Commit graph

1651 commits

Author SHA1 Message Date
Elliott Hughes
2d0b28bc0d Add getloadavg(3).
Lets us build ninja with bionic.

Bug: N/A
Test: ran tests
Change-Id: I97eef1247d794b58a2b9aee4851551632e5a4e48
2018-10-23 11:23:00 -07:00
Tim Murray
ac578f2587 malloc: add M_PURGE mallopt flag
Add a new mallopt flag that purges any pending decaying pages.

Test: boots and works
bug 117795621

Change-Id: Ib250ae2b705b6a368c1efb801d6a7be54e075acb
(cherry pciekd from commit 5083e833a6)
2018-10-22 16:25:28 -07:00
Florian Mayer
f7f71e3c7b Add RT signal to load heapprofd library.
Tests: Ran malloc_debug_unit_tests
Tests: Flashed to walleye, sent signal, observed
  "Unable to open shared library: heapprofd.so".

Change-Id: Ia8ce216837e29e3edbda8789ca28023d53fa1fda
2018-10-18 21:38:06 +01:00
Josh Gao
7ff7d03286 Merge "Properly fail with ESRCH when pthread_killing an exited thread." 2018-10-18 17:47:17 +00:00
Josh Gao
ddf757e35e Properly fail with ESRCH when pthread_killing an exited thread.
Previously, we were callign tgkill(pid, 0, signal) instead, which would
fail with EINVAL instead.

Test: bionic-unit-tests
Change-Id: I25b127dcf347e0223274502b0516a950b6c2093e
2018-10-17 17:35:56 -07:00
Treehugger Robot
ecf0c7515d Merge "strerror: add missing ERFKILL and EHWPOISON." 2018-10-15 23:56:22 +00:00
Elliott Hughes
92a9116100 strerror: add missing ERFKILL and EHWPOISON.
There's little value to having strings for these, but we may as well
for consistency. There's no ELASTERRNO constant we can use to check
whether we've fallen behind again, but these were added in 2009 and
2011 respectively, so we're not likely to have to deal with any more
new errno values any time soon...

Bug: http://b/117755069
Test: ran tests
Change-Id: I5b7155c22cad92c2fe03a0b4c7cae415c37fa186
2018-10-15 13:12:19 -07:00
Greg Hackmann
cc953e08f4 fdsan: reset va_list between varargs traversals
When error_level != ANDROID_FDSAN_ERROR_LEVEL_FATAL, fdsan_error()
traverses the varargs twice.  Each traversal needs its own
va_start()/va_end() pair.  Otherwise async_safe_format_buffer_va_list()
will start consuming arguments where async_safe_format_log_va_list()
stopped, ironically causing the sanitizer runtime to perform bad memory
accesses.

Test: debuggerd_test32
Test: debuggerd_test64

Change-Id: Ic85ca94501e55e9a435410fab89edb273c381a5a
Signed-off-by: Greg Hackmann <ghackmann@google.com>
2018-10-15 10:41:34 -07:00
Treehugger Robot
391af2cefe Merge "Allow invoking the linker on an executable." 2018-10-11 01:04:57 +00:00
Ryan Prichard
8f639a4096 Allow invoking the linker on an executable.
The executable can be inside a zip file using the same syntax used for
shared objects: path.zip!/libentry.so.

The linker currently requires an absolute path. This restriction could be
loosened, but it didn't seem important? If it allowed non-absolute paths,
we'd need to decide how to handle:
 - foo/bar      (relative to CWD?)
 - foo          (search PATH / LD_LIBRARY_PATH, or also relative to CWD?)
 - foo.zip!/bar (normalize_path() requires an absolute path)

The linker adjusts the argc/argv passed to main() and to constructor
functions to hide the initial linker argument, but doesn't adjust the auxv
vector or files like /proc/self/{exe,cmdline,auxv,stat}. Those files will
report that the kernel loaded the linker as an executable.

I think the linker_logger.cpp change guarding against (g_argv == NULL)
isn't actually necessary, but it seemed like a good idea given that I'm
delaying initialization of g_argv until after C++ constructors have run.

