1 /* 2 * Copyright (C) 2012 The Android Open Source Project 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * * Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * * Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in 12 * the documentation and/or other materials provided with the 13 * distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT 25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29 /* 30 * Copyright (c) 1988 Regents of the University of California. 31 * All rights reserved. 32 * 33 * Redistribution and use in source and binary forms, with or without 34 * modification, are permitted provided that the following conditions 35 * are met: 36 * 1. Redistributions of source code must retain the above copyright 37 * notice, this list of conditions and the following disclaimer. 38 * 2. Redistributions in binary form must reproduce the above copyright 39 * notice, this list of conditions and the following disclaimer in the 40 * documentation and/or other materials provided with the distribution. 41 * 3. Neither the name of the University nor the names of its contributors 42 * may be used to endorse or promote products derived from this software 43 * without specific prior written permission. 44 * 45 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 46 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 47 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 48 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 49 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 50 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 51 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 53 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 54 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 55 * SUCH DAMAGE. 56 */ 57 58 #undef _FORTIFY_SOURCE 59 60 #include <poll.h> 61 #include <stdarg.h> 62 #include <stddef.h> 63 #include <stdio.h> 64 #include <stdlib.h> 65 #include <string.h> 66 #include <sys/cdefs.h> 67 #include <sys/select.h> 68 #include <sys/socket.h> 69 #include <sys/stat.h> 70 #include <unistd.h> 71 72 #include "private/bionic_fortify.h" 73 74 // 75 // For more about FORTIFY see: 76 // 77 // https://android-developers.googleblog.com/2017/04/fortify-in-android.html 78 // 79 // http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html 80 // http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html 81 // 82 83 struct __bionic_zero_size_is_okay_t __bionic_zero_size_is_okay; 84 85 int __FD_ISSET_chk(int fd, fd_set* set, size_t set_size) { 86 __check_fd_set("FD_ISSET", fd, set_size); 87 return FD_ISSET(fd, set); 88 } 89 90 void __FD_CLR_chk(int fd, fd_set* set, size_t set_size) { 91 __check_fd_set("FD_CLR", fd, set_size); 92 FD_CLR(fd, set); 93 } 94 95 void __FD_SET_chk(int fd, fd_set* set, size_t set_size) { 96 __check_fd_set("FD_SET", fd, set_size); 97 FD_SET(fd, set); 98 } 99 100 char* __fgets_chk(char* dst, int supplied_size, FILE* stream, size_t dst_len_from_compiler) { 101 if (supplied_size < 0) { 102 __fortify_fatal("fgets: buffer size %d < 0", supplied_size); 103 } 104 __check_buffer_access("fgets", "write into", supplied_size, dst_len_from_compiler); 105 return fgets(dst, supplied_size, stream); 106 } 107 108 size_t __fread_chk(void* __restrict buf, size_t size, size_t count, 109 FILE* __restrict stream, size_t buf_size) { 110 size_t total; 111 if (__predict_false(__size_mul_overflow(size, count, &total))) { 112 // overflow: trigger the error path in fread 113 return fread(buf, size, count, stream); 114 } 115 __check_buffer_access("fread", "write into", total, buf_size); 116 return fread(buf, size, count, stream); 117 } 118 119 size_t __fwrite_chk(const void* __restrict buf, size_t size, size_t count, 120 FILE* __restrict stream, size_t buf_size) { 121 size_t total; 122 if (__predict_false(__size_mul_overflow(size, count, &total))) { 123 // overflow: trigger the error path in fwrite 124 return fwrite(buf, size, count, stream); 125 } 126 __check_buffer_access("fwrite", "read from", total, buf_size); 127 return fwrite(buf, size, count, stream); 128 } 129 130 extern char* __getcwd_chk(char* buf, size_t len, size_t actual_size) { 131 __check_buffer_access("getcwd", "write into", len, actual_size); 132 return getcwd(buf, len); 133 } 134 135 void* __memchr_chk(const void* s, int c, size_t n, size_t actual_size) { 136 __check_buffer_access("memchr", "read from", n, actual_size); 137 return const_cast<void*>(memchr(s, c, n)); 138 } 139 140 // Runtime implementation of __builtin____memmove_chk (used directly by compiler, not in headers). 