perform size checks on various operations

Signed-off-by: Tavi <tavi@divested.dev>
Co-authored-by: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>

Author: SkewedZeppelin

Android.bp

@@ -28,6 +28,7 @@ common_cflags = [
     "-DN_ARENA=1",
     "-DCONFIG_STATS=true",
     "-DCONFIG_SELF_INIT=false",
+    "-DCONFIG_BLOCK_OPS_CHECK_SIZE=false",
 ]
 
 cc_defaults {

CREDITS

@@ -23,6 +23,30 @@ h_malloc.c open-addressed hash table (regions_grow, regions_insert, regions_find
     ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
     OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+memcpy.c, memccpy.c, memmove.c, memset.c, swab.c, wmemset.c:
+    Copyright © 2005-2020 Rich Felker, et al.
+
+    Permission is hereby granted, free of charge, to any person obtaining
+    a copy of this software and associated documentation files (the
+    "Software"), to deal in the Software without restriction, including
+    without limitation the rights to use, copy, modify, merge, publish,
+    distribute, sublicense, and/or sell copies of the Software, and to
+    permit persons to whom the Software is furnished to do so, subject to
+    the following conditions:
+
+    The above copyright notice and this permission notice shall be
+    included in all copies or substantial portions of the Software.
+
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+    EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+    MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+    IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+    CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+    TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+    SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+    Contributor list: https://git.musl-libc.org/cgit/musl/tree/COPYRIGHT
+
 libdivide:
 
     Copyright (C) 2010 - 2019 ridiculous_fish, <libdivide@ridiculousfish.com>

Makefile

@@ -40,6 +40,10 @@ CXXFLAGS := $(CXXFLAGS) -std=c++17 -fsized-deallocation $(SHARED_FLAGS)
 LDFLAGS := $(LDFLAGS) -Wl,-O1,--as-needed,-z,defs,-z,relro,-z,now,-z,nodlopen,-z,text
 
 SOURCES := chacha.c h_malloc.c memory.c pages.c random.c util.c
+ifeq ($(CONFIG_BLOCK_OPS_CHECK_SIZE),true)
+    SOURCES += memcpy.c memccpy.c memmove.c memset.c swab.c wmemset.c
+    BOSC_EXTRAS := musl.h
+endif
 OBJECTS := $(SOURCES:.c=.o)
 
 ifeq ($(CONFIG_CXX_ALLOCATOR),true)
@@ -89,6 +93,10 @@ ifeq (,$(filter $(CONFIG_SELF_INIT),true false))
     $(error CONFIG_SELF_INIT must be true or false)
 endif
 
+ifeq (,$(filter $(CONFIG_BLOCK_OPS_CHECK_SIZE),true false))
+    $(error CONFIG_BLOCK_OPS_CHECK_SIZE must be true or false)
+endif
+
 CPPFLAGS += \
     -DCONFIG_SEAL_METADATA=$(CONFIG_SEAL_METADATA) \
     -DZERO_ON_FREE=$(CONFIG_ZERO_ON_FREE) \
@@ -108,7 +116,8 @@ CPPFLAGS += \
     -DCONFIG_CLASS_REGION_SIZE=$(CONFIG_CLASS_REGION_SIZE) \
     -DN_ARENA=$(CONFIG_N_ARENA) \
     -DCONFIG_STATS=$(CONFIG_STATS) \
-    -DCONFIG_SELF_INIT=$(CONFIG_SELF_INIT)
+    -DCONFIG_SELF_INIT=$(CONFIG_SELF_INIT) \
+    -DCONFIG_BLOCK_OPS_CHECK_SIZE=$(CONFIG_BLOCK_OPS_CHECK_SIZE)
 
 $(OUT)/libhardened_malloc$(SUFFIX).so: $(OBJECTS) | $(OUT)
 	$(CC) $(CFLAGS) $(LDFLAGS) -shared $^ $(LDLIBS) -o $@
@@ -118,19 +127,32 @@ $(OUT):
 
