Gitiles
Code Review Sign In
gerrit.omnirom.org / android_bionic / 2de7983470a04e3037a8993553c3b9533b985952 / . / libc / bionic / fortify.cpp
blob: f68efabf157d3f03a0c9b5b92decacf7e2b66856 [file] [log] [blame]
Elliott Hughesb83d6742016-02-25 20:33:47 -0800[diff] [blame]1/*
2 * Copyright (C) 2012 The Android Open Source Project
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * * Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in
12 * the documentation and/or other materials provided with the
13 * distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29/*
30 * Copyright (c) 1988 Regents of the University of California.
31 * All rights reserved.
32 *
33 * Redistribution and use in source and binary forms, with or without
34 * modification, are permitted provided that the following conditions
35 * are met:
36 * 1. Redistributions of source code must retain the above copyright
37 * notice, this list of conditions and the following disclaimer.
38 * 2. Redistributions in binary form must reproduce the above copyright
39 * notice, this list of conditions and the following disclaimer in the
40 * documentation and/or other materials provided with the distribution.
41 * 3. Neither the name of the University nor the names of its contributors
42 * may be used to endorse or promote products derived from this software
43 * without specific prior written permission.
44 *
45 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
46 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
47 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
48 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
49 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
50 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
51 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
53 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
54 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
55 * SUCH DAMAGE.
56 */
57
58#undef _FORTIFY_SOURCE
59
60#include <poll.h>
61#include <stdarg.h>
62#include <stddef.h>
63#include <stdio.h>
64#include <stdlib.h>
65#include <string.h>
66#include <sys/cdefs.h>
67#include <sys/select.h>
68#include <sys/socket.h>
69#include <sys/stat.h>
70#include <unistd.h>
71
72#include "private/bionic_fortify.h"
73
74//
75// For more details see:
76// http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
77// http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
78//
79// TODO: add a link to similar clang documentation?
80//
81
82int __FD_ISSET_chk(int fd, fd_set* set, size_t set_size) {
83 __check_fd_set("FD_ISSET", fd, set_size);
84 return FD_ISSET(fd, set);
85}
86
87void __FD_CLR_chk(int fd, fd_set* set, size_t set_size) {
88 __check_fd_set("FD_CLR", fd, set_size);
89 FD_CLR(fd, set);
90}
91
92void __FD_SET_chk(int fd, fd_set* set, size_t set_size) {
93 __check_fd_set("FD_SET", fd, set_size);
94 FD_SET(fd, set);
95}
96
97char* __fgets_chk(char* dst, int supplied_size, FILE* stream, size_t dst_len_from_compiler) {
98 if (supplied_size < 0) {
99 __fortify_fatal("fgets: buffer size %d < 0", supplied_size);
100 }
101 __check_buffer_access("fgets", "write into", supplied_size, dst_len_from_compiler);
102 return fgets(dst, supplied_size, stream);
103}
104
105size_t __fread_chk(void* __restrict buf, size_t size, size_t count,
106 FILE* __restrict stream, size_t buf_size) {
107 size_t total;
108 if (__predict_false(__size_mul_overflow(size, count, &total))) {
109 // overflow: trigger the error path in fread
110 return fread(buf, size, count, stream);
111 }
112 __check_buffer_access("fread", "write into", total, buf_size);
113 return fread(buf, size, count, stream);
114}
115
116size_t __fwrite_chk(const void* __restrict buf, size_t size, size_t count,
117 FILE* __restrict stream, size_t buf_size) {
118 size_t total;
119 if (__predict_false(__size_mul_overflow(size, count, &total))) {
120 // overflow: trigger the error path in fwrite
121 return fwrite(buf, size, count, stream);
122 }
123 __check_buffer_access("fwrite", "read from", total, buf_size);
124 return fwrite(buf, size, count, stream);
125}
126
127extern char* __getcwd_chk(char* buf, size_t len, size_t actual_size) {
128 __check_buffer_access("getcwd", "write into", len, actual_size);
129 return getcwd(buf, len);
130}
131
132void* __memchr_chk(const void* s, int c, size_t n, size_t actual_size) {
133 __check_buffer_access("memchr", "read from", n, actual_size);
134 return memchr(s, c, n);
135}
136
137// Runtime implementation of __builtin____memmove_chk (used directly by compiler, not in headers).
