tequilaOS/platform_bionic
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_bionic/libc/bionic/libc_init_common.cpp

370 lines
11 KiB
C++
Raw Normal View History

auto import from //depot/cupcake/@135843
2009-03-04 04:28:35 +01:00
/*
* Copyright (C) 2008 The Android Open Source Project
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
* OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
Fix debug malloc. This was broken by the change to use AT_RANDOM for the stack guards. Bug: 7959813 Bug: 8330764 Change-Id: I791900092b72a9a900f16585237fa7ad82aaed9f
2013-03-07 00:03:53 +01:00
#include "libc_init_common.h"
#include <elf.h>
#include <errno.h>
Statically linked executables should honor AT_SECURE. Bug: http://b/19647373 Change-Id: I10e7682d9cec26a523f1a3597ca5326c3ca42ebe
2015-06-09 03:04:00 +02:00
#include <fcntl.h>
auto import from //depot/cupcake/@135843
2009-03-04 04:28:35 +01:00
#include <stddef.h>
Fix debug malloc. This was broken by the change to use AT_RANDOM for the stack guards. Bug: 7959813 Bug: 8330764 Change-Id: I791900092b72a9a900f16585237fa7ad82aaed9f
2013-03-07 00:03:53 +01:00
#include <stdint.h>
auto import from //depot/cupcake/@135843
2009-03-04 04:28:35 +01:00
#include <stdio.h>
#include <stdlib.h>
Statically linked executables should honor AT_SECURE. Bug: http://b/19647373 Change-Id: I10e7682d9cec26a523f1a3597ca5326c3ca42ebe
2015-06-09 03:04:00 +02:00
#include <string.h>
Fix debug malloc. This was broken by the change to use AT_RANDOM for the stack guards. Bug: 7959813 Bug: 8330764 Change-Id: I791900092b72a9a900f16585237fa7ad82aaed9f
2013-03-07 00:03:53 +01:00
#include <sys/auxv.h>
Improve personality initialization 1. Personality parameter should be unsigned int (not long) 2. Do not reset bits outside of PER_MASK when setting personality value. 3. Set personality for static executables. Bug: http://b/21900686 Change-Id: I4c7e34079cbd59b818ce221eed325c05b9bb2303 (cherry picked from commit f643eb38c36eb63f612e20dea09fd43ac6a6b360)
2015-07-01 00:10:51 +02:00
#include <sys/personality.h>
Use kernel default for initial thread size Bug: 10697851 Change-Id: I8d980f5e0b584799536f6e6b891056c968d26cdf
2013-09-13 06:47:20 +02:00
#include <sys/time.h>
Clean up the argc/argv/envp/auxv handling. There's now only one place where we deal with this stuff, it only needs to be parsed once by the dynamic linker (rather than by each recipient), and it's now easier for us to get hold of auxv data early on. Change-Id: I6314224257c736547aac2e2a650e66f2ea53bef5
2013-02-07 19:14:39 +01:00
#include <unistd.h>
auto import from //depot/cupcake/@135843
2009-03-04 04:28:35 +01:00
Move libc_log code into libasync_safe. This library is used by a number of different libraries in the system. Make it easy for platform libraries to use this library and create an actual exported include file. Change the names of the functions to reflect the new name of the library. Run clang_format on the async_safe_log.cpp file since the formatting is all over the place. Bug: 31919199 Test: Compiled for angler/bullhead, and booted. Test: Ran bionic unit tests. Test: Ran the malloc debug tests. Change-Id: I8071bf690c17b0ea3bc8dc5749cdd5b6ad58478a
2017-04-25 02:48:32 +02:00
#include <async_safe/log.h>
Take the arc4random lock before forking. Bug: http://b/24675038 Test: stepped through a fork call in gdb Change-Id: I09d20ff1d103d0c005f2a0cdd9b0a8710ab2392c
2016-06-24 22:04:09 +02:00
#include "private/WriteProtected.h"
Add __libc_add_main_thread and mark it weak This complements __libc_init_main_thread in setting up main thread under native bridge. Test: run_tests Bug: 77877742 Change-Id: I53efab66f285a1b9f0ab36d44386fa1e2621e4ba (cherry picked from commit 4c9504aa6cb4dad5142056d5e46bcb8409fd476d)
2018-04-19 18:39:48 +02:00
#include "private/bionic_defs.h"
Move VDSO pointers to a shared globals struct. Change-Id: I01cbc9cf0917dc1fac52d9205bda2c68529d12ef
2015-10-06 20:08:13 +02:00
#include "private/bionic_globals.h"
Fix x86_64 build, clean up intermediate libraries. The x86_64 build was failing because clone.S had a call to __thread_entry which was being added to a different intermediate .a on the way to making libc.so, and the linker couldn't guarantee statically that such a relocation would be possible. ld: error: out/target/product/generic_x86_64/obj/STATIC_LIBRARIES/libc_common_intermediates/libc_common.a(clone.o): requires dynamic R_X86_64_PC32 reloc against '__thread_entry' which may overflow at runtime; recompile with -fPIC This patch addresses that by ensuring that the caller and callee end up in the same intermediate .a. While I'm here, I've tried to clean up some of the mess that led to this situation too. In particular, this removes libc/private/ from the default include path (except for the DNS code), and splits out the DNS code into its own library (since it's a weird special case of upstream NetBSD code that's diverged so heavily it's unlikely ever to get back in sync). There's more cleanup of the DNS situation possible, but this is definitely a step in the right direction, and it's more than enough to get x86_64 building cleanly. Change-Id: I00425a7245b7a2573df16cc38798187d0729e7c4
2013-10-10 00:50:50 +02:00
#include "private/bionic_tls.h"
Take the arc4random lock before forking. Bug: http://b/24675038 Test: stepped through a fork call in gdb Change-Id: I09d20ff1d103d0c005f2a0cdd9b0a8710ab2392c
2016-06-24 22:04:09 +02:00
#include "private/thread_private.h"
Fix debug malloc. This was broken by the change to use AT_RANDOM for the stack guards. Bug: 7959813 Bug: 8330764 Change-Id: I791900092b72a9a900f16585237fa7ad82aaed9f
2013-03-07 00:03:53 +01:00
#include "pthread_internal.h"
auto import from //depot/cupcake/@135843
2009-03-04 04:28:35 +01:00
Clean up the argc/argv/envp/auxv handling. There's now only one place where we deal with this stuff, it only needs to be parsed once by the dynamic linker (rather than by each recipient), and it's now easier for us to get hold of auxv data early on. Change-Id: I6314224257c736547aac2e2a650e66f2ea53bef5
2013-02-07 19:14:39 +01:00
extern "C" int __system_properties_init(void);
Revert "Fix the C library initialization to avoid calling static C++ constructors twice." This reverts commit 03eabfe65e1e2c36f4d26c78a730fa19a3bdada3.