141 extern "C" void* __memmove_chk(void* dst, const void* src, size_t len, size_t dst_len) { 142 __check_buffer_access("memmove", "write into", len, dst_len); 143 return memmove(dst, src, len); 144 } 145 146 // memcpy is performance-critical enough that we have assembler __memcpy_chk implementations. 147 // This function is used to give better diagnostics than we can easily do from assembler. 148 extern "C" void* __memcpy_chk_fail(void* /*dst*/, const void* /*src*/, size_t count, size_t dst_len) { 149 __check_count("memcpy", "count", count); 150 __check_buffer_access("memcpy", "write into", count, dst_len); 151 abort(); // One of the above is supposed to have failed, otherwise we shouldn't have been called. 152 } 153 154 void* __memrchr_chk(const void* s, int c, size_t n, size_t actual_size) { 155 __check_buffer_access("memrchr", "read from", n, actual_size); 156 return memrchr(s, c, n); 157 } 158 159 // memset is performance-critical enough that we have assembler __memset_chk implementations. 160 // This function is used to give better diagnostics than we can easily do from assembler. 161 extern "C" void* __memset_chk_fail(void* /*dst*/, int /*byte*/, size_t count, size_t dst_len) { 162 __check_count("memset", "count", count); 163 __check_buffer_access("memset", "write into", count, dst_len); 164 abort(); // One of the above is supposed to have failed, otherwise we shouldn't have been called. 165 } 166 167 int __poll_chk(pollfd* fds, nfds_t fd_count, int timeout, size_t fds_size) { 168 __check_pollfd_array("poll", fds_size, fd_count); 169 return poll(fds, fd_count, timeout); 170 } 171 172 int __ppoll_chk(pollfd* fds, nfds_t fd_count, const timespec* timeout, 173 const sigset_t* mask, size_t fds_size) { 174 __check_pollfd_array("ppoll", fds_size, fd_count); 175 return ppoll(fds, fd_count, timeout, mask); 176 } 177 178 ssize_t __pread64_chk(int fd, void* buf, size_t count, off64_t offset, size_t buf_size) { 179 __check_count("pread64", "count", count); 180 __check_buffer_access("pread64", "write into", count, buf_size); 181 return pread64(fd, buf, count, offset); 182 } 183 184 ssize_t __pread_chk(int fd, void* buf, size_t count, off_t offset, size_t buf_size) { 185 __check_count("pread", "count", count); 186 __check_buffer_access("pread", "write into", count, buf_size); 187 return pread(fd, buf, count, offset); 188 } 189 190 ssize_t __pwrite64_chk(int fd, const void* buf, size_t count, off64_t offset, 191 size_t buf_size) { 192 __check_count("pwrite64", "count", count); 193 __check_buffer_access("pwrite64", "read from", count, buf_size); 194 return pwrite64(fd, buf, count, offset); 195 } 196 197 ssize_t __pwrite_chk(int fd, const void* buf, size_t count, off_t offset, 198 size_t buf_size) { 199 __check_count("pwrite", "count", count); 200 __check_buffer_access("pwrite", "read from", count, buf_size); 201 return pwrite(fd, buf, count, offset); 202 } 203 204 ssize_t __read_chk(int fd, void* buf, size_t count, size_t buf_size) { 205 __check_count("read", "count", count); 206 __check_buffer_access("read", "write into", count, buf_size); 207 return read(fd, buf, count); 208 } 209 210 ssize_t __readlinkat_chk(int dirfd, const char* path, char* buf, size_t size, size_t buf_size) { 211 __check_count("readlinkat", "size", size); 212 __check_buffer_access("readlinkat", "write into", size, buf_size); 213 return readlinkat(dirfd, path, buf, size); 214 } 215 216 ssize_t __readlink_chk(const char* path, char* buf, size_t size, size_t buf_size) { 217 __check_count("readlink", "size", size); 218 __check_buffer_access("readlink", "write into", size, buf_size); 219 return readlink(path, buf, size); 220 } 221 222 ssize_t __recvfrom_chk(int socket, void* buf, size_t len, size_t buf_size, 223 int flags, sockaddr* src_addr, socklen_t* addrlen) { 224 __check_buffer_access("recvfrom", "write into", len, buf_size); 225 return recvfrom(socket, buf, len, flags, src_addr, addrlen); 226 } 227 228 ssize_t __sendto_chk(int socket, const void* buf, size_t len, size_t buflen, 229 int flags, const struct sockaddr* dest_addr, 230 socklen_t addrlen) { 231 __check_buffer_access("sendto", "read from", len, buflen); 232 return sendto(socket, buf, len, flags, dest_addr, addrlen); 233 } 234 235 // Runtime implementation of __builtin____stpcpy_chk (used directly by compiler, not in headers).. 