| blob | 7bde2f46e4f308fee5f6130c0c93daa6cfc4b305 |
1 /* Copyright (C) 2012-2013
2 Free Software Foundation
4 This file is part of GCC.
6 GCC is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3, or (at your option)
9 any later version.
11 GCC is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 Under Section 7 of GPL version 3, you are granted additional
17 permissions described in the GCC Runtime Library Exception, version
18 3.1, as published by the Free Software Foundation.
20 You should have received a copy of the GNU General Public License and
21 a copy of the GCC Runtime Library Exception along with this program;
22 see the files COPYING3 and COPYING.RUNTIME respectively. If not, see
23 <http://www.gnu.org/licenses/>. */
25 /* This file is part of the vtable security feature implementation.
26 The vtable security feature is designed to detect when a virtual
27 call is about to be made through an invalid vtable pointer
28 (possibly due to data corruption or malicious attacks). The
29 compiler finds every virtual call, and inserts a verification call
30 before the virtual call. The verification call takes the actual
31 vtable pointer value in the object through which the virtual call
32 is being made, and compares the vtable pointer against a set of all
33 valid vtable pointers that the object could contain (this set is
34 based on the declared type of the object). If the pointer is in
35 the valid set, execution is allowed to continue; otherwise the
36 program is halted.
38 There are several pieces needed in order to make this work: 1. For
39 every virtual class in the program (i.e. a class that contains
40 virtual methods), we need to build the set of all possible valid
41 vtables that an object of that class could point to. This includes
42 vtables for any class(es) that inherit from the class under
43 consideration. 2. For every such data set we build up, we need a
44 way to find and reference the data set. This is complicated by the
45 fact that the real vtable addresses are not known until runtime,
46 when the program is loaded into memory, but we need to reference the
47 sets at compile time when we are inserting verification calls into
48 the program. 3. We need to find every virtual call in the program,
49 and insert the verification call (with the appropriate arguments)
50 before the virtual call. 4. We need some runtime library pieces:
51 the code to build up the data sets at runtime; the code to actually
52 perform the verification using the data sets; and some code to set
53 protections on the data sets, so they themselves do not become
54 hacker targets.
56 To find and reference the set of valid vtable pointers for any given
57 virtual class, we create a special global varible for each virtual
58 class. We refer to this as the "vtable map variable" for that
59 class. The vtable map variable has the type "void *", and is
60 initialized by the compiler to NULL. At runtime when the set of
61 valid vtable pointers for a virtual class, e.g. class Foo, is built,
62 the vtable map variable for class Foo is made to point to the set.
63 During compile time, when the compiler is inserting verification
64 calls into the program, it passes the vtable map variable for the
65 appropriate class to the verification call, so that at runtime the
66 verification call can find the appropriate data set.
68 The actual set of valid vtable pointers for a polymorphic class,
69 e.g. class Foo, cannot be built until runtime, when the vtables get
70 loaded into memory and their addresses are known. But the knowledge
71 about which vtables belong in which class' hierarchy is only known
72 at compile time. Therefore at compile time we collect class
73 hierarchy and vtable information about every virtual class, and we
74 generate calls to build up the data sets at runtime. To build the
75 data sets, we call one of the functions we add to the runtime
76 library, __VLTRegisterPair. __VLTRegisterPair takes two arguments,
77 a vtable map variable and the address of a vtable. If the vtable
78 map variable is currently NULL, it creates a new data set (hash
79 table), makes the vtable map variable point to the new data set, and
80 inserts the vtable address into the data set. If the vtable map
81 variable is not NULL, it just inserts the vtable address into the
82 data set. In order to make sure that our data sets are built before
83 any verification calls happen, we create a special constructor
84 initialization function for each compilation unit, give it a very
85 high initialization priority, and insert all of our calls to
86 __VLTRegisterPair into our special constructor initialization
87 function. */
89 /* This file contains the main externally visible runtime library
90 functions for vtable verification: __VLTChangePermission,
91 __VLTRegisterPair, and __VLTVerifyVtablePointer. It also contains
92 debug versions __VLTRegisterPairDebug and
93 __VLTVerifyVtablePointerDebug, which have extra parameters in order
94 to make it easier to debug verification failures.
