Commit graph

28647 commits

Author SHA1 Message Date
Elliott Hughes
7ac0023c2d Remove reference to obsolete script.
Test: N/A
Change-Id: I3f4b8574d82cf6b2faedd03a256bc75130f3c016
2019-06-17 13:16:45 -07:00
George Burgess IV
849c0b9f51 fortify: add __mempcpy_chk
Bug: 131861088
Test: mma + bionic-unit-tests on blueline
Change-Id: I02f8f87d5db0ba5fecec410da32f6ffa2c98ef57
2019-06-13 23:29:37 -07:00
George Burgess IV
26d25a22e2 fortify: add even more warnings
Bug: 131861088
Test: mma
Change-Id: I557309b3e25b54321ee1fe0207f18b6e840bf76e
2019-06-13 23:26:02 -07:00
George Burgess IV
2356c93d39 fortify: add bit checking for open(at)?64 functions
This also adds _2-variants for these functions, for extra glorious
checking

Bug: 131861088
Test: mma
Change-Id: I80475ff4bb220c0c47894e9532426f53412f176f
2019-06-13 23:26:02 -07:00
George Burgess IV
74519e7aa5 fortify: fix overflow checks in unistd
We should only be calling _real versions of the functions that use this
if the input size is verifiably <= SSIZE_MAX. Otherwise, just fall
through to _chk and let that handle it.

Bug: 131861088
Test: mma && bionic-unit-tests
Change-Id: Iba04e486ef91ea1b3539ab6df6260429264e66b4
2019-06-13 23:26:02 -07:00
George Burgess IV
8c0ec114c5 fortify: fix up a few diagnostics; add __wur to realpath
As it says on the box.

Since realpath isn't a function definition, any attributes it provides
here just add to the "regular" realpath.

__wur is being added to realpath because it returns NULL on failure, and
the contents of the input buffer are undefined in that case. A blueline
checkbuild showed 0 complaints about this new __wur, so it seems
harmless to add.

Bug: 131861088
Test: mma
Change-Id: If5f47e0e290d86df69c0888711e29775c390fca4
2019-06-13 23:26:02 -07:00
George Burgess IV
77f99aaf58 fortify: add diagnostics for str* functions
This CL allows us to diagnose string functions that get an explicit size
passed into them, and string functions that are trivially misused.

Bug: 131861088
Test: mma
Change-Id: I894aec99420a75c6474cfd7d5010f0cf2f10ab21
2019-06-13 23:26:02 -07:00
George Burgess IV
1eb5976d75 Merge "fortify: fix tests on x86_64" 2019-06-13 22:28:13 +00:00
George Burgess IV
06bb4ce8de fortify: fix tests on x86_64
My declval hack failed on x86_64 with:

```
substitution failure [with T = __va_list_tag [1]]: function cannot
return array type '__va_list_tag [1]'
```

...Because the type of va_list is compiler magic, it's fine for it to be
whatever the compiler wants it to be. Thankfully, pointers to arrays can
be returned, so let's use those instead.

Bug: 135210098
Test: mma on aosp_blueline-eng and aosp_x86_64-eng; the latter was
      failing before this patch.

Change-Id: Iefd57c0f8e823653fd70633fb6ee75cfc0022430
2019-06-13 15:18:16 -07:00
George Burgess IV
9894ec4596 Merge "fortify: import tests from Chrome OS" 2019-06-13 20:16:31 +00:00
Ryan Prichard
7493673e4f Merge "Use PT_INTERP as the linker's l_name path" 2019-06-12 19:40:19 +00:00
Vic Yang
13cc09cc1b Merge "linker: Speed up find_loaded_library_by_inode()" 2019-06-11 17:05:52 +00:00
George Burgess IV
9a2741010a fortify: import tests from Chrome OS
Chrome OS has a fairly extensive FORTIFY test suite for both
compile-time and run-time diagnostics. It covers tons of edge cases, and
conveniently centralizes diagnostic and death testing.

A fair amount of it has been ifdef'ed out, since Bionic doesn't yet
diagnose (or crash on) some of these things. The intent is to explicitly
declare defeat on the things we don't care to FORTIFY, and slowly fix
the rest in easier-to-digest CLs.

Once that's done, we might be able to look into retiring some of the
FORTIFY testing that we don't share with the CrOS folks.

