glibc.git/posix, branch master Unnamed repository; edit this file 'description' to name the repository. posix: execvpe: fix UMR with file > NAME_MAX [BZ #33627] 2025-11-17T19:57:07+00:00 Pádraig Brady P@draigBrady.com 2025-11-14T13:58:58+00:00 efc8642051e6c4fe5165e8986c1338ba2c180de6 * posix/execvpe.c (__execvpe_common): Since strnlen doesn't inspect beyond NAME_MAX and NAME_MAX does not cover the NUL, we need to explicitly check for the NUL. I.e. the existing check for, file_len-1 > NAME_MAX, was never true. This check is required so that we're guaranteed that file_len includes the NUL, as we depend on that in the following memcpy to properly terminate the file buffer passed to execve(). Otherwise that call will trigger UMR when inspecting the passed file, which can be seen with valgrind. Note returning ENAMETOOLONG early here for FILE names > NAME_MAX will also avoid redundant processing of ENAMETOOLONG on each entry in $PATH, after the change in [BZ #33626] is applied. Reviewed-by: Collin Funk <collin.funk1@gmail.com> 
* posix/execvpe.c (__execvpe_common): Since strnlen doesn't inspect
beyond NAME_MAX and NAME_MAX does not cover the NUL, we need
to explicitly check for the NUL.  I.e. the existing check for,
file_len-1 > NAME_MAX, was never true.  This check is required
so that we're guaranteed that file_len includes the NUL, as we
depend on that in the following memcpy to properly terminate
the file buffer passed to execve().  Otherwise that call will trigger
UMR when inspecting the passed file, which can be seen with valgrind.
Note returning ENAMETOOLONG early here for FILE names > NAME_MAX
will also avoid redundant processing of ENAMETOOLONG on each entry
in $PATH, after the change in [BZ #33626] is applied.

Reviewed-by: Collin Funk <collin.funk1@gmail.com>
Cleanup some recently added whitespace. 2025-10-31T01:56:58+00:00 Collin Funk collin.funk1@gmail.com 2025-10-30T01:34:45+00:00 3fe3f6283302b99b5b2d1615b2a76d20ec791556 Reviewed-by: H.J. Lu <hjl.tools@gmail.com> 
Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
Annotate swtich fall-through 2025-10-29T15:54:01+00:00 Adhemerval Zanella adhemerval.zanella@linaro.org 2025-10-28T17:08:30+00:00 970364dac00b38333e5b2d91c90d11e80141d265 The clang default to warning for missing fall-through and it does not support all comment-like annotation that gcc does. Use C23 [[fallthrough]] annotation instead. proper attribute instead. Reviewed-by: Collin Funk <collin.funk1@gmail.com> 
The clang default to warning for missing fall-through and it does
not support all comment-like annotation that gcc does.  Use C23
[[fallthrough]] annotation instead.
proper attribute instead.

Reviewed-by: Collin Funk <collin.funk1@gmail.com>
Fix incorrect setrlimit return value checks in tests 2025-10-29T01:51:51+00:00 Osama Abdelkader osama.abdelkader@gmail.com 2025-10-28T20:58:35+00:00 96073e9f34acd58dd419584218351e86ba8cf6d8 The setrlimit(2) function returns 0 on success and -1 on error, but several test files were incorrectly checking for a return value of 1 to detect errors. This means the error checks would never trigger, causing tests to continue silently even when setrlimit() failed. This commit fixes the error checks in five files to correctly test for -1, matching both the documented behavior and the pattern used correctly in other parts of the codebase. Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com> Reviewed-by: Collin Funk <collin.funk1@gmail.com> 
The setrlimit(2) function returns 0 on success and -1 on error, but
several test files were incorrectly checking for a return value of 1
to detect errors.  This means the error checks would never trigger,
causing tests to continue silently even when setrlimit() failed.

This commit fixes the error checks in five files to correctly test
for -1, matching both the documented behavior and the pattern used
correctly in other parts of the codebase.

Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
Reviewed-by: Collin Funk <collin.funk1@gmail.com>
posix: Fix memory leak a memory leak in glob. 2025-10-22T02:09:45+00:00 Bruno Haible bruno@clisp.org 2025-10-22T02:06:05+00:00 1eba0b35ad3e860a0d4fae12579e8399355eee44 Found by Coverity in Gnulib. * posix/glob.c (__glob): Add scratch_buffer_free invocation, to match scratch_buffer_init invocation. Reviewed-by: Collin Funk <collin.funk1@gmail.com> 
Found by Coverity in Gnulib.

* posix/glob.c (__glob): Add scratch_buffer_free invocation, to match
scratch_buffer_init invocation.

Reviewed-by: Collin Funk <collin.funk1@gmail.com>
Suppress -Wmaybe-uninitialized only for gcc 2025-10-21T12:24:05+00:00 Adhemerval Zanella adhemerval.zanella@linaro.org 2025-10-17T19:12:40+00:00 76dfd91275c57fa09412436671572337226a90a2 The warning is not supported by clang. Reviewed-by: Sam James <sam@gentoo.org> 
The warning is not supported by clang.

Reviewed-by: Sam James <sam@gentoo.org>
posix: Only enable -Wmaybe-uninitialized suppression on gcc 2025-10-20T14:33:54+00:00 Adhemerval Zanella adhemerval.zanella@linaro.org 2025-10-17T19:13:26+00:00 419908e0c559427b3ad34e9a3b0a6cc27a6edb8e clang does not support this option. Reviewed-by: Collin Funk <collin.funk1@gmail.com> 
clang does not support this option.

