Commit graph

2162 commits

Author SHA1 Message Date
Elliott Hughes
ec9ff04075 Add a hack for a RISC-V bug.
I can't find this documented anywhere, other than people observing that
RISC-V appears to behave in this way. See the LLVM commit making a
similar change to similar code, for example: https://reviews.llvm.org/D87579.

Unsatisfying, but it works, and I suspect we're all too far down this
copy & paste hole to get back out now. See also psabi bug
https://github.com/riscv-non-isa/riscv-elf-psabi-doc/issues/18 for
more discussion.

Change-Id: I9e9d60bf859715895370861b2024deeb1d330577
Signed-off-by: Mao Han <han_mao@linux.alibaba.com>
Signed-off-by: Xia Lifang <lifang_xia@linux.alibaba.com>
Signed-off-by: Chen Guoyin <chenguoyin.cgy@linux.alibaba.com>
Signed-off-by: Wang Chen <wangchen20@iscas.ac.cn>
Signed-off-by: Lu Xufan <luxufan@iscas.ac.cn>
Test: treehugger
2022-11-11 17:12:57 +00:00
Elliott Hughes
00211554a7 Remove strtoq() and strtouq().
These have been aliases for strtoll() and strtoull() since L, by
accident. We've never exposed them in the headers, and they're unused by
any apps. Let's fix the inconsistency between libc.so and its headers by
removing the aliases.

Bug: https://github.com/android/ndk/issues/1803
Test: treehugger
Change-Id: I87de7831c04b3e450a44e9f0386cacb73793e393
2022-11-09 16:15:05 +00:00
Elliott Hughes
c5e588ad37 Merge "riscv64 TLS support." 2022-10-12 00:35:37 +00:00
Elliott Hughes
287f48e6e5 riscv64: more <sys/ucontext.h>.
Actually, we don't want to reuse the kernel struct ucontext because its
uc_mcontext has the wrong type, which means the fields within that end
up with the wrong names. Add the call site that made that evident, and
update <sys/ucontext.h> appropriately.

Signed-off-by: Mao Han <han_mao@linux.alibaba.com>
Signed-off-by: Xia Lifang <lifang_xia@linux.alibaba.com>
Signed-off-by: Chen Guoyin <chenguoyin.cgy@linux.alibaba.com>
Signed-off-by: Wang Chen <wangchen20@iscas.ac.cn>
Signed-off-by: Lu Xufan <luxufan@iscas.ac.cn>
Test: treehugger
Change-Id: If1d079afef0d5953aa22d9b0e049cfb0119c7718
2022-10-11 00:01:35 +00:00
Elliott Hughes
43462707a1 riscv64 TLS support.
Signed-off-by: Mao Han <han_mao@linux.alibaba.com>
Signed-off-by: Xia Lifang <lifang_xia@linux.alibaba.com>
Signed-off-by: Chen Guoyin <chenguoyin.cgy@linux.alibaba.com>
Signed-off-by: Wang Chen <wangchen20@iscas.ac.cn>
Signed-off-by: Lu Xufan <luxufan@iscas.ac.cn>
Test: treehugger
Change-Id: I14efb4a03a3dc2ec736d7e47a3f8859c886eb9d6
2022-10-10 20:30:24 +00:00
Elliott Hughes
6cfd1b59b0 Call out the REL architectures and make RELA the default.
That is: list the two legacy architectures rather than non-legacy ones!

Test: treehugger
Change-Id: I6545a27e740d83e0279b04f161cec179bb0253af
2022-10-05 21:41:48 +00:00
Elliott Hughes
6660d6c00b Rewrite renameat().
risc-v doesn't have renameat(2), only renameat2(2). Similar to other
architectures, let's make sure everyone's on the same code path by
having all implementations of renameat() go via renameat2().

I've also moved the existing rename()-in-terms-of-renameat() to be in
terms of renameat2() to cut out the middleman!

