__swsetup: set error flag and errno on error.

Previously, we set errno to EBADF if the cantwrite() macro (which calls
__swsetup()) returns true for POSIX compliance. However, we neglected
to also set the error flag, __SERR. Rather than set the error flag in
all callers of cantwrite(), set both errno and the error flag in
__swsetup(). This matches what FreeBSD does and makes it possible
to choose a proper errno value for the second error condition in
__swsetup(). OK deraadt@

Zap _THIS_PORT helper for printf("%n") tracking in ports land

This hack isn't very useful now that libc aborts on printf("%n") calls,
it's expected that the resulting error would lead to a build
failure, and that the coredump along with the syslog message should be
enough to find the culprit.

Hinted by naddy@ and prodded by deraadt@

jca and I converted %n to a syslog warning about a year ago, and the ports
ecosystem experienced a very good cleanup. Time has arrived to switch (as
planned) to syslog + abort, which will result in a coredump thus identifying
the remaining culprits in a more visible fashion.
vfprintf(3) and vfwprintf(3) man pages still require documentation changes.
with jca

The printf format string component %n is a nearly turning-complete gadget.
Largely considered attack surface nowadays. The benefit provided by %n
is completely overshadowed by the risk.

New uses of %n don't seem to be entering the C ecosystem, as static
tools flag them. And everyone points fingers at those people....

The list of programs (and libraries) which use %n is therefore finite
and shrinking. Most of the %n use comes out of the GNU ecosystem.
jca@ has convinced gnulib to fix their code (so we need to wait for
software including gnulib to make new releases).

A few libraries have moved ahead of us and become more strict. Some n
longer permit %n (for instance, andriod bionic). Others log the occurance.
Some log and abort if the output location is W|X (MacOS).

Our base tree is clean. The ports tree contains a handful during
build time, and unknown count (more) during runtime.

We would like to abort programs on any occurance of %n. Or we could
be like MacOS, aborting for W|X pages (but would need a system call
which can check that condition, and that introduces addressspace
knowledge we don't want attackers to know, and may be a poor tradeoff).

For now, we can syslog, to increase awareness, and involve more people
in the greater community to remove %n uses.

[If %n is at the end, use the *printf return value. If it occurs in
the middle, split the printf calls into multiples]

Hopefully one day, we can just abort() when %n happens. Help us get
there?

ok jca, plus naddy for ports team

Add error checking to some calls to __find_arguments(). Matches similar
changes by schwarze to vfprintf.c r1.71. Cherrypicked from android:

https://github.com/aosp-mirror/platform_bionic/commit/5305a4d4a723b06494b93f2df81733b83a0c46d3

ok millert

fmt0 is a wchar_t *, so use %ls to report

% is escaped with more %, not backslash.

Generate syslog warnings for %s fmt strings NULL to "(null)" conversions.
Over time we can repair software which performs this non-standard behaviour,
and fix bugs along the way. Let's first find out how bad the situation is
by deploying this in snapshots.

This type of logging is possible because OpenBSD syslog_r(3) -> sendsyslog(2)
is side-effect free enough to be used in the bowels of libc.

ok tedu

Remove NULL-checks before free() and a few related dead assignments.

ok and valuable input from millert@

Delete the final, inscrutable NOSTRICT and VARARGS lint comments

ok millert@

Add framework for resolving (pun intended) libc namespace issues, using
wrapper .h files and asm labels to let internal calls resolve directly and
not be overridable or use the PLT. Then, apply that framework to most of
the functions in stdio.h, string.h, err.h, and wchar.h. Delete the
should-have-been-hidden-all-along _v?(err|warn)[cx]? symbols while here.

tests clean on i386, amd64, sparc64, powerpc, and mips64

naming feedback from kettenis@ and millert@
ok kettenis@

Show the sign for NaN as per POSIX; from Elliott Hughes.

ok martynas@, millert@, doug@

Remove assigned but unused local variables and macro from vfwprintf().
Found by Elliott @ google
ok mpi@

Add #ifndef NO_PRINTF_PERCENT_N. Since we are fully standardized, we
don't use disable %n ourselves. But Google's Android libc is based
on our libc.... Giving them an easy knob to disable this dangerous
feature easily make their job easier without making our job any harder.
Request from Elliott @ google

It's still safe to assumed 'signed' exists

a __fputwc_unlock() prototype was available in fvwrite.h, so use that

Pull in gdtoa.h instead of declaring __dtoa() and __freedtoa() directly

ok deraadt@

add some prototypes, casts, includes, parenthesis, and whatnot to
silence some warnings.

