Commit Graph

38 Commits

Author SHA1 Message Date
Jérôme Duval
04be20a75a Implement stack protection support
This adds kernel & libroot stack protector hooks. It uses /dev/random in userspace.
A configure option --enable-stack-protector is added to activate -fstack-protector
on selected system components (ATM apps, kits, servers).

Change-Id: If3a2920ba9aa0a85eaff4ba6778947f8c76ade31
Reviewed-on: https://review.haiku-os.org/c/haiku/+/3895
Reviewed-by: Adrien Destugues <pulkomandy@gmail.com>
2021-05-03 17:52:31 +00:00
Augustin Cavalier
0d7d1fccff libroot: Implement the general case of posix_spawn using load_image.
The goal here is to avoid potentially expensive fork()ing.

The time for a fork() is (for a process with no real heap usage
and thus few areas) 300-400us on my system. load_image() takes
3000us (3ms) or so, but this of course includes exec() time.

Overall, for compiling HaikuDepot (with a tweaked jam to use
posix_spawn on Haiku, not just on Linux) there is a slight
decrease in time:

before:
real 1m21.727s
user 1m2.131s
sys  0m43.029s

after:
real 1m19.472s
user 1m1.752s
sys  0m41.740s

Which is probably within the realm of "noise", so more benchmarks
are needed. Likely if we tweak our jam usage to not need as many
shells when running commands, this would be a much more noticeable
change.

Change-Id: I217f2476b1ed9aa18322b3c2bc8986571d89549a
2020-05-30 01:19:48 -04:00
Jaroslaw Pelczar
016cc66803 Remove arch_get_caller
Use the gcc builtin instead, which generates more efficient code (it
saves a function call) and means less platform specific code to write
for us.

Change-Id: I1d55b5703027b2ea4ecde2438ea306bd4850eb32
Reviewed-on: https://review.haiku-os.org/c/haiku/+/1859
Reviewed-by: waddlesplash <waddlesplash@gmail.com>
2019-10-19 17:03:05 +00:00
Jérôme Duval
be06cb25e9 libroot: make API version available.
Change-Id: I370d5c8e9b4f076e7f115ca6c87bc7f943d36c17
Reviewed-on: https://review.haiku-os.org/c/haiku/+/1850
Reviewed-by: Rene Gollent <rene@gollent.com>
2019-09-13 13:38:08 +00:00
Augustin Cavalier
12eb0e5d89 libroot: Add a private __look_up_in_path function.
Refactored out of execvpe. Originally I did this for my attempted
change to posix_spawn, but that change turned out to be wrong and
actually not that beneficial. This bit seems potentially useful,
though, so here it is.
2019-08-30 16:24:09 -04:00
Michael Lotz
e4103b1b92 libroot: Introduce thread specific heap init/exit hooks.
This allows heap implementations to initialize and clean up any thread
specific structures. The current default hoard heap does not use these.

Note that the thread exit hook will not be called for the main thread as
the heap may be needed during process termination (__cxa_finalize for
example).

Change-Id: I703fbd34dec0d9029d619a2125c5b19d8c1933aa
Reviewed-on: https://review.haiku-os.org/799
Reviewed-by: waddlesplash <waddlesplash@gmail.com>
2018-12-25 23:00:20 +00:00
Jérôme Duval
17b2a3cfcb fork(): Defer signals and lock the heaps while _kern_fork().
* Also defer signals while registering fork hooks.
* While malloc provides fork heap hooks which lock the heaps and unlock/reinit,
  malloc_debug provides empty hooks.
* Ideas suggested by Ingo, patch reviewed by him. Thanks a lot!
* Also call fork parent hooks on failure.
* Solve lock-ups when combining multithreading and process forking, should help
  with #13111.
2016-12-17 21:11:15 +01:00
Michael Lotz
f474606ee9 libroot_debug: Merge guarded heap into libroot_debug.
The individual debug heap implementations are now exposed via a
structure of function pointers and a common frontend dispatches the
malloc and malloc_debug APIs through them.

