Also delete some fdsan code that attempts to check for the post-fork
state, but never will, because we update the cached pid upon fork.
Bug: http://b/174542867
Test: /data/nativetest64/bionic-unit-tests/bionic-unit-tests
Test: treehugger
Change-Id: I9b748dac9de9b4c741897d93e64d31737e52bf8e
Currently, the initialization of _nres is not thread-saferes_mkquery is not thread-safe,
which might cause memory double free problem if caller ran under multithread.
To fix it, only initialize _nres once.
Also remove the redundant code.
Test: atest DnsResolverTest
Bug: 166235340
Change-Id: I9caa6eab37cb530fc60dae9bcca9650973a4536a
arm64 was already being careful, but x86/x86-64 and 32-bit ARM could be
caught by a signal in a state where the stack pointer was mangled.
For 32-bit ARM I've taken care with the link register too, to avoid
potential issues with unwinding.
Bug: http://b/152210274
Test: treehugger
Change-Id: I1ce285b017a633c732dbe04743368f4cae27af85
This log message exists to provide more context (the property name) to
SELinux denials for the same access check. The SELinux log severity
is 'W' since SELinux denials do not necessarily point to user-visible
errors, therefore this message should be 'W' as well.
Bug: 181269159
Test: build
Change-Id: Ie25091d96214a175b7ca39d5615f9a09b789d1e3
FORTIFY'ed functions try to be as close to possible as 'invisible';
having stack protectors detracts from that.
Don't apply this to functions which clang has no chance of inlining
anyway (like variadic functions)
Bug: 182948263
Test: TreeHugger
Change-Id: I08cfec25464b8ea1e070942e3dc76fc84da73dd0
Resetting PAC keys on fork appears to lead to a number of problems. One
problem is that we are constrained in where we can run C++ code after
forking, and with ART those places are implementation-defined. For
example, in app zygotes, ART turns out to insert "interpreter frames"
in the stack trace. Returning into these interpreter frames may lead
to crashes due to failing the ROP protection check on return.
It seems better to reset keys on thread creation instead. We only need
to reset IA because only this key needs to be reset for reverse-edge
PAC, and resetting the other keys may be incompatible with future ABIs.
Chrome (and potentially other applications) has a sandbox that prevents
the use of the prctl, so we restrict its use to applications targeting
S and above.
Bug: 183024045
Change-Id: I1e6502a7d7df319d424e2b0f653aad9a343ae71b
As far as I can tell, clang never implemented this GCC workaround for
32-bit x86's terrible PIC code. Since the whole point of
__stack_chk_fail_local() requires that it's in the same executable or
library as its callers, any prebuilt with a dependency on this (because
it was built by GCC) already has its own copy anyway. And clang isn't
creating any new ones, so I think this has been dead for several years
now.
Test: treehugger
Change-Id: I96997bbf912bbff506db44c285d9941fef9f86ce
Motivated by the fact that bazel doesn't like #include "../", but this
feels like it could use a deeper clean.
In fact, even after this change, I think we should remove this entirely,
since as far as I can tell Clang never implemented this GCC workaround
for 32-bit x86's awful PIC code.
Test: treehugger
Change-Id: I72715ee46f873f42d5707712aebe246ef78fcde1
This is the second or third time I've scratched my head wondering why
this destructor has no coverage. I was tempted to leave it in with a
comment saying it should never be called, but that seemed sillier than
just replacing it with an assertion.
Test: treehugger
Change-Id: I3442d9f8a391fae668e77c6888a4457ededee494
This makes Bazel conversion easier (because in Bazel package boundaries really matter).
Test: m libc still builds, and m also builds.
Change-Id: I5cfc9d83dffd3110ffad9ce03198e6141c8c5b33
Enable userfaultfd syscall to be used by ART-GC.
Bug: 160737021
Test: manually tested by invoking userfaultfd syscall in ART
Change-Id: I9f98402a96bb8363a1e5fa49dbadbb37dc70d561
Currently there is a pattern of `crtbegin_${type}1` and `crtbegin_${type}` modules, where the former
has sources and the latter depends on the former. The two modules for a type share many properties,
rather than duplicating these, we merge modules, such that each type only has a `crtbegin_${type}`
module.
Test: Treehugger
Change-Id: I7803ea0e97d660f620c334b6bfdfac22cb6e36d7
This works around buggy applications that read a few bytes past the
end of their allocation, which would otherwise cause a segfault with
the concurrent Scudo change that aligns large allocations to the right.
Because the implementation of
android_set_application_target_sdk_version() lives in the linker,
we need to introduce a hook so that libc is notified when the target
SDK version changes.
Bug: 181344545
Change-Id: Id4be6645b94fad3f64ae48afd16c0154f1de448f
Binaries defined in Makefiles that use the SDK need a variant to link
to. Generate a SDK variant of the ELF note as well. This is necessary to
allow makefile-generated binaries and CTS tests to use heap MTE.
Bug: 156029370
Bug: 181133973
Test: atest CtsBionicTestCases on QEMU+MTE, observe previously-failing
tests will now succeed.
Change-Id: I0a8243b0920769a196e7596904259e30c4a93105
Spotted while looking at our shiny new coverage numbers. Though how the
change that removed the code from this file without removing the file
made it through code review... Clearly I wasn't paying attention that
day!
Test: treehugger
Change-Id: Id61bb48bae60660d2e5ba9b26f00a68e51157c6d
Mixed builds can now use the label from an automatically converted
target.
Test: build/bazel/scripts/milestone-2/demo.sh full
Test: build/bazel/scripts/milestone-2/demo.sh generate
build/bazel/scripts/milestone-2/demo.sh sync
mixed build of libc
build/bazel/scripts/milestone-2/demo.sh cleanup
Change-Id: I1499b75f1348bf342b4cd134606786150b2f8b26
This is the last of remaining cc_objects in the libc package.
Test: go tests.
