* commit '1642edb5208fe02ef64d5734fffaf7c4a724fd2f':
bionic: store property names as variable-length strings
bionic: prevent root processes from calling __system_property_add
bionic: revert to a single (larger) property area
bionic: reimplement property area as hybrid trie/binary tree
bionic: add missing memory barriers to system properties
bionic: make property area expandable
d329697 is too complicated. Change the multiple property pages back to
a single 128K property area that's mapped in entirely at initialization
(the memory will not get allocated until the pages are touched).
d329697 has other changes useful for testing (moving property area
initialization inside bionic and adding __system_property_set_filename)
so undo the change manually rather than with git revert.
Signed-off-by: Greg Hackmann <ghackmann@google.com>
(cherry picked from commit 5f05348c18)
Change-Id: I690704552afc07a4dd410277893ca9c40bc13e5f
See the comments for an explanation of how properties are stored.
The trie structure is designed to scale better than the previous
array-based implementation. Searching an array with n properties
required average O(n) string compares of the entire key; searching the
trie requires average O(log n) string compares of each token (substrings
between '.' characters).
Signed-off-by: Greg Hackmann <ghackmann@google.com>
(cherry picked from commit 6ac8e6a46d)
Change-Id: Icbe31908572f33b4d9b85d5b62ac837cbd0f85e0
The property area is initially one 4K region, automatically expanding as
needed up to 64 regions.
To avoid duplicating code, __system_property_area_init() now allocates
and initializes the first region (previously it was allocated in init's
init_property_area() and initialized in bionic). For testing purposes,
__system_property_set_filename() may be used to override the file used
to map in regions.
Signed-off-by: Greg Hackmann <ghackmann@google.com>
(cherry picked from commit d32969701b)
Change-Id: I038d451fe8849b0c4863663eec6f57f6521bf4a7
The property area is initially one 4K region, automatically expanding as
needed up to 64 regions.
To avoid duplicating code, __system_property_area_init() now allocates
and initializes the first region (previously it was allocated in init's
init_property_area() and initialized in bionic). For testing purposes,
__system_property_set_filename() may be used to override the file used
to map in regions.
Change-Id: Ibe00ef52464bfa590953c4699a6d98383b0142b1
Signed-off-by: Greg Hackmann <ghackmann@google.com>
find_nth() will be inefficient on a trie. Since find_nth() is only used
internally and only for enumerating properties, we can add a foreach()
function to do this directly.
Signed-off-by: Greg Hackmann <ghackmann@google.com>
(cherry picked from commit 577418403d)
Change-Id: Iaca97d1182ce2c28863ba85241cbb5cf6185eb2f
find_nth() will be inefficient on a trie. Since find_nth() is only used
internally and only for enumerating properties, we can add a foreach()
function to do this directly.
Change-Id: I66bde9926c193073d74b244cce9fffd52108fff8
Signed-off-by: Greg Hackmann <ghackmann@google.com>
In 829c089f83, we disabled all
FORTIFY_SOURCE support when compiling under clang. At the time,
we didn't have proper test cases, and couldn't easily create targeted
clang tests.
This change re-enables FORTIFY_SOURCE support under clang for a
limited set of functions, where we have explicit unittests available.
The functions are:
* memcpy
* memmove
* strcpy
* strncpy
* strcat
* strncat
* memset
* strlen (with modifications)
* strchr (with modifications)
* strrchr (with modifications)
It may be possible, in the future, to enable other functions. However,
I need to write unittests first.
For strlen, strchr, and strrchr, clang unconditionally calls the
fortified version of the relevant function. If it doesn't know the
size of the buffer it's dealing with, it passes in ((size_t) -1),
which is the largest possible size_t.
I added two new clang specific unittest files, primarily copied
from fortify?_test.cpp.
I've also rebuild the entire system with these changes, and didn't
observe any obvious problems.
Change-Id: If12a15089bb0ffe93824b485290d05b14355fcaa
Define __errordecl and replace __attribute__((__error__("foo")))
with __errordecl. Make sure __errordecl is a no-op on clang, as it
generates a compile time warning.
Change-Id: Ifa1a2d3afd6881de9d479fc2adac6737871a2949
Move the implementation of writing to the system property area
from init to bionic, next to the reader implementation. This
will allow full property testing to be added to bionic tests.
Add new accessor and waiting functions to hide the implementation
from watchprops and various bionic users.
Also hide some of the implementation details of the property area
from init by moving them into _system_properties.h, and other details
from everybody by moving them into system_properties.h.
(cherry picked from commit dc1038b790)
Change-Id: I192d3825ee276c5047bc751039fe6cfe226a7cca
We were missing SIG_ATOMIC_MAX, SIG_ATOMIC_MIN, SIZE_MAX,
WCHAR_MAX, WCHAR_MIN, WINT_MAX, and WINT_MIN.
Change-Id: I2535f36bc220fbaea009b483599b7af811c4cb5c
This reverts commit d8627af159 which caused build breakage:
In file included from bionic/libc/include/limits.h:86:0,
from bionic/libc/include/stdint.h:33,
from bionic/libc/arch-arm/bionic/crtbegin.c:31:
bionic/libc/include/sys/limits.h:30:26: fatal error: linux/limits.h: No such file or directory
compilation terminated.
make: *** [out/target/product/generic/obj/lib/crtbegin_dynamic1.o] Error 1
Change-Id: I128095ecb99df92626e1f57e34c61e08c98a4078
sigismember, sigaddset, and sigdelset had mixed code and declarations
which are not allowed in C90 and before.
