Commit Graph

27 Commits

Author SHA1 Message Date
Nick Kralevich
c37fc1ab6a FORTIFY_SOURCE: revert memcpy changes.
Performance regressions.  Hopefully this is a temporary
rollback.

Bug: 6821003
Change-Id: I84abbb89e1739d506b583f2f1668f31534127764
2012-07-13 17:58:37 -07:00
Nick Kralevich
260bf8cfe0 FORTIFY_SOURCE: strlen check.
This test is designed to detect code such as:

int main() {
  char buf[10];
  memcpy(buf, "1234567890", sizeof(buf));
  size_t len = strlen(buf); // segfault here with _FORTIFY_SOURCE
  printf("%d\n", len);
  return 0;
}

or anytime strlen reads beyond an object boundary. This should
help address memory leakage vulnerabilities and make other
unrelated vulnerabilities harder to exploit.

Change-Id: I354b425be7bef4713c85f6bab0e9738445e00182
2012-07-13 13:49:59 -07:00
Nick Kralevich
b2060b027c FORTIFY_SOURCE: restore __memcpy_chk()
In our previous FORTIFY_SOURCE change, we started using a custom
inline for memcpy(), rather than using GCC's __builtin_memcpy_chk().
This allowed us to delete our copy of __memcpy_chk(), and replace it
by __memcpy_chk2().

Apparently GCC uses __memcpy_chk() outside of __builtin_memcpy_chk().
Specifically, __memcpy_chk() is used by __builtin__memMOVE_chk() under
certain optimization levels.

Keep the old __memcpy_chk() function around, and have it call into
__memcpy_chk2().

Change-Id: I2453930b24b8a492a3b6ed860e18d92a6b762b80
2012-07-13 13:49:45 -07:00
Nick Kralevich
f3913b5b68 FORTIFY_SOURCE: enhanced memcpy protections.
Two changes:

1) Detect memory read overruns.

For example:

int main() {
  char buf[10];
  memcpy(buf, "abcde", sizeof(buf));
  sprintf("%s\n", buf);
}

because "abcde" is only 6 bytes, copying 10 bytes from it is a bug.
This particular bug will be detected at compile time.  Other similar
bugs may be detected at runtime.

2) Detect overlapping buffers on memcpy()

It is a bug to call memcpy() on buffers which overlap. For
example, the following code is buggy:

  char buf3[0x800];
  char *first_half  = &buf3[0x400];
  char *second_half = &buf3[1];
  memset(buf3, 0, sizeof(buf3));
  memcpy(first_half, second_half, 0x400);
  printf("1: %s\n", buf3);

We now detect this at compile and run time.

Change-Id: I092bd89f11f18e08e8a9dda0ca903aaea8e06d91
2012-07-12 15:38:15 -07:00
Nick Kralevich
e64259e860 memmove: Don't call memcpy if regions overlap
memmove() unconditionally calls memcpy() if "dst" < "src". For
example, in the code below, memmove() would end up calling memcpy(),
even though the regions of memory overlap.

int main() {
  char buf3[0x800];
  char *dst  = &buf3[1];
  char *src = &buf3[0x400];
  memset(buf3, 0, sizeof(buf3));
  memmove(dst, src, 0x400);
  printf("1: %s\n", buf3);
  return 0;
}

Calling memcpy() on overlaping regions only works if you assume
that memcpy() copies from start to finish. On some architectures,
it's more efficient to call memcpy() from finish to start.

This is also triggering a failure in some of my code.

More reading:
* http://lwn.net/Articles/414467/
* https://bugzilla.redhat.com/show_bug.cgi?id=638477#c31 (comment 31)

Change-Id: I65a51ae3a52dd4af335fe5c278056b8c2cbd8948
2012-07-11 17:46:03 -07:00
Nick Kralevich
8df49ad246 FORTIFY_SOURCE: add strlcpy / strlcat support
Add strlcpy / strlcat support to FORTIFY_SOURCE. This allows
us to do consistency checks on to ensure we don't overflow buffers
when the compiler is able to tell us the size of the buffer we're
dealing with.

Unlike previous changes, this change DOES NOT use the compiler's
builtin support. Instead, we do everything the compiler would
normally do.

Change-Id: I47c099a911382452eafd711f8e9bfe7c2d0a0d22
2012-06-14 12:52:42 -07:00
Geremy Condra
009f38478e Added actual event logging calls to the FORTIFY_SOURCE methods.
Change-Id: I3bf4fa8678c33187cb8ce4b75e666ddcd24403ab
2012-06-11 11:30:56 -07:00
Nick Kralevich
76656afc6d _FORTIFY_SOURCE: check for integer overflows
Ensure that strcat / strncat check for integer overflows
when computing the length of the resulting string.

Change-Id: Ib806ad33a0d3b50876f384bc17787a28f0dddc37
2012-06-08 20:18:19 -07:00
Nick Kralevich
71a18dd435 _FORTIFY_SOURCE: add memset / bzero support
Add _FORTIFY_SOURCE support for the following functions:

* memset
* bzero

Move the __BIONIC_FORTIFY_INLINE definition to cdefs.h so it
can be used from multiple header files.