Use nl_langinfo(RADIXCHAR) instead of localeconv()->decimal_point in
printf() and avoid calling it unless needed (i.e., when we have a
floating point value to print). This isn't a big concern currently
due to our limited locale support and current localeconv()
implementation, but it's still technically a data race and
implementing POSIX 2008 per-thread locales is likely to make it worse.

nl_langinfo() isn't guaranteed by POSIX to be thread-safe either, but
at least our current implementation is thread-safe and it's a simpler
interface to keep that way. Printing floating point values isn't
async-signal-safe anyway due to gdtoa()'s use of malloc(), so that's
not an issue.

ok deraadt, stsp, millert

Always free the multibyte->wchar conversion buffer allocated in __mbsconv().
ok matthew dcoppa miod

Bring back wprintf. We've sorted out what to do for gcc2 and gcc3.
"Yes, go ahead then" deraadt

Back out wprintf until we've determined what to do for gcc2 and gcc3 arches.

Add fwprintf, swprintf, vfwprintf, vswprintf, vwprintf, and wprintf to libc.
Based on our vfprintf etc. implementations. Wide character parts based on
NetBSD but with lots of macros expanded. Minor bump for libc.
ok kettenis espie

Zap _THIS_PORT helper for printf("%n") tracking in ports land

This hack isn't very useful now that libc aborts on printf("%n") calls,
it's expected that the resulting error would lead to a build
failure, and that the coredump along with the syslog message should be
enough to find the culprit.

Hinted by naddy@ and prodded by deraadt@

jca and I converted %n to a syslog warning about a year ago, and the ports
ecosystem experienced a very good cleanup. Time has arrived to switch (as
planned) to syslog + abort, which will result in a coredump thus identifying
the remaining culprits in a more visible fashion.
vfprintf(3) and vfwprintf(3) man pages still require documentation changes.
with jca

The printf format string component %n is a nearly turning-complete gadget.
Largely considered attack surface nowadays. The benefit provided by %n
is completely overshadowed by the risk.

New uses of %n don't seem to be entering the C ecosystem, as static
tools flag them. And everyone points fingers at those people....

The list of programs (and libraries) which use %n is therefore finite
and shrinking. Most of the %n use comes out of the GNU ecosystem.
jca@ has convinced gnulib to fix their code (so we need to wait for
software including gnulib to make new releases).

A few libraries have moved ahead of us and become more strict. Some n
longer permit %n (for instance, andriod bionic). Others log the occurance.
Some log and abort if the output location is W|X (MacOS).

Our base tree is clean. The ports tree contains a handful during
build time, and unknown count (more) during runtime.

We would like to abort programs on any occurance of %n. Or we could
be like MacOS, aborting for W|X pages (but would need a system call
which can check that condition, and that introduces addressspace
knowledge we don't want attackers to know, and may be a poor tradeoff).

For now, we can syslog, to increase awareness, and involve more people
in the greater community to remove %n uses.

[If %n is at the end, use the *printf return value. If it occurs in
the middle, split the printf calls into multiples]

Hopefully one day, we can just abort() when %n happens. Help us get
there?

ok jca, plus naddy for ports team

Add error checking to some calls to __find_arguments(). Matches similar
changes by schwarze to vfprintf.c r1.71. Cherrypicked from android:

https://github.com/aosp-mirror/platform_bionic/commit/5305a4d4a723b06494b93f2df81733b83a0c46d3

ok millert

fmt0 is a wchar_t *, so use %ls to report

% is escaped with more %, not backslash.