Change-Id: I662af944fc1489e34bed228ce592e41f50d00e17
Signed-off-by: Erik Gilling <konkers@android.com>
__strcat_chk and __strncat_chk are slightly inefficient,
because they end up traversing over the same memory region
two times.
This change optimizes __strcat_chk / __strncat_chk so they
only access the memory once. Although I haven't benchmarked these
changes, it should improve the performance of these functions.
__strlen_chk - expose this function, even if -D_FORTIFY_SOURCE
isn't defined. This is needed to compile libc itself without
-D_FORTIFY_SOURCE.
Change-Id: Id2c70dff55a276b47c59db27a03734d659f84b74
The function should take a 'const void*' parameter, instead of 'void*'.
Note that the implementation in upstream-dlmalloc/malloc.c already does
this.
For context, see http://b.android.com/55725
Change-Id: Iefd55cdb8996699189e0545f9195972490306227
Add CLOCK_MONOTONIC_RAW, CLOCK_REALTIME_COARSE, and CLOCK_MONOTONIC_COARSE
as supported by recent linux kernels.
(cherry-pick of 60e5144ca312b210b54ac8e6966108da0c97ff80.)
Bug: 8895727
Change-Id: If79a4d05d1301108f49a37588f9416c4be19277a
Add support for fortify source level 2 to strncpy.
This will enable detection of more areas where strncpy
is used inappropriately. For example, this would have detected
bug 8727221.
Move the fortify_source tests out of string_test.cpp, and
put it into fortify1_test.cpp.
Create a new fortify2_test.cpp file, which copies all
the tests in fortify1_test.cpp, and adds fortify_source level
2 specific tests.
Change-Id: Ica0fba531cc7d0609e4f23b8176739b13f7f7a83
- eventfd.cpp and eventfd.s will output to the same file when building libc.a
out/target/product/*/obj/STATIC_LIBRARIES/libc_intermediates/WHOLE/libc_common_objs/eventfd.o
- And then `eventfd` will undefined when statically linked to libc.
Also add a unit test.
(cherry-pick of 8baa929d5d3bcf63381cf78ba76168c80c303f5e.)
Change-Id: Icd0eb0f4ce0511fb9ec00a504d491afd47d744d3
- eventfd.cpp and eventfd.s will output to the same file when building libc.a
out/target/product/*/obj/STATIC_LIBRARIES/libc_intermediates/WHOLE/libc_common_objs/eventfd.o
- And then `eventfd` will undefined when statically linked to libc.
Also add a unit test.
Change-Id: Ib310ade3256712ca617a90539e8eb07459c98505
The <asm/unistd.h> files contain the canonical data, and
<sys/glibc-syscalls.h> contain new glibc-compatible names,
and if you #include the standard <sys/syscall.h> you get
both sets of names.
Change-Id: I9919c080931c0ba1660f5e37c6a6265ea716d603
This lets us move all the ARM syscall stubs over to the kernel <asm/unistd.h>.
Our generated <sys/linux-syscalls.h> is now unused, but I'll remove that in a
later change.
Change-Id: Ie5ff2cc4abce1938576af7cbaef615a79c7f310d
Also add a more intention-revealing guard so we don't have loads of
places checking whether our inlining macro is defined.
Change-Id: I168860cedcfc798b07a5145bc48a125700265e47
<sys/linux-syscalls.h> only contains constants for the syscalls
we're generating stubs for. We want all the syscalls available
on the architecture in question.
Keep using <sys/linux-syscalls.h> on ARM for now because the
__NR_ARM_set_tls and __NR_ARM_cacheflush values aren't in <asm/unistd.h>.
Change-Id: I66683950d87d9b18d6107d0acc0ed238a4496f44
Fixes the MIPS and x86 builds. strace tests whether syscalls
are supported using #ifdef of the appropriate SYS_ constant.
Change-Id: I90be118dc42abfdaf5b0f9b1e676e8601f55106e
Don't pull in unnecessary header files. AFAIK, I've fixed all
the code which didn't include the correct header files.
Change-Id: If0b7bba74e77cb24a0cf9ce8968aa07400855e58
Per "man capset", sys/capability.h is the appropriate header file
for the capget / capset definition, not unistd.h. Fixed.
As a short term hack, continue to include sys/capability.h in
unistd.h, until we can fix all the code which uses capget / capset.
Change-Id: I6e7cf55955d761ca785a14c5e4b7a44125d8fc15
AFAIK, bionic only ever provided an implementation of bcmp
for x86, and even then, the code was never actually compiled.
Remove the prototype.
bcmp() has been obsoleted and replaced by memcmp()
Change-Id: I549d02ab6a9241a9acbbbfade0d98a9a02c2eaee
after change 32822 was rejected, this is the more light-weight
version of the fix: libc/include/sys/types.h already - via
libc/kernel/common/linux/posix_types.h - includes a definition
of __kernel_ssize_t from libc/kernel/arch-*/asm/posix_types.h
which is architecture-specific, toolchain-agnostic and also
gets rid of the gcc -Wformat warning (which it issues correctly,
since this i̲s̲ indeed a bug in bionic)
Change-Id: Ie4503ab16628bc25815a836d07556f665e9795c7
imgtec pointed out that pthread_kill(3) was broken, but most of the
other functions that ought to return ESRCH for invalid/exited threads
were equally broken.
