NetBSD Problem Report #58208
From www@netbsd.org Sun Apr 28 13:45:03 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id B6D501A923A
for <gnats-bugs@gnats.NetBSD.org>; Sun, 28 Apr 2024 13:45:03 +0000 (UTC)
Message-Id: <20240428134432.47C651A923A@mollari.NetBSD.org>
Date: Sun, 28 Apr 2024 13:44:32 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: ctype(3) provides poor runtime feedback of abuse
X-Send-Pr-Version: www-1.0
>Number: 58208
>Category: lib
>Synopsis: ctype(3) provides poor runtime feedback of abuse
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: riastradh
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Apr 28 13:50:00 +0000 2024
>Closed-Date: Mon Feb 02 03:45:38 +0000 2026
>Last-Modified: Mon Feb 02 03:45:38 +0000 2026
>Originator: Taylor R Campbell
>Release: current, 10, 9, ...
>Organization:
The NetBSD isfoundation
>Environment:
>Description:
The ctype(3) functions, such as isprint/isdigit/isalpha and toupper/tolower, have a singularly troublesome specification: Their argument has type int, but they are only defined on inputs that are either (a) the value of the EOF macro (which on NetBSD is -1), or (b) representable by unsigned char. In other words, there are exactly 257 allowed inputs: {-1, 0, 1, 2, 3, ..., 255}. Any other inputs lead to undefined behaviour.
This is because they are meant for use with stdio functions like fgetc(3):
int ch;
while ((ch = fgetc(fp)) != EOF) {
if (isspace(ch))
continue;
...
}
Using them to process arbitrary strings via `char *' requires explicit conversion to `unsigned char':
char *s;
for (s = ...; *s != '\0'; s++) {
if (isspace((unsigned char)*s))
continue;
...
}
Without this conversion, on machines where char is signed such as x86, char values outside the 7-bit US-ASCII range are either (a) undefined behaviour, or (b) in the case of the all-bits-set octet, conflated with EOF.
Our definitions are crafted to trigger a compiler warning to detect this use of char inputs, but it doesn't always work -- it has been broken on netbsd-9. And in C++ it doesn't apply (separate issue). Plus, in a misguided attempt to pacify this legitimate warning, some code is written to do nonsense like isspace((int)*s), which suppresses the warning without fixing the problem, because integers like -7 are preserved instead of being converted to 249.
Currently, when inputs below -1 are passed in, the ctype(3) functions read out whatever memory precedes the ctype/tolower/toupper tables, either statically linked into libc for the C locale, or dynamically allocated for other locales. This may lead to crashes, but more likely it just leads to confusing nondeterministic outputs, like <https://github.com/ledger/ledger/issues/2338>.
>How-To-Repeat:
char s[] = {0xb5, 0};
// optionally: setlocale(LC_ALL, "");
printf("%d\n", isspace(s[0]));
>Fix:
On machines with signed char, we should allocate a guard page before the ctype/tolower/toupper tables so that attempts to pass in negative values other than EOF lead to immediate SIGSEGV rather than to silent corruption of outputs or leakage of unrelated memory.
We can also arrange to have the out-of-line functions check for inputs below -1 and abort another way, but that's not enough because the ABI allows direct access to the tables via ctype_inline.h.
>Release-Note:
>Audit-Trail:
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: src
Date: Fri, 28 Mar 2025 18:41:55 +0000
Module Name: src
Committed By: riastradh
Date: Fri Mar 28 18:41:55 UTC 2025
Modified Files:
src/distrib/sets/lists/debug: mi
src/distrib/sets/lists/tests: mi
src/tests/lib/libc/gen: Makefile
Added Files:
src/tests/lib/libc/gen: t_ctype.c
Log Message:
t_ctype: New test for ctype(3) functions/macros.
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.469 -r1.470 src/distrib/sets/lists/debug/mi
cvs rdiff -u -r1.1361 -r1.1362 src/distrib/sets/lists/tests/mi
cvs rdiff -u -r1.57 -r1.58 src/tests/lib/libc/gen/Makefile
cvs rdiff -u -r0 -r1.1 src/tests/lib/libc/gen/t_ctype.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: src/tests/lib/libc/gen
Date: Fri, 28 Mar 2025 18:54:10 +0000
Module Name: src
Committed By: riastradh
Date: Fri Mar 28 18:54:10 UTC 2025
Modified Files:
src/tests/lib/libc/gen: t_ctype.c
Log Message:
t_ctype: Fix tests on platforms where char is unsigned.
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 src/tests/lib/libc/gen/t_ctype.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: src
Date: Fri, 28 Mar 2025 19:13:23 +0000
Module Name: src
Committed By: riastradh
Date: Fri Mar 28 19:13:23 UTC 2025
Modified Files:
src/lib/libc/locale: rune.c
src/tests/lib/libc/gen: t_ctype.c
Log Message:
libc: Put guard pages before locale ctype/tolower/toupper tables.
This way, triggering the undefined behaviour of negative inputs to
the ctype functions leads to instant SIGSEGV, rather than silently
giving bonkers (and likely nondeterministic) answers. (See ctype(3)
man page for details.)
This only affects non-default locales, i.e., locales other than C.