Generate syslog warnings for %s fmt strings NULL to "(null)" conversions.
Over time we can repair software which performs this non-standard behaviour,
and fix bugs along the way. Let's first find out how bad the situation is
by deploying this in snapshots.

This type of logging is possible because OpenBSD syslog_r(3) -> sendsyslog(2)
is side-effect free enough to be used in the bowels of libc.

ok tedu

Remove NULL-checks before free() and a few related dead assignments.

ok and valuable input from millert@

Delete the final, inscrutable NOSTRICT and VARARGS lint comments

ok millert@

Add framework for resolving (pun intended) libc namespace issues, using
wrapper .h files and asm labels to let internal calls resolve directly and
not be overridable or use the PLT. Then, apply that framework to most of
the functions in stdio.h, string.h, err.h, and wchar.h. Delete the
should-have-been-hidden-all-along _v?(err|warn)[cx]? symbols while here.

tests clean on i386, amd64, sparc64, powerpc, and mips64

naming feedback from kettenis@ and millert@
ok kettenis@

Show the sign for NaN as per POSIX; from Elliott Hughes.

ok martynas@, millert@, doug@

Remove assigned but unused local variables and macro from vfwprintf().
Found by Elliott @ google
ok mpi@

Add #ifndef NO_PRINTF_PERCENT_N. Since we are fully standardized, we
don't use disable %n ourselves. But Google's Android libc is based
on our libc.... Giving them an easy knob to disable this dangerous
feature easily make their job easier without making our job any harder.
Request from Elliott @ google

It's still safe to assumed 'signed' exists

a __fputwc_unlock() prototype was available in fvwrite.h, so use that

Pull in gdtoa.h instead of declaring __dtoa() and __freedtoa() directly

ok deraadt@

add some prototypes, casts, includes, parenthesis, and whatnot to
silence some warnings.

Use nl_langinfo(RADIXCHAR) instead of localeconv()->decimal_point in
printf() and avoid calling it unless needed (i.e., when we have a
floating point value to print). This isn't a big concern currently
due to our limited locale support and current localeconv()
implementation, but it's still technically a data race and
implementing POSIX 2008 per-thread locales is likely to make it worse.

nl_langinfo() isn't guaranteed by POSIX to be thread-safe either, but
at least our current implementation is thread-safe and it's a simpler
interface to keep that way. Printing floating point values isn't
async-signal-safe anyway due to gdtoa()'s use of malloc(), so that's
not an issue.

ok deraadt, stsp, millert

Always free the multibyte->wchar conversion buffer allocated in __mbsconv().
ok matthew dcoppa miod

Bring back wprintf. We've sorted out what to do for gcc2 and gcc3.
"Yes, go ahead then" deraadt

Back out wprintf until we've determined what to do for gcc2 and gcc3 arches.

Add fwprintf, swprintf, vfwprintf, vswprintf, vwprintf, and wprintf to libc.
Based on our vfprintf etc. implementations. Wide character parts based on
NetBSD but with lots of macros expanded. Minor bump for libc.
ok kettenis espie

jca and I converted %n to a syslog warning about a year ago, and the ports
ecosystem experienced a very good cleanup. Time has arrived to switch (as
planned) to syslog + abort, which will result in a coredump thus identifying
the remaining culprits in a more visible fashion.
vfprintf(3) and vfwprintf(3) man pages still require documentation changes.
with jca

The printf format string component %n is a nearly turning-complete gadget.
Largely considered attack surface nowadays. The benefit provided by %n
is completely overshadowed by the risk.

New uses of %n don't seem to be entering the C ecosystem, as static
tools flag them. And everyone points fingers at those people....

The list of programs (and libraries) which use %n is therefore finite
and shrinking. Most of the %n use comes out of the GNU ecosystem.
jca@ has convinced gnulib to fix their code (so we need to wait for
software including gnulib to make new releases).

A few libraries have moved ahead of us and become more strict. Some n
longer permit %n (for instance, andriod bionic). Others log the occurance.
Some log and abort if the output location is W|X (MacOS).

