From f359548bf1cf41e1f5390276e84e259cbbf30667 Mon Sep 17 00:00:00 2001 From: George Burgess IV Date: Thu, 7 Nov 2019 07:07:38 +0000 Subject: [PATCH] Revert "fortify: allow diagnostics without run-time checks" This reverts commit d7e11b88531665de59de466bbc9ee6c480b00a4f. Reason for revert: Breaks aosp_x86_64-eng. Will look into it and unbreak when it's not almost midnight. :) Change-Id: I21f76efe4d19c70d0b14630e441376d359a45b49 --- libc/include/bits/fortify/fcntl.h | 16 ++++---- libc/include/bits/fortify/poll.h | 10 ++--- libc/include/bits/fortify/socket.h | 8 ++-- libc/include/bits/fortify/stat.h | 4 +- libc/include/bits/fortify/stdio.h | 20 +++++----- libc/include/bits/fortify/string.h | 62 ++++++++++++++--------------- libc/include/bits/fortify/strings.h | 8 ++-- libc/include/bits/fortify/unistd.h | 36 ++++++++--------- libc/include/sys/cdefs.h | 15 ++++--- tests/Android.bp | 20 ++++++---- tests/clang_fortify_asan.cpp | 46 --------------------- 11 files changed, 100 insertions(+), 145 deletions(-) delete mode 100644 tests/clang_fortify_asan.cpp diff --git a/libc/include/bits/fortify/fcntl.h b/libc/include/bits/fortify/fcntl.h index 3c5a0379f..ded62ee85 100644 --- a/libc/include/bits/fortify/fcntl.h +++ b/libc/include/bits/fortify/fcntl.h @@ -59,11 +59,11 @@ __BIONIC_FORTIFY_INLINE int open(const char* const __pass_object_size pathname, int flags) __overloadable __clang_error_if(__open_modes_useful(flags), "'open' " __open_too_few_args_error) { -#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ return __open_2(pathname, flags); #else return __open_real(pathname, flags); -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */ } __BIONIC_FORTIFY_INLINE @@ -83,11 +83,11 @@ __BIONIC_FORTIFY_INLINE int openat(int dirfd, const char* const __pass_object_size pathname, int flags) __overloadable __clang_error_if(__open_modes_useful(flags), "'openat' " __open_too_few_args_error) { -#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ return __openat_2(dirfd, pathname, flags); #else return __openat_real(dirfd, pathname, flags); -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */ } __BIONIC_FORTIFY_INLINE @@ -109,7 +109,7 @@ __BIONIC_FORTIFY_INLINE int open64(const char* const __pass_object_size pathname, int flags) __overloadable __clang_error_if(__open_modes_useful(flags), "'open64' " __open_too_few_args_error) { - return open(pathname, flags); + return __open_2(pathname, flags); } __BIONIC_FORTIFY_INLINE @@ -117,7 +117,7 @@ int open64(const char* const __pass_object_size pathname, int flags, mode_t mode __overloadable __clang_warning_if(!__open_modes_useful(flags) && modes, "'open64' " __open_useless_modes_warning) { - return open(pathname, flags, modes); + return __open_real(pathname, flags, modes); } __BIONIC_ERROR_FUNCTION_VISIBILITY @@ -129,7 +129,7 @@ __BIONIC_FORTIFY_INLINE int openat64(int dirfd, const char* const __pass_object_size pathname, int flags) __overloadable __clang_error_if(__open_modes_useful(flags), "'openat64' " __open_too_few_args_error) { - return openat(dirfd, pathname, flags); + return __openat_2(dirfd, pathname, flags); } __BIONIC_FORTIFY_INLINE @@ -137,7 +137,7 @@ int openat64(int dirfd, const char* const __pass_object_size pathname, int flags __overloadable __clang_warning_if(!__open_modes_useful(flags) && modes, "'openat64' " __open_useless_modes_warning) { - return openat(dirfd, pathname, flags, modes); + return __openat_real(dirfd, pathname, flags, modes); } #endif /* __ANDROID_API__ >= __ANDROID_API_L__ */ diff --git a/libc/include/bits/fortify/poll.h b/libc/include/bits/fortify/poll.h index 30fdce409..7a727a45b 100644 --- a/libc/include/bits/fortify/poll.h +++ b/libc/include/bits/fortify/poll.h @@ -44,13 +44,13 @@ int poll(struct pollfd* const fds __pass_object_size, nfds_t fd_count, int timeo __overloadable __clang_error_if(__bos_unevaluated_lt(__bos(fds), sizeof(*fds) * fd_count), "in call to 'poll', fd_count is larger than the given buffer") { -#if __ANDROID_API__ >= __ANDROID_API_M__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_M__ size_t bos_fds = __bos(fds); if (!