The C locale's tables are statically linked into libc, and the
symbols defining them are baked into the ABI, so putting a guard page
before them will require either some careful elven surgery (which is
a class I must have missed back in university), or copying them into
dynamically allocated memory (which is a cost I'm reluctant to incur
on all programs using libc).
This also only affects machines where char is signed for now. (But
maybe it would be worth doing unconditionally; users could still try
to pass in explicit `signed char' inputs.)
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.48 src/lib/libc/locale/rune.c
cvs rdiff -u -r1.2 -r1.3 src/tests/lib/libc/gen/t_ctype.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: src/tests/lib/libc/gen
Date: Fri, 28 Mar 2025 19:24:03 +0000
Module Name: src
Committed By: riastradh
Date: Fri Mar 28 19:24:03 UTC 2025
Modified Files:
src/tests/lib/libc/gen: t_ctype.c
Log Message:
t_ctype: Test explicit setlocale(LC_CTYPE, "C").
And do so after other setlocales -- just in case this behaves
differently from the default environment before any setlocale.
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 src/tests/lib/libc/gen/t_ctype.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: src/tests/lib/libc/gen
Date: Fri, 28 Mar 2025 22:51:58 +0000
Module Name: src
Committed By: riastradh
Date: Fri Mar 28 22:51:58 UTC 2025
Modified Files:
src/tests/lib/libc/gen: t_ctype.c
Log Message:
t_ctype: Include UCHAR_MAX in the range of inputs tested.
It should definitely be included because it is important to distinguish
it from EOF!
Noted by rillig@.
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/tests/lib/libc/gen/t_ctype.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: src/tests/lib/libc/gen
Date: Fri, 28 Mar 2025 22:52:35 +0000
Module Name: src
Committed By: riastradh
Date: Fri Mar 28 22:52:35 UTC 2025
Modified Files:
src/tests/lib/libc/gen: t_ctype.c
Log Message:
t_ctype: Test some more code points with potential for EOF confusion.
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/tests/lib/libc/gen/t_ctype.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: src/tests/lib/libc/gen
Date: Fri, 28 Mar 2025 23:01:51 +0000
Module Name: src
Committed By: riastradh
Date: Fri Mar 28 23:01:51 UTC 2025
Modified Files:
src/tests/lib/libc/gen: t_ctype.c
Log Message:
t_ctype: Factor loop out of macro-generated functions.
No functional change intended.
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/tests/lib/libc/gen/t_ctype.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: src/tests/lib/libc/gen
Date: Fri, 28 Mar 2025 23:30:34 +0000
Module Name: src
Committed By: riastradh
Date: Fri Mar 28 23:30:34 UTC 2025
Modified Files:
src/tests/lib/libc/gen: t_ctype.c
Log Message:
t_ctype: More const is more better!
No functional change intended -- we never intended to write to this
array anyway.
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/tests/lib/libc/gen/t_ctype.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: src
Date: Sat, 29 Mar 2025 01:06:37 +0000
Module Name: src
Committed By: riastradh
Date: Sat Mar 29 01:06:37 UTC 2025
Modified Files:
src/lib/libc/gen: isctype.c
src/tests/lib/libc/gen: t_ctype.c
Log Message:
ctype(3): Summon a demon from caller's nose if abused out-of-line.
This way, applications which opt for the out-of-line functions will
crash with a potentially meaningful message to stderr if they pass
inputs on which the ctype(3) functions are undefined. (If fd 2 is
something else, tough -- this is nasal demon country, and they fly
where they please, application intent be damned.)
This probably won't catch many applications -- but it might catch C++
applications at runtime that can't be caught at build-time because
they eschew the macros.
The cost is a single predicted-not-taken branch -- it's checking c
for membership in the interval [-1,0xff] when we're already computing
c + 1, so it can be a single unsigned-compare. By deferring the
message and abort to an out-of-line function we avoid a stack frame
in the good case. And this is for the unlikely, out-of-line versions
of the ctype(3) functions -- most applications get the inline macros.
So I'm not concerned by the prospect of a performance impact.
Update the tests so they recognize SIGABRT as noisy failure too, not
just SIGSEGV.
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.27 src/lib/libc/gen/isctype.c
cvs rdiff -u -r1.8 -r1.9 src/tests/lib/libc/gen/t_ctype.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Taylor R Campbell <riastradh@NetBSD.org>
To: gnats-bugs@NetBSD.org, netbsd-bugs@NetBSD.org
Cc:
Subject: Re: PR/58208 CVS commit: src
Date: Sat, 29 Mar 2025 02:53:12 +0000
This is a multi-part message in MIME format.
--=_ml7q+P8YFLTA7qSAPcDHHBHCSIXmg0yj
The attached patch fixes the remaining xfail tests by allocating a
guard page before each of the
C ctype
C compat ctype
C tolower
C toupper
tables in libc initializers.
With this patch, any attempt to pass a negative char value into the
ctype(3) functions in any locale will be detected noisily and trigger
SIGSEGV or SIGABRT, rather than yield bogus and nondeterministic
answers.
This is tempting. But I'm not sure this is worth the cost, because
the cost is incurred at _every_ program startup with libc. So it
needs some measurement, at least.
