Enable FORTIFY_SOURCE protections under clang for the following
functions:
* vsprintf
* vsnprintf
and add unittests.
Change-Id: I90f8a27f7b202c78b5dd8ebf53050bf9e33496f7
* commit 'fbec57d46c42460b2381484d1610ff21922d162e':
bionic: add compatibility mode for properties
bionic: use the size of the file to determine property area size
Allow a new bionic to work with an old init property area by supporting
the old format.
(cherry picked from commit ad76c85b9c)
Change-Id: Ib496e818a62a5834d40c71eb4745783d998be893
* commit '1642edb5208fe02ef64d5734fffaf7c4a724fd2f':
bionic: store property names as variable-length strings
bionic: prevent root processes from calling __system_property_add
bionic: revert to a single (larger) property area
bionic: reimplement property area as hybrid trie/binary tree
bionic: add missing memory barriers to system properties
bionic: make property area expandable
d329697 is too complicated. Change the multiple property pages back to
a single 128K property area that's mapped in entirely at initialization
(the memory will not get allocated until the pages are touched).
d329697 has other changes useful for testing (moving property area
initialization inside bionic and adding __system_property_set_filename)
so undo the change manually rather than with git revert.
Signed-off-by: Greg Hackmann <ghackmann@google.com>
(cherry picked from commit 5f05348c18)
Change-Id: I690704552afc07a4dd410277893ca9c40bc13e5f
See the comments for an explanation of how properties are stored.
The trie structure is designed to scale better than the previous
array-based implementation. Searching an array with n properties
required average O(n) string compares of the entire key; searching the
trie requires average O(log n) string compares of each token (substrings
between '.' characters).
Signed-off-by: Greg Hackmann <ghackmann@google.com>
(cherry picked from commit 6ac8e6a46d)
Change-Id: Icbe31908572f33b4d9b85d5b62ac837cbd0f85e0
The property area is initially one 4K region, automatically expanding as
needed up to 64 regions.
To avoid duplicating code, __system_property_area_init() now allocates
and initializes the first region (previously it was allocated in init's
init_property_area() and initialized in bionic). For testing purposes,
__system_property_set_filename() may be used to override the file used
to map in regions.
Signed-off-by: Greg Hackmann <ghackmann@google.com>
(cherry picked from commit d32969701b)
Change-Id: I038d451fe8849b0c4863663eec6f57f6521bf4a7
The property area is initially one 4K region, automatically expanding as
needed up to 64 regions.
To avoid duplicating code, __system_property_area_init() now allocates
and initializes the first region (previously it was allocated in init's
init_property_area() and initialized in bionic). For testing purposes,
__system_property_set_filename() may be used to override the file used
to map in regions.
Change-Id: Ibe00ef52464bfa590953c4699a6d98383b0142b1
Signed-off-by: Greg Hackmann <ghackmann@google.com>
find_nth() will be inefficient on a trie. Since find_nth() is only used
internally and only for enumerating properties, we can add a foreach()
function to do this directly.
Signed-off-by: Greg Hackmann <ghackmann@google.com>
(cherry picked from commit 577418403d)
Change-Id: Iaca97d1182ce2c28863ba85241cbb5cf6185eb2f
find_nth() will be inefficient on a trie. Since find_nth() is only used
internally and only for enumerating properties, we can add a foreach()
function to do this directly.
Change-Id: I66bde9926c193073d74b244cce9fffd52108fff8
Signed-off-by: Greg Hackmann <ghackmann@google.com>
In 829c089f83, we disabled all
FORTIFY_SOURCE support when compiling under clang. At the time,
we didn't have proper test cases, and couldn't easily create targeted
clang tests.
This change re-enables FORTIFY_SOURCE support under clang for a
limited set of functions, where we have explicit unittests available.
The functions are:
* memcpy
* memmove
* strcpy
* strncpy
* strcat
* strncat
* memset
* strlen (with modifications)
* strchr (with modifications)
* strrchr (with modifications)
It may be possible, in the future, to enable other functions. However,
I need to write unittests first.
For strlen, strchr, and strrchr, clang unconditionally calls the
fortified version of the relevant function. If it doesn't know the
size of the buffer it's dealing with, it passes in ((size_t) -1),
which is the largest possible size_t.
I added two new clang specific unittest files, primarily copied
from fortify?_test.cpp.
