search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
compiler: load LHS subexpressions of op= assignment only once
[official-gcc.git] / libsanitizer / hwasan / hwasan_allocator.cpp
blob842455150c7b3362f3940e14e10f69b544c75e4f
1 //===-- hwasan_allocator.cpp ------------------------ ---------------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file is a part of HWAddressSanitizer.
10 //
11 // HWAddressSanitizer allocator.
12 //===----------------------------------------------------------------------===//
13
14 #include "sanitizer_common/sanitizer_atomic.h"
15 #include "sanitizer_common/sanitizer_errno.h"
16 #include "sanitizer_common/sanitizer_stackdepot.h"
17 #include "hwasan.h"
18 #include "hwasan_allocator.h"
19 #include "hwasan_checks.h"
20 #include "hwasan_mapping.h"
21 #include "hwasan_malloc_bisect.h"
22 #include "hwasan_thread.h"
23 #include "hwasan_report.h"
24
25 namespace __hwasan {
26
27 static Allocator allocator;
28 static AllocatorCache fallback_allocator_cache;
29 static SpinMutex fallback_mutex;
30 static atomic_uint8_t hwasan_allocator_tagging_enabled;
31
32 static constexpr tag_t kFallbackAllocTag = 0xBB & kTagMask;
33 static constexpr tag_t kFallbackFreeTag = 0xBC;
34
35 enum RightAlignMode {
36 kRightAlignNever,
37 kRightAlignSometimes,
38 kRightAlignAlways
39 };
40
41 // Initialized in HwasanAllocatorInit, an never changed.
42 static ALIGNED(16) u8 tail_magic[kShadowAlignment - 1];
43
44 bool HwasanChunkView::IsAllocated() const {
45 return metadata_ && metadata_->alloc_context_id &&
46 metadata_->get_requested_size();
47 }
48
49 // Aligns the 'addr' right to the granule boundary.
50 static uptr AlignRight(uptr addr, uptr requested_size) {
51 uptr tail_size = requested_size % kShadowAlignment;
52 if (!tail_size) return addr;
53 return addr + kShadowAlignment - tail_size;
54 }
55
56 uptr HwasanChunkView::Beg() const {
57 if (metadata_ && metadata_->right_aligned)
58 return AlignRight(block_, metadata_->get_requested_size());
59 return block_;
60 }
61 uptr HwasanChunkView::End() const {
62 return Beg() + UsedSize();
63 }
64 uptr HwasanChunkView::UsedSize() const {
65 return metadata_->get_requested_size();
66 }
67 u32 HwasanChunkView::GetAllocStackId() const {
68 return metadata_->alloc_context_id;
69 }
70
71 uptr HwasanChunkView::ActualSize() const {
72 return allocator.GetActuallyAllocatedSize(reinterpret_cast<void *>(block_));
73 }
74
75 bool HwasanChunkView::FromSmallHeap() const {
76 return allocator.FromPrimary(reinterpret_cast<void *>(block_));
77 }
78
79 void GetAllocatorStats(AllocatorStatCounters s) {
80 allocator.GetStats(s);
81 }
82
83 uptr GetAliasRegionStart() {
84 #if defined(HWASAN_ALIASING_MODE)
85 constexpr uptr kAliasRegionOffset = 1ULL << (kTaggableRegionCheckShift - 1);
86 uptr AliasRegionStart =
87 __hwasan_shadow_memory_dynamic_address + kAliasRegionOffset;
88
89 CHECK_EQ(AliasRegionStart >> kTaggableRegionCheckShift,
90 __hwasan_shadow_memory_dynamic_address >> kTaggableRegionCheckShift);
91 CHECK_EQ(
92 (AliasRegionStart + kAliasRegionOffset - 1) >> kTaggableRegionCheckShift,
93 __hwasan_shadow_memory_dynamic_address >> kTaggableRegionCheckShift);
94 return AliasRegionStart;
95 #else
96 return 0;
97 #endif
98 }
99
100 void HwasanAllocatorInit() {
101 atomic_store_relaxed(&hwasan_allocator_tagging_enabled,
102 !flags()->disable_allocator_tagging);
103 SetAllocatorMayReturnNull(common_flags()->allocator_may_return_null);
104 allocator.Init(common_flags()->allocator_release_to_os_interval_ms,
105 GetAliasRegionStart());
106 for (uptr i = 0; i < sizeof(tail_magic); i++)
107 tail_magic[i] = GetCurrentThread()->GenerateRandomTag();
108 }
109
110 void HwasanAllocatorLock() { allocator.ForceLock(); }
111
112 void HwasanAllocatorUnlock() { allocator.ForceUnlock(); }
113
114 void AllocatorSwallowThreadLocalCache(AllocatorCache *cache) {
