1/* 2 * Copyright (C) 2013 The Android Open Source Project 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * * Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * * Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in 12 * the documentation and/or other materials provided with the 13 * distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT 25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29#include <private/bionic_asm.h> 30#include <private/libc_events.h> 31 32 .syntax unified 33 .fpu neon 34 .thumb 35 .thumb_func 36 37// Get the length of src string, then get the source of the dst string. 38// Check that the two lengths together don't exceed the threshold, then 39// do a memcpy of the data. 40ENTRY(__strcat_chk) 41 pld [r0, #0] 42 push {r0, lr} 43 .cfi_def_cfa_offset 8 44 .cfi_rel_offset r0, 0 45 .cfi_rel_offset lr, 4 46 push {r4, r5} 47 .cfi_adjust_cfa_offset 8 48 .cfi_rel_offset r4, 0 49 .cfi_rel_offset r5, 4 50 51 mov lr, r2 52 53 // Save the dst register to r5 54 mov r5, r0 55 56 // Zero out r4 57 eor r4, r4, r4 58 59 // r1 contains the address of the string to count. 60.L_strlen_start: 61 mov r0, r1 62 63 ands r3, r0, #7 64 bne .L_align_src 65 66 .p2align 2 67.L_mainloop: 68 ldmia r1!, {r2, r3} 69 70 pld [r1, #64] 71 72 sub ip, r2, #0x01010101 73 bic ip, ip, r2 74 ands ip, ip, #0x80808080 75 bne .L_zero_in_first_register 76 77 sub ip, r3, #0x01010101 78 bic ip, ip, r3 79 ands ip, ip, #0x80808080 80 bne .L_zero_in_second_register 81 b .L_mainloop 82 83.L_zero_in_first_register: 84 sub r3, r1, r0 85 // Check for zero in byte 0. 86 lsls r2, ip, #17 87 beq .L_check_byte1_reg1 88 89 sub r3, r3, #8 90 b .L_finish 91 92.L_check_byte1_reg1: 93 bcc .L_check_byte2_reg1 94 95 sub r3, r3, #7 96 b .L_finish 97 98.L_check_byte2_reg1: 99 // Check for zero in byte 2. 100 tst ip, #0x800000 101 it ne 102 subne r3, r3, #6 103 bne .L_finish 104 sub r3, r3, #5 105 b .L_finish 106 107.L_zero_in_second_register: 108 sub r3, r1, r0 109 // Check for zero in byte 0. 110 lsls r2, ip, #17 111 beq .L_check_byte1_reg2 112 113 sub r3, r3, #4 114 b .L_finish 115 116.L_check_byte1_reg2: 117 bcc .L_check_byte2_reg2 118 119 sub r3, r3, #3 120 b .L_finish 121 122.L_check_byte2_reg2: 123 // Check for zero in byte 2. 124 tst ip, #0x800000 125 it ne 126 subne r3, r3, #2 127 bne .L_finish 128 sub r3, r3, #1 129 b .L_finish 130 131.L_align_src: 132 // Align to a double word (64 bits). 133 rsb r3, r3, #8 134 lsls ip, r3, #31 135 beq .L_align_to_32 136 137 ldrb r2, [r1], #1 138 cbz r2, .L_done 139 140.L_align_to_32: 141 bcc .L_align_to_64 142 143 ldrb r2, [r1], #1 144 cbz r2, .L_done 145 ldrb r2, [r1], #1 146 cbz r2, .L_done 147 148.L_align_to_64: 149 tst r3, #4 150 beq .L_mainloop 151 ldr r2, [r1], #4 152 153 sub ip, r2, #0x01010101 154 bic ip, ip, r2 155 ands ip, ip, #0x80808080 156 bne .L_zero_in_second_register 157 b .L_mainloop 158 159.L_done: 160 sub r3, r1, r0 161 sub r3, r3, #1 162 163.L_finish: 164 cmp r4, #0 165 bne .L_strlen_done 166 167 // Time to get the dst string length. 168 mov r1, r5 169 170 // Save the original source address to r5. 171 mov r5, r0 172 173 // Save the current length (adding 1 for the terminator). 174 add r4, r3, #1 175 b .L_strlen_start 176 177 // r0 holds the pointer to the dst string. 178 // r3 holds the dst string length. 179 // r4 holds the src string length + 1. 180.L_strlen_done: 181 add r2, r3, r4 182 cmp r2, lr 183 bhi __strcat_chk_fail 184 185 // Set up the registers for the memcpy code. 186 mov r1, r5 187 pld [r1, #64] 188 mov r2, r4 189 add r0, r0, r3 190 pop {r4, r5} 191 192 // Fall through into the memcpy_base function. 193END(__strcat_chk) 194 195#define MEMCPY_BASE __strcat_chk_memcpy_base 196#define MEMCPY_BASE_ALIGNED __strcat_chk_memcpy_base_aligned 197#include "memcpy_base.S" 198 199ENTRY_PRIVATE(__strcat_chk_fail) 200 .cfi_def_cfa_offset 8 201 .cfi_rel_offset r0, 0 202 .cfi_rel_offset lr, 4 203 .cfi_adjust_cfa_offset 8 204 .cfi_rel_offset r4, 0 205 .cfi_rel_offset r5, 4 206 207 ldr r0, error_message 208 ldr r1, error_code 2091: 210 add r0, pc 211 bl __fortify_chk_fail 212error_code: 213 .word BIONIC_EVENT_STRCAT_BUFFER_OVERFLOW 214error_message: 215 .word error_string-(1b+4) 216END(__strcat_chk_fail) 217 218 .data 219error_string: 220 .string "strcat: prevented write past end of buffer" 221