commit 7cc779f15c524e1622f7d5b1c7e82e6ffc6677fd
author George Burgess IV <gbiv@google.com> Thu Feb 09 00:00:31 2017 -0800
committer George Burgess IV <gbiv@google.com> Thu Feb 09 15:49:32 2017 -0800
tree 0f995c0878649447ef160e727505ae81495dcdde
parent 2bfb8c9180603bac97dca2d8e359f71bb11f7126

libc: add clang FORTIFY support

This patch adds clang-style FORTIFY to Bionic. For more information on
FORTIFY, please see https://goo.gl/8HS2dW . This implementation works
for versions of clang that don't support diagnose_if, so please see the
"without diagnose_if" sections. We plan to swap to a diagnose_if-based
FORTIFY later this year (since it doesn't really add any features; it
just simplifies the implementation a lot, and it gives us much prettier
diagnostics)

Bug: 32073964
Test: Builds on angler, bullhead, marlin, sailfish. Bionic CTS tests
pass on Angler and Bullhead.

Change-Id: I607aecbeee81529709b1eee7bef5b0836151eb2b

tests/fortify_compilation_test.cpp

diff --git a/tests/fortify_compilation_test.cpp b/tests/fortify_compilation_test.cpp
index 1326597..1b02d4e 100644
--- a/tests/fortify_compilation_test.cpp
+++ b/tests/fortify_compilation_test.cpp
@@ -33,7 +33,7 @@
 
   // NOLINTNEXTLINE(whitespace/line_length)
   // GCC: warning: call to int __builtin___sprintf_chk(char*, int, {{(long )?}}unsigned int, const char*, ...) will always overflow destination buffer
-  // clang should emit a warning, but doesn't
+  // CLANG: error: call to unavailable function 'sprintf': format string will always overflow destination buffer
   sprintf(buf, "foobar");  // NOLINT(runtime/printf)
 
   // NOLINTNEXTLINE(whitespace/line_length)
@@ -47,7 +47,7 @@
 
   // NOLINTNEXTLINE(whitespace/line_length)
   // GCC: warning: call to int __builtin___snprintf_chk(char*, {{(long )?}}unsigned int, int, {{(long )?}}unsigned int, const char*, ...) will always overflow destination buffer
-  // clang should emit a warning, but doesn't
+  // CLANG: error: call to unavailable function 'snprintf': format string will always overflow destination buffer
   snprintf(buf, 5, "foobar");  // NOLINT(runtime/printf)
 
   // NOLINTNEXTLINE(whitespace/line_length)
@@ -71,8 +71,8 @@
 
   // NOLINTNEXTLINE(whitespace/line_length)
   // GCC: warning: call to void* __builtin___memcpy_chk(void*, const void*, {{(long )?}}unsigned int, {{(long )?}}unsigned int) will always overflow destination buffer
-  // clang should emit a warning, but doesn't
-  memcpy(buf, "foobar", sizeof("foobar"));
+  // CLANG: error: call to unavailable function 'memcpy': memcpy called with size bigger than buffer
+  memcpy(buf, "foobar", sizeof("foobar") + 100);
 }
 
 void test_memmove() {
@@ -80,7 +80,7 @@
 
   // NOLINTNEXTLINE(whitespace/line_length)
   // GCC: warning: call to void* __builtin___memmove_chk(void*, const void*, {{(long )?}}unsigned int, {{(long )?}}unsigned int) will always overflow destination buffer
-  // clang should emit a warning, but doesn't
+  // CLANG: error: call to unavailable function 'memmove': memmove called with size bigger than buffer
   memmove(buf, "foobar", sizeof("foobar"));
 }
 
@@ -89,7 +89,7 @@
 
   // NOLINTNEXTLINE(whitespace/line_length)
   // GCC: warning: call to void* __builtin___memset_chk(void*, int, {{(long )?}}unsigned int, {{(long )?}}unsigned int) will always overflow destination buffer
-  // clang should emit a warning, but doesn't
+  // CLANG: error: call to unavailable function 'memset': memset called with size bigger than buffer
   memset(buf, 0, 6);
 }
 