2009-06-03 19:32:37 +02:00
Move VDSO pointers to a shared globals struct. Change-Id: I01cbc9cf0917dc1fac52d9205bda2c68529d12ef
2015-10-06 20:08:13 +02:00
__LIBC_HIDDEN__ WriteProtected<libc_globals> __libc_globals;
Use VDSO for clock_gettime(2) and gettimeofday(2). Bug: 15387103 Change-Id: Ifc3608ea65060c1dc38120b10b6e79874f182a36
2014-07-16 01:53:13 +02:00
Clean up the argc/argv/envp/auxv handling. There's now only one place where we deal with this stuff, it only needs to be parsed once by the dynamic linker (rather than by each recipient), and it's now easier for us to get hold of auxv data early on. Change-Id: I6314224257c736547aac2e2a650e66f2ea53bef5
2013-02-07 19:14:39 +01:00
// Not public, but well-known in the BSDs.
__progname should be const char*, not char*. Change-Id: I8e846872c30a712fbc05c8da59ffa1cec1be31a4
2013-02-07 21:06:44 +01:00
const char* __progname;
auto import from //depot/cupcake/@135843
2009-03-04 04:28:35 +01:00
Replace TLS_SLOT_BIONIC_PREINIT w/ shared globals Instead of passing the address of a KernelArgumentBlock to libc.so for initialization, use __loader_shared_globals() to initialize globals. Most of the work happened in the previous CLs. This CL switches a few KernelArgumentBlock::getauxval calls to [__bionic_]getauxval and stops routing the KernelArgumentBlock address through the libc init functions. Bug: none Test: bionic unit tests Change-Id: I96c7b02c21d55c454558b7a5a9243c682782f2dd Merged-In: I96c7b02c21d55c454558b7a5a9243c682782f2dd (cherry picked from commit 746ad15912cfa82271424747e94d8125acc43d8c)
2018-11-22 12:16:06 +01:00
void __libc_init_globals() {
Move VDSO pointers to a shared globals struct. Change-Id: I01cbc9cf0917dc1fac52d9205bda2c68529d12ef
2015-10-06 20:08:13 +02:00
// Initialize libc globals that are needed in both the linker and in libc.
// In dynamic binaries, this is run at least twice for different copies of the
// globals, once for the linker's copy and once for the one in libc.so.
__libc_globals.initialize();
Replace TLS_SLOT_BIONIC_PREINIT w/ shared globals Instead of passing the address of a KernelArgumentBlock to libc.so for initialization, use __loader_shared_globals() to initialize globals. Most of the work happened in the previous CLs. This CL switches a few KernelArgumentBlock::getauxval calls to [__bionic_]getauxval and stops routing the KernelArgumentBlock address through the libc init functions. Bug: none Test: bionic unit tests Change-Id: I96c7b02c21d55c454558b7a5a9243c682782f2dd Merged-In: I96c7b02c21d55c454558b7a5a9243c682782f2dd (cherry picked from commit 746ad15912cfa82271424747e94d8125acc43d8c)
2018-11-22 12:16:06 +01:00
__libc_globals.mutate([](libc_globals* globals) {
__libc_init_vdso(globals);
__libc_init_setjmp_cookie(globals);
Move VDSO pointers to a shared globals struct. Change-Id: I01cbc9cf0917dc1fac52d9205bda2c68529d12ef
2015-10-06 20:08:13 +02:00
});
}
Check current pid at libc initialization for 32-bit build. Although there is a test pthread.pthread_mutex_owner_tid_limit to check pid_max, but bionic-unit-tests hangs before reaching that test. So abort at libc initialization if not able to reach the test when running bionic-unit-tests32. It is more friendly for debugging. Bug: 24016357 Change-Id: Ia70c2e36fd8a3a040d41ea5722c7b48a6134e102
2016-03-29 21:25:12 +02:00
#if !defined(__LP64__)
static void __check_max_thread_id() {
if (gettid() > 65535) {
Move libc_log code into libasync_safe. This library is used by a number of different libraries in the system. Make it easy for platform libraries to use this library and create an actual exported include file. Change the names of the functions to reflect the new name of the library. Run clang_format on the async_safe_log.cpp file since the formatting is all over the place. Bug: 31919199 Test: Compiled for angler/bullhead, and booted. Test: Ran bionic unit tests. Test: Ran the malloc debug tests. Change-Id: I8071bf690c17b0ea3bc8dc5749cdd5b6ad58478a
2017-04-25 02:48:32 +02:00
async_safe_fatal("Limited by the size of pthread_mutex_t, 32 bit bionic libc only accepts "
"pid <= 65535, but current pid is %d", gettid());
Check current pid at libc initialization for 32-bit build. Although there is a test pthread.pthread_mutex_owner_tid_limit to check pid_max, but bionic-unit-tests hangs before reaching that test. So abort at libc initialization if not able to reach the test when running bionic-unit-tests32. It is more friendly for debugging. Bug: 24016357 Change-Id: Ia70c2e36fd8a3a040d41ea5722c7b48a6134e102
2016-03-29 21:25:12 +02:00
}
}
#endif
Defer registration of the arc4random fork-detect handler. Previously, arc4random would register a fork-detecting pthread_atfork handler to not have to call getpid() after a fork. pthread_atfork uses pthread_mutex_lock, which requires the current thread to be initialized, preventing the use of arc4random for initializing the global stack guard, which needs to happen before the main thread has been initialized. Extract the arc4random fork-detection flag and use the existing arc4random fork handler to set it. Bug: http://b/29622562 Change-Id: I98c9329fa0e489c3f78cad52747eaaf2f5226b80
2016-06-25 01:18:21 +02:00
static void arc4random_fork_handler() {
_rs_forked = 1;
_thread_arc4_lock();
}
Add __libc_add_main_thread and mark it weak This complements __libc_init_main_thread in setting up main thread under native bridge. Test: run_tests Bug: 77877742 Change-Id: I53efab66f285a1b9f0ab36d44386fa1e2621e4ba (cherry picked from commit 4c9504aa6cb4dad5142056d5e46bcb8409fd476d)
2018-04-19 18:39:48 +02:00
__BIONIC_WEAK_FOR_NATIVE_BRIDGE
void __libc_add_main_thread() {
// Get the main thread from TLS and add it to the thread list.
pthread_internal_t* main_thread = __get_thread();
__pthread_internal_add(main_thread);
}
Use shared globals to init __progname + environ Initialize the __progname and environ global variables using libc_shared_globals rather than KernelArgumentBlock. Also: suppose the linker is invoked on an executable: linker prog [args...] The first argument passed to main() and constructor functions is "prog" rather than "linker". For consistency, this CL changes the BSD __progname global from "linker" to "prog". Bug: none Test: bionic unit tests Change-Id: I376d76953c9436706dbc53911ef6585c1acc1c31
2018-11-22 11:41:36 +01:00
void __libc_init_common() {
Clean up the argc/argv/envp/auxv handling. There's now only one place where we deal with this stuff, it only needs to be parsed once by the dynamic linker (rather than by each recipient), and it's now easier for us to get hold of auxv data early on. Change-Id: I6314224257c736547aac2e2a650e66f2ea53bef5
2013-02-07 19:14:39 +01:00
// Initialize various globals.