Test: treehugger
Change-Id: Ibe5e69aca5b39ea014001540bcd4fd3003e665cb
2022-10-04 20:13:49 +00:00
Benjamin Lerman
27a37e70a7 fdsan: fix overflow in FdTableImpl::at
Change-Id: Ia687eb52a9c5469225550316f884c229a2218724
2022-09-27 11:39:04 +02:00
Florian Mayer
cc61ad895e Add android_mallopt to query MTE stack state
Bug: 244364391
Change-Id: Ie6267201f0c2e293b27c71cd160a2311c9de8091
2022-09-07 23:38:42 +00:00
Brian Duddie
5cfca6b832 Add fdsan owner type for native_handle_t
Bug: 244214188
Test: validated alongside sensor service change
Change-Id: Ia576b551012c50def8a8ebe82115ceac35070dcb
2022-08-29 21:29:45 +00:00
Florian Mayer
af24941d48 Merge "[MTE] Never upgrade MTE mode for zygote." 2022-08-16 16:23:50 +00:00
Florian Mayer
14cbb7963a [MTE] Never upgrade MTE mode for zygote.
Bug: 169277947
Change-Id: I90e9f3d2084b0ef5d035b5ae3e5101e365038f26
2022-08-15 14:34:49 -07:00
Elliott Hughes
f9fac36f15 Merge "Add C23's memset_explicit()." 2022-08-11 22:01:28 +00:00
Elliott Hughes
d1c3d4a454 Merge "Add %b and %B support to the scanf/wscanf and strto*/wcsto* families." 2022-08-11 21:22:23 +00:00
Elliott Hughes
1f462dec34 Add %b and %B support to the scanf/wscanf and strto*/wcsto* families.
Coming to C23 via WG14 N2630.

This one is a little interesting, because it actually changes existing
behavior. Previously "0b101" would be parsed as "0", "b", "101" by these
functions. I'm led to believe that glibc plans to actually have separate
versions of these functions for C23 and pre-C23, so callers can have the
behavior they (implicitly) specify by virtue of which -std= they compile
with. Android has never really done anything like that, and I'm pretty
sure app developers have more than enough to worry about with API levels
without having to deal with the cartesian product of API level and C
standard.

Therefore, my plan A is "if you're running on Android >= U, you get C23
behavior". My plan B in the (I think unlikely) event that that actually
causes trouble for anyone is "if you're _targeting_ Android >= U, you
get C23 behavior". I don't think we'd actually want to have two versions
of each of these functions under any circumstances --- that seems by far
the most confusing option.

Test: treehugger
Change-Id: I0bbb30315d3fabd306905ad1484361f5d8745935
2022-08-11 00:25:08 +00:00
Elliott Hughes
0d64243407 Add C23's memset_explicit().
https://open-std.org/jtc1/sc22/wg14/www/docs/n2897.htm

Test: treehugger
Change-Id: Ia0cfc72bdf3c22eda6a4fc9adaa4c0ca0ff9a7c8
2022-08-10 23:36:16 +00:00
Florian Mayer
408e1700f8 Allow init to upgrade MTE to sync.
Bug: 169277947
Test: see other change in topic
Change-Id: I9f5820ffaeb23a4f5539bdbe3db1b455e45d84d8
2022-08-10 10:11:08 -07:00
Florian Mayer
4ff089f82a Merge "[MTE] Allow remote mode override for process." 2022-08-02 00:17:05 +00:00
Treehugger Robot
c7bf4d419c Merge "[MTE] use static buffer for per-process property name." 2022-08-01 23:51:07 +00:00
Florian Mayer
dee80d515f [MTE] Allow remote mode override for process.
Test: setprop persist.device_config.memory_safety_native.mode_override.process.mte_crash sync
Test: setprop persist.device_config.memory_safety_native.mode_override.process.mte_crash off
Change-Id: I5b167a30a56f56e3f292088f116f398afde65644
2022-08-01 15:17:46 -07:00
Florian Mayer
27914298f5 [MTE] use static buffer for per-process property name.
Change-Id: I3b0d0fdffe72aef7d66544fecac18f7a097ddbaf
2022-08-01 15:02:47 -07:00
Florian Mayer
85eb6fd243 [style] [MTE] remove unnecessary condition.
Change-Id: I186cc82d827c75a9a6e68d081ded2e9dba1dd168
2022-08-01 19:00:59 +00:00
Elliott Hughes
f305560b12 Always free after getline().
Noticed by "NRK": https://www.openwall.com/lists/musl/2022/07/29/5

We don't have this problem elsewhere in bionic because it's so rare to
call getline() without a loop, and the free() is always outside the loop
because that's a handy optimization.