Change-Id: I96347f6195549aee0c72dc39063e6c5d06d2e01f
# By Andrew Boie
# Via Andrew Boie (1) and Gerrit Code Review (1)
* commit '3fa67465365baf87f751bea09847e32f01005788':
add factory property file definition
# Via Android Git Automerger (1) and others
* commit '6b73d13fa414afeecba6718bf724e8ac922bac39':
Revert "Revert "Pull the pthread_key_t functions out of pthread.c.""
# Via Gerrit Code Review (2) and Android Git Automerger (1)
* commit 'e4b08318c13fac774b233a5459427563d2983f79':
Revert "Pull the pthread_key_t functions out of pthread.c."
This was originally motivated by noticing that we were setting the
wrong bits for the well-known tls entries. That was a harmless bug
because none of the well-known tls entries has a destructor, but
it's best not to leave land mines lying around.
Also add some missing POSIX constants, a new test, and fix
pthread_key_create's return value when we hit the limit.
Change-Id: Ife26ea2f4b40865308e8410ec803b20bcc3e0ed1
name server addresses are read from the dns
cache associated wih the interface on which
the request shall be done.
processes which has requested to issue dns request
using specific interface are now proxied to netd.
added methods to attach/detach a process to a specific
dns cache/interface.
added getaddrinfoforinface method which takes an
interface as an argument.
bug:4815099
bug:5465296
Change-Id: I7a8fe1980cdf99d4d296ddc5c6411f0c72162263
Also update the x86 asm.h to support this; we need it for libm assembler
anyway.
Also clean up the _FBSDID hack in <sys/cdefs.h>.
Change-Id: Iababd977b8110ec022bf7c93f4d62ece47630e7c
This brings us up to date with FreeBSD HEAD, fixes various bugs, unifies
the set of functions we support on ARM, MIPS, and x86, fixes "long double",
adds ISO C99 support, and adds basic unit tests.
It turns out that our "long double" functions have always been broken
for non-normal numbers. This patch fixes that by not using the upstream
implementations and just forwarding to the regular "double" implementation
instead (since "long double" on Android is just "double" anyway, which is
what BSD doesn't support).
All the tests pass on ARM, MIPS, and x86, plus glibc on x86-64.
Bug: 3169850
Bug: 8012787
Bug: https://code.google.com/p/android/issues/detail?id=6697
Change-Id: If0c343030959c24bfc50d4d21c9530052c581837
Replace a kernel header file dependency with files from NetBSD.
They're more complete, and ELF is ELF, whether you're on Linux or a BSD.
Bug: 7973611
Change-Id: I83ee719e7efdf432ec2ddbe8be271d05b2f558d7
prctl.h uses __BEGIN_DECLS but fails to include sys/cdefs.h
(where it's defined). Code which includes prctl.h without
previously including sys/cdefs.h will fail to compile.
Fixed.
Change-Id: If4c9f3308f08b93596dcd00e351ae786807e9320
Currently, system properties are passed via the environment
variable ANDROID_PROPERTY_WORKSPACE and a file descriptor passed
from parent to child. This is insecure for setuid executables,
as the environment variable can be changed by the caller.
Modify system property handling so that we get the properties
from a root owned properties file, rather than using an
environment variable. Fall back to the environment variable
if the file doesn't exist.
Bug: 8045561
Change-Id: I54f3efa98cf7d63d88788da5ce0d19e34fd7851a
Don't do the fortify_source checks if we can determine, at
compile time, that the provided operation is safe.
This avoids silliness like calling fortify source on things like:
size_t len = strlen("asdf");
printf("%d\n", len);
and allows the compiler to optimize this code to:
printf("%d\n", 4);
Defer to gcc's builtin functions instead of pointing our code
to the libc implementation.
Change-Id: I5e1dcb61946461c4afaaaa983e39f07c7a0df0ae
This property file is used for properties which are set at device
provisioning time or in the factory. They are never touched by
a software update or factory data reset and typically contain
data specific to the particular unit.
Change-Id: I2e7c2fe62cb684cb2449eea917c42b19462e89a5
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Add signalfd() call to bionic.
Adding the signalfd call was done in 3 steps:
- add signalfd4 system call (function name and syscall
number) to libc/SYSCALLS.TXT
- generate all necessary headers by calling
libc/tools/gensyscalls.py. This patch is adding
the generated files since the build system
does not call gensyscalls.py.
- create the signalfd wrapper in signalfd.cpp and add
the function prototype to sys/signalfd.h
(cherry-pick of 0c11611c11, modified to
work with older versions of GCC still in use on some branches.)
Change-Id: I4c6c3f12199559af8be63f93a5336851b7e63355
Spotted while running the tests on MIPS, where sigset_t is
actually large enough. The bits in sigset_t are used such that
signal 1 is represented by bit 0, so the range of signals is
actually [1, 8*sizeof(sigset_t)]; it seems clearer to reword
the code in terms of valid bit offsets [0, 8*sizeof(sigset_t)),
which leads to the usual bounds checking idiom.
Change-Id: Id899c288e15ff71c85dd2fd33c47f8e97aa1956f
Previously we'd been relying on getting the machine-specific <endian.h>
instead of the top-level <endian.h>, and <sys/endian.h> was basically broken.
Now, with this patch and the previous patch we should have <endian.h>
and <sys/endian.h> behaving the same. This is basically how NetBSD's endian.h
works, and was probably how ours was originally intended to work.
