localtime.c no longer mishandles TZif files that contain a single
transition into a DST regime. Previously, it incorrectly assumed
DST was in effect before the transition too. (Thanks to Alois
Treindl for debugging help.)
localtime.c's timeoff no longer collides with OpenBSD 7.4.
The C code now uses _Generic only if __STDC_VERSION__ says the
compiler is C11 or later.
tzselect now optionally reads zonenow.tab, to simplify when
configuring only for timestamps dated from now on.
tzselect no longer creates temporary files.
tzselect no longer mishandles the following:
Spaces and most other special characters in BUGEMAIL, PACKAGE,
TZDIR, and VERSION.
TZ strings when using mawk 1.4.3, which mishandles regular
expressions of the form /X{2,}/.
ISO 6709 coordinates when using an awk that lacks the GNU
extension of newlines in -v option-arguments.
Non UTF-8 locales when using an iconv command that lacks the GNU
//TRANSLIT extension.
zic no longer mishandles data for Palestine after the year 2075.
Previously, it incorrectly omitted post-2075 transitions that are
predicted for just before and just after Ramadan. (Thanks to Ken
Murchison for debugging help.)
zic now works again on Linux 2.6.16 and 2.6.17 (2006).
getconf(1) add this and SC_PHYS_PAGES.
libc: Use vm.uvmexp2 over vm.meter is it's twice as fast on my setup.
getconf.3: Tidy up wording for SC_PHYS_PAGES.
commit 80bc871bdd4a8254ce19a65a54c8c918dd3ddd11
Author: Konstantin Belousov <kib@FreeBSD.org>
Date: Sat Sep 12 18:16:46 2009 +0000
MFC r196861:
Handle zero size for posix_memalign. Return NULL or unique address
according to the 'V' option.
commit 52d7a117c0fe8bd0226d964f4272131700035f12
Author: Jason Evans <jasone@FreeBSD.org>
Date: Thu Aug 14 17:03:29 2008 +0000
Re-order the terms of an expression in arena_run_reg_dalloc() to correctly
detect whether the integer division table is large enough to handle the
divisor. Before this change, the last two table elements were never used,
thus causing the slow path to be used for those divisors.
- Don't use TLS nor pretend to hash out arenas to reduce lock contention,
because NetBSD uses thr_curcpu() to choose arena (i.e. per-CPU arenas).
- In a single threaded process, don't prepare "ncpus" worth of arenas,
allocate only one.
- Use getpagesize() since it caches the return.
- Sprinkle branch hints.
- Make MALLOC_TRACE and MALLOC_DEBUG work again.
This pushed the ramdisk size, so that needed to be bumped as well.
Otherwise, there were no build issues for either 32 or 64 bit mips.
Sort-of OK'ed by simonb@.
Loose ends in the fix for NetBSD-SA2023-006 that weren't caught by
review or, somehow, by my own testing. Evidently we need automatic
tests for this pam business.
XXX pullup-10
XXX pullup-9
XXX pullup-8
using 4k pages), query the hypervisor for the real page size of the host
kernel and use that for architectures that do not have compile time
constant page sizes.
Release 2023c - 2023-03-28 12:42:14 -0700
Release 2023b - 2023-03-23 19:50:38 -0700
Release 2023a - 2023-03-22 12:39:33 -0700
Changes to code
You can now tell tzselect local time, to simplify later choices.
Select the 'time' option in its first prompt.
You can now compile with -DTZNAME_MAXIMUM=N to limit time zone
abbreviations to N bytes (default 255). The reference runtime
library now rejects POSIX-style TZ strings that contain longer
abbreviations, treating them as UTC. Previously the limit was
platform dependent and abbreviations were silently truncated to
16 bytes even when the limit was greater than 16.
The code by default is now designed for C99 or later. To build in
a C89 environment, compile with -DPORT_TO_C89. To support C89
callers of the tzcode library, compile with -DSUPPORT_C89. The
two new macros are transitional aids planned to be removed in a
future version, when C99 or later will be required.
The code now builds again on pre-C99 platforms, if you compile
with -DPORT_TO_C89. This fixes a bug introduced in 2022f.
