Commit graph

53 commits

Author SHA1 Message Date
Elliott Hughes
5038b19cef Break two incorrect transitive includes.
Change-Id: I95519caa5258cf5c6b8053f1c7e08ade2a824e49
2015-01-29 20:12:13 -08:00
Elliott Hughes
76f8916b90 Clean up <stdlib.h> slightly.
Interestingly, this mostly involves cleaning up our implementation of
various <string.h> functions.

Change-Id: Ifaef49b5cb997134f7bc0cc31bdac844bdb9e089
2015-01-26 14:28:41 -08:00
Elliott Hughes
b20c24456e Implement all the POSIX _l functions.
Strictly speaking, this only implements the _l variants of the functions
we actually have. We're still missing nl_langinfo_l, for example, but we
don't have nl_langinfo either.

Change-Id: Ie711c7b04e7b9100932a13f5a5d5b28847eb4c12
2014-11-06 15:52:22 -08:00
Dan Albert
658727e111 Inline helpers need to be exported unmangled.
__open_2() is used by the fortify implementation of open(2) in
fcntl.h, and as such needs an unmangled C name. For some reason
(inlining?), this doesn't cause problems at the default optimization
level, but does for -O0.

The rest of these didn't cause build failures, but they look suspect
and probably will, we just haven't caught them yet.

Bug: 17784968
Change-Id: I7391a7a8999ee204eaf6abd14a3d5373ea419d5b
2014-10-07 16:46:47 -07:00
Nick Kralevich
b84f667e93 further cleanup memcpy fortify implementation
Change-Id: I0380f3c8ca8f9bb8a206accd839c32c9daf13c56
2014-10-05 06:52:24 -07:00
Nick Kralevich
48be71d02b string.h: remove unused variable
Change-Id: I08b7dab1b374ad427fcbee4183f2c7d93d0199a9
2014-10-04 15:20:00 -07:00
Elliott Hughes
416d7ddaff Add GNU-compatible strerror_r.
We already had the POSIX strerror_r, but some third-party code defines
_GNU_SOURCE and expects to get the GNU strerror_r instead.

This exposed a bug in the libc internal logging functions where unlike
their standard brethren they wouldn't return the number of bytes they'd
have liked to have written.

Bug: 16243479
Change-Id: I1745752ccbdc569646d34f5071f6df2be066d5f4
2014-08-28 16:37:09 -07:00
Elliott Hughes
09c39d6df0 Implement the GNU basename(3) in addition to the POSIX one.
Code like perf(1) needs this.

Bug: 11860789
Change-Id: I907eb448052a7b165e4012d74303330d32328cb2
2014-08-19 14:30:30 -07:00
Elliott Hughes
2cfb4e8e2e Improve <sys/cdefs.h>.
Fix and use __RENAME (and lose ___RENAME --- two underscores should be
enough for anybody). This was the point of this change, because I want
to use __RENAME to support the two basename variants and the two
strerror_r variants.

Lose a bunch of macros that weren't being used.

Lose three dead files from the DNS code.

Change-Id: I3ef645c566b16a52217bc2e68c7d54b37c7c9522
2014-08-18 14:45:42 -07:00
Dehao Chen
28285f85a1 Workaround b/16818336 which fails build under aggressive inlining.
(cherry-pick of 7aa27e1c1a53afe28f6180fd1fc50d096cabea7b.)

Change-Id: Ifcd596714c427a2ec39502b9c0af9082ded91884
2014-08-06 11:43:38 -07:00
Dan Albert
dfb5ce42bc Revert "Revert "Add locale aware APIs.""
This reverts commit 063e20c269.

Change-Id: Ib8c9004efefe75a5346b3af50dfe37952d91eb21
2014-07-11 16:21:31 +00:00
Dan Albert
063e20c269 Revert "Add locale aware APIs."
Accidentally verified against a dirty tree. Needs the companion change to libc++ to land upstream before I can submit this.

This reverts commit e087eac404.

Change-Id: I317ecd0923114f415eaad7603002f77feffb5e3f
2014-07-09 22:50:43 +00:00
Dan Albert
e087eac404 Add locale aware APIs.
Since we only support the C locale, we can just forward all of these to
their non-locale equivalents for correct behavior.