Bug: http://code.google.com/p/android/issues/detail?id=39824
Change-Id: I71de5a507e633de166013a658b5764df9e1aa09c
These checks haven't been as useful as I hoped, and it's
causing a false positive finding. Remove the overlap
compile time checks.
Change-Id: I5d45dde10ae4663d728230d41fa904adf20acaea
You could argue that this is hurting people smart enough to have manually
allocated a large-enough sigset_t, but those people are smart enough to
implement their own sigset functions too.
I wonder whether our least unpleasant way out of our self-inflicted 32-bit
cesspool is to have equivalents of _FILE_OFFSET_BITS such as _SIGSET_T_BITS,
so calling code could opt in? You'd have to be careful passing sigset_t
arguments between code compiled with different options.
Bug: 5828899
Change-Id: I0ae60ee8544835b069a2b20568f38ec142e0737b
The near duplicates upset fussier compilers that insist that
typedefs be exactly the same, but the fix isn't to make all
copies identical...
Change-Id: Icfdace41726f36ec33c9ae919dbb5a54d3529cc9
Define the macros ACCESSPERMS, ALLPERMS and DEFFILEMODE.
These macros originates from BSD but has been available in glibc
for quite some time.
Change-Id: I429cd30aa4e73f53b153ee7740070cebba166c57
__WINT_TYPE__ type provided by gcc. It references to unsigned int
type for android and linux. Patch corrects wint_t typedef to
__WINT_TYPE__.
Signed-off-by: Sergey Melnikov <sergey.melnikov@intel.com>
Change-Id: Iabeb9fcb0b7bb303a8b220043e339126f125dd68
The declaration for alphasort() in <dirent.h> used the deprecated:
int alphasort(const void*, const void*);
while both Posix and GLibc use instead:
int alphasort(const struct dirent** a, const struct dirent** b);
See: http://pubs.opengroup.org/onlinepubs/9699919799/functions/alphasort.html
This patch does the following:
- Update the declaration to match Posix/GLibc
- Get rid of the upstream BSD code which isn't compatible with the new
signature.
- Implement a new trivial alphasort() with the right signature, and
ensure that it uses strcoll() instead of strcmp().
- Remove Bionic-specific #ifdef .. #else .. #endif block in
dirent_test.cpp which uses alphasort().
Even through strcoll() currently uses strcmp(), this does the right
thing in the case where we decide to update strcoll() to properly
implement locale-specific ordered comparison.
Change-Id: I4fd45604d8a940aaf2eb0ecd7d73e2f11c9bca96
This patch updates the C library headers to provide ucontext_t
definitions for three architectures.
+ Fix <signal.h> to always define 'struct sigcontext'.
The new declarations are announced with new macros defined in
<sys/cdefs.h> in order to make it easier to adapt client code
that already defines its own, incompatible, versions of the
structures seen here.
http://code.google.com/p/android/issues/detail?id=34784
Change-Id: Ie78c48690a4ce61c50593f6c39639be7fead3596
LONG_LONG_MIN, LONG_LONG_MAX and ULONG_LONG_MAX are
GLibc-specific macros that are better defined in <limits.h>
instead of the current exotic location (<pthread.h>).
Note that GCC's <limits.h> only defines these macros
when __GNU_LIBRARY__ is also defined. This is only the
case when building against GLibc, so manually redefine
the macros here.
Note that using LLONG_MIN/LLONG_MAX/ULLONG_MAX is the
C99-compliant way to get these values, but it's easier
to define these compatibility macros for the sake of
porting existing code.
Change-Id: I8023918d73b4685238054932f94a4006c1ca7d03
perf_event_open syscall has a different syscall number for
the 3 supported architectures: arm, x86 and mips. Currenlty
only the arm syscall number is defined for all architectures.
Tracing tools like perf will not work on other architectures
than arm.
Add the different values for perf_event_open on x86 and mips
and run gensyscalls.py to update generated headers.
Change-Id: I2ed78bd42c0e5df8dbc51d784be49cccda5fab30
Author: Irina Tirdea <irina.tirdea@intel.com>
Signed-off-by: Irina Tirdea <irina.tirdea@intel.com>
Signed-off-by: Shuo Gao <shuo.gao@intel.com>
Signed-off-by: Bruce Beare <bruce.j.beare@intel.com>
Signed-off-by: Jack Ren <jack.ren@intel.com>
There's a (bad) definition of NULL in <linux/stddef.h>, and this
definition of NULL, and the One True definition in the <stddef.h> provided
by the compiler. This change at least kills one of the bad duplicates.
Killing the <linux/stddef.h> one is harder, because it's in a generated
file.
Change-Id: Iea4ccb12d6758199f312ea9cd753b84322d5c471
Some userspace programs (e.g. perf) need getline.
Changes:
() add getdelim.c, getline.c from NetBSD (http://netbsd.org/) under the
NetBSD Foundation's (TNF) license ("2 clause" Berkeley-style license).
() add stub for reentrant.h header that is needed by getdelim.c
() add tests for getdelim(3) and getline(3).
() update NOTICE file.
Change-Id: I22ed82dd5904b9d7a3695535c04f502be3c27c5d
Signed-off-by: Irina Tirdea <irina.tirdea@intel.com>
This makes the constants correspond to those in the Linux kernel's
include/linux/syslog.h, but keeping our old badly-named constants for
source compatibility.
Change-Id: Ia47d1299205754cbfffd29ed48b497b53d1edaae
Please see "man 3 ftw" for a description of the
ftw / nftw functions.
