62 Commits

Author SHA1 Message Date
Daniel Micay
fed2659869 add fortified implementations of fread/fwrite
A __size_mul_overflow utility is used to take advantage of the checked
overflow intrinsics in Clang and GCC (>= 5). The fallback for older
compilers is the optimized but less than ideal overflow checking pattern
used in OpenBSD.

Change-Id: Ibb0d4fd9b5acb67983e6a9f46844c2fd444f7e69
2015-07-23 18:55:46 -04:00
Yabin Cui
f1b4a5d510 Merge "Make tempnam/mktemp deprecated." 2015-02-26 02:17:17 +00:00
Yabin Cui
9b4f77f5cf Make tempnam/mktemp deprecated.
Bug: 19340053
Change-Id: Ib02c65814ef97cd1758fd8142b73736cc8bc1700
2015-02-25 15:42:01 -08:00
Yabin Cui
4add77b93c Merge "Make gets() deprecated." 2015-02-18 21:33:02 +00:00
Yabin Cui
913fcb274f Make gets() deprecated.
gets is already deprecated in glibc. Others with __warnattr are not deprecated.

Change-Id: I80a276d2b5964630218be47f1c94b146c0d31151
2015-02-18 12:20:32 -08:00
Elliott Hughes
68dc20d411 Implement _FILE_OFFSET_BITS (mostly).
I still don't think we can make stdio's fseeko and ftello work, but we can
have everything else, and very few programs use fseeko/ftello (and they can
just refrain from using _FILE_OFFSET_BITS and be no worse off than they are
today).

Bug: 11865851
Change-Id: Ic3cb409aae6713f4b345de954bcc4241fcd969ec
2015-02-17 19:54:43 -08:00
Yabin Cui
784de4e50a Revert "Move use of __warnattr to __deprecated."
This reverts commit 4645c4f62df49d1ece5aabb7c9fa44ca34d30272.

Change-Id: I6c1062d54a4e2c4f41ce7a403e4e7840e6339146
2015-02-17 23:54:40 +00:00
Yabin Cui
4645c4f62d Move use of __warnattr to __deprecated.
clang doesn't support warning attribute. Replacing warning attribute with
deprecated attribute can achieve the same behavior whether compiled by
gcc or clang.

Bug: 19340053
Change-Id: I064432b81cf55212458edbc749eb72dc15a810fb
2015-02-17 14:14:45 -08:00
Elliott Hughes
1ed337dbdf Clean up SEEK_SET definitions.
If we lose the #ifndef, the compiler will tell us if the definitions
of SEEK_SET and friends ever get out of sync.

Change-Id: I357cabec7c9cd451c604342344f210bba20fb6bc
2015-02-02 14:02:09 -08:00
Elliott Hughes
168667c972 Add non-macro stdin/stdout/stderr too.
Various C and C++ standards explicitly say that stdin/stdout/stderr
should be macros, but glibc makes them global variables too. This
means it's possible to write code that uses those names as locals,
but that code (toybox being an example) won't build on bionic.

If we'd done this earlier, we could have hidden __sF for LP64, but
it's too late now.

Change-Id: I90cf8c73f52b66e1760b8fa2e135b9f9f9651230
2014-11-14 14:42:59 -08:00
Dan Albert
658727e111 Inline helpers need to be exported unmangled.
__open_2() is used by the fortify implementation of open(2) in
fcntl.h, and as such needs an unmangled C name. For some reason
(inlining?), this doesn't cause problems at the default optimization
level, but does for -O0.

The rest of these didn't cause build failures, but they look suspect
and probably will, we just haven't caught them yet.

Bug: 17784968
Change-Id: I7391a7a8999ee204eaf6abd14a3d5373ea419d5b
2014-10-07 16:46:47 -07:00
Elliott Hughes
2ad11a96a1 Fix some 32-bit-isms in <stdio.h>.
(cherry-pick of 2d80400a9e8454038a3ec29959436184be0c4c65.)

Bug: 17157793
Change-Id: I8290e240b92e5617f4c12c0eacad6e622e677b6a
2014-09-17 15:21:10 -07:00
Elliott Hughes
6b841db2ba Add POSIX-2008 fmemopen, open_memstream, and open_wmemstream.
Bug: 17164505
Change-Id: I59e28a08ff8b6ab632230b11a5807cfd5278aeb5
2014-08-20 17:03:46 -07:00
Elliott Hughes
2b021e1066 Add <stdio_ext.h> for elfutils.
Bug: 17139679
Change-Id: I1605ac382dbb6f23b2d874dbb9769f3cde4a6a99
2014-08-20 10:23:52 -07:00
Elliott Hughes
2cfb4e8e2e Improve <sys/cdefs.h>.
Fix and use __RENAME (and lose ___RENAME --- two underscores should be
enough for anybody). This was the point of this change, because I want
to use __RENAME to support the two basename variants and the two
strerror_r variants.