Test: build/bazel/scripts/milestone-2/demo.sh
Change-Id: Ib9c01be0faae10707305b81e72d3fac22bf96356
__libc_init_scudo() calls directly into the allocator, bypassing the
normal guest to host transition in the native bridge. Therefore we
need to let the native bridge override it with a no-op.
Bug: 159352723
Change-Id: I642c7a058e483cc09335290f66b9c053150fca06
This CL also discovered that a couple of cc_objects include headers from the bionic subdir, without declaring them in the local_include_dirs.
Test: build/bazel/scripts/milestone-2/demo.sh full && build/bazel/scripts/milestone-2/demo.sh cleanup
Change-Id: I943980b1d1c6dab39d3c27da8037e587f97f76e3
This leaf module is selected as the first cc_object module to be converted by
the bp2build converter.
Test: GENERATE_BAZEL_FILES=true m nothing && bp2build-sync write && bazel build //bionic/libc:crt_beginso1
Change-Id: Idf752e7b5251161a4fbd58ba52b52dd85c8fc92b
This matches what we do for arm and arm64. 32-bit x86 is too big a mess
to warrant the effort still, but the more testing is done on cuttlefish,
the more value there is to making every stack frame count.
Before:
#00 pc 00000000000596d8 .../libc.so (syscall+24)
#01 pc 000000000005d072 .../libc.so (abort+194)
#02 pc 000000000005f1f0 .../libc.so (__fortify_fatal(char const*, ...)+160)
After:
#00 pc 000000000005d07d .../libc.so (abort+205)
#01 pc 000000000005f1e0 .../libc.so (__fortify_fatal(char const*, ...)+160)
Test: crasher64 fortify
Change-Id: Ib74cb8b36341093c268872e26020f35eb2d8ef66
This is undefined behavior, but glibc and macOS are both lenient, and
someone hit this in the wild, so we may as well be lenient too. (The
only cost is that it's now slightly easier to write code that works on
everything except old versions of Android.)
Bug: https://issuetracker.google.com/180598400
Test: treehugger
Change-Id: Ia217169ea6283cc53f4fbf71e5abfa08356c2049
Bug: http://b/157081822
If __libc_int0x80 is in a C/C++ file, Clang's coverage instrumentation
adds instructions to count the number of times it gets executed [1].
With coverage instrumentation, __libc_sysinfo, used on 32-bit x86, is
initialized to the wrong value, causing dl.preinit_system_calls to fail.
Moving the function to an assembly file leaves __libc_sysinfo properly
initialized.
[1] We could change clang so it doesn't instrument functions marked
__attribute__((naked)) as a followup.
Test: `m CLANG_COVERAGE=true NATIVE_COVERAGE_PATHS=bionic` and run
bionic-unit-tests
Change-Id: I73558253512392d345de8d5b66d38bb14b308fdf
Kernel headers coming from:
Git: https://android.googlesource.com/kernel/common/
Branch: android-mainline
Tag: android-mainline-5.11
Test: Built cuttlefish and flame images. Ran bionic unit tests on both.
Change-Id: Ie60337aafad4bda55af99b6c8fe9f56bf2fa787f
Auto-generate NOTICE files for all the directories, and for each one
individually rather than mixing libc and libm together.
Test: N/A
Change-Id: I7e251194a8805c4ca78fcc5675c3321bcd5abf0a
With this change we can report memory errors involving secondary
allocations. Update the existing crasher tests to also test
UAF/overflow/underflow on allocations with sizes sufficient to trigger
the secondary allocator.
Bug: 135772972
Change-Id: Ic8925c1f18621a8f272e26d5630e5d11d6d34d38
On LP32, just abort if we're asked to handle an fd that's too big for
the `short` field in `struct FILE`. This is unreachable anyway because
the ulimit is 32Ki, and this will make issues far more noticeable if we
ever do increase that limit (which seems unlikely for LP32 devices).
Also rename __finit() to __FILE_init() to match __FILE_close().
Test: treehugger
Change-Id: I5db4d6c4529a1f558aff135b4dea071d73666be5
This has been in the standard since C99, but we've never supported it
before. It's apparently used by SPIRV-Tools.
I tried implementing this the other way (with fcntl(2)) first, but
eventually realized that that's more complicated and gives worse
results. This implementation assumes that /proc is mounted, but so much
of libc relies on that at this point that I don't think there's any
realistic case where the fcntl(2) implementation would be preferable,
and there are many where it's not.
The fact that no-one's mentioned this until now suggests that it's not a
heavily used feature anyway.
I've also replaced AssertCloseOnExec() with a CloseOnExec()
boolean-valued function instead, because it's really annoying getting
assertion failures that don't point you at the test line in question,
and instead point to some common helper code.
Test: treehugger
Change-Id: Ia2e53bf2664a4f782581042054ecd492830e2aed
Python module names should be lower case and not use hyphens (the
former is a convention, the latter is a requirement for importable
modules).
Also updates the shell script to always use Python 3 so we don't need
to maintain Python 2 compatibility.
Test: repo upload, in both a python 2 and python 3 virtualenv
Bug: None
Change-Id: I486e54a12686b4e528dc6c9c47af5c7a52a7b790
The genseccomp tests haven't been run since at least 2018. Deleted the
ones that are testing APIs that no longer exist or have been
refactored to take very different inputs.
Test: treehugger
Test: pytest tools
Bug: None
Change-Id: Iaf6b6b6a2e922b181a457a74eb4b5abe90425dfb
This is a manual refactoring to ensure that the modules respect package boundaries for input files.
Test: m gensseccomp genfunctosyscallnrs
Change-Id: I8ca6cbe85a50e41bfe874a899653c2309c59a822
libc++ still depends on these being declared even if they are
unavailable. This results in a worse error message (a link error
rather than a compiler diagnostic) if these functions end up being
used, but without the decl headers like libc++'s math.h can't be
included because it refers to an undeclared function.
For the cases where weak symbols aren't being used, don't annotate
these functions with their availability information.
