Пример #1
0
extern "C" ssize_t __readlink_chk(const char* path, char* buf, size_t size, size_t buf_size) {
  if (__predict_false(size > buf_size)) {
    __fortify_chk_fail("readlink: prevented write past end of buffer", 0);
  }

  if (__predict_false(size > SSIZE_MAX)) {
    __fortify_chk_fail("readlink: size > SSIZE_MAX", 0);
  }

  return readlink(path, buf, size);
}
Пример #2
0
extern "C" void __FD_SET_chk(int fd, fd_set* set, size_t set_size) {
  if (__predict_false(fd < 0)) {
    __fortify_chk_fail("FD_SET: file descriptor < 0", 0);
  }
  if (__predict_false(fd >= FD_SETSIZE)) {
    __fortify_chk_fail("FD_SET: file descriptor >= FD_SETSIZE", 0);
  }
  if (__predict_false(set_size < sizeof(fd_set))) {
    __fortify_chk_fail("FD_SET: set is too small", 0);
  }
  FD_SET(fd, set);
}
Пример #3
0
/*
 * __fgets_chk. Called in place of fgets() when we know the
 * size of the buffer we're writing into.
 *
 * See
 *   http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
 * for details.
 *
 * This fgets check is called if _FORTIFY_SOURCE is defined and
 * greater than 0.
 */
char* __fgets_chk(char* dest, int supplied_size,
                  FILE* stream, size_t dest_len_from_compiler) {
  if (supplied_size < 0) {
    __fortify_chk_fail("fgets: buffer size < 0", 0);
  }

  if (((size_t) supplied_size) > dest_len_from_compiler) {
    __fortify_chk_fail("fgets: prevented write past end of buffer", 0);
  }

  return fgets(dest, supplied_size, stream);
}
Пример #4
0
extern "C" ssize_t __pwrite64_chk(int fd, const void* buf, size_t count, off64_t offset,
                                  size_t buf_size) {
  if (__predict_false(count > buf_size)) {
    __fortify_chk_fail("pwrite64: prevented read past end of buffer", 0);
  }

  if (__predict_false(count > SSIZE_MAX)) {
    __fortify_chk_fail("pwrite64: count > SSIZE_MAX", 0);
  }

  return pwrite64(fd, buf, count, offset);
}
Пример #5
0
extern "C" void* __memchr_chk(const void* s, int c, size_t n, size_t buf_size) {
  if (__predict_false(n > buf_size)) {
    __fortify_chk_fail("memchr: prevented read past end of buffer", 0);
  }

  return memchr(s, c, n);
}
Пример #6
0
/*
 * Runtime implementation of __builtin____memset_chk.
 *
 * See
 *   http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
 *   http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
 * for details.
 *
 * This memset check is called if _FORTIFY_SOURCE is defined and
 * greater than 0.
 */
extern "C" void *__memset_chk (void *dest, int c, size_t n, size_t dest_len) {
    if (__predict_false(n > dest_len)) {
        __fortify_chk_fail("memset buffer overflow",
                             BIONIC_EVENT_MEMSET_BUFFER_OVERFLOW);
    }

    return memset(dest, c, n);
}
Пример #7
0
/*
 * __strlcpy_chk. Called in place of strlcpy() when we know the
 * size of the buffer we're writing into.
 *
 * See
 *   http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
 *   http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
 * for details.
 *
 * This strlcpy check is called if _FORTIFY_SOURCE is defined and
 * greater than 0.
 */
extern "C" size_t __strlcpy_chk(char* dest, const char* src,
                                size_t supplied_size, size_t dest_len_from_compiler) {
  if (__predict_false(supplied_size > dest_len_from_compiler)) {
    __fortify_chk_fail("strlcpy: prevented write past end of buffer", 0);
  }

  return strlcpy(dest, src, supplied_size);
}
Пример #8
0
ssize_t __recvfrom_chk(int socket, void* buf, size_t len, size_t buflen, unsigned int flags,
                       const struct sockaddr* src_addr, socklen_t* addrlen) {
  if (__predict_false(len > buflen)) {
    __fortify_chk_fail("recvfrom: prevented write past end of buffer", 0);
  }

