1 /*
2 * Copyright (C) 2017 The Android Open Source Project
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * * Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in
12 * the documentation and/or other materials provided with the
13 * distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
/* This file is meant to be pulled in by <string.h> only; refuse direct inclusion. */
#if !defined(_STRING_H)
#error "Never include this file directly; instead, include <string.h>"
#endif
32
33
/*
 * Out-of-line checked helpers that the FORTIFY wrappers in this header
 * forward to. The parameter names mirror the arguments the wrappers pass:
 * the trailing size_t argument(s) receive the object size(s) the wrapper
 * obtained from __bos().
 */
#if __BIONIC_AVAILABILITY_GUARD(23)
/* memchr() calls this with (s, c, n, __bos(s)). */
void* _Nullable __memchr_chk(const void* _Nonnull s, int c, size_t n, size_t s_size) __INTRODUCED_IN(23);
/* __memrchr_fortify() calls this with (s, c, n, __bos(s)). */
void* _Nullable __memrchr_chk(const void* _Nonnull s, int c, size_t n, size_t s_size) __INTRODUCED_IN(23);
#endif /* __BIONIC_AVAILABILITY_GUARD(23) */

/* stpncpy()/strncpy() call these with (dst, src, n, __bos(dst), __bos(src)). */
char* _Nonnull __stpncpy_chk2(char* _Nonnull dst, const char* _Nonnull src, size_t n, size_t dst_size, size_t src_size);
char* _Nonnull __strncpy_chk2(char* _Nonnull dst, const char* _Nonnull src, size_t n, size_t dst_size, size_t src_size);
/* strlcpy()/strlcat() call these with (dst, src, size, __bos(dst)). */
size_t __strlcpy_chk(char* _Nonnull dst, const char* _Nonnull src, size_t size, size_t dst_size);
size_t __strlcat_chk(char* _Nonnull dst, const char* _Nonnull src, size_t size, size_t dst_size);
43
44 #if defined(__BIONIC_FORTIFY)
45
/*
 * Fortified memcpy(): forwards to the _chk builtin together with the
 * destination's object size, so the copy length can be compared against dst.
 *
 * Only compiled when runtime FORTIFY checks are enabled and the build is not
 * using hwasan: hwasan intercepts memcpy() but not the _chk variant. In every
 * other configuration this overload does not exist.
 *
 * No diag -- clang diagnoses misuses of this on its own.
 */
#if __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED && !__has_feature(hwaddress_sanitizer)
__BIONIC_FORTIFY_INLINE
void* _Nonnull memcpy(void* _Nonnull const dst __pass_object_size0, const void* _Nonnull src, size_t copy_amount)
        __diagnose_as_builtin(__builtin_memcpy, 1, 2, 3)
        __overloadable {
    /* Destination size as reported by __bos0() (macro defined outside this header). */
    const size_t dst_size = __bos0(dst);
    return __builtin___memcpy_chk(dst, src, copy_amount, dst_size);
}
#endif
56
/*
 * Fortified memmove(): forwards to the _chk builtin together with the
 * destination's object size, so the move length can be compared against dst.
 *
 * Only compiled when runtime FORTIFY checks are enabled and the build is not
 * using hwasan: hwasan intercepts memmove() but not the _chk variant.
 *
 * No diag -- clang diagnoses misuses of this on its own.
 */
#if __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED && !__has_feature(hwaddress_sanitizer)
__BIONIC_FORTIFY_INLINE
void* _Nonnull memmove(void* _Nonnull const dst __pass_object_size0, const void* _Nonnull src, size_t len)
        __diagnose_as_builtin(__builtin_memmove, 1, 2, 3)
        __overloadable {
    /* Destination size as reported by __bos0() (macro defined outside this header). */
    const size_t dst_size = __bos0(dst);