Also need to avoid using __builtin_available for this case because the
NDK doesn't have __isOSVersionAtLeast yet.
__ANDROID_UNGUARDED_AVAILABILITY__ is being used as a proxy for
"building for the NDK" here because we don't have a good signal for
that which works for both the NDK proper and the NDK-in-the-platform
case.
Test: imported into the NDK, built and tested NDK
Bug: None
Change-Id: I9ef3e19a8fa083bca0be47b80dfef7ba52a94866
For backwards compatibility (e.g. with old apps), arm32 libc.so and
libm.so export some of the builtins. On 32-bit x86, libc.so also
exports some of the builtins.
The non-exported variant of the builtins will eventually have hidden
symbols but doesn't currently because D93431 hasn't been merged into
our toolchain yet. See:
- https://reviews.llvm.org/D93431
- I44ec79728db92c089e2f39823c35b6f97d24c1ab in toolchain/llvm_android
Bug: http://b/153025717
Test: bionic unit tests
Change-Id: Ic489cb06a07ef61412502fc65a21b0cf630c11ed
Introduces new heap-zero-init API. We've realised that it's better to be
able to individually control MTE and heap zero-init. Having
heap-zero-init not be controllable without affecting MTE affects our
ability to turn off heap-zero-init in zygote-forked applications.
Bug: 135772972
Test: On FVP: atest -s localhost:5555 malloc#zero_init \
Test: malloc#disable_mte heap_tagging_level
Change-Id: I8c6722502733259934c699f4f1269eaf1641a09f
The toolchain is new enough that should be able to use the actual
instructions now...
Test: treehugger
Change-Id: I30aafcdc5386268344c40dc6cc9a22caf591915a
"#" there is incorrect: macro parameter is expected following a hashmark.
Test: build libc with -mbranch-protection=standard
Change-Id: Ib8e7ddf260b4cdbd36246cc70f69970f33dee200
* changes:
crtbegin_static is built with min_sdk_version: "current"
Guard __libc_current_sigrtmin/max with __builtin_available
__INTRODUCED_IN macros add the availability attribute
scudo_malloc_* for fill contents in __libc_init_scudo calls scudo's
initializers. We haven't told Scudo whether we want MTE-capable (i.e.
mapped with PROT_MTE) size class regions yet, which happens in
SetDefaultHeapTaggingLevel. This can lead to inconsistent mappings,
where processes without ELF notes get the base region with PROT_MTE
(which is undesirable because the performance implications are not
known).
Make sure that scudo is informed of whether regions need to be mapped
PROT_MTE or not by hoising the tagging level up.
Bug: 135772972
Bug: 172365548
Test: On FVP - 'adb shell MEMTAG_OPTIONS=off sanitizer-status' should
have no PROT_MTE mappings (validation by looking for no 'mt' under
'VmFlags:' in /proc/smaps').
Change-Id: Idad64479c4a9459cb40dd211fe942437f8ca16fd
Native bridge modules will never compile against stubs, remove
native_bridge_supported: true.
Test: m checkbuild
Change-Id: I0eb93fe1a2c3f6ca34ce4dab17edda8807132ce8
These are available from mallopt() now, and all callers have been
switched over.
Bug: http://b/135772972
Test: treehugger
Change-Id: I90c7a7573b261c27001a2dfd4589b23861ad613b
crtbegin_static is used by static exectuables which are guaranteed to be
with the latest library regardless of their target API level.
This change is in fact not a regression as crtbegin_static has been
built with __ANDROID_API__=10000 before
I645e6bb1234c27ae0a69b7b87a59206cfd350744 when __ANDROID_API__ tracked
sdk_version, not min_sdk_version. sdk_version was not set for crtbegin_*
objects and therefore the default "current" was (incorrectly) used.
With this change, we are recovering the original behavior for the static
variant, while the building of the dynamic variant becomes more correct
- it's now with __ANDROID_API__=16.
Without this change, several static executables fail to build as 1)
crtbegin_static for them is built with __ANDROID_API__=16 and 2)
libc_init_common.cpp uses pthread_atfork which is available only after
API level 23. We hit undefined symbol error when linking.
Bug: 134795810
Test: m
Change-Id: I1430e57302951df33530ea0ae91b0d7a0609bf3d
The two APIs were added for the API level 21 and beyond. Currently, its
existence is tested using the null check which is done regardless of the
min sdk version of the compilation unit. (which in turn required us to
mark the API symbol weak regardless of the min sdk version.)
Now, we have a better way of testing the API availability;
__builtin_available. The null check is replaced with the call to the
compiler-provided macro which determines if the code is running in a
version of OS where the API is known to exist.
Bug: 150860940
Bug: 134795810
Test: m
Change-Id: Ib96c78f8d3cc71d7e755d1eab86051517bbbcc44
__INTRODUCED_IN (and its variants) macro is used to mark the
availability of an API symbol. The macros were used by the versioner
tool for the NDK clients. When the Bionic headers are processed by the
tool, APIs with the macros are guarded with __ANDROID_API__. e.g.,
void foo() __INTRDUCED_IN(30);
is processed into
\#if __ANDROID_API__ >= 30
void foo();
\#endif
by the versioner.
The macros however didn't play a role for other cases, e.g. OS
components.
This is too strict for NDK clients and too loose for the non-NDK
clients. For the former, this completely hides the APIs that are newer
than the min sdk version (__ANDROID_API__). For the latter, a call to
such an API can be made without being guarded.
This change is the first step towards a better way of handling the
native APIs availability. The plan is that every NDK APIs are annotated
with the availability attribute and callers are required to guard their
API calls with a runtime check if the API is newer than the min sdk
version of the caller.
In this change, the macros now emits the availability attribute for the
non-NDK clients (i.e. when not processed by versioner).