This code is taken directly from netbsd unmodified.
Change-Id: Ia4879ac57212b424adf5281b5e92858e216d0f14
Note that the Linux kernel handed over responsibility for most of the
socket constants to glibc some time ago. Someone had updated our
external/kernel-headers file but not regenerated the bionic headers,
so this change copies the missing stuff from the old bionic <linux/socket.h>
into <sys/socket.h>. This is what glibc does.
I've hacked a few of the other files to #include <sys/socket.h> for
backward compatibility, but even so this requires numerous other
changes to switch people over from direct inclusion of <linux/...> headers.
Change-Id: I0e4af64e631d3cef911a31d90f2f806e058278a0
Add ttydefaults.h bionic. Some userspace programs (e.g. perf) need the
definitions from this file. This header file is copied from NetBSD
(http://netbsd.org/) under the NetBSD Foundation's (TNF) license (“2 clause”
Berkeley-style license).
Change-Id: I9c862415b52b710f25adb1629a699627cd715775
Signed-off-by: Irina Tirdea <irina.tirdea@intel.com>
Add getsid() system call to bionic for
all architectures. This is needed for various tools
(e.g. perf).
Adding the getsid system call was done in 3 steps:
() add getsid system call (function name and syscall
number) to libc/SYSCALLS.TXT
() generate all necessary headers by calling
libc/tools/gensyscalls.py. This patch is adding
the generated files since the build system
does not call gensyscalls.py.
() add the system call signature to libc/include/unistd.h
Change-Id: Id69a257e13ec02e1a44085a6b217a3f19ab025b1
Signed-off-by: Irina Tirdea <irina.tirdea@intel.com>
Clang and _FORTIFY_SOURCE are just plain incompatible with
each other. First of all, clang doesn't understand the
__attribute__((gnu_inline)) header. Second of all,
Clang doesn't have support for __builtin_va_arg_pack()
and __builtin_va_arg_pack_len() (see
http://clang.llvm.org/docs/UsersManual.html#c_unimpl_gcc)
Until we can resolve these issues, don't even try using
_FORTIFY_SOURCE under clang.
Change-Id: I81c2b8073bb3276fa9a4a6b93c427b641038356a
Move dlmalloc code to upstream-dlmalloc to make pulling upstream changes
easier.
Declare pvalloc and malloc_usable_size routines present in malloc.h but with
missing implementations. Remove other functions from malloc.h that have
no implementation nor use in Android.
Change-Id: Ia6472ec6cbebc9ad1ef99f4669de9d33fcc2efb4
These preprocessor tricks have caused trouble for -std=gnu99 and -ansi, and
both netbsd's libc and glibc seem to unconditionally define these types.
Change-Id: Ib8dffa341a8ca88f80d275ba2b7f93a4c910ee32
This header is used on bionic build and should be propagated into
sysroot on toolchain rebuild. Discussion re. this header is here:
http://gcc.gnu.org/ml/gcc-patches/2012-08/msg00936.html
It is available already in mips NDK platforms:
development/ndk/platforms/android-9/arch-mips/include/link.h
Change-Id: I39ff467cdac9f448e31c11ee3e14a6200e82ab57
Signed-off-by: Pavel Chupin <pavel.v.chupin@intel.com>
At this point, FORTIFY_SOURCE and clang are just plain incompatible.
Need to solve the underlying incompatibility first.
Change-Id: I3366477d19461e1ec93b1c30e0c7e8145b391b9b
Recent clang compiler doesn't have gnu_inline working. When frameworks/rs
is compiled with clang instead of gcc, it no longer works. Will be fixed
by this patch.
Change-Id: I8b281a1305151909e18958b73914ea27343cb4cd
Use the system supplied error numbers when mapping error numbers to messages.
Change-Id: I520556fa3e2ff668fdc4eda36ad31491fbb48ea8
Signed-off-by: Chris Dearman <chris@mips.com>
Signed-off-by: Raghu Gandham <raghu@mips.com>
This test is designed to detect code such as:
int main() {
char buf[10];
memcpy(buf, "1234567890", sizeof(buf));
size_t len = strlen(buf); // segfault here with _FORTIFY_SOURCE
printf("%d\n", len);
return 0;
}
or anytime strlen reads beyond an object boundary. This should
help address memory leakage vulnerabilities and make other
unrelated vulnerabilities harder to exploit.
Change-Id: I354b425be7bef4713c85f6bab0e9738445e00182
Two changes:
1) Detect memory read overruns.
For example:
int main() {
char buf[10];
memcpy(buf, "abcde", sizeof(buf));
sprintf("%s\n", buf);
}
because "abcde" is only 6 bytes, copying 10 bytes from it is a bug.
This particular bug will be detected at compile time. Other similar
bugs may be detected at runtime.
2) Detect overlapping buffers on memcpy()
It is a bug to call memcpy() on buffers which overlap. For
example, the following code is buggy:
char buf3[0x800];
char *first_half = &buf3[0x400];
char *second_half = &buf3[1];
memset(buf3, 0, sizeof(buf3));
memcpy(first_half, second_half, 0x400);
printf("1: %s\n", buf3);
We now detect this at compile and run time.
Change-Id: I092bd89f11f18e08e8a9dda0ca903aaea8e06d91
limits.h relies on PAGE_SIZE being defined without actually including
page.h. Make sure this is included to avoid compilation failures.
