Commit Graph

2506 Commits

Author SHA1 Message Date
Elliott Hughes
158ad015c2 am 3069270d: am c2bba24d: Merge "Give the timer_create SIGEV_THREAD helper threads sensible names."
* commit '3069270d8641c7bb57aa308d8f90b4d2dcbf66fc':
  Give the timer_create SIGEV_THREAD helper threads sensible names.
2012-06-06 11:37:25 -07:00
Elliott Hughes
3069270d86 am c2bba24d: Merge "Give the timer_create SIGEV_THREAD helper threads sensible names."
* commit 'c2bba24d0a6b906f00d7b9f20ac9d32d63bb2e9d':
  Give the timer_create SIGEV_THREAD helper threads sensible names.
2012-06-06 11:35:32 -07:00
Elliott Hughes
c2bba24d0a Merge "Give the timer_create SIGEV_THREAD helper threads sensible names." 2012-06-06 10:44:32 -07:00
Elliott Hughes
470631ed79 Give the timer_create SIGEV_THREAD helper threads sensible names.
Bug: 6609676
Change-Id: I286b197c75beee4d9930b0973f2d7dd47c14e91c
2012-06-06 10:32:56 -07:00
Nick Kralevich
204c6e5ff3 Merge "arm: rewrite crtbegin* as C files." 2012-06-06 08:54:22 -07:00
Nick Kralevich
0a2301598c libc: implement some FORTIFY_SOURCE functions
Add initial support for -D_FORTIFY_SOURCE to bionic for the
following functions:

* memcpy
* memmove
* strcpy
* strcat
* strncpy
* strncat

This change adds a new version of the above functions which passes
the size of the destination buffer to __builtin___*_chk.

If the compiler can determine, at compile time, that the destination
buffer is large enough, or the destination buffer can point to an object
of unknown size, then the check call is bypassed.

If the compiler can't make a compile time decision, then it calls
the __*_chk() function, which does a runtime buffer size check

These options are only enabled if the code is compiled with
-D_FORTIFY_SOURCE=1 or 2, and only when optimizations are enabled.

Please see
* http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
* http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html

for additional details on FORTIFY_SOURCE.

Testing: Compiled the entire Android tree with -D_FORTIFY_SOURCE=1,
and verified that everything appears to be working properly.
Also created a test buffer overflow, and verified that it was
caught by this change.

Change-Id: I4fddb445bafe92b16845b22458d72e6dedd24fbc
2012-06-05 15:44:31 -07:00
Ji-Hwan Lee
f186a1819a Support non-zero p_vaddr in first PT_LOAD segment
Before changing mmap() permission to PROT_NONE in alloc_mem_region(),
such libraries once worked with a bug that uses mmap'ed region outside of
memory region allocated by alloc_mem_region().  This possibly incurs
SIGSEGV because it can overwrite memory region of previously loaded
library, but it sometimes worked, depending on loading order.

After PROT_NONE, this caused SIGSEGV earlier during calculation of
si->phdr in load_library(), but this was fixed by:

    75917c84d1  Use mmap to read an ...

Now the behaviour is the same as before applying PROT_NONE in
alloc_mem_region().

This CL fixed the original issue, supporting shared libraries that have
non-zero p_vaddr in first (= with lowest p_vaddr) PT_LOAD segment.