Lose a bunch of macros that weren't being used.

Lose three dead files from the DNS code.

Change-Id: I3ef645c566b16a52217bc2e68c7d54b37c7c9522
2014-08-18 14:45:42 -07:00
Elliott Hughes
df85f50b82 Add an obvious comment to <stdio.h> for fixincludes.
We don't want GCC's fixincludes to touch our <stdio.h> because we
want to support multiple platform versions with one toolchain. Give
them a nice easy unambiguous string to look for.

Bug: http://code.google.com/p/android/issues/detail?id=73728
Change-Id: I15cb9a2c9eb0a44b0965dc2139f224f2b6e68ea1
2014-08-06 09:03:52 -07:00
Elliott Hughes
f4c1a36a45 Remove declarations for things that don't exist.
The <grp.h> ones prevent gdb from building out of the box.

Change-Id: I0efbffad2215cfcd75b4d442dfc972444b51d97c
2014-07-29 16:57:47 -07:00
Dan Albert
9635046e53 Hide declaration of gets(3) for C11 and later.
gets(3) was removed from C11.

This reverts commit 1291680c2a0c23b2163198d27e00261ca206298b.

Bug: 14500800
Change-Id: I5e5146bdbb80f2be818a17f287b112bab37d1f6d
2014-06-17 17:37:06 -07:00
Dan Albert
1291680c2a Revert "Hide declaration of gets(3) for C11 and later."
Breaks stlport. checkbuild lied to me?

This reverts commit c0ce5908277a9bf18628946629dba4277e9a2281.

Change-Id: I72fb21aba7eaea96a7c3208236fd03411527fa5e
2014-06-17 23:28:38 +00:00
Dan Albert
c0ce590827 Hide declaration of gets(3) for C11 and later.
gets(3) was removed from C11.

Change-Id: I4040a8a6c6d5d2a86878e8a80ca67964fbbb82a8
2014-06-17 15:52:07 -07:00
Dan Albert
37b845f9e4 Merge "Remove declaration for putw(3)/getw(3)." 2014-06-12 05:34:11 +00:00
Dan Albert
8e613cf342 Remove declaration for putw(3)/getw(3).
These were both removed from POSIX 2004, and we don't define an
implementation for getw(3). Keep the definition of put(3) on LP32 for
binary compatibility.

Bug: 13935372
Change-Id: Iba384b45093ac6d2d7c2d81f7980cd7701dd6f56
2014-06-11 14:41:45 -07:00
Dan Albert
cd32219c5b Remove declarations related to cuserid(3).
cuserid(3) was removed from POSIX 2004, and we don't have an
implementation anyway.

Bug: 13935372
Change-Id: I7ac7cde931ba802d0d5b917c22f5116618b21d2f
2014-06-11 13:20:18 -07:00
Elliott Hughes
fcac8ff97f Switch to POSIX dprintf/vdprintf.
Bug: 11156955
Change-Id: I734bd02db514367ab119a48304aae9767958e367
2014-05-22 11:27:06 +01:00
Nick Kralevich
7eb28b59c7 FORTIFY_SOURCE: don't define s?printf macros if already defined
Clang specific: Don't #define sprintf and snprintf macros if they
are already defined.

Change-Id: I30fc507d898377e1b8a57a65a147926229e0f9e2
2014-03-18 17:03:38 -07:00
Elliott Hughes
f2cea021ab Clean up <stdio.h> macros.
Also neuter __isthreaded.

We should come back to try to hide struct FILE's internals for LP64.

Bug: 3453512
Bug: 3453550
Change-Id: I7e115329fb4579246a72fea367b9fc8cb6055d18
2014-03-13 14:54:53 -07:00
Elliott Hughes
cd0609f4fc Allow GCC-built fortified code to run on a clang-built bionic.
Even though code built with clang won't be fully fortified
and won't contain calls to our various helpers, binaries built
with GCC will.

Change-Id: I389b2f1e22a3e89b22aadedc46397bf704f9ca79
2013-12-19 14:20:22 -08:00
Elliott Hughes
c13fb75cea Move bionic over to GCC's 'warning' attribute.
This is a better solution than the old __warn_references because it's
a compile-time rather than link-time warning, it doesn't rely on something
that doesn't appear to be supported by gold (which is why you only used
to see these warnings on mips builds), and the errors refer to the exact
call site(s) rather than just telling you which object file contains a
reference to the bad function.

