CLONE_NEWTIME can only be used with the clone3 and unshare system calls,
see 769071ac9f:
> All available clone flags have been used, so CLONE_NEWTIME uses the highest
> bit of CSIGNAL. It means that it can be used only with the unshare() and
> the clone3() system calls.
The clone3 syscall was added in Linux kernel version 5.3 and
CLONE_NEWTIME was added in version 5.6. However, it was non-functional
until version 6.3 (and stable versions with the corresponding fix [1]).
[1] https://lore.kernel.org/lkml/20230308105126.10107-1-tklauser@distanz.ch/
In case CLONE_NEWTIME is set in SysProcAttr.Cloneflags on an unsupported
kernel version, the fork/exec call will fail.
Fixes#49779
Change-Id: Ic3ecfc2b601bafaab12b1805d7f9512955a8c7e2
Reviewed-on: https://go-review.googlesource.com/c/go/+/474356
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Auto-Submit: Tobias Klauser <tobias.klauser@gmail.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Because each M in Plan 9 runs in a separate OS process with its
own current working directory, a Chdir call in one goroutine needs
to be propagated to other goroutines before a subsequent syscall
with a local pathname (see #9428). This is done by function
syscall.Fixwd, but there is still a race if a goroutine is
preempted and rescheduled on a different M between calling Fixwd
and executing the syscall which it protects. By locking the
goroutine to its OS thread from the start of Fixwd to the end of
the protected syscall, this race can be prevented.
Fixes#58802.
Change-Id: I89c0e43ef4544b5bfb5db7d2158f13f24b42e1f6
Reviewed-on: https://go-review.googlesource.com/c/go/+/474055
Reviewed-by: Bryan Mills <bcmills@google.com>
Auto-Submit: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Ian Lance Taylor <iant@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
These directives affect the next declaration, so the existing form is
valid, but can be confusing because it is easy to miss. Move then
directly above the declaration for improved readability.
CL 69120 previously moved the Gosched nosplit away to hide it from
documentation. Since CL 224737, directives are automatically excluded
from documentation.
Change-Id: I8ebf2d47fbb5e77c6f40ed8afdf79eaa4f4e335e
Reviewed-on: https://go-review.googlesource.com/c/go/+/472957
Run-TryBot: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Austin Clements <austin@google.com>
Go programs can now use the //go:wasmimport module_name function_name
directive to import functions from the WebAssembly runtime.
For now, the directive is restricted to the runtime and syscall/js
packages.
* Derived from CL 350737
* Original work modified to work with changes to the IR conversion code.
* Modification of CL 350737 changes to fully exist in Unified IR path (emp)
* Original work modified to work with changes to the ABI configuration code.
* Fixes#38248
Co-authored-by: Vedant Roy <vroy101@gmail.com>
Co-authored-by: Richard Musiol <mail@richard-musiol.de>
Co-authored-by: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com>
Change-Id: I740719735d91c306ac718a435a78e1ee9686bc16
Reviewed-on: https://go-review.googlesource.com/c/go/+/463018
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com>
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com>
Reviewed-by: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com>
The function was added since go1.17, which is the minimum version for
bootstraping now.
Change-Id: I08b55c3639bb9ff042aabfcdcfbdf2993032ba6b
Reviewed-on: https://go-review.googlesource.com/c/go/+/471436
Run-TryBot: Cuong Manh Le <cuong.manhle.vn@gmail.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
This CL marks some netbsd assembly functions as NOFRAME to avoid
relying on the implicit amd64 NOFRAME heuristic, where NOSPLIT functions
without stack were also marked as NOFRAME.
While here, and thanks to CL 466355, `asm_netbsd_amd64.s` can
be deleted in favor of `asm9_unix2_amd64.s`, which makes better
use of the frame pointer.
Updates #58378
Change-Id: Iff554b664ec25f2bb6ec198c0f684590b359c383
Reviewed-on: https://go-review.googlesource.com/c/go/+/466396
Reviewed-by: Than McIntosh <thanm@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Run-TryBot: Quim Muntal <quimmuntal@gmail.com>
This CL marks some dragonfly assembly functions as NOFRAME to avoid
relying on the implicit amd64 NOFRAME heuristic, where NOSPLIT functions
without stack were also marked as NOFRAME.