Bug: 6561258
Change-Id: Ib6176dd3e44c4d99a340eb1cbd16fb037586b0bc
2012-06-04 07:44:10 -07:00
The Android Automerger
db2e7a4cb6 merge in jb-release history after reset to jb-dev 2012-06-03 05:59:30 -07:00
Iliyan Malchev
31431f454a am 252a5c85: resolved conflicts for merge of e1dd3c28 to jb-dev-plus-aosp
* commit '252a5c854a08e89fc7337ea679220161fe4ea98f':
  bionic: import heaptracker as chk_malloc
2012-06-02 08:35:07 -07:00
Iliyan Malchev
143ad4cf31 am f0ddaa2f: am 7d2e24eb: bionic: introduce libc.debug.malloc.program
* commit 'f0ddaa2fac00ac20059c0b2c142da9de2838a7b6':
  bionic: introduce libc.debug.malloc.program
2012-06-02 08:20:09 -07:00
Iliyan Malchev
252a5c854a resolved conflicts for merge of e1dd3c28 to jb-dev-plus-aosp
Change-Id: I58b9c13d20771aa39b703ec05cbff8aeaad38fe8
2012-06-02 08:14:36 -07:00
Iliyan Malchev
f0ddaa2fac am 7d2e24eb: bionic: introduce libc.debug.malloc.program
* commit '7d2e24eb167b6257f7935c7bd2023a708704ca1a':
  bionic: introduce libc.debug.malloc.program
2012-06-01 19:03:06 -07:00
Iliyan Malchev
e1dd3c287b bionic: import heaptracker as chk_malloc
This patch is a rewrite of libc.debug.malloc = 10 (chk_malloc).  It provides
the same features as the original (poison freed memory, detect heap overruns
and underruns), except that it provides more debugging information whenever it
detects a problem.

In addition to the original features, the new chk_malloc() implementation
detects multiple frees within a given range of the last N allocations, N being
configurable via the system property libc.debug.malloc.backlog.

Finally, this patch keeps track of all outstanding memory allocations.  On
program exit, we walk that list and report each outstanding allocation.

(There is support (not enabled) for a scanner thread periodically walks over
the list of outstanding allocations as well as the backlog of recently-freed
allocations, checking for heap-usage errors.)

Feature overview:

  1) memory leaks
  2) multiple frees
  3) use after free
  4) overrun

Implementation:

-- for each allocation, there is a:
  1) stack trace at the time the allocation is made
  2) if the memory is freed, there is also a stack trace at the point
  3) a front and rear guard (fence)
  4) the stack traces are kept together with the allocation

-- the following lists and maintained

  1) all outstanding memory allocations
  3) a backlog of allocations what are freed; when you call free(), instead of
     actually freed, the allocation is moved to this backlog;
  4) when the backlog of allocations gets full, the oldest entry gets evicted
     from it; at that point, the allocation is checked for overruns or
     use-after-free errors, and then actually freed.
  5) when the program exits, the list of outstanding allocations and the
     backlog are inspected for errors, then freed;

To use this, set the following system properties before running the process or
processes you want to inspect:

libc.malloc.debug.backlog # defaults to 100
libc.malloc.debug 10

When a problem is detected, you will see the following on logcat for a multiple
free:

E/libc    ( 7233): +++ ALLOCATION 0x404b9278 SIZE 10 BYTES MULTIPLY FREED!
E/libc    ( 7233): +++ ALLOCATION 0x404b9278 SIZE 10 ALLOCATED HERE:
E/libc    ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
E/libc    ( 7233):      #00  pc 0000c35a  /system/lib/libc_malloc_debug_leak.so
E/libc    ( 7233):      #01  pc 0000c658  /system/lib/libc_malloc_debug_leak.so
E/libc    ( 7233):      #02  pc 00016d80  /system/lib/libc.so
E/libc    ( 7233):      #03  pc 4009647c  /system/bin/malloctest
E/libc    ( 7233):      #04  pc 00016f24  /system/lib/libc.so
E/libc    ( 7233): +++ ALLOCATION 0x404b9278 SIZE 10 FIRST FREED HERE:
E/libc    ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
E/libc    ( 7233):      #00  pc 0000c35a  /system/lib/libc_malloc_debug_leak.so
E/libc    ( 7233):      #01  pc 0000c7d2  /system/lib/libc_malloc_debug_leak.so
E/libc    ( 7233):      #02  pc 00016d94  /system/lib/libc.so
E/libc    ( 7233):      #03  pc 40096490  /system/bin/malloctest
E/libc    ( 7233):      #04  pc 00016f24  /system/lib/libc.so
E/libc    ( 7233): +++ ALLOCATION 0x404b9278 SIZE 10 NOW BEING FREED HERE:
E/libc    ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
E/libc    ( 7233):      #00  pc 0000c35a  /system/lib/libc_malloc_debug_leak.so
E/libc    ( 7233):      #01  pc 0000c6ac  /system/lib/libc_malloc_debug_leak.so
E/libc    ( 7233):      #02  pc 00016d94  /system/lib/libc.so
E/libc    ( 7233):      #03  pc 400964a0  /system/bin/malloctest
E/libc    ( 7233):      #04  pc 00016f24  /system/lib/libc.so