This is primarily so we can build bionic for aarch64; building libc.so
caused these warnings to fire (because link time is the wrong time) and
warnings are errors.

Change-Id: I5df9281b2a9d98b164a9b11807ea9472c6faa9e3
2013-12-17 20:43:30 -08:00
Elliott Hughes
f8fcfbc85a Move away from the __ARCH_WANT_SYSCALL_NO_AT system calls.
Modern architectures only get the *at(2) system calls. For example,
aarch64 doesn't have open(2), and expects userspace to use openat(2)
instead.

Change-Id: I87b4ed79790cb8a80844f5544ac1a13fda26c7b5
2013-10-22 16:31:01 -07:00
Stephen Hines
6e38072add Wrap sprintf()/snprintf() macros to prevent expansion errors.
Previously, FORTIFY_SOURCE used single macros to define these standard
functions for use with clang. This can cause conflicts with other macros used
to call these functions, particularly when those macros expand the number of
arguments to the function. This change wraps our macro definitions, so that
expansion properly takes place for programmer arguments first.

Change-Id: I55929b1fd2a643b9d14a17631c4bcab3b0b712cf
2013-10-11 12:14:49 -07:00
Nick Kralevich
c8ae8bd941 stdio.h: enable vs?printf clang FORTIFY_SOURCE
Enable FORTIFY_SOURCE protections under clang for the following
functions:

  * vsprintf
  * vsnprintf

and add unittests.

Change-Id: I90f8a27f7b202c78b5dd8ebf53050bf9e33496f7
2013-06-27 09:17:48 -07:00
Nick Kralevich
621b19dddb libc: enable FORTIFY_SOURCE snprintf under clang
Change-Id: I8b8059782a720104722b0841994b38f873ed02aa
2013-06-25 10:02:35 -07:00
Nick Kralevich
c6eb985454 libc: enable sprintf FORTIFY_SOURCE under clang
clang doesn't support __builtin_va_arg_pack(), so we have
to use #define instead.

Change-Id: I2ee75e6267d60cdf997fee6b9b0547bf68f062a1
2013-06-24 14:10:29 -07:00
Nick Kralevich
16d1af167f libc: add limited FORTIFY_SOURCE support for clang
In 829c089f83ddee37203b52bcb294867a9ae7bdbc, we disabled all
FORTIFY_SOURCE support when compiling under clang. At the time,
we didn't have proper test cases, and couldn't easily create targeted
clang tests.

This change re-enables FORTIFY_SOURCE support under clang for a
limited set of functions, where we have explicit unittests available.
The functions are:

* memcpy
* memmove
* strcpy
* strncpy
* strcat
* strncat
* memset
* strlen (with modifications)
* strchr (with modifications)
* strrchr (with modifications)

It may be possible, in the future, to enable other functions. However,
I need to write unittests first.

For strlen, strchr, and strrchr, clang unconditionally calls the
fortified version of the relevant function. If it doesn't know the
size of the buffer it's dealing with, it passes in ((size_t) -1),
which is the largest possible size_t.

I added two new clang specific unittest files, primarily copied
from fortify?_test.cpp.

I've also rebuilt the entire system with these changes, and didn't
observe any obvious problems.

Change-Id: If12a15089bb0ffe93824b485290d05b14355fcaa
2013-06-18 12:14:20 -07:00
Nick Kralevich
b24c0637d0 libc: Introduce __errordecl()
Define __errordecl and replace __attribute__((__error__("foo")))
with __errordecl. Make sure __errordecl is a no-op on clang, as it
generates a compile time warning.

Change-Id: Ifa1a2d3afd6881de9d479fc2adac6737871a2949
2013-06-18 12:13:52 -07:00
Elliott Hughes
d04c183979 Add more __restricts, clean up __format__ attributes.
Change-Id: I7e2d270cc722d339d221eaea92747eaff3b51403
2013-05-14 16:08:43 -07:00
Nick Kralevich
9020fd503c libc: upgrade some libc functions to _FORTIFY_SOURCE=2
Upgrade the following functions:

* vsnprintf
* vsprintf
* snprintf
* fgets
* strcpy
* strcat
* strncat
* strlcpy
* strlcat
* strlen
* strchr

Change-Id: Icc036fc7f0bb317e05f7c051617887a1601271aa
2013-04-30 11:31:35 -07:00
Nick Kralevich
78d6d9888c libc: upgrade sprintf to _FORTIFY_SOURCE=2
Upgrade sprintf to fortify_source level 2, to catch
additional security bugs.