Change-Id: Ib7be71b7f636309c0cc3be1096a4c1f693f04fbb
2014-07-09 15:41:53 -07:00
Dan Albert
40fca0f08b Removes index() from bionic.
This function has been removed from POSIX.

Unfortunately, we can't leave #define index(a, b) strchr((a), (b)) in its place
because defining a preprocessor macro for index() breaks a whole lot of code.

Bug: 13935372
Change-Id: Ifda348acde06da61c12e7ee2f8fe6950a3174dd1
2014-06-05 11:05:10 -07:00
Christopher Ferris
950a58e24d Add stpcpy/stpncpy.
Add tests for the above.

Add the fortify implementations of __stpcpy_chk and __stpncpy_chk.

Modify the strncpy test to cover more cases and use this template for
stpncpy.

Add all of the fortify test cases.

Bug: 13746695
Change-Id: I8c0f0d4991a878b8e8734fff12c8b73b07fdd344
2014-04-07 16:41:53 -07:00
Elliott Hughes
152b9de19a Remove non-standard memswap.
Change-Id: I06548dda339987b755ef7139c590ca3e1f9fe0a9
2014-03-10 15:54:40 -07:00
Elliott Hughes
53e43292aa More OpenBSD cleanup (primarily string).
This patch removes the string/ and wchar/ directories.

Change-Id: Ia489904bc67047e4bc79acb1f3eec21aa3fe5f0d
2014-02-24 18:02:05 -08:00
Nick Kralevich
d13c2b1ba6 Fix unnecessary call to __strncpy_chk2
If "n" is smaller than the size of "src", then we'll
never read off the end of src. It makes no sense to call
__strncpy_chk2 in those circumstances.

For example, consider the following code:

int main() {
  char src[10];
  char dst[5];
  memcpy(src, "0123456789", sizeof(src));
  strncpy(dst, src, sizeof(dst));
  dst[4] = '\0';
  printf("%s\n", dst);
  return 0;
}

In this code, it's clear that the strncpy will never read off
the end of src.

Change-Id: I9cf58857a0c5216b4576d21d3c1625e2913ccc03
2013-09-27 13:21:24 -07:00
Pavel Chupin
3c4b50fd8c Fix strchr for basic non-sse case on x86
Fix source location. Move declaration of __strchr_chk out of
ifdef __BIONIC_FORTIFY which should be available for strchr.cpp
compilation when __BIONIC_FORTIFY is not defined.

Change-Id: I552a6e16656e59b276b322886cfbf57bbfb2e6a7
Signed-off-by: Pavel Chupin <pavel.v.chupin@intel.com>
2013-09-03 16:20:52 +04:00
Nick Kralevich
bd8e6749b7 cdefs.h: introduce __bos0
Introduce __bos0 as a #define for __builtin_object_size((s), 0).
This macro is intended to be used for places where the standard
__bos macro isn't appropriate.

memcpy, memmove, and memset deliberately use __bos0. This is done
for two reasons:

1) I haven't yet tested to see if __bos is safe to use.
2) glibc uses __bos0 for these methods.

Change-Id: Ifbe02efdb10a72fe3529dbcc47ff647bde6feeca
2013-08-28 14:27:14 -07:00
Nick Kralevich
93501d3ab8 FORTIFY_SOURCE: introduce __strncpy_chk2
This change detects programs reading beyond the end of "src" when
calling strncpy.

Change-Id: Ie1b42de923385d62552b22c27b2d4713ab77ee03
2013-08-28 12:39:06 -07:00
Nick Kralevich
a6cde39276 More FORTIFY_SOURCE functions under clang
* bzero
* umask
* strlcat

Change-Id: I65065208e0b8b37e10f6a266d5305de8fa9e59fc
2013-06-29 08:16:22 -07:00
Nick Kralevich
8bafa7452e libc: enable FORTIFY_SOURCE clang strlcpy
Change-Id: Idcfe08f5afc3dde592416df9eba83f64e130c7c2
2013-06-20 12:17:44 -07:00
Nick Kralevich
16d1af167f libc: add limited FORTIFY_SOURCE support for clang
In 829c089f83, we disabled all
FORTIFY_SOURCE support when compiling under clang. At the time,
we didn't have proper test cases, and couldn't easily create targeted
clang tests.