On C23-compatible platforms tzcode no longer uses syntax like
'static [[noreturn]] void usage(void);'. Instead, it uses
'[[noreturn]] static void usage(void);' as strict C23 requires.
(Problem reported by Houge Langley.)
The code's functions now constrain their arguments with the C
'restrict' keyword consistently with their documentation.
This may allow future optimizations.
zdump again builds standalone with ckdadd and without setenv,
fixing a bug introduced in 2022g. (Problem reported by panic.)
leapseconds.awk can now process a leap seconds file that never
expires; this might be useful if leap seconds are discontinued.
Changes to commentary
tz-link.html has a new section "Coordinating with governments and
distributors". (Thanks to Neil Fuller for some of the text.)
To improve tzselect diagnostics, zone1970.tab's comments column is
now limited to countries that have multiple timezones.
Note that leap seconds are planned to be discontinued by 2035.
The paragraphs about the *_r and *_z/rz functions belong at the end of
the section (or somewhere like that), not affixed to the description of
difftime in the middle of the list of functions.
Both .mul and .umul are defined to return the most significant 32 bits
of the result in %o1, but v8 multiplication instructions put them in
%y. Move them to %o1. Nothing in the gcc generated code depends on
this, but hand-written assembly can rely on this and e.g. Self does.
Otherwise, the default kuserok logic to look at ~targetuser/.k5login
would be blocked by the security measure to thwart NetBSD-SA2023-005.
(There are other ways, e.g. setting SYSTEM-K5LOGIN in /etc/krb5.conf
so the file is /etc/k5login.d/user instead of ~user/.k5login, but
that's not the default configuration and there are plenty of
deployments that rely on ~user/.k5login today.)
I reviewed libkrb5 for homedir access checks. There are three:
1. krb5_config_parse_file_multi, called only by:
- verify_krb5_conf -- not relevant
- krb5_config_parse_file -- not used here as far as I can tell,
only by libhdb ldap logic and test code in heimdal
- krb5_set_config_files -- used here only via krb5_init_context,
which is done at this point
2. plugin_get_hosts in krbhst.c, used to look up hosts for KDC I/O,
which shouldn't be happening at this point, so this is almost
certainly unreachable; also it only appears to control whether
some old plugin API can be used, long after we have read the krb5
config controlling which plugins are available, so this is
probably harmless
3. krb5_kuserok, which is the one we want to allow
Note: This will have to be updated again in the next Heimdal update,
which eliminates the global homedir access flag in favour of making
the default per-context homedir access flag conditional on !issuid.
XXX pullup-10
XXX pullup-9
XXX pullup-8
This way, update builds track shlib major bumps correctly.
For example, suppose you had built Heimdal's libkrb5.so.27 and
libgssapi.so.11 linked against it, and then you updated past the recent
shlib major bump raising them to libkrb5.so.28 and libgssapi.so.12.
Without this change, the build will make the following sequence of
targets (interleaved with some others):
1. make dependall in libkrb5
2. make dependall in libgssapi
3. make install in libkrb5
4. make install in libgssapi
The existing .WAIT tags in SUBDIR ensure that (1) happens before (2)
and (3) happens before (4). Unfortunately, this sequence is wrong,
because it will produce the following effect:
1. make dependall in libkrb5 builds libkrb5.so.28
2. make dependall in libgssapi builds libgssapi.so.12, linked against
libkrb5.so.27
3. make install in libkrb5 installs libkrb5.so.28
4. make install in libgssapi installs libgssapi.so.12
Why the out-of-date libkrb5.so.27 in step (2)? Because we just pass
-L${DESTDIR}/usr/lib -lkrb5 to the linker (or the equivalent with
--sysroot and implied -L/usr/lib), and ${DESTDIR}/usr/lib still has
only libkrb5.so.27 by the time of step (2), not libkrb5.so.28.
Now any applications that link against libkrb5.so _and_ libgssapi.so
will get libkrb5.so.28 and libgssapi.so.12 -- but transitively, via
libgssapi.so.12, they will also get libkrb5.so.27, which is a recipe
for disaster.