Use shared globals to init __progname + environ Initialize the __progname and environ global variables using libc_shared_globals rather than KernelArgumentBlock. Also: suppose the linker is invoked on an executable: linker prog [args...] The first argument passed to main() and constructor functions is "prog" rather than "linker". For consistency, this CL changes the BSD __progname global from "linker" to "prog". Bug: none Test: bionic unit tests Change-Id: I376d76953c9436706dbc53911ef6585c1acc1c31
2018-11-22 11:41:36 +01:00
environ = __libc_shared_globals()->init_environ;
Clean up the argc/argv/envp/auxv handling. There's now only one place where we deal with this stuff, it only needs to be parsed once by the dynamic linker (rather than by each recipient), and it's now easier for us to get hold of auxv data early on. Change-Id: I6314224257c736547aac2e2a650e66f2ea53bef5
2013-02-07 19:14:39 +01:00
errno = 0;
Use shared globals to init __progname + environ Initialize the __progname and environ global variables using libc_shared_globals rather than KernelArgumentBlock. Also: suppose the linker is invoked on an executable: linker prog [args...] The first argument passed to main() and constructor functions is "prog" rather than "linker". For consistency, this CL changes the BSD __progname global from "linker" to "prog". Bug: none Test: bionic unit tests Change-Id: I376d76953c9436706dbc53911ef6585c1acc1c31
2018-11-22 11:41:36 +01:00
__progname = __libc_shared_globals()->init_progname ?: "<unknown>";
auto import from //depot/cupcake/@135843
2009-03-04 04:28:35 +01:00
Check current pid at libc initialization for 32-bit build. Although there is a test pthread.pthread_mutex_owner_tid_limit to check pid_max, but bionic-unit-tests hangs before reaching that test. So abort at libc initialization if not able to reach the test when running bionic-unit-tests32. It is more friendly for debugging. Bug: 24016357 Change-Id: Ia70c2e36fd8a3a040d41ea5722c7b48a6134e102
2016-03-29 21:25:12 +02:00
#if !defined(__LP64__)
__check_max_thread_id();
#endif
Add __libc_add_main_thread and mark it weak This complements __libc_init_main_thread in setting up main thread under native bridge. Test: run_tests Bug: 77877742 Change-Id: I53efab66f285a1b9f0ab36d44386fa1e2621e4ba (cherry picked from commit 4c9504aa6cb4dad5142056d5e46bcb8409fd476d)
2018-04-19 18:39:48 +02:00
__libc_add_main_thread();
Revert "Remove the global thread list." This reverts commit b0e8c565a622b5519e03d4416b0b5b1a5f20d7f5. Breaks swiftshader (http:/b/34883464). Change-Id: I7b21193ba8a78f07d7ac65e41d0fe8516940a83b
2017-02-02 03:41:38 +01:00
Take the arc4random lock before forking. Bug: http://b/24675038 Test: stepped through a fork call in gdb Change-Id: I09d20ff1d103d0c005f2a0cdd9b0a8710ab2392c
2016-06-24 22:04:09 +02:00
// Register atfork handlers to take and release the arc4random lock.
Defer registration of the arc4random fork-detect handler. Previously, arc4random would register a fork-detecting pthread_atfork handler to not have to call getpid() after a fork. pthread_atfork uses pthread_mutex_lock, which requires the current thread to be initialized, preventing the use of arc4random for initializing the global stack guard, which needs to happen before the main thread has been initialized. Extract the arc4random fork-detection flag and use the existing arc4random fork handler to set it. Bug: http://b/29622562 Change-Id: I98c9329fa0e489c3f78cad52747eaaf2f5226b80
2016-06-25 01:18:21 +02:00
pthread_atfork(arc4random_fork_handler, _thread_arc4_unlock, _thread_arc4_unlock);
Take the arc4random lock before forking. Bug: http://b/24675038 Test: stepped through a fork call in gdb Change-Id: I09d20ff1d103d0c005f2a0cdd9b0a8710ab2392c
2016-06-24 22:04:09 +02:00
Don't corrupt the thread list if the main thread exits. ...and don't pass a non-heap pointer to free(3), either. This patch replaces the "node** prev" with the clearer "node* prev" style and fixes the null pointer dereference in the old code. That's not sufficient to fix the reporter's bug, though. The pthread_internal_t* for the main thread isn't heap-allocated --- __libc_init_tls causes a pointer to a statically-allocated pthread_internal_t to be added to the thread list. Bug: http://code.google.com/p/android/issues/detail?id=37410 Change-Id: I112b7f22782fc789d58f9c783f7b323bda8fb8b7
2012-11-02 00:33:29 +01:00
__system_properties_init(); // Requires 'environ'.
Introduce api to track fd ownership in libc. Add two functions to allow objects that own a file descriptor to enforce that only they can close their file descriptor. Use them in FILE* and DIR*. Bug: http://b/110100358 Test: bionic_unit_tests Test: aosp/master boots without errors Test: treehugger Change-Id: Iecd6e8b26c62217271e0822dc3d2d7888b091a45
2018-06-02 00:30:54 +02:00
__libc_init_fdsan(); // Requires system properties (for debug.fdsan).
auto import from //depot/cupcake/@135843
2009-03-04 04:28:35 +01:00
}
libc: fix executable destruction support. This change allows an executable to call its destructor functions (declared with __attribute__((destructor))) to be properly called when it normally exits. Note that this is different from calling the destructors of a shared library when it is unloaded with dlclose() or through program exit, which are already supported. Bug: 3106500 Change-Id: I1412ef5407f13b613fc6cb6103e0a691dbee4b1a
2010-10-21 04:16:50 +02:00
Statically linked executables should honor AT_SECURE. Bug: http://b/19647373 Change-Id: I10e7682d9cec26a523f1a3597ca5326c3ca42ebe
2015-06-09 03:04:00 +02:00
__noreturn static void __early_abort(int line) {
// We can't write to stdout or stderr because we're aborting before we've checked that
// it's safe for us to use those file descriptors. We probably can't strace either, so
// we rely on the fact that if we dereference a low address, either debuggerd or the
// kernel's crash dump will show the fault address.
*reinterpret_cast<int*>(line) = 0;
_exit(EXIT_FAILURE);
}
// Force any of the closed stdin, stdout and stderr to be associated with /dev/null.
static void __nullify_closed_stdio() {
int dev_null = TEMP_FAILURE_RETRY(open("/dev/null", O_RDWR));
if (dev_null == -1) {
// init won't have /dev/null available, but SELinux provides an equivalent.
dev_null = TEMP_FAILURE_RETRY(open("/sys/fs/selinux/null", O_RDWR));
}
if (dev_null == -1) {
__early_abort(__LINE__);
}
// If any of the stdio file descriptors is valid and not associated
// with /dev/null, dup /dev/null to it.
for (int i = 0; i < 3; i++) {
// If it is /dev/null already, we are done.
if (i == dev_null) {
continue;
}
// Is this fd already open?
int status = TEMP_FAILURE_RETRY(fcntl(i, F_GETFL));
if (status != -1) {
continue;
}
// The only error we allow is that the file descriptor does not
// exist, in which case we dup /dev/null to it.
if (errno == EBADF) {
// Try dupping /dev/null to this stdio file descriptor and
// repeat if there is a signal. Note that any errors in closing
// the stdio descriptor are lost.
status = TEMP_FAILURE_RETRY(dup2(dev_null, i));
if (status == -1) {
__early_abort(__LINE__);
}
} else {
__early_abort(__LINE__);
}
}
// If /dev/null is not one of the stdio file descriptors, close it.