__bos_fd_count_trivially_safe(bos_fds, fds, fd_count)) { return __poll_chk(fds, fd_count, timeout, bos_fds); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_M__ */ return __call_bypassing_fortify(poll)(fds, fd_count, timeout); } @@ -60,13 +60,13 @@ int ppoll(struct pollfd* const fds __pass_object_size, nfds_t fd_count, const st __overloadable __clang_error_if(__bos_unevaluated_lt(__bos(fds), sizeof(*fds) * fd_count), "in call to 'ppoll', fd_count is larger than the given buffer") { -#if __ANDROID_API__ >= __ANDROID_API_M__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_M__ size_t bos_fds = __bos(fds); if (!__bos_fd_count_trivially_safe(bos_fds, fds, fd_count)) { return __ppoll_chk(fds, fd_count, timeout, mask, bos_fds); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_M__ */ return __call_bypassing_fortify(ppoll)(fds, fd_count, timeout, mask); } #endif /* __ANDROID_API__ >= __ANDROID_API_L__ */ @@ -77,13 +77,11 @@ int ppoll64(struct pollfd* const fds __pass_object_size, nfds_t fd_count, const __overloadable __clang_error_if(__bos_unevaluated_lt(__bos(fds), sizeof(*fds) * fd_count), "in call to 'ppoll64', fd_count is larger than the given buffer") { -#if __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED size_t bos_fds = __bos(fds); if (!__bos_fd_count_trivially_safe(bos_fds, fds, fd_count)) { return __ppoll64_chk(fds, fd_count, timeout, mask, bos_fds); } -#endif return __call_bypassing_fortify(ppoll64)(fds, fd_count, timeout, mask); } #endif /* __ANDROID_API__ >= __ANDROID_API_P__ */ diff --git a/libc/include/bits/fortify/socket.h b/libc/include/bits/fortify/socket.h index 30fe0d79c..cf5f18973 100644 --- a/libc/include/bits/fortify/socket.h +++ b/libc/include/bits/fortify/socket.h @@ -42,13 +42,13 @@ ssize_t recvfrom(int fd, void* const buf __pass_object_size0, size_t len, int fl __overloadable __clang_error_if(__bos_unevaluated_lt(__bos0(buf), len), "'recvfrom' called with size bigger than buffer") { -#if __ANDROID_API__ >= __ANDROID_API_N__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_N__ size_t bos = __bos0(buf); if (!__bos_trivially_ge(bos, len)) { return __recvfrom_chk(fd, buf, len, bos, flags, src_addr, addr_len); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_N__ */ return __call_bypassing_fortify(recvfrom)(fd, buf, len, flags, src_addr, addr_len); } @@ -57,13 +57,13 @@ ssize_t sendto(int fd, const void* const buf __pass_object_size0, size_t len, in __overloadable __clang_error_if(__bos_unevaluated_lt(__bos0(buf), len), "'sendto' called with size bigger than buffer") { -#if __ANDROID_API__ >= __ANDROID_API_N_MR1__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_N_MR1__ size_t bos = __bos0(buf); if (!__bos_trivially_ge(bos, len)) { return __sendto_chk(fd, buf, len, bos, flags, dest_addr, addr_len); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_N_MR1__ */ return __call_bypassing_fortify(sendto)(fd, buf, len, flags, dest_addr, addr_len); } diff --git a/libc/include/bits/fortify/stat.h b/libc/include/bits/fortify/stat.h index 43fc69c9a..6a2e822cf 100644 --- a/libc/include/bits/fortify/stat.h +++ b/libc/include/bits/fortify/stat.h @@ -41,11 +41,11 @@ mode_t umask(mode_t mode) __overloadable __enable_if(1, "") __clang_error_if(mode & ~0777, "'umask' called with invalid mode") { -#if __ANDROID_API__ >= __ANDROID_API_J_MR2__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_J_MR2__ return __umask_chk(mode); #else return __umask_real(mode); -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR2__ */ } #endif /* defined(__BIONIC_FORTIFY) */ diff --git a/libc/include/bits/fortify/stdio.h b/libc/include/bits/fortify/stdio.h index fb503c333..528d5fb06 100644 --- a/libc/include/bits/fortify/stdio.h +++ b/libc/include/bits/fortify/stdio.h @@ -36,7 +36,7 @@ size_t __fwrite_chk(const void*, size_t, size_t, FILE*, size_t) __INTRODUCED_IN( #if defined(__BIONIC_FORTIFY) && !defined(__BIONIC_NO_STDIO_FORTIFY) -#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ /* No diag -- clang diagnoses misuses of this on its own. */ __BIONIC_FORTIFY_INLINE __printflike(3, 