Commit Graph

23 Commits

Author SHA1 Message Date
Elliott Hughes
890c8ed6ef Fix builds where _FORTIFY_SOURCE is off.
Also add a more intention-revealing guard so we don't have loads of
places checking whether our inlining macro is defined.

Change-Id: I168860cedcfc798b07a5145bc48a125700265e47
2013-03-22 10:58:55 -07:00
Elliott Hughes
538f6fc202 Stop advertising rindex(3), which is both deprecated and unimplemented.
Change-Id: I3c775d9974e49c3f76a53e46e022659657b89034
2013-02-21 17:39:06 -08:00
Nick Kralevich
a44e9afdd1 FORTIFY_SOURCE: optimize
Don't do the fortify_source checks if we can determine, at
compile time, that the provided operation is safe.

This avoids silliness like calling fortify source on things like:

  size_t len = strlen("asdf");
  printf("%d\n", len);

and allows the compiler to optimize this code to:

  printf("%d\n", 4);

Defer to gcc's builtin functions instead of pointing our code
to the libc implementation.

Change-Id: I5e1dcb61946461c4afaaaa983e39f07c7a0df0ae
2013-01-17 15:41:33 -08:00
Nick Kralevich
5787475390 FORTIFY_SOURCE: remove memcpy overlap checks
These checks haven't been as useful as I hoped, and it's
causing a false positive finding.  Remove the overlap
compile time checks.

Change-Id: I5d45dde10ae4663d728230d41fa904adf20acaea
2012-12-07 09:57:01 -08:00
Nick Kralevich
9a4d305340 FORTIFY_SOURCE: fortify strrchr
This change compliments 049e58369c

Change-Id: I27d015d70a520713c7472558a3c427f546d36ee4
2012-12-03 10:39:16 -08:00
Nick Kralevich
049e58369c FORTIFY_SOURCE: fortify strchr
Detect when strchr reads off the end of a buffer.

Change-Id: I0e952eedcff5c36d646a9c3bc4e1337b959224f2
2012-11-30 15:19:15 -08:00
Nick Kralevich
829c089f83 disable _FORTIFY_SOURCE under clang
Clang and _FORTIFY_SOURCE are just plain incompatible with
each other.  First of all, clang doesn't understand the
__attribute__((gnu_inline)) header. Second of all,
Clang doesn't have support for __builtin_va_arg_pack()
and __builtin_va_arg_pack_len() (see
http://clang.llvm.org/docs/UsersManual.html#c_unimpl_gcc)

Until we can resolve these issues, don't even try using
_FORTIFY_SOURCE under clang.

Change-Id: I81c2b8073bb3276fa9a4a6b93c427b641038356a
2012-08-29 12:47:41 -07:00
Shih-wei Liao
d600617645 When compiling with clang, don't "fortify_source" the strlcpy and
strlcat.

Change-Id: I91f58322f28e425ab9d22b51c23fcd6b772ede97
2012-08-06 10:57:37 -07:00
Shih-wei Liao
9a3d53fad0 When compiling with clang, don't "fortify_source" the strlen.
At this point, FORTIFY_SOURCE and clang are just plain incompatible.
Need to solve the underlying incompatibility first.

Change-Id: I3366477d19461e1ec93b1c30e0c7e8145b391b9b
2012-08-06 09:50:56 -07:00
Nick Kralevich
c37fc1ab6a FORTIFY_SOURCE: revert memcpy changes.
Performance regressions.  Hopefully this is a temporary
rollback.

Bug: 6821003
Change-Id: I84abbb89e1739d506b583f2f1668f31534127764
2012-07-13 17:58:37 -07:00
Nick Kralevich
9b6cc223a3 FORTIFY_SOURCE: introduce __BIONIC_FORTIFY_UNKNOWN_SIZE macro
Replace all occurances of "(size_t) -1" with a
__BIONIC_FORTIFY_UNKNOWN_SIZE macro.

Change-Id: I0b188f6cf31417d2dbef0e1bd759de3f9782873a
2012-07-13 14:49:33 -07:00
Nick Kralevich
260bf8cfe0 FORTIFY_SOURCE: strlen check.
This test is designed to detect code such as:

int main() {
  char buf[10];
  memcpy(buf, "1234567890", sizeof(buf));
  size_t len = strlen(buf); // segfault here with _FORTIFY_SOURCE
  printf("%d\n", len);
  return 0;
}

or anytime strlen reads beyond an object boundary. This should
help address memory leakage vulnerabilities and make other
unrelated vulnerabilities harder to exploit.

Change-Id: I354b425be7bef4713c85f6bab0e9738445e00182
2012-07-13 13:49:59 -07:00
Nick Kralevich
f3913b5b68 FORTIFY_SOURCE: enhanced memcpy protections.
Two changes:

1) Detect memory read overruns.

