7aa27e1c1a53afe28f6180fd1fc50d096cabea7b |
|
06-Aug-2014 |
Dehao Chen <dehao@google.com> |
Workaround b/16818336 which fails build under aggressive inlining. Change-Id: Ifcd596714c427a2ec39502b9c0af9082ded91884
|
dfb5ce42bcc5a275af49211c0bbe64c5ec3d2668 |
|
10-Jul-2014 |
Dan Albert <danalbert@google.com> |
Revert "Revert "Add locale aware APIs."" This reverts commit 063e20c26943ec82ef1d53a544545e79054e93d3. Change-Id: Ib8c9004efefe75a5346b3af50dfe37952d91eb21
|
e087eac404b0e30de427392065e2750acf92bd4a |
|
09-Jul-2014 |
Dan Albert <danalbert@google.com> |
Add locale aware APIs. Since we only support the C locale, we can just forward all of these to their non-locale equivalents for correct behavior. Change-Id: Ib7be71b7f636309c0cc3be1096a4c1f693f04fbb
|
063e20c26943ec82ef1d53a544545e79054e93d3 |
|
10-Jul-2014 |
Dan Albert <danalbert@google.com> |
Revert "Add locale aware APIs." Accidentally verified against a dirty tree. Needs the companion change to libc++ to land upstream before I can submit this. This reverts commit e087eac404b0e30de427392065e2750acf92bd4a. Change-Id: I317ecd0923114f415eaad7603002f77feffb5e3f
|
40fca0f08b1eb87e283d6f634d9759ed3161f517 |
|
04-Jun-2014 |
Dan Albert <danalbert@google.com> |
Removes index() from bionic. This function has been removed from POSIX. Unfortunately, we can't leave #define index(a, b) strchr((a), (b)) in its place because defining a preprocessor macro for index() breaks a whole lot of code. Bug: 13935372 Change-Id: Ifda348acde06da61c12e7ee2f8fe6950a3174dd1
|
950a58e24d1019eb9d814dbb16f111a6b61e3f23 |
|
04-Apr-2014 |
Christopher Ferris <cferris@google.com> |
Add stpcpy/stpncpy. Add tests for the above. Add the fortify implementations of __stpcpy_chk and __stpncpy_chk. Modify the strncpy test to cover more cases and use this template for stpncpy. Add all of the fortify test cases. Bug: 13746695 Change-Id: I8c0f0d4991a878b8e8734fff12c8b73b07fdd344
|
152b9de19ade833ada124390ef153e53d3d3e2ed |
|
10-Mar-2014 |
Elliott Hughes <enh@google.com> |
Remove non-standard memswap. Change-Id: I06548dda339987b755ef7139c590ca3e1f9fe0a9
|
53e43292aac91bf62995788cd5ca2ceb7caea283 |
|
25-Feb-2014 |
Elliott Hughes <enh@google.com> |
More OpenBSD cleanup (primarily string). This patch removes the string/ and wchar/ directories. Change-Id: Ia489904bc67047e4bc79acb1f3eec21aa3fe5f0d
|
d13c2b1ba6681fdbee73a044d988c3f9e1172d30 |
|
27-Sep-2013 |
Nick Kralevich <nnk@google.com> |
Fix unnecessary call to __strncpy_chk2

If "n" is smaller than the size of "src", then we'll never read off the end of src. It makes no sense to call __strncpy_chk2 in those circumstances.

For example, consider the following code:

    int main() {
        char src[10];
        char dst[5];
        memcpy(src, "0123456789", sizeof(src));
        strncpy(dst, src, sizeof(dst));
        dst[4] = '\0';
        printf("%s\n", dst);
        return 0;
    }

In this code, it's clear that the strncpy will never read off the end of src.