I've also rebuild the entire system with these changes, and didn't
observe any obvious problems.
Change-Id: If12a15089bb0ffe93824b485290d05b14355fcaa
Define __errordecl and replace __attribute__((__error__("foo")))
with __errordecl. Make sure __errordecl is a no-op on clang, as it
generates a compile time warning.
Change-Id: Ifa1a2d3afd6881de9d479fc2adac6737871a2949
Move the implementation of writing to the system property area
from init to bionic, next to the reader implementation. This
will allow full property testing to be added to bionic tests.
Add new accessor and waiting functions to hide the implementation
from watchprops and various bionic users.
Also hide some of the implementation details of the property area
from init by moving them into _system_properties.h, and other details
from everybody by moving them into system_properties.h.
(cherry picked from commit dc1038b790)
Change-Id: I192d3825ee276c5047bc751039fe6cfe226a7cca
We were missing SIG_ATOMIC_MAX, SIG_ATOMIC_MIN, SIZE_MAX,
WCHAR_MAX, WCHAR_MIN, WINT_MAX, and WINT_MIN.
Change-Id: I2535f36bc220fbaea009b483599b7af811c4cb5c
This reverts commit d8627af159 which caused build breakage:
In file included from bionic/libc/include/limits.h:86:0,
from bionic/libc/include/stdint.h:33,
from bionic/libc/arch-arm/bionic/crtbegin.c:31:
bionic/libc/include/sys/limits.h:30:26: fatal error: linux/limits.h: No such file or directory
compilation terminated.
make: *** [out/target/product/generic/obj/lib/crtbegin_dynamic1.o] Error 1
Change-Id: I128095ecb99df92626e1f57e34c61e08c98a4078
sigismember, sigaddset, and sigdelset had mixed code and declarations
which are not allowed in C90 and before.
Change-Id: I662af944fc1489e34bed228ce592e41f50d00e17
Signed-off-by: Erik Gilling <konkers@android.com>
__strcat_chk and __strncat_chk are slightly inefficient,
because they end up traversing over the same memory region
two times.
This change optimizes __strcat_chk / __strncat_chk so they
only access the memory once. Although I haven't benchmarked these
changes, it should improve the performance of these functions.
__strlen_chk - expose this function, even if -D_FORTIFY_SOURCE
isn't defined. This is needed to compile libc itself without
-D_FORTIFY_SOURCE.
Change-Id: Id2c70dff55a276b47c59db27a03734d659f84b74
The function should take a 'const void*' parameter, instead of 'void*'.
Note that the implementation in upstream-dlmalloc/malloc.c already does
this.
For context, see http://b.android.com/55725
Change-Id: Iefd55cdb8996699189e0545f9195972490306227
Add CLOCK_MONOTONIC_RAW, CLOCK_REALTIME_COARSE, and CLOCK_MONOTONIC_COARSE
as supported by recent linux kernels.
(cherry-pick of 60e5144ca312b210b54ac8e6966108da0c97ff80.)
Bug: 8895727
Change-Id: If79a4d05d1301108f49a37588f9416c4be19277a
Add support for fortify source level 2 to strncpy.
This will enable detection of more areas where strncpy
is used inappropriately. For example, this would have detected
bug 8727221.
Move the fortify_source tests out of string_test.cpp, and
put it into fortify1_test.cpp.
Create a new fortify2_test.cpp file, which copies all
the tests in fortify1_test.cpp, and adds fortify_source level
2 specific tests.
Change-Id: Ica0fba531cc7d0609e4f23b8176739b13f7f7a83
- eventfd.cpp and eventfd.s will output to the same file when building libc.a
out/target/product/*/obj/STATIC_LIBRARIES/libc_intermediates/WHOLE/libc_common_objs/eventfd.o
- And then `eventfd` will undefined when statically linked to libc.
Also add a unit test.
(cherry-pick of 8baa929d5d3bcf63381cf78ba76168c80c303f5e.)
Change-Id: Icd0eb0f4ce0511fb9ec00a504d491afd47d744d3
- eventfd.cpp and eventfd.s will output to the same file when building libc.a
out/target/product/*/obj/STATIC_LIBRARIES/libc_intermediates/WHOLE/libc_common_objs/eventfd.o
- And then `eventfd` will undefined when statically linked to libc.
Also add a unit test.