Updates #58378
Change-Id: I832a1a78d68a49f11df3b03fa9d50d4796bcac03
Reviewed-on: https://go-review.googlesource.com/c/go/+/466355
Run-TryBot: Quim Muntal <quimmuntal@gmail.com>
Reviewed-by: Than McIntosh <thanm@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
The existing ptrace wrapper accepts pointer argument as an uintptr which
often points to the memory allocated in Go. This violates unsafe.Pointer safety
rules.
Fixes#58387
Change-Id: Iab12122c495953f94ea00c2a61654a818a464205
Reviewed-on: https://go-review.googlesource.com/c/go/+/470299
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Dmitri Goutnik <dgoutnik@gmail.com>
Reviewed-by: Bryan Mills <bcmills@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Auto-Submit: Dmitri Goutnik <dgoutnik@gmail.com>
Introduce a new SysProcAttr member called Jail on FreeBSD. This allows
supplying an existing jail's ID to which the child process is attached
before calling the exec system call.
Fixes#46259
Change-Id: Ie282e5b83429131f9a9e1e27cfcb3bcc995d1d4d
Reviewed-on: https://go-review.googlesource.com/c/go/+/458335
Run-TryBot: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Goutnik <dgoutnik@gmail.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: Samuel Karp <samuelkarp@google.com>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
Avoid passing Go pointers as uintptr in exec_unix_test.go by introducing
syscall.IoctlPtr() which accepts arg as unsafe.Pointer.
For #44834Fixes#58609
Change-Id: I6d0ded023e5f3c9989783aee7075bb88100d9ec2
Reviewed-on: https://go-review.googlesource.com/c/go/+/469675
Run-TryBot: Dmitri Goutnik <dgoutnik@gmail.com>
Reviewed-by: Bryan Mills <bcmills@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Run-TryBot: Ian Lance Taylor <iant@google.com>
Auto-Submit: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
CL 416115 added using faccessat2(2) from syscall.Faccessat on Linux
(which is the only true way to implement AT_EACCESS flag handing),
if available. If not available, it uses some heuristics to mimic the
kernel behavior, mostly taken from glibc (see CL 126415).
Next, CL 414824 added using the above call (via unix.Eaccess) to
exec.LookPath in order to check if the binary can really be executed.
As a result, in a very specific scenario, described below,
syscall.Faccessat (and thus exec.LookPath) mistakenly tells that the
binary can not be executed, while in reality it can be. This makes
this bug a regression in Go 1.20.
This scenario involves all these conditions:
- no faccessat2 support available (i.e. either Linux kernel < 5.8,
or a seccomp set up to disable faccessat2);
- the current user is not root (i.e. geteuid() != 0);
- CAP_DAC_OVERRIDE capability is set for the current process;
- the file to be executed does not have executable permission
bit set for either the current EUID or EGID;
- the file to be executed have at least one executable bit set.
Unfortunately, this set of conditions was observed in the wild -- a
container run as a non-root user with the binary file owned by root with
executable permission set for a user only [1]. Essentially it means it
is not as rare as it may seem.
Now, CAP_DAC_OVERRIDE essentially makes the kernel bypass most of the
checks, so execve(2) and friends work the same was as for root user,
i.e. if at least one executable bit it set, the permission to execute
is granted (see generic_permission() function in the Linux kernel).
Modify the code to check for CAP_DAC_OVERRIDE and mimic the kernel
behavior for permission checks.
[1] https://github.com/opencontainers/runc/issues/3715Fixes#58552.
Change-Id: I82a7e757ab3fd3d0193690a65c3b48fee46ff067
Reviewed-on: https://go-review.googlesource.com/c/go/+/468735
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Ian Lance Taylor <iant@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
This CL removes a fallback that used LoadLibraryA when the runtime
was loading system DLLs on Windows 7, Windows Server 2008 R2,
or earlier.
We can safely remove that fallback now, as go1.21 will require at least
Windows 8 or Server 2012.
This CL also saves some syscall initialization time and bytes:
new:
init syscall @2.3 ms, 0 ms clock, 1000 bytes, 18 allocs
old:
init syscall @3.6 ms, 0.52 ms clock, 1744 bytes, 24 allocs
Updates #57003
Change-Id: I7dcc1173537785b6b580e9f78632c0c74da658d4
Reviewed-on: https://go-review.googlesource.com/c/go/+/463842
Reviewed-by: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Quim Muntal <quimmuntal@gmail.com>
Reviewed-by: Damien Neil <dneil@google.com>
We currently check for at least three different permission bits before
running tests that require root permissions: we look for UID 0, lack
of an LXC container, and lack of a Docker container, and probe a
number of distro-specific files in /proc and /sys.