--=_ml7q+P8YFLTA7qSAPcDHHBHCSIXmg0yj
Content-Type: text/plain; charset="ISO-8859-1"; name="pr58208-staticctypeguardpage-v4"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment; filename="pr58208-staticctypeguardpage-v4.patch"
# HG changeset patch
# User Taylor R Campbell <riastradh@NetBSD.org>
# Date 1743186173 0
# Fri Mar 28 18:22:53 2025 +0000
# Branch trunk
# Node ID 44cc0fea499139f79fe235456e01559239ede6b8
# Parent 2f58eca9ae23856391bac5cbd7a9dc4d8581c1c9
# EXP-Topic riastradh-pr58208-runtimectypeabusedetection
libc: Put guard pages before the C ctype/tolower/toupper tables.
This may incur some overhead from additional mmap/mprotect calls on
every program startup in libc.
This also only affects machines where char is signed for now. (But
maybe it would be worth doing unconditionally; users could still try
to pass in explicit `signed char' inputs.)
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
diff -r 2f58eca9ae23 -r 44cc0fea4991 lib/libc/citrus/citrus_lc_ctype.c
--- a/lib/libc/citrus/citrus_lc_ctype.c Sat Mar 29 01:40:59 2025 +0000
+++ b/lib/libc/citrus/citrus_lc_ctype.c Fri Mar 28 18:22:53 2025 +0000
@@ -102,12 +102,32 @@ static __inline void
_DIAGASSERT(data !=3D NULL);
=20
__mb_cur_max =3D _citrus_ctype_get_mb_cur_max(data->rl_citrus_ctype);
- _ctype_tab_ =3D data->rl_ctype_tab;
- _tolower_tab_ =3D data->rl_tolower_tab;
- _toupper_tab_ =3D data->rl_toupper_tab;
+#ifndef __CHAR_UNSIGNED__
+ if (__predict_false(data->rl_ctype_tab =3D=3D _C_ctype_tab_))
+ _ctype_tab_ =3D _C_ctype_tab_guarded;
+ else
+#endif
+ _ctype_tab_ =3D data->rl_ctype_tab;
+#ifndef __CHAR_UNSIGNED__
+ if (__predict_false(data->rl_tolower_tab =3D=3D _C_tolower_tab_))
+ _tolower_tab_ =3D _C_tolower_tab_guarded;
+ else
+#endif
+ _tolower_tab_ =3D data->rl_tolower_tab;
+#ifndef __CHAR_UNSIGNED__
+ if (__predict_false(data->rl_toupper_tab =3D=3D _C_toupper_tab_))
+ _toupper_tab_ =3D _C_toupper_tab_guarded;
+ else
+#endif
+ _toupper_tab_ =3D data->rl_toupper_tab;
=20
#ifdef __BUILD_LEGACY
- _ctype_ =3D data->rl_compat_bsdctype;
+#ifndef __CHAR_UNSIGNED__
+ if (__predict_false(data->rl_compat_bsdctype =3D=3D _C_compat_bsdctype))
+ _ctype_ =3D _C_compat_bsdctype_guarded;
+ else
+#endif
+ _ctype_ =3D data->rl_compat_bsdctype;
#endif
}
=20
diff -r 2f58eca9ae23 -r 44cc0fea4991 lib/libc/gen/ctype_.c
--- a/lib/libc/gen/ctype_.c Sat Mar 29 01:40:59 2025 +0000
+++ b/lib/libc/gen/ctype_.c Fri Mar 28 18:22:53 2025 +0000
@@ -44,8 +44,14 @@
#endif /* LIBC_SCCS and not lint */
=20
#include <sys/ctype_bits.h>
+#include <sys/mman.h>
+
#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
#include "ctype_local.h"
+#include "runetype_local.h"
=20
#if EOF !=3D -1
#error "EOF !=3D -1"
@@ -158,3 +164,52 @@ const unsigned short _C_ctype_tab_[1 + _
#undef _X
=20
const unsigned short *_ctype_tab_ =3D &_C_ctype_tab_[0];
+
+#ifndef __CHAR_UNSIGNED__
+
+#define roundup(X, N) ((((X) + ((N) - 1))/(N))*(N))
+
+__dso_hidden
+const void *
+guard_ctype(const void *tab, size_t size)
+{
+ const unsigned page_size =3D sysconf(_SC_PAGESIZE);
+ size_t nbytes =3D 0;
+ void *p =3D MAP_FAILED, *q =3D NULL;
+
+ nbytes =3D page_size + roundup(size, page_size);
+ p =3D mmap(NULL, nbytes, PROT_READ|PROT_WRITE, MAP_ANON,
+ /*fd*/-1, /*offset*/0);
+ if (p =3D=3D MAP_FAILED)
+ goto fail;
+ if (mprotect(p, page_size, PROT_NONE) =3D=3D -1)
+ goto fail;
+ q =3D (char *)p + page_size;
+ memcpy(q, tab, size);
+ memset((char *)q + size, 0xff, nbytes - size - page_size);
+ return q;
+
+fail: if (p !=3D MAP_FAILED)
+ (void)munmap(p, nbytes);
+ return tab;
+}
+
+#ifdef __BUILD_LEGACY
+__dso_hidden const unsigned char *_C_compat_bsdctype_guarded =3D
+ &_C_compat_bsdctype[0];
+#endif
+__dso_hidden const unsigned short *_C_ctype_tab_guarded =3D &_C_ctype_tab_=
[0];
+