if (dev_null > 2) {
if (close(dev_null) == -1) {
__early_abort(__LINE__);
}
}
}
// Check if the environment variable definition at 'envstr'
// starts with '<name>=', and if so return the address of the
// first character after the equal sign. Otherwise return null.
static const char* env_match(const char* envstr, const char* name) {
size_t i = 0;
while (envstr[i] == name[i] && name[i] != '\0') {
++i;
}
if (name[i] == '\0' && envstr[i] == '=') {
return envstr + i + 1;
}
return nullptr;
}
static bool __is_valid_environment_variable(const char* name) {
// According to the kernel source, by default the kernel uses 32*PAGE_SIZE
// as the maximum size for an environment variable definition.
const int MAX_ENV_LEN = 32*4096;
if (name == nullptr) {
return false;
}
// Parse the string, looking for the first '=' there, and its size.
int pos = 0;
int first_equal_pos = -1;
while (pos < MAX_ENV_LEN) {
if (name[pos] == '\0') {
break;
}
if (name[pos] == '=' && first_equal_pos < 0) {
first_equal_pos = pos;
}
pos++;
}
// Check that it's smaller than MAX_ENV_LEN (to detect non-zero terminated strings).
if (pos >= MAX_ENV_LEN) {
return false;
}
// Check that it contains at least one equal sign that is not the first character
if (first_equal_pos < 1) {
return false;
}
return true;
}
static bool __is_unsafe_environment_variable(const char* name) {
libc_init_common.cpp: Clarify when environment stripping occurs The current comment implies that we only strip sensitive environment variables on executing a setuid program. This is true but incomplete. The AT_SECURE flag is set whenever a security transition occurs, such as executing a setuid program, SELinux security transition, executing a file with file capabilities, etc... Fixup the comments. Change-Id: I30a73992adfde14d6e5f642b3a1ead2ee56726be
2015-11-11 01:39:29 +01:00
// None of these should be allowed when the AT_SECURE auxv
// flag is set. This flag is set to inform userspace that a
// security transition has occurred, for example, as a result
// of executing a setuid program or the result of an SELinux
// security transition.
Use foreach loop to match setuid unsafe env vars. Change-Id: I1e94daefac8e601281f38c7ce29ba3172a4a60bb
2015-10-02 00:50:16 +02:00
static constexpr const char* UNSAFE_VARIABLE_NAMES[] = {
Cleanup ANDROID_DNS_MODE and BIONIC_DNSCACHE For security reasons, when a binary is executed which causes a security transition (eg, a setuid binary, setgid binary, filesystem capabilities, or SELinux domain transition), the AT_SECURE flag is set. This causes certain blacklisted environment variables to be stripped before the process is executed. The list of blacklisted environment variables is stored in UNSAFE_VARIABLE_NAMES. Generally speaking, most environment variables used internally by libc show up in this list. Add ANDROID_DNS_MODE to the list of unsafe variables. Similar to RESOLV_HOST_CONF and RES_OPTIONS (which are already blacklisted), this variable controls how name resolution requests are handled. Allowing ANDROID_DNS_MODE to be set across a security boundary could induce resolution failures or otherwise impact name resolution. Remove BIONIC_DNSCACHE. This does not appear to be used, and setting this variable across a security boundary could cause name resolution problems. Test: Android compiles and runs with no obvious problems. Change-Id: I835a7b42d6afbc9c67866594c7951cfd9b355d81
2017-04-01 18:54:19 +02:00
"ANDROID_DNS_MODE",
Use foreach loop to match setuid unsafe env vars. Change-Id: I1e94daefac8e601281f38c7ce29ba3172a4a60bb
2015-10-02 00:50:16 +02:00
"GCONV_PATH",
"GETCONF_DIR",
"HOSTALIASES",
"JE_MALLOC_CONF",
"LD_AOUT_LIBRARY_PATH",
"LD_AOUT_PRELOAD",
"LD_AUDIT",
Don't honor LD_CONFIG_FILE across security transitions For security reasons, when a binary is executed which causes a security transition (eg, a setuid binary, setgid binary, filesystem capabilities, or SELinux domain transition), the AT_SECURE flag is set. This causes certain blacklisted environment variables to be stripped before the process is executed. The list of blacklisted environment variables is stored in UNSAFE_VARIABLE_NAMES. Generally speaking, most environment variables used internally by libc show up in this list. Commit 02586a2a34e6acfccf359b94db840f422b6c0231 ("linker: the global group is added to all built-in namespaces", Aug 2017) added support for the environment variable LD_CONFIG_FILE. This debug build only feature allows the caller to specify the path to the loader configuration file. Like other linker environment variables, setting this variable allows the calling process to control executed code of the called process, which has security implications (on debuggable builds only). Add LD_CONFIG_FILE to UNSAFE_VARIABLE_NAMES. This has the effect of stripping, on all build types, the LD_CONFIG_FILE environment variable. This has three advantages: 1) Prevents security bugs should LD_CONFIG_FILE ever be inadvertantly exposed on a production build. 2) Makes the behavior of userdebug and user builds more similar, helping prevent build-type dependent bugs where someone may come to rely on this debug-only feature. 3) Protect droidfood users against malicious applications which can trigger a security transition, eg, the execution of crash_dump or the renderscript compiler. Alternative considered but rejected: If we treated LD_CONFIG_FILE like LD_PRELOAD, we could expose this on all build types, and remove the build-type dependent behavior. But this is contrary to enh's Aug 02 2017 guidance at https://android-review.googlesource.com/c/platform/bionic/+/449956 i'm still uncomfortable about LD_CONFIG_FILE because i'd like to be reducing the number of environment variables that affect the linker in P rather than increasing them. Test: atest CtsBionicTestCases Test: atest linker-unit-tests Change-Id: I82d286546ee079b5cde04428dc89941c253c2d20
2019-04-26 20:25:02 +02:00
"LD_CONFIG_FILE",
Use foreach loop to match setuid unsafe env vars. Change-Id: I1e94daefac8e601281f38c7ce29ba3172a4a60bb
2015-10-02 00:50:16 +02:00
"LD_DEBUG",
"LD_DEBUG_OUTPUT",
"LD_DYNAMIC_WEAK",
"LD_LIBRARY_PATH",
"LD_ORIGIN_PATH",
"LD_PRELOAD",
"LD_PROFILE",
"LD_SHOW_AUXV",
"LD_USE_LOAD_BIAS",
Don't allow LIBC_DEBUG_MALLOC_OPTIONS to cross security boundaries. Bug: http://b/68003719 Test: LIBC_DEBUG_MALLOC_OPTIONS=isbad1 MALLOC_CONF=isbad2 su 0 /system/bin/sh -c '/system/bin/echo opt=$LIBC_DEBUG_MALLOC_OPTIONS conf=$MALLOC_CONF' Change-Id: I796cc21b230a96cb0ed87d02ddcb1706a7749a90
2017-10-27 03:22:43 +02:00
"LIBC_DEBUG_MALLOC_OPTIONS",
Don't honor LIBC_HOOKS_ENABLE across a security boundary Similar to the way we handle LIBC_DEBUG_MALLOC_OPTIONS (bug 68003719), filter LIBC_HOOKS_ENABLE when we cross a security boundary. This prevents modifying the allocation behavior of a privileged program. Introduced in https://android.googlesource.com/platform/bionic/+/db478a627482c73c52df9e3929fe7a39f03e4eeb%5E%21/#F0 (bug 30561479) Test: compiles and boots Change-Id: I59a7c224734b0991fd62efb45ab599dab8570723
2019-04-26 21:53:40 +02:00
"LIBC_HOOKS_ENABLE",
Use foreach loop to match setuid unsafe env vars. Change-Id: I1e94daefac8e601281f38c7ce29ba3172a4a60bb
2015-10-02 00:50:16 +02:00
"LOCALDOMAIN",
"LOCPATH",
"MALLOC_CHECK_",
"MALLOC_CONF",
"MALLOC_TRACE",
"NIS_PATH",
"NLSPATH",
"RESOLV_HOST_CONF",
"RES_OPTIONS",
"TMPDIR",
"TZDIR",
Statically linked executables should honor AT_SECURE. Bug: http://b/19647373 Change-Id: I10e7682d9cec26a523f1a3597ca5326c3ca42ebe
2015-06-09 03:04:00 +02:00
};
Use foreach loop to match setuid unsafe env vars. Change-Id: I1e94daefac8e601281f38c7ce29ba3172a4a60bb
2015-10-02 00:50:16 +02:00
for (const auto& unsafe_variable_name : UNSAFE_VARIABLE_NAMES) {
if (env_match(name, unsafe_variable_name) != nullptr) {
Statically linked executables should honor AT_SECURE. Bug: http://b/19647373 Change-Id: I10e7682d9cec26a523f1a3597ca5326c3ca42ebe
2015-06-09 03:04:00 +02:00
return true;
}
}
return false;
}
static void __sanitize_environment_variables(char** env) {
char** src = env;
char** dst = env;
for (; src[0] != nullptr; ++src) {
if (!__is_valid_environment_variable(src[0])) {
continue;
}
// Remove various unsafe environment variables if we're loading a setuid program.