Splicing the Heimdal library subdirectories into lib/Makefile, as
this does, ensures that we run make dependall _and_ make install in
libkrb5 _before_ make dependall in libgssapi, giving the following
correct sequence:
1. make dependall in libkrb5 builds libkrb5.so.28
2. make install in libkrb5 installs libkrb5.so.28
3. make dependall in libgssapi builds libgssapi.so.12, linked against
libkrb5.so.28
4. make install in libgssapi installs libgssapi.so.12
Note that LIBDPLIBS isn't enough here, as implemented. LIBDPLIBS
ensures that the incremental build will remake libgssapi.so. But it
doesn't ensure that the new libkrb5.so.28 is available before then,
so it doesn't prevent this problem.
We use the same mechanism for crypto/external/bsd/openssl/lib
already; this just extends it to other external library collections.
As an alternative, in principle perhaps we could teach LIBDPLIBS to
ensure that libkrb5.so comes out of the libkrb5 objdir, and not out
of ${DESTDIR}/usr/lib. But that requires some work to make happen,
and make it reliable, whereas this approach we've already confirmed
works without other adverse consequences (besides leaving
grody-looking mechanism lying around) for the libcrypto major bump
already. We need to get this pulled up to the branch so all the
other major bumps it required are handled correctly by update builds.
XXX pullup-10
Otherwise any existing software linked against the openssl11
libcrypto.so.14 and any of these libraries will suddenly start
pulling in libcrypto.so.15 at the same time, leading to mayhem in the
address space.
PR lib/57603
XXX pullup-10
also, don't cast to a type that includes an extra, unused, member.
while here, replace the hard coded offsets in setjmp.S and some
asserts in longjmp.c with assym.h and shared structures for all
the movings parts, and asserts based upon those structures.
avoids GCC 12 warnings.
sign-extension (really it would have been better for PEEK*() and GETNEXT()
to return unsigned char; this would have removed a ton of (uch) casts, but
it is too intrusive for now).
- fix an isalpha that should have been iswalpha
Sprinkle assertions and comments justifying the proposition that it
would never go negative if signed.
Obviates need to worry about mblength > SSIZE_MAX.
Prompted by PR lib/57573.
XXX pullup-10
XXX pullup-9
XXX pullup-8
It is initialized once either to *dlen, which is unsigned size_t, or
to wcslen(start) * MB_MAX_LEN + 1, and wcslen returns unsigned size_t
too. So there appears to have never been any reason for this to be
signed.
Part of PR lib/57573.
XXX pullup-10
XXX pullup-9
XXX pullup-8
Let's be consistent within these man pages. (If someone else really
likes the unpronounceable `.Ql \e0' better, that's fine, you can go
through and systematically change all the man pages to use that after
we're done clarifying strcpy(3), strncpy(3), and strlcpy(3).)
These are for substantively different purposes (fixed-width fields
with optional NUL padding vs NUL-terminated strings), so they don't
belong together.
Be more specific about the security issues.
this was triggering sh3 GCC 12 to fail compiles because of ssp.h's memcpy()
frontend having the always_inline attribute that didn't match -O0 or so.
tested with pkgsrc gcc9 to confirm it hangs there, but newer versions are fine.
also known as PR#55668, which now has a real fix (gcc 10 :-).
create a ptrdiff_t offset between the start of an allocation region and
some interesting pointer, so it can be adjusted with this offset after
realloc() returns.
found by GCC 12.
This is a string of _up to_ 16 bytes, used with strncpy(..., 16).
Specifying `const char descr[16]', while formally equivalent to
`const char *descr' in standard C, now provokes the ire of gcc when
the caller does not provide a buffer of at least 16 bytes.
if __kernel_rem_pio2() or __kernel_rem_pio2f() are called with "nx" less
than 2, the local variable fq[0] may be accessed uninitialised.
__kernel_rem_pio2() has direct calls with nx = 1, and __kernel_rem_pio2f()
is called with a value starting at 3, but may be decreased to less than 2,
implied by this code , if not actually avoided by the tx[] setup above:
nx = 3;
while(tx[nx-1]==zero) nx--; /* skip zero term */
n = __kernel_rem_pio2f(tx,y,e0,nx,2,two_over_pi);
found by GCC 12.
These are pretty bad -- these aren't transcendental functions; not
rocket science to make them correctly rounded -- but let's just make
sure they're available in libm for netbsd-10.
