feedback jmc@ ok deraadt@ schwarze@

ok millert@ schwarze@

"Make exit(), fclose(), fflush(), and freopen() comply with POSIX-2008
requirements for setting the underlying file position when flushing
read-mode streams, and make an fseek()-after-fflush() not change the
underlying file position."
Something isn't correct about it and it breaks at least initdb from
the postgresql-server package.
discussed with tb@, semarie@, and deraadt@

declarations to reduce <stdio.h> pollution.  Declare __isthreaded
in thread_private.h where it's really needed.
ok deraadt@

requirements for setting the underlying file position when flushing
read-mode streams, and make an fseek()-after-fflush() not change the
underlying file position.
Much testing, review, and assistance from tb@
ok tb@ millert@

and manpages and add restrict qualifiers.
ok millert@

memmem(3) was also added.  Update #include visibility and manpages
and add restrict qualifiers.
"never thought I'd see this day" millert@

adjust #include visibility and update the reallocarray(3) manpage
ok millert@

Missing function hit by fcambus@ some time ago.  ok millert@

The comment probably made sense before guenther restricted the symbols
exported by libc in 2015.

ok kettenis@ deraadt@ tb@

Userland code compiled in a normal fashion picks up the htonl(),
htons(), ntohl(), ntohs() macros implemented by endian.h.  The
functions in libc are effectively unused.  Keep the MI functions
in case something looks for the symbols in libc or plays games
with #undef, but change them to wrap the implementation from
endian.h.
tweaks suggested by claudio@, ok miod@

page size, rather than relying upon mprotect to round up to the actual mmu
page size.
This repairs malloc operation on systems where the malloc page size
(1 << _MAX_PAGE_SHIFT) is larger than the mmu page size.
ok otto@

ok deraadt@ jmc@

OK deraadt@ tb@

consistent regarding bcrypt,a instead of blowfish,a.  "blowfish"
is a historical alias which we don't need to document as firmly
as "bcrypt".
report about difficult manual page discovery from ataraxia937
ok millert

Previously, calling any of the mktemp(3) family would pull in
lstat(2), open(2) and mkdir(2).  Now, only the necessary system
calls will be reachable from the binary.  OK deraadt@ guenther@

OK deraadt@

bit of optimization; ok tb@ asou@

malloc option D (aka 1), 2, 3 or 4.  No performance impact if not
used.  ok asou@

not real problems)

Otherwise, the prototypes for timespec_get() and aligned_alloc()
are not visible.  OK guenther@

the 0x0 call sites for leak reports. Also display more info on
detected write of free chunks: print the info about where the chunk
was allocated, and for the preceding chunk as well.
ok asou@

ok otto.

malloc options"
Now only enabled for platforms where it's known to work and written
as inline functions instead of a macro.

__builtin_return_address(a) with a != 0.

ok deraadt@

unfortunately gcc3 does not have __builtin_clz().
ok miod@ otto@

On free, chunks (the pieces of a page used for smaller allocations)
are junked and then validated after they leave the delayed free
list.  So after free, a chunk always contains junk bytes. This means
that if we start with the right contents for a new page of chunks,
we can *validate* instead of *write* junk bytes when (re)-using a
chunk.
With this, we can detect write-after-free when a chunk is recycled,
not just when a chunk is in the delayed free list.  We do a little
bit more work on initial allocation of a page of chunks and when
re-using (as we validate now even on junk level 1).
Also: some extra consistency checks for recallocarray(3) and fixes
in error messages to make them more consistent, with man page bits.
Plus regress additions.

ok guenther@

future, inadvertent PLT entries.  Move the __getcwd and __realpath
declarations to hidden/{stdlib,unistd}.h to consolidate and remove
duplication.
ok tb@ otto@ deraadt@

unlock-lock dance it serves no real purpose any more. Confirmed
by a small performance increase in tests.  ok @tb

ok otto@

(sorry, otto, for not spotting in the updated diff)

except for bootblocks. This way we have built-in leak detection
always (if enabled by malloc flags). See man pages for details.

Should catch more of them and closer (in time) to the WAF.  ok tb@

The basic idea is simple: one of the reasons the recent sshd bug
is potentially exploitable is that an (erroneously) freed malloc
chunk gets re-used in a different role. malloc has power of two
chunk sizes and so one page of chunks holds many different types
of allocations. Userland malloc has no knowledge of types, we only
know about sizes. So I changed that to use finer-grained chunk
sizes.
This has some performance impact as we need to allocate chunk pages
in more cases. Gain it back by allocating chunk_info pages in a
bundle, and use fewer buckets if !malloc option S. The chunk sizes
used are 16, 32, 48, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320,
384, 448, 512, 640, 768, 896, 1024, 1280, 1536, 1792, 2048 (and a
few more for sparc64 with its 8k sized pages and loongson with its
16k pages).
If malloc option S (or rather cache size 0) is used we use strict
multiples of 16 sized chunks, to get as many buckets as possible.
ssh(d) enabled malloc option S, in general security sensitive
programs should.
See the find_bucket() and bin_of() functions. Thanks to Tony Finch
for pointing me to code to compute nice bucket sizes.
ok tb@

Originally from djm@.  OK deraadt@ florian@ bluhm@

freeing; ok tb@

can be made immutable to provide extra protection.  Also init pools
on-demand: only pools that are actually used are initialized.
Tested by many