Search code examples
androidc++android-sourceandroid-runtime

When __strlen_chk called?

as part of my project, I try to write a feature inside android art, and for some reason I get exception on __strlen_chk

my trace is:

DEBUG   : Revision: '0'
DEBUG   : ABI: 'arm'
DEBUG   : pid: 969, tid: 1346, name: PackageManager  >>> system_server <<<
DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
DEBUG   :     r0 00000000  r1 00000000  r2 80808080  r3 8f005a30
DEBUG   :     r4 00000000  r5 8f005a4b  r6 0000000a  r7 0000002f
DEBUG   :     r8 ac6add18  r9 0000002f  sl 975f4e20  fp 0000002f
DEBUG   :     ip 00000000  sp 975f4d48  lr ac7fda91  pc ac7c7198  cpsr 40000030
DEBUG   :
DEBUG   : backtrace:
DEBUG   :     #00 pc 00018198  /system/lib/libc.so (strlen+47)
DEBUG   :     #01 pc 0004ea8d  /system/lib/libc.so (__strlen_chk+4)
DEBUG   :     #02 pc 00377bb7  /system/lib/libart.so (my_identifier1+186)
DEBUG   :     #03 pc 000b539f  /system/lib/libart.so (my_art_secret+178)
DEBUG   :     #04 pc 001294b9  /system/lib/libart.so (my_art_secret2+348)
DEBUG   :     #05 pc 002ca3e9  /system/lib/libart.so (my_art_secret3+72)
DEBUG   :     #06 pc 002c7d55  /system/lib/libart.so (my_art_secret4+352)
DEBUG   :     #07 pc 002a3589  /system/lib/libart.so (my_art_secret5+264)

and my code look something like that:

void my_identifier1(const uint8_t* bbbb, size_t sss, const std::string& str) {
  std::string error_msg;

  std::string secret = nullptr;
  if (!str.empty() && !this_my_problem(str, sss)) {
    error_msg = StringPrintf("secret '%s' secret:%zu", str.empty()? "secret secret" : str.c_str(), sss);
    return;
  }
}

but for really understading my problem, I want to know what is __strlen_chk used for, and when it called?

this is his code that I find on the net:

size_t __strlen_chk(const char *s, size_t s_len)
{
    size_t ret = strlen(s);
    if (__builtin_expect(ret >= s_len, 0)) {
        __libc_android_log_print(ANDROID_LOG_FATAL, "libc",
            "*** strlen read overflow detected ***\n");
        abort();
    }
    return ret;
}

seems like it check for buffer overflow, but when it called?

sorry about my ofbuscated code, it's from privacy reasons.

Thanks!

Solution

  • __strlen_chk uses a double underscore, which indicates an internal part of the library. From the context, it's clear that it's called from std::string::string(const char* src).

    Now that's a constructor which takes a null-terminated string as an input. But nullptr is not null-terminated. In fact, it doesn't point to any character at all, and it therfore doesn't even have a string length.