add fortified implementations of write/pwrite{,64}
These are just based on the read/pread{,64} implementations with the
function calls and error messages adjusted as appropriate. The only
difference is that the buffer parameters are const.
Change-Id: Ida1597a903807f583f230d74bcedffdb7b24fcf6
diff --git a/libc/Android.mk b/libc/Android.mk
index 0f18ca4..9f28357 100644
--- a/libc/Android.mk
+++ b/libc/Android.mk
@@ -79,6 +79,8 @@
bionic/__poll_chk.cpp \
bionic/__pread64_chk.cpp \
bionic/__pread_chk.cpp \
+ bionic/__pwrite64_chk.cpp \
+ bionic/__pwrite_chk.cpp \
bionic/__read_chk.cpp \
bionic/__readlink_chk.cpp \
bionic/__readlinkat_chk.cpp \
@@ -95,6 +97,7 @@
bionic/__umask_chk.cpp \
bionic/__vsnprintf_chk.cpp \
bionic/__vsprintf_chk.cpp \
+ bionic/__write_chk.cpp
libc_bionic_ndk_src_files := \
bionic/abort.cpp \
diff --git a/libc/bionic/__pwrite64_chk.cpp b/libc/bionic/__pwrite64_chk.cpp
new file mode 100644
index 0000000..e488ca1
--- /dev/null
+++ b/libc/bionic/__pwrite64_chk.cpp
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2015 The Android Open Source Project
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#undef _FORTIFY_SOURCE
+#include <unistd.h>
+#include "private/libc_logging.h"
+
+extern "C" ssize_t __pwrite64_chk(int fd, const void* buf, size_t count, off64_t offset,
+ size_t buf_size) {
+ if (__predict_false(count > buf_size)) {
+ __fortify_chk_fail("pwrite64: prevented read past end of buffer", 0);
+ }
+
+ if (__predict_false(count > SSIZE_MAX)) {
+ __fortify_chk_fail("pwrite64: count > SSIZE_MAX", 0);
+ }
+
+ return pwrite64(fd, buf, count, offset);
+}
diff --git a/libc/bionic/__pwrite_chk.cpp b/libc/bionic/__pwrite_chk.cpp
new file mode 100644
index 0000000..a889ef6
--- /dev/null
+++ b/libc/bionic/__pwrite_chk.cpp
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2015 The Android Open Source Project
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#undef _FORTIFY_SOURCE
+#include <unistd.h>
+#include "private/libc_logging.h"
+
+extern "C" ssize_t __pwrite_chk(int fd, const void* buf, size_t count, off_t offset,
+ size_t buf_size) {
+ if (__predict_false(count > buf_size)) {
+ __fortify_chk_fail("pwrite: prevented read past end of buffer", 0);
+ }
+
+ if (__predict_false(count > SSIZE_MAX)) {
+ __fortify_chk_fail("pwrite: count > SSIZE_MAX", 0);
+ }
+
+ return pwrite(fd, buf, count, offset);
+}
diff --git a/libc/bionic/__write_chk.cpp b/libc/bionic/__write_chk.cpp
new file mode 100644
index 0000000..cbd247a
--- /dev/null
+++ b/libc/bionic/__write_chk.cpp
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2015 The Android Open Source Project
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#undef _FORTIFY_SOURCE
+#include <unistd.h>
+#include "private/libc_logging.h"
+
+extern "C" ssize_t __write_chk(int fd, const void* buf, size_t count, size_t buf_size) {
+ if (__predict_false(count > buf_size)) {
+ __fortify_chk_fail("write: prevented read past end of buffer", 0);
+ }
+
+ if (__predict_false(count > SSIZE_MAX)) {
+ __fortify_chk_fail("write: count > SSIZE_MAX", 0);
+ }
+
+ return write(fd, buf, count);
+}
diff --git a/libc/include/unistd.h b/libc/include/unistd.h
index 904447c..91ae89e 100644
--- a/libc/include/unistd.h
+++ b/libc/include/unistd.h
@@ -238,11 +238,26 @@
__errordecl(__pread64_count_toobig_error, "pread64 called with count > SSIZE_MAX");
extern ssize_t __pread64_real(int, void*, size_t, off64_t) __RENAME(pread64);
