Commit Graph

2163 Commits

Author SHA1 Message Date
Elliott Hughes
856512ea9c Use std=gnu99 for the dynamic linker as well as libc.
Change-Id: I76dd78576c5af6eb6282555f069647b6260edc31
2012-07-16 09:43:14 -07:00
Elliott Hughes
fabddfe833 Merge "limits.h: Include page.h when relying on PAGE_SIZE" 2012-07-16 09:39:24 -07:00
Nick Kralevich
b0f0d4276d Merge "FORTIFY_SOURCE: revert memcpy changes." 2012-07-16 08:24:32 -07:00
Nick Kralevich
c37fc1ab6a FORTIFY_SOURCE: revert memcpy changes.
Performance regressions.  Hopefully this is a temporary
rollback.

Bug: 6821003
Change-Id: I84abbb89e1739d506b583f2f1668f31534127764
2012-07-13 17:58:37 -07:00
Nick Kralevich
e1d909f71e Merge "FORTIFY_SOURCE: introduce __BIONIC_FORTIFY_UNKNOWN_SIZE macro" 2012-07-13 15:06:56 -07:00
Nick Kralevich
147b0690a9 Merge "FORTIFY_SOURCE: strlen check." 2012-07-13 15:06:41 -07:00
Nick Kralevich
ad7f966281 Merge "FORTIFY_SOURCE: restore __memcpy_chk()" 2012-07-13 14:52:26 -07:00
Nick Kralevich
9b6cc223a3 FORTIFY_SOURCE: introduce __BIONIC_FORTIFY_UNKNOWN_SIZE macro
Replace all occurances of "(size_t) -1" with a
__BIONIC_FORTIFY_UNKNOWN_SIZE macro.

Change-Id: I0b188f6cf31417d2dbef0e1bd759de3f9782873a
2012-07-13 14:49:33 -07:00
Nick Kralevich
260bf8cfe0 FORTIFY_SOURCE: strlen check.
This test is designed to detect code such as:

int main() {
  char buf[10];
  memcpy(buf, "1234567890", sizeof(buf));
  size_t len = strlen(buf); // segfault here with _FORTIFY_SOURCE
  printf("%d\n", len);
  return 0;
}

or anytime strlen reads beyond an object boundary. This should
help address memory leakage vulnerabilities and make other
unrelated vulnerabilities harder to exploit.

Change-Id: I354b425be7bef4713c85f6bab0e9738445e00182
2012-07-13 13:49:59 -07:00
Nick Kralevich
b2060b027c FORTIFY_SOURCE: restore __memcpy_chk()
In our previous FORTIFY_SOURCE change, we started using a custom
inline for memcpy(), rather than using GCC's __builtin_memcpy_chk().
This allowed us to delete our copy of __memcpy_chk(), and replace it
by __memcpy_chk2().

Apparently GCC uses __memcpy_chk() outside of __builtin_memcpy_chk().
Specifically, __memcpy_chk() is used by __builtin__memMOVE_chk() under
certain optimization levels.

Keep the old __memcpy_chk() function around, and have it call into
__memcpy_chk2().

Change-Id: I2453930b24b8a492a3b6ed860e18d92a6b762b80
2012-07-13 13:49:45 -07:00
Nick Kralevich
88bfc28ac4 Merge "FORTIFY_SOURCE: enhanced memcpy protections." 2012-07-13 07:57:58 -07:00
Nick Kralevich
f3913b5b68 FORTIFY_SOURCE: enhanced memcpy protections.
Two changes:

1) Detect memory read overruns.

For example:

int main() {
  char buf[10];
  memcpy(buf, "abcde", sizeof(buf));
  sprintf("%s\n", buf);
}

because "abcde" is only 6 bytes, copying 10 bytes from it is a bug.
This particular bug will be detected at compile time.  Other similar
bugs may be detected at runtime.

