1 /* 2 * Copyright (C) 2013 The Android Open Source Project 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * * Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * * Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in 12 * the documentation and/or other materials provided with the 13 * distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT 25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29 #include <private/bionic_asm.h> 30 #include <private/libc_events.h> 31 32 .syntax unified 33 34 .thumb 35 .thumb_func 36 37 // Get the length of src string, then get the source of the dst string. 38 // Check that the two lengths together don't exceed the threshold, then 39 // do a memcpy of the data. 40 ENTRY(__strcat_chk) 41 pld [r0, #0] 42 push {r0, lr} 43 .cfi_def_cfa_offset 8 44 .cfi_rel_offset r0, 0 45 .cfi_rel_offset lr, 4 46 push {r4, r5} 47 .cfi_adjust_cfa_offset 8 48 .cfi_rel_offset r4, 0 49 .cfi_rel_offset r5, 4 50 51 mov lr, r2 52 53 // Save the dst register to r5 54 mov r5, r0 55 56 // Zero out r4 57 eor r4, r4, r4 58 59 // r1 contains the address of the string to count. 60 .L_strlen_start: 61 mov r0, r1 62 ands r3, r1, #7 63 beq .L_mainloop 64 65 // Align to a double word (64 bits). 66 rsb r3, r3, #8 67 lsls ip, r3, #31 68 beq .L_align_to_32 69 70 ldrb r2, [r1], #1 71 cbz r2, .L_update_count_and_finish 72 73 .L_align_to_32: 74 bcc .L_align_to_64 75 ands ip, r3, #2 76 beq .L_align_to_64 77 78 ldrb r2, [r1], #1 79 cbz r2, .L_update_count_and_finish 80 ldrb r2, [r1], #1 81 cbz r2, .L_update_count_and_finish 82 83 .L_align_to_64: 84 tst r3, #4 85 beq .L_mainloop 86 ldr r3, [r1], #4 87 88 sub ip, r3, #0x01010101 89 bic ip, ip, r3 90 ands ip, ip, #0x80808080 91 bne .L_zero_in_second_register 92 93 .p2align 2 94 .L_mainloop: 95 ldrd r2, r3, [r1], #8 96 97 pld [r1, #64] 98 99 sub ip, r2, #0x01010101 100 bic ip, ip, r2 101 ands ip, ip, #0x80808080 102 bne .L_zero_in_first_register 103 104 sub ip, r3, #0x01010101 105 bic ip, ip, r3 106 ands ip, ip, #0x80808080 107 bne .L_zero_in_second_register 108 b .L_mainloop 109 110 .L_update_count_and_finish: 111 sub r3, r1, r0 112 sub r3, r3, #1 113 b .L_finish 114 115 .L_zero_in_first_register: 116 sub r3, r1, r0 117 lsls r2, ip, #17 118 bne .L_sub8_and_finish 119 bcs .L_sub7_and_finish 120 lsls ip, ip, #1 121 bne .L_sub6_and_finish 122 123 sub r3, r3, #5 124 b .L_finish 125 126 .L_sub8_and_finish: 127 sub r3, r3, #8 128 b .L_finish 129 130 .L_sub7_and_finish: 131 sub r3, r3, #7 132 b .L_finish 133 134 .L_sub6_and_finish: 135 sub r3, r3, #6 136 b .L_finish 137 138 .L_zero_in_second_register: 139 sub r3, r1, r0 140 lsls r2, ip, #17 141 bne .L_sub4_and_finish 142 bcs .L_sub3_and_finish 143 lsls ip, ip, #1 144 bne .L_sub2_and_finish 145 146 sub r3, r3, #1 147 b .L_finish 148 149 .L_sub4_and_finish: 150 sub r3, r3, #4 151 b .L_finish 152 153 .L_sub3_and_finish: 154 sub r3, r3, #3 155 b .L_finish 156 157 .L_sub2_and_finish: 158 sub r3, r3, #2 159 160 .L_finish: 161 cmp r4, #0 162 bne .L_strlen_done 163 164 // Time to get the dst string length. 165 mov r1, r5 166 167 // Save the original source address to r5. 168 mov r5, r0 169 170 // Save the current length (adding 1 for the terminator). 171 add r4, r3, #1 172 b .L_strlen_start 173 174 // r0 holds the pointer to the dst string. 175 // r3 holds the dst string length. 176 // r4 holds the src string length + 1. 177 .L_strlen_done: 178 add r2, r3, r4 179 cmp r2, lr 180 bhi __strcat_chk_failed 181 182 // Set up the registers for the memcpy code. 183 mov r1, r5 184 pld [r1, #64] 185 mov r2, r4 186 add r0, r0, r3 187 pop {r4, r5} 188 END(__strcat_chk) 189 190 #define MEMCPY_BASE __strcat_chk_memcpy_base 191 #define MEMCPY_BASE_ALIGNED __strcat_chk_memcpy_base_aligned 192 193 #include "memcpy_base.S" 194 195 ENTRY_PRIVATE(__strcat_chk_failed) 196 .cfi_def_cfa_offset 8 197 .cfi_rel_offset r0, 0 198 .cfi_rel_offset lr, 4 199 .cfi_adjust_cfa_offset 8 200 .cfi_rel_offset r4, 0 201 .cfi_rel_offset r5, 4 202 203 ldr r0, error_message 204 ldr r1, error_code 205 1: 206 add r0, pc 207 bl __fortify_chk_fail 208 error_code: 209 .word BIONIC_EVENT_STRCAT_BUFFER_OVERFLOW 210 error_message: 211 .word error_string-(1b+4) 212 END(__strcat_chk_failed) 213 214 .data 215 error_string: 216 .string "strcat: prevented write past end of buffer" 217
