__strcat_chk.S revision 5f45d583b0cfb4f7bed1447e8eed003a529cc69e
1/* 2 * Copyright (C) 2013 The Android Open Source Project 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * * Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * * Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in 12 * the documentation and/or other materials provided with the 13 * distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT 25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29#include <machine/asm.h> 30#include "libc_events.h" 31 32 .syntax unified 33 .fpu neon 34 .thumb 35 .thumb_func 36 37// Get the length of src string, then get the source of the dst string. 38// Check that the two lengths together don't exceed the threshold, then 39// do a memcpy of the data. 40ENTRY(__strcat_chk) 41 .cfi_startproc 42 pld [r0, #0] 43 push {r0, lr} 44 .cfi_def_cfa_offset 8 45 .cfi_rel_offset r0, 0 46 .cfi_rel_offset lr, 4 47 push {r4, r5} 48 .cfi_adjust_cfa_offset 8 49 .cfi_rel_offset r4, 0 50 .cfi_rel_offset r5, 4 51 52 mov lr, r2 53 54 // Save the dst register to r5 55 mov r5, r0 56 57 // Zero out r4 58 eor r4, r4, r4 59 60 // r1 contains the address of the string to count. 61.L_strlen_start: 62 mov r0, r1 63 64 ands r3, r0, #7 65 bne .L_align_src 66 67 .p2align 2 68.L_mainloop: 69 ldmia r1!, {r2, r3} 70 71 pld [r1, #64] 72 73 sub ip, r2, #0x01010101 74 bic ip, ip, r2 75 ands ip, ip, #0x80808080 76 bne .L_zero_in_first_register 77 78 sub ip, r3, #0x01010101 79 bic ip, ip, r3 80 ands ip, ip, #0x80808080 81 bne .L_zero_in_second_register 82 b .L_mainloop 83 84.L_zero_in_first_register: 85 sub r3, r1, r0 86 // Check for zero in byte 0. 87 lsls r2, ip, #17 88 beq .L_check_byte1_reg1 89 90 sub r3, r3, #8 91 b .L_finish 92 93.L_check_byte1_reg1: 94 bcc .L_check_byte2_reg1 95 96 sub r3, r3, #7 97 b .L_finish 98 99.L_check_byte2_reg1: 100 // Check for zero in byte 2. 101 tst ip, #0x800000 102 it ne 103 subne r3, r3, #6 104 bne .L_finish 105 sub r3, r3, #5 106 b .L_finish 107 108.L_zero_in_second_register: 109 sub r3, r1, r0 110 // Check for zero in byte 0. 111 lsls r2, ip, #17 112 beq .L_check_byte1_reg2 113 114 sub r3, r3, #4 115 b .L_finish 116 117.L_check_byte1_reg2: 118 bcc .L_check_byte2_reg2 119 120 sub r3, r3, #3 121 b .L_finish 122 123.L_check_byte2_reg2: 124 // Check for zero in byte 2. 125 tst ip, #0x800000 126 it ne 127 subne r3, r3, #2 128 bne .L_finish 129 sub r3, r3, #1 130 b .L_finish 131 132.L_align_src: 133 // Align to a double word (64 bits). 134 rsb r3, r3, #8 135 lsls ip, r3, #31 136 beq .L_align_to_32 137 138 ldrb r2, [r1], #1 139 cbz r2, .L_done 140 141.L_align_to_32: 142 bcc .L_align_to_64 143 144 ldrb r2, [r1], #1 145 cbz r2, .L_done 146 ldrb r2, [r1], #1 147 cbz r2, .L_done 148 149.L_align_to_64: 150 tst r3, #4 151 beq .L_mainloop 152 ldr r2, [r1], #4 153 154 sub ip, r2, #0x01010101 155 bic ip, ip, r2 156 ands ip, ip, #0x80808080 157 bne .L_zero_in_second_register 158 b .L_mainloop 159 160.L_done: 161 sub r3, r1, r0 162 sub r3, r3, #1 163 164.L_finish: 165 cmp r4, #0 166 bne .L_strlen_done 167 168 // Time to get the dst string length. 169 mov r1, r5 170 171 // Save the original source address to r5. 172 mov r5, r0 173 174 // Save the current length (adding 1 for the terminator). 175 add r4, r3, #1 176 b .L_strlen_start 177 178 // r0 holds the pointer to the dst string. 179 // r3 holds the dst string length. 180 // r4 holds the src string length + 1. 181.L_strlen_done: 182 add r2, r3, r4 183 cmp r2, lr 184 bgt .L_fortify_check_failed 185 186 // Set up the registers for the memcpy code. 187 mov r1, r5 188 pld [r1, #64] 189 mov r2, r4 190 add r0, r0, r3 191 pop {r4, r5} 192 .cfi_adjust_cfa_offset -8 193 .cfi_restore r4 194 .cfi_restore r5 195 196 #include "memcpy_base.S" 197 198.L_fortify_check_failed: 199 .cfi_adjust_cfa_offset 8 200 .cfi_rel_offset r4, 0 201 .cfi_rel_offset r5, 4 202 203 ldr r0, error_message 204 ldr r1, error_code 2051: 206 add r0, pc 207 bl __fortify_chk_fail 208error_code: 209 .word BIONIC_EVENT_STRCAT_BUFFER_OVERFLOW 210error_message: 211 .word error_string-(1b+4) 212 213 .cfi_endproc 214END(__strcat_chk) 215 216 .data 217error_string: 218 .string "strcat buffer overflow" 219