829c089f83ddee37203b52bcb294867a9ae7bdbc |
|
29-Aug-2012 |
Nick Kralevich <nnk@google.com> |
disable _FORTIFY_SOURCE under clang

Clang and _FORTIFY_SOURCE are just plain incompatible with each other. First of all, clang doesn't understand the __attribute__((gnu_inline)) header. Second of all, Clang doesn't have support for __builtin_va_arg_pack() and __builtin_va_arg_pack_len() (see http://clang.llvm.org/docs/UsersManual.html#c_unimpl_gcc)

Until we can resolve these issues, don't even try using _FORTIFY_SOURCE under clang.

Change-Id: I81c2b8073bb3276fa9a4a6b93c427b641038356a
|
f4497e15b78383b06d59ce244255fc7625beaec5 |
|
06-Aug-2012 |
Shih-wei Liao <sliao@google.com> |
When compiling with clang, don't "fortify_source" the strlcpy and strlcat.

Change-Id: I91f58322f28e425ab9d22b51c23fcd6b772ede97
|
a72246d67e309de62c26aca970fff65dfb86eb7c |
|
06-Aug-2012 |
Shih-wei Liao <sliao@google.com> |
When compiling with clang, don't "fortify_source" the strlen.

At this point, FORTIFY_SOURCE and clang are just plain incompatible. Need to solve the underlying incompatibility first.

Change-Id: I3366477d19461e1ec93b1c30e0c7e8145b391b9b
|
d600617645e85435cf98fc30139a6945aaadc1ca |
|
06-Aug-2012 |
Shih-wei Liao <sliao@google.com> |
When compiling with clang, don't "fortify_source" the strlcpy and strlcat.

Change-Id: I91f58322f28e425ab9d22b51c23fcd6b772ede97
|
9a3d53fad062cdadb4df81f6998a5e09336c637b |
|
06-Aug-2012 |
Shih-wei Liao <sliao@google.com> |
When compiling with clang, don't "fortify_source" the strlen.

At this point, FORTIFY_SOURCE and clang are just plain incompatible. Need to solve the underlying incompatibility first.

Change-Id: I3366477d19461e1ec93b1c30e0c7e8145b391b9b
|
c37fc1ab6a3ac3956a8c9ba3ac089d41969815ed |
|
14-Jul-2012 |
Nick Kralevich <nnk@google.com> |
FORTIFY_SOURCE: revert memcpy changes.

Performance regressions. Hopefully this is a temporary rollback.

Bug: 6821003
Change-Id: I84abbb89e1739d506b583f2f1668f31534127764
|
9b6cc223a36835c4367a036d4cfeff14d25bc742 |
|
13-Jul-2012 |
Nick Kralevich <nnk@google.com> |
FORTIFY_SOURCE: introduce __BIONIC_FORTIFY_UNKNOWN_SIZE macro

Replace all occurrences of "(size_t) -1" with a __BIONIC_FORTIFY_UNKNOWN_SIZE macro.

Change-Id: I0b188f6cf31417d2dbef0e1bd759de3f9782873a
|
260bf8cfe00f83bc579dfe81c78b75bd9973f051 |
|
13-Jul-2012 |
Nick Kralevich <nnk@google.com> |
FORTIFY_SOURCE: strlen check.

This test is designed to detect code such as:

    #include <stdio.h>
    #include <string.h>

    int main() {
        char buf[10];
        memcpy(buf, "1234567890", sizeof(buf));
        size_t len = strlen(buf); // segfault here with _FORTIFY_SOURCE
        printf("%zu\n", len);
        return 0;
    }

or anytime strlen reads beyond an object boundary. This should help address memory leakage vulnerabilities and make other unrelated vulnerabilities harder to exploit.

Change-Id: I354b425be7bef4713c85f6bab0e9738445e00182
|
f3913b5b68347ce9a4cb17977df2c33f1e8f6000 |
|
13-Jul-2012 |
Nick Kralevich <nnk@google.com> |
FORTIFY_SOURCE: enhanced memcpy protections.

Two changes:

1) Detect memory read overruns.

For example:

    #include <stdio.h>
    #include <string.h>

    int main() {
        char buf[10];
        memcpy(buf, "abcde", sizeof(buf));
        printf("%s\n", buf);
    }

because "abcde" is only 6 bytes, copying 10 bytes from it is a bug. This particular bug will be detected at compile time. Other similar bugs may be detected at runtime.

2) Detect overlapping buffers on memcpy()

It is a bug to call memcpy() on buffers which overlap. For example, the following code is buggy:

    char buf3[0x800];
    char *first_half = &buf3[0x400];
    char *second_half = &buf3[1];
    memset(buf3, 0, sizeof(buf3));
    memcpy(first_half, second_half, 0x400);
    printf("1: %s\n", buf3);

We now detect this at compile and run time.

Change-Id: I092bd89f11f18e08e8a9dda0ca903aaea8e06d91
|
cb228fb4a91bdccfd974b8a4f45e2b6002e90728 |
|
27-Jun-2012 |
Nick Kralevich <nnk@google.com> |
libc: cleanups

Prefix private functions with underscores, to prevent name conflicts.

Use __error__ instead of error, since occasionally programs will create their own "#define error ...".

Change-Id: I7bb171df58aec5627e61896032a140db547fd95d
|
8df49ad2467ec2d48f94a925162185c34bf6e68b |
|
14-Jun-2012 |
Nick Kralevich <nnk@google.com> |
FORTIFY_SOURCE: add strlcpy / strlcat support

Add strlcpy / strlcat support to FORTIFY_SOURCE. This allows us to do consistency checks to ensure we don't overflow buffers when the compiler is able to tell us the size of the buffer we're dealing with.

Unlike previous changes, this change DOES NOT use the compiler's builtin support. Instead, we do everything the compiler would normally do.

Change-Id: I47c099a911382452eafd711f8e9bfe7c2d0a0d22
|
71a18dd435e96564539b5af71b8ea5093a2109a1 |
|
07-Jun-2012 |
Nick Kralevich <nnk@google.com> |
_FORTIFY_SOURCE: add memset / bzero support

Add _FORTIFY_SOURCE support for the following functions:

* memset
* bzero

Move the __BIONIC_FORTIFY_INLINE definition to cdefs.h so it can be used from multiple header files.

Change-Id: Iead4d5e35de6ec97786d58ee12573f9b11135bb7
|
0a2301598c207fd1b50015984942fee5e8511593 |
|
05-Jun-2012 |
Nick Kralevich <nnk@google.com> |
libc: implement some FORTIFY_SOURCE functions

Add initial support for -D_FORTIFY_SOURCE to bionic for the following functions:

* memcpy
* memmove
* strcpy
* strcat
* strncpy
* strncat

This change adds a new version of the above functions which passes the size of the destination buffer to __builtin___*_chk.

If the compiler can determine, at compile time, that the destination buffer is large enough, or the destination buffer can point to an object of unknown size, then the check call is bypassed.

If the compiler can't make a compile time decision, then it calls the __*_chk() function, which does a runtime buffer size check.

These options are only enabled if the code is compiled with -D_FORTIFY_SOURCE=1 or 2, and only when optimizations are enabled.

Please see

* http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
* http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html

for additional details on FORTIFY_SOURCE.

Testing: Compiled the entire Android tree with -D_FORTIFY_SOURCE=1, and verified that everything appears to be working properly. Also created a test buffer overflow, and verified that it was caught by this change.

Change-Id: I4fddb445bafe92b16845b22458d72e6dedd24fbc
|
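The size-aware checks these commit messages describe (the runtime `__*_chk()` path, the strlen overrun check and the unknown-size sentinel), as an added C example that is not bionic's code. `strlen_checked`, `memcpy_checked`, `UNKNOWN_SIZE` and `STRLEN_FORTIFIED` are hypothetical names, and the checks return -1 here where a fortified libc would abort the process.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for __BIONIC_FORTIFY_UNKNOWN_SIZE: size not known. */
#define UNKNOWN_SIZE ((size_t) -1)

/* Runtime check in the role of a __*_chk() function (hypothetical name).
 * Stores the length and returns 0, or returns -1 when no NUL lies inside
 * the s_size-byte object, i.e. when strlen() would read past its end. */
static int strlen_checked(const char *s, size_t s_size, size_t *len_out)
{
    if (s_size == UNKNOWN_SIZE) {       /* nothing to check against */
        *len_out = strlen(s);
        return 0;
    }
    const char *nul = memchr(s, '\0', s_size);  /* bounded by s_size */
    if (nul == NULL)
        return -1;
    *len_out = (size_t)(nul - s);
    return 0;
}

/* Same idea for a copy: refuse to write more than the destination holds. */
static int memcpy_checked(void *dst, size_t dst_size, const void *src, size_t n)
{
    if (dst_size != UNKNOWN_SIZE && n > dst_size)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Call-site half: let the compiler supply the object size when it knows it. */
#define STRLEN_FORTIFIED(s, out) \
    strlen_checked((s), __builtin_object_size((s), 0), (out))

int main(void)
{
    char full[10], ok[10] = "abc", small[4];
    size_t len = 0;
    memcpy(full, "1234567890", sizeof(full));   /* constructed: no NUL fits */
    printf("unterminated: %d\n", strlen_checked(full, sizeof(full), &len));
    printf("terminated:   %d\n", STRLEN_FORTIFIED(ok, &len));
    printf("oversize copy: %d\n", memcpy_checked(small, sizeof(small), full, 10));
    return 0;
}
```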
a677907ee8ecca034318fdb97902fa73e7392c4f |
|
21-Mar-2012 |
Nick Kralevich <nnk@google.com> |
string.h: add __attribute__ ((pure)) to string functions

cdefs.h: Introduce the __purefunc attribute, which allows us to mark certain functions as being "pure".

http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html

Many functions have no effects except the return value and their return value depends only on the parameters and/or global variables. Such a function can be subject to common subexpression elimination and loop optimization just as an arithmetic operator would be.

string.h: Mark many commonly used string functions as "pure", to allow for additional compiler optimizations.

Change-Id: I42961f90f822b6dbcbc3fd72cdbe774a7adc8785
|
1dc9e472e19acfe6dc7f41e429236e7eef7ceda1 |
|
04-Mar-2009 |
The Android Open Source Project <initial-contribution@android.com> |
auto import from //depot/cupcake/@135843
|
1767f908af327fa388b1c66883760ad851267013 |
|
04-Mar-2009 |
The Android Open Source Project <initial-contribution@android.com> |
auto import from //depot/cupcake/@135843
|
9f65adf2ba3bb15feb8b7a7b3eef788df3fd270e |
|
11-Feb-2009 |
The Android Open Source Project <initial-contribution@android.com> |
auto import from //branches/cupcake/...@130745
|
6d6c82c7a0a6b9a89f61b61c66f9b90d9c7177dc |
|
10-Jan-2009 |
The Android Open Source Project <initial-contribution@android.com> |
auto import from //branches/cupcake/...@125939
|
a27d2baa0c1a2ec70f47ea9199b1dd6762c8a349 |
|
21-Oct-2008 |
The Android Open Source Project <initial-contribution@android.com> |
Initial Contribution
|