@@ -98,7 +98,7 @@
 
   // NOLINTNEXTLINE(whitespace/line_length)
   // GCC: warning: call to {{(char\* __builtin___strcpy_chk\(char\*, const char\*, unsigned int\))|(void\* __builtin___memcpy_chk\(void\*, const void\*, (long )?unsigned int, (long )?unsigned int\))}} will always overflow destination buffer
-  // clang should emit a warning, but doesn't
+  // CLANG: error: call to unavailable function 'strcpy': strcpy called with string bigger than buffer
   strcpy(buf, "foobar");  // NOLINT(runtime/printf)
 }
 
@@ -107,7 +107,7 @@
 
   // NOLINTNEXTLINE(whitespace/line_length)
   // GCC: warning: call to char* __builtin___stpcpy_chk(char*, const char*, {{(long )?}}unsigned int) will always overflow destination buffer
-  // clang should emit a warning, but doesn't
+  // CLANG: error: call to unavailable function 'stpcpy': stpcpy called with string bigger than buffer
   stpcpy(buf, "foobar");
 }
 
@@ -169,12 +169,12 @@
 
   // NOLINTNEXTLINE(whitespace/line_length)
   // GCC: error: call to '__fgets_too_small_error' declared with attribute error: fgets called with size less than zero
-  // clang should emit a warning, but doesn't
+  // CLANG: error: call to unavailable function 'fgets': size is negative
   fgets(buf, -1, stdin);
 
   // NOLINTNEXTLINE(whitespace/line_length)
   // GCC: error: call to '__fgets_too_big_error' declared with attribute error: fgets called with size bigger than buffer
-  // clang should emit a warning, but doesn't
+  // CLANG: error: call to unavailable function 'fgets': size is larger than the destination buffer
   fgets(buf, 6, stdin);
 }
 
@@ -184,14 +184,14 @@
 
   // NOLINTNEXTLINE(whitespace/line_length)
   // GCC: error: call to '__recvfrom_error' declared with attribute error: recvfrom called with size bigger than buffer
-  // clang should emit a warning, but doesn't
+  // CLANG: error: call to unavailable function 'recvfrom': size is larger than the destination buffer
   recvfrom(0, buf, 6, 0, reinterpret_cast<sockaddr*>(&addr), NULL);
 }
 
 void test_umask() {
   // NOLINTNEXTLINE(whitespace/line_length)
   // GCC: error: call to '__umask_invalid_mode' declared with attribute error: umask called with invalid mode
-  // clang should emit a warning, but doesn't
+  // CLANG: error: call to unavailable function 'umask': umask called with invalid mode
   umask(01777);
 }
 
@@ -199,19 +199,19 @@
   char buf[4];
   // NOLINTNEXTLINE(whitespace/line_length)
   // GCC: error: call to '__read_dest_size_error' declared with attribute error: read called with size bigger than destination
-  // clang should emit a warning, but doesn't
+  // CLANG: error: call to unavailable function 'read': 'count' bytes overflows the given object
   read(0, buf, 6);
 }
 
 void test_open() {
   // NOLINTNEXTLINE(whitespace/line_length)
   // GCC: error: call to '__creat_missing_mode' declared with attribute error: called with O_CREAT, but missing mode
-  // clang should emit a warning, but doesn't
+  // CLANG: error: call to unavailable function 'open': called with O_CREAT, but missing mode
   open("/dev/null", O_CREAT);
 
   // NOLINTNEXTLINE(whitespace/line_length)
   // GCC: error: call to '__creat_too_many_args' declared with attribute error: too many arguments
-  // clang should emit a warning, but doesn't
+  // CLANG: error: call to unavailable function 'open': too many arguments
   open("/dev/null", O_CREAT, 0, 0);
 }
 
@@ -219,7 +219,7 @@
   pollfd fds[1];
   // NOLINTNEXTLINE(whitespace/line_length)
   // GCC: error: call to '__poll_too_small_error' declared with attribute error: poll: pollfd array smaller than fd count
-  // clang should emit a warning, but doesn't
+  // CLANG: error: call to unavailable function 'poll': too many fds specified
   poll(fds, 2, 0);
 }
 
@@ -228,7 +228,7 @@
   timespec timeout;
   // NOLINTNEXTLINE(whitespace/line_length)
   // GCC: error: call to '__ppoll_too_small_error' declared with attribute error: ppoll: pollfd array smaller than fd count
-  // clang should emit a warning, but doesn't
+  // CLANG: error: call to unavailable function 'ppoll': too many fds specified
   ppoll(fds, 2, &timeout, NULL);
 }
 
