2 * Tiny C Memory and bounds checker
4 * Copyright (c) 2002 Fabrice Bellard
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 /* define so that bound array is static (faster, but use memory if
24 bound checking not used) */
25 //#define BOUND_STATIC
27 #define BOUND_T1_BITS 13
28 #define BOUND_T2_BITS 11
29 #define BOUND_T3_BITS (32 - BOUND_T1_BITS - BOUND_T2_BITS)
31 #define BOUND_T1_SIZE (1 << BOUND_T1_BITS)
32 #define BOUND_T2_SIZE (1 << BOUND_T2_BITS)
33 #define BOUND_T3_SIZE (1 << BOUND_T3_BITS)
34 #define BOUND_E_BITS 4
36 #define BOUND_T23_BITS (BOUND_T2_BITS + BOUND_T3_BITS)
37 #define BOUND_T23_SIZE (1 << BOUND_T23_BITS)
40 /* this pointer is generated when bound check is incorrect */
41 #define INVALID_POINTER ((void *)(-2))
42 /* size of an empty region */
43 #define EMPTY_SIZE 0xffffffff
44 /* size of an invalid region */
45 #define INVALID_SIZE 0
47 typedef struct BoundEntry
{
50 struct BoundEntry
*next
;
51 unsigned long is_invalid
; /* true if pointers outside region are invalid */
54 /* external interface */
55 void __bound_init(void);
56 void __bound_new_region(void *p
, unsigned long size
);
57 int __bound_delete_region(void *p
);
59 /* currently, tcc cannot compile that because we use unsupported GNU C
61 #if !defined(__TINYC__)
62 void *__bound_ptr_add(void *p
, int offset
) __attribute__((regparm(2)));
63 void *__bound_ptr_indir1(void *p
, int offset
) __attribute__((regparm(2)));
64 void *__bound_ptr_indir2(void *p
, int offset
) __attribute__((regparm(2)));
65 void *__bound_ptr_indir4(void *p
, int offset
) __attribute__((regparm(2)));
66 void *__bound_ptr_indir8(void *p
, int offset
) __attribute__((regparm(2)));
67 void *__bound_ptr_indir12(void *p
, int offset
) __attribute__((regparm(2)));
68 void *__bound_ptr_indir16(void *p
, int offset
) __attribute__((regparm(2)));
69 void __bound_local_new(void *p
) __attribute__((regparm(1)));
70 void __bound_local_delete(void *p
) __attribute__((regparm(1)));
72 static void *get_caller_pc(int n
);
74 void *__bound_malloc(size_t size
, const void *caller
);
75 void *__bound_memalign(size_t size
, size_t align
, const void *caller
);
76 void __bound_free(void *ptr
, const void *caller
);
77 void *__bound_realloc(void *ptr
, size_t size
, const void *caller
);
78 static void *libc_malloc(size_t size
);
79 static void libc_free(void *ptr
);
80 static void install_malloc_hooks(void);
81 static void restore_malloc_hooks(void);
83 static void *saved_malloc_hook
;
84 static void *saved_free_hook
;
85 static void *saved_realloc_hook
;
86 static void *saved_memalign_hook
;
91 static BoundEntry
*__bound_t1
[BOUND_T1_SIZE
]; /* page table */
93 static BoundEntry
**__bound_t1
; /* page table */
95 static BoundEntry
*__bound_empty_t2
; /* empty page, for unused pages */
96 static BoundEntry
*__bound_invalid_t2
; /* invalid page, for invalid pointers */
98 static BoundEntry
*__bound_find_region(BoundEntry
*e1
, void *p
)
100 unsigned long addr
, tmp
;
105 addr
= (unsigned long)p
;
107 if (addr
<= e
->size
) {
108 /* put region at the head */
110 e1
->start
= e
->start
;
119 /* no entry found: return empty entry or invalid entry */
121 return __bound_invalid_t2
;
123 return __bound_empty_t2
;
126 /* print a bound error and recurse thru 'nb_callers' to get the error
128 static void bound_error(const void *caller
, const char *fmt
, ...)