The sheer number of these checks suggests that we have probably missed
at least one. Per Alan J. Perlis, “If you have a procedure with ten
parameters, you probably missed some.” (And, indeed, we definitely
have: a Debian patch¹ adds one more environment check!)
CL 58170 added some of these container checks, but “decided to go this
way instead of just skipping os.IsPermission errors because many of
those tests were specifically written to check false positive
permission errors.” However, we can't in general distinguish between a
false-positive error and a real one caused by a container: if one is
making a change to the syscall package, they should run the tests with
-v and check for unexpected skips.
Notably:
- TestUnshare already skips itself if the command fails with an error
ending in the string "operation not permitted", which could be caused
by a variety of possible bugs.
- The Unshare tests added in CL 38471 will fail with a permission
error if CLONE_NEWNS is not supported, but it seems to me that if
CLONE_NEWNS is supported — sufficient to start the process! — then
Unmount must also be supported, and the test can at least check that
the two are consistent.
- The AmbientCaps tests should fail to start the subprocess with
EINVAL or similar (not produce bogus output) if the kernel does not
support ambient caps for any reason, which we can then detect.
(If the subprocess fails in the way the test is concerned about, it
will exit with status 2, not fail to start in the first place.)
By executing the system calls and checking for permission errors,
this change exposed an existing bug for AmbientCaps (filed as #57208),
which was detected by the linux-arm-aws builder.
For #57208.
Updates #21379.
Updates #14693.
¹https://sources.debian.org/patches/golang-1.19/1.19.3-1/0006-skip-userns-test-in-schroot-as-well.patch/
Change-Id: I9b167661fa1bb823168c8b50d8bbbf9643e49f76
Reviewed-on: https://go-review.googlesource.com/c/go/+/456375
Reviewed-by: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
Auto-Submit: Bryan Mills <bcmills@google.com>
Reviewed-by: Alexander Morozov <lk4d4math@gmail.com>
Run-TryBot: Bryan Mills <bcmills@google.com>
The various forkAndExecInChild implementations have comments
explaining that they pre-declare variables to force allocations
to occur before forking, but then later use ":=" declarations
for additional variables.
To make it clearer that those ":=" declarations do not allocate,
we move their declarations up to the predeclared blocks.
For #57208.
Change-Id: Ie8cb577fa7180b51b64d6dc398169053fdf8ea97
Reviewed-on: https://go-review.googlesource.com/c/go/+/456516
Auto-Submit: Bryan Mills <bcmills@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Run-TryBot: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
This brings the exported field names on these GOARCHes
in line with the other supported linux platforms.
Fixes#57313.
Change-Id: I2107a7116ba60dc0c0a27f776318e3eb69e51682
Reviewed-on: https://go-review.googlesource.com/c/go/+/457557
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Bryan Mills <bcmills@google.com>
Reviewed-by: Tobias Klauser <tobias.klauser@gmail.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Auto-Submit: Bryan Mills <bcmills@google.com>
Change-Id: I3e9f05d221990b1ae464545d6d8b2e22c35bca21
Reviewed-on: https://go-review.googlesource.com/c/go/+/463077
Reviewed-by: Ian Lance Taylor <iant@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
Run-TryBot: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
An Apple engineer suggests that since __fork is not public API,
it would be better to use a different fix. With the benefit of source code,
they suggest using xpc_date_create_from_current instead of
xpc_atfork_child. The latter sets some flags that disable certain
functionality for the remainder of the process lifetime (expecting exec),
while the former should do the necessary setup.
Reverting the __fork fix in order to prepare a clean fix based
on CL 451735 using xpc_date_create_from_current.
This reverts commit c61d322d5f.
Change-Id: I2da293ff537237ffd2d40ad756d827c95c84635b
Reviewed-on: https://go-review.googlesource.com/c/go/+/460475
Auto-Submit: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
When building in schroot (for building Debian package),
the cgroupfs is not mounted in schroot (only sysfs is mounted).
Change-Id: Ieddac7b2f334d58d832f5d84d81af812badf3720
Reviewed-on: https://go-review.googlesource.com/c/go/+/460539
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: Heschi Kreinick <heschi@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Run-TryBot: Ian Lance Taylor <iant@google.com>
Issues #33565 and #56784 were caused by hangs in the child process
after fork, while it ran atfork handlers that ran into slow paths that
didn't work in the child.
