1/*
2 * Copyright (C) 2013 The Android Open Source Project
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *  * Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer.
10 *  * Redistributions in binary form must reproduce the above copyright
11 *    notice, this list of conditions and the following disclaimer in
12 *    the documentation and/or other materials provided with the
13 *    distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29#include <private/bionic_asm.h>
30#include <private/libc_events.h>
31
32    .syntax unified
33
34    .thumb
35    .thumb_func
36
37// Get the length of src string, then get the source of the dst string.
38// Check that the two lengths together don't exceed the threshold, then
39// do a memcpy of the data.
40ENTRY(__strcat_chk)
41    pld     [r0, #0]
42    push    {r0, lr}
43    .cfi_def_cfa_offset 8
44    .cfi_rel_offset r0, 0
45    .cfi_rel_offset lr, 4
46    push    {r4, r5}
47    .cfi_adjust_cfa_offset 8
48    .cfi_rel_offset r4, 0
49    .cfi_rel_offset r5, 4
50
51    mov     lr, r2
52
53    // Save the dst register to r5
54    mov     r5, r0
55
56    // Zero out r4
57    eor     r4, r4, r4
58
59    // r1 contains the address of the string to count.
60.L_strlen_start:
61    mov     r0, r1
62    ands    r3, r1, #7
63    beq     .L_mainloop
64
65    // Align to a double word (64 bits).
66    rsb     r3, r3, #8
67    lsls    ip, r3, #31
68    beq     .L_align_to_32
69
70    ldrb    r2, [r1], #1
71    cbz     r2, .L_update_count_and_finish
72
73.L_align_to_32:
74    bcc     .L_align_to_64
75    ands    ip, r3, #2
76    beq     .L_align_to_64
77
78    ldrb    r2, [r1], #1
79    cbz     r2, .L_update_count_and_finish
80    ldrb    r2, [r1], #1
81    cbz     r2, .L_update_count_and_finish
82
83.L_align_to_64:
84    tst     r3, #4
85    beq     .L_mainloop
86    ldr     r3, [r1], #4
87
88    sub     ip, r3, #0x01010101
89    bic     ip, ip, r3
90    ands    ip, ip, #0x80808080
91    bne     .L_zero_in_second_register
92
93    .p2align 2
94.L_mainloop:
95    ldrd    r2, r3, [r1], #8
96
97    pld     [r1, #64]
98
99    sub     ip, r2, #0x01010101
100    bic     ip, ip, r2
101    ands    ip, ip, #0x80808080
102    bne     .L_zero_in_first_register
103
104    sub     ip, r3, #0x01010101
105    bic     ip, ip, r3
106    ands    ip, ip, #0x80808080
107    bne     .L_zero_in_second_register
108    b       .L_mainloop
109
110.L_update_count_and_finish:
111    sub     r3, r1, r0
112    sub     r3, r3, #1
113    b       .L_finish
114
115.L_zero_in_first_register:
116    sub     r3, r1, r0
117    lsls    r2, ip, #17
118    bne     .L_sub8_and_finish
119    bcs     .L_sub7_and_finish
120    lsls    ip, ip, #1
121    bne     .L_sub6_and_finish
122
123    sub     r3, r3, #5
124    b       .L_finish
125
126.L_sub8_and_finish:
127    sub     r3, r3, #8
128    b       .L_finish
129
130.L_sub7_and_finish:
131    sub     r3, r3, #7
132    b       .L_finish
133
134.L_sub6_and_finish:
135    sub     r3, r3, #6
136    b       .L_finish
137
138.L_zero_in_second_register:
139    sub     r3, r1, r0
140    lsls    r2, ip, #17
141    bne     .L_sub4_and_finish
142    bcs     .L_sub3_and_finish
143    lsls    ip, ip, #1
144    bne     .L_sub2_and_finish
145
146    sub     r3, r3, #1
147    b       .L_finish
148
149.L_sub4_and_finish:
150    sub     r3, r3, #4
151    b       .L_finish
152
153.L_sub3_and_finish:
154    sub     r3, r3, #3
155    b       .L_finish
156
157.L_sub2_and_finish:
158    sub     r3, r3, #2
159
160.L_finish:
161    cmp     r4, #0
162    bne     .L_strlen_done
163
164    // Time to get the dst string length.
165    mov     r1, r5
166
167    // Save the original source address to r5.
168    mov     r5, r0
169
170    // Save the current length (adding 1 for the terminator).
171    add     r4, r3, #1
172    b       .L_strlen_start
173
174    // r0 holds the pointer to the dst string.
175    // r3 holds the dst string length.
176    // r4 holds the src string length + 1.
177.L_strlen_done:
178    add     r2, r3, r4
179    cmp     r2, lr
180    bhi     __strcat_chk_failed
181
182    // Set up the registers for the memcpy code.
183    mov     r1, r5
184    pld     [r1, #64]
185    mov     r2, r4
186    add     r0, r0, r3
187    pop     {r4, r5}
188END(__strcat_chk)
189
190#define MEMCPY_BASE         __strcat_chk_memcpy_base
191#define MEMCPY_BASE_ALIGNED __strcat_chk_memcpy_base_aligned
192
193#include "memcpy_base.S"
194
195ENTRY_PRIVATE(__strcat_chk_failed)
196    .cfi_def_cfa_offset 8
197    .cfi_rel_offset r0, 0
198    .cfi_rel_offset lr, 4
199    .cfi_adjust_cfa_offset 8
200    .cfi_rel_offset r4, 0
201    .cfi_rel_offset r5, 4
202
203    ldr     r0, error_message
204    ldr     r1, error_code
2051:
206    add     r0, pc
207    bl      __fortify_chk_fail
208error_code:
209    .word   BIONIC_EVENT_STRCAT_BUFFER_OVERFLOW
210error_message:
211    .word   error_string-(1b+4)
212END(__strcat_chk_failed)
213
214    .data
215error_string:
216    .string "strcat: prevented write past end of buffer"
217