Cleanup: __libc_init_AT_SECURE, auxv, sysinfo __sanitize_environment_variables is only called when getauxval(AT_SECURE) is true. Instead of scanning __libc_auxv, reuse getauxval. If the entry is missing, getauxval will set errno to ENOENT. Reduce the number of times that __libc_sysinfo and __libc_auxv are initialized. (Previously, __libc_sysinfo was initialized 3 times for the linker's copy). The two variables are initialized in these places: - __libc_init_main_thread for libc.a (including the linker copy) - __libc_preinit_impl for libc.so - __linker_init: the linker's copy of __libc_sysinfo is still initialized twice, because __libc_init_main_thread runs after relocation. A later CL consolidates the linker's two initializations. Bug: none Test: bionic unit tests Change-Id: I196f4c9011b0d803ee85c07afb415fcb146f4d65
2018-11-22 01:23:03 +01:00
if (__is_unsafe_environment_variable(src[0])) {
Statically linked executables should honor AT_SECURE. Bug: http://b/19647373 Change-Id: I10e7682d9cec26a523f1a3597ca5326c3ca42ebe
2015-06-09 03:04:00 +02:00
continue;
}
dst[0] = src[0];
++dst;
}
dst[0] = nullptr;
}
Improve personality initialization 1. Personality parameter should be unsigned int (not long) 2. Do not reset bits outside of PER_MASK when setting personality value. 3. Set personality for static executables. Bug: http://b/21900686 Change-Id: I4c7e34079cbd59b818ce221eed325c05b9bb2303 (cherry picked from commit f643eb38c36eb63f612e20dea09fd43ac6a6b360)
2015-07-01 00:10:51 +02:00
static void __initialize_personality() {
#if !defined(__LP64__)
int old_value = personality(0xffffffff);
if (old_value == -1) {
Move libc_log code into libasync_safe. This library is used by a number of different libraries in the system. Make it easy for platform libraries to use this library and create an actual exported include file. Change the names of the functions to reflect the new name of the library. Run clang_format on the async_safe_log.cpp file since the formatting is all over the place. Bug: 31919199 Test: Compiled for angler/bullhead, and booted. Test: Ran bionic unit tests. Test: Ran the malloc debug tests. Change-Id: I8071bf690c17b0ea3bc8dc5749cdd5b6ad58478a
2017-04-25 02:48:32 +02:00
async_safe_fatal("error getting old personality value: %s", strerror(errno));
Improve personality initialization 1. Personality parameter should be unsigned int (not long) 2. Do not reset bits outside of PER_MASK when setting personality value. 3. Set personality for static executables. Bug: http://b/21900686 Change-Id: I4c7e34079cbd59b818ce221eed325c05b9bb2303 (cherry picked from commit f643eb38c36eb63f612e20dea09fd43ac6a6b360)
2015-07-01 00:10:51 +02:00
}
if (personality((static_cast<unsigned int>(old_value) & ~PER_MASK) | PER_LINUX32) == -1) {
Move libc_log code into libasync_safe. This library is used by a number of different libraries in the system. Make it easy for platform libraries to use this library and create an actual exported include file. Change the names of the functions to reflect the new name of the library. Run clang_format on the async_safe_log.cpp file since the formatting is all over the place. Bug: 31919199 Test: Compiled for angler/bullhead, and booted. Test: Ran bionic unit tests. Test: Ran the malloc debug tests. Change-Id: I8071bf690c17b0ea3bc8dc5749cdd5b6ad58478a
2017-04-25 02:48:32 +02:00
async_safe_fatal("error setting PER_LINUX32 personality: %s", strerror(errno));
Improve personality initialization 1. Personality parameter should be unsigned int (not long) 2. Do not reset bits outside of PER_MASK when setting personality value. 3. Set personality for static executables. Bug: http://b/21900686 Change-Id: I4c7e34079cbd59b818ce221eed325c05b9bb2303 (cherry picked from commit f643eb38c36eb63f612e20dea09fd43ac6a6b360)
2015-07-01 00:10:51 +02:00
}
#endif
}
Use shared globals to init __progname + environ Initialize the __progname and environ global variables using libc_shared_globals rather than KernelArgumentBlock. Also: suppose the linker is invoked on an executable: linker prog [args...] The first argument passed to main() and constructor functions is "prog" rather than "linker". For consistency, this CL changes the BSD __progname global from "linker" to "prog". Bug: none Test: bionic unit tests Change-Id: I376d76953c9436706dbc53911ef6585c1acc1c31
2018-11-22 11:41:36 +01:00
void __libc_init_AT_SECURE(char** env) {
Statically linked executables should honor AT_SECURE. Bug: http://b/19647373 Change-Id: I10e7682d9cec26a523f1a3597ca5326c3ca42ebe
2015-06-09 03:04:00 +02:00
// Check that the kernel provided a value for AT_SECURE.