The MALLOC_DEBUG environment variable can be used to select the guarded
heap by adding 'g', otherwise the debug heap is used as the default.
Consequently the separate libroot_guarded is not needed anymore and has
been removed.

To allow the use of environment variables this early, init_env_post_heap
has been added and the heap dependent atfork() moved there. This allowed
to fold the code of init_heap_post_env into init_heap so the former has
been removed.
2015-08-13 22:12:18 +02:00
Michael Lotz
c012e7e930 libroot: Add private __arch_get_stack_trace().
It can be used to get a stack trace of the current thread. Note that
this works by walking frame pointers and will not produce anything
useful if an application is compiled with the frame pointers omitted.

The stack base and end addresses have to be provided as arguments and
are used to check that the frame pointers fall within that range. These
values are thread specific and can be retrieved with get_thread_info().
No other sanity checks (like checking for loops in the linked list) are
done.

This is a simplified rewrite of the stack trace code from the kernel
debugger.

As this code is common to x86 and x86_64 but is not generic across
architectures I introduced x86_common as a directory to put such
sources.
2015-04-11 23:37:54 +02:00
Michael Lotz
ec0190adb0 malloc_debug: Implement allocation dump on exit in guarded heap.
When enabled (using heap_debug_dump_allocations_on_exit(true) or
MALLOC_DEBUG=e) this causes a dump of all remaining allocations when
libroot_debug is unloaded. It uses terminate_after to be called as
late as possible.

When combined with alloc stack traces this makes for a nice if a bit
crude leak checker. Note that a lot of allocations usually remain
even at that stage due to statically, lazily and globally allocated
stuff from the various system libraries where it isn't necessarily
worth the overhead to free them when the program terminates anyway.
2015-04-10 17:04:28 +02:00
Ingo Weinhold
e551626f40 Implement support for a SYS:ENV attribute on executable
__flatten_process_args() does now have the executable path as an
additional (optional) parameter. If specified, the function will read
the file's SYS:ENV attribute (if set) and use its value to modify the
environment it is preparing for the new process. Currently supported
attribute values are strings consisting of "<var>=<value>" substrings
separated by "\0" (backslash zero), with '\' being used as an escape
character. The environment will be altered to contain the specified
"<var>=<value>" elements, replacing a preexisting <var> element (if
any).

A possible use case would be setting a SYS:ENV attribute with value
"DISABLE_ASLR=1" on an executable that needs ASLR disabled.
2013-12-01 18:34:07 +01:00
Pawel Dziepak
07e1875ea2 libroot: explicitly check ABI version
As Axel suggested use simple, explicit checks for legacy ABI version
instead of obscure "compatibility mode".
2013-05-22 19:31:05 +02:00
Pawel Dziepak
5d0a1da8bf libroot: make all areas executable for old binaries
* If at least one image is either B_HAIKU_ABI_GCC_2_ANCIENT or
   B_HAIKU_ABI_GCC_2_BEOS almost all areas are marked as executable.
 * B_EXECUTE_AREA and B_STACK_AREA are made public. The former is enforced since
   the introduction of DEP and apps need it to correctly set area protection.
   The latter is currently needed only to recognize stack areas and fix their
   protection in compatibility mode, but may also be useful if an app wants
   to use sigaltstack from POSIX API.
2013-05-15 00:06:39 +02:00
Pawel Dziepak
e85e399fd7 commpage: randomize position of commpage
This patch introduces randomization of commpage position. From now on commpage
table contains offsets from the beginning of the commpage to the particular
commpage entry. Similarly addresses of symbols in ELF memory image "commpage"
are just offsets from the beginning of the commpage.