+extern ssize_t __pwrite_chk(int, const void*, size_t, off_t, size_t);
+__errordecl(__pwrite_dest_size_error, "pwrite called with size bigger than destination");
+__errordecl(__pwrite_count_toobig_error, "pwrite called with count > SSIZE_MAX");
+extern ssize_t __pwrite_real(int, const void*, size_t, off_t) __RENAME(pwrite);
+
+extern ssize_t __pwrite64_chk(int, const void*, size_t, off64_t, size_t);
+__errordecl(__pwrite64_dest_size_error, "pwrite64 called with size bigger than destination");
+__errordecl(__pwrite64_count_toobig_error, "pwrite64 called with count > SSIZE_MAX");
+extern ssize_t __pwrite64_real(int, const void*, size_t, off64_t) __RENAME(pwrite64);
+
extern ssize_t __read_chk(int, void*, size_t, size_t);
__errordecl(__read_dest_size_error, "read called with size bigger than destination");
__errordecl(__read_count_toobig_error, "read called with count > SSIZE_MAX");
extern ssize_t __read_real(int, void*, size_t) __RENAME(read);
+extern ssize_t __write_chk(int, const void*, size_t, size_t);
+__errordecl(__write_dest_size_error, "write called with size bigger than destination");
+__errordecl(__write_count_toobig_error, "write called with count > SSIZE_MAX");
+extern ssize_t __write_real(int, const void*, size_t) __RENAME(write);
+
extern ssize_t __readlink_chk(const char*, char*, size_t, size_t);
__errordecl(__readlink_dest_size_error, "readlink called with size bigger than destination");
__errordecl(__readlink_size_toobig_error, "readlink called with size > SSIZE_MAX");
@@ -342,6 +357,62 @@
return __pread64_chk(fd, buf, count, offset, bos);
}
+#if defined(__USE_FILE_OFFSET64)
+#define __PWRITE_PREFIX(x) __pwrite64_ ## x
+#else
+#define __PWRITE_PREFIX(x) __pwrite_ ## x
+#endif
+
+__BIONIC_FORTIFY_INLINE
+ssize_t pwrite(int fd, const void* buf, size_t count, off_t offset) {
+ size_t bos = __bos0(buf);
+
+#if !defined(__clang__)
+ if (__builtin_constant_p(count) && (count > SSIZE_MAX)) {
+ __PWRITE_PREFIX(count_toobig_error)();
+ }
+
+ if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
+ return __PWRITE_PREFIX(real)(fd, buf, count, offset);
+ }
+
+ if (__builtin_constant_p(count) && (count > bos)) {
+ __PWRITE_PREFIX(dest_size_error)();
+ }
+
+ if (__builtin_constant_p(count) && (count <= bos)) {
+ return __PWRITE_PREFIX(real)(fd, buf, count, offset);
+ }
+#endif
+
+ return __PWRITE_PREFIX(chk)(fd, buf, count, offset, bos);
+}
+
+__BIONIC_FORTIFY_INLINE
+ssize_t pwrite64(int fd, const void* buf, size_t count, off64_t offset) {
+ size_t bos = __bos0(buf);
+
+#if !defined(__clang__)
+ if (__builtin_constant_p(count) && (count > SSIZE_MAX)) {
+ __pwrite64_count_toobig_error();
+ }
+
+ if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
+ return __pwrite64_real(fd, buf, count, offset);
+ }
+
+ if (__builtin_constant_p(count) && (count > bos)) {
+ __pwrite64_dest_size_error();
+ }
+
+ if (__builtin_constant_p(count) && (count <= bos)) {
+ return __pwrite64_real(fd, buf, count, offset);
+ }
+#endif
+
+ return __pwrite64_chk(fd, buf, count, offset, bos);
+}
+
__BIONIC_FORTIFY_INLINE
ssize_t read(int fd, void* buf, size_t count) {
size_t bos = __bos0(buf);
@@ -368,6 +439,33 @@
}
__BIONIC_FORTIFY_INLINE
+ssize_t write(int fd, const void* buf, size_t count) {
+ size_t bos = __bos0(buf);
+
+#if !defined(__clang__)
+#if 0 /* work around a false positive due to a missed optimization */
+ if (__builtin_constant_p(count) && (count > SSIZE_MAX)) {
+ __write_count_toobig_error();
+ }