236 extern "C" char* __stpcpy_chk(char* dst, const char* src, size_t dst_len) { 237 // TODO: optimize so we don't scan src twice. 238 size_t src_len = strlen(src) + 1; 239 __check_buffer_access("stpcpy", "write into", src_len, dst_len); 240 return stpcpy(dst, src); 241 } 242 243 // Runtime implementation of __builtin____stpncpy_chk (used directly by compiler, not in headers). 244 extern "C" char* __stpncpy_chk(char* __restrict dst, const char* __restrict src, 245 size_t len, size_t dst_len) { 246 __check_buffer_access("stpncpy", "write into", len, dst_len); 247 return stpncpy(dst, src, len); 248 } 249 250 // This is a variant of __stpncpy_chk, but it also checks to make 251 // sure we don't read beyond the end of "src". The code for this is 252 // based on the original version of stpncpy, but modified to check 253 // how much we read from "src" at the end of the copy operation. 254 char* __stpncpy_chk2(char* __restrict dst, const char* __restrict src, 255 size_t n, size_t dst_len, size_t src_len) { 256 __check_buffer_access("stpncpy", "write into", n, dst_len); 257 if (n != 0) { 258 char* d = dst; 259 const char* s = src; 260 261 do { 262 if ((*d++ = *s++) == 0) { 263 // NUL pad the remaining n-1 bytes. 264 while (--n != 0) { 265 *d++ = 0; 266 } 267 break; 268 } 269 } while (--n != 0); 270 271 size_t s_copy_len = static_cast<size_t>(s - src); 272 if (__predict_false(s_copy_len > src_len)) { 273 __fortify_fatal("stpncpy: detected read past end of %zu-byte buffer", src_len); 274 } 275 } 276 277 return dst; 278 } 279 280 // strcat is performance-critical enough that we have assembler __strcat_chk implementations. 281 // This function is used to give better diagnostics than we can easily do from assembler. 282 extern "C" void __strcat_chk_fail(size_t dst_buf_size) { 283 __fortify_fatal("strcat: prevented write past end of %zu-byte buffer", dst_buf_size); 284 } 285 286 char* __strchr_chk(const char* p, int ch, size_t s_len) { 287 for (;; ++p, s_len--) { 288 if (__predict_false(s_len == 0)) { 289 __fortify_fatal("strchr: prevented read past end of buffer"); 290 } 291 if (*p == static_cast<char>(ch)) { 292 return const_cast<char*>(p); 293 } 294 if (*p == '\0') { 295 return NULL; 296 } 297 } 298 } 299 300 // strcpy is performance-critical enough that we have assembler __strcpy_chk implementations. 301 // This function is used to give better diagnostics than we can easily do from assembler. 302 extern "C" void __strcpy_chk_fail(size_t dst_buf_size) { 303 __fortify_fatal("strcpy: prevented write past end of %zu-byte buffer", dst_buf_size); 304 } 305 306 size_t __strlcat_chk(char* dst, const char* src, 307 size_t supplied_size, size_t dst_len_from_compiler) { 308 __check_buffer_access("strlcat", "write into", supplied_size, dst_len_from_compiler); 309 return strlcat(dst, src, supplied_size); 310 } 311 312 size_t __strlcpy_chk(char* dst, const char* src, 313 size_t supplied_size, size_t dst_len_from_compiler) { 314 __check_buffer_access("strlcpy", "write into", supplied_size, dst_len_from_compiler); 315 return strlcpy(dst, src, supplied_size); 316 } 317 318 size_t __strlen_chk(const char* s, size_t s_len) { 319 // TODO: "prevented" here would be a lie because this strlen can run off the end. 320 // strlen is too important to be expensive, so we wanted to be able to call the optimized 321 // implementation, but I think we need to implement optimized assembler __strlen_chk routines. 322 size_t ret = strlen(s); 323 if (__predict_false(ret >= s_len)) { 324 __fortify_fatal("strlen: detected read past end of buffer"); 325 } 326 return ret; 327 } 328 329 // Runtime implementation of __builtin____strncat_chk (used directly by compiler, not in headers). 