The paragraphs about the *_r and *_z/rz functions belong at the end of
the section (or somewhere like that), not affixed to the description of
difftime in the middle of the list of functions.
Both .mul and .umul are defined to return the most significant 32 bits
of the result in %o1, but v8 multiplication instructions put them in
%y. Move them to %o1. Nothing in the gcc generated code depends on
this, but hand-written assembly can rely on this and e.g. Self does.
Otherwise, the default kuserok logic to look at ~targetuser/.k5login
would be blocked by the security measure to thwart NetBSD-SA2023-005.
(There are other ways, e.g. setting SYSTEM-K5LOGIN in /etc/krb5.conf
so the file is /etc/k5login.d/user instead of ~user/.k5login, but
that's not the default configuration and there are plenty of
deployments that rely on ~user/.k5login today.)
I reviewed libkrb5 for homedir access checks. There are three:
1. krb5_config_parse_file_multi, called only by:
- verify_krb5_conf -- not relevant
- krb5_config_parse_file -- not used here as far as I can tell,
only by libhdb ldap logic and test code in heimdal
- krb5_set_config_files -- used here only via krb5_init_context,
which is done at this point
2. plugin_get_hosts in krbhst.c, used to look up hosts for KDC I/O,
which shouldn't be happening at this point, so this is almost
certainly unreachable; also it only appears to control whether
some old plugin API can be used, long after we have read the krb5
config controlling which plugins are available, so this is
probably harmless
3. krb5_kuserok, which is the one we want to allow
Note: This will have to be updated again in the next Heimdal update,
which eliminates the global homedir access flag in favour of making
the default per-context homedir access flag conditional on !issuid.
XXX pullup-10
XXX pullup-9
XXX pullup-8
This way, update builds track shlib major bumps correctly.
For example, suppose you had built Heimdal's libkrb5.so.27 and
libgssapi.so.11 linked against it, and then you updated past the recent
shlib major bump raising them to libkrb5.so.28 and libgssapi.so.12.
Without this change, the build will make the following sequence of
targets (interleaved with some others):
1. make dependall in libkrb5
2. make dependall in libgssapi
3. make install in libkrb5
4. make install in libgssapi
The existing .WAIT tags in SUBDIR ensure that (1) happens before (2)
and (3) happens before (4). Unfortunately, this sequence is wrong,
because it will produce the following effect:
1. make dependall in libkrb5 builds libkrb5.so.28
2. make dependall in libgssapi builds libgssapi.so.12, linked against
libkrb5.so.27
3. make install in libkrb5 installs libkrb5.so.28
4. make install in libgssapi installs libgssapi.so.12
Why the out-of-date libkrb5.so.27 in step (2)? Because we just pass
-L${DESTDIR}/usr/lib -lkrb5 to the linker (or the equivalent with
--sysroot and implied -L/usr/lib), and ${DESTDIR}/usr/lib still has
only libkrb5.so.27 by the time of step (2), not libkrb5.so.28.
Now any applications that link against libkrb5.so _and_ libgssapi.so
will get libkrb5.so.28 and libgssapi.so.12 -- but transitively, via
libgssapi.so.12, they will also get libkrb5.so.27, which is a recipe
for disaster.
Splicing the Heimdal library subdirectories into lib/Makefile, as
this does, ensures that we run make dependall _and_ make install in
libkrb5 _before_ make dependall in libgssapi, giving the following
correct sequence:
1. make dependall in libkrb5 builds libkrb5.so.28
2. make install in libkrb5 installs libkrb5.so.28
3. make dependall in libgssapi builds libgssapi.so.12, linked against
libkrb5.so.28
4. make install in libgssapi installs libgssapi.so.12
Note that LIBDPLIBS isn't enough here, as implemented. LIBDPLIBS
ensures that the incremental build will remake libgssapi.so. But it
doesn't ensure that the new libkrb5.so.28 is available before then,
so it doesn't prevent this problem.
We use the same mechanism for crypto/external/bsd/openssl/lib
already; this just extends it to other external library collections.
As an alternative, in principle perhaps we could teach LIBDPLIBS to
ensure that libkrb5.so comes out of the libkrb5 objdir, and not out
of ${DESTDIR}/usr/lib. But that requires some work to make happen,
and make it reliable, whereas this approach we've already confirmed
works without other adverse consequences (besides leaving
grody-looking mechanism lying around) for the libcrypto major bump
already. We need to get this pulled up to the branch so all the
other major bumps it required are handled correctly by update builds.