Bug: 163288375
Bug: 134795810
Test: m
Change-Id: I6eb2bce2bc2770cbfd69815e6816b6f25b3d6127
For libc.so, use a special build of libunwind.a whose symbols aren't
hidden ("libunwind-exported"), because libc.so exports the _Unwind_*
APIs.
Bug: http://b/153025717
Test: bionic unit tests
Change-Id: I7435e076ec8cc4410e3e6086d3cf5d2c6011c80c
These were only available internally via android_mallopt(), but they're
likely to be needed by more code in future, so move them into mallopt().
This change leaves the android_mallopt() options for now, but I plan on
coming back to remove them after I've switched the handful of callers
over to mallopt() instead.
Bug: http://b/135772972
Test: treehugger
Change-Id: Ia154614069a7623c6aca85975a91e6a156f04759
These two options allow for ARM MTE to be enabled dynamically (instead
of at compile time via the ELF note). They are settable from a non-root
shell to allow device owners to test system binaries with MTE.
The following values may be set:
1. 'off' -> No MTE, uses TBI on compatible devices.
2. 'sync' -> SYNC MTE.
3. 'async' -> ASYNC MTE.
The following methods can be used to launch a process (sanitizer-status)
with configurable values:
1. adb shell MEMTAG_OPTIONS=async sanitizer-status
2. adb shell setprop arm64.memtag.process.sanitizer-status async && \
adb shell sanitizer-status
Note: The system server will require some special handing in the zygote
pre-fork to check the sysprops. The zygote should always have the ELF
note. TODO in a subsequent patch.
Bug: 135772972
Bug: 172365548
Test: Launching sanitizer-status above using both the settings.
Change-Id: Ic1dbf3985a3f23521ec86725ec482c8f6739c182
Android S devices must support eBPF.
Test: builds, atest, TreeHugger
Bug: 167500195
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I84a8d00f786fca8113dd3d555af279a1029f66f2
Now that the feature guarded by this flag has landed in Linux 5.10
we no longer need the flag, so we can remove it.
Bug: 135772972
Change-Id: I02fa50848cbd0486c23c8a229bb8f1ab5dd5a56f
I realize that we can probably clean up more of our half-forked code by
reusing the same *-compat.h headers we use for the clean upstream code,
but I'll come back and do that later.
Bug: http://b/177003648
Test: treehugger
Change-Id: I081255aaafd62718b85956c5502911a1cc80225d
Technically, std::atomic does not have an operator(). Previously, this
code was relying on an implicit behavior of our C++ standard library in
order to compile. When compiling this code against a different C++
standard library, I encountered a compiler error on these lines.
This CL makes the std::atomic load() operation explicit, makes it
clearer what this code is actually doing and makes it conform better to
the C++ standard library spec rather than a particular implmentation.
Change-Id: I7f255dffc0a3d8e07c973c18e9ba4098c4b5843e
Technically, C requires that all source files end with a newline. In
practice, most compilers will accept source files without a newline, but
it does trigger the -Wnewline-eof warning.
Change-Id: I64a92b82f4d5724cd8b45821cfd59eb3de39514b
Use a note in executables to specify
(none|sync|async) heap tagging level. To be extended with (heap x stack x
globals) in the future. A missing note disables all tagging.
Bug: b/135772972
Test: bionic-unit-tests (in a future change)
Change-Id: Iab145a922c7abe24cdce17323f9e0c1063cc1321
Test: source build/envsetup.sh && lunch 16 && source
build/soong/bazel/bazelenv.sh && m, then verify ninja
file was based on intermediates from bazel-out
Change-Id: I89f320dd58083710012ea1f8e3902e723602ea37
Soft-limits apps from calling bind() on NETLINK_ROUTE sockets, and
getting link info through getifaddrs(), while still allowing apps on the
allowlist to temporarily perform these actions.
This is different from existing behavior, where apps targeting an API
level < 30 were exempted from this restriction.
Actual enforcement will happen through SELinux (as is currently the
case for apps targeting API >= 30). This temporary change will then be
reverted.
If you arrived at this change due to an app showing unexpected behavior,
please file a bug at go/netlink-bug.
Bug: 170188668
Bug: 170214442
Test: Call bind() on NETLINK_ROUTE for an app on the allowlist.
Test: Call bind() on NETLINK_ROUTE for an app not on the allowlist.
Test: Call getifaddrs() for an app on the allowlist.
Test: Call getifaddrs() for an app not on the allowlist.
Test: Call bind() on a AF_UNIX socket with its protocol set to
NETLINK_ROUTE, confirm it can succeed.
Test: Verify that previously broken apps are no longer broken.
Change-Id: I8738f7912fdc816e0d30205557728ff9e84bf7e6
Kernel headers coming from:
Git: https://android.googlesource.com/kernel/common/
Branch: android-mainline
Tag: android-mainline-5.10
Test: Built cuttlefish and flame images. Ran bionic unit tests on both.
Change-Id: I37ffc850970adcce1febbe2269c202632fce763a
Revert "Updates CTS tests for MAC address restrictions."
Revert submission 1518603-soft-restrict-mac
Reason for revert: Missing type check
Reverted Changes:
I0488932de:Soft-enable MAC address restrictions with allowlis...
Idb9d940e4:Updates CTS tests for MAC address restrictions.
I9461f287e:Return anonymized MAC for apps targeting SDK < 30
Change-Id: I7e8e593518088ff5c8f6083b34e6966852475b9b
This was a little confusing because a quick glance suggested that
'err' was getting the value of getsockopt(), when actually it was
getting the result of the '<' operation. Since 'err' wasn't
being used, we clarify by just removing it altogether.
Test: TreeHugger
Change-Id: I1ff80812b460973e9d512a558623e0c44c2ecf09
Soft-limits apps from calling bind() on NETLINK_ROUTE sockets, and
getting link info through getifaddrs(), while still allowing apps on the
allowlist to temporarily perform these actions.
This is different from existing behavior, where apps targeting an API
level < 30 were exempted from this restriction.