0) int vsnprintf(char* const __pass_object_size dest, size_t size, const char* format, va_list ap) @@ -48,7 +48,7 @@ __BIONIC_FORTIFY_INLINE __printflike(2, 0) int vsprintf(char* const __pass_object_size dest, const char* format, va_list ap) __overloadable { return __builtin___vsprintf_chk(dest, 0, __bos(dest), format, ap); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */ __BIONIC_ERROR_FUNCTION_VISIBILITY int sprintf(char* dest, const char* format) @@ -57,7 +57,7 @@ int sprintf(char* dest, const char* format) "format string will always overflow destination buffer") __errorattr("format string will always overflow destination buffer"); -#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ __BIONIC_FORTIFY_VARIADIC __printflike(2, 3) int sprintf(char* const __pass_object_size dest, const char* format, ...) __overloadable { va_list va; @@ -77,7 +77,7 @@ int snprintf(char* const __pass_object_size dest, size_t size, const char* forma va_end(va); return result; } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */ #define __bos_trivially_ge_mul(bos_val, size, count) \ __bos_dynamic_check_impl_and(bos_val, >=, (size) * (count), \ @@ -90,13 +90,13 @@ size_t fread(void* const __pass_object_size0 buf, size_t size, size_t count, FIL "in call to 'fread', size * count overflows") __clang_error_if(__bos_unevaluated_lt(__bos0(buf), size * count), "in call to 'fread', size * count is too large for the given buffer") { -#if __ANDROID_API__ >= __ANDROID_API_N__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_N__ size_t bos = __bos0(buf); if (!__bos_trivially_ge_mul(bos, size, count)) { return __fread_chk(buf, size, count, stream, bos); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_N__ */ return __call_bypassing_fortify(fread)(buf, size, count, stream); } @@ -107,13 +107,13 @@ size_t fwrite(const void* const __pass_object_size0 buf, size_t size, size_t cou "in call to 'fwrite', size * count overflows") __clang_error_if(__bos_unevaluated_lt(__bos0(buf), size * count), "in call to 'fwrite', size * count is too large for the given buffer") { -#if __ANDROID_API__ >= __ANDROID_API_N__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_N__ size_t bos = __bos0(buf); if (!__bos_trivially_ge_mul(bos, size, count)) { return __fwrite_chk(buf, size, count, stream, bos); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_N__ */ return __call_bypassing_fortify(fwrite)(buf, size, count, stream); } #undef __bos_trivially_ge_mul @@ -124,13 +124,13 @@ char* fgets(char* const __pass_object_size dest, int size, FILE* stream) __clang_error_if(size < 0, "in call to 'fgets', size should not be negative") __clang_error_if(__bos_unevaluated_lt(__bos(dest), size), "in call to 'fgets', size is larger than the destination buffer") { -#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ size_t bos = __bos(dest); if (!__bos_dynamic_check_impl_and(bos, >=, (size_t)size, size >= 0)) { return __fgets_chk(dest, size, stream, bos); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */ return __call_bypassing_fortify(fgets)(dest, size, stream); } diff --git a/libc/include/bits/fortify/string.h b/libc/include/bits/fortify/string.h index 3bfbfe9c4..bd36483aa 100644 --- a/libc/include/bits/fortify/string.h +++ b/libc/include/bits/fortify/string.h @@ -40,7 +40,7 @@ size_t __strlcat_chk(char*, const char*, size_t, size_t) __INTRODUCED_IN(17); #if defined(__BIONIC_FORTIFY) extern void* __memrchr_real(const void*, int, size_t) __RENAME(memrchr); -#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ /* No diag -- clang diagnoses misuses of this on its own. */ __BIONIC_FORTIFY_INLINE void* memcpy(void* const dst __pass_object_size0, const void* src, size_t copy_amount) @@ -61,7 +61,7 @@ void* memmove(void* const dst __pass_object_size0, const void* src, size_t len) } return __builtin___memmove_chk(dst, src, len, bos_dst); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */ #if defined(__USE_GNU) #if __ANDROID_API__ >= __ANDROID_API_R__ @@ -70,13 +70,11 @@ void* mempcpy(void* const dst __pass_object_size0, const void* src, size_t copy_ __overloadable __clang_error_if(__bos_unevaluated_lt(__bos0(dst), copy_amount), "'mempcpy' called with size bigger than buffer") { -#if __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED size_t bos_dst = __bos0(dst); - if (!