130 rt_error((unsigned long)caller
, "%s", fmt
);
133 static void bound_alloc_error(void)
135 bound_error(NULL
, "not enough memory for bound checking code\n");
138 /* currently, tcc cannot compile that because we use GNUC extensions */
139 #if !defined(__TINYC__)
141 /* return '(p + offset)' for pointer arithmetic (a pointer can reach
142 the end of a region in this case */
143 void *__bound_ptr_add(void *p
, int offset
)
145 unsigned long addr
= (unsigned long)p
;
147 #if defined(BOUND_DEBUG)
148 printf("add: 0x%x %d\n", (int)p
, offset
);
151 e
= __bound_t1
[addr
>> (BOUND_T2_BITS
+ BOUND_T3_BITS
)];
152 e
= (BoundEntry
*)((char *)e
+
153 ((addr
>> (BOUND_T3_BITS
- BOUND_E_BITS
)) &
154 ((BOUND_T2_SIZE
- 1) << BOUND_E_BITS
)));
156 if (addr
> e
->size
) {
157 e
= __bound_find_region(e
, p
);
158 addr
= (unsigned long)p
- e
->start
;
162 return INVALID_POINTER
; /* return an invalid pointer */
166 /* return '(p + offset)' for pointer indirection (the resulting must
167 be strictly inside the region */
168 #define BOUND_PTR_INDIR(dsize) \
169 void *__bound_ptr_indir ## dsize (void *p, int offset) \
171 unsigned long addr = (unsigned long)p; \
174 e = __bound_t1[addr >> (BOUND_T2_BITS + BOUND_T3_BITS)]; \
175 e = (BoundEntry *)((char *)e + \
176 ((addr >> (BOUND_T3_BITS - BOUND_E_BITS)) & \
177 ((BOUND_T2_SIZE - 1) << BOUND_E_BITS))); \
179 if (addr > e->size) { \
180 e = __bound_find_region(e, p); \
181 addr = (unsigned long)p - e->start; \
183 addr += offset + dsize; \
184 if (addr > e->size) \
185 return INVALID_POINTER; /* return an invalid pointer */ \
191 /* return the PC of the N'th caller (N=1: first caller) */
192 static void *get_caller_pc(int n
)
197 __asm__
__volatile__ ("movl %%ebp,%0" :"=g" (fp
));
199 fp
= ((unsigned long *)fp
)[0];
200 return ((void **)fp
)[1];
203 /* return the frame pointer of the caller */
204 #define GET_CALLER_FP(fp)\
207 __asm__ __volatile__ ("movl %%ebp,%0" :"=g" (fp1));\
211 #error put code to extract the calling frame pointer
214 /* called when entering a function to add all the local regions */
215 void __bound_local_new(void *p1
)
217 unsigned long addr
, size
, fp
, *p
= p1
;
226 __bound_new_region((void *)addr
, size
);
230 /* called when leaving a function to delete all the local regions */
231 void __bound_local_delete(void *p1
)
233 unsigned long addr
, fp
, *p
= p1
;
241 __bound_delete_region((void *)addr
);
247 void __bound_local_new(void *p
)
250 void __bound_local_delete(void *p
)
254 void *__bound_ptr_add(void *p
, int offset
)
259 #define BOUND_PTR_INDIR(dsize) \
260 void *__bound_ptr_indir ## dsize (void *p, int offset) \
265 static void *get_caller_pc(int n
)
278 static BoundEntry
*__bound_new_page(void)
283 page
= libc_malloc(sizeof(BoundEntry
) * BOUND_T2_SIZE
);
286 for(i
=0;i
<BOUND_T2_SIZE
;i
++) {
287 /* put empty entries */
289 page
[i
].size
= EMPTY_SIZE
;
291 page
[i
].is_invalid
= 0;
296 /* currently we use malloc(). Should use bound_new_page() */
297 static BoundEntry
*bound_new_entry(void)
300 e
= libc_malloc(sizeof(BoundEntry
));
304 static void bound_free_entry(BoundEntry
*e
)
309 static inline BoundEntry
*get_page(int index
)
312 page
= __bound_t1
[index
];
313 if (page
== __bound_empty_t2
|| page
== __bound_invalid_t2
) {
314 /* create a new page if necessary */
315 page
= __bound_new_page();
316 __bound_t1
[index
] = page
;
