We've updated the corresponding glibc headers so we don't need these
hacks any more.
Bug: http://b/318541070
Test: treehugger
Change-Id: Ic1974f30f9edb2589cc93041822706bc89909882
When annotating the netinet directory aosp/2552567, we realize the
argment s for vsnprintf family can be null only if the buffer size is 0.
So we correct them and add some tests to verify our assumption.
Bugs: b/245972273
Test: adb shell
Change-Id: I51063286272be0daee0d7c1453a374b1f5674481
bionic/tests/fortify_test.cpp:207:31: error: format specifies type 'char *' but the argument has type 'void *' [-Werror,-Wformat]
ASSERT_FORTIFY(printf("%s", memchr(myfoo.a, 'a', asize)));
~~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~
Bug: http://b/155835175
Test: atest for bionic
Change-Id: I0fa4e63deadffb7391e66ab834ff11e4f1d6dba6
The comment and pragma for GCC genuinely don't seem to be needed for
Clang.
Clarify the comment about the two ways in which clang_fortify_tests.cpp
is used.
Test: treehugger
Change-Id: Icb48a5848c005104ab2d2456da3978bbaf7e158c
We don't support GCC here anymore. More importantly: `#ifdef foo &&
bar` is apparently parsed as `#ifdef foo` with extra tokens at the end.
Oops.
Bug: None
Test: Treehugger
Change-Id: I63d09b0fbad688d3b68a3327a52b3bb55627272f
I've deliberately not bothered with the GCC implementation because we'll
have removed GCC from the NDK before anyone gets to use this.
Bug: http://b/72493232
Test: ran tests
Change-Id: Icfc2a3b214739ab53aa41bacacc11b5c67498fb4
Strictly, the mode isn't really meaningful unless you supply O_EXCL,
but the kernel will take it and fstat will return it even if you
never give the file a name.
Also warn for O_TMPFILE without a mode at compile time where possible.
Bug: N/A
Test: ran tests
Change-Id: I729b6d6e6190676fd017a1190b6200bf9abdbfd8
After the new rebase of Clang, we now support the alloc_size attribute,
so we can remove the warning about switching to alloc_size once Clang
has support.
Also fix an issue where 'false' is returned in a main method.
Test: make cts
Bug: 37752547
Change-Id: I32ee814aaa0338567cb8174a68d7ee1bfece2f75
And add a thing to remind us to enable the malloc FORTIFY test when we
pull a new clang in.
Bug: 34747525
Test: vts -m BionicUnitTests on bullhead
Change-Id: If341a27756d608a0fa77ba6518e9bcc725f7632c
libcxx provides const-correct overloads for a few string.h functions.
These overloads use clang's enable_if attribute, so they're preferred
over our FORTIFY'ed equivalents.
This weakens _FORTIFY_SOURCE=2 when used with some of these functions,
since clang needs to see __pass_object_size in order to pass an accurate
result for __builtin_object_size(s, 1) at a callsite. Since those
functions don't have __pass_object_size on their params, clang can't do
that. This makes LLVM lower the __builtin_object_size calls, which means
we get the same result as __builtin_object_size(s, 0).
We have to provide all of the overloads in Bionic, since enable_if is
only used to disambiguate overloads with (otherwise) the same type. In
other words:
// overload 1
char *strchr(const char *, int s) __attribute__((enable_if(1, "")));
// overload 2
char *strchr(char *, int s);
void foo() {
char cs[1] = {};
strchr(static_cast<const char *>(cs), '\0'); // calls overload #1.
strchr(cs, '\0'); // calls overload #2.
}
Bug: 34747525
Test: m checkbuild on bullhead internal master + AOSP. vts -m
BionicUnitTests passes on both. Surprisingly, the only code that this
seems to break is contained in Bionic.
Change-Id: Ie406f42fb3d1c5bf940dc857889876fc39b57c90
These are just based on the read/pread{,64} implementations with the
function calls and error messages adjusted as appropriate. The only
difference is that the buffer parameters are const.