__bos_trivially_ge(bos_dst, copy_amount)) { - return __builtin___mempcpy_chk(dst, src, copy_amount, bos_dst); + if (__bos_trivially_ge(bos_dst, copy_amount)) { + return __builtin_mempcpy(dst, src, copy_amount); } -#endif - return __builtin_mempcpy(dst, src, copy_amount); + return __builtin___mempcpy_chk(dst, src, copy_amount, bos_dst); } #endif /* __ANDROID_API__ >= __ANDROID_API_R__ */ #endif /* __USE_GNU */ @@ -86,12 +84,12 @@ char* stpcpy(char* const dst __pass_object_size, const char* src) __overloadable __clang_error_if(__bos_unevaluated_le(__bos(dst), __builtin_strlen(src)), "'stpcpy' called with string bigger than buffer") { -#if __ANDROID_API__ >= __ANDROID_API_L__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_L__ size_t bos_dst = __bos(dst); if (!__bos_trivially_gt(bos_dst, __builtin_strlen(src))) { return __builtin___stpcpy_chk(dst, src, bos_dst); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_L__ */ return __builtin_stpcpy(dst, src); } @@ -100,12 +98,12 @@ char* strcpy(char* const dst __pass_object_size, const char* src) __overloadable __clang_error_if(__bos_unevaluated_le(__bos(dst), __builtin_strlen(src)), "'strcpy' called with string bigger than buffer") { -#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ size_t bos_dst = __bos(dst); if (!__bos_trivially_gt(bos_dst, __builtin_strlen(src))) { return __builtin___strcpy_chk(dst, src, bos_dst); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */ return __builtin_strcpy(dst, src); } @@ -114,36 +112,36 @@ char* strcat(char* const dst __pass_object_size, const char* src) __overloadable __clang_error_if(__bos_unevaluated_le(__bos(dst), __builtin_strlen(src)), "'strcat' called with string bigger than buffer") { -#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ return __builtin___strcat_chk(dst, src, __bos(dst)); #else return __builtin_strcat(dst, src); -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */ } -#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ /* No diag -- clang diagnoses misuses of this on its own. */ __BIONIC_FORTIFY_INLINE char* strncat(char* const dst __pass_object_size, const char* src, size_t n) __overloadable { return __builtin___strncat_chk(dst, src, n, __bos(dst)); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */ /* No diag -- clang diagnoses misuses of this on its own. */ __BIONIC_FORTIFY_INLINE void* memset(void* const s __pass_object_size0, int c, size_t n) __overloadable /* If you're a user who wants this warning to go away: use `(&memset)(foo, bar, baz)`. */ __clang_warning_if(c && !n, "'memset' will set 0 bytes; maybe the arguments got flipped?") { -#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ size_t bos = __bos0(s); if (!__bos_trivially_ge(bos, n)) { return __builtin___memset_chk(s, c, n, bos); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */ return __builtin_memset(s, c, n); } -#if __ANDROID_API__ >= __ANDROID_API_M__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_M__ __BIONIC_FORTIFY_INLINE void* memchr(const void* const s __pass_object_size, int c, size_t n) __overloadable { size_t bos = __bos(s); @@ -165,9 +163,9 @@ void* __memrchr_fortify(const void* const __pass_object_size s, int c, size_t n) return __memrchr_chk(s, c, n, bos); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_M__ */ -#if __ANDROID_API__ >= __ANDROID_API_L__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_L__ /* No diag -- clang diagnoses misuses of this on its own. */ __BIONIC_FORTIFY_INLINE char* stpncpy(char* const dst __pass_object_size, const char* const src __pass_object_size, size_t n) @@ -197,20 +195,20 @@ char* strncpy(char* const dst __pass_object_size, const char* const src __pass_o return __strncpy_chk2(dst, src, n, bos_dst, bos_src); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_L__ */ __BIONIC_FORTIFY_INLINE size_t