Merge changes I33957ad4,I02f8f87d,Iba04e486

* changes:
  fortify: replace bzero/bcmp defines
  fortify: add __mempcpy_chk
  fortify: fix overflow checks in unistd

libc/bionic/fortify.cpp

@@ -500,3 +500,10 @@ extern "C" void* __memcpy_chk(void* dst, const void* src, size_t count, size_t d
   return memcpy(dst, src, count);
 }
 #endif // NO___MEMCPY_CHK
+
+// Runtime implementation of __mempcpy_chk (used directly by compiler, not in headers).
+extern "C" void* __mempcpy_chk(void* dst, const void* src, size_t count, size_t dst_len) {
+  __check_count("mempcpy", "count", count);
+  __check_buffer_access("mempcpy", "write into", count, dst_len);
+  return mempcpy(dst, src, count);
+}

libc/bionic/ndk_cruft.cpp

@@ -243,15 +243,23 @@ sighandler_t bsd_signal(int signum, sighandler_t handler) {
   return signal(signum, handler);
 }
 
+// bcopy/bzero were previously `#define`d, so we only have `static` wrappers in
+// Bionic headers. Since we have header definitions, we need some way to
+// overload these implementations; __never_call will ensure that any calls to
+// bcopy/bzero call the in-header implementation. Since the implementations
+// should end up functionally identical, it doesn't matter which we actually
+// call.
+#define __never_call __attribute__((enable_if(false, "never selected")))
+
 // This was removed from POSIX 2008.
-#undef bcopy
-void bcopy(const void* src, void* dst, size_t n) {
+void bcopy(const void* src, void* dst, size_t n) __never_call __RENAME(bcopy);
+void bcopy(const void* src, void* dst, size_t n) __never_call {
   memmove(dst, src, n);
 }
 
 // This was removed from POSIX 2008.
-#undef bzero
-void bzero(void* dst, size_t n) {
+void bzero(void* dst, size_t n) __never_call __RENAME(bzero);
+void bzero(void* dst, size_t n) __never_call {
   memset(dst, 0, n);
 }
 

libc/include/bits/fortify/string.h

@@ -66,6 +66,22 @@ void* memmove(void* const dst __pass_object_size0, const void* src, size_t len)
 }
 #endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */
 
+#if defined(__USE_GNU)
+#if __ANDROID_API__ >= __ANDROID_API_R__
+__BIONIC_FORTIFY_INLINE
+void* mempcpy(void* const dst __pass_object_size0, const void* src, size_t copy_amount)
+        __overloadable
+        __clang_error_if(__bos_unevaluated_lt(__bos0(dst), copy_amount),
+                         "'mempcpy' called with size bigger than buffer") {
+    size_t bos_dst = __bos0(dst);
+    if (__bos_trivially_not_lt(bos_dst, copy_amount)) {
+        return __builtin_mempcpy(dst, src, copy_amount);
+    }
+    return __builtin___mempcpy_chk(dst, src, copy_amount, bos_dst);
+}
+#endif /* __ANDROID_API__ >= __ANDROID_API_R__ */
+#endif
+
 #if __ANDROID_API__ >= __ANDROID_API_L__
 __BIONIC_FORTIFY_INLINE
 char* stpcpy(char* const dst __pass_object_size, const char* src)

libc/include/bits/fortify/strings.h

@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *  * Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *  * Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if defined(__BIONIC_FORTIFY)
+
+#if __ANDROID_API__ >= __ANDROID_API_J_MR1__
+__BIONIC_FORTIFY_INLINE
+void bcopy(const void *src, void* const dst __pass_object_size0, size_t len)
+        __overloadable
+        __clang_error_if(__bos_unevaluated_lt(__bos0(dst), len),
+                         "'bcopy' called with size bigger than buffer") {
+    size_t bos = __bos0(dst);
+    if (__bos_trivially_not_lt(bos, len)) {
+        __builtin_memmove(dst, src, len);
+    } else {
+        __builtin___memmove_chk(dst, src, len, bos);
+    }
+}
+
+__BIONIC_FORTIFY_INLINE
+void bzero(void* const b __pass_object_size0, size_t len)
+        __overloadable
+        __clang_error_if(__bos_unevaluated_lt(__bos0(b), len),
+                         "'bzero' called with size bigger than buffer") {
+    size_t bos = __bos0(b);
+    if (__bos_trivially_not_lt(bos, len)) {
+        __builtin_memset(b, 0, len);
+    } else {
+        __builtin___memset_chk(b, 0, len, bos);
+    }
+}
+#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */
+
+#endif /* defined(__BIONIC_FORTIFY) */

libc/include/bits/fortify/unistd.h

@@ -67,7 +67,8 @@ ssize_t __readlinkat_chk(int dirfd, const char*, char*, size_t, size_t) __INTROD
                      "in call to '" #fn "', '" #what "' bytes overflows the given object")
 
 #define __bos_trivially_not_lt_no_overflow(bos_val, index)  \
-      __bos_dynamic_check_impl_and((bos_val), >=, (index), (bos_val) <= SSIZE_MAX)
+      ((__bos_dynamic_check_impl_and((bos_val), >=, (index), (bos_val) <= SSIZE_MAX) && \
+        __builtin_constant_p(index) && (index) <= SSIZE_MAX))
 
