Update.

1998-05-19 15:58  Ulrich Drepper  <drepper@cygnus.com>

	* elf/rtld.c (process_envvars): Fix typo.  Don't handle
	LD_PROFILE_OUTPUT in SUID binaries.
	* intl/dcgettext.c: In SUID binaries don't let language part of
	locale value contain path elements.
	* intl/explodename.h: Define new function _nl_find_language.
	* intl/loadinfo.h: Declare _nl_find_language.
	* locale/findlocale.c (_nl_find_locale): Use _nl_find_locale to get
	language part it drop the value is path element is contained.

	* locale/setlocale.c: Fix typo.

1998-05-18  Philip Blundell  <Philip.Blundell@pobox.com>

	* sysdeps/unix/sysv/linux/arm/socket.S: Correct handling of arguments.

	* sysdeps/arm/strlen.S: Support both big and little endian processors.

	* sysdeps/arm/sysdep.h (ALIGNARG): ELF .align directive uses a
	log, not a byte-count.

	* sysdeps/unix/arm/sysdep.S (syscall_error): Use C_SYMBOL_NAME for
	a.out compatibility.

1998-05-19  Andreas Jaeger  <aj@arthur.rhein-neckar.de>

	* sysdeps/unix/bsd/vax/vfork.S: Fix the "the the" problems.
	* sysdeps/unix/bsd/sun/m68k/vfork.S: Likewise.
	* sysdeps/unix/bsd/hp/m68k/vfork.S: Likewise.
	* posix/unistd.h: Likewise.
	* math/math.h: Likewise.
	* manual/users.texi (Manipulating the Database): Likewise.
	* manual/signal.texi (Job Control Signals): Likewise.
	* manual/message.texi (The gencat program): Likewise.
	* manual/filesys.texi (Hard Links): Likewise.
	* manual/math.texi (SVID Random): Likewise.
	* manual/llio.texi (Waiting for I/O): Likewise.
	* manual/io.texi (File Name Errors): Likewise.
	* manual/conf.texi (String Parameters): Likewise.
	* manual/arith.texi (Infinity): Likewise.
	* malloc/malloc.c: Likewise.
	* hurd/hurdsig.c (_hurd_internal_post_signal): Likewise.
	* csu/Makefile: Likewise.

ChangeLog

@@ -1,3 +1,48 @@
+1998-05-19 15:58  Ulrich Drepper  <drepper@cygnus.com>
+
+	* elf/rtld.c (process_envvars): Fix typo.  Don't handle
+	LD_PROFILE_OUTPUT in SUID binaries.
+	* intl/dcgettext.c: In SUID binaries don't let language part of
+	locale value contain path elements.
+	* intl/explodename.h: Define new function _nl_find_language.
+	* intl/loadinfo.h: Declare _nl_find_language.
+	* locale/findlocale.c (_nl_find_locale): Use _nl_find_locale to get
+	language part it drop the value is path element is contained.
+
+	* locale/setlocale.c: Fix typo.
+
+1998-05-18  Philip Blundell  <Philip.Blundell@pobox.com>
+
+	* sysdeps/unix/sysv/linux/arm/socket.S: Correct handling of arguments.
+
+	* sysdeps/arm/strlen.S: Support both big and little endian processors.
+
+	* sysdeps/arm/sysdep.h (ALIGNARG): ELF .align directive uses a
+	log, not a byte-count.
+
+	* sysdeps/unix/arm/sysdep.S (syscall_error): Use C_SYMBOL_NAME for
+	a.out compatibility.
+
+1998-05-19  Andreas Jaeger  <aj@arthur.rhein-neckar.de>
+
+	* sysdeps/unix/bsd/vax/vfork.S: Fix the "the the" problems.
+	* sysdeps/unix/bsd/sun/m68k/vfork.S: Likewise.
+	* sysdeps/unix/bsd/hp/m68k/vfork.S: Likewise.
+	* posix/unistd.h: Likewise.
+	* math/math.h: Likewise.
+	* manual/users.texi (Manipulating the Database): Likewise.
+	* manual/signal.texi (Job Control Signals): Likewise.
+	* manual/message.texi (The gencat program): Likewise.
+	* manual/filesys.texi (Hard Links): Likewise.
+	* manual/math.texi (SVID Random): Likewise.
+	* manual/llio.texi (Waiting for I/O): Likewise.
+	* manual/io.texi (File Name Errors): Likewise.
+	* manual/conf.texi (String Parameters): Likewise.
+	* manual/arith.texi (Infinity): Likewise.
+	* malloc/malloc.c: Likewise.
+	* hurd/hurdsig.c (_hurd_internal_post_signal): Likewise.
+	* csu/Makefile: Likewise.
+
 1998-05-19 12:16  Ulrich Drepper  <drepper@cygnus.com>
 