XXX pullup-10
Otherwise any existing software linked against the openssl11
libcrypto.so.14 and any of these libraries will suddenly start
pulling in libcrypto.so.15 at the same time, leading to mayhem in the
address space.
PR lib/57603
XXX pullup-10
also, don't cast to a type that includes an extra, unused, member.
while here, replace the hard coded offsets in setjmp.S and some
asserts in longjmp.c with assym.h and shared structures for all
the movings parts, and asserts based upon those structures.
avoids GCC 12 warnings.
sign-extension (really it would have been better for PEEK*() and GETNEXT()
to return unsigned char; this would have removed a ton of (uch) casts, but
it is too intrusive for now).
- fix an isalpha that should have been iswalpha
Sprinkle assertions and comments justifying the proposition that it
would never go negative if signed.
Obviates need to worry about mblength > SSIZE_MAX.
Prompted by PR lib/57573.
XXX pullup-10
XXX pullup-9
XXX pullup-8
It is initialized once either to *dlen, which is unsigned size_t, or
to wcslen(start) * MB_MAX_LEN + 1, and wcslen returns unsigned size_t
too. So there appears to have never been any reason for this to be
signed.
Part of PR lib/57573.
XXX pullup-10
XXX pullup-9
XXX pullup-8
Let's be consistent within these man pages. (If someone else really
likes the unpronounceable `.Ql \e0' better, that's fine, you can go
through and systematically change all the man pages to use that after
we're done clarifying strcpy(3), strncpy(3), and strlcpy(3).)
These are for substantively different purposes (fixed-width fields
with optional NUL padding vs NUL-terminated strings), so they don't
belong together.
Be more specific about the security issues.
this was triggering sh3 GCC 12 to fail compiles because of ssp.h's memcpy()
frontend having the always_inline attribute that didn't match -O0 or so.
tested with pkgsrc gcc9 to confirm it hangs there, but newer versions are fine.
also known as PR#55668, which now has a real fix (gcc 10 :-).
create a ptrdiff_t offset between the start of an allocation region and
some interesting pointer, so it can be adjusted with this offset after
realloc() returns.
found by GCC 12.
This is a string of _up to_ 16 bytes, used with strncpy(..., 16).
Specifying `const char descr[16]', while formally equivalent to
`const char *descr' in standard C, now provokes the ire of gcc when
the caller does not provide a buffer of at least 16 bytes.
if __kernel_rem_pio2() or __kernel_rem_pio2f() are called with "nx" less
than 2, the local variable fq[0] may be accessed uninitialised.
__kernel_rem_pio2() has direct calls with nx = 1, and __kernel_rem_pio2f()
is called with a value starting at 3, but may be decreased to less than 2,
implied by this code , if not actually avoided by the tx[] setup above:
nx = 3;
while(tx[nx-1]==zero) nx--; /* skip zero term */
n = __kernel_rem_pio2f(tx,y,e0,nx,2,two_over_pi);
found by GCC 12.
These are pretty bad -- these aren't transcendental functions; not
rocket science to make them correctly rounded -- but let's just make
sure they're available in libm for netbsd-10.
XXX pullup-10
overflow checked snprintf(). for res_debug.c and res_query.c, convert
from sprintf() to snprintf().
tested scp and rcp fail properly with too-long paths.
tested getaddrinfo fails as expected for too-long domains.
tested dig and ping for similar (res_debug.c/res_query.c).
created a temporary fs with quotas to test edquota with a long EDITOR.
did not test ypserv directly, but it's the same pattern.
avoids GCC 12 snprintf() warnings, and reduces total code size.
most of these are like, eg
void foo(int[2]);
with either of these
void foo(int*) { ... }
void foo(int[]) { ... }
in some cases (such as stat or utimes* calls found in our header files),
we now match standard definition from opengroup.
found by GCC 12.
This was a quite common trick to able to load executables with a.out
headers stripped. Now, the system boots successfully into multi-user
mode without this trick.
Thanks ragge@ for kind explanation:
https://mail-index.netbsd.org/port-vax/2023/07/28/msg004397.html
Use "build-aux" instead of the non-existant "m4" as the
directory for AC_CONFIG_MACRO_DIR.
Avoids autoreconf warning:
aclocal: warning: couldn't open directory 'm4': No such file or directory
No change to generated files.
Link to https://github.com/rumpkernel/ instead of
a site now taken over by an SEO squatter.
Per discussion on github.com/rumpkernel issues with pooka.
PR misc/57501
These API versions were completely missing from refuse/fs.c. User programs
could request these versions and build fine, but they couldn't even
initialize a FUSE context at run time.