+static void __attribute__((constructor))
+ctype_guard_init(void)
+{
+
+#ifdef __BUILD_LEGACY
+ _ctype_ =3D _C_compat_bsdctype_guarded =3D
+ guard_ctype(_C_compat_bsdctype, sizeof(_C_compat_bsdctype));
+#endif
+ _ctype_tab_ =3D _C_ctype_tab_guarded =3D
+ guard_ctype(_C_ctype_tab_, sizeof(_C_ctype_tab_));
+}
+
+#endif /* __CHAR_UNSIGNED__ */
diff -r 2f58eca9ae23 -r 44cc0fea4991 lib/libc/gen/tolower_.c
--- a/lib/libc/gen/tolower_.c Sat Mar 29 01:40:59 2025 +0000
+++ b/lib/libc/gen/tolower_.c Fri Mar 28 18:22:53 2025 +0000
@@ -61,3 +61,17 @@ const short _C_tolower_tab_[1 + _CTYPE_N
#endif
=20
const short *_tolower_tab_ =3D &_C_tolower_tab_[0];
+
+#ifndef __CHAR_UNSIGNED__
+
+__dso_hidden const short *_C_tolower_tab_guarded =3D &_C_tolower_tab_[0];
+
+static void __attribute__((constructor))
+tolower_guard_init(void)
+{
+
+ _tolower_tab_ =3D _C_tolower_tab_guarded =3D
+ guard_ctype(_C_tolower_tab_, sizeof(_C_tolower_tab_));
+}
+
+#endif /* __CHAR_UNSIGNED__ */
diff -r 2f58eca9ae23 -r 44cc0fea4991 lib/libc/gen/toupper_.c
--- a/lib/libc/gen/toupper_.c Sat Mar 29 01:40:59 2025 +0000
+++ b/lib/libc/gen/toupper_.c Fri Mar 28 18:22:53 2025 +0000
@@ -61,3 +61,17 @@ const short _C_toupper_tab_[1 + _CTYPE_N
#endif
=20
const short *_toupper_tab_ =3D &_C_toupper_tab_[0];
+
+#ifndef __CHAR_UNSIGNED__
+
+__dso_hidden const short *_C_toupper_tab_guarded =3D &_C_toupper_tab_[0];
+
+static void __attribute__((constructor))
+toupper_guard_init(void)
+{
+
+ _toupper_tab_ =3D _C_toupper_tab_guarded =3D
+ guard_ctype(_C_toupper_tab_, sizeof(_C_toupper_tab_));
+}
+
+#endif /* __CHAR_UNSIGNED__ */
diff -r 2f58eca9ae23 -r 44cc0fea4991 lib/libc/locale/ctype_local.h
--- a/lib/libc/locale/ctype_local.h Sat Mar 29 01:40:59 2025 +0000
+++ b/lib/libc/locale/ctype_local.h Fri Mar 28 18:22:53 2025 +0000
@@ -49,6 +49,16 @@ extern const short _C_tolower_tab_[];
#ifdef __BUILD_LEGACY
extern const unsigned char *_ctype_;
extern const unsigned char _C_compat_bsdctype[];
+#ifndef __CHAR_UNSIGNED__
+__dso_hidden extern const unsigned char *_C_compat_bsdctype_guarded;
+#endif
+#endif
+
+#ifndef __CHAR_UNSIGNED__
+__dso_hidden const void *guard_ctype(const void *, size_t);
+__dso_hidden extern const unsigned short *_C_ctype_tab_guarded;
+__dso_hidden extern const short *_C_tolower_tab_guarded;
+__dso_hidden extern const short *_C_toupper_tab_guarded;
#endif
=20
#endif /*_CTYPE_LOCAL_H_*/
diff -r 2f58eca9ae23 -r 44cc0fea4991 tests/lib/libc/gen/t_ctype.c
--- a/tests/lib/libc/gen/t_ctype.c Sat Mar 29 01:40:59 2025 +0000
+++ b/tests/lib/libc/gen/t_ctype.c Fri Mar 28 18:22:53 2025 +0000
@@ -112,13 +112,7 @@ test_abuse_in_locales(const char *name,=20
ATF_REQUIRE_MSG(setlocale(LC_CTYPE, locales[i]) !=3D NULL,
"locales[i]=3D%s", locales[i]);
snprintf(buf, sizeof(buf), "[%s]%s", locales[i], name);
- if (macro && strcmp(locales[i], "C") =3D=3D 0) {
- atf_tc_expect_fail("PR lib/58208: ctype(3)"
- " provides poor runtime feedback of abuse");
- }
test_abuse(buf, ctypefn);
- if (strcmp(locales[i], "C") =3D=3D 0)
- atf_tc_expect_pass();
}
}
=20
@@ -789,8 +783,6 @@ ATF_TC_BODY(abuse_##FN##_macro_c, tc) =09
atf_tc_skip("runtime ctype(3) abuse is impossible with" \
" unsigned char"); \
} \
- atf_tc_expect_fail("PR lib/58208:" \
- " ctype(3) provides poor runtime feedback of abuse"); \
test_abuse(#FN, &FN##_wrapper); \
} \
ATF_TC(abuse_##FN##_function_c); \
--=_ml7q+P8YFLTA7qSAPcDHHBHCSIXmg0yj--
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: src
Date: Sat, 29 Mar 2025 19:40:42 +0000
Module Name: src
Committed By: riastradh
Date: Sat Mar 29 19:40:42 UTC 2025
Modified Files:
src/lib/libc/gen: ctype_.c tolower_.c toupper_.c
src/tests/lib/libc/gen: t_ctype.c
Added Files:
src/lib/libc/gen: ctype_guard.h
Log Message:
ctype(3): Put guard pages before the C ctype/tolower/toupper tables.
