Reuse the top bits of _JB_SIGFLAG field previously used to store a
boolean to store a cookie that's validated by [sig]longjmp to make it
harder to use as a ROP gadget. Additionally, encrypt saved registers
with the cookie so that an attacker can't modify a register's value to
a specific value without knowing the cookie.
Bug: http://b/23942752
Change-Id: Id0eb8d06916e89d5d776bfcaa9458f8826717ba3
For previous way to get the stack using the [stack] string from
/proc/self/task/<pid>/maps is not enough. On x86/x86_64, if an
alternative signal stack is used while a task switch happens,
the [stack] indicator may no longer be correct.
Instead, stack_start from /proc/self/stat which is always inside
the main stack, is used to find the main stack in /proc/self/maps.
Change-Id: Ieb010e71518b57560d541cd3b3563e5aa9660750
Signed-off-by: Nitzan Mor-sarid <nitzan.mor-sarid@intel.com>
Signed-off-by: Mingwei Shi <mingwei.shi@intel.com>
The debug malloc code unconditionally closes stdin/stdout/stderr,
which means that other atexit functions cannot use them. Only
close these if there is a debug malloc final function to call.
This doesn't appear to be a problem on most normal applications or the
atexit_exit bionic unit test would be failing. However, if you
enable stat dumping in jemalloc, nothing prints. Most likely trying
to add an atexit function from within libc is causing that atexit
to run after the debug malloc atexit function.
Change-Id: I963720d4ccaaa511e44af07a7461f17eb3f84e8e
These are just based on the read/pread{,64} implementations with the
function calls and error messages adjusted as appropriate. The only
difference is that the buffer parameters are const.
Change-Id: Ida1597a903807f583f230d74bcedffdb7b24fcf6
The ip values being reported are always pointing at the next
instruction to execute, not the currently executing instruction.
Change the ip address to point at the currently executing instruction.
This fixes a problem where the next instruction is not actually
part of the same function, so if an addr2line is used, it reports
the wrong value.
This does not modify the ip for mips.
Bug: 22565486
Change-Id: Ie0df4c9727f62ce06948b9a2b0e4b7956eb6e752
It turns out that everyone's still getting PAGE_SIZE from <sys/user.h> via
<sys/ucontext.h> via <signal.h> anyway.
glibc has PAGE_SIZE in <sys/user.h> rather than <limits.h> so this part is
good. The bad part is that we have such wide transitive inclusion of
<sys/user.h>!
Bug: http://b/22735893
Change-Id: I363adffe4a27b4ca1eedf695ea621f5dd2d5ca10
I'm removing the TODO on the assumption that being compatible with glibc
is more useful than BSD. The new internal "bionic_page.h" header factors
out some duplication between libc and the linker.
Bug: http://b/22735893
Change-Id: I4aec4dcba5886fb6f6b9290a8f85660643261321
A __size_mul_overflow utility is used to take advantage of the checked
overflow intrinsics in Clang and GCC (>= 5). The fallback for older
compilers is the optimized but less than ideal overflow checking pattern
used in OpenBSD.
Change-Id: Ibb0d4fd9b5acb67983e6a9f46844c2fd444f7e69
This patch give the possibility of time vdso support on 32bit kernel.
If the 32bit x86 kernel provides gettimeofday() and clock_gettime()
primitives in vdso. In this case make bionic use them. If the kernel
doesn't provide them, fallback to the legacy system call versions.
Change-Id: I87b772a9486fa356903e1f98f486ab9eb0b6f6f7
Signed-off-by: Robert Jarzmik <robert.jarzmik@intel.com>
Signed-off-by: Mingwei Shi <mingwei.shi@intel.com>
This reverts commit 1946856b1f.
This goes back to the original scheme of PROT_NONEing a page within
libc. Allocating a new page didn't fail safe for cases where these
functions are called from the dynamic linker.