XXX pullup-10
overflow checked snprintf(). for res_debug.c and res_query.c, convert
from sprintf() to snprintf().
tested scp and rcp fail properly with too-long paths.
tested getaddrinfo fails as expected for too-long domains.
tested dig and ping for similar (res_debug.c/res_query.c).
created a temporary fs with quotas to test edquota with a long EDITOR.
did not test ypserv directly, but it's the same pattern.
avoids GCC 12 snprintf() warnings, and reduces total code size.
most of these are like, eg
void foo(int[2]);
with either of these
void foo(int*) { ... }
void foo(int[]) { ... }
in some cases (such as stat or utimes* calls found in our header files),
we now match standard definition from opengroup.
found by GCC 12.
This was a quite common trick to able to load executables with a.out
headers stripped. Now, the system boots successfully into multi-user
mode without this trick.
Thanks ragge@ for kind explanation:
https://mail-index.netbsd.org/port-vax/2023/07/28/msg004397.html
Use "build-aux" instead of the non-existant "m4" as the
directory for AC_CONFIG_MACRO_DIR.
Avoids autoreconf warning:
aclocal: warning: couldn't open directory 'm4': No such file or directory
No change to generated files.
Link to https://github.com/rumpkernel/ instead of
a site now taken over by an SEO squatter.
Per discussion on github.com/rumpkernel issues with pooka.
PR misc/57501
These API versions were completely missing from refuse/fs.c. User programs
could request these versions and build fine, but they couldn't even
initialize a FUSE context at run time.
Update mk.conf(5) with the rump variables from
- lib/librumpuser/README.compileopts
- sys/rump/README.compileopts
Add cross-references back to mk.conf(5) in those files.
Ensure that the Default: is listed last in a description,
for consistency with the convention in this file.
Front ends:
- aligned_alloc
- calloc
- posix_memalign
Fork hooks:
- _malloc_prefork
- _malloc_postfork
- _malloc_postfork_child
Otherwise these will pull in the jemalloc definitions from libc,
which (a) defeats the purpose, and (b) won't work correctly with
fork and threads.
Thanks to kre@ and the thread on tech-userlevel for pointing me in
the right direction to making this actually work to override
jemalloc:
https://mail-index.netbsd.org/tech-userlevel/2023/06/30/msg013957.html
Note: libbsdmalloc doesn't set errno=ENOMEM on malloc failure, but
these front ends do (even aligned_alloc, which is from C11, which
doesn't define ENOMEM at all, but this pacifies our aligned_alloc
tests in t_posix_memalign.c). Might want to fix that.
XXX pullup-10
Make supportable promises. Omit needless verbiage. Give caveats
with cross-references to entropy(7). Emphasize that security is
necessarily relative to system configuration.
XXX pullup-10
New allow_kdc_spoof overrides this to restore previous behaviour
which was vulnerable to KDC spoofing, because without a host or
service key, pam_krb5 can't distinguish the legitimate KDC from a
spoofed one.
This way, having pam_krb5 enabled isn't dangerous even if you create
an empty /etc/krb5.conf to use client SSO without any host services.
Perhaps this should use krb5_verify_init_creds(3) instead, and
thereby respect the rather obscurely named krb5.conf option
verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect
more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a
workaround that might introduce potentially worse security issues
or more compatibility issues.
Perhaps this should use krb5_verify_user(3) with secure=1 instead,
for simplicity, but it's not clear how to do that without first
prompting for the password -- which we shouldn't do at all if we
later decide we won't be able to use it anyway -- and without
repeating a bunch of the logic here anyway to pick the service name.
References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail:
https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.htmlhttps://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default:
https://github.com/heimdal/heimdal/issues/1129
On second thought, convert the list of type flags back to -tag, but
don't make it -compact. This way it's easier to see that it's related
to the list above.
Rename compiler-warning-disable variables from
GCC_NO_warning
to
CC_WNO_warning
where warning is the full warning name as used by the compiler.
GCC_NO_IMPLICIT_FALLTHRU is CC_WNO_IMPLICIT_FALLTHROUGH
Using the convention CC_compilerflag, where compilerflag
is based on the full compiler flag name.