This also only affects machines where char is signed for now. (But
maybe it would be worth doing unconditionally; users could still try
to pass in explicit `signed char' inputs.)
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 src/lib/libc/gen/ctype_.c
cvs rdiff -u -r0 -r1.1 src/lib/libc/gen/ctype_guard.h
cvs rdiff -u -r1.14 -r1.15 src/lib/libc/gen/tolower_.c \
src/lib/libc/gen/toupper_.c
cvs rdiff -u -r1.9 -r1.10 src/tests/lib/libc/gen/t_ctype.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: src/lib/libc/gen
Date: Sat, 29 Mar 2025 20:57:58 +0000
Module Name: src
Committed By: riastradh
Date: Sat Mar 29 20:57:58 UTC 2025
Modified Files:
src/lib/libc/gen: ctype_.c ctype_guard.h tolower_.c toupper_.c
Log Message:
libc: Restore ELF symbol sizes for _C_ctype_tab_ &c.
This is needed for dynamic position-dependent executables that refer
directly to _C_type_tab_ to get correct copy relocations to see the
table content.
Unfortunately, such executables won't get a guard page.
Fortunately, referring to _C_ctype_tab_ directly (and not the
indirection _ctype_tab_ as the ctype(3) macros do) is very weird and
unlikely to happen in the real world (none of the public interfaces
use it; it is exported for libc++.so/libstdc++.so to use, but those
aren't pies). So missing the guard page in this case is probably not
so bad.
The symbol sizes are also needed for, e.g., gdb to nicely identify
addresses that lie in the table.
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/lib/libc/gen/ctype_.c
cvs rdiff -u -r1.1 -r1.2 src/lib/libc/gen/ctype_guard.h
cvs rdiff -u -r1.15 -r1.16 src/lib/libc/gen/tolower_.c \
src/lib/libc/gen/toupper_.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: src/lib/libc/gen
Date: Sat, 29 Mar 2025 21:45:09 +0000
Module Name: src
Committed By: riastradh
Date: Sat Mar 29 21:45:09 UTC 2025
Modified Files:
src/lib/libc/gen: isctype.c
Log Message:
libc/isctype.c: Omit needless #include <assert.h>.
Crept in during an earlier revision when I wrote this with
_DIAGASSERT. (I opted to unconditionally abort so that you get the
feedback about undefined behaviour even if you don't run with
LIBC_DIAGASSERT set in the environment. Since it's undefined
behaviour we are allowed to do this unconditionally, of course!)
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 src/lib/libc/gen/isctype.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: src/lib/libc/gen
Date: Sun, 30 Mar 2025 00:07:52 +0000
Module Name: src
Committed By: riastradh
Date: Sun Mar 30 00:07:52 UTC 2025
Modified Files:
src/lib/libc/gen: ctype_.c ctype_guard.h tolower_.c toupper_.c
Log Message:
ctype(3): Simplify definitions of ctype/tolower/toupper tables.
Clarify comment while here.
No functional change intended. No change to `readelf -a' output on
amd64 or aarch64.
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/lib/libc/gen/ctype_.c
cvs rdiff -u -r1.2 -r1.3 src/lib/libc/gen/ctype_guard.h
cvs rdiff -u -r1.16 -r1.17 src/lib/libc/gen/tolower_.c \
src/lib/libc/gen/toupper_.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: src
Date: Sun, 30 Mar 2025 15:38:39 +0000
Module Name: src
Committed By: riastradh
Date: Sun Mar 30 15:38:38 UTC 2025
Modified Files:
src/lib/libc/gen: ctype_guard.h
src/tests/lib/libc/gen: Makefile t_ctype.c
Log Message:
ctype(3): Disable guard page in static libc.
Adding the guard page may have overflown several small installation
media. Let's try to keep this case small.
Update the tests to detect the cases where we will be running against
a libc without a guard page on the LC_CTYPE=C tables, and skip
testing abuse detection when it would rely on the guard page.
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 src/lib/libc/gen/ctype_guard.h
cvs rdiff -u -r1.58 -r1.59 src/tests/lib/libc/gen/Makefile
cvs rdiff -u -r1.10 -r1.11 src/tests/lib/libc/gen/t_ctype.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: src/lib/libc
Date: Sun, 30 Mar 2025 16:17:05 +0000
Module Name: src
Committed By: riastradh
Date: Sun Mar 30 16:17:05 UTC 2025
Modified Files:
src/lib/libc: Makefile
src/lib/libc/gen: ctype_guard.h
Log Message:
ctype(3): Actually conditionalize guard page on shared libc.
