libc: implement some FORTIFY_SOURCE functions
Add initial support for -D_FORTIFY_SOURCE to bionic for the
following functions:
* memcpy
* memmove
* strcpy
* strcat
* strncpy
* strncat
This change adds a new version of the above functions which passes
the size of the destination buffer to __builtin___*_chk.
If the compiler can determine, at compile time, that the destination
buffer is large enough, or the destination buffer can point to an object
of unknown size, then the check call is bypassed.
If the compiler can't make a compile time decision, then it calls
the __*_chk() function, which does a runtime buffer size check
These options are only enabled if the code is compiled with
-D_FORTIFY_SOURCE=1 or 2, and only when optimizations are enabled.
Please see
* http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
* http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
for additional details on FORTIFY_SOURCE.
Testing: Compiled the entire Android tree with -D_FORTIFY_SOURCE=1,
and verified that everything appears to be working properly.
Also created a test buffer overflow, and verified that it was
caught by this change.
Change-Id: I4fddb445bafe92b16845b22458d72e6dedd24fbc
diff --git a/libc/Android.mk b/libc/Android.mk
index 95ff1ec..0133a05 100644
--- a/libc/Android.mk
+++ b/libc/Android.mk
@@ -205,6 +205,12 @@
string/strtok.c \
string/strtotimeval.c \
string/strxfrm.c \
+ string/__memcpy_chk.c \
+ string/__memmove_chk.c \
+ string/__strcat_chk.c \
+ string/__strcpy_chk.c \
+ string/__strncat_chk.c \
+ string/__strncpy_chk.c \
wchar/wcpcpy.c \
wchar/wcpncpy.c \
wchar/wcscasecmp.c \
diff --git a/libc/include/string.h b/libc/include/string.h
index 6e6c8e6..12c9500 100644
--- a/libc/include/string.h
+++ b/libc/include/string.h
@@ -85,6 +85,47 @@
extern int strcoll(const char *, const char *) __purefunc;
extern size_t strxfrm(char *, const char *, size_t);
+#if defined(_FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0 && defined(__OPTIMIZE__) && __OPTIMIZE__ > 0
+
+#define __BIONIC_FORTIFY_INLINE \
+ extern inline \
+ __attribute__ ((always_inline)) \
+ __attribute__ ((gnu_inline)) \
+ __attribute__ ((artificial))
+
+__BIONIC_FORTIFY_INLINE
+void *memcpy (void *dest, const void *src, size_t len) {
+ return __builtin___memcpy_chk (dest, src, len, __builtin_object_size (dest, 0));
+}
+
+__BIONIC_FORTIFY_INLINE
+void *memmove (void *dest, const void *src, size_t len) {
+ return __builtin___memmove_chk (dest, src, len, __builtin_object_size (dest, 0));
+}
+
+__BIONIC_FORTIFY_INLINE
+char *strcpy(char *dest, const char *src) {
+ return __builtin___strcpy_chk (dest, src, __builtin_object_size (dest, 0));
+}
+
+__BIONIC_FORTIFY_INLINE
+char *strncpy(char *dest, const char *src, size_t n) {
+ return __builtin___strncpy_chk(dest, src, n, __builtin_object_size (dest, 0));
+}
+
+__BIONIC_FORTIFY_INLINE
+char *strcat(char *dest, const char *src) {
+ return __builtin___strcat_chk (dest, src, __builtin_object_size (dest, 0));
+}
+
+__BIONIC_FORTIFY_INLINE
+char *strncat(char *dest, const char *src, size_t n) {
+ return __builtin___strncat_chk(dest, src, n, __builtin_object_size (dest, 0));
+}
+
+#undef __BIONIC_FORTIFY_INLINE
+#endif
+
__END_DECLS
#endif /* _STRING_H_ */
diff --git a/libc/string/__memcpy_chk.c b/libc/string/__memcpy_chk.c
new file mode 100644
index 0000000..aed3ec2
--- /dev/null
+++ b/libc/string/__memcpy_chk.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2012 The Android Open Source Project
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <string.h>
+#include <stdlib.h>
+#include <private/logd.h>
+
+/*
+ * Runtime implementation of __builtin____memcpy_chk.
+ *
+ * See
+ * http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
+ * http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
+ * for details.
+ *
+ * This memcpy check is called if _FORTIFY_SOURCE is defined and
+ * greater than 0.
+ */
+void *__memcpy_chk (void *dest, const void *src,
+ size_t len, size_t dest_len)
+{
+ if (len > dest_len) {
+ __libc_android_log_print(ANDROID_LOG_FATAL, "libc",
+ "*** memcpy buffer overflow detected ***\n");
+ abort();
+ }
+
+ return memcpy(dest, src, len);
+}
diff --git a/libc/string/__memmove_chk.c b/libc/string/__memmove_chk.c
new file mode 100644
index 0000000..5a6eb4d
--- /dev/null
+++ b/libc/string/__memmove_chk.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2012 The Android Open Source Project
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <string.h>
+#include <stdlib.h>
+#include <private/logd.h>
+
+/*
+ * Runtime implementation of __builtin____memmove_chk.