+#endif
+
+ if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
+ return __write_real(fd, buf, count);
+ }
+
+ if (__builtin_constant_p(count) && (count > bos)) {
+ __write_dest_size_error();
+ }
+
+ if (__builtin_constant_p(count) && (count <= bos)) {
+ return __write_real(fd, buf, count);
+ }
+#endif
+
+ return __write_chk(fd, buf, count, bos);
+}
+
+__BIONIC_FORTIFY_INLINE
ssize_t readlink(const char* path, char* buf, size_t size) {
size_t bos = __bos(buf);
diff --git a/libc/libc.map b/libc/libc.map
index 6117d53..4670079 100644
--- a/libc/libc.map
+++ b/libc/libc.map
@@ -1337,6 +1337,9 @@
__fread_chk;
__fwrite_chk;
__getcwd_chk;
+ __pwrite_chk;
+ __pwrite64_chk;
+ __write_chk;
getgrgid_r;
getgrnam_r;
} LIBC;
diff --git a/tests/fortify_compilation_test.cpp b/tests/fortify_compilation_test.cpp
index 072006e..1326597 100644
--- a/tests/fortify_compilation_test.cpp
+++ b/tests/fortify_compilation_test.cpp
@@ -21,6 +21,7 @@
#include <poll.h>
#include <stdarg.h>
#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
@@ -248,7 +249,7 @@
}
void test_fwrite_overflow() {
- char buf[4];
+ char buf[4] = {0};
// NOLINTNEXTLINE(whitespace/line_length)
// GCC: error: call to '__fwrite_overflow' declared with attribute error: fwrite called with overflowing size * count
// clang should emit a warning, but doesn't
@@ -270,3 +271,27 @@
// clang should emit a warning, but doesn't
getcwd(buf, 5);
}
+
+void test_pwrite64_size() {
+ char buf[4] = {0};
+ // NOLINTNEXTLINE(whitespace/line_length)
+ // GCC: error: call to '__pwrite64_dest_size_error' declared with attribute error: pwrite64 called with size bigger than destination
+ // clang should emit a warning, but doesn't
+ pwrite64(STDOUT_FILENO, buf, 5, 0);
+}
+
+void test_pwrite64_too_big() {
+ void *buf = calloc(atoi("5"), 1);
+ // NOLINTNEXTLINE(whitespace/line_length)
+ // GCC: error: call to '__pwrite64_count_toobig_error' declared with attribute error: pwrite64 called with count > SSIZE_MAX
+ // clang should emit a warning, but doesn't
+ pwrite64(STDOUT_FILENO, buf, SIZE_MAX, 0);
+}
+
+void test_write_size() {
+ char buf[4] = {0};
+ // NOLINTNEXTLINE(whitespace/line_length)
+ // GCC: error: call to '__write_dest_size_error' declared with attribute error: write called with size bigger than destination
+ // clang should emit a warning, but doesn't
+ write(STDOUT_FILENO, buf, 5);
+}
diff --git a/tests/fortify_test.cpp b/tests/fortify_test.cpp
index 8f66cc8..a349da9 100644
--- a/tests/fortify_test.cpp
+++ b/tests/fortify_test.cpp
@@ -645,6 +645,22 @@
close(fd);
}
+TEST_F(DEATHTEST, pwrite_fortified) {
+ char buf[1] = {0};
+ size_t ct = atoi("2"); // prevent optimizations
+ int fd = open("/dev/null", O_WRONLY);
+ ASSERT_FORTIFY(pwrite(fd, buf, ct, 0));
+ close(fd);
+}
+
+TEST_F(DEATHTEST, pwrite64_fortified) {
+ char buf[1] = {0};
+ size_t ct = atoi("2"); // prevent optimizations
+ int fd = open("/dev/null", O_WRONLY);
+ ASSERT_FORTIFY(pwrite64(fd, buf, ct, 0));
+ close(fd);
+}
+
TEST_F(DEATHTEST, read_fortified) {
char buf[1];
size_t ct = atoi("2"); // prevent optimizations
@@ -653,6 +669,14 @@
close(fd);
}
+TEST_F(DEATHTEST, write_fortified) {
+ char buf[1] = {0};
+ size_t ct = atoi("2"); // prevent optimizations
+ int fd = open("/dev/null", O_WRONLY);
+ ASSERT_EXIT(write(fd, buf, ct), testing::KilledBySignal(SIGABRT), "");
+ close(fd);
+}
+
TEST_F(DEATHTEST, fread_fortified) {
char buf[1];
size_t ct = atoi("2"); // prevent optimizations