For example:

int main() {
  char buf[10];
  memcpy(buf, "abcde", sizeof(buf));
  sprintf("%s\n", buf);
}

because "abcde" is only 6 bytes, copying 10 bytes from it is a bug.
This particular bug will be detected at compile time.  Other similar
bugs may be detected at runtime.

2) Detect overlapping buffers on memcpy()

It is a bug to call memcpy() on buffers which overlap. For
example, the following code is buggy:

  char buf3[0x800];
  char *first_half  = &buf3[0x400];
  char *second_half = &buf3[1];
  memset(buf3, 0, sizeof(buf3));
  memcpy(first_half, second_half, 0x400);
  printf("1: %s\n", buf3);

We now detect this at compile and run time.

Change-Id: I092bd89f11f18e08e8a9dda0ca903aaea8e06d91
2012-07-12 15:38:15 -07:00
Nick Kralevich
cb228fb4a9 libc: cleanups
Prefix private functions with underscores, to prevent name
conflicts.

Use __error__ instead of error, since occasionally programs will
create their own "#define error ...".

Change-Id: I7bb171df58aec5627e61896032a140db547fd95d
2012-06-26 16:05:19 -07:00
Nick Kralevich
8df49ad246 FORTIFY_SOURCE: add strlcpy / strlcat support
Add strlcpy / strlcat support to FORTIFY_SOURCE. This allows
us to do consistency checks on to ensure we don't overflow buffers
when the compiler is able to tell us the size of the buffer we're
dealing with.

Unlike previous changes, this change DOES NOT use the compiler's
builtin support. Instead, we do everything the compiler would
normally do.

Change-Id: I47c099a911382452eafd711f8e9bfe7c2d0a0d22
2012-06-14 12:52:42 -07:00
Nick Kralevich
71a18dd435 _FORTIFY_SOURCE: add memset / bzero support
Add _FORTIFY_SOURCE support for the following functions:

* memset
* bzero

Move the __BIONIC_FORTIFY_INLINE definition to cdefs.h so it
can be used from multiple header files.

Change-Id: Iead4d5e35de6ec97786d58ee12573f9b11135bb7
2012-06-07 14:19:52 -07:00
Nick Kralevich
0a2301598c libc: implement some FORTIFY_SOURCE functions
Add initial support for -D_FORTIFY_SOURCE to bionic for the
following functions:

* memcpy
* memmove
* strcpy
* strcat
* strncpy
* strncat

This change adds a new version of the above functions which passes
the size of the destination buffer to __builtin___*_chk.

If the compiler can determine, at compile time, that the destination
buffer is large enough, or the destination buffer can point to an object
of unknown size, then the check call is bypassed.

If the compiler can't make a compile time decision, then it calls
the __*_chk() function, which does a runtime buffer size check

These options are only enabled if the code is compiled with
-D_FORTIFY_SOURCE=1 or 2, and only when optimizations are enabled.

Please see
* http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
* http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html

for additional details on FORTIFY_SOURCE.

Testing: Compiled the entire Android tree with -D_FORTIFY_SOURCE=1,
and verified that everything appears to be working properly.
Also created a test buffer overflow, and verified that it was
caught by this change.

Change-Id: I4fddb445bafe92b16845b22458d72e6dedd24fbc
2012-06-05 15:44:31 -07:00
Nick Kralevich
a677907ee8 string.h: add __attribute__ ((pure)) to string functions
cdefs.h: Introduce the __purefunc attribute, which allows us to mark
certain functions as being "pure".

http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html

  Many functions have no effects except the return value and their
  return value depends only on the parameters and/or global variables.
  Such a function can be subject to common subexpression elimination
  and loop optimization just as an arithmetic operator would be.

string.h: Mark many commently used string functions as "pure", to
allow for additional compiler optimizations.

Change-Id: I42961f90f822b6dbcbc3fd72cdbe774a7adc8785
2012-03-21 08:54:54 -07:00
The Android Open Source Project
1dc9e472e1 auto import from //depot/cupcake/@135843 2009-03-03 19:28:35 -08:00
The Android Open Source Project
1767f908af auto import from //depot/cupcake/@135843 2009-03-03 18:28:13 -08:00
The Android Open Source Project
9f65adf2ba auto import from //branches/cupcake/...@130745 2009-02-10 15:43:56 -08:00
The Android Open Source Project
6d6c82c7a0 auto import from //branches/cupcake/...@125939 2009-01-09 17:50:54 -08:00
The Android Open Source Project
a27d2baa0c Initial Contribution 2008-10-21 07:00:00 -07:00