add fortified implementations of write/pwrite{,64}

These are just based on the read/pread{,64} implementations with the
function calls and error messages adjusted as appropriate. The only
difference is that the buffer parameters are const.

Change-Id: Ida1597a903807f583f230d74bcedffdb7b24fcf6
This commit is contained in:
Daniel Micay 2015-07-20 21:37:29 -04:00
parent 7e919daeaa
commit afdd15456a
8 changed files with 285 additions and 1 deletions

View File

@ -79,6 +79,8 @@ libc_common_src_files += \
bionic/__poll_chk.cpp \
bionic/__pread64_chk.cpp \
bionic/__pread_chk.cpp \
bionic/__pwrite64_chk.cpp \
bionic/__pwrite_chk.cpp \
bionic/__read_chk.cpp \
bionic/__readlink_chk.cpp \
bionic/__readlinkat_chk.cpp \
@ -95,6 +97,7 @@ libc_common_src_files += \
bionic/__umask_chk.cpp \
bionic/__vsnprintf_chk.cpp \
bionic/__vsprintf_chk.cpp \
bionic/__write_chk.cpp
libc_bionic_ndk_src_files := \
bionic/abort.cpp \

View File

@ -0,0 +1,44 @@
/*
* Copyright (C) 2015 The Android Open Source Project
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
* OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#undef _FORTIFY_SOURCE
#include <unistd.h>
#include "private/libc_logging.h"
extern "C" ssize_t __pwrite64_chk(int fd, const void* buf, size_t count, off64_t offset,
size_t buf_size) {
if (__predict_false(count > buf_size)) {
__fortify_chk_fail("pwrite64: prevented read past end of buffer", 0);
}
if (__predict_false(count > SSIZE_MAX)) {
__fortify_chk_fail("pwrite64: count > SSIZE_MAX", 0);
}
return pwrite64(fd, buf, count, offset);
}

View File

@ -0,0 +1,44 @@
/*
* Copyright (C) 2015 The Android Open Source Project
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
* OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#undef _FORTIFY_SOURCE
#include <unistd.h>
#include "private/libc_logging.h"
extern "C" ssize_t __pwrite_chk(int fd, const void* buf, size_t count, off_t offset,
size_t buf_size) {
if (__predict_false(count > buf_size)) {
__fortify_chk_fail("pwrite: prevented read past end of buffer", 0);
}
if (__predict_false(count > SSIZE_MAX)) {
__fortify_chk_fail("pwrite: count > SSIZE_MAX", 0);
}
return pwrite(fd, buf, count, offset);
}

View File

@ -0,0 +1,43 @@
/*
* Copyright (C) 2015 The Android Open Source Project
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
* OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#undef _FORTIFY_SOURCE
#include <unistd.h>
#include "private/libc_logging.h"
extern "C" ssize_t __write_chk(int fd, const void* buf, size_t count, size_t buf_size) {
if (__predict_false(count > buf_size)) {
__fortify_chk_fail("write: prevented read past end of buffer", 0);
}
if (__predict_false(count > SSIZE_MAX)) {
__fortify_chk_fail("write: count > SSIZE_MAX", 0);
}
return write(fd, buf, count);
}

View File

@ -238,11 +238,26 @@ __errordecl(__pread64_dest_size_error, "pread64 called with size bigger than des
__errordecl(__pread64_count_toobig_error, "pread64 called with count > SSIZE_MAX");
extern ssize_t __pread64_real(int, void*, size_t, off64_t) __RENAME(pread64);
extern ssize_t __pwrite_chk(int, const void*, size_t, off_t, size_t);
__errordecl(__pwrite_dest_size_error, "pwrite called with size bigger than destination");
__errordecl(__pwrite_count_toobig_error, "pwrite called with count > SSIZE_MAX");
extern ssize_t __pwrite_real(int, const void*, size_t, off_t) __RENAME(pwrite);
extern ssize_t __pwrite64_chk(int, const void*, size_t, off64_t, size_t);
__errordecl(__pwrite64_dest_size_error, "pwrite64 called with size bigger than destination");
__errordecl(__pwrite64_count_toobig_error, "pwrite64 called with count > SSIZE_MAX");
extern ssize_t __pwrite64_real(int, const void*, size_t, off64_t) __RENAME(pwrite64);
extern ssize_t __read_chk(int, void*, size_t, size_t);
__errordecl(__read_dest_size_error, "read called with size bigger than destination");
__errordecl(__read_count_toobig_error, "read called with count > SSIZE_MAX");
extern ssize_t __read_real(int, void*, size_t) __RENAME(read);
extern ssize_t __write_chk(int, const void*, size_t, size_t);
__errordecl(__write_dest_size_error, "write called with size bigger than destination");
__errordecl(__write_count_toobig_error, "write called with count > SSIZE_MAX");
extern ssize_t __write_real(int, const void*, size_t) __RENAME(write);
extern ssize_t __readlink_chk(const char*, char*, size_t, size_t);
__errordecl(__readlink_dest_size_error, "readlink called with size bigger than destination");
__errordecl(__readlink_size_toobig_error, "readlink called with size > SSIZE_MAX");
@ -342,6 +357,62 @@ ssize_t pread64(int fd, void* buf, size_t count, off64_t offset) {
return __pread64_chk(fd, buf, count, offset, bos);
}
#if defined(__USE_FILE_OFFSET64)
#define __PWRITE_PREFIX(x) __pwrite64_ ## x
#else
#define __PWRITE_PREFIX(x) __pwrite_ ## x
#endif
__BIONIC_FORTIFY_INLINE
ssize_t pwrite(int fd, const void* buf, size_t count, off_t offset) {
size_t bos = __bos0(buf);
#if !defined(__clang__)
if (__builtin_constant_p(count) && (count > SSIZE_MAX)) {
__PWRITE_PREFIX(count_toobig_error)();
}
if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
return __PWRITE_PREFIX(real)(fd, buf, count, offset);
}
if (__builtin_constant_p(count) && (count > bos)) {
__PWRITE_PREFIX(dest_size_error)();
}
if (__builtin_constant_p(count) && (count <= bos)) {
return __PWRITE_PREFIX(real)(fd, buf, count, offset);
}
#endif
return __PWRITE_PREFIX(chk)(fd, buf, count, offset, bos);
}
__BIONIC_FORTIFY_INLINE
ssize_t pwrite64(int fd, const void* buf, size_t count, off64_t offset) {
size_t bos = __bos0(buf);
#if !defined(__clang__)
if (__builtin_constant_p(count) && (count > SSIZE_MAX)) {
__pwrite64_count_toobig_error();
}
if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
return __pwrite64_real(fd, buf, count, offset);
}
if (__builtin_constant_p(count) && (count > bos)) {
__pwrite64_dest_size_error();
}
if (__builtin_constant_p(count) && (count <= bos)) {
return __pwrite64_real(fd, buf, count, offset);
}
#endif
return __pwrite64_chk(fd, buf, count, offset, bos);
}
__BIONIC_FORTIFY_INLINE
ssize_t read(int fd, void* buf, size_t count) {
size_t bos = __bos0(buf);
@ -367,6 +438,33 @@ ssize_t read(int fd, void* buf, size_t count) {
return __read_chk(fd, buf, count, bos);
}
__BIONIC_FORTIFY_INLINE
ssize_t write(int fd, const void* buf, size_t count) {
size_t bos = __bos0(buf);
#if !defined(__clang__)
#if 0 /* work around a false positive due to a missed optimization */
if (__builtin_constant_p(count) && (count > SSIZE_MAX)) {
__write_count_toobig_error();
}
#endif
if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
return __write_real(fd, buf, count);
}
if (__builtin_constant_p(count) && (count > bos)) {
__write_dest_size_error();
}
if (__builtin_constant_p(count) && (count <= bos)) {
return __write_real(fd, buf, count);
}
#endif
return __write_chk(fd, buf, count, bos);
}
__BIONIC_FORTIFY_INLINE
ssize_t readlink(const char* path, char* buf, size_t size) {
size_t bos = __bos(buf);

