<feed xmlns='http://www.w3.org/2005/Atom'>
<title>glibc.git/stdlib/setenv.c, branch master</title>
<link rel='alternate' type='text/html' href='https://git.belthelziquor.com/glibc.git/'/>
<entry>
<title>stdlib: Remove -Wmaybe-uninitialized suppression on setenv.c</title>
<updated>2025-10-20T14:33:54+00:00</updated>
<author>
<name>Adhemerval Zanella</name>
<email>adhemerval.zanella@linaro.org</email>
</author>
<published>2025-10-17T19:12:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.belthelziquor.com/glibc.git/commit/?id=64a0f4b77621a679bae711ec61a7595dcc924a87'/>
<id>64a0f4b77621a679bae711ec61a7595dcc924a87</id>
<content type='text'>
It is not required on current supported gcc.

Reviewed-by: Florian Weimer &lt;fweimer@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
It is not required on current supported gcc.

Reviewed-by: Florian Weimer &lt;fweimer@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>stdlib: Re-implement free (environ) compatibility kludge for setenv</title>
<updated>2025-01-24T21:37:49+00:00</updated>
<author>
<name>Florian Weimer</name>
<email>fweimer@redhat.com</email>
</author>
<published>2025-01-24T09:40:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.belthelziquor.com/glibc.git/commit/?id=12b4a1fc6ecfc278a87159164bdf1d682deb18e2'/>
<id>12b4a1fc6ecfc278a87159164bdf1d682deb18e2</id>
<content type='text'>
For the originally failing application (userhelper from usermode),
it is not actually necessary to call realloc on the environ
pointer.  Yes, there will be a memory leak because the application
assigns a heap-allocated pointer to environ that it never frees,
but this leak was always there: the old realloc-based setenv had
a hidden internal variable, last_environ, that was used in a similar
way to __environ_array_list.  The application is not impacted by
the leak anyway because the relevant operations do not happen in
a loop.

The change here just uses a separate heap allocation and points
environ to that.  This means that if an application calls
free (environ) and restores the environ pointer to the value
at process start, and does not modify the environment further,
nothing bad happens.

This change should not invalidate any previous testing that went into
the original getenv thread safety change, commit 7a61e7f557a97ab597d6
("stdlib: Make getenv thread-safe in more cases").

The new test cases are modeled in part on the env -i use case from
bug 32588 (with !DO_MALLOC &amp;&amp; !DO_EARLY_SETENV), and the previous
stdlib/tst-setenv-malloc test.  The DO_MALLOC &amp;&amp; !DO_EARLY_SETENV
case in the new test should approximate what userhelper from the
usermode package does.

Reviewed-by: Carlos O'Donell &lt;carlos@redhat.com&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
For the originally failing application (userhelper from usermode),
it is not actually necessary to call realloc on the environ
pointer.  Yes, there will be a memory leak because the application
assigns a heap-allocated pointer to environ that it never frees,
but this leak was always there: the old realloc-based setenv had
a hidden internal variable, last_environ, that was used in a similar
way to __environ_array_list.  The application is not impacted by
the leak anyway because the relevant operations do not happen in
a loop.

The change here just uses a separate heap allocation and points
environ to that.  This means that if an application calls
free (environ) and restores the environ pointer to the value
at process start, and does not modify the environment further,
nothing bad happens.

This change should not invalidate any previous testing that went into
the original getenv thread safety change, commit 7a61e7f557a97ab597d6
("stdlib: Make getenv thread-safe in more cases").

The new test cases are modeled in part on the env -i use case from
bug 32588 (with !DO_MALLOC &amp;&amp; !DO_EARLY_SETENV), and the previous
stdlib/tst-setenv-malloc test.  The DO_MALLOC &amp;&amp; !DO_EARLY_SETENV
case in the new test should approximate what userhelper from the
usermode package does.

Reviewed-by: Carlos O'Donell &lt;carlos@redhat.com&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Revert "stdlib: Support malloc-managed environ arrays for compatibility"</title>
<updated>2025-01-24T11:25:29+00:00</updated>
<author>
<name>Florian Weimer</name>
<email>fweimer@redhat.com</email>
</author>
<published>2025-01-24T07:04:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.belthelziquor.com/glibc.git/commit/?id=36fcdfbbc5463e55581fec67141df3493fb81f7e'/>
<id>36fcdfbbc5463e55581fec67141df3493fb81f7e</id>
<content type='text'>
This reverts commit b62759db04b8ed7f829c06f1d7c3b8fb70616493.

Reason for revert: Incompatible with “env -i” and coreutils (bug 32588).

Reviewed-by: H.J. Lu &lt;hjl.tools@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This reverts commit b62759db04b8ed7f829c06f1d7c3b8fb70616493.

Reason for revert: Incompatible with “env -i” and coreutils (bug 32588).

