lobase

Linux port of OpenBSD's userland.

commit 8bb3dd2300f887ed2487850cf5e305f1eb09a5f9
parent 00bda52d272cd76e1e2a50d3b2131dbd1acabf1f
Author: Duncaen <mail@duncano.de>
Date:   Thu, 25 May 2017 16:24:41 +0200

lib/libopenbsd: update

Diffstat:
lib/libopenbsd/crypt/arc4random.c | 2+-
lib/libopenbsd/crypt/arc4random_uniform.c | 2+-
lib/libopenbsd/gen/basename.3 | 9+++++----
lib/libopenbsd/gen/dirname.3 | 9+++++----
lib/libopenbsd/gen/errc.c | 1+
lib/libopenbsd/gen/fts.c | 11++++++-----
lib/libopenbsd/gen/glob.c | 55++++++++++++++++++++++++++++++++++---------------------
lib/libopenbsd/gen/verrc.c | 1+
lib/libopenbsd/hash/md5.3 | 10+++++-----
lib/libopenbsd/hash/rmd160.3 | 8++------
lib/libopenbsd/hash/sha1.3 | 14+++++++++-----
lib/libopenbsd/regex/engine.c | 4++--
lib/libopenbsd/regex/regcomp.c | 14+++++---------
lib/libopenbsd/stdio/fgetwln.s | 144-------------------------------------------------------------------------------
lib/libopenbsd/stdlib/malloc.3 | 250+++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------
15 files changed, 252 insertions(+), 282 deletions(-)

diff --git a/lib/libopenbsd/crypt/arc4random.c b/lib/libopenbsd/crypt/arc4random.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: arc4random.c,v 1.53 2015/09/10 18:53:50 bcook Exp $ */
+/* $OpenBSD: arc4random.c,v 1.54 2015/09/13 08:31:47 guenther Exp $ */
 
 /*
  * Copyright (c) 1996, David Mazieres <dm@uun.org>
diff --git a/lib/libopenbsd/crypt/arc4random_uniform.c b/lib/libopenbsd/crypt/arc4random_uniform.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: arc4random_uniform.c,v 1.1 2014/07/12 13:24:54 deraadt Exp $ */
+/* $OpenBSD: arc4random_uniform.c,v 1.2 2015/09/13 08:31:47 guenther Exp $ */
 
 /*
  * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
diff --git a/lib/libopenbsd/gen/basename.3 b/lib/libopenbsd/gen/basename.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: basename.3,v 1.22 2013/09/30 12:02:32 millert Exp $
+.\" $OpenBSD: basename.3,v 1.23 2017/05/08 14:45:47 millert Exp $
 .\"
 .\" Copyright (c) 1997 Todd C. Miller <Todd.Miller@courtesan.com>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 30 2013 $
+.Dd $Mdocdate: May 8 2017 $
 .Dt BASENAME 3
 .Os
 .Sh NAME
@@ -70,8 +70,9 @@ The path component to be returned was larger than
 .Sh STANDARDS
 The
 .Fn basename
-function conforms to
-.St -xpg4.2 .
+function conforms to the X/Open System Interfaces option of the
+.St -p1003.1-2008
+specification.
 .Sh HISTORY
 The
 .Fn basename
diff --git a/lib/libopenbsd/gen/dirname.3 b/lib/libopenbsd/gen/dirname.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: dirname.3,v 1.20 2013/09/30 12:02:32 millert Exp $
+.\" $OpenBSD: dirname.3,v 1.21 2017/05/08 14:45:47 millert Exp $
 .\"
 .\" Copyright (c) 1997 Todd C. Miller <Todd.Miller@courtesan.com>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 30 2013 $
+.Dd $Mdocdate: May 8 2017 $
 .Dt DIRNAME 3
 .Os
 .Sh NAME
@@ -70,8 +70,9 @@ The path component to be returned was larger than
 .Sh STANDARDS
 The
 .Fn dirname
-function conforms to
-.St -xpg4.2 .
+function conforms to the X/Open System Interfaces option of the
+.St -p1003.1-2008
+specification.
 .Sh HISTORY
 The
 .Fn dirname
diff --git a/lib/libopenbsd/gen/errc.c b/lib/libopenbsd/gen/errc.c
@@ -40,3 +40,4 @@ errc(int eval, int code, const char *fmt, ...)
 verrc(eval, code, fmt, ap);
 va_end(ap);
 }
+DEF_WEAK(errc);
diff --git a/lib/libopenbsd/gen/fts.c b/lib/libopenbsd/gen/fts.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: fts.c,v 1.57 2017/02/15 15:58:40 schwarze Exp $ */
+/* $OpenBSD: fts.c,v 1.58 2017/03/17 15:14:40 deraadt Exp $ */
 
 /*-
  * Copyright (c) 1990, 1993, 1994
@@ -881,14 +881,14 @@ fts_sort(FTS *sp, FTSENT *head, int nitems)
 if (nitems > sp->fts_nitems) {
 struct _ftsent **a;
 
- sp->fts_nitems = nitems + 40;
 if ((a = reallocarray(sp->fts_array,
- sp->fts_nitems, sizeof(FTSENT *))) == NULL) {
+ nitems + 40, sizeof(FTSENT *))) == NULL) {
 free(sp->fts_array);
 sp->fts_array = NULL;
 sp->fts_nitems = 0;
 return (head);
 }
+ sp->fts_nitems = nitems + 40;
 sp->fts_array = a;
 }
 for (ap = sp->fts_array, p = head; p; p = p->fts_link)
@@ -963,13 +963,14 @@ fts_palloc(FTS *sp, size_t more)
 errno = ENAMETOOLONG;
 return (1);
 }
- sp->fts_pathlen += more;
- p = realloc(sp->fts_path, sp->fts_pathlen);
+ p = recallocarray(sp->fts_path, sp->fts_pathlen,
+ sp->fts_pathlen + more, 1);
 if (p == NULL) {
 free(sp->fts_path);
 sp->fts_path = NULL;
 return (1);
 }
+ sp->fts_pathlen += more;
 sp->fts_path = p;
 return (0);
 }
diff --git a/lib/libopenbsd/gen/glob.c b/lib/libopenbsd/gen/glob.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: glob.c,v 1.46 2015/12/28 22:08:18 mmcc Exp $ */
+/* $OpenBSD: glob.c,v 1.47 2017/05/08 14:53:27 millert Exp $ */
 /*
  * Copyright (c) 1989, 1993
  * The Regents of the University of California. All rights reserved.
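Review bot: `DEF_WEAK(errc);` depends on the DEF_WEAK macro from OpenBSD's internal headers, and the hunk does not show which header provides it in this Linux port; if nothing defines it (on non-OpenBSD targets it is normally an empty `#define DEF_WEAK(x)`), errc.c stops compiling at this line. Worth confirming that the include which defines it is already in place or that a compat header supplies the no-op form. The same applies to the matching `DEF_WEAK(verrc);` hunk in verrc.c.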
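Review bot: The new `recallocarray(sp->fts_path, sp->fts_pathlen, sp->fts_pathlen + more, 1)` call makes `sp->fts_pathlen` a safety-critical input: recallocarray copies and then clears `oldnmemb * size` bytes of the old object, so the value must equal the exact size of the allocation that produced `sp->fts_path`, and a compat implementation on Linux has no allocator metadata to catch a mismatch. Moving `sp->fts_pathlen += more;` below the NULL check keeps the two fields in step on the failure path, which the old code did not, but the initial allocation of `fts_path` is outside this hunk and should be checked for the same invariant. recallocarray is an OpenBSD 6.1 extension that glibc does not provide and this diffstat adds no implementation, so the port presumably already ships one in libopenbsd; worth confirming. fts_palloc starts before the hunk.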
@@ -126,9 +126,6 @@ typedef char Char;
 #define GLOB_LIMIT_STAT 2048
 #define GLOB_LIMIT_READDIR 16384
 
-/* Limit of recursion during matching attempts. */
-#define GLOB_LIMIT_RECUR 64
-
 struct glob_lim {
 size_t glim_malloc;
 size_t glim_stat;
@@ -161,7 +158,7 @@ static const Char *
 static int globexp1(const Char *, glob_t *, struct glob_lim *);
 static int globexp2(const Char *, const Char *, glob_t *, struct glob_lim *);
-static int match(Char *, Char *, Char *, int);
+static int match(Char *, Char *, Char *);
 #ifdef DEBUG
 static void qprintf(const char *, Char *);
 #endif
@@ -753,7 +750,7 @@ glob3(Char *pathbuf, Char *pathbuf_last, Char *pathend, Char *pathend_last,
 break;
 }
 
- if (!match(pathend, pattern, restpattern, GLOB_LIMIT_RECUR)) {
+ if (!match(pathend, pattern, restpattern)) {
 *pathend = EOS;
 continue;
 }
@@ -883,17 +880,24 @@ globextend(const Char *path, glob_t *pglob, struct glob_lim *limitp,
 
 /*
  * pattern matching function for filenames. Each occurrence of the *
- * pattern causes a recursion level.
+ * pattern causes an iteration.
+ *
+ * Note, this function differs from the original as per the discussion
+ * here: https://research.swtch.com/glob
+ *
+ * Basically we removed the recursion and made it use the algorithm
+ * from Russ Cox to not go quadratic on cases like a file called
+ * ("a" x 100) . "x" matched against a pattern like "a*a*a*a*a*a*a*y".
  */
 static int
-match(Char *name, Char *pat, Char *patend, int recur)
+match(Char *name, Char *pat, Char *patend)
 {
 int ok, negate_range;
 Char c, k;
+ Char *nextp = NULL;
+ Char *nextn = NULL;
 
- if (recur-- == 0)
- return(GLOB_NOSPACE);
-
+loop:
 while (pat < patend) {
 c = *pat++;
 switch (c & M_MASK) {
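Review bot: The new `nextp`/`nextn` state in match() carries no comment, and the code that sets and consumes it is in the next two hunks, so a reader of this hunk sees two bare pointers with no stated role. Suggest documenting them at the declaration: `/* nextp: the last '*' seen in pat; nextn: where in name to resume from if the rest of pat fails. NULL until the first '*'. */`. The header comment could also record the changed contract, e.g. `Returns 1 on match, 0 otherwise; can no longer return GLOB_NOSPACE`, since glob3 treats any non-zero result as a match and the old recursion-limit path returned GLOB_NOSPACE. Each restart advances `name` by one, so the work is bounded by at most one restart per name character, which is the denial-of-service mitigation this rewrite provides. The function body continues past this hunk.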
@@ -902,19 +906,19 @@ match(Char *name, Char *pat, Char *patend, int recur)
 pat++; /* eat consecutive '*' */
 if (pat == patend)
 return(1);
- do {
- if (match(name, pat, patend, recur))
- return(1);
- } while (*name++ != EOS);
- return(0);
+ if (*name == EOS)
+ return(0);
+ nextn = name + 1;
+ nextp = pat - 1;
+ break;
 case M_ONE:
 if (*name++ == EOS)
- return(0);
+ goto fail;
 break;
 case M_SET:
 ok = 0;
 if ((k = *name++) == EOS)
- return(0);
+ goto fail;
 if ((negate_range = ((*pat & M_MASK) == M_NOT)) != EOS)
 ++pat;
 while (((c = *pat++) & M_MASK) != M_END) {
@@ -933,15 +937,24 @@ match(Char *name, Char *pat, Char *patend, int recur)
 ok = 1;
 }
 if (ok == negate_range)
- return(0);
+ goto fail;
 break;
 default:
 if (*name++ != c)
- return(0);
+ goto fail;
 break;
 }
 }
- return(*name == EOS);
+ if (*name == EOS)
+ return(1);
+
+fail:
+ if (nextn) {
+ pat = nextp;
+ name = nextn;
+ goto loop;
+ }
+ return(0);
 }
 
 /* Free allocated data belonging to a glob_t structure. */
diff --git a/lib/libopenbsd/gen/verrc.c b/lib/libopenbsd/gen/verrc.c
@@ -45,3 +45,4 @@ verrc(int eval, int code, const char *fmt, va_list ap)
 (void)fprintf(stderr, "%s\n", strerror(code));
 exit(eval);
 }
+DEF_WEAK(verrc);
diff --git a/lib/libopenbsd/hash/md5.3 b/lib/libopenbsd/hash/md5.3
@@ -16,9 +16,9 @@
 .\" If we meet some day, and you think this stuff is worth it, you
 .\" can buy me a beer in return. Poul-Henning Kamp
 .\"
-.\" $OpenBSD: md5.3,v 1.5 2015/11/10 23:48:18 jmc Exp $
+.\" $OpenBSD: md5.3,v 1.6 2017/02/23 20:29:17 daniel Exp $
 .\"
-.Dd $Mdocdate: November 10 2015 $
+.Dd $Mdocdate: February 23 2017 $
 .Dt MD5INIT 3
 .Os
 .Sh NAME
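Review bot: In the M_ALL case the new `if (*name == EOS) return(0);` exits directly while every other mismatch in match() now does `goto fail`; it is correct, because the pattern left after the last `*` is non-empty and each of M_ONE, M_SET and a literal consumes exactly one name character, so a restart from an earlier `*` (which only advances `name`) cannot succeed, but that argument is not visible in the code. Suggest a comment on that line: `/* rest of pat needs >= 1 char and a restart only shortens name: fail now */`. The `fail:` restart is in the last glob.c hunk and the `loop:` label in the previous one; match()'s body spans all three.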
@@ -67,9 +67,9 @@ MD5 has been broken; it should only be used where necessary for backward compatibility. The attack on MD5 is in the nature of finding .Dq collisions -\- that is, multiple -inputs which hash to the same value; it is still unlikely for an attacker -to be able to determine the exact original input given a hash value. +\(em that is, multiple inputs which hash to the same value. +It is still unlikely for an attacker to be able to determine the exact +original input given a hash value. .Pp The .Fn MD5Init , diff --git a/lib/libopenbsd/hash/rmd160.3 b/lib/libopenbsd/hash/rmd160.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: rmd160.3,v 1.37 2016/07/28 03:52:41 tedu Exp $ +.\" $OpenBSD: rmd160.3,v 1.38 2016/09/04 09:24:38 tedu Exp $ .\" .\" Copyright (c) 1997, 2004 Todd C. Miller <Todd.Miller@courtesan.com> .\" @@ -17,7 +17,7 @@ .\" See http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html .\" for detailed information about RIPEMD-160. .\" -.Dd $Mdocdate: July 28 2016 $ +.Dd $Mdocdate: September 4 2016 $ .Dt RMD160INIT 3 .Os .Sh NAME @@ -234,7 +234,3 @@ and .Fn RMD160Data helper functions are derived from code written by .An Poul-Henning Kamp . -.Sh CAVEATS -If a message digest is to be copied to a multi-byte type (ie: -an array of five 32-bit integers) it will be necessary to -perform byte swapping on little endian machines such as the i386 and alpha. diff --git a/lib/libopenbsd/hash/sha1.3 b/lib/libopenbsd/hash/sha1.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sha1.3,v 1.44 2016/09/04 09:24:38 tedu Exp $ +.\" $OpenBSD: sha1.3,v 1.45 2017/02/23 20:46:08 daniel Exp $ .\" .\" Copyright (c) 1997, 2004 Todd C. Miller <Todd.Miller@courtesan.com> .\" @@ -17,7 +17,7 @@ .\" See http://csrc.nist.gov/publications/fips/fips180-1/fip180-1.txt .\" for the detailed standard .\" -.Dd $Mdocdate: September 4 2016 $ +.Dd $Mdocdate: February 23 2017 $ .Dt SHA1INIT 3 .Os .Sh NAME 
@@ -61,9 +61,13 @@ The algorithm takes a message less than 2^64 bits as input and produces a 160-bit digest suitable for use as a digital signature. .Pp -The SHA1 functions are considered to be more secure than the -.Xr md5 3 -functions with which they share a similar interface. +SHA-1 has been broken; it should only be used where necessary for +backward compatibility. +The attack on SHA-1 is in the nature of finding +.Dq collisions +\(em that is, multiple inputs which hash to the same value. +It is still unlikely for an attacker to be able to determine the exact +original input given a hash value. .Pp The .Fn SHA1Init diff --git a/lib/libopenbsd/regex/engine.c b/lib/libopenbsd/regex/engine.c @@ -1,4 +1,4 @@ -/* $OpenBSD: engine.c,v 1.23 2016/05/26 05:46:44 martijn Exp $ */ +/* $OpenBSD: engine.c,v 1.24 2016/09/21 04:38:56 guenther Exp $ */ /*- * Copyright (c) 1992, 1993, 1994 Henry Spencer. @@ -156,7 +156,7 @@ matcher(struct re_guts *g, char *string, size_t nmatch, regmatch_t pmatch[], if (g->must != NULL) { for (dp = start; dp < stop; dp++) if (*dp == g->must[0] && stop - dp >= g->mlen && - memcmp(dp, g->must, (size_t)g->mlen) == 0) + memcmp(dp, g->must, g->mlen) == 0) break; if (dp == stop) /* we didn't find g->must */ return(REG_NOMATCH); diff --git a/lib/libopenbsd/regex/regcomp.c b/lib/libopenbsd/regex/regcomp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: regcomp.c,v 1.28 2015/12/28 22:08:18 mmcc Exp $ */ +/* $OpenBSD: regcomp.c,v 1.31 2016/12/22 00:09:07 krw Exp $ */ /*- * Copyright (c) 1992, 1993, 1994 Henry Spencer. * Copyright (c) 1992, 1993, 1994 
@@ -124,10 +124,7 @@ static char nuls[10]; /* place to point scanner in event of error */
 #define NEXTn(n) (p->next += (n))
 #define GETNEXT() (*p->next++)
 #define SETERROR(e) seterr(p, (e))
-#define REQUIRE(co, e) ((co) || SETERROR(e))
-#define MUSTSEE(c, e) (REQUIRE(MORE() && PEEK() == (c), e))
-#define MUSTEAT(c, e) (REQUIRE(MORE() && GETNEXT() == (c), e))
-#define MUSTNOTSEE(c, e) (REQUIRE(!MORE() || PEEK() != (c), e))
+#define REQUIRE(co, e) (void) ((co) || SETERROR(e))
 #define EMIT(op, sopnd) doemit(p, (sop)(op), (size_t)(sopnd))
 #define INSERT(op, pos) doinsert(p, (sop)(op), HERE()-(pos)+1, pos)
 #define AHEAD(pos) dofwd(p, pos, HERE()-(pos))
@@ -317,7 +314,7 @@ p_ere_exp(struct parse *p)
 assert(p->pend[subno] != 0);
 }
 EMIT(ORPAREN, subno);
- MUSTEAT(')', REG_EPAREN);
+ REQUIRE(MORE() && GETNEXT() == ')', REG_EPAREN);
 break;
 case '^':
 EMIT(OBOL, 0);
@@ -648,7 +645,7 @@ p_bracket(struct parse *p)
 p_b_term(p, cs);
 if (EAT('-'))
 CHadd(cs, '-');
- MUSTEAT(']', REG_EBRACK);
+ REQUIRE(MORE() && GETNEXT() == ']', REG_EBRACK);
 
 if (p->error != 0) { /* don't mess things up further */
 freeset(p, cs);
@@ -1294,8 +1291,7 @@ dupl(struct parse *p,
 return(ret);
 if (!enlarge(p, p->ssize + len)) /* this many unexpected additions */
 return(ret);
- (void) memcpy((char *)(p->strip + p->slen),
- (char *)(p->strip + start), (size_t)len*sizeof(sop));
+ (void) memcpy(p->strip + p->slen, p->strip + start, len * sizeof(sop));
 p->slen += len;
 return(ret);
 }
diff --git a/lib/libopenbsd/stdio/fgetwln.s b/lib/libopenbsd/stdio/fgetwln.s
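Review bot: `REQUIRE(co, e)` now expands to a `(void)`-cast expression, so any caller that still tests its result becomes a compile error; only the three MUSTSEE/MUSTEAT/MUSTNOTSEE definitions are removed here, and the rest of regcomp.c is outside this view, so it should be checked for other users of REQUIRE's value. The inlined `REQUIRE(MORE() && GETNEXT() == ')', REG_EPAREN)` evaluates `co` once, so the side effect of GETNEXT() on `p->next` is unchanged from the old MUSTEAT. A short comment beside the macro, `/* evaluates co once; result discarded, failure recorded via seterr() */`, would make the new contract explicit.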
@@ -1,144 +0,0 @@ - .file "fgetwln.c" - .local fb_pool - .comm fb_pool,768,32 - .local fb_pool_cur - .comm fb_pool_cur,4,4 - .text - .globl fgetwln - .type fgetwln, @function -fgetwln: -.LFB5: - .cfi_startproc - pushq %rbp - .cfi_def_cfa_offset 16 - .cfi_offset 6, -16 - movq %rsp, %rbp - .cfi_def_cfa_register 6 - subq $48, %rsp - movq %rdi, -40(%rbp) - movq %rsi, -48(%rbp) - movq $0, -16(%rbp) - movl fb_pool_cur(%rip), %eax - movslq %eax, %rdx - movq %rdx, %rax - addq %rax, %rax - addq %rdx, %rax - salq $3, %rax - addq $fb_pool, %rax - movq %rax, -8(%rbp) - movq -8(%rbp), %rax - movq (%rax), %rax - cmpq -40(%rbp), %rax - je .L2 - movq -8(%rbp), %rax - movq (%rax), %rax - testq %rax, %rax - je .L2 - movl fb_pool_cur(%rip), %eax - addl $1, %eax - movl %eax, fb_pool_cur(%rip) - movl fb_pool_cur(%rip), %eax - cltd - shrl $27, %edx - addl %edx, %eax - andl $31, %eax - subl %edx, %eax - movl %eax, fb_pool_cur(%rip) - movl fb_pool_cur(%rip), %eax - movslq %eax, %rdx - movq %rdx, %rax - addq %rax, %rax - addq %rdx, %rax - salq $3, %rax - addq $fb_pool, %rax - movq %rax, -8(%rbp) -.L2: - movq -8(%rbp), %rax - movq -40(%rbp), %rdx - movq %rdx, (%rax) - jmp .L3 -.L10: - movq -8(%rbp), %rax - movq 16(%rax), %rax - testq %rax, %rax - je .L4 - movq -8(%rbp), %rax - movq 16(%rax), %rax - cmpq -16(%rbp), %rax - ja .L5 -.L4: - movq -8(%rbp), %rax - movq 16(%rax), %rax - testq %rax, %rax - je .L6 - movq -8(%rbp), %rax - movq 16(%rax), %rax - leaq (%rax,%rax), %rdx - movq -8(%rbp), %rax - movq %rdx, 16(%rax) - jmp .L7 -.L6: - movq -8(%rbp), %rax - movq $128, 16(%rax) -.L7: - movq -8(%rbp), %rax - movq 16(%rax), %rcx - movq -8(%rbp), %rax - movq 8(%rax), %rax - movl $4, %edx - movq %rcx, %rsi - movq %rax, %rdi - movl $0, %eax - call reallocarray - cltq - movq %rax, -32(%rbp) - cmpq $0, -32(%rbp) - jne .L8 - movq $0, -16(%rbp) - jmp .L9 -.L8: - movq -8(%rbp), %rax - movq -32(%rbp), %rdx - movq %rdx, 8(%rax) -.L5: - movq -8(%rbp), %rax - movq 8(%rax), %rcx - movq -16(%rbp), %rax - leaq 
1(%rax), %rdx - movq %rdx, -16(%rbp) - salq $2, %rax - leaq (%rcx,%rax), %rdx - movl -20(%rbp), %eax - movl %eax, (%rdx) - cmpl $10, -20(%rbp) - je .L14 -.L3: - movq -40(%rbp), %rax - movq %rax, %rdi - call fgetwc - movl %eax, -20(%rbp) - cmpl $-1, -20(%rbp) - jne .L10 - jmp .L9 -.L14: - nop -.L9: - movq -48(%rbp), %rax - movq -16(%rbp), %rdx - movq %rdx, (%rax) - cmpq $0, -16(%rbp) - je .L11 - movq -8(%rbp), %rax - movq 8(%rax), %rax - jmp .L13 -.L11: - movl $0, %eax -.L13: - leave - .cfi_def_cfa 7, 8 - ret - .cfi_endproc -.LFE5: - .size fgetwln, .-fgetwln - .ident "GCC: (GNU) 6.3.0" - .section .note.GNU-stack,"",@progbits diff --git a/lib/libopenbsd/stdlib/malloc.3 b/lib/libopenbsd/stdlib/malloc.3 @@ -30,17 +30,19 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $OpenBSD: malloc.3,v 1.101 2017/02/12 10:46:09 otto Exp $ +.\" $OpenBSD: malloc.3,v 1.115 2017/05/15 18:05:34 tb Exp $ .\" -.Dd $Mdocdate: February 12 2017 $ +.Dd $Mdocdate: May 15 2017 $ .Dt MALLOC 3 .Os .Sh NAME .Nm malloc , .Nm calloc , -.Nm reallocarray , .Nm realloc , -.Nm free +.Nm free , +.Nm reallocarray , +.Nm recallocarray , +.Nm freezero .Nd memory allocation and deallocation .Sh SYNOPSIS .In stdlib.h 
@@ -49,21 +51,33 @@ .Ft void * .Fn calloc "size_t nmemb" "size_t size" .Ft void * -.Fn reallocarray "void *ptr" "size_t nmemb" "size_t size" -.Ft void * .Fn realloc "void *ptr" "size_t size" .Ft void .Fn free "void *ptr" +.Ft void * +.Fn reallocarray "void *ptr" "size_t nmemb" "size_t size" +.Ft void * +.Fn recallocarray "void *ptr" "size_t oldnmemb" "size_t nmemb" "size_t size" +.Ft void +.Fn freezero "void *ptr" "size_t size" .Vt char *malloc_options ; .Sh DESCRIPTION +The standard functions +.Fn malloc , +.Fn calloc , +and +.Fn realloc +allocate +.Em objects , +regions of memory to store values. The .Fn malloc function allocates uninitialized space for an object of the specified .Fa size . .Fn malloc -maintains multiple lists of free blocks according to size, allocating -space from the appropriate list. +maintains multiple lists of free objects according to size, allocating +from the appropriate list or requesting memory from the kernel. The allocated space is suitably aligned (after possible pointer coercion) for storage of any type of object. .Pp @@ -82,6 +96,12 @@ function changes the size of the object pointed to by to .Fa size bytes and returns a pointer to the (possibly moved) object. +If +.Fa ptr +is not +.Dv NULL , +it must be a pointer returned by an earlier call to an allocation or +reallocation function that was not freed in between. The contents of the object are unchanged up to the lesser of the new and old sizes. If the new size is larger, the value of the newly allocated portion 
@@ -100,6 +120,26 @@ behaves like and allocates a new object. .Pp The +.Fn free +function causes the space pointed to by +.Fa ptr +to be either placed on a list of free blocks to make it available for future +allocation or, when appropriate, to be returned to the kernel using +.Xr munmap 2 . +If +.Fa ptr +is +.Dv NULL , +no action occurs. +If +.Fa ptr +was previously freed by +.Fn free +or a reallocation function, +the behavior is undefined and the double free is a security concern. +.Pp +Designed for safe allocation of arrays, +the .Fn reallocarray function is similar to .Fn realloc 
@@ -112,44 +152,82 @@ and checks for integer overflow in the calculation * .Fa size . .Pp +Used for the allocation of memory holding sensitive data, +the +.Fn recallocarray +and +.Fn freezero +functions guarantee that memory becoming unallocated is explicitly +.Em discarded , +meaning pages of memory are disposed via +.Xr munmap 2 +and cached free objects are cleared with +.Xr explicit_bzero 3 . +.Pp The -.Fn free -function causes the space pointed to by +.Fn recallocarray +function is similar to +.Fn reallocarray +except it ensures newly allocated memory is cleared similar to +.Fn calloc . +If .Fa ptr -to be either placed on a list of free pages to make it available for future -allocation or, if required, to be returned to the kernel using -.Xr munmap 2 . +is +.Dv NULL , +.Fa oldnmemb +is ignored and the call is equivalent to +.Fn calloc . If .Fa ptr -is a -.Dv NULL -pointer, no action occurs. +is not +.Dv NULL , +.Fa oldnmemb +must be a value such that +.Fa oldnmemb +* +.Fa size +is the size of the earlier allocation that returned +.Fa ptr , +otherwise the behaviour is undefined. +.Pp +The +.Fn freezero +function is similar to the +.Fn free +function except it ensures memory is explicitly discarded. If .Fa ptr -was previously freed by -.Fn free , -.Fn realloc , -or -.Fn reallocarray , -the behavior is undefined and the double free is a security concern. +is +.Dv NULL , +no action occurs. +If +.Fa ptr +is not +.Dv NULL , +the +.Fa size +argument must be equal or smaller than the size of the earlier allocation +that returned +.Fa ptr . +.Fn freezero +guarantees the memory range starting at +.Fa ptr +with length +.Fa size +is discarded while deallocating the whole object originally allocated. 
.Sh RETURN VALUES -Upon successful completion, the functions -.Fn malloc , -.Fn calloc , -.Fn realloc , -and -.Fn reallocarray -return a pointer to the allocated space; otherwise, a +Upon successful completion, the allocation functions +return a pointer to the allocated space; otherwise, .Dv NULL -pointer is returned and +is returned and .Va errno is set to .Er ENOMEM . .Pp If -.Fa size -or .Fa nmemb +or +.Fa size is equal to 0, a unique pointer to an access protected, zero sized object is returned. Access via this pointer will generate a @@ -161,20 +239,40 @@ If multiplying and .Fa size results in integer overflow, -.Fn calloc -and +.Fn calloc , .Fn reallocarray +and +.Fn recallocarray return .Dv NULL and set .Va errno to .Er ENOMEM . +.Pp +If +.Fa ptr +is not +.Dv NULL +and multiplying +.Fa oldnmemb +and +.Fa size +results in integer overflow +.Fn recallocarray +returns +.Dv NULL +and sets +.Va errno +to +.Er EINVAL . .Sh IDIOMS Consider .Fn calloc -or the extension +or the extensions .Fn reallocarray +and +.Fn recallocarray when there is multiplication in the .Fa size argument of @@ -264,6 +362,15 @@ Use the following: .Bd -literal -offset indent newp = realloc(p, newsize); .Ed +.Pp +The +.Fn recallocarray +function should be used for resizing objects containing sensitive data like +keys. +To avoid leaking information, +it guarantees memory is cleared before placing it on the internal free list. +Deallocation of such an object should be done by calling +.Fn freezero . .Sh ENVIRONMENT .Bl -tag -width "/etc/malloc.conf" .It Ev MALLOC_OPTIONS @@ -287,7 +394,7 @@ size_t num, size; if (size && num > SIZE_MAX / size) errc(1, EOVERFLOW, "overflow"); -if ((p = malloc(size * num)) == NULL) +if ((p = malloc(num * size)) == NULL) err(1, NULL); .Ed .Pp 
@@ -305,16 +412,17 @@ if (size < 0 || num < 0) if (size && num > INT_MAX / size) errc(1, EOVERFLOW, "overflow"); -if ((p = malloc(size * num)) == NULL) +if ((p = malloc(num * size)) == NULL) err(1, NULL); .Ed .Pp Assuming the implementation checks for integer overflow as .Ox does, it is much easier to use -.Fn calloc +.Fn calloc , +.Fn reallocarray , or -.Fn reallocarray . +.Fn recallocarray . .Pp The above examples could be simplified to: .Bd -literal -offset indent @@ -328,14 +436,7 @@ if ((p = calloc(num, size)) == NULL) err(1, NULL); .Ed .Sh DIAGNOSTICS -If -.Fn malloc , -.Fn calloc , -.Fn realloc , -.Fn reallocarray , -or -.Fn free -detect an error condition, +If any of the functions detect an error condition, a message will be printed to file descriptor 2 (not using stdio). Errors will result in the process being aborted. 
@@ -345,40 +446,36 @@ Here is a brief description of the error messages and what they mean: .It Dq out of memory If the .Cm X -option is specified it is an error for -.Fn malloc , -.Fn calloc , -.Fn realloc , -or -.Fn reallocarray +option is specified it is an error for the allocation functions to return .Dv NULL . -.It Dq malloc init mmap failed -This is a rather weird condition that is most likely to indicate a -seriously overloaded system or a ulimit restriction. .It Dq bogus pointer (double free?) An attempt to -.Fn free , -.Fn realloc , +.Fn free or -.Fn reallocarray -an unallocated pointer was made. +reallocate an unallocated pointer was made. .It Dq chunk is already free There was an attempt to free a chunk that had already been freed. .It Dq use after free A chunk has been modified after it was freed. .It Dq modified chunk-pointer The pointer passed to -.Fn free , -.Fn realloc , -or -.Fn reallocarray -has been modified. +.Fn free +or a reallocation function has been modified. .It Dq chunk canary corrupted address offset@length A byte after the requested size has been overwritten, indicating a heap overflow. The offset at which corruption was detected is printed before the @, and the requested length of the allocation after the @. +.It Dq recorded old size oldsize != size +.Fn recallocarray +has detected that the given old size does not equal the recorded size in its +meta data. +Enabling option +.Cm C +allows +.Fn recallocarray +to catch more of these cases. .It Dq recursive call An attempt was made to call recursively into these functions, i.e., from a signal handler. 
@@ -394,12 +491,6 @@ functions nor utilize any other functions which may call routines). .It Dq unknown char in MALLOC_OPTIONS We found something we didn't understand. -.It Dq malloc cache overflow/underflow -The internal malloc page cache has been corrupted. -.It Dq malloc free slot lost -The internal malloc page cache has been corrupted. -.It Dq guard size -An inconsistent guard size was detected. .It any other error .Fn malloc detected an internal error; @@ -425,9 +516,9 @@ functions conform to .St -ansiC . .Pp If -.Fa size -or .Fa nmemb +or +.Fa size are 0, the return value is implementation defined; other conforming implementations may return .Dv NULL @@ -489,6 +580,14 @@ The .Fn reallocarray function appeared in .Ox 5.6 . +The +.Fn recallocarray +function appeared in +.Ox 6.1 . +The +.Fn freezero +function appeared in +.Ox 6.2 . .Sh CAVEATS When using .Fn malloc , @@ -515,9 +614,10 @@ An attacker may be able to leverage this heap corruption to execute arbitrary code. .Pp Consider using -.Fn calloc -or +.Fn calloc , .Fn reallocarray +or +.Fn recallocarray instead of using multiplication in .Fn malloc and