When using a FILE object for some malloc debug functions, calling
fprintf will trigger an allocation to be put in the object. The problem
is that these allocations were not allocated by the malloc debug
wrapper and they get freed during the fclose as if they are malloc
debug allocation. In most cases, the code will detect the bad pointer
and leak the memory, but it might also cause a crash.
The fix is to avoid using fprintf so that no allocations are made
in the object that survive and need to be freed in the fclose call.
Change the MallocXmlElem.h to use a file decsriptor not a FILE object.
Add new unit and system tests to detect this case.
Bug: 143742907
Test: Ran unit and system tests.
Test: Ran bionic unit tests.
Change-Id: I524392de822a29483aa5be8f14c680e70033eba2
This will activate code in bionic that uses the experimental MTE
userspace interface.
Bug: 135772972
Change-Id: I9ac641b9528de5376cdb920bee0e900a1b1fa9c2
This is actually for the new change I'm working on, but let's retrofit
it first to separate any bugs in these changes from those in the new
change...
Test: treehugger
Change-Id: I890aeb61f9792810a77ad0da3f9674c9cc5db7bb
This flag prevents the compiler from inserting calls to libc functions in
the ifunc resolver code, which will definitely cause problems if the libc
function is itself an ifunc, but other calls that use the PLT may also be
affected, since libc may not have been fully resolved yet. As it turns out,
newer versions of clang will insert calls to memcmp in the body of the
init_cpu_variant() function in arch-arm/dynamic_function_dispatch.cpp.
Change-Id: I91f18d450835adc4b74565e9f48d5834f594a0c4
r334928 | kib | 2018-06-10 10:54:44 -0700 (Sun, 10 Jun 2018) | 16 lines
libc qsort(3): stop aliasing.
Qsort swap code aliases the sorted array elements to ints and longs in
order to do swap by machine words. Unfortunately this breaks with the
full code optimization, e.g. LTO.
See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83201 which seems to
reference code directly copied from libc/stdlib/qsort.c.
PR: 228780
Reported by: mliska@suse.cz
Reviewed by: brooks
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D15714
Test: treehugger
Change-Id: Iac608b13bbf8a2dcb48c935a7871c0d2f05bff79
As it turns out, our "generic" arm64 implementations of certain string.h
functions are not actually generic, since they will eagerly read memory
possibly outside of the bounds of an MTE granule, which may lead to a segfault
on MTE-enabled hardware. Therefore, move the implementations into a "default"
directory and use ifuncs to select between them and a new set of "mte"
implementations, conditional on whether the hardware and kernel support MTE.
The MTE implementations are currently naive implementations written in C
but will later be replaced with a set of optimized assembly implementations.
Bug: 135772972
Change-Id: Ife37c4e0e6fd60ff20a34594cc09c541af4d1dd7
r293856 | brooks | 2016-01-13 13:50:08 -0800 (Wed, 13 Jan 2016) | 10 lines
Avoid reading pass the end of the source buffer when it is not NUL
terminated.
If this buffer is adjacent to an unmapped page or a version of C with
bounds checked is used this may result in a crash.
PR: 206178
Submitted by: Alexander Cherepanov <cherepan@mccme.ru>
MFC after: 1 week
and
r293855 | brooks | 2016-01-13 13:49:01 -0800 (Wed, 13 Jan 2016) | 10 lines
Avoid reading pass the end of the source buffer when it is not NUL
terminated.
If this buffer is adjacent to an unmapped page or a version of C with
bounds checked is used this may result in a crash.
PR: 206177
Submitted by: Alexander Cherepanov <cherepan@mccme.ru>
MFC after: 1 week
Test: treehugger
Change-Id: I3f7b9e6d0648574d2836f7721dfe47c1bae146de
r342757 | kevans | 2019-01-03 19:13:24 -0800 (Thu, 03 Jan 2019) | 19 lines
getopt_long(3): fix case of malformed long opt
When presented with an arg string like '-l-', getopt_long will successfully
parse out the 'l' short option, then proceed to match '--' against the first
longopts entry as it later does a strncmp with len=0. This latter bit is
arguably another bug in itself, but presumably not a practical issue as all
callers of parse_long_options are already doing the right thing (except this
one pointed out).
An opt string like '-l-' should be considered malformed and throw a bad
argument rather than behaving as if '--' were passed. It cannot possibly do
what the invoker expects, and it's probably the result of a typo (ls -l- a)
rather than any intent.
Reported by: Tony Overfield <toverfield@yahoo.com>
Reviewed by: imp
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D18616
Test: treehugger
Change-Id: I593713bc35d70eb1975c9d7587528f2b3f9731af
r325389 | kib | 2017-11-04 03:52:58 -0700 (Sat, 04 Nov 2017) | 7 lines
C++17 requires quick_exit(3) to be async-signal safe.
Make it safe, and update man page with the useful information.
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Test: treehugger
Change-Id: Idf84b1f1e360c031b0e39d5f6e80d17308db1940
Upstream keeps rearranging the deckchairs for these, so let's just
switch to the [roughly] one-liners rather than track that...