Reviewed-by: Collin Funk <collin.funk1@gmail.com>
posix: Avoid a stack overflow when glob is given many slashes [BZ #30635] 2025-10-14T01:19:18+00:00 Collin Funk collin.funk1@gmail.com 2025-10-12T02:01:05+00:00 bb1d27b94a3614c7e48212a04a0b28ec66fb4c49 * posix/glob.c (__glob): Strip trailing slashes before the recursive call, so it is not called for every slash in the pattern. * posix/tst-glob-bz30635.c: Add two test cases that would previously segmentation fault. The first test has many trailing slashes and the second has many slashes following a wildcard character. * posix/Makefile (tests): Add the new test. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> 
* posix/glob.c (__glob): Strip trailing slashes before the recursive
call, so it is not called for every slash in the pattern.
* posix/tst-glob-bz30635.c: Add two test cases that would previously
segmentation fault. The first test has many trailing slashes and the
second has many slashes following a wildcard character.
* posix/Makefile (tests): Add the new test.

Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
shm-directory: Truncated struct member name length 2025-10-01T17:49:10+00:00 Prasanna Paithankar paithankarprasanna@gmail.com 2025-09-04T23:24:34+00:00 4ae9b660486c719f40b39a00619890c4aeeee881 The struct shmdir_name in include/shm-directory.h has name field to contains the full path of the POSIX IPC object (shm and sem). The size was previously set to sizeof (SHMDIR) + 4 + NAME_MAX, where 4 bytes were reserved for the optional "sem." prefix. This led to incorrect execution of the __shm_get_name function in posix/shm-directory.c which is used accross in shm_[open/unlink] and sem_[open/unlink] functions. For shm_[open/unlink]: This is because the name field was large enough to hold 268 characters (255 + 4 + 9) instead of the maximum allowed 263 characters (255 + 9). This caused the __shm_get_name to not throw ENAMETOOLONG error when the name length exceeded NAME_MAX (255) upto 259 characters. For sem_[open/unlink]: Similarly, the __shm_get_name incorrectly returned success for names of length 255 instead of 251 (255 - 4). This was overlooked as finally these functions throw the correct ENAMETOOLONG error; which was thrown by the openat syscall, which is called later in the shm_* and sem_* functions. This patch corrects the size of name field in struct shmdir_name to sizeof (SHMDIR) + NAME_MAX. The __shm_get_name function return ENAMETOOLONG if alloc_buffer_has_failed returns true (which only happens when copy length > alloc_buffer_size (buffer)). Relevant runtime monitoring were done in gdb to confirm the same. Signed-off-by: Prasanna Paithankar <paithankarprasanna@gmail.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> 
The struct shmdir_name in include/shm-directory.h has name field to
contains the full path of the POSIX IPC object (shm and sem).
The size was previously set to sizeof (SHMDIR) + 4 + NAME_MAX, where 4
bytes were reserved for the optional "sem." prefix.

This led to incorrect execution of the __shm_get_name function
in posix/shm-directory.c which is used accross in shm_[open/unlink] and
sem_[open/unlink] functions.

For shm_[open/unlink]:
This is because the name field was large enough to hold 268 characters
(255 + 4 + 9) instead of the maximum allowed 263 characters (255 + 9).
This caused the __shm_get_name to not throw ENAMETOOLONG error when the
name length exceeded NAME_MAX (255) upto 259 characters.

For sem_[open/unlink]:
Similarly, the __shm_get_name incorrectly returned success for names of
length 255 instead of 251 (255 - 4).

This was overlooked as finally these functions throw the correct
ENAMETOOLONG error; which was thrown by the openat syscall, which is
called later in the shm_* and sem_* functions.

This patch corrects the size of name field in struct shmdir_name to
sizeof (SHMDIR) + NAME_MAX. The __shm_get_name function return
ENAMETOOLONG if alloc_buffer_has_failed returns true (which only happens
when copy length > alloc_buffer_size (buffer)).

Relevant runtime monitoring were done in gdb to confirm the same.

Signed-off-by: Prasanna Paithankar <paithankarprasanna@gmail.com>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
assert: Refactor assert/assert_perror 2025-09-23T13:29:24+00:00 Adhemerval Zanella adhemerval.zanella@linaro.org 2025-08-21T11:48:13+00:00 c1016b727ad0955a9c72806d6cfb4596264b6c1e It now calls __libc_assert, which contains similar logic. The assert call only requires memory allocation for the message translation, so test-assert2.c is adapted to handle it. It also removes the fxprintf from assert/assert_perror; although it is not 100% backwards-compatible (write message only if there is a file descriptor associated with the stderr). It now writes bytes directly without going through the wide stream state. Checked on aarch64-linux-gnu. Reviewed-by: Florian Weimer <fweimer@redhat.com> 
It now calls __libc_assert, which contains similar logic. The assert
call only requires memory allocation for the message translation, so
test-assert2.c is adapted to handle it.

It also removes the fxprintf from assert/assert_perror; although it
is not 100% backwards-compatible (write message only if there is a
file descriptor associated with the stderr). It now writes bytes
directly without going through the wide stream state.

Checked on aarch64-linux-gnu.

Reviewed-by: Florian Weimer <fweimer@redhat.com>