Commit graph

12 commits

Author SHA1 Message Date
George Burgess IV
8a4414ef9c fortify: remove pragma diagnostic error from tests
This was necessary because we weren't doing -Werror=fortify-source
everywhere. As of I2715ea411ef067f801534dab4d306fef5431f290, we should
be doing this.

Bug: 131861088
Test: mma
Change-Id: I00d499938ae24c3870760470576d6be603fbecd1
2019-09-19 15:23:45 -07:00
George Burgess IV
36926f4ca8 fortify: account for new clang diagnostics
Clang recently grew its own diagnostics for memcpy and such. These are
generally higher-quality than what we can do with diagnose_if, since
clang is happy to include e.g., sizes of things per-callsite. Move to
those instead where applicable.

Bug: 131861088, 123644155
Test: blueline internal-master checkbuild; treehugger
Change-Id: I701f5a8b247ba2948ca47fdc60ff5198b564c03e
2019-09-16 12:48:04 -07:00
Yi Kong
bf67ea5426 Adapt tests due to the new Clang fortify-source warning
https://reviews.llvm.org/D58797 added several new compile time
_FORTIFY_SOURCE diagnostics. This broke clang_fortify_tests:

FAILED: out/target/product/walleye/obj/STATIC_LIBRARIES/bionic-compile-time-tests2-clang++_intermediates/clang_fortify_tests.o
error: 'warning' diagnostics seen but not expected:
  Line 159: 'memcpy' will always overflow; destination buffer has size 8, but size argument is 9
  Line 161: 'memmove' will always overflow; destination buffer has size 8, but size argument is 9
  Line 165: 'memset' will always overflow; destination buffer has size 8, but size argument is 9
  Line 183: 'strncpy' size argument is too large; destination buffer has size 8, but size argument is 9
  Line 185: 'stpncpy' size argument is too large; destination buffer has size 8, but size argument is 9
  Line 189: 'strncat' size argument is too large; destination buffer has size 8, but size argument is 9
  Line 227: 'strncpy' size argument is too large; destination buffer has size 4, but size argument is 5
  Line 232: 'stpncpy' size argument is too large; destination buffer has size 4, but size argument is 5
  Line 242: 'strncat' size argument is too large; destination buffer has size 4, but size argument is 5
  Line 490: 'snprintf' size argument is too large; destination buffer has size 8, but size argument is 9
  Line 495: 'vsnprintf' size argument is too large; destination buffer has size 8, but size argument is 9
error: 'note' diagnostics seen but not expected:
  File bionic/libc/include/bits/fortify/fcntl.h Line 50: 'open' has been explicitly marked unavailable here
  File bionic/libc/include/bits/fortify/fcntl.h Line 102: 'open64' has been explicitly marked unavailable here
  File bionic/libc/include/bits/fortify/fcntl.h Line 75: 'openat' has been explicitly marked unavailable here
  File bionic/libc/include/bits/fortify/fcntl.h Line 121: 'openat64' has been explicitly marked unavailable here
  File bionic/libc/include/bits/fortify/stdio.h Line 68: 'sprintf' has been explicitly marked unavailable here
16 errors generated.

Bug: 131328001
Bug: 138701853
Test: Build with r365631 toolchain
Change-Id: I103ecb7b3abcf4b5cfc4f36ccab69e03d0976275
2019-08-05 11:48:47 -07:00
George Burgess IV
261b7f4867 fortify: replace bzero/bcmp defines
__builtin_*_chk will emit warnings when things are trivially broken.
Emitting errors instead is probably better (and we can be a bit smarter
about how we emit code for trivially safe cases.)

Bug: 131861088
Test: checkbuild + bionic-unit-tests on blueline
Change-Id: I33957ad419922d0760304758ecb9bc8ad33e0b64
2019-06-20 13:05:23 -07:00
George Burgess IV
849c0b9f51 fortify: add __mempcpy_chk
Bug: 131861088
Test: mma + bionic-unit-tests on blueline
Change-Id: I02f8f87d5db0ba5fecec410da32f6ffa2c98ef57
2019-06-13 23:29:37 -07:00
George Burgess IV
74519e7aa5 fortify: fix overflow checks in unistd
We should only be calling _real versions of the functions that use this
if the input size is verifiably <= SSIZE_MAX. Otherwise, just fall
through to _chk and let that handle it.

Bug: 131861088
Test: mma && bionic-unit-tests
Change-Id: Iba04e486ef91ea1b3539ab6df6260429264e66b4
2019-06-13 23:26:02 -07:00
George Burgess IV
26d25a22e2 fortify: add even more warnings
Bug: 131861088
Test: mma
Change-Id: I557309b3e25b54321ee1fe0207f18b6e840bf76e
2019-06-13 23:26:02 -07:00
George Burgess IV
8c0ec114c5 fortify: fix up a few diagnostics; add __wur to realpath
As it says on the box.

Since realpath isn't a function definition, any attributes it provides
here just add to the "regular" realpath.

__wur is being added to realpath because it returns NULL on failure, and
the contents of the input buffer are undefined in that case. A blueline
checkbuild showed 0 complaints about this new __wur, so it seems
harmless to add.

Bug: 131861088
Test: mma
Change-Id: If5f47e0e290d86df69c0888711e29775c390fca4
2019-06-13 23:26:02 -07:00
George Burgess IV
2356c93d39 fortify: add bit checking for open(at)?64 functions
This also adds _2-variants for these functions, for extra glorious
checking

Bug: 131861088
Test: mma
Change-Id: I80475ff4bb220c0c47894e9532426f53412f176f
2019-06-13 23:26:02 -07:00
George Burgess IV
77f99aaf58 fortify: add diagnostics for str* functions
This CL allows us to diagnose string functions that get an explicit size
passed into them, and string functions that are trivially misused.

Bug: 131861088
Test: mma
Change-Id: I894aec99420a75c6474cfd7d5010f0cf2f10ab21
2019-06-13 23:26:02 -07:00
George Burgess IV
06bb4ce8de fortify: fix tests on x86_64
My declval hack failed on x86_64 with:

```
substitution failure [with T = __va_list_tag [1]]: function cannot
return array type '__va_list_tag [1]'
```

...Because the type of va_list is compiler magic, it's fine for it to be
whatever the compiler wants it to be. Thankfully, pointers to arrays can
be returned, so let's use those instead.

Bug: 135210098
Test: mma on aosp_blueline-eng and aosp_x86_64-eng; the latter was
      failing before this patch.

Change-Id: Iefd57c0f8e823653fd70633fb6ee75cfc0022430
2019-06-13 15:18:16 -07:00
George Burgess IV
9a2741010a fortify: import tests from Chrome OS
Chrome OS has a fairly extensive FORTIFY test suite for both
compile-time and run-time diagnostics. It covers tons of edge cases, and
conveniently centralizes diagnostic and death testing.

A fair amount of it has been ifdef'ed out, since Bionic doesn't yet
diagnose (or crash on) some of these things. The intent is to explicitly
declare defeat on the things we don't care to FORTIFY, and slowly fix
the rest in easier-to-digest CLs.

Once that's done, we might be able to look into retiring some of the
FORTIFY testing that we don't share with the CrOS folks.

Bug: 131861088
Test: mma + bionic-unit-tests on blueline

Change-Id: I16734ea0769e03cf658ef10532d64f28fdb36a89
2019-06-10 12:46:49 -07:00