Improve FORTIFY failure diagnostics.
Our FORTIFY _chk functions' implementations were very repetitive and verbose
but not very helpful. We'd also screwed up and put the SSIZE_MAX checks where
they would never fire unless you actually had a buffer as large as half your
address space, which probably doesn't happen very often.
Factor out the duplication and take the opportunity to actually show details
like how big the overrun buffer was, or by how much it was overrun.
Also remove the obsolete FORTIFY event logging.
Also remove the unused __libc_fatal_no_abort.
This change doesn't improve the diagnostics from the optimized assembler
implementations.
Change-Id: I176a90701395404d50975b547a00bd2c654e1252
diff --git a/libc/private/bionic_fortify.h b/libc/private/bionic_fortify.h
new file mode 100644
index 0000000..df810ca
--- /dev/null
+++ b/libc/private/bionic_fortify.h
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "private/libc_logging.h"
+
+#include <poll.h> // For struct pollfd.
+#include <sys/select.h> // For struct fd_set.
+
+//
+// Common helpers.
+//
+
+static inline void __check_fd_set(const char* fn, int fd, size_t set_size) {
+ if (__predict_false(fd < 0)) {
+ __fortify_fatal("%s: file descriptor %d < 0", fn, fd);
+ }
+ if (__predict_false(fd >= FD_SETSIZE)) {
+ __fortify_fatal("%s: file descriptor %d >= FD_SETSIZE %zu", fn, fd, set_size);
+ }
+ if (__predict_false(set_size < sizeof(fd_set))) {
+ __fortify_fatal("%s: set size %zu is too small to be an fd_set", fn, set_size);
+ }
+}
+
+static inline void __check_pollfd_array(const char* fn, size_t fds_size, nfds_t fd_count) {
+ size_t pollfd_array_length = fds_size / sizeof(pollfd);
+ if (__predict_false(pollfd_array_length < fd_count)) {
+ __fortify_fatal("%s: %zu-element pollfd array too small for %u fds",
+ fn, pollfd_array_length, fd_count);
+ }
+}
+
+static inline void __check_count(const char* fn, const char* identifier, size_t value) {
+ if (__predict_false(value > SSIZE_MAX)) {
+ __fortify_fatal("%s: %s %zu > SSIZE_MAX", fn, identifier, value);
+ }
+}
+
+static inline void __check_buffer_access(const char* fn, const char* action,
+ size_t claim, size_t actual) {
+ if (__predict_false(claim > actual)) {
+ __fortify_fatal("%s: prevented %zu-byte %s %zu-byte buffer", fn, claim, action, actual);
+ }
+}
diff --git a/libc/private/libc_events.h b/libc/private/libc_events.h
deleted file mode 100644
index f2b973d..0000000
--- a/libc/private/libc_events.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2013 The Android Open Source Project
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
- * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
- * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
- * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
- * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
- * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _LIBC_EVENTS_H
-#define _LIBC_EVENTS_H
-
-
-// This is going to be included in assembler code so only allow #define
-// values instead of defining an enum.
-
-#define BIONIC_EVENT_MEMCPY_BUFFER_OVERFLOW 80100
-#define BIONIC_EVENT_STRCAT_BUFFER_OVERFLOW 80105
-#define BIONIC_EVENT_MEMMOVE_BUFFER_OVERFLOW 80110
-#define BIONIC_EVENT_STRNCAT_BUFFER_OVERFLOW 80115
-#define BIONIC_EVENT_STRNCPY_BUFFER_OVERFLOW 80120
-#define BIONIC_EVENT_MEMSET_BUFFER_OVERFLOW 80125
-#define BIONIC_EVENT_STRCPY_BUFFER_OVERFLOW 80130
-#define BIONIC_EVENT_STPCPY_BUFFER_OVERFLOW 80135
-#define BIONIC_EVENT_STPNCPY_BUFFER_OVERFLOW 80140
-
-#define BIONIC_EVENT_RESOLVER_OLD_RESPONSE 80300
-#define BIONIC_EVENT_RESOLVER_WRONG_SERVER 80305
-#define BIONIC_EVENT_RESOLVER_WRONG_QUERY 80310
-
-#endif // _LIBC_EVENTS_H
diff --git a/libc/private/libc_logging.h b/libc/private/libc_logging.h
index e389565..4aa3ece 100644
--- a/libc/private/libc_logging.h
+++ b/libc/private/libc_logging.h
@@ -36,8 +36,6 @@
__BEGIN_DECLS
-#include "libc_events.h"
-
enum {
ANDROID_LOG_UNKNOWN = 0,
ANDROID_LOG_DEFAULT, /* only for SetMinPriority() */
@@ -69,20 +67,11 @@
char msg[0];
};
-//
// Formats a message to the log (priority 'fatal'), then aborts.
-//
+__LIBC_HIDDEN__ __noreturn void __libc_fatal(const char* fmt, ...) __printflike(1, 2);
-__LIBC_HIDDEN__ __noreturn void __libc_fatal(const char* format, ...) __printflike(1, 2);
-
-//
-// Formats a message to the log (priority 'fatal'), but doesn't abort.
-// Used by the malloc implementation to ensure that debuggerd dumps memory
-// around the bad address.
-//
-
-__LIBC_HIDDEN__ void __libc_fatal_no_abort(const char* format, ...)
- __printflike(1, 2);
+// Formats a message to the log (priority 'fatal'), prefixed by "FORTIFY: ", then aborts.
+__LIBC_HIDDEN__ __noreturn void __fortify_fatal(const char* fmt, ...) __printflike(1, 2);
//
// Formatting routines for the C library's internal debugging.
@@ -103,15 +92,6 @@
__LIBC_HIDDEN__ int __libc_write_log(int priority, const char* tag, const char* msg);
-//
-// Event logging.
-//
-
-__LIBC_HIDDEN__ void __libc_android_log_event_int(int32_t tag, int value);
-__LIBC_HIDDEN__ void __libc_android_log_event_uid(int32_t tag);
-
-__LIBC_HIDDEN__ __noreturn void __fortify_chk_fail(const char* msg, uint32_t event_tag);
-
__END_DECLS
#endif