This brings us up to date with FreeBSD HEAD, fixes various bugs, unifies
the set of functions we support on ARM, MIPS, and x86, fixes "long double",
adds ISO C99 support, and adds basic unit tests.
It turns out that our "long double" functions have always been broken
for non-normal numbers. This patch fixes that by not using the upstream
implementations and just forwarding to the regular "double" implementation
instead (since "long double" on Android is just "double" anyway, which is
what BSD doesn't support).
All the tests pass on ARM, MIPS, and x86, plus glibc on x86-64.
Bug: 3169850
Bug: 8012787
Bug: https://code.google.com/p/android/issues/detail?id=6697
Change-Id: If0c343030959c24bfc50d4d21c9530052c581837
Replace a kernel header file dependency with files from NetBSD.
They're more complete, and ELF is ELF, whether you're on Linux or a BSD.
Bug: 7973611
Change-Id: I83ee719e7efdf432ec2ddbe8be271d05b2f558d7
prctl.h uses __BEGIN_DECLS but fails to include sys/cdefs.h
(where it's defined). Code which includes prctl.h without
previously including sys/cdefs.h will fail to compile.
Fixed.
Change-Id: If4c9f3308f08b93596dcd00e351ae786807e9320
Currently, system properties are passed via the environment
variable ANDROID_PROPERTY_WORKSPACE and a file descriptor passed
from parent to child. This is insecure for setuid executables,
as the environment variable can be changed by the caller.
Modify system property handling so that we get the properties
from a root owned properties file, rather than using an
environment variable. Fall back to the environment variable
if the file doesn't exist.
Bug: 8045561
Change-Id: I54f3efa98cf7d63d88788da5ce0d19e34fd7851a
Don't do the fortify_source checks if we can determine, at
compile time, that the provided operation is safe.
This avoids silliness like calling fortify source on things like:
size_t len = strlen("asdf");
printf("%d\n", len);
and allows the compiler to optimize this code to:
printf("%d\n", 4);
Defer to gcc's builtin functions instead of pointing our code
to the libc implementation.
Change-Id: I5e1dcb61946461c4afaaaa983e39f07c7a0df0ae
This property file is used for properties which are set at device
provisioning time or in the factory. They are never touched by
a software update or factory data reset and typically contain
data specific to the particular unit.
Change-Id: I2e7c2fe62cb684cb2449eea917c42b19462e89a5
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Add signalfd() call to bionic.
Adding the signalfd call was done in 3 steps:
- add signalfd4 system call (function name and syscall
number) to libc/SYSCALLS.TXT
- generate all necessary headers by calling
libc/tools/gensyscalls.py. This patch is adding
the generated files since the build system
does not call gensyscalls.py.
- create the signalfd wrapper in signalfd.cpp and add
the function prototype to sys/signalfd.h
(cherry-pick of 0c11611c11, modified to
work with older versions of GCC still in use on some branches.)
Change-Id: I4c6c3f12199559af8be63f93a5336851b7e63355
Spotted while running the tests on MIPS, where sigset_t is
actually large enough. The bits in sigset_t are used such that
signal 1 is represented by bit 0, so the range of signals is
actually [1, 8*sizeof(sigset_t)]; it seems clearer to reword
the code in terms of valid bit offsets [0, 8*sizeof(sigset_t)),
which leads to the usual bounds checking idiom.
Change-Id: Id899c288e15ff71c85dd2fd33c47f8e97aa1956f
Previously we'd been relying on getting the machine-specific <endian.h>
instead of the top-level <endian.h>, and <sys/endian.h> was basically broken.
Now, with this patch and the previous patch we should have <endian.h>
and <sys/endian.h> behaving the same. This is basically how NetBSD's endian.h
works, and was probably how ours was originally intended to work.
Bug: http://code.google.com/p/android/issues/detail?id=39824
Change-Id: I71de5a507e633de166013a658b5764df9e1aa09c
These checks haven't been as useful as I hoped, and it's
causing a false positive finding. Remove the overlap
compile time checks.
Change-Id: I5d45dde10ae4663d728230d41fa904adf20acaea
You could argue that this is hurting people smart enough to have manually
allocated a large-enough sigset_t, but those people are smart enough to
implement their own sigset functions too.
I wonder whether our least unpleasant way out of our self-inflicted 32-bit
cesspool is to have equivalents of _FILE_OFFSET_BITS such as _SIGSET_T_BITS,
so calling code could opt in? You'd have to be careful passing sigset_t
arguments between code compiled with different options.
Bug: 5828899
Change-Id: I0ae60ee8544835b069a2b20568f38ec142e0737b
The near duplicates upset fussier compilers that insist that
typedefs be exactly the same, but the fix isn't to make all
copies identical...