Bug: 131861088
Test: mma + bionic-unit-tests on blueline

Change-Id: I16734ea0769e03cf658ef10532d64f28fdb36a89
2019-06-10 12:46:49 -07:00
Neil Fuller
b8dace7339 Merge "Remove bionic refs to runtime module tz files" 2019-06-10 17:21:19 +00:00
Neil Fuller
41636ca1ac Remove bionic refs to runtime module tz files
The tzdata file is being removed from the runtime mainline module
in an upcoming commit. This commit removes the bionic references
to it.

This commit also contains general comment tidy-ups.

Bug: 132168458
Test: build only
Change-Id: I83cd9ff756b36e1d1222b7830f97c8bde2885ce4
2019-06-10 15:09:15 +01:00
Elliott Hughes
1069236349 Merge "<arpa/nameser.h>: fix INTRODUCED_IN API level." 2019-06-06 21:13:14 +00:00
Elliott Hughes
738a6c92e5 <arpa/nameser.h>: fix INTRODUCED_IN API level.
Historical research (see bug) suggests that these functions were all in
22. The map file believed this with one (presumably typoed) exception,
but the header file didn't match the map file. It looks like the map was
correct (modulo the one typo), so fix up all the disagreement.

Bug: http://b/113618851
Test: treehugger
Change-Id: Ia579f4e6163206abfac79aa54dc98c792f00ee86
2019-06-06 09:57:54 -07:00
Ryan Prichard
cf9ed12d10 Use PT_INTERP as the linker's l_name path
Ordinary executables have a PT_INTERP path of /system/bin/linker[64], but:
 - executables using bootstrap Bionic use /system/bin/bootstrap/linker[64]
 - ASAN executables use /system/bin/linker_asan[64]

gdb appears to use the PT_INTERP path for debugging the dynamic linker
before the linker has initialized the r_debug module list. If the linker's
l_name differs from PT_INTERP, then gdb assumes that the linker has been
unloaded and searches for a new solib using the linker's l_name path.

gdb may print a warning like:

warning: Temporarily disabling breakpoints for unloaded shared library "$OUT/symbols/system/bin/linker64"

If I'm currently debugging the linker when this happens, gdb apparently
doesn't load debug symbols for the linker. This can be worked around with
gdb's "sharedlibrary" command, but it's better to avoid it.

Previously, when PT_INTERP was the bootstrap linker, but l_name was
"/system/bin/linker[64]", gdb would find the default non-bootstrap linker
binary and (presumably) get confused about symbol addresses.

(Also, remove the "static std::string exe_path" variable because the
soinfo::realpath_ field is a std::string that already lasts until exit. We
already use it for link_map_head.l_name in notify_gdb_of_load.)

Bug: http://b/134183407
Test: manual
Change-Id: I9a95425a3a5e9fd01e9dd272273c6ed3667dbb9a
2019-06-05 18:02:40 -07:00
Treehugger Robot
400b073ee3 Merge "[PATCH] Document the LD_PRELOAD workaround." 2019-06-05 22:36:35 +00:00
Elliott Hughes
8e4b6b695e [PATCH] Document the LD_PRELOAD workaround.
Bug: N/A
Test: N/A
Change-Id: Ifbc6eb3c7f77e3f2e5a29b505b982880d96c5ab0
2019-06-05 08:28:55 -07:00
Vic Yang
3ec16be2bc linker: Speed up find_loaded_library_by_inode()
Rearrange the st_dev and st_ino checks to reduce the number of
comparison needed.

Test: Ran cameraserver on a Go device. Measured time spent in the linker
      and saw ~1% speed-up.

Change-Id: I8e977ff37925eae3ba8348e7c4a01ce8af3b9b6d
2019-06-04 21:01:04 -07:00
Yi Kong
6cfd9a1071 Merge "Clean up no_libgcc" 2019-06-05 00:58:35 +00:00
Treehugger Robot
94a68e1274 Merge "Build 32-bit ARM assembler with -mno-restrict-it." 2019-06-04 23:16:19 +00:00
Elliott Hughes
1b61d78fc1 Build 32-bit ARM assembler with -mno-restrict-it.
We're not going to change this code, ARM's not going to break it.
Silence the warnings.

Bug: http://b/114120867
Test: treehugger
Change-Id: Ie25ef44706c952efc5d54012391bee19af095818
2019-06-04 10:38:34 -07:00
Yi Kong
cd3155dd17 Clean up no_libgcc
This property is getting removed.