CL 451735 worked around those two issues by calling a couple functions
at startup to try to warm up those child paths. That mostly worked,
but it broke programs using cgo with certain macOS frameworks (#57263).
CL 459175 reverted CL 451735.
This CL introduces a different fix: bypass the atfork child handlers
entirely. For a general fork call where the child and parent are both
meant to keep executing the original program, atfork handlers can be
necessary to fix any state that would otherwise be tied to the parent
process. But Go only uses fork as preparation for exec, and it takes
care to limit what it attempts to do in the child between the fork and
exec. In particular it doesn't use any of the things that the macOS
atfork handlers are trying to fix up (malloc, xpc, others). So we can
use the low-level fork system call (__fork) instead of the
atfork-wrapped one.
The full list of functions that can be called in a child after fork in
exec_libc2.go is:
- ptrace
- setsid
- setpgid
- getpid
- ioctl
- chroot
- setgroups
- setgid
- setuid
- chdir
- dup2
- fcntl
- close
- execve
- write
- exit
I disassembled all of these while attached to a hung exec.test binary
and confirmed that nearly all of them are making direct kernel calls,
not using anything that the atfork handler needs to fix up.
The exceptions are ioctl, fcntl, and exit.
The ioctl and fcntl implementations do some extra work around the
kernel call but don't call any other functions, so they should still
be OK. (If not, we could use __ioctl and __fcntl instead, but without
a good reason, we should keep using the standard entry points.)
The exit implementation calls atexit handlers. That is almost
certainly inappropriate in a failed fork child, so this CL changes
that call to __exit on darwin. To avoid making unnecessary changes at
this point in the release cycle, this CL leaves OpenBSD calling plain
exit, even though that is probably a bug in the OpenBSD port
(filed #57446).
Fixes#33565.
Fixes#56784.
Fixes#57263.
Change-Id: I26812c26a72bdd7fcf72ec41899ba11cf6b9c4ab
Reviewed-on: https://go-review.googlesource.com/c/go/+/459176
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
The Android seccomp policy does not allow faccessat2, so attempting to
use it results in a SIGSYS. Avoid it and go straight to the fallback.
Fixes#57393.
Change-Id: I8d4e12a6f46cea5642d3b5b5a02c682529882f29
Reviewed-on: https://go-review.googlesource.com/c/go/+/458495
Reviewed-by: Austin Clements <austin@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Changkun Ou <mail@changkun.de>
Run-TryBot: Michael Pratt <mpratt@google.com>
Our minimum Linux version is 2.6.32, and the accept4 system call was
introduced in 2.6.28, so we use accept4 everywhere. Unfortunately,
it turns out that the accept4 system call was only added to
linux-arm in 2.6.36, so for linux-arm only we need to try the accept4
system call and then fall back to accept if it doesn't work.
The code we use on linux-arm is the code we used in Go 1.17.
On non-arm platforms we continue using the simpler code introduced
in Go 1.18.
Adding accept4 to the ARM Linux kernel was:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=21d93e2e29722d7832f61cc56d73fb953ee6578eFixes#57333
Change-Id: I6680cb54dd4d3514a6887dda8906e6708c64459d
Reviewed-on: https://go-review.googlesource.com/c/go/+/457995
Reviewed-by: Bryan Mills <bcmills@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Tobias Klauser <tobias.klauser@gmail.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Run-TryBot: Ian Lance Taylor <iant@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
After dup'ing file descriptors in syscall.ProcAttr.Files to pass
to the exec'ed process, the logic for closing the old descriptors
was incorrect and could close the new descriptor instead.
Fixes#57180
Change-Id: I7725f21a465ffba57050fe4e36f3d36ba181cfb2
Reviewed-on: https://go-review.googlesource.com/c/go/+/457115
Run-TryBot: David du Colombier <0intro@gmail.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Bryan Mills <bcmills@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: David du Colombier <0intro@gmail.com>
Reviewed-by: Bryan Mills <bcmills@google.com>
The skipping logic should also trigger if /sys/fs/cgroup is
mounted read-only too. This is how it is mounted on the
ppc64le/p10 containers today.