Signed-off-by: Arun Raghavan <arun.raghavan@collabora.co.uk>
Add fortify_source support for openat(). This change requires that
an argument be supplied when using O_CREAT.
Fix unnecessary call to __open_2. If, at compile time, we know that
"flags" is constant and DOESN'T contain O_CREAT, the call to __open_2
is useless.
Change-Id: Ifcd29c4fb25e25656961d7552d672e161f0cfdbd
Prefix private functions with underscores, to prevent name
conflicts.
Use __error__ instead of error, since occasionally programs will
create their own "#define error ...".
Change-Id: I7bb171df58aec5627e61896032a140db547fd95d
Add a FORTIFY_SOURCE check which requires that you pass a
"mode" argument when calling open(..., O_CREAT). If a mode isn't
passed, then the file is created with "undefined" permissions.
Change-Id: I4427be4f9ce170c69da01af5b00fb05b03613a28
Add strlcpy / strlcat support to FORTIFY_SOURCE. This allows
us to do consistency checks on to ensure we don't overflow buffers
when the compiler is able to tell us the size of the buffer we're
dealing with.
Unlike previous changes, this change DOES NOT use the compiler's
builtin support. Instead, we do everything the compiler would
normally do.
Change-Id: I47c099a911382452eafd711f8e9bfe7c2d0a0d22
According to
http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html
realloc should NOT be marked with __attribute__((malloc)). Quoting:
realloc-like functions do not have this property as the memory
pointed to does not have undefined content.
For reference, __mallocfunc is defined in sys/cdefs.h as:
#define __mallocfunc __attribute__((malloc))
Change-Id: I56083542ba92e4608dd7c55fb5596a138eb50cc9
sprintf FORTIFY_SOURCE protections are not available
on clang.
Also add various __attribute__s to stdio functions.
Change-Id: I936d1f9e55fe53a68885c4524b7b59e68fed218d
Add _FORTIFY_SOURCE support for snprintf, vsnprintf
At this time, we opt out of these protections for clang, as clang
does not implement __builtin_va_arg_pack().
http://clang.llvm.org/docs/UsersManual.html#c_unimpl_gcc
Change-Id: I73ebe5ec8dad1dca8898a76d6afb693a25f75375
This was misleading 'configure' into thinking we actually support AF_LINK,
but we're Linux, so we don't, and we never implemented the functions we
declared here either.
Reported to AOSP by Jun-ya Kato.
(cherry-pick of 5056f1fad1187cd67729bb04ba72397d78256f03.)
Change-Id: Ic67f674d2221497c8166994812bb5fc7f0831066
This was misleading 'configure' into thinking we actually support AF_LINK,
but we're Linux, so we don't, and we never implemented the functions we
declared here either.
Reported to AOSP by Jun-ya Kato.
Change-Id: I111f9887f3812469b411b9cf5124d9dd624f19f7
Add _FORTIFY_SOURCE support for the following functions:
* memset
* bzero
Move the __BIONIC_FORTIFY_INLINE definition to cdefs.h so it
can be used from multiple header files.
Change-Id: Iead4d5e35de6ec97786d58ee12573f9b11135bb7
Add initial support for -D_FORTIFY_SOURCE to bionic for the
following functions:
* memcpy
* memmove
* strcpy
* strcat
* strncpy
* strncat
This change adds a new version of the above functions which passes
the size of the destination buffer to __builtin___*_chk.
If the compiler can determine, at compile time, that the destination
buffer is large enough, or the destination buffer can point to an object
of unknown size, then the check call is bypassed.
If the compiler can't make a compile time decision, then it calls
the __*_chk() function, which does a runtime buffer size check
These options are only enabled if the code is compiled with
-D_FORTIFY_SOURCE=1 or 2, and only when optimizations are enabled.
Please see
* http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
* http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
for additional details on FORTIFY_SOURCE.
Testing: Compiled the entire Android tree with -D_FORTIFY_SOURCE=1,
and verified that everything appears to be working properly.
Also created a test buffer overflow, and verified that it was
caught by this change.
Change-Id: I4fddb445bafe92b16845b22458d72e6dedd24fbc
/dev/kmsg is a character device already used for different purposes.
Most distribution use /dev/log for _PATH_LOG but this path is already used
by logcat.
I suggest using /dev/syslog.
This change was tested with busybox's syslogd.
Change-Id: I75b428123c7a0b3ca4bea656ce06860f6f727dde
The posix_memalign(3) function is very similar to the traditional
memalign(3) function, but with better error reporting and a guarantee
that the memory it allocates can be freed. In bionic, memalign(3)
allocated memory can be freed, so posix_memalign(3) is just a wrapper
around memalign(3).
Change-Id: I62ee908aa5ba6b887d8446a00d8298d080a6a299
In bionic/libc/SYSCALLS.TXT, the prototype of system call
clock_nanosleep is incorrect.
According to man page:
int clock_nanosleep(clockid_t clock_id, int flags,
const struct timespec *request,
struct timespec *remain);
Change-Id: Ic44c6db3d632293aa17998035554eacd664c2d57
Signed-off-by: Jin Wei <wei.a.jin@intel.com>
Signed-off-by: Jack Ren <jack.ren@intel.com>
Signed-off-by: Bruce Beare <bruce.j.beare@intel.com>
In bionic/libc/SYSCALLS.TXT, the prototypes of system call
getresuid/getresgid are incorrect.