This change re-enables FORTIFY_SOURCE support under clang for a
limited set of functions, where we have explicit unittests available.
The functions are:

* memcpy
* memmove
* strcpy
* strncpy
* strcat
* strncat
* memset
* strlen (with modifications)
* strchr (with modifications)
* strrchr (with modifications)

It may be possible, in the future, to enable other functions. However,
I need to write unittests first.

For strlen, strchr, and strrchr, clang unconditionally calls the
fortified version of the relevant function. If it doesn't know the
size of the buffer it's dealing with, it passes in ((size_t) -1),
which is the largest possible size_t.

I added two new clang specific unittest files, primarily copied
from fortify?_test.cpp.

I've also rebuild the entire system with these changes, and didn't
observe any obvious problems.

Change-Id: If12a15089bb0ffe93824b485290d05b14355fcaa
2013-06-18 12:14:20 -07:00
Nick Kralevich
b24c0637d0 libc: Introduce __errordecl()
Define __errordecl and replace __attribute__((__error__("foo")))
with __errordecl. Make sure __errordecl is a no-op on clang, as it
generates a compile time warning.

Change-Id: Ifa1a2d3afd6881de9d479fc2adac6737871a2949
2013-06-18 12:13:52 -07:00
Nick Kralevich
cf870199d5 FORTIFY_SOURCE: strcat / strncat optimize
__strcat_chk and __strncat_chk are slightly inefficient,
because they end up traversing over the same memory region
two times.

This change optimizes __strcat_chk / __strncat_chk so they
only access the memory once. Although I haven't benchmarked these
changes, it should improve the performance of these functions.

__strlen_chk - expose this function, even if -D_FORTIFY_SOURCE
isn't defined. This is needed to compile libc itself without
-D_FORTIFY_SOURCE.

Change-Id: Id2c70dff55a276b47c59db27a03734d659f84b74
2013-05-31 09:07:46 -07:00
Nick Kralevich
1c462b7a04 Use restrict pointers for various libc functions.
All the cool kids say this is the best thing since sliced bread.
http://cellperformance.beyond3d.com/articles/2006/05/demystifying-the-restrict-keyword.html

For the most part, these changes match what glibc does.

Change-Id: I176268f27f82800162fe5f2515b08d5469ea2dfe
2013-05-07 10:00:21 -07:00
Nick Kralevich
3b2e6bc9ac libc: upgrade strrchr to FORTIFY_SOURCE=2
Change-Id: I4c34c2ce22c5092c4446dc1ab55f37604c1c223f
2013-04-30 14:19:23 -07:00
Nick Kralevich
9020fd503c libc: upgrade some libc functions to _FORTIFY_SOURCE=2
Upgrade the following functions:

* vsnprintf
* vsprintf
* snprintf
* fgets
* strcpy
* strcat
* strncat
* strlcpy
* strlcat
* strlen
* strchr

Change-Id: Icc036fc7f0bb317e05f7c051617887a1601271aa
2013-04-30 11:31:35 -07:00
Nick Kralevich
1aae9bd170 strncpy: implement _FORTIFY_SOURCE=2
Add support for fortify source level 2 to strncpy.
This will enable detection of more areas where strncpy
is used inappropriately. For example, this would have detected
bug 8727221.

Move the fortify_source tests out of string_test.cpp, and
put it into fortify1_test.cpp.

Create a new fortify2_test.cpp file, which copies all
the tests in fortify1_test.cpp, and adds fortify_source level
2 specific tests.

Change-Id: Ica0fba531cc7d0609e4f23b8176739b13f7f7a83
2013-04-29 15:22:10 -07:00
Elliott Hughes
890c8ed6ef Fix builds where _FORTIFY_SOURCE is off.
Also add a more intention-revealing guard so we don't have loads of
places checking whether our inlining macro is defined.

Change-Id: I168860cedcfc798b07a5145bc48a125700265e47
2013-03-22 10:58:55 -07:00
Elliott Hughes
538f6fc202 Stop advertising rindex(3), which is both deprecated and unimplemented.
Change-Id: I3c775d9974e49c3f76a53e46e022659657b89034
2013-02-21 17:39:06 -08:00
Nick Kralevich
a44e9afdd1 FORTIFY_SOURCE: optimize
Don't do the fortify_source checks if we can determine, at
compile time, that the provided operation is safe.