321 /* mark a region as being invalid (can only be used during init) */
322 static void mark_invalid(unsigned long addr
, unsigned long size
)
324 unsigned long start
, end
;
326 int t1_start
, t1_end
, i
, j
, t2_start
, t2_end
;
331 t2_start
= (start
+ BOUND_T3_SIZE
- 1) >> BOUND_T3_BITS
;
333 t2_end
= end
>> BOUND_T3_BITS
;
335 t2_end
= 1 << (BOUND_T1_BITS
+ BOUND_T2_BITS
);
338 printf("mark_invalid: start = %x %x\n", t2_start
, t2_end
);
341 /* first we handle full pages */
342 t1_start
= (t2_start
+ BOUND_T2_SIZE
- 1) >> BOUND_T2_BITS
;
343 t1_end
= t2_end
>> BOUND_T2_BITS
;
345 i
= t2_start
& (BOUND_T2_SIZE
- 1);
346 j
= t2_end
& (BOUND_T2_SIZE
- 1);
348 if (t1_start
== t1_end
) {
349 page
= get_page(t2_start
>> BOUND_T2_BITS
);
351 page
[i
].size
= INVALID_SIZE
;
352 page
[i
].is_invalid
= 1;
356 page
= get_page(t2_start
>> BOUND_T2_BITS
);
357 for(; i
< BOUND_T2_SIZE
; i
++) {
358 page
[i
].size
= INVALID_SIZE
;
359 page
[i
].is_invalid
= 1;
362 for(i
= t1_start
; i
< t1_end
; i
++) {
363 __bound_t1
[i
] = __bound_invalid_t2
;
366 page
= get_page(t1_end
);
367 for(i
= 0; i
< j
; i
++) {
368 page
[i
].size
= INVALID_SIZE
;
369 page
[i
].is_invalid
= 1;
375 void __bound_init(void)
379 unsigned long start
, size
;
381 /* save malloc hooks and install bound check hooks */
382 install_malloc_hooks();
385 __bound_t1
= libc_malloc(BOUND_T1_SIZE
* sizeof(BoundEntry
*));
389 __bound_empty_t2
= __bound_new_page();
390 for(i
=0;i
<BOUND_T1_SIZE
;i
++) {
391 __bound_t1
[i
] = __bound_empty_t2
;
394 page
= __bound_new_page();
395 for(i
=0;i
<BOUND_T2_SIZE
;i
++) {
396 /* put invalid entries */
398 page
[i
].size
= INVALID_SIZE
;
400 page
[i
].is_invalid
= 1;
402 __bound_invalid_t2
= page
;
404 /* invalid pointer zone */
405 start
= (unsigned long)INVALID_POINTER
& ~(BOUND_T23_SIZE
- 1);
406 size
= BOUND_T23_SIZE
;
407 mark_invalid(start
, size
);
409 #if !defined(__TINYC__)
410 /* malloc zone is also marked invalid */
411 start
= (unsigned long)&_end
;
412 size
= 128 * 0x100000;
413 mark_invalid(start
, size
);
417 static inline void add_region(BoundEntry
*e
,
418 unsigned long start
, unsigned long size
)
422 /* no region : add it */
426 /* already regions in the list: add it at the head */
427 e1
= bound_new_entry();
428 e1
->start
= e
->start
;
437 /* create a new region. It should not already exist in the region list */
438 void __bound_new_region(void *p
, unsigned long size
)
440 unsigned long start
, end
;
441 BoundEntry
*page
, *e
, *e2
;
442 int t1_start
, t1_end
, i
, t2_start
, t2_end
;
444 start
= (unsigned long)p
;
446 t1_start
= start
>> (BOUND_T2_BITS
+ BOUND_T3_BITS
);
447 t1_end
= end
>> (BOUND_T2_BITS
+ BOUND_T3_BITS
);
450 page
= get_page(t1_start
);
451 t2_start
= (start
>> (BOUND_T3_BITS
- BOUND_E_BITS
)) &
452 ((BOUND_T2_SIZE
- 1) << BOUND_E_BITS
);
453 t2_end
= (end
>> (BOUND_T3_BITS
- BOUND_E_BITS
)) &
454 ((BOUND_T2_SIZE
- 1) << BOUND_E_BITS
);
456 printf("new %lx %lx %x %x %x %x\n",
457 start
, end
, t1_start
, t1_end
, t2_start
, t2_end
);
460 e
= (BoundEntry
*)((char *)page
+ t2_start
);
461 add_region(e
, start
, size
);
463 if (t1_end
== t1_start
) {
464 /* same ending page */
465 e2
= (BoundEntry
*)((char *)page
+ t2_end
);
472 add_region(e
, start
, size
);
475 /* mark until end of page */
476 e2
= page
+ BOUND_T2_SIZE
;
482 /* mark intermediate pages, if any */
483 for(i
=t1_start
+1;i
<t1_end
;i
++) {