Cleanup: __libc_init_AT_SECURE, auxv, sysinfo __sanitize_environment_variables is only called when getauxval(AT_SECURE) is true. Instead of scanning __libc_auxv, reuse getauxval. If the entry is missing, getauxval will set errno to ENOENT. Reduce the number of times that __libc_sysinfo and __libc_auxv are initialized. (Previously, __libc_sysinfo was initialized 3 times for the linker's copy). The two variables are initialized in these places: - __libc_init_main_thread for libc.a (including the linker copy) - __libc_preinit_impl for libc.so - __linker_init: the linker's copy of __libc_sysinfo is still initialized twice, because __libc_init_main_thread runs after relocation. A later CL consolidates the linker's two initializations. Bug: none Test: bionic unit tests Change-Id: I196f4c9011b0d803ee85c07afb415fcb146f4d65
2018-11-22 01:23:03 +01:00
errno = 0;
unsigned long is_AT_SECURE = getauxval(AT_SECURE);
if (errno != 0) __early_abort(__LINE__);
Statically linked executables should honor AT_SECURE. Bug: http://b/19647373 Change-Id: I10e7682d9cec26a523f1a3597ca5326c3ca42ebe
2015-06-09 03:04:00 +02:00
Ensure STDIN/STDOUT/STDERR always exist File descriptor confusion can result if a process is exec()d and STDIN/STDOUT/STDERR do not exist. In those situations, the first, second, and third files opened by the exec()d application will have FD 0, 1, and 2 respectively. Code which reads / writes to these STD* file descriptors may end up reading / writing to unintended files. To prevent this, guarantee that FDs 0, 1, and 2 always exist. Bionic only currently guarantees this for AT_SECURE programs (eg, a setuid binary, setgid binary, filesystem capabilities, or SELinux domain transition). Extending this to all exec()s adds robustness against this class of bugs. Additionally, it allows a caller to do: close(STDIN_FILENO); close(STDOUT_FILENO); close(STDERR_FILENO); and know that the exec()d process will reopen these file descriptors on its own. This has the potential to simplify other parts of Android, eg https://android-review.googlesource.com/c/platform/system/apex/+/915694 Steps to reproduce: sleep 100 <&- >&- 2>&- & BGPID=$! && ls -la /proc/$BGPID/fd && kill $BGPID Expected: $ sleep 100 <&- >&- 2>&- & BGPID=$! && ls -la /proc/$BGPID/fd && kill $BGPID [1] 3154 total 0 dr-x------ 2 shell shell 0 1970-04-17 12:15 . dr-xr-xr-x 9 shell shell 0 1970-04-17 12:15 .. lrwx------ 1 shell shell 64 1970-04-17 12:15 0 -> /dev/null lrwx------ 1 shell shell 64 1970-04-17 12:15 1 -> /dev/null lrwx------ 1 shell shell 64 1970-04-17 12:15 2 -> /dev/null $ [1] + Terminated \sleep 100 <&- >&- 2>&- Actual: $ sleep 100 <&- >&- 2>&- & BGPID=$! && ls -la /proc/$BGPID/fd && kill $BGPID [1] 16345 total 0 dr-x------ 2 shell shell 0 2019-02-28 20:22 . dr-xr-xr-x 9 shell shell 0 2019-02-28 20:22 .. $ [1] + Terminated \sleep 100 <&- >&- 2>&- Test: manual (see above) Change-Id: I3e05700a1e8ebc7fc9d192211dd9fc030cc40139
2019-02-28 21:57:24 +01:00
// Always ensure that STDIN/STDOUT/STDERR exist. This prevents file
// descriptor confusion bugs where a parent process closes
// STD*, the exec()d process calls open() for an unrelated reason,
// the newly created file descriptor is assigned
// 0<=FD<=2, and unrelated code attempts to read / write to the STD*
// FDs.
// In particular, this can be a security bug for setuid/setgid programs.
// For example:
// https://www.freebsd.org/security/advisories/FreeBSD-SA-02:23.stdio.asc
// However, for robustness reasons, we don't limit these protections to
// just security critical executables.
//
// Init is excluded from these protections unless AT_SECURE is set, as
// /dev/null and/or /sys/fs/selinux/null will not be available at
// early boot.
if ((getpid() != 1) || is_AT_SECURE) {
Statically linked executables should honor AT_SECURE. Bug: http://b/19647373 Change-Id: I10e7682d9cec26a523f1a3597ca5326c3ca42ebe
2015-06-09 03:04:00 +02:00
__nullify_closed_stdio();
Ensure STDIN/STDOUT/STDERR always exist File descriptor confusion can result if a process is exec()d and STDIN/STDOUT/STDERR do not exist. In those situations, the first, second, and third files opened by the exec()d application will have FD 0, 1, and 2 respectively. Code which reads / writes to these STD* file descriptors may end up reading / writing to unintended files. To prevent this, guarantee that FDs 0, 1, and 2 always exist. Bionic only currently guarantees this for AT_SECURE programs (eg, a setuid binary, setgid binary, filesystem capabilities, or SELinux domain transition). Extending this to all exec()s adds robustness against this class of bugs. Additionally, it allows a caller to do: close(STDIN_FILENO); close(STDOUT_FILENO); close(STDERR_FILENO); and know that the exec()d process will reopen these file descriptors on its own. This has the potential to simplify other parts of Android, eg https://android-review.googlesource.com/c/platform/system/apex/+/915694 Steps to reproduce: sleep 100 <&- >&- 2>&- & BGPID=$! && ls -la /proc/$BGPID/fd && kill $BGPID Expected: $ sleep 100 <&- >&- 2>&- & BGPID=$! && ls -la /proc/$BGPID/fd && kill $BGPID [1] 3154 total 0 dr-x------ 2 shell shell 0 1970-04-17 12:15 . dr-xr-xr-x 9 shell shell 0 1970-04-17 12:15 .. lrwx------ 1 shell shell 64 1970-04-17 12:15 0 -> /dev/null lrwx------ 1 shell shell 64 1970-04-17 12:15 1 -> /dev/null lrwx------ 1 shell shell 64 1970-04-17 12:15 2 -> /dev/null $ [1] + Terminated \sleep 100 <&- >&- 2>&- Actual: $ sleep 100 <&- >&- 2>&- & BGPID=$! && ls -la /proc/$BGPID/fd && kill $BGPID [1] 16345 total 0 dr-x------ 2 shell shell 0 2019-02-28 20:22 . dr-xr-xr-x 9 shell shell 0 2019-02-28 20:22 .. $ [1] + Terminated \sleep 100 <&- >&- 2>&- Test: manual (see above) Change-Id: I3e05700a1e8ebc7fc9d192211dd9fc030cc40139
2019-02-28 21:57:24 +01:00
}
Statically linked executables should honor AT_SECURE. Bug: http://b/19647373 Change-Id: I10e7682d9cec26a523f1a3597ca5326c3ca42ebe
2015-06-09 03:04:00 +02:00