 	* manual/memory.texi: Add back accidently removed line.

csu/Makefile

@@ -121,7 +121,7 @@ endef
 ifndef start-installed-name-rule
 ifeq (yes,$(elf))
 # We link the ELF startfile along with a SHT_NOTE section indicating
-# the the kernel ABI the binaries linked with this library will require.
+# the kernel ABI the binaries linked with this library will require.
 $(objpfx)$(start-installed-name): $(objpfx)start.o $(objpfx)abi-note.o \
 				  $(objpfx)init.o
 	$(link-relocatable)

elf/rtld.c

@@ -1113,7 +1113,7 @@ process_envvars (enum mode *modep, int *lazyp)
 	  break;
 
 	case 10:
-	  /* mask for the important hardware capabilities.  */
+	  /* Mask for the important hardware capabilities.  */
 	  if (memcmp (&envline[3], "HWCAP_MASK", 10) == 0)
 	    _dl_hwcap_mask = strtoul (&envline[14], NULL, 0);
 	  break;
@@ -1133,7 +1133,8 @@ process_envvars (enum mode *modep, int *lazyp)
 
 	case 14:
 	  /* Where to place the profiling data file.  */
-	  if (memcmp (&envline[3], "PROFILE_OUTPUT", 14) == 0)
+	  if (!__libc_enable_secure
+	      && memcmp (&envline[3], "PROFILE_OUTPUT", 14) == 0)
 	    {
 	      _dl_profile_output = &envline[18];
 	      if (*_dl_profile_output == '\0')

hurd/hurdsig.c

@@ -818,7 +818,7 @@ _hurd_internal_post_signal (struct hurd_sigstate *ss,
 				      /* In a critical section, any RPC
 					 should be cancelled instead of
 					 restarted, regardless of
-					 SA_RESTART, so the the entire
+					 SA_RESTART, so the entire
 					 "atomic" operation can be aborted
 					 as a unit.  */
 				      crit ? 0 : signo, 1,

intl/dcgettext.c

@@ -221,6 +221,24 @@ struct block_list
 # define DCGETTEXT dcgettext__
 #endif
 
+/* Checking whether the binaries runs SUID must be done and glibc provides
+   easier methods therefore we make a difference here.  */
+#ifdef _LIBC
+# define ENABLE_SECURE __libc_enable_secure
+# define DETERMINE_SECURE
+#else
+static int enable_secure;
+# define ENABLE_SECURE (enable_secure == 1)
+# define DETERMINE_SECURE \
+  if (enable_secure == 0)						      \
+    {									      \
+      if (getuid () != geteuid () || getgid () != getegid ())		      \
+	enable_secure = 1;						      \
+      else								      \
+	enable_secure = -1;						      \
+    }
+#endif
+
 /* Look up MSGID in the DOMAINNAME message catalog for the current CATEGORY
    locale.  */
 char *
@@ -245,9 +263,12 @@ DCGETTEXT (domainname, msgid, category)
   if (msgid == NULL)
     return NULL;
 
