| blob | 9df3929834f9e0702ee23559d93db1b953581932 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
6 */
8 /* Code in this file needs to be kept in sync with code in nsPresArena.cpp.
9 *
10 * We want to use a fixed address for frame poisoning so that it is readily
11 * identifiable in crash dumps. Whether such an address is available
12 * without any special setup depends on the system configuration.
13 *
14 * All current 64-bit CPUs (with the possible exception of PowerPC64)
15 * reserve the vast majority of the virtual address space for future
16 * hardware extensions; valid addresses must be below some break point
17 * between 2**48 and 2**54, depending on exactly which chip you have. Some
18 * chips (notably amd64) also allow the use of the *highest* 2**48 -- 2**54
19 * addresses. Thus, if user space pointers are 64 bits wide, we can just
20 * use an address outside this range, and no more is required. To
21 * accommodate the chips that allow very high addresses to be valid, the
22 * value chosen is close to 2**63 (that is, in the middle of the space).
23 *
24 * In most cases, a purely 32-bit operating system must reserve some
25 * fraction of the address space for its own use. Contemporary 32-bit OSes
26 * tend to take the high gigabyte or so (0xC000_0000 on up). If we can
27 * prove that high addresses are reserved to the kernel, we can use an
28 * address in that region. Unfortunately, not all 32-bit OSes do this;
29 * OSX 10.4 might not, and it is unclear what mobile OSes are like
30 * (some 32-bit CPUs make it very easy for the kernel to exist in its own
31 * private address space).
32 *
33 * Furthermore, when a 32-bit user space process is running on a 64-bit
34 * kernel, the operating system has no need to reserve any of the space that
35 * the process can see, and generally does not do so. This is the scenario
36 * of greatest concern, since it covers all contemporary OSX iterations
37 * (10.5+) as well as Windows Vista and 7 on newer amd64 hardware. Linux on
38 * amd64 is generally run as a pure 64-bit environment, but its 32-bit
39 * compatibility mode also has this property.
40 *
41 * Thus, when user space pointers are 32 bits wide, we need to validate
42 * our chosen address, and possibly *make* it a good poison address by
43 * allocating a page around it and marking it inaccessible. The algorithm
44 * for this is:
45 *
46 * 1. Attempt to make the page surrounding the poison address a reserved,
47 * inaccessible memory region using OS primitives. On Windows, this is
48 * done with VirtualAlloc(MEM_RESERVE); on Unix, mmap(PROT_NONE).
49 *
50 * 2. If mmap/VirtualAlloc failed, there are two possible reasons: either
51 * the region is reserved to the kernel and no further action is
52 * required, or there is already usable memory in this area and we have
53 * to pick a different address. The tricky part is knowing which case
54 * we have, without attempting to access the region. On Windows, we
55 * rely on GetSystemInfo()'s reported upper and lower bounds of the
56 * application memory area. On Unix, there is nothing devoted to the
57 * purpose, but seeing if madvise() fails is close enough (it *might*
58 * disrupt someone else's use of the memory region, but not by as much
59 * as anything else available).
60 *
61 * Be aware of these gotchas:
62 *
63 * 1. We cannot use mmap() with MAP_FIXED. MAP_FIXED is defined to
64 * _replace_ any existing mapping in the region, if necessary to satisfy
65 * the request. Obviously, as we are blindly attempting to acquire a
66 * page at a constant address, we must not do this, lest we overwrite
67 * someone else's allocation.
68 *
69 * 2. For the same reason, we cannot blindly use mprotect() if mmap() fails.
70 *
71 * 3. madvise() may fail when applied to a 'magic' memory region provided as
72 * a kernel/user interface. Fortunately, the only such case I know about
73 * is the "vsyscall" area (not to be confused with the "vdso" area) for
74 * *64*-bit processes on Linux - and we don't even run this code for
75 * 64-bit processes.
76 *
77 * 4. VirtualQuery() does not produce any useful information if
78 * applied to kernel memory - in fact, it doesn't write its output
79 * at all. Thus, it is not used here.
80 */
82 // MAP_ANON(YMOUS) is not in any standard. Add defines as necessary.