485 e2
= page
+ BOUND_T2_SIZE
;
486 for(e
=page
;e
<e2
;e
++) {
492 page
= get_page(t2_end
);
493 e2
= (BoundEntry
*)((char *)page
+ t2_end
);
494 for(e
=page
;e
<e2
;e
++) {
498 add_region(e
, start
, size
);
502 /* delete a region */
503 static inline void delete_region(BoundEntry
*e
,
504 void *p
, unsigned long empty_size
)
509 addr
= (unsigned long)p
;
511 if (addr
<= e
->size
) {
512 /* region found is first one */
515 /* no more region: mark it empty */
517 e
->size
= empty_size
;
519 /* copy next region in head */
520 e
->start
= e1
->start
;
523 bound_free_entry(e1
);
526 /* find the matching region */
530 /* region not found: do nothing */
533 addr
= (unsigned long)p
- e
->start
;
534 if (addr
<= e
->size
) {
535 /* found: remove entry */
544 /* WARNING: 'p' must be the starting point of the region. */
545 /* return non zero if error */
546 int __bound_delete_region(void *p
)
548 unsigned long start
, end
, addr
, size
, empty_size
;
549 BoundEntry
*page
, *e
, *e2
;
550 int t1_start
, t1_end
, t2_start
, t2_end
, i
;
552 start
= (unsigned long)p
;
553 t1_start
= start
>> (BOUND_T2_BITS
+ BOUND_T3_BITS
);
554 t2_start
= (start
>> (BOUND_T3_BITS
- BOUND_E_BITS
)) &
555 ((BOUND_T2_SIZE
- 1) << BOUND_E_BITS
);
557 /* find region size */
558 page
= __bound_t1
[t1_start
];
559 e
= (BoundEntry
*)((char *)page
+ t2_start
);
560 addr
= start
- e
->start
;
562 e
= __bound_find_region(e
, p
);
563 /* test if invalid region */
564 if (e
->size
== EMPTY_SIZE
|| (unsigned long)p
!= e
->start
)
566 /* compute the size we put in invalid regions */
568 empty_size
= INVALID_SIZE
;
570 empty_size
= EMPTY_SIZE
;
574 /* now we can free each entry */
575 t1_end
= end
>> (BOUND_T2_BITS
+ BOUND_T3_BITS
);
576 t2_end
= (end
>> (BOUND_T3_BITS
- BOUND_E_BITS
)) &
577 ((BOUND_T2_SIZE
- 1) << BOUND_E_BITS
);
579 delete_region(e
, p
, empty_size
);
580 if (t1_end
== t1_start
) {
581 /* same ending page */
582 e2
= (BoundEntry
*)((char *)page
+ t2_end
);
587 e
->size
= empty_size
;
589 delete_region(e
, p
, empty_size
);
592 /* mark until end of page */
593 e2
= page
+ BOUND_T2_SIZE
;
597 e
->size
= empty_size
;
599 /* mark intermediate pages, if any */
600 /* XXX: should free them */
601 for(i
=t1_start
+1;i
<t1_end
;i
++) {
603 e2
= page
+ BOUND_T2_SIZE
;
604 for(e
=page
;e
<e2
;e
++) {
606 e
->size
= empty_size
;
610 page
= get_page(t2_end
);
611 e2
= (BoundEntry
*)((char *)page
+ t2_end
);
612 for(e
=page
;e
<e2
;e
++) {
614 e
->size
= empty_size
;
616 delete_region(e
, p
, empty_size
);
621 /* return the size of the region starting at p, or EMPTY_SIZE if non
623 static unsigned long get_region_size(void *p
)
625 unsigned long addr
= (unsigned long)p
;
628 e
= __bound_t1
[addr
>> (BOUND_T2_BITS
+ BOUND_T3_BITS
)];
629 e
= (BoundEntry
*)((char *)e
+
630 ((addr
>> (BOUND_T3_BITS
- BOUND_E_BITS
)) &
631 ((BOUND_T2_SIZE
- 1) << BOUND_E_BITS
)));
634 e
= __bound_find_region(e
, p
);
635 if (e
->start
!= (unsigned long)p
)
640 /* patched memory functions */
642 static void install_malloc_hooks(void)
644 saved_malloc_hook
= __malloc_hook
;
645 saved_free_hook
= __free_hook
;
646 saved_realloc_hook
= __realloc_hook
;
647 saved_memalign_hook
= __memalign_hook
;
648 __malloc_hook
= __bound_malloc
;
649 __free_hook
= __bound_free
;
650 __realloc_hook
= __bound_realloc
;
651 __memalign_hook
= __bound_memalign
;
654 static void restore_malloc_hooks(void)