This patch also updates KDL so that commpage entries are recognized and shown
correctly in stack trace. An update of Debugger is yet to be done.
2013-04-04 15:27:22 +02:00
Ingo Weinhold
24df65921b Merged signals-merge branch into trunk with the following changes:
* Reorganized the kernel locking related to threads and teams.
* We now discriminate correctly between process and thread signals. Signal
  handlers have been moved to teams. Fixes #5679.
* Implemented real-time signal support, including signal queuing, SA_SIGINFO
  support, sigqueue(), sigwaitinfo(), sigtimedwait(), waitid(), and the addition
  of the real-time signal range. Closes #1935 and #2695.
* Gave SIGBUS a separate signal number. Fixes #6704.
* Implemented <time.h> clock and timer support, and fixed/completed alarm() and
  [set]itimer(). Closes #5682.
* Implemented support for thread cancellation. Closes #5686.
* Moved send_signal() from <signal.h> to <OS.h>. Fixes #7554.
* Lots of smaller more or less related changes.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@42116 a95241bf-73f2-0310-859d-f6bbb57e9c96
2011-06-12 00:00:23 +00:00
Jérôme Duval
bafa759148 now correctly init the thread id in the pthread struct for main thread and threads spawned with spawn_thread(). This definitely helps for #7235.
git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@40665 a95241bf-73f2-0310-859d-f6bbb57e9c96
2011-02-24 17:28:59 +00:00
Axel Dörfler
3d0d4b6200 * Implemented a way to specify additional debug options via MALLOC_DEBUG when
  using libroot_debug.so, instead of having to hardcode them in the application
  via calling private heap functions.
* The following options are implemented: 'p' turns on paranoid validation,
  'w' triggers periodic wall checking every 500ms ('W' does the same, but every
  100ms), 'g' to use guard pages (beware, this will dramatically increase
  memory usage), and 'r' which forbids reusing of memory, freed memory is never
  actually freed.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@40514 a95241bf-73f2-0310-859d-f6bbb57e9c96
2011-02-15 17:54:24 +00:00
Ingo Weinhold
f71274580b * Private libroot locking primitives:
  - Reimplemented mutex to use the _kern_mutex*() syscalls.
  - The initializer functions cannot fail anymore -- changed their return type
    to void.
  - Changed the initializer function semantics to not copy the name by default
    anymore (as in the kernel). Also added *_etc() versions of them that take
    additional flags.
  - Added static initializer macros.
  - Made the mutex (and thus recursive_lock) lock functions non-interruptible.
  - Got rid of the "lazy" version. They are no longer needed, since the
    initialization of the standard types can be done statically and cannot fail.
* Adjusted libroot, runtime loader, and other code using the private libroot
  locking primitives to the new semantics.
* pthreads mutexes and condition variables:
  - Reimplemented using the _kern_mutex*() syscalls.
  - Consistently use POSIX error codes.
  - Fixed some not quite POSIX compliant behavior.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@36323 a95241bf-73f2-0310-859d-f6bbb57e9c96
2010-04-15 21:52:49 +00:00
Axel Dörfler
f4ab5d73ce * This fixes the remaining warnings in exit.c
git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@34294 a95241bf-73f2-0310-859d-f6bbb57e9c96
2009-11-26 17:00:09 +00:00
Ingo Weinhold
e10b4cace5 Added __arch_get_caller(). Correctly implemented for x86 only.
git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@28567 a95241bf-73f2-0310-859d-f6bbb57e9c96
2008-11-08 22:09:28 +00:00
Ingo Weinhold
2965c99fea * Changed the _kern_exec() and _kern_load_image() syscalls. They expect
  a flattened argument/environment buffer now. This simplifies the work
  for the kernel a bit, since it can just copy the buffer and check
  whether it looks OK instead of messing around with individual strings.
  The runtime loader also gets a flattened array.
* Set the maximum size of the arguments/environment buffer to 128 KB.
  When more arguments are passed, we fail with a proper error code
  (instead of just truncating the arguments as before).
* On exec*() the first argument was silently replaced by the given path
  name, which is not correct.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@26119 a95241bf-73f2-0310-859d-f6bbb57e9c96
2008-06-24 03:37:07 +00:00
Ingo Weinhold
f694f63e2b * Moved private passwd/group/shadow passwd limit constants from
  <libroot_private.h> to <user_group.h>.