    return __builtin___memmove_chk(dst, src, len, dst_size);
}
#endif
67
/*
 * Fortified memset().
 *
 * Compile time: the __clang_warning_if clause fires when the fill value is
 * non-zero and the length is zero -- the shape a call takes when the value
 * and length arguments were swapped, in which case nothing is written.
 * Run time: with checks enabled (and no hwasan) the call goes to the _chk
 * builtin with the destination's object size; otherwise plain
 * __builtin_memset is used.
 *
 * TODO: remove __clang_warning_if when https://issuetracker.google.com/400937647 is fixed.
 */
__BIONIC_FORTIFY_INLINE
void* _Nonnull memset(void* _Nonnull const s __pass_object_size0, int c, size_t n)
        __diagnose_as_builtin(__builtin_memset, 1, 2, 3)
        __overloadable
        /* If you're a user who wants this warning to go away: use `(&memset)(foo, bar, baz)`. */
        __clang_warning_if(c && !n, "'memset' will set 0 bytes; maybe the arguments got flipped?") {
/* hwasan intercepts memset() but not the _chk variant. */
#if __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED && !__has_feature(hwaddress_sanitizer)
    const size_t dst_size = __bos0(s);
    return __builtin___memset_chk(s, c, n, dst_size);
#else
    return __builtin_memset(s, c, n);
#endif
}
82
/*
 * Fortified mempcpy(); only provided when __USE_GNU is defined and
 * __ANDROID_API__ >= 30.
 *
 * Compile time: the __clang_error_if clause carries "'mempcpy' called with
 * size bigger than buffer" for calls where __bos0(dst) compares below
 * copy_amount (per __bos_unevaluated_lt).
 * Run time: with checks enabled, the _chk builtin is used unless
 * __bos_trivially_ge() holds for (dst size, copy_amount); presumably that
 * macro is true when the check can be decided without a runtime call --
 * confirm against its definition, which is outside this header.
 *
 * NOTE(review): unlike memcpy/memmove/memset above, the runtime-check guard
 * here has no hwaddress_sanitizer exclusion -- confirm that is intended.
 */
#if defined(__USE_GNU)
#if __ANDROID_API__ >= 30
__BIONIC_FORTIFY_INLINE
void* _Nonnull mempcpy(void* _Nonnull const dst __pass_object_size0, const void* _Nonnull src, size_t copy_amount)
        __diagnose_as_builtin(__builtin_mempcpy, 1, 2, 3)
        __overloadable
        __clang_error_if(__bos_unevaluated_lt(__bos0(dst), copy_amount),
                         "'mempcpy' called with size bigger than buffer") {
#if __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED
    const size_t dst_size = __bos0(dst);
    if (__bos_trivially_ge(dst_size, copy_amount)) {
        return __builtin_mempcpy(dst, src, copy_amount);
    }
    return __builtin___mempcpy_chk(dst, src, copy_amount, dst_size);
#else
    return __builtin_mempcpy(dst, src, copy_amount);
#endif
}
#endif /* __ANDROID_API__ >= 30 */
#endif /* __USE_GNU */
101
/*
 * Fortified stpcpy().
 *
 * Compile time: the __clang_error_if clause carries "'stpcpy' called with
 * string bigger than buffer" for calls where __bos(dst) compares less than or
 * equal to strlen(src) (per __bos_unevaluated_le), i.e. no room is left for
 * the terminating NUL.
 * Run time: with checks enabled the call goes to the _chk builtin with dst's
 * object size; otherwise plain __builtin_stpcpy is used.
 */
__BIONIC_FORTIFY_INLINE
char* _Nonnull stpcpy(char* _Nonnull const dst __pass_object_size, const char* _Nonnull src)
        __overloadable
        __clang_error_if(__bos_unevaluated_le(__bos(dst), __builtin_strlen(src)),
                         "'stpcpy' called with string bigger than buffer") {
