FORTIFY_SOURCE: add umask check

Verify that the call to umask makes sense. While this wouldn't
have detected bug 7094213 (because the low order bits were all zero),
it might detect other similar bugs.

References: https://code.google.com/p/android-source-browsing/source/detail?r=acba45cc4b1f98f67fcdeda2f7c13ed57659b92a&repo=platform--libcore

Change-Id: I966a531d6b3cf8e1c5eacd69bd3cbec475b5fa58

libc/Android.mk

@@ -257,6 +257,7 @@ libc_common_src_files := \
 	tzcode/strftime.c \
 	tzcode/strptime.c \
 	bionic/__set_errno.c \
+	bionic/__umask_chk.c \
 	bionic/bionic_clone.c \
 	bionic/cpuacct.c \
 	bionic/arc4random.c \

libc/bionic/__umask_chk.c

@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2012 The Android Open Source Project
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *  * Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *  * Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#undef _FORTIFY_SOURCE
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <private/logd.h>
+#include <stdlib.h>
+
+/*
+ * Runtime implementation of __umask_chk.
+ *
+ * Validate that umask is called with sane mode.
+ *
+ * This umask check is called if _FORTIFY_SOURCE is defined and
+ * greater than 0.
+ */
+mode_t __umask_chk(mode_t mode)
+{
+    if ((mode & 0777) != mode) {
+        __libc_android_log_print(ANDROID_LOG_FATAL, "libc",
+            "*** FORTIFY_SOURCE: umask called with invalid mask ***\n");
+        abort();
+    }
+
+    return umask(mode);
+}

libc/include/sys/stat.h

@@ -122,6 +122,27 @@ extern int    lstat(const char *, struct stat *);
 extern int    mknod(const char *, mode_t, dev_t);
 extern mode_t umask(mode_t);
 
+#if defined(__BIONIC_FORTIFY_INLINE)
+
+extern mode_t __umask_chk(mode_t);
+extern mode_t __umask_real(mode_t)
+    __asm__(__USER_LABEL_PREFIX__ "umask");
+extern void __umask_error()
+    __attribute__((__error__("umask called with invalid mode")));
+
+__BIONIC_FORTIFY_INLINE
+mode_t umask(mode_t mode) {
+  if (__builtin_constant_p(mode)) {
+    if ((mode & 0777) != mode) {
+      __umask_error();
+    }
+    return __umask_real(mode);
+  }
+  return __umask_chk(mode);
+}
+#endif /* defined(__BIONIC_FORTIFY_INLINE) */
+
+
 #define  stat64    stat
 #define  fstat64   fstat
 #define  lstat64   lstat