Apparently we build the libc .o files with -fPIC too (I guess this is
so that libc.a works in position-independent executables? but why
don't they just use libc_pic.a?), so use a purpose-built cpp macro
_CTYPE_DYNAMIC for this instead of using __PIC__.
Now this shows the right symbol sizes:
$ readelf -s ctype_.pico | grep _C_ctype_tab_guarded_
3: 0000000000000000 4610 OBJECT LOCAL DEFAULT 11 _C_ctype_tab_guarded_
$ readelf -s ctype_.po | grep _C_ctype_tab_guarded_
3: 0000000000000000 514 OBJECT LOCAL DEFAULT 7 _C_ctype_tab_guarded_
$ readelf -s ctype_.o | grep _C_ctype_tab_guarded_
3: 0000000000000000 514 OBJECT LOCAL DEFAULT 7 _C_ctype_tab_guarded_
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.174 -r1.175 src/lib/libc/Makefile
cvs rdiff -u -r1.4 -r1.5 src/lib/libc/gen/ctype_guard.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: src/lib/libc/gen
Date: Sun, 30 Mar 2025 16:23:13 +0000
Module Name: src
Committed By: riastradh
Date: Sun Mar 30 16:23:13 UTC 2025
Modified Files:
src/lib/libc/gen: ctype_guard.h
Log Message:
ctype(3): Sprinkle _C_LABEL_STRING in a few more places.
Mostly for hygiene and to avoid raising questions about inconsistent
usage; this doesn't actually affect the build any more.
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/lib/libc/gen/ctype_guard.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: src/lib/libc/gen
Date: Mon, 31 Mar 2025 23:48:06 +0000
Module Name: src
Committed By: riastradh
Date: Mon Mar 31 23:48:06 UTC 2025
Modified Files:
src/lib/libc/gen: ctype_guard.h
Log Message:
ctype(3): __strong_alias takes no semicolon, apparently.
Pacifies lint complaint:
/home/riastradh/netbsd/current/src/lib/libc/gen/ctype_.c(90): warning: empty declaration [0]
/home/riastradh/netbsd/current/src/lib/libc/gen/ctype_.c(158): warning: empty declaration [0]
(Maybe we should change __strong_alias and __weak_alias so they do
take semicolons like other top-level declarations...)
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/lib/libc/gen/ctype_guard.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Responsible-Changed-From-To: lib-bug-people->riastradh
Responsible-Changed-By: riastradh@NetBSD.org
Responsible-Changed-When: Tue, 01 Apr 2025 01:36:48 +0000
Responsible-Changed-Why:
mine
fixed in HEAD, worth contemplating pullup-10, not worth pullup-9
State-Changed-From-To: open->needs-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Tue, 01 Apr 2025 01:36:48 +0000
State-Changed-Why:
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: src/lib/libc/locale
Date: Fri, 4 Apr 2025 21:52:19 +0000
Module Name: src
Committed By: riastradh
Date: Fri Apr 4 21:52:19 UTC 2025
Modified Files:
src/lib/libc/locale: rune.c
Log Message:
libc/locale/rune.c: Pacify lint.
sysconf(_SC_PAGESIZE) returns long. In principle it could fail but
in reality it will never fail on NetBSD unless something is severely
broken, so it's better not to clutter callers with error branches.
And the result will always fit in int, but lint doesn't know that, so
just say unsigned long to match the size of what sysconf returns.
This way, lint won't complain about possible integer truncation
(which is not, in fact, possible).
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.48 -r1.49 src/lib/libc/locale/rune.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: src/libexec/ld.elf_so
Date: Fri, 2 May 2025 23:05:11 +0000
Module Name: src
Committed By: riastradh
Date: Fri May 2 23:05:11 UTC 2025
Modified Files:
src/libexec/ld.elf_so: Makefile
Log Message:
ld.elf_so(1): Skip the ctype(3) guard pages.
These came in via libc_pic.a. They aren't very useful because
nothing mprotects them in ld.elf_so -- ld.elf_so ignores its own
constructors. We could fill them with gibberish in a feeble attempt
to highlight ctype(3) abuse...or we could just audit ld.elf_so and
save on the memory by.
This uses a .PATH.c reachover for the ctype_.c file rather than
pulling ctype_.pico out of libc_pic.a.
Sampling of space savings:
(amd64)
$ size ld.elf_so.{before,after}/ld.elf_so
text data bss dec hex filename
81168 2456 1928 85552 14e30 ld.elf_so.before/ld.elf_so
65068 2408 1928 69404 10f1c ld.elf_so.after/ld.elf_so
(mips64)
$ size ld.elf_so.{before,after}/ld.elf_so
text data bss dec hex filename
131729 752 1408 133889 20b01 ld.elf_so.before/ld.elf_so
73185 748 1408 75341 1264d ld.elf_so.after/ld.elf_so
(alpha)
$ size ld.elf_so.{before,after}/ld.elf_so
text data bss dec hex filename
113893 1096 1860 116849 1c871 ld.elf_so.before/ld.elf_so
79680 1048 1860 82588 1429c ld.elf_so.after/ld.elf_so
20-50% reduction in ld.elf_so size isn't too shabby (except this was
all just bloat I had inadvertently caused last month, oops).
