commit b91791d71c58d14309cd4d842d222f5d36b3a5a8
author Nick Kralevich <nnk@google.com> Wed Oct 02 14:14:40 2013 -0700
committer Nick Kralevich <nnk@google.com> Wed Oct 02 14:14:40 2013 -0700
tree f4ff8e8fbbe7fa01b34f6b2bf82ec0a78146607e
parent 4bbf3a8b558ea8b5ce62f2d1ee2599a8e95c21c0

Use alloc_size attribute on *alloc functions

malloc and family were not declared with __attribute__((alloc_size)).
This was (sometimes) preventing FORTIFY_SOURCE related functions
from knowing the size of the buffer it's dealing with, inhibiting
FORTIFY_SOURCE protections.

Add __attribute__((alloc_size))

Information about the alloc_size attribute can be found
at http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html

Change-Id: Ia2f0a445f0170a7325f69259b5e7fb35a9f14921

libc/include/malloc.h

diff --git a/libc/include/malloc.h b/libc/include/malloc.h
index eaedc49..9a4e324 100644
--- a/libc/include/malloc.h
+++ b/libc/include/malloc.h
@@ -27,16 +27,16 @@
 
 __BEGIN_DECLS
 
-extern void* malloc(size_t byte_count) __mallocfunc __wur;
-extern void* calloc(size_t item_count, size_t item_size) __mallocfunc __wur;
-extern void* realloc(void* p, size_t byte_count) __wur;
+extern void* malloc(size_t byte_count) __mallocfunc __wur __attribute__((alloc_size(1)));
+extern void* calloc(size_t item_count, size_t item_size) __mallocfunc __wur __attribute__((alloc_size(1,2)));
+extern void* realloc(void* p, size_t byte_count) __wur __attribute__((alloc_size(2)));
 extern void free(void* p);
 
-extern void* memalign(size_t alignment, size_t byte_count) __mallocfunc __wur;
+extern void* memalign(size_t alignment, size_t byte_count) __mallocfunc __wur __attribute__((alloc_size(2)));
 extern size_t malloc_usable_size(const void* p);
 
-extern void* valloc(size_t byte_count) __mallocfunc __wur;
-extern void* pvalloc(size_t byte_count) __mallocfunc __wur;
+extern void* valloc(size_t byte_count) __mallocfunc __wur __attribute__((alloc_size(1)));
+extern void* pvalloc(size_t byte_count) __mallocfunc __wur __attribute__((alloc_size(1)));
 
 #ifndef STRUCT_MALLINFO_DECLARED
 #define STRUCT_MALLINFO_DECLARED 1

tests/fortify_test.cpp

diff --git a/tests/fortify_test.cpp b/tests/fortify_test.cpp
index 4ea868b..b131fbe 100644
--- a/tests/fortify_test.cpp
+++ b/tests/fortify_test.cpp
@@ -20,6 +20,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/socket.h>
+#include <malloc.h>
 
 // We have to say "DeathTest" here so gtest knows to run this test (which exits)
 // in its own process. Unfortunately, the C preprocessor doesn't give us an
@@ -395,6 +396,19 @@
   ASSERT_EXIT(sprintf(buf, "%s", source_buf), testing::KilledBySignal(SIGABRT), "");
 }
 
+#ifndef __clang__
+// This test is disabled in clang because clang doesn't properly detect
+// this buffer overflow. TODO: Fix clang.
+TEST(DEATHTEST, sprintf_malloc_fortified) {
+  ::testing::FLAGS_gtest_death_test_style = "threadsafe";
+  char* buf = (char *) malloc(10);
+  char source_buf[11];
+  memcpy(source_buf, "1234567890", 11);
+  ASSERT_EXIT(sprintf(buf, "%s", source_buf), testing::KilledBySignal(SIGABRT), "");
+  free(buf);
+}
+#endif
+
 TEST(DEATHTEST, sprintf2_fortified) {
   ::testing::FLAGS_gtest_death_test_style = "threadsafe";
   char buf[5];