Provide a single variable
CC_WNO_ADDRESS_OF_PACKED_MEMBER
with options for both clang and gcc, to replace
CLANG_NO_ADDR_OF_PACKED_MEMBER
CC_NO_ADDR_OF_PACKED_MEMBER
GCC_NO_ADDR_OF_PACKED_MEMBER
Using the convention CC_compilerflag, where compilerflag
is based on the full compiler flag name.
List all alternative forms recognized by string_to_flags(3).
Both "dump" and "nonodump" are the negative of "nodump".
string_to_flags does not recognize "snap".
Provide xrefs for flag descriptions where applicable.
This is now distinct from pthread__smt_pause, which is for spin lock
backoff with no paired wakeup.
On Arm, there is a single-bit event register per CPU, and there are two
instructions to manage it:
- wfe, wait for event -- if event register is clear, enter low power
mode and wait until event register is set; then exit low power mode
and clear event register
- sev, signal event -- sets event register on all CPUs (other
circumstances like interrupts also set the event register and cause
wfe to wake)
These can be used to reduce the power consumption of spinning for a
lock, but only if they are actually paired -- if there's no sev, wfe
might hang indefinitely. Currently only pthread_spin(3) actually
pairs them; the other lock primitives (internal lock, mutex, rwlock)
do not -- they have spin lock backoff loops, but no corresponding
wakeup to cancel a wfe.
It may be worthwhile to teach the other lock primitives to pair
wfe/sev, but that requires some performance measurement to verify
it's actually worthwhile. So for now, we just make sure not to use
wfe when there's no sev, and keep everything else the same -- this
should fix severe performance degredation in libpthread on Arm
without hurting anything else.
No change in the generated code on amd64 and i386. No change in the
generated code for pthread_spin.c on arm and aarch64 -- changes only
the generated code for pthread_lock.c, pthread_mutex.c, and
pthread_rwlock.c, as intended.
PR port-arm/57437
XXX pullup-10
No functional change intended -- just safer to do it this way in case
the macros are used in if branches or comma expressions.
PR port-arm/57437 (pthread__smt_pause/wake issue)
XXX pullup-10
endian machines. When long double support was added, the old code was kept
for the regular double code. This code was never used because WIDE_DOUBLE
was always defined in the Makefile. Remove that old code, and conditionalize
the WIDE_DOUBLE code based on if long doubles are different than doubles on
the specific platform.
This is the size of dst, not of src. The size of src is determined
by the address family.
Fix markup while here: .Fa for function arguments, not .Ar which is
for command arguments.
And make the tests work, and exercise all lengths up to 100.
Evidently the previous definition, presumably tightly optimized for
1980s-era compilers and CPUs, was too hard to understand, because it
was incorrectly tested for two decades and broken for years.
PR lib/57141
XXX pullup-8
XXX pullup-9
XXX pullup-10
the number of bytes to add - for multibyte characters n will be > 1.
Fix __slk_draw to pass in the actual length of the label instead of
the default label length because wide characters may make the
actual string length longer than the slk display length.
Although tzcode still works with C89, bugs found in recent routine
maintenance indicate that bitrot has set in and that in practice
C89 is no longer used to build tzcode. As it is a maintenance
burden, support for C89 is planned to be removed soon. Instead,
please use compilers compatible with C99, C11, C17, or C23.
timegm, which tzcode implemented in 1989, will finally be
standardized 34 years later as part of C23, so timegm is now
supported even if STD_INSPIRED is not defined.
Fix bug in zdump's tzalloc emulation on hosts that lack tm_zone.
(Problem reported by Đoàn Trần Công Danh.)
Fix bug in zic on hosts where malloc(0) yields NULL on success.
(Problem reported by Tim McBrayer for AIX 6.1.)
Fix zic configuration to avoid linkage failures on some platforms.
(Problems reported by Gilmore Davidson and Igor Ivanov.)
Work around MS-Windows nmake incompatibility with POSIX.
(Problem reported by Manuela Friedrich.)
Port mktime and strftime to debugging platforms where accessing
uninitialized data has undefined behavior (strftime problem
reported by Robert Elz).
Check more carefully for unlikely integer overflows, preferring
C23 <stdckdint.h> to overflow checking by hand, as the latter has
had obscure bugs.