| blob | ea4daf1528a038de5cd6cc808b62848aa91af9d3 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
6 */
8 /* Code in this file needs to be kept in sync with code in nsPresArena.cpp.
9 *
10 * We want to use a fixed address for frame poisoning so that it is readily
11 * identifiable in crash dumps. Whether such an address is available
12 * without any special setup depends on the system configuration.
13 *
14 * All current 64-bit CPUs (with the possible exception of PowerPC64)
15 * reserve the vast majority of the virtual address space for future
16 * hardware extensions; valid addresses must be below some break point
17 * between 2**48 and 2**54, depending on exactly which chip you have. Some
18 * chips (notably amd64) also allow the use of the *highest* 2**48 -- 2**54
19 * addresses. Thus, if user space pointers are 64 bits wide, we can just
20 * use an address outside this range, and no more is required. To
21 * accommodate the chips that allow very high addresses to be valid, the
22 * value chosen is close to 2**63 (that is, in the middle of the space).
23 *
24 * In most cases, a purely 32-bit operating system must reserve some
25 * fraction of the address space for its own use. Contemporary 32-bit OSes
26 * tend to take the high gigabyte or so (0xC000_0000 on up). If we can
27 * prove that high addresses are reserved to the kernel, we can use an
28 * address in that region. Unfortunately, not all 32-bit OSes do this;
29 * OSX 10.4 might not, and it is unclear what mobile OSes are like
30 * (some 32-bit CPUs make it very easy for the kernel to exist in its own
31 * private address space).
32 *
33 * Furthermore, when a 32-bit user space process is running on a 64-bit
34 * kernel, the operating system has no need to reserve any of the space that
35 * the process can see, and generally does not do so. This is the scenario
36 * of greatest concern, since it covers all contemporary OSX iterations
37 * (10.5+) as well as Windows Vista and 7 on newer amd64 hardware. Linux on
38 * amd64 is generally run as a pure 64-bit environment, but its 32-bit
39 * compatibility mode also has this property.
40 *
41 * Thus, when user space pointers are 32 bits wide, we need to validate
42 * our chosen address, and possibly *make* it a good poison address by
43 * allocating a page around it and marking it inaccessible. The algorithm
44 * for this is:
45 *
46 * 1. Attempt to make the page surrounding the poison address a reserved,
47 * inaccessible memory region using OS primitives. On Windows, this is
48 * done with VirtualAlloc(MEM_RESERVE); on Unix, mmap(PROT_NONE).
49 *
50 * 2. If mmap/VirtualAlloc failed, there are two possible reasons: either
51 * the region is reserved to the kernel and no further action is
52 * required, or there is already usable memory in this area and we have
53 * to pick a different address. The tricky part is knowing which case
54 * we have, without attempting to access the region. On Windows, we
55 * rely on GetSystemInfo()'s reported upper and lower bounds of the
56 * application memory area. On Unix, there is nothing devoted to the
57 * purpose, but seeing if madvise() fails is close enough (it *might*
58 * disrupt someone else's use of the memory region, but not by as much
59 * as anything else available).
60 *
61 * Be aware of these gotchas:
62 *
63 * 1. We cannot use mmap() with MAP_FIXED. MAP_FIXED is defined to
64 * _replace_ any existing mapping in the region, if necessary to satisfy
65 * the request. Obviously, as we are blindly attempting to acquire a
66 * page at a constant address, we must not do this, lest we overwrite
67 * someone else's allocation.
68 *
69 * 2. For the same reason, we cannot blindly use mprotect() if mmap() fails.
70 *
71 * 3. madvise() may fail when applied to a 'magic' memory region provided as
72 * a kernel/user interface. Fortunately, the only such case I know about
73 * is the "vsyscall" area (not to be confused with the "vdso" area) for
74 * *64*-bit processes on Linux - and we don't even run this code for
75 * 64-bit processes.
76 *
77 * 4. VirtualQuery() does not produce any useful information if
78 * applied to kernel memory - in fact, it doesn't write its output
79 * at all. Thus, it is not used here.
80 */
85 // MAP_ANON(YMOUS) is not in any standard. Add defines as necessary.
86 #define _GNU_SOURCE 1
87 #define _DARWIN_C_SOURCE 1
89 #include <stddef.h>
91 #include <errno.h>
92 #include <stdio.h>
93 #include <stdlib.h>
94 #include <string.h>
96 #ifdef _WIN32
97 #include <windows.h>
98 #else
99 #include <sys/types.h>
100 #include <fcntl.h>
101 #include <signal.h>
102 #include <unistd.h>
103 #include <sys/stat.h>
104 #include <sys/wait.h>
106 #include <sys/mman.h>
107 #ifndef MAP_ANON
108 #ifdef MAP_ANONYMOUS
109 #define MAP_ANON MAP_ANONYMOUS
110 #else
112 #endif
113 #endif
114 #endif
116 #define SIZxPTR ((int)(sizeof(uintptr_t)*2))
118 /* This program assumes that a whole number of return instructions fit into
119 * 32 bits, and that 32-bit alignment is sufficient for a branch destination.
