do not allow allocations that overflow ptrdiff_t; fix some overflow
checks that were not quite right but didn't matter due to address
layout implementation.
this is needed in the long term for ABI compatibility anyway, and in
the immediate, it helps with building broken programs like GNU screen
that try to prototype the functions themselves rather than using the
header.
this is a nonstandard header used only by backwards programs, but for
some reason it's extremely popular. the recent namespace cleanup fixes
broke it, because PATH_MAX and NAME_MAX will not be defined unless an
approriate feature test macro has been defined. moreover, it's too
late to just #define _GNU_SOURCE in param.h, since limits.h may have
already been included.
let's just hard-code standard values and be done with it.
the existence of a (kernelspace) thread must never have observable
effects after the thread count is decremented. if signals are not
blocked, it could end up handling the signal for rsyscall and
contributing towards the count of threads which have changed ids,
causing a thread to be missed. this could lead to one thread retaining
unwanted privilege level.
this change may also address other subtle race conditions in
application code that uses signals.
the historic mktemp is supposed to blank the template string on
failure, rather than returning 0. just zero the first character so
that mkstemp and mkdtemp can still retry with O(1) space requirement.
only the structures, not the functions from ucontext.h, are supported
at this point. the main goal of this commit is to make modern gcc with
dwarf2 unwinding build without errors.
honestly, it probably doesn't matter how we define these as long as
they have members with the right names to prevent errors while
compiling libgcc. the only time they will be used is for propagating
exceptions across signal-handler boundaries, which invokes undefined
behavior anyway. but as-is, they're probably correct and may be useful
to various low-level applications dealing with virtualization, jit
code generation, and so on...
note that this presently does not handle consistency of the libc's own
global state during forking. as per POSIX 2008, if the parent process
was threaded, the child process may only call async-signal-safe
functions until one of the exec-family functions is called, so the
current behavior is believed to be conformant even if non-ideal. it
may be improved at some later time.
use current time in nanoseconds and some potentially-random (if aslr
is enabled) pointer values for the initial tempfile name generation,
and step via a cheap linear prng on collisions. limit the number of
retry attempts to prevent denial of service attacks even if an
attacker can guess the filenames.
this allows sys/types.h to provide the pthread types, as required by
POSIX. this design also facilitates forcing ABI-compatible sizes in
the arch-specific alltypes.h, while eliminating the need for
developers changing the internals of the pthread types to poke around
with arch-specific headers they may not be able to test.
Rich Felker