| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Fix readpassphrase(3) when it's called with stdin being closed.
Approved by: re (delphij)
| |
fails.
This bug could be reproduced easily by calling sem_open() with O_CREAT |
O_EXCL on a semaphore that is already open in the process. The struct
sem_nameinfo would be freed while still in sem_list and later calls to
sem_open() or sem_close() could access freed memory.
PR: 206396
| |
Move fdopen() up near other resource allocation like malloc(); do proper
deallocation on failure later on in the function.
Approved by: jhb
Sponsored by: Panasas, Inc.
| |
Fix lockf(3) cancellation behaviour.
| |
contain cwd.
| |
Unbreak compiling getnetgrent.c with -DDEBUG after r236402 by adding a
missing "}"
Sponsored by: EMC / Isilon Storage Division
| |
Remove a set but unused variable in __getgroupmembership to fix a gcc 4.9+ warning
Sponsored by: EMC / Isilon Storage Division
| |
The old code was exponential in the number of asterisks in the pattern.
However, once a match has been found up to the next asterisk, the previous
asterisks are no longer relevant.
| |
Shell syntax is too complicated to detect command substitution and unquoted
operators reliably without implementing much of sh's parser. Therefore, have
sh do this detection.
While changing sh's support anyway, also read input from a pipe instead of
arguments to avoid {ARG_MAX} limits and improve privacy, and output count
and length using 16 instead of 8 digits.
The basic concept is:
execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2",
"", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>);
The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to
fail strings containing unquoted braces with code WRDE_BADCHAR. Since this
is normally not a syntax error in sh, there is still a need for checking
code in libc, we_check().
The new we_check() is an optimistic check that all the characters
<newline> | & ; < > ( ) { }
are quoted. To avoid duplicating too much sh logic, such characters are
permitted when quoting characters are seen, even if the quoting characters
may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad
characters that get past it and are a syntax error in sh return WRDE_SYNTAX.
Although many implementations of WRDE_NOCMD erroneously allow some command
substitutions (and ours even documented this), there appears to be code that
relies on its security (codesearch.debian.net shows quite a few uses).
Passing untrusted data to wordexp() still exposes a denial of service
possibility and a fairly large attack surface.
This is also a MFC of r286830 to reduce conflicts. I changed the code
somewhat to avoid changes from r286941; in particular, WRDE_BADVAL can still
only be returned if WRDE_UNDEF was passed.
Relnotes: yes
Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
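A caller-side view of the behaviour this commit message describes, as an added example that is not part of the commit or of FreeBSD's libc: untrusted text is expanded with WRDE_NOCMD, the WRDE_CMDSUB and WRDE_BADCHAR results are surfaced, and input length and word count are bounded because of the remaining denial-of-service exposure. The name `expand_untrusted`, the `EXP_*` codes and both limits are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Assumed caller policy, not part of wordexp(3): bound input and output. */
#define MAX_INPUT_LEN 256
#define MAX_WORDS     16
enum { EXP_TOO_LONG = 1000, EXP_TOO_MANY = 1001 };

/* Expand untrusted text with command substitution refused.
 * Returns 0 and sets *nwords, a WRDE_* code, or one of the EXP_* codes. */
static int expand_untrusted(const char *input, size_t *nwords)
{
    wordexp_t we;
    int rc;

    *nwords = 0;
    memset(&we, 0, sizeof(we));         /* keeps wordfree() safe on early failure */
    if (strlen(input) > MAX_INPUT_LEN)
        return EXP_TOO_LONG;            /* limit work before any parsing */

    rc = wordexp(input, &we, WRDE_NOCMD);
    if (rc != 0) {
        if (rc == WRDE_NOSPACE)         /* a partial result may be allocated */
            wordfree(&we);
        return rc;                      /* WRDE_CMDSUB, WRDE_BADCHAR, ... */
    }
    if (we.we_wordc > MAX_WORDS)
        rc = EXP_TOO_MANY;              /* e.g. a glob matching a large tree */
    else
        *nwords = we.we_wordc;
    wordfree(&we);
    return rc;
}

int main(void)
{
    /* Constructed inputs standing in for untrusted strings. */
    const char *inputs[] = { "one two 'three four'", "$(id)", "`id`", "a;b", "'a;b'" };
    size_t n;

    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        int rc = expand_untrusted(inputs[i], &n);
        printf("%-24s rc=%d words=%zu\n", inputs[i], rc, n);
    }
    return 0;
}
```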
| |
Switch libc from using _sig{procmask,action,suspend} symbols, which
are aliases for the syscall stubs and are plt-interposed, to the
libc-private aliases of internally interposed sigprocmask() etc.
MFC r287300:
Use libthr interposed functions instead of syscalls, in posix_spawn()'s
child.
| |
if possible.
The kern.proc.umask.<pid> sysctl allows querying the umask without
temporarily modifying it.
r280713 is the actual change, while r279084 is a whitespace change.
| |
PR: 200942
Submitted by: Conrad Meyer
| |
Fix sysctl(3) so it returns the intended values for all mib names in
the 'user' sysctl tree, which have all been coming back 0 or empty
since r240176.
Approved by: re
| |
Reassign copyright statements on several files from Advanced
Computing Technologies LLC to Hudson River Trading LLC.
| |
Remove the note about seekdir() removing telldir() cookies. That was
removed back in r269204.
| |
Remove the write-only variable phent.
| |
Tweak seekdir, telldir and readdir so that when there are deletes going on,
a seek to the last location saved will still work. This is needed for Samba
to be able to correctly handle delete requests from Windows. This does not
completely fix seekdir when deletes are present but fixes the worst of the
problems. The real solution must involve some changes to the API for the VFS
and getdirentries(2).
Obtained from: Panzura inc
MFH: r282550 (jhb@)
A few style fixes and expand the comment a bit on what _fixtelldir() is
doing.
MFH: r282560 (jhb@)
Tweak the comment here some more. In particular, the previous opening
sentence was a bit confusing.
Noted by: kib
| |
Remove code to support the top of the stack layout for FreeBSD 1.x/2.x
kernel.
| |
Make wait6(2), waitid(3) and ppoll(2) cancellation points.
| |
Per Austin group issue #884, sh should not import IFS from the environment
but always set it to $' \t\n'. For wordexp(), however, it is documented and
useful for it to use IFS from the environment.
Since sh currently imports IFS from the environment, this change has no
functional effect.
| |
When following symlinks, fts returned FTS_SLNONE when fstatat(flag=0)
failed, but a subsequent fstatat(flag=AT_SYMLINK_NOFOLLOW) succeeded. This
incorrectly triggered if a filename existed to be read from the directory,
was deleted before the fstatat(flag=0) and created again after the
fstatat(flag=0).
Fix this by only returning FTS_SLNONE if the result from
fstatat(flag=AT_SYMLINK_NOFOLLOW) is actually a symlink. If it is not a
symlink, treat it as if fstatat(flag=0) succeeded.
PR: 196724
| |
As a result, the kernel needs to process shorter pathnames if fts is not
changing directories (if fts follows symlinks (-L option to utilities), fts
cannot open "." or FTS_NOCHDIR was specified).
Side effect: If pathnames exceed PATH_MAX, [ENAMETOOLONG] is not hit at the
stat stage but later (opendir or application fts_accpath) or not at all.
| |
setmode(3): Make sure that setmode sets errno on failure.
Our man page already documented this partially but now
we provide more consistent behavior.
PR: 136669
Obtained from: NetBSD (CVS rev. 1.31, 1.33)
Relnotes: yes
| |
Update most userspace consumers of capability.h to use capsicum.h instead.
auditdistd is not updated as I will make the change upstream and then do a
vendor import sometime in the next week or two.
Note that a significant fraction does not apply, as FreeBSD 10 doesn't
contain a Capsicumised ping, casperd, libcasper, etc. When these features
are merged, the capsicum.h change will need to be merged with them.
Sponsored by: Google, Inc.
| |
Update system man pages for s/capability.h/capsicum.h/.
Sponsored by: Google, Inc.
| |
Fix typo.
| |
ulimit(3): Fix broken check.
The existing implementation had a broken comparison that could
overflow and return confusing values. Replace this with a check
that avoids the overflow before it happens.
Consistently return a maximum value also on the case of negative
arguments since negative is considered an overflow and means
infinity for our current setrlimit().
New revamped version is credited to Bruce Evans.
CID: 1199295
| |
getdiskbyname(): plug resource leak
Variable cq going out of scope leaks the storage it points to.
CID: 270511
Phabric: D1775
Reviewed by: imp
Obtained from: NetBSD (CVS rev. 1.34)
| |
Properly interpose libc spinlocks, was missed in r276630.
| |
Also, make sure to document the return values and errors for all three
functions in the man page.
PR: 191931
| |
Adjust the test that used to fail because of this bug.
PR: 191936
| |
The error code is per Austin Group issue #315.
I provided different wording for the manual page change.
Submitted by: pluknet
| |
(or loading a dso linked to libthr.so into process which was not
linked against threading library).
MFC r276630:
Remove interposing, fix malloc, reinstall signal handlers wrappers on
libthr load.
MFC r276681:
Avoid calling internal libc function through PLT or accessing data
through GOT.
MFC r277032:
Reduce the size of the interposing table and amount of
cancellation-handling code in the libthr.
MFC note:
r276646 ("do not erronously export 'openat' symbol from rtld") is not
applicable to stable/10 yet, since PATHFDS support was not merged.
| |
Add rtld private interface for dso to detect dynamic loading
vs. static linking.
| |
Reinstate send() after syslogd restarts.
In r228193 the test of CONNPRIV has been moved to before the _usleep
and send in vsyslog(). When syslogd restarts, this would prevent the
message being logged after the disconnect/connect dance for
scenario #1.
PR: 194751
Submitted by: Peter Creath <pjcreath+freebsd gmail com>
Reviewed By: glebius
| |
Linux LD_ITERATE_PHDR(3):
The dlpi_name field is a null-terminated string giving the
pathname from which the shared object was loaded.
That functionality is much more useful than returning just the short
name.
Update dl_iterate_phdr(3) to follow r272842
MFC of r272842 and r272848
| |
Always seek back to the beginning of a regular directory, even if the
previous seek location was 0. Without this, readdir() would see
dd_loc of zero and call getdirentries() which would start reading
entries at the current seek location of the directory ignoring the
first batch of entries. Also, rewinddir() should always seek so that
it reads the directory from the beginning to get updated entries.
PR: 192935
Approved by: re (gjb)
| |
Fix various edge cases with rewinddir(), seekdir(), and telldir():
- In the unionfs case, opendir() and fdopendir() read the directory's full
contents and cache it. This cache is not refreshed when rewinddir() is
called, so rewinddir() will not notice updates to a directory. Fix this
by splitting the code to fetch a directory's contents out of
__opendir_common() into a new _filldir() function and call this from
rewinddir() when operating on a unionfs directory.
- If rewinddir() is called on a directory opened with fdopendir() before
any directory entries are fetched, rewinddir() will not adjust the seek
location of the backing file descriptor. If the file descriptor passed
to fdopendir() had a non-zero offset, the rewinddir() will not rewind to
the beginning. Fix this by always seeking back to 0 in rewinddir().
This means the dd_rewind hack can also be removed.
- Add missing locking to rewinddir()
- POSIX says that passing a location returned by telldir() to seekdir()
after an intervening call to rewinddir() is undefined, so reclaim any
pending telldir() cookies in the directory when rewinddir() is called.
- If telldir() is called immediately after a call to seekdir(), POSIX
requires the return value of telldir() to equal the value passed to
seekdir(). The current seekdir code with SINGLEUSE enabled breaks
this case as each call to telldir() allocates a new cookie. Instead,
remove the SINGLEUSE code and change telldir() to look for an existing
cookie for the directory's current location rather than always creating
a new cookie.
PR: 121656
| |
a 0 status with a NULL pointer for the login name (result).
Obtained from: Juniper Networks, Inc.
| |
libc/gen: small updates to code originating at OpenBSD
arc4random.c
- CVS rev. 1.22
Change arc4random_uniform() to calculate ``2**32 % upper_bound'' as
``-upper_bound % upper_bound''. Simplifies the code and makes it the
same on both ILP32 and LP64 architectures, and also slightly faster on
LP64 architectures by using a 32-bit remainder instead of a 64-bit
remainder.
- CVS rev. 1.23
Spacing
readpassphrase.c
- CVS rev. v 1.24
most obvious unsigned char casts for ctype
Obtained from: OpenBSD
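The arithmetic behind the arc4random_uniform() entry above, as an added example that is not the OpenBSD or FreeBSD source: in 32-bit unsigned arithmetic `-upper_bound` wraps to `2**32 - upper_bound`, so its remainder equals `2**32 % upper_bound`, and words below that value are rejected to avoid modulo bias. The names `reject_below`, `uniform_below` and `next_word`, and the fixed `STREAM` used in place of a real generator, are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 2**32 % upper_bound using only 32-bit arithmetic. */
static uint32_t reject_below(uint32_t upper_bound)
{
    return -upper_bound % upper_bound;
}

/* Cross-check against the 64-bit form over a sweep of bounds. */
static int identity_holds(void)
{
    for (uint32_t b = 1; b < 200000; b++)
        if (reject_below(b) != (uint32_t)((UINT64_C(1) << 32) % b))
            return 0;
    return reject_below(0x80000001u) == 0x7fffffffu;
}

/* Constructed input: a fixed stream standing in for the real generator. */
static const uint32_t STREAM[] = { 3, 0, 10, 4294967295u };

static uint32_t next_word(size_t *pos)
{
    return STREAM[(*pos)++ % (sizeof(STREAM) / sizeof(STREAM[0]))];
}

/* Draw until the word lies in [min, 2**32), a range whose size is an exact
 * multiple of upper_bound, so r % upper_bound is unbiased. */
static uint32_t uniform_below(uint32_t upper_bound, size_t *draws)
{
    size_t pos = 0;
    uint32_t r = 0;

    if (upper_bound >= 2) {
        uint32_t min = reject_below(upper_bound);
        do {
            r = next_word(&pos);
        } while (r < min);
        r %= upper_bound;
    }
    if (draws != NULL)
        *draws = pos;               /* words consumed, rejected ones included */
    return r;
}

int main(void)
{
    size_t n;
    uint32_t v = uniform_below(6, &n);
    printf("identity=%d min=%u value=%u draws=%zu\n", identity_holds(),
        (unsigned)reject_below(6), (unsigned)v, n);
    return 0;
}
```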
| |
Implement sysconf(_SC_GETGR_R_SIZE_MAX) and sysconf(_SC_GETPW_R_SIZE_MAX).
| |
Add MLINK for fdclosedir.3 to directory.3 and sort fdopendir(3) entry.
| |
Add a new flag to /etc/ttys: onifconsole. This is equivalent to "on" if the
device is an active kernel console and "off" otherwise. This is designed to
allow serial-booting x86 systems to provide a login prompt on the serial line
by default without providing one on all systems by default. Set this flag
on x86 systems for ttyu0.
Comments and suggestions by: grehan, dteske, jilles
| |
Fix sem_unlink(3) to properly invalidate the semaphores name cache.
PR: standards/189353
| |
Style.
| |
Make fts_open(3) treat an empty pathname like any other pathname that cannot
be lstatted because of [ENOENT].
It is rather confusing if rm -rf file1 "" file2 does not remove file1 and
file2.
PR: bin/187264
| |
To avoid missing a chance to cancel thread, call _pthread_testcancel at the
beginning of _sem_timedwait.
Submitted by: Eric van Gyzen < eric at vangyzen dot net >
| |
If rare conditions such as concurrent conflicting manipulation of the
filesystem occur, fts_read() frees the current FTSENT without adjusting
the pointers in the FTS accordingly. A later fts_close() then frees the
same FTSENT again.
| |
The posix_fallocate(2) syscall should return error number on error,
without modifying errno.
MFC r261290:
The posix_madvise(3) and posix_fadvise(2) should return error on
failure, same as posix_fallocate(2).
| |
- Add manual pages for capability rights (rights(4)), cap_rights_init(3)
family of functions and cap_rights_get(3) function.
- Update remaining Capsicum-related manual pages.
Sponsored by: The FreeBSD Foundation
Reviewed by: bdrewery
Approved by: re (glebius)