2) Detect overlapping buffers on memcpy()

It is a bug to call memcpy() on buffers which overlap. For
example, the following code is buggy:

  char buf3[0x800];
  char *first_half  = &buf3[0x400];
  char *second_half = &buf3[1];
  memset(buf3, 0, sizeof(buf3));
  memcpy(first_half, second_half, 0x400);
  printf("1: %s\n", buf3);

We now detect this at compile and run time.

Change-Id: I092bd89f11f18e08e8a9dda0ca903aaea8e06d91
2012-07-12 15:38:15 -07:00
Nick Kralevich
86a4fca0b4 Merge "memmove: Don't call memcpy if regions overlap" 2012-07-12 10:06:28 -07:00
Nick Kralevich
e64259e860 memmove: Don't call memcpy if regions overlap
memmove() unconditionally calls memcpy() if "dst" < "src". For
example, in the code below, memmove() would end up calling memcpy(),
even though the regions of memory overlap.

int main() {
  char buf3[0x800];
  char *dst  = &buf3[1];
  char *src = &buf3[0x400];
  memset(buf3, 0, sizeof(buf3));
  memmove(dst, src, 0x400);
  printf("1: %s\n", buf3);
  return 0;
}

Calling memcpy() on overlaping regions only works if you assume
that memcpy() copies from start to finish. On some architectures,
it's more efficient to call memcpy() from finish to start.

This is also triggering a failure in some of my code.

More reading:
* http://lwn.net/Articles/414467/
* https://bugzilla.redhat.com/show_bug.cgi?id=638477#c31 (comment 31)

Change-Id: I65a51ae3a52dd4af335fe5c278056b8c2cbd8948
2012-07-11 17:46:03 -07:00
Nick Kralevich
6334c662ca Don't use -fstack-protector on ssp.c
libc's stack protector initialization routine (__guard_setup)
is in bionic/ssp.c. This code deliberately modifies the stack
canary.  This code should never be compiled with -fstack-protector-all
otherwise it will crash (mismatched canary value).

Force bionic/ssp.c to be compiled with -fno-stack-protector

Change-Id: Ib95a5736e4bafe1a460d6b4e522ca660b417d8d6
2012-07-10 10:51:41 -07:00
Arun Raghavan
6331db3fd2 limits.h: Include page.h when relying on PAGE_SIZE
limits.h relies on PAGE_SIZE being defined without actually including
page.h. Make sure this is included to avoid compilation failures.

Signed-off-by: Arun Raghavan <arun.raghavan@collabora.co.uk>
2012-07-10 10:36:37 +05:30
Nick Kralevich
8f08e1c902 Merge "FORTIFY_SOURCE: Add openat, fix bug" 2012-07-09 12:55:32 -07:00
Nick Kralevich
a3e230d1fa FORTIFY_SOURCE: Add openat, fix bug
Add fortify_source support for openat(). This change requires that
an argument be supplied when using O_CREAT.

Fix unnecessary call to __open_2. If, at compile time, we know that
"flags" is constant and DOESN'T contain O_CREAT, the call to __open_2
is useless.

Change-Id: Ifcd29c4fb25e25656961d7552d672e161f0cfdbd
2012-07-09 12:30:40 -07:00
Nick Kralevich
a099e8e7d3 Merge "FORTIFY_SOURCE: add fgets support." 2012-07-09 12:28:35 -07:00
Andrew Hsieh
793e6aedf2 am 67636eea: am 40e7ed58: Unhide rtld_db_dlactivity()
* commit '67636eea20f7789e6689ee8cf6017e7d48735ca1':
  Unhide rtld_db_dlactivity()
2012-07-09 11:07:46 -07:00
Andrew Hsieh
67636eea20 am 40e7ed58: Unhide rtld_db_dlactivity()
* commit '40e7ed58d73eae59d0cf2fed61284d16692e307b':
  Unhide rtld_db_dlactivity()
2012-07-09 11:05:16 -07:00
Nick Kralevich
965dbc6405 FORTIFY_SOURCE: add fgets support.
Change-Id: I8c3410a90c71a3336c4ac8581618fa9330edf5e3
2012-07-09 09:57:18 -07:00
Andrew Hsieh
40e7ed58d7 Unhide rtld_db_dlactivity()
Since linker is built with -fvisibility=hidden rtld_db_dlactivity()
if hidden from gdb.  Unhide it otherwise gdb may not know linker
activity and rescan solib