Bug: http://b/22568628
Change-Id: I3e7241c8b54c27ea4a898bc952375c1e9ae38c80
Global, writable function pointers are low-hanging fruit for hijacking
control flow with an overflow from a global buffer or an arbitrary write
vulnerability. This moves the function pointer table into a dedicated
page and makes it read-only at runtime, similar to RELRO.
This increases the memory usage of the library by just under one page.
This could be avoided by having the linker load the vdso by replacing
weak symbols. It's not significant within the Zygote spawning model
though because it's read-only after early init.
Change-Id: Id7a49c96c1b15c2e1926528304b3c54a81e78caf
If a map has a non-zero vaddr then it needs to be added to the
computed relative offset.
Bug: 22532054
Change-Id: If55015165d25ecc4b530f674b481c8c7ef760a23
There is a deadlock if holding the hash table lock while trying to do
a backtrace. Change the code so that the hash table lock is only held
while actually modifying either g_hash_table, or while modifying an
entry from g_hash_table.
Bug: 22423683
(cherry picked from commit 9fee99b060)
Change-Id: I72173bfe6f824ceaceea625c24e7851b87467135
LP64 is immune because basename_r is hidden there, but on LP32 a basename_r
defined in the executable breaks basename because its call to basename_r
will resolve to that one rather than the one in libc.
Bug: http://b/22415484
Change-Id: Ied3ca7ad3fb0e744eb705fc924743f893b4ad490
1. Personality parameter should be unsigned int (not long)
2. Do not reset bits outside of PER_MASK when setting
personality value.
3. Set personality for static executables.
Bug: http://b/21900686
Change-Id: I4c7e34079cbd59b818ce221eed325c05b9bb2303
(cherry picked from commit f643eb38c3)
The pthread_mutex_lock and pthread_mutex_unlock were allowed to
fail silently on L 32 bit devices when passed a NULL. We changed
this to a crash on 32 bit devices, but there are still games that make
these calls and are not likely to be updated. Therefore, once again
allow NULL to be passed in on 32 bit devices.
Bug: 19995172
(cherry picked from commit 511cfd9dc8)
Change-Id: I159a99a941cff94297ef3fffda7075f8ef1ae252
A continuation of commit 2825f10b7f.
Add O_PATH compatibility support for flistxattr(). This allows
a process to list out all the extended attributes associated with
O_PATH file descriptors.
Change-Id: Ie2285ac7ad2e4eac427ddba6c2d182d41b130f75
The functions dlmalloc_inspect_all and dlmalloc_trim get
exported on devices that use dlmalloc, so be consistent and
export them everywhere.
Bug: 21640784
Change-Id: I5b8796cd03c8f401d37d9c22823144f766f9c4c7
It turns out that apportable apps expect that the DIR structure is
the same as in L and below. Modify the structure to have the same
order, and move the new variable to the end of the structure.
Bug: 21037208
(cherry picked from commit 5edb0f40f6)
Change-Id: I0c1ab5e295ec8bef638daa4cfea5830aeea602e6
Support O_PATH file descriptors when handling fgetxattr and fsetxattr.
This avoids requiring file read access to pull extended attributes.
This is needed to support O_PATH file descriptors when calling
SELinux's fgetfilecon() call. In particular, this allows the querying
and setting of SELinux file context by using something like the following
code:
int dirfd = open("/path/to/dir", O_DIRECTORY);
int fd = openat(dirfd, "file", O_PATH | O_NOFOLLOW);
char *context;
fgetfilecon(fd, &context);
This change was motivated by a comment in
https://android-review.googlesource.com/#/c/152680/1/toys/posix/ls.c
Change-Id: Ic0cdf9f9dd0e35a63b44a4c4a08400020041eddf
Adds a new _internal_ function. Provide a global serial number to
support more efficient private caching algorithms. This allows
to skip re-running the __system_property_find() call on misses until
there is a global change in the properties. This call is a read
barrier, the property data to be read following this call will be
read sequentially and up to date.
Bug: 19544788
Change-Id: I58e6a92baa0f3e8e7b9ec79b10af6d56407dab48
