From 99d92506acb95c908aceaf23af54f76e2800cabf Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Sun, 14 Jun 2015 11:38:30 -0700
Subject: [PATCH] Add support for LOCAL_DETECT_INTEGER_OVERFLOWS

Add build system support for LOCAL_DETECT_INTEGER_OVERFLOWS. When enabled, an attempt to perform an integer arithmetic operation which overflows will result in a call to abort(). This is intended for security sensitive code, where integer overflow operations are not expected nor desirable.

Two classes of underflows/overflows are detected and blocked:

1) Signed integer underflow/overflow.
2) Unsigned integer underflow/overflows.

Signed integer overflows are undefined behavior, according to the C standard. Unsigned integer overflows are defined behavior, but still undesirable in security sensitive code.

Only clang is supported today. gcc has -ftrapv for handling signed integer overflow, but it's widely considered broken (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=35412) and we're deliberately avoiding it's use here.

Change-Id: Ib4918dc84e37e83d4205e5035544545d91671e5f
Vaguely-Related-Bug: 11859726
---
 core/clear_vars.mk | 1 +
 core/config_sanitizers.mk | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/core/clear_vars.mk b/core/clear_vars.mk
index 48cedce064..21b8294072 100644
--- a/core/clear_vars.mk
+++ b/core/clear_vars.mk
@@ -151,6 +151,7 @@ LOCAL_CTS_TEST_PACKAGE:=
 LOCAL_CTS_TEST_RUNNER:=
 LOCAL_CLANG:=
 LOCAL_ADDRESS_SANITIZER:=
+LOCAL_DETECT_INTEGER_OVERFLOWS:=
 LOCAL_JAR_EXCLUDE_FILES:=
 LOCAL_JAR_PACKAGES:=
 LOCAL_JAR_EXCLUDE_PACKAGES:=
diff --git a/core/config_sanitizers.mk b/core/config_sanitizers.mk
index b116283ffc..563a33478c 100644
--- a/core/config_sanitizers.mk
+++ b/core/config_sanitizers.mk
@@ -105,3 +105,13 @@ ifneq ($(strip $(LOCAL_SANITIZE_RECOVER)),)
 recover_arg := $(subst $(space),$(comma),$(LOCAL_SANITIZE_RECOVER)),
 my_cflags += -fsanitize-recover=$(recover_arg)
 endif
+
+ifeq ($(strip $(LOCAL_DETECT_INTEGER_OVERFLOWS)),true)
+ ifeq ($(my_clang),true)
+ my_cflags += -fsanitize=signed-integer-overflow,unsigned-integer-overflow
+ my_cflags += -ftrap-function=abort
+ my_cflags += -fsanitize-undefined-trap-on-error
+ else
+ $(error $(LOCAL_MODULE): You must enable LOCAL_CLANG:=true to use LOCAL_DETECT_INTEGER_OVERFLOWS)
+ endif
+endif
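Review bot: The `-fsanitize-undefined-trap-on-error` added to `my_cflags` is not scoped to the two overflow checks; as far as I can tell it puts every UBSan check enabled for the module into trap mode, so a module that also sets LOCAL_SANITIZE_RECOVER (handled by the `-fsanitize-recover=$(recover_arg)` line in the context just above) would still abort on those checks with the recover flag silently ignored. If that is intended, a comment stating it would save the next reader a debugging session, e.g. `# Trap mode applies to every UBSan check enabled for this module; LOCAL_SANITIZE_RECOVER has no effect on it.` Because `unsigned-integer-overflow` flags arithmetic the C standard defines, code with intentional modular arithmetic (hashes, checksums, crypto primitives) will now abort unless those functions carry `__attribute__((no_sanitize("unsigned-integer-overflow")))`, and the block should say so where module owners will read it. A short header comment above `ifeq ($(strip $(LOCAL_DETECT_INTEGER_OVERFLOWS)),true)` naming the role of each of the three flags — check selection, trap instead of the ubsan runtime, abort() as the trap function — would also make the clang-only `$(error …)` branch self-explanatory.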