Bug: http://b/112050209
Test: bionic unit tests
Change-Id: I846faf98b16fd34218946f6167e8b451897debe5
2018-10-10 14:31:06 -07:00
Josh Gao
baf20fc912 Block TIMER_SIGNAL in sigprocmask(SIG_SETMASK, ...).
Previously, we were zeroing out the reserved signals, when we actually
wanted to have TIMER_SIGNAL always be blocked, and the other signals
always be unblocked. This resulted in process termination when a
SIGEV_THREAD timer callback calls sigprocmask(SIG_SETMASK, ...) with
any signal mask value, and then subsequently fails to complete its
callback and reach the sigtimedwait in bionic before the next timer
iteration triggers.

Add a how argument to filter_reserved_signals to appropriately
block/unblock our reserved signals.

Bug: http://b/116783733
Test: bionic-unit-tests32/64
Change-Id: Ie5339682cdeb914711cd4089cd26ee395704d0df
2018-10-09 16:27:22 -07:00
Treehugger Robot
ddf92a1ba5 Merge "Always return /vendor/bin/sh as shell for OEM ids in getpwnam() etc." 2018-09-27 23:23:34 +00:00
Tom Cherry
fa5f61c8d9 Always return /vendor/bin/sh as shell for OEM ids in getpwnam() etc.
During the review of the script that generates /vendor/etc/passwd, it
was suggested that the shell be /vendor/bin/sh instead of the typical
/system/bin/sh.  This has subsequently caused bionic unit tests to
fail, since they always check that the shell is set to /system/bin/sh.

In the spirit of that review, libc is modified to return
/vendor/bin/sh for the OEM AID ranges and the test is updated to
expect this.

Test: bionic unit tests
Change-Id: Ie7c1c48fde8a71b3df1aa0ef112d42ab7bd3baec
2018-09-27 20:29:49 +00:00
Elliott Hughes
b177085ce7 Add reallocarray(3).
Originally a BSD extension, now in glibc too. We've used it internally
for a while.

(cherry-pick of e4b13f7e3ca68edfcc5faedc5e7d4e13c4e8edb9.)

Bug: http://b/112163459
Test: ran tests
Change-Id: I813c3a62b13ddb91ba41e32a5a853d09207ea6bc
Merged-In: I813c3a62b13ddb91ba41e32a5a853d09207ea6bc
2018-09-26 14:24:18 -07:00
Evgenii Stepanov
8d11bea6c5 Merge "[hwasan] Tweak process and thread initialization." 2018-09-20 21:39:55 +00:00
Josh Gao
ce9d653b38 Merge changes from topics "fdsan_ziparchive_type", "fdsan_java_socket"
* changes:
  fdsan: improve documentation.
  fdsan: add type for libziparchive's ZipArchive.
  fdsan: add types for Java sockets.
2018-09-20 19:22:03 +00:00
Evgenii Stepanov
13e8dcbdc9 [hwasan] Tweak process and thread initialization.
Make sure that TLS_SLOT_TSAN is always available and correctly set up in
HWASan-instrumented functions by setting up the tls register and running hwasan
initialization (__hwasan_init in the main thread and __hwasan_thread_enter in
secondary) early enough.

This is needed to accomodate a change in HWASan: https://reviews.llvm.org/D52249

Bug: 112438058
Test: boot with SANITIZE_TARGET=hwaddress, run bionic-tests
Change-Id: Icd909a4ea0da6c6c1095522bcc28debef5f2c63d
2018-09-20 12:20:12 -07:00
Josh Gao
5fa9df8efc fdsan: add type for libziparchive's ZipArchive.
Test: debuggerd `pidof system_server` | grep " fd "
Change-Id: I6a9a4306ecffe3899e4cc7285a0eb33efaa62616
2018-09-18 13:23:31 -07:00
Josh Gao
d527cf1f99 fdsan: add types for Java sockets.
Test: art/tools/run-libcore-tests.sh
Change-Id: If61211bc4ae225c3f89db989a167f9dc4fce375a
2018-09-17 17:31:58 -07:00
Bernie Innocenti
fb4eaa019e Improve netd detection
The alleged improvement consists in making the detection actually work
when netd is spawned by init, which of course uses the full path.
I had tested the previous logic by running netd from the shell, which
worked because argv[0] was just set to "netd". My bad -_-