Change-Id: Ib310ade3256712ca617a90539e8eb07459c98505
The <asm/unistd.h> files contain the canonical data, and
<sys/glibc-syscalls.h> contain new glibc-compatible names,
and if you #include the standard <sys/syscall.h> you get
both sets of names.
Change-Id: I9919c080931c0ba1660f5e37c6a6265ea716d603
This lets us move all the ARM syscall stubs over to the kernel <asm/unistd.h>.
Our generated <sys/linux-syscalls.h> is now unused, but I'll remove that in a
later change.
Change-Id: Ie5ff2cc4abce1938576af7cbaef615a79c7f310d
Also add a more intention-revealing guard so we don't have loads of
places checking whether our inlining macro is defined.
Change-Id: I168860cedcfc798b07a5145bc48a125700265e47
<sys/linux-syscalls.h> only contains constants for the syscalls
we're generating stubs for. We want all the syscalls available
on the architecture in question.
Keep using <sys/linux-syscalls.h> on ARM for now because the
__NR_ARM_set_tls and __NR_ARM_cacheflush values aren't in <asm/unistd.h>.
Change-Id: I66683950d87d9b18d6107d0acc0ed238a4496f44
Fixes the MIPS and x86 builds. strace tests whether syscalls
are supported using #ifdef of the appropriate SYS_ constant.
Change-Id: I90be118dc42abfdaf5b0f9b1e676e8601f55106e
Don't pull in unnecessary header files. AFAIK, I've fixed all
the code which didn't include the correct header files.
Change-Id: If0b7bba74e77cb24a0cf9ce8968aa07400855e58
Per "man capset", sys/capability.h is the appropriate header file
for the capget / capset definition, not unistd.h. Fixed.
As a short term hack, continue to include sys/capability.h in
unistd.h, until we can fix all the code which uses capget / capset.
Change-Id: I6e7cf55955d761ca785a14c5e4b7a44125d8fc15
AFAIK, bionic only ever provided an implementation of bcmp
for x86, and even then, the code was never actually compiled.
Remove the prototype.
bcmp() has been obsoleted and replaced by memcmp()
Change-Id: I549d02ab6a9241a9acbbbfade0d98a9a02c2eaee
after change 32822 was rejected, this is the more light-weight
version of the fix: libc/include/sys/types.h already - via
libc/kernel/common/linux/posix_types.h - includes a definition
of __kernel_ssize_t from libc/kernel/arch-*/asm/posix_types.h
which is architecture-specific, toolchain-agnostic and also
gets rid of the gcc -Wformat warning (which it issues correctly,
since this i̲s̲ indeed a bug in bionic)
Change-Id: Ie4503ab16628bc25815a836d07556f665e9795c7
imgtec pointed out that pthread_kill(3) was broken, but most of the
other functions that ought to return ESRCH for invalid/exited threads
were equally broken.
Change-Id: I96347f6195549aee0c72dc39063e6c5d06d2e01f
# By Andrew Boie
# Via Andrew Boie (1) and Gerrit Code Review (1)
* commit '3fa67465365baf87f751bea09847e32f01005788':
add factory property file definition
# Via Android Git Automerger (1) and others
* commit '6b73d13fa414afeecba6718bf724e8ac922bac39':
Revert "Revert "Pull the pthread_key_t functions out of pthread.c.""
# Via Gerrit Code Review (2) and Android Git Automerger (1)
* commit 'e4b08318c13fac774b233a5459427563d2983f79':
Revert "Pull the pthread_key_t functions out of pthread.c."
This was originally motivated by noticing that we were setting the
wrong bits for the well-known tls entries. That was a harmless bug
because none of the well-known tls entries has a destructor, but
it's best not to leave land mines lying around.
Also add some missing POSIX constants, a new test, and fix
pthread_key_create's return value when we hit the limit.
Change-Id: Ife26ea2f4b40865308e8410ec803b20bcc3e0ed1
name server addresses are read from the dns
cache associated wih the interface on which
the request shall be done.
processes which has requested to issue dns request
using specific interface are now proxied to netd.
added methods to attach/detach a process to a specific
dns cache/interface.
added getaddrinfoforinface method which takes an
interface as an argument.
bug:4815099
bug:5465296
Change-Id: I7a8fe1980cdf99d4d296ddc5c6411f0c72162263
Also update the x86 asm.h to support this; we need it for libm assembler
anyway.