 $(OUT)/chacha.o: chacha.c chacha.h util.h $(CONFIG_FILE) | $(OUT)
 	$(COMPILE.c) $(OUTPUT_OPTION) $<
-$(OUT)/h_malloc.o: h_malloc.c include/h_malloc.h mutex.h memory.h pages.h random.h util.h $(CONFIG_FILE) | $(OUT)
+$(OUT)/h_malloc.o: h_malloc.c include/h_malloc.h mutex.h memory.h $(BOSC_EXTRAS) pages.h random.h util.h $(CONFIG_FILE) | $(OUT)
 	$(COMPILE.c) $(OUTPUT_OPTION) $<
 $(OUT)/memory.o: memory.c memory.h util.h $(CONFIG_FILE) | $(OUT)
 	$(COMPILE.c) $(OUTPUT_OPTION) $<
 $(OUT)/new.o: new.cc include/h_malloc.h util.h $(CONFIG_FILE) | $(OUT)
 	$(COMPILE.cc) $(OUTPUT_OPTION) $<
 $(OUT)/pages.o: pages.c pages.h memory.h util.h $(CONFIG_FILE) | $(OUT)
 	$(COMPILE.c) $(OUTPUT_OPTION) $<
-$(OUT)/random.o: random.c random.h chacha.h util.h $(CONFIG_FILE) | $(OUT)
+$(OUT)/random.o: random.c random.h chacha.h $(BOSC_EXTRAS) util.h $(CONFIG_FILE) | $(OUT)
 	$(COMPILE.c) $(OUTPUT_OPTION) $<
 $(OUT)/util.o: util.c util.h $(CONFIG_FILE) | $(OUT)
 	$(COMPILE.c) $(OUTPUT_OPTION) $<
 
+$(OUT)/memcpy.o: memcpy.c musl.h $(CONFIG_FILE) | $(OUT)
+	$(COMPILE.c) -Wno-cast-align $(OUTPUT_OPTION) $<
+$(OUT)/memccpy.o: memccpy.c musl.h $(CONFIG_FILE) | $(OUT)
+	$(COMPILE.c) -Wno-cast-align $(OUTPUT_OPTION) $<
+$(OUT)/memmove.o: memmove.c musl.h $(CONFIG_FILE) | $(OUT)
+	$(COMPILE.c) -Wno-cast-align $(OUTPUT_OPTION) $<
+$(OUT)/memset.o: memset.c musl.h $(CONFIG_FILE) | $(OUT)
+	$(COMPILE.c) -Wno-cast-align $(OUTPUT_OPTION) $<
+$(OUT)/swab.o: swab.c musl.h $(CONFIG_FILE) | $(OUT)
+	$(COMPILE.c) -Wno-cast-align $(OUTPUT_OPTION) $<
+$(OUT)/wmemset.o: wmemset.c musl.h $(CONFIG_FILE) | $(OUT)
+	$(COMPILE.c) $(OUTPUT_OPTION) $<
+
 check: tidy
 
 tidy:

README.md

@@ -279,6 +279,9 @@ The following boolean configuration options are available:
   hardware, which may become drastically lower in the future. Whether or not
   this feature is enabled, the metadata is all contained within an isolated
   memory region with high entropy random guard regions around it.
+* `CONFIG_BLOCK_OPS_CHECK_SIZE`: `true` or `false` (default) to ensure length
+  parameter of the memcpy/memccpy/memmove/memset block operations and their
+  wide variants are within approximate bounds to minimize buffer overflows.
 