Test: flash, boot and grep logcat for "Skipping libnetd_client init"
Change-Id: Ie5f11436dfa2a9347721147dc2b980144452404a
2018-09-07 10:29:18 -07:00
Elliott Hughes
431d2ff141 Merge "Add android_get_device_api_level." 2018-09-07 15:40:45 +00:00
Treehugger Robot
dc91d900ae Merge "bionic: Add magic to abort message" 2018-09-07 01:32:14 +00:00
Luis Hector Chavez
6d93c60778 bionic: Add magic to abort message
This change adds a 128-bit magic value just before the abort message
(and its length). This allows Chrome OS crash collector (which cannot
reliably correlate a crash with its corresponding tombstone) to extract
the abort message from the core dump.

Bug: 62387553
Test: /data/nativetest{,64}/debuggerd_test/*
Test: /data/nativetest{,64}/bionic-unit-tests{,-static}/*

Change-Id: I69ff021d773b3a10081ab16ddf6f23233320fb02
2018-09-06 15:18:21 -07:00
Elliott Hughes
ce934e3d9b Add android_get_device_api_level.
Bug: http://b/113615412
Test: ran tests
Change-Id: I0a7ae336c96c9ed6543b6935cbc242d14d4a4a67
2018-09-06 14:19:46 -07:00
Elliott Hughes
74934aaf10 Merge "Add the %m GNU extension to printf/wprintf." 2018-09-05 18:47:44 +00:00
Treehugger Robot
198fb7b6df Merge "Prevent netd from using the libnetd_client wrappers" 2018-09-05 15:22:59 +00:00
Bernie Innocenti
1b2ecee5da Prevent netd from using the libnetd_client wrappers
Netd looping connections to itself via the libnetd_client connect()
wrapper has always unintended, although it worked until now. Once we
move the resolver into netd, the frequency of connect() calls will
increase, which makes it less acceptable.

There are several ways to detect if the calling process is netd.
Checking both uid == 0 and the argv[0] == netd makes it hard for
non-system components to spoof as netd.

Test: flash a device and check that netd logs the "Skipping..." message
Test: atest netd_integration_test
Change-Id: I9506facb4aa3094b16a98a913a1e2394056ce91a
2018-09-05 17:43:42 +09:00
Josh Gao
f5693c688d Generalize abort's inline_tgkill, use it in fdsan.
Convert abort's inline_tgkill to do the equivalent of
pthread_sigqueue(pthread_self(), ...), so that we can use it in fdsan
as well.

Test: bionic-unit-tests
Test: debuggerd_test32
Test: debuggerd_test64
Change-Id: I92a7b84e2f00ce021b4043ed8a3bd8683d77fe9c
2018-08-31 16:39:23 -07:00
Josh Gao
ab6a0802af fdsan: add type for ART's FdFile.
Bug: http://b/113558485
Test: none
Change-Id: I9bc874d8689cc54563f2a5878d324b27ad85060e
2018-08-30 17:37:52 -07:00
Elliott Hughes
654cd8331b Add the %m GNU extension to printf/wprintf.
And remove the local hack from syslog(3).

Bug: http://b/112776560
Test: ran tests
Change-Id: I5807e729a978df26187ea0ee255bba4ca74220c8
2018-08-30 16:00:42 -07:00
Josh Gao
be66a06412 fdsan: provide abort message in warning tombstones.
Bug: http://b/112770187
Test: debuggerd_test
Test: bionic-unit-tests
Test: crasher fdsan_file
Change-Id: I55e18eafaee8b0c35bacd2795b7830bcb9d59291
2018-08-27 16:48:17 -07:00
Josh Gao
726b63f725 Implement pthread_sigqueue.
Bug: http://b/112770187
Test: bionic-unit-tests
Change-Id: I03382cd5df2490b2e87265dba9007e2cb1b14cd2
2018-08-27 16:48:17 -07:00
Josh Gao
b6b3a1d4f9 fdsan: expose functions to get and interpret tags.
Make it easier to write tests in users of fdsan by exposing functions
to allow users to get and interpret the tags.

