Home | History | Annotate | Download | only in bionic
      1 /*
      2  * Copyright (C) 2012 The Android Open Source Project
      3  * All rights reserved.
      4  *
      5  * Redistribution and use in source and binary forms, with or without
      6  * modification, are permitted provided that the following conditions
      7  * are met:
      8  *  * Redistributions of source code must retain the above copyright
      9  *    notice, this list of conditions and the following disclaimer.
     10  *  * Redistributions in binary form must reproduce the above copyright
     11  *    notice, this list of conditions and the following disclaimer in
     12  *    the documentation and/or other materials provided with the
     13  *    distribution.
     14  *
     15  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
     16  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
     17  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
     18  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
     19  * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
     20  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
     21  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
     22  * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
     23  * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
     24  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
     25  * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     26  * SUCH DAMAGE.
     27  */
     28 
     29 /*
     30  * Copyright (c) 1988 Regents of the University of California.
     31  * All rights reserved.
     32  *
     33  * Redistribution and use in source and binary forms, with or without
     34  * modification, are permitted provided that the following conditions
     35  * are met:
     36  * 1. Redistributions of source code must retain the above copyright
     37  *    notice, this list of conditions and the following disclaimer.
     38  * 2. Redistributions in binary form must reproduce the above copyright
     39  *    notice, this list of conditions and the following disclaimer in the
     40  *    documentation and/or other materials provided with the distribution.
     41  * 3. Neither the name of the University nor the names of its contributors
     42  *    may be used to endorse or promote products derived from this software
     43  *    without specific prior written permission.
     44  *
     45  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
     46  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     47  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     48  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
     49  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     50  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     51  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     52  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     53  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     54  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     55  * SUCH DAMAGE.
     56  */
     57 
     58 #undef _FORTIFY_SOURCE
     59 
     60 #include <poll.h>
     61 #include <stdarg.h>
     62 #include <stddef.h>
     63 #include <stdio.h>
     64 #include <stdlib.h>
     65 #include <string.h>
     66 #include <sys/cdefs.h>
     67 #include <sys/select.h>
     68 #include <sys/socket.h>
     69 #include <sys/stat.h>
     70 #include <unistd.h>
     71 
     72 #include "private/bionic_fortify.h"
     73 
     74 //
     75 // For more about FORTIFY see:
     76 //
     77 //   https://android-developers.googleblog.com/2017/04/fortify-in-android.html
     78 //
     79 //   http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
     80 //   http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
     81 //
     82 
     83 struct __bionic_zero_size_is_okay_t __bionic_zero_size_is_okay;
     84 
     85 int __FD_ISSET_chk(int fd, fd_set* set, size_t set_size) {
     86   __check_fd_set("FD_ISSET", fd, set_size);
     87   return FD_ISSET(fd, set);
     88 }
     89 
     90 void __FD_CLR_chk(int fd, fd_set* set, size_t set_size) {
     91   __check_fd_set("FD_CLR", fd, set_size);
     92   FD_CLR(fd, set);
     93 }
     94 
     95 void __FD_SET_chk(int fd, fd_set* set, size_t set_size) {
     96   __check_fd_set("FD_SET", fd, set_size);
     97   FD_SET(fd, set);
     98 }
     99 
    100 char* __fgets_chk(char* dst, int supplied_size, FILE* stream, size_t dst_len_from_compiler) {
    101   if (supplied_size < 0) {
    102     __fortify_fatal("fgets: buffer size %d < 0", supplied_size);
    103   }
    104   __check_buffer_access("fgets", "write into", supplied_size, dst_len_from_compiler);
    105   return fgets(dst, supplied_size, stream);
    106 }
    107 
    108 size_t __fread_chk(void* __restrict buf, size_t size, size_t count,
    109                    FILE* __restrict stream, size_t buf_size) {
    110   size_t total;
    111   if (__predict_false(__size_mul_overflow(size, count, &total))) {
    112     // overflow: trigger the error path in fread
    113     return fread(buf, size, count, stream);
    114   }
    115   __check_buffer_access("fread", "write into", total, buf_size);
    116   return fread(buf, size, count, stream);
    117 }
    118 
    119 size_t __fwrite_chk(const void* __restrict buf, size_t size, size_t count,
    120                     FILE* __restrict stream, size_t buf_size) {
    121   size_t total;
    122   if (__predict_false(__size_mul_overflow(size, count, &total))) {
    123     // overflow: trigger the error path in fwrite
    124     return fwrite(buf, size, count, stream);
    125   }
    126   __check_buffer_access("fwrite", "read from", total, buf_size);
    127   return fwrite(buf, size, count, stream);
    128 }
    129 
    130 extern char* __getcwd_chk(char* buf, size_t len, size_t actual_size) {
    131   __check_buffer_access("getcwd", "write into", len, actual_size);
    132   return getcwd(buf, len);
    133 }
    134 
    135 void* __memchr_chk(const void* s, int c, size_t n, size_t actual_size) {
    136   __check_buffer_access("memchr", "read from", n, actual_size);
    137   return const_cast<void*>(memchr(s, c, n));
    138 }
    139 
    140 // Runtime implementation of __builtin____memmove_chk (used directly by compiler, not in headers).
