fortify: add diagnostics for str* functions
This CL allows us to diagnose string functions that get an explicit size
passed into them, and string functions that are trivially misused.
Bug: 131861088
Test: mma
Change-Id: I894aec99420a75c6474cfd7d5010f0cf2f10ab21
diff --git a/libc/include/bits/fortify/string.h b/libc/include/bits/fortify/string.h
index 1e12986..0e205d3 100644
--- a/libc/include/bits/fortify/string.h
+++ b/libc/include/bits/fortify/string.h
@@ -94,12 +94,18 @@
}
__BIONIC_FORTIFY_INLINE
-char* strcat(char* const dst __pass_object_size, const char* src) __overloadable {
+char* strcat(char* const dst __pass_object_size, const char* src)
+ __overloadable
+ __clang_error_if(__bos_unevaluated_le(__bos(dst), __builtin_strlen(src)),
+ "'strcat' called with string bigger than buffer") {
return __builtin___strcat_chk(dst, src, __bos(dst));
}
__BIONIC_FORTIFY_INLINE
-char* strncat(char* const dst __pass_object_size, const char* src, size_t n) __overloadable {
+char* strncat(char* const dst __pass_object_size, const char* src, size_t n)
+ __overloadable
+ __clang_error_if(__bos_unevaluated_lt(__bos(dst), n),
+ "'strncat' called with size bigger than buffer") {
return __builtin___strncat_chk(dst, src, n, __bos(dst));
}
@@ -145,7 +151,9 @@
#if __ANDROID_API__ >= __ANDROID_API_L__
__BIONIC_FORTIFY_INLINE
char* stpncpy(char* const dst __pass_object_size, const char* const src __pass_object_size, size_t n)
- __overloadable {
+ __overloadable
+ __clang_error_if(__bos_unevaluated_lt(__bos(dst), n),
+ "'stpncpy' called with size bigger than buffer") {
size_t bos_dst = __bos(dst);
size_t bos_src = __bos(src);
@@ -159,7 +167,9 @@
__BIONIC_FORTIFY_INLINE
char* strncpy(char* const dst __pass_object_size, const char* const src __pass_object_size, size_t n)
- __overloadable {
+ __overloadable
+ __clang_error_if(__bos_unevaluated_lt(__bos(dst), n),
+ "'strncpy' called with size bigger than buffer") {
size_t bos_dst = __bos(dst);
size_t bos_src = __bos(src);
@@ -174,7 +184,10 @@
#if __ANDROID_API__ >= __ANDROID_API_J_MR1__
__BIONIC_FORTIFY_INLINE
-size_t strlcpy(char* const dst __pass_object_size, const char* src, size_t size) __overloadable {
+size_t strlcpy(char* const dst __pass_object_size, const char* src, size_t size)
+ __overloadable
+ __clang_error_if(__bos_unevaluated_lt(__bos(dst), size),
+ "'strlcpy' called with size bigger than buffer") {
size_t bos = __bos(dst);
if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
@@ -185,7 +198,10 @@
}
__BIONIC_FORTIFY_INLINE
-size_t strlcat(char* const dst __pass_object_size, const char* src, size_t size) __overloadable {
+size_t strlcat(char* const dst __pass_object_size, const char* src, size_t size)
+ __overloadable
+ __clang_error_if(__bos_unevaluated_lt(__bos(dst), size),
+ "'strlcat' called with size bigger than buffer") {
size_t bos = __bos(dst);
if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
diff --git a/tests/Android.bp b/tests/Android.bp
index a55d08b..97712d3 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -286,6 +286,7 @@
"-Wno-builtin-memcpy-chk-size",
"-Wno-format-zero-length",
"-Wno-memset-transposed-args",
+ "-Wno-strlcpy-strlcat-size",
"-Wno-strncat-size",
],
}
diff --git a/tests/clang_fortify_tests.cpp b/tests/clang_fortify_tests.cpp
index 0c09d36..fa0797c 100644
--- a/tests/clang_fortify_tests.cpp
+++ b/tests/clang_fortify_tests.cpp
@@ -177,22 +177,18 @@
EXPECT_FORTIFY_DEATH(strcpy(small_buffer, large_string));
// expected-error@+1{{string bigger than buffer}}
EXPECT_FORTIFY_DEATH(stpcpy(small_buffer, large_string));
-#if 0
- // expected-error@+1{{called with bigger length than the destination}}
-#endif
+ // expected-error@+1{{size bigger than buffer}}
EXPECT_FORTIFY_DEATH(strncpy(small_buffer, large_string, sizeof(large_string)));
-#if 0
- // expected-error@+1{{called with bigger length than the destination}}
-#endif
+ // expected-error@+1{{size bigger than buffer}}
EXPECT_FORTIFY_DEATH(stpncpy(small_buffer, large_string, sizeof(large_string)));
-#if 0
- // expected-error@+1{{destination buffer will always be overflown}}
-#endif
+ // expected-error@+1{{string bigger than buffer}}
EXPECT_FORTIFY_DEATH(strcat(small_buffer, large_string));
-#if 0
- // expected-error@+1{{destination buffer will always be overflown}}
-#endif
+ // expected-error@+1{{size bigger than buffer}}
EXPECT_FORTIFY_DEATH(strncat(small_buffer, large_string, sizeof(large_string)));
+ // expected-error@+1{{size bigger than buffer}}
+ EXPECT_FORTIFY_DEATH(strlcpy(small_buffer, large_string, sizeof(large_string)));
+ // expected-error@+1{{size bigger than buffer}}
+ EXPECT_FORTIFY_DEATH(strlcat(small_buffer, large_string, sizeof(large_string)));
}
{
@@ -224,32 +220,34 @@
EXPECT_FORTIFY_DEATH_STRUCT(stpcpy(split.tiny_buffer, small_string));
#if _FORTIFY_SOURCE > 1
-#if 0
- // expected-error@+2{{called with bigger length than the destination}}
-#endif
+ // expected-error@+2{{size bigger than buffer}}
#endif
EXPECT_FORTIFY_DEATH_STRUCT(strncpy(split.tiny_buffer, small_string, sizeof(small_string)));
#if _FORTIFY_SOURCE > 1
-#if 0
- // expected-error@+2{{called with bigger length than the destination}}
-#endif
+ // expected-error@+2{{size bigger than buffer}}
#endif
EXPECT_FORTIFY_DEATH_STRUCT(stpncpy(split.tiny_buffer, small_string, sizeof(small_string)));
#if _FORTIFY_SOURCE > 1
-#if 0
- // expected-error@+2{{destination buffer will always be overflown}}
-#endif
+ // expected-error@+2{{string bigger than buffer}}
#endif
EXPECT_FORTIFY_DEATH_STRUCT(strcat(split.tiny_buffer, small_string));
#if _FORTIFY_SOURCE > 1
-#if 0
- // expected-error@+2{{destination buffer will always be overflown}}
-#endif
+ // expected-error@+2{{size bigger than buffer}}
#endif
EXPECT_FORTIFY_DEATH_STRUCT(strncat(split.tiny_buffer, small_string, sizeof(small_string)));
+
+#if _FORTIFY_SOURCE > 1
+ // expected-error@+2{{size bigger than buffer}}
+#endif
+ EXPECT_FORTIFY_DEATH_STRUCT(strlcat(split.tiny_buffer, small_string, sizeof(small_string)));
+
+#if _FORTIFY_SOURCE > 1
+ // expected-error@+2{{size bigger than buffer}}
+#endif
+ EXPECT_FORTIFY_DEATH_STRUCT(strlcpy(split.tiny_buffer, small_string, sizeof(small_string)));
}
}