Change-Id: Ida1597a903807f583f230d74bcedffdb7b24fcf6
A __size_mul_overflow utility is used to take advantage of the checked
overflow intrinsics in Clang and GCC (>= 5). The fallback for older
compilers is the optimized but less than ideal overflow checking pattern
used in OpenBSD.
Change-Id: Ibb0d4fd9b5acb67983e6a9f46844c2fd444f7e69
Otherwise the gcc compiler warning doesn't show up.
Delete some unittests. These unittests no longer compile cleanly
using -Wall -Werror, and rewriting them to compile cleanly
isn't feasible.
Bug: 17784968
Change-Id: I9bbdc7b6a1c2ac75754f5d0f90782e0dfae66721
PR_GET_DUMPABLE is used by an application to indicate whether or
not core dumps / PTRACE_ATTACH should work.
Security sensitive applications often set PR_SET_DUMPABLE to 0 to
disable core dumps, to avoid leaking sensitive memory to persistent
storage. Similarly, they also set PR_SET_DUMPABLE to zero to prevent
PTRACE_ATTACH from working, again to avoid leaking the contents
of sensitive memory.
Honor PR_GET_DUMPABLE when connecting to debuggerd. If an application
has said it doesn't want its memory dumped, then we shouldn't
ask debuggerd to dump memory on its behalf.
FORTIFY_SOURCE tests: Modify the fortify_source tests to set
PR_SET_DUMPABLE=0. This reduces the total runtime of
/data/nativetest/bionic-unit-tests/bionic-unit-tests32 from approx
53 seconds to 25 seconds. There's no need to connect to debuggerd
when running these tests.
Bug: 16513137
Change-Id: Idc7857b089f3545758f4d9b436b783d580fb653f
I've also switched some tests to be positive rather than negative,
because !defined is slightly harder to reason about and there are
only two cases: bionic and glibc.
Change-Id: I8d3ac40420ca5aead3e88c69cf293f267273c8ef
Add tests for the above.
Add the fortify implementations of __stpcpy_chk and __stpncpy_chk.
Modify the strncpy test to cover more cases and use this template for
stpncpy.
Add all of the fortify test cases.
Bug: 13746695
Change-Id: I8c0f0d4991a878b8e8734fff12c8b73b07fdd344
In order to be able to generate a list of tests for cts, the same set of
tests must exist across all platforms. This CL adds empty tests where a
test was conditionally compiled out.
This CL creates a single library libBionicTests that includes all of
the tests found in bionic-unit-tests-static.
Also fix a few missing include files in some test files.
Tested by running and compiling the tests for every platform and
verifying the same number of tests are on each platform.
Change-Id: I9989d4bfebb0f9c409a0ce7e87169299eac605a2
Previously, FORTIFY_SOURCE used single macros to define these standard
functions for use with clang. This can cause conflicts with other macros used
to call these functions, particularly when those macros expand the number of
arguments to the function. This change wraps our macro definitions, so that
expansion properly takes place for programmer arguments first.
Change-Id: I55929b1fd2a643b9d14a17631c4bcab3b0b712cf
Make sure the buffer we're dealing with has enough room.
Might as well check for memory issues while we're here,
even though I don't imagine they'll happen in practice.
Change-Id: I0ae1f0f06aca9ceb91e58c70183bb14e275b92b5
malloc and family were not declared with __attribute__((alloc_size)).
This was (sometimes) preventing FORTIFY_SOURCE related functions
from knowing the size of the buffer it's dealing with, inhibiting
FORTIFY_SOURCE protections.
Add __attribute__((alloc_size))
Information about the alloc_size attribute can be found
at http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html
Change-Id: Ia2f0a445f0170a7325f69259b5e7fb35a9f14921
Fortify calls to recv() and recvfrom().
We use __bos0 to match glibc's behavior, and because I haven't
tested using __bos.
Change-Id: Iad6ae96551a89af17a9c347b80cdefcf2020c505
I accidentally did a signed comparison of the size_t values passed in
for three of the _chk functions. Changing them to unsigned compares.
Add three new tests to verify this failure is fixed.
Bug: 10691831
Merge from internal master.
(cherry-picked from 883ef2499c)
Change-Id: Id9a96b549435f5d9b61dc132cf1082e0e30889f5