Actual enforcement will happen through SELinux (as is currently the
case for apps targeting API >= 30). This temporary change will then be
reverted.
If you arrived at this change due to an app showing unexpected behavior,
please file a bug at go/netlink-bug.
Bug: 170188668
Bug: 170214442
Test: Call bind() on NETLINK_ROUTE for an app on the allowlist.
Test: Call bind() on NETLINK_ROUTE for an app not on the allowlist.
Test: Call getifaddrs() for an app on the allowlist.
Test: Call getifaddrs() for an app not on the allowlist.
Change-Id: I0488932deea2a7211e55a24bc33bfa3cfb16fba2
They're both obsolescent in POSIX.1-2008, and you really shouldn't be
using them, but since we can't actually delete them...
This change makes them both obey $TMPDIR if set, and fall back to
/data/local/tmp otherwise. That's as good as we've managed for anything
else such as tmpfile(3).
Also add some tests.
Bug: http://b/174682340
Test: treehugger
Change-Id: Ieef99dcc2062f84b2b7cbae046787fdfe975e772
We can sometimes fail to link a static executable because of
duplicate definitions of std::nothrow in bionic/libc/bionic/new.cpp
and external/libcxx/src/new.cpp. Fix it by making our definition
weak since it doesn't matter which one ends up being chosen.
Change-Id: Iec02ae89f4a3d2ffe298817240f404e54b109a52
Add a make distclean for each supported arch before generating headers
and at the end so these files are not left hanging around in the
kernel directory.
Bug: 174795055
Test: Verified all generated files are deleted after running.
Test: Verified this generates the exact same files as before this change.
Change-Id: I0f66f580af2ea50c190eb532032017e782d7cae6
aosp/1484976 introduced a breaking change where
DisableMemoryMitigations() now indiscriminately turns tagged pointers
off. When android_mallopt(M_DISABLE_MEMORY_MITIGATIONS) is called, the
correct behaviour is:
- In SYNC/ASYNC MTE mode -> disable all tagged pointers.
- If all tagged pointers are already disabled -> nop.
- If we're in TBI mode -> nop (keep the TBI mode as-is).
In order to do that we have to allow probing of the current heap tagging
mode. In order to prevent TOCTOU between GetHeapTaggingLevel() and
SetHeapTaggingLevel(), we expose a global mutex that should be held when
calling these functions.
Bug: 174263432
Test: atest CtsTaggingHostTestCases on Flame
Change-Id: Ia96f7269d542c9041270458806aee36766d2fbbb
Unnecessary include, and the file was deleted with upstream changes.
Bug: N/A
Test: cd external/gwp_asan && atest
Change-Id: Id8facff0c5e382aa639ce158b7b5862ce157aa25
- Make it apply to every thread, and thus remove the restriction
that it must be called while the program is single threaded.
- Make it change TCF0 itself (on all threads), instead of requiring
callers to do it themselves, which can be error prone.
And update all of the call sites.
Change the implementation of
android_mallopt(M_DISABLE_MEMORY_MITIGATIONS) to call
android_mallopt(M_SET_HEAP_TAGGING_LEVEL) internally. This avoids
crashes during startup that were observed when the two mallopts
updated TCF0 unaware of each other.
I wouldn't expect there to be any out-of-tree callers at this point,
but it's worth noting that the new interface is backwards compatible
with the old one because it strictly expands the set of situations in
which the API can be used (i.e. situations where there are multiple
threads running or where TCF0 hadn't been updated beforehand).
Bug: 135772972
Change-Id: I7746707898ff31ef2e0af01c4f55ba90b72bef51
259776d8ff
The original change was reverted due to InterfaceParamsTest failing.
This test has now been fixed in r.android.com/1498525.
The original change message is below.
Updates getifaddrs() to behave as if RTM_GETLINK requests are not
allowed for non-system apps. This is different from previous behavior,
where apps targeting an API level < 30 were exempted from this
restriction.
Actual enforcement happens in SELinux. This change:
- Soft-enables the behavior until SELinux changes are in place
- Prevents logspam from SELinux denials after they are in place
Bug: 170188668
Test: atest bionic-unit-tests-static
Test: atest NetworkInterfaceTest
Test: Connect to Wi-Fi network
Test: Call getifaddrs() directly from within an app.
Test: Call NetworkInterface#getNetworkInterfaces() from within an app.
Change-Id: Ia9f61819f8fdf878c0e67e57de7e893fb3b1c233
Revert "Enforce RTM_GETLINK restrictions on all 3p apps"
Revert "Updates tests for untrusted app MAC address restrictions"
Revert submission 1450615-mac-address-restrictions
Reason for revert: DroidMonitor: Potential culprit for Bug 173243616 - verifying through Forrest before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted
Reverted Changes:
I08c709b2b:Enforce RTM_GETLINK restrictions on all 3p apps
I95d124ae8:Soft-enables new MAC address restrictions.
I5392f8339:Updates tests for untrusted app MAC address restri...
I9d214c5d0:Return anonymized MAC for apps targeting SDK < 30
Change-Id: If09920b24370077d647d60cfda7fc0a110b77851
"vendor_available" modules were available to product modules.
However, not all "vendor_available" modules are required to be
available to product modules. Some modules want to be available only
to product modules but not vendor modules.
To cover the requirement, we separate "product_available" from
"vendor_available".
"vendor_available" will not provide product available module.
Bug: 150902910
Test: build
Change-Id: I13b8222e191333c6c2cb7794ef3344fdcc6ebe98
A constructor or destructor function with an integral priority is
placed in an .init_array or .fini_array section with the priority
suffixed to the section name:
- __attribute__((constructor)) ==> .init_array
- __attribute__((constructor(42))) ==> .init_array.42
The suffixed init/fini sections appear before the unsuffixed sections,
so the prioritized functions appeared before the __{INIT,FINI}_ARRAY__
symbols and were dropped when the symbols were used.
The (static) linker doesn't recognize priority suffixes on
.preinit_array.