Test: treehugger
Change-Id: Iff8845aa226d87357b38cf4a285fc1be3cac5659
2022-07-29 19:28:37 +00:00
Elliott Hughes
d771a7cde3 Simplify the implementation of get_nproc().
It came up on the musl mailing list that there's not actually any need
to iterate over the directory entries:

https://www.openwall.com/lists/musl/2022/07/27/1

This lets us reuse the code for "online" processors in the
implementation of "configured" processors. The question of whether
"configured" should correspond to Linux's "possible" or "present" isn't
obvious to me, but the distinction seems unlikely to matter on mobile
devices anyway, and that's a trivial change should it ever be needed.
Plus the motivating argument from the person who brought this up was
that callers asking for "configured" processors are probably asking for
an upper bound, which sounds convincing to me.

Test: treehugger
Change-Id: I0d4e13538dc6b09a6dba520d9ac24f436906f7c0
2022-07-28 17:52:46 +00:00
Mitch Phillips
9634c36565 Add persistent GWP-ASan sysprops.
Adds persistent sysprops for test infra usage, and adds the tests for
the sysprops.

The test does some fancy flocking in order to restore any existing
GWP-ASan sysprop usage in the test cleanup.

Bug: 236738714
Test: atest bionic-unit-tests
Change-Id: I8956296d39c98ce8c7dd0a703b240530d8ad48db
2022-06-29 09:25:13 -07:00
Ryan Prichard
bcb9715b63 Avoid using new/delete in locale.cpp
This file is included in libandroid_support.a, where using new/delete
breaks libc++ tests that assume that libc++ makes no extraneous
new/delete calls.

This CL changes newlocale/duplocale to return NULL on out-of-memory.
Previously, the behavior varied:
 - libc.so: aborted using async_safe_fatal
 - libandroid_support.a: throws std::bad_alloc

Bug: none
Test: std/input.output/filesystems/class.path/path.member/path.assign/move.pass.cpp
Test: libcxx/localization/locales/locale/locale.types/locale.facet/no_allocation.pass.cpp
Test: std/input.output/filesystems/class.path/path.member/path.construct/move.pass.cpp
Change-Id: I38c772f249f32322afb9402ebeeb4bb65a908b59
2022-06-13 17:39:32 -07:00
Almaz Mingaleev
0219fe82c6 Merge "Bump tzcode from 2016g to 2022a*." 2022-06-08 07:53:40 +00:00
Almaz Mingaleev
5411aff6bb Bump tzcode from 2016g to 2022a*.
Upstream has renamed tzsetlcl to tzset_unlocked. As bionic's
implementation of tzset_unlock differs from upstream, these changes were
skipped.

Also, upstream has removed constants (SECSPERMIN, etc) from tzfile.h. As
they are used in strptime.c, I've decided to leave them in tzfile.h and
to not bring them into strptime.c.

HAVE_TZNAME and USG_COMPAT flags semantics were updated, thus setting
their values to 2 in Android.bp file. See
1a27ec76bc

* 4742526b7e
and 0e8f0b06ac
were picked up, which are not part of 2022a.

Changes were applied using following commands:
  1) Checkout tzcode repo
  2) Prepare patches for all tzcode file using
    git diff 2016g 2021e -- <file-name> > <file-name-patch>
  3) Apply these patches to files in bionic using
    patch -p1 <file-name> <file-name-patch>

Bug: 25413083
Test: CtsLibcoreTestCases
Test: CtsLibcoreOjTestCases
Test: CtsBionicTestCases

Change-Id: I9aba4cbeab30171a32f94d20c8e4057804a4c01f
2022-06-07 09:59:16 +01:00
Evgenii Stepanov
3031a7e45e memtag_stack: vfork and longjmp support.
With memtag_stack, each function is responsible for cleaning up
allocation tags for its stack frame. Allocation tags for anything below
SP must match the address tag in SP.