#if __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED
    const size_t dst_size = __bos(dst);
    return __builtin___stpcpy_chk(dst, src, dst_size);
#else
    return __builtin_stpcpy(dst, src);
#endif
}
113
/*
 * Fortified strcpy().
 *
 * Compile time: the __clang_error_if clause carries "'strcpy' called with
 * string bigger than buffer" for calls where __bos(dst) compares less than or
 * equal to strlen(src) (per __bos_unevaluated_le), i.e. no room is left for
 * the terminating NUL.
 * Run time: with checks enabled the call goes to the _chk builtin with dst's
 * object size; otherwise plain __builtin_strcpy is used.
 */
__BIONIC_FORTIFY_INLINE
char* _Nonnull strcpy(char* _Nonnull const dst __pass_object_size, const char* _Nonnull src)
        __diagnose_as_builtin(__builtin_strcpy, 1, 2)
        __overloadable
        __clang_error_if(__bos_unevaluated_le(__bos(dst), __builtin_strlen(src)),
                         "'strcpy' called with string bigger than buffer") {
#if __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED
    const size_t dst_size = __bos(dst);
    return __builtin___strcpy_chk(dst, src, dst_size);
#else
    return __builtin_strcpy(dst, src);
#endif
}
126
/*
 * Fortified strcat().
 *
 * Compile time: the __clang_error_if clause carries "'strcat' called with
 * string bigger than buffer" for calls where __bos(dst) compares less than or
 * equal to strlen(src). That condition looks only at src's length; whatever
 * dst already holds is not part of it, so a call can pass this clause and
 * still not fit.
 * Run time: with checks enabled the call goes to the _chk builtin with dst's
 * object size; otherwise plain __builtin_strcat is used.
 */
__BIONIC_FORTIFY_INLINE
char* _Nonnull strcat(char* _Nonnull const dst __pass_object_size, const char* _Nonnull src)
        __overloadable
        __clang_error_if(__bos_unevaluated_le(__bos(dst), __builtin_strlen(src)),
                         "'strcat' called with string bigger than buffer") {
#if __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED
    const size_t dst_size = __bos(dst);
    return __builtin___strcat_chk(dst, src, dst_size);
#else
    return __builtin_strcat(dst, src);
#endif
}
138
/*
 * Fortified strncat(); only compiled when runtime FORTIFY checks are enabled.
 * Forwards to the _chk builtin together with dst's object size.
 *
 * No diag -- clang diagnoses misuses of this on its own.
 */
#if __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED
__BIONIC_FORTIFY_INLINE
char* _Nonnull strncat(char* _Nonnull const dst __pass_object_size, const char* _Nonnull src, size_t n)
        __diagnose_as_builtin(__builtin_strncat, 1, 2, 3)
        __overloadable {
    const size_t dst_size = __bos(dst);
    return __builtin___strncat_chk(dst, src, n, dst_size);
}
#endif
148
/*
 * Fortified memchr() and the shared memrchr() helper; only compiled when
 * __ANDROID_API__ >= 23 and runtime FORTIFY checks are enabled.
 *
 * Both follow the same shape: take the object size of the buffer being
 * searched, and unless __bos_trivially_ge() holds for (buffer size, n), route
 * the search through the out-of-line _chk function with that size.
 * NOTE(review): __bos_trivially_ge is defined outside this header; presumably
 * it is true when the bound needs no runtime check -- confirm.
 */
#if __ANDROID_API__ >= 23 && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED
__BIONIC_FORTIFY_INLINE
void* _Nullable memchr(const void* _Nonnull const s __pass_object_size, int c, size_t n) __overloadable {
    const size_t s_size = __bos(s);