The following for a heap overrun and underrun:

E/libc    ( 7233): +++ REAR GUARD MISMATCH [10, 11)
E/libc    ( 7233): +++ ALLOCATION 0x404b9198 SIZE 10 HAS A CORRUPTED REAR GUARD
E/libc    ( 7233): +++ ALLOCATION 0x404b9198 SIZE 10 ALLOCATED HERE:
E/libc    ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
E/libc    ( 7233):      #00  pc 0000c35a  /system/lib/libc_malloc_debug_leak.so
E/libc    ( 7233):      #01  pc 0000c658  /system/lib/libc_malloc_debug_leak.so
E/libc    ( 7233):      #02  pc 00016d80  /system/lib/libc.so
E/libc    ( 7233):      #03  pc 40096438  /system/bin/malloctest
E/libc    ( 7233):      #04  pc 00016f24  /system/lib/libc.so
E/libc    ( 7233): +++ ALLOCATION 0x404b9198 SIZE 10 FREED HERE:
E/libc    ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
E/libc    ( 7233):      #00  pc 0000c35a  /system/lib/libc_malloc_debug_leak.so
E/libc    ( 7233):      #01  pc 0000c7d2  /system/lib/libc_malloc_debug_leak.so
E/libc    ( 7233):      #02  pc 00016d94  /system/lib/libc.so
E/libc    ( 7233):      #03  pc 40096462  /system/bin/malloctest
E/libc    ( 7233):      #04  pc 00016f24  /system/lib/libc.so
E/libc    ( 7233): +++ ALLOCATION 0x404b9358 SIZE 10 HAS A CORRUPTED FRONT GUARD
E/libc    ( 7233): +++ ALLOCATION 0x404b9358 SIZE 10 ALLOCATED HERE:
E/libc    ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
E/libc    ( 7233):      #00  pc 0000c35a  /system/lib/libc_malloc_debug_leak.so
E/libc    ( 7233):      #01  pc 0000c658  /system/lib/libc_malloc_debug_leak.so
E/libc    ( 7233):      #02  pc 00016d80  /system/lib/libc.so
E/libc    ( 7233):      #03  pc 400964ba  /system/bin/malloctest
E/libc    ( 7233):      #04  pc 00016f24  /system/lib/libc.so
E/libc    ( 7233): +++ ALLOCATION 0x404b9358 SIZE 10 FREED HERE:
E/libc    ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
E/libc    ( 7233):      #00  pc 0000c35a  /system/lib/libc_malloc_debug_leak.so
E/libc    ( 7233):      #01  pc 0000c7d2  /system/lib/libc_malloc_debug_leak.so
E/libc    ( 7233):      #02  pc 00016d94  /system/lib/libc.so
E/libc    ( 7233):      #03  pc 400964e4  /system/bin/malloctest
E/libc    ( 7233):      #04  pc 00016f24  /system/lib/libc.so

The following for a memory leak:

E/libc    ( 7233): +++ THERE ARE 1 LEAKED ALLOCATIONS
E/libc    ( 7233): +++ DELETING 4096 BYTES OF LEAKED MEMORY AT 0x404b95e8 (1 REMAINING)
E/libc    ( 7233): +++ ALLOCATION 0x404b95e8 SIZE 4096 ALLOCATED HERE:
E/libc    ( 7233): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
E/libc    ( 7233):      #00  pc 0000c35a  /system/lib/libc_malloc_debug_leak.so
E/libc    ( 7233):      #01  pc 0000c658  /system/lib/libc_malloc_debug_leak.so
E/libc    ( 7233):      #02  pc 00016d80  /system/lib/libc.so
E/libc    ( 7233):      #03  pc 0001bc94  /system/lib/libc.so
E/libc    ( 7233):      #04  pc 0001edf6  /system/lib/libc.so
E/libc    ( 7233):      #05  pc 0001b80a  /system/lib/libc.so
E/libc    ( 7233):      #06  pc 0001c086  /system/lib/libc.so
E/libc    ( 7233):      #07  pc 40096402  /system/bin/malloctest
E/libc    ( 7233):      #08  pc 00016f24  /system/lib/libc.so