96 The final piece of functionality implemented in this file is symbol
97 resolution for multiple instances of the same vtable map variable.
98 If the same virtual class is used in two different compilation
99 units, then each compilation unit will create a vtable map variable
100 for the class. We need all instances of the same vtable map
101 variable to point to the same (single) set of valid vtable
102 pointers for the class, so we wrote our own hashtable-based symbol
103 resolution for vtable map variables (with a tiny optimization in
104 the case where there is only one instance of the variable).
106 There are two other important pieces to the runtime for vtable
107 verification besides the main pieces that go into libstdc++.so: two
108 special tiny shared libraries, libvtv_init.so and libvtv_stubs.so.
109 libvtv_init.so is built from vtv_init.cc. It is designed to help
110 minimize the calls made to mprotect (see the comments in
111 vtv_init.cc for more details). Anything compiled with
112 "-fvtable-verify=std" must be linked with libvtv_init.so (the gcc
113 driver has been modified to do this). vtv_stubs.so is built from
114 vtv_stubs.cc. It replaces the main runtime functions
115 (__VLTChangePermissino, __VLTRegisterPair and
116 __VLTVerifyVtablePointer) with stub functions that do nothing. If
117 a programmer has a library that was built with verification, but
118 wishes to not have verification turned on, the programmer can link
119 in the vtv_stubs.so library. */
121 #include <stdlib.h>
122 #include <stdio.h>
123 #include <string.h>
124 #if defined (__CYGWIN__) || defined (__MINGW32__)
125 #include <windows.h>
126 #include <winternl.h>
127 #include <psapi.h>
128 #else
129 #include <execinfo.h>
130 #endif
132 #include <unistd.h>
133 #if !defined (__CYGWIN__) && !defined (__MINGW32__)
134 #include <sys/mman.h>
135 #include <link.h>
136 #endif
137 #include <errno.h>
138 #include <fcntl.h>
139 #include <limits.h>
141 /* For gthreads suppport */
142 #include <bits/c++config.h>
143 #include <ext/concurrence.h>
154 #if defined (__CYGWIN__) || defined (__MINGW32__)
155 // porting: fix link error to libc
159 }
160 #else
163 /* __fortify_fail is a function in glibc that calls __libc_message,
164 causing it to print out a program termination error message
165 (including the name of the binary being terminated), a stack
166 trace where the error occurred, and a memory map dump. Ideally
167 we would have called __libc_message directly, but that function
168 does not appear to be accessible to functions outside glibc,
169 whereas __fortify_fail is. We call __fortify_fail from
170 __vtv_really_fail. We looked at calling __libc_fatal, which is
171 externally accessible, but it does not do the back trace and
172 memory dump. */
177 #endif
179 /* The following variables are used only for debugging and performance
180 tuning purposes. Therefore they do not need to be "protected".
181 They cannot be used to attack the vtable verification system and if
182 they become corrupted it will not affect the correctness or
183 security of any of the rest of the vtable verification feature. */
192 /* Be careful about initialization of statics in this file. Some of
193 the routines below are called before any runtime initialization for
194 statics in this file will be done. For example, dont try to
195 initialize any of these statics with a runtime call (for ex:
196 sysconf). The initialization will happen after calls to the routines
197 to protect/unprotec the vtabla_map variables */
199 /* No need to mark the following variables with VTV_PROTECTED_VAR.