138extern "C" void* __memmove_chk(void* dst, const void* src, size_t len, size_t dst_len) {
139 __check_buffer_access("memmove", "write into", len, dst_len);
140 return memmove(dst, src, len);
141}
142
143void* __memrchr_chk(const void* s, int c, size_t n, size_t actual_size) {
144 __check_buffer_access("memrchr", "read from", n, actual_size);
145 return memrchr(s, c, n);
146}
147
148int __poll_chk(pollfd* fds, nfds_t fd_count, int timeout, size_t fds_size) {
149 __check_pollfd_array("poll", fds_size, fd_count);
150 return poll(fds, fd_count, timeout);
151}
152
153int __ppoll_chk(pollfd* fds, nfds_t fd_count, const timespec* timeout,
154 const sigset_t* mask, size_t fds_size) {
155 __check_pollfd_array("ppoll", fds_size, fd_count);
156 return ppoll(fds, fd_count, timeout, mask);
157}
158
159ssize_t __pread64_chk(int fd, void* buf, size_t count, off64_t offset, size_t buf_size) {
160 __check_count("pread64", "count", count);
161 __check_buffer_access("pread64", "write into", count, buf_size);
162 return pread64(fd, buf, count, offset);
163}
164
165ssize_t __pread_chk(int fd, void* buf, size_t count, off_t offset, size_t buf_size) {
166 __check_count("pread", "count", count);
167 __check_buffer_access("pread", "write into", count, buf_size);
168 return pread(fd, buf, count, offset);
169}
170
171ssize_t __pwrite64_chk(int fd, const void* buf, size_t count, off64_t offset,
172 size_t buf_size) {
173 __check_count("pwrite64", "count", count);
174 __check_buffer_access("pwrite64", "read from", count, buf_size);
175 return pwrite64(fd, buf, count, offset);
176}
177
178ssize_t __pwrite_chk(int fd, const void* buf, size_t count, off_t offset,
179 size_t buf_size) {
180 __check_count("pwrite", "count", count);
181 __check_buffer_access("pwrite", "read from", count, buf_size);
182 return pwrite(fd, buf, count, offset);
183}
184
185ssize_t __read_chk(int fd, void* buf, size_t count, size_t buf_size) {
186 __check_count("read", "count", count);
187 __check_buffer_access("read", "write into", count, buf_size);
188 return read(fd, buf, count);
189}
190
191ssize_t __readlinkat_chk(int dirfd, const char* path, char* buf, size_t size, size_t buf_size) {
192 __check_count("readlinkat", "size", size);
193 __check_buffer_access("readlinkat", "write into", size, buf_size);
194 return readlinkat(dirfd, path, buf, size);
195}
196
197ssize_t __readlink_chk(const char* path, char* buf, size_t size, size_t buf_size) {
198 __check_count("readlink", "size", size);
199 __check_buffer_access("readlink", "write into", size, buf_size);
200 return readlink(path, buf, size);
201}
202
203ssize_t __recvfrom_chk(int socket, void* buf, size_t len, size_t buf_size,
204 int flags, const sockaddr* src_addr,
205 socklen_t* addrlen) {
206 __check_buffer_access("recvfrom", "write into", len, buf_size);
207 return recvfrom(socket, buf, len, flags, src_addr, addrlen);
208}
209
210// Runtime implementation of __builtin____stpcpy_chk (used directly by compiler, not in headers)..
211extern "C" char* __stpcpy_chk(char* dst, const char* src, size_t dst_len) {
212 // TODO: optimize so we don't scan src twice.