strlcpy(char* const dst __pass_object_size, const char* src, size_t size) __overloadable __clang_error_if(__bos_unevaluated_lt(__bos(dst), size), "'strlcpy' called with size bigger than buffer") { -#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ size_t bos = __bos(dst); if (bos != __BIONIC_FORTIFY_UNKNOWN_SIZE) { return __strlcpy_chk(dst, src, size, bos); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */ return __call_bypassing_fortify(strlcpy)(dst, src, size); } @@ -219,13 +217,13 @@ size_t strlcat(char* const dst __pass_object_size, const char* src, size_t size) __overloadable __clang_error_if(__bos_unevaluated_lt(__bos(dst), size), "'strlcat' called with size bigger than buffer") { -#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ size_t bos = __bos(dst); if (bos != __BIONIC_FORTIFY_UNKNOWN_SIZE) { return __strlcat_chk(dst, src, size, bos); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */ return __call_bypassing_fortify(strlcat)(dst, src, size); } @@ -233,39 +231,39 @@ __BIONIC_FORTIFY_INLINE size_t strlen(const char* const s __pass_object_size0) __overloadable { size_t bos = __bos0(s); -#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ if (!__bos_trivially_gt(bos, __builtin_strlen(s))) { return __strlen_chk(s, bos); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */ return __builtin_strlen(s); } __BIONIC_FORTIFY_INLINE char* strchr(const char* const s __pass_object_size, int c) __overloadable { -#if __ANDROID_API__ >= __ANDROID_API_J_MR2__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_J_MR2__ size_t bos = __bos(s); if (bos != __BIONIC_FORTIFY_UNKNOWN_SIZE) { return __strchr_chk(s, c, bos); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR2__ */ return __builtin_strchr(s, c); } __BIONIC_FORTIFY_INLINE char* strrchr(const char* const s __pass_object_size, int c) __overloadable { -#if __ANDROID_API__ >= __ANDROID_API_J_MR2__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_J_MR2__ size_t bos = __bos(s); if (bos != __BIONIC_FORTIFY_UNKNOWN_SIZE) { return __strrchr_chk(s, c, bos); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR2__ */ return __builtin_strrchr(s, c); } -#if __ANDROID_API__ >= __ANDROID_API_M__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_M__ #if defined(__cplusplus) extern "C++" { __BIONIC_FORTIFY_INLINE diff --git a/libc/include/bits/fortify/strings.h b/libc/include/bits/fortify/strings.h index 1ebaf39e4..cc268dbcf 100644 --- a/libc/include/bits/fortify/strings.h +++ b/libc/include/bits/fortify/strings.h @@ -33,13 +33,13 @@ void __bionic_bcopy(const void *src, void* const dst __pass_object_size0, size_t __overloadable __clang_error_if(__bos_unevaluated_lt(__bos0(dst), len), "'bcopy' called with size bigger than buffer") { -#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ size_t bos = __bos0(dst); if (!__bos_trivially_ge(bos, len)) { __builtin___memmove_chk(dst, src, len, bos); return; } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */ __builtin_memmove(dst, src, len); } @@ -48,13 +48,13 @@ void __bionic_bzero(void* const b __pass_object_size0, size_t len) __overloadable __clang_error_if(__bos_unevaluated_lt(__bos0(b), len), "'bzero' called with size bigger than buffer") { -#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_J_MR1__ size_t bos = __bos0(b); if (!__bos_trivially_ge(bos, len)) { __builtin___memset_chk(b, 0, len, bos); return; } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */ __builtin_memset(b, 0, len); } diff --git a/libc/include/bits/fortify/unistd.h b/libc/include/bits/fortify/unistd.h index f1580ce3e..45ed2cfe4 100644 --- a/libc/include/bits/fortify/unistd.h +++ b/libc/include/bits/fortify/unistd.h @@ -73,13 +73,13 @@ __BIONIC_FORTIFY_INLINE char* getcwd(char* const __pass_object_size buf, size_t size) __overloadable __error_if_overflows_objectsize(size, __bos(buf), getcwd) { -#if __ANDROID_API__ >= __ANDROID_API_N__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_N__ size_t bos = __bos(buf); if (!