Change-Id: Icfdace41726f36ec33c9ae919dbb5a54d3529cc9
Define the macros ACCESSPERMS, ALLPERMS and DEFFILEMODE.
These macros originates from BSD but has been available in glibc
for quite some time.
Change-Id: I429cd30aa4e73f53b153ee7740070cebba166c57
__WINT_TYPE__ type provided by gcc. It references to unsigned int
type for android and linux. Patch corrects wint_t typedef to
__WINT_TYPE__.
Signed-off-by: Sergey Melnikov <sergey.melnikov@intel.com>
Change-Id: Iabeb9fcb0b7bb303a8b220043e339126f125dd68
The declaration for alphasort() in <dirent.h> used the deprecated:
int alphasort(const void*, const void*);
while both Posix and GLibc use instead:
int alphasort(const struct dirent** a, const struct dirent** b);
See: http://pubs.opengroup.org/onlinepubs/9699919799/functions/alphasort.html
This patch does the following:
- Update the declaration to match Posix/GLibc
- Get rid of the upstream BSD code which isn't compatible with the new
signature.
- Implement a new trivial alphasort() with the right signature, and
ensure that it uses strcoll() instead of strcmp().
- Remove Bionic-specific #ifdef .. #else .. #endif block in
dirent_test.cpp which uses alphasort().
Even through strcoll() currently uses strcmp(), this does the right
thing in the case where we decide to update strcoll() to properly
implement locale-specific ordered comparison.
Change-Id: I4fd45604d8a940aaf2eb0ecd7d73e2f11c9bca96
This patch updates the C library headers to provide ucontext_t
definitions for three architectures.
+ Fix <signal.h> to always define 'struct sigcontext'.
The new declarations are announced with new macros defined in
<sys/cdefs.h> in order to make it easier to adapt client code
that already defines its own, incompatible, versions of the
structures seen here.
http://code.google.com/p/android/issues/detail?id=34784
Change-Id: Ie78c48690a4ce61c50593f6c39639be7fead3596
LONG_LONG_MIN, LONG_LONG_MAX and ULONG_LONG_MAX are
GLibc-specific macros that are better defined in <limits.h>
instead of the current exotic location (<pthread.h>).
Note that GCC's <limits.h> only defines these macros
when __GNU_LIBRARY__ is also defined. This is only the
case when building against GLibc, so manually redefine
the macros here.
Note that using LLONG_MIN/LLONG_MAX/ULLONG_MAX is the
C99-compliant way to get these values, but it's easier
to define these compatibility macros for the sake of
porting existing code.
Change-Id: I8023918d73b4685238054932f94a4006c1ca7d03
perf_event_open syscall has a different syscall number for
the 3 supported architectures: arm, x86 and mips. Currenlty
only the arm syscall number is defined for all architectures.
Tracing tools like perf will not work on other architectures
than arm.
Add the different values for perf_event_open on x86 and mips
and run gensyscalls.py to update generated headers.
Change-Id: I2ed78bd42c0e5df8dbc51d784be49cccda5fab30
Author: Irina Tirdea <irina.tirdea@intel.com>
Signed-off-by: Irina Tirdea <irina.tirdea@intel.com>
Signed-off-by: Shuo Gao <shuo.gao@intel.com>
Signed-off-by: Bruce Beare <bruce.j.beare@intel.com>
Signed-off-by: Jack Ren <jack.ren@intel.com>
There's a (bad) definition of NULL in <linux/stddef.h>, and this
definition of NULL, and the One True definition in the <stddef.h> provided
by the compiler. This change at least kills one of the bad duplicates.
Killing the <linux/stddef.h> one is harder, because it's in a generated
file.
Change-Id: Iea4ccb12d6758199f312ea9cd753b84322d5c471
Some userspace programs (e.g. perf) need getline.
Changes:
() add getdelim.c, getline.c from NetBSD (http://netbsd.org/) under the
NetBSD Foundation's (TNF) license ("2 clause" Berkeley-style license).
() add stub for reentrant.h header that is needed by getdelim.c
() add tests for getdelim(3) and getline(3).
() update NOTICE file.
Change-Id: I22ed82dd5904b9d7a3695535c04f502be3c27c5d
Signed-off-by: Irina Tirdea <irina.tirdea@intel.com>
This makes the constants correspond to those in the Linux kernel's
include/linux/syslog.h, but keeping our old badly-named constants for
source compatibility.
Change-Id: Ia47d1299205754cbfffd29ed48b497b53d1edaae
Please see "man 3 ftw" for a description of the
ftw / nftw functions.
This code is taken directly from netbsd unmodified.
