Under the condition of MKLIBCSANITIZER==yes link ubsan.c into libc.
This is a clean-room reimplementation from scratch of the Undefined
Behavior runtime called micro-UBSan (or uBSan - user-UBSan).

Do not change the signedness bit with a left shift operation.
Cast to unsigned integer to prevent this.
ftok.c:56:10, left shift of 123456789 by 24 places cannot be represented in type 'int'
ftok.c:56:10, left shift of 4160 by 24 places cannot be represented in type 'int'
Detected with micro-UBSan in the user mode.

Do not change the signedness bit with a left shift operation.
Switch to unsigned integer to prevent this in the LAST_FRAG symbol.
xdr_rec.c:559:39, left shift of 1 by 31 places cannot be represented in type 'int'
xdr_rec.c:572:26, left shift of 1 by 31 places cannot be represented in type 'int'
xdr_rec.c:573:25, left shift of 1 by 31 places cannot be represented in type 'int'
xdr_rec.c:632:37, left shift of 1 by 31 places cannot be represented in type 'int'
xdr_rec.c:711:32, left shift of 1 by 31 places cannot be represented in type 'int'
xdr_rec.c:722:28, left shift of 1 by 31 places cannot be represented in type 'int'
Detected with micro-UBSan in the user mode.

Change the type of shifted value to unsigned to prevent altering the
signedness bit.
jemalloc.c:1707:14, left shift of 1 by 31 places cannot be represented in type 'int'
jemalloc.c:1724:15, left shift of 1 by 31 places cannot be represented in type 'int'
jemalloc.c:1840:28, left shift of 1 by 31 places cannot be represented in type 'int'
Detected with micro-UBSan in the user mode.

These changes should make no practical effect - but because external
data is being examined, it would be possible to contrive a situation
(perhaps) where uninit'd vars could actually be used (unless the format
has been checked elsewhere earlier - I did not look ... we have to
appease gcc anyway).
Joerg: Please review (& fix)

The basic glue works with minimal changes for other architectures as
well, but those require linker changes first to avoid leaking dynamic
relocations into the binary.

This change:
* Removes "options PERFCTRS", the associated includes, and the associated
ifdefs. In doing so, it removes several XXXSMPs in the MI code, which is
good.
* Removes the PMC code of ARM XSCALE.
* Removes all the pmc.h files. They were all empty, except for ARM XSCALE.
* Reorders the x86 PMC code not to rely on the legacy pmc.h file. The
definitions are put in sysarch.h.
* Removes the kern/sys_pmc.c file, and along with it, the sys_pmc_control
and sys_pmc_get_info syscalls. They are marked as OBSOL in kern,
netbsd32 and rump.
* Removes the pmc_evid_t and pmc_ctr_t types.
* Removes all the associated man pages. The sets are marked as obsolete.

support for only one ARM CPU. It used to have x86 support, but it was broken
and I removed it. The legacy PMC interface will be removed from the kernel
too. Sent on tech-kern@ yesterday, thorpej was fine.

The pt variable's elements are used after the end of the pt scope.
A move of pt to outer scope fixes this.
Detected with MKSANITIZER/ASan with tmux(1), a forkpty(3) user.

If a string is empty or contains only white characters, the algorithm of
removal of white characters at the end of the passed string will read
buffer at index -1 and keep iterating backward.
Detected with MKSANITIZER/ASan when executing passwd(1).

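The trailing-whitespace bug described in the message above, shown as an added example: this is not the libc routine that ASan flagged, and the input strings are constructed here. The loop form in the comment is the shape of the defect as the message describes it (reading index -1 on an empty or all-whitespace string); the function below tests the remaining length before every read so that index is never formed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Bounds-checked trailing-whitespace removal (example code, not the libc
 * routine from the report). The defect the report describes has the shape
 *
 *     p = buf + strlen(buf) - 1;
 *     while (isspace((unsigned char)*p)) *p-- = '\0';
 *
 * which, for "" or "   ", steps from buf[0] to buf[-1] and keeps going.
 * Here the length is checked before each read, so buf[-1] is never touched.
 * Returns the new length.
 */
size_t rtrim(char *s)
{
    size_t len = strlen(s);

    while (len > 0 && isspace((unsigned char)s[len - 1]))
        len--;
    s[len] = '\0';
    return len;
}

int main(void)
{
    /* constructed inputs: normal, empty, whitespace-only, nothing to trim */
    char samples[][16] = { "passwd \t\n", "", "   ", "no-trailing" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = rtrim(samples[i]);
        printf("[%s] -> length %zu\n", samples[i], n);
    }
    return 0;
}
```

The empty and whitespace-only cases are the ones ASan caught; both now stop at length 0 without reading before the buffer.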
The sanitizers are designed to use pristine OS versions of these libraries,
install interceptors for public symbols in them and link with them in every
sanitized executable.
Having unmodified base libraries (c, m, rt, pthread) also makes the system
usable with programs linking with them and without sanitization, as there
are no fatal issues during the resolving of missing symbols.
The remaining libraries like libutil, libintl etc are prebuilt with
sanitization and all their users in the MKSANITIZER=yes distribution are
required to use the same sanitizer.
libc and libpthread are already marked with the NOSANITIZER flag.

Unportable left shift reported with MKSANITIZER=yes USE_SANITIZER=undefined:
# nm /usr/lib/libc.so|grep sanit
/public/src.git/lib/libc/citrus/modules/citrus_mapper_std.c:173:8: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
Sponsored by <The NetBSD Foundation>
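The left-shift reports above (ftok.c, xdr_rec.c, jemalloc.c and citrus_mapper_std.c) are all the same defect: shifting a signed int into or past its sign bit, which C leaves undefined. The block below is an added example, not the libc code from any of those files. It takes the name LAST_FRAG from the xdr_rec.c message; the header layout, the helper functions and the operand values reused from the reports (1 by 31, 123456789 and 4160 by 24) are assumptions made for the illustration.

```c
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Illustrative record header: low 31 bits carry a length, the top bit marks
 * the last fragment. The name LAST_FRAG follows the xdr_rec.c report; the
 * layout and helpers are assumptions for this example, not libc code.
 *
 * Undefined form (what micro-UBSan reported):  1 << 31           in type 'int'
 * Defined form (the fix the commits apply):    (uint32_t)1 << 31
 */
#define LAST_FRAG ((uint32_t)1 << 31)

/* Build a header without ever shifting a signed value. */
uint32_t frag_header(uint32_t len, int last)
{
    return (len & ~LAST_FRAG) | (last ? LAST_FRAG : 0);
}

/* Decode a header: length and last-fragment flag. */
uint32_t frag_len(uint32_t hdr)     { return hdr & ~LAST_FRAG; }
int      frag_is_last(uint32_t hdr) { return (hdr & LAST_FRAG) != 0; }

/*
 * Decide before shifting whether x << n is defined for int operands
 * (C11 6.5.7p4: x >= 0, n below the width, and x * 2^n representable).
 * Useful where the operand comes from external data, as in the ftok(3)
 * report where 123456789 was shifted by 24.
 */
int int_shift_is_defined(int x, unsigned n)
{
    if (x < 0 || n >= sizeof(int) * CHAR_BIT)
        return 0;
    return (unsigned)x <= ((unsigned)INT_MAX >> n);
}

/* Shift in unsigned arithmetic; an out-of-range count yields 0 instead of UB. */
uint32_t shl32(uint32_t v, unsigned n)
{
    return n >= 32 ? 0 : v << n;
}

int main(void)
{
    uint32_t h = frag_header(4160, 1);

    printf("header 0x%08" PRIx32 " len %" PRIu32 " last %d\n",
           h, frag_len(h), frag_is_last(h));
    printf("1 << 31 in int defined: %d\n", int_shift_is_defined(1, 31));
    printf("1 << 30 in int defined: %d\n", int_shift_is_defined(1, 30));
    printf("123456789 << 24 in int defined: %d\n",
           int_shift_is_defined(123456789, 24));
    printf("4160 << 24 in int defined: %d\n", int_shift_is_defined(4160, 24));
    return 0;
}
```

Casting the shifted constant to an unsigned type, as the commits do, is enough for fixed flags like LAST_FRAG; where the operand is data read from outside (the ftok case), a pre-check like int_shift_is_defined or masking the field to its intended width is what keeps the expression defined.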