Global, writable function pointers are low-hanging fruit for hijacking
control flow with an overflow from a global buffer or an arbitrary write
vulnerability. This moves the function pointer table into a dedicated
page and makes it read-only at runtime, similar to RELRO.
This increases the memory usage of the library by just under one page.
This could be avoided by having the linker load the vdso by replacing
weak symbols. It's not significant within the Zygote spawning model
though because it's read-only after early init.
Change-Id: Id7a49c96c1b15c2e1926528304b3c54a81e78caf
If a map has a non-zero vaddr then it needs to be added to the
computed relative offset.
Bug: 22532054
Change-Id: If55015165d25ecc4b530f674b481c8c7ef760a23
The __libc_init_tls function in libc_init_common.cpp takes a reference
to a local variable so it ends up being protected. Since this happens
before TLS and the stack guard value are initialized, it breaks.
The libc_init_common code needs to be compiled with -fno-stack-protector
and can then be merged into libc_bionic.
Change-Id: Ie95ea2ff533d4af1cfad1c9bc59e49f20a8e119d
Sorry, I undertested my previous change and these guys somehow sneaked in.
This only affects SANITIZE_TARGET builds.
Change-Id: Id6986d89fa3d4965339f7b6fe973e9db73b380da
Setup a /system/bin/linker_asan as a symlink to "linker".
Read the linker name from PT_INTERP, and if it is linker_asan,
switch default library lookup paths to the ASan set, which
starts with the path to the instrumented libraries
(/data/lib), followed by /system/lib as a fallback.
This ensures that ASan binaries prefer ASan libraries, when
available. This approach is way better then RPATH/RUNPATH and even
better than LD_LIBRARY_PATH:
- RUNPATH is per-DSO, while default paths are global.
- LD_LIBRARY_PATH is overwritten by android_update_LD_LIBRARY_PATH.
- neither RUNPATH nor LD_LIBRARY_PATH appear in
android_get_LD_LIBRARY_PATH which is used to build java.lang.path.
Having ASan libraries in java.lang.path is a good thing.
Bug: 22355945
Change-Id: I1d2791fbf5740618f18f71a3ae3d873714669d3f
There is a deadlock if holding the hash table lock while trying to do
a backtrace. Change the code so that the hash table lock is only held
while actually modifying either g_hash_table, or while modifying an
entry from g_hash_table.
Bug: 22423683
(cherry picked from commit 9fee99b06013787054a312449b94115038e2ad7c)
Change-Id: I72173bfe6f824ceaceea625c24e7851b87467135
There is a deadlock if holding the hash table lock while trying to do
a backtrace. Change the code so that the hash table lock is only held
while actually modifying either g_hash_table, or while modifying an
entry from g_hash_table.
Bug: 22423683
Change-Id: I604ea56f940f22e99da41ea4dcdf97bedaac268d
LP64 is immune because basename_r is hidden there, but on LP32 a basename_r
defined in the executable breaks basename because its call to basename_r
will resolve to that one rather than the one in libc.
Bug: http://b/22415484
Change-Id: Ied3ca7ad3fb0e744eb705fc924743f893b4ad490