Ensure STDIN/STDOUT/STDERR always exist File descriptor confusion can result if a process is exec()d and STDIN/STDOUT/STDERR do not exist. In those situations, the first, second, and third files opened by the exec()d application will have FD 0, 1, and 2 respectively. Code which reads / writes to these STD* file descriptors may end up reading / writing to unintended files. To prevent this, guarantee that FDs 0, 1, and 2 always exist. Bionic only currently guarantees this for AT_SECURE programs (eg, a setuid binary, setgid binary, filesystem capabilities, or SELinux domain transition). Extending this to all exec()s adds robustness against this class of bugs. Additionally, it allows a caller to do: close(STDIN_FILENO); close(STDOUT_FILENO); close(STDERR_FILENO); and know that the exec()d process will reopen these file descriptors on its own. This has the potential to simplify other parts of Android, eg https://android-review.googlesource.com/c/platform/system/apex/+/915694 Steps to reproduce: sleep 100 <&- >&- 2>&- & BGPID=$! && ls -la /proc/$BGPID/fd && kill $BGPID Expected: $ sleep 100 <&- >&- 2>&- & BGPID=$! && ls -la /proc/$BGPID/fd && kill $BGPID [1] 3154 total 0 dr-x------ 2 shell shell 0 1970-04-17 12:15 . dr-xr-xr-x 9 shell shell 0 1970-04-17 12:15 .. lrwx------ 1 shell shell 64 1970-04-17 12:15 0 -> /dev/null lrwx------ 1 shell shell 64 1970-04-17 12:15 1 -> /dev/null lrwx------ 1 shell shell 64 1970-04-17 12:15 2 -> /dev/null $ [1] + Terminated \sleep 100 <&- >&- 2>&- Actual: $ sleep 100 <&- >&- 2>&- & BGPID=$! && ls -la /proc/$BGPID/fd && kill $BGPID [1] 16345 total 0 dr-x------ 2 shell shell 0 2019-02-28 20:22 . dr-xr-xr-x 9 shell shell 0 2019-02-28 20:22 .. $ [1] + Terminated \sleep 100 <&- >&- 2>&- Test: manual (see above) Change-Id: I3e05700a1e8ebc7fc9d192211dd9fc030cc40139
2019-02-28 21:57:24 +01:00
if (is_AT_SECURE) {
Use shared globals to init __progname + environ Initialize the __progname and environ global variables using libc_shared_globals rather than KernelArgumentBlock. Also: suppose the linker is invoked on an executable: linker prog [args...] The first argument passed to main() and constructor functions is "prog" rather than "linker". For consistency, this CL changes the BSD __progname global from "linker" to "prog". Bug: none Test: bionic unit tests Change-Id: I376d76953c9436706dbc53911ef6585c1acc1c31
2018-11-22 11:41:36 +01:00
__sanitize_environment_variables(env);
Statically linked executables should honor AT_SECURE. Bug: http://b/19647373 Change-Id: I10e7682d9cec26a523f1a3597ca5326c3ca42ebe
2015-06-09 03:04:00 +02:00
}
// Now the environment has been sanitized, make it available.
Use shared globals to init __progname + environ Initialize the __progname and environ global variables using libc_shared_globals rather than KernelArgumentBlock. Also: suppose the linker is invoked on an executable: linker prog [args...] The first argument passed to main() and constructor functions is "prog" rather than "linker". For consistency, this CL changes the BSD __progname global from "linker" to "prog". Bug: none Test: bionic unit tests Change-Id: I376d76953c9436706dbc53911ef6585c1acc1c31
2018-11-22 11:41:36 +01:00
environ = __libc_shared_globals()->init_environ = env;
Improve personality initialization 1. Personality parameter should be unsigned int (not long) 2. Do not reset bits outside of PER_MASK when setting personality value. 3. Set personality for static executables. Bug: http://b/21900686 Change-Id: I4c7e34079cbd59b818ce221eed325c05b9bb2303 (cherry picked from commit f643eb38c36eb63f612e20dea09fd43ac6a6b360)
2015-07-01 00:10:51 +02:00
__initialize_personality();
Statically linked executables should honor AT_SECURE. Bug: http://b/19647373 Change-Id: I10e7682d9cec26a523f1a3597ca5326c3ca42ebe
2015-06-09 03:04:00 +02:00
}
libc: fix executable destruction support. This change allows an executable to call its destructor functions (declared with __attribute__((destructor))) to be properly called when it normally exits. Note that this is different from calling the destructors of a shared library when it is unloaded with dlclose() or through program exit, which are already supported. Bug: 3106500 Change-Id: I1412ef5407f13b613fc6cb6103e0a691dbee4b1a
2010-10-21 04:16:50 +02:00
/* This function will be called during normal program termination
* to run the destructors that are listed in the .fini_array section
* of the executable, if any.
*
* 'fini_array' points to a list of function addresses. The first
* entry in the list has value -1, the last one has value 0.
*/
Don't corrupt the thread list if the main thread exits. ...and don't pass a non-heap pointer to free(3), either. This patch replaces the "node** prev" with the clearer "node* prev" style and fixes the null pointer dereference in the old code. That's not sufficient to fix the reporter's bug, though. The pthread_internal_t* for the main thread isn't heap-allocated --- __libc_init_tls causes a pointer to a statically-allocated pthread_internal_t to be added to the thread list. Bug: http://code.google.com/p/android/issues/detail?id=37410 Change-Id: I112b7f22782fc789d58f9c783f7b323bda8fb8b7
2012-11-02 00:33:29 +01:00
void __libc_fini(void* array) {
Turn on -Wold-style-cast and fix the errors. A couple of dodgy cases where we cast away const, but otherwise pretty boring. Change-Id: Ibc39ebd525377792b5911464be842121c20f03b9
2015-01-22 01:19:07 +01:00
typedef void (*Dtor)();
Dtor* fini_array = reinterpret_cast<Dtor*>(array);
const Dtor minus1 = reinterpret_cast<Dtor>(static_cast<uintptr_t>(-1));
Don't corrupt the thread list if the main thread exits. ...and don't pass a non-heap pointer to free(3), either. This patch replaces the "node** prev" with the clearer "node* prev" style and fixes the null pointer dereference in the old code. That's not sufficient to fix the reporter's bug, though. The pthread_internal_t* for the main thread isn't heap-allocated --- __libc_init_tls causes a pointer to a statically-allocated pthread_internal_t to be added to the thread list. Bug: http://code.google.com/p/android/issues/detail?id=37410 Change-Id: I112b7f22782fc789d58f9c783f7b323bda8fb8b7
2012-11-02 00:33:29 +01:00
Turn on -Wold-style-cast and fix the errors. A couple of dodgy cases where we cast away const, but otherwise pretty boring. Change-Id: Ibc39ebd525377792b5911464be842121c20f03b9
2015-01-22 01:19:07 +01:00
// Sanity check - first entry must be -1.
Modernize codebase by replacing NULL with nullptr Fixes -Wzero-as-null-pointer-constant warning. Test: m Bug: 68236239 Change-Id: I5b4123bc6709641315120a191e36cc57541349b2
2018-08-03 02:31:13 +02:00
if (array == nullptr || fini_array[0] != minus1) {
Don't corrupt the thread list if the main thread exits. ...and don't pass a non-heap pointer to free(3), either. This patch replaces the "node** prev" with the clearer "node* prev" style and fixes the null pointer dereference in the old code. That's not sufficient to fix the reporter's bug, though. The pthread_internal_t* for the main thread isn't heap-allocated --- __libc_init_tls causes a pointer to a statically-allocated pthread_internal_t to be added to the thread list. Bug: http://code.google.com/p/android/issues/detail?id=37410 Change-Id: I112b7f22782fc789d58f9c783f7b323bda8fb8b7
2012-11-02 00:33:29 +01:00
return;
}
Turn on -Wold-style-cast and fix the errors. A couple of dodgy cases where we cast away const, but otherwise pretty boring. Change-Id: Ibc39ebd525377792b5911464be842121c20f03b9
2015-01-22 01:19:07 +01:00
// Skip over it.