330 extern "C" char* __strncat_chk(char* __restrict dst, const char* __restrict src, 331 size_t len, size_t dst_buf_size) { 332 if (len == 0) { 333 return dst; 334 } 335 336 size_t dst_len = __strlen_chk(dst, dst_buf_size); 337 char* d = dst + dst_len; 338 dst_buf_size -= dst_len; 339 340 while (*src != '\0') { 341 *d++ = *src++; 342 len--; dst_buf_size--; 343 344 if (__predict_false(dst_buf_size == 0)) { 345 __fortify_fatal("strncat: prevented write past end of buffer"); 346 } 347 348 if (len == 0) { 349 break; 350 } 351 } 352 353 *d = '\0'; 354 return dst; 355 } 356 357 // Runtime implementation of __builtin____strncpy_chk (used directly by compiler, not in headers). 358 extern "C" char* __strncpy_chk(char* __restrict dst, const char* __restrict src, 359 size_t len, size_t dst_len) { 360 __check_buffer_access("strncpy", "write into", len, dst_len); 361 return strncpy(dst, src, len); 362 } 363 364 // This is a variant of __strncpy_chk, but it also checks to make 365 // sure we don't read beyond the end of "src". The code for this is 366 // based on the original version of strncpy, but modified to check 367 // how much we read from "src" at the end of the copy operation. 368 char* __strncpy_chk2(char* __restrict dst, const char* __restrict src, 369 size_t n, size_t dst_len, size_t src_len) { 370 __check_buffer_access("strncpy", "write into", n, dst_len); 371 if (n != 0) { 372 char* d = dst; 373 const char* s = src; 374 375 do { 376 if ((*d++ = *s++) == 0) { 377 // NUL pad the remaining n-1 bytes. 378 while (--n != 0) { 379 *d++ = 0; 380 } 381 break; 382 } 383 } while (--n != 0); 384 385 size_t s_copy_len = static_cast<size_t>(s - src); 386 if (__predict_false(s_copy_len > src_len)) { 387 __fortify_fatal("strncpy: detected read past end of %zu-byte buffer", src_len); 388 } 389 } 390 391 return dst; 392 } 393 394 char* __strrchr_chk(const char* p, int ch, size_t s_len) { 395 for (const char* save = NULL;; ++p, s_len--) { 396 if (s_len == 0) { 397 __fortify_fatal("strrchr: prevented read past end of buffer"); 398 } 399 if (*p == static_cast<char>(ch)) { 400 save = p; 401 } 402 if (!*p) { 403 return const_cast<char*>(save); 404 } 405 } 406 } 407 408 mode_t __umask_chk(mode_t mode) { 409 if (__predict_false((mode & 0777) != mode)) { 410 __fortify_fatal("umask: called with invalid mask %o", mode); 411 } 412 413 return umask(mode); 414 } 415 416 // Runtime implementation of __builtin____vsnprintf_chk (used directly by compiler, not in headers). 417 extern "C" int __vsnprintf_chk(char* dst, size_t supplied_size, int /*flags*/, 418 size_t dst_len_from_compiler, const char* format, va_list va) { 419 __check_buffer_access("vsnprintf", "write into", supplied_size, dst_len_from_compiler); 420 return vsnprintf(dst, supplied_size, format, va); 421 } 422 423 // Runtime implementation of __builtin____snprintf_chk (used directly by compiler, not in headers). 424 extern "C" int __snprintf_chk(char* dst, size_t supplied_size, int flags, 425 size_t dst_len_from_compiler, const char* format, ...) { 426 va_list va; 427 va_start(va, format); 428 int result = __vsnprintf_chk(dst, supplied_size, flags, dst_len_from_compiler, format, va); 429 va_end(va); 430 return result; 431 } 432 433 // Runtime implementation of __builtin____vsprintf_chk (used directly by compiler, not in headers). 434 extern "C" int __vsprintf_chk(char* dst, int /*flags*/, 435 size_t dst_len_from_compiler, const char* format, va_list va) { 436 // The compiler uses SIZE_MAX to mean "no idea", but our vsnprintf rejects sizes that large. 437 int result = vsnprintf(dst, 438 dst_len_from_compiler == SIZE_MAX ? SSIZE_MAX : dst_len_from_compiler, 439 format, va); 440 441 // Try to catch failures after the fact... 442 __check_buffer_access("vsprintf", "write into", result + 1, dst_len_from_compiler); 443 return result; 444 } 445 446 // Runtime implementation of __builtin____sprintf_chk (used directly by compiler, not in headers). 447 extern "C" int __sprintf_chk(char* dst, int flags, size_t dst_len_from_compiler, 448 const char* format, ...) { 449 va_list va; 450 va_start(va, format); 451 int result = __vsprintf_chk(dst, flags, dst_len_from_compiler, format, va); 452 va_end(va); 453 return result; 454 } 455 456 ssize_t __write_chk(int fd, const void* buf, size_t count, size_t buf_size) { 457 __check_count("write", "count", count); 458 __check_buffer_access("write", "read from", count, buf_size); 459 return write(fd, buf, count); 460 } 461