+  /* See whether this is a SUID binary or not.  */
+  DETERMINE_SECURE;
+
   /* If DOMAINNAME is NULL, we are interested in the default domain.  If
      CATEGORY is not LC_MESSAGES this might not make much sense but the
-     defintion left this undefined.  */
+     definition left this undefined.  */
   if (domainname == NULL)
     domainname = _nl_current_default_domain;
 
@@ -322,7 +343,7 @@ DCGETTEXT (domainname, msgid, category)
 
 
   /* Search for the given string.  This is a loop because we perhaps
-     got an ordered list of languages to consider for th translation.  */
+     got an ordered list of languages to consider for the translation.  */
   while (1)
     {
       /* Make CATEGORYVALUE point to the next element of the list.  */
@@ -343,6 +364,15 @@ DCGETTEXT (domainname, msgid, category)
 	  while (categoryvalue[0] != '\0' && categoryvalue[0] != ':')
 	    *cp++ = *categoryvalue++;
 	  *cp = '\0';
+
+	  /* When this is a SUID binary we must not allow accessing files
+	     outside the dedicated directories.  */
+	  if (ENABLE_SECURE
+	      && (memchr (single_locale, '/',
+			  _nl_find_language (single_locale) - single_locale)
+		  != NULL))
+	    /* Ingore this entry.  */
+	    continue;
 	}
 
       /* If the current locale value is C (or POSIX) we don't load a

intl/explodename.c

@@ -47,6 +47,17 @@
 
 /* @@ end of prolog @@ */
 
+char *
+_nl_find_language (const char *name)
+{
+  while (name[0] != '\0' && name[0] != '_' && name[0] != '@'
+	 && name[0] != '+' && name[0] != ',')
+    ++name;
+
+  return (char *) name;
+}
+
+
 int
 _nl_explode_name (name, language, modifier, territory, codeset,
 		  normalized_codeset, special, sponsor, revision)
@@ -78,9 +89,7 @@ _nl_explode_name (name, language, modifier, territory, codeset,
   mask = 0;
   syntax = undecided;
   *language = cp = name;
-  while (cp[0] != '\0' && cp[0] != '_' && cp[0] != '@'
-	 && cp[0] != '+' && cp[0] != ',')
-    ++cp;
+  cp = _nl_find_language (*language);
 
   if (*language == cp)
     /* This does not make sense: language has to be specified.  Use

intl/loadinfo.h

@@ -75,3 +75,5 @@ extern int _nl_explode_name PARAMS ((char *name, const char **language,
 				     const char **special,
 				     const char **sponsor,
 				     const char **revision));
+
+extern char *_nl_find_language PARAMS ((const char *name));

locale/findlocale.c

@@ -1,4 +1,4 @@
-/* Copyright (C) 1996, 1997 Free Software Foundation, Inc.
+/* Copyright (C) 1996, 1997, 1998 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
    Contributed by Ulrich Drepper <drepper@gnu.ai.mit.edu>, 1996.
 
@@ -20,6 +20,7 @@
 #include <locale.h>
 #include <stdlib.h>
 #include <string.h>
+#include <unistd.h>
 #include <sys/mman.h>
 
 #include "localeinfo.h"
@@ -51,7 +52,11 @@ _nl_find_locale (const char *locale_path, size_t locale_path_len,
   const char *revision;
   struct loaded_l10nfile *locale_file;
 
-  if ((*name)[0] == '\0')
+  if ((*name)[0] == '\0'
+      /* In SUID binaries we must not allow people to access files
+	 outside the dedicated locale directories.  */
+      || (__libc_enable_secure
+	  && memchr (*name, '/', _nl_find_language (*name) - *name) != NULL))
     {
       /* The user decides which locale to use by setting environment
 	 variables.  */

locale/setlocale.c

@@ -1,4 +1,4 @@
-/* Copyright (C) 1991, 1992, 1995, 1996, 1997 Free Software Foundation, Inc.
+/* Copyright (C) 1991, 92, 95, 96, 97, 98 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
    The GNU C Library is free software; you can redistribute it and/or
@@ -360,7 +360,7 @@ setlocale (int category, const char *locale)
 	  /* We must not simply free a global locale since we have no
 	     control over the usage.  So we mark it as un-deletable.
 