 The following integer configuration options are available:
 

config/default.mk

@@ -21,3 +21,4 @@ CONFIG_CLASS_REGION_SIZE := 34359738368 # 32GiB
 CONFIG_N_ARENA := 4
 CONFIG_STATS := false
 CONFIG_SELF_INIT := true
+CONFIG_BLOCK_OPS_CHECK_SIZE := false

config/light.mk

@@ -21,3 +21,4 @@ CONFIG_CLASS_REGION_SIZE := 34359738368 # 32GiB
 CONFIG_N_ARENA := 4
 CONFIG_STATS := false
 CONFIG_SELF_INIT := true
+CONFIG_BLOCK_OPS_CHECK_SIZE := false

h_malloc.c

@@ -20,6 +20,10 @@
 #include "random.h"
 #include "util.h"
 
+#if CONFIG_BLOCK_OPS_CHECK_SIZE && !defined(HAS_ARM_MTE)
+#include "musl.h"
+#endif
+
 #ifdef USE_PKEY
 #include <sys/mman.h>
 #endif
@@ -537,7 +541,7 @@ static void set_canary(UNUSED const struct slab_metadata *metadata, UNUSED void
     }
 #endif
 
-    memcpy((char *)p + size - canary_size, &metadata->canary_value, canary_size);
+    h_memcpy_internal((char *)p + size - canary_size, &metadata->canary_value, canary_size);
 #endif
 }
 
@@ -550,7 +554,7 @@ static void check_canary(UNUSED const struct slab_metadata *metadata, UNUSED con
 #endif
 
     u64 canary_value;
-    memcpy(&canary_value, (const char *)p + size - canary_size, canary_size);
+    h_memcpy_internal(&canary_value, (const char *)p + size - canary_size, canary_size);
 
 #ifdef HAS_ARM_MTE
     if (unlikely(canary_value == 0)) {
@@ -837,7 +841,7 @@ static inline void deallocate_small(void *p, const size_t *expected_size) {
 #endif
 
         if (ZERO_ON_FREE && !skip_zero) {
-            memset(p, 0, size - canary_size);
+            h_memset_internal(p, 0, size - canary_size);
         }
     }
 
@@ -1513,7 +1517,7 @@ EXPORT void *h_calloc(size_t nmemb, size_t size) {
     total_size = adjust_size_for_canary(total_size);
     void *p = alloc(total_size);
     if (!ZERO_ON_FREE && likely(p != NULL) && total_size && total_size <= max_slab_size_class) {
-        memset(p, 0, total_size - canary_size);
+        h_memset_internal(p, 0, total_size - canary_size);
     }
 #ifdef HAS_ARM_MTE
     // use an assert instead of adding a conditional to memset() above (freed memory is always
@@ -1636,7 +1640,7 @@ EXPORT void *h_realloc(void *old, size_t size) {
                 mutex_unlock(&ra->lock);
 
                 if (memory_remap_fixed(old, old_size, new, size)) {
-                    memcpy(new, old, copy_size);
+                    h_memcpy_internal(new, old, copy_size);
                     deallocate_pages(old, old_size, old_guard_size);
                 } else {
                     memory_unmap((char *)old - old_guard_size, old_guard_size);
@@ -1658,7 +1662,7 @@ EXPORT void *h_realloc(void *old, size_t size) {
     if (copy_size > 0 && copy_size <= max_slab_size_class) {
         copy_size -= canary_size;
     }
-    memcpy(new, old_orig, copy_size);
+    h_memcpy_internal(new, old_orig, copy_size);
     if (old_in_slab_region) {
         deallocate_small(old, NULL);
     } else {
@@ -1882,6 +1886,133 @@ EXPORT size_t h_malloc_object_size_fast(const void *p) {
     return SIZE_MAX;
 }
 