This bug affected .init_array and .fini_array for static executables.
For dynamic executables, only .fini_array was affected, because
.init_array is handled by the dynamic loader instead, which uses
DT_INIT_ARRAY[SZ]. For DSOs, neither is affected, because the two
sections are only handled by the dynamic loader.
This patch also fixes a minor inconsistency where dynamic init/preinit
were passed argc/argv/envp, but static were not.
Bug: http://b/170983066
Test: bionic-unit-tests
Change-Id: I0fffa776e5d9bdb6f8af06b4c1af148236742fef
The functions now read /etc/group and /etc/passwd on host machines.
Android-specific IDs are not recognized in the host.
getpwent and getgrent are still not working though. They require a
bigger refactoring to sequentially advance in the database files.
Bug: 171718702
Test: run assemble_cvd in aosp_cf_arm64_phone
Change-Id: Ie8da382a467bbd0bffac7b4b8592cd871db80181
/system/bin/sh exists only on Android. When Bionic is built for the
host, use the standard /bin/sh.
Bug: 159685774
Test: run aosp_cf_arm64_phone on rockpi4
Change-Id: Idf4028c134abc128f203fc4d3be591f06b8fe8ff
When an array element is added or removed, make only the relevant page
writable, rather than the entire array. The entire array is still made
writable during recompaction and expansion.
This change fixes most of a large regression in __cxa_atexit runtime
(blueline, taskset 10, performance governor, 100000 registrations,
times are in seconds)
- Q: _Exit=0.292380, exit=0.626801
- R: _Exit=28.435082, exit=95.785110
- new: _Exit=0.352285, exit=0.713893
Test: bionic unit tests
Test: adb shell taskset 10 \
/data/benchmarktest64/bionic-spawn-benchmarks/bionic-spawn-benchmarks \
--benchmark_filter='atexit' \
--benchmark_display_aggregates_only=true \
--benchmark_repetitions=10
Bug: http://b/168043760
Change-Id: I88cc15c29c9890b422b7f621f29f98a03ca1f886
Instead of assuming a module with the .llndk suffix exists, add an
llndk_stubs property to every cc_library module that has a
corresponding llndk_library. Also rename the llndk_library to have
an explicit .llndk suffix.
Bug: 170784825
Test: no changes to build.ninja (excluding comments) or Android-${TARGET_PRODUCT}.mk
Change-Id: Ib5453472a09ebc64818ceb69bcbe1184720ce86a
pthread_cond_pulse would unconditionally call futex, which meant that
a number of processes were spending a significant amount of time in
pthread_cond_broadcast and pthread_cond_signal when there were no
threads waiting on that pthread_cond_t.
This change adds a counter to the 64-bit pthread_cond_t struct and
only calls futex() in cases where there is a nonzero waiter count. The
32-bit pthread_cond_t is unchanged due to compatibility reasons.
Test: no pthread_cond_broadcast/signal stacks without try_to_wake_up
in SurfaceFlinger
bug: 168831708
Change-Id: I105e1345cd2a3a75f98cd0acf316e790ba1716f0
In order to disable memory initialization for a process, the following
command can be used:
android_mallopt(M_DISABLE_MEMORY_MITIGATIONS, nullptr, 0);
Since this is needed in vendor processes, this is exposing this
functionality to llndk. For convenience (and adding standard logging),
a helper function is being added into libcutils in order to use this,
w/o having to get into so many details.
Bug: 166675194
Test: use function from libcutils
Change-Id: Ia816089a9f3469c50c70afaa7244abeac5a51dcd
Introduce an android_mallopt(M_DISABLE_MEMORY_MITIGATIONS) API call
that may be used to disable zero- or pattern-init on non-MTE hardware,
or memory tagging on MTE hardware. The intent is that this function
may be called at any time, including when there are multiple threads
running.
Disabling zero- or pattern-init is quite trivial, we just need to set
a global variable to 0 via a Scudo API call (although there will be
some separate work required on the Scudo side to make this operation
thread-safe).
It is a bit more tricky to disable MTE across a process, because
the kernel does not provide an API for disabling tag checking in all
threads in a process, only per-thread. We need to send a signal to each
of the process's threads with a handler that issues the required prctl
call, and lock thread creation for the duration of the API call to
avoid races between thread enumeration and calls to pthread_create().
Bug: 135772972
Change-Id: I81ece86ace916eb6b435ab516cd431ec4b48a3bf
Updates getifaddrs() to behave as if RTM_GETLINK requests are not
allowed for non-system apps. This is different from previous behavior,
where apps targeting an API level < 30 were exempted from this
restriction.
Actual enforcement happens in SELinux. This change:
- Soft-enables the behavior until SELinux changes are in place
- Prevents logspam from SELinux denials after they are in place
Bug: 170188668
Test: atest bionic-unit-tests-static
Test: atest NetworkInterfaceTest
Test: Connect to Wi-Fi network
Test: Call getifaddrs() directly from within an app.
Test: Call NetworkInterface#getNetworkInterfaces() from within an app.
Change-Id: I95d124ae81bcb26583db5ad01d95d441d52f973c
There are multiple build breakages with bionic when we enable ThinLTO
globally. Opt bionic out of ThinLTO for now.
#global-thinlto-opt-out
Test: TreeHugger
Bug: 169004486
Change-Id: I546a8074f9c3e0ddbd01d3b7cd730e215e3c0c49
In native build of libc it would be inlined and in native bridge mode
it's noinline, extern "C" and thus could be easily intercepted.
Test: m (without weak symbols in native bridge mode x86+arm build would be broken)
Change-Id: I67759858a5bc2174dce1db9732fdbd89ba7689cc
Now, when we can detect native bridge mode is sources we can do that.
Test: m (without weak symbols in native bridge mode x86+arm build would be broken)
Change-Id: I360e7df8211d03636bbe716dc14655ee8d765493
malloc_debug can use libunwind and libunwindstck to unwind backtrace,
if libc.debug.malloc.options contains the string of "backtrace_full",
malloc_debug will use libunwindstck, and if libc.debug.malloc.options
contains the string of "backtrace=*", malloc_debug will use libunwind.