-	     Note: do ont remove the `if', it's necessary to copy with
+	     Note: do not remove the `if', it's necessary to copy with
 	     the builtin locale data.  */
 	  if (newdata->usage_count != UNDELETABLE)
 	    newdata->usage_count = UNDELETABLE;

malloc/malloc.c

@@ -2555,7 +2555,7 @@ malloc_extend_top(ar_ptr, nb) arena *ar_ptr; INTERNAL_SIZE_T nb;
          mallocs with other sbrk calls.
 
 
-      All allocations are made from the the `lowest' part of any found
+      All allocations are made from the `lowest' part of any found
       chunk. (The implementation invariant is that prev_inuse is
       always true of any allocated chunk; i.e., that each allocated
       chunk borders either a previously allocated and still in-use chunk,

manual/arith.texi

@@ -78,7 +78,7 @@ handle values like this.
 Beside @code{INFINITY} also the value @code{-INFINITY} is representable
 and it is handled differently if needed.  It is possible to test a
 value for infiniteness using a simple comparison but the
-recommended way is to use the the @code{isinf} function.
+recommended way is to use the @code{isinf} function.
 
 This macro was introduced in the @w{ISO C 9X} standard.
 @end deftypevr

manual/conf.texi

@@ -1623,7 +1623,7 @@ to the application if a source is compiled using the
 @comment Unix98
 @item _CS_LFS_LINTFLAGS
 The returned string specifies which additional flags must be given to
-the the lint tool if a source is compiled using the
+the lint tool if a source is compiled using the
 @code{_LARGEFILE_SOURCE} feature select macro; @pxref{Feature Test Macros}.
 
 @comment unistd.h
@@ -1651,7 +1651,7 @@ to the application if a source is compiled using the
 @comment Unix98
 @item _CS_LFS64_LINTFLAGS
 The returned string specifies which additional flags must be given to
-the the lint tool if a source is compiled using the
+the lint tool if a source is compiled using the
 @code{_LARGEFILE64_SOURCE} feature select macro; @pxref{Feature Test Macros}.
 @end table
 

manual/filesys.texi

@@ -780,7 +780,7 @@ file does not copy the contents of the file; it simply makes a new name
 by which the file can be known, in addition to the file's existing name
 or names.
 
-One file can have names in several directories, so the the organization
+One file can have names in several directories, so the organization
 of the file system is not a strict hierarchy or tree.
 
 In most implementations, it is not possible to have hard links to the

manual/io.texi

@@ -327,7 +327,7 @@ The process does not have search permission for a directory component
 of the file name.
 
 @item ENAMETOOLONG
-This error is used when either the the total length of a file name is
+This error is used when either the total length of a file name is
 greater than @code{PATH_MAX}, or when an individual file name component
 has a length greater than @code{NAME_MAX}.  @xref{Limits for Files}.
 

manual/llio.texi

@@ -1025,7 +1025,7 @@ This macro removes @var{filedes} from the file descriptor set @var{set}.
 @comment BSD
 @deftypefn Macro int FD_ISSET (int @var{filedes}, fd_set *@var{set})
 This macro returns a nonzero value (true) if @var{filedes} is a member
-of the the file descriptor set @var{set}, and zero (false) otherwise.
+of the file descriptor set @var{set}, and zero (false) otherwise.
 @end deftypefn
 
 Next, here is the description of the @code{select} function itself.

manual/math.texi

@@ -1786,7 +1786,7 @@ congruential formula.
 