  return recvfrom(socket, buf, len, flags, src_addr, addrlen);
}
Пример #9
0
/*
 * Runtime implementation of __strlen_chk.
 *
 * See
 *   http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
 *   http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
 * for details.
 *
 * This strlen check is called if _FORTIFY_SOURCE is defined and
 * greater than 0.
 *
 * This test is designed to detect code such as:
 *
 * int main() {
 *   char buf[10];
 *   memcpy(buf, "1234567890", sizeof(buf));
 *   size_t len = strlen(buf); // segfault here with _FORTIFY_SOURCE
 *   printf("%d\n", len);
 *   return 0;
 * }
 *
 * or anytime strlen reads beyond an object boundary.
 */
extern "C" size_t __strlen_chk(const char *s, size_t s_len) {
    size_t ret = strlen(s);

    if (__builtin_expect(ret >= s_len, 0)) {
        __fortify_chk_fail("strlen read overflow", 0);
    }

    return ret;
}
Пример #10
0
/*
 * Runtime implementation of __builtin____memmove_chk.
 *
 * See
 *   http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
 *   http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
 * for details.
 *
 * This memmove check is called if _FORTIFY_SOURCE is defined and
 * greater than 0.
 */
extern "C" void* __memmove_chk (void* dest, const void* src,
                                size_t len, size_t dest_len) {
  if (__predict_false(len > dest_len)) {
    __fortify_chk_fail("memmove: prevented write past end of buffer",
                       BIONIC_EVENT_MEMMOVE_BUFFER_OVERFLOW);
  }

  return memmove(dest, src, len);
}
Пример #11
0
/*
 * Runtime implementation of __strlen_chk.
 *
 * See
 *   http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
 *   http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
 * for details.
 *
 * This strlen check is called if _FORTIFY_SOURCE is defined and
 * greater than 0.
 *
 * This test is designed to detect code such as:
 *
 * int main() {
 *   char buf[10];
 *   memcpy(buf, "1234567890", sizeof(buf));
 *   size_t len = strlen(buf); // segfault here with _FORTIFY_SOURCE
 *   printf("%d\n", len);
 *   return 0;
 * }
 *
 * or anytime strlen reads beyond an object boundary.
 */
size_t __strlen_chk(const char* s, size_t s_len) {
  size_t ret = strlen(s);

  if (__predict_false(ret >= s_len)) {
    __fortify_chk_fail("strlen: prevented read past end of buffer", 0);
  }

  return ret;
}
Пример #12
0
/*
 * Runtime implementation of __builtin____strcpy_chk.
 *
 * See
 *   http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
 *   http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
 * for details.
 *
 * This strcpy check is called if _FORTIFY_SOURCE is defined and
 * greater than 0.
 */
char *__strcpy_chk (char *dest, const char *src, size_t dest_len) {
    // TODO: optimize so we don't scan src twice.
    size_t src_len = strlen(src) + 1;
    if (__predict_false(src_len > dest_len)) {
        __fortify_chk_fail("strcpy prevented write past end of buffer",
                             BIONIC_EVENT_STRCPY_BUFFER_OVERFLOW);
    }

    return strcpy(dest, src);
}
Пример #13
0
/*
 * Runtime implementation of __builtin____memmove_chk.
 *
 * See
 *   http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
 *   http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
 * for details.
 *
 * This memmove check is called if _FORTIFY_SOURCE is defined and
 * greater than 0.
 */
extern "C" void *__memmove_chk (void *dest, const void *src,
              size_t len, size_t dest_len)
{
    if (len > dest_len) {
        __fortify_chk_fail("memmove buffer overflow",
                             BIONIC_EVENT_MEMMOVE_BUFFER_OVERFLOW);
    }

    return memmove(dest, src, len);
}
Пример #14
0
/*
 * Runtime implementation of __builtin____strncpy_chk.
 *
 * See
 *   http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
 *   http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
 * for details.
 *
 * This strncpy check is called if _FORTIFY_SOURCE is defined and
 * greater than 0.
 */
extern "C" char *__strncpy_chk (char *dest, const char *src,
              size_t len, size_t dest_len)
{
    if (__predict_false(len > dest_len)) {
        __fortify_chk_fail("strncpy buffer overflow",
                             BIONIC_EVENT_STRNCPY_BUFFER_OVERFLOW);
    }

