| Commit message (Collapse) | Author | Age | Files | Lines |
This saves a couple of syscalls in the common case, and also lets static
binaries run in a chroot without /dev/null as long as
stdin/stdout/stderr are actually connected to something (which the
toybox maintainer tried to do).
Test: manual with strace
Change-Id: Ic9a28896a07304a3bd428acfd9ddca9d22015f6e
|
This works around buggy applications that read a few bytes past the
end of their allocation, which would otherwise cause a segfault with
the concurrent Scudo change that aligns large allocations to the right.
Because the implementation of
android_set_application_target_sdk_version() lives in the linker,
we need to introduce a hook so that libc is notified when the target
SDK version changes.
Bug: 181344545
Change-Id: Id4be6645b94fad3f64ae48afd16c0154f1de448f
|
__libc_init_scudo() calls directly into the allocator, bypassing the
normal guest to host transition in the native bridge. Therefore we
need to let the native bridge override it with a no-op.
Bug: 159352723
Change-Id: I642c7a058e483cc09335290f66b9c053150fca06
|
scudo_malloc_* for fill contents in __libc_init_scudo calls scudo's
initializers. We haven't told Scudo whether we want MTE-capable (i.e.
mapped with PROT_MTE) size class regions yet, which happens in
SetDefaultHeapTaggingLevel. This can lead to inconsistent mappings,
where processes without ELF notes get the base region with PROT_MTE
(which is undesirable because the performance implications are not
known).
Make sure that scudo is informed of whether regions need to be mapped
PROT_MTE or not by hoisting the tagging level up.
Bug: 135772972
Bug: 172365548
Test: On FVP - 'adb shell MEMTAG_OPTIONS=off sanitizer-status' should
have no PROT_MTE mappings (validation by looking for no 'mt' under
'VmFlags:' in /proc/smaps').
Change-Id: Idad64479c4a9459cb40dd211fe942437f8ca16fd
|
Use a note in executables to specify
(none|sync|async) heap tagging level. To be extended with (heap x stack x
globals) in the future. A missing note disables all tagging.
Bug: b/135772972
Test: bionic-unit-tests (in a future change)
Change-Id: Iab145a922c7abe24cdce17323f9e0c1063cc1321
|
Bug: 167968941
Test: m
Change-Id: I636fab0bbf8e5565fb017940e6128c4bed3bab30
|
For vanity reasons, this CL should be reverted after b/158870657, since
we want to make sure zero/pattern fill always happen when they are
requested.
Bug: 131355925
Bug: 158870657
Test: check build on normal devices hits USE_SCUDO branch with #error
Change-Id: I22d19dbc75004c8f7437e1247226bc3275cd4df5
|
Test: treehugger
Change-Id: I7ff0496c5c2792a41781e74634247f55b0548213
|
Add SCUDO_OPTIONS to the list of the environment variables that should
not be preserved across a security boundary.
Bug: 157484128
Test: Builds and boots.
Change-Id: Id8644608114ad2fd49baedbdbbe1c899768bd54d
|
Bug: 155227507
Test: scudo_unit_tests
Change-Id: I85075acfd85172f6cc7e48f79eeb577e293d0d30
|
Add a hook that's called upon file descriptor creation to libc, and a
library that uses it to capture backtraces for file descriptor creation,
to make it easier to hunt down file descriptor leaks.
Currently, this doesn't capture all of the ways of creating a file
descriptor, but completeness isn't required for this to be useful as
long as leaked file descriptors are created with a function that is
tracked. The primary unhandled case is binder, which receives file
descriptors as a payload in a not-trivially-parsable byte blob, but
there's a chance that the leak we're currently trying to track down
isn't of a file descriptor received over binder, so leave that for
later.
Bug: http://b/140703823
Test: manual
Change-Id: I308a14c2e234cdba4207157b634ab6b8bc539dd9
(cherry picked from commit b7eccd4b1577c101132e52d4a5313d5322dcae2d)
|
Fixes includes in heap tagging to ensure that bionic under MTE builds
successfully.
Thanks Kevin for finding this!
Test: TARGET_EXPERIMENTAL_MTE=true mmma bionic
Bug: N/A
Change-Id: Idd1b9ed3737e48a35f8d8628d13e85f1d58f5c93
|
This patch introduces tagged pointers to bionic. We add a static tag to
all pointers on arm64 compatible platforms (needs requisite
top-byte-ignore hardware feature and relevant kernel patches).
We dynamically detect TBI-compatible devices (a device with the TBI feature and
kernel support) at process start time, and insert an implementation-dependent
tag into the top byte of the pointer for all heap allocations. We then check
that the tag has not been truncated when deallocating the memory.
If an application incorrectly writes to the top byte of the pointer, we
terminate the process at time of detection. This will allow MTE-incompatible
applications to be caught early.
Bug: 135754954
Bug: 147147490
Test: cd bionic && atest .
Change-Id: Ie424325ba1e3c4443040ac265aeaa28d9e405d28
|
setprogname() does a basename, but we were initializing __progname
directly. Stop doing that, and add some tests.
Test: treehugger
Change-Id: I06f306ade4161b2f0c7e314a3b1b30c9420117b7
|
This reverts commit 43d5f9d4dd83d15a859d9be1359c4a4a47381fea.
Bug: 135754954
Bug: 147147490
Exempt-From-Owner-Approval: clean revert
Reason for revert: Breaks ART gtest, see:
https://ci.chromium.org/p/art/builders/ci/angler-armv8-non-gen-cc/561
The crash happens on mprotect of a page, the test crashes with ENOMEM.
Change-Id: I52eea1abbfaf8d8e2226f92d30aa55aba3810528
|
This patch introduces tagged pointers to bionic. We add a static tag to
all pointers on arm64 compatible platforms (needs requisite
top-byte-ignore hardware feature and relevant kernel patches).
We dynamically detect TBI-compatible devices (a device with the TBI feature and
kernel support) at process start time, and insert an implementation-dependent
tag into the top byte of the pointer for all heap allocations. We then check
that the tag has not been truncated when deallocating the memory.
If an application incorrectly writes to the top byte of the pointer, we
terminate the process at time of detection. This will allow MTE-incompatible
applications to be caught early.
Bug: 135754954
Bug: 147147490
Test: cd bionic && atest .
Change-Id: I6e5b809fc81f55dd517f845eaf20f3c0ebd4d86e
|
Patch set available here:
https://lore.kernel.org/linux-arm-kernel/20191211184027.20130-1-catalin.marinas@arm.com/
and in my android-experimental-mte branch.
Bug: 135772972
Change-Id: Ib46fd508330b330ef3afc713a9a4e26675ddb857
|
This is a no-op (kernel returns -EINVAL) if the kernel doesn't understand
the prctl.
Bug: 144799191
Change-Id: I8708e92e31d7a60b2847ae2bc242e46dafb77680
|
pthread_atfork may call malloc() during its once-init. This causes
problems with allocators (GWP-ASan) that require explicit initialisation
before calls to malloc().
Bug: 135634846
Test: atest bionic
Change-Id: I1810a00465db99d5aa34fa6f74dea5908a628d3a
|
Similar to the way we handle LIBC_DEBUG_MALLOC_OPTIONS
(bug 68003719), filter LIBC_HOOKS_ENABLE when we cross a
security boundary. This prevents modifying the allocation
behavior of a privileged program.
Introduced in
https://android.googlesource.com/platform/bionic/+/db478a627482c73c52df9e3929fe7a39f03e4eeb%5E%21/#F0
(bug 30561479)
Test: compiles and boots
Change-Id: I59a7c224734b0991fd62efb45ab599dab8570723
|
For security reasons, when a binary is executed which causes a security
transition (eg, a setuid binary, setgid binary, filesystem capabilities,
or SELinux domain transition), the AT_SECURE flag is set. This causes
certain blacklisted environment variables to be stripped before the
process is executed. The list of blacklisted environment variables is
stored in UNSAFE_VARIABLE_NAMES. Generally speaking, most environment
variables used internally by libc show up in this list.
Commit 02586a2a34e6acfccf359b94db840f422b6c0231 ("linker: the
global group is added to all built-in namespaces", Aug 2017) added
support for the environment variable LD_CONFIG_FILE. This debug build
only feature allows the caller to specify the path to the loader
configuration file. Like other linker environment variables, setting
this variable allows the calling process to control executed code of the
called process, which has security implications (on debuggable builds
only).
Add LD_CONFIG_FILE to UNSAFE_VARIABLE_NAMES. This has the effect of
stripping, on all build types, the LD_CONFIG_FILE environment variable.
This has three advantages:
1) Prevents security bugs should LD_CONFIG_FILE ever be inadvertently
exposed on a production build.
2) Makes the behavior of userdebug and user builds more similar, helping
prevent build-type dependent bugs where someone may come to rely on this
debug-only feature.
3) Protect droidfood users against malicious applications which can
trigger a security transition, eg, the execution of crash_dump or the
renderscript compiler.
Alternative considered but rejected:
If we treated LD_CONFIG_FILE like LD_PRELOAD, we could expose this on
all build types, and remove the build-type dependent behavior. But this
is contrary to enh's Aug 02 2017 guidance at
https://android-review.googlesource.com/c/platform/bionic/+/449956
i'm still uncomfortable about LD_CONFIG_FILE because i'd like
to be reducing the number of environment variables that affect
the linker in P rather than increasing them.
Test: atest CtsBionicTestCases
Test: atest linker-unit-tests
Change-Id: I82d286546ee079b5cde04428dc89941c253c2d20
|
File descriptor confusion can result if a process is exec()d and
STDIN/STDOUT/STDERR do not exist. In those situations, the first,
second, and third files opened by the exec()d application will have FD
0, 1, and 2 respectively. Code which reads / writes to these STD* file
descriptors may end up reading / writing to unintended files.
To prevent this, guarantee that FDs 0, 1, and 2 always exist. Bionic
only currently guarantees this for AT_SECURE programs (eg, a setuid
binary, setgid binary, filesystem capabilities, or SELinux domain
transition).
Extending this to all exec()s adds robustness against this class of
bugs. Additionally, it allows a caller to do:
    close(STDIN_FILENO);
    close(STDOUT_FILENO);
    close(STDERR_FILENO);
and know that the exec()d process will reopen these file descriptors on
its own. This has the potential to simplify other parts of Android, eg
https://android-review.googlesource.com/c/platform/system/apex/+/915694
Steps to reproduce:
    sleep 100 <&- >&- 2>&- & BGPID=$! && ls -la /proc/$BGPID/fd && kill $BGPID
Expected:
    $ sleep 100 <&- >&- 2>&- & BGPID=$! && ls -la /proc/$BGPID/fd && kill $BGPID
    [1] 3154
    total 0
    dr-x------ 2 shell shell 0 1970-04-17 12:15 .
    dr-xr-xr-x 9 shell shell 0 1970-04-17 12:15 ..
    lrwx------ 1 shell shell 64 1970-04-17 12:15 0 -> /dev/null
    lrwx------ 1 shell shell 64 1970-04-17 12:15 1 -> /dev/null
    lrwx------ 1 shell shell 64 1970-04-17 12:15 2 -> /dev/null
    $
    [1] + Terminated \sleep 100 <&- >&- 2>&-
Actual:
    $ sleep 100 <&- >&- 2>&- & BGPID=$! && ls -la /proc/$BGPID/fd && kill $BGPID
    [1] 16345
    total 0
    dr-x------ 2 shell shell 0 2019-02-28 20:22 .
    dr-xr-xr-x 9 shell shell 0 2019-02-28 20:22 ..
    $
    [1] + Terminated \sleep 100 <&- >&- 2>&-
Test: manual (see above)
Change-Id: I3e05700a1e8ebc7fc9d192211dd9fc030cc40139
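Added example (not part of the commit above and not bionic's source): a user-space C sketch of the descriptor confusion and of the repair the message describes. The function names are hypothetical, and probing each slot with fcntl() before opening /dev/null is an assumption made here so that already-connected descriptors cost no open().

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* 1 if fd is open, 0 if the slot is empty. The probe itself needs no /dev/null. */
static int fd_is_open(int fd) {
    return fcntl(fd, F_GETFL) != -1 || errno != EBADF;
}

/* Shows the confusion: with stdin closed, the next open() is handed fd 0,
 * so later reads from "stdin" would hit whatever file that was. */
int first_fd_after_closing_stdin(void) {
    int saved = dup(STDIN_FILENO);         /* -1 if stdin was already closed */
    close(STDIN_FILENO);
    int fd = open("/dev/null", O_RDONLY);  /* kernel picks the lowest free slot */
    int got = fd;
    if (fd != -1) close(fd);
    if (saved != -1) {                     /* put the original stdin back */
        dup2(saved, STDIN_FILENO);
        close(saved);
    }
    return got;
}

/* Fill every empty slot among 0..2 with /dev/null.
 * Returns the number of slots repaired, or -1 if /dev/null cannot be opened. */
int ensure_stdio_fds(void) {
    int repaired = 0;
    for (int fd = STDIN_FILENO; fd <= STDERR_FILENO; fd++) {
        if (fd_is_open(fd)) continue;      /* connected already: nothing to open */
        int nfd = open("/dev/null", O_RDWR);
        if (nfd == -1) return -1;
        if (nfd != fd) {                   /* not expected single-threaded; enforce anyway */
            if (dup2(nfd, fd) == -1) { close(nfd); return -1; }
            close(nfd);
        }
        repaired++;
    }
    return repaired;
}

int main(void) {
    printf("fd handed out with stdin closed: %d\n", first_fd_after_closing_stdin());
    close(STDIN_FILENO);
    printf("slots repaired: %d\n", ensure_stdio_fds());
    printf("stdin open again: %d\n", fd_is_open(STDIN_FILENO));
    return 0;
}
```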
|
Instead of passing the address of a KernelArgumentBlock to libc.so for
initialization, use __loader_shared_globals() to initialize globals.
Most of the work happened in the previous CLs. This CL switches a few
KernelArgumentBlock::getauxval calls to [__bionic_]getauxval and stops
routing the KernelArgumentBlock address through the libc init functions.
Bug: none
Test: bionic unit tests
Change-Id: I96c7b02c21d55c454558b7a5a9243c682782f2dd
Merged-In: I96c7b02c21d55c454558b7a5a9243c682782f2dd
(cherry picked from commit 746ad15912cfa82271424747e94d8125acc43d8c)
|
Make getauxval() work in .preinit_array. It still won't be usable for
ifuncs unless we can guarantee that the __loader_shared_globals relocation
is resolved before the ifunc calls [__bionic_]getauxval.
Define __bionic_getauxval for use in replacing calls to
KernelArgumentBlock::getauxval, which doesn't (and sometimes isn't allowed
to) access TLS variables like errno.
Bug: http://b/25751302
Test: bionic unit tests
Change-Id: I461feeaed7f43cfa2a2b6c34147194f0df82b516
Merged-In: I461feeaed7f43cfa2a2b6c34147194f0df82b516
(cherry picked from commit bdab4a2b97c53af0205788875342ec08e6901376)
|
Initialize the __progname and environ global variables using
libc_shared_globals rather than KernelArgumentBlock.
Also: suppose the linker is invoked on an executable:
linker prog [args...]
The first argument passed to main() and constructor functions is "prog"
rather than "linker". For consistency, this CL changes the BSD
__progname global from "linker" to "prog".
Bug: none
Test: bionic unit tests
Change-Id: I376d76953c9436706dbc53911ef6585c1acc1c31
|
__libc_shared_globals() is available in dynamic modules as soon as
relocation has finished (i.e. after ifuncs run). Before ifuncs have run,
the android_set_abort_message() function already doesn't work because it
calls public APIs via the PLT. (If this matters, we can use a static
bool variable to enable android_set_abort_message after libc
initialization).
__libc_shared_globals() is hidden, so it's available in the linker
immediately (i.e. before relocation). TLS memory (e.g. errno) currently
isn't accessible until after relocation, but a later patch fixes that.
Bug: none
Test: bionic unit tests
Change-Id: Ied4433758ed2da9ee404c6158e319cf502d05a53
|
Previously, the address of the global variable was communicated from the
dynamic linker to libc.so using a field of KernelArgumentBlock, which is
communicated using the TLS_SLOT_BIONIC_PREINIT slot.
As long as this function isn't called during relocations (i.e. while
executing an ifunc), it always returns a non-NULL value. If it's called
before its PLT entry is relocated, I expect a crash.
I removed the __libc_init_shared_globals function. It's currently empty,
and I don't think there's one point in libc's initialization where
shared globals should be initialized.
Bug: http://b/25751302
Test: bionic unit tests
Change-Id: I614d25e7ef5e0d2ccc40d5c821dee10f1ec61c2e
|
__sanitize_environment_variables is only called when getauxval(AT_SECURE)
is true.
Instead of scanning __libc_auxv, reuse getauxval. If the entry is missing,
getauxval will set errno to ENOENT.
Reduce the number of times that __libc_sysinfo and __libc_auxv are
initialized. (Previously, __libc_sysinfo was initialized 3 times for the
linker's copy). The two variables are initialized in these places:
- __libc_init_main_thread for libc.a (including the linker copy)
- __libc_preinit_impl for libc.so
- __linker_init: the linker's copy of __libc_sysinfo is still initialized
twice, because __libc_init_main_thread runs after relocation. A later
CL consolidates the linker's two initializations.
Bug: none
Test: bionic unit tests
Change-Id: I196f4c9011b0d803ee85c07afb415fcb146f4d65
|
Fixes -Wzero-as-null-pointer-constant warning.
Test: m
Bug: 68236239
Change-Id: I5b4123bc6709641315120a191e36cc57541349b2
|
Add two functions to allow objects that own a file descriptor to
enforce that only they can close their file descriptor.
Use them in FILE* and DIR*.
Bug: http://b/110100358
Test: bionic_unit_tests
Test: aosp/master boots without errors
Test: treehugger
Change-Id: Iecd6e8b26c62217271e0822dc3d2d7888b091a45
|
__libc_sysinfo is hidden, so accessing it doesn't require a relocated GOT.
It is important not to have a relocatable initializer on __libc_sysinfo,
because if it did have one, and if we initialized it before relocating the
linker, then on 32-bit x86 (which uses REL rather than RELA), the
relocation step would calculate the wrong addend and overwrite
__libc_sysinfo with garbage.
Asides:
* It'd be simpler to keep the __libc_sysinfo initializer for static
executables, but the loader pulls in libc_init_static (even though it
uses almost none of the code in that file, like __libc_init).
* The loader has called __libc_init_sysinfo three times by the time it
has relocated itself. A static executable calls it twice, while libc.so
calls it only once.
Bug: none
Test: lunch aosp_x86-userdebug ; emulator
Test: adb shell /data/nativetest/bionic-unit-tests/bionic-unit-tests
Test: adb shell /data/nativetest/bionic-unit-tests-static/bionic-unit-tests-static
Change-Id: I5944f57847db7191608f4f83dde22b49e279e6cb
|
This complements __libc_init_main_thread in setting up main thread
under native bridge.
Test: run_tests
Bug: 77877742
Change-Id: I53efab66f285a1b9f0ab36d44386fa1e2621e4ba
(cherry picked from commit 4c9504aa6cb4dad5142056d5e46bcb8409fd476d)
|
Bug: http://b/68003719
Test: LIBC_DEBUG_MALLOC_OPTIONS=isbad1 MALLOC_CONF=isbad2 su 0 /system/bin/sh -c '/system/bin/echo opt=$LIBC_DEBUG_MALLOC_OPTIONS conf=$MALLOC_CONF'
Change-Id: I796cc21b230a96cb0ed87d02ddcb1706a7749a90
|
Test: build statically the example program below
    char** environ;
    int main() {
    }
Change-Id: I3f01652da1d5063d92ba7cbff7fb09bd0a89325c
|
Bug: http://b/38034461
Test: ran dexdump under valgrind on x86
Change-Id: I6a54c7ed4fe4e68731e099d9569ab788379820f8
|
This library is used by a number of different libraries in the system.
Make it easy for platform libraries to use this library and create
an actual exported include file.
Change the names of the functions to reflect the new name of the library.
Run clang_format on the async_safe_log.cpp file since the formatting is
all over the place.
Bug: 31919199
Test: Compiled for angler/bullhead, and booted.
Test: Ran bionic unit tests.
Test: Ran the malloc debug tests.
Change-Id: I8071bf690c17b0ea3bc8dc5749cdd5b6ad58478a
|
For security reasons, when a binary is executed which causes a security
transition (eg, a setuid binary, setgid binary, filesystem capabilities,
or SELinux domain transition), the AT_SECURE flag is set. This causes
certain blacklisted environment variables to be stripped before the
process is executed. The list of blacklisted environment variables is
stored in UNSAFE_VARIABLE_NAMES. Generally speaking, most environment
variables used internally by libc show up in this list.
Add ANDROID_DNS_MODE to the list of unsafe variables.
Similar to RESOLV_HOST_CONF and RES_OPTIONS (which are already
blacklisted), this variable controls how name resolution requests are
handled. Allowing ANDROID_DNS_MODE to be set across a security
boundary could induce resolution failures or otherwise impact
name resolution.
Remove BIONIC_DNSCACHE. This does not appear to be used, and setting
this variable across a security boundary could cause name resolution
problems.
Test: Android compiles and runs with no obvious problems.
Change-Id: I835a7b42d6afbc9c67866594c7951cfd9b355d81
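Added example (not bionic's code): a minimal C sketch of the AT_SECURE environment filtering described in the commit above and in the LD_CONFIG_FILE, LIBC_HOOKS_ENABLE and SCUDO_OPTIONS commits earlier on this page. The list holds only the variable names this page mentions, not the full UNSAFE_VARIABLE_NAMES list; the function names and the exact-name matching rule are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>

/* Subset of unsafe names, taken from the commit messages on this page. */
static const char *const kUnsafeNames[] = {
    "LD_CONFIG_FILE", "ANDROID_DNS_MODE", "RESOLV_HOST_CONF", "RES_OPTIONS",
    "LIBC_DEBUG_MALLOC_OPTIONS", "LIBC_HOOKS_ENABLE", "SCUDO_OPTIONS",
};

/* Match on the whole name before '=', so LD_CONFIG_FILE_EXTRA is not
 * treated as LD_CONFIG_FILE. An entry without '=' is compared as a bare name. */
static int is_unsafe(const char *entry) {
    const char *eq = strchr(entry, '=');
    size_t n = eq ? (size_t)(eq - entry) : strlen(entry);
    for (size_t i = 0; i < sizeof(kUnsafeNames) / sizeof(kUnsafeNames[0]); i++) {
        if (strlen(kUnsafeNames[i]) == n && strncmp(entry, kUnsafeNames[i], n) == 0)
            return 1;
    }
    return 0;
}

/* Compact envp in place, dropping unsafe entries. Returns how many were dropped. */
size_t strip_unsafe_env(char **envp) {
    char **dst = envp;
    size_t removed = 0;
    for (char **src = envp; *src != NULL; src++) {
        if (is_unsafe(*src)) removed++;
        else *dst++ = *src;
    }
    *dst = NULL;
    return removed;
}

/* Filter only when the kernel flagged a security transition. */
size_t sanitize_if_secure(char **envp, unsigned long at_secure) {
    return at_secure ? strip_unsafe_env(envp) : 0;
}

int main(void) {
    /* Constructed sample environment, as a caller might pass it across exec. */
    char *env[] = {
        "PATH=/system/bin",
        "LD_CONFIG_FILE=/data/local/tmp/ld.config.txt",
        "ANDROID_DNS_MODE=local",
        "LD_CONFIG_FILE_EXTRA=kept",
        NULL,
    };
    printf("this process: AT_SECURE=%lu\n", getauxval(AT_SECURE));
    printf("stripped as if AT_SECURE=1: %zu\n", sanitize_if_secure(env, 1));
    for (char **e = env; *e != NULL; e++) printf("  kept %s\n", *e);
    return 0;
}
```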
|
Used by CFI, so broke cfi_test#early_init@x86, but I've added a specific
test for this (and a similar test for getauxval from preinit, which this
patch does not fix).
Bug: http://b/35885875
Test: ran tests
Change-Id: I43885bedfb88c0a26b4474bd3c27a87dec7bbc97
|
This reverts commit b0e8c565a622b5519e03d4416b0b5b1a5f20d7f5.
Breaks swiftshader (http://b/34883464).
Change-Id: I7b21193ba8a78f07d7ac65e41d0fe8516940a83b
|
Another release, another attempt to fix this bug.
This change affects pthread_detach, pthread_getcpuclockid,
pthread_getschedparam/pthread_setschedparam, pthread_join, and pthread_kill:
instead of returning ESRCH when passed an invalid pthread_t, they'll now SEGV.
Note that this doesn't change behavior as much as you might think: the old
lookup only held the global thread list lock for the duration of the lookup,
so there was still a race between that and the dereference in the caller,
given that callers actually need the tid to pass to some syscall or other,
and sometimes update fields in the pthread_internal_t struct too.
We can't check thread->tid against 0 to see whether a pthread_t is still
valid because a dead thread gets its thread struct unmapped along with its
stack, so the dereference isn't safe.
Taking the affected functions one by one:
* pthread_getcpuclockid and pthread_getschedparam/pthread_setschedparam
should be fine. Unsafe calls to those seem highly unlikely.
* Unsafe pthread_detach callers probably want to switch to
pthread_attr_setdetachstate instead, or using pthread_detach(pthread_self())
from the new thread's start routine rather than doing the detach in the
parent.
* pthread_join calls should be safe anyway, because a joinable thread won't
actually exit and unmap until it's joined. If you're joining an
unjoinable thread, the fix is to stop marking it detached. If you're
joining an already-joined thread, you need to rethink your design.
* Unsafe pthread_kill calls aren't portably fixable. (And are obviously
inherently non-portable as-is.) The best alternative on Android is to
use pthread_gettid_np at some point that you know the thread to be alive,
and then call kill/tgkill directly. That's still not completely safe
because if you're too late, the tid may have been reused, but then your
code is inherently unsafe anyway.
If we find too much code is still broken, we can come back and disable
the global thread list lookups for anything targeting >= O and then have
another go at really removing this in P...
Bug: http://b/19636317
Test: N6P boots, bionic tests pass
Change-Id: Ia92641212f509344b99ee2a9bfab5383147fcba6
|
The linker calls to __libc_fatal resulted in tombstones
with missing abort message. This commit fixes it by
initializing __abort_message_ptr for the linker's copy
of libc.
Bug: http://b/31095185
Change-Id: I883d654d7fd0ef309c80f8021202b6bfd5d5cea5
|
Before, dynamic executables would initialize the global stack protector
twice, once for the linker, and once for the executable. This worked
because the result was the same for both initializations, because it
used getauxval(AT_RANDOM), which won't be the case once arc4random gets
used for it.
Bug: http://b/29622562
Change-Id: I7718b1ba8ee8fac7127ab2360cb1088e510fef5c
Test: ran the stack protector tests on angler (32/64bit, static/dynamic)
|
Previously, arc4random would register a fork-detecting pthread_atfork
handler to not have to call getpid() after a fork. pthread_atfork uses
pthread_mutex_lock, which requires the current thread to be initialized,
preventing the use of arc4random for initializing the global stack guard,
which needs to happen before the main thread has been initialized.
Extract the arc4random fork-detection flag and use the existing
arc4random fork handler to set it.
Bug: http://b/29622562
Change-Id: I98c9329fa0e489c3f78cad52747eaaf2f5226b80
|
Bug: http://b/24675038
Test: stepped through a fork call in gdb
Change-Id: I09d20ff1d103d0c005f2a0cdd9b0a8710ab2392c
|
Although there is a test pthread.pthread_mutex_owner_tid_limit
to check pid_max, but bionic-unit-tests hangs before reaching
that test. So abort at libc initialization if not able to reach
the test when running bionic-unit-tests32. It is more friendly
for debugging.
Bug: 24016357
Change-Id: Ia70c2e36fd8a3a040d41ea5722c7b48a6134e102
|
This patch uses __kernel_vsyscall instead of "int 0x80"
as the syscall entry point. AT_SYSINFO points to
an adapter to mask the arch specific difference and gives a
performance boost on i386 architecture.
Change-ID: Ib340c604d02c6c25714a95793737e3cfdc3fc5d7
Signed-off-by: Mingwei Shi <mingwei.shi@intel.com>
|
Bug: http://b/26888853
Change-Id: I505dbf7d5934f7247fb639f55dd6a9341df3947b
|