Update mk.conf(5) with the rump variables from
- lib/librumpuser/README.compileopts
- sys/rump/README.compileopts
Add cross-references back to mk.conf(5) in those files.
Ensure that the Default: is listed last in a description,
for consistency with the convention in this file.
Front ends:
- aligned_alloc
- calloc
- posix_memalign
Fork hooks:
- _malloc_prefork
- _malloc_postfork
- _malloc_postfork_child
Otherwise these will pull in the jemalloc definitions from libc,
which (a) defeats the purpose, and (b) won't work correctly with
fork and threads.
Thanks to kre@ and the thread on tech-userlevel for pointing me in
the right direction to making this actually work to override
jemalloc:
https://mail-index.netbsd.org/tech-userlevel/2023/06/30/msg013957.html
Note: libbsdmalloc doesn't set errno=ENOMEM on malloc failure, but
these front ends do (even aligned_alloc, which is from C11, which
doesn't define ENOMEM at all, but this pacifies our aligned_alloc
tests in t_posix_memalign.c). Might want to fix that.
XXX pullup-10
Make supportable promises. Omit needless verbiage. Give caveats
with cross-references to entropy(7). Emphasize that security is
necessarily relative to system configuration.
XXX pullup-10
New allow_kdc_spoof overrides this to restore previous behaviour
which was vulnerable to KDC spoofing, because without a host or
service key, pam_krb5 can't distinguish the legitimate KDC from a
spoofed one.
This way, having pam_krb5 enabled isn't dangerous even if you create
an empty /etc/krb5.conf to use client SSO without any host services.
Perhaps this should use krb5_verify_init_creds(3) instead, and
thereby respect the rather obscurely named krb5.conf option
verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect
more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a
workaround that might introduce potentially worse security issues
or more compatibility issues.
Perhaps this should use krb5_verify_user(3) with secure=1 instead,
for simplicity, but it's not clear how to do that without first
prompting for the password -- which we shouldn't do at all if we
later decide we won't be able to use it anyway -- and without
repeating a bunch of the logic here anyway to pick the service name.
References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail:
https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.htmlhttps://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default:
https://github.com/heimdal/heimdal/issues/1129
On second thought, convert the list of type flags back to -tag, but
don't make it -compact. This way it's easier to see that it's related
to the list above.
Rename compiler-warning-disable variables from
GCC_NO_warning
to
CC_WNO_warning
where warning is the full warning name as used by the compiler.
GCC_NO_IMPLICIT_FALLTHRU is CC_WNO_IMPLICIT_FALLTHROUGH
Using the convention CC_compilerflag, where compilerflag
is based on the full compiler flag name.
Provide a single variable
CC_WNO_ADDRESS_OF_PACKED_MEMBER
with options for both clang and gcc, to replace
CLANG_NO_ADDR_OF_PACKED_MEMBER
CC_NO_ADDR_OF_PACKED_MEMBER
GCC_NO_ADDR_OF_PACKED_MEMBER
Using the convention CC_compilerflag, where compilerflag
is based on the full compiler flag name.
List all alternative forms recognized by string_to_flags(3).
Both "dump" and "nonodump" are the negative of "nodump".
string_to_flags does not recognize "snap".
Provide xrefs for flag descriptions where applicable.
This is now distinct from pthread__smt_pause, which is for spin lock
backoff with no paired wakeup.
On Arm, there is a single-bit event register per CPU, and there are two
instructions to manage it:
- wfe, wait for event -- if event register is clear, enter low power
mode and wait until event register is set; then exit low power mode
and clear event register
- sev, signal event -- sets event register on all CPUs (other
circumstances like interrupts also set the event register and cause
wfe to wake)
These can be used to reduce the power consumption of spinning for a
lock, but only if they are actually paired -- if there's no sev, wfe
might hang indefinitely. Currently only pthread_spin(3) actually
pairs them; the other lock primitives (internal lock, mutex, rwlock)
do not -- they have spin lock backoff loops, but no corresponding
wakeup to cancel a wfe.
It may be worthwhile to teach the other lock primitives to pair
wfe/sev, but that requires some performance measurement to verify
it's actually worthwhile. So for now, we just make sure not to use
wfe when there's no sev, and keep everything else the same -- this
should fix severe performance degredation in libpthread on Arm
without hurting anything else.
No change in the generated code on amd64 and i386. No change in the
generated code for pthread_spin.c on arm and aarch64 -- changes only
the generated code for pthread_lock.c, pthread_mutex.c, and
pthread_rwlock.c, as intended.