115 allocator.SwallowCache(cache);
116 }
117
118 static uptr TaggedSize(uptr size) {
119 if (!size) size = 1;
120 uptr new_size = RoundUpTo(size, kShadowAlignment);
121 CHECK_GE(new_size, size);
122 return new_size;
123 }
124
125 static void *HwasanAllocate(StackTrace *stack, uptr orig_size, uptr alignment,
126 bool zeroise) {
127 if (orig_size > kMaxAllowedMallocSize) {
128 if (AllocatorMayReturnNull()) {
129 Report("WARNING: HWAddressSanitizer failed to allocate 0x%zx bytes\n",
130 orig_size);
131 return nullptr;
132 }
133 ReportAllocationSizeTooBig(orig_size, kMaxAllowedMallocSize, stack);
134 }
135 if (UNLIKELY(IsRssLimitExceeded())) {
136 if (AllocatorMayReturnNull())
137 return nullptr;
138 ReportRssLimitExceeded(stack);
139 }
140
141 alignment = Max(alignment, kShadowAlignment);
142 uptr size = TaggedSize(orig_size);
143 Thread *t = GetCurrentThread();
144 void *allocated;
145 if (t) {
146 allocated = allocator.Allocate(t->allocator_cache(), size, alignment);
147 } else {
148 SpinMutexLock l(&fallback_mutex);
149 AllocatorCache *cache = &fallback_allocator_cache;
150 allocated = allocator.Allocate(cache, size, alignment);
151 }
152 if (UNLIKELY(!allocated)) {
153 SetAllocatorOutOfMemory();
154 if (AllocatorMayReturnNull())
155 return nullptr;
156 ReportOutOfMemory(size, stack);
157 }
158 Metadata *meta =
159 reinterpret_cast<Metadata *>(allocator.GetMetaData(allocated));
160 meta->set_requested_size(orig_size);
161 meta->alloc_context_id = StackDepotPut(*stack);
162 meta->right_aligned = false;
163 if (zeroise) {
164 internal_memset(allocated, 0, size);
165 } else if (flags()->max_malloc_fill_size > 0) {
166 uptr fill_size = Min(size, (uptr)flags()->max_malloc_fill_size);
167 internal_memset(allocated, flags()->malloc_fill_byte, fill_size);
168 }
169 if (size != orig_size) {
170 u8 *tail = reinterpret_cast<u8 *>(allocated) + orig_size;
171 uptr tail_length = size - orig_size;
172 internal_memcpy(tail, tail_magic, tail_length - 1);
173 // Short granule is excluded from magic tail, so we explicitly untag.
174 tail[tail_length - 1] = 0;
175 }
176
177 void *user_ptr = allocated;
178 // Tagging can only be skipped when both tag_in_malloc and tag_in_free are
179 // false. When tag_in_malloc = false and tag_in_free = true malloc needs to
180 // retag to 0.
181 if (InTaggableRegion(reinterpret_cast<uptr>(user_ptr)) &&
182 (flags()->tag_in_malloc || flags()->tag_in_free) &&
183 atomic_load_relaxed(&hwasan_allocator_tagging_enabled)) {
184 if (flags()->tag_in_malloc && malloc_bisect(stack, orig_size)) {
185 tag_t tag = t ? t->GenerateRandomTag() : kFallbackAllocTag;
186 uptr tag_size = orig_size ? orig_size : 1;
187 uptr full_granule_size = RoundDownTo(tag_size, kShadowAlignment);
188 user_ptr =
189 (void *)TagMemoryAligned((uptr)user_ptr, full_granule_size, tag);
190 if (full_granule_size != tag_size) {
191 u8 *short_granule =
192 reinterpret_cast<u8 *>(allocated) + full_granule_size;
193 TagMemoryAligned((uptr)short_granule, kShadowAlignment,
194 tag_size % kShadowAlignment);
195 short_granule[kShadowAlignment - 1] = tag;
196 }
197 } else {
198 user_ptr = (void *)TagMemoryAligned((uptr)user_ptr, size, 0);
199 }
200 }
201
202 RunMallocHooks(user_ptr, size);
203 return user_ptr;
204 }
205
206 static bool PointerAndMemoryTagsMatch(void *tagged_ptr) {
207 CHECK(tagged_ptr);
208 uptr tagged_uptr = reinterpret_cast<uptr>(tagged_ptr);
209 if (!InTaggableRegion(tagged_uptr))
210 return true;
211 tag_t mem_tag = *reinterpret_cast<tag_t *>(
212 MemToShadow(reinterpret_cast<uptr>(UntagPtr(tagged_ptr))));
213 return PossiblyShortTagMatches(mem_tag, tagged_uptr, 1);
214 }
215
216 static bool CheckInvalidFree(StackTrace *stack, void *untagged_ptr,
217 void *tagged_ptr) {
218 // This function can return true if halt_on_error is false.