+#if CONFIG_BLOCK_OPS_CHECK_SIZE && !defined(HAS_ARM_MTE)
+EXPORT void *memcpy(void *restrict dst, const void *restrict src, size_t len) {
+    if (unlikely(dst == src || len == 0)) {
+        return dst;
+    }
+    if (unlikely(dst < (src + len) && (dst + len) > src)) {
+        fatal_error("memcpy overlap");
+    }
+    if (unlikely(len > malloc_object_size(src))) {
+        fatal_error("memcpy read overflow");
+    }
+    if (unlikely(len > malloc_object_size(dst))) {
+        fatal_error("memcpy buffer overflow");
+    }
+    return musl_memcpy(dst, src, len);
+}
+
+EXPORT void *memccpy(void *restrict dst, const void *restrict src, int value, size_t len) {
+    if (unlikely(dst == src || len == 0)) {
+        return dst;
+    }
+    if (unlikely(dst < (src + len) && (dst + len) > src)) {
+        fatal_error("memccpy overlap");
+    }
+    if (unlikely(len > malloc_object_size(src) && value != 0)) {
+        fatal_error("memccpy read overflow");
+    }
+    if (unlikely(len > malloc_object_size(dst))) {
+        fatal_error("memccpy buffer overflow");
+    }
+    return musl_memccpy(dst, src, value, len);
+}
+
+EXPORT void *memmove(void *dst, const void *src, size_t len) {
+    if (unlikely(dst == src || len == 0)) {
+        return dst;
+    }
+    if (unlikely(len > malloc_object_size(src))) {
+        fatal_error("memmove read overflow");
+    }
+    if (unlikely(len > malloc_object_size(dst))) {
+        fatal_error("memmove buffer overflow");
+    }
+    return musl_memmove(dst, src, len);
+}
+
+EXPORT void *mempcpy(void *restrict dst, const void *restrict src, size_t len) {
+    return memcpy(dst, src, len) + len;
+}
+
+EXPORT void *memset(void *dst, int value, size_t len) {
+    if (unlikely(len == 0)) {
+        return dst;
+    }
+    if (unlikely(len > malloc_object_size(dst))) {
+        fatal_error("memset buffer overflow");
+    }
+    return musl_memset(dst, value, len);
+}
+
+EXPORT void bcopy(const void *src, void *dst, size_t len) {
+    memmove(dst, src, len);
+}
+
+EXPORT void swab(const void *restrict src, void *restrict dst, ssize_t len) {
+    if (unlikely(len <= 0)) {
+        return;
+    }
+    size_t length = len;
+    if (unlikely(dst < (src + length) && (dst + length) > src)) {
+        fatal_error("swab overlap");
+    }
+    if (unlikely(length > malloc_object_size(src))) {
+        fatal_error("swab read overflow");
+    }
+    if (unlikely(length > malloc_object_size(dst))) {
+        fatal_error("swab buffer overflow");
+    }
+    return musl_swab(src, dst, len);
+}
+
+EXPORT wchar_t *wmemcpy(wchar_t *restrict dst, const wchar_t *restrict src, size_t len) {
+    if (unlikely(dst == src || len == 0)) {
+        return dst;
+    }
+    if (unlikely(dst < (src + len) && (dst + len) > src)) {
+        fatal_error("wmemcpy overlap");
+    }
+    size_t lenAdj = len * sizeof(wchar_t);
+    if (unlikely(lenAdj > malloc_object_size(src))) {
+        fatal_error("wmemcpy read overflow");
+    }
+    if (unlikely(lenAdj > malloc_object_size(dst))) {
+        fatal_error("wmemcpy buffer overflow");
+    }
+    return (wchar_t *)musl_memcpy((char *)dst, (const char *)src, lenAdj);
+}
+
+EXPORT wchar_t *wmemmove(wchar_t *dst, const wchar_t *src, size_t len) {
+    if (unlikely(dst == src || len == 0)) {
+        return dst;
+    }
+    size_t lenAdj = len * sizeof(wchar_t);
+    if (unlikely(lenAdj > malloc_object_size(src))) {
+        fatal_error("wmemmove read overflow");
+    }
+    if (unlikely(lenAdj > malloc_object_size(dst))) {
+        fatal_error("wmemmove buffer overflow");
+    }
+    return (wchar_t *)musl_memmove((char *)dst, (const char *)src, lenAdj);
+}
+
+EXPORT wchar_t *wmempcpy(wchar_t *restrict dst, const wchar_t *restrict src, size_t len) {
+    return wmemcpy(dst, src, len) + len;
+}
+
+EXPORT wchar_t *wmemset(wchar_t *dst, wchar_t value, size_t len) {
+    if (unlikely(len == 0)) {
+        return dst;
+    }
+    if (unlikely((len * sizeof(wchar_t)) > malloc_object_size(dst))) {
+        fatal_error("wmemset buffer overflow");
+    }
+    return musl_wmemset(dst, value, len);
+}
+#endif /* CONFIG_BLOCK_OPS_CHECK_SIZE && !defined(HAS_ARM_MTE) */
+
 EXPORT int h_mallopt(UNUSED int param, UNUSED int value) {
 #ifdef __ANDROID__
     if (param == M_PURGE) {

