Your library is built correctly. FORTIFY_SOURCE works by substituting, at
compile time, different versions of libc functions depending on whether or
not the compiler knows the size of the buffer you're dealing with. The
implementation of those functions continues to be in libc.
Consider the following code:
1: int main(int argc, char ** argv) {
2: char buf[10];
3: memcpy(buf, "0123456789", sizeof(buf));
4: // The next line will segfault with Android's FORTIFY_SOURCE extensions
5: size_t buf_len = strlen(buf);
6: size_t argv0_len = strlen(argv[0]);
7: printf("%d %d\n", buf_len, argv0_len);
8: return 0;
9: }
When -D_FORTIFY_SOURCE=1 is enabled, the code essentially gets rewritten to:
1: int main(int argc, char ** argv) {
2: char buf[10];
3: memcpy(buf, "0123456789", sizeof(buf));
4: // The next line will segfault with Android's FORTIFY_SOURCE extensions
*5: size_t buf_len = __strlen_chk(buf, sizeof(buf));*
6: size_t argv0_len = strlen(argv[0]);
7: printf("%d %d\n", buf_len, argv0_len);
8: return 0;
9: }
Note the substitution on line 5, but not on line 6. That's because, on
line 5, we know the length of the buffer we're dealing with, whereas line 6
has no compile time information about the size of argv[0].
Because the implementation of these functions remains in libc, attempting
to run programs compiled with FORTIFY_SOURCE on older Android releases will
result in dynamic linking errors. Older Android libc versions just don't
implement the various __*_chk functions. This isn't a problem for binaries
that ship with the platform, but is problematic for developers looking to
create binaries that work across all Android releases.
You have a few options:
1) Don't use FORTIFY_SOURCE.
2) Statically link a copy of libc into your libext.so
3) Supply an implementation of the various __*_chk methods in your code.
In theory, it might be possible to implement FORTIFY_SOURCE entirely as
inline functions, so that there's no need for __*_chk functions in libc.
Neither Android's libc nor GNU's libc have taken that route.
Hope this helps.
-- Nick
On Sat, Jan 26, 2013 at 10:17 AM, Herve Sibert <[email protected]>wrote:
> Thank you, that's working as well.
>
> The additional shared lib I use from an Android 4.2 build (call it
> libext.so) has undef deps on the libc functionsit uses, but now this
> includes __strlen_chk , __strcat_chk and __strncpy_chk, which are indeed in
> libc.so from my 4.2, but not in the NDK.
>
> I'm wondering why libext.so does not have undefs on strlen, strcat and
> strncpy instead (as they are those that are finally called). Does it have
> to do with the inlining used in fortifying? Ie. is it normal that shared
> libs built with the toolchain have direct dependencies on the fortified
> functions, or is my libext.so wrongly built?
>
> Just trying out to figure a clean workaround (e.g. how to mix this
> libext.so with *any* NDK version)
>
>
> On Saturday, January 26, 2013 3:58:22 PM UTC+1, nnk wrote:
>
>>
>> You're running into a couple of different problems here.
>>
>> 1) AFAIK, FORTIFY_SOURCE support isn't in the NDK yet.
>> 2) Some of the FORTIFY_SOURCE extensions (i.e., fortified strlen(),
>> strchr(), strrchr(), maybe umask()) were committed after the code freeze
>> for the 4.2* series. They'll be available in a future Android release.
>>
>> To hack around your problem, you can supply your own implementation of
>> __strlen_chk() in your code. Android's implementation can be found at
>> https://android.**googlesource.com/platform/**
>> bionic/+/master/libc/bionic/__**strlen_chk.cpp<https://android.googlesource.com/platform/bionic/+/master/libc/bionic/__strlen_chk.cpp>
>>
>>
>>
>>
>> On Sat, Jan 26, 2013 at 4:29 AM, Herve Sibert <[email protected]>wrote:
>>
>>> Hi,
>>>
>>> It seems that the latest NDK version does not support this, as building
>>> a native app using the NDK and shared libs from an Android 4.2 device (i.e.
>>> compiled with FORTIFY_SOURCE enabled) fails, mentioning undef references to
>>> some of the related functions (e.g. __strlen_chk).