219 if (!MemIsApp(reinterpret_cast<uptr>(untagged_ptr)) ||
220 !PointerAndMemoryTagsMatch(tagged_ptr)) {
221 ReportInvalidFree(stack, reinterpret_cast<uptr>(tagged_ptr));
222 return true;
223 }
224 return false;
225 }
226
227 static void HwasanDeallocate(StackTrace *stack, void *tagged_ptr) {
228 CHECK(tagged_ptr);
229 RunFreeHooks(tagged_ptr);
230
231 bool in_taggable_region =
232 InTaggableRegion(reinterpret_cast<uptr>(tagged_ptr));
233 void *untagged_ptr = in_taggable_region ? UntagPtr(tagged_ptr) : tagged_ptr;
234
235 if (CheckInvalidFree(stack, untagged_ptr, tagged_ptr))
236 return;
237
238 void *aligned_ptr = reinterpret_cast<void *>(
239 RoundDownTo(reinterpret_cast<uptr>(untagged_ptr), kShadowAlignment));
240 tag_t pointer_tag = GetTagFromPointer(reinterpret_cast<uptr>(tagged_ptr));
241 Metadata *meta =
242 reinterpret_cast<Metadata *>(allocator.GetMetaData(aligned_ptr));
243 if (!meta) {
244 ReportInvalidFree(stack, reinterpret_cast<uptr>(tagged_ptr));
245 return;
246 }
247 uptr orig_size = meta->get_requested_size();
248 u32 free_context_id = StackDepotPut(*stack);
249 u32 alloc_context_id = meta->alloc_context_id;
250
251 // Check tail magic.
252 uptr tagged_size = TaggedSize(orig_size);
253 if (flags()->free_checks_tail_magic && orig_size &&
254 tagged_size != orig_size) {
255 uptr tail_size = tagged_size - orig_size - 1;
256 CHECK_LT(tail_size, kShadowAlignment);
257 void *tail_beg = reinterpret_cast<void *>(
258 reinterpret_cast<uptr>(aligned_ptr) + orig_size);
259 tag_t short_granule_memtag = *(reinterpret_cast<tag_t *>(
260 reinterpret_cast<uptr>(tail_beg) + tail_size));
261 if (tail_size &&
262 (internal_memcmp(tail_beg, tail_magic, tail_size) ||
263 (in_taggable_region && pointer_tag != short_granule_memtag)))
264 ReportTailOverwritten(stack, reinterpret_cast<uptr>(tagged_ptr),
265 orig_size, tail_magic);
266 }
267
268 meta->set_requested_size(0);
269 meta->alloc_context_id = 0;
270 // This memory will not be reused by anyone else, so we are free to keep it
271 // poisoned.
272 Thread *t = GetCurrentThread();
273 if (flags()->max_free_fill_size > 0) {
274 uptr fill_size =
275 Min(TaggedSize(orig_size), (uptr)flags()->max_free_fill_size);
276 internal_memset(aligned_ptr, flags()->free_fill_byte, fill_size);
277 }
278 if (in_taggable_region && flags()->tag_in_free && malloc_bisect(stack, 0) &&
279 atomic_load_relaxed(&hwasan_allocator_tagging_enabled)) {
280 // Always store full 8-bit tags on free to maximize UAF detection.
281 tag_t tag;
282 if (t) {
283 // Make sure we are not using a short granule tag as a poison tag. This
284 // would make us attempt to read the memory on a UaF.
285 // The tag can be zero if tagging is disabled on this thread.
