-rw-r--r-- | sys-libs/glibc/Manifest | 3 | ||||
-rw-r--r-- | sys-libs/glibc/files/2.20/glibc-2.20-gentoo-chk_fail.c | 299 | ||||
-rw-r--r-- | sys-libs/glibc/files/2.20/glibc-2.20-gentoo-stack_chk_fail.c | 2 | ||||
-rw-r--r-- | sys-libs/glibc/files/2.20/glibc-2.20-hardened-inittls-nosysenter.patch | 306 | ||||
-rw-r--r-- | sys-libs/glibc/files/2.25/glibc-2.25-gentoo-chk_fail.c | 303 | ||||
-rw-r--r-- | sys-libs/glibc/files/nscd.service | 15 | ||||
-rw-r--r-- | sys-libs/glibc/files/nscd.tmpfilesd | 4 | ||||
-rw-r--r-- | sys-libs/glibc/glibc-2.26-r1337.ebuild | 836 |
8 files changed, 1768 insertions, 0 deletions
diff --git a/sys-libs/glibc/Manifest b/sys-libs/glibc/Manifest
new file mode 100644
index 00000000..5175c8fc
--- /dev/null
+++ b/sys-libs/glibc/Manifest
@@ -0,0 +1,3 @@
+DIST gcc-4.7.3-r1-multilib-bootstrap.tar.bz2 8064097 SHA256 34aec5a59bb4d0ecf908c62fd418461d0f3793238296897687305fd7a1f27299 SHA512 40b93e194ad41a75d649d84d1c49070680f253a13f0617803243bc61c44fed1ca2d0a7572a97ebb79353f312b58b5f6360be916dd7435928cc53935082e15269 WHIRLPOOL bbce19e7fe5c30faa55ddd4e29070f0d1fdfca3a04e8d68e0772260fa9be89ccde63ec92badb490209008df5fee6e53dfdeec4ae51857b90ba298a79315a199f
+DIST glibc-2.26-patches-7.tar.bz2 413976 SHA256 840d6ce3dbedbe2f556b6d3dd6abc8f178eca2eba4a9129d6cc9e514aecf7a27 SHA512 0c812a343fcc68c10d92117cb2a0cf1c255470e81f0a7a04d6db2fe35445e410ef37f15162f145c2eb772b08ab55af246f5b52f5e57c2e91038181f6f027abc3 WHIRLPOOL 569eb237576e57266ae3d1b2ecb3858614be4b6b53117fc7785b77d9954ac4b02668b23d120a34d0fa63cf10f292b702747fc417840f3f65f8a1812348de767d
+DIST glibc-2.26.tar.xz 14682748 SHA256 e54e0a934cd2bc94429be79da5e9385898d2306b9eaf3c92d5a77af96190f6bd SHA512 6ed368523bc55f00976f96c5177f114e3f714b27273d7bffc252812c8b98fb81970403c1f5b5f0a61da678811532fb446530745492d2b49bfefc0d5bd71ce8c0 WHIRLPOOL 9091c3bccc9b590de6b9595aa391ba01091f0c301bd9199d7c48fbeaeeb013ec9c683c68b65b59c5a69e3905b7f842cca1b0a410431967ecb3a1229b8535486f
diff --git a/sys-libs/glibc/files/2.20/glibc-2.20-gentoo-chk_fail.c b/sys-libs/glibc/files/2.20/glibc-2.20-gentoo-chk_fail.c
new file mode 100644
index 00000000..a8ab9d8a
--- /dev/null
+++ b/sys-libs/glibc/files/2.20/glibc-2.20-gentoo-chk_fail.c
@@ -0,0 +1,299 @@ +/* Copyright (C) 2004-2014 Free Software Foundation, Inc. + Copyright (C) 2006-2014 Gentoo Foundation Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, write to the Free + Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA + 02111-1307 USA. */ + +/* Hardened Gentoo SSP and FORTIFY handler + + A failure handler that does not use functions from the rest of glibc; + it uses the INTERNAL_SYSCALL methods directly. This helps ensure no + possibility of recursion into the handler. + + Direct all bug reports to http://bugs.gentoo.org/ + + People who have contributed significantly to the evolution of this file: + Ned Ludd - <solar[@]gentoo.org> + Alexander Gabert - <pappy[@]gentoo.org> + The PaX Team - <pageexec[@]freemail.hu> + Peter S. Mazinger - <ps.m[@]gmx.net> + Yoann Vandoorselaere - <yoann[@]prelude-ids.org> + Robert Connolly - <robert[@]linuxfromscratch.org> + Cory Visi <cory[@]visi.name> + Mike Frysinger <vapier[@]gentoo.org> + Magnus Granberg <zorry[@]gentoo.org> + Kevin F. 
Quinn - <kevquinn[@]gentoo.org> + */ + +#include <errno.h> +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> +#include <signal.h> + +#include <sys/types.h> + +#include <sysdep-cancel.h> +#include <sys/syscall.h> + +#include <kernel-features.h> + +#include <alloca.h> +/* from sysdeps */ +#include <socketcall.h> +/* for the stuff in bits/socket.h */ +#include <sys/socket.h> +#include <sys/un.h> + +/* Sanity check on SYSCALL macro names - force compilation + * failure if the names used here do not exist + */ +#if !defined __NR_socketcall && !defined __NR_socket +# error Cannot do syscall socket or socketcall +#endif +#if !defined __NR_socketcall && !defined __NR_connect +# error Cannot do syscall connect or socketcall +#endif +#ifndef __NR_write +# error Cannot do syscall write +#endif +#ifndef __NR_close +# error Cannot do syscall close +#endif +#ifndef __NR_getpid +# error Cannot do syscall getpid +#endif +#ifndef __NR_kill +# error Cannot do syscall kill +#endif +#ifndef __NR_exit +# error Cannot do syscall exit +#endif +#ifdef SSP_SMASH_DUMPS_CORE +# define ENABLE_SSP_SMASH_DUMPS_CORE 1 +# if !defined _KERNEL_NSIG && !defined _NSIG +# error No _NSIG or _KERNEL_NSIG for rt_sigaction +# endif +# if !defined __NR_sigaction && !defined __NR_rt_sigaction +# error Cannot do syscall sigaction or rt_sigaction +# endif +/* Although rt_sigaction expects sizeof(sigset_t) - it expects the size + * of the _kernel_ sigset_t which is not the same as the user sigset_t. + * Most arches have this as _NSIG bits - mips has _KERNEL_NSIG bits for + * some reason. + */ +# ifdef _KERNEL_NSIG +# define _SSP_NSIG _KERNEL_NSIG +# else +# define _SSP_NSIG _NSIG +# endif +#else +# define _SSP_NSIG 0 +# define ENABLE_SSP_SMASH_DUMPS_CORE 0 +#endif + +/* Define DO_SIGACTION - default to newer rt signal interface but + * fallback to old as needed. 
+ */ +#ifdef __NR_rt_sigaction +# define DO_SIGACTION(signum, act, oldact) \ + INLINE_SYSCALL(rt_sigaction, 4, signum, act, oldact, _SSP_NSIG/8) +#else +# define DO_SIGACTION(signum, act, oldact) \ + INLINE_SYSCALL(sigaction, 3, signum, act, oldact) +#endif + +/* Define DO_SOCKET/DO_CONNECT functions to deal with socketcall vs socket/connect */ +#if defined(__NR_socket) && defined(__NR_connect) +# define USE_OLD_SOCKETCALL 0 +#else +# define USE_OLD_SOCKETCALL 1 +#endif + +/* stub out the __NR_'s so we can let gcc optimize away dead code */ +#ifndef __NR_socketcall +# define __NR_socketcall 0 +#endif +#ifndef __NR_socket +# define __NR_socket 0 +#endif +#ifndef __NR_connect +# define __NR_connect 0 +#endif +#define DO_SOCKET(result, domain, type, protocol) \ + do { \ + if (USE_OLD_SOCKETCALL) { \ + socketargs[0] = domain; \ + socketargs[1] = type; \ + socketargs[2] = protocol; \ + socketargs[3] = 0; \ + result = INLINE_SYSCALL(socketcall, 2, SOCKOP_socket, socketargs); \ + } else \ + result = INLINE_SYSCALL(socket, 3, domain, type, protocol); \ + } while (0) +#define DO_CONNECT(result, sockfd, serv_addr, addrlen) \ + do { \ + if (USE_OLD_SOCKETCALL) { \ + socketargs[0] = sockfd; \ + socketargs[1] = (unsigned long int)serv_addr; \ + socketargs[2] = addrlen; \ + socketargs[3] = 0; \ + result = INLINE_SYSCALL(socketcall, 2, SOCKOP_connect, socketargs); \ + } else \ + result = INLINE_SYSCALL(connect, 3, sockfd, serv_addr, addrlen); \ + } while (0) + +#ifndef _PATH_LOG +# define _PATH_LOG "/dev/log" +#endif + +static const char path_log[] = _PATH_LOG; + +/* For building glibc with SSP switched on, define __progname to a + * constant if building for the run-time loader, to avoid pulling + * in more of libc.so into ld.so + */ +#ifdef IS_IN_rtld +static const char *__progname = "<ldso>"; +#else +extern const char *__progname; +#endif + +#ifdef GENTOO_SSP_HANDLER +# define ERROR_MSG "stack smashing" +#else +# define ERROR_MSG "buffer overflow" +#endif + +/* Common handler 
code, used by chk_fail + * Inlined to ensure no self-references to the handler within itself. + * Data static to avoid putting more than necessary on the stack, + * to aid core debugging. + */ +__attribute__ ((__noreturn__, __always_inline__)) +static inline void +__hardened_gentoo_fail(void) +{ +#define MESSAGE_BUFSIZ 512 + static pid_t pid; + static int plen, i, hlen; + static char message[MESSAGE_BUFSIZ]; + /* <11> is LOG_USER|LOG_ERR. A dummy date for loggers to skip over. */ + static const char msg_header[] = "<11>" __DATE__ " " __TIME__ " glibc-gentoo-hardened-check: "; + static const char msg_ssd[] = "*** " ERROR_MSG " detected ***: "; + static const char msg_terminated[] = " terminated; "; + static const char msg_report[] = "report to " REPORT_BUGS_TO "\n"; + static const char msg_unknown[] = "<unknown>"; + static int log_socket, connect_result; + static struct sockaddr_un sock; + static unsigned long int socketargs[4]; + + /* Build socket address */ + sock.sun_family = AF_UNIX; + i = 0; + while (path_log[i] != '\0' && i < sizeof(sock.sun_path) - 1) { + sock.sun_path[i] = path_log[i]; + ++i; + } + sock.sun_path[i] = '\0'; + + /* Try SOCK_DGRAM connection to syslog */ + connect_result = -1; + DO_SOCKET(log_socket, AF_UNIX, SOCK_DGRAM, 0); + if (log_socket != -1) + DO_CONNECT(connect_result, log_socket, &sock, sizeof(sock)); + if (connect_result == -1) { + if (log_socket != -1) + INLINE_SYSCALL(close, 1, log_socket); + /* Try SOCK_STREAM connection to syslog */ + DO_SOCKET(log_socket, AF_UNIX, SOCK_STREAM, 0); + if (log_socket != -1) + DO_CONNECT(connect_result, log_socket, &sock, sizeof(sock)); + } + + /* Build message. Messages are generated both in the old style and new style, + * so that log watchers that are configured for the old-style message continue + * to work. 
+ */ +#define strconcat(str) \ + ({ \ + i = 0; \ + while ((str[i] != '\0') && ((i + plen) < (MESSAGE_BUFSIZ - 1))) { \ + message[plen + i] = str[i]; \ + ++i; \ + } \ + plen += i; \ + }) + + /* Tersely log the failure */ + plen = 0; + strconcat(msg_header); + hlen = plen; + strconcat(msg_ssd); + if (__progname != NULL) + strconcat(__progname); + else + strconcat(msg_unknown); + strconcat(msg_terminated); + strconcat(msg_report); + + /* Write out error message to STDERR, to syslog if open */ + INLINE_SYSCALL(write, 3, STDERR_FILENO, message + hlen, plen - hlen); + if (connect_result != -1) { + INLINE_SYSCALL(write, 3, log_socket, message, plen); + INLINE_SYSCALL(close, 1, log_socket); + } + + /* Time to kill self since we have no idea what is going on */ + pid = INLINE_SYSCALL(getpid, 0); + + if (ENABLE_SSP_SMASH_DUMPS_CORE) { + /* Remove any user-supplied handler for SIGABRT, before using it. */ +#if 0 + /* + * Note: Disabled because some programs catch & process their + * own crashes. We've already enabled this code path which + * means we want to let core dumps happen. + */ + static struct sigaction default_abort_act; + default_abort_act.sa_handler = SIG_DFL; + default_abort_act.sa_sigaction = NULL; + __sigfillset(&default_abort_act.sa_mask); + default_abort_act.sa_flags = 0; + if (DO_SIGACTION(SIGABRT, &default_abort_act, NULL) == 0) +#endif + INLINE_SYSCALL(kill, 2, pid, SIGABRT); + } + + /* SIGKILL is only signal which cannot be caught */ + INLINE_SYSCALL(kill, 2, pid, SIGKILL); + + /* In case the kill didn't work, exit anyway. + * The loop prevents gcc thinking this routine returns. + */ + while (1) + INLINE_SYSCALL(exit, 1, 137); +} + +__attribute__ ((__noreturn__)) +#ifdef GENTOO_SSP_HANDLER +void __stack_chk_fail(void) +#else +void __chk_fail(void) +#endif +{ + __hardened_gentoo_fail(); +} 
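Review bot: The bounds test in `strconcat` and the store it guards both go through the function-static `i` and `plen`, so if two threads reach `__hardened_gentoo_fail()` at the same time, one can change the index between the `(i + plen) < (MESSAGE_BUFSIZ - 1)` test and the `message[plen + i] = str[i]` write. No lock or one-shot guard is visible in the hunk, so this looks reachable in a multi-threaded process, and the failure handler is the one place that must not write out of bounds itself. Keeping `message` static but making the counters automatic, `int plen, i, hlen;`, costs a few bytes of stack and gives each thread its own bound check; the `sock.sun_path` copy loop uses the same `i` and benefits too. The 2.25 copy of this file added later in the commit has identical declarations.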
diff --git a/sys-libs/glibc/files/2.20/glibc-2.20-gentoo-stack_chk_fail.c b/sys-libs/glibc/files/2.20/glibc-2.20-gentoo-stack_chk_fail.c
new file mode 100644
index 00000000..4a537bb5
--- /dev/null
+++ b/sys-libs/glibc/files/2.20/glibc-2.20-gentoo-stack_chk_fail.c
@@ -0,0 +1,2 @@
+#define GENTOO_SSP_HANDLER
+#include <debug/chk_fail.c>
diff --git a/sys-libs/glibc/files/2.20/glibc-2.20-hardened-inittls-nosysenter.patch b/sys-libs/glibc/files/2.20/glibc-2.20-hardened-inittls-nosysenter.patch
new file mode 100644
index 00000000..35eabe94
--- /dev/null
+++ b/sys-libs/glibc/files/2.20/glibc-2.20-hardened-inittls-nosysenter.patch
@@ -0,0 +1,306 @@ +When building glibc PIE (which is not something upstream support), +several modifications are necessary to the glibc build process. + +First, any syscalls in PIEs must be of the PIC variant, otherwise +textrels ensue. Then, any syscalls made before the initialisation +of the TLS will fail on i386, as the sysenter variant on i386 uses +the TLS, giving rise to a chicken-and-egg situation. This patch +defines a PIC syscall variant that doesn't use sysenter, even when the sysenter +version is normally used, and uses the non-sysenter version for the brk +syscall that is performed by the TLS initialisation. Further, the TLS +initialisation is moved in this case prior to the initialisation of +dl_osversion, as that requires further syscalls. + +csu/libc-start.c: Move initial TLS initialization to before the +initialisation of dl_osversion, when INTERNAL_SYSCALL_PRE_TLS is defined + +csu/libc-tls.c: Use the no-sysenter version of sbrk when +INTERNAL_SYSCALL_PRE_TLS is defined. + +misc/sbrk.c: Define a no-sysenter version of sbrk, using the no-sysenter +version of brk - if INTERNAL_SYSCALL_PRE_TLS is defined. + +misc/brk.c: Define a no-sysenter version of brk if +INTERNAL_SYSCALL_PRE_TLS is defined. + +sysdeps/unix/sysv/linux/i386/sysdep.h: Define INTERNAL_SYSCALL_PRE_TLS +Make INTERNAL_SYSCALL always use the PIC variant, even if not SHARED. + +Patch by Kevin F. 
Quinn <kevquinn@gentoo.org> +Fixed for 2.10 by Magnus Granberg <zorry@ume.nu> +Fixed for 2.18 by Magnus Granberg <zorry@gentoo.org> +Fixed for 2.20 by Francisco Blas Izquierdo Riera <klondike@gentoo.org> + +--- a/csu/libc-start.c ++++ b/csu/libc-start.c +@@ -28,6 +28,7 @@ + extern int __libc_multiple_libcs; + + #include <tls.h> ++#include <sysdep.h> + #ifndef SHARED + # include <dl-osinfo.h> + extern void __pthread_initialize_minimal (void); +@@ -170,6 +171,11 @@ LIBC_START_MAIN (int (*main) (int, char + } + } + ++# ifdef INTERNAL_SYSCALL_PRE_TLS ++ /* Do the initial TLS initialization before _dl_osversion, ++ since the latter uses the uname syscall. */ ++ __pthread_initialize_minimal (); ++# endif + # ifdef DL_SYSDEP_OSCHECK + if (!__libc_multiple_libcs) + { +@@ -138,10 +144,12 @@ + } + # endif + ++# ifndef INTERNAL_SYSCALL_PRE_TLS + /* Initialize the thread library at least a bit since the libgcc + functions are using thread functions if these are available and + we need to setup errno. */ + __pthread_initialize_minimal (); ++# endif + + /* Set up the stack checker's canary. */ + uintptr_t stack_chk_guard = _dl_setup_stack_chk_guard (); +--- a/csu/libc-tls.c ++++ b/csu/libc-tls.c +@@ -22,12 +22,17 @@ + #include <unistd.h> + #include <stdio.h> + #include <sys/param.h> ++#include <sysdep.h> + + + #ifdef SHARED + #error makefile bug, this file is for static only + #endif + ++#ifdef INTERNAL_SYSCALL_PRE_TLS ++extern void *__sbrk_nosysenter (intptr_t __delta); ++#endif ++ + dtv_t _dl_static_dtv[2 + TLS_SLOTINFO_SURPLUS]; + + +@@ -139,20 +144,29 @@ __libc_setup_tls (size_t tcbsize, size_t + + The initialized value of _dl_tls_static_size is provided by dl-open.c + to request some surplus that permits dynamic loading of modules with +- IE-model TLS. */ ++ IE-model TLS. ++ ++ Where the normal sbrk would use a syscall that needs the TLS (i386) ++ use the special non-sysenter version instead. 
*/ ++#ifdef INTERNAL_SYSCALL_PRE_TLS ++# define __sbrk __sbrk_nosysenter ++#endif + #if TLS_TCB_AT_TP + tcb_offset = roundup (memsz + GL(dl_tls_static_size), tcbalign); + tlsblock = __sbrk (tcb_offset + tcbsize + max_align); + #elif TLS_DTV_AT_TP + tcb_offset = roundup (tcbsize, align ?: 1); + tlsblock = __sbrk (tcb_offset + memsz + max_align + + TLS_PRE_TCB_SIZE + GL(dl_tls_static_size)); + tlsblock += TLS_PRE_TCB_SIZE; + #else + /* In case a model with a different layout for the TCB and DTV + is defined add another #elif here and in the following #ifs. */ + # error "Either TLS_TCB_AT_TP or TLS_DTV_AT_TP must be defined" + #endif ++#ifdef INTERNAL_SYSCALL_PRE_TLS ++# undef __sbrk ++#endif + + /* Align the TLS block. */ + tlsblock = (void *) (((uintptr_t) tlsblock + max_align - 1) +--- a/misc/sbrk.c ++++ b/misc/sbrk.c +@@ -18,6 +18,7 @@ + #include <errno.h> + #include <stdint.h> + #include <unistd.h> ++#include <sysdep.h> + + /* Defined in brk.c. */ + extern void *__curbrk; +@@ -29,6 +30,35 @@ + /* Extend the process's data space by INCREMENT. + If INCREMENT is negative, shrink data space by - INCREMENT. + Return start of new space allocated, or -1 for errors. */ ++#ifdef INTERNAL_SYSCALL_PRE_TLS ++/* This version is used by csu/libc-tls.c whem initialising the TLS ++ if the SYSENTER version requires the TLS (which it does on i386). ++ Obviously using the TLS before it is initialised is broken. */ ++extern int __brk_nosysenter (void *addr); ++void * ++__sbrk_nosysenter (intptr_t increment) ++{ ++ void *oldbrk; ++ ++ /* If this is not part of the dynamic library or the library is used via ++ dynamic loading in a statically linked program update __curbrk from the ++ kernel's brk value. That way two separate instances of __brk and __sbrk ++ can share the heap, returning interleaved pieces of it. */ ++ if (__curbrk == NULL || __libc_multiple_libcs) ++ if (__brk_nosysenter (0) < 0) /* Initialize the break. 
*/ ++ return (void *) -1; ++ ++ if (increment == 0) ++ return __curbrk; ++ ++ oldbrk = __curbrk; ++ if (__brk_nosysenter (oldbrk + increment) < 0) ++ return (void *) -1; ++ ++ return oldbrk; ++} ++#endif ++ + void * + __sbrk (intptr_t increment) + { +--- a/sysdeps/unix/sysv/linux/i386/brk.c ++++ b/sysdeps/unix/sysv/linux/i386/brk.c +@@ -31,6 +31,30 @@ + linker. */ + weak_alias (__curbrk, ___brk_addr) + ++#ifdef INTERNAL_SYSCALL_PRE_TLS ++/* This version is used by csu/libc-tls.c whem initialising the TLS ++ if the SYSENTER version requires the TLS (which it does on i386). ++ Obviously using the TLS before it is initialised is broken. */ ++int ++__brk_nosysenter (void *addr) ++{ ++ void *newbrk; ++ ++ INTERNAL_SYSCALL_DECL (err); ++ newbrk = (void *) INTERNAL_SYSCALL_PRE_TLS (brk, err, 1, addr); ++ ++ __curbrk = newbrk; ++ ++ if (newbrk < addr) ++ { ++ __set_errno (ENOMEM); ++ return -1; ++ } ++ ++ return 0; ++} ++#endif ++ + int + __brk (void *addr) + { +--- a/sysdeps/unix/sysv/linux/i386/sysdep.h ++++ b/sysdeps/unix/sysv/linux/i386/sysdep.h +@@ -187,7 +187,7 @@ + /* The original calling convention for system calls on Linux/i386 is + to use int $0x80. */ + #ifdef I386_USE_SYSENTER +-# ifdef SHARED ++# ifdef __PIC__ + # define ENTER_KERNEL call *%gs:SYSINFO_OFFSET + # else + # define ENTER_KERNEL call *_dl_sysinfo +@@ -358,7 +358,7 @@ + possible to use more than four parameters. */ + #undef INTERNAL_SYSCALL + #ifdef I386_USE_SYSENTER +-# ifdef SHARED ++# ifdef __PIC__ + # define INTERNAL_SYSCALL(name, err, nr, args...) \ + ({ \ + register unsigned int resultvar; \ +@@ -384,6 +384,18 @@ + : "0" (name), "i" (offsetof (tcbhead_t, sysinfo)) \ + ASMFMT_##nr(args) : "memory", "cc"); \ + (int) resultvar; }) ++# define INTERNAL_SYSCALL_PRE_TLS(name, err, nr, args...) 
\ ++ ({ \ ++ register unsigned int resultvar; \ ++ EXTRAVAR_##nr \ ++ asm volatile ( \ ++ LOADARGS_NOSYSENTER_##nr \ ++ "movl %1, %%eax\n\t" \ ++ "int $0x80\n\t" \ ++ RESTOREARGS_NOSYSENTER_##nr \ ++ : "=a" (resultvar) \ ++ : "i" (__NR_##name) ASMFMT_##nr(args) : "memory", "cc"); \ ++ (int) resultvar; }) + # else + # define INTERNAL_SYSCALL(name, err, nr, args...) \ + ({ \ +@@ -447,12 +459,20 @@ + + #define LOADARGS_0 + #ifdef __PIC__ +-# if defined I386_USE_SYSENTER && defined SHARED ++# if defined I386_USE_SYSENTER && defined __PIC__ + # define LOADARGS_1 \ + "bpushl .L__X'%k3, %k3\n\t" + # define LOADARGS_5 \ + "movl %%ebx, %4\n\t" \ + "movl %3, %%ebx\n\t" ++# define LOADARGS_NOSYSENTER_1 \ ++ "bpushl .L__X'%k2, %k2\n\t" ++# define LOADARGS_NOSYSENTER_2 LOADARGS_NOSYSENTER_1 ++# define LOADARGS_NOSYSENTER_3 LOADARGS_3 ++# define LOADARGS_NOSYSENTER_4 LOADARGS_3 ++# define LOADARGS_NOSYSENTER_5 \ ++ "movl %%ebx, %3\n\t" \ ++ "movl %2, %%ebx\n\t" + # else + # define LOADARGS_1 \ + "bpushl .L__X'%k2, %k2\n\t" +@@ -474,11 +494,18 @@ + + #define RESTOREARGS_0 + #ifdef __PIC__ +-# if defined I386_USE_SYSENTER && defined SHARED ++# if defined I386_USE_SYSENTER && defined __PIC__ + # define RESTOREARGS_1 \ + "bpopl .L__X'%k3, %k3\n\t" + # define RESTOREARGS_5 \ + "movl %4, %%ebx" ++# define RESTOREARGS_NOSYSENTER_1 \ ++ "bpopl .L__X'%k2, %k2\n\t" ++# define RESTOREARGS_NOSYSENTER_2 RESTOREARGS_NOSYSENTER_1 ++# define RESTOREARGS_NOSYSENTER_3 RESTOREARGS_3 ++# define RESTOREARGS_NOSYSENTER_4 RESTOREARGS_3 ++# define RESTOREARGS_NOSYSENTER_5 \ ++ "movl %3, %%ebx" + # else + # define RESTOREARGS_1 \ + "bpopl .L__X'%k2, %k2\n\t" +--- a/sysdeps/i386/nptl/tls.h ++++ b/sysdeps/i386/nptl/tls.h +@@ -189,6 +189,15 @@ + desc->vals[3] = 0x51; + } + ++/* We have no sysenter until the tls is initialized which is a ++ problem for PIC. Thus we need to do the right call depending ++ on the situation. 
*/ ++#ifndef INTERNAL_SYSCALL_PRE_TLS ++# define TLS_INIT_SYSCALL INTERNAL_SYSCALL ++#else ++# define TLS_INIT_SYSCALL INTERNAL_SYSCALL_PRE_TLS ++#endif ++ + /* Code to initially initialize the thread pointer. This might need + special attention since 'errno' is not yet available and if the + operation can cause a failure 'errno' must not be touched. */ +@@ -209,7 +218,7 @@ + \ + /* Install the TLS. */ \ + INTERNAL_SYSCALL_DECL (err); \ +- _result = INTERNAL_SYSCALL (set_thread_area, err, 1, &_segdescr.desc); \ ++ _result = TLS_INIT_SYSCALL (set_thread_area, err, 1, &_segdescr.desc); \ + \ + if (_result == 0) \ + /* We know the index in the GDT, now load the segment register. \ diff --git a/sys-libs/glibc/files/2.25/glibc-2.25-gentoo-chk_fail.c b/sys-libs/glibc/files/2.25/glibc-2.25-gentoo-chk_fail.c new file mode 100644 index 00000000..2ef96b75 --- /dev/null +++ b/sys-libs/glibc/files/2.25/glibc-2.25-gentoo-chk_fail.c 
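Review bot: `__sbrk_nosysenter` in the misc/sbrk.c part of this patch hands `oldbrk + increment` to `__brk_nosysenter` with no wraparound test, so an oversized or negative `increment` can wrap the address and the call can report success without the break having moved. As far as I recall, the stock `__sbrk` of this glibc generation guards that addition (the `<stdint.h>` include in the hunk context would be there for it), so the pre-TLS copy appears to come from an older body; please confirm against the 2.20 tree. The only caller shown is `__libc_setup_tls`, whose sizes come from the binary's TLS segment, so exposure is small, but the copy should not be weaker than the function it replaces. The guarded form is below.

```c
  oldbrk = __curbrk;
  if ((increment > 0
       ? ((uintptr_t) oldbrk + (uintptr_t) increment < (uintptr_t) oldbrk)
       : ((uintptr_t) oldbrk < (uintptr_t) -increment))
      || __brk_nosysenter (oldbrk + increment) < 0)
    return (void *) -1;
```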
@@ -0,0 +1,303 @@ +/* Copyright (C) 2004-2014 Free Software Foundation, Inc. + Copyright (C) 2006-2014 Gentoo Foundation Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, write to the Free + Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA + 02111-1307 USA. */ + +/* Hardened Gentoo SSP and FORTIFY handler + + A failure handler that does not use functions from the rest of glibc; + it uses the INTERNAL_SYSCALL methods directly. This helps ensure no + possibility of recursion into the handler. + + Direct all bug reports to http://bugs.gentoo.org/ + + People who have contributed significantly to the evolution of this file: + Ned Ludd - <solar[@]gentoo.org> + Alexander Gabert - <pappy[@]gentoo.org> + The PaX Team - <pageexec[@]freemail.hu> + Peter S. Mazinger - <ps.m[@]gmx.net> + Yoann Vandoorselaere - <yoann[@]prelude-ids.org> + Robert Connolly - <robert[@]linuxfromscratch.org> + Cory Visi <cory[@]visi.name> + Mike Frysinger <vapier[@]gentoo.org> + Magnus Granberg <zorry[@]gentoo.org> + Kevin F. 
Quinn - <kevquinn[@]gentoo.org> + */ + +#include <errno.h> +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> +#include <signal.h> + +#include <sys/types.h> + +#include <sysdep-cancel.h> +#include <sys/syscall.h> + +#include <kernel-features.h> + +#include <alloca.h> +/* from sysdeps */ +#include <socketcall.h> +/* for the stuff in bits/socket.h */ +#include <sys/socket.h> +#include <sys/un.h> + +/* Sanity check on SYSCALL macro names - force compilation + * failure if the names used here do not exist + */ +#if !defined __NR_socketcall && !defined __NR_socket +# error Cannot do syscall socket or socketcall +#endif +#if !defined __NR_socketcall && !defined __NR_connect +# error Cannot do syscall connect or socketcall +#endif +#ifndef __NR_write +# error Cannot do syscall write +#endif +#ifndef __NR_close +# error Cannot do syscall close +#endif +#ifndef __NR_getpid +# error Cannot do syscall getpid +#endif +#ifndef __NR_kill +# error Cannot do syscall kill +#endif +#ifndef __NR_exit +# error Cannot do syscall exit +#endif +#ifdef SSP_SMASH_DUMPS_CORE +# define ENABLE_SSP_SMASH_DUMPS_CORE 1 +# if !defined _KERNEL_NSIG && !defined _NSIG +# error No _NSIG or _KERNEL_NSIG for rt_sigaction +# endif +# if !defined __NR_sigaction && !defined __NR_rt_sigaction +# error Cannot do syscall sigaction or rt_sigaction +# endif +/* Although rt_sigaction expects sizeof(sigset_t) - it expects the size + * of the _kernel_ sigset_t which is not the same as the user sigset_t. + * Most arches have this as _NSIG bits - mips has _KERNEL_NSIG bits for + * some reason. + */ +# ifdef _KERNEL_NSIG +# define _SSP_NSIG _KERNEL_NSIG +# else +# define _SSP_NSIG _NSIG +# endif +#else +# define _SSP_NSIG 0 +# define ENABLE_SSP_SMASH_DUMPS_CORE 0 +#endif + +/* Define DO_SIGACTION - default to newer rt signal interface but + * fallback to old as needed. 
+ */ +#ifdef __NR_rt_sigaction +# define DO_SIGACTION(signum, act, oldact) \ + INLINE_SYSCALL(rt_sigaction, 4, signum, act, oldact, _SSP_NSIG/8) +#else +# define DO_SIGACTION(signum, act, oldact) \ + INLINE_SYSCALL(sigaction, 3, signum, act, oldact) +#endif + +/* Define DO_SOCKET/DO_CONNECT functions to deal with socketcall vs socket/connect */ +#if defined(__NR_socket) && defined(__NR_connect) +# define USE_OLD_SOCKETCALL 0 +#else +# define USE_OLD_SOCKETCALL 1 +#endif + +/* stub out the __NR_'s so we can let gcc optimize away dead code */ +#ifndef __NR_socketcall +# define __NR_socketcall 0 +#endif +#ifndef __NR_socket +# define __NR_socket 0 +#endif +#ifndef __NR_connect +# define __NR_connect 0 +#endif +#define DO_SOCKET(result, domain, type, protocol) \ + do { \ + if (USE_OLD_SOCKETCALL) { \ + socketargs[0] = domain; \ + socketargs[1] = type; \ + socketargs[2] = protocol; \ + socketargs[3] = 0; \ + result = INLINE_SYSCALL(socketcall, 2, SOCKOP_socket, socketargs); \ + } else \ + result = INLINE_SYSCALL(socket, 3, domain, type, protocol); \ + } while (0) +#define DO_CONNECT(result, sockfd, serv_addr, addrlen) \ + do { \ + if (USE_OLD_SOCKETCALL) { \ + socketargs[0] = sockfd; \ + socketargs[1] = (unsigned long int)serv_addr; \ + socketargs[2] = addrlen; \ + socketargs[3] = 0; \ + result = INLINE_SYSCALL(socketcall, 2, SOCKOP_connect, socketargs); \ + } else \ + result = INLINE_SYSCALL(connect, 3, sockfd, serv_addr, addrlen); \ + } while (0) + +#ifndef _PATH_LOG +# define _PATH_LOG "/dev/log" +#endif + +static const char path_log[] = _PATH_LOG; + +/* For building glibc with SSP switched on, define __progname to a + * constant if building for the run-time loader, to avoid pulling + * in more of libc.so into ld.so + */ +#ifdef IS_IN_rtld +static const char *__progname = "<ldso>"; +#else +extern const char *__progname; +#endif + +#ifdef GENTOO_SSP_HANDLER +# define ERROR_MSG "stack smashing" +#else +# define ERROR_MSG "buffer overflow" +#endif + +/* Common handler 
code, used by chk_fail + * Inlined to ensure no self-references to the handler within itself. + * Data static to avoid putting more than necessary on the stack, + * to aid core debugging. + */ +__attribute__ ((__noreturn__, __always_inline__)) +static inline void +__hardened_gentoo_fail(void) +{ +#define MESSAGE_BUFSIZ 512 + static pid_t pid; + static int plen, i, hlen; + static char message[MESSAGE_BUFSIZ]; + /* <11> is LOG_USER|LOG_ERR. A dummy date for loggers to skip over. */ + static const char msg_header[] = "<11>" __DATE__ " " __TIME__ " glibc-gentoo-hardened-check: "; + static const char msg_ssd[] = "*** " ERROR_MSG " detected ***: "; + static const char msg_terminated[] = " terminated; "; + static const char msg_report[] = "report to " REPORT_BUGS_TO "\n"; + static const char msg_unknown[] = "<unknown>"; + static int log_socket, connect_result; + static struct sockaddr_un sock; + static unsigned long int socketargs[4]; + + /* Build socket address */ + sock.sun_family = AF_UNIX; + i = 0; + while (path_log[i] != '\0' && i < sizeof(sock.sun_path) - 1) { + sock.sun_path[i] = path_log[i]; + ++i; + } + sock.sun_path[i] = '\0'; + + /* Try SOCK_DGRAM connection to syslog */ + connect_result = -1; + DO_SOCKET(log_socket, AF_UNIX, SOCK_DGRAM, 0); + if (log_socket != -1) + DO_CONNECT(connect_result, log_socket, &sock, sizeof(sock)); + if (connect_result == -1) { + if (log_socket != -1) + INLINE_SYSCALL(close, 1, log_socket); + /* Try SOCK_STREAM connection to syslog */ + DO_SOCKET(log_socket, AF_UNIX, SOCK_STREAM, 0); + if (log_socket != -1) + DO_CONNECT(connect_result, log_socket, &sock, sizeof(sock)); + } + + /* Build message. Messages are generated both in the old style and new style, + * so that log watchers that are configured for the old-style message continue + * to work. 
+ */ +#define strconcat(str) \ + ({ \ + i = 0; \ + while ((str[i] != '\0') && ((i + plen) < (MESSAGE_BUFSIZ - 1))) { \ + message[plen + i] = str[i]; \ + ++i; \ + } \ + plen += i; \ + }) + + /* Tersely log the failure */ + plen = 0; + strconcat(msg_header); + hlen = plen; + strconcat(msg_ssd); + if (__progname != NULL) + strconcat(__progname); + else + strconcat(msg_unknown); + strconcat(msg_terminated); + strconcat(msg_report); + + /* Write out error message to STDERR, to syslog if open */ + INLINE_SYSCALL(write, 3, STDERR_FILENO, message + hlen, plen - hlen); + if (connect_result != -1) { + INLINE_SYSCALL(write, 3, log_socket, message, plen); + INLINE_SYSCALL(close, 1, log_socket); + } + + /* Time to kill self since we have no idea what is going on */ + pid = INLINE_SYSCALL(getpid, 0); + + if (ENABLE_SSP_SMASH_DUMPS_CORE) { + /* Remove any user-supplied handler for SIGABRT, before using it. */ +#if 0 + /* + * Note: Disabled because some programs catch & process their + * own crashes. We've already enabled this code path which + * means we want to let core dumps happen. + */ + static struct sigaction default_abort_act; + default_abort_act.sa_handler = SIG_DFL; + default_abort_act.sa_sigaction = NULL; + __sigfillset(&default_abort_act.sa_mask); + default_abort_act.sa_flags = 0; + if (DO_SIGACTION(SIGABRT, &default_abort_act, NULL) == 0) +#endif + INLINE_SYSCALL(kill, 2, pid, SIGABRT); + } + + /* SIGKILL is only signal which cannot be caught */ + INLINE_SYSCALL(kill, 2, pid, SIGKILL); + + /* In case the kill didn't work, exit anyway. + * The loop prevents gcc thinking this routine returns. + */ + while (1) + INLINE_SYSCALL(exit, 1, 137); +} + +__attribute__ ((__noreturn__)) +#ifdef GENTOO_SSP_HANDLER +void __stack_chk_fail(void) +#else +void __chk_fail(void) +#endif +{ + __hardened_gentoo_fail(); +} + +#ifdef GENTOO_SSP_HANDLER +strong_alias (__stack_chk_fail, __stack_chk_fail_local) +#endif 
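Review bot: With `SSP_SMASH_DUMPS_CORE` defined, the `#if 0` removes both the handler reset and the `if (DO_SIGACTION(...) == 0)` guard, so `INLINE_SYSCALL(kill, 2, pid, SIGABRT);` runs unconditionally and any application-installed SIGABRT handler executes in a process whose stack or buffer has just been found corrupted. The comment left above it, `/* Remove any user-supplied handler for SIGABRT, before using it. */`, describes the disabled code rather than what is compiled. I would reword it to state the trade-off, e.g. `/* Raise SIGABRT with the program's own disposition in place; a user handler runs on the corrupted state, and SIGKILL follows only if it returns. */`, so whoever enables the option knows what it costs. The 2.20 copy earlier in the commit carries the same block.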
diff --git a/sys-libs/glibc/files/nscd.service b/sys-libs/glibc/files/nscd.service
new file mode 100644
index 00000000..25a3b1d9
--- /dev/null
+++ b/sys-libs/glibc/files/nscd.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Name Service Cache Daemon
+After=network.target
+
+[Service]
+ExecStart=/usr/sbin/nscd -F
+ExecStop=/usr/sbin/nscd --shutdown
+ExecReload=/usr/sbin/nscd -i passwd
+ExecReload=/usr/sbin/nscd -i group
+ExecReload=/usr/sbin/nscd -i hosts
+ExecReload=/usr/sbin/nscd -i services
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/sys-libs/glibc/files/nscd.tmpfilesd b/sys-libs/glibc/files/nscd.tmpfilesd
new file mode 100644
index 00000000..52edbba6
--- /dev/null
+++ b/sys-libs/glibc/files/nscd.tmpfilesd
@@ -0,0 +1,4 @@
+# Configuration to create /run/nscd directory
+# Used as part of systemd's tmpfiles
+
+d /run/nscd 0755 root root
diff --git a/sys-libs/glibc/glibc-2.26-r1337.ebuild b/sys-libs/glibc/glibc-2.26-r1337.ebuild
new file mode 100644
index 00000000..e04e8dd3
--- /dev/null
+++ b/sys-libs/glibc/glibc-2.26-r1337.ebuild
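Review bot: The `[Service]` section of nscd.service starts the daemon with no sandboxing directives, although the `-i hosts` and `-i services` reload lines show it caches lookups that can originate from the network. Consider adding hardening that nscd is likely to tolerate, for example `NoNewPrivileges=yes`, `PrivateTmp=yes` and `ProtectHome=yes`, and test each against the configured databases before shipping. `Restart=always` relaunches a crashing daemon with only systemd's default start-rate limit as a brake, which should be a deliberate choice for a service that parses replies it does not control.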
@@ -0,0 +1,836 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit prefix toolchain-glibc
+
+DESCRIPTION="GNU libc C library"
+HOMEPAGE="https://www.gnu.org/software/libc/"
+
+LICENSE="LGPL-2.1+ BSD HPND ISC inner-net rc PCRE"
+RESTRICT="strip" # Strip ourself #46186
+EMULTILIB_PKG="true"
+
+# Configuration variables
+
+if [[ ${PV} == 9999* ]]; then
+ EGIT_REPO_URI="git://sourceware.org/git/glibc.git"
+ inherit git-r3
+else
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+ SRC_URI="mirror://gnu/glibc/${P}.tar.xz"
+fi
+
+RELEASE_VER=${PV}
+
+GCC_BOOTSTRAP_VER="4.7.3-r1"
+
+# Gentoo patchset
+PATCH_VER=7
+
+SRC_URI+=" https://dev.gentoo.org/~dilfridge/distfiles/${P}-patches-${PATCH_VER}.tar.bz2"
+SRC_URI+=" multilib? ( https://dev.gentoo.org/~dilfridge/distfiles/gcc-${GCC_BOOTSTRAP_VER}-multilib-bootstrap.tar.bz2 )"
+
+IUSE="audit caps debug doc gd hardened multilib nscd selinux systemtap profile suid vanilla headers-only"
+
+# Min kernel version glibc requires
+: ${NPTL_KERN_VER:="3.2.0"}
+
+# Here's how the cross-compile logic breaks down ...
+# CTARGET - machine that will target the binaries
+# CHOST - machine that will host the binaries
+# CBUILD - machine that will build the binaries
+# If CTARGET != CHOST, it means you want a libc for cross-compiling.
+# If CHOST != CBUILD, it means you want to cross-compile the libc.
+# CBUILD = CHOST = CTARGET - native build/install +# CBUILD != (CHOST = CTARGET) - cross-compile a native build +# (CBUILD = CHOST) != CTARGET - libc for cross-compiler +# CBUILD != CHOST != CTARGET - cross-compile a libc for a cross-compiler +# For install paths: +# CHOST = CTARGET - install into / +# CHOST != CTARGET - install into /usr/CTARGET/ + +export CBUILD=${CBUILD:-${CHOST}} +export CTARGET=${CTARGET:-${CHOST}} +if [[ ${CTARGET} == ${CHOST} ]] ; then + if [[ ${CATEGORY} == cross-* ]] ; then + export CTARGET=${CATEGORY#cross-} + fi +fi + +is_crosscompile() { + [[ ${CHOST} != ${CTARGET} ]] +} + +SLOT="2.2" + +# General: We need a new-enough binutils/gcc to match upstream baseline. +# arch: we need to make sure our binutils/gcc supports TLS. +COMMON_DEPEND=" + nscd? ( selinux? ( + audit? ( sys-process/audit ) + caps? ( sys-libs/libcap ) + ) ) + suid? ( caps? ( sys-libs/libcap ) ) + selinux? ( sys-libs/libselinux ) + systemtap? ( dev-util/systemtap ) +" +DEPEND="${COMMON_DEPEND} + >=app-misc/pax-utils-0.1.10 + !<sys-apps/sandbox-1.6 + !<sys-apps/portage-2.1.2 + doc? ( sys-apps/texinfo ) +" +RDEPEND="${COMMON_DEPEND} + !sys-kernel/ps3-sources + sys-apps/gentoo-functions + !sys-libs/nss-db +" + +if [[ ${CATEGORY} == cross-* ]] ; then + DEPEND+=" !headers-only? ( + >=${CATEGORY}/binutils-2.24 + >=${CATEGORY}/gcc-4.9 + )" + [[ ${CATEGORY} == *-linux* ]] && DEPEND+=" ${CATEGORY}/linux-headers" +else + DEPEND+=" + >=sys-devel/binutils-2.24 + >=sys-devel/gcc-4.9 + virtual/os-headers + " + RDEPEND+=" vanilla? ( !sys-libs/timezone-data )" + PDEPEND+=" !vanilla? 
( sys-libs/timezone-data )" +fi + +# +# the phases +# + +pkg_pretend() { + # Make sure devpts is mounted correctly for use w/out setuid pt_chown + check_devpts + + # Prevent native builds from downgrading + if [[ ${MERGE_TYPE} != "buildonly" ]] && \ + [[ ${ROOT} == "/" ]] && \ + [[ ${CBUILD} == ${CHOST} ]] && \ + [[ ${CHOST} == ${CTARGET} ]] ; then + # The high rev # is to allow people to downgrade between -r# versions. + # We want to block 2.20->2.19, but 2.20-r3->2.20-r2 should be fine. + # Hopefully we never actually use a r# this high. + if has_version ">${CATEGORY}/${P}-r10000" ; then + eerror "Sanity check to keep you from breaking your system:" + eerror " Downgrading glibc is not supported and a sure way to destruction" + die "Aborting to save your system" + fi + + if ! glibc_run_test '#include <pwd.h>\nint main(){return getpwuid(0)==0;}\n' + then + eerror "Your patched vendor kernel is broken. You need to get an" + eerror "update from whoever is providing the kernel to you." + eerror "https://sourceware.org/bugzilla/show_bug.cgi?id=5227" + eerror "https://bugs.gentoo.org/262698" + die "Keeping your system alive, say thank you" + fi + + if ! glibc_run_test '#include <unistd.h>\n#include <sys/syscall.h>\nint main(){return syscall(1000)!=-1;}\n' + then + eerror "Your old kernel is broken. You need to update it to" + eerror "a newer version as syscall(<bignum>) will break." + eerror "https://bugs.gentoo.org/279260" + die "Keeping your system alive, say thank you" + fi + fi + + # Users have had a chance to phase themselves, time to give em the boot + if [[ -e ${EROOT}/etc/locale.gen ]] && [[ -e ${EROOT}/etc/locales.build ]] ; then + eerror "You still haven't deleted ${EROOT}/etc/locales.build." + eerror "Do so now after making sure ${EROOT}/etc/locale.gen is kosher." + die "Lazy upgrader detected" + fi + + if [[ ${CTARGET} == i386-* ]] ; then + eerror "i386 CHOSTs are no longer supported." + eerror "Chances are you don't actually want/need i386." 
+ eerror "Please read https://www.gentoo.org/doc/en/change-chost.xml" + die "Please fix your CHOST" + fi + + if [[ -e /proc/xen ]] && [[ $(tc-arch) == "x86" ]] && ! is-flag -mno-tls-direct-seg-refs ; then + ewarn "You are using Xen but don't have -mno-tls-direct-seg-refs in your CFLAGS." + ewarn "This will result in a 50% performance penalty when running with a 32bit" + ewarn "hypervisor, which is probably not what you want." + fi + + use hardened && ! tc-enables-pie && \ + ewarn "PIE hardening not applied, as your compiler doesn't default to PIE" + + # Make sure host system is up to date #394453 + if has_version '<sys-libs/glibc-2.13' && \ + [[ -n $(scanelf -qys__guard -F'#s%F' "${EROOT}"/lib*/l*-*.so) ]] + then + ebegin "Scanning system for __guard to see if you need to rebuild first ..." + local files=$( + scanelf -qys__guard -F'#s%F' \ + "${EROOT}"/*bin/ \ + "${EROOT}"/lib* \ + "${EROOT}"/usr/*bin/ \ + "${EROOT}"/usr/lib* | \ + egrep -v \ + -e "^${EROOT}/lib.*/(libc|ld)-2.*.so$" \ + -e "^${EROOT}/sbin/(ldconfig|sln)$" + ) + [[ -z ${files} ]] + if ! eend $? ; then + eerror "Your system still has old SSP __guard symbols. You need to" + eerror "rebuild all the packages that provide these files first:" + eerror "${files}" + die "old __guard detected" + fi + fi + + # Check for sanity of /etc/nsswitch.conf + if [[ -e ${EROOT}/etc/nsswitch.conf ]] ; then + local entry + for entry in passwd group shadow; do + if ! egrep -q "^[ \t]*${entry}:.*files" "${EROOT}"/etc/nsswitch.conf; then + eerror "Your ${EROOT}/etc/nsswitch.conf is out of date." + eerror "Please make sure you have 'files' entries for" + eerror "'passwd:', 'group:' and 'shadow:' databases." + eerror "For more details see:" + eerror " https://wiki.gentoo.org/wiki/Project:Toolchain/nsswitch.conf_in_glibc-2.26" + die "nsswitch.conf has no 'files' provider in '${entry}'." 
+ fi + done + fi +} + +src_unpack() { + use multilib && unpack gcc-${GCC_BOOTSTRAP_VER}-multilib-bootstrap.tar.bz2 + + setup_env + + # Check NPTL support _before_ we unpack things to save some time + check_nptl_support + + if [[ -n ${EGIT_REPO_URI} ]] ; then + git-r3_src_unpack + else + unpack ${P}.tar.xz + fi + + cd "${S}" + touch locale/C-translit.h #185476 #218003 + + cd "${WORKDIR}" + unpack glibc-${RELEASE_VER}-patches-${PATCH_VER}.tar.bz2 +} + +src_prepare() { + if ! use vanilla ; then + elog "Applying Gentoo Glibc Patchset ${RELEASE_VER}-${PATCH_VER}" + eapply "${WORKDIR}"/patches + einfo "Done." + fi + + if just_headers ; then + if [[ -e ports/sysdeps/mips/preconfigure ]] ; then + # mips peeps like to screw with us. if building headers, + # we don't have a real compiler, so we can't let them + # insert -mabi on us. + sed -i '/CPPFLAGS=.*-mabi/s|.*|:|' ports/sysdeps/mips/preconfigure || die + find ports/sysdeps/mips/ -name Makefile -exec sed -i '/^CC.*-mabi=/s:-mabi=.*:-D_MIPS_SZPTR=32:' {} + + fi + fi + + default + + gnuconfig_update + + cd "${WORKDIR}" + find . -name configure -exec touch {} + + + eprefixify extra/locale/locale-gen + + # Fix permissions on some of the scripts. + chmod u+x "${S}"/scripts/*.sh + + cd "${S}" + + if use hardened ; then + # We don't enable these for non-hardened as the output is very terse -- + # it only states that a crash happened. The default upstream behavior + # includes backtraces and symbols. + einfo "Installing Hardened Gentoo SSP and FORTIFY_SOURCE handler" + cp "${FILESDIR}"/2.20/glibc-2.20-gentoo-stack_chk_fail.c debug/stack_chk_fail.c || die + cp "${FILESDIR}"/2.25/glibc-2.25-gentoo-chk_fail.c debug/chk_fail.c || die + + if use debug ; then + # Allow SIGABRT to dump core on non-hardened systems, or when debug is requested. 
+ sed -i \ + -e '/^CFLAGS-backtrace.c/ iCPPFLAGS-stack_chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \ + -e '/^CFLAGS-backtrace.c/ iCPPFLAGS-chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \ + debug/Makefile || die + fi + fi +} + +glibc_do_configure() { + # Glibc does not work with gold (for various reasons) #269274. + tc-ld-disable-gold + + # CXX isnt handled by the multilib system, so if we dont unset here + # we accumulate crap across abis + unset CXX + + einfo "Configuring glibc for $1" + + if use doc ; then + export MAKEINFO=makeinfo + else + export MAKEINFO=/dev/null + fi + + local v + for v in ABI CBUILD CHOST CTARGET CBUILD_OPT CTARGET_OPT CC CXX LD {AS,C,CPP,CXX,LD}FLAGS MAKEINFO ; do + einfo " $(printf '%15s' ${v}:) ${!v}" + done + + # The glibc configure script doesn't properly use LDFLAGS all the time. + export CC="$(tc-getCC ${CTARGET}) ${LDFLAGS}" + einfo " $(printf '%15s' 'Manual CC:') ${CC}" + + # Some of the tests are written in C++, so we need to force our multlib abis in, bug 623548 + export CXX="$(tc-getCXX ${CTARGET}) $(get_abi_CFLAGS)" + einfo " $(printf '%15s' 'Manual CXX:') ${CXX}" + + echo + + local myconf=() + + # set addons + pushd "${S}" > /dev/null + local addons=$(echo */configure | sed \ + -e 's:/configure::g' \ + -e 's:\(linuxthreads\|nptl\|rtkaio\|glibc-compat\)\( \|$\)::g' \ + -e 's: \+$::' \ + -e 's! !,!g' \ + -e 's!^!,!' \ + -e '/^,\*$/d') + [[ -d ports ]] && addons+=",ports" + popd > /dev/null + + case ${CTARGET} in + powerpc-*) + # Currently gcc on powerpc32 generates invalid code for + # __builtin_return_address(0) calls. Normally programs + # don't do that but malloc hooks in glibc do: + # https://gcc.gnu.org/PR81996 + # https://bugs.gentoo.org/629054 + myconf+=( --enable-stack-protector=no ) + ;; + *) + myconf+=( --enable-stack-protector=all ) + ;; + esac + myconf+=( --enable-stackguard-randomization ) + + # Keep a whitelist of targets supporing IFUNC. 
glibc's ./configure + # is not robust enough to detect proper support: + # https://bugs.gentoo.org/641216 + # https://sourceware.org/PR22634#c0 + case $(tc-arch ${CTARGET}) in + # Keep whitelist of targets where autodetection mostly works. + amd64|x86|sparc|ppc|ppc64|arm|arm64|s390) ;; + # Blacklist everywhere else + *) myconf+=( libc_cv_ld_gnu_indirect_function=no ) ;; + esac + + [[ $(tc-is-softfloat) == "yes" ]] && myconf+=( --without-fp ) + + if [[ $1 == "nptl" ]] ; then + myconf+=( --enable-kernel=${NPTL_KERN_VER} ) + else + die "invalid pthread option" + fi + myconf+=( --enable-add-ons="${addons#,}" ) + + # Since SELinux support is only required for nscd, only enable it if: + # 1. USE selinux + # 2. only for the primary ABI on multilib systems + # 3. Not a crosscompile + if ! is_crosscompile && use selinux ; then + if use multilib ; then + if is_final_abi ; then + myconf+=( --with-selinux ) + else + myconf+=( --without-selinux ) + fi + else + myconf+=( --with-selinux ) + fi + else + myconf+=( --without-selinux ) + fi + + # Force a few tests where we always know the answer but + # configure is incapable of finding it. + if is_crosscompile ; then + export \ + libc_cv_c_cleanup=yes \ + libc_cv_forced_unwind=yes + fi + + myconf+=( + --without-cvs + --disable-werror + --enable-bind-now + --build=${CBUILD_OPT:-${CBUILD}} + --host=${CTARGET_OPT:-${CTARGET}} + $(use_enable profile) + $(use_with gd) + --with-headers=$(alt_build_headers) + --prefix="${EPREFIX}/usr" + --sysconfdir="${EPREFIX}/etc" + --localstatedir="${EPREFIX}/var" + --libdir='$(prefix)'/$(get_libdir) + --mandir='$(prefix)'/share/man + --infodir='$(prefix)'/share/info + --libexecdir='$(libdir)'/misc/glibc + --with-bugurl=https://bugs.gentoo.org/ + --with-pkgversion="$(glibc_banner)" + $(use_multiarch || echo --disable-multi-arch) + $(in_iuse systemtap && use_enable systemtap) + $(in_iuse nscd && use_enable nscd) + ${EXTRA_ECONF} + ) + + # We rely on sys-libs/timezone-data for timezone tools normally. 
+ myconf+=( $(use_enable vanilla timezone-tools) ) + + # These libs don't have configure flags. + ac_cv_lib_audit_audit_log_user_avc_message=$(in_iuse audit && usex audit || echo no) + ac_cv_lib_cap_cap_init=$(in_iuse caps && usex caps || echo no) + + # There is no configure option for this and we need to export it + # since the glibc build will re-run configure on itself + export libc_cv_rootsbindir="${EPREFIX}/sbin" + export libc_cv_slibdir="${EPREFIX}/$(get_libdir)" + + # We take care of patching our binutils to use both hash styles, + # and many people like to force gnu hash style only, so disable + # this overriding check. #347761 + export libc_cv_hashstyle=no + + local builddir=$(builddir "$1") + mkdir -p "${builddir}" + cd "${builddir}" + set -- "${S}"/configure "${myconf[@]}" + echo "$@" + "$@" || die "failed to configure glibc" + + # ia64 static cross-compilers are a pita in so much that they + # can't produce static ELFs (as the libgcc.a is broken). so + # disable building of the programs for those targets if it + # doesn't work. + # XXX: We could turn this into a compiler test, but ia64 is + # the only one that matters, so this should be fine for now. + if is_crosscompile && [[ ${CTARGET} == ia64* ]] ; then + sed -i '1i+link-static = touch $@' config.make + fi + + # If we're trying to migrate between ABI sets, we need + # to lie and use a local copy of gcc. Like if the system + # is built with MULTILIB_ABIS="amd64 x86" but we want to + # add x32 to it, gcc/glibc don't yet support x32. + if [[ -n ${GCC_BOOTSTRAP_VER} ]] && use multilib ; then + echo 'main(){}' > "${T}"/test.c + if ! 
$(tc-getCC ${CTARGET}) ${CFLAGS} ${LDFLAGS} "${T}"/test.c -Wl,-emain -lgcc 2>/dev/null ; then + sed -i -e '/^CC = /s:$: -B$(objdir)/../'"gcc-${GCC_BOOTSTRAP_VER}/${ABI}:" config.make || die + fi + fi +} + +glibc_headers_configure() { + export ABI=default + + local builddir=$(builddir "headers") + mkdir -p "${builddir}" + cd "${builddir}" + + # if we don't have a compiler yet, we can't really test it now ... + # hopefully they don't affect header generation, so let's hope for + # the best here ... + local v vars=( + ac_cv_header_cpuid_h=yes + libc_cv_{386,390,alpha,arm,hppa,ia64,mips,{powerpc,sparc}{,32,64},sh,x86_64}_tls=yes + libc_cv_asm_cfi_directives=yes + libc_cv_broken_visibility_attribute=no + libc_cv_c_cleanup=yes + libc_cv_forced_unwind=yes + libc_cv_gcc___thread=yes + libc_cv_mlong_double_128=yes + libc_cv_mlong_double_128ibm=yes + libc_cv_ppc_machine=yes + libc_cv_ppc_rel16=yes + libc_cv_predef_fortify_source=no + libc_cv_visibility_attribute=yes + libc_cv_z_combreloc=yes + libc_cv_z_execstack=yes + libc_cv_z_initfirst=yes + libc_cv_z_nodelete=yes + libc_cv_z_nodlopen=yes + libc_cv_z_relro=yes + libc_mips_abi=${ABI} + libc_mips_float=$([[ $(tc-is-softfloat) == "yes" ]] && echo soft || echo hard) + # These libs don't have configure flags. + ac_cv_lib_audit_audit_log_user_avc_message=no + ac_cv_lib_cap_cap_init=no + ) + + einfo "Forcing cached settings:" + for v in "${vars[@]}" ; do + einfo " ${v}" + export ${v} + done + + # Blow away some random CC settings that screw things up. #550192 + if [[ -d ${S}/sysdeps/mips ]]; then + pushd "${S}"/sysdeps/mips >/dev/null + sed -i -e '/^CC +=/s:=.*:= -D_MIPS_SZPTR=32:' mips32/Makefile mips64/n32/Makefile || die + sed -i -e '/^CC +=/s:=.*:= -D_MIPS_SZPTR=64:' mips64/n64/Makefile || die + + # Force the mips ABI to the default. This is OK because the set of + # installed headers in this phase is the same between the 3 ABIs. 
+ # If this ever changes, this hack will break, but that's unlikely + # as glibc discourages that behavior. + # https://crbug.com/647033 + sed -i -e 's:abiflag=.*:abiflag=_ABIO32:' preconfigure || die + + popd >/dev/null + fi + + local myconf=() + myconf+=( + --disable-sanity-checks + --enable-hacker-mode + --without-cvs + --disable-werror + --enable-bind-now + --build=${CBUILD_OPT:-${CBUILD}} + --host=${CTARGET_OPT:-${CTARGET}} + --with-headers=$(alt_build_headers) + --prefix="${EPREFIX}/usr" + ${EXTRA_ECONF} + ) + + local addons + [[ -d ${S}/ports ]] && addons+=",ports" + myconf+=( --enable-add-ons="${addons#,}" ) + + # Nothing is compiled here which would affect the headers for the target. + # So forcing CC/CFLAGS is sane. + set -- "${S}"/configure "${myconf[@]}" + echo "$@" + CC="$(tc-getBUILD_CC)" \ + CFLAGS="-O1 -pipe" \ + CPPFLAGS="-U_FORTIFY_SOURCE" \ + LDFLAGS="" \ + "$@" || die "failed to configure glibc" +} + +do_src_configure() { + if just_headers ; then + glibc_headers_configure + else + glibc_do_configure nptl + fi +} + +src_configure() { + foreach_abi do_src_configure +} + +do_src_compile() { + emake -C "$(builddir nptl)" || die "make nptl for ${ABI} failed" +} + +src_compile() { + if just_headers ; then + return + fi + + foreach_abi do_src_compile +} + +glibc_src_test() { + cd "$(builddir $1)" + emake check +} + +do_src_test() { + local ret=0 + + glibc_src_test nptl + : $(( ret |= $? )) + + return ${ret} +} + +src_test() { + # Give tests more time to complete. + export TIMEOUTFACTOR=5 + + foreach_abi do_src_test || die "tests failed" +} + +glibc_do_src_install() { + local builddir=$(builddir nptl) + cd "${builddir}" + + emake install_root="${D}$(alt_prefix)" install || die + + # This version (2.26) provides some compatibility libraries for the NIS/NIS+ support + # which come without headers etc. Only needed for binary packages since the + # external net-libs/libnsl has increased soversion. Keep only versioned libraries. 
+ find "${D}" -name "libnsl.a" -delete + find "${D}" -name "libnsl.so" -delete + + # Normally upstream_pv is ${PV}. Live ebuilds are exception, there we need + # to infer upstream version: + # '#define VERSION "2.26.90"' -> '2.26.90' + local upstream_pv=$(sed -n -r 's/#define VERSION "(.*)"/\1/p' "${S}"/version.h) + + if [[ -e ${ED}$(alt_usrlibdir)/libm-${upstream_pv}.a ]] ; then + # Move versioned .a file out of libdir to evade portage QA checks + # instead of using gen_usr_ldscript(). We fix ldscript as: + # "GROUP ( /usr/lib64/libm-<pv>.a ..." -> "GROUP ( /usr/lib64/glibc-<pv>/libm-<pv>.a ..." + sed -i "s@\(libm-${upstream_pv}.a\)@${P}/\1@" "${ED}"$(alt_usrlibdir)/libm.a || die + dodir $(alt_usrlibdir)/${P} + mv "${ED}"$(alt_usrlibdir)/libm-${upstream_pv}.a "${ED}"$(alt_usrlibdir)/${P}/libm-${upstream_pv}.a || die + fi + + # We'll take care of the cache ourselves + rm -f "${ED}"/etc/ld.so.cache + + # Everything past this point just needs to be done once ... + is_final_abi || return 0 + + # Make sure the non-native interp can be found on multilib systems even + # if the main library set isn't installed into the right place. Maybe + # we should query the active gcc for info instead of hardcoding it ? + local i ldso_abi ldso_name + local ldso_abi_list=( + # x86 + amd64 /lib64/ld-linux-x86-64.so.2 + x32 /libx32/ld-linux-x32.so.2 + x86 /lib/ld-linux.so.2 + # mips + o32 /lib/ld.so.1 + n32 /lib32/ld.so.1 + n64 /lib64/ld.so.1 + # powerpc + ppc /lib/ld.so.1 + ppc64 /lib64/ld64.so.1 + # s390 + s390 /lib/ld.so.1 + s390x /lib/ld64.so.1 + # sparc + sparc32 /lib/ld-linux.so.2 + sparc64 /lib64/ld-linux.so.2 + ) + case $(tc-endian) in + little) + ldso_abi_list+=( + # arm + arm64 /lib/ld-linux-aarch64.so.1 + ) + ;; + big) + ldso_abi_list+=( + # arm + arm64 /lib/ld-linux-aarch64_be.so.1 + ) + ;; + esac + if [[ ${SYMLINK_LIB} == "yes" ]] && [[ ! 
-e ${ED}/$(alt_prefix)/lib ]] ; then + dosym $(get_abi_LIBDIR ${DEFAULT_ABI}) $(alt_prefix)/lib + fi + for (( i = 0; i < ${#ldso_abi_list[@]}; i += 2 )) ; do + ldso_abi=${ldso_abi_list[i]} + has ${ldso_abi} $(get_install_abis) || continue + + ldso_name="$(alt_prefix)${ldso_abi_list[i+1]}" + if [[ ! -L ${ED}/${ldso_name} && ! -e ${ED}/${ldso_name} ]] ; then + dosym ../$(get_abi_LIBDIR ${ldso_abi})/${ldso_name##*/} ${ldso_name} + fi + done + + # With devpts under Linux mounted properly, we do not need the pt_chown + # binary to be setuid. This is because the default owners/perms will be + # exactly what we want. + if in_iuse suid && ! use suid ; then + find "${ED}" -name pt_chown -exec chmod -s {} + + fi + + ################################################################# + # EVERYTHING AFTER THIS POINT IS FOR NATIVE GLIBC INSTALLS ONLY # + # Make sure we install some symlink hacks so that when we build + # a 2nd stage cross-compiler, gcc finds the target system + # headers correctly. See gcc/doc/gccinstall.info + if is_crosscompile ; then + # We need to make sure that /lib and /usr/lib always exists. + # gcc likes to use relative paths to get to its multilibs like + # /usr/lib/../lib64/. So while we don't install any files into + # /usr/lib/, we do need it to exist. + cd "${ED}"$(alt_libdir)/.. + [[ -e lib ]] || mkdir lib + cd "${ED}"$(alt_usrlibdir)/.. 
+ [[ -e lib ]] || mkdir lib + + dosym usr/include $(alt_prefix)/sys-include + return 0 + fi + + # Files for Debian-style locale updating + dodir /usr/share/i18n + sed \ + -e "/^#/d" \ + -e "/SUPPORTED-LOCALES=/d" \ + -e "s: \\\\::g" -e "s:/: :g" \ + "${S}"/localedata/SUPPORTED > "${ED}"/usr/share/i18n/SUPPORTED \ + || die "generating /usr/share/i18n/SUPPORTED failed" + cd "${WORKDIR}"/extra/locale + dosbin locale-gen + doman *.[0-8] + insinto /etc + doins locale.gen + + # Make sure all the ABI's can find the locales and so we only + # have to generate one set + local a + keepdir /usr/$(get_libdir)/locale + for a in $(get_install_abis) ; do + if [[ ! -e ${ED}/usr/$(get_abi_LIBDIR ${a})/locale ]] ; then + dosym ../$(get_libdir)/locale /usr/$(get_abi_LIBDIR ${a})/locale + fi + done + + cd "${S}" + + # Install misc network config files + insinto /etc + doins nscd/nscd.conf posix/gai.conf nss/nsswitch.conf + doins "${WORKDIR}"/extra/etc/*.conf + + if use nscd ; then + doinitd "$(prefixify_ro "${WORKDIR}"/extra/etc/nscd)" + + local nscd_args=( + -e "s:@PIDFILE@:$(strings "${ED}"/usr/sbin/nscd | grep nscd.pid):" + ) + + sed -i "${nscd_args[@]}" "${ED}"/etc/init.d/nscd + + systemd_dounit nscd/nscd.service + systemd_newtmpfilesd nscd/nscd.tmpfiles nscd.conf + else + # Do this since extra/etc/*.conf above might have nscd.conf. + rm -f "${ED}"/etc/nscd.conf + fi + + echo 'LDPATH="include ld.so.conf.d/*.conf"' > "${T}"/00glibc + doenvd "${T}"/00glibc + + for d in BUGS ChangeLog* CONFORMANCE FAQ NEWS NOTES PROJECTS README* ; do + [[ -s ${d} ]] && dodoc ${d} + done + + # Prevent overwriting of the /etc/localtime symlink. We'll handle the + # creation of the "factory" symlink in pkg_postinst(). 
+ rm -f "${ED}"/etc/localtime +} + +glibc_headers_install() { + local builddir=$(builddir "headers") + cd "${builddir}" + emake install_root="${D}$(alt_prefix)" install-headers + + insinto $(alt_headers)/gnu + doins "${S}"/include/gnu/stubs.h + + # Make sure we install the sys-include symlink so that when + # we build a 2nd stage cross-compiler, gcc finds the target + # system headers correctly. See gcc/doc/gccinstall.info + dosym usr/include $(alt_prefix)/sys-include +} + +src_install() { + if just_headers ; then + export ABI=default + glibc_headers_install + return + fi + + foreach_abi glibc_do_src_install + src_strip +} + +pkg_preinst() { + # nothing to do if just installing headers + just_headers && return + + # prepare /etc/ld.so.conf.d/ for files + mkdir -p "${EROOT}"/etc/ld.so.conf.d + + # Default /etc/hosts.conf:multi to on for systems with small dbs. + if [[ $(wc -l < "${EROOT}"/etc/hosts) -lt 1000 ]] ; then + sed -i '/^multi off/s:off:on:' "${ED}"/etc/host.conf + einfo "Defaulting /etc/host.conf:multi to on" + fi + + [[ ${ROOT} != "/" ]] && return 0 + [[ -d ${ED}/$(get_libdir) ]] || return 0 + [[ -z ${BOOTSTRAP_RAP} ]] && glibc_sanity_check +} + +pkg_postinst() { + # nothing to do if just installing headers + just_headers && return + + if ! tc-is-cross-compiler && [[ -x ${EROOT}/usr/sbin/iconvconfig ]] ; then + # Generate fastloading iconv module configuration file. + "${EROOT}"/usr/sbin/iconvconfig --prefix="${ROOT}" + fi + + if ! is_crosscompile && [[ ${ROOT} == "/" ]] ; then + # Reload init ... 
if in a chroot or a diff init package, ignore + # errors from this step #253697 + /sbin/telinit U 2>/dev/null + + # if the host locales.gen contains no entries, we'll install everything + local locale_list="${EROOT}etc/locale.gen" + if [[ -z $(locale-gen --list --config "${locale_list}") ]] ; then + ewarn "Generating all locales; edit /etc/locale.gen to save time/space" + locale_list="${EROOT}usr/share/i18n/SUPPORTED" + fi + locale-gen -j $(makeopts_jobs) --config "${locale_list}" + fi + + # Check for sanity of /etc/nsswitch.conf, take 2 + if [[ -e ${EROOT}/etc/nsswitch.conf ]] && ! has_version sys-auth/libnss-nis ; then + local entry + for entry in passwd group shadow; do + if egrep -q "^[ \t]*${entry}:.*nis" "${EROOT}"/etc/nsswitch.conf; then + ewarn "" + ewarn "Your ${EROOT}/etc/nsswitch.conf uses NIS. Support for that has been" + ewarn "removed from glibc and is now provided by the package" + ewarn " sys-auth/libnss-nis" + ewarn "Install it now to keep your NIS setup working." + ewarn "" + fi + done + fi +} |
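Review bot: In src_prepare the `use debug` branch sits inside `if use hardened`, so `-DSSP_SMASH_DUMPS_CORE` is only ever added for USE="hardened debug", yet its comment says "on non-hardened systems, or when debug is requested". That define presumably drives the `ENABLE_SSP_SMASH_DUMPS_CORE` path in the handler shown earlier on this page, which sends SIGABRT before SIGKILL while the reset of the SIGABRT disposition is compiled out under `#if 0`, so a program's own SIGABRT handler can run after a canary or fortify failure has already been detected. I would reword the comment to `# USE=debug: raise SIGABRT before SIGKILL so a core is dumped; an application SIGABRT handler may then run in the already-corrupted process.` so the trade-off is visible to whoever enables the flag.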