From 260bf8cfe00f83bc579dfe81c78b75bd9973f051 Mon Sep 17 00:00:00 2001 From: Nick Kralevich Date: Fri, 13 Jul 2012 11:27:06 -0700 Subject: [PATCH] FORTIFY_SOURCE: strlen check. This test is designed to detect code such as: int main() { char buf[10]; memcpy(buf, "1234567890", sizeof(buf)); size_t len = strlen(buf); // segfault here with _FORTIFY_SOURCE printf("%d\n", len); return 0; } or anytime strlen reads beyond an object boundary. This should help address memory leakage vulnerabilities and make other unrelated vulnerabilities harder to exploit. Change-Id: I354b425be7bef4713c85f6bab0e9738445e00182 --- libc/Android.mk | 1 + libc/include/string.h | 13 ++++++++ libc/string/__strlen_chk.c | 67 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 81 insertions(+) create mode 100644 libc/string/__strlen_chk.c diff --git a/libc/Android.mk b/libc/Android.mk index 0c4fa6a00..4ceb12f20 100644 --- a/libc/Android.mk +++ b/libc/Android.mk @@ -217,6 +217,7 @@ libc_common_src_files := \ string/__strcpy_chk.c \ string/__strlcat_chk.c \ string/__strlcpy_chk.c \ + string/__strlen_chk.c \ string/__strncat_chk.c \ string/__strncpy_chk.c \ wchar/wcpcpy.c \ diff --git a/libc/include/string.h b/libc/include/string.h index 269f7ac4e..842aa3922 100644 --- a/libc/include/string.h +++ b/libc/include/string.h @@ -216,6 +216,19 @@ size_t strlcat(char *dest, const char *src, size_t size) { return __strlcat_chk(dest, src, size, bos); } +__purefunc extern size_t __strlen_real(const char *) + __asm__(__USER_LABEL_PREFIX__ "strlen"); +extern size_t __strlen_chk(const char *, size_t); + +__BIONIC_FORTIFY_INLINE +size_t strlen(const char *s) { + size_t bos = __builtin_object_size(s, 0); + if (bos == (size_t) -1) { + return __strlen_real(s); + } + return __strlen_chk(s, bos); +} + #endif /* defined(__BIONIC_FORTIFY_INLINE) */ diff --git a/libc/string/__strlen_chk.c b/libc/string/__strlen_chk.c new file mode 100644 index 000000000..43e7e80e8 --- /dev/null +++ b/libc/string/__strlen_chk.c @@ -0,0 +1,67 @@ +/* + * Copyright (C) 2012 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include +#include +#include + +/* + * Runtime implementation of __strlen_chk. + * + * See + * http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html + * http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html + * for details. + * + * This strlen check is called if _FORTIFY_SOURCE is defined and + * greater than 0. + * + * This test is designed to detect code such as: + * + * int main() { + * char buf[10]; + * memcpy(buf, "1234567890", sizeof(buf)); + * size_t len = strlen(buf); // segfault here with _FORTIFY_SOURCE + * printf("%d\n", len); + * return 0; + * } + * + * or anytime strlen reads beyond an object boundary. + */ +size_t __strlen_chk(const char *s, size_t s_len) +{ + size_t ret = strlen(s); + + if (__builtin_expect(ret >= s_len, 0)) { + __libc_android_log_print(ANDROID_LOG_FATAL, "libc", + "*** strlen read overflow detected ***\n"); + abort(); + } + + return ret; +}