#
1.23 |
|
06-Oct-2023 |
millert |
__swsetup: set error flag and errno on error.
Previously, we set errno to EBADF if the cantwrite() macro (which calls __swsetup()) returns true for POSIX compliance. However, we neglected to also set the error flag, __SERR. Rather than set the error flag in all callers of cantwrite(), set both errno and the error flag in __swsetup(). This matches what FreeBSD does and makes it possible to choose a proper errno value for the second error condition in __swsetup(). OK deraadt@
|
Revision tags: OPENBSD_7_0_BASE OPENBSD_7_1_BASE OPENBSD_7_2_BASE OPENBSD_7_3_BASE OPENBSD_7_4_BASE
|
#
1.22 |
|
08-Sep-2021 |
jca |
Zap _THIS_PORT helper for printf("%n") tracking in ports land
This hack isn't very useful now that libc aborts on printf("%n") calls, it's expected that the resulting error would lead to a build failure, and that the coredump along with the syslog message should be enough to find the culprit.
Hinted by naddy@ and prodded by deraadt@
|
#
1.21 |
|
30-Aug-2021 |
deraadt |
jca and I converted %n to a syslog warning about a year ago, and the ports ecosystem experienced a very good cleanup. Time has arrived to switch (as planned) to syslog + abort, which will result in a coredump thus identifying the remaining culprits in a more visible fashion. vfprintf(3) and vfwprintf(3) man pages still require documentation changes. with jca
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.20 |
|
27-Oct-2020 |
deraadt |
The printf format string component %n is a nearly Turing-complete gadget. Largely considered attack surface nowadays. The benefit provided by %n is completely overshadowed by the risk.
New uses of %n don't seem to be entering the C ecosystem, as static tools flag them. And everyone points fingers at those people....
The list of programs (and libraries) which use %n is therefore finite and shrinking. Most of the %n use comes out of the GNU ecosystem. jca@ has convinced gnulib to fix their code (so we need to wait for software including gnulib to make new releases).
A few libraries have moved ahead of us and become more strict. Some no longer permit %n (for instance, android bionic). Others log the occurrence. Some log and abort if the output location is W|X (MacOS).
Our base tree is clean. The ports tree contains a handful during build time, and unknown count (more) during runtime.
We would like to abort programs on any occurrence of %n. Or we could be like MacOS, aborting for W|X pages (but would need a system call which can check that condition, and that introduces address space knowledge we don't want attackers to know, and may be a poor tradeoff).
For now, we can syslog, to increase awareness, and involve more people in the greater community to remove %n uses.
[If %n is at the end, use the *printf return value. If it occurs in the middle, split the printf calls into multiples]
Hopefully one day, we can just abort() when %n happens. Help us get there?
ok jca, plus naddy for ports team
|
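The two rewrites suggested in the 1.20 log message, shown with snprintf() as an added example (not code from the OpenBSD tree). The function names `format_kv` and `format_wrapped` and the sample strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Case 1: %n at the end of the format.
 * Legacy form (not compiled here, it aborts in a libc that rejects %n):
 *     snprintf(buf, size, "%s = %d%n", key, val, &len);
 * The return value of snprintf() is the same count, so %n is redundant.
 * Returns the length written, or -1 on error or truncation.
 */
int
format_kv(char *buf, size_t size, const char *key, int val)
{
	int len = snprintf(buf, size, "%s = %d", key, val);

	if (len < 0 || (size_t)len >= size)
		return -1;
	return len;
}

/*
 * Case 2: %n in the middle of the format.
 * Legacy form (not compiled here):
 *     snprintf(buf, size, "%s: %n%s\n", label, &col, line1);
 * used to learn the column where the text starts so that a continuation
 * line can be indented to match. Split the call at the point where %n
 * stood: the return value of the first call is the column.
 * Returns the total length written, or -1 on error or truncation;
 * *colp receives the column on success.
 */
int
format_wrapped(char *buf, size_t size, const char *label,
    const char *line1, const char *line2, int *colp)
{
	int col, n, total;

	/* First call ends where %n used to be. */
	col = snprintf(buf, size, "%s: ", label);
	if (col < 0 || (size_t)col >= size)
		return -1;
	total = col;

	/* Second call prints the remainder of the original format. */
	n = snprintf(buf + total, size - total, "%s\n", line1);
	if (n < 0 || (size_t)n >= size - total)
		return -1;
	total += n;

	/* Continuation line, padded with col spaces. */
	n = snprintf(buf + total, size - total, "%*s%s\n", col, "", line2);
	if (n < 0 || (size_t)n >= size - total)
		return -1;
	total += n;

	if (colp != NULL)
		*colp = col;
	return total;
}

int
main(void)
{
	char buf[64];
	int col = 0, len;

	len = format_kv(buf, sizeof(buf), "mtu", 1500);
	printf("len=%d text=\"%s\"\n", len, buf);

	len = format_wrapped(buf, sizeof(buf), "usage", "prog -a", "prog -b",
	    &col);
	printf("len=%d col=%d\n%s", len, col, buf);
	return 0;
}
```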
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.19 |
|
16-Nov-2017 |
tb |
Add error checking to some calls to __find_arguments(). Matches similar changes by schwarze to vfprintf.c r1.71. Cherrypicked from android:
https://github.com/aosp-mirror/platform_bionic/commit/5305a4d4a723b06494b93f2df81733b83a0c46d3
ok millert
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.18 |
|
15-Aug-2017 |
deraadt |
fmt0 is a wchar_t *, so use %ls to report
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.17 |
|
17-Aug-2016 |
tedu |
% is escaped with more %, not backslash.
|
#
1.16 |
|
17-Aug-2016 |
deraadt |
Generate syslog warnings for %s fmt strings NULL to "(null)" conversions. Over time we can repair software which performs this non-standard behaviour, and fix bugs along the way. Let's first find out how bad the situation is by deploying this in snapshots.
This type of logging is possible because OpenBSD syslog_r(3) -> sendsyslog(2) is side-effect free enough to be used in the bowels of libc.
ok tedu
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.15 |
|
28-Dec-2015 |
mmcc |
Remove NULL-checks before free() and a few related dead assignments.
ok and valuable input from millert@
|
#
1.14 |
|
29-Sep-2015 |
guenther |
Delete the final, inscrutable NOSTRICT and VARARGS lint comments
ok millert@
|
#
1.13 |
|
31-Aug-2015 |
guenther |
Add framework for resolving (pun intended) libc namespace issues, using wrapper .h files and asm labels to let internal calls resolve directly and not be overridable or use the PLT. Then, apply that framework to most of the functions in stdio.h, string.h, err.h, and wchar.h. Delete the should-have-been-hidden-all-along _v?(err|warn)[cx]? symbols while here.
tests clean on i386, amd64, sparc64, powerpc, and mips64
naming feedback from kettenis@ and millert@ ok kettenis@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.12 |
|
21-Dec-2014 |
daniel |
Show the sign for NaN as per POSIX; from Elliott Hughes.
ok martynas@, millert@, doug@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.11 |
|
04-Jun-2014 |
stsp |
Remove assigned but unused local variables and macro from vfwprintf(). Found by Elliott @ google ok mpi@
|
#
1.10 |
|
03-May-2014 |
deraadt |
Add #ifndef NO_PRINTF_PERCENT_N. Since we are fully standardized, we don't use disable %n ourselves. But Google's Android libc is based on our libc.... Giving them an easy knob to disable this dangerous feature easily makes their job easier without making our job any harder. Request from Elliott @ google
|
#
1.9 |
|
19-Mar-2014 |
guenther |
It's still safe to assume 'signed' exists
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.8 |
|
12-Nov-2013 |
deraadt |
a __fputwc_unlock() prototype was available in fvwrite.h, so use that
|
#
1.7 |
|
01-Nov-2013 |
guenther |
Pull in gdtoa.h instead of declaring __dtoa() and __freedtoa() directly
ok deraadt@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.6 |
|
17-Apr-2013 |
tedu |
add some prototypes, casts, includes, parentheses, and whatnot to silence some warnings.
|
Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
|
#
1.5 |
|
26-Jun-2012 |
matthew |
Use nl_langinfo(RADIXCHAR) instead of localeconv()->decimal_point in printf() and avoid calling it unless needed (i.e., when we have a floating point value to print). This isn't a big concern currently due to our limited locale support and current localeconv() implementation, but it's still technically a data race and implementing POSIX 2008 per-thread locales is likely to make it worse.
nl_langinfo() isn't guaranteed by POSIX to be thread-safe either, but at least our current implementation is thread-safe and it's a simpler interface to keep that way. Printing floating point values isn't async-signal-safe anyway due to gdtoa()'s use of malloc(), so that's not an issue.
ok deraadt, stsp, millert
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.4 |
|
09-May-2011 |
stsp |
Always free the multibyte->wchar conversion buffer allocated in __mbsconv(). ok matthew dcoppa miod
|
#
1.3 |
|
28-Apr-2011 |
stsp |
Bring back wprintf. We've sorted out what to do for gcc2 and gcc3. "Yes, go ahead then" deraadt
|
#
1.2 |
|
24-Apr-2011 |
stsp |
Back out wprintf until we've determined what to do for gcc2 and gcc3 arches.
|
#
1.1 |
|
24-Apr-2011 |
stsp |
Add fwprintf, swprintf, vfwprintf, vswprintf, vwprintf, and wprintf to libc. Based on our vfprintf etc. implementations. Wide character parts based on NetBSD but with lots of macros expanded. Minor bump for libc. ok kettenis espie
|