According to man page, they should be:
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);
Change-Id: I676098868bb05a9e1fe45419b234cf397626fdad
Signed-off-by: Jin Wei <wei.a.jin@intel.com>
Signed-off-by: Jack Ren <jack.ren@intel.com>
Signed-off-by: Bruce Beare <bruce.j.beare@intel.com>
cdefs.h: Introduce the __purefunc attribute, which allows us to mark
certain functions as being "pure".
http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html
Many functions have no effects except the return value and their
return value depends only on the parameters and/or global variables.
Such a function can be subject to common subexpression elimination
and loop optimization just as an arithmetic operator would be.
string.h: Mark many commently used string functions as "pure", to
allow for additional compiler optimizations.
Change-Id: I42961f90f822b6dbcbc3fd72cdbe774a7adc8785
New functions:
tfind
tsearch
tdelete
twalk
tdestroy (GNU extension)
Bug fix: the current implementation for realpath would crash
if the second argument (resolved_path) is NULL.
New headers:
ar.h
search.h
Change-Id: Ib6c1e42fc186a6d597a6e5a9692b16acaa155804
Add support for PT_GNU_RELRO. This allows the static linker to
indicate that certain regions of memory should be marked as
"read-only" after dynamic linking is complete.
See:
* http://www.akkadia.org/drepper/nonselsec.pdf (section 6)
* http://tk-blog.blogspot.com/2009/02/relro-not-so-well-known-memory.html
Note that this change has no effect on Android right now, because
we don't compile our code with relro enabled.
Change-Id: I6541f8775367e8558b4388f7d105b1ae6e8f046b
include/elf.h contains basically the same values as
linux/auxvec.h. Eliminate dups.
include/sys/exec_elf.h contains basically the same
values as linux/elf.h. Eliminate dups.
Change-Id: I66b8358161bb52223bb657f8f73ba28b324f4fa3
include/elf.h contains basically the same values as
linux/auxvec.h. Eliminate dups.
include/sys/exec_elf.h contains basically the same
values as linux/elf.h. Eliminate dups.
Change-Id: I66b8358161bb52223bb657f8f73ba28b324f4fa3
This patch defines a few new macros that can be used to control the
visibility of symbols exported by the C library:
- ENTRY_PRIVATE() can be used in assembly sources to indicate
that an assembler function should have "hidden" visibility, i.e.
will never be exported by the C library's shared library.
This is the equivalent of using __LIBC_HIDDEN__ for a C function,
but ENTRY_PRIVATE() works like ENTRY(), and must be used with
END() to tag the end of the function.
- __LIBC_ABI_PUBLIC__ can be used to tag a C functions as being
part of the C library's public ABI. This is important for a
few functions that must be exposed by the NDK to maintain
binary compatibility.
Once a symbol has been tagged with this macro, it shall
*never* be removed from the library, even if it becomes
directly unused due to implementation changes
(e.g. __is_threaded).
- __LIBC_ABI_PRIVATE__ can be used for C functions that should
always be exported by the C library because they are used by
other libraries in the platform, but should not be exposed
by the NDK. It is possible to remove such symbols from the
implementation if all callers are also modified.
+ Add missing END() assembly macro for x86
Change-Id: Ia96236ea0dbec41d57bea634b39d246b30e5e234
We don't have a toolchain anymore, we don't have working original
kernel headers, and nobody is maintaining this so there is really
no point in keeping this here. Details of the patch:
- removed code paths from Android.mk files related to the SuperH
architecture ("sh")
- removed libc/arch-sh, linker/arch-sh, libc/kernel/arch-sh
- simplified libc/SYSCALLS.TXT
- simplified the scripts in libc/tools/ and libc/kernel/tools
Change-Id: I26b0e1422bdc347489e4573e2fbec0e402f75560
Signed-off-by: David 'Digit' Turner <digit@android.com>
The xattr system calls are required for the SE Android userspace in
order to get and set file security contexts. In particular, libselinux
requires these calls.
Change-Id: I78f5eb3d8f3384aed0a5e7c6a6f001781d982017
linux-unistd.h was here for reference purposes, but shouldn't
have been accessible to client code. Delete it.
Change-Id: I60c264ff6ca489a48117914bdf6daa486737af8c
This patch is used to remove private C library declarations from the
public headers (that are exported to the NDK). It should *only* be
submitted after all other patches modifying the users of said
private functions have been submitted to the tree, to avoid
breakages.
Change-Id: I0a5e3014f8e3ac9ed8df86a5cdae506337c23252
This patch is the first in a series that aims at cleaning up the
public C library headers (which end up being distributed with the NDK).
<resolv.h> and <time.h> contain declarations that should not be public.
They are used by other parts of the platform, but NDK applications should
not use or rely on them.
So copy them to private <bionic_time.h> and <resolv_iface.h> headers
and use a guard macro to avoid conflicts when both headers are included
at the same time.
The idea is that we're going to fix the other platform modules to
include these private headers. After this is done, we will remove the
duplicate definitions from <resolv.h> and <time.h>
Change-Id: I121c11936951c98ca7165e811126ed8a4a3a394d
Add bionic libc to support readahead system call.
This is needed to enable sreadahead to work.
Change-Id: I3856e1a3833db82e6cf42fd34af7631bd40cc723
Author: Winson Yung <winson.w.yung@intel.com>
Signed-off-by: Bruce Beare <bruce.j.beare@intel.com>
The posix_memalign(3) function is very similar to the traditional
memalign(3) function, but with better error reporting and a guarantee
that the memory it allocates can be freed. In bionic, memalign(3)
allocated memory can be freed, so posix_memalign(3) is just a wrapper
around memalign(3).