The result of libunwindstck is normal, but the result of libuniwnd
is abnormal, there is a offset between the rel_cp and the correct value,
so addr2line can't decode the right line number.
Libunwind and libunbiwndpack calculate load_bias is different, so malloc_debug
get load_bias alignment with libunwindstack.
Bug: 169539402
Change-Id: I640fb5db39af622a0bb52abf2c107984065a89d5
Let the assembler handle the low-level details of generating .eh_frame,
and use .cfi_escape to output the DWARF3 DW_CFA_def_cfa_expression and
DW_CFA_expression instructions.
Explicitly output a nop instruction between the FDE start
(.cfi_startproc) and the trampoline symbol.
x86_64: remove the rsp instruction, which is redundant with the CFA
itself.
Bug: http://b/169383888
Test: compare `objdump -Wf` output before and after
Test: bionic-unit-tests
Change-Id: Ie2a6d111cb473596be8c9f4fd64534e91d88f2a1
* changes:
libc: Add Armv8.3-A PAuth and Armv8.5-A BTI compatibility to *.S
Update crtbegin.c and crt*.S to support Armv8.5-A BTI
libm: Add Armv8.3-A PAuth and Armv8.5-A BTI support to assembly files
libc: Prepare support for Armv8.3-A PAuth and Armv8.5-A BTI in *.S
Every architecture that uses .eh_frame needs a terminator at the end to
ensure that an unwinder library doesn't read past the end of the
section. This can happen when the unwinder looks up a PC that doesn't
have a matching FDE. Both LLVM libunwind and libgcc fall back to an
.eh_frame scan if the .eh_frame_hdr search table scan fails.
By convention, this terminator section is aligned to 4, even on 64-bit
targets. e.g. Both libgcc and compiler-rt have a crtend with 4-byte
.eh_frame alignment on arm64 and x86_64.
In practice, lld strips off the terminator from input object files and
adds one unconditionally to the output, but bfd/gold still require a
crtend with a terminator.
References:
- https://reviews.llvm.org/D86256
- https://reviews.llvm.org/D87750
- https://sourceware.org/bugzilla/show_bug.cgi?id=2655
Test: examine crtend.o and crtend_so.o with `readelf -SW` and \
`objdump -Wf`
Change-Id: Ib8478ee446ad806898aa7147a6208d384c7516d5
The latest LLVM update to r399163 has exposed an issue with optimization
of `aligned_alloc()` at -O2. Invalid inputs are treated as valid, which
results in assertions being hit. This WAR is to make sure that the test
keeps running while we fix the issue upstream.
Bug: http://b/169206016
Bug: http://b/155835175
Test: atest malloc_hooks_system_tests:malloc_hooks_system_tests.MallocHooksTest#aligned_alloc_hook_error -- --abi x86
Change-Id: I74b290b73826481c62db3a99ac1a690c8a8a8db3
This patch adds support to load BTI-enabled objects.
According to the ABI, BTI is recorded in the .note.gnu.property section.
The new parser evaluates the property section, if exists.
It searches for .note section with NT_GNU_PROPERTY_TYPE_0.
Once found it tries to find GNU_PROPERTY_AARCH64_FEATURE_1_AND.
The results are cached.
The main change in linker is when protection of loaded ranges gets
applied. When BTI is requested and the platform also supports it
the prot flags have to be amended with PROT_BTI for executable ranges.
Failing to add PROT_BTI flag would disable BTI protection.
Moreover, adding the new PROT flag for shared objects without BTI
compatibility would break applications.
Kernel does not add PROT_BTI to a loaded ELF which has interpreter.
Linker handles this case too.
Test: 1. Flame boots
2. Tested on FVP with BTI enabled
Change-Id: Iafdf223b74c6e75d9f17ca90500e6fe42c4c1218
android_filesystem_config.h is found since system/core/include is on
the include path for all projects and contains a symlink to the real
android_filesystem_config.h. This is fragile and the below bug seeks
to remove this symlink and have users correctly depend on
libcutils_headers.
In bionic, libcutils_headers header library cannot be used due to
cyclic dependencies, so it gets the actual include path instead, which
is less bad than depending on the build system injecting the for all
modules.
Bug: 165825252
Test: build
Change-Id: Id43bdea9553b1174ceb3efc2a3ed505888619c62
It was originally based on fdlibm, but it's been through two different
projects since then, and `git blame` shows basically nothing remaining
from those days. Seems worth leaving something to explain the unusual
copyright header though!
Test: treehugger
Change-Id: I8e7252a755704b866e7f36c8e97adc021fa3cdad
This value indicates whether memory tagging is enabled on a thread,
the mode (sync or async) and the set of excluded tags. This information
can sometimes be important for understanding an MTE related crash,
so include it in the per-thread tombstone output.
Bug: 135772972
Change-Id: I25a16e10ac7fbb2b1ab2a961a5279f787039000b
This is already covered by the existing test by virtue of being used for
all threads.
Bug: http://b/168258494
Test: treehugger
Change-Id: I5c872fd7f30a4c79de1d70e7702f4b12d4e94cd3
An upcoming change to Scudo will change how we use the TLS slot
in tsd_shared.h, which will be a little easier to deal with if
we can remove the code path that calls pthread_getspecific and
pthread_setspecific. The only known user of this code path is Fuchsia.
We can't eliminate this code path by making Fuchsia use ELF TLS
because although Fuchsia supports ELF TLS, it is not supported within
libc itself. To address this, Roland McGrath on the Fuchsia team has
proposed that Scudo will optionally call a platform-provided function
to access a TLS slot reserved for Scudo. Android also has a reserved
TLS slot, but the code that accesses the TLS slot lives in Scudo.
