| 829c089f83ddee37203b52bcb294867a9ae7bdbc |
|
29-Aug-2012 |
Nick Kralevich <nnk@google.com> |
disable _FORTIFY_SOURCE under clang
Clang and _FORTIFY_SOURCE are just plain incompatible with
each other. First of all, clang doesn't understand the
__attribute__((gnu_inline)) header. Second of all,
Clang doesn't have support for __builtin_va_arg_pack()
and __builtin_va_arg_pack_len() (see
http://clang.llvm.org/docs/UsersManual.html#c_unimpl_gcc)
Until we can resolve these issues, don't even try using
_FORTIFY_SOURCE under clang.
Change-Id: I81c2b8073bb3276fa9a4a6b93c427b641038356a
|
| f4497e15b78383b06d59ce244255fc7625beaec5 |
|
06-Aug-2012 |
Shih-wei Liao <sliao@google.com> |
When compiling with clang, don't "fortify_source" the strlcpy and
strlcat.
Change-Id: I91f58322f28e425ab9d22b51c23fcd6b772ede97
|
| a72246d67e309de62c26aca970fff65dfb86eb7c |
|
06-Aug-2012 |
Shih-wei Liao <sliao@google.com> |
When compiling with clang, don't "fortify_source" the strlen.
At this point, FORTIFY_SOURCE and clang are just plain incompatible.
Need to solve the underlying incompatibility first.
Change-Id: I3366477d19461e1ec93b1c30e0c7e8145b391b9b
|
| d600617645e85435cf98fc30139a6945aaadc1ca |
|
06-Aug-2012 |
Shih-wei Liao <sliao@google.com> |
When compiling with clang, don't "fortify_source" the strlcpy and
strlcat.
Change-Id: I91f58322f28e425ab9d22b51c23fcd6b772ede97
|
| 9a3d53fad062cdadb4df81f6998a5e09336c637b |
|
06-Aug-2012 |
Shih-wei Liao <sliao@google.com> |
When compiling with clang, don't "fortify_source" the strlen.
At this point, FORTIFY_SOURCE and clang are just plain incompatible.
Need to solve the underlying incompatibility first.
Change-Id: I3366477d19461e1ec93b1c30e0c7e8145b391b9b
|
| c37fc1ab6a3ac3956a8c9ba3ac089d41969815ed |
|
14-Jul-2012 |
Nick Kralevich <nnk@google.com> |
FORTIFY_SOURCE: revert memcpy changes.
Performance regressions. Hopefully this is a temporary
rollback.
Bug: 6821003
Change-Id: I84abbb89e1739d506b583f2f1668f31534127764
|
| 9b6cc223a36835c4367a036d4cfeff14d25bc742 |
|
13-Jul-2012 |
Nick Kralevich <nnk@google.com> |
FORTIFY_SOURCE: introduce __BIONIC_FORTIFY_UNKNOWN_SIZE macro
Replace all occurances of "(size_t) -1" with a
__BIONIC_FORTIFY_UNKNOWN_SIZE macro.
Change-Id: I0b188f6cf31417d2dbef0e1bd759de3f9782873a
|
| 260bf8cfe00f83bc579dfe81c78b75bd9973f051 |
|
13-Jul-2012 |
Nick Kralevich <nnk@google.com> |
FORTIFY_SOURCE: strlen check.
This test is designed to detect code such as:
int main() {
char buf[10];
memcpy(buf, "1234567890", sizeof(buf));
size_t len = strlen(buf); // segfault here with _FORTIFY_SOURCE
printf("%d\n", len);
return 0;
}
or anytime strlen reads beyond an object boundary. This should
help address memory leakage vulnerabilities and make other
unrelated vulnerabilities harder to exploit.
Change-Id: I354b425be7bef4713c85f6bab0e9738445e00182
|
| f3913b5b68347ce9a4cb17977df2c33f1e8f6000 |
|
13-Jul-2012 |
Nick Kralevich <nnk@google.com> |
FORTIFY_SOURCE: enhanced memcpy protections.
Two changes:
1) Detect memory read overruns.
For example:
int main() {
char buf[10];
memcpy(buf, "abcde", sizeof(buf));
sprintf("%s\n", buf);
}
because "abcde" is only 6 bytes, copying 10 bytes from it is a bug.
This particular bug will be detected at compile time. Other similar
bugs may be detected at runtime.
2) Detect overlapping buffers on memcpy()
It is a bug to call memcpy() on buffers which overlap. For
example, the following code is buggy:
char buf3[0x800];
char *first_half = &buf3[0x400];
char *second_half = &buf3[1];
memset(buf3, 0, sizeof(buf3));
memcpy(first_half, second_half, 0x400);
printf("1: %s\n", buf3);
We now detect this at compile and run time.