656 __malloc_hook
= saved_malloc_hook
;
657 __free_hook
= saved_free_hook
;
658 __realloc_hook
= saved_realloc_hook
;
659 __memalign_hook
= saved_memalign_hook
;
662 static void *libc_malloc(size_t size
)
665 restore_malloc_hooks();
667 install_malloc_hooks();
671 static void libc_free(void *ptr
)
673 restore_malloc_hooks();
675 install_malloc_hooks();
678 /* XXX: we should use a malloc which ensure that it is unlikely that
679 two malloc'ed data have the same address if 'free' are made in
681 void *__bound_malloc(size_t size
, const void *caller
)
685 /* we allocate one more byte to ensure the regions will be
686 separated by at least one byte. With the glibc malloc, it may
687 be in fact not necessary */
688 ptr
= libc_malloc(size
+ 1);
692 __bound_new_region(ptr
, size
);
696 void *__bound_memalign(size_t size
, size_t align
, const void *caller
)
700 restore_malloc_hooks();
702 /* we allocate one more byte to ensure the regions will be
703 separated by at least one byte. With the glibc malloc, it may
704 be in fact not necessary */
705 ptr
= memalign(size
+ 1, align
);
707 install_malloc_hooks();
711 __bound_new_region(ptr
, size
);
715 void __bound_free(void *ptr
, const void *caller
)
719 if (__bound_delete_region(ptr
) != 0)
720 bound_error(caller
, "freeing invalid region");
725 void *__bound_realloc(void *ptr
, size_t size
, const void *caller
)
731 __bound_free(ptr
, caller
);
734 ptr1
= __bound_malloc(size
, caller
);
735 if (ptr
== NULL
|| ptr1
== NULL
)
737 old_size
= get_region_size(ptr
);
738 if (old_size
== EMPTY_SIZE
)
739 bound_error(caller
, "realloc'ing invalid pointer");
740 memcpy(ptr1
, ptr
, old_size
);
741 __bound_free(ptr
, caller
);
747 static void bound_dump(void)
749 BoundEntry
*page
, *e
;
752 printf("region dump:\n");
753 for(i
=0;i
<BOUND_T1_SIZE
;i
++) {
754 page
= __bound_t1
[i
];
755 for(j
=0;j
<BOUND_T2_SIZE
;j
++) {
757 /* do not print invalid or empty entries */
758 if (e
->size
!= EMPTY_SIZE
&& e
->start
!= 0) {
760 (i
<< (BOUND_T2_BITS
+ BOUND_T3_BITS
)) +
761 (j
<< BOUND_T3_BITS
));
763 printf(" %08lx:%08lx", e
->start
, e
->start
+ e
->size
);
773 /* some useful checked functions */
775 /* check that (p ... p + size - 1) lies inside 'p' region, if any */
776 static void __bound_check(const void *p
, ssize_t size
)
780 p
= __bound_ptr_add((void *)p
, size
);
781 if (p
== INVALID_POINTER
)
782 bound_error(get_caller_pc(2), "invalid pointer");
785 void *__bound_memcpy(void *dst
, const void *src
, size_t size
)
787 __bound_check(dst
, size
);
788 __bound_check(src
, size
);
789 /* check also region overlap */
790 if (src
>= dst
&& src
< dst
+ size
)
791 bound_error(get_caller_pc(1), "memcpy: overlapping regions");
792 return memcpy(dst
, src
, size
);
795 void *__bound_memmove(void *dst
, const void *src
, size_t size
)
797 __bound_check(dst
, size
);
798 __bound_check(src
, size
);
799 return memmove(dst
, src
, size
);
802 void *__bound_memset(void *dst
, int c
, size_t size
)
804 __bound_check(dst
, size
);
805 return memset(dst
, c
, size
);
808 /* resolve check check syms */
809 typedef struct BCSyms
{
814 static BCSyms bcheck_syms
[] = {
815 { "memcpy", __bound_memcpy
},
816 { "memmove", __bound_memmove
},
817 { "memset", __bound_memset
},
821 static void *bound_resolve_sym(const char *sym
)
825 while (p
->str
!= NULL
) {
826 if (!strcmp(p
->str
, sym
))