200 These are either const or are only used for debugging/tracing.
201 debugging/tracing will not be ON on production environments */
205 #ifdef VTV_DEBUG
209 #else
213 #endif
215 /* Global file descriptor variables for logging, tracing and debugging. */
220 /* This holds a formatted error logging message, to be written to the
221 vtable verify failures log. */
225 #ifdef __GTHREAD_MUTEX_INIT
227 #else
229 #endif
232 #ifndef VTV_STATS
233 #define VTV_STATS 0
234 #endif
236 #if VTV_STATS
240 {
242 }
246 {
249 }
253 {
255 }
257 #else
261 {
263 }
268 {
269 /* Do nothing. */
270 }
274 {
275 /* Do nothing. */
276 }
278 #endif
280 /* Types needed by insert_only_hash_sets. */
283 /* The set of valid vtable pointers for each virtual class is stored
284 in a hash table. This is the hashing function used for the hash
285 table. For more information on the implementation of the hash
286 table, see the class insert_only_hash_sets in vtv_set.h. */
288 struct vptr_hash
289 {
290 /* Hash function, used to convert vtable pointer, V, (a memory
291 address) into an index into the hash table. */
292 size_t
294 {
299 }
300 };
302 /* This is the memory allocator used to create the hash table data
303 sets of valid vtable pointers. We use VTV_malloc in order to keep
304 track of which pages have been allocated, so we can update the
305 protections on those pages appropriately. See the class
306 insert_only_hash_sets in vtv_set.h for more information. */
308 struct vptr_set_alloc
309 {
310 /* Memory allocator operator. N is the number of bytes to be
311 allocated. */
314 {
316 }
317 };
319 /* Instantiate the template classes (in vtv_set.h) for our particular
320 hash table needs. */
326 /* Records for caching the section header information that we have
327 read out of the file(s) on disk (in dl_iterate_phdr_callback), to
328 avoid having to re-open and re-read the same file multiple
329 times. */
331 struct sect_hdr_data
332 {
333 #if defined (__CYGWIN__) || defined (__MINGW32__)
335 passed in from dl_iterate_phdr. */
337 section in memory. */
338 #else
340 passed in from dl_iterate_phdr. */
342 section in memory. */
343 #endif
345 memory. */
346 };
348 /* Array for caching the section header information, read from file,
349 to avoid re-opening and re-reading the same file over-and-over
350 again. */
352 #define MAX_ENTRIES 250
357 /* This function takes the LOAD_ADDR for an object opened by the
358 dynamic loader, and checks the array of cached file data to see if
359 there is an entry with the same addres. If it finds such an entry,
360 it returns the record for that entry; otherwise it returns
361 NULL. */
363 #if defined (__CYGWIN__) || defined (__MINGW32__)
366 #else
369 #endif
370 {
373 {
376 }
379 }
381 /* This function tries to read COUNT bytes out of the file referred to
382 by FD into the buffer BUF. It returns the actual number of bytes
383 it succeeded in reading. */
385 static size_t
387 {
391 {
399 }
402 }
404 /* This function tries to read COUNT bytes, starting at OFFSET from
405 the file referred to by FD, and put them into BUF. It calls
406 ReadPersistent to help it do so. It returns the actual number of
407 bytes read, or -1 if it fails altogether. */
409 static size_t
411 {
416 }
418 /* The function takes a MESSAGE and attempts to write it to the vtable
419 memory protection log (for debugging purposes). If the file is not
420 open, it attempts to open the file first. */
422 static void
424 {
431 }
433 #if defined (__CYGWIN__) || defined (__MINGW32__)
434 static void
441 {
445 /* Check to see if we already have the data for this file. */
449 {
453 }
455 // check for DOS Header magic bytes
457 {
461 /* Attempt to open the binary file on disk. */
463 {
465 }
466 else
470 {
471 /* Find the section header information in memory. */
480 PIMAGE_SECTION_HEADER sect_hdr =
484 /* Loop through all the section headers, looking for one whose
485 name is ".vtable_map_vars". */
488 {
491 /* Check if we have to get the section name from the COFF string