Test: bionic_unit_tests
Change-Id: Iafa9bcaeb5e4db230f3dfec6f483274f34602694
2018-08-23 23:10:52 -07:00
Josh Gao
27cc4bc414 Add fdsan owner type for sqlite.
Test: none
Change-Id: Ib331d108e7e0431250eba3609f3557d8e4665aba
2018-08-23 23:10:52 -07:00
Elliott Hughes
99d54656bd Add PR_SET_VMA and PR_SET_VMA_ANON_NAME to <sys/prctl.h>.
We've copied & pasted these to too many places. And if we're going to
have another go at upstreaming these, that's probably yet another reason
to have the *values* in just one place. (Even if upstream wants different
names, we'll likely keep the legacy names around for a while for source
compatibility.)

Bug: http://b/111903542
Test: ran tests
Change-Id: I8ccc557453d69530e5b74f865cbe0b458c84e3ba
2018-08-22 10:36:23 -07:00
Evgenii Stepanov
be551f596f HWASan support in bionic.
* Allow sanitization of libc (excluding existing global sanitizers)
  and disallow sanitization of linker. The latter has not been
  necessary before because HWASan is the first sanitizer to support
  static binaries (with the exception of CFI, which is not used
  globally).
* Static binary startup: initialize HWASan shadow very early so that
  almost entire libc can be sanitized. The rest of initialization is
  done in a global constructor; until that is done sanitized code can
  run but can't report errors (will simply crash with SIGTRAP).
* Switch malloc_common from je_*  to __sanitizer_*.
* Call hwasan functions when entering and leaving threads. We can not
  intercept pthread_create when libc depends on libclang_rt.hwasan.
  An alternative to this would be a callback interface like requested
  here:
    https://sourceware.org/glibc/wiki/ThreadPropertiesAPI

All of the above is behind a compile-time check
__has_feature(hwaddress_sanitizer). This means that HWASan actually
requires libc to be instrumented, and would not work otherwise. It's
an implementation choice that greatly reduces complexity of the tool.
Instrumented libc also guarantees that hwasan is present and
initialized in every process, which allows piecemeal sanitization
(i.e. library w/o main executable, or even individual static
libraries), unlike ASan.

Change-Id: If44c46b79b15049d1745ba46ec910ae4f355d19c
2018-08-21 00:15:47 +00:00
George Burgess IV
fa5410fdb7 libc: enable -Wimplicit-fallthrough
libc had some -Wimplicit-fallthrough warnings. They all seem to be
benign. We're trying to enable this flag globally, so we need to
annotate these breaks here.

Bug: 112564944
Test: Builds
Change-Id: I5afae694cc4cf26ad1a61e2c8ae91f00cda7c733
2018-08-15 10:11:08 -07:00
Josh Gao
e16082f717 fdsan: expose the address of the table to the platform.
Let the debuggerd handler get the address of the fdsan table so that
crash_dump can parse it and print it out in tombstones.

Test: debuggerd `pidof adbd`
Change-Id: I2297200cae52d0ff24479dba55d1ab4938583501
2018-08-06 18:48:52 -07:00
Josh Gao
e6dab7b55f fdsan: minor refactoring.
Make it easier for other code to parse the fdsan table themselves by
making it so that they can include the bionic_fdsan.h header to get a
struct definition with the layout without bringing in other
dependencies.

Test: treehugger
Change-Id: I3583ef113991234aa83cd193a4eb139ad06737c7
2018-08-06 18:47:29 -07:00
Josh Gao
4b7c1cc13f fdsan: enable by default.
Test: adb shell crasher fdsan_file
Change-Id: I6be0f7372ddb9d622a0bd8d1eeb80a4f747c99e3
2018-08-06 15:11:08 -07:00
Josh Gao
08b7a4008f fdsan: improve errors some more.
Add handling for all 4 cases of failure of exchange_owner_tag. Also,
mask off and sign extend the type byte of the owner tag, and add a
test for that.

Test: bionic_unit_tests
Change-Id: Ic7c49f0ee5498623f05c49b5b4cd055db48a4b9f
2018-08-03 15:03:41 -07:00
Yi Kong
32bc0fcf69 Modernize codebase by replacing NULL with nullptr
Fixes -Wzero-as-null-pointer-constant warning.