    if (!__bos_trivially_ge(s_size, n)) {
        return __memchr_chk(s, c, n, s_size);
    }

    return __builtin_memchr(s, c, n);
}

/* Second name for memrchr (via __RENAME), called by the helper below on its unchecked path. */
void* _Nullable __memrchr_real(const void* _Nonnull, int, size_t) __RENAME(memrchr);

__BIONIC_FORTIFY_INLINE
void* _Nullable __memrchr_fortify(const void* _Nonnull const __pass_object_size s, int c, size_t n) __overloadable {
    const size_t s_size = __bos(s);

    if (!__bos_trivially_ge(s_size, n)) {
        return __memrchr_chk(s, c, n, s_size);
    }

    return __memrchr_real(s, c, n);
}
#endif
174
/*
 * Fortified stpncpy() and strncpy(); only compiled when runtime FORTIFY
 * checks are enabled.
 *
 * Both parameters carry an object size. When the source size is known, the
 * call goes to the two-size helper (__stpncpy_chk2 / __strncpy_chk2), which
 * receives the sizes of dst and src. When the source size is
 * __BIONIC_FORTIFY_UNKNOWN_SIZE, only dst's size is available and the _chk
 * builtin is used instead.
 */
#if __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED
/* No diag -- clang diagnoses misuses of this on its own. */
__BIONIC_FORTIFY_INLINE
char* _Nonnull stpncpy(char* _Nonnull const dst __pass_object_size, const char* _Nonnull const src __pass_object_size, size_t n)
        __diagnose_as_builtin(__builtin_stpncpy, 1, 2, 3)
        __overloadable {
    const size_t dst_size = __bos(dst);
    const size_t src_size = __bos(src);

    if (src_size != __BIONIC_FORTIFY_UNKNOWN_SIZE) {
        return __stpncpy_chk2(dst, src, n, dst_size, src_size);
    }

    /* Source size unknown: no dst check is done here, the _chk builtin gets dst's size. */
    return __builtin___stpncpy_chk(dst, src, n, dst_size);
}

/* No diag -- clang diagnoses misuses of this on its own. */
__BIONIC_FORTIFY_INLINE
char* _Nonnull strncpy(char* _Nonnull const dst __pass_object_size, const char* _Nonnull const src __pass_object_size, size_t n)
        __diagnose_as_builtin(__builtin_strncpy, 1, 2, 3)
        __overloadable {
    const size_t dst_size = __bos(dst);
    const size_t src_size = __bos(src);

    if (src_size != __BIONIC_FORTIFY_UNKNOWN_SIZE) {
        return __strncpy_chk2(dst, src, n, dst_size, src_size);
    }

    /* Source size unknown: no dst check is done here, the _chk builtin gets dst's size. */
    return __builtin___strncpy_chk(dst, src, n, dst_size);
}
#endif
208
/*
 * Fortified strlcpy().
 *
 * Compile time: the __clang_error_if clause carries "'strlcpy' called with
 * size bigger than buffer" for calls where __bos(dst) compares below the size
 * argument (per __bos_unevaluated_lt).
 * Run time: with checks enabled the call goes to __strlcpy_chk() together
 * with dst's object size; otherwise the unfortified strlcpy is reached
 * through __call_bypassing_fortify().
 */
__BIONIC_FORTIFY_INLINE
size_t strlcpy(char* _Nonnull const dst __pass_object_size, const char* _Nonnull src, size_t size)
        __overloadable
        __clang_error_if(__bos_unevaluated_lt(__bos(dst), size),
                         "'strlcpy' called with size bigger than buffer") {
#if __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED
    const size_t dst_size = __bos(dst);
    return __strlcpy_chk(dst, src, size, dst_size);
#else
    return __call_bypassing_fortify(strlcpy)(dst, src, size);
#endif
}
220
/*
 * Fortified strlcat().
 *
 * Compile time: the __clang_error_if clause carries "'strlcat' called with
 * size bigger than buffer" for calls where __bos(dst) compares below the size
 * argument (per __bos_unevaluated_lt).
 * Run time: with checks enabled the call goes to __strlcat_chk() together
 * with dst's object size; otherwise the unfortified strlcat is reached
 * through __call_bypassing_fortify().
 */
__BIONIC_FORTIFY_INLINE
size_t strlcat(char* _Nonnull const dst __pass_object_size, const char* _Nonnull src, size_t size)
        __overloadable
        __clang_error_if(__bos_unevaluated_lt(__bos(dst), size),
                         "'strlcat' called with size bigger than buffer") {
#if __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED
    const size_t dst_size = __bos(dst);
    return __strlcat_chk(dst, src, size, dst_size);
#else
    return __call_bypassing_fortify(strlcat)(dst, src, size);
#endif
}
232
#if __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED
/*
 * Fortified strlen(): hands the string and its object size to __strlen_chk().
 *
 * This one is deliberately not written as an __overloadable wrapper like the
 * rest of the file. Clang, when parsing C, can fold strlen to a constant
 * without LLVM's help, but that doesn't apply to overloads of strlen -- hence
 * the extern gnu_inline form. `__pass_object_size0` can't be used here, but
 * that's fine: it doesn't help much on __always_inline functions.
 */
extern __always_inline __inline__ __attribute__((gnu_inline)) size_t strlen(const char* _Nonnull s) {
    const size_t s_size = __bos0(s);
    return __strlen_chk(s, s_size);
}
#endif
244
/*
 * Fortified strchr().
 *
 * With runtime checks enabled and a known object size for s, the search goes
 * through __strchr_chk() with that size. If the size is
 * __BIONIC_FORTIFY_UNKNOWN_SIZE, or runtime checks are disabled, the plain
 * builtin is used and no bound is applied by this wrapper.
 */
__BIONIC_FORTIFY_INLINE
char* _Nullable strchr(const char* _Nonnull const s __pass_object_size, int c) __overloadable {
#if __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED
    const size_t s_size = __bos(s);