Our base tree is clean. The ports tree contains a handful during
build time, and unknown count (more) during runtime.

We would like to abort programs on any occurance of %n. Or we could
be like MacOS, aborting for W|X pages (but would need a system call
which can check that condition, and that introduces addressspace
knowledge we don't want attackers to know, and may be a poor tradeoff).

For now, we can syslog, to increase awareness, and involve more people
in the greater community to remove %n uses.

[If %n is at the end, use the *printf return value. If it occurs in
the middle, split the printf calls into multiples]

Hopefully one day, we can just abort() when %n happens. Help us get
there?

ok jca, plus naddy for ports team

Add error checking to some calls to __find_arguments(). Matches similar
changes by schwarze to vfprintf.c r1.71. Cherrypicked from android:

https://github.com/aosp-mirror/platform_bionic/commit/5305a4d4a723b06494b93f2df81733b83a0c46d3

ok millert

fmt0 is a wchar_t *, so use %ls to report

% is escaped with more %, not backslash.

Generate syslog warnings for %s fmt strings NULL to "(null)" conversions.
Over time we can repair software which performs this non-standard behaviour,
and fix bugs along the way. Let's first find out how bad the situation is
by deploying this in snapshots.

This type of logging is possible because OpenBSD syslog_r(3) -> sendsyslog(2)
is side-effect free enough to be used in the bowels of libc.

ok tedu

Remove NULL-checks before free() and a few related dead assignments.

ok and valuable input from millert@

Delete the final, inscrutable NOSTRICT and VARARGS lint comments

ok millert@

Add framework for resolving (pun intended) libc namespace issues, using
wrapper .h files and asm labels to let internal calls resolve directly and
not be overridable or use the PLT. Then, apply that framework to most of
the functions in stdio.h, string.h, err.h, and wchar.h. Delete the
should-have-been-hidden-all-along _v?(err|warn)[cx]? symbols while here.

tests clean on i386, amd64, sparc64, powerpc, and mips64

naming feedback from kettenis@ and millert@
ok kettenis@

Show the sign for NaN as per POSIX; from Elliott Hughes.

ok martynas@, millert@, doug@

Remove assigned but unused local variables and macro from vfwprintf().
Found by Elliott @ google
ok mpi@

Add #ifndef NO_PRINTF_PERCENT_N. Since we are fully standardized, we
don't use disable %n ourselves. But Google's Android libc is based
on our libc.... Giving them an easy knob to disable this dangerous
feature easily make their job easier without making our job any harder.
Request from Elliott @ google

It's still safe to assumed 'signed' exists

a __fputwc_unlock() prototype was available in fvwrite.h, so use that

Pull in gdtoa.h instead of declaring __dtoa() and __freedtoa() directly

ok deraadt@

add some prototypes, casts, includes, parenthesis, and whatnot to
silence some warnings.

Use nl_langinfo(RADIXCHAR) instead of localeconv()->decimal_point in
printf() and avoid calling it unless needed (i.e., when we have a
floating point value to print). This isn't a big concern currently
due to our limited locale support and current localeconv()
implementation, but it's still technically a data race and
implementing POSIX 2008 per-thread locales is likely to make it worse.

nl_langinfo() isn't guaranteed by POSIX to be thread-safe either, but
at least our current implementation is thread-safe and it's a simpler
interface to keep that way. Printing floating point values isn't
async-signal-safe anyway due to gdtoa()'s use of malloc(), so that's
not an issue.

ok deraadt, stsp, millert

Always free the multibyte->wchar conversion buffer allocated in __mbsconv().
ok matthew dcoppa miod

Bring back wprintf. We've sorted out what to do for gcc2 and gcc3.
"Yes, go ahead then" deraadt

Back out wprintf until we've determined what to do for gcc2 and gcc3 arches.

Add fwprintf, swprintf, vfwprintf, vswprintf, vwprintf, and wprintf to libc.
Based on our vfprintf etc. implementations. Wide character parts based on
NetBSD but with lots of macros expanded. Minor bump for libc.
ok kettenis espie

The printf format string component %n is a nearly turning-complete gadget.
Largely considered attack surface nowadays. The benefit provided by %n
is completely overshadowed by the risk.