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.150 -r1.151 src/libexec/ld.elf_so/Makefile
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: src
Date: Mon, 15 Sep 2025 00:11:55 +0000
Module Name: src
Committed By: riastradh
Date: Mon Sep 15 00:11:55 UTC 2025
Modified Files:
src/distrib/sets/lists/debug: mi
src/distrib/sets/lists/tests: mi
src/lib/libc/gen: ctype_.c ctype_guard.h isctype.c tolower_.c
toupper_.c
src/lib/libc/locale: Makefile.inc rune.c
src/tests/lib/libc/gen: Makefile t_ctype.c
Added Files:
src/tests/lib/libc/gen: h_ctype_abuse.c
Log Message:
ctype(3): New environment variable LIBC_ALLOWCTYPEABUSE.
If set, this does not force the ctype(3) functions to crash when
passed invalid inputs -- instead, they will return nonsense results,
and possibly print warnings to stderr, as is their right in
implementing undefined behaviour.
The nature of the nonsense results is unspecified. Currently, is*()
will always return true (even if that leads to mutually contradictory
conclusions, like isalpha and isdigit, or isgraph and isblank), and
tolower/toupper() will always return EOF. But perhaps in the future
the results may be randomized.
This way, if an application like firefox crashes on ctype abuse, you
can opt to accept the consequences of nonsense results instead by
running `env LIBC_ALLOWCTYPEABUSE= firefox' until the application is
fixed.
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.485 -r1.486 src/distrib/sets/lists/debug/mi
cvs rdiff -u -r1.1393 -r1.1394 src/distrib/sets/lists/tests/mi
cvs rdiff -u -r1.23 -r1.24 src/lib/libc/gen/ctype_.c
cvs rdiff -u -r1.7 -r1.8 src/lib/libc/gen/ctype_guard.h
cvs rdiff -u -r1.28 -r1.29 src/lib/libc/gen/isctype.c
cvs rdiff -u -r1.17 -r1.18 src/lib/libc/gen/tolower_.c \
src/lib/libc/gen/toupper_.c
cvs rdiff -u -r1.68 -r1.69 src/lib/libc/locale/Makefile.inc
cvs rdiff -u -r1.49 -r1.50 src/lib/libc/locale/rune.c
cvs rdiff -u -r1.60 -r1.61 src/tests/lib/libc/gen/Makefile
cvs rdiff -u -r0 -r1.1 src/tests/lib/libc/gen/h_ctype_abuse.c
cvs rdiff -u -r1.11 -r1.12 src/tests/lib/libc/gen/t_ctype.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: src/lib/libc/gen
Date: Mon, 15 Sep 2025 11:59:38 +0000
Module Name: src
Committed By: riastradh
Date: Mon Sep 15 11:59:38 UTC 2025
Modified Files:
src/lib/libc/gen: ctype.3
Log Message:
ctype(3): Document LIBC_ALLOWCTYPEABUSE.
If this is pulled up to netbsd-11, we should tweak the text to make
it apply to 11 too.
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.32 src/lib/libc/gen/ctype.3
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: src/tests/lib/libc/gen
Date: Mon, 15 Sep 2025 17:32:02 +0000
Module Name: src
Committed By: riastradh
Date: Mon Sep 15 17:32:02 UTC 2025
Modified Files:
src/tests/lib/libc/gen: h_ctype_abuse.c
Log Message:
ctype(3): Fix build of tests on machines with unsigned char.
Could maybe phrase this better but this'll do for now.
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 src/tests/lib/libc/gen/h_ctype_abuse.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: [netbsd-11] src
Date: Wed, 1 Oct 2025 17:41:16 +0000
Module Name: src
Committed By: martin
Date: Wed Oct 1 17:41:15 UTC 2025
Modified Files:
src/distrib/sets/lists/debug [netbsd-11]: mi
src/distrib/sets/lists/tests [netbsd-11]: mi
src/lib/libc/gen [netbsd-11]: ctype.3 ctype_.c ctype_guard.h isctype.c
tolower_.c toupper_.c
src/lib/libc/locale [netbsd-11]: Makefile.inc rune.c
src/tests/lib/libc/gen [netbsd-11]: Makefile t_ctype.c
Added Files:
src/tests/lib/libc/gen [netbsd-11]: h_ctype_abuse.c
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #45):
tests/lib/libc/gen/t_ctype.c: revision 1.12
lib/libc/gen/ctype_.c: revision 1.24
lib/libc/locale/rune.c: revision 1.50
tests/lib/libc/gen/Makefile: revision 1.61
lib/libc/gen/tolower_.c: revision 1.18
lib/libc/gen/isctype.c: revision 1.29
distrib/sets/lists/tests/mi: revision 1.1394
lib/libc/gen/toupper_.c: revision 1.18
lib/libc/gen/ctype_guard.h: revision 1.8
lib/libc/locale/Makefile.inc: revision 1.69
lib/libc/gen/ctype.3: revision 1.32
lib/libc/gen/ctype.3: revision 1.33
distrib/sets/lists/debug/mi: revision 1.486
tests/lib/libc/gen/h_ctype_abuse.c: revision 1.1
tests/lib/libc/gen/h_ctype_abuse.c: revision 1.2
ctype(3): New environment variable LIBC_ALLOWCTYPEABUSE.