include/h_malloc.h

@@ -55,6 +55,27 @@ __attribute__((malloc)) __attribute__((alloc_size(2))) __attribute__((alloc_alig
 void *h_aligned_alloc(size_t alignment, size_t size);
 void h_free(void *ptr);
 
+#if CONFIG_BLOCK_OPS_CHECK_SIZE && !defined(HAS_ARM_MTE)
+void *memcpy(void *dst, const void *src, size_t len);
+void *memccpy(void *dst, const void *src, int value, size_t len);
+void *memmove(void *dst, const void *src, size_t len);
+void *mempcpy(void *dst, const void *src, size_t len);
+void *memset(void *dst, int value, size_t len);
+void bcopy(const void *src, void *dst, size_t len);
+void swab(const void *src, void *dst, ssize_t len);
+wchar_t *wmemcpy(wchar_t *dst, const wchar_t *src, size_t len);
+wchar_t *wmemmove(wchar_t *dst, const wchar_t *src, size_t len);
+wchar_t *wmempcpy(wchar_t *dst, const wchar_t *src, size_t len);
+wchar_t *wmemset(wchar_t *dst, wchar_t value, size_t len);
+#define h_memcpy_internal musl_memcpy
+#define h_memmove_internal musl_memmove
+#define h_memset_internal musl_memset
+#else
+#define h_memcpy_internal memcpy
+#define h_memmove_internal memmove
+#define h_memset_internal memset
+#endif
+
 // POSIX
 int h_posix_memalign(void **memptr, size_t alignment, size_t size);
 

memccpy.c

@@ -0,0 +1,38 @@
+#include "musl.h"
+
+/* Copied from musl libc version 1.2.5 licensed under the MIT license */
+
+#include <string.h>
+#include <stdint.h>
+#include <limits.h>
+
+#define ALIGN (sizeof(size_t)-1)
+#define ONES ((size_t)-1/UCHAR_MAX)
+#define HIGHS (ONES * (UCHAR_MAX/2+1))
+#define HASZERO(x) (((x)-ONES) & ~(x) & HIGHS)
+
+void *musl_memccpy(void *restrict dest, const void *restrict src, int c, size_t n)
+{
+	unsigned char *d = dest;
+	const unsigned char *s = src;
+
+	c = (unsigned char)c;
+#ifdef __GNUC__
+	typedef size_t __attribute__((__may_alias__)) word;
+	word *wd;
+	const word *ws;
+	if (((uintptr_t)s & ALIGN) == ((uintptr_t)d & ALIGN)) {
+		for (; ((uintptr_t)s & ALIGN) && n && (*d=*s)!=c; n--, s++, d++);
+		if ((uintptr_t)s & ALIGN) goto tail;
+		size_t k = ONES * c;
+		wd=(void *)d; ws=(const void *)s;
+		for (; n>=sizeof(size_t) && !HASZERO(*ws^k);
+		       n-=sizeof(size_t), ws++, wd++) *wd = *ws;
+		d=(void *)wd; s=(const void *)ws;
+	}
+#endif
+	for (; n && (*d=*s)!=c; n--, s++, d++);
+tail:
+	if (n) return d+1;
+	return 0;
+}