Change-Id: Ic440e9d05a01e2ea86b25e8998714e88bc2d16e0
Signed-off-by: Iliyan Malchev <malchev@google.com>
2012-06-01 15:54:34 -07:00
Nick Kralevich
9d40326830 arm: rewrite crtbegin* as C files.
Rewrite
 crtbegin.S     -> crtbegin.c
 crtbegin_so.S  -> crtbegin_so.c

This change allows us to generate PIC code without relying
on text relocations.

As a consequence of this rewrite, also rewrite
  __dso_handle.S    -> __dso_handle.c
  __dso_handle_so.S -> __dso_handle_so.c
  atexit.S          -> atexit.c

In crtbegin.c _start, place the __PREINIT_ARRAY__, __INIT_ARRAY__,
__FINI_ARRAY__, and __CTOR_LIST__ variables onto the stack, instead of
passing a pointer to the text section of the binary.

This change appears sorta wonky, as I attempted to preserve,
as much as possible, the structure of the original assembly.
As a result, you have C files including other C files, and other
programming uglyness.

Result: This change reduces the number of files with text-relocations
from 315 to 19 on my Android build.

Before:
  $ scanelf -aR $OUT/system | grep TEXTREL | wc -l
  315

After:
  $ scanelf -aR $OUT/system | grep TEXTREL | wc -l
  19

Change-Id: Ib9f98107c0eeabcb606e1ddc7ed7fc4eba01c9c4
2012-06-01 14:41:27 -07:00
The Android Automerger
e1d591540e merge in jb-release history after reset to jb-dev 2012-05-31 06:59:25 -07:00
Iliyan Malchev
7d2e24eb16 bionic: introduce libc.debug.malloc.program
libc.debug.malloc.program  provides an additional level of control over which
processes to enable libc.debug.malloc functionality for.  The string value of
libc.debug.malloc.program is matched against the program name; if the value of
libc.debug.malloc.program is a substring of the program name, then malloc debug
is applied to that program at whatever level libc.debug.malloc specifies.

If lib.debug.malloc.program is not specified, then libc.debug.malloc has the
same effect as before.

For example, to enable libc.deubug.malloc = 10 only to the mediaserver, do the
following:

   adb root # necessary for setprop
   adb setprop libc.debug.malloc.program mediaserver
   adb setprop libc.debug.malloc 10
   adb kill -9 $(pid mediaserver)

Change-Id: I6f01c12f033c8e2e015d73025369d7f1685ba200
Signed-off-by: Iliyan Malchev <malchev@google.com>
2012-05-30 20:03:47 -07:00
Nick Kralevich
857fc9eab9 Merge "crtbegin: eliminate duplicate code" 2012-05-30 13:29:58 -07:00
Nick Kralevich
83a73d1afe crtbegin: eliminate duplicate code
crtbegin_dynamic and crtbegin_static are essentially identical,
minus a few trivial differences (comments and whitespace).

Eliminate duplicates.

Change-Id: Ic9fae6bc9695004974493b53bfc07cd3bb904480
2012-05-30 11:45:12 -07:00
Geremy Condra
207d7673e5 am 5a095ef2: am 03539a36: Merge "Ensure that the port number and TXID are properly randomized." into jb-dev
* commit '5a095ef28716b54f86d9c1727b9a2493ba775255':
  Ensure that the port number and TXID are properly randomized.
2012-05-30 11:11:33 -07:00
Geremy Condra
5a095ef287 am 03539a36: Merge "Ensure that the port number and TXID are properly randomized." into jb-dev
* commit '03539a36b634bdfa61c06277cf25e0ca8e3105ba':
  Ensure that the port number and TXID are properly randomized.
2012-05-30 11:09:05 -07:00
Geremy Condra
03539a36b6 Merge "Ensure that the port number and TXID are properly randomized." into jb-dev 2012-05-30 11:06:54 -07:00
The Android Open Source Project
1ebb243d1a am cb9ba3c8: Reconcile with jb-release
* commit 'cb9ba3c88a97f34784559a55317ff5970d4c4dba':
  Print the corrupted address passed to free().
2012-05-29 09:41:51 -07:00
The Android Open Source Project
cb9ba3c88a Reconcile with jb-release
Change-Id: Id0b365ef6729dc36b88193f1675d3819e56bd426
2012-05-29 09:39:17 -07:00
Elliott Hughes
1dd9efc541 Merge "Use mmap to read an initial ELF header of library" 2012-05-25 15:11:35 -07:00
Ji-Hwan Lee
75917c84d1 Use mmap to read an initial ELF header of library
Also, fixes SIGSEV during calculation of si->phdr in load_library(),
which is caused by accessing PHDR area, which is not guaranteed to be
loaded.