Change-Id: Ibc957d65e4cb96152de84b3745a04e00fa22659e
2013-04-29 16:41:54 -07:00
Elliott Hughes
890c8ed6ef Fix builds where _FORTIFY_SOURCE is off.
Also add a more intention-revealing guard so we don't have loads of
places checking whether our inlining macro is defined.

Change-Id: I168860cedcfc798b07a5145bc48a125700265e47
2013-03-22 10:58:55 -07:00
Elliott Hughes
41b3179c9e Unit tests for formatting code, fix %%.
Also fix <signal.h> and <stdio.h> so they don't cause compiler warnings.

Change-Id: Ib1a746bf01de22d47dbd964de0e6af80a7c96303
2013-01-28 10:36:31 -08:00
Elliott Hughes
3975cec694 Remove (near-)duplicate definitions of size_t and ssize_t.
The near duplicates upset fussier compilers that insist that
typedefs be exactly the same, but the fix isn't to make all
copies identical...

Change-Id: Icfdace41726f36ec33c9ae919dbb5a54d3529cc9
2012-11-29 17:25:23 -08:00
Elliott Hughes
ce45fea03d Add missing BEGIN_DECLS/END_DECLS for FORTIFY_SOURCE stdio prototypes.
Change-Id: I35ceb09fedf873c5e98e1e26efce5e4f00a17e74
2012-10-22 16:10:27 -07:00
Elliott Hughes
7d56ccbfaa Always take GCC's definition of NULL.
There's a (bad) definition of NULL in <linux/stddef.h>, and this
definition of NULL, and the One True definition in the <stddef.h> provided
by the compiler. This change at least kills one of the bad duplicates.
Killing the <linux/stddef.h> one is harder, because it's in a generated
file.

Change-Id: Iea4ccb12d6758199f312ea9cd753b84322d5c471
2012-10-01 17:56:58 -07:00
Elliott Hughes
0cc0d250fd Remove useless #defines and incorrect claims from header files.
The various __need_* macros were write-only.

Change-Id: Id3cca34188e0801fdf93a038b22f2817226ad9c2
2012-10-01 15:12:40 -07:00
Elliott Hughes
422b6ef92c Define ssize_t if necessary.
Change-Id: I63801cc1f09be5e4ca20a6da7ec3366ba6441afd
2012-09-28 10:15:52 -07:00
Irina Tirdea
eac9eb462e Add getdelim(3) and getline(3) to bionic
Some userspace programs (e.g. perf) need getline.

Changes:
() add getdelim.c, getline.c from NetBSD (http://netbsd.org/) under the
NetBSD Foundation's (TNF) license ("2 clause" Berkeley-style license).
() add stub for reentrant.h header that is needed by getdelim.c
() add tests for getdelim(3) and getline(3).
() update NOTICE file.

Change-Id: I22ed82dd5904b9d7a3695535c04f502be3c27c5d
Signed-off-by: Irina Tirdea <irina.tirdea@intel.com>
2012-09-27 11:38:57 -07:00
Nick Kralevich
829c089f83 disable _FORTIFY_SOURCE under clang
Clang and _FORTIFY_SOURCE are just plain incompatible with
each other.  First of all, clang doesn't understand the
__attribute__((gnu_inline)) header. Second of all,
Clang doesn't have support for __builtin_va_arg_pack()
and __builtin_va_arg_pack_len() (see
http://clang.llvm.org/docs/UsersManual.html#c_unimpl_gcc)

Until we can resolve these issues, don't even try using
_FORTIFY_SOURCE under clang.

Change-Id: I81c2b8073bb3276fa9a4a6b93c427b641038356a
2012-08-29 12:47:41 -07:00
Nick Kralevich
9b6cc223a3 FORTIFY_SOURCE: introduce __BIONIC_FORTIFY_UNKNOWN_SIZE macro
Replace all occurrences of "(size_t) -1" with a
__BIONIC_FORTIFY_UNKNOWN_SIZE macro.

Change-Id: I0b188f6cf31417d2dbef0e1bd759de3f9782873a
2012-07-13 14:49:33 -07:00
Nick Kralevich
965dbc6405 FORTIFY_SOURCE: add fgets support.
Change-Id: I8c3410a90c71a3336c4ac8581618fa9330edf5e3
2012-07-09 09:57:18 -07:00
Nick Kralevich
9b549c39c9 FORTIFY_SOURCE: add sprintf / vsprintf support
sprintf FORTIFY_SOURCE protections are not available
on clang.

Also add various __attribute__s to stdio functions.

Change-Id: I936d1f9e55fe53a68885c4524b7b59e68fed218d
2012-06-13 09:14:30 -07:00