This avoids silliness like calling fortify source on things like:

  size_t len = strlen("asdf");
  printf("%d\n", len);

and allows the compiler to optimize this code to:

  printf("%d\n", 4);

Defer to gcc's builtin functions instead of pointing our code
to the libc implementation.

Change-Id: I5e1dcb61946461c4afaaaa983e39f07c7a0df0ae
2013-01-17 15:41:33 -08:00
Nick Kralevich
5787475390 FORTIFY_SOURCE: remove memcpy overlap checks
These checks haven't been as useful as I hoped, and it's
causing a false positive finding.  Remove the overlap
compile time checks.

Change-Id: I5d45dde10ae4663d728230d41fa904adf20acaea
2012-12-07 09:57:01 -08:00
Nick Kralevich
9a4d305340 FORTIFY_SOURCE: fortify strrchr
This change compliments 049e58369c

Change-Id: I27d015d70a520713c7472558a3c427f546d36ee4
2012-12-03 10:39:16 -08:00
Nick Kralevich
049e58369c FORTIFY_SOURCE: fortify strchr
Detect when strchr reads off the end of a buffer.

Change-Id: I0e952eedcff5c36d646a9c3bc4e1337b959224f2
2012-11-30 15:19:15 -08:00
Nick Kralevich
829c089f83 disable _FORTIFY_SOURCE under clang
Clang and _FORTIFY_SOURCE are just plain incompatible with
each other.  First of all, clang doesn't understand the
__attribute__((gnu_inline)) header. Second of all,
Clang doesn't have support for __builtin_va_arg_pack()
and __builtin_va_arg_pack_len() (see
http://clang.llvm.org/docs/UsersManual.html#c_unimpl_gcc)

Until we can resolve these issues, don't even try using
_FORTIFY_SOURCE under clang.

Change-Id: I81c2b8073bb3276fa9a4a6b93c427b641038356a
2012-08-29 12:47:41 -07:00
Shih-wei Liao
d600617645 When compiling with clang, don't "fortify_source" the strlcpy and
strlcat.

Change-Id: I91f58322f28e425ab9d22b51c23fcd6b772ede97
2012-08-06 10:57:37 -07:00
Shih-wei Liao
9a3d53fad0 When compiling with clang, don't "fortify_source" the strlen.
At this point, FORTIFY_SOURCE and clang are just plain incompatible.
Need to solve the underlying incompatibility first.

Change-Id: I3366477d19461e1ec93b1c30e0c7e8145b391b9b
2012-08-06 09:50:56 -07:00
Nick Kralevich
c37fc1ab6a FORTIFY_SOURCE: revert memcpy changes.
Performance regressions.  Hopefully this is a temporary
rollback.

Bug: 6821003
Change-Id: I84abbb89e1739d506b583f2f1668f31534127764
2012-07-13 17:58:37 -07:00
Nick Kralevich
9b6cc223a3 FORTIFY_SOURCE: introduce __BIONIC_FORTIFY_UNKNOWN_SIZE macro
Replace all occurances of "(size_t) -1" with a
__BIONIC_FORTIFY_UNKNOWN_SIZE macro.

Change-Id: I0b188f6cf31417d2dbef0e1bd759de3f9782873a
2012-07-13 14:49:33 -07:00
Nick Kralevich
260bf8cfe0 FORTIFY_SOURCE: strlen check.
This test is designed to detect code such as:

int main() {
  char buf[10];
  memcpy(buf, "1234567890", sizeof(buf));
  size_t len = strlen(buf); // segfault here with _FORTIFY_SOURCE
  printf("%d\n", len);
  return 0;
}

or anytime strlen reads beyond an object boundary. This should
help address memory leakage vulnerabilities and make other
unrelated vulnerabilities harder to exploit.

Change-Id: I354b425be7bef4713c85f6bab0e9738445e00182
2012-07-13 13:49:59 -07:00
Nick Kralevich
f3913b5b68 FORTIFY_SOURCE: enhanced memcpy protections.
Two changes:

1) Detect memory read overruns.