286 do {
287 tag = t->GenerateRandomTag(/*num_bits=*/8);
288 } while (
289 UNLIKELY((tag < kShadowAlignment || tag == pointer_tag) && tag != 0));
290 } else {
291 static_assert(kFallbackFreeTag >= kShadowAlignment,
292 "fallback tag must not be a short granule tag.");
293 tag = kFallbackFreeTag;
294 }
295 TagMemoryAligned(reinterpret_cast<uptr>(aligned_ptr), TaggedSize(orig_size),
296 tag);
297 }
298 if (t) {
299 allocator.Deallocate(t->allocator_cache(), aligned_ptr);
300 if (auto *ha = t->heap_allocations())
301 ha->push({reinterpret_cast<uptr>(tagged_ptr), alloc_context_id,
302 free_context_id, static_cast<u32>(orig_size)});
303 } else {
304 SpinMutexLock l(&fallback_mutex);
305 AllocatorCache *cache = &fallback_allocator_cache;
306 allocator.Deallocate(cache, aligned_ptr);
307 }
308 }
309
310 static void *HwasanReallocate(StackTrace *stack, void *tagged_ptr_old,
311 uptr new_size, uptr alignment) {
312 void *untagged_ptr_old =
313 InTaggableRegion(reinterpret_cast<uptr>(tagged_ptr_old))
314 ? UntagPtr(tagged_ptr_old)
315 : tagged_ptr_old;
316 if (CheckInvalidFree(stack, untagged_ptr_old, tagged_ptr_old))
317 return nullptr;
318 void *tagged_ptr_new =
319 HwasanAllocate(stack, new_size, alignment, false /*zeroise*/);
320 if (tagged_ptr_old && tagged_ptr_new) {
321 Metadata *meta =
322 reinterpret_cast<Metadata *>(allocator.GetMetaData(untagged_ptr_old));
323 internal_memcpy(
324 UntagPtr(tagged_ptr_new), untagged_ptr_old,
325 Min(new_size, static_cast<uptr>(meta->get_requested_size())));
326 HwasanDeallocate(stack, tagged_ptr_old);
327 }
328 return tagged_ptr_new;
329 }
330
331 static void *HwasanCalloc(StackTrace *stack, uptr nmemb, uptr size) {
332 if (UNLIKELY(CheckForCallocOverflow(size, nmemb))) {
333 if (AllocatorMayReturnNull())
334 return nullptr;
335 ReportCallocOverflow(nmemb, size, stack);
336 }
337 return HwasanAllocate(stack, nmemb * size, sizeof(u64), true);
338 }
339
340 HwasanChunkView FindHeapChunkByAddress(uptr address) {
341 if (!allocator.PointerIsMine(reinterpret_cast<void *>(address)))
342 return HwasanChunkView();
343 void *block = allocator.GetBlockBegin(reinterpret_cast<void*>(address));
344 if (!block)
345 return HwasanChunkView();
346 Metadata *metadata =
347 reinterpret_cast<Metadata*>(allocator.GetMetaData(block));
348 return HwasanChunkView(reinterpret_cast<uptr>(block), metadata);
349 }
350
351 static uptr AllocationSize(const void *tagged_ptr) {
352 const void *untagged_ptr = UntagPtr(tagged_ptr);
353 if (!untagged_ptr) return 0;
354 const void *beg = allocator.GetBlockBegin(untagged_ptr);
355 Metadata *b = (Metadata *)allocator.GetMetaData(untagged_ptr);
356 if (b->right_aligned) {
357 if (beg != reinterpret_cast<void *>(RoundDownTo(
358 reinterpret_cast<uptr>(untagged_ptr), kShadowAlignment)))
359 return 0;
360 } else {
361 if (beg != untagged_ptr) return 0;
362 }
363 return b->get_requested_size();
364 }
365
366 void *hwasan_malloc(uptr size, StackTrace *stack) {
367 return SetErrnoOnNull(HwasanAllocate(stack, size, sizeof(u64), false));
368 }
369
370 void *hwasan_calloc(uptr nmemb, uptr size, StackTrace *stack) {
371 return SetErrnoOnNull(HwasanCalloc(stack, nmemb, size));
372 }
373
374 void *hwasan_realloc(void *ptr, uptr size, StackTrace *stack) {
375 if (!ptr)
376 return SetErrnoOnNull(HwasanAllocate(stack, size, sizeof(u64), false));
377 if (size == 0) {
378 HwasanDeallocate(stack, ptr);
379 return nullptr;
380 }
381 return SetErrnoOnNull(HwasanReallocate(stack, ptr, size, sizeof(u64)));
382 }
383
384 void *hwasan_reallocarray(void *ptr, uptr nmemb, uptr size, StackTrace *stack) {
385 if (UNLIKELY(CheckForCallocOverflow(size, nmemb))) {
386 errno = errno_ENOMEM;
387 if (AllocatorMayReturnNull())
388 return nullptr;
389 ReportReallocArrayOverflow(nmemb, size, stack);
390 }
391 return hwasan_realloc(ptr, nmemb * size, stack);
392 }
393
394 void *hwasan_valloc(uptr size, StackTrace *stack) {
395 return SetErrnoOnNull(
396 HwasanAllocate(stack, size, GetPageSizeCached(), false));
397 }
398
399 void *hwasan_pvalloc(uptr size, StackTrace *stack) {
400 uptr PageSize = GetPageSizeCached();
401 if (UNLIKELY(CheckForPvallocOverflow(size, PageSize))) {
402 errno = errno_ENOMEM;
403 if (AllocatorMayReturnNull())
404 return nullptr;
405 ReportPvallocOverflow(size, stack);
406 }
407 // pvalloc(0) should allocate one page.