 #if __ANDROID_API__ >= __ANDROID_API_N__
 __BIONIC_FORTIFY_INLINE

libc/include/strings.h

@@ -51,17 +51,15 @@
 
 __BEGIN_DECLS
 
-#if defined(__BIONIC_FORTIFY)
 /** Deprecated. Use memmove() instead. */
-#define bcopy(b1, b2, len) (void)(__builtin___memmove_chk((b2), (b1), (len), __bos0(b2)))
+static __inline__ __always_inline void bcopy(const void* b1, void* b2, size_t len) {
+  __builtin_memmove(b2, b1, len);
+}
+
 /** Deprecated. Use memset() instead. */
-#define bzero(b, len) (void)(__builtin___memset_chk((b), '\0', (len), __bos0(b)))
-#else
-/** Deprecated. Use memmove() instead. */
-#define bcopy(b1, b2, len) (void)(__builtin_memmove((b2), (b1), (len)))
-/** Deprecated. Use memset() instead. */
-#define bzero(b, len) (void)(__builtin_memset((b), '\0', (len)))
-#endif
+static __inline__ __always_inline void bzero(void* b, size_t len) {
+  __builtin_memset(b, 0, len);
+}
 
 #if !defined(__i386__) || __ANDROID_API__ >= __ANDROID_API_J_MR2__
 /**
@@ -72,6 +70,10 @@ __BEGIN_DECLS
 int ffs(int __i) __INTRODUCED_IN_X86(18);
 #endif
 
+#if defined(__BIONIC_INCLUDE_FORTIFY_HEADERS)
+#include <bits/fortify/strings.h>
+#endif
+
 __END_DECLS
 
 #include <android/legacy_strings_inlines.h>

libc/libc.map.txt

@@ -1482,6 +1482,7 @@ LIBC_Q { # introduced=Q
 
 LIBC_R { # introduced=R
   global:
+    __mempcpy_chk;
     __open64_2;
     __openat64_2;
     call_once;

tests/clang_fortify_tests.cpp

@@ -159,19 +159,15 @@ FORTIFY_TEST(string) {
     EXPECT_FORTIFY_DEATH(memcpy(small_buffer, large_buffer, sizeof(large_buffer)));
     // expected-error@+1{{size bigger than buffer}}
     EXPECT_FORTIFY_DEATH(memmove(small_buffer, large_buffer, sizeof(large_buffer)));
-    // FIXME: this should be EXPECT_FORTIFY_DEATH
-#if 0
-    // expected-error@+1{{called with bigger length than the destination}}
-#endif
-    EXPECT_NO_DEATH(mempcpy(small_buffer, large_buffer, sizeof(large_buffer)));
+    // expected-error@+1{{size bigger than buffer}}
+    EXPECT_FORTIFY_DEATH(mempcpy(small_buffer, large_buffer, sizeof(large_buffer)));
     // expected-error@+1{{size bigger than buffer}}
     EXPECT_FORTIFY_DEATH(memset(small_buffer, 0, sizeof(large_buffer)));
     // expected-warning@+1{{arguments got flipped?}}
     EXPECT_NO_DEATH(memset(small_buffer, sizeof(small_buffer), 0));
-    // FIXME: Should these be warnings?
-    // expected-warning@+1{{will always overflow}}
+    // expected-error@+1{{size bigger than buffer}}
     EXPECT_FORTIFY_DEATH(bcopy(large_buffer, small_buffer, sizeof(large_buffer)));
-    // expected-warning@+1{{will always overflow}}
+    // expected-error@+1{{size bigger than buffer}}
     EXPECT_FORTIFY_DEATH(bzero(small_buffer, sizeof(large_buffer)));
   }
 
@@ -591,8 +587,6 @@ FORTIFY_TEST(unistd) {
   EXPECT_FORTIFY_DEATH_STRUCT(getcwd(split.tiny_buffer, sizeof(split)));
 
   {
-    // FIXME: These should all die in FORTIFY. Headers are bugged.
-#ifdef COMPILATION_TESTS
     char* volatile unknown = small_buffer;
     const size_t count = static_cast<size_t>(SSIZE_MAX) + 1;
     // expected-error@+1{{'count' must be <= SSIZE_MAX}}
@@ -607,7 +601,6 @@ FORTIFY_TEST(unistd) {
     EXPECT_FORTIFY_DEATH(pwrite(kBogusFD, unknown, count, 0));
     // expected-error@+1{{'count' must be <= SSIZE_MAX}}
     EXPECT_FORTIFY_DEATH(pwrite64(kBogusFD, unknown, count, 0));
-#endif
   }
 }
 

tests/fortify_test.cpp

@@ -926,6 +926,24 @@ TEST(TEST_NAME, strcat_chk_max_int_size) {
   ASSERT_EQ('\0', buf[9]);
 }
 
+TEST(TEST_NAME, mempcpy_chk) {
+  const char input_str[] = "abcdefg";
+  size_t input_str_size = strlen(input_str) + 1;
+
+  char buf1[10] = {};
+  char buf2[10] = {};
+
+  __builtin_mempcpy(buf1, input_str, input_str_size);
+  __builtin___mempcpy_chk(buf2, input_str, input_str_size, __bos0(buf2));
+
+  ASSERT_EQ(memcmp(buf1, buf2, sizeof(buf2)), 0);
+
+  void *builtin_ptr = __builtin_mempcpy(buf1, input_str, input_str_size);
+  void *fortify_ptr = __builtin___mempcpy_chk(buf1, input_str, input_str_size, __bos0(buf2));
+
+  ASSERT_EQ(builtin_ptr, fortify_ptr);
+}
+
 extern "C" char* __stpcpy_chk(char*, const char*, size_t);
 
 TEST(TEST_NAME, stpcpy_chk_max_int_size) {