Note that this usually does not happen because program header area is
covered by immediately following PT_LOAD entry.  But it does not hold
always.

Bug: 6561258
Change-Id: Ie376253c773b5420279ca89044e81b1aad5a5736
2012-05-26 06:15:50 +09:00
Ben Cheng
2481468f22 Print the corrupted address passed to free().
For example:

@@@ ABORTING: INVALID HEAP ADDRESS IN dlfree addr=0x5c3bfbd0
Fatal signal 11 (SIGSEGV) at 0xdeadbaad (code=1), thread 2942

The addr=0x5c3bfbd0 part is new.

Change-Id: I8670144b2b0a3a6182384150d762c97dfee5452f
2012-05-25 11:14:20 -07:00
Ben Cheng
41c2a112c2 am d7b60b20: am c84ff11d: Print the corrupted address passed to free().
* commit 'd7b60b207be79513b99faf2ef576db333f9c7a78':
  Print the corrupted address passed to free().
2012-05-24 17:23:43 -07:00
Ben Cheng
d7b60b207b am c84ff11d: Print the corrupted address passed to free().
* commit 'c84ff11dad26435dc5760bceda18e8f1175a6061':
  Print the corrupted address passed to free().
2012-05-24 17:21:03 -07:00
Ben Cheng
c84ff11dad Print the corrupted address passed to free().
For example:

@@@ ABORTING: INVALID HEAP ADDRESS IN dlfree addr=0x5c3bfbd0
Fatal signal 11 (SIGSEGV) at 0xdeadbaad (code=1), thread 2942

The addr=0x5c3bfbd0 part is new.

Change-Id: I8670144b2b0a3a6182384150d762c97dfee5452f
2012-05-24 17:06:43 -07:00
Geremy Condra
b23f193dcc Ensure that the port number and TXID are properly randomized.
This fix reads from /dev/urandom to get the required entropy.

