perform size checks on various operations

Signed-off-by: Tavi <tavi@divested.dev>
Co-authored-by: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>

CREDITS

@@ -23,7 +23,7 @@ h_malloc.c open-addressed hash table (regions_grow, regions_insert, regions_find
     ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
     OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-memcpy.c, memccpy.c, memmove.c, memset.c, wmemset.c:
+memcpy.c, memccpy.c, memmove.c, memset.c, swab.c, wmemset.c:
     Copyright © 2005-2020 Rich Felker, et al.
 
     Permission is hereby granted, free of charge, to any person obtaining

LICENSE

@@ -1,4 +1,4 @@
-Copyright © 2018-2024 GrapheneOS
+Copyright © 2018-2025 GrapheneOS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Makefile

@@ -41,7 +41,7 @@ LDFLAGS := $(LDFLAGS) -Wl,-O1,--as-needed,-z,defs,-z,relro,-z,now,-z,nodlopen,-z
 
 SOURCES := chacha.c h_malloc.c memory.c pages.c random.c util.c
 ifeq ($(CONFIG_BLOCK_OPS_CHECK_SIZE),true)
-    SOURCES += memcpy.c memccpy.c memmove.c memset.c wmemset.c
+    SOURCES += memcpy.c memccpy.c memmove.c memset.c swab.c wmemset.c
     BOSC_EXTRAS := musl.h
 endif
 OBJECTS := $(SOURCES:.c=.o)
@@ -148,6 +148,8 @@ $(OUT)/memmove.o: memmove.c musl.h $(CONFIG_FILE) | $(OUT)
 	$(COMPILE.c) -Wno-cast-align $(OUTPUT_OPTION) $<
 $(OUT)/memset.o: memset.c musl.h $(CONFIG_FILE) | $(OUT)
 	$(COMPILE.c) -Wno-cast-align $(OUTPUT_OPTION) $<
+$(OUT)/swab.o: swab.c musl.h $(CONFIG_FILE) | $(OUT)
+	$(COMPILE.c) -Wno-cast-align $(OUTPUT_OPTION) $<
 $(OUT)/wmemset.o: wmemset.c musl.h $(CONFIG_FILE) | $(OUT)
 	$(COMPILE.c) $(OUTPUT_OPTION) $<
 

chacha.c

@@ -41,7 +41,7 @@ static const unsigned rounds = 8;
     a = PLUS(a, b); d = ROTATE(XOR(d, a), 8); \
     c = PLUS(c, d); b = ROTATE(XOR(b, c), 7);
 
-static const char sigma[16] = "expand 32-byte k";
+static const char sigma[16] NONSTRING = "expand 32-byte k";
 
 void chacha_keysetup(chacha_ctx *x, const u8 *k) {
     x->input[0] = U8TO32_LITTLE(sigma + 0);

h_malloc.c

@@ -1902,7 +1902,7 @@ EXPORT void *memccpy(void *restrict dst, const void *restrict src, int value, si
     if (unlikely(dst < (src + len) && (dst + len) > src)) {
         fatal_error("memccpy overlap");
     }
-    if (unlikely(len > malloc_object_size(src))) {
+    if (unlikely(len > malloc_object_size(src) && value != 0)) {
         fatal_error("memccpy read overflow");
     }
     if (unlikely(len > malloc_object_size(dst))) {
@@ -1924,6 +1924,10 @@ EXPORT void *memmove(void *dst, const void *src, size_t len) {
     return musl_memmove(dst, src, len);
 }
 
+EXPORT void *mempcpy(void *restrict dst, const void *restrict src, size_t len) {
+    return memcpy(dst, src, len) + len;
+}
+
 EXPORT void *memset(void *dst, int value, size_t len) {
     if (unlikely(len == 0)) {
         return dst;
@@ -1934,6 +1938,27 @@ EXPORT void *memset(void *dst, int value, size_t len) {
     return musl_memset(dst, value, len);
 }
 