Test: build
Change-Id: Ib7b8cb189b21b55da6305f6644b0b029b41e8e4b
2019-06-03 16:04:01 -07:00
Mitch Phillips
44c29535cc Merge "Change SANITIZE_TARGET refs from 'coverage' to 'fuzzer'." 2019-05-30 22:24:06 +00:00
Tom Cherry
f6bac59447 Merge "Make 'app' users/groups more accurate" 2019-05-30 19:50:48 +00:00
Mitch Phillips
dfde0eeee1 Change SANITIZE_TARGET refs from 'coverage' to 'fuzzer'.
Cleanup of references to 'coverage' in build files. Part of a larger
cleanup to make fuzzing work again in the Android build tree.

Also fixed a test issue with emulated TLS with the new changes, and
removed libc.so fuzzer support until a linked bug is fixed
(b/132640749).

Bug: 121042685
Test: With all patches in the bug merged: mmma bionic
Change-Id: I592352fe9210ff811a2660a88cbbfe48d70a1e57
Merged-In: I592352fe9210ff811a2660a88cbbfe48d70a1e57
2019-05-30 16:49:13 +00:00
Treehugger Robot
424eb11e43 Merge "Staticlly allocate string buffers for realpath_fd()" 2019-05-30 10:42:20 +00:00
Tom Cherry
6b116d1bbf Make 'app' users/groups more accurate
In an attempt to make bionic's reporting of users and groups more
accurate, this change makes the user / group functions do the
following:

1) Fail to query a uid/gid for a secondary user when the uid/gid
   doesn't exist.  Currently bionic would return successfully but with
   a empty string for the name.
2) Fail to query a platform uid/gid, except a limited pre-allocated
   set for a secondary user, as these are not used by second users.
3) Fail to query uids for all users for the GID-only app ranges:
   CACHE_GID, EXT_GID, EXT_CACHE_GID, SHARED_GID.
4) Fail to query gids in SHARED_GID range for secondary users, as
   these GIDs are only allocated for the first user.
5) Use "u#_a#_ext" and u#_a#_ext_cache" for EXT_GID and EXT_CACHE_GID
   ranges.  This both allows querying based on these names and
   returning these names for the appropriate uids/gids.

This also consolidates the tests for better readability.

Test: these unit tests, boot

Change-Id: I59a1af0792e7806d423439582e56ce7f9f801c94
2019-05-29 15:54:50 -07:00
Treehugger Robot
c3c4929659 Merge "Log when trying to profile non profilable app." 2019-05-29 19:12:30 +00:00
Florian Mayer
9fc9509b52 Log when trying to profile non profilable app.
Change-Id: I91b489d3ff78ab7153ae1a7854ae448e87a6e8da
2019-05-29 10:31:17 +01:00
Ryan Prichard
fc5535074d Merge "Overalign the TLS segment using crtbegin" 2019-05-28 23:34:11 +00:00
Treehugger Robot
cfede4fdd1 Merge changes Ic2d48c93,I981ac9bd
* changes:
  fortify: s/([gl])eq/\1e/g
  fortify: more use of __builtin_constant_p
2019-05-24 06:48:27 +00:00
Christopher Ferris
497d7169d4 Merge "Disable malloc debug when asan enabled." 2019-05-24 05:44:56 +00:00
Treehugger Robot
30d4c6fb06 Merge "fortify: use __builtin_constant_p for more short-circuits" 2019-05-24 02:29:06 +00:00
Treehugger Robot
c2e2ebda5a Merge "linker namespace name is duped when the namespace is created" 2019-05-24 01:11:35 +00:00
George Burgess IV
a743f31981 Merge "fortify: Migrate trivial cases to dynamic check macros" 2019-05-24 00:43:26 +00:00
George Burgess IV
c03d5964d0 fortify: s/([gl])eq/\1e/g
Follow-up from review comments in
https://android-review.googlesource.com/c/platform/bionic/+/961600

Bug: 131861088
Test: mma
Change-Id: Ic2d48c935ced3c7e875923810f4e9970e7439e51
2019-05-23 15:22:01 -07:00
George Burgess IV
d9865e7734 fortify: more use of __builtin_constant_p
This converts all of stdio to short-circuit _chk functions in trivially
safe cases.

Bug: 131861088
Test: checkbuild on internal master. blueline bionic tests pass + it
      boots.
Change-Id: I981ac9bd19112492d5a47dc5277526426b9af710
2019-05-23 15:01:55 -07:00
George Burgess IV
a1a09b211e fortify: use __builtin_constant_p for more short-circuits
This also lets us retire our |__enable_if| version of |strlen|, which
should catch strictly fewer cases where we can fold the string's length
to a constant than |__builtin_constant_p| inside of |strlen|.