492 table. */
494 {
496 {
498 }
500 off_t name_offset = PointerToStringTable
504 name_offset);
507 }
508 else
509 {
512 }
515 {
516 /* We found the section; get its load offset and
517 size. */
522 else
525 }
526 }
528 }
529 }
532 {
533 /* Calculate the page location in memory, making sure the
534 address is page-aligned. */
539 /* Since we got this far, we must not have found these pages in
540 the cache, so add them to it. NOTE: We could get here either
541 while making everything read-only or while making everything
542 read-write. We will only update the cache if we get here on
543 a read-write (to make absolutely sure the cache is writable
544 -- also the read-write pass should come before the read-only
545 pass). */
548 {
552 num_cache_entries++;
553 }
554 }
555 }
556 #else
557 static void
563 {
574 /* Get the name of the main executable. This may or may not include
575 arguments passed to the program. Find the first space, assume it
576 is the start of the argument list, and change it to a '\0'. */
579 /* Check to see if we already have the data for this file. */
583 {
587 }
589 /* Find the first non-escaped space in the program name and make it
590 the end of the string. */
597 {
601 /* Attempt to open the binary file on disk. */
603 {
604 /* If the constructor initialization function was put into
605 the preinit array, then this function will get called
606 while handling preinit array stuff, in which case
607 program_invocation_name has not been initialized. In
608 that case we can get the filename of the executable from
609 "/proc/self/exe". */
611 {
614 }
615 else
617 }
618 else
622 {
623 /* Find the section header information in the file. */
629 shstrtab_offset);
634 /* This code will be needed once we have crated libvtv.so. */
637 /*
638 if (strstr (info->dlpi_name, "libvtv.so"))
639 is_libvtv = true;
640 */
642 /* Loop through all the section headers, looking for one whose
643 name is ".vtable_map_vars". */
646 {
650 offset);
662 {
663 /* We found the section; get its load offset and
664 size. */
668 else
671 }
672 }
674 }
675 }
678 {
679 /* Calculate the page location in memory, making sure the
680 address is page-aligned. */
686 /* Since we got this far, we must not have found these pages in
687 the cache, so add them to it. NOTE: We could get here either
688 while making everything read-only or while making everything
689 read-write. We will only update the cache if we get here on
690 a read-write (to make absolutely sure the cache is writable
691 -- also the read-write pass should come before the read-only
692 pass). */
695 {
699 num_cache_entries++;
700 }
701 }
702 }
703 #endif
705 #if defined (__CYGWIN__) || defined (__MINGW32__)
706 /* This function is used to iterate over all loaded modules and searches
707 for a section called ".vtable_map_vars". The only interaction with
708 the binary file on disk of the module is to read section names in the
709 COFF string table. If the module contains a ".vtable_map_vars" section,
710 read section offset and size from the section header of the loaded module.
711 Call 'mprotect' on those pages, setting the protection either to
712 read-only or read-write, depending on what's in data.
713 The calls to change the protection occur in vtv_unprotect_vtable_vars
714 and vtv_protect_vtable_vars. */
716 static int
718 {
725 HANDLE hProcess;
726 DWORD cbNeeded;
734 {
735 /* Iterate over all loaded modules. */
737 {
742 {
747 map_sect_name,
753 {
756 szModName,
759 }
761 /* See if we actually found the section. */
763 {
768 {
771 szModName,
775 }
777 /* Change the protections on the pages for the section. */
784 {
786 {
793 }
795 }
796 else
797 {
799 {
805 }
806 }
808 /* num_pages_protected += (map_sect_len + VTV_PAGE_SIZE - 1)
809 / VTV_PAGE_SIZE; */
812 }
813 }
814 }
815 }
820 }
821 #else
822 /* This is the callback function used by dl_iterate_phdr (which is
823 called from vtv_unprotect_vtable_vars and vtv_protect_vtable_vars).