213 size_t src_len = strlen(src) + 1;
214 __check_buffer_access("stpcpy", "write into", src_len, dst_len);
215 return stpcpy(dst, src);
216}
217
218// Runtime implementation of __builtin____stpncpy_chk (used directly by compiler, not in headers).
219extern "C" char* __stpncpy_chk(char* __restrict dst, const char* __restrict src,
220 size_t len, size_t dst_len) {
221 __check_buffer_access("stpncpy", "write into", len, dst_len);
222 return stpncpy(dst, src, len);
223}
224
225// This is a variant of __stpncpy_chk, but it also checks to make
226// sure we don't read beyond the end of "src". The code for this is
227// based on the original version of stpncpy, but modified to check
228// how much we read from "src" at the end of the copy operation.
229char* __stpncpy_chk2(char* __restrict dst, const char* __restrict src,
230 size_t n, size_t dst_len, size_t src_len) {
231 __check_buffer_access("stpncpy", "write into", n, dst_len);
232 if (n != 0) {
233 char* d = dst;
234 const char* s = src;
235
236 do {
237 if ((*d++ = *s++) == 0) {
238 // NUL pad the remaining n-1 bytes.
239 while (--n != 0) {
240 *d++ = 0;
241 }
242 break;
243 }
244 } while (--n != 0);
245
246 size_t s_copy_len = static_cast<size_t>(s - src);
247 if (__predict_false(s_copy_len > src_len)) {
248 __fortify_fatal("stpncpy: detected read past end of %zu-byte buffer", src_len);
249 }
250 }
251
252 return dst;
253}
254
255char* __strchr_chk(const char* p, int ch, size_t s_len) {
256 for (;; ++p, s_len--) {
257 if (__predict_false(s_len == 0)) {
258 __fortify_fatal("strchr: prevented read past end of buffer");
259 }
260 if (*p == static_cast<char>(ch)) {
261 return const_cast<char*>(p);
262 }
263 if (*p == '\0') {
264 return NULL;
265 }
266 }
267}
268
269size_t __strlcat_chk(char* dst, const char* src,
270 size_t supplied_size, size_t dst_len_from_compiler) {
271 __check_buffer_access("strlcat", "write into", supplied_size, dst_len_from_compiler);
272 return strlcat(dst, src, supplied_size);
273}
274
275size_t __strlcpy_chk(char* dst, const char* src,
276 size_t supplied_size, size_t dst_len_from_compiler) {
277 __check_buffer_access("strlcpy", "write into", supplied_size, dst_len_from_compiler);
278 return strlcpy(dst, src, supplied_size);
279}
280
281size_t __strlen_chk(const char* s, size_t s_len) {
282 // TODO: "prevented" here would be a lie because this strlen can run off the end.
283 // strlen is too important to be expensive, so we wanted to be able to call the optimized
284 // implementation, but I think we need to implement optimized assembler __strlen_chk routines.
285 size_t ret = strlen(s);
286 if (__predict_false(ret >= s_len)) {
287 __fortify_fatal("strlen: detected read past end of buffer");
288 }
289 return ret;
290}
291
292// Runtime implementation of __builtin____strncat_chk (used directly by compiler, not in headers).
293extern "C" char* __strncat_chk(char* __restrict dst, const char* __restrict src,
294 size_t len, size_t dst_buf_size) {
295 if (len == 0) {
296 return dst;
297 }
298
299 size_t dst_len = __strlen_chk(dst, dst_buf_size);
300 char* d = dst + dst_len;
301 dst_buf_size -= dst_len;
302
303 while (*src != '\0') {
304 *d++ = *src++;
305 len--; dst_buf_size--;
306
307 if (__predict_false(dst_buf_size == 0)) {
308 __fortify_fatal("strncat: prevented write past end of buffer");
309 }
310
311 if (len == 0) {
312 break;
313 }
314 }
315
316 *d = '\0';
317 return dst;
318}
319
320// Runtime implementation of __builtin____strncpy_chk (used directly by compiler, not in headers).