* Added support in the registrar for adding and modifying users.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@25040 a95241bf-73f2-0310-859d-f6bbb57e9c96
2008-04-19 00:10:51 +00:00
Ingo Weinhold
a94ce1c912 * Reorganized the passwd and group support: A dedicated thread in the
  registrar provides access to the DBs via a port message based
  protocol. The functions in libroot just ask the registrar now.
* Added Linuxish shadow passwd support. No putspent() though -- we'll
  provide private functions.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@25002 a95241bf-73f2-0310-859d-f6bbb57e9c96
2008-04-17 16:19:18 +00:00
Ingo Weinhold
f8cb30712e * Replaced the dummy implementations of the <grp.h> and <pwd.h>
  functions by ones reading /etc/{group,passwd}.
* Added quasi-standard getpwent_r() and getgrent_r().
* Added _SC_GETGR_R_SIZE_MAX and _SC_GETPW_R_SIZE_MAX sysconf()
  constants.
* Moved initgroups() and getgrouplist() definition to grp.cpp. They use
  the same backend as the <grp.h> functions.
* Set the permissions of files created by the build system to what they
  should be on the image (executables: 755, others: 644). Otherwise only
  root could do anything under Haiku.
* Added build system variables HAIKU_ROOT_USER_NAME and
  HAIKU_ROOT_USER_REAL_NAME to customize name and real name of Haiku's
  root user.
* Added build system rules AddUserToHaikuImage and AddGroupToHaikuImage
  for adding additional users and groups (by default only root user and
  group and a "users" group are created).
* Adjusted BIND port and coreutils config.h files according to what
  features have become available.
* Fixed HAIKU_DOCUMENTATION_OBJECT_DIR definition. Untested, but it used
  a wrong variable name before.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@24750 a95241bf-73f2-0310-859d-f6bbb57e9c96
2008-04-02 14:02:52 +00:00
Ingo Weinhold
c7c82420e1 _single_threaded should have C linkage. Was for some reason only a
problem with gcc 4.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@24565 a95241bf-73f2-0310-859d-f6bbb57e9c96
2008-03-25 01:56:46 +00:00
Jérôme Duval
30cce27770 Patch from kaliber: use path of executable instead of the command. Thanks!
this fixes bug #1773 and #1824. I tested only #1773.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@24131 a95241bf-73f2-0310-859d-f6bbb57e9c96
2008-02-26 00:03:51 +00:00
François Revol
82062f804c Works much better when actually allocating the TLS entry...
Now the backend works, Login can list users.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@23509 a95241bf-73f2-0310-859d-f6bbb57e9c96
2008-01-14 02:03:34 +00:00
Axel Dörfler
74c0424a43 * Added a mechanism to retrieve a BMessage with eventual error descriptions
  for _kern_load_image().
* Added KMessage to the runtime_loader (a bit hacky, though) - it will use
  it to deliver the above mentioned functionality.
* load_dependencies() did return the wrong status code in case a library
  was missing; now it returns B_MISSING_LIBRARY.
* load_dependencies() will now try to load all dependencies when a report
  message is requested; therefore, all missing libraries are listed.
* Renamed uspace_program_args to user_space_program_args.
* The kernel filled in various members of the user_space_program_args structure
  unsafely, i.e. was not using user_memcpy().
* Renamed some local variables in team.c to better fit our style guide (i.e.
  uargs to userArgs).
* Changed Tracker to use the new _kern_load_image() variant on Haiku to retrieve
  and report all missing libraries. This fixes bug #1324.
* Adapted kernel_cpp.cpp to the runtime loader as well; the latter will now
  compile with _LOADER_MODE defined.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@21715 a95241bf-73f2-0310-859d-f6bbb57e9c96
2007-07-27 02:32:19 +00:00
Axel Dörfler
7f4e6824df Added a private call to get the dependencies of a loaded image. This will be used
to determine linkage of libnet.so vs. libsocket.so/libbind.so in the libnetwork.so.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@19008 a95241bf-73f2-0310-859d-f6bbb57e9c96
2006-10-06 11:40:20 +00:00
Stephan Aßmus
34a9556215 Made our glue code compatible to BeOS again. IOW executables compiled for Haiku will
now run under BeOS as well (as long as they don't use any functions that are not
available under R5).
The solution is a bit messy, but we have to live with it :-)
The runtime loader now patches the __gRuntimeLoader symbol in libroot.so to point
to its exported structure instead of passing it to the init functions as an
argument.
(Hax0red by axeld and bonefish on stippi's assimilated machine -- resistance is futile)