We can eliminate some complexity and duplicated code by having Android
implement the same mechanism that was proposed for Fuchsia, which is
what this change does. A separate change to Scudo will make use of it.
Bug: 163630045
Change-Id: I4678105c9c47a23feb5a5e80a314416de4556d9c
Except they are the same on arm32/arm64, so we hadn't really noticed. x86
and x86-64 are quite different though, presumably by historical accident.
Fix the definitions and add some static asserts.
Bug: https://github.com/android/ndk/issues/1347
Test: treehugger
Change-Id: Ic27b172066cf3443749463b9b73c912d204f9516
The most notable change is in sigsetjmp/siglongjmp. The former
stores LR signed with the current SP into jmp_buf. Calling siglongjmp
reads a signed LR and the corresponding SP from jmp_buf. This way not
only the checksum provides some means of integrity protection but
Pointer Authentication too.
Test: Tested on FVP with BTI enabled.
Change-Id: I9d720239775f8d2829a677901f546c4b14b5cbe5
These files are linked to all ELF files therefore they must support BTI.
Test: Tested on FVP with BTI enabled using a patched clang.
Co-authored-by: Gabor Kertesz <gabor.kertesz@arm.com>
Co-authored-by: Daniel Kiss <daniel.kiss@arm.com>
Co-authored-by: Tamas Petz <tamas.petz@arm.com>
Change-Id: If5df0722e649bcdb8c4afb0531831dff42103c9c
The instruction "bti c" is added through ENTRY*() macro,
using __bionic_asm_custom_entry(f).
The .note.gnu.property section is added with the new macro
NOTE_GNU_PROPERTY(). BTI and PAuth features are automatically
selected based on the presence of __ARM_FEATURE_* macros.
Furthermore, gensyscalls.py got updated to append the new
macro to the generated syscalls-arm64.S.
Test: Tested on FVP with BTI enabled.
Change-Id: I40ffe294b8426421125fffd0a9758567d919a09d
This benchmarks mapping property prefixes to property contexts with
two algorithms: the 'Legacy' method used before Android P and the
'Trie' used afterwards (the code in this directory).
It uses input mappings from both Oreo and the latest in AOSP ('S').
Note that there is nearly a 10x increase in the number of mappings in
S as there was in Oreo, which was predicted when the trie was
designed.
Results on cuttlefish:
-----------------------------------------------------------
Benchmark Time CPU Iterations
-----------------------------------------------------------
LegacyLookupOreo 683576 ns 673538 ns 1060
LegacyLookupS 5683109 ns 5596982 ns 124
TrieLookupOreo 299851 ns 295696 ns 2378
TrieLookupS 584831 ns 576801 ns 1204
The results show that the legacy look up uses 8.3x more CPU time to
handle the number of mappings added through S, whereas the Trie lookup
uses less than 2x more CPU time, showing that the trie scales better
with added mappings.
Test: run this benchmark
Change-Id: I35c3aa4429f049e327a891f9cbe1901d8855d7ba
I made toybox use strptime %Z recently (so that it can parse the default
POSIX date(1) output), forgetting that bionic's strptime(3) doesn't
support %Z. Neither does glibc, for that matter; the toybox change works
on glibc effectively by accident --- glibc just ignores the next word
when parsing %Z and assumes that the current time zone ($TZ) is
appropriate. Which it is for the only obvious use case of "round trip
date(1) output".
The related %z is potentially quite a bit more useful in general (parsing
any valid RFC822 time zone), though sadly not useful for the toybox case
that prompted.
Every time I touch this file I promise that I'll actually get us back in
sync with upstream, and every time I fail to get round to it. Maybe
2020 or 2021 will finally be the year...
Also add corresponding tests.
Bug: https://b/167455975
Test: treehugger
Change-Id: I13a7fb7e3ad01ae855750b9314d2eec661fe034f
Some global static variables are only used within a single function,
so moving them inside the function which requires them. This also
ensures those static variables of class types are initialized before
they are being used.
For example, this is needed for CachedProperty(), as some of the
member method, e.g., CachedProperty().Get(), might be invoked,
e.g., in __libc_preinit(), before the constructor is invoked.
This happens after we added property trace points in commit
Id2b93acb2ce02b308c0e4889f836159151af3b46.
For g_lock, we don't move them because it can be initialized by setting
its memory to 0. And it's used in two functions.
https://android.googlesource.com/platform/bionic/+/refs/heads/master/libc/private/bionic_lock.h
Bug: 147275573
Test: atest CtsBionicTestCases
Test: adb shell perfetto -o /data/misc/perfetto-traces/test_trace -t 10s bionic sysprop
Change-Id: I99565ce2442d34f33830778915c737eed834f8b3
Like with close, socket is no longer a simple syscall, so we can get
recursive calls that deadlock.
Bug: http://b/165206592
Test: bionic-unit-tests on cuttlefish
Test: treehugger
Change-Id: I2ba77d733d1ebf08a91afd6ca179e7ae6ae3866e
Introducing a new systrace tag, TRACE_TAG_SYSPROP, for use with
system property.
For property set, the tracing is added in __system_property_set() instead of
__system_property_update() / __system_property_add() so we can record
control properties like ctl.*, sys.powerctl.*, etc.., which won't be
updated via the latter two functions.
Bug: 147275573
Test: atest CtsBionicTestCases
Test: adb shell perfetto -o /data/misc/perfetto-traces/test_trace -t 10s bionic
Test: adb shell perfetto -o /data/misc/perfetto-traces/test_trace -t 10s sysprop
Test: adb shell /data/benchmarktest64/bionic-benchmarks/bionic-benchmarks \
--benchmark_filter=BM_property --bionic_cpu=4, then compares the results
of property benchmarks before and after the change, didn't see
significant difference.
Change-Id: Id2b93acb2ce02b308c0e4889f836159151af3b46
Merged-In: Id2b93acb2ce02b308c0e4889f836159151af3b46
(cherry picked from commit 26970c3493)