For example:

int main() {
  char buf[10];
  memcpy(buf, "abcde", sizeof(buf));
  sprintf("%s\n", buf);
}

because "abcde" is only 6 bytes, copying 10 bytes from it is a bug.
This particular bug will be detected at compile time.  Other similar
bugs may be detected at runtime.

2) Detect overlapping buffers on memcpy()

It is a bug to call memcpy() on buffers which overlap. For
example, the following code is buggy:

  char buf3[0x800];
  char *first_half  = &buf3[0x400];
  char *second_half = &buf3[1];
  memset(buf3, 0, sizeof(buf3));
  memcpy(first_half, second_half, 0x400);
  printf("1: %s\n", buf3);

We now detect this at compile and run time.

Change-Id: I092bd89f11f18e08e8a9dda0ca903aaea8e06d91
2012-07-12 15:38:15 -07:00
Nick Kralevich
cb228fb4a9 libc: cleanups
Prefix private functions with underscores, to prevent name
conflicts.

Use __error__ instead of error, since occasionally programs will
create their own "#define error ...".

Change-Id: I7bb171df58aec5627e61896032a140db547fd95d
2012-06-26 16:05:19 -07:00
Nick Kralevich
8df49ad246 FORTIFY_SOURCE: add strlcpy / strlcat support
Add strlcpy / strlcat support to FORTIFY_SOURCE. This allows
us to do consistency checks on to ensure we don't overflow buffers
when the compiler is able to tell us the size of the buffer we're
dealing with.

Unlike previous changes, this change DOES NOT use the compiler's
builtin support. Instead, we do everything the compiler would
normally do.

Change-Id: I47c099a911382452eafd711f8e9bfe7c2d0a0d22
2012-06-14 12:52:42 -07:00
Nick Kralevich
71a18dd435 _FORTIFY_SOURCE: add memset / bzero support
Add _FORTIFY_SOURCE support for the following functions:

* memset
* bzero

Move the __BIONIC_FORTIFY_INLINE definition to cdefs.h so it
can be used from multiple header files.

Change-Id: Iead4d5e35de6ec97786d58ee12573f9b11135bb7
2012-06-07 14:19:52 -07:00
Nick Kralevich
0a2301598c libc: implement some FORTIFY_SOURCE functions
Add initial support for -D_FORTIFY_SOURCE to bionic for the
following functions:

* memcpy
* memmove
* strcpy
* strcat
* strncpy
* strncat

This change adds a new version of the above functions which passes
the size of the destination buffer to __builtin___*_chk.

If the compiler can determine, at compile time, that the destination
buffer is large enough, or the destination buffer can point to an object
of unknown size, then the check call is bypassed.

If the compiler can't make a compile time decision, then it calls
the __*_chk() function, which does a runtime buffer size check

These options are only enabled if the code is compiled with
-D_FORTIFY_SOURCE=1 or 2, and only when optimizations are enabled.

Please see
* http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
* http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html

for additional details on FORTIFY_SOURCE.

Testing: Compiled the entire Android tree with -D_FORTIFY_SOURCE=1,
and verified that everything appears to be working properly.
Also created a test buffer overflow, and verified that it was
caught by this change.

Change-Id: I4fddb445bafe92b16845b22458d72e6dedd24fbc
2012-06-05 15:44:31 -07:00
Nick Kralevich
a677907ee8 string.h: add __attribute__ ((pure)) to string functions
cdefs.h: Introduce the __purefunc attribute, which allows us to mark
certain functions as being "pure".

http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html

  Many functions have no effects except the return value and their
  return value depends only on the parameters and/or global variables.
  Such a function can be subject to common subexpression elimination
  and loop optimization just as an arithmetic operator would be.

string.h: Mark many commently used string functions as "pure", to
allow for additional compiler optimizations.

Change-Id: I42961f90f822b6dbcbc3fd72cdbe774a7adc8785
2012-03-21 08:54:54 -07:00
The Android Open Source Project
1dc9e472e1 auto import from //depot/cupcake/@135843 2009-03-03 19:28:35 -08:00
The Android Open Source Project
1767f908af auto import from //depot/cupcake/@135843 2009-03-03 18:28:13 -08:00