321extern "C" char* __strncpy_chk(char* __restrict dst, const char* __restrict src,
322 size_t len, size_t dst_len) {
323 __check_buffer_access("strncpy", "write into", len, dst_len);
324 return strncpy(dst, src, len);
325}
326
327// This is a variant of __strncpy_chk, but it also checks to make
328// sure we don't read beyond the end of "src". The code for this is
329// based on the original version of strncpy, but modified to check
330// how much we read from "src" at the end of the copy operation.
331char* __strncpy_chk2(char* __restrict dst, const char* __restrict src,
332 size_t n, size_t dst_len, size_t src_len) {
333 __check_buffer_access("strncpy", "write into", n, dst_len);
334 if (n != 0) {
335 char* d = dst;
336 const char* s = src;
337
338 do {
339 if ((*d++ = *s++) == 0) {
340 // NUL pad the remaining n-1 bytes.
341 while (--n != 0) {
342 *d++ = 0;
343 }
344 break;
345 }
346 } while (--n != 0);
347
348 size_t s_copy_len = static_cast<size_t>(s - src);
349 if (__predict_false(s_copy_len > src_len)) {
350 __fortify_fatal("strncpy: detected read past end of %zu-byte buffer", src_len);
351 }
352 }
353
354 return dst;
355}
356
357char* __strrchr_chk(const char* p, int ch, size_t s_len) {
358 for (const char* save = NULL;; ++p, s_len--) {
359 if (s_len == 0) {
360 __fortify_fatal("strrchr: prevented read past end of buffer");
361 }
362 if (*p == static_cast<char>(ch)) {
363 save = p;
364 }
365 if (!*p) {
366 return const_cast<char*>(save);
367 }
368 }
369}
370
371mode_t __umask_chk(mode_t mode) {
372 if (__predict_false((mode & 0777) != mode)) {
373 __fortify_fatal("umask: called with invalid mask %o", mode);
374 }
375
376 return umask(mode);
377}
378
379// Runtime implementation of __builtin____vsnprintf_chk (used directly by compiler, not in headers).
380extern "C" int __vsnprintf_chk(char* dst, size_t supplied_size, int /*flags*/,
381 size_t dst_len_from_compiler, const char* format, va_list va) {
382 __check_buffer_access("vsnprintf", "write into", supplied_size, dst_len_from_compiler);
383 return vsnprintf(dst, supplied_size, format, va);
384}
385
386// Runtime implementation of __builtin____snprintf_chk (used directly by compiler, not in headers).
387extern "C" int __snprintf_chk(char* dst, size_t supplied_size, int flags,
388 size_t dst_len_from_compiler, const char* format, ...) {
389 va_list va;
390 va_start(va, format);
391 int result = __vsnprintf_chk(dst, supplied_size, flags, dst_len_from_compiler, format, va);
392 va_end(va);
393 return result;
394}
395
396// Runtime implementation of __builtin____vsprintf_chk (used directly by compiler, not in headers).
397extern "C" int __vsprintf_chk(char* dst, int /*flags*/,
398 size_t dst_len_from_compiler, const char* format, va_list va) {
399 int result = vsnprintf(dst, dst_len_from_compiler, format, va);
400 __check_buffer_access("vsprintf", "write into", result + 1, dst_len_from_compiler);
401 return result;
402}
403
404// Runtime implementation of __builtin____sprintf_chk (used directly by compiler, not in headers).
405extern "C" int __sprintf_chk(char* dst, int flags, size_t dst_len_from_compiler,
406 const char* format, ...) {
407 va_list va;
408 va_start(va, format);
409 int result = __vsprintf_chk(dst, flags, dst_len_from_compiler, format, va);
410 va_end(va);
411 return result;
412}
413
414ssize_t __write_chk(int fd, const void* buf, size_t count, size_t buf_size) {
415 __check_count("write", "count", count);
416 __check_buffer_access("write", "read from", count, buf_size);
417 return write(fd, buf, count);
418}