Test: m
Bug: 68236239
Change-Id: I5b4123bc6709641315120a191e36cc57541349b2
2018-08-02 18:09:44 -07:00
Treehugger Robot
3e98d88823 Merge "fdsan: improve diagnostics." 2018-07-25 00:40:29 +00:00
Tom Cherry
0fe2203309 Fixup an out of date comment.
Test: n/a
Change-Id: Ieb5d18d479becb8c92cbf71a8bb7cd67f7c27dba
2018-07-24 13:34:34 -07:00
Josh Gao
fe380887c8 fdsan: improve diagnostics.
Generate a tombstone instead of just a log message when warning. Also,
don't use async_safe_fatal_va_list when we're not calling abort, as
this will permanently set the abort message.

Test: bionic_unit_tests
Test: setprop debug.fdsan warn; crasher fdsan_file
Change-Id: I2fe271da9004c8fd1f50ad3d8280be254eeaf656
2018-07-23 18:36:16 -07:00
Josh Gao
f6e5b58260 Introduce api to track fd ownership in libc.
Add two functions to allow objects that own a file descriptor to
enforce that only they can close their file descriptor.

Use them in FILE* and DIR*.

Bug: http://b/110100358
Test: bionic_unit_tests
Test: aosp/master boots without errors
Test: treehugger
Change-Id: Iecd6e8b26c62217271e0822dc3d2d7888b091a45
2018-07-19 14:28:54 -07:00
Elliott Hughes
f98d87b831 Add C11 timespec_get.
Bug: https://github.com/android-ndk/ndk/issues/744
Test: ran tests
Change-Id: Iad9514946e06d55b6a3aa0f945d9a63bff900881
2018-07-17 13:21:05 -07:00
Elliott Hughes
468efc80da Reimplement popen(3)/pclose(3).
pclose(3) is now an alias for fclose(3). We could add a FORTIFY check
that you use pclose(3) if and only if you used popen(3), but there seems
little value to that when we can just do the right thing.

This patch also adds the missing locking to _fwalk --- we need to lock
both the global list of FILE*s and also each FILE* we touch. POSIX says
that "The popen() function shall ensure that any streams from previous
popen() calls that remain open in the parent process are closed in the
new child process", which we implement via _fwalk(fclose) in the child,
but we might want to just make *all* popen(3) file descriptors O_CLOEXEC
in all cases.

Ignore fewer errors in popen(3) failure cases.

Improve popen(3) test coverage.

Bug: http://b/72470344
Test: ran tests
Change-Id: Ic937594bf28ec88b375f7e5825b9c05f500af438
2018-07-11 12:15:26 -07:00
Elliott Hughes
402c762fc9 Fix some long-standing UTF-8 bugs.
We we incorrectly rejecting U+fffe and U+ffff, and incorrectly accepting
characters above U+10ffff (see https://tools.ietf.org/html/rfc3629
section 12 for that restriction).

Bug: http://lists.landley.net/pipermail/toybox-landley.net/2017-September/009146.html
Test: ran tests
Test: also ran the exhaustive test from that email thread
Change-Id: I8ae8e41cef01b02933bd4f653ee07791932b79a5
2018-07-06 17:18:05 -07:00
Christopher Ferris
2e1a40a203 Change heap dump format slightly.
Bump the version from v1.1 to v1.2 and add a build fingerprint line.

Update the heap dump documentation to match the new format and reflect
what made it in P and what made it in Q.

Update the unit tests for this change.

Add -O0 to unit test code to make it easier to debug.

Add an external function that can be used by the framework code
so that there is only one way to dump the heap.

Bug: 110095681

Test: Ran unit tests.
Test: Did a dump of a real process and verified fingerprint.
Test: Did a dump of a process without malloc debug enabled.
Change-Id: I769a476cbeaf4c85c5d75bd6d6385f0e3add948c
Merged-In: I769a476cbeaf4c85c5d75bd6d6385f0e3add948c
(cherry picked from commit c84a2a2601)
2018-06-15 12:29:13 -07:00