Also clean up the _FBSDID hack in <sys/cdefs.h>.
Change-Id: Iababd977b8110ec022bf7c93f4d62ece47630e7c
This brings us up to date with FreeBSD HEAD, fixes various bugs, unifies
the set of functions we support on ARM, MIPS, and x86, fixes "long double",
adds ISO C99 support, and adds basic unit tests.
It turns out that our "long double" functions have always been broken
for non-normal numbers. This patch fixes that by not using the upstream
implementations and just forwarding to the regular "double" implementation
instead (since "long double" on Android is just "double" anyway, which is
what BSD doesn't support).
All the tests pass on ARM, MIPS, and x86, plus glibc on x86-64.
Bug: 3169850
Bug: 8012787
Bug: https://code.google.com/p/android/issues/detail?id=6697
Change-Id: If0c343030959c24bfc50d4d21c9530052c581837
Replace a kernel header file dependency with files from NetBSD.
They're more complete, and ELF is ELF, whether you're on Linux or a BSD.
Bug: 7973611
Change-Id: I83ee719e7efdf432ec2ddbe8be271d05b2f558d7
prctl.h uses __BEGIN_DECLS but fails to include sys/cdefs.h
(where it's defined). Code which includes prctl.h without
previously including sys/cdefs.h will fail to compile.
Fixed.
Change-Id: If4c9f3308f08b93596dcd00e351ae786807e9320
Currently, system properties are passed via the environment
variable ANDROID_PROPERTY_WORKSPACE and a file descriptor passed
from parent to child. This is insecure for setuid executables,
as the environment variable can be changed by the caller.
Modify system property handling so that we get the properties
from a root owned properties file, rather than using an
environment variable. Fall back to the environment variable
if the file doesn't exist.
Bug: 8045561
Change-Id: I54f3efa98cf7d63d88788da5ce0d19e34fd7851a
Don't do the fortify_source checks if we can determine, at
compile time, that the provided operation is safe.
This avoids silliness like calling fortify source on things like:
size_t len = strlen("asdf");
printf("%d\n", len);
and allows the compiler to optimize this code to:
printf("%d\n", 4);
Defer to gcc's builtin functions instead of pointing our code
to the libc implementation.
Change-Id: I5e1dcb61946461c4afaaaa983e39f07c7a0df0ae
This property file is used for properties which are set at device
provisioning time or in the factory. They are never touched by
a software update or factory data reset and typically contain
data specific to the particular unit.
Change-Id: I2e7c2fe62cb684cb2449eea917c42b19462e89a5
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Add signalfd() call to bionic.
Adding the signalfd call was done in 3 steps:
- add signalfd4 system call (function name and syscall
number) to libc/SYSCALLS.TXT
- generate all necessary headers by calling
libc/tools/gensyscalls.py. This patch is adding
the generated files since the build system
does not call gensyscalls.py.
- create the signalfd wrapper in signalfd.cpp and add
the function prototype to sys/signalfd.h
(cherry-pick of 0c11611c11, modified to
work with older versions of GCC still in use on some branches.)
Change-Id: I4c6c3f12199559af8be63f93a5336851b7e63355
Spotted while running the tests on MIPS, where sigset_t is
actually large enough. The bits in sigset_t are used such that
signal 1 is represented by bit 0, so the range of signals is
actually [1, 8*sizeof(sigset_t)]; it seems clearer to reword
the code in terms of valid bit offsets [0, 8*sizeof(sigset_t)),
which leads to the usual bounds checking idiom.
Change-Id: Id899c288e15ff71c85dd2fd33c47f8e97aa1956f
Previously we'd been relying on getting the machine-specific <endian.h>
instead of the top-level <endian.h>, and <sys/endian.h> was basically broken.
Now, with this patch and the previous patch we should have <endian.h>
and <sys/endian.h> behaving the same. This is basically how NetBSD's endian.h
works, and was probably how ours was originally intended to work.
Bug: http://code.google.com/p/android/issues/detail?id=39824
Change-Id: I71de5a507e633de166013a658b5764df9e1aa09c
These checks haven't been as useful as I hoped, and it's
causing a false positive finding. Remove the overlap
compile time checks.
Change-Id: I5d45dde10ae4663d728230d41fa904adf20acaea