Reviewed-by: H.J. Lu &lt;hjl.tools@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>stdlib: Support malloc-managed environ arrays for compatibility</title>
<updated>2025-01-23T16:43:15+00:00</updated>
<author>
<name>Florian Weimer</name>
<email>fweimer@redhat.com</email>
</author>
<published>2025-01-22T12:48:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.belthelziquor.com/glibc.git/commit/?id=b62759db04b8ed7f829c06f1d7c3b8fb70616493'/>
<id>b62759db04b8ed7f829c06f1d7c3b8fb70616493</id>
<content type='text'>
Some applications set environ to a heap-allocated pointer, call
setenv (expecting it to call realloc), free environ, and then
restore the original environ pointer.  This breaks after
commit 7a61e7f557a97ab597d6fca5e2d1f13f65685c61 ("stdlib: Make
getenv thread-safe in more cases") because after the setenv call,
the environ pointer does not point to the start of a heap allocation.
Instead, setenv creates a separate allocation and changes environ
to point into that.  This means that the free call in the application
results in heap corruption.

The interim approach was more compatible with other libcs because
it does not assume that the incoming environ pointer is allocated
as if by malloc (if it was written by the application).  However,
it seems to be more important to stay compatible with previous
glibc version: assume the incoming pointer is heap allocated,
and preserve this property after setenv calls.

Reviewed-by: Carlos O'Donell &lt;carlos@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Some applications set environ to a heap-allocated pointer, call
setenv (expecting it to call realloc), free environ, and then
restore the original environ pointer.  This breaks after
commit 7a61e7f557a97ab597d6fca5e2d1f13f65685c61 ("stdlib: Make
getenv thread-safe in more cases") because after the setenv call,
the environ pointer does not point to the start of a heap allocation.
Instead, setenv creates a separate allocation and changes environ
to point into that.  This means that the free call in the application
results in heap corruption.

The interim approach was more compatible with other libcs because
it does not assume that the incoming environ pointer is allocated
as if by malloc (if it was written by the application).  However,
it seems to be more important to stay compatible with previous
glibc version: assume the incoming pointer is heap allocated,
and preserve this property after setenv calls.

Reviewed-by: Carlos O'Donell &lt;carlos@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Update copyright dates with scripts/update-copyrights</title>
<updated>2025-01-01T19:22:09+00:00</updated>
<author>
<name>Paul Eggert</name>
<email>eggert@cs.ucla.edu</email>
</author>
<published>2025-01-01T18:14:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.belthelziquor.com/glibc.git/commit/?id=2642002380aafb71a1d3b569b6d7ebeab3284816'/>
<id>2642002380aafb71a1d3b569b6d7ebeab3284816</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>stdlib: Make getenv thread-safe in more cases</title>
<updated>2024-11-21T20:10:52+00:00</updated>
<author>
<name>Florian Weimer</name>
<email>fweimer@redhat.com</email>
</author>
<published>2024-11-21T20:10:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.belthelziquor.com/glibc.git/commit/?id=7a61e7f557a97ab597d6fca5e2d1f13f65685c61'/>
<id>7a61e7f557a97ab597d6fca5e2d1f13f65685c61</id>
<content type='text'>
Async-signal-safety is preserved, too.  In fact, getenv is fully
reentrant and can be called from the malloc call in setenv
(if a replacement malloc uses getenv during its initialization).

This is relatively easy to implement because even before this change,
setenv, unsetenv, clearenv, putenv do not deallocate the environment
strings themselves as they are removed from the environment.

The main changes are:

* Use release stores for environment array updates, following
  the usual pattern for safely publishing immutable data
  (in this case, the environment strings).

* Do not deallocate the environment array.  Instead, keep older
  versions around and adopt an exponential resizing policy.  This
  results in an amortized constant space leak per active environment
  variable, but there already is such a leak for the variable itself
  (and that is even length-dependent, and includes no-longer used
  values).

* Add a seqlock-like mechanism to retry getenv if a concurrent
  unsetenv is observed.  Without that, it is possible that
  getenv returns NULL for a variable that is never unset.  This
  is visible on some AArch64 implementations with the newly
  added stdlib/tst-getenv-unsetenv test case.  The mechanism
  is not a pure seqlock because it tolerates one write from
  unsetenv.  This avoids the need for a second copy of the
  environ array that getenv can read from a signal handler
  that happens to interrupt an unsetenv call.

No manual updates are included with this patch because environ
usage with execve, posix_spawn, system is still not thread-safe
relative to unsetenv.  The new process may end up with an environment
that misses entries that were never unset.  This is the same issue
described above for getenv.

Reviewed-by: Adhemerval Zanella &lt;adhemerval.zanella@linaro.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Async-signal-safety is preserved, too.  In fact, getenv is fully
reentrant and can be called from the malloc call in setenv
(if a replacement malloc uses getenv during its initialization).