Change-Id: Iead4d5e35de6ec97786d58ee12573f9b11135bb7
2012-06-07 14:19:52 -07:00
Nick Kralevich
0a2301598c libc: implement some FORTIFY_SOURCE functions
Add initial support for -D_FORTIFY_SOURCE to bionic for the
following functions:

* memcpy
* memmove
* strcpy
* strcat
* strncpy
* strncat

This change adds a new version of the above functions which passes
the size of the destination buffer to __builtin___*_chk.

If the compiler can determine, at compile time, that the destination
buffer is large enough, or the destination buffer can point to an object
of unknown size, then the check call is bypassed.

If the compiler can't make a compile time decision, then it calls
the __*_chk() function, which does a runtime buffer size check

These options are only enabled if the code is compiled with
-D_FORTIFY_SOURCE=1 or 2, and only when optimizations are enabled.

Please see
* http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
* http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html

for additional details on FORTIFY_SOURCE.

Testing: Compiled the entire Android tree with -D_FORTIFY_SOURCE=1,
and verified that everything appears to be working properly.
Also created a test buffer overflow, and verified that it was
caught by this change.

Change-Id: I4fddb445bafe92b16845b22458d72e6dedd24fbc
2012-06-05 15:44:31 -07:00
Bruce Beare
cb1df91616 string: Fix wrong comparison semantics
Chars are signed for x86 -- correct the comparison semantics.

Change-Id: I2049e98eb063c0b4e83ea973d3fcae49c6817dde
Author: Liubov Dmitrieva <liubov.dmitrieva@intel.com>
Signed-off-by: Bruce Beare <bruce.j.beare@intel.com>
2011-12-05 18:37:10 -08:00
Elliott Hughes
bf018299bd Fix strerror(3) for errno 0.
Everyone else's C library says "Success". We say "Unknown error: 0", which
isn't really true.

Change-Id: I9f9054779123eda996634e5f7a277789b6805809
2011-05-13 10:54:34 -07:00
Johannes Carlsson
0f67de14e6 Use more optimized version of memmove
On ARM there is currently no assembler optimized memmove in libc.
There is however a more optimized bcopy which copies long instead
of bytes where possible. This almost doubles the performance in
best case.

Change-Id: I1f1cd27529443358047c385730deaf938ce4e642
2011-02-03 15:17:13 +01:00
David 'Digit' Turner
5b81b91817 libc: optimize memmove() with memcpy() if possible.
Change-Id: I90e578fdc82e427caee8fa4157ce3f8c6c99926d
2010-10-07 11:03:32 +02:00
Marco Nelissen
af00228b70 Revert "libc: memmove(): non-overlapping block optim."
This reverts commit 80fba9a2fe,
which caused the system to not boot anymore, aborting with:
"java.lang.RuntimeException: Missing static main on com.android.server.SystemServer".

Change-Id: I745e0a23c728cccf5f95a3c7642d544478a4e57e
2010-09-28 10:24:20 -07:00
David 'Digit' Turner
80fba9a2fe libc: memmove(): non-overlapping block optim.
Change-Id: I5652f4f97ca59d95176443fc27c737ef76258183
2010-09-27 17:34:41 +02:00
rich cannings
e44cb1a35c Fix return value.
Return a valid pointer (not NULL) when the character "c" is at the end of "src".

Change-Id: Iab0b677943f2c8a9fbb255c44689f5d6dc3535d7
Example:
  memccpy(dest, "xzy", 'y', 3) should return dest+3 rather than null.
2010-08-31 15:19:38 -07:00
David Turner
d791da7943 Merge "string: tidy up strndup()" 2010-05-10 14:52:02 -07:00
David Turner
8ab5b02b5f Merge changes Ibdc6e3c8,I9bcb91a2
* changes:
  Correct generic memset implementation
  Generic memcpy should define MEMCOPY before including bcopy.c
2010-03-29 15:05:47 -07:00
Chris Dearman
bdc6e3c83f Correct generic memset implementation
Signed-off-by: Chris Dearman <chris@mips.com>
2010-02-05 15:13:55 -08:00
Chris Dearman
9bcb91a212 Generic memcpy should define MEMCOPY before including bcopy.c
Signed-off-by: Chris Dearman <chris@mips.com>
2010-02-05 15:13:55 -08:00
André Goddard Rosa
aba3ee7d32 string: tidy up strndup()
It decreases code size:
   text    data     bss     dec     hex filename
    161       0       0     161      a1 strndup-BEFORE.o
    153       0       0     153      99 strndup-AFTER.o

Signed-off-by: André Goddard Rosa <andre.goddard@gmail.com>
2010-01-30 22:29:59 -02:00
André Goddard Rosa
30a419afc3 improve readability of string: fix indentation and remove trailing spaces
Signed-off-by: André Goddard Rosa <andre.goddard@gmail.com>
2010-01-30 22:28:49 -02:00
The Android Open Source Project
1dc9e472e1 auto import from //depot/cupcake/@135843 2009-03-03 19:28:35 -08:00
The Android Open Source Project
1767f908af auto import from //depot/cupcake/@135843 2009-03-03 18:28:13 -08:00
The Android Open Source Project
9f65adf2ba auto import from //branches/cupcake/...@130745 2009-02-10 15:43:56 -08:00
The Android Open Source Project
a27d2baa0c Initial Contribution 2008-10-21 07:00:00 -07:00