    141 extern "C" void* __memmove_chk(void* dst, const void* src, size_t len, size_t dst_len) {
    142   __check_buffer_access("memmove", "write into", len, dst_len);
    143   return memmove(dst, src, len);
    144 }
    145 
    146 // memcpy is performance-critical enough that we have assembler __memcpy_chk implementations.
    147 // This function is used to give better diagnostics than we can easily do from assembler.
    148 extern "C" void* __memcpy_chk_fail(void* /*dst*/, const void* /*src*/, size_t count, size_t dst_len) {
    149   __check_count("memcpy", "count", count);
    150   __check_buffer_access("memcpy", "write into", count, dst_len);
    151   abort(); // One of the above is supposed to have failed, otherwise we shouldn't have been called.
    152 }
    153 
    154 void* __memrchr_chk(const void* s, int c, size_t n, size_t actual_size) {
    155   __check_buffer_access("memrchr", "read from", n, actual_size);
    156   return memrchr(s, c, n);
    157 }
    158 
    159 // memset is performance-critical enough that we have assembler __memset_chk implementations.
    160 // This function is used to give better diagnostics than we can easily do from assembler.
    161 extern "C" void* __memset_chk_fail(void* /*dst*/, int /*byte*/, size_t count, size_t dst_len) {
    162   __check_count("memset", "count", count);
    163   __check_buffer_access("memset", "write into", count, dst_len);
    164   abort(); // One of the above is supposed to have failed, otherwise we shouldn't have been called.
    165 }
    166 
    167 int __poll_chk(pollfd* fds, nfds_t fd_count, int timeout, size_t fds_size) {
    168   __check_pollfd_array("poll", fds_size, fd_count);
    169   return poll(fds, fd_count, timeout);
    170 }
    171 
    172 int __ppoll_chk(pollfd* fds, nfds_t fd_count, const timespec* timeout,
    173                 const sigset_t* mask, size_t fds_size) {
    174   __check_pollfd_array("ppoll", fds_size, fd_count);
    175   return ppoll(fds, fd_count, timeout, mask);
    176 }
    177 
    178 ssize_t __pread64_chk(int fd, void* buf, size_t count, off64_t offset, size_t buf_size) {
    179   __check_count("pread64", "count", count);
    180   __check_buffer_access("pread64", "write into", count, buf_size);
    181   return pread64(fd, buf, count, offset);
    182 }
    183 
    184 ssize_t __pread_chk(int fd, void* buf, size_t count, off_t offset, size_t buf_size) {
    185   __check_count("pread", "count", count);
    186   __check_buffer_access("pread", "write into", count, buf_size);
    187   return pread(fd, buf, count, offset);
    188 }
    189 
    190 ssize_t __pwrite64_chk(int fd, const void* buf, size_t count, off64_t offset,
    191                                   size_t buf_size) {
    192   __check_count("pwrite64", "count", count);
    193   __check_buffer_access("pwrite64", "read from", count, buf_size);
    194   return pwrite64(fd, buf, count, offset);
    195 }
    196 
    197 ssize_t __pwrite_chk(int fd, const void* buf, size_t count, off_t offset,
    198                                 size_t buf_size) {
    199   __check_count("pwrite", "count", count);
    200   __check_buffer_access("pwrite", "read from", count, buf_size);
    201   return pwrite(fd, buf, count, offset);
    202 }
    203 
    204 ssize_t __read_chk(int fd, void* buf, size_t count, size_t buf_size) {
    205   __check_count("read", "count", count);
    206   __check_buffer_access("read", "write into", count, buf_size);
