Commit Graph

29 Commits

Author SHA1 Message Date
Daniel Micay
afdd15456a add fortified implementations of write/pwrite{,64}
These are just based on the read/pread{,64} implementations with the
function calls and error messages adjusted as appropriate. The only
difference is that the buffer parameters are const.

Change-Id: Ida1597a903807f583f230d74bcedffdb7b24fcf6
2015-08-20 13:46:51 -04:00
Daniel Micay
9101b00400 add a fortified implementation of getcwd
Change-Id: Ice3e6d3e1ff07788305dc85f8ee4059baad5fac4
2015-08-01 00:42:30 -04:00
Daniel Micay
fed2659869 add fortified implementations of fread/fwrite
A __size_mul_overflow utility is used to take advantage of the checked
overflow intrinsics in Clang and GCC (>= 5). The fallback for older
compilers is the optimized but less than ideal overflow checking pattern
used in OpenBSD.

Change-Id: Ibb0d4fd9b5acb67983e6a9f46844c2fd444f7e69
2015-07-23 18:55:46 -04:00
Daniel Micay
42281880a8 add fortified readlink/readlinkat implementations
Change-Id: Ia4b1824d20cad3a072b9162047492dade8576779
2015-04-17 18:49:12 -04:00
Daniel Micay
e7e1c875b0 add fortified implementations of pread/pread64
Change-Id: Iec39c3917e0bc94371bd81541619392f5abe29b9
2015-04-16 10:33:35 -04:00
Yabin Cui
f4fe6937aa Fix poll/ppoll fortify test to avoid hanging in failed fortify clang test.
Bug: 19220800
Change-Id: Ie75c640183c4a41a499556fefb4f824a134a5fb1
2015-02-04 12:27:06 -08:00
Elliott Hughes
d036e94bb3 Explicitly check that the reason fortify tests abort is fortify.
Change-Id: I95291e2febf7b497c1d9f37fd7fa9acdd21e86a4
2015-02-02 11:18:58 -08:00
Elliott Hughes
4674e3899a Fortify poll and ppoll.
And remove the test for FD_ZERO fortification, which never made much
sense anyway.

Change-Id: Id1009c5298d461fa4722189e8ecaf22f0c529536
2015-02-02 09:15:19 -08:00
Yabin Cui
9df70403d9 make all bionic death tests not dumpable
Bug: 18067305

Change-Id: Ia1ecacf47eddecc9bc58aaac779e0c218f463179
2014-11-06 11:09:03 -08:00
Nick Kralevich
884a3de60f Revert "cdefs.h: add artificial attribute to FORTIFY_SOURCE functions"
Broke the build.

In file included from frameworks/rs/cpu_ref/rsCpuCore.cpp:36:
system/core/include/cutils/properties.h:118:1: error: unknown attribute '__artificial__' ignored [-Werror,-Wunknown-attributes]
__BIONIC_FORTIFY_INLINE
^
bionic/libc/include/sys/cdefs.h:537:110: note: expanded from macro '__BIONIC_FORTIFY_INLINE'
#define __BIONIC_FORTIFY_INLINE extern __inline__ __always_inline __attribute__((gnu_inline)) __attribute__((__artificial__))
                                                                                                             ^
1 error generated.
make: *** [out/target/product/generic/obj/SHARED_LIBRARIES/libRSCpuRef_intermediates/rsCpuCore.o] Error 1
This reverts commit 9b543ffeac.

Change-Id: I6a1198747505dcb402b722887c1bfbc3a628a8b8
2014-10-06 00:39:47 +00:00
Nick Kralevich
9b543ffeac cdefs.h: add artificial attribute to FORTIFY_SOURCE functions
Otherwise the gcc compiler warning doesn't show up.

Delete some unittests. These unittests no longer compile cleanly
using -Wall -Werror, and rewriting them to compile cleanly
isn't feasible.

Bug: 17784968
Change-Id: I9bbdc7b6a1c2ac75754f5d0f90782e0dfae66721
2014-10-04 22:01:41 -07:00
Nick Kralevich
be0e43b776 debuggerd: if PR_GET_DUMPABLE=0, don't ask for dumping
PR_GET_DUMPABLE is used by an application to indicate whether or
not core dumps / PTRACE_ATTACH should work.

Security sensitive applications often set PR_SET_DUMPABLE to 0 to
disable core dumps, to avoid leaking sensitive memory to persistent
storage. Similarly, they also set PR_SET_DUMPABLE to zero to prevent
PTRACE_ATTACH from working, again to avoid leaking the contents
of sensitive memory.

Honor PR_GET_DUMPABLE when connecting to debuggerd. If an application
has said it doesn't want its memory dumped, then we shouldn't
ask debuggerd to dump memory on its behalf.

FORTIFY_SOURCE tests: Modify the fortify_source tests to set
PR_SET_DUMPABLE=0. This reduces the total runtime of
/data/nativetest/bionic-unit-tests/bionic-unit-tests32 from approx
53 seconds to 25 seconds. There's no need to connect to debuggerd
when running these tests.

Bug: 16513137
Change-Id: Idc7857b089f3545758f4d9b436b783d580fb653f
2014-07-23 15:48:49 -07:00
Elliott Hughes
063525c61d Consistently use #if defined(__BIONIC__) in tests.
I've also switched some tests to be positive rather than negative,
because !defined is slightly harder to reason about and there are
only two cases: bionic and glibc.

Change-Id: I8d3ac40420ca5aead3e88c69cf293f267273c8ef
2014-05-13 11:19:57 -07:00
Elliott Hughes
409588cdae Fix fallout from host GCC upgrade.
I'll raise a bug for the FD_ISSET fortification; we should do better too.