>>>
>>> Do you confirm this, and if so when will there be an Android NDK that is
>>> compatible with FORTIFY_SOURCE (I can always replace the original libs of
>>> the NDK with those I got from the device, but that's rather a temporary fix)
>>>
>>> Cheers
>>> Hervé
>>>
>>>
>>> On Sunday, November 18, 2012 7:01:58 PM UTC+1, Jeffrey Walton wrote:
>>>
>>>> Awesome job. Thanks.
>>>>
>>>> On Sun, Nov 18, 2012 at 10:40 AM, Nick Kralevich <[email protected]>
>>>> wrote:
>>>> >
>>>> > -D_FORTIFY_SOURCE=1 protections were added in Android in 4.2, and
>>>> almost all
>>>> > programs on 4.2 are compiled with FORTIFY_SOURCE enabled.
>>>> >
>>>> > Some implementation notes, for those curious:
>>>> >
>>>> > FORTIFY_SOURCE protections are only enabled for applications compiled
>>>> with
>>>> > gcc. In particiular, llvm does not support the gnu_inline function
>>>> attribute
>>>> > necessary for FORTIFY_SOURCE to work.
>>>> > FORTIFY_SOURCE protections are only enabled on ARM based systems.
>>>> MIPS and
>>>> > x86 Android systems do not currently have it enabled.
>>>> >
>>>> > The following Android libc functions are fortified:
>>>> >
>>>> > bzero
>>>> > memcpy
>>>> > memmove
>>>> > strcpy
>>>> > strncpy
>>>> > strcat
>>>> > strncat
>>>> > memset
>>>> > strlcpy (not in GLIBC)
>>>> > strlcat (not in GLIBC)
>>>> > strlen (bionic FORTIFY_SOURCE extension. Detect strlen calls on
>>>> non-null
>>>> > terminated character arrays.)
>>>> > umask (bionic FORTIFY_SOURCE extension. Detect invalid umask calls.
>>>> For
>>>> > example: umask(777) instead of umask(0777))
>>>> > open
>>>> > openat
>>>> > vsnprintf
>>>> > vsprintf
>>>> > snprintf
>>>> > sprintf
>>>> > fgets
>>>> >
>>>> > FORTIFY_SOURCE was just one of the security hardening measures added
>>>> in 4.2.
>>>> > A more complete list can be found at
>>>> > http://developer.android.com/**a**bout/versions/jelly-bean.html<http://developer.android.com/about/versions/jelly-bean.html>
>>>> >
>>>> > -- Nick
>>>> >
>>>> > On Sun, Nov 18, 2012 at 3:55 AM, Pau Oliva Fora <[email protected]>
>>>> wrote:
>>>> >>
>>>> >> I believe yes, but not sure if support is completed.
>>>> >>
>>>> >> You can check through the git commits for tag android-4.2_r1 here:
>>>> >>
>>>> >> https://android.googlesource.**c**om/platform/bionic.git/+/**andro**
>>>> id-4.2_r1<https://android.googlesource.com/platform/bionic.git/+/android-4.2_r1>
>>>> >>
>>>> >> Cheers,
>>>> >>
>>>> >> pof
>>>> >>
>>>> >>
>>>> >> On 11/18/2012 11:05 AM, Jeffrey Walton wrote:
>>>> >>>
>>>> >>> Did Android 4.2 add support for FORTIFY_SOURCE=1?
>>>> >>>
>>>> >>
>>>> >> --
>>>> >> You received this message because you are subscribed to the Google
>>>> Groups
>>>> >> "Android Security Discussions" group.
>>>> >> To post to this group, send email to
>>>> >> android-secu...@**googlegroups.**com.
>>>> >> To unsubscribe from this group, send email to
>>>> >> android-security-discuss+**unsub**[email protected].
>>>> >> For more options, visit this group at
>>>> >> http://groups.google.com/**group**/android-security-**discuss?hl=**
>>>> en <http://groups.google.com/group/android-security-discuss?hl=en>.
>>>> >>
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > Nick Kralevich | Android Security | [email protected] | 650.214.4037
>>>> >
>>>>
>>>
>>
>>
>> --
>> Nick Kralevich | Android Security | [email protected] | 650.214.4037
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To post to this group, send email to
> [email protected].
>
> To unsubscribe from this group, send email to
> [email protected].
> Visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>
--
Nick Kralevich | Android Security | [email protected] | 650.214.4037
--
You received this message because you are subscribed to the Google Groups
"Android Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
Visit this group at
http://groups.google.com/group/android-security-discuss?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