    if (s_size == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
        return __builtin_strchr(s, c);
    }
    return __strchr_chk(s, c, s_size);
#else
    return __builtin_strchr(s, c);
#endif
}
256
/*
 * Fortified strrchr().
 *
 * With runtime checks enabled and a known object size for s, the search goes
 * through __strrchr_chk() with that size. If the size is
 * __BIONIC_FORTIFY_UNKNOWN_SIZE, or runtime checks are disabled, the plain
 * builtin is used and no bound is applied by this wrapper.
 */
__BIONIC_FORTIFY_INLINE
char* _Nullable strrchr(const char* _Nonnull const s __pass_object_size, int c) __overloadable {
#if __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED
    const size_t s_size = __bos(s);

    if (s_size == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
        return __builtin_strrchr(s, c);
    }
    return __strrchr_chk(s, c, s_size);
#else
    return __builtin_strrchr(s, c);
#endif
}
268
/*
 * Fortified memrchr(); only compiled when __ANDROID_API__ >= 23 and runtime
 * FORTIFY checks are enabled. Every variant simply forwards to
 * __memrchr_fortify(), which holds the actual size check.
 *
 * C++ gets two overloads (const and non-const buffer) inside extern "C++";
 * C gets a single __overloadable definition taking a const buffer.
 */
#if __ANDROID_API__ >= 23 && __BIONIC_FORTIFY_RUNTIME_CHECKS_ENABLED
#if defined(__cplusplus)
extern "C++" {
/* Non-const buffer in, non-const result out. */
__BIONIC_FORTIFY_INLINE
void* _Nullable memrchr(void* _Nonnull const __pass_object_size s, int c, size_t n) {
    return __memrchr_fortify(s, c, n);
}

/* Const buffer in, const result out. */
__BIONIC_FORTIFY_INLINE
const void* _Nullable memrchr(const void* _Nonnull const __pass_object_size s, int c, size_t n) {
    return __memrchr_fortify(s, c, n);
}
}
#else
__BIONIC_FORTIFY_INLINE
void* _Nullable memrchr(const void* _Nonnull const __pass_object_size s, int c, size_t n) __overloadable {
    return __memrchr_fortify(s, c, n);
}
#endif
#endif /* __ANDROID_API__ >= 23 */
289
290 #endif /* defined(__BIONIC_FORTIFY) */
291