824 It attempts to find the binary file on disk for the INFO record
825 that dl_iterate_phdr passes in; open the binary file, and read its
826 section header information. If the file contains a
827 ".vtable_map_vars" section, read the section offset and size. Use
828 the section offset and size, in conjunction with the data in INFO
829 to locate the pages in memory where the section is. Call
830 'mprotect' on those pages, setting the protection either to
831 read-only or read-write, depending on what's in DATA. */
833 static int
835 {
843 /* Check to see if this is the record for the Linux Virtual Dynamic
844 Shared Object (linux-vdso.so.1), which exists only in memory (and
845 therefore cannot be read from disk). */
854 /* Get the name of the main executable. This may or may not include
855 arguments passed to the program. Find the first space, assume it
856 is the start of the argument list, and change it to a '\0'. */
863 {
870 }
872 /* See if we actually found the section. */
874 {
879 {
887 }
889 /* Change the protections on the pages for the section. */
896 {
898 {
905 }
907 }
908 else
909 {
911 {
917 }
918 }
920 /* num_pages_protected += (map_sect_len + VTV_PAGE_SIZE - 1) / VTV_PAGE_SIZE; */
922 }
925 }
926 #endif
928 /* This function explicitly changes the protection (read-only or read-write)
929 on the vtv_sect_info_cache, which is used for speeding up look ups in the
930 function dl_iterate_phdr_callback. This data structure needs to be
931 explicitly made read-write before any calls to dl_iterate_phdr_callback,
932 because otherwise it may still be read-only when dl_iterate_phdr_callback
933 attempts to write to it.
935 More detailed explanation: dl_iterate_phdr_callback finds all the
936 .vtable_map_vars sections in all loaded objects (including the main program)
937 and (depending on where it was called from) either makes all the pages in the
938 sections read-write or read-only. The vtv_sect_info_cache should be in the
939 .vtable_map_vars section for libstdc++.so, which means that normally it would
940 be read-only until libstdc++.so is processed by dl_iterate_phdr_callback
941 (on the read-write pass), after which it will be writable. But if any loaded
942 object gets processed before libstdc++.so, it will attempt to update the
943 data cache, which will still be read-only, and cause a seg fault. Hence
944 we need a special function, called before dl_iterate_phdr_callback, that
945 will make the data cache writable. */
947 static void
949 {
957 }
959 /* Unprotect all the vtable map vars and other side data that is used
960 to keep the core hash_map data. All of these data have been put
961 into relro sections */
963 static void
965 {
970 #if defined (__CYGWIN__) || defined (__MINGW32__)
972 #else
974 #endif
975 }
977 /* Protect all the vtable map vars and other side data that is used
978 to keep the core hash_map data. All of these data have been put
979 into relro sections */
981 static void
983 {
987 #if defined (__CYGWIN__) || defined (__MINGW32__)
989 #else
991 #endif
993 }
995 #ifndef __GTHREAD_MUTEX_INIT
996 static void
998 {
1000 }
1001 #endif
1003 /* Variables needed for getting the statistics about the hashtable set. */
1004 #if HASHTABLE_STATS
1031 #endif
1032 /* Record statistics about the hash table sets, for debugging. */
1034 static void
1036 {
1037 #if HASHTABLE_STATS
1043 #endif
1044 }
1046 /* Change the permissions on all the pages we have allocated for the
1047 data sets and all the ".vtable_map_var" sections in memory (which
1048 contain our vtable map variables). PERM indicates whether to make
1049 the permissions read-only or read-write. */
1052 void
1054 {
1056 {
1062 else
1064 }
1066 #ifndef __GTHREAD_MUTEX_INIT
1070 #endif
1072 /* Ordering of these unprotect/protect calls is very important.
