libsanitizer/asan/asan_poisoning.cc

   1 //===-- asan_poisoning.cc -------------------------------------------------===//
   2 //
   3 // This file is distributed under the University of Illinois Open Source
   4 // License. See LICENSE.TXT for details.
   5 //
   6 //===----------------------------------------------------------------------===//
   7 //
   8 // This file is a part of AddressSanitizer, an address sanity checker.
   9 //
  10 // Shadow memory poisoning by ASan RTL and by user application.
  11 //===----------------------------------------------------------------------===//
  12
  13 #include "asan_interceptors.h"
  14 #include "asan_internal.h"
  15 #include "asan_mapping.h"
  16 #include "sanitizer/asan_interface.h"
  17
  18 namespace __asan {
  19
  20 void PoisonShadow(uptr addr, uptr size, u8 value) {
  21   CHECK(AddrIsAlignedByGranularity(addr));
  22   CHECK(AddrIsAlignedByGranularity(addr + size));
  23   uptr shadow_beg = MemToShadow(addr);
  24   uptr shadow_end = MemToShadow(addr + size);
  25   CHECK(REAL(memset) != 0);
  26   REAL(memset)((void*)shadow_beg, value, shadow_end - shadow_beg);
  27 }
  28
  29 void PoisonShadowPartialRightRedzone(uptr addr,
  30                                      uptr size,
  31                                      uptr redzone_size,
  32                                      u8 value) {
  33   CHECK(AddrIsAlignedByGranularity(addr));
  34   u8 *shadow = (u8*)MemToShadow(addr);
  35   for (uptr i = 0; i < redzone_size;
  36        i += SHADOW_GRANULARITY, shadow++) {
  37     if (i + SHADOW_GRANULARITY <= size) {
  38       *shadow = 0;  // fully addressable
  39     } else if (i >= size) {
  40       *shadow = (SHADOW_GRANULARITY == 128) ? 0xff : value;  // unaddressable
  41     } else {
  42       *shadow = size - i;  // first size-i bytes are addressable
  43     }
  44   }
  45 }
  46
  47
  48 struct ShadowSegmentEndpoint {
  49   u8 *chunk;
  50   s8 offset;  // in [0, SHADOW_GRANULARITY)
  51   s8 value;  // = *chunk;
  52
  53   explicit ShadowSegmentEndpoint(uptr address) {
  54     chunk = (u8*)MemToShadow(address);
  55     offset = address & (SHADOW_GRANULARITY - 1);
  56     value = *chunk;
  57   }
  58 };
  59
  60 }  // namespace __asan
  61
  62 // ---------------------- Interface ---------------- {{{1
  63 using namespace __asan;  // NOLINT
  64
  65 // Current implementation of __asan_(un)poison_memory_region doesn't check
  66 // that user program (un)poisons the memory it owns. It poisons memory
  67 // conservatively, and unpoisons progressively to make sure asan shadow
  68 // mapping invariant is preserved (see detailed mapping description here:
  69 // http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm).
  70 //
  71 // * if user asks to poison region [left, right), the program poisons
  72 // at least [left, AlignDown(right)).
  73 // * if user asks to unpoison region [left, right), the program unpoisons
  74 // at most [AlignDown(left), right).
  75 void __asan_poison_memory_region(void const volatile *addr, uptr size) {
  76   if (!flags()->allow_user_poisoning || size == 0) return;
  77   uptr beg_addr = (uptr)addr;
  78   uptr end_addr = beg_addr + size;
  79   if (flags()->verbosity >= 1) {
  80     Printf("Trying to poison memory region [%p, %p)\n",
  81            (void*)beg_addr, (void*)end_addr);
  82   }
  83   ShadowSegmentEndpoint beg(beg_addr);
  84   ShadowSegmentEndpoint end(end_addr);
  85   if (beg.chunk == end.chunk) {
  86     CHECK(beg.offset < end.offset);
  87     s8 value = beg.value;
  88     CHECK(value == end.value);
  89     // We can only poison memory if the byte in end.offset is unaddressable.
  90     // No need to re-poison memory if it is poisoned already.
  91     if (value > 0 && value <= end.offset) {
  92       if (beg.offset > 0) {
  93         *beg.chunk = Min(value, beg.offset);
  94       } else {
  95         *beg.chunk = kAsanUserPoisonedMemoryMagic;
  96       }
  97     }
  98     return;
  99   }
 100   CHECK(beg.chunk < end.chunk);
 101   if (beg.offset > 0) {
 102     // Mark bytes from beg.offset as unaddressable.
 103     if (beg.value == 0) {
 104       *beg.chunk = beg.offset;
 105     } else {
 106       *beg.chunk = Min(beg.value, beg.offset);
 107     }
 108     beg.chunk++;
 109   }
 110   REAL(memset)(beg.chunk, kAsanUserPoisonedMemoryMagic, end.chunk - beg.chunk);
 111   // Poison if byte in end.offset is unaddressable.
 112   if (end.value > 0 && end.value <= end.offset) {
 113     *end.chunk = kAsanUserPoisonedMemoryMagic;
 114   }
 115 }
 116
 117 void __asan_unpoison_memory_region(void const volatile *addr, uptr size) {
 118   if (!flags()->allow_user_poisoning || size == 0) return;
 119   uptr beg_addr = (uptr)addr;
 120   uptr end_addr = beg_addr + size;
 121   if (flags()->verbosity >= 1) {
 122     Printf("Trying to unpoison memory region [%p, %p)\n",
 123            (void*)beg_addr, (void*)end_addr);
 124   }
 125   ShadowSegmentEndpoint beg(beg_addr);
 126   ShadowSegmentEndpoint end(end_addr);
 127   if (beg.chunk == end.chunk) {
 128     CHECK(beg.offset < end.offset);
 129     s8 value = beg.value;
 130     CHECK(value == end.value);
 131     // We unpoison memory bytes up to enbytes up to end.offset if it is not
 132     // unpoisoned already.
 133     if (value != 0) {
 134       *beg.chunk = Max(value, end.offset);
 135     }
 136     return;
 137   }
 138   CHECK(beg.chunk < end.chunk);
 139   if (beg.offset > 0) {
 140     *beg.chunk = 0;
 141     beg.chunk++;
 142   }
 143   REAL(memset)(beg.chunk, 0, end.chunk - beg.chunk);
 144   if (end.offset > 0 && end.value != 0) {
 145     *end.chunk = Max(end.value, end.offset);
 146   }
 147 }
 148
 149 bool __asan_address_is_poisoned(void const volatile *addr) {
 150   return __asan::AddressIsPoisoned((uptr)addr);
 151 }