Change-Id: Ia8cd8d9738c6ea5696ba2ef0ebf2cf783f9ca70a
2012-07-02 11:17:04 -07:00
Rebecca Schultz Zavin
2ddf77b377 Merge "Modify ion header" 2012-06-28 14:16:10 -07:00
Nick Kralevich
bd73eede46 Merge "FORTIFY_SOURCE: add open() checks" 2012-06-27 12:56:52 -07:00
Nick Kralevich
cb228fb4a9 libc: cleanups
Prefix private functions with underscores, to prevent name
conflicts.

Use __error__ instead of error, since occasionally programs will
create their own "#define error ...".

Change-Id: I7bb171df58aec5627e61896032a140db547fd95d
2012-06-26 16:05:19 -07:00
Nick Kralevich
8118f62a7d FORTIFY_SOURCE: add open() checks
Add a FORTIFY_SOURCE check which requires that you pass a
"mode" argument when calling open(..., O_CREAT). If a mode isn't
passed, then the file is created with "undefined" permissions.

Change-Id: I4427be4f9ce170c69da01af5b00fb05b03613a28
2012-06-26 15:19:12 -07:00
David 'Digit' Turner
b52e4385c4 linker: improve loadable segment protection.
Use the functions in linker_phdr.c to load the PT_LOAD segments
in memory, and toggle their mapping's writable protection bit
as needed. In particular:

  - when loading a library, load the segments then unprotected
    them to allow relocations to work.

  - when relocating the linker of the executable, unprotect
    the segments loaded by the kernel to make relocations work
    too.

  - after all relocations are done, re-protect the segments,
    and apply GNU RELRO protection if needed.

  - just before calling the destructors, undo the GNU RELRO
    protection.

Change-Id: I50e709f03958204b8d6140c0f51ebe24fe089a1b
2012-06-26 10:39:55 +02:00
David 'Digit' Turner
63f99f4a4e linker: simplify code for dynamic and ARM exidx sections.
This moves the code that determines where the .dynamic and .ARM.exidx
sections are to a single place in soinfo_link_image().

Change-Id: I98adcb440577bed86442349f03f3c629c945efec
2012-06-26 10:39:55 +02:00
David 'Digit' Turner
8941cfa17a Merge "linker: rename load_offset to load_bias." 2012-06-26 01:34:41 -07:00
David 'Digit' Turner
ff9ff758ad Merge "linker: avoid mapping the whole library before load." 2012-06-26 01:34:31 -07:00
David 'Digit' Turner
48d6c8ed23 Merge "linker: Add PAGE_START/OFFSET/END convenience macros" 2012-06-26 01:34:18 -07:00
David 'Digit' Turner
c6025b6047 Merge "linker: New sources to manage the ELF program header table." 2012-06-26 01:34:07 -07:00
Elliott Hughes
0ff08d22f0 am 5af97ca8: am c7bab8cb: Merge "Enable sqrtf() x86 assembly code"
* commit '5af97ca8514d9fb4175bff3a79abf26889b94530':
  Enable sqrtf() x86 assembly code
2012-06-25 14:09:42 -07:00
Elliott Hughes
5af97ca851 am c7bab8cb: Merge "Enable sqrtf() x86 assembly code"
* commit 'c7bab8cb8483e7869eabdbd4add7c9e5beeecc80':
  Enable sqrtf() x86 assembly code
2012-06-25 14:06:06 -07:00
Elliott Hughes
c7bab8cb84 Merge "Enable sqrtf() x86 assembly code" 2012-06-25 10:46:41 -07:00
David 'Digit' Turner
bea23e59f7 linker: rename load_offset to load_bias.
This patch changes the definition of the 'load_offset' field
in struct soinfo. The field is renamed because it is not the
basic load bias to add to every p_vaddr value read from the ELF
file to get the corresponding memory address.