Don't corrupt the thread list if the main thread exits. ...and don't pass a non-heap pointer to free(3), either. This patch replaces the "node** prev" with the clearer "node* prev" style and fixes the null pointer dereference in the old code. That's not sufficient to fix the reporter's bug, though. The pthread_internal_t* for the main thread isn't heap-allocated --- __libc_init_tls causes a pointer to a statically-allocated pthread_internal_t to be added to the thread list. Bug: http://code.google.com/p/android/issues/detail?id=37410 Change-Id: I112b7f22782fc789d58f9c783f7b323bda8fb8b7
2012-11-02 00:33:29 +01:00
fini_array += 1;
Turn on -Wold-style-cast and fix the errors. A couple of dodgy cases where we cast away const, but otherwise pretty boring. Change-Id: Ibc39ebd525377792b5911464be842121c20f03b9
2015-01-22 01:19:07 +01:00
// Count the number of destructors.
Don't corrupt the thread list if the main thread exits. ...and don't pass a non-heap pointer to free(3), either. This patch replaces the "node** prev" with the clearer "node* prev" style and fixes the null pointer dereference in the old code. That's not sufficient to fix the reporter's bug, though. The pthread_internal_t* for the main thread isn't heap-allocated --- __libc_init_tls causes a pointer to a statically-allocated pthread_internal_t to be added to the thread list. Bug: http://code.google.com/p/android/issues/detail?id=37410 Change-Id: I112b7f22782fc789d58f9c783f7b323bda8fb8b7
2012-11-02 00:33:29 +01:00
int count = 0;
Modernize codebase by replacing NULL with nullptr Fixes -Wzero-as-null-pointer-constant warning. Test: m Bug: 68236239 Change-Id: I5b4123bc6709641315120a191e36cc57541349b2
2018-08-03 02:31:13 +02:00
while (fini_array[count] != nullptr) {
Don't corrupt the thread list if the main thread exits. ...and don't pass a non-heap pointer to free(3), either. This patch replaces the "node** prev" with the clearer "node* prev" style and fixes the null pointer dereference in the old code. That's not sufficient to fix the reporter's bug, though. The pthread_internal_t* for the main thread isn't heap-allocated --- __libc_init_tls causes a pointer to a statically-allocated pthread_internal_t to be added to the thread list. Bug: http://code.google.com/p/android/issues/detail?id=37410 Change-Id: I112b7f22782fc789d58f9c783f7b323bda8fb8b7
2012-11-02 00:33:29 +01:00
++count;
}
Turn on -Wold-style-cast and fix the errors. A couple of dodgy cases where we cast away const, but otherwise pretty boring. Change-Id: Ibc39ebd525377792b5911464be842121c20f03b9
2015-01-22 01:19:07 +01:00
// Now call each destructor in reverse order.
Don't corrupt the thread list if the main thread exits. ...and don't pass a non-heap pointer to free(3), either. This patch replaces the "node** prev" with the clearer "node* prev" style and fixes the null pointer dereference in the old code. That's not sufficient to fix the reporter's bug, though. The pthread_internal_t* for the main thread isn't heap-allocated --- __libc_init_tls causes a pointer to a statically-allocated pthread_internal_t to be added to the thread list. Bug: http://code.google.com/p/android/issues/detail?id=37410 Change-Id: I112b7f22782fc789d58f9c783f7b323bda8fb8b7
2012-11-02 00:33:29 +01:00
while (count > 0) {
Turn on -Wold-style-cast and fix the errors. A couple of dodgy cases where we cast away const, but otherwise pretty boring. Change-Id: Ibc39ebd525377792b5911464be842121c20f03b9
2015-01-22 01:19:07 +01:00
Dtor dtor = fini_array[--count];
Don't corrupt the thread list if the main thread exits. ...and don't pass a non-heap pointer to free(3), either. This patch replaces the "node** prev" with the clearer "node* prev" style and fixes the null pointer dereference in the old code. That's not sufficient to fix the reporter's bug, though. The pthread_internal_t* for the main thread isn't heap-allocated --- __libc_init_tls causes a pointer to a statically-allocated pthread_internal_t to be added to the thread list. Bug: http://code.google.com/p/android/issues/detail?id=37410 Change-Id: I112b7f22782fc789d58f9c783f7b323bda8fb8b7
2012-11-02 00:33:29 +01:00
Turn on -Wold-style-cast and fix the errors. A couple of dodgy cases where we cast away const, but otherwise pretty boring. Change-Id: Ibc39ebd525377792b5911464be842121c20f03b9
2015-01-22 01:19:07 +01:00
// Sanity check, any -1 in the list is ignored.
if (dtor == minus1) {
Don't corrupt the thread list if the main thread exits. ...and don't pass a non-heap pointer to free(3), either. This patch replaces the "node** prev" with the clearer "node* prev" style and fixes the null pointer dereference in the old code. That's not sufficient to fix the reporter's bug, though. The pthread_internal_t* for the main thread isn't heap-allocated --- __libc_init_tls causes a pointer to a statically-allocated pthread_internal_t to be added to the thread list. Bug: http://code.google.com/p/android/issues/detail?id=37410 Change-Id: I112b7f22782fc789d58f9c783f7b323bda8fb8b7
2012-11-02 00:33:29 +01:00
continue;
libc: fix executable destruction support. This change allows an executable to call its destructor functions (declared with __attribute__((destructor))) to be properly called when it normally exits. Note that this is different from calling the destructors of a shared library when it is unloaded with dlclose() or through program exit, which are already supported. Bug: 3106500 Change-Id: I1412ef5407f13b613fc6cb6103e0a691dbee4b1a
2010-10-21 04:16:50 +02:00
}
Turn on -Wold-style-cast and fix the errors. A couple of dodgy cases where we cast away const, but otherwise pretty boring. Change-Id: Ibc39ebd525377792b5911464be842121c20f03b9
2015-01-22 01:19:07 +01:00
dtor();
Don't corrupt the thread list if the main thread exits. ...and don't pass a non-heap pointer to free(3), either. This patch replaces the "node** prev" with the clearer "node* prev" style and fixes the null pointer dereference in the old code. That's not sufficient to fix the reporter's bug, though. The pthread_internal_t* for the main thread isn't heap-allocated --- __libc_init_tls causes a pointer to a statically-allocated pthread_internal_t to be added to the thread list. Bug: http://code.google.com/p/android/issues/detail?id=37410 Change-Id: I112b7f22782fc789d58f9c783f7b323bda8fb8b7
2012-11-02 00:33:29 +01:00
}
libc: fix executable destruction support. This change allows an executable to call its destructor functions (declared with __attribute__((destructor))) to be properly called when it normally exits. Note that this is different from calling the destructors of a shared library when it is unloaded with dlclose() or through program exit, which are already supported. Bug: 3106500 Change-Id: I1412ef5407f13b613fc6cb6103e0a691dbee4b1a
2010-10-21 04:16:50 +02:00
}
Reference in a new issue Copy permalink