Change-Id: Ia4879ac57212b424adf5281b5e92858e216d0f14
Note that the Linux kernel handed over responsibility for most of the
socket constants to glibc some time ago. Someone had updated our
external/kernel-headers file but not regenerated the bionic headers,
so this change copies the missing stuff from the old bionic <linux/socket.h>
into <sys/socket.h>. This is what glibc does.
I've hacked a few of the other files to #include <sys/socket.h> for
backward compatibility, but even so this requires numerous other
changes to switch people over from direct inclusion of <linux/...> headers.
Change-Id: I0e4af64e631d3cef911a31d90f2f806e058278a0
Add ttydefaults.h bionic. Some userspace programs (e.g. perf) need the
definitions from this file. This header file is copied from NetBSD
(http://netbsd.org/) under the NetBSD Foundation's (TNF) license (“2 clause”
Berkeley-style license).
Change-Id: I9c862415b52b710f25adb1629a699627cd715775
Signed-off-by: Irina Tirdea <irina.tirdea@intel.com>
Add getsid() system call to bionic for
all architectures. This is needed for various tools
(e.g. perf).
Adding the getsid system call was done in 3 steps:
() add getsid system call (function name and syscall
number) to libc/SYSCALLS.TXT
() generate all necessary headers by calling
libc/tools/gensyscalls.py. This patch is adding
the generated files since the build system
does not call gensyscalls.py.
() add the system call signature to libc/include/unistd.h
Change-Id: Id69a257e13ec02e1a44085a6b217a3f19ab025b1
Signed-off-by: Irina Tirdea <irina.tirdea@intel.com>
Clang and _FORTIFY_SOURCE are just plain incompatible with
each other. First of all, clang doesn't understand the
__attribute__((gnu_inline)) header. Second of all,
Clang doesn't have support for __builtin_va_arg_pack()
and __builtin_va_arg_pack_len() (see
http://clang.llvm.org/docs/UsersManual.html#c_unimpl_gcc)
Until we can resolve these issues, don't even try using
_FORTIFY_SOURCE under clang.
Change-Id: I81c2b8073bb3276fa9a4a6b93c427b641038356a
Move dlmalloc code to upstream-dlmalloc to make pulling upstream changes
easier.
Declare pvalloc and malloc_usable_size routines present in malloc.h but with
missing implementations. Remove other functions from malloc.h that have
no implementation nor use in Android.
Change-Id: Ia6472ec6cbebc9ad1ef99f4669de9d33fcc2efb4
These preprocessor tricks have caused trouble for -std=gnu99 and -ansi, and
both netbsd's libc and glibc seem to unconditionally define these types.
Change-Id: Ib8dffa341a8ca88f80d275ba2b7f93a4c910ee32
This header is used on bionic build and should be propagated into
sysroot on toolchain rebuild. Discussion re. this header is here:
http://gcc.gnu.org/ml/gcc-patches/2012-08/msg00936.html
It is available already in mips NDK platforms:
development/ndk/platforms/android-9/arch-mips/include/link.h
Change-Id: I39ff467cdac9f448e31c11ee3e14a6200e82ab57
Signed-off-by: Pavel Chupin <pavel.v.chupin@intel.com>
At this point, FORTIFY_SOURCE and clang are just plain incompatible.
Need to solve the underlying incompatibility first.
Change-Id: I3366477d19461e1ec93b1c30e0c7e8145b391b9b
Recent clang compiler doesn't have gnu_inline working. When frameworks/rs
is compiled with clang instead of gcc, it no longer works. Will be fixed
by this patch.
Change-Id: I8b281a1305151909e18958b73914ea27343cb4cd
Use the system supplied error numbers when mapping error numbers to messages.
Change-Id: I520556fa3e2ff668fdc4eda36ad31491fbb48ea8
Signed-off-by: Chris Dearman <chris@mips.com>
Signed-off-by: Raghu Gandham <raghu@mips.com>
This test is designed to detect code such as:
int main() {
char buf[10];
memcpy(buf, "1234567890", sizeof(buf));
size_t len = strlen(buf); // segfault here with _FORTIFY_SOURCE
printf("%d\n", len);
return 0;
}
or anytime strlen reads beyond an object boundary. This should
help address memory leakage vulnerabilities and make other
unrelated vulnerabilities harder to exploit.
Change-Id: I354b425be7bef4713c85f6bab0e9738445e00182
Two changes:
1) Detect memory read overruns.
For example:
int main() {
char buf[10];
memcpy(buf, "abcde", sizeof(buf));
sprintf("%s\n", buf);
}
because "abcde" is only 6 bytes, copying 10 bytes from it is a bug.
This particular bug will be detected at compile time. Other similar
bugs may be detected at runtime.
