From 9101b00400cfb20b96112682169c5da67e065ff2 Mon Sep 17 00:00:00 2001 From: Daniel Micay Date: Wed, 20 May 2015 15:31:26 -0400 Subject: [PATCH] add a fortified implementation of getcwd Change-Id: Ice3e6d3e1ff07788305dc85f8ee4059baad5fac4 --- libc/Android.mk | 1 + libc/bionic/__getcwd_chk.cpp | 40 ++++++++++++++++++++++++++++++ libc/bionic/getcwd.cpp | 1 + libc/include/unistd.h | 35 ++++++++++++++++++++++++++ libc/libc.map | 1 + tests/fortify_compilation_test.cpp | 8 ++++++ tests/fortify_test.cpp | 6 +++++ 7 files changed, 92 insertions(+) create mode 100644 libc/bionic/__getcwd_chk.cpp diff --git a/libc/Android.mk b/libc/Android.mk index 2f0c7239d..0f18ca4a0 100644 --- a/libc/Android.mk +++ b/libc/Android.mk @@ -72,6 +72,7 @@ libc_common_src_files += \ bionic/__fgets_chk.cpp \ bionic/__fread_chk.cpp \ bionic/__fwrite_chk.cpp \ + bionic/__getcwd_chk.cpp \ bionic/__memchr_chk.cpp \ bionic/__memmove_chk.cpp \ bionic/__memrchr_chk.cpp \ diff --git a/libc/bionic/__getcwd_chk.cpp b/libc/bionic/__getcwd_chk.cpp new file mode 100644 index 000000000..b53ab5c35 --- /dev/null +++ b/libc/bionic/__getcwd_chk.cpp @@ -0,0 +1,40 @@ +/* + * Copyright (C) 2015 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#undef _FORTIFY_SOURCE + +#include +#include "private/libc_logging.h" + +extern char* __getcwd_chk(char* buf, size_t len, size_t buflen) { + if (__predict_false(len > buflen)) { + __fortify_chk_fail("getcwd: prevented write past end of buffer", 0); + } + + return getcwd(buf, len); +} diff --git a/libc/bionic/getcwd.cpp b/libc/bionic/getcwd.cpp index a8bbcf31b..bcd6a5784 100644 --- a/libc/bionic/getcwd.cpp +++ b/libc/bionic/getcwd.cpp @@ -26,6 +26,7 @@ * SUCH DAMAGE. */ +#undef _FORTIFY_SOURCE #include #include #include diff --git a/libc/include/unistd.h b/libc/include/unistd.h index f0de29e2a..904447ce3 100644 --- a/libc/include/unistd.h +++ b/libc/include/unistd.h @@ -224,6 +224,10 @@ extern int tcsetpgrp(int fd, pid_t _pid); } while (_rc == -1 && errno == EINTR); \ _rc; }) +extern char* __getcwd_chk(char*, size_t, size_t); +__errordecl(__getcwd_dest_size_error, "getcwd called with size bigger than destination"); +extern char* __getcwd_real(char*, size_t) __RENAME(getcwd); + extern ssize_t __pread_chk(int, void*, size_t, off_t, size_t); __errordecl(__pread_dest_size_error, "pread called with size bigger than destination"); __errordecl(__pread_count_toobig_error, "pread called with count > SSIZE_MAX"); @@ -251,6 +255,37 @@ extern ssize_t __readlinkat_real(int dirfd, const char*, char*, size_t) __RENAME #if defined(__BIONIC_FORTIFY) +__BIONIC_FORTIFY_INLINE +char* getcwd(char* buf, size_t size) { + size_t bos = __bos(buf); + +#if defined(__clang__) + /* + * Work around LLVM's incorrect __builtin_object_size implementation here + * to avoid needing the workaround in the __getcwd_chk ABI forever. + * + * https://llvm.org/bugs/show_bug.cgi?id=23277 + */ + if (buf == NULL) { + bos = __BIONIC_FORTIFY_UNKNOWN_SIZE; + } +#else + if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) { + return __getcwd_real(buf, size); + } + + if (__builtin_constant_p(size) && (size > bos)) { + __getcwd_dest_size_error(); + } + + if (__builtin_constant_p(size) && (size <= bos)) { + return __getcwd_real(buf, size); + } +#endif + + return __getcwd_chk(buf, size, bos); +} + #if defined(__USE_FILE_OFFSET64) #define __PREAD_PREFIX(x) __pread64_ ## x #else diff --git a/libc/libc.map b/libc/libc.map index 8c3ac9e72..6117d539b 100644 --- a/libc/libc.map +++ b/libc/libc.map @@ -1336,6 +1336,7 @@ LIBC_N { global: __fread_chk; __fwrite_chk; + __getcwd_chk; getgrgid_r; getgrnam_r; } LIBC; diff --git a/tests/fortify_compilation_test.cpp b/tests/fortify_compilation_test.cpp index 166e8d9f9..072006ea5 100644 --- a/tests/fortify_compilation_test.cpp +++ b/tests/fortify_compilation_test.cpp @@ -262,3 +262,11 @@ void test_fwrite_too_big() { // clang should emit a warning, but doesn't fwrite(buf, 1, 5, stdout); } + +void test_getcwd() { + char buf[4]; + // NOLINTNEXTLINE(whitespace/line_length) + // GCC: error: call to '__getcwd_dest_size_error' declared with attribute error: getcwd called with size bigger than destination + // clang should emit a warning, but doesn't + getcwd(buf, 5); +} diff --git a/tests/fortify_test.cpp b/tests/fortify_test.cpp index 664e057a6..8f66cc823 100644 --- a/tests/fortify_test.cpp +++ b/tests/fortify_test.cpp @@ -623,6 +623,12 @@ TEST_F(DEATHTEST, FD_ISSET_2_fortified) { ASSERT_FORTIFY(FD_ISSET(0, set)); } +TEST_F(DEATHTEST, getcwd_fortified) { + char buf[1]; + size_t ct = atoi("2"); // prevent optimizations + ASSERT_FORTIFY(getcwd(buf, ct)); +} + TEST_F(DEATHTEST, pread_fortified) { char buf[1]; size_t ct = atoi("2"); // prevent optimizations