408 size = size ? RoundUpTo(size, PageSize) : PageSize;
409 return SetErrnoOnNull(HwasanAllocate(stack, size, PageSize, false));
410 }
411
412 void *hwasan_aligned_alloc(uptr alignment, uptr size, StackTrace *stack) {
413 if (UNLIKELY(!CheckAlignedAllocAlignmentAndSize(alignment, size))) {
414 errno = errno_EINVAL;
415 if (AllocatorMayReturnNull())
416 return nullptr;
417 ReportInvalidAlignedAllocAlignment(size, alignment, stack);
418 }
419 return SetErrnoOnNull(HwasanAllocate(stack, size, alignment, false));
420 }
421
422 void *hwasan_memalign(uptr alignment, uptr size, StackTrace *stack) {
423 if (UNLIKELY(!IsPowerOfTwo(alignment))) {
424 errno = errno_EINVAL;
425 if (AllocatorMayReturnNull())
426 return nullptr;
427 ReportInvalidAllocationAlignment(alignment, stack);
428 }
429 return SetErrnoOnNull(HwasanAllocate(stack, size, alignment, false));
430 }
431
432 int hwasan_posix_memalign(void **memptr, uptr alignment, uptr size,
433 StackTrace *stack) {
434 if (UNLIKELY(!CheckPosixMemalignAlignment(alignment))) {
435 if (AllocatorMayReturnNull())
436 return errno_EINVAL;
437 ReportInvalidPosixMemalignAlignment(alignment, stack);
438 }
439 void *ptr = HwasanAllocate(stack, size, alignment, false);
440 if (UNLIKELY(!ptr))
441 // OOM error is already taken care of by HwasanAllocate.
442 return errno_ENOMEM;
443 CHECK(IsAligned((uptr)ptr, alignment));
444 *memptr = ptr;
445 return 0;
446 }
447
448 void hwasan_free(void *ptr, StackTrace *stack) {
449 return HwasanDeallocate(stack, ptr);
450 }
451
452 } // namespace __hwasan
453
454 using namespace __hwasan;
455
456 void __hwasan_enable_allocator_tagging() {
457 atomic_store_relaxed(&hwasan_allocator_tagging_enabled, 1);
458 }
459
460 void __hwasan_disable_allocator_tagging() {
461 atomic_store_relaxed(&hwasan_allocator_tagging_enabled, 0);
462 }
463
464 uptr __sanitizer_get_current_allocated_bytes() {
465 uptr stats[AllocatorStatCount];
466 allocator.GetStats(stats);
467 return stats[AllocatorStatAllocated];
468 }
469
470 uptr __sanitizer_get_heap_size() {
471 uptr stats[AllocatorStatCount];
472 allocator.GetStats(stats);
473 return stats[AllocatorStatMapped];
474 }
475
476 uptr __sanitizer_get_free_bytes() { return 1; }
477
478 uptr __sanitizer_get_unmapped_bytes() { return 1; }
479
480 uptr __sanitizer_get_estimated_allocated_size(uptr size) { return size; }
481
482 int __sanitizer_get_ownership(const void *p) { return AllocationSize(p) != 0; }
483
484 uptr __sanitizer_get_allocated_size(const void *p) { return AllocationSize(p); }
Mirror of the offical gcc git repository hosted at gcc.gnu.org