    207   return read(fd, buf, count);
    208 }
    209 
    210 ssize_t __readlinkat_chk(int dirfd, const char* path, char* buf, size_t size, size_t buf_size) {
    211   __check_count("readlinkat", "size", size);
    212   __check_buffer_access("readlinkat", "write into", size, buf_size);
    213   return readlinkat(dirfd, path, buf, size);
    214 }
    215 
    216 ssize_t __readlink_chk(const char* path, char* buf, size_t size, size_t buf_size) {
    217   __check_count("readlink", "size", size);
    218   __check_buffer_access("readlink", "write into", size, buf_size);
    219   return readlink(path, buf, size);
    220 }
    221 
    222 ssize_t __recvfrom_chk(int socket, void* buf, size_t len, size_t buf_size,
    223                        int flags, sockaddr* src_addr, socklen_t* addrlen) {
    224   __check_buffer_access("recvfrom", "write into", len, buf_size);
    225   return recvfrom(socket, buf, len, flags, src_addr, addrlen);
    226 }
    227 
    228 ssize_t __sendto_chk(int socket, const void* buf, size_t len, size_t buflen,
    229                      int flags, const struct sockaddr* dest_addr,
    230                      socklen_t addrlen) {
    231   __check_buffer_access("sendto", "read from", len, buflen);
    232   return sendto(socket, buf, len, flags, dest_addr, addrlen);
    233 }
    234 
    235 // Runtime implementation of __builtin____stpcpy_chk (used directly by compiler, not in headers)..
    236 extern "C" char* __stpcpy_chk(char* dst, const char* src, size_t dst_len) {
    237   // TODO: optimize so we don't scan src twice.
    238   size_t src_len = strlen(src) + 1;
    239   __check_buffer_access("stpcpy", "write into", src_len, dst_len);
    240   return stpcpy(dst, src);
    241 }
    242 
    243 // Runtime implementation of __builtin____stpncpy_chk (used directly by compiler, not in headers).
    244 extern "C" char* __stpncpy_chk(char* __restrict dst, const char* __restrict src,
    245                                size_t len, size_t dst_len) {
    246   __check_buffer_access("stpncpy", "write into", len, dst_len);
    247   return stpncpy(dst, src, len);
    248 }
    249 
    250 // This is a variant of __stpncpy_chk, but it also checks to make
    251 // sure we don't read beyond the end of "src". The code for this is
    252 // based on the original version of stpncpy, but modified to check
    253 // how much we read from "src" at the end of the copy operation.
    254 char* __stpncpy_chk2(char* __restrict dst, const char* __restrict src,
    255                      size_t n, size_t dst_len, size_t src_len) {
    256   __check_buffer_access("stpncpy", "write into", n, dst_len);
    257   if (n != 0) {
    258     char* d = dst;
    259     const char* s = src;
    260 
    261     do {
    262       if ((*d++ = *s++) == 0) {
    263         // NUL pad the remaining n-1 bytes.
    264         while (--n != 0) {
    265           *d++ = 0;
    266         }
    267         break;
    268       }
    269     } while (--n != 0);
    270 
    271     size_t s_copy_len = static_cast<size_t>(s - src);
    272     if (__predict_false(s_copy_len > src_len)) {
    273       __fortify_fatal("stpncpy: detected read past end of %zu-byte buffer", src_len);
    274     }
    275   }
    276 
    277   return dst;
    278 }
    279 
    280 // strcat is performance-critical enough that we have assembler __strcat_chk implementations.
