Thank you, that's working as well. The additional shared lib I use from an Android 4.2 build (call it libext.so) has undef deps on the libc functionsit uses, but now this includes __strlen_chk , __strcat_chk and __strncpy_chk, which are indeed in libc.so from my 4.2, but not in the NDK.
I'm wondering why libext.so does not have undefs on strlen, strcat and strncpy instead (as they are those that are finally called). Does it have to do with the inlining used in fortifying? Ie. is it normal that shared libs built with the toolchain have direct dependencies on the fortified functions, or is my libext.so wrongly built? Just trying out to figure a clean workaround (e.g. how to mix this libext.so with *any* NDK version) On Saturday, January 26, 2013 3:58:22 PM UTC+1, nnk wrote: > > > You're running into a couple of different problems here. > > 1) AFAIK, FORTIFY_SOURCE support isn't in the NDK yet. > 2) Some of the FORTIFY_SOURCE extensions (i.e., fortified strlen(), > strchr(), strrchr(), maybe umask()) were committed after the code freeze > for the 4.2* series. They'll be available in a future Android release. > > To hack around your problem, you can supply your own implementation of > __strlen_chk() in your code. Android's implementation can be found at > https://android.googlesource.com/platform/bionic/+/master/libc/bionic/__strlen_chk.cpp > > > > > On Sat, Jan 26, 2013 at 4:29 AM, Herve Sibert > <herve....@gmail.com<javascript:> > > wrote: > >> Hi, >> >> It seems that the latest NDK version does not support this, as building a >> native app using the NDK and shared libs from an Android 4.2 device (i.e. >> compiled with FORTIFY_SOURCE enabled) fails, mentioning undef references to >> some of the related functions (e.g. __strlen_chk). >> >> Do you confirm this, and if so when will there be an Android NDK that is >> compatible with FORTIFY_SOURCE (I can always replace the original libs of >> the NDK with those I got from the device, but that's rather a temporary fix) >> >> Cheers >> Hervé >> >> >> On Sunday, November 18, 2012 7:01:58 PM UTC+1, Jeffrey Walton wrote: >> >>> Awesome job. Thanks. >>> >>> On Sun, Nov 18, 2012 at 10:40 AM, Nick Kralevich <n...@google.com> >>> wrote: >>> > >>> > -D_FORTIFY_SOURCE=1 protections were added in Android in 4.2, and >>> almost all >>> > programs on 4.2 are compiled with FORTIFY_SOURCE enabled. >>> > >>> > Some implementation notes, for those curious: >>> > >>> > FORTIFY_SOURCE protections are only enabled for applications compiled >>> with >>> > gcc. In particiular, llvm does not support the gnu_inline function >>> attribute >>> > necessary for FORTIFY_SOURCE to work. >>> > FORTIFY_SOURCE protections are only enabled on ARM based systems. MIPS >>> and >>> > x86 Android systems do not currently have it enabled. >>> > >>> > The following Android libc functions are fortified: >>> > >>> > bzero >>> > memcpy >>> > memmove >>> > strcpy >>> > strncpy >>> > strcat >>> > strncat >>> > memset >>> > strlcpy (not in GLIBC) >>> > strlcat (not in GLIBC) >>> > strlen (bionic FORTIFY_SOURCE extension. Detect strlen calls on >>> non-null >>> > terminated character arrays.) >>> > umask (bionic FORTIFY_SOURCE extension. Detect invalid umask calls. >>> For >>> > example: umask(777) instead of umask(0777)) >>> > open >>> > openat >>> > vsnprintf >>> > vsprintf >>> > snprintf >>> > sprintf >>> > fgets >>> > >>> > FORTIFY_SOURCE was just one of the security hardening measures added >>> in 4.2. >>> > A more complete list can be found at >>> > http://developer.android.com/**about/versions/jelly-bean.html<http://developer.android.com/about/versions/jelly-bean.html> >>> > >>> > >>> > -- Nick >>> > >>> > On Sun, Nov 18, 2012 at 3:55 AM, Pau Oliva Fora <p...@eslack.org> >>> wrote: >>> >> >>> >> I believe yes, but not sure if support is completed. >>> >> >>> >> You can check through the git commits for tag android-4.2_r1 here: >>> >> >>> >> https://android.googlesource.**com/platform/bionic.git/+/** >>> android-4.2_r1<https://android.googlesource.com/platform/bionic.git/+/android-4.2_r1> >>> >>> >> >>> >> Cheers, >>> >> >>> >> pof >>> >> >>> >> >>> >> On 11/18/2012 11:05 AM, Jeffrey Walton wrote: >>> >>> >>> >>> Did Android 4.2 add support for FORTIFY_SOURCE=1? >>> >>> >>> >> >>> >> -- >>> >> You received this message because you are subscribed to the Google >>> Groups >>> >> "Android Security Discussions" group. >>> >> To post to this group, send email to >>> >> android-secu...@**googlegroups.com. >>> >> To unsubscribe from this group, send email to >>> >> android-security-discuss+**unsubscr...@googlegroups.com. >>> >> For more options, visit this group at >>> >> http://groups.google.com/**group/android-security-**discuss?hl=en<http://groups.google.com/group/android-security-discuss?hl=en>. >>> >> >>> >>> >> >>> > >>> > >>> > >>> > -- >>> > Nick Kralevich | Android Security | n...@google.com | 650.214.4037 >>> > >>> >> > > > -- > Nick Kralevich | Android Security | n...@google.com <javascript:> | > 650.214.4037 > -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to android-security-discuss@googlegroups.com. To unsubscribe from this group, send email to android-security-discuss+unsubscr...@googlegroups.com. Visit this group at http://groups.google.com/group/android-security-discuss?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
