{get,set}domainname aren't in POSIX but are widely-implemented
extensions.
The Linux kernel provides a setdomainname syscall but not a symmetric
getdomainname syscall, since it expects userspace to get the domain name
from uname(2).
Change-Id: I96726c242f4bb646c130b361688328b0b97269a0
Signed-off-by: Greg Hackmann <ghackmann@google.com>
This patch uses __kernel_vsyscall instead of "int 0x80"
as the syscall entry point. AT_SYSINFO points to
an adapter to mask the arch specific difference and gives a
performance boost on i386 architecture.
Change-ID: Ib340c604d02c6c25714a95793737e3cfdc3fc5d7
Signed-off-by: Mingwei Shi <mingwei.shi@intel.com>
Even though the size parameter to epoll_create(2) is (otherwise) unused,
passing in size <= 0 is explicitly documented as an error.
This change fixes the LTP epoll01 testcase.
Change-Id: I044a38be823c2fa956b57e77cc66571dfae8a4bb
Signed-off-by: Greg Hackmann <ghackmann@google.com>
The clone syscall accepts NULL child stacks, interpreting this to mean
the child gets a copy of the parent's stack with copy-on-write
semantics. However clone(2) is explicitly documented to treat this as
an error.
"Fortunately" every architecture's __bionic_clone implementation pushes
something onto the child stack before making the clone syscall. So we
know fixing this won't break legacy apps, because any app that tried
using a NULL child stack would have died with SIGSEGV.
This change fixes the LTP clone04 testcase.
Change-Id: I663b34f34bc8dad2aa405c46e4eed4418cccca0d
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Also guard both these GNU extensions with _GNU_SOURCE.
Also improve the tests to test each case on both the current thread and
another thread, since the code paths are totally different.
Bug: http://b/27810459
Change-Id: I72b05bca5c5b6ca8ba4585b8edfb716a1c252f92
We don't have a compile-time limit on the number of threads,
and we don't have a definite run-time limit either.
Bug: http://b/27617302
Change-Id: I6a6fe083e7b655d24eb9e7ef7f3e0280d483080b
Do not initialize all of the global function pointers associated with
debug malloc until the initialization has completed correctly.
Bug: 27600760
Change-Id: I0621b54bc2d9fab63805d7992d384e550d6fed2a
Don't ask the kernel to copy data to userspace if we don't need it.
(Noticed while cleaning up sysconf to not call clock_getres.)
Change-Id: Icc0f7559775b8a2dcefe638ce831d06b75d67122
There are a hundred other reasons why we can't run on kernels old enough
to not have all the clocks covered by sysconf.
This was causing trouble for jemalloc 4.1.0 in a seccomp-constrained process
because jemalloc 4.1.0 introduced a call to sysconf that caused us to make
clock_getres syscalls for the first time, leading to SIGSYS.
Bug: http://b/27408522
Change-Id: I2eb6986d871bc03cbef278e5617734409c39e057
glibc, FreeBSD, OpenBSD, and Darwin all just leave the fd unchanged and
possibly uninitialized. Setting it to -1 seems friendlier, though.
Bug: http://b/27506278
Change-Id: I7acdc8eecbea4404d5fb4ba0b4d572245a323886
Make it easier to diagnose applications mucking with the contents of
jmp_buf by checksumming its contents.
Bug: http://b/27417786
Change-Id: I9989e2ea3979a36ae0bc4c9e1bacafddbacc731b
This involves actually implementing assembler __memset_chk for arm64,
but that's easily done.
Obviously I'd like this for all architectures (and all the string functions),
but this is low-hanging fruit...
Change-Id: I70ec48c91aafd1f0feb974a2555c51611de9ef82
Also remove an if that implied that IFA_BROADCAST is a possibility for
AF_INET6.
The existing tests fail if you have a point-to-point interface configured,
so no new test necessary.
Bug: http://b/27442503
Change-Id: I4c5823b32204ae6c15527853414c2a0cef320b53
Our FORTIFY _chk functions' implementations were very repetitive and verbose
but not very helpful. We'd also screwed up and put the SSIZE_MAX checks where
they would never fire unless you actually had a buffer as large as half your
address space, which probably doesn't happen very often.
Factor out the duplication and take the opportunity to actually show details
like how big the overrun buffer was, or by how much it was overrun.
Also remove the obsolete FORTIFY event logging.
Also remove the unused __libc_fatal_no_abort.
This change doesn't improve the diagnostics from the optimized assembler
implementations.
Change-Id: I176a90701395404d50975b547a00bd2c654e1252
...so memset it is, then.
I'll be glad when GCC is dead and we can use "= {}" like it's the 21st century.
Change-Id: I28d820d3926ac9bf44bf7c1e89e184726c840391
The purpose of this change is to silence Valgrind's warning about a
syscall parameter pointing to uninitialised bytes.
Change-Id: I2737235f9ac288dbc8ec4be0c6f1cef181c9b7d7
Add backtrace_string to convert a malloc_debug backtrace to a string.
Also move the backtrace functions to libc_malloc_debug_backtrace so that
libmemunreachable can reuse them.
Change-Id: I5ad67001c0b4d184903c762863a8588181d4873b
Since we set both fields to NULL all the time, we can alias the two
fields together on LP32 to provide build-time compatibility.
BUG=24918750
TEST=python now builds for Brillo boards
Change-Id: I3394aea80c9a5288669389f71d0e4132f2157e3c
Check if thread_id is in fact pthread_self before
locking on g_thread_list_lock in __pthread_internal_find.
The main reason for doing this is not performance but to allow
the linker to use raise() which was not working because pthread_kill()
couldn't find pthread_self() thread because the global thread
list is initialized in libc.so and the linker's version of this
list is empty.
Bug: http://b/25867917
Change-Id: I18fe620e8cd465b30f0e1ff45fff32958f3c5c00
Our fopen/freopen/tmpfile are already always O_LARGEFILE, but let's add
the aliases for _LARGEFILE_SOURCE compatibility.
Bug: http://b/24807045
Change-Id: I5d99b3ef3c9f27ce70f13313f6a92e96c7f21f80
This file should have been deleted with the malloc debug rewrite, but
popped back into existence due to a merge conflict.
Change-Id: I74e53daaf3febf650b20e3da5329558ac84c5bcd
If snprintf() is called from the linker, it may erroneously return a
null string. The libc internal __libc_format_buffer() does not have
this problem, so it is now used instead.
Bug: 26756577
Change-Id: I37a97e27f59b3c0a087f54a6603cc3aff7f07522
This has been requested a few times over the years. This is basically
a very late rebase of https://android-review.googlesource.com/45470
which was abandoned years ago. One addition is that this version has
_FILE_OFFSET_BITS=64 support.
POSIX puts this in <unistd.h>. glibc also has it in <fcntl.h>.
Bug: http://b/13077650
Change-Id: I5862b1dc326e326c01ad92438ecc1578d19ba739
Broke the build. There's no such file as bionic_sdk_version.h anywhere in the tree.
This reverts commit 892b61d340.
Change-Id: Iec3f4588edfb1d1524bb5f16451fd05dc6ebe44a
The POSIX standard says sem_wait is interruptible by the delivery
of a signal. To keep compatibility with old apps, only fix that
in newer sdk versions.
Bug: 26743454
Change-Id: I924cbb436658e3e0f397c922d866ece99b8241a3
The major components of the rewrite:
- Completely remove the qemu shared library code. Nobody was using it
  and it appears to have broken at some point.
- Adds the ability to enable/disable different options independently.
- Adds a new option that can enable the backtrace on alloc/free when
  a process gets a specific signal.
- Adds a new way to enable malloc debug. If a special property is
  set, and the process has an environment variable set, then debug
  malloc will be enabled. This allows something that might be
  a derivative of app_process to be started with an environment variable
  being enabled.
- get_malloc_leak_info() used to return one element for each pointer that
  had the exact same backtrace. The new version returns information for
  every one of the pointers with same backtrace. It turns out ddms already
  automatically coalesces these, so the old method simply hid the fact
  that there were multiple pointers with the same amount of backtrace.
- Moved all of the malloc debug specific code into the library.
  Nothing related to the malloc debug data structures remains in libc.
- Removed the calls to the debug malloc cleanup routine. Instead, I
  added an atexit call with the debug malloc cleanup routine. This gets
  around most problems related to the timing of doing the cleanup.
The new properties and environment variables:
libc.debug.malloc.options
    Set by option name (such as "backtrace"). Setting this to a bad value
    will cause a usage statement to be printed to the log.
libc.debug.malloc.program
    Same as before. If this is set, then only the program named will
    be launched with malloc debug enabled. This is not a complete match,
    but if any part of the property is in the program name, malloc debug is
    enabled.
libc.debug.malloc.env_enabled
    If set, then malloc debug is only enabled if the running process has the
    environment variable LIBC_DEBUG_MALLOC_ENABLE set.
Bug: 19145921
Change-Id: I7b0e58cc85cc6d4118173fe1f8627a391b64c0d7
This is just a subset of the recently-implemented getifaddrs(3), though if
we want to handle interfaces (such as "rmnet_*") that don't have an address,
we need to either expose ifaddrs_storage and keep track of which interfaces
we've already seen (which is pretty messy), or refactor the netlink code so
we can reuse it and just extract the information we need for if_nameindex(3).
This patch goes the latter route.
Also clean up if_nametoindex(3) and if_indextoname(3).
Change-Id: I5ffc5df0bab62286cdda2e7af06f032c767119a8
Also fix a bug where we were mutating the address/broadcast address
of an existing entry rather than the new entry, and use 'const' to
ensure we don't make that mistake again.
Change-Id: I31c127a5d21879b52c85cd0f7ed2e66554a21e39
Exactly which functions get a stack protector is up to the compiler, so
let's separate the code that sets up the environment stack protection
requires and explicitly build it with -fno-stack-protector.
Bug: http://b/26276517
Change-Id: I8719e23ead1f1e81715c32c1335da868f68369b5
Currently, reads of ro.* properties are treated differently than
writes of ro.* properties. When writing an ro.* property, we ignore
the "ro." portion of the property, and base the security decision
on the label of the remaining portion.
See e7a9e52740/init/property_service.cpp
line 120-126
For example, for writing, the label associated with
"ro.build.fingerprint" comes from the /property_contexts file
entry:
    # ro.build.fingerprint is either set in /system/build.prop, or is
    # set at runtime by system_server.
    build.fingerprint u:object_r:fingerprint_prop:s0
However, we fail to follow this same special case when sorting
properties into files. Instead, ro.build.fingerprint is assigned
u:object_r:default_prop:s0 instead of u:object_r:fingerprint_prop:s0
Ignore the "ro." portion when sorting properties into files.
This will make reads and writes of properties use the same label.
Bug: 21852512
Change-Id: Ie88ffc6b78b31fc8ddf370ae27c218546fb25a83
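The read/write label mismatch described in the commit message above, modelled as an added example (not bionic or init code). The longest-prefix lookup, the fallback to default_prop, the function names, and the "debug." row and sample property names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct ctx_entry { const char *prefix; const char *label; };

/* Constructed table. The fingerprint row and the default label are quoted in
 * the commit message; the "debug." row is a made-up extra entry. */
static const struct ctx_entry kContexts[] = {
    { "build.fingerprint", "u:object_r:fingerprint_prop:s0" },
    { "debug.",            "u:object_r:debug_prop:s0" },
};
static const char kDefaultLabel[] = "u:object_r:default_prop:s0";

/* Constructed sample property names. */
static const char *const kSampleProps[] = {
    "ro.build.fingerprint", "build.fingerprint",
    "debug.atrace.tags.enableflags", "ro.debug.example", "roaming.example",
};
#define EX_NSAMPLES (sizeof(kSampleProps) / sizeof(kSampleProps[0]))

/* Longest matching prefix wins; anything unmatched gets the default label. */
static const char *lookup_label(const char *name) {
    const char *best = kDefaultLabel;
    size_t best_len = 0;
    for (size_t i = 0; i < sizeof(kContexts) / sizeof(kContexts[0]); i++) {
        size_t n = strlen(kContexts[i].prefix);
        if (n > best_len && strncmp(name, kContexts[i].prefix, n) == 0) {
            best = kContexts[i].label;
            best_len = n;
        }
    }
    return best;
}

/* Drop a leading "ro." only; "roaming.example" must stay untouched. */
static const char *strip_ro(const char *name) {
    return strncmp(name, "ro.", 3) == 0 ? name + 3 : name;
}

/* Write path: the security decision ignores the "ro." portion. */
static const char *label_for_write(const char *name) {
    return lookup_label(strip_ro(name));
}

/* Read path before the change: the full name is used when sorting into files. */
static const char *label_for_read_before(const char *name) {
    return lookup_label(name);
}

/* Read path after the change: same rule as the write path. */
static const char *label_for_read_after(const char *name) {
    return lookup_label(strip_ro(name));
}

typedef const char *(*label_fn)(const char *);

/* Count properties whose read label differs from their write label. */
static int count_mismatches(label_fn read_fn, const char *const *names, size_t n) {
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(read_fn(names[i]), label_for_write(names[i])) != 0) bad++;
    }
    return bad;
}

int main(void) {
    for (size_t i = 0; i < EX_NSAMPLES; i++) {
        printf("%-32s write=%s read(before)=%s read(after)=%s\n", kSampleProps[i],
               label_for_write(kSampleProps[i]),
               label_for_read_before(kSampleProps[i]),
               label_for_read_after(kSampleProps[i]));
    }
    printf("mismatches before: %d, after: %d\n",
           count_mismatches(label_for_read_before, kSampleProps, EX_NSAMPLES),
           count_mismatches(label_for_read_after, kSampleProps, EX_NSAMPLES));
    return 0;
}
```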
This reverts commit 76814a8250.
This differs from the original in fixing the GCC -Werror build:
    bionic/libc/bionic/ifaddrs.cpp: In function 'void __handle_netlink_response(ifaddrs**, nlmsghdr*)':
    bionic/libc/bionic/ifaddrs.cpp:113:62: error: use of old-style cast [-Werror=old-style-cast]
    ifinfomsg* ifi = reinterpret_cast<ifinfomsg*>(NLMSG_DATA(hdr));
This appears to be a GCC bug; the GCC command-line correctly uses -isystem,
and manually adding #pragma GCC system_header doesn't help. So just turn the
warning off for GCC for now. We won't need to worry about building with GCC
soon anyway.
Bug: http://b/26238832
Change-Id: I01615bd335edf11baf487b1c83a9157cd780f4a1
Time to dust off the old libcore implementation from gingerbread and add it
to bionic. Unlike the original, this actually looks at both RTM_NEWLINK and
RTM_NEWADDR.
Bug: http://b/26238832
Change-Id: I7bb4b432deb766065b66b9c9ff36ed68249aba82
It actually means "crash immediately". Well, it's an error. And callers are
much more likely to realize their mistake if we crash immediately rather
than return EINVAL. Historically, glibc has crashed and bionic -- before
the recent changes -- returned EINVAL, so this is a behavior change.
Change-Id: I0c2373a6703b20b8a97aacc1e66368a5885e8c51
This change removes endpwent, dlmalloc_inspect_all, dlmalloc_trim
from lp64 libc.so. It also removed the necessity of having brillo
version scripts for lp64 platforms.
Bug: http://b/26164862
Change-Id: I4e9b38907bb1dc410f0eb6d2f5d5944fe713da51
Treat subsequent calls to __system_properties_init() as a
reinitialization of system properties and revoke access to prop files
that have been previously mapped but that the process's current context
does not have access to. Additionally reset the no_access_ flag in
case permissions have loosened and previously unaccessible files can now
be accessed.
This is meant to work around an issue that setcon() does not revoke
mmap() mappings, so we must manually revoke them after a successful
setcon() call.
Bug 26114086
Change-Id: I4d690abb6817283ca64ac26ea4c1dad398a98fbc
Currently, if the debug.atrace.tags.enableflags property is not found,
it is set to a safe value such that a pointer to this property can be
stored for later access. This may result in selinux denials because not
all processes have write permissions for this property or permission to
connect to the property write socket at all.
Change I6d953c0c281fd72ad3eba8a479fd258023579b5b writes this property to
a safe value upon boot, which greatly decreases the cases in which this
property will not be accessible and removes the need to write it here.
This commit removes this write.
Bug 26115803
Change-Id: Ief72c5f731d3a1231b5080eb531fa0a491a8b1d1
We need to ensure %gs:20 is set up early enough for -fstack-protector-strong
on x86, and that __set_tls doesn't get stack protector checks because it's a
prerequisite for them. x86 devices/emulators won't boot without this.
Bug: http://b/26073874
Change-Id: Icf0d34294648cc0c8cb406a3617befe0d45c525a
POSIX defined bcopy to handle overlapping memory akin to memmove and
bionic appears to have always done so.
Change-Id: I2599113411e3532913270ba1c1b49e35cbc5f106
This reverts commit c8bae05f3f.
We were breaking init (ueventd) because we initialize system properties
before we initialize stdio. The new system property implementation uses
stdio to read from /property_contexts, so we end up touching stdio data
structures before they've been initialized.
This second attempt takes things further by removing the stdio initialization
function altogether. The data structures for stdin/stdout/stderr can be
statically initialized as data, and -- since we already had to give the
atexit implementation a backdoor for stdio -- we can just admit that we
need to clean up stdio, and that we always do so last.
This patch also removes the 17 statically pre-allocated file structures,
so the first fopen will now allocate a block of 10 (the usual overflow
behavior). I did this just to make my life simpler, but it's not actually
necessary to remove it if we want it back.
Change-Id: I936b2eb5e88e4ebaf5516121872b71fc88e5609c
This reverts commit 4371961e00.
This broke booting; ueventd crashes with a null pointer dereference
somewhere in __sfp (but the kernel doesn't unwind, so I don't know
what was calling __sfp).
Change-Id: I65375fdfdf1d339a06558b4057b580cacd6324e2
Primarily a debug feature that can be switched at runtime to permit
developers to have the option of high-resolution Android logs with
either CLOCK_REALTIME (default) or CLOCK_MONOTONIC to correlate with
other system activities like kernel logs or systrace.
Bug: 23668800
Change-Id: Ib29024899540f51a72cad5dde25517a7134d68f7
If a __system_property* function is called before
__system_properties_init() then the app will abort. This commit
returns either an error code or a safe return value instead.
Bug 26027140
Change-Id: I95ffd143e9563658ab67a397991e84fb4c46ab77
Several parts in pthread_internal_t should be initialized
to zero, like tls, key_data and thread_local_dtors. So
just clearing the whole pthread_internal_t is more convenient.
Bug: 25990348
Change-Id: Ibb6d1200ea5e6e1afbc77971f179197e8239f6ea
The purpose of this change is to add read access control to the property
space.
In the current design, a process either has access to the single
/dev/__properties__ file and therefore all properties that it contains
or it has access to no properties. This change separates properties
into multiple property files based on their selabel, which allows
creation of sepolicies that allow read access of only specific sets of
properties to specific domains.
Bug 21852512
Change-Id: Ice265db79201ca811c6b6cf6d851703f53224f03
Previously we called __sinit() lazily. But it is likely to cause data
races like in https://android-review.googlesource.com/#/c/183237/. So
we prefer to call __sinit() explicitly at libc initialization.
Bug: 25392375
Change-Id: I181ea7a4b2e4c7350b45f2e6c86886ea023e80b8
Currently we use __thread variable to store thread_local_dtors,
which makes tsan test fork_atexit.cc hang. The problem is as below:
The main thread creates a worker thread, the worker thread calls
    pthread_exit() -> __cxa_thread_finalize() -> __emutls_get_address()
    -> pthread_once(emutls_init) -> emutls_init().
Then the main thread calls fork(), the child process calls
    exit() -> __cxa_thread_finalize() -> __emutls_get_address()
    -> pthread_once(emutls_init).
So the child process is waiting for pthread_once(emutls_init)
to finish which will never occur.
It might be the test's fault because the POSIX standard says if a
multi-threaded process calls fork(), the new process may only
execute async-signal-safe operations until exec functions are
called. And exit() is not async-signal-safe. But we can make
bionic more reliable by not using __thread in
__cxa_thread_finalize().
Bug: 25392375
Change-Id: Ife403dd7379dad8ddf1859c348c1c0adea07afb3
It is reported by tsan that funlockfile() can unlock an unlocked mutex.
It happens when printf() is called before fopen() or other stdio stuff.
As FLOCKFILE(fp) is called before __sinit(), _stdio_handles_locking is false,
and _FLOCK(fp) will not be locked. But then cantwrite(fp) in __vfprintf()
calls __sinit(), which makes _stdio_handles_locking become true, and
FUNLOCKFILE(fp) unlocks _FLOCK(fp).
Change _stdio_handles_locking into _caller_handles_locking,
so __sinit() won't change its value. Add test due to my previous fault.
Bug: 25392375
Change-Id: I483e3c3cdb28da65e62f1fd9615bf58c5403b4dd
Currently is_private_anonymous is calculated as true if _either_
MAP_PRIVATE or MAP_ANONYMOUS is set, which is a mistake.
According to Documentation/vm/ksm.txt, "KSM only merges anonymous
(private) pages, never pagecache (file) pages". MAP_PRIVATE can
still be set on file cache pages so in order to not redundantly
set MADV_MERGEABLE on pages that are not fitted for it, both
MAP_PRIVATE and MAP_ANONYMOUS should be set.
Along with this fix, add an extra check that the mapped page is
not a stack page before setting MADV_MERGEABLE for it. Stack pages
change too quickly and always end up in KSM 'page_volatile' list.
Change-Id: If4954142852f17cc61f02985ea1cb625a7f3dec6
If tsan is used, the following callchain can happen:
    __libc_preinit() -> __libc_init_globals() ->
    __libc_init_vdso() -> strcmp() -> __tsan_init()
    -> sysconf(_SC_PAGE_SIZE) -> getauxval().
But __libc_auxv is initialized in __libc_init_common(),
after __libc_init_globals(). One simple way to fix
this is to initialize __libc_auxv at __libc_init_globals().
Bug: 25392375
Change-Id: I3893b1f567d5f3b7a8c881c0c1b8234b06b7751b
This removes another way to obtain objects larger than PTRDIFF_MAX. The
only known remaining hole is now jemalloc's merging of virtual memory
spans.
Technically this could be wrapped in an __LP64__ ifndef since it can't
occur on 64-bit due to the 1:1 split. It doesn't really matter either
way.
Change-Id: Iab2af242b775bc98a59421994d87aca0433215bd
In order to run tsan unit tests, we need to support pthread spin APIs.
Bug: 18623621
Bug: 25392375
Change-Id: Icbb4a74e72e467824b3715982a01600031868e29
If calling pthread_mutex_trylock from pthread_mutex_destroy, tsan
warns about an attempt to destroy a locked mutex.
Bug: 25392375
Change-Id: I5feee20e7a0d0915adad24da874ec1ccce241381
The current comment implies that we only strip sensitive
environment variables on executing a setuid program. This is
true but incomplete. The AT_SECURE flag is set whenever a
security transition occurs, such as executing a setuid program,
SELinux security transition, executing a file with file capabilities,
etc...
Fixup the comments.
Change-Id: I30a73992adfde14d6e5f642b3a1ead2ee56726be
The mremap definition was incorrect (unsigned long instead of int) and
it was missing the optional new_address parameter.
Change-Id: Ib9d0675aaa098c21617cedc9b2b8cf267be3aec4
_signal was static in 64 bit, and hidden on 32 bit. There is no
reason to have this distinction, so make it hidden in all cases.
Change-Id: I09d5d93ac8cab4fe14dc7bdfeb25aa46a3b7413d
These don't work, aren't thread-safe, aren't in POSIX (or our header
files), and are only used by one app (whose developers I've contacted).
But the presence of these symbols causes configure to be confused, which
is a pain for Brillo.
Bug: http://b/24812426
Change-Id: I7fa6ef82864d5563929d9b8a7f8fcacb30b26d45
It removes the call to pthread_mutex_lock() at the beginning of a new
thread, which helps to support thread sanitizer.
Change-Id: Ia3601c476de7976a9177b792bd74bb200cee0e13
Rewrite inet_addr and inet_network in terms of inet_aton, and reimplement
that to include all the missing error checks.
Bug: http://b/24754503
Change-Id: I5dfa971c87201968985a0894df419f0fbf54768a
Reading /proc/stat to count online cpus is not correct for all android
kernels. Change to reading /sys/devices/system/cpu/online instead.
Bug: 24376925
Change-Id: I3785a6c7aa15a467022a9a261b457194d688fb38
Bug: 24492248
Shifting sign bits left is considered undefined behavior, so we need to
switch these uses to unsigned equivalents. The time_t-related code is
updated relative to upstream sources.
Change-Id: I226e5a929a10f5c57dfcb90c748fdac34eb377c2
Until we implement full support for passwd/group files, add a simple
way to use the new OEM UID/GID range (5000-5999).
oem_XXX -> 5000 + XXX iff 0 <= XXX < 1000.
Bug: 23225475
Change-Id: If48b88135d5df538313414f747d6c4c63bf0a103
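The oem_XXX mapping from the commit message above, written out as an added example (not bionic's implementation). The function names are hypothetical, and accepting only plain decimal digits, with leading zeros allowed, is an assumption; the digit loop avoids the sign, whitespace and overflow cases a strtoul-style parse would let through.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EX_OEM_START 5000  /* OEM UID/GID range from the commit message */
#define EX_OEM_END   5999

/* Map "oem_XXX" to 5000 + XXX iff 0 <= XXX < 1000; return -1 otherwise. */
static int ex_oem_name_to_id(const char *name) {
    if (strncmp(name, "oem_", 4) != 0) return -1;
    const char *p = name + 4;
    if (*p == '\0') return -1;                 /* "oem_" with no number */
    int value = 0;
    for (; *p != '\0'; p++) {
        if (*p < '0' || *p > '9') return -1;   /* rejects '-', '+', ' ', 'x' */
        value = value * 10 + (*p - '0');
        if (value >= 1000) return -1;          /* bounded, so it cannot overflow */
    }
    return EX_OEM_START + value;
}

/* Reverse mapping; returns 0 on success, -1 if id is outside the OEM range
 * or the buffer is too small. */
static int ex_oem_id_to_name(int id, char *buf, size_t len) {
    if (id < EX_OEM_START || id > EX_OEM_END) return -1;
    int n = snprintf(buf, len, "oem_%d", id - EX_OEM_START);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

int main(void) {
    /* Constructed inputs covering the boundaries and malformed forms. */
    const char *samples[] = { "oem_0", "oem_999", "oem_1000", "oem_-1",
                              "oem_ 5", "oem_12x", "oem_", "system" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-10s -> %d\n", samples[i], ex_oem_name_to_id(samples[i]));
    }
    char buf[16];
    if (ex_oem_id_to_name(5042, buf, sizeof(buf)) == 0) printf("5042 -> %s\n", buf);
    return 0;
}
```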
Reuse the top bits of _JB_SIGFLAG field previously used to store a
boolean to store a cookie that's validated by [sig]longjmp to make it
harder to use as a ROP gadget. Additionally, encrypt saved registers
with the cookie so that an attacker can't modify a register's value to
a specific value without knowing the cookie.
Bug: http://b/23942752
Change-Id: Id0eb8d06916e89d5d776bfcaa9458f8826717ba3
The previous way of getting the stack, using the [stack] string from
/proc/self/task/<pid>/maps, is not enough. On x86/x86_64, if an
alternative signal stack is used while a task switch happens,
the [stack] indicator may no longer be correct.
Instead, stack_start from /proc/self/stat which is always inside
the main stack, is used to find the main stack in /proc/self/maps.
Change-Id: Ieb010e71518b57560d541cd3b3563e5aa9660750
Signed-off-by: Nitzan Mor-sarid <nitzan.mor-sarid@intel.com>
Signed-off-by: Mingwei Shi <mingwei.shi@intel.com>
Allocations larger than PTRDIFF_MAX can be successfully created on
32-bit with a 3:1 split, or in 32-bit processes running on 64-bit.
Allowing these allocations to succeed is dangerous, as it introduces
overflows for `end - start` and isn't compatible with APIs (mis)using
ssize_t to report either the size or an error. POSIX is guilty of this,
as are many other Android APIs. LLVM even considers the `ptr + size`
case to be undefined, as all pointer arithmetic compiles down to signed
operations and overflow is treated as undefined for standard C pointer
arithmetic (GNU C `void *` arithmetic works differently).
This also prevents dlmalloc from allocating > PTRDIFF_MAX as it doesn't
merge mappings like jemalloc. A similar check will need to be added in
jemalloc's code path for huge allocations.
The musl libc implementation also performs this sanity check.
Change-Id: I5f849543f94a39719f5d27b00cef3079bb5933e9
The debug malloc code unconditionally closes stdin/stdout/stderr,
which means that other atexit functions cannot use them. Only
close these if there is a debug malloc final function to call.
This doesn't appear to be a problem on most normal applications or the
atexit_exit bionic unit test would be failing. However, if you
enable stat dumping in jemalloc, nothing prints. Most likely trying
to add an atexit function from within libc is causing that atexit
to run after the debug malloc atexit function.
Change-Id: I963720d4ccaaa511e44af07a7461f17eb3f84e8e
These are just based on the read/pread{,64} implementations with the
function calls and error messages adjusted as appropriate. The only
difference is that the buffer parameters are const.
Change-Id: Ida1597a903807f583f230d74bcedffdb7b24fcf6
The ip values being reported are always pointing at the next
instruction to execute, not the currently executing instruction.
Change the ip address to point at the currently executing instruction.
This fixes a problem where the next instruction is not actually
part of the same function, so if an addr2line is used, it reports
the wrong value.
This does not modify the ip for mips.
Bug: 22565486
Change-Id: Ie0df4c9727f62ce06948b9a2b0e4b7956eb6e752
It turns out that everyone's still getting PAGE_SIZE from <sys/user.h> via
<sys/ucontext.h> via <signal.h> anyway.
glibc has PAGE_SIZE in <sys/user.h> rather than <limits.h> so this part is
good. The bad part is that we have such wide transitive inclusion of
<sys/user.h>!
Bug: http://b/22735893
Change-Id: I363adffe4a27b4ca1eedf695ea621f5dd2d5ca10
I'm removing the TODO on the assumption that being compatible with glibc
is more useful than BSD. The new internal "bionic_page.h" header factors
out some duplication between libc and the linker.
Bug: http://b/22735893
Change-Id: I4aec4dcba5886fb6f6b9290a8f85660643261321
A __size_mul_overflow utility is used to take advantage of the checked
overflow intrinsics in Clang and GCC (>= 5). The fallback for older
compilers is the optimized but less than ideal overflow checking pattern
used in OpenBSD.
Change-Id: Ibb0d4fd9b5acb67983e6a9f46844c2fd444f7e69
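An added example (not bionic's code) covering both the PTRDIFF_MAX allocation limit described in an earlier commit message on this page and the checked multiply described just above: the intrinsic where available, the OpenBSD-style fallback otherwise, and a calloc-like wrapper that refuses wrapped or oversized totals. All ex_ names are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Detect the checked-multiply intrinsic (Clang, GCC >= 5). */
#if defined(__has_builtin)
#  if __has_builtin(__builtin_mul_overflow)
#    define EX_HAVE_MUL_OVERFLOW 1
#  endif
#endif
#if !defined(EX_HAVE_MUL_OVERFLOW) && defined(__GNUC__) && (__GNUC__ >= 5)
#  define EX_HAVE_MUL_OVERFLOW 1
#endif

/* Operands below 2^(bits/2) cannot overflow when multiplied, so the
 * division in the fallback is only reached when one operand is large. */
#define EX_MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/* Fallback for older compilers: returns true if a * b overflows size_t. */
static bool ex_mul_overflow_fallback(size_t a, size_t b, size_t *out) {
    *out = a * b;  /* unsigned wrap-around is well defined */
    return (a >= EX_MUL_NO_OVERFLOW || b >= EX_MUL_NO_OVERFLOW) &&
           a > 0 && SIZE_MAX / a < b;
}

/* Use the intrinsic when the compiler has it, the fallback otherwise. */
static bool ex_size_mul_overflow(size_t a, size_t b, size_t *out) {
#ifdef EX_HAVE_MUL_OVERFLOW
    return __builtin_mul_overflow(a, b, out);
#else
    return ex_mul_overflow_fallback(a, b, out);
#endif
}

/* Compute count * elem_size. Fails if the product wraps or exceeds
 * PTRDIFF_MAX, since `end - start` on such an object would overflow. */
static bool ex_checked_alloc_size(size_t count, size_t elem_size, size_t *total) {
    if (ex_size_mul_overflow(count, elem_size, total)) return false;
    return *total <= (size_t)PTRDIFF_MAX;
}

/* calloc-like wrapper: sets errno to ENOMEM instead of allocating a
 * wrapped or oversized request. */
static void *ex_calloc(size_t count, size_t elem_size) {
    size_t total;
    if (!ex_checked_alloc_size(count, elem_size, &total)) {
        errno = ENOMEM;
        return NULL;
    }
    return calloc(1, total ? total : 1);
}

int main(void) {
    size_t r;
    bool o = ex_mul_overflow_fallback(SIZE_MAX / 2 + 1, 2, &r);
    printf("fallback: (SIZE_MAX/2+1)*2 overflow=%d wrapped=%zu\n", o, r);
    printf("PTRDIFF_MAX bytes accepted: %d\n",
           ex_checked_alloc_size((size_t)PTRDIFF_MAX, 1, &r));
    printf("PTRDIFF_MAX+1 bytes accepted: %d\n",
           ex_checked_alloc_size((size_t)PTRDIFF_MAX + 1, 1, &r));
    void *p = ex_calloc(SIZE_MAX, 2);
    printf("ex_calloc(SIZE_MAX, 2) -> %s\n", p ? "allocated" : "refused");
    free(p);
    return 0;
}
```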
This patch gives the possibility of time vdso support on 32-bit kernels.
If the 32-bit x86 kernel provides gettimeofday() and clock_gettime()
primitives in the vdso, make bionic use them. If the kernel
doesn't provide them, fall back to the legacy system call versions.
Change-Id: I87b772a9486fa356903e1f98f486ab9eb0b6f6f7
Signed-off-by: Robert Jarzmik <robert.jarzmik@intel.com>
Signed-off-by: Mingwei Shi <mingwei.shi@intel.com>
This reverts commit 1946856b1f.
This goes back to the original scheme of PROT_NONEing a page within
libc. Allocating a new page didn't fail safe for cases where these
functions are called from the dynamic linker.
Bug: http://b/22568628
Change-Id: I3e7241c8b54c27ea4a898bc952375c1e9ae38c80
Global, writable function pointers are low-hanging fruit for hijacking
control flow with an overflow from a global buffer or an arbitrary write
vulnerability. This moves the function pointer table into a dedicated
page and makes it read-only at runtime, similar to RELRO.
This increases the memory usage of the library by just under one page.
This could be avoided by having the linker load the vdso by replacing
weak symbols. It's not significant within the Zygote spawning model
though because it's read-only after early init.
Change-Id: Id7a49c96c1b15c2e1926528304b3c54a81e78caf
If a map has a non-zero vaddr then it needs to be added to the
computed relative offset.
Bug: 22532054
Change-Id: If55015165d25ecc4b530f674b481c8c7ef760a23
There is a deadlock if holding the hash table lock while trying to do
a backtrace. Change the code so that the hash table lock is only held
while actually modifying either g_hash_table, or while modifying an
entry from g_hash_table.
Bug: 22423683
(cherry picked from commit 9fee99b060)
Change-Id: I72173bfe6f824ceaceea625c24e7851b87467135
LP64 is immune because basename_r is hidden there, but on LP32 a basename_r
defined in the executable breaks basename because its call to basename_r
will resolve to that one rather than the one in libc.
Bug: http://b/22415484
Change-Id: Ied3ca7ad3fb0e744eb705fc924743f893b4ad490
1. Personality parameter should be unsigned int (not long)
2. Do not reset bits outside of PER_MASK when setting
personality value.
3. Set personality for static executables.
Bug: http://b/21900686
Change-Id: I4c7e34079cbd59b818ce221eed325c05b9bb2303
(cherry picked from commit f643eb38c3)
The pthread_mutex_lock and pthread_mutex_unlock were allowed to
fail silently on L 32 bit devices when passed a NULL. We changed
this to a crash on 32 bit devices, but there are still games that make
these calls and are not likely to be updated. Therefore, once again
allow NULL to be passed in on 32 bit devices.
Bug: 19995172
(cherry picked from commit 511cfd9dc8)
Change-Id: I159a99a941cff94297ef3fffda7075f8ef1ae252
A continuation of commit 2825f10b7f.
Add O_PATH compatibility support for flistxattr(). This allows
a process to list out all the extended attributes associated with
O_PATH file descriptors.
Change-Id: Ie2285ac7ad2e4eac427ddba6c2d182d41b130f75
The functions dlmalloc_inspect_all and dlmalloc_trim get
exported on devices that use dlmalloc, so be consistent and
export them everywhere.
Bug: 21640784
Change-Id: I5b8796cd03c8f401d37d9c22823144f766f9c4c7
It turns out that apportable apps expect that the DIR structure is
the same as in L and below. Modify the structure to have the same
order, and move the new variable to the end of the structure.
Bug: 21037208
(cherry picked from commit 5edb0f40f6)
Change-Id: I0c1ab5e295ec8bef638daa4cfea5830aeea602e6
Support O_PATH file descriptors when handling fgetxattr and fsetxattr.
This avoids requiring file read access to pull extended attributes.
This is needed to support O_PATH file descriptors when calling
SELinux's fgetfilecon() call. In particular, this allows the querying
and setting of SELinux file context by using something like the following
code:
    int dirfd = open("/path/to/dir", O_DIRECTORY);
    int fd = openat(dirfd, "file", O_PATH | O_NOFOLLOW);
    char *context;
    fgetfilecon(fd, &context);
This change was motivated by a comment in
https://android-review.googlesource.com/#/c/152680/1/toys/posix/ls.c
Change-Id: Ic0cdf9f9dd0e35a63b44a4c4a08400020041eddf
Adds a new _internal_ function. Provide a global serial number to
support more efficient private caching algorithms. This makes it possible
to skip re-running the __system_property_find() call on misses until
there is a global change in the properties. This call is a read
barrier, the property data to be read following this call will be
read sequentially and up to date.
Bug: 19544788
Change-Id: I58e6a92baa0f3e8e7b9ec79b10af6d56407dab48