    281 // This function is used to give better diagnostics than we can easily do from assembler.
    282 extern "C" void __strcat_chk_fail(size_t dst_buf_size) {
    283   __fortify_fatal("strcat: prevented write past end of %zu-byte buffer", dst_buf_size);
    284 }
    285 
    286 char* __strchr_chk(const char* p, int ch, size_t s_len) {
    287   for (;; ++p, s_len--) {
    288     if (__predict_false(s_len == 0)) {
    289       __fortify_fatal("strchr: prevented read past end of buffer");
    290     }
    291     if (*p == static_cast<char>(ch)) {
    292       return const_cast<char*>(p);
    293     }
    294     if (*p == '\0') {
    295       return NULL;
    296     }
    297   }
    298 }
    299 
    300 // strcpy is performance-critical enough that we have assembler __strcpy_chk implementations.
    301 // This function is used to give better diagnostics than we can easily do from assembler.
    302 extern "C" void __strcpy_chk_fail(size_t dst_buf_size) {
    303   __fortify_fatal("strcpy: prevented write past end of %zu-byte buffer", dst_buf_size);
    304 }
    305 
    306 size_t __strlcat_chk(char* dst, const char* src,
    307                      size_t supplied_size, size_t dst_len_from_compiler) {
    308   __check_buffer_access("strlcat", "write into", supplied_size, dst_len_from_compiler);
    309   return strlcat(dst, src, supplied_size);
    310 }
    311 
    312 size_t __strlcpy_chk(char* dst, const char* src,
    313                      size_t supplied_size, size_t dst_len_from_compiler) {
    314   __check_buffer_access("strlcpy", "write into", supplied_size, dst_len_from_compiler);
    315   return strlcpy(dst, src, supplied_size);
    316 }
    317 
    318 size_t __strlen_chk(const char* s, size_t s_len) {
    319   // TODO: "prevented" here would be a lie because this strlen can run off the end.
    320   // strlen is too important to be expensive, so we wanted to be able to call the optimized
    321   // implementation, but I think we need to implement optimized assembler __strlen_chk routines.
    322   size_t ret = strlen(s);
    323   if (__predict_false(ret >= s_len)) {
    324     __fortify_fatal("strlen: detected read past end of buffer");
    325   }
    326   return ret;
    327 }
    328 
    329 // Runtime implementation of __builtin____strncat_chk (used directly by compiler, not in headers).
    330 extern "C" char* __strncat_chk(char* __restrict dst, const char* __restrict src,
    331                                size_t len, size_t dst_buf_size) {
    332   if (len == 0) {
    333     return dst;
    334   }
    335 
    336   size_t dst_len = __strlen_chk(dst, dst_buf_size);
    337   char* d = dst + dst_len;
    338   dst_buf_size -= dst_len;
    339 
    340   while (*src != '\0') {
    341     *d++ = *src++;
    342     len--; dst_buf_size--;
    343 
    344     if (__predict_false(dst_buf_size == 0)) {
    345       __fortify_fatal("strncat: prevented write past end of buffer");
    346     }
    347 
    348     if (len == 0) {
    349       break;
    350     }
    351   }
    352 
    353   *d = '\0';
    354   return dst;
    355 }
    356 
    357 // Runtime implementation of __builtin____strncpy_chk (used directly by compiler, not in headers).
    358 extern "C" char* __strncpy_chk(char* __restrict dst, const char* __restrict src,
    359                                size_t len, size_t dst_len) {
    360   __check_buffer_access("strncpy", "write into", len, dst_len);
    361   return strncpy(dst, src, len);
    362 }
    363 
    364 // This is a variant of __strncpy_chk, but it also checks to make
    365 // sure we don't read beyond the end of "src". The code for this is
    366 // based on the original version of strncpy, but modified to check
    367 // how much we read from "src" at the end of the copy operation.