Bug: 131861088
Test: checkbuild on internal master. blueline bionic tests pass + it
      boots.
Change-Id: I21b750a24f7d1825591a88d12a385be03a0a7ca3
2019-05-23 15:01:54 -07:00
Ryan Prichard
cc9b100e97 Overalign the TLS segment using crtbegin
Android's current lld build has a hack that overaligns TLS segments, but
it broke glibc when it produced TLS segments where (p_vaddr % p_align) was
non-zero. Move the hack into Bionic's crtbegin instead. It will emit a
0-sized, 64-byte alignment TLS segment into executables that don't use
TLS, but that should be harmless.

This variant of the hack is compatible with the gold and lld linkers. The
ld.bfd linker will optimize the .tdata output section out if its size is
zero, preventing the overalignment in an executable that only has .tbss
sections. This problem could be fixed by adding a ". = .;" statement
inside .tdata in ld.bfd's linker script.

See discussion on https://reviews.llvm.org/D61824.

Bug: https://bugs.llvm.org/show_bug.cgi?id=41527
Test: bionic unit tests, boot a device
Change-Id: I34df8b5594b6518d4590e4861e3d0b74d6fa754e
2019-05-23 14:21:55 -07:00
Treehugger Robot
32e8d4fa71 Merge "fortify: inline #defined strings" 2019-05-23 21:17:31 +00:00
Treehugger Robot
b07c1973d1 Merge "fortify: use a macro in diagnose_if" 2019-05-23 21:17:22 +00:00
George Burgess IV
5da5dd5215 fortify: Migrate trivial cases to dynamic check macros
|__builtin_constant_p| has become more flexible in clang. In particular,
it's no longer forcibly lowered before inlining, so we can actually use
it on function parameters (or |__bos(param)|).

This CL tweaks things so that trivially safe calls to FORTIFY'ed
functions compile into direct calls to those functions, rather than to
their _chk counterparts. This will be the most impactful with things
like |memset|, |memcpy|, etc., since clang has way more flexibility
about how to lower those than it does with |__memset_chk|,
|__memcpy_chk|, ...

As noted in the comments, the spelling of the new macros is meant to
match closely with the spelling of our |__bos_static| macros used in
|diagnose_if|.

This isn't a full cleanup of all of the cases in which we can do this.
Just a start on the super simple cases.

Bug: 131861088
Test: m checkbuild; blueline boots.

Change-Id: I696f42ce4a65231e0c4a78a4c5133a6be1cb7708
2019-05-23 13:39:04 -07:00
George Burgess IV
ff7179350a fortify: inline #defined strings
These were originally #defined so we could share them between our
GCC and clang FORTIFY implementations. Since we no longer have a GCC
FORTIFY, #defining them is sort of pointless.

Bug: 131861088
Test: mma
Change-Id: I2ae4e0bdebbed16c946f5df7cc38c471881b481e
2019-05-23 13:38:09 -07:00
George Burgess IV
5273dc588a fortify: use a macro in diagnose_if
Our diagnose_if conditions are repetitive. It's potentially convenient
to hide that behind a macro. There's an upcoming refactor to our
run-time checks; having static checks look super similar is convenient,
and makes correctness (hopefully) slightly more obvious.

Bug: 131861088
Test: checkbuild on internal master.
Change-Id: Ic39a3b6bf020734c1bef6be144f61ef81466aafe
2019-05-23 13:38:09 -07:00
Elliott Hughes
0c0afe17e9 Merge "Move off the Next ZipString overload." 2019-05-23 17:55:27 +00:00
Treehugger Robot
1b7d236e56 Merge "Disable native_coverage for scudo-related libraries" 2019-05-23 17:19:32 +00:00
Jiyong Park
b66a78b2aa linker namespace name is duped when the namespace is created
A linker namespace lives longer than its caller. It is never deleted
once created in a process. Currently, the pointer to the name is simply
copied which results dangling reference when the name is actually from
temporary objects like std::object. Fixing the issue by strdup'ing the
name upon namespace creation.

Bug: 130388701
Test: atest CtsJniTestCases; the log does not show broken error messages
like
unexpected dlerror: dlopen failed: library "/system/lib64/android.frameworks.cameraservice.common@2.0.so" needed or dlopened by "/data/app/android.jni.cts-HP6GyGXYy5honHQAffUXgw==/lib/arm64/libjnitest.so" is not accessible for the namespace " mT?"

Change-Id: I25d9d76f8520f490755c189ded5659e6c9741f79
2019-05-23 23:58:12 +09:00