Both vfork and longjmp implement non-local control transfer which
abandons part of the stack without proper cleanup. Update allocation
tags:
* For longjmp, we know both source and destination values of SP.
* For vfork, save the value of SP before exit() or exec*() - the only
  valid ways of ending the child process according to POSIX - and reset
  tags from there to SP-in-parent.

This is not 100% solid and can be confused by a number of hopefully
uncommon conditions:
* Segmented stacks.
* Longjmp from sigaltstack into the main stack.
* Some kind of userspace thread implementation using longjmp (that's UB,
  longjmp can only return to the caller on the current stack).
* and other strange things.

This change adds a sanity limit on the size of the tag cleanup. Also,
this logic is only activated in the binaries that carry the
NT_MEMTAG_STACK note (set by -fsanitize=memtag-stack) which is meant as
a debugging configuration, is not compatible with pre-armv9 CPUs, and
should not be set on production code.

Bug: b/174878242
Test: fvp_mini with ToT LLVM (more test in a separate change)

Change-Id: Ibef8b2fc5a6ce85c8e562dead1019964d9f6b80b
2022-05-27 13:19:34 -07:00
Treehugger Robot
39de8b944e Merge "Basic support for MTE stack tagging." 2022-05-27 02:15:53 +00:00
Evgenii Stepanov
f9fa32acf3 Basic support for MTE stack tagging.
Map all stacks (primary, thread, and sigaltstack) as PROT_MTE when the
binary requests it through the ELF note.

For the reference, the note is produced by the following toolchain changes:
https://reviews.llvm.org/D118948
https://reviews.llvm.org/D119384
https://reviews.llvm.org/D119381

Bug: b/174878242
Test: fvp_mini with ToT LLVM (more tests in a separate change)

Change-Id: I04a4e21c966e7309b47b1f549a2919958d93a872
2022-05-26 16:18:53 -07:00
Elliott Hughes
f2d59f93e6 Merge "Remove the KSM hack in mmap()." 2022-05-18 23:15:47 +00:00
Florian Mayer
e54a0525e7 Remove unused function.
Change-Id: Iac7b16278868e1d5d267eb9637de6dbcb6bdacfb
2022-05-17 22:54:09 +00:00
Elliott Hughes
b3b0eb6f0e Remove the KSM hack in mmap().
We've been telling people not to use KSM since 2018.

Bug: http://b/115637122
Test: treehugger
Change-Id: Iaa4e0e31e449a74700b6ed47881b9625556f0982
2022-05-17 12:38:38 -07:00
Florian Mayer
3c0f0969b9 Remove unnecessary static variable.
Change-Id: I1e0049895fc493f5e8b728707a076d5ad022f8c1
2022-05-10 20:57:13 +00:00
Maciej Żenczykowski
b65e105047 add new Linux close_range() system call to bionic
See:
  https://man7.org/linux/man-pages/man2/close_range.2.html

Note: 'man close_range' documents 'flags' as unsigned int,
while glibc unistd.h as just 'int'.  Picking 'int' to match glibc,
though it probably doesn't matter.

BYPASS_INCLUSIVE_LANGUAGE_REASON=man is a cli command
Test: TreeHugger
Bug: 229913920
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1e2d1c8edc2ea28922d60f3ce3e534a784622cd1
2022-05-06 10:33:04 +00:00
Maciej Żenczykowski
c9c0ebde3c allowlist new Linux close_range() system call, use it in posix_spawn()
Linux kernel's close_range() system call (currently) allows:
  close() unshare() fcntl(F_SETFD, FD_CLOEXEC)
to be performed on ranges of fds.

All 3 of these are already allowed by seccomp bpf:
as such this doesn't allow you to do anything you can't already do.

We can't add close_range() properly to bionic because we'd need to
fiddle about with ltp and it's too late to add new T API anyway,
so let's just make the direct syscall() call.

We'll add proper support in U.