 From the seven elements in the array @var{param} the least significant
 16 bits of the entries @code{@var{param}[0]} to @code{@var{param}[2]}
-determine the the initial state, the least 16 bits of
+determine the initial state, the least 16 bits of
 @code{@var{param}[3]} to @code{@var{param}[5]} determine the 48 bit
 constant @code{a} and @code{@var{param}[6]} determines the 16 bit value
 @code{c}.

manual/message.texi

@@ -460,7 +460,7 @@ these source files to learn about the file format.
 The @code{gencat} program is specified in the X/Open standard and the
 GNU implementation follows this specification and so allows to process
 all correctly formed input files.  Additionally some extension are
-implemented which help to work in a more reasonable way with the the
+implemented which help to work in a more reasonable way with the
 @code{catgets} functions.
 
 The @code{gencat} program can be invoked in two ways:

manual/signal.texi

@@ -720,7 +720,7 @@ support, see @ref{Special Characters}.
 @comment signal.h
 @comment POSIX.1
 @deftypevr Macro int SIGTTIN
-A process cannot read from the the user's terminal while it is running
+A process cannot read from the user's terminal while it is running
 as a background job.  When any process in a background job tries to
 read from the terminal, all of the processes in the job are sent a
 @code{SIGTTIN} signal.  The default action for this signal is to

manual/users.texi

@@ -1002,7 +1002,7 @@ for an entry that matches @var{id}.  If the @code{ut_type} member of the
 @code{OLD_TIME} or @code{NEW_TIME} the entries match if the
 @code{ut_type} members are identical.  If the @code{ut_type} member of
 the @var{id} structure is @code{INIT_PROCESS}, @code{LOGIN_PROCESS},
-@code{USER_PROCESS} or @code{DEAD_PROCESS}, the entries match if the the
+@code{USER_PROCESS} or @code{DEAD_PROCESS}, the entries match if the
 @code{ut_type} member of the entry read from the database is one of
 these four, and the @code{ut_id} members match.  However if the
 @code{ut_id} member of either the @var{id} structure or the entry read

math/math.h

@@ -135,7 +135,7 @@ extern int signgam;
     FP_FAST_FMA
     FP_FAST_FMAF
     FP_FAST_FMAL
-		If defined it indicates that the the `fma' function
+		If defined it indicates that the `fma' function
 		generally executes about as fast as a multiply and an add.
 		This macro is defined only iff the `fma' function is
 		implemented directly with a hardware multiply-add instructions.

posix/unistd.h

@@ -689,7 +689,7 @@ extern __pid_t fork __P ((void));
 
 #if defined __USE_BSD || defined __USE_XOPEN_EXTENDED
 /* Clone the calling process, but without copying the whole address space.
-   The the calling process is suspended until the the new process exits or is
+   The calling process is suspended until the the new process exits or is
    replaced by a call to `execve'.  Return -1 for errors, 0 to the new process,
    and the process ID of the new process to the old process.  */
 extern __pid_t __vfork __P ((void));

sysdeps/arm/strlen.S

@@ -31,11 +31,19 @@ ENTRY(strlen)
 	rsb     r0, r3, $0              @ get - that number into counter.
 	beq     Laligned                @ skip into main check routine if no
 					@ more
+#ifdef __ARMEB__
 	orr     r2, r2, $0xff000000     @ set this byte to non-zero
 	subs    r3, r3, $1              @ any more to do?
 	orrgt   r2, r2, $0x00ff0000     @ if so, set this byte
 	subs    r3, r3, $1              @ more?
 	orrgt   r2, r2, $0x0000ff00     @ then set.
+#else
+	orr     r2, r2, $0x000000ff     @ set this byte to non-zero
+	subs    r3, r3, $1              @ any more to do?
+	orrgt   r2, r2, $0x0000ff00     @ if so, set this byte
+	subs    r3, r3, $1              @ more?
+	orrgt   r2, r2, $0x00ff0000     @ then set.
+#endif
 Laligned:				@ here, we have a word in r2.  Does it
 	tst     r2, $0x000000ff         @ contain any zeroes?
 	tstne   r2, $0x0000ff00         @