Change-Id: I9cf58857a0c5216b4576d21d3c1625e2913ccc03
|
3c4b50fd8cce143d9ba8f03a93f0fccba4e54d14 |
|
26-Jul-2013 |
Pavel Chupin <pavel.v.chupin@intel.com> |
Fix strchr for basic non-sse case on x86 Fix source location. Move declaration of __strchr_chk out of ifdef __BIONIC_FORTIFY which should be available for strchr.cpp compilation when __BIONIC_FORTIFY is not defined. Change-Id: I552a6e16656e59b276b322886cfbf57bbfb2e6a7 Signed-off-by: Pavel Chupin <pavel.v.chupin@intel.com>
|
bd8e6749b78567af62ec126d7cc057386ebee25a |
|
28-Aug-2013 |
Nick Kralevich <nnk@google.com> |
cdefs.h: introduce __bos0 Introduce __bos0 as a #define for __builtin_object_size((s), 0). This macro is intended to be used for places where the standard __bos macro isn't appropriate. memcpy, memmove, and memset deliberately use __bos0. This is done for two reasons: 1) I haven't yet tested to see if __bos is safe to use. 2) glibc uses __bos0 for these methods. Change-Id: Ifbe02efdb10a72fe3529dbcc47ff647bde6feeca
|
93501d3ab81156bcef251bb817a49e9ca46a6ec1 |
|
28-Aug-2013 |
Nick Kralevich <nnk@google.com> |
FORTIFY_SOURCE: introduce __strncpy_chk2 This change detects programs reading beyond the end of "src" when calling strncpy. Change-Id: Ie1b42de923385d62552b22c27b2d4713ab77ee03
|
a6cde392765eb955cb4be5faa6ee62dcf77e8aa5 |
|
29-Jun-2013 |
Nick Kralevich <nnk@google.com> |
More FORTIFY_SOURCE functions under clang * bzero * umask * strlcat Change-Id: I65065208e0b8b37e10f6a266d5305de8fa9e59fc
|
8bafa7452ec0892572b0b49f86022ce945c5e908 |
|
20-Jun-2013 |
Nick Kralevich <nnk@google.com> |
libc: enable FORTIFY_SOURCE clang strlcpy Change-Id: Idcfe08f5afc3dde592416df9eba83f64e130c7c2
|
16d1af167f8e36a9aa4a07ae77034ad519b00463 |
|
17-Jun-2013 |
Nick Kralevich <nnk@google.com> |
libc: add limited FORTIFY_SOURCE support for clang

In 829c089f83ddee37203b52bcb294867a9ae7bdbc, we disabled all FORTIFY_SOURCE support when compiling under clang. At the time, we didn't have proper test cases, and couldn't easily create targeted clang tests.

This change re-enables FORTIFY_SOURCE support under clang for a limited set of functions, where we have explicit unittests available. The functions are:

* memcpy
* memmove
* strcpy
* strncpy
* strcat
* strncat
* memset
* strlen (with modifications)
* strchr (with modifications)
* strrchr (with modifications)

It may be possible, in the future, to enable other functions. However, I need to write unittests first.

For strlen, strchr, and strrchr, clang unconditionally calls the fortified version of the relevant function. If it doesn't know the size of the buffer it's dealing with, it passes in ((size_t) -1), which is the largest possible size_t.

I added two new clang specific unittest files, primarily copied from fortify?_test.cpp.

I've also rebuilt the entire system with these changes, and didn't observe any obvious problems.

Change-Id: If12a15089bb0ffe93824b485290d05b14355fcaa
|
b24c0637d06fe0980b9e13a8d0c3e6f4dbda9cd5 |
|
18-Jun-2013 |
Nick Kralevich <nnk@google.com> |
libc: Introduce __errordecl() Define __errordecl and replace __attribute__((__error__("foo"))) with __errordecl. Make sure __errordecl is a no-op on clang, as it generates a compile time warning. Change-Id: Ifa1a2d3afd6881de9d479fc2adac6737871a2949
|
cf870199d576bdfc339b7fb016c9f6fe7f2c87ed |
|
31-May-2013 |
Nick Kralevich <nnk@google.com> |
FORTIFY_SOURCE: strcat / strncat optimize __strcat_chk and __strncat_chk are slightly inefficient, because they end up traversing over the same memory region two times. This change optimizes __strcat_chk / __strncat_chk so they only access the memory once. Although I haven't benchmarked these changes, it should improve the performance of these functions. __strlen_chk - expose this function, even if -D_FORTIFY_SOURCE isn't defined. This is needed to compile libc itself without -D_FORTIFY_SOURCE. Change-Id: Id2c70dff55a276b47c59db27a03734d659f84b74
|
1c462b7a04fc6afc99d8544728dd6d8f2a471fa2 |
|
07-May-2013 |
Nick Kralevich <nnk@google.com> |
Use restrict pointers for various libc functions. All the cool kids say this is the best thing since sliced bread. http://cellperformance.beyond3d.com/articles/2006/05/demystifying-the-restrict-keyword.html For the most part, these changes match what glibc does. Change-Id: I176268f27f82800162fe5f2515b08d5469ea2dfe
|
3b2e6bc9acf5223db6e9967e46066219c76ee56f |
|
30-Apr-2013 |
Nick Kralevich <nnk@google.com> |
libc: upgrade strrchr to FORTIFY_SOURCE=2 Change-Id: I4c34c2ce22c5092c4446dc1ab55f37604c1c223f
|
9020fd503c9eb073f70dbc239a212f8ece19359d |
|
30-Apr-2013 |
Nick Kralevich <nnk@google.com> |
libc: upgrade some libc functions to _FORTIFY_SOURCE=2