Test: treehugger
Change-Id: If655cf7a7f316657de44d41fadd43a8c55ee6f23
In order for an ifunc resolver to detect the presence of certain CPU features,
access to getauxval(AT_HWCAP) or getauxval(AT_HWCAP2) may be required. In order
for getauxval() to work, it needs to access the pointer to the auxiliary vector
stored by the linker in the libc shared globals data structure. Accessing the
shared globals requires libc to call the __libc_shared_globals() function
exported by the linker. However, in order to call this function, libc must
be fully relocated, which is not guaranteed to be the case at the point when
ifunc resolvers are called.
glibc solves this problem by passing the values of getauxval(AT_HWCAP)
(and getauxval(AT_HWCAP2) on aarch64) as arguments to the ifunc resolver.
Since this seems to be not only the most straightforward way to solve the
problem but also improves our compatibility with glibc, we adopt their
calling convention.
This change is ABI compatible with old resolvers because the arguments are
passed in registers, so the old resolvers will simply ignore the new arguments.
Bug: 135772972
Change-Id: Ie65bd6e7067f0c878df3d348c815fda61dc12de2
arm32 has two special APIs to find exidx exception handling info,
dl_unwind_find_exidx and __gnu_Unwind_Find_exdix. The two functions have
identical behavior and function prototypes. libgcc's arm32 unwinder calls
__gnu_Unwind_Find_exdix, whereas LLVM's libunwind previously called
__gnu_Unwind_Find_exdix, but switched to dl_unwind_find_exidx as a result
of three patches (D30306, D30681, D39468).
In Bionic, for dynamic linking, __gnu_Unwind_Find_exdix in libc.so calls
dl_unwind_find_exidx in libdl.so.
For static executables, though, __gnu_Unwind_Find_exdix in libc.a used the
__exidx_* symbols, while dl_unwind_find_exidx in libdl.a(libdl_static.o)
was a return-0 no-op.
To fix the LLVM unwinder, replace the no-op dl_unwind_find_exidx in
libdl.a with a real function in libc.a(exidx_static.o), and have the GNU
function call the dl function for more consistency with dynamic linking.
dl_iterate_phdr follows a similar pattern, where the function exists in
libc.a and libdl.so (not libc.so or libdl.a).
This change makes unwinding work with an updated libunwind_llvm on arm32,
and it helps to allow unwinding in static executables without libdl.a.
Bug: https://github.com/android/ndk/issues/1094
Bug: http://b/141485154
Test: NDK tests, bionic unit tests
Change-Id: Ieeeb9b39a0e28544e21f9afe6fe51ef10d7c828c
At heart a revert of "Don't #define __ANDROID_NDK__ for the platform build!",
which was commit eb61430374.
The original change was insufficiently motivated, and meant that the
NDK -- not just the platform -- no longer defines __ANDROID_NDK__. Which
then broke at least building toybox with NDK r19.
Change-Id: Ic616688e4d17d25714a9ef381269d7431deac9b0
* changes:
libc: remove now-unused FORTIFY functions
fortify: remove last uses of __bos_trivially_not*
fortify(string): emit diagnostics regardless of API level
fortify(fcntl): emit diagnostics regardless of API level
As of I2037548cc2061e46c379931588194c21dfe234b4, these are no longer
used. Since they're new in R, we can remove them instead of keeping
backwards compat 'forever'. Take that opportunity now.
Bug: 141267932
Test: TreeHugger
Change-Id: I13f94cdcff6e75ad19b964be76445f113f79559b
Since we're using the gt/ge ones a lot now, having `not` versions
probably just adds to confusion. Swap out their remaining uses and
delete them.
Bug: 141267932
Test: m checkbuild on internal-master
Change-Id: I2107ae65007a4995e4fa23371fefe4db7547f43b
HWASan-instrumented code needs TLS_SLOT_SANITIZER set up to run, and
that is not done until the new thread calls __hwasan_thread_enter. Block
all signals until that time to prevent hwasan-instrumented signal
handlers running (and crashing) on the new thread.
Bug: 141893397
Test: seq 0 10000000 | xargs -n 1 -P 200 adb shell am instrument \
-w -r -e command grant-all \
com.android.permissionutils/.PermissionInstrumentation
(cherry picked from commit d181585dd5)
Change-Id: Id65fae836edcacdf057327ccf16cf0b5e0f9474a
The libs are not available for platform. Thus removing
'//apex_available:platform' from the apex_available property. However,
since there are test modules that statically links the libs, we
exceptionally make the static variant of the libs available to the
platform.
Test: m
Test: mm under bionic does not create
out/target/product/<name>/system/lib[64]/libc_malloc_[debug|hooks].so
Change-Id: Ia6d473658c4231b04b5db511f9dacbbdf0f207b0
The bionic libs are now restricted to be in the runtime APEX and the
platform (for bootstrapping). It can still be referenced from other
APEXes but can't be included there.
Bug: 139870423
Test: m
Change-Id: I7f99eef27ccf75844ca5c9a7ea866496841b738f
The NDK doesn't support anything older than API level 16, so remove some
more clutter.
Test: builds
Change-Id: If257a27841396af001b089b7ae0fbd8c3e0128e4
The NDK only supports >= 16, so remove anything older than that to avoid
giving the misleading impression that such old targets are still
supported.
(This change doesn't touch <unistd.h>. I'll follow up with that once the
outstanding FORTIFY changes to that file are in.)
Test: builds
Change-Id: I6cc6ecdb99fe228a4afa71f78e5fd45309ba9786