This is relatively easy to implement because even before this change,
setenv, unsetenv, clearenv, putenv do not deallocate the environment
strings themselves as they are removed from the environment.

The main changes are:

* Use release stores for environment array updates, following
  the usual pattern for safely publishing immutable data
  (in this case, the environment strings).

* Do not deallocate the environment array.  Instead, keep older
  versions around and adopt an exponential resizing policy.  This
  results in an amortized constant space leak per active environment
  variable, but there already is such a leak for the variable itself
  (and that is even length-dependent, and includes no-longer used
  values).

* Add a seqlock-like mechanism to retry getenv if a concurrent
  unsetenv is observed.  Without that, it is possible that
  getenv returns NULL for a variable that is never unset.  This
  is visible on some AArch64 implementations with the newly
  added stdlib/tst-getenv-unsetenv test case.  The mechanism
  is not a pure seqlock because it tolerates one write from
  unsetenv.  This avoids the need for a second copy of the
  environ array that getenv can read from a signal handler
  that happens to interrupt an unsetenv call.

No manual updates are included with this patch because environ
usage with execve, posix_spawn, system is still not thread-safe
relative to unsetenv.  The new process may end up with an environment
that misses entries that were never unset.  This is the same issue
described above for getenv.

Reviewed-by: Adhemerval Zanella &lt;adhemerval.zanella@linaro.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Update copyright dates with scripts/update-copyrights</title>
<updated>2024-01-01T18:53:40+00:00</updated>
<author>
<name>Paul Eggert</name>
<email>eggert@cs.ucla.edu</email>
</author>
<published>2024-01-01T18:12:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.belthelziquor.com/glibc.git/commit/?id=dff8da6b3e89b986bb7f6b1ec18cf65d5972e307'/>
<id>dff8da6b3e89b986bb7f6b1ec18cf65d5972e307</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>setenv.c: Get rid of alloca.</title>
<updated>2023-06-30T14:31:45+00:00</updated>
<author>
<name>Joe Simmons-Talbott</name>
<email>josimmon@redhat.com</email>
</author>
<published>2023-06-30T14:31:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.belthelziquor.com/glibc.git/commit/?id=9401024e5e6be0e1c3870e185daae865cd4501f4'/>
<id>9401024e5e6be0e1c3870e185daae865cd4501f4</id>
<content type='text'>
Use malloc rather than alloca to avoid potential stack overflow.

Reviewed-by: Adhemerval Zanella &lt;adhemerval.zanella@linaro.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Use malloc rather than alloca to avoid potential stack overflow.

Reviewed-by: Adhemerval Zanella &lt;adhemerval.zanella@linaro.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Move libc_freeres_ptrs and libc_subfreeres to hidden/weak functions</title>
<updated>2023-03-27T16:57:55+00:00</updated>
<author>
<name>Adhemerval Zanella Netto</name>
<email>adhemerval.zanella@linaro.org</email>
</author>
<published>2022-12-27T21:11:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.belthelziquor.com/glibc.git/commit/?id=88677348b4de73874ca7d5a47451f42880f65f07'/>
<id>88677348b4de73874ca7d5a47451f42880f65f07</id>
<content type='text'>
They are both used by __libc_freeres to free all library malloc
allocated resources to help tooling like mtrace or valgrind with
memory leak tracking.

The current scheme uses assembly markers and linker script entries
to consolidate the free routine function pointers in the RELRO segment
and to be freed buffers in BSS.

This patch changes it to use specific free functions for
libc_freeres_ptrs buffers and call the function pointer array directly
with call_function_static_weak.

It allows the removal of both the internal macros and the linker
script sections.

Checked on x86_64-linux-gnu, i686-linux-gnu, and aarch64-linux-gnu.
Reviewed-by: Carlos O'Donell &lt;carlos@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
They are both used by __libc_freeres to free all library malloc
allocated resources to help tooling like mtrace or valgrind with
memory leak tracking.

The current scheme uses assembly markers and linker script entries
to consolidate the free routine function pointers in the RELRO segment
and to be freed buffers in BSS.

This patch changes it to use specific free functions for
libc_freeres_ptrs buffers and call the function pointer array directly
with call_function_static_weak.

It allows the removal of both the internal macros and the linker
script sections.

Checked on x86_64-linux-gnu, i686-linux-gnu, and aarch64-linux-gnu.
Reviewed-by: Carlos O'Donell &lt;carlos@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Update copyright dates with scripts/update-copyrights</title>
<updated>2023-01-06T21:14:39+00:00</updated>
<author>
<name>Joseph Myers</name>
<email>joseph@codesourcery.com</email>
</author>
<published>2023-01-06T21:08:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.belthelziquor.com/glibc.git/commit/?id=6d7e8eda9b85b08f207a6dc6f187e94e4817270f'/>
<id>6d7e8eda9b85b08f207a6dc6f187e94e4817270f</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
</feed>