+EXPORT void bcopy(const void *src, void *dst, size_t len) {
+    memmove(dst, src, len);
+}
+
+EXPORT void swab(const void *restrict src, void *restrict dst, ssize_t len) {
+    if (unlikely(len <= 0)) {
+        return;
+    }
+    size_t length = len;
+    if (unlikely(dst < (src + length) && (dst + length) > src)) {
+        fatal_error("swab overlap");
+    }
+    if (unlikely(length > malloc_object_size(src))) {
+        fatal_error("swab read overflow");
+    }
+    if (unlikely(length > malloc_object_size(dst))) {
+        fatal_error("swab buffer overflow");
+    }
+    return musl_swab(src, dst, len);
+}
+
 EXPORT wchar_t *wmemcpy(wchar_t *restrict dst, const wchar_t *restrict src, size_t len) {
     if (unlikely(dst == src || len == 0)) {
         return dst;
@@ -1965,6 +1990,10 @@ EXPORT wchar_t *wmemmove(wchar_t *dst, const wchar_t *src, size_t len) {
     return (wchar_t *)musl_memmove((char *)dst, (const char *)src, lenAdj);
 }
 
+EXPORT wchar_t *wmempcpy(wchar_t *restrict dst, const wchar_t *restrict src, size_t len) {
+    return wmemcpy(dst, src, len) + len;
+}
+
 EXPORT wchar_t *wmemset(wchar_t *dst, wchar_t value, size_t len) {
     if (unlikely(len == 0)) {
         return dst;

include/h_malloc.h

@@ -59,9 +59,13 @@ void h_free(void *ptr);
 void *memcpy(void *dst, const void *src, size_t len);
 void *memccpy(void *dst, const void *src, int value, size_t len);
 void *memmove(void *dst, const void *src, size_t len);
+void *mempcpy(void *dst, const void *src, size_t len);
 void *memset(void *dst, int value, size_t len);
+void bcopy(const void *src, void *dst, size_t len);
+void swab(const void *src, void *dst, ssize_t len);
 wchar_t *wmemcpy(wchar_t *dst, const wchar_t *src, size_t len);
 wchar_t *wmemmove(wchar_t *dst, const wchar_t *src, size_t len);
+wchar_t *wmempcpy(wchar_t *dst, const wchar_t *src, size_t len);
 wchar_t *wmemset(wchar_t *dst, wchar_t value, size_t len);
 #define h_memcpy_internal musl_memcpy
 #define h_memmove_internal musl_memmove

musl.h

@@ -1,9 +1,11 @@
 #pragma once
 
 #include <stddef.h>
+#include <sys/types.h>
 
 void *musl_memcpy(void *dst, const void *src, size_t len);
 void *musl_memccpy(void *restrict dest, const void *restrict src, int c, size_t n);
 void *musl_memmove(void *dst, const void *src, size_t len);
 void *musl_memset(void *dst, int value, size_t len);
+void musl_swab(const void *_src, void *_dest, ssize_t n);
 wchar_t *musl_wmemset(wchar_t *dst, wchar_t value, size_t len);

swab.c

@@ -0,0 +1,17 @@
+#include "musl.h"
+
+/* Copied from musl libc version 1.2.5 licensed under the MIT license */
+
+#include <unistd.h>
+
+void musl_swab(const void *restrict _src, void *restrict _dest, ssize_t n)
+{
+       const char *src = _src;
+       char *dest = _dest;
+       for (; n>1; n-=2) {
+               dest[0] = src[1];
+               dest[1] = src[0];
+               dest += 2;
+               src += 2;
+       }
+}

util.h

@@ -32,6 +32,13 @@
 #define STRINGIFY(s) #s
 #define ALIAS(f) __attribute__((alias(STRINGIFY(f))))
 
+// supported since GCC 15
+#if __has_attribute (nonstring)
+#  define NONSTRING __attribute__ ((nonstring))
+#else
+#  define NONSTRING
+#endif
+
 typedef uint8_t u8;
 typedef uint16_t u16;
 typedef uint32_t u32;