Upgrade the following functions:

* vsnprintf
* vsprintf
* snprintf
* fgets
* strcpy
* strcat
* strncat
* strlcpy
* strlcat
* strlen
* strchr

Change-Id: Icc036fc7f0bb317e05f7c051617887a1601271aa
|
1aae9bd170883805f2e7975cd3dbd2502b083cc1 |
|
29-Apr-2013 |
Nick Kralevich <nnk@google.com> |
strncpy: implement _FORTIFY_SOURCE=2 Add support for fortify source level 2 to strncpy. This will enable detection of more areas where strncpy is used inappropriately. For example, this would have detected bug 8727221. Move the fortify_source tests out of string_test.cpp, and put it into fortify1_test.cpp. Create a new fortify2_test.cpp file, which copies all the tests in fortify1_test.cpp, and adds fortify_source level 2 specific tests. Change-Id: Ica0fba531cc7d0609e4f23b8176739b13f7f7a83
|
890c8ed6ef773160cd6840a92e0d469fe530871f |
|
22-Mar-2013 |
Elliott Hughes <enh@google.com> |
Fix builds where _FORTIFY_SOURCE is off. Also add a more intention-revealing guard so we don't have loads of places checking whether our inlining macro is defined. Change-Id: I168860cedcfc798b07a5145bc48a125700265e47
|
538f6fc202b07219ce78de54c0e05ab81e937154 |
|
22-Feb-2013 |
Elliott Hughes <enh@google.com> |
Stop advertising rindex(3), which is both deprecated and unimplemented. Change-Id: I3c775d9974e49c3f76a53e46e022659657b89034
|
a44e9afdd16105d6f36319cb538666d9cc78435a |
|
18-Jan-2013 |
Nick Kralevich <nnk@google.com> |
FORTIFY_SOURCE: optimize

Don't do the fortify_source checks if we can determine, at compile time, that the provided operation is safe. This avoids silliness like calling fortify source on things like:

    size_t len = strlen("asdf");
    printf("%d\n", len);

and allows the compiler to optimize this code to:

    printf("%d\n", 4);

Defer to gcc's builtin functions instead of pointing our code to the libc implementation.