Bug: 6535492
Change-Id: Ibc2fec3f71a67607b608ad9b767b0b6504993c1d
2012-05-24 15:26:12 -07:00
Jean-Baptiste Queru
15ed08d065 am d155ba57: am c7882ab2: Merge "bionic: add clean kernel header ucontext.h"
* commit 'd155ba57a32ce3182d8a5b79ff27bc5e7fa55df9':
  bionic: add clean kernel header ucontext.h
2012-05-21 12:41:30 -07:00
Elliott Hughes
7cce04381a resolved conflicts for merge of dc6c2b77 to master
Change-Id: Ifab4573a825cf5caa7158d8888243bb8d5d01148
2012-05-17 17:15:01 -07:00
Jean-Baptiste Queru
d155ba57a3 am c7882ab2: Merge "bionic: add clean kernel header ucontext.h"
* commit 'c7882ab2a99a74c8f772ab03fdfd9a3b53515e46':
  bionic: add clean kernel header ucontext.h
2012-05-17 13:28:10 -07:00
Jean-Baptiste Queru
c7882ab2a9 Merge "bionic: add clean kernel header ucontext.h" 2012-05-17 12:25:02 -07:00
Elliott Hughes
dc6c2b779b am 70cf0bc0: Merge "Remove the last references to SuperH."
* commit '70cf0bc0496a1d4c0e83fe3f1933f667ab66c148':
  Remove the last references to SuperH.
2012-05-16 17:18:23 -07:00
Elliott Hughes
70cf0bc049 Merge "Remove the last references to SuperH." 2012-05-16 09:56:37 -07:00
Nick Kralevich
d8f9198644 am 1727a041: am cf8e554c: (-s ours) Merge "Make the linker relocatable."
* commit '1727a041b59995b00c1d497022600be929bcaf3e':
  Make the linker relocatable.
2012-05-16 09:17:32 -07:00
Nick Kralevich
38e81b4294 am 574e8ec2: am 36e0345a: Merge "linker: set LOCAL_NO_CRT := true"
* commit '574e8ec28fac106a5e9b2c98b7b5a4e9532ecf5c':
  linker: set LOCAL_NO_CRT := true
2012-05-16 09:15:15 -07:00
Nick Kralevich
ed434302f0 am ee6916c0: am 1adc7c03: Merge "linker: Fix the computation of si->base"
* commit 'ee6916c00718185df3930a18050e5b47685ef524':
  linker: Fix the computation of si->base
2012-05-16 09:15:14 -07:00
Nick Kralevich
82576526e3 am c62d55cb: am cd6b2007: (-s ours) Merge "Add linker support for PIE"
* commit 'c62d55cbaef8001c7eb0a8d5e85e2fc72283063a':
  Add linker support for PIE
2012-05-16 09:15:07 -07:00
Nick Kralevich
1727a041b5 am cf8e554c: (-s ours) Merge "Make the linker relocatable."
* commit 'cf8e554c72af1dd634d4f36a9065e34e853f8714':
  Make the linker relocatable.
2012-05-16 09:14:22 -07:00
Nick Kralevich
574e8ec28f am 36e0345a: Merge "linker: set LOCAL_NO_CRT := true"
* commit '36e0345af89e2ed768ed38dcdf016a7640cf8ba5':
  linker: set LOCAL_NO_CRT := true
2012-05-16 09:11:52 -07:00
Nick Kralevich
ee6916c007 am 1adc7c03: Merge "linker: Fix the computation of si->base"
* commit '1adc7c03898ee1f6a4c7f8cffa3c07507b9da5a9':
  linker: Fix the computation of si->base
2012-05-16 09:11:50 -07:00
Nick Kralevich
c62d55cbae am cd6b2007: (-s ours) Merge "Add linker support for PIE"
* commit 'cd6b2007b851f1cfa47d8bcc7ec859dfa7557382':
  Add linker support for PIE
2012-05-16 09:11:49 -07:00
The Android Open Source Project
75931ee6e1 am 918e6a73: Reconcile with jb-release nakasi-factoryrom-release
* commit '918e6a730cd059392ee6d8b5c5a0f5fa0e5bbd93':
  Revert "linker: remove STB_LOCAL hack"
  Revert "Reference __dso_handle in PIC way"
  Revert "Use the new NativeDaemonConnector style."
  libc: Add __aeabi_llsl and __aeabi_llsr to libgcc_compat
2012-05-16 08:34:13 -07:00
The Android Open Source Project
918e6a730c Reconcile with jb-release nakasi-factoryrom-release
Change-Id: I5a5b95da6c33afbc36893e162f3b57c09c161ee2
2012-05-16 08:31:49 -07:00
Elliott Hughes
e33af61c70 Remove the last references to SuperH.
Change-Id: Icb44c1f94cb178d90b4c2b1e8f6d175586aec4e1
2012-05-15 17:08:41 -07:00
Ying Wang
fc9e525fe0 Rename the misleading var name TARGET_OUT_STATIC_LIBRARIES
TARGET_OUT_STATIC_LIBRARIES is actually the same as
TARGET_OUT_INTERMEDIATE_LIBRARIES.

Change-Id: I11ac35256031d461d20156cd4c19ed7eae781d22
2012-05-15 15:15:11 -07:00
Nick Kralevich
cf8e554c72 Merge "Make the linker relocatable." 2012-05-15 15:10:24 -07:00
Nick Kralevich
36e0345af8 Merge "linker: set LOCAL_NO_CRT := true" 2012-05-15 15:10:12 -07:00