+ *
+ * See
+ * http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
+ * http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
+ * for details.
+ *
+ * This memmove check is called if _FORTIFY_SOURCE is defined and
+ * greater than 0.
+ */
+void *__memmove_chk (void *dest, const void *src,
+ size_t len, size_t dest_len)
+{
+ if (len > dest_len) {
+ __libc_android_log_print(ANDROID_LOG_FATAL, "libc",
+ "*** memmove buffer overflow detected ***\n");
+ abort();
+ }
+
+ return memmove(dest, src, len);
+}
diff --git a/libc/string/__strcat_chk.c b/libc/string/__strcat_chk.c
new file mode 100644
index 0000000..3e02052
--- /dev/null
+++ b/libc/string/__strcat_chk.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2012 The Android Open Source Project
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <string.h>
+#include <stdlib.h>
+#include <private/logd.h>
+
+/*
+ * Runtime implementation of __builtin____strcat_chk.
+ *
+ * See
+ * http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
+ * http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
+ * for details.
+ *
+ * This strcat check is called if _FORTIFY_SOURCE is defined and
+ * greater than 0.
+ */
+char *__strcat_chk (char *dest, const char *src, size_t dest_buf_size)
+{
+ // TODO: optimize so we don't scan src/dest twice.
+ size_t src_len = strlen(src);
+ size_t dest_len = strlen(dest);
+
+ if (src_len + dest_len + 1 > dest_buf_size) {
+ __libc_android_log_print(ANDROID_LOG_FATAL, "libc",
+ "*** strcat buffer overflow detected ***\n");
+ abort();
+ }
+
+ return strcat(dest, src);
+}
diff --git a/libc/string/__strcpy_chk.c b/libc/string/__strcpy_chk.c
new file mode 100644
index 0000000..85aa19d
--- /dev/null
+++ b/libc/string/__strcpy_chk.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2012 The Android Open Source Project
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <string.h>
+#include <stdlib.h>
+#include <private/logd.h>
+
+/*
+ * Runtime implementation of __builtin____strcpy_chk.
+ *
+ * See
+ * http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
+ * http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
+ * for details.
+ *
+ * This strcpy check is called if _FORTIFY_SOURCE is defined and
+ * greater than 0.
+ */
+char *__strcpy_chk (char *dest, const char *src, size_t dest_len)
+{
+ // TODO: optimize so we don't scan src twice.
+ size_t src_len = strlen(src) + 1;
+ if (src_len > dest_len) {
+ __libc_android_log_print(ANDROID_LOG_FATAL, "libc",
+ "*** strcpy buffer overflow detected ***\n");
+ abort();
+ }
+
+ return strcpy(dest, src);
+}
diff --git a/libc/string/__strncat_chk.c b/libc/string/__strncat_chk.c
new file mode 100644
index 0000000..9b0b84a
--- /dev/null
+++ b/libc/string/__strncat_chk.c
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2012 The Android Open Source Project
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <string.h>
+#include <stdlib.h>
+#include <private/logd.h>
+
+/*
+ * Runtime implementation of __builtin____strncat_chk.
+ *
+ * See
+ * http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
+ * http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
+ * for details.
+ *
+ * This strncat check is called if _FORTIFY_SOURCE is defined and
+ * greater than 0.
+ */
+char *__strncat_chk (char *dest, const char *src,
+ size_t len, size_t dest_buf_size)
+{
+ // TODO: optimize so we don't scan src/dest twice.
+ size_t dest_len = strlen(dest);
+ size_t src_len = strlen(src);
+ if (src_len > len) {
+ src_len = len;
+ }
+
+ if (dest_len + src_len + 1 > dest_buf_size) {
+ __libc_android_log_print(ANDROID_LOG_FATAL, "libc",
+ "*** strncat buffer overflow detected ***\n");
+ abort();
+ }
+
+ return strncat(dest, src, len);
+}
diff --git a/libc/string/__strncpy_chk.c b/libc/string/__strncpy_chk.c
new file mode 100644
index 0000000..b87ef4b
--- /dev/null
+++ b/libc/string/__strncpy_chk.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2012 The Android Open Source Project
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <string.h>
+#include <stdlib.h>
+#include <private/logd.h>
+
+/*
+ * Runtime implementation of __builtin____strncpy_chk.
+ *
+ * See
+ * http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
+ * http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
+ * for details.
+ *
+ * This strncpy check is called if _FORTIFY_SOURCE is defined and
+ * greater than 0.
+ */
+char *__strncpy_chk (char *dest, const char *src,
+ size_t len, size_t dest_len)
+{
+ if (len > dest_len) {
+ __libc_android_log_print(ANDROID_LOG_FATAL, "libc",
+ "*** strncpy buffer overflow detected ***\n");
+ abort();
+ }
+
+ return strncpy(dest, src, len);
+}