Change-Id: I62ee908aa5ba6b887d8446a00d8298d080a6a299
Use tgkill instead of tkill to implement pthread_kill.
This is safer in the event that the thread has already terminated
and its id has been reused by a different process.
Change-Id: Ied715e11d7eadeceead79f33db5e2b5722954ac9
__atomic_cmpxchg and other related atomic operations did not
provide memory barriers, which can be a problem for non-platform
code that links against them when it runs on multi-core devices.
This patch does two things to fix this:
- It modifies the existing implementation of the functions
that are exported by the C library to always provide
full memory barriers. We need to keep them exported by
the C library to prevent breaking existing application
machine code.
- It also modifies <sys/atomics.h> to only export
always-inlined versions of the functions, to ensure that
any application code compiled against the new header will
not rely on the platform version of the functions.
This ensure that said machine code will run properly on
all multi-core devices.
This is based on the GCC built-in sync primitives.
The end result should be only slightly slower than the
previous implementation.
Note that the platform code does not use these functions
at all. A previous patch completely removed their usage in
the pthread and libstdc++ code.
+ rename arch-arm/bionic/atomics_arm.S to futex_arm.S
+ rename arch-x86/bionic/atomics_x86.S to futex_x86.S
+ remove arch-x86/include/sys/atomics.h which already
provided inlined functions to the x86 platform.
Change-Id: I752a594475090cf37fa926bb38209c2175dda539
For Honeycomb, we added proper file thread-safety for
all FILE* operations. However, we did implement that by
using an out-of-band hash table to map FILE* pointers
to phtread_mutex_t mutexes, because we couldn't change
the size of 'struct _sFILE' without breaking the ABI.
It turns out that our BSD-derived code already has
some support code to extend FILE* objects, so use it
instead. See libc/stdio/fileext.h
This patch gets rid of the hash table, and put the
mutex directly into the sFILE extension.
Change-Id: If1c3fe0a0a89da49c568e9a7560b7827737ff4d0
Initial commit for dns cache per interface.
Added a type that holds a reference to a
cache and name of associated interface,
address of interface, name server(s)
associated with an interface etc.
New functions to set default interface,
address of name servers etc.
Change-Id: Ie991bc5592fd998409853d8bf77d7fe69035dac5
Make netinet/ip.h have IPTOS_MINCOST which matches what
kernel/common/linux/ip.h has to say.
Fixup gethostbyaddr() 1st arg to match what man has to say.
Change-Id: Iff9647d4a46ea88b1fc32163eb69bb9b27cdf370
This change fixes the prctl() declaration to match GLibc, and allow us
to build gcc-4.6 for Android (among other things). Note that this does
not change the source and binary interfaces.
Change-Id: I3900c957f0da8b3548cbe9da8c41d50099dc19d6
Make netinet/ip.h have IPTOS_MINCOST which matches what
kernel/common/linux/ip.h has to say.
Fixup gethostbyaddr() 1st arg to match what man has to say.
Change-Id: Iff9647d4a46ea88b1fc32163eb69bb9b27cdf370
The kernel has supported this syscall for quite some time now,
but bionic did not. Now that there is a need for it, let's
add it to bionic.
Change-Id: Ifcef3e46f1438d79435b600c4e6063857ab16903
Backport I110b653a58f3
All the other property stuff is already here. Property setting was
only in libcutils previously to leverage a utility function / constant
or two.
Unfortunately in the process of fixing a race condition we would've
had to do break abstraction boundaries and put some libc-internal
details into libcutils so instead of that we'll just move this
into bionic.
Along with Iee1ca9b7, this now passes:
$ adb shell am instrument -w -e class android.os.SystemPropertiesTest \
com.android.frameworks.coretests.systemproperties/android.test.InstrumentationTestRunner
Bug: 3511230
Change-Id: I1b588db3344169621e1279ecc0b660cf4e1015d7
Backport I110b653a58f3
All the other property stuff is already here. Property setting was
only in libcutils previously to leverage a utility function / constant
or two.
Unfortunately in the process of fixing a race condition we would've
had to do break abstraction boundaries and put some libc-internal
details into libcutils so instead of that we'll just move this
into bionic.
Along with Iee1ca9b7, this now passes:
$ adb shell am instrument -w -e class android.os.SystemPropertiesTest \
com.android.frameworks.coretests.systemproperties/android.test.InstrumentationTestRunner
Bug: 3511230
Change-Id: I1b588db3344169621e1279ecc0b660cf4e1015d7
All the other property stuff is already here. Property setting was
only in libcutils previously to leverage a utility function / constant
or two.
Unfortunately in the process of fixing a race condition we would've
had to do break abstraction boundaries and put some libc-internal
details into libcutils so instead of that we'll just move this
into bionic.
Along with Iee1ca9b7, this now passes:
$ adb shell am instrument -w -e class android.os.SystemPropertiesTest \
com.android.frameworks.coretests.systemproperties/android.test.InstrumentationTestRunner
Bug: 3511230
Change-Id: I110b653a58f312fbe069dca59892a877ae9bc911
* commit '638608b11afbd255ddbd15e739f0f638791a4305':
libc: <stdint.h>: Don't make __STD_CONSTANT_MACROS available if only __STD_LIMIT_MACROS is defined.