Two changes:
1) Detect memory read overruns.
For example:
int main() {
char buf[10];
memcpy(buf, "abcde", sizeof(buf));
sprintf("%s\n", buf);
}
because "abcde" is only 6 bytes, copying 10 bytes from it is a bug.
This particular bug will be detected at compile time. Other similar
bugs may be detected at runtime.
2) Detect overlapping buffers on memcpy()
It is a bug to call memcpy() on buffers which overlap. For
example, the following code is buggy:
char buf3[0x800];
char *first_half = &buf3[0x400];
char *second_half = &buf3[1];
memset(buf3, 0, sizeof(buf3));
memcpy(first_half, second_half, 0x400);
printf("1: %s\n", buf3);
We now detect this at compile and run time.
Change-Id: I092bd89f11f18e08e8a9dda0ca903aaea8e06d91
memmove() unconditionally calls memcpy() if "dst" < "src". For
example, in the code below, memmove() would end up calling memcpy(),
even though the regions of memory overlap.
int main() {
char buf3[0x800];
char *dst = &buf3[1];
char *src = &buf3[0x400];
memset(buf3, 0, sizeof(buf3));
memmove(dst, src, 0x400);
printf("1: %s\n", buf3);
return 0;
}
Calling memcpy() on overlaping regions only works if you assume
that memcpy() copies from start to finish. On some architectures,
it's more efficient to call memcpy() from finish to start.
This is also triggering a failure in some of my code.
More reading:
* http://lwn.net/Articles/414467/
* https://bugzilla.redhat.com/show_bug.cgi?id=638477#c31 (comment 31)
Change-Id: I65a51ae3a52dd4af335fe5c278056b8c2cbd8948
libc's stack protector initialization routine (__guard_setup)
is in bionic/ssp.c. This code deliberately modifies the stack
canary. This code should never be compiled with -fstack-protector-all
otherwise it will crash (mismatched canary value).
Force bionic/ssp.c to be compiled with -fno-stack-protector
Change-Id: Ib95a5736e4bafe1a460d6b4e522ca660b417d8d6
limits.h relies on PAGE_SIZE being defined without actually including
page.h. Make sure this is included to avoid compilation failures.
Signed-off-by: Arun Raghavan <arun.raghavan@collabora.co.uk>
Add fortify_source support for openat(). This change requires that
an argument be supplied when using O_CREAT.
Fix unnecessary call to __open_2. If, at compile time, we know that
"flags" is constant and DOESN'T contain O_CREAT, the call to __open_2
is useless.
Change-Id: Ifcd29c4fb25e25656961d7552d672e161f0cfdbd
Since linker is built with -fvisibility=hidden rtld_db_dlactivity()
if hidden from gdb. Unhide it otherwise gdb may not know linker
activity and rescan solib
Change-Id: Ia8cd8d9738c6ea5696ba2ef0ebf2cf783f9ca70a
Prefix private functions with underscores, to prevent name
conflicts.
Use __error__ instead of error, since occasionally programs will
create their own "#define error ...".
Change-Id: I7bb171df58aec5627e61896032a140db547fd95d
Add a FORTIFY_SOURCE check which requires that you pass a
"mode" argument when calling open(..., O_CREAT). If a mode isn't
passed, then the file is created with "undefined" permissions.
Change-Id: I4427be4f9ce170c69da01af5b00fb05b03613a28
Use the functions in linker_phdr.c to load the PT_LOAD segments
in memory, and toggle their mapping's writable protection bit
as needed. In particular:
- when loading a library, load the segments then unprotected
them to allow relocations to work.
- when relocating the linker of the executable, unprotect
the segments loaded by the kernel to make relocations work
too.
- after all relocations are done, re-protect the segments,
and apply GNU RELRO protection if needed.
- just before calling the destructors, undo the GNU RELRO
protection.
Change-Id: I50e709f03958204b8d6140c0f51ebe24fe089a1b
This moves the code that determines where the .dynamic and .ARM.exidx
sections are to a single place in soinfo_link_image().
Change-Id: I98adcb440577bed86442349f03f3c629c945efec
This patch changes the definition of the 'load_offset' field
in struct soinfo. The field is renamed because it is not the
basic load bias to add to every p_vaddr value read from the ELF
file to get the corresponding memory address.
This also slightly simplifies the relocation code.
+ Fix for proper load_bias computation for relocatable executables.
Change-Id: I72502c75a70751cba324deee7d313ae61f96609e
This patch changes the load_library() function in the
dynamic linker to avoid reserving a huge read-only
address-space range just to read the ELF header and
program header (which are typically very small and easily
fit in the first page).
Instead, we use the functions in linker_phdr.c to only
load the data that we need in a temporary mmap-allocated
page of memory, which we release when the function exits.
This avoids issues when loading very large libraries, or
simply debug versions that only need to load a tiny percentage
of their overall file content in RAM.
Change-Id: Id3a189fad2119a870a1b3d43dd81380c54ea6044
This patch introduces two new source files containing a set of functions
to manage the program header table in an ELF binary, including the ability
to load PT_LOAD segments, and apply PT_GNU_RELRO protection.
Note: the files are not used currently, this will appear in a series
of future patches that will gradually modify linker.c to use
the phdr_table_xxx functions properly.
Change-Id: Ia3d4c1ff5fc3e265d8258b64b492f4e643f51bdc
Update headers for MSM MDP, MSM KGSL and MSM
rotator to match the version in the Linux
3.4 kernel baseline
Change-Id: I37052486be8c8862e65cac1f6934368ecc055a76
With -fstack-protector, x86 -m32 needs __stack_chk_fail_local
defined in crtbegin_*.o.
Include __stack_chk_fail_local.S in begin.S otherwise linker
(which is built w/o crt*) may not link.
Change-Id: Id242fcf3eff157264afe3b04f27288ab7991220a