__bos_trivially_ge(bos, size)) { return __getcwd_chk(buf, size, bos); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_N__ */ return __call_bypassing_fortify(getcwd)(buf, size); } @@ -89,13 +89,13 @@ ssize_t pread(int fd, void* const __pass_object_size0 buf, size_t count, off_t o __overloadable __error_if_overflows_ssizet(count, pread) __error_if_overflows_objectsize(count, __bos0(buf), pread) { -#if __ANDROID_API__ >= __ANDROID_API_M__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_M__ size_t bos = __bos0(buf); if (!__bos_trivially_ge_no_overflow(bos, count)) { return __PREAD_PREFIX(chk)(fd, buf, count, offset, bos); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_M__ */ return __PREAD_PREFIX(real)(fd, buf, count, offset); } #endif /* !defined(__USE_FILE_OFFSET64) */ @@ -105,13 +105,13 @@ ssize_t pread64(int fd, void* const __pass_object_size0 buf, size_t count, off64 __overloadable __error_if_overflows_ssizet(count, pread64) __error_if_overflows_objectsize(count, __bos0(buf), pread64) { -#if __ANDROID_API__ >= __ANDROID_API_M__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_M__ size_t bos = __bos0(buf); if (!__bos_trivially_ge_no_overflow(bos, count)) { return __pread64_chk(fd, buf, count, offset, bos); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_M__ */ return __pread64_real(fd, buf, count, offset); } @@ -121,13 +121,13 @@ ssize_t pwrite(int fd, const void* const __pass_object_size0 buf, size_t count, __overloadable __error_if_overflows_ssizet(count, pwrite) __error_if_overflows_objectsize(count, __bos0(buf), pwrite) { -#if __ANDROID_API__ >= __ANDROID_API_N__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_N__ size_t bos = __bos0(buf); if (!__bos_trivially_ge_no_overflow(bos, count)) { return __PWRITE_PREFIX(chk)(fd, buf, count, offset, bos); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_N__ */ return __PWRITE_PREFIX(real)(fd, buf, count, offset); } #endif /* !defined(__USE_FILE_OFFSET64) */ @@ -137,13 +137,13 @@ ssize_t pwrite64(int fd, const void* const __pass_object_size0 buf, size_t count __overloadable __error_if_overflows_ssizet(count, pwrite64) __error_if_overflows_objectsize(count, __bos0(buf), pwrite64) { -#if __ANDROID_API__ >= __ANDROID_API_N__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_N__ size_t bos = __bos0(buf); if (!__bos_trivially_ge_no_overflow(bos, count)) { return __pwrite64_chk(fd, buf, count, offset, bos); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_N__ */ return __pwrite64_real(fd, buf, count, offset); } @@ -152,13 +152,13 @@ ssize_t read(int fd, void* const __pass_object_size0 buf, size_t count) __overloadable __error_if_overflows_ssizet(count, read) __error_if_overflows_objectsize(count, __bos0(buf), read) { -#if __ANDROID_API__ >= __ANDROID_API_L__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_L__ size_t bos = __bos0(buf); if (!__bos_trivially_ge_no_overflow(bos, count)) { return __read_chk(fd, buf, count, bos); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_L__ */ return __call_bypassing_fortify(read)(fd, buf, count); } @@ -167,13 +167,13 @@ ssize_t write(int fd, const void* const __pass_object_size0 buf, size_t count) __overloadable __error_if_overflows_ssizet(count, write) __error_if_overflows_objectsize(count, __bos0(buf), write) { -#if __ANDROID_API__ >= __ANDROID_API_N__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_N__ size_t bos = __bos0(buf); if (!__bos_trivially_ge_no_overflow(bos, count)) { return __write_chk(fd, buf, count, bos); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_N__ */ return __call_bypassing_fortify(write)(fd, buf, count); } @@ -182,13 +182,13 @@ ssize_t readlink(const char* path, char* const __pass_object_size buf, size_t si __overloadable __error_if_overflows_ssizet(size, readlink) __error_if_overflows_objectsize(size, __bos(buf), readlink) { -#if __ANDROID_API__ >= __ANDROID_API_M__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_M__ size_t bos = __bos(buf); if (!