|  | Commit message (Collapse) | Author | Age | Files | Lines | 
|---|
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Move all runtime options into a structure that is made read-only
(via mprotect) after initialisation to protect against attacks that
overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(),
thereby giving it an unpredictable address. Place a PROT_NONE guard
page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when
in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar
ok otto | 
| | 
| 
| 
| | as static const | 
| | |  | 
| | 
| 
| 
| 
| | the page as possible (i.e. make malloc option P a default).
ok art@ millert@ krw@ | 
| | 
| 
| 
| 
| | a page to 0. P default will be changed in a separate commit.
ok millert@ art@ krw@ | 
| | 
| 
| 
| 
| | a separate symbolic constant for the leeway we allow when moving
allocations towards the end of a page. No functional change. | 
| | |  | 
| | 
| 
| 
| 
| 
| | (might catch errors closer to the trouble spot) and junk fill pages just
before reuse instead of immediate (we can't access the page anyway)
since we set PROT_NONE in the F case. ok djm@ | 
| | 
| 
| 
| | ok jmc@ | 
| | |  | 
| | 
| 
| 
| | tried and how many actually succeeded. | 
| | |  | 
| | 
| 
| 
| | threaded case) but much smaller working set; prompted by and ok deraadt@ | 
| | 
| 
| 
| 
| | non-syscalls, there's just too much code not doing the right thing on
error paths; prompted by and ok deraadt@ | 
| | 
| 
| 
| 
| | mapping the region next to the existing one first; there's a pretty
high chance there's a hole there we can use; ok deraadt@ tedu@ | 
| | 
| 
| 
| | too much pressure on the amaps. ok tedu@ deraadt@ | 
| | |  | 
| | 
| 
| 
| | from Thomas Pfaff.  ok millert@ | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | - provide proper dtoa locks
- use the real strtof implementation
- add strtold, __hdtoa, __hldtoa
- add %a/%A support
- don't lose precision in printf, don't round to double anymore
- implement extended-precision versions of libc functions: fpclassify,
isnan, isinf, signbit, isnormal, isfinite, now that the ieee.h is
fixed
- separate vax versions of strtof, and __hdtoa
- add complex math support.  added functions: cacos, casin, catan,
ccos, csin, ctan, cacosh, casinh, catanh, ccosh, csinh, ctanh, cexp,
clog, cabs, cpow, csqrt, carg, cimag, conj, cproj, creal, cacosf,
casinf, catanf, ccosf, csinf, ctanf, cacoshf, casinhf, catanhf,
ccoshf, csinhf, ctanhf, cexpf, clogf, cabsf, cpowf, csqrtf, cargf,
cimagf, conjf, cprojf, crealf
- add fdim, fmax, fmin
- add log2. (adapted implementation e_log.c.  could be more acruate
& faster, but it's good enough for now)
- remove wrappers & cruft in libm, supposed to work-around mistakes
in SVID, etc.;  use ieee versions.  fixes issues in python 2.6 for
djm@
- make _digittoint static
- proper definitions for i386, and amd64 in ieee.h
- sh, powerpc don't really have extended-precision
- add missing definitions for mips64 (quad), m{6,8}k (96-bit) float.h
for LDBL_*
- merge lead to frac for m{6,8}k, for gdtoa to work properly
- add FRAC*BITS & EXT_TO_ARRAY32 definitions in ieee.h, for hdtoa&ldtoa
to use
- add EXT_IMPLICIT_NBIT definition, which indicates implicit
normalization bit
- add regression tests for libc: fpclassify and printf
- arith.h & gd_qnan.h definitions
- update ieee.h: hppa doesn't have quad-precision, hppa64 does
- add missing prototypes to gdtoaimp
- on 64-bit platforms make sure gdtoa doesn't use a long when it
really wants an int
- etc., what i may have forgotten...
- bump libm major, due to removed&changed symbols
- no libc bump, since this is riding on djm's libc major crank from
a day ago
discussed with / requested by / testing theo, sthen@, djm@, jsg@,
merdely@, jsing@, tedu@, brad@, jakemsr@, and others.
looks good to millert@
parts of the diff ok kettenis@
this commit does not include:
- man page changes | 
| | |  | 
| | 
| 
| 
| | effort as possible in most cases; ok djm@ | 
| | 
| 
| 
| | slightly kludgey solution for until otto fixes it properly; ok otto@ | 
| | 
| 
| 
| 
| | the freshly mmaped pages disrupting their pure zeroness;
ok otto@ deraadt@ | 
| | 
| 
| 
| | case spotted by beck, one by me; ok deraadt@ beck@ | 
| | 
| 
| 
| 
| | returns zero filled pages; remember to replace this function as well if you
provide your own malloc implementation; ok djm@ deraadt@ | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| 
| | structure of tracking pages returned by mmap(). Lots of testing by
lots of people, thanks to you all.
ok djm@ (for a slighly earlier version) deraadt@ | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | Not sure what's more surprising: how long it took for NetBSD to
catch up to the rest of the BSDs (including UCB), or the amount of
code that NetBSD has claimed for itself without attributing to the
actual authors.
OK deraadt@ | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| | call to strtod() with bounding check.
Discussed with pyr@ and otto@
ok otto@ deraadt@ | 
| | |  | 
| | 
| 
| 
| | costs; ok jmc@ for the man page bits; ok millert@ deraadt@ | 
| | 
| 
| 
| 
| 
| 
| | Use arc4random_uniform() when the desired random number upper bound
is not a power of two
ok deraadt@ millert@ | 
| | 
| 
| 
| 
| 
| | calls vfork(2). "untested, but looks OK" marc@
- document vfork(2), popen(3) and system(3) don't call atfork handlers
in multithreaded programs. okay jmc@ | 
| | 
| 
| 
| 
| | prevents a few "cannot free mem because i need mem to free mem"
scenarios (one found by weingart@). ok weingart@ millert@ miod@ | 
| | 
| 
| 
| | OK millert@ | 
| | 
| 
| 
| 
| 
| | Therefore added math.h to SYNPOSIS.
OK millert@ | 
| | 
| 
| 
| 
| 
| | "suggest parentheses around && within ||"
ok millert@ | 
| | 
| 
| 
| | ok millert@ ray@ | 
| | |  | 
| | 
| 
| 
| | Based on a diff from Mike Belopuhov.  OK jmc@ | 
| | 
| 
| 
| | object destructors called at dlclose() time.  Inspired by similar changes in FreeBSD and NetBSD. | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| | OK otto@ | 
| | 
| 
| 
| 
| 
| 
| 
| | Document that getopt_long(3) can and will accept unique abbreviated long
option names.  This feature has been present since getopt_long(3) was first
released in NetBSD 1.5.  This is also standard GNU getopt_long(3) behavior.
ok millert | 
| | 
| 
| 
| | from FreeBSD.  With help from jmc@. |