Fixes#57262
Change-Id: Idc0ab050052ebf5777ac09f9519215b437b0ee7c
Reviewed-on: https://go-review.googlesource.com/c/go/+/456835
Reviewed-by: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>
Auto-Submit: Bryan Mills <bcmills@google.com>
Run-TryBot: Paul Murphy <murp@ibm.com>
All mips variant perform syscalls similarly. R2 (v0) holds r1 and R3
(v1) holds r2 of a syscall. The latter is only used by 2-ret syscalls.
A 1-ret syscall would not touch R3 but keeps it as is, making r2 be a
random value. Always reset it to 0 before SYSCALL to fix the issue.
Fixes#56426
Change-Id: Ie49965c0c3c224c4a895703ac659205cd040ff56
Reviewed-on: https://go-review.googlesource.com/c/go/+/452975
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Meng Zhuo <mzh@golangcn.org>
Reviewed-by: Austin Clements <austin@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Meng Zhuo <mzh@golangcn.org>
Change-Id: I69065f8adf101fdb28682c55997f503013a50e29
Reviewed-on: https://go-review.googlesource.com/c/go/+/449757
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: Joedian Reid <joedian@golang.org>
Reviewed-by: Keith Randall <khr@google.com>
Reviewed-by: Keith Randall <khr@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Joedian Reid <joedian@golang.org>
Run-TryBot: Ian Lance Taylor <iant@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Updates syscall.Open to support opening directories via CreateFileW.
CreateFileW handles are more versatile than FindFirstFile handles.
They can be used in Win32 APIs like GetFileInformationByHandle and
SetFilePointerEx, which are needed by some Go APIs.
Fixes#52747Fixes#36019
Change-Id: I26a00cef9844fb4abeeb18d2f9d854162a146651
Reviewed-on: https://go-review.googlesource.com/c/go/+/405275
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Patrik Nyblom <pnyb@google.com>
Reviewed-by: Alex Brainman <alex.brainman@gmail.com>
Reviewed-by: Bryan Mills <bcmills@google.com>
Run-TryBot: Quim Muntal <quimmuntal@gmail.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Check for and reject environment variables containing NULs.
The conventions for passing environment variables to subprocesses
cause most or all systems to interpret a NUL as a separator. The
syscall package rejects environment variables containing a NUL
on most systems, but erroniously did not do so on Windows. This
causes an environment variable such as "FOO=a\x00BAR=b" to be
interpreted as "FOO=a", "BAR=b".
Check for and reject NULs in environment variables passed to
syscall.StartProcess on Windows.
Add a redundant check to os/exec as extra insurance.
Fixes#56284
Fixes CVE-2022-41716
Change-Id: I2950e2b0cb14ebd26e5629be1521858f66a7d4ae
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1609434
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/446916
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Matthew Dempsky <mdempsky@google.com>
Reviewed-by: Heschi Kreinick <heschi@google.com>
The immediate reason is that we want to use godebug from math/rand,
and math/rand importing godebug importing os causes an import cycle
in package testing.
More generally, the new approach to backward compatibility outlined
in discussion #55090 will require using this package from other similarly
sensitive places, perhaps even package os itself. Best to remove all
dependencies.
Preparation for #54880.
Change-Id: Ia01657a2d90e707a8121a336c9db3b7247c0198f
Reviewed-on: https://go-review.googlesource.com/c/go/+/439418
Auto-Submit: Russ Cox <rsc@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Austin Clements <austin@google.com>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Move the writev definition for solaris from package
internal/syscall/unix to package syscall. This corresponds to where
writev is defined on aix, darwin and openbsd as well and is
go:linkname'ed from internal/poll. This also allows updating the
generated wrappers more easily if needed.
Change-Id: I671ed8232d25319f8e63f549f786d77a17602148
Reviewed-on: https://go-review.googlesource.com/c/go/+/436597
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Auto-Submit: Tobias Klauser <tobias.klauser@gmail.com>
egrep and fgrep are obsolescent now.
This PR updates all egrep and fgrep commands to grep -E and grep -F.
Running egrep/fgrep command with grep v3.8 will output the following warning to stderr:
egrep: warning: egrep is obsolescent; using grep -E
see also:
https://www.phoronix.com/news/GNU-Grep-3.8-Stop-egrep-fgrephttps://lists.gnu.org/archive/html/info-gnu/2022-09/msg00001.html
Change-Id: Iea1ca9ae72264530c67727b5e27cf1b7a362dd97
GitHub-Last-Rev: 3584884bd4
GitHub-Pull-Request: golang/go#55299
Reviewed-on: https://go-review.googlesource.com/c/go/+/432256
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Run-TryBot: Ian Lance Taylor <iant@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Change-Id: Iae290216687fd1ce8be720600157fb78cc2446d0
GitHub-Last-Rev: 4fba64ecb1
GitHub-Pull-Request: golang/go#55959
Reviewed-on: https://go-review.googlesource.com/c/go/+/436881
Auto-Submit: Ian Lance Taylor <iant@google.com>
Run-TryBot: Ian Lance Taylor <iant@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Convert a few occurrences that were submitted after CL 389935.