2) Detect overlapping buffers on memcpy()
It is a bug to call memcpy() on buffers which overlap. For
example, the following code is buggy:
char buf3[0x800];
char *first_half = &buf3[0x400];
char *second_half = &buf3[1];
memset(buf3, 0, sizeof(buf3));
memcpy(first_half, second_half, 0x400);
printf("1: %s\n", buf3);
We now detect this at compile and run time.
Change-Id: I092bd89f11f18e08e8a9dda0ca903aaea8e06d91
limits.h relies on PAGE_SIZE being defined without actually including
page.h. Make sure this is included to avoid compilation failures.
Signed-off-by: Arun Raghavan <arun.raghavan@collabora.co.uk>
Add fortify_source support for openat(). This change requires that
an argument be supplied when using O_CREAT.
Fix unnecessary call to __open_2. If, at compile time, we know that
"flags" is constant and DOESN'T contain O_CREAT, the call to __open_2
is useless.
Change-Id: Ifcd29c4fb25e25656961d7552d672e161f0cfdbd
Prefix private functions with underscores, to prevent name
conflicts.
Use __error__ instead of error, since occasionally programs will
create their own "#define error ...".
Change-Id: I7bb171df58aec5627e61896032a140db547fd95d
Add a FORTIFY_SOURCE check which requires that you pass a
"mode" argument when calling open(..., O_CREAT). If a mode isn't
passed, then the file is created with "undefined" permissions.
Change-Id: I4427be4f9ce170c69da01af5b00fb05b03613a28
Add strlcpy / strlcat support to FORTIFY_SOURCE. This allows
us to do consistency checks on to ensure we don't overflow buffers
when the compiler is able to tell us the size of the buffer we're
dealing with.
Unlike previous changes, this change DOES NOT use the compiler's
builtin support. Instead, we do everything the compiler would
normally do.
Change-Id: I47c099a911382452eafd711f8e9bfe7c2d0a0d22
According to
http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html
realloc should NOT be marked with __attribute__((malloc)). Quoting:
realloc-like functions do not have this property as the memory
pointed to does not have undefined content.
For reference, __mallocfunc is defined in sys/cdefs.h as:
#define __mallocfunc __attribute__((malloc))
Change-Id: I56083542ba92e4608dd7c55fb5596a138eb50cc9
sprintf FORTIFY_SOURCE protections are not available
on clang.
Also add various __attribute__s to stdio functions.
Change-Id: I936d1f9e55fe53a68885c4524b7b59e68fed218d
Add _FORTIFY_SOURCE support for snprintf, vsnprintf
At this time, we opt out of these protections for clang, as clang
does not implement __builtin_va_arg_pack().
http://clang.llvm.org/docs/UsersManual.html#c_unimpl_gcc
Change-Id: I73ebe5ec8dad1dca8898a76d6afb693a25f75375
This was misleading 'configure' into thinking we actually support AF_LINK,
but we're Linux, so we don't, and we never implemented the functions we
declared here either.
Reported to AOSP by Jun-ya Kato.
(cherry-pick of 5056f1fad1187cd67729bb04ba72397d78256f03.)
Change-Id: Ic67f674d2221497c8166994812bb5fc7f0831066
This was misleading 'configure' into thinking we actually support AF_LINK,
but we're Linux, so we don't, and we never implemented the functions we
declared here either.
Reported to AOSP by Jun-ya Kato.
Change-Id: I111f9887f3812469b411b9cf5124d9dd624f19f7
Add _FORTIFY_SOURCE support for the following functions:
* memset
* bzero
Move the __BIONIC_FORTIFY_INLINE definition to cdefs.h so it
can be used from multiple header files.
Change-Id: Iead4d5e35de6ec97786d58ee12573f9b11135bb7
Add initial support for -D_FORTIFY_SOURCE to bionic for the
following functions:
* memcpy
* memmove
* strcpy
* strcat
* strncpy
* strncat
This change adds a new version of the above functions which passes
the size of the destination buffer to __builtin___*_chk.
If the compiler can determine, at compile time, that the destination
buffer is large enough, or the destination buffer can point to an object
of unknown size, then the check call is bypassed.
If the compiler can't make a compile time decision, then it calls
the __*_chk() function, which does a runtime buffer size check
These options are only enabled if the code is compiled with
-D_FORTIFY_SOURCE=1 or 2, and only when optimizations are enabled.
Please see
* http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
* http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
for additional details on FORTIFY_SOURCE.
Testing: Compiled the entire Android tree with -D_FORTIFY_SOURCE=1,
and verified that everything appears to be working properly.
Also created a test buffer overflow, and verified that it was
caught by this change.
Change-Id: I4fddb445bafe92b16845b22458d72e6dedd24fbc