If set, this does not force the ctype(3) functions to crash when
passed invalid inputs -- instead, they will return nonsense results,
and possibly print warnings to stderr, as is their right in
implementing undefined behaviour.
The nature of the nonsense results is unspecified. Currently, is*()
will always return true (even if that leads to mutually contradictory
conclusions, like isalpha and isdigit, or isgraph and isblank), and
tolower/toupper() will always return EOF. But perhaps in the future
the results may be randomized.
This way, if an application like firefox crashes on ctype abuse, you
can opt to accept the consequences of nonsense results instead by
running `env LIBC_ALLOWCTYPEABUSE= firefox' until the application is
fixed.
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
ctype(3): Document LIBC_ALLOWCTYPEABUSE.
If this is pulled up to netbsd-11, we should tweak the text to make
it apply to 11 too.
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
ctype(3): Fix build of tests on machines with unsigned char.
Could maybe phrase this better but this'll do for now.
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.485 -r1.485.2.1 src/distrib/sets/lists/debug/mi
cvs rdiff -u -r1.1387 -r1.1387.2.1 src/distrib/sets/lists/tests/mi
cvs rdiff -u -r1.31 -r1.31.14.1 src/lib/libc/gen/ctype.3
cvs rdiff -u -r1.23 -r1.23.2.1 src/lib/libc/gen/ctype_.c
cvs rdiff -u -r1.7 -r1.7.2.1 src/lib/libc/gen/ctype_guard.h
cvs rdiff -u -r1.28 -r1.28.2.1 src/lib/libc/gen/isctype.c
cvs rdiff -u -r1.17 -r1.17.2.1 src/lib/libc/gen/tolower_.c \
src/lib/libc/gen/toupper_.c
cvs rdiff -u -r1.68 -r1.68.2.1 src/lib/libc/locale/Makefile.inc
cvs rdiff -u -r1.49 -r1.49.2.1 src/lib/libc/locale/rune.c
cvs rdiff -u -r1.60 -r1.60.2.1 src/tests/lib/libc/gen/Makefile
cvs rdiff -u -r0 -r1.2.2.2 src/tests/lib/libc/gen/h_ctype_abuse.c
cvs rdiff -u -r1.11 -r1.11.2.1 src/tests/lib/libc/gen/t_ctype.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: src/lib/libc/gen
Date: Sun, 5 Oct 2025 00:35:47 +0000
Module Name: src
Committed By: riastradh
Date: Sun Oct 5 00:35:47 UTC 2025
Modified Files:
src/lib/libc/gen: ctype.3
Log Message:
ctype(3): Fix versions and clarify what LIBC_ALLOWCTYPEABUSE does.
Both the extra diagnostics _and_ LIBC_ALLOWCTYPEABUSE are new in 11.
The extra diagnostics were not added in 10 (unless someone went ahead
and pulled them up while I wasn't looking!).
LIBC_ALLOWCTYPEABUSE doesn't guarantee that the program won't crash;
it just makes that depend on factors such as address space layout
randomization -- where the ctype tables appear in memory relative to
non-readable pages.
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.34 -r1.35 src/lib/libc/gen/ctype.3
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: needs-pullups->pending-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Sat, 18 Oct 2025 23:02:02 +0000
State-Changed-Why:
pullup-11 #59
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58208 CVS commit: [netbsd-11] src/lib/libc/gen
Date: Sun, 19 Oct 2025 10:21:19 +0000
Module Name: src
Committed By: martin
Date: Sun Oct 19 10:21:19 UTC 2025
Modified Files:
src/lib/libc/gen [netbsd-11]: ctype.3
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #59):
lib/libc/gen/ctype.3: revision 1.34
lib/libc/gen/ctype.3: revision 1.35
ctype(3): Clarify test program output. Update compiler warning.
Should be a little easier to read. The fact that isprint returns
_any_ nonzero value, not necessarily 1, isn't germane to the point
here, so showing it return 5 or 2 doesn't really help to illustrate
anything.
ctype(3): Fix versions and clarify what LIBC_ALLOWCTYPEABUSE does.
Both the extra diagnostics _and_ LIBC_ALLOWCTYPEABUSE are new in 11.
The extra diagnostics were not added in 10 (unless someone went ahead
and pulled them up while I wasn't looking!).
LIBC_ALLOWCTYPEABUSE doesn't guarantee that the program won't crash;
it just makes that depend on factors such as address space layout
randomization -- where the ctype tables appear in memory relative to
non-readable pages.
PR lib/58208: ctype(3) provides poor runtime feedback of abuse
To generate a diff of this commit:
cvs rdiff -u -r1.31.14.1 -r1.31.14.2 src/lib/libc/gen/ctype.3
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: pending-pullups->closed
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Mon, 02 Feb 2026 03:45:38 +0000
State-Changed-Why:
pulled up to 11, not worth it for <=10
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.47 2022/09/11 19:34:41 kim Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2026
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
Home