For #20322
For #51572
Change-Id: I0047361916c402f8e37f515e6b09d451bd499e6e
Reviewed-on: https://go-review.googlesource.com/c/go/+/437235
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
Reviewed-by: Bryan Mills <bcmills@google.com>
Auto-Submit: Tobias Klauser <tobias.klauser@gmail.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
to is an optional pointer to sockaddr, as written in the doc:
https://learn.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-wsasendto
For #55845
Change-Id: Ia685cec8d9bc9ff313f598db9d2213a1f409757a
Reviewed-on: https://go-review.googlesource.com/c/go/+/434535
Reviewed-by: Ian Lance Taylor <iant@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: xie cui <523516579@qq.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Ian Lance Taylor <iant@google.com>
Reviewed-by: Tobias Klauser <tobias.klauser@gmail.com>
Fixes#55845
Change-Id: If30263b7d34829c40e6606846115ec520f351f2c
Reviewed-on: https://go-review.googlesource.com/c/go/+/433504
Run-TryBot: Ian Lance Taylor <iant@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Run-TryBot: Andy Pan <panjf2000@gmail.com>
Reviewed-by: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Use fcntl(oldfd, F_DUP2FD_CLOEXEC, newfd) to duplicate the file
descriptor and mark is as close-on-exec instead of dup2 & fcntl.
DragonFly BSD implements dup3 like this in libc since version 5.4.
Change-Id: I80c765faa288add8ffb236284c9e8c4f8e6c6769
Reviewed-on: https://go-review.googlesource.com/c/go/+/430535
Auto-Submit: Tobias Klauser <tobias.klauser@gmail.com>
Reviewed-by: Jenny Rakoczy <jenny@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Jenny Rakoczy <jenny@golang.org>
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
Auto-Submit: Jenny Rakoczy <jenny@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Use fcntl(oldfd, F_DUP2FD_CLOEXEC, newfd) to duplicate the file
descriptor and mark is as close-on-exec instead of dup2 & fcntl.
Note that the value for F_DUP2FD_CLOEXEC is different on Solaris and
Illumos and thus the definition is moved from zerrors_solaris_amd64.go
to solaris/illumos specific files.
Change-Id: I9a52801d1a01471ec3f065520575e3fafee92855
Reviewed-on: https://go-review.googlesource.com/c/go/+/428375
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
Auto-Submit: Jenny Rakoczy <jenny@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jenny Rakoczy <jenny@golang.org>
Run-TryBot: Jenny Rakoczy <jenny@golang.org>
Run-TryBot: Ian Lance Taylor <iant@google.com>
CL 413374 added syscall.Mmap on solaris. Use it in cmd/compile and
cmd/link if the bootstrap toolchain is Go ≥ 1.20.
For #52875
For #54265
Change-Id: I9a0534bf97926eecf0c6f1f9218e855344ba158f
Reviewed-on: https://go-review.googlesource.com/c/go/+/430496
Reviewed-by: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Auto-Submit: Tobias Klauser <tobias.klauser@gmail.com>
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
Direct syscalls should no longer be used on darwin. Instead, directly
call libc's msync when using Go ≥ 1.20 for bootstrap.
For #54265
Change-Id: Ie3f1e6ccd1a06e7f0ddd88cdef5067393a69e8db
Reviewed-on: https://go-review.googlesource.com/c/go/+/430336
Reviewed-by: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Auto-Submit: Tobias Klauser <tobias.klauser@gmail.com>
Tobias Klauser
miller
Michael Pratt
Evan Phoenix
Cuong Manh Le
qmuntal
Dmitri Goutnik
Harald Böhm
Kir Kolyshkin
Bryan C. Mills
cui fliter
Russ Cox
Shengjing Zhu
Ian Lance Taylor
Paul E. Murphy
Rongrong
Damien Neil
kxxt
Mikael Urankar
cuiweixie
Andy Pan
Yuval Pavel Zholkover