History log of /bionic/libc/include/string.h
Revision Date Author Comments
7aa27e1c1a53afe28f6180fd1fc50d096cabea7b 06-Aug-2014 Dehao Chen <dehao@google.com> Workaround b/16818336 which fails build under aggressive inlining.

Change-Id: Ifcd596714c427a2ec39502b9c0af9082ded91884
dfb5ce42bcc5a275af49211c0bbe64c5ec3d2668 10-Jul-2014 Dan Albert <danalbert@google.com> Revert "Revert "Add locale aware APIs.""

This reverts commit 063e20c26943ec82ef1d53a544545e79054e93d3.

Change-Id: Ib8c9004efefe75a5346b3af50dfe37952d91eb21
e087eac404b0e30de427392065e2750acf92bd4a 09-Jul-2014 Dan Albert <danalbert@google.com> Add locale aware APIs.

Since we only support the C locale, we can just forward all of these to
their non-locale equivalents for correct behavior.

Change-Id: Ib7be71b7f636309c0cc3be1096a4c1f693f04fbb
063e20c26943ec82ef1d53a544545e79054e93d3 10-Jul-2014 Dan Albert <danalbert@google.com> Revert "Add locale aware APIs."

Accidentally verified against a dirty tree. Needs the companion change to libc++ to land upstream before I can submit this.

This reverts commit e087eac404b0e30de427392065e2750acf92bd4a.

Change-Id: I317ecd0923114f415eaad7603002f77feffb5e3f
40fca0f08b1eb87e283d6f634d9759ed3161f517 04-Jun-2014 Dan Albert <danalbert@google.com> Removes index() from bionic.

This function has been removed from POSIX.

Unfortunately, we can't leave #define index(a, b) strchr((a), (b)) in its place
because defining a preprocessor macro for index() breaks a whole lot of code.

Bug: 13935372
Change-Id: Ifda348acde06da61c12e7ee2f8fe6950a3174dd1
950a58e24d1019eb9d814dbb16f111a6b61e3f23 04-Apr-2014 Christopher Ferris <cferris@google.com> Add stpcpy/stpncpy.

Add tests for the above.

Add the fortify implementations of __stpcpy_chk and __stpncpy_chk.

Modify the strncpy test to cover more cases and use this template for
stpncpy.

Add all of the fortify test cases.

Bug: 13746695
Change-Id: I8c0f0d4991a878b8e8734fff12c8b73b07fdd344
152b9de19ade833ada124390ef153e53d3d3e2ed 10-Mar-2014 Elliott Hughes <enh@google.com> Remove non-standard memswap.

Change-Id: I06548dda339987b755ef7139c590ca3e1f9fe0a9
53e43292aac91bf62995788cd5ca2ceb7caea283 25-Feb-2014 Elliott Hughes <enh@google.com> More OpenBSD cleanup (primarily string).

This patch removes the string/ and wchar/ directories.

Change-Id: Ia489904bc67047e4bc79acb1f3eec21aa3fe5f0d
d13c2b1ba6681fdbee73a044d988c3f9e1172d30 27-Sep-2013 Nick Kralevich <nnk@google.com> Fix unnecessary call to __strncpy_chk2

If "n" is smaller than the size of "src", then we'll
never read off the end of src. It makes no sense to call
__strncpy_chk2 in those circumstances.

For example, consider the following code:

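  #include <stdio.h>
  #include <string.h>

  int main() {
    char src[10];
    char dst[5];
    memcpy(src, "0123456789", sizeof(src));  /* fills src exactly; no NUL terminator */
    strncpy(dst, src, sizeof(dst));          /* n (5) < sizeof(src) (10) */
    dst[4] = '\0';
    printf("%s\n", dst);
    return 0;
  }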

In this code, it's clear that the strncpy will never read off
the end of src.

Change-Id: I9cf58857a0c5216b4576d21d3c1625e2913ccc03
3c4b50fd8cce143d9ba8f03a93f0fccba4e54d14 26-Jul-2013 Pavel Chupin <pavel.v.chupin@intel.com> Fix strchr for basic non-sse case on x86

Fix source location. Move declaration of __strchr_chk out of
ifdef __BIONIC_FORTIFY which should be available for strchr.cpp
compilation when __BIONIC_FORTIFY is not defined.

Change-Id: I552a6e16656e59b276b322886cfbf57bbfb2e6a7
Signed-off-by: Pavel Chupin <pavel.v.chupin@intel.com>
bd8e6749b78567af62ec126d7cc057386ebee25a 28-Aug-2013 Nick Kralevich <nnk@google.com> cdefs.h: introduce __bos0

Introduce __bos0 as a #define for __builtin_object_size((s), 0).
This macro is intended to be used for places where the standard
__bos macro isn't appropriate.

memcpy, memmove, and memset deliberately use __bos0. This is done
for two reasons:

1) I haven't yet tested to see if __bos is safe to use.
2) glibc uses __bos0 for these methods.

Change-Id: Ifbe02efdb10a72fe3529dbcc47ff647bde6feeca
93501d3ab81156bcef251bb817a49e9ca46a6ec1 28-Aug-2013 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: introduce __strncpy_chk2

This change detects programs reading beyond the end of "src" when
calling strncpy.

Change-Id: Ie1b42de923385d62552b22c27b2d4713ab77ee03
a6cde392765eb955cb4be5faa6ee62dcf77e8aa5 29-Jun-2013 Nick Kralevich <nnk@google.com> More FORTIFY_SOURCE functions under clang

* bzero
* umask
* strlcat

Change-Id: I65065208e0b8b37e10f6a266d5305de8fa9e59fc
8bafa7452ec0892572b0b49f86022ce945c5e908 20-Jun-2013 Nick Kralevich <nnk@google.com> libc: enable FORTIFY_SOURCE clang strlcpy

Change-Id: Idcfe08f5afc3dde592416df9eba83f64e130c7c2
16d1af167f8e36a9aa4a07ae77034ad519b00463 17-Jun-2013 Nick Kralevich <nnk@google.com> libc: add limited FORTIFY_SOURCE support for clang

In 829c089f83ddee37203b52bcb294867a9ae7bdbc, we disabled all
FORTIFY_SOURCE support when compiling under clang. At the time,
we didn't have proper test cases, and couldn't easily create targeted
clang tests.

This change re-enables FORTIFY_SOURCE support under clang for a
limited set of functions, where we have explicit unittests available.
The functions are:

* memcpy
* memmove
* strcpy
* strncpy
* strcat
* strncat
* memset
* strlen (with modifications)
* strchr (with modifications)
* strrchr (with modifications)

It may be possible, in the future, to enable other functions. However,
I need to write unittests first.

For strlen, strchr, and strrchr, clang unconditionally calls the
fortified version of the relevant function. If it doesn't know the
size of the buffer it's dealing with, it passes in ((size_t) -1),
which is the largest possible size_t.

I added two new clang specific unittest files, primarily copied
from fortify?_test.cpp.

I've also rebuilt the entire system with these changes, and didn't
observe any obvious problems.

Change-Id: If12a15089bb0ffe93824b485290d05b14355fcaa
b24c0637d06fe0980b9e13a8d0c3e6f4dbda9cd5 18-Jun-2013 Nick Kralevich <nnk@google.com> libc: Introduce __errordecl()

Define __errordecl and replace __attribute__((__error__("foo")))
with __errordecl. Make sure __errordecl is a no-op on clang, as it
generates a compile time warning.

Change-Id: Ifa1a2d3afd6881de9d479fc2adac6737871a2949
cf870199d576bdfc339b7fb016c9f6fe7f2c87ed 31-May-2013 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: strcat / strncat optimize

__strcat_chk and __strncat_chk are slightly inefficient,
because they end up traversing over the same memory region
two times.

This change optimizes __strcat_chk / __strncat_chk so they
only access the memory once. Although I haven't benchmarked these
changes, it should improve the performance of these functions.

__strlen_chk - expose this function, even if -D_FORTIFY_SOURCE
isn't defined. This is needed to compile libc itself without
-D_FORTIFY_SOURCE.

Change-Id: Id2c70dff55a276b47c59db27a03734d659f84b74
1c462b7a04fc6afc99d8544728dd6d8f2a471fa2 07-May-2013 Nick Kralevich <nnk@google.com> Use restrict pointers for various libc functions.

All the cool kids say this is the best thing since sliced bread.
http://cellperformance.beyond3d.com/articles/2006/05/demystifying-the-restrict-keyword.html

For the most part, these changes match what glibc does.

Change-Id: I176268f27f82800162fe5f2515b08d5469ea2dfe
3b2e6bc9acf5223db6e9967e46066219c76ee56f 30-Apr-2013 Nick Kralevich <nnk@google.com> libc: upgrade strrchr to FORTIFY_SOURCE=2

Change-Id: I4c34c2ce22c5092c4446dc1ab55f37604c1c223f
9020fd503c9eb073f70dbc239a212f8ece19359d 30-Apr-2013 Nick Kralevich <nnk@google.com> libc: upgrade some libc functions to _FORTIFY_SOURCE=2

Upgrade the following functions:

* vsnprintf
* vsprintf
* snprintf
* fgets
* strcpy
* strcat
* strncat
* strlcpy
* strlcat
* strlen
* strchr

Change-Id: Icc036fc7f0bb317e05f7c051617887a1601271aa
1aae9bd170883805f2e7975cd3dbd2502b083cc1 29-Apr-2013 Nick Kralevich <nnk@google.com> strncpy: implement _FORTIFY_SOURCE=2

Add support for fortify source level 2 to strncpy.
This will enable detection of more areas where strncpy
is used inappropriately. For example, this would have detected
bug 8727221.

Move the fortify_source tests out of string_test.cpp, and
put it into fortify1_test.cpp.

Create a new fortify2_test.cpp file, which copies all
the tests in fortify1_test.cpp, and adds fortify_source level
2 specific tests.

Change-Id: Ica0fba531cc7d0609e4f23b8176739b13f7f7a83
890c8ed6ef773160cd6840a92e0d469fe530871f 22-Mar-2013 Elliott Hughes <enh@google.com> Fix builds where _FORTIFY_SOURCE is off.

Also add a more intention-revealing guard so we don't have loads of
places checking whether our inlining macro is defined.

Change-Id: I168860cedcfc798b07a5145bc48a125700265e47
538f6fc202b07219ce78de54c0e05ab81e937154 22-Feb-2013 Elliott Hughes <enh@google.com> Stop advertising rindex(3), which is both deprecated and unimplemented.

Change-Id: I3c775d9974e49c3f76a53e46e022659657b89034
a44e9afdd16105d6f36319cb538666d9cc78435a 18-Jan-2013 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: optimize

Don't do the fortify_source checks if we can determine, at
compile time, that the provided operation is safe.

This avoids silliness like calling fortify source on things like:

  size_t len = strlen("asdf");
  printf("%zu\n", len);

and allows the compiler to optimize this code to:

  printf("%zu\n", (size_t) 4);

Defer to gcc's builtin functions instead of pointing our code
to the libc implementation.

Change-Id: I5e1dcb61946461c4afaaaa983e39f07c7a0df0ae
57874753900865312d7d265d2ca15cb4edb00ef2 07-Dec-2012 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: remove memcpy overlap checks

These checks haven't been as useful as I hoped, and it's
causing a false positive finding. Remove the overlap
compile time checks.

Change-Id: I5d45dde10ae4663d728230d41fa904adf20acaea
9a4d305340e6ce2fc6c3f371f2d7ede446f8c6d4 03-Dec-2012 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: fortify strrchr

This change complements 049e58369c37fdeacd0380a6bf1e078d9baf819f

Change-Id: I27d015d70a520713c7472558a3c427f546d36ee4
049e58369c37fdeacd0380a6bf1e078d9baf819f 01-Dec-2012 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: fortify strchr

Detect when strchr reads off the end of a buffer.

Change-Id: I0e952eedcff5c36d646a9c3bc4e1337b959224f2
829c089f83ddee37203b52bcb294867a9ae7bdbc 29-Aug-2012 Nick Kralevich <nnk@google.com> disable _FORTIFY_SOURCE under clang

Clang and _FORTIFY_SOURCE are just plain incompatible with
each other. First of all, clang doesn't understand the
__attribute__((gnu_inline)) header. Second of all,
Clang doesn't have support for __builtin_va_arg_pack()
and __builtin_va_arg_pack_len() (see
http://clang.llvm.org/docs/UsersManual.html#c_unimpl_gcc)

Until we can resolve these issues, don't even try using
_FORTIFY_SOURCE under clang.

Change-Id: I81c2b8073bb3276fa9a4a6b93c427b641038356a
f4497e15b78383b06d59ce244255fc7625beaec5 06-Aug-2012 Shih-wei Liao <sliao@google.com> When compiling with clang, don't "fortify_source" the strlcpy and
strlcat.

Change-Id: I91f58322f28e425ab9d22b51c23fcd6b772ede97
a72246d67e309de62c26aca970fff65dfb86eb7c 06-Aug-2012 Shih-wei Liao <sliao@google.com> When compiling with clang, don't "fortify_source" the strlen.

At this point, FORTIFY_SOURCE and clang are just plain incompatible.
Need to solve the underlying incompatibility first.

Change-Id: I3366477d19461e1ec93b1c30e0c7e8145b391b9b
d600617645e85435cf98fc30139a6945aaadc1ca 06-Aug-2012 Shih-wei Liao <sliao@google.com> When compiling with clang, don't "fortify_source" the strlcpy and
strlcat.

Change-Id: I91f58322f28e425ab9d22b51c23fcd6b772ede97
9a3d53fad062cdadb4df81f6998a5e09336c637b 06-Aug-2012 Shih-wei Liao <sliao@google.com> When compiling with clang, don't "fortify_source" the strlen.

At this point, FORTIFY_SOURCE and clang are just plain incompatible.
Need to solve the underlying incompatibility first.

Change-Id: I3366477d19461e1ec93b1c30e0c7e8145b391b9b
761ba27d62a67c098a3323fb37175a7274ee5f19 16-Jul-2012 Nick Kralevich <nnk@google.com> Merge "FORTIFY_SOURCE: revert memcpy changes."
c37fc1ab6a3ac3956a8c9ba3ac089d41969815ed 14-Jul-2012 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: revert memcpy changes.

Performance regressions. Hopefully this is a temporary
rollback.

Bug: 6821003
Change-Id: I84abbb89e1739d506b583f2f1668f31534127764
9b6cc223a36835c4367a036d4cfeff14d25bc742 13-Jul-2012 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: introduce __BIONIC_FORTIFY_UNKNOWN_SIZE macro

Replace all occurrences of "(size_t) -1" with a
__BIONIC_FORTIFY_UNKNOWN_SIZE macro.

Change-Id: I0b188f6cf31417d2dbef0e1bd759de3f9782873a
260bf8cfe00f83bc579dfe81c78b75bd9973f051 13-Jul-2012 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: strlen check.

This test is designed to detect code such as:

  #include <stdio.h>
  #include <string.h>

  int main() {
    char buf[10];
    memcpy(buf, "1234567890", sizeof(buf));  /* fills buf exactly; no NUL terminator */
    size_t len = strlen(buf); // segfault here with _FORTIFY_SOURCE
    printf("%zu\n", len);
    return 0;
  }
or anytime strlen reads beyond an object boundary. This should
help address memory leakage vulnerabilities and make other
unrelated vulnerabilities harder to exploit.

Change-Id: I354b425be7bef4713c85f6bab0e9738445e00182
f3913b5b68347ce9a4cb17977df2c33f1e8f6000 13-Jul-2012 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: enhanced memcpy protections.

Two changes:

1) Detect memory read overruns.

For example:

  #include <stdio.h>
  #include <string.h>

  int main() {
    char buf[10];
    memcpy(buf, "abcde", sizeof(buf));  /* reads 10 bytes from a shorter source */
    printf("%s\n", buf);
  }

because "abcde" is only 6 bytes, copying 10 bytes from it is a bug.
This particular bug will be detected at compile time. Other similar
bugs may be detected at runtime.

2) Detect overlapping buffers on memcpy()

It is a bug to call memcpy() on buffers which overlap. For
example, the following code is buggy:

  char buf3[0x800];
  char *first_half = &buf3[0x400];
  char *second_half = &buf3[1];
  memset(buf3, 0, sizeof(buf3));
  memcpy(first_half, second_half, 0x400);
  printf("1: %s\n", buf3);

We now detect this at compile and run time.

Change-Id: I092bd89f11f18e08e8a9dda0ca903aaea8e06d91
cb228fb4a91bdccfd974b8a4f45e2b6002e90728 27-Jun-2012 Nick Kralevich <nnk@google.com> libc: cleanups

Prefix private functions with underscores, to prevent name
conflicts.

Use __error__ instead of error, since occasionally programs will
create their own "#define error ...".

Change-Id: I7bb171df58aec5627e61896032a140db547fd95d
8df49ad2467ec2d48f94a925162185c34bf6e68b 14-Jun-2012 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: add strlcpy / strlcat support

Add strlcpy / strlcat support to FORTIFY_SOURCE. This allows
us to do consistency checks to ensure we don't overflow buffers
when the compiler is able to tell us the size of the buffer we're
dealing with.

Unlike previous changes, this change DOES NOT use the compiler's
builtin support. Instead, we do everything the compiler would
normally do.

Change-Id: I47c099a911382452eafd711f8e9bfe7c2d0a0d22
71a18dd435e96564539b5af71b8ea5093a2109a1 07-Jun-2012 Nick Kralevich <nnk@google.com> _FORTIFY_SOURCE: add memset / bzero support

Add _FORTIFY_SOURCE support for the following functions:

* memset
* bzero

Move the __BIONIC_FORTIFY_INLINE definition to cdefs.h so it
can be used from multiple header files.

Change-Id: Iead4d5e35de6ec97786d58ee12573f9b11135bb7
0a2301598c207fd1b50015984942fee5e8511593 05-Jun-2012 Nick Kralevich <nnk@google.com> libc: implement some FORTIFY_SOURCE functions

Add initial support for -D_FORTIFY_SOURCE to bionic for the
following functions:

* memcpy
* memmove
* strcpy
* strcat
* strncpy
* strncat

This change adds a new version of the above functions which passes
the size of the destination buffer to __builtin___*_chk.

If the compiler can determine, at compile time, that the destination
buffer is large enough, or the destination buffer can point to an object
of unknown size, then the check call is bypassed.

If the compiler can't make a compile time decision, then it calls
the __*_chk() function, which does a runtime buffer size check.

These options are only enabled if the code is compiled with
-D_FORTIFY_SOURCE=1 or 2, and only when optimizations are enabled.

Please see
* http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
* http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html

for additional details on FORTIFY_SOURCE.

Testing: Compiled the entire Android tree with -D_FORTIFY_SOURCE=1,
and verified that everything appears to be working properly.
Also created a test buffer overflow, and verified that it was
caught by this change.

Change-Id: I4fddb445bafe92b16845b22458d72e6dedd24fbc
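
The mechanism described in the commit message above, as an added example that is not bionic's code: the compiler supplies the destination size through `__builtin_object_size` and a checking function compares it with the bytes to be written. `checked_strcpy`, `FORTIFIED_STRCPY`, `UNKNOWN_SIZE` and `copy_into_small_buffer` are hypothetical names, and the check returns -1 where a fortified libc would abort the process.

```c
/* Added illustration; not bionic's implementation. All names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value __builtin_object_size(p, 0) yields when the object size is unknown. */
#define UNKNOWN_SIZE ((size_t) -1)

/* Runtime half, in the role of a __*_chk function: the caller passes the
 * destination size. Returns 0 after copying, -1 if the copy would overflow
 * (assumption for this example: report instead of aborting). */
static int checked_strcpy(char *dst, const char *src, size_t dst_size) {
    size_t need = strlen(src) + 1;             /* bytes written, including NUL */
    if (dst_size != UNKNOWN_SIZE && need > dst_size) {
        return -1;                             /* overflow detected: refuse */
    }
    memcpy(dst, src, need);                    /* size unknown or large enough */
    return 0;
}

/* Compile-time half: ask the compiler how big dst is and forward that size. */
#define FORTIFIED_STRCPY(dst, src) \
    checked_strcpy((dst), (src), __builtin_object_size((dst), 0))

/* Copies into an 8-byte stack buffer through the macro and returns the
 * result of the check. */
static int copy_into_small_buffer(const char *src) {
    char buf[8];
    return FORTIFIED_STRCPY(buf, src);
}

int main(void) {
    printf("fits:     %d\n", copy_into_small_buffer("1234567"));
    printf("overflow: %d\n", copy_into_small_buffer("12345678"));
    return 0;
}
```
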
a677907ee8ecca034318fdb97902fa73e7392c4f 21-Mar-2012 Nick Kralevich <nnk@google.com> string.h: add __attribute__ ((pure)) to string functions

cdefs.h: Introduce the __purefunc attribute, which allows us to mark
certain functions as being "pure".

http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html

Many functions have no effects except the return value and their
return value depends only on the parameters and/or global variables.
Such a function can be subject to common subexpression elimination
and loop optimization just as an arithmetic operator would be.

string.h: Mark many commonly used string functions as "pure", to
allow for additional compiler optimizations.

Change-Id: I42961f90f822b6dbcbc3fd72cdbe774a7adc8785
1dc9e472e19acfe6dc7f41e429236e7eef7ceda1 04-Mar-2009 The Android Open Source Project <initial-contribution@android.com> auto import from //depot/cupcake/@135843
1767f908af327fa388b1c66883760ad851267013 04-Mar-2009 The Android Open Source Project <initial-contribution@android.com> auto import from //depot/cupcake/@135843
9f65adf2ba3bb15feb8b7a7b3eef788df3fd270e 11-Feb-2009 The Android Open Source Project <initial-contribution@android.com> auto import from //branches/cupcake/...@130745
6d6c82c7a0a6b9a89f61b61c66f9b90d9c7177dc 10-Jan-2009 The Android Open Source Project <initial-contribution@android.com> auto import from //branches/cupcake/...@125939
a27d2baa0c1a2ec70f47ea9199b1dd6762c8a349 21-Oct-2008 The Android Open Source Project <initial-contribution@android.com> Initial Contribution