PR port-arm/57437
XXX pullup-10
No functional change intended -- just safer to do it this way in case
the macros are used in if branches or comma expressions.
PR port-arm/57437 (pthread__smt_pause/wake issue)
XXX pullup-10
endian machines. When long double support was added, the old code was kept
for the regular double code. This code was never used because WIDE_DOUBLE
was always defined in the Makefile. Remove that old code, and conditionalize
the WIDE_DOUBLE code based on if long doubles are different than doubles on
the specific platform.
This is the size of dst, not of src. The size of src is determined
by the address family.
Fix markup while here: .Fa for function arguments, not .Ar which is
for command arguments.
And make the tests work, and exercise all lengths up to 100.
Evidently the previous definition, presumably tightly optimized for
1980s-era compilers and CPUs, was too hard to understand, because it
was incorrectly tested for two decades and broken for years.
PR lib/57141
XXX pullup-8
XXX pullup-9
XXX pullup-10
the number of bytes to add - for multibyte characters n will be > 1.
Fix __slk_draw to pass in the actual length of the label instead of
the default label length because wide characters may make the
actual string length longer than the slk display length.
Although tzcode still works with C89, bugs found in recent routine
maintenance indicate that bitrot has set in and that in practice
C89 is no longer used to build tzcode. As it is a maintenance
burden, support for C89 is planned to be removed soon. Instead,
please use compilers compatible with C99, C11, C17, or C23.
timegm, which tzcode implemented in 1989, will finally be
standardized 34 years later as part of C23, so timegm is now
supported even if STD_INSPIRED is not defined.
Fix bug in zdump's tzalloc emulation on hosts that lack tm_zone.
(Problem reported by Đoàn Trần Công Danh.)
Fix bug in zic on hosts where malloc(0) yields NULL on success.
(Problem reported by Tim McBrayer for AIX 6.1.)
Fix zic configuration to avoid linkage failures on some platforms.
(Problems reported by Gilmore Davidson and Igor Ivanov.)
Work around MS-Windows nmake incompatibility with POSIX.
(Problem reported by Manuela Friedrich.)
Port mktime and strftime to debugging platforms where accessing
uninitialized data has undefined behavior (strftime problem
reported by Robert Elz).
Check more carefully for unlikely integer overflows, preferring
C23 <stdckdint.h> to overflow checking by hand, as the latter has
had obscure bugs.
The first paragraph could use some rewording. While BRE may be
obsolete, it's still the default for regcomp(3) and the default for
grep(1), sed(1), etc.
Use .Rv where possible. Some manual pages claimed that the error "is
returned", but RTFS and some quick testing indicate that this is wrong.
The commit message from 2003 says that:
Note our current implementation mis-matches [man pages] slightly
(error codes are stuffed into errno, where they should simply be
returned by these calls). This will be addressed shortly.
That hasn't happened in the 20 years, so we might as well make the man
pages reflect the reality.
While here, don't claim that null pointer is zero.
We should probably just pick the wording from POSIX, but that yak is a
bit too big for me to shave at the moment.
on virtscr and curscr because the indexes past are supposed to be
one *past* the last matching line (they may actually match if the line is
at the bottom of the screen). Iff they don't match reduce the scroll
region size by one so we don't scroll non-matching lines, also check
if the region is then 0 after the decrement and just return if it was.
This fixes observed behviour in the PR. Allow the cursor to be
moved one past the EOL, if postitioned here then set ISPASTEOL.
also protect out of range access if win->cury is past maxy.
Changes to code
zic now supports links to links regardless of input line order.
For example, if Australia/Sydney is a Zone, the lines
Link Australia/Canberra Australia/ACT
Link Australia/Sydney Australia/Canberra
now work correctly, even though the shell commands
ln Australia/Canberra Australia/ACT
ln Australia/Sydney Australia/Canberra
would fail because the first command attempts to use a link
Australia/Canberra that does not exist until after the second
command is executed. Previously, zic had unspecified behavior if
a Link line's target was another link, and zic often misbehaved if
a Link line's target was a later Link line.
Fix line number in zic's diagnostic for a link to a link.
Fix a bug that caused localtime to mishandle timestamps starting
in the year 2438 when reading data generated by 'zic -b fat' when
distant-future DST transitions occur at times given in standard
time or in UT, not the usual case of local time. This occurs when
the corresponding .zi Rule lines specify DST transitions with TO
columns of 'max' and AT columns that end in 's' or 'u'. The
number 2438 comes from the 32-bit limit in the year 2038, plus the
400-year Gregorian cycle. (Problem reported by Bradley White.)