sysdeps/arm/sysdep.h

@@ -25,8 +25,7 @@
 
 #ifdef HAVE_ELF
 
-/* ELF uses byte-counts for .align, most others use log2 of count of bytes.  */
-#define ALIGNARG(log2) 1<<log2
+#define ALIGNARG(log2) log2
 /* For ELF we need the `.type' directive to make shared libs work right.  */
 #define ASM_TYPE_DIRECTIVE(name,typearg) .type name,%##typearg;
 #define ASM_SIZE_DIRECTIVE(name) .size name,.-name

sysdeps/unix/arm/sysdep.S

@@ -43,7 +43,7 @@ syscall_error:
 #ifdef _LIBC_REENTRANT
 	stmdb sp!, {r0, lr}
 	/* put another copy of r0 at a specific errno location */
-	bl __errno_location
+	bl C_SYMBOL_NAME(__errno_location)
 	ldmia sp!, {r1, lr}
 	str r1, [r0]
 #endif

sysdeps/unix/bsd/hp/m68k/vfork.S

@@ -23,7 +23,7 @@
 #endif
 
 /* Clone the calling process, but without copying the whole address space.
-   The the calling process is suspended until the the new process exits or is
+   The calling process is suspended until the the new process exits or is
    replaced by a call to `execve'.  Return -1 for errors, 0 to the new process,
    and the process ID of the new process to the old process.  */
 .globl ___vfork

sysdeps/unix/bsd/sun/m68k/vfork.S

@@ -23,7 +23,7 @@
 #endif
 
 /* Clone the calling process, but without copying the whole address space.
-   The the calling process is suspended until the the new process exits or is
+   The calling process is suspended until the the new process exits or is
    replaced by a call to `execve'.  Return -1 for errors, 0 to the new process,
    and the process ID of the new process to the old process.  */
 .globl ___vfork

sysdeps/unix/bsd/vax/vfork.S

@@ -23,7 +23,7 @@
 #endif
 
 /* Clone the calling process, but without copying the whole address space.
-   The the calling process is suspended until the the new process exits or is
+   The calling process is suspended until the the new process exits or is
    replaced by a call to `execve'.  Return -1 for errors, 0 to the new process,
    and the process ID of the new process to the old process.  */
 .globl ___vfork

sysdeps/unix/sysv/linux/arm/socket.S

@@ -35,10 +35,26 @@
 #define __socket P(__,socket)
 #endif
 
+#define PUSHARGS_1	stmfd ip!, {a1}
+#define PUSHARGS_2	stmfd ip!, {a1, a2}
+#define PUSHARGS_3	stmfd ip!, {a1, a2, a3}
+#define PUSHARGS_4	stmfd ip!, {a1, a2, a3, a4}
+#define PUSHARGS_5	stmfd ip!, {a1, a2, a3, a4}	/* Caller has already pushed arg 5 */
+#define PUSHARGS_6	stmfd ip!, {a1, a2, a3, a4}
+
+#ifndef NARGS
+#define NARGS 3			/* If we were called with no wrapper, this is really socket() */
+#endif
+
 .globl __socket
 ENTRY (__socket)
+	/* Push args onto the stack.  */
+	mov ip, sp
+	P(PUSHARGS_,NARGS)
 
         /* Do the system call trap.  */
+	mov a1, $P(SOCKOP_,socket)
+	mov a2, ip
 	swi SYS_ify(socketcall)
 
 	/* r0 is < 0 if there was an error.  */
@@ -46,7 +62,7 @@ ENTRY (__socket)
 	bhs PLTJMP(syscall_error)
 
 	/* Successful; return the syscall's value.  */
-	RETINSTR(mov,pc,r14)
+	ret
 
 PSEUDO_END (__socket)