See also:
  https://man7.org/linux/man-pages/man2/close_range.2.html

Test: TreeHugger
Bug: 229913920
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I85586d544fc23bed6aee59f00bdb79ee7a8150d1
2022-04-28 23:33:38 +00:00
Maciej Żenczykowski
520e2d3490 Merge "posix_spawn - implement support for POSIX_SPAWN_CLOEXEC_DEFAULT" 2022-04-26 22:45:51 +00:00
Mitch Phillips
3865c8f942 Merge "[GWP-ASan] Provide runtime configuration through an env var + sysprop." 2022-04-21 18:12:43 +00:00
Maciej Żenczykowski
262b873dea posix_spawn - implement support for POSIX_SPAWN_CLOEXEC_DEFAULT
This new posix_spawn attribute flag marks all file descriptors
(except stdin/out/err) as close-on-exec before executing any user
registered file actions (posix_spawn_file_actions_addopen/adddup2).

Test: TreeHugger
Bug: 229913920
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: If458100d6a253a9b0348d4e93a9a610225f89615
2022-04-21 07:09:55 -07:00
Mitch Phillips
e6997d52de [GWP-ASan] Provide runtime configuration through an env var + sysprop.
This patch introduces GWP-ASan system properties and environment
variables to control the internal sampling rates of GWP-ASan. This can
be used for:

 1. "Torture testing" the system, i.e. running it under an extremely
    high sampling rate under GWP-ASan.
 2. Increasing sampling remotely to allow further crash report
    collection of rare issues.

There are three sets of system properites:
 1. libc.debug.gwp_asan.*.system_default: Default values for native
    executables and system apps.
 2. libc.debug.gwp_asan.*.app_default: Default values for non-system
    apps, and
 3. libc.debug.gwp_asan.*.<basename/app_name>: Default values for an
    individual app or native process.

There are three variables that can be changed:
 1. The allocation sampling rate (default: 2500) - using the environment
    variable GWP_ASAN_SAMPLE_RATE or the libc.debug.gwp_asan.sample_rate.*
    system property.
 2. The process sampling rate (default: 128 for system apps/processes, 1
    for opted-in apps) - using the environment variable
    GWP_ASAN_PROCESS_SAMPLING or the libc.debug.gwp_asan.process_sampling.*
    system property,
 3. The number of slots available (default: 32) - using the environment
    variable GWP_ASAN_MAX_ALLOCS or the libc.debug.gwp_asan.max_allocs.*
    system property.

If not specified, #3 will be calculated as a ratio of the default
|2500 SampleRate : 32 slots|. So, a sample rate of "1250" (i.e. twice as
frequent sampling) will result in a doubling of the max_allocs to "64".

Bug: 219651032
Test: atest bionic-unit-tests
Change-Id: Idb40a2a4d074e01ce3c4e635ad639a91a32d570f
2022-04-20 11:26:00 -07:00
Christopher Ferris
8cfc318a87 Merge "In android_set_abort_message, check for nullptr." 2022-04-12 23:33:59 +00:00
Christopher Ferris
bbf9cd86ca In android_set_abort_message, check for nullptr.
If a process is failing due to out of memory, some code calls
android_set_abort_message with a nullptr. Specifically, the libc++
library std::terminate can call do this. In this case, put a
null in the abort message.

Test: Call with nullptr and verify the code does not crash.
Test: Modified crasher to set an abort message and set a null abort
Test: message. Ran both, verified the abort message displays in
Test: first case, and doesn't display in the second case.
Change-Id: Ia9250f47e4537853ce93bbb20b35915a78caa502
2022-04-12 13:46:48 -07:00
Mitch Phillips
c70311c296 [GWP-ASan] Fix bugs in realloc().
Two edge cases were found in aosp/2038947:
 1. realloc(p, 0) == free() and returns nullptr. Previously, we just
    returned a new pointer.
 2. If the malloc() part of realloc() fails (e.g. when the size of the
    allocation is 1 << 56), then the old memory shouldn't be destroyed.

Bug: N/A
Test: Covered using atest bionic-unit-tests using aosp/2038947.
Change-Id: Ibafc752787129922a1e0323ffa14221d6a14f108
2022-04-11 13:36:39 -07:00
Elliott Hughes
93f3017e03 Merge "Revert "Disable pointer authentication in app processes."" 2022-03-14 21:09:31 +00:00
Elliott Hughes
7309177235 Revert "Disable pointer authentication in app processes."
Revert submission 1954983-master-I3030c47be9d02a27505bd4775c1982a20755758c

Reason for revert: PAC has shipped with S, and we're going with app compat outreach rather than regressing security.
Reverted Changes:
I3030c47be:Disable pointer authentication in app processes.
I3030c47be:Disable pointer authentication in app processes.