On glibc 2.34 and later, which optionally supports 64-bit time_t
on platforms like x86 where time_t was traditionally 32 bits,
default time_t to 64 instead of 32 bits. This lets functions like
localtime support timestamps after the year 2038, and fixes
year-2038 problems in zic when accessing files dated after 2038.
To continue to limit time_t to 32 bits on these platforms, use
"make CFLAGS='-D_TIME_BITS=32'".
In C code, do not enable large-file support on platforms like AIX
and macOS that no longer need it now that tzcode does not use
off_t or related functions like 'stat'. Large-file support is
still enabled by default on GNU/Linux, as it is needed for 64-bit
time_t support.
In C code, prefer C23 keywords to pre-C23 macros for alignof,
bool, false, and true. Also, use the following C23 features if
available: __has_include, unreachable.
zic no longer works around Qt bug 53071, as the relevant Qt
releases have been out of support since 2019. This change affects
only fat TZif files, as thin files never had the workaround.
zdump no longer modifies the environ vector when compiled on
platforms lacking tm_zone or when compiled with -DUSE_LTZ=0.
This avoid undefined behavior on POSIX platforms.
reallocarray() will be part of the next POSIX release, see
https://austingroupbugs.net/view.php?id=1218
adapt an errno value to match POSIX expectations
As discussed on tech-userlevel
(meaningless macro in mdoc) followed by the first line of the
real BUGS section somehow ended up inserted after the first
word of the STANDARDS section. Delete the noise.
- plod now correctly accounts for wide characters when plodding
- use erase line when in color mode if the terminal has the capability
- ensure that the CA_CONTINUATION flag is applied consistently to the
subsequent characters in a wide character.
- fix a bunch of refresh bugs that caused inconsistent placement of
wide characters.
The old definitions in qp.c being all grouped together in one file
causes problems when static linking with libgcc (i.e. cc --static-libgcc)
due to functions like __trunctfdf2 conflicting with libgcc, as seen in
PR 57021
We can also add some missing functions like __fixdfti for converting
a double to an int128_t, the lack of which is currently preventing webkit
from linking on aarch64, as seen in PR 57022
Unclear to me if libc is the right place for these functions, but
we can avoid breaking compatibility right now and maintain the status
quo while avoiding some obvious immediate problems.
nm output for libc shows no functions being removed by this change.
Some flags are now accepted, others are still ignored. (E.g., other
BSDs would return EINVAL if O_RDWR wasn't passed, and we now accept
O_NONBLOCK but not O_CLOEXEC.)
This doesn't affect the calls to the atfork handlers -- it only
protects access to the lists of handlers from interruption by a
signal, in case the signal handler calls fork(2).
The NetBSD implementation differs from other BSDs in that it does not
return EINVAL if invalid oflags are submitted, since it completely
ignores them. This is surprising to upstream projects that may expect
otherwise.
Work around a bug in onetrueawk that broke commands like
'make traditional_tarballs' on FreeBSD, macOS, etc.
(Problem reported by Deborah Goldsmith.)
Add code to tzselect that uses experimental structured comments in
zone1970.tab to clarify whether Zones like Africa/Abidjan and
Europe/Istanbul cross continent or ocean boundaries.
(Inspired by a problem reported by Peter Krefting.)
Fix bug with 'zic -d /a/b/c' when /a is unwritable but the
directory /a/b already exists.
Remove zoneinfo2tdf.pl, as it was unused and triggered false
malware alarms on some email servers.
zic has a new option '-R @N' to output explicit transitions < N.
(Need suggested by Almaz Mingaleev.)
'zic -r @N' no longer outputs bad data when N < first transition.
(Problem introduced in 2021d and reported by Peter Krefting.)
zic now checks its input for NUL bytes and unterminated lines, and
now supports input line lengths up to 2048 (not 512) bytes.
gmtime and related code now use the abbreviation "UTC" not "GMT".
POSIX is being revised to require this.
When tzset and related functions set vestigial static variables
like tzname, they now prefer specified timestamps to unspecified ones.
(Problem reported by Almaz Mingaleev.)
zic no longer complains "can't determine time zone abbreviation to
use just after until time" when a transition to a new standard
time occurs simultanously with the first DST fallback transition.
For now this builds the C version, for completeness, so
that e.g. lang/ocaml can be configured & built. However,
googling reveals that powerpc does have a "fused multiply add"
instruction, ref.
https://www.ibm.com/docs/en/aix/7.1?topic=set-fmadd-fma-floating-multiply-add-instruction
so this could probably be taken advantage of for a more
optimized version.
rin