@@ -236,7 +236,7 @@
   char buf[4];
   // NOLINTNEXTLINE(whitespace/line_length)
   // GCC: error: call to '__fread_overflow' declared with attribute error: fread called with overflowing size * count
-  // clang should emit a warning, but doesn't
+  // CLANG: error: call to unavailable function 'fread': size * count overflows
   fread(buf, 2, (size_t)-1, stdin);
 }
 
@@ -244,7 +244,7 @@
   char buf[4];
   // NOLINTNEXTLINE(whitespace/line_length)
   // GCC: error: call to '__fread_too_big_error' declared with attribute error: fread called with size * count bigger than buffer
-  // clang should emit a warning, but doesn't
+  // CLANG: error: call to unavailable function 'fread': size * count is too large
   fread(buf, 1, 5, stdin);
 }
 
@@ -252,7 +252,7 @@
   char buf[4] = {0};
   // NOLINTNEXTLINE(whitespace/line_length)
   // GCC: error: call to '__fwrite_overflow' declared with attribute error: fwrite called with overflowing size * count
-  // clang should emit a warning, but doesn't
+  // CLANG: error: call to unavailable function 'fwrite': size * count overflows
   fwrite(buf, 2, (size_t)-1, stdout);
 }
 
@@ -260,7 +260,7 @@
   char buf[4] = {0};
   // NOLINTNEXTLINE(whitespace/line_length)
   // GCC: error: call to '__fwrite_too_big_error' declared with attribute error: fwrite called with size * count bigger than buffer
-  // clang should emit a warning, but doesn't
+  // CLANG: error: call to unavailable function 'fwrite': size * count is too large
   fwrite(buf, 1, 5, stdout);
 }
 
@@ -268,7 +268,7 @@
   char buf[4];
   // NOLINTNEXTLINE(whitespace/line_length)
   // GCC: error: call to '__getcwd_dest_size_error' declared with attribute error: getcwd called with size bigger than destination
-  // clang should emit a warning, but doesn't
+  // CLANG: error: call to unavailable function 'getcwd': 'size' bytes overflows the given object
   getcwd(buf, 5);
 }
 
@@ -276,15 +276,23 @@
   char buf[4] = {0};
   // NOLINTNEXTLINE(whitespace/line_length)
   // GCC: error: call to '__pwrite64_dest_size_error' declared with attribute error: pwrite64 called with size bigger than destination
-  // clang should emit a warning, but doesn't
+  // CLANG: error: call to unavailable function 'pwrite64': 'count' bytes overflows the given object
   pwrite64(STDOUT_FILENO, buf, 5, 0);
 }
 
-void test_pwrite64_too_big() {
+void test_pwrite64_too_big_malloc() {
   void *buf = calloc(atoi("5"), 1);
   // NOLINTNEXTLINE(whitespace/line_length)
   // GCC: error: call to '__pwrite64_count_toobig_error' declared with attribute error: pwrite64 called with count > SSIZE_MAX
-  // clang should emit a warning, but doesn't
+  // clang should emit a warning, but probably never will.
+  pwrite64(STDOUT_FILENO, buf, SIZE_MAX, 0);
+}
+
+void test_pwrite64_too_big() {
+  char buf[4] = {0};
+  // NOLINTNEXTLINE(whitespace/line_length)
+  // GCC: error: call to '__pwrite64_count_toobig_error' declared with attribute error: pwrite64 called with count > SSIZE_MAX
+  // CLANG: error: call to unavailable function 'pwrite64': count must be <= SSIZE_MAX
   pwrite64(STDOUT_FILENO, buf, SIZE_MAX, 0);
 }
 
@@ -292,6 +300,13 @@
   char buf[4] = {0};
   // NOLINTNEXTLINE(whitespace/line_length)
   // GCC: error: call to '__write_dest_size_error' declared with attribute error: write called with size bigger than destination
-  // clang should emit a warning, but doesn't
+  // CLANG: error: call to unavailable function 'write': 'count' bytes overflows the given object
   write(STDOUT_FILENO, buf, 5);
 }
+
+void test_memset_args_flipped() {
+  char from[4] = {0};
+  // NOLINTNEXTLINE(whitespace/line_length)
+  // CLANG: 'memset' is deprecated: will set 0 bytes; maybe the arguments got flipped? (Add __bionic_zero_size_is_okay as a fourth argument to silence this.)
+  memset(from, sizeof(from), 0);
+}