This also slightly simplifies the relocation code.

+ Fix for proper load_bias computation for relocatable executables.

Change-Id: I72502c75a70751cba324deee7d313ae61f96609e
2012-06-25 11:52:40 +02:00
David 'Digit' Turner
23363ed750 linker: avoid mapping the whole library before load.
This patch changes the load_library() function in the
dynamic linker to avoid reserving a huge read-only
address-space range just to read the ELF header and
program header (which are typically very small and easily
fit in the first page).

Instead, we use the functions in linker_phdr.c to only
load the data that we need in a temporary mmap-allocated
page of memory, which we release when the function exits.

This avoids issues when loading very large libraries, or
simply debug versions that only need to load a tiny percentage
of their overall file content in RAM.

Change-Id: Id3a189fad2119a870a1b3d43dd81380c54ea6044
2012-06-25 11:52:40 +02:00
David 'Digit' Turner
a6545f4678 linker: Add PAGE_START/OFFSET/END convenience macros
This patch adds a few macros related to memory pages to help
clarify some of the code in linker.c

Change-Id: I36c727132d257b1497398dd0a9e8a5a4505467ca
2012-06-25 11:52:40 +02:00
David 'Digit' Turner
c1bd559d5b linker: New sources to manage the ELF program header table.
This patch introduces two new source files containing a set of functions
to manage the program header table in an ELF binary, including the ability
to load PT_LOAD segments, and apply PT_GNU_RELRO protection.

Note: the files are not used currently, this will appear in a series
      of future patches that will gradually modify linker.c to use
      the phdr_table_xxx functions properly.

Change-Id: Ia3d4c1ff5fc3e265d8258b64b492f4e643f51bdc
2012-06-25 11:52:40 +02:00
xqian6
29aa009924 Enable sqrtf() x86 assembly code
This patch can improve the sqrtf() performance.

Change-Id: Ic9d11d6a9ecd9b263f54d4878e13595e136b95ce
2012-06-25 16:20:09 +08:00
Evgeniy Stepanov
20bc061dc7 Add module base to main executable's ARM_exidx.
BUG:6697872

Change-Id: I448f4b86397307086231776da38a7af334a75fe5
2012-06-22 14:56:01 +04:00
Andrew Hsieh
63d0ceec75 am fa136e8c: am a5948157: Merge "Define __stack_chk_fail_local.S"
* commit 'fa136e8ca71cb20956cd1792251869cac8bed257':
  Define __stack_chk_fail_local.S
2012-06-20 19:00:55 -07:00
Andrew Hsieh
fa136e8ca7 am a5948157: Merge "Define __stack_chk_fail_local.S"
* commit 'a5948157fd34acb2b1d1bfaf129901af865ab5fc':
  Define __stack_chk_fail_local.S
2012-06-20 18:58:18 -07:00
Andrew Hsieh
a5948157fd Merge "Define __stack_chk_fail_local.S" 2012-06-20 18:37:48 -07:00
Andrew Hsieh
6973e3da87 Define __stack_chk_fail_local.S
With -fstack-protector, x86 -m32 needs __stack_chk_fail_local
defined in crtbegin_*.o.

Include __stack_chk_fail_local.S in begin.S otherwise linker
(which is built w/o crt*) may not link.

Change-Id: Id242fcf3eff157264afe3b04f27288ab7991220a
2012-06-21 09:26:33 +08:00
The Android Open Source Project
214feeba19 am effc607e: Reconcile with jb-release
* commit 'effc607e87add0aec14fefb4ac1c00d36559149a':
2012-06-20 08:28:23 -07:00
The Android Open Source Project
effc607e87 Reconcile with jb-release
Change-Id: Ia5de9692e507a605d3b6937ec65da26169a3ea8e
2012-06-20 08:25:32 -07:00
The Android Automerger
77093f2a8b merge in jb-release history after reset to jb-dev 2012-06-20 06:59:21 -07:00
David 'Digit' Turner
823aeb9294 Merge "linker: reduce size by nearly 20KB" 2012-06-19 14:51:28 -07:00