    368 char* __strncpy_chk2(char* __restrict dst, const char* __restrict src,
    369                                 size_t n, size_t dst_len, size_t src_len) {
    370   __check_buffer_access("strncpy", "write into", n, dst_len);
    371   if (n != 0) {
    372     char* d = dst;
    373     const char* s = src;
    374 
    375     do {
    376       if ((*d++ = *s++) == 0) {
    377         // NUL pad the remaining n-1 bytes.
    378         while (--n != 0) {
    379           *d++ = 0;
    380         }
    381         break;
    382       }
    383     } while (--n != 0);
    384 
    385     size_t s_copy_len = static_cast<size_t>(s - src);
    386     if (__predict_false(s_copy_len > src_len)) {
    387       __fortify_fatal("strncpy: detected read past end of %zu-byte buffer", src_len);
    388     }
    389   }
    390 
    391   return dst;
    392 }
    393 
    394 char* __strrchr_chk(const char* p, int ch, size_t s_len) {
    395   for (const char* save = NULL;; ++p, s_len--) {
    396     if (s_len == 0) {
    397       __fortify_fatal("strrchr: prevented read past end of buffer");
    398     }
    399     if (*p == static_cast<char>(ch)) {
    400       save = p;
    401     }
    402     if (!*p) {
    403       return const_cast<char*>(save);
    404     }
    405   }
    406 }
    407 
    408 mode_t __umask_chk(mode_t mode) {
    409   if (__predict_false((mode & 0777) != mode)) {
    410     __fortify_fatal("umask: called with invalid mask %o", mode);
    411   }
    412 
    413   return umask(mode);
    414 }
    415 
    416 // Runtime implementation of __builtin____vsnprintf_chk (used directly by compiler, not in headers).
    417 extern "C" int __vsnprintf_chk(char* dst, size_t supplied_size, int /*flags*/,
    418                                size_t dst_len_from_compiler, const char* format, va_list va) {
    419   __check_buffer_access("vsnprintf", "write into", supplied_size, dst_len_from_compiler);
    420   return vsnprintf(dst, supplied_size, format, va);
    421 }
    422 
    423 // Runtime implementation of __builtin____snprintf_chk (used directly by compiler, not in headers).
    424 extern "C" int __snprintf_chk(char* dst, size_t supplied_size, int flags,
    425                               size_t dst_len_from_compiler, const char* format, ...) {
    426   va_list va;
    427   va_start(va, format);
    428   int result = __vsnprintf_chk(dst, supplied_size, flags, dst_len_from_compiler, format, va);
    429   va_end(va);
    430   return result;
    431 }
    432 
    433 // Runtime implementation of __builtin____vsprintf_chk (used directly by compiler, not in headers).
    434 extern "C" int __vsprintf_chk(char* dst, int /*flags*/,
    435                               size_t dst_len_from_compiler, const char* format, va_list va) {
    436   // The compiler uses SIZE_MAX to mean "no idea", but our vsnprintf rejects sizes that large.
    437   int result = vsnprintf(dst,
    438                          dst_len_from_compiler == SIZE_MAX ? SSIZE_MAX : dst_len_from_compiler,
    439                          format, va);
    440 
    441   // Try to catch failures after the fact...
    442   __check_buffer_access("vsprintf", "write into", result + 1, dst_len_from_compiler);
    443   return result;
    444 }
    445 
    446 // Runtime implementation of __builtin____sprintf_chk (used directly by compiler, not in headers).
    447 extern "C" int __sprintf_chk(char* dst, int flags, size_t dst_len_from_compiler,
    448                              const char* format, ...) {
    449   va_list va;
    450   va_start(va, format);
    451   int result = __vsprintf_chk(dst, flags, dst_len_from_compiler, format, va);
    452   va_end(va);
    453   return result;
    454 }
    455 
    456 ssize_t __write_chk(int fd, const void* buf, size_t count, size_t buf_size) {
    457   __check_count("write", "count", count);
    458   __check_buffer_access("write", "read from", count, buf_size);
    459   return write(fd, buf, count);
    460 }
    461