From c2d7db1c7d650ec6b1ca006812404c8fd4bcf01e Mon Sep 17 00:00:00 2001
From: Ivan Lozano
Date: Tue, 9 Jan 2018 09:56:54 -0800
Subject: [PATCH] Overflow sanitization in frameworks/ and system/.
Enables signed and unsigned integer overflow sanitization on-by-default for modules in frameworks/ and system/ by using the integer_overflow sanitization setting. This applies sanitization to dynamically linked binaries and shared libraries, and comes with a default set of regex for functions to exclude from sanitization. (see build/soong/cc/config/integer_overflow_blacklist.txt)
Prepare to enable minimal runtime diagnostics for integer overflow sanitization on userdebug and eng builds.
Adds an additional Make and product variable pair to apply integer overflow sanitization by default to additional code paths.
Bug: 30969751
Bug: 63927620
Test: Included paths are being sanitized.
Test: CTS test suite run on Pixel, runtime errors resolved.
Test: Performance impact in benchmarks acceptable.
Test: Boot-up successful on current Google devices.
Test: Teamfooded in diagnostics mode on Pixel for a month.
Test: Phone calls, camera photos + videos, bluetooth pairing.
Test: Wifi, work profiles, streaming videos, app installation.
Test: Split-screen, airplane mode, battery saver.
Test: Toggling accessibility settings.
Change-Id: Icc7a558c86f8655267afb4ca01b316773325c91a
---
 core/config_sanitizers.mk | 35 ++++++++++++++++++++++++++++++++++-
 core/envsetup.mk | 5 +++++
 core/product.mk | 1 +
 core/product_config.mk | 5 +++++
 core/soong_config.mk | 1 +
 5 files changed, 46 insertions(+), 1 deletion(-)
diff --git a/core/config_sanitizers.mk b/core/config_sanitizers.mk
index 94151430f..2064d8dda 100644
--- a/core/config_sanitizers.mk
+++ b/core/config_sanitizers.mk
@@ -34,6 +34,26 @@ ifneq ($(filter integer_overflow, $(my_global_sanitize)),)
 endif
 endif
+# Enable integer overflow sanitizer in included paths.
+# (includes override excludes)
+ifeq ($(my_clang),true)
+ ifndef LOCAL_IS_HOST_MODULE
+ ifeq ($(filter integer_overflow, $(my_sanitize)),)
+ combined_include_paths := $(DEFAULT_INTEGER_OVERFLOW_PATHS) \
+ $(INTEGER_OVERFLOW_INCLUDE_PATHS) \
+ $(PRODUCT_INTEGER_OVERFLOW_INCLUDE_PATHS)
+ ifneq ($(strip $(foreach dir,$(subst $(comma),$(space),$(combined_include_paths)),\
+ $(filter $(dir)%,$(LOCAL_PATH)))),)
+ my_global_sanitize := integer_overflow $(my_sanitize)
+ # Ensure default paths do not run in diagnostics unless SANITIZE_TARGET_DIAG
+ ifneq ($(filter integer_overflow, $(SANITIZE_TARGET_DIAG)),)
+ my_global_sanitize_diag := integer_overflow $(my_sanitize_diag)
+ endif
+ endif
+ endif
+ endif
+endif
+
 # Disable global CFI in excluded paths
 ifneq ($(filter cfi, $(my_global_sanitize)),)
 combined_exclude_paths := $(CFI_EXCLUDE_PATHS) \
@@ -211,6 +231,19 @@ ifneq ($(filter coverage,$(my_sanitize)),)
 my_sanitize := $(filter-out coverage,$(my_sanitize))
 endif
+# Use minimal diagnostics when integer overflow is enabled on userdebug and eng
+# and full diagnostics not enabled.
+ifneq ($(findstring integer,$(my_sanitize)),)
+ ifeq ($(findstring integer,$(my_sanitize_diag)),)
+ ifeq ($(filter address,$(my_sanitize)),)
+ # TODO(ivanlozano): uncomment after switch to clang-4536805
+ ifneq ($(filter $(TARGET_BUILD_VARIANT),userdebug eng),)
+ # my_cflags += -fsanitize-minimal-runtime
+ endif
+ endif
+ endif
+endif
+
 ifneq ($(filter integer_overflow,$(my_sanitize)),)
 ifneq ($(filter SHARED_LIBRARIES EXECUTABLES,$(LOCAL_MODULE_CLASS)),)
 ifneq ($(LOCAL_FORCE_STATIC_EXECUTABLE),true)
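Review bot: `my_global_sanitize := integer_overflow $(my_sanitize)` replaces the whole global sanitizer list instead of extending it, so any sanitizer that reached my_global_sanitize from SANITIZE_TARGET (the CFI block just below this one still reads that variable) is silently dropped for every module under frameworks/ and system/, and the module-local my_sanitize list is copied into the global one in its place. The diag line has the same shape: `my_global_sanitize_diag := integer_overflow $(my_sanitize_diag)`. Unless discarding global sanitizers for these paths is intended, both lines should prepend to the variable they assign: `my_global_sanitize := integer_overflow $(my_global_sanitize)` and `my_global_sanitize_diag := integer_overflow $(my_global_sanitize_diag)`. How my_global_sanitize and my_sanitize are merged later in the file is outside this hunk, so I cannot confirm from here whether the copied entries also end up duplicated.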
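Review bot: The block headed `# Use minimal diagnostics when integer overflow is enabled on userdebug and eng` is a no-op in this commit: its only effective line, `# my_cflags += -fsanitize-minimal-runtime`, is commented out, yet the header reads as if minimal diagnostics were already in force. Either leave the block out until the clang update lands, or make the comment describe the current state, e.g. `# Minimal-runtime diagnostics for integer overflow on userdebug/eng are not yet enabled (see TODO below).` Note also that this block selects on `findstring integer` while the block immediately after it uses `filter integer_overflow`; if the looser match (which also catches `integer` and the `*-integer-overflow` spellings) is deliberate, a one-line comment saying so would save the next reader a question.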
@@ -226,7 +259,7 @@ ifneq ($(filter integer_overflow,$(my_sanitize)),)
 my_cflags += -ftrap-function=abort
 my_cflags += $(INTEGER_OVERFLOW_EXTRA_CFLAGS)
- # Check for diagnostics mode (on by default).
+ # Check for diagnostics mode.
 ifneq ($(filter integer_overflow,$(my_sanitize_diag)),)
 my_cflags += -fno-sanitize-trap=signed-integer-overflow,unsigned-integer-overflow
 my_shared_libraries := $($(LOCAL_2ND_ARCH_VAR_PREFIX)UBSAN_RUNTIME_LIBRARY) $(my_shared_libraries)
diff --git a/core/envsetup.mk b/core/envsetup.mk
index 05add605d..a945b6228 100644
--- a/core/envsetup.mk
+++ b/core/envsetup.mk
@@ -657,3 +657,8 @@ endif
 ifeq ($(CALLED_FROM_SETUP),true)
 PRINT_BUILD_CONFIG ?= true
 endif
+
+# Set default integer overflow sanitization paths.
+# Separate from INTEGER_OVERFLOW_INCLUDE_PATHS to ensure this is not overridden.
+DEFAULT_INTEGER_OVERFLOW_PATHS := frameworks/ \
+ system/
diff --git a/core/product.mk b/core/product.mk
index f15f6b370..725d15b8d 100644
--- a/core/product.mk
+++ b/core/product.mk
@@ -146,6 +146,7 @@ _product_var_list := \
 PRODUCT_SYSTEM_HEADROOM \
 PRODUCT_MINIMIZE_JAVA_DEBUG_INFO \
 PRODUCT_INTEGER_OVERFLOW_EXCLUDE_PATHS \
+ PRODUCT_INTEGER_OVERFLOW_INCLUDE_PATHS \
 PRODUCT_ADB_KEYS \
 PRODUCT_CFI_INCLUDE_PATHS \
 PRODUCT_CFI_EXCLUDE_PATHS \
diff --git a/core/product_config.mk b/core/product_config.mk
index 5b0e2574e..5bc85f04e 100644
--- a/core/product_config.mk
+++ b/core/product_config.mk
@@ -463,6 +463,11 @@ PRODUCT_MINIMIZE_JAVA_DEBUG_INFO := \
 PRODUCT_INTEGER_OVERFLOW_EXCLUDE_PATHS := \
 $(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_INTEGER_OVERFLOW_EXCLUDE_PATHS))
+# Paths that should have integer overflow sanitization applied by default
+# (overrides excludes)
+PRODUCT_INTEGER_OVERFLOW_INCLUDE_PATHS := \
+ $(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_INTEGER_OVERFLOW_INCLUDE_PATHS))
+
 # ADB keys for debuggable builds
 PRODUCT_ADB_KEYS :=
 ifneq ($(filter eng userdebug,$(TARGET_BUILD_VARIANT)),)
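Review bot: In the envsetup.mk hunk, the comment `# Separate from INTEGER_OVERFLOW_INCLUDE_PATHS to ensure this is not overridden.` promises more than a plain `:=` delivers: any makefile parsed after envsetup.mk can reassign DEFAULT_INTEGER_OVERFLOW_PATHS, and a command-line `DEFAULT_INTEGER_OVERFLOW_PATHS=` replaces it outright, which would silently switch off the default sanitization for frameworks/ and system/ that the CFI-style include/exclude blocks rely on. If the value is meant to be fixed, `override DEFAULT_INTEGER_OVERFLOW_PATHS := frameworks/ system/` rejects both ordinary reassignment and the command-line case. Otherwise narrow the comment to what is actually guaranteed, e.g. `# Kept separate from INTEGER_OVERFLOW_INCLUDE_PATHS so product configs add to that variable instead of replacing the defaults.`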
diff --git a/core/soong_config.mk b/core/soong_config.mk
index c7eefc987..cd5a5934d 100644
--- a/core/soong_config.mk
+++ b/core/soong_config.mk
@@ -94,6 +94,7 @@ $(call add_json_bool, Safestack, $(filter true,$(USE_SAF
 $(call add_json_bool, EnableCFI, $(call invert_bool,$(filter false,$(ENABLE_CFI))))
 $(call add_json_list, CFIExcludePaths, $(CFI_EXCLUDE_PATHS) $(PRODUCT_CFI_EXCLUDE_PATHS))
 $(call add_json_list, CFIIncludePaths, $(CFI_INCLUDE_PATHS) $(PRODUCT_CFI_INCLUDE_PATHS))
+$(call add_json_list, IntegerOverflowIncludePaths, $(DEFAULT_INTEGER_OVERFLOW_PATHS) $(INTEGER_OVERFLOW_INCLUDE_PATHS) $(PRODUCT_INTEGER_OVERFLOW_INCLUDE_PATHS))
 $(call add_json_list, IntegerOverflowExcludePaths, $(INTEGER_OVERFLOW_EXCLUDE_PATHS) $(PRODUCT_INTEGER_OVERFLOW_EXCLUDE_PATHS))
 $(call add_json_bool, ClangTidy, $(filter 1 true,$(WITH_TIDY)))
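Review bot: The Make side states that include paths win over excludes (`# (includes override excludes)` in config_sanitizers.mk), but the new `IntegerOverflowIncludePaths` line hands Soong two independent JSON lists with no statement of precedence, and whether Soong resolves an overlap the same way is decided in its sanitizer code, which is not visible here. A comment on this line would record the contract the Make side assumes: `# Entries here take precedence over IntegerOverflowExcludePaths; Soong must apply the same include-over-exclude rule as config_sanitizers.mk.` Since the default paths are the ones that turn sanitization on for frameworks/ and system/, a mismatch between the two build systems would leave modules unsanitized on one side without any visible error.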