New uses of %n don't seem to be entering the C ecosystem, as static
tools flag them. And everyone points fingers at those people....

The list of programs (and libraries) which use %n is therefore finite
and shrinking. Most of the %n use comes out of the GNU ecosystem.
jca@ has convinced gnulib to fix their code (so we need to wait for
software including gnulib to make new releases).

A few libraries have moved ahead of us and become more strict. Some n
longer permit %n (for instance, andriod bionic). Others log the occurance.
Some log and abort if the output location is W|X (MacOS).

Our base tree is clean. The ports tree contains a handful during
build time, and unknown count (more) during runtime.

We would like to abort programs on any occurance of %n. Or we could
be like MacOS, aborting for W|X pages (but would need a system call
which can check that condition, and that introduces addressspace
knowledge we don't want attackers to know, and may be a poor tradeoff).

For now, we can syslog, to increase awareness, and involve more people
in the greater community to remove %n uses.

[If %n is at the end, use the *printf return value. If it occurs in
the middle, split the printf calls into multiples]

Hopefully one day, we can just abort() when %n happens. Help us get
there?

ok jca, plus naddy for ports team

Add error checking to some calls to __find_arguments(). Matches similar
changes by schwarze to vfprintf.c r1.71. Cherrypicked from android:

https://github.com/aosp-mirror/platform_bionic/commit/5305a4d4a723b06494b93f2df81733b83a0c46d3

ok millert

fmt0 is a wchar_t *, so use %ls to report

% is escaped with more %, not backslash.

Generate syslog warnings for %s fmt strings NULL to "(null)" conversions.
Over time we can repair software which performs this non-standard behaviour,
and fix bugs along the way. Let's first find out how bad the situation is
by deploying this in snapshots.

This type of logging is possible because OpenBSD syslog_r(3) -> sendsyslog(2)
is side-effect free enough to be used in the bowels of libc.

ok tedu

Remove NULL-checks before free() and a few related dead assignments.

ok and valuable input from millert@

Delete the final, inscrutable NOSTRICT and VARARGS lint comments

ok millert@

Add framework for resolving (pun intended) libc namespace issues, using
wrapper .h files and asm labels to let internal calls resolve directly and
not be overridable or use the PLT. Then, apply that framework to most of
the functions in stdio.h, string.h, err.h, and wchar.h. Delete the
should-have-been-hidden-all-along _v?(err|warn)[cx]? symbols while here.

tests clean on i386, amd64, sparc64, powerpc, and mips64

naming feedback from kettenis@ and millert@
ok kettenis@

Show the sign for NaN as per POSIX; from Elliott Hughes.

ok martynas@, millert@, doug@

Remove assigned but unused local variables and macro from vfwprintf().
Found by Elliott @ google
ok mpi@

Add #ifndef NO_PRINTF_PERCENT_N. Since we are fully standardized, we
don't use disable %n ourselves. But Google's Android libc is based
on our libc.... Giving them an easy knob to disable this dangerous
feature easily make their job easier without making our job any harder.
Request from Elliott @ google

It's still safe to assumed 'signed' exists

a __fputwc_unlock() prototype was available in fvwrite.h, so use that

Pull in gdtoa.h instead of declaring __dtoa() and __freedtoa() directly

ok deraadt@

add some prototypes, casts, includes, parenthesis, and whatnot to
silence some warnings.

Use nl_langinfo(RADIXCHAR) instead of localeconv()->decimal_point in
printf() and avoid calling it unless needed (i.e., when we have a
floating point value to print). This isn't a big concern currently
due to our limited locale support and current localeconv()
implementation, but it's still technically a data race and
implementing POSIX 2008 per-thread locales is likely to make it worse.

nl_langinfo() isn't guaranteed by POSIX to be thread-safe either, but
at least our current implementation is thread-safe and it's a simpler
interface to keep that way. Printing floating point values isn't
async-signal-safe anyway due to gdtoa()'s use of malloc(), so that's
not an issue.

ok deraadt, stsp, millert

Always free the multibyte->wchar conversion buffer allocated in __mbsconv().
ok matthew dcoppa miod

Bring back wprintf. We've sorted out what to do for gcc2 and gcc3.
"Yes, go ahead then" deraadt

Back out wprintf until we've determined what to do for gcc2 and gcc3 arches.