83 #define _GNU_SOURCE 1
84 #define _DARWIN_C_SOURCE 1
86 #include <errno.h>
87 #include <inttypes.h>
88 #include <stdio.h>
89 #include <stdlib.h>
90 #include <string.h>
92 #ifdef _WIN32
93 # include <windows.h>
94 #else
95 # include <sys/types.h>
96 # include <unistd.h>
97 # include <sys/wait.h>
99 # include <sys/mman.h>
100 # ifndef MAP_ANON
101 # ifdef MAP_ANONYMOUS
102 # define MAP_ANON MAP_ANONYMOUS
103 # else
105 # endif
106 # endif
107 #endif
109 #define SIZxPTR ((int)(sizeof(uintptr_t) * 2))
111 /* This program assumes that a whole number of return instructions fit into
112 * 32 bits, and that 32-bit alignment is sufficient for a branch destination.
113 * For architectures where this is not true, fiddling with RETURN_INSTR_TYPE
114 * can be enough.
115 */
117 #if defined __i386__ || defined __x86_64__ || defined __i386 || \
118 defined __x86_64 || defined _M_IX86 || defined _M_AMD64
121 #elif defined __arm__ || defined _M_ARM
124 // PPC has its own style of CPU-id #defines. There is no Windows for
125 // PPC as far as I know, so no _M_ variant.
126 #elif defined _ARCH_PPC || defined _ARCH_PWR || defined _ARCH_PWR2
129 #elif defined __m68k__
132 #elif defined __riscv
135 #elif defined __sparc || defined __sparcv9
138 #elif defined __alpha
141 #elif defined __hppa
144 #elif defined __mips
147 # ifdef __MIPSEL
148 /* On mipsel, jr ra needs to be followed by a nop.
149 0x03e00008 as a 64 bits integer just does that */
150 # define RETURN_INSTR_TYPE uint64_t
151 # endif
153 #elif defined __s390__
156 #elif defined __sh__
159 #elif defined __aarch64__ || defined _M_ARM64
162 #elif defined __loongarch64
165 #elif defined __ia64
168 };
172 # define RETURN_INSTR _return_instr
173 # define RETURN_INSTR_TYPE ia64_instr
175 #else
177 #endif
179 #ifndef RETURN_INSTR_TYPE
180 # define RETURN_INSTR_TYPE uint32_t
181 #endif
183 // Miscellaneous Windows/Unix portability gumph
185 #ifdef _WIN32
186 // Uses of this function deliberately leak the string.
188 LPSTR errmsg;
190 FORMAT_MESSAGE_IGNORE_INSERTS,
194 // FormatMessage puts an unwanted newline at the end of the string
197 n--;
198 }
201 }
202 # define LastErrMsg() (StrW32Error(GetLastError()))
204 // Because we use VirtualAlloc in MEM_RESERVE mode, the "page size" we want
205 // is the allocation granularity.
214 }
218 }
223 }
227 # undef MAP_FAILED
228 # define MAP_FAILED 0
232 # define LastErrMsg() (strerror(errno))
242 }
247 # ifdef XP_SOLARIS
249 POSIX_MADV_NORMAL);
250 # else
252 # endif
253 }
258 }
260 #endif
264 // Use the hardware-inaccessible region.
265 // We have to avoid 64-bit constants and shifts by 32 bits, since this
266 // code is compiled in 32-bit mode, although it is never executed there.
272 }
274 // First see if we can allocate the preferred poison address from the OS.
278 // success - inaccessible page allocated
283 }
285 // That didn't work, so see if the preferred address is within a range
286 // of permanently inacessible memory.
288 // success - selected page cannot be usable memory
291 }
295 }
297 // The preferred address is already in use. Did the OS give us a
298 // consolation prize?
305 }
307 // It didn't, so try to allocate again, without any constraint on
308 // the address.
315 }
319 }
321 /* The "positive control" area confirms that we can allocate a page with the
322 * proper characteristics.
323 */
329 }
333 }
335 /* The "negative control" area confirms that our probe logic does detect a
336 * page that is readable, writable, or executable.
337 */
343 }
345 // Fill the page with return instructions.
351 }
353 // Now mark it executable as well as readable and writable.
354 // (mmap(PROT_EXEC) may fail when applied to anonymous memory.)
359 }
364 }
366 #ifndef _WIN32
368 # ifdef __ia64
373 aOpaddr,
374 };
376 # else
378 # endif
379 }
380 #endif
382 /* Test each page. */
391 // The execute test must be done before the write test, because the
392 // write test will clobber memory at the target address.
407 }
409 #ifdef _WIN32
411 MEMORY_BASIC_INFORMATION mbi = {};
421 badptr =
429 }
430 }
438 }
440 // if control reaches this point the probe succeeded
446 }
447 }
448 #else
467 }
475 }
484 }
497 }
502 }
503 }
504 #endif
505 }
507 }
510 #ifdef _WIN32
512 #else
514 #endif
522 }
530 }