Change-Id: I8761f08ddbd9077ff98b1a9a0c323de968792778
2022-03-10 18:01:04 +00:00
Elliott Hughes
62d49fd8e1 posix_spawn: always clear O_CLOEXEC for dup'ed fds.
dup2(2) is a no-op if the new and old fds are equal, but it's pretty
clear that any useful caller in the posix_spawn(3) context wants us to
clear O_CLOEXEC even if we don't actually "move" the fd.

Bug: https://www.austingroupbugs.net/view.php?id=411
Test: treehugger
Change-Id: I5ce1a1f9216df5afd295cc9e35b84527873e9541
2022-02-16 14:39:07 -08:00
Ryan Savitski
d4aa14d9dd profiling: override dumpability while opening /proc/self/mem,maps
For the perf profiling signal handler to succeed in opening
/proc/self/mem, the process needs to be marked as dumpable in posix
terms. This patch addresses a scenario since Android S where the process
is considered profileable, but is not dumpable on "user" builds. The
solution is to mark the process as dumpable while opening the procfs
descriptors, restoring the original value afterwards. This is the same
approach as the heapprofd heap profiler, which performs the override
within the loaded client library [1].

The particular scenario being addressed is:
* user build
* app does not explicitly opt into being profiled by shell
* app does not explicitly opt out of all profiling
In this case, the app is considered profileable by the platform (but NOT
shell). Therefore ActivityThread marks the process as profileable [2],
but the zygote keeps the process as undumpable as it considers the
profileability from the shell domain [3]. We could change the logic in
the zygote to leave such processes in the dumpable state, but the
override within the signal handler is considered to be more contained as
the dumpability is only needed temporarily.

This override would also apply for any non-dumpable native services that
are signalled for profiling, which is also desireable for profiling
coverage.

This change does not elide any of the existing profileability
checks by the signal handler's preamble and the profiler itself.

[1]
https://cs.android.com/android/platform/superproject/+/master:external/perfetto/src/profiling/memory/client.cc;l=184;drc=78cd82ba31233ce810618e07d349fd34efdb861d
[2]
https://cs.android.com/android/platform/superproject/+/master:frameworks/base/core/java/android/app/ActivityThread.java;l=6610;drc=de9cf3392d7872c2bee69b65a614e77bb166b26e
[3]
https://cs.android.com/android/platform/superproject/+/master:frameworks/base/core/jni/com_android_internal_os_Zygote.cpp;l=1680;drc=master

Tested: clock app on barbet-user succeeds in opening the procfs
descriptors within the signal handler.
Tested: systemwide profiling on sargo-userdebug works as before.
Bug: 196810669
BYPASS_INCLUSIVE_LANGUAGE_REASON=referencing the name of a cmdline utility
Change-Id: Id621d4312418ff0736c97065e9ee577ff67f40da
2022-02-11 16:31:24 +00:00
Mitch Phillips
9425b16978 [MTE] Relax ELF note.
Currently, the ELF note parsing in the loader is not permissive. This
patch relaxes the restrictions on the bits of the ELF note that could be
extended in the future.

This may allow more MTE options in apexes. If we add some extra metadata
bit (say, in bit 5) in the future, and then build MTE into every apex,
we don't want it to crash on Android 13 devices (we'd much rather it
just be a no-op).

Remove the (unused anywhere) NT_MEMTAG_DEFAULT and call it
NT_MEMTAG_NONE.

And finally, make the tests work on bionic-unit-tests-static. We
previously didn't deploy the test binaries, so add them as a data
dependency.

Bug: N/A
Test: atest bionic-unit-tests-static
Change-Id: I13530faad55c719c6eb848297f8ce378e18afbfc
2022-02-08 13:17:18 -08:00
Treehugger Robot
2be3e92943 Merge "[MTE] add sysprop to set mte state globally" 2022-02-08 16:47:32 +00:00