Add fwprintf, swprintf, vfwprintf, vswprintf, vwprintf, and wprintf to libc.
Based on our vfprintf etc. implementations. Wide character parts based on
NetBSD but with lots of macros expanded. Minor bump for libc.
ok kettenis espie

Add error checking to some calls to __find_arguments(). Matches similar
changes by schwarze to vfprintf.c r1.71. Cherrypicked from android:

https://github.com/aosp-mirror/platform_bionic/commit/5305a4d4a723b06494b93f2df81733b83a0c46d3

ok millert

fmt0 is a wchar_t *, so use %ls to report

% is escaped with more %, not backslash.

Generate syslog warnings for %s fmt strings NULL to "(null)" conversions.
Over time we can repair software which performs this non-standard behaviour,
and fix bugs along the way. Let's first find out how bad the situation is
by deploying this in snapshots.

This type of logging is possible because OpenBSD syslog_r(3) -> sendsyslog(2)
is side-effect free enough to be used in the bowels of libc.

ok tedu

Remove NULL-checks before free() and a few related dead assignments.

ok and valuable input from millert@

Delete the final, inscrutable NOSTRICT and VARARGS lint comments

ok millert@

Add framework for resolving (pun intended) libc namespace issues, using
wrapper .h files and asm labels to let internal calls resolve directly and
not be overridable or use the PLT. Then, apply that framework to most of
the functions in stdio.h, string.h, err.h, and wchar.h. Delete the
should-have-been-hidden-all-along _v?(err|warn)[cx]? symbols while here.

tests clean on i386, amd64, sparc64, powerpc, and mips64

naming feedback from kettenis@ and millert@
ok kettenis@

Show the sign for NaN as per POSIX; from Elliott Hughes.

ok martynas@, millert@, doug@

Remove assigned but unused local variables and macro from vfwprintf().
Found by Elliott @ google
ok mpi@

Add #ifndef NO_PRINTF_PERCENT_N. Since we are fully standardized, we
don't use disable %n ourselves. But Google's Android libc is based
on our libc.... Giving them an easy knob to disable this dangerous
feature easily make their job easier without making our job any harder.
Request from Elliott @ google

It's still safe to assumed 'signed' exists

a __fputwc_unlock() prototype was available in fvwrite.h, so use that

Pull in gdtoa.h instead of declaring __dtoa() and __freedtoa() directly

ok deraadt@

add some prototypes, casts, includes, parenthesis, and whatnot to
silence some warnings.

Use nl_langinfo(RADIXCHAR) instead of localeconv()->decimal_point in
printf() and avoid calling it unless needed (i.e., when we have a
floating point value to print). This isn't a big concern currently
due to our limited locale support and current localeconv()
implementation, but it's still technically a data race and
implementing POSIX 2008 per-thread locales is likely to make it worse.

nl_langinfo() isn't guaranteed by POSIX to be thread-safe either, but
at least our current implementation is thread-safe and it's a simpler
interface to keep that way. Printing floating point values isn't
async-signal-safe anyway due to gdtoa()'s use of malloc(), so that's
not an issue.

ok deraadt, stsp, millert

Always free the multibyte->wchar conversion buffer allocated in __mbsconv().
ok matthew dcoppa miod

Bring back wprintf. We've sorted out what to do for gcc2 and gcc3.
"Yes, go ahead then" deraadt

Back out wprintf until we've determined what to do for gcc2 and gcc3 arches.

Add fwprintf, swprintf, vfwprintf, vswprintf, vwprintf, and wprintf to libc.
Based on our vfprintf etc. implementations. Wide character parts based on
NetBSD but with lots of macros expanded. Minor bump for libc.
ok kettenis espie