Change-Id: I092bd89f11f18e08e8a9dda0ca903aaea8e06d91
|
| cb228fb4a91bdccfd974b8a4f45e2b6002e90728 |
|
27-Jun-2012 |
Nick Kralevich <nnk@google.com> |
libc: cleanups
Prefix private functions with underscores, to prevent name
conflicts.
Use __error__ instead of error, since occasionally programs will
create their own "#define error ...".
Change-Id: I7bb171df58aec5627e61896032a140db547fd95d
|
| 8df49ad2467ec2d48f94a925162185c34bf6e68b |
|
14-Jun-2012 |
Nick Kralevich <nnk@google.com> |
FORTIFY_SOURCE: add strlcpy / strlcat support
Add strlcpy / strlcat support to FORTIFY_SOURCE. This allows
us to do consistency checks on to ensure we don't overflow buffers
when the compiler is able to tell us the size of the buffer we're
dealing with.
Unlike previous changes, this change DOES NOT use the compiler's
builtin support. Instead, we do everything the compiler would
normally do.
Change-Id: I47c099a911382452eafd711f8e9bfe7c2d0a0d22
|
| 71a18dd435e96564539b5af71b8ea5093a2109a1 |
|
07-Jun-2012 |
Nick Kralevich <nnk@google.com> |
_FORTIFY_SOURCE: add memset / bzero support
Add _FORTIFY_SOURCE support for the following functions:
* memset
* bzero
Move the __BIONIC_FORTIFY_INLINE definition to cdefs.h so it
can be used from multiple header files.
Change-Id: Iead4d5e35de6ec97786d58ee12573f9b11135bb7
|
| 0a2301598c207fd1b50015984942fee5e8511593 |
|
05-Jun-2012 |
Nick Kralevich <nnk@google.com> |
libc: implement some FORTIFY_SOURCE functions
Add initial support for -D_FORTIFY_SOURCE to bionic for the
following functions:
* memcpy
* memmove
* strcpy
* strcat
* strncpy
* strncat
This change adds a new version of the above functions which passes
the size of the destination buffer to __builtin___*_chk.
If the compiler can determine, at compile time, that the destination
buffer is large enough, or the destination buffer can point to an object
of unknown size, then the check call is bypassed.
If the compiler can't make a compile time decision, then it calls
the __*_chk() function, which does a runtime buffer size check
These options are only enabled if the code is compiled with
-D_FORTIFY_SOURCE=1 or 2, and only when optimizations are enabled.
Please see
* http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
* http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
for additional details on FORTIFY_SOURCE.
Testing: Compiled the entire Android tree with -D_FORTIFY_SOURCE=1,
and verified that everything appears to be working properly.
Also created a test buffer overflow, and verified that it was
caught by this change.
Change-Id: I4fddb445bafe92b16845b22458d72e6dedd24fbc
|
| a677907ee8ecca034318fdb97902fa73e7392c4f |
|
21-Mar-2012 |
Nick Kralevich <nnk@google.com> |
string.h: add __attribute__ ((pure)) to string functions
cdefs.h: Introduce the __purefunc attribute, which allows us to mark
certain functions as being "pure".
http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html
Many functions have no effects except the return value and their
return value depends only on the parameters and/or global variables.
Such a function can be subject to common subexpression elimination
and loop optimization just as an arithmetic operator would be.
string.h: Mark many commently used string functions as "pure", to
allow for additional compiler optimizations.
Change-Id: I42961f90f822b6dbcbc3fd72cdbe774a7adc8785
|
| 1dc9e472e19acfe6dc7f41e429236e7eef7ceda1 |
|
04-Mar-2009 |
The Android Open Source Project <initial-contribution@android.com> |
auto import from //depot/cupcake/@135843
|
| 1767f908af327fa388b1c66883760ad851267013 |
|
04-Mar-2009 |
The Android Open Source Project <initial-contribution@android.com> |
auto import from //depot/cupcake/@135843
|
| 9f65adf2ba3bb15feb8b7a7b3eef788df3fd270e |
|
11-Feb-2009 |
The Android Open Source Project <initial-contribution@android.com> |
auto import from //branches/cupcake/...@130745
|
| 6d6c82c7a0a6b9a89f61b61c66f9b90d9c7177dc |
|
10-Jan-2009 |
The Android Open Source Project <initial-contribution@android.com> |
auto import from //branches/cupcake/...@125939
|
| a27d2baa0c1a2ec70f47ea9199b1dd6762c8a349 |
|
21-Oct-2008 |
The Android Open Source Project <initial-contribution@android.com> |
Initial Contribution
|