    return strncpy(dest, src, len);
}
Пример #15
0
char* __strchr_chk(const char* p, int ch, size_t s_len) {
  for (;; ++p, s_len--) {
    if (__predict_false(s_len == 0)) {
      __fortify_chk_fail("strchr prevented read past end of buffer", 0);
    }
    if (*p == (char)(ch)) {
      return (char*)(p);
    }
    if (*p == '\0') {
      return NULL;
    }
  }
  /* NOTREACHED */
}
Пример #16
0
/*
 * Runtime implementation of __builtin____vsnprintf_chk.
 *
 * See
 *   http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
 *   http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
 * for details.
 *
 * This vsnprintf check is called if _FORTIFY_SOURCE is defined and
 * greater than 0.
 */
extern "C" int __vsnprintf_chk(
        char *dest,
        size_t supplied_size,
        int /*flags*/,
        size_t dest_len_from_compiler,
        const char *format,
        va_list va)
{
    if (__predict_false(supplied_size > dest_len_from_compiler)) {
        __fortify_chk_fail("vsnprintf buffer overflow", 0);
    }

    return vsnprintf(dest, supplied_size, format, va);
}
Пример #17
0
extern "C" char* __strrchr_chk(const char *p, int ch, size_t s_len)
{
    char *save;

    for (save = NULL;; ++p, s_len--) {
        if (s_len == 0)
            __fortify_chk_fail("strrchr prevented read past end of buffer", 0);
        if (*p == (char) ch)
            save = (char *)p;
        if (!*p)
            return(save);
    }
    /* NOTREACHED */
}
Пример #18
0
/*
 * Runtime implementation of __builtin____vsnprintf_chk.
 *
 * See
 *   http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
 *   http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
 * for details.
 *
 * This vsnprintf check is called if _FORTIFY_SOURCE is defined and
 * greater than 0.
 */
int __vsnprintf_chk(
        char *dest,
        size_t supplied_size,
        int flags UNUSED,
        size_t dest_len_from_compiler,
        const char *format,
        va_list va)
{
    if (supplied_size > dest_len_from_compiler) {
        __fortify_chk_fail("vsnprintf buffer overflow", 0);
    }

    return vsnprintf(dest, supplied_size, format, va);
}
Пример #19
0
/*
 * Runtime implementation of __builtin____vsprintf_chk.
 *
 * See
 *   http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
 *   http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
 * for details.
 *
 * This vsprintf check is called if _FORTIFY_SOURCE is defined and
 * greater than 0.
 */
int __vsprintf_chk(
        char *dest,
        int flags __unused,
        size_t dest_len_from_compiler,
        const char *format,
        va_list va)
{
    int ret = vsnprintf(dest, dest_len_from_compiler, format, va);

    if ((size_t) ret >= dest_len_from_compiler) {
        __fortify_chk_fail("vsprintf prevented write past end of buffer", 0);
    }

    return ret;
}
Пример #20
0
char *
__strrchr_chk(const char *p, int ch, size_t s_len)
{
	char *save;

	for (save = NULL;; ++p, s_len--) {
		if (s_len == 0)
			__fortify_chk_fail("strrchr read beyond buffer", 0);
		if (*p == (char) ch)
			save = (char *)p;
		if (!*p)
			return(save);
	}
	/* NOTREACHED */
}
Пример #21
0
/*
 * Runtime implementation of __builtin____strncat_chk.
 *
 * See
 *   http://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
 *   http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
 * for details.
 *
 * This strncat check is called if _FORTIFY_SOURCE is defined and
 * greater than 0.
 */
char *__strncat_chk (char *dest, const char *src,
              size_t len, size_t dest_buf_size)
{
    // TODO: optimize so we don't scan src/dest twice.
    size_t dest_len = strlen(dest);
    size_t src_len = strlen(src);
    if (src_len > len) {
        src_len = len;
    }

    size_t sum;
    // sum = src_len + dest_len + 1 (with overflow protection)
    if (!safe_add3(&sum, src_len, dest_len, 1U)) {
        __fortify_chk_fail("strncat integer overflow",
                             BIONIC_EVENT_STRNCAT_INTEGER_OVERFLOW);
    }

    if (sum > dest_buf_size) {
        __fortify_chk_fail("strncat buffer overflow",
                             BIONIC_EVENT_STRNCAT_BUFFER_OVERFLOW);
    }

    return strncat(dest, src, len);
}