Change-Id: I5e1dcb61946461c4afaaaa983e39f07c7a0df0ae
|
57874753900865312d7d265d2ca15cb4edb00ef2 |
|
07-Dec-2012 |
Nick Kralevich <nnk@google.com> |
FORTIFY_SOURCE: remove memcpy overlap checks These checks haven't been as useful as I hoped, and it's causing a false positive finding. Remove the overlap compile time checks. Change-Id: I5d45dde10ae4663d728230d41fa904adf20acaea
|
9a4d305340e6ce2fc6c3f371f2d7ede446f8c6d4 |
|
03-Dec-2012 |
Nick Kralevich <nnk@google.com> |
FORTIFY_SOURCE: fortify strrchr This change complements 049e58369c37fdeacd0380a6bf1e078d9baf819f Change-Id: I27d015d70a520713c7472558a3c427f546d36ee4
|
049e58369c37fdeacd0380a6bf1e078d9baf819f |
|
01-Dec-2012 |
Nick Kralevich <nnk@google.com> |
FORTIFY_SOURCE: fortify strchr Detect when strchr reads off the end of a buffer. Change-Id: I0e952eedcff5c36d646a9c3bc4e1337b959224f2
|
829c089f83ddee37203b52bcb294867a9ae7bdbc |
|
29-Aug-2012 |
Nick Kralevich <nnk@google.com> |
disable _FORTIFY_SOURCE under clang Clang and _FORTIFY_SOURCE are just plain incompatible with each other. First of all, clang doesn't understand the __attribute__((gnu_inline)) header. Second of all, Clang doesn't have support for __builtin_va_arg_pack() and __builtin_va_arg_pack_len() (see http://clang.llvm.org/docs/UsersManual.html#c_unimpl_gcc) Until we can resolve these issues, don't even try using _FORTIFY_SOURCE under clang. Change-Id: I81c2b8073bb3276fa9a4a6b93c427b641038356a
|
f4497e15b78383b06d59ce244255fc7625beaec5 |
|
06-Aug-2012 |
Shih-wei Liao <sliao@google.com> |
When compiling with clang, don't "fortify_source" the strlcpy and strlcat. Change-Id: I91f58322f28e425ab9d22b51c23fcd6b772ede97
|
a72246d67e309de62c26aca970fff65dfb86eb7c |
|
06-Aug-2012 |
Shih-wei Liao <sliao@google.com> |
When compiling with clang, don't "fortify_source" the strlen. At this point, FORTIFY_SOURCE and clang are just plain incompatible. Need to solve the underlying incompatibility first. Change-Id: I3366477d19461e1ec93b1c30e0c7e8145b391b9b
|
d600617645e85435cf98fc30139a6945aaadc1ca |
|
06-Aug-2012 |
Shih-wei Liao <sliao@google.com> |
When compiling with clang, don't "fortify_source" the strlcpy and strlcat. Change-Id: I91f58322f28e425ab9d22b51c23fcd6b772ede97
|
9a3d53fad062cdadb4df81f6998a5e09336c637b |
|
06-Aug-2012 |
Shih-wei Liao <sliao@google.com> |
When compiling with clang, don't "fortify_source" the strlen. At this point, FORTIFY_SOURCE and clang are just plain incompatible. Need to solve the underlying incompatibility first. Change-Id: I3366477d19461e1ec93b1c30e0c7e8145b391b9b
|
761ba27d62a67c098a3323fb37175a7274ee5f19 |
|
16-Jul-2012 |
Nick Kralevich <nnk@google.com> |
Merge "FORTIFY_SOURCE: revert memcpy changes."
|
c37fc1ab6a3ac3956a8c9ba3ac089d41969815ed |
|
14-Jul-2012 |
Nick Kralevich <nnk@google.com> |
FORTIFY_SOURCE: revert memcpy changes. Performance regressions. Hopefully this is a temporary rollback. Bug: 6821003 Change-Id: I84abbb89e1739d506b583f2f1668f31534127764
|
9b6cc223a36835c4367a036d4cfeff14d25bc742 |
|
13-Jul-2012 |
Nick Kralevich <nnk@google.com> |
FORTIFY_SOURCE: introduce __BIONIC_FORTIFY_UNKNOWN_SIZE macro Replace all occurrences of "(size_t) -1" with a __BIONIC_FORTIFY_UNKNOWN_SIZE macro. Change-Id: I0b188f6cf31417d2dbef0e1bd759de3f9782873a
|
260bf8cfe00f83bc579dfe81c78b75bd9973f051 |
|
13-Jul-2012 |
Nick Kralevich <nnk@google.com> |
FORTIFY_SOURCE: strlen check.

This test is designed to detect code such as:

    int main() {
        char buf[10];
        memcpy(buf, "1234567890", sizeof(buf));
        size_t len = strlen(buf); // segfault here with _FORTIFY_SOURCE
        printf("%d\n", len);
        return 0;
    }

or anytime strlen reads beyond an object boundary. This should help address memory leakage vulnerabilities and make other unrelated vulnerabilities harder to exploit.

Change-Id: I354b425be7bef4713c85f6bab0e9738445e00182
|
f3913b5b68347ce9a4cb17977df2c33f1e8f6000 |
|
13-Jul-2012 |
Nick Kralevich <nnk@google.com> |
FORTIFY_SOURCE: enhanced memcpy protections.

Two changes:

1) Detect memory read overruns. For example:

    int main() {
        char buf[10];
        memcpy(buf, "abcde", sizeof(buf));
        printf("%s\n", buf);
    }

because "abcde" is only 6 bytes, copying 10 bytes from it is a bug. This particular bug will be detected at compile time. Other similar bugs may be detected at runtime.

2) Detect overlapping buffers on memcpy()

It is a bug to call memcpy() on buffers which overlap. For example, the following code is buggy:

    char buf3[0x800];
    char *first_half = &buf3[0x400];
    char *second_half = &buf3[1];
    memset(buf3, 0, sizeof(buf3));
    memcpy(first_half, second_half, 0x400);
    printf("1: %s\n", buf3);

We now detect this at compile and run time.