Change-Id: Id2bf277890ad06b010dc952e270d746714c2bea7
2014-04-23 23:02:43 -07:00
Christopher Ferris
950a58e24d Add stpcpy/stpncpy.
Add tests for the above.

Add the fortify implementations of __stpcpy_chk and __stpncpy_chk.

Modify the strncpy test to cover more cases and use this template for
stpncpy.

Add all of the fortify test cases.

Bug: 13746695
Change-Id: I8c0f0d4991a878b8e8734fff12c8b73b07fdd344
2014-04-07 16:41:53 -07:00
Christopher Ferris
f04935c85e Make sure that the same tests are on all platforms.
In order to be able to generate a list of tests for cts, the same set of
tests must exist across all platforms. This CL adds empty tests where a
test was conditionally compiled out.

This CL creates a single library libBionicTests that includes all of
the tests found in bionic-unit-tests-static.

Also fix a few missing include files in some test files.

Tested by running and compiling the tests for every platform and
verifying the same number of tests are on each platform.

Change-Id: I9989d4bfebb0f9c409a0ce7e87169299eac605a2
2014-02-06 20:12:21 -08:00
Stephen Hines
6e38072add Wrap sprintf()/snprintf() macros to prevent expansion errors.
Previously, FORTIFY_SOURCE used single macros to define these standard
functions for use with clang. This can cause conflicts with other macros used
to call these functions, particularly when those macros expand the number of
arguments to the function. This change wraps our macro definitions, so that
expansion properly takes place for programmer arguments first.

Change-Id: I55929b1fd2a643b9d14a17631c4bcab3b0b712cf
2013-10-11 12:14:49 -07:00
Nick Kralevich
b036b5ca36 FORTIFY_SOURCE: fortify read()
Change-Id: Ic7de163fe121db13e00560adb257331bc709814d
2013-10-09 20:17:03 -07:00
Nick Kralevich
8d25327639 Revert "FORTIFY_SOURCE: fortify read()"
This change reverts
* fb3f956d07.
* 65c99de2cb

Change-Id: Id5774eeede41130579115cf67a72ee914f2b47d5
2013-10-09 16:46:25 -07:00
Nick Kralevich
65c99de2cb FORTIFY_SOURCE: fortify read()
Change-Id: I3d7b4ec86d04efb865117ce7629a2e26917f3331
2013-10-09 13:44:38 -07:00
Nick Kralevich
7943df62f7 Check memory size on FD_* functions
Make sure the buffer we're dealing with has enough room.
Might as well check for memory issues while we're here,
even though I don't imagine they'll happen in practice.

Change-Id: I0ae1f0f06aca9ceb91e58c70183bb14e275b92b5
2013-10-03 15:45:10 -07:00
Elliott Hughes
5b9310e502 Fix 32-bit issues in tests, and add a trivial test for the FD_* macros.
Change-Id: Ia3f21ce1f0ed9236527fe44d36ccb7de6bf63113
2013-10-02 16:59:05 -07:00
Nick Kralevich
90201d5eca FORTIFY_SOURCE: Add __FD_* checks
Add FORTIFY_SOURCE checks for the following macros:

* FD_CLR
* FD_ISSET
* FD_SET

Bug: 11047121
Change-Id: I3c5952136aec9eff3288b91b1318677ff971525c
2013-10-02 16:11:30 -07:00
Nick Kralevich
b91791d71c Use alloc_size attribute on *alloc functions
malloc and family were not declared with __attribute__((alloc_size)).
This was (sometimes) preventing FORTIFY_SOURCE related functions
from knowing the size of the buffer it's dealing with, inhibiting
FORTIFY_SOURCE protections.

Add __attribute__((alloc_size))

Information about the alloc_size attribute can be found
at http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html

Change-Id: Ia2f0a445f0170a7325f69259b5e7fb35a9f14921
2013-10-02 14:14:40 -07:00
Nick Kralevich
60f4f9a5b9 libc: fortify recvfrom()
Fortify calls to recv() and recvfrom().

We use __bos0 to match glibc's behavior, and because I haven't
tested using __bos.

Change-Id: Iad6ae96551a89af17a9c347b80cdefcf2020c505
2013-09-24 16:45:01 -07:00
Christopher Ferris
16e185c908 __memcpy_chk: Fix signed cmp of unsigned values.
I accidentally did a signed comparison of the size_t values passed in
for three of the _chk functions. Changing them to unsigned compares.

Add three new tests to verify this failure is fixed.

Bug: 10691831

Merge from internal master.

(cherry-picked from 883ef2499c)

Change-Id: Id9a96b549435f5d9b61dc132cf1082e0e30889f5
2013-09-20 20:12:09 -07:00
Nick Kralevich
93501d3ab8 FORTIFY_SOURCE: introduce __strncpy_chk2
This change detects programs reading beyond the end of "src" when
calling strncpy.

Change-Id: Ie1b42de923385d62552b22c27b2d4713ab77ee03
2013-08-28 12:39:06 -07:00
Nick Kralevich
a6cde39276 More FORTIFY_SOURCE functions under clang
* bzero
* umask
* strlcat

Change-Id: I65065208e0b8b37e10f6a266d5305de8fa9e59fc
2013-06-29 08:16:22 -07:00
Nick Kralevich
5bcf39842e Reorganize FORTIFY_SOURCE tests.
Get rid of a lot of the duplication in the various FORTIFY_SOURCE
tests. Instead, we build 4 separate static libraries, with
4 different compile time options, and link them into the final test
binary.

Change-Id: Idb0b7cccc8dd837adb037bf4ddfe8942ae138230
2013-06-28 11:54:29 -07:00