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@15848 a95241bf-73f2-0310-859d-f6bbb57e9c96
2006-01-06 03:48:11 +00:00
Ingo Weinhold
09bb4e9ac5 The real_time_data structure contains an architecture specific
substructure now (that's the only member actually). The system time
offset is therefore accessed via architecture specific accessor
functions.
Note, that this commit breaks the PPC build. Since I want to rename at
least one file I've already changed, I can't avoid that.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@15835 a95241bf-73f2-0310-859d-f6bbb57e9c96
2006-01-04 02:17:59 +00:00
Axel Dörfler
43ed6aa0db The "shebang" handler is supposed to parse arguments, too - we now do that.
Also, when the line is too long, E2BIG is returned.
Thanks to Korli who pointed me to this: http://homepages.cwi.nl/~aeb/std/shebang/


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@13114 a95241bf-73f2-0310-859d-f6bbb57e9c96
2005-06-14 12:39:06 +00:00
Axel Dörfler
be22452f3b Apparently, both load_image() and exec*() support running scripts. We do that
now as well.
Also, both functions will now test if the executable exists and is valid; that
way, load_image()/exec*() can catch many errors without having to create a new
team (or erase the current one - an exec*("my invalid app") might now return
with an error).
The runtime linker now exports a function to test executables that is aware
of the search paths, and will also check user permissions upfront.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@13113 a95241bf-73f2-0310-859d-f6bbb57e9c96
2005-06-14 11:23:29 +00:00
Axel Dörfler
c4472a00b1 The heap is now initialized by libroot_init.c::initialize_before(), so
that we no longer need an initialize_after().
Put the architecture dependent hoard functions into the BPrivate namespace
as well. Minor cleanup.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@11956 a95241bf-73f2-0310-859d-f6bbb57e9c96
2005-03-23 01:47:21 +00:00
Axel Dörfler
2bf23eaa75 Added __init_env() prototype.
git-svn-id: file:///srv/svn/repos/haiku/trunk/current@11666 a95241bf-73f2-0310-859d-f6bbb57e9c96
2005-03-10 22:36:53 +00:00
Axel Dörfler
312ecc1ec3 Added prototypes for __init_time() and __arch_init_time().
git-svn-id: file:///srv/svn/repos/haiku/trunk/current@9994 a95241bf-73f2-0310-859d-f6bbb57e9c96
2004-11-18 03:03:24 +00:00
Axel Dörfler
709d033403 Added prototypes for __init_image() and __init_dlfcn() so that they don't have
to be defined in the source files anymore.


git-svn-id: file:///srv/svn/repos/haiku/trunk/current@9302 a95241bf-73f2-0310-859d-f6bbb57e9c96
2004-10-12 16:26:44 +00:00
Axel Dörfler
d6f96fbff9 Added a header that contains private libroot definitions.
git-svn-id: file:///srv/svn/repos/haiku/trunk/current@7371 a95241bf-73f2-0310-859d-f6bbb57e9c96
2004-05-03 12:42:43 +00:00