glibc-audit

March 20, 2009

These patches against glibc-2.9 have been contributed by Raymond Russel raymond corvil com.

Filename                         type                  length  md5sum
glibc-2.9-audit.patches.tar.gz   .tgz patch archive     19295  40e9890750014c9da7331ab8ec91cb3c

January 1, 2008

The patches have been updated to glibc-2.6-4 and glibc-2.7-2.

Filename                        type                   length  md5sum
glibc-2.7-2.audit.patches.tgz   .tgz patch archive      18728  37be54ecf6251f501b66983bb253cbcc
glibc-2.7-2.audit.i686.rpm      binary                8560595  2243c2ead4a81d9015641c5c2fb79d88
glibc-2.7-2.audit.x86_64.rpm    binary                5064467  2b5c0813e0a44c96821afbc193821065
glibc-2.7-2.audit.src.rpm       source               16102632  cf2e0548cd351e24364c113765631960
glibc-2.6-4.audit.patches.tgz   .tgz patch archive      18845  800f46a1cca936cdb468d1a92e588f06
glibc-2.6-4.audit.i686.rpm      binary                5556430  92e5b6fbef9de0a942d4339ca42e24b6
glibc-2.6-4.audit.x86_64.rpm    binary                4922419  fe2e7dbf5ff0243a26d57ba64ce7b7a6
glibc-2.6-4.audit.src.rpm       source               16027865  fa2402f76d37b02b24a0b2be1cd3e4ce
md5sum.out                      text                     1523


January 26, 2007

The patches have been updated to glibc-2.5-10.

Filename                         type                   length  md5sum
glibc-2.5-10.audit.patches.tgz   .tgz patch archive      18748  9203b054d17763a6bf87b2efdc5639d4
glibc-2.5-10.audit.i686.rpm      binary                4524331  4fd6cf03bd11a2ddb528a15f4f6fb703
glibc-2.5-10.audit.x86_64.rpm    binary                4879452  ede7a35b4f48606152410acd486b6a94
glibc-2.5-10.audit.ppc.rpm       binary                7604770  ddd7ea18430fc786aa44b015282f13a9
glibc-2.5-10.audit.src.rpm       source               16026707  9125afc9c6266bf01f6be5b861bd6f29
md5sum.out                       text                     1027


March 16, 2006

The patches have been updated to glibc-2.4-4. In the binary .rpm for i686, x86_64, and ppc, the third argument to the __NR_open syscall is zeroed unless O_CREAT is present in the second argument to the open() function. This prevents an information leak from user code into the kernel. Also, a bug in ld.so was fixed so that gdb functions correctly under stop-on-solib-events. See http://sourceware.org/bugzilla/show_bug.cgi?id=2328
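The open() mode-argument fix described above, as an added illustration rather than code from the glibc-audit patches: an open(2)-style wrapper that reads and forwards the variadic mode only when the flags say a mode was actually supplied, so an uninitialized stack slot never reaches the kernel. It goes one step beyond the 2006 rule by also treating O_TMPFILE (a later Linux flag that likewise takes a mode) as needing one; the names audit_open, kernel_mode_for and needs_mode are this example's own.

```c
/* Added example, not from glibc-audit: forward a mode to the kernel only when
 * the open() flags promise that the caller passed one.  Otherwise the variadic
 * slot holds whatever was left on the stack, and passing it through leaks
 * uninitialized user data into the kernel (the leak glibc-audit closes). */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdarg.h>
#include <unistd.h>

/* Which flag combinations carry a mode argument.  O_CREAT is the 2006 rule;
 * O_TMPFILE (Linux 3.11+) is the newer case handled the same way. */
static int needs_mode(int flags)
{
    if (flags & O_CREAT)
        return 1;
#ifdef O_TMPFILE
    if ((flags & O_TMPFILE) == O_TMPFILE)
        return 1;
#endif
    return 0;
}

/* Consume the mode from the va_list only when it exists; otherwise return 0
 * without touching the slot at all. */
static unsigned int mode_from_varargs(int flags, va_list ap)
{
    if (needs_mode(flags))
        return va_arg(ap, unsigned int);   /* mode_t promotes to unsigned int */
    return 0;                              /* don't-care slot: zeroed, never read */
}

/* Hypothetical helper: the value audit_open() would hand to the kernel. */
unsigned int kernel_mode_for(int flags, ...)
{
    va_list ap;
    va_start(ap, flags);
    unsigned int mode = mode_from_varargs(flags, ap);
    va_end(ap);
    return mode;
}

/* Hypothetical replacement for open(): same signature, but the third argument
 * reaching the kernel is deterministic for every flag combination. */
int audit_open(const char *path, int flags, ...)
{
    va_list ap;
    va_start(ap, flags);
    unsigned int mode = mode_from_varargs(flags, ap);
    va_end(ap);
    return open(path, flags, mode);
}
```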

Filename                        type                   length  md5sum
glibc-2.4-4.audit.patches.tgz   .tgz patch archive      19507  4f0d144685fe86e226f0d0ca4743b972
glibc-2.4-4.audit.i686.rpm      binary                4388779  c72470580af5dcea47b6e36945a862b8
glibc-2.4-4.audit.x86_64.rpm    binary                4810339  6dff62ed98c885a58d40ecf7269a2dd3
glibc-2.4-4.audit.ppc.rpm       binary                5124620  009ce9bd86c63b15f0351c1a5b6b0710
glibc-2.4-4.audit.src.rpm       source               15466547  915c34cebbc4dda0c6a5304ece307c3b
md5sum.out                      text                      714


February 1, 2006

The patches have been updated to glibc-2.3.90-30.

Filename                            type                   length  md5sum
glibc-2.3.90-30.audit.patches.tgz   .tgz patch archive      17442  a685fb446f07b477ed7ffaf4949e0ddf
glibc-2.3.90-30.audit.i686.rpm      binary                4362993  4ff7afd950d0ca6c3a2bdce837381b59
glibc-2.3.90-30.audit.src.rpm       source               15484590  649243a329e0f4a875b7c2ab3d60c9cd

April 17, 2005

The patches have been updated to glibc-2.3.5-0.fc3.1.

Filename                                type                   length  md5sum
glibc-2.3.5-0.fc3.1.audit.patches.tgz   .tgz patch archive      17788  71250bd4dd40af13e224bebe251b2fba
glibc-2.3.5-0.fc3.1.audit.i686.rpm      binary                5326291  908dea4fac084100ee42f76185f88b4f
glibc-2.3.5-0.fc3.1.audit.src.rpm       source               14126767  6fc01541484f354ab0f6969663da29a4
md5sum.out                              text                      209


December 5, 2004

The patches have been updated to glibc-2.3.3-74, with special attention to the POSIX timer routines.  timer_create() no longer leaks 48 bytes of random information from a user process into the kernel.  Also, _dl_relocate_object() in ld-linux.so.2 has been made visible because it is one of the keys to a successful audit.  This pass found two new bugs in glibc: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=141000 in strtold(), and https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=141441 in fnmatch().

January 17, 2004

The patches have been updated to glibc-2.3.2-101.4, with the recently-revised regex implementation receiving special attention.  The patches themselves have been separated into three groups by subject: third argument to open(), r_brk enhancement, and uninitialized don't-care values.


April 27, 2003

glibc-audit is a modified glibc for application developers who check their code with an automatic memory access checker such as Purify, Insure++, or memcheck (valgrind).  glibc-audit has been audited and cleaned up so that reports from the developer's use of a memory access checker are more likely to be interesting to the developer, with less "noise" from the C library itself.  Typically, glibc-audit initializes all of its local variables and structs before use.  Ordinary glibc uses uninitialized dummy variables that are "don't-care" to its logic but reported by the memory access checker.

Also, the r_debug.r_brk protocol has been enhanced to co-operate with a co-resident auditor.  If the auditor sets .r_brk, then the runtime loader will call the auditor directly whenever a shared library event occurs.  This is much more convenient than using breakpoints.  By default the old breakpoint protocol works just like before.  The new protocol is binary compatible with the old on machines where a pointer to a function is the same size as an ordinary pointer.  Platforms where a pointer to a function is larger (such as HP-PA RISC, Alpha processor, or PowerPC) are not binary backward compatible, and will have to increment r_debug.r_version.  Existing clients (such as gdb) also will see an ignorable type mismatch error when they are built. But for now, it is worth more not to antagonize gdb at runtime on x86.

The patch modifies 91 files.  Compared to glibc-2.3.2-27.9, the additional code occupies 18 more bytes of .text, and 24 fewer bytes in the .so.  On a nano-scopic scale, the typical execution cost is 0 to 3 CPU cycles per affected routine; the estimated median total impact is less than 1 second per machine per day.  In the case of *printf(), glibc-audit is faster than glibc because the cleaned-up source helps gcc-3.2 avoid generating atrocious code when initializing printf_spec.info for parse_one_spec() in stdio-common/printf-parse.h.

Glibc-audit was constructed by running a memory access checker on the internal testcases of glibc, then analyzing the reported errors and modifying the source.  The process revealed 10 memory access bugs in glibc-2.3.2-11.9.  Seven were fixed in glibc-2.3.2-27.9, two more have been fixed in CVS, and one is a design flaw that probably will not be fixed.

Predecessor patches to glibc-audit-1 were submitted to the glibc project, but those patches were ignored [user "guest", password "guest"], declined, or rejected. There is enough improvement in usability and reliability to publish glibc-audit-1 separately.

Like glibc, the patch for glibc-audit-1 is licensed under the GNU Lesser General Public License (LGPL v2.1).  The unmodified glibc-2.3.2-27.9.src.rpm is available from RedHat mirrors.  rpmbuild -ba --target i686 took about 4 hours and 2.5GB of disk space on a machine with 1.1GHz CPU, 384MB RAM, UDMA100 disk.