Change-Id: I092bd89f11f18e08e8a9dda0ca903aaea8e06d91
|
cb228fb4a91bdccfd974b8a4f45e2b6002e90728 |
|
27-Jun-2012 |
Nick Kralevich <nnk@google.com> |
libc: cleanups Prefix private functions with underscores, to prevent name conflicts. Use __error__ instead of error, since occasionally programs will create their own "#define error ...". Change-Id: I7bb171df58aec5627e61896032a140db547fd95d
|
8df49ad2467ec2d48f94a925162185c34bf6e68b |
|
14-Jun-2012 |
Nick Kralevich <nnk@google.com> |
FORTIFY_SOURCE: add strlcpy / strlcat support Add strlcpy / strlcat support to FORTIFY_SOURCE. This allows us to do consistency checks to ensure we don't overflow buffers when the compiler is able to tell us the size of the buffer we're dealing with. Unlike previous changes, this change DOES NOT use the compiler's builtin support. Instead, we do everything the compiler would normally do. Change-Id: I47c099a911382452eafd711f8e9bfe7c2d0a0d22
|
71a18dd435e96564539b5af71b8ea5093a2109a1 |
|
07-Jun-2012 |
Nick Kralevich <nnk@google.com> |
_FORTIFY_SOURCE: add memset / bzero support Add _FORTIFY_SOURCE support for the following functions: * memset * bzero Move the __BIONIC_FORTIFY_INLINE definition to cdefs.h so it can be used from multiple header files. Change-Id: Iead4d5e35de6ec97786d58ee12573f9b11135bb7
|
0a2301598c207fd1b50015984942fee5e8511593 |
|
05-Jun-2012 |
Nick Kralevich <nnk@google.com> |
libc: implement some FORTIFY_SOURCE functions

Add initial support for -D_FORTIFY_SOURCE to bionic for the following functions:

* memcpy
* memmove
* strcpy
* strcat
* strncpy
* strncat

This change adds a new version of the above functions which passes the size of the destination buffer to __builtin___*_chk.

If the compiler can determine, at compile time, that the destination buffer is large enough, or the destination buffer can point to an object of unknown size, then the check call is bypassed.

If the compiler can't make a compile time decision, then it calls the __*_chk() function, which does a runtime buffer size check.

These options are only enabled if the code is compiled with -D_FORTIFY_SOURCE=1 or 2, and only when optimizations are enabled.

Please see

* http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
* http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html

for additional details on FORTIFY_SOURCE.

Testing: Compiled the entire Android tree with -D_FORTIFY_SOURCE=1, and verified that everything appears to be working properly. Also created a test buffer overflow, and verified that it was caught by this change.

Change-Id: I4fddb445bafe92b16845b22458d72e6dedd24fbc
|
a677907ee8ecca034318fdb97902fa73e7392c4f |
|
21-Mar-2012 |
Nick Kralevich <nnk@google.com> |
string.h: add __attribute__ ((pure)) to string functions cdefs.h: Introduce the __purefunc attribute, which allows us to mark certain functions as being "pure". http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html Many functions have no effects except the return value and their return value depends only on the parameters and/or global variables. Such a function can be subject to common subexpression elimination and loop optimization just as an arithmetic operator would be. string.h: Mark many commonly used string functions as "pure", to allow for additional compiler optimizations. Change-Id: I42961f90f822b6dbcbc3fd72cdbe774a7adc8785
|
1dc9e472e19acfe6dc7f41e429236e7eef7ceda1 |
|
04-Mar-2009 |
The Android Open Source Project <initial-contribution@android.com> |
auto import from //depot/cupcake/@135843
|
1767f908af327fa388b1c66883760ad851267013 |
|
04-Mar-2009 |
The Android Open Source Project <initial-contribution@android.com> |
auto import from //depot/cupcake/@135843
|
9f65adf2ba3bb15feb8b7a7b3eef788df3fd270e |
|
11-Feb-2009 |
The Android Open Source Project <initial-contribution@android.com> |
auto import from //branches/cupcake/...@130745
|
6d6c82c7a0a6b9a89f61b61c66f9b90d9c7177dc |
|
10-Jan-2009 |
The Android Open Source Project <initial-contribution@android.com> |
auto import from //branches/cupcake/...@125939
|
a27d2baa0c1a2ec70f47ea9199b1dd6762c8a349 |
|
21-Oct-2008 |
The Android Open Source Project <initial-contribution@android.com> |
Initial Contribution
|