120 * For architectures where this is not true, fiddling with RETURN_INSTR_TYPE
121 * can be enough.
122 */
124 #if defined __i386__ || defined __x86_64__ || \
125 defined __i386 || defined __x86_64 || \
126 defined _M_IX86 || defined _M_AMD64
129 #elif defined __arm__ || defined _M_ARM
132 // PPC has its own style of CPU-id #defines. There is no Windows for
133 // PPC as far as I know, so no _M_ variant.
134 #elif defined _ARCH_PPC || defined _ARCH_PWR || defined _ARCH_PWR2
137 #elif defined __sparc || defined __sparcv9
140 #elif defined __alpha
143 #elif defined __hppa
146 #elif defined __mips
149 #ifdef __MIPSEL
150 /* On mipsel, jr ra needs to be followed by a nop.
151 0x03e00008 as a 64 bits integer just does that */
152 #define RETURN_INSTR_TYPE uint64_t
153 #endif
155 #elif defined __s390__
158 #elif defined __aarch64__
161 #elif defined __ia64
166 #define RETURN_INSTR _return_instr
167 #define RETURN_INSTR_TYPE ia64_instr
169 #else
171 #endif
173 #ifndef RETURN_INSTR_TYPE
174 #define RETURN_INSTR_TYPE uint32_t
175 #endif
177 // Miscellaneous Windows/Unix portability gumph
179 #ifdef _WIN32
180 // Uses of this function deliberately leak the string.
181 static LPSTR
183 {
184 LPSTR errmsg;
186 FORMAT_MESSAGE_FROM_SYSTEM |
187 FORMAT_MESSAGE_IGNORE_INSERTS,
191 // FormatMessage puts an unwanted newline at the end of the string
194 n--;
195 }
198 }
199 #define LastErrMsg() (StrW32Error(GetLastError()))
201 // Because we use VirtualAlloc in MEM_RESERVE mode, the "page size" we want
202 // is the allocation granularity.
207 {
209 }
213 {
217 }
219 static void
221 {
223 }
225 static bool
227 {
230 }
232 static bool
234 {
236 }
238 #undef MAP_FAILED
239 #define MAP_FAILED 0
243 #define LastErrMsg() (strerror(errno))
249 {
251 }
255 {
259 }
261 static void
263 {
265 }
267 static bool
269 {
271 }
273 static int
275 {
277 }
279 #endif
281 static uintptr_t
283 {
285 // Use the hardware-inaccessible region.
286 // We have to avoid 64-bit constants and shifts by 32 bits, since this
287 // code is compiled in 32-bit mode, although it is never executed there.
293 }
295 // First see if we can allocate the preferred poison address from the OS.
299 // success - inaccessible page allocated
303 }
305 // That didn't work, so see if the preferred address is within a range
306 // of permanently inacessible memory.
308 // success - selected page cannot be usable memory
311 }
315 }
317 // The preferred address is already in use. Did the OS give us a
318 // consolation prize?
324 }
326 // It didn't, so try to allocate again, without any constraint on
327 // the address.
334 }
338 }
340 /* The "positive control" area confirms that we can allocate a page with the
341 * proper characteristics.
342 */
343 static uintptr_t
345 {
351 }
355 }
357 /* The "negative control" area confirms that our probe logic does detect a
358 * page that is readable, writable, or executable.
359 */
360 static uintptr_t
362 {
367 }
369 // Fill the page with return instructions.
376 }
378 // Now mark it executable as well as readable and writable.
379 // (mmap(PROT_EXEC) may fail when applied to anonymous memory.)
384 }
389 }
391 static void
393 {
394 #ifdef __ia64
395 struct func_call
396 {
401 #else
403 #endif
404 }
406 #ifdef _WIN32
407 static BOOL
409 {
412 #if defined(_MSC_VER) && !defined(__clang__)
413 __try {
417 }
418 #else
420 // We do our best
422 #endif
424 }
425 #endif
427 /* Test each page. */
428 static bool
430 {
437 // The execute test must be done before the write test, because the
438 // write test will clobber memory at the target address.
443 }
445 #ifdef _WIN32
446 BOOL badptr;
453 }
461 }
463 // if control reaches this point the probe succeeded
469 }
470 }
471 #else
484 }
493 }
502 }
515 }
520 }
521 }
522 #endif
523 }
525 }
527 int
529 {
530 #ifdef _WIN32
532 #else
534 #endif
542 }
550 }