__bos_trivially_ge_no_overflow(bos, size)) { return __readlink_chk(path, buf, size, bos); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_M__ */ return __call_bypassing_fortify(readlink)(path, buf, size); } @@ -198,13 +198,13 @@ ssize_t readlinkat(int dirfd, const char* path, char* const __pass_object_size b __overloadable __error_if_overflows_ssizet(size, readlinkat) __error_if_overflows_objectsize(size, __bos(buf), readlinkat) { -#if __ANDROID_API__ >= __ANDROID_API_M__ && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED +#if __ANDROID_API__ >= __ANDROID_API_M__ size_t bos = __bos(buf); if (!__bos_trivially_ge_no_overflow(bos, size)) { return __readlinkat_chk(dirfd, path, buf, size, bos); } -#endif +#endif /* __ANDROID_API__ >= __ANDROID_API_M__ */ return __call_bypassing_fortify(readlinkat)(dirfd, path, buf, size); } #endif /* __ANDROID_API__ >= __ANDROID_API_L__ */ diff --git a/libc/include/sys/cdefs.h b/libc/include/sys/cdefs.h index eb3069003..8078bda9f 100644 --- a/libc/include/sys/cdefs.h +++ b/libc/include/sys/cdefs.h @@ -237,15 +237,14 @@ #define __BIONIC_FORTIFY_UNKNOWN_SIZE ((size_t) -1) #if defined(_FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0 -/* FORTIFY can interfere with pattern-matching of clang-tidy/the static analyzer. */ -# if !defined(__clang_analyzer__) +/* + * FORTIFY's _chk functions effectively disable ASAN's stdlib interceptors. + * Additionally, the static analyzer/clang-tidy try to pattern match some + * standard library functions, and FORTIFY sometimes interferes with this. So, + * we turn FORTIFY off in both cases. + */ +# if !__has_feature(address_sanitizer) && !defined(__clang_analyzer__) # define __BIONIC_FORTIFY 1 -/* ASAN has interceptors that FORTIFY's _chk functions can break. */ -# if __has_feature(address_sanitizer) -# define __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED 0 -# else -# define __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED 1 -# endif # endif #endif diff --git a/tests/Android.bp b/tests/Android.bp index ee4f02e27..175505376 100644 --- a/tests/Android.bp +++ b/tests/Android.bp @@ -312,20 +312,26 @@ cc_defaults { }, } -// Ensures that FORTIFY checks aren't run when ASAN is on. -cc_test { - name: "bionic-fortify-runtime-asan-test", +// If building this fails, then we have both FORTIFY and ASAN enabled, which +// isn't desirable. (Ideally, we'd emit FORTIFY diagnostics even with ASAN +// enabled, but that's not a reality today.) This is meant to be otherwise +// unused. +cc_test_library { + name: "fortify_disabled_for_asan", defaults: [ "bionic_clang_fortify_tests_w_flags", ], cflags: [ "-Werror", "-D_FORTIFY_SOURCE=2", + // "sanitize: address" doesn't work on platforms where libasan isn't + // enabled. Since the intent is just to build this, we can get away with + // passing this flag on its own. + "-fsanitize=address", ], - sanitize: { - address: true, - }, - srcs: ["clang_fortify_asan.cpp"], + // Ignore that we don't have ASAN symbols linked in. + allow_undefined_symbols: true, + srcs: ["clang_fortify_tests.cpp"], } // Ensure we don't use FORTIFY'ed functions with the static analyzer/clang-tidy: diff --git a/tests/clang_fortify_asan.cpp b/tests/clang_fortify_asan.cpp deleted file mode 100644 index 51656ebcf..000000000 --- a/tests/clang_fortify_asan.cpp +++ /dev/null @@ -1,46 +0,0 @@ -/* - * Copyright (C) 2019 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/* - * This test ensures that ensures that FORTIFY's run-time bits aren't enabled with ASAN on. Most - * ways of getting FORTIFY to break turn into UB unless you get creative. Rather than remaking the - * entire FORTIFY test-suite with this added constraint, we pick a function with well-defined - * behavior when a FORTIFY check would fail (umask), and hope that the success of that is indicative - * of the rest working. - */ - -#ifndef __clang__ -#error "Non-clang isn't supported" -#endif - -#ifndef _FORTIFY_SOURCE -#error "_FORTIFY_SOURCE must be defined" -#endif - -#include - -#if defined(__BIONIC__) && __has_feature(address_sanitizer) -#include -#include - -TEST(ClangFortifyASAN, NoRuntimeChecksAreEnabled) { - volatile mode_t unknown = 01000; - mode_t previous = umask(unknown); - - // Not necessary, but polite. - umask(previous); -} -#endif