__strcat_chk.S revision 5f45d583b0cfb4f7bed1447e8eed003a529cc69e 
1/*
2 * Copyright (C) 2013 The Android Open Source Project
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *  * Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer.
10 *  * Redistributions in binary form must reproduce the above copyright
11 *    notice, this list of conditions and the following disclaimer in
12 *    the documentation and/or other materials provided with the
13 *    distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29#include <machine/asm.h>
30#include "libc_events.h"
31
32    .syntax unified
33    .fpu    neon
34    .thumb
35    .thumb_func
36
37// Get the length of src string, then get the source of the dst string.
38// Check that the two lengths together don't exceed the threshold, then
39// do a memcpy of the data.
40ENTRY(__strcat_chk)
41    .cfi_startproc
42    pld     [r0, #0]
43    push    {r0, lr}
44    .cfi_def_cfa_offset 8
45    .cfi_rel_offset r0, 0
46    .cfi_rel_offset lr, 4
47    push    {r4, r5}
48    .cfi_adjust_cfa_offset 8
49    .cfi_rel_offset r4, 0
50    .cfi_rel_offset r5, 4
51
52    mov     lr, r2
53
54    // Save the dst register to r5
55    mov     r5, r0
56
57    // Zero out r4
58    eor     r4, r4, r4
59
60    // r1 contains the address of the string to count.
61.L_strlen_start:
62    mov     r0, r1
63
64    ands    r3, r0, #7
65    bne     .L_align_src
66
67    .p2align 2
68.L_mainloop:
69    ldmia   r1!, {r2, r3}
70
71    pld     [r1, #64]
72
73    sub     ip, r2, #0x01010101
74    bic     ip, ip, r2
75    ands    ip, ip, #0x80808080
76    bne     .L_zero_in_first_register
77
78    sub     ip, r3, #0x01010101
79    bic     ip, ip, r3
80    ands    ip, ip, #0x80808080
81    bne     .L_zero_in_second_register
82    b       .L_mainloop
83
84.L_zero_in_first_register:
85    sub     r3, r1, r0
86    // Check for zero in byte 0.
87    lsls    r2, ip, #17
88    beq     .L_check_byte1_reg1
89
90    sub     r3, r3, #8
91    b       .L_finish
92
93.L_check_byte1_reg1:
94    bcc     .L_check_byte2_reg1
95
96    sub     r3, r3, #7
97    b       .L_finish
98
99.L_check_byte2_reg1:
100    // Check for zero in byte 2.
101    tst     ip, #0x800000
102    it      ne
103    subne   r3, r3, #6
104    bne     .L_finish
105    sub     r3, r3, #5
106    b       .L_finish
107
108.L_zero_in_second_register:
109    sub     r3, r1, r0
110    // Check for zero in byte 0.
111    lsls    r2, ip, #17
112    beq     .L_check_byte1_reg2
113
114    sub     r3, r3, #4
115    b       .L_finish
116
117.L_check_byte1_reg2:
118    bcc     .L_check_byte2_reg2
119
120    sub     r3, r3, #3
121    b       .L_finish
122
123.L_check_byte2_reg2:
124    // Check for zero in byte 2.
125    tst     ip, #0x800000
126    it      ne
127    subne   r3, r3, #2
128    bne     .L_finish
129    sub     r3, r3, #1
130    b       .L_finish
131
132.L_align_src:
133    // Align to a double word (64 bits).
134    rsb     r3, r3, #8
135    lsls    ip, r3, #31
136    beq     .L_align_to_32
137
138    ldrb    r2, [r1], #1
139    cbz     r2, .L_done
140
141.L_align_to_32:
142    bcc     .L_align_to_64
143
144    ldrb    r2, [r1], #1
145    cbz     r2, .L_done
146    ldrb    r2, [r1], #1
147    cbz     r2, .L_done
148
149.L_align_to_64:
150    tst     r3, #4
151    beq     .L_mainloop
152    ldr     r2, [r1], #4
153
154    sub     ip, r2, #0x01010101
155    bic     ip, ip, r2
156    ands    ip, ip, #0x80808080
157    bne     .L_zero_in_second_register
158    b       .L_mainloop
159
160.L_done:
161    sub     r3, r1, r0
162    sub     r3, r3, #1
163
164.L_finish:
165    cmp     r4, #0
166    bne     .L_strlen_done
167
168    // Time to get the dst string length.
169    mov     r1, r5
170
171    // Save the original source address to r5.
172    mov     r5, r0
173
174    // Save the current length (adding 1 for the terminator).
175    add     r4, r3, #1
176    b       .L_strlen_start
177
178    // r0 holds the pointer to the dst string.
179    // r3 holds the dst string length.
180    // r4 holds the src string length + 1.
181.L_strlen_done:
182    add     r2, r3, r4
183    cmp     r2, lr
184    bgt     .L_fortify_check_failed
185
186    // Set up the registers for the memcpy code.
187    mov     r1, r5
188    pld     [r1, #64]
189    mov     r2, r4
190    add     r0, r0, r3
191    pop     {r4, r5}
192    .cfi_adjust_cfa_offset -8
193    .cfi_restore r4
194    .cfi_restore r5
195
196    #include "memcpy_base.S"
197
198.L_fortify_check_failed:
199    .cfi_adjust_cfa_offset 8
200    .cfi_rel_offset r4, 0
201    .cfi_rel_offset r5, 4
202
203    ldr     r0, error_message
204    ldr     r1, error_code
2051:
206    add     r0, pc
207    bl      __fortify_chk_fail
208error_code:
209    .word   BIONIC_EVENT_STRCAT_BUFFER_OVERFLOW
210error_message:
211    .word   error_string-(1b+4)
212
213    .cfi_endproc
214END(__strcat_chk)
215
216    .data
217error_string:
218    .string "strcat buffer overflow"
219