffer overflow if it is close to
SIZE_MAX. It should fail if size is large enough for this to happen.
Further, it's not legal for a C object to be larger than
PTRDIFF_MAX (half of SIZE_MAX) as pointer arithmetic within it could
overflow. So return failure immediately if size is greater than that.
CVE-2021-31873
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name 0036-klibc-malloc-Fail-if-requested-size-PTRDIFF_MAX.patch
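The overflow checks described in the calloc and malloc commit messages above, as an added example that is not klibc's implementation. It wraps the host `malloc()`; `HDR_OVERHEAD` and all function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_OVERHEAD 32   /* assumed per-block bookkeeping size, for illustration only */

/* Unchecked arithmetic as the commit messages describe it: both results can wrap. */
size_t unchecked_request(size_t size)               { return size + HDR_OVERHEAD; }
size_t unchecked_product(size_t nmemb, size_t size) { return nmemb * size; }

/* malloc wrapper: refuse anything larger than PTRDIFF_MAX, so adding a small
 * overhead to an accepted size can no longer wrap around SIZE_MAX. */
void *checked_malloc(size_t size)
{
    if (size > PTRDIFF_MAX) {
        errno = ENOMEM;
        return NULL;
    }
    return malloc(size);
}

/* calloc wrapper: detect nmemb * size overflow by division before multiplying. */
void *checked_calloc(size_t nmemb, size_t size)
{
    if (size != 0 && nmemb > SIZE_MAX / size) {
        errno = ENOMEM;
        return NULL;
    }
    size_t total = nmemb * size;
    void *p = checked_malloc(total);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

int main(void)
{
    /* A request near SIZE_MAX turns into a tiny allocation once overhead is added. */
    printf("unchecked request: %zu\n", unchecked_request(SIZE_MAX - 8));
    /* Two factors whose product is 2^N wrap to a zero-byte allocation. */
    printf("unchecked product: %zu\n", unchecked_product(SIZE_MAX / 2 + 1, 2));
    printf("checked_malloc:    %p\n", checked_malloc((size_t)PTRDIFF_MAX + 1));
    printf("checked_calloc:    %p\n", checked_calloc(SIZE_MAX / 2 + 1, 2));
    return 0;
}
```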
sparc allows specifying a signal restorer in the usual way. We
should do this to avoid needing an executable stack.
* Define a __sigreturn() routine that calls rt_sigreturn
* Force the SA_RESTORER flag on for all signal handlers, and set
__sigreturn as the restorer if none is already set
* Force the SA_SIGINFO flag on for all signal handlers, so that we can
always return from them with rt_sigreturn
* Set KLIBCEXECSTACK=n
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name 0005-klibc-sparc-Set-sa_restorer-for-signals-and-disable-.patch
alpha does not support the SA_RESTORER flag, but allows specifying a
restorer callback as an additional parameter to rt_sigaction(). We
should do this to avoid needing an executable stack.
* Force the SA_SIGINFO flag on for all signal handlers, so that we can
always return from them with rt_sigreturn
* Define a __sigreturn() routine that calls rt_sigreturn
* Pass that routine as the last argument to rt_sigaction()
* Set KLIBCEXECSTACK=n
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name 0004-klibc-alpha-Pass-restorer-to-rt_sigaction-and-disabl.patch
s390 allows specifying a signal restorer in the usual way. We
should do this to avoid needing an executable stack.
* Define a __sigreturn() routine that calls rt_sigreturn
* Force the SA_RESTORER flag on for all signal handlers, and set
__sigreturn as the restorer if none is already set
* Force the SA_SIGINFO flag on for all signal handlers, so that we can
always return from them with rt_sigreturn
* Set KLIBCEXECSTACK=n
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name 0003-klibc-s390-Set-sa_restorer-for-signals-and-disable-e.patch
On alpha, arm, i386, m68k, powerpc, s390, sh, and sparc (32-bit), the
kernel sets up the signal stack frame differently depending on the
SA_SIGINFO flag, not whether the sigaction() or rt_sigaction() system
call was used to install the handler.
On alpha and sparc, we are going to start providing our own restorer
that will call rt_sigaction(), so will need to ensure this flag is
always set.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name 0002-klibc-signal-Add-sysconfig-setting-to-force-SA_SIGIN.patch
Ben Hutchings [Fri, 30 Apr 2021 01:05:23 +0000 (02:05 +0100)]
klibc (2.0.8-6) unstable; urgency=medium
* Upload to unstable
* malloc: Set errno on failure
* malloc: Fail if requested size > PTRDIFF_MAX (CVE-2021-31873)
* calloc: Fail if multiplication overflows (CVE-2021-31870)
* cpio: Fix possible integer overflow on 32-bit systems (CVE-2021-31872)
* cpio: Fix possible crash on 64-bit systems (CVE-2021-31871)
Ben Hutchings [Fri, 21 Aug 2020 00:34:13 +0000 (01:34 +0100)]
klibc (2.0.8-1) unstable; urgency=medium
[ Ben Hutchings ]
* New upstream version:
- ipconfig: Ignore NTP server address and any additional fields
(Closes: #931416)
- Kbuild: Add "-fcommon" for clang builds (Closes: #957405)
- Kbuild: Add a per-architecture option to disable executable stacks
- arch: Explicitly disable or enable executable stacks (Closes: #959070)
* debian/control: Use my debian.org email in Uploaders field
* Use debhelper compatibility level 12:
- Build-Depend on debhelper-compat and remove debian/compat
- debian/klibc-utils.triggers: Delete as redundant
* debian/rules: Really disable stripping libc.so in libklibc-dev
[ Debian Janitor ]
* Trim trailing whitespace.
* Set upstream metadata fields: Repository.
Ben Hutchings [Mon, 7 Oct 2019 19:39:46 +0000 (20:39 +0100)]
fstype: Drop obsolete support for "ext4dev"
This is obsolete since Linux 2.6.28, and it's now causing problems for
people using compressed modules because we don't recognise the ext4
module with a .gz or .xz extension.
Reported-by: Greg Edwards <gedwards@ddn.com>
References: https://bugs.debian.org/932926
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name klibc-fstype-drop-obsolete-support-for-ext4dev.patch
Ben Hutchings [Tue, 8 Oct 2019 01:14:11 +0000 (02:14 +0100)]
klibc (2.0.7-1) unstable; urgency=medium
[ Ben Hutchings ]
* New upstream version:
- klcc: Enable stripping even if CONFIG_DEBUG_INFO is enabled
- run-init: Allow the initramfs to be persisted across root changes
(thanks to Matthew Garrett)
- ipconfig: Implement support -d ...:dns0:dns1 options (Closes: #931416)
- Kbuild: Work around broken "ar s" in binutils 2.32 (see #941921)
* debian/rules: Reorganise make flags variables
* debian/rules: Define ARCH for klibc, for all architectures
* debian/rules: Delete redundant architecture mappings
* debian/rules: Delete redundant export
* klibc-utils: Trigger update-initramfs on install/upgrade
* initramfs-tools: Don't install commands that already exist in /sbin
* initramfs-tools: Exclude kinit and zcat commands earlier
* initramfs-tools: Exclude gzip command
* Drop "resume: Backward compatibility for resume_offset", which will
not be needed in the next release
* [klibc] fstype: Drop obsolete support for "ext4dev" (Closes: #932926)
* debian/control: Set Maintainer to Debian Kernel Team; move maks to
Uploaders
[ James Clarke ]
* debian/control: Restrict m4 build dependency to just sparc
[ Helmut Grohne ]
* Honour DEB_BUILD_OPTIONS=nocheck. (Closes: #922814)
Ben Hutchings [Thu, 19 Jul 2018 20:34:08 +0000 (21:34 +0100)]
resume: Backward compatibility for resume_offset
In Debian we will need to maintain backward compatibility with Linux
4.9 at least until after the "buster" release. Therefore we need to
accept that /sys/power/resume_offset might not exist.
If we can't open that file because it doesn't exist, we should check
whether the offset we are trying to set is the offset that the kernel
would use anyway. In that case, continue.
Gbp-Pq: Name resume-backward-compatibility-for-resume_offset.patch
Ben Hutchings [Fri, 1 Feb 2019 05:00:57 +0000 (05:00 +0000)]
klibc (2.0.6-1) unstable; urgency=medium
* New upstream version:
- ia64: Fix shared build (thanks to James Clarke)
- Drop nearly all patches, which are either included or obsoleted
* debian/control: Change Architecture of all packages to linux-any
* debian/control: Mark libklibc as M-A: same (suggested by Matthias Klose)
* debian/control: Mark klibc-utils as M-A: foreign
* initramfs-tools: Remove checks for shell installed as "sh.shared"
* debian/rules: Change override_dh_auto_test rule to actually run tests
Ben Hutchings [Sun, 6 Jan 2019 03:44:40 +0000 (03:44 +0000)]
Disable PIE
We link all executables as non-relocatable, so it makes no sense to
generate PIE code. In addition, PIE code on i386 requires a working
GOT which we don't generate.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name disable-pie.patch
Ben Hutchings [Sun, 6 Jan 2019 03:19:51 +0000 (03:19 +0000)]
i386: Use -Ttext-segment to avoid address collision
Building klibc for i386 with binutils 2.31 adds an extra
.note.gnu.property section to klibc.so, the address of which is not
affected by the -Ttext option. Loading a klibc executable then
fails with the following kernel log message:
9409 (sh.shared): Uhuuh, elf segment at 0000000000600000 requested but the memory is mapped already
I don't exactly see why this is happening, but it is triggered by the
new section and the collision can be avoided by passing -Ttext-segment
instead of -Ttext, similarly to x86_64.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name i386-use-ttext-segment-to-avoid-address-collision.patch
James Clarke [Wed, 18 Jul 2018 21:30:42 +0000 (22:30 +0100)]
Fix sparc assembly when compiled as PIC
Some distributions default to PIE for their compilers, which on sparc is passed
on to the assembler. Since the behaviour of %hi/%lo changes under PIC to become
GOT offsets, the current assembly files need adapting to not try to use a GOT
offset as an absolute address.
Ben Hutchings [Tue, 17 Jul 2018 01:55:19 +0000 (02:55 +0100)]
Add RISC-V (RV64) port
RISC-V is pretty boring. I've cribbed most of this from the MIPS and
AArch64 ports.
I ran into difficulty with initialisation of the gp register, which I
think has to be process-global - the psABI says that signal handlers
can rely on it, and they could come from any module. This means that
klibc.so and the executable using it need to agree on a single value.
Currently they don't, and this causes gp-relative addressing to go
wrong.
gp-relative addressing is introduced by "relaxation" in the linker,
so I've disabled that for now.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name add-riscv-rv64-port.patch
Ben Hutchings [Mon, 16 Jul 2018 17:24:08 +0000 (18:24 +0100)]
rename, renameat: Use renameat2() system call
New architectures only define the renameat2() system call, which was
added in Linux 3.15. Define rename() and renameat() as wrappers for
it if necessary.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name rename-renameat-use-rename2-system-call.patch
Ben Hutchings [Sat, 5 Jan 2019 20:59:33 +0000 (20:59 +0000)]
x86_64: Use -Ttext-segment to avoid address collision
Building klibc for x86_64 with binutils 2.31 adds an extra
.note.gnu.property section to klibc.so, the address of which is not
affected by the -Ttext option. Loading a klibc executable then
fails with the following kernel log message:
9409 (sh.shared): Uhuuh, elf segment at 0000000000200000 requested but the memory is mapped already
I don't exactly see why this is happening, but it is triggered by the
new section and the collision can be avoided by passing -Ttext-segment
instead of -Ttext. A similar change was applied to MIPS recently.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name x86_64-use-ttext-segment-to-avoid-address-collision.patch
The .text and .rodata sections have each been padded to the specified
maximum page size of 1 MB, causing the following sections to overlap
the executable.
This causes all klibc executables to crash immediately.
Since there's no architectural page size between 4 KB and 2 MB, set
max-page-size to 4 KB.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name x86_64-reduce-ld-max-page-size-option-again.patch
James Cowgill [Fri, 2 Mar 2018 14:48:21 +0000 (14:48 +0000)]
mips64: compile with -mno-abicalls
By default, the MIPS toolchain compiles all code as PIC. Since klibc
links everything at static addresses, we don't need PIC code so use
-mno-abicalls to disable it. To fix subsequent link errors, use
-Ttext-segment to adjust the base address of klibc to a more sensible
location.
This fixes a bug in the shared library form of klibc where programs
would segfault in the syscall handler because we tried to store into the
"errno" variable without setting up the gp register. This is only required
under the PIC ABI.
Signed-off-by: James Cowgill <james.cowgill@mips.com>
Gbp-Pq: Name mips64-compile-with-mno-abicalls.patch
Benjamin Drung [Wed, 13 Jun 2018 09:48:39 +0000 (11:48 +0200)]
mount_main: Fix empty string check
gcc 7.3.0 complains:
```
usr/utils/mount_main.c: In function ‘print_mount’:
usr/utils/mount_main.c:46:46: warning: comparison between pointer and zero character constant [-Wpointer-compare]
if (mnt->mnt_type != NULL && mnt->mnt_type != '\0')
^~
usr/utils/mount_main.c:46:32: note: did you mean to dereference the pointer?
if (mnt->mnt_type != NULL && mnt->mnt_type != '\0')
^
usr/utils/mount_main.c:48:46: warning: comparison between pointer and zero character constant [-Wpointer-compare]
if (mnt->mnt_opts != NULL && mnt->mnt_opts != '\0')
^~
usr/utils/mount_main.c:48:32: note: did you mean to dereference the pointer?
if (mnt->mnt_opts != NULL && mnt->mnt_opts != '\0')
^
```
Gbp-Pq: Name mount_main-Fix-empty-string-check.patch
H. Peter Anvin [Wed, 6 Jan 2016 02:31:40 +0000 (18:31 -0800)]
Add accept4(), handle fallback from accept() to accept4()
Add support for the accept4() system call.
Some architectures now have accept4() but not accept(), so introduce a
standard fallback. However, since accept() is a socketcall, we have
to do some special hacks.
While we are at it, handle conditional socketcall stubs based on
their existence in <linux/net.h>, analogous to <asm/unistd.h>.
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Gbp-Pq: Name klibc-add-accept4-handle-fallback-from-accept-to-acc.patch
H. Peter Anvin [Wed, 6 Jan 2016 00:43:50 +0000 (16:43 -0800)]
i386: remove special handling of socketcall
As of kernel 4.3, i386 now has direct system calls for sockets, so
drop the special handling for i386 socketcall. If built on older
kernels, it will still generate socketcall stubs although they will be
less efficient.
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
[bwh: Backported to 2.0.4: adjust context]
Gbp-Pq: Name klibc-i386-remove-special-handling-of-socketcall.patch