1073 You first need to unprotect all the map vars and side
1074 structures before you do anything with the core data
1075 structures (hash_maps) */
1078 {
1079 /* TODO: Need to revisit this code for dlopen. It most probably
1080 is not unlocking the protected vtable vars after for load
1081 module that is not the first load module. */
1088 }
1090 {
1098 }
1099 }
1101 /* This is the memory allocator used to create the hash table that
1102 maps from vtable map variable name to the data set that vtable map
1103 variable should point to. This is part of our vtable map variable
1104 symbol resolution, which is necessary because the same vtable map
1105 variable may be created by multiple compilation units and we need a
1106 method to make sure that all vtable map variables for a particular
1107 class point to the same data set at runtime. */
1109 struct insert_only_hash_map_allocator
1110 {
1111 /* N is the number of bytes to allocate. */
1114 {
1116 }
1118 /* P points to the memory to be deallocated; N is the number of
1119 bytes to deallocate. */
1120 void
1122 {
1124 }
1125 };
1127 /* Explicitly instantiate this class since this file is compiled with
1128 -fno-implicit-templates. These are for the hash table that is used
1129 to do vtable map variable symbol resolution. */
1131 insert_only_hash_map_allocator >;
1140 /* In the case where a vtable map variable is the only instance of the
1141 variable we have seen, it points directly to the set of valid
1142 vtable pointers. All subsequent instances of the 'same' vtable map
1143 variable point to the first vtable map variable. This function,
1144 given a vtable map variable PTR, checks a bit to see whether it's
1145 pointing directly to the data set or to the first vtable map
1146 variable. */
1150 {
1153 }
1155 /* Returns the actual pointer value of a vtable map variable, PTR (see
1156 comments for is_set_handle_handle for more details). */
1160 {
1162 }
1164 /* Given a vtable map variable, PTR, this function sets the bit that
1165 says this is the second (or later) instance of a vtable map
1166 variable. */
1170 {
1172 }
1177 {
1178 /* Now figure out what pointer to use for the set pointer, for the
1179 inserts. */
1187 else
1190 /* Now we've got the set and it's initialized, add the vtable
1191 pointers. */
1193 {
1196 }
1197 }
1203 {
1204 /* Now we've got the set and it's initialized, add the vtable
1205 pointer (assuming that it's not NULL...It may be NULL, as we may
1206 have called this function merely to initialize the set
1207 pointer). */
1210 {
1216 else
1220 }
1223 {
1231 }
1232 }
1234 /* This routine initializes a set handle to a vtable set. It makes
1235 sure that there is only one set handle for a particular set by
1236 using a map from set name to pointer to set handle. Since there
1237 will be multiple copies of the pointer to the set handle (one per
1238 compilation unit that uses it), it makes sure to initialize all the
1239 pointers to the set handle so that the set handle is unique. To
1240 make this a little more efficient and avoid a level of indirection
1241 in some cases, the first pointer to handle for a particular handle
1242 becomes the handle itself and the other pointers will point to the
1243 set handle. This is the debug version of this function, so it
1244 outputs extra debugging messages and logging. SET_HANDLE_PTR is
1245 the address of the vtable map variable, SET_SYMBOL_KEY is the hash
1246 table key (containing the name of the map variable and the hash
1247 value) and SIZE_HINT is a guess for the best initial size for the
1248 set of vtable pointers that SET_HANDLE_POINTER will point to. */
1253 {
1257 {
1258 /* TODO: For now we have chosen 1024, but we need to come up with a
1259 better initial size for this. */
1262 }
1271 {
1273 {
1275 "*** Found non-NULL local set ptr %p missing for symbol"
1280 }
1281 }
1285 {
1288 "*** Found diffence between local set ptr %p and set ptr %p"
1294 }
1296 {
1297 /* Execution should not reach this point. */
1298 }
1301 {
1304 else
1308 }
1312 {
1315 else
1316 {
1317 /* The one level handle to the set already exists. So, we
1318 are adding one level of indirection here and we will
1319 store a pointer to the one level handle here. */
1326 /* The handle can itself be NULL if the set has only
1327 been initiazlied with size hint == 1. */
1329 }
1330 }
1331 else
1332 {
1