View File

@ -1337,6 +1337,9 @@ LIBC_N {
__fread_chk;
__fwrite_chk;
__getcwd_chk;
__pwrite_chk;
__pwrite64_chk;
__write_chk;
getgrgid_r;
getgrnam_r;
} LIBC;

View File

@ -21,6 +21,7 @@
#include <poll.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
@ -248,7 +249,7 @@ void test_fread_too_big() {
}
void test_fwrite_overflow() {
char buf[4];
char buf[4] = {0};
// NOLINTNEXTLINE(whitespace/line_length)
// GCC: error: call to '__fwrite_overflow' declared with attribute error: fwrite called with overflowing size * count
// clang should emit a warning, but doesn't
@ -270,3 +271,27 @@ void test_getcwd() {
// clang should emit a warning, but doesn't
getcwd(buf, 5);
}
void test_pwrite64_size() {
char buf[4] = {0};
// NOLINTNEXTLINE(whitespace/line_length)
// GCC: error: call to '__pwrite64_dest_size_error' declared with attribute error: pwrite64 called with size bigger than destination
// clang should emit a warning, but doesn't
pwrite64(STDOUT_FILENO, buf, 5, 0);
}
void test_pwrite64_too_big() {
void *buf = calloc(atoi("5"), 1);
// NOLINTNEXTLINE(whitespace/line_length)
// GCC: error: call to '__pwrite64_count_toobig_error' declared with attribute error: pwrite64 called with count > SSIZE_MAX
// clang should emit a warning, but doesn't
pwrite64(STDOUT_FILENO, buf, SIZE_MAX, 0);
}
void test_write_size() {
char buf[4] = {0};
// NOLINTNEXTLINE(whitespace/line_length)
// GCC: error: call to '__write_dest_size_error' declared with attribute error: write called with size bigger than destination
// clang should emit a warning, but doesn't
write(STDOUT_FILENO, buf, 5);
}

View File

@ -645,6 +645,22 @@ TEST_F(DEATHTEST, pread64_fortified) {
close(fd);
}
TEST_F(DEATHTEST, pwrite_fortified) {
char buf[1] = {0};
size_t ct = atoi("2"); // prevent optimizations
int fd = open("/dev/null", O_WRONLY);
ASSERT_FORTIFY(pwrite(fd, buf, ct, 0));
close(fd);
}
TEST_F(DEATHTEST, pwrite64_fortified) {
char buf[1] = {0};
size_t ct = atoi("2"); // prevent optimizations
int fd = open("/dev/null", O_WRONLY);
ASSERT_FORTIFY(pwrite64(fd, buf, ct, 0));
close(fd);
}
TEST_F(DEATHTEST, read_fortified) {
char buf[1];
size_t ct = atoi("2"); // prevent optimizations
@ -653,6 +669,14 @@ TEST_F(DEATHTEST, read_fortified) {
close(fd);
}
TEST_F(DEATHTEST, write_fortified) {
char buf[1] = {0};
size_t ct = atoi("2"); // prevent optimizations
int fd = open("/dev/null", O_WRONLY);
ASSERT_EXIT(write(fd, buf, ct), testing::KilledBySignal(SIGABRT), "");
close(fd);
}
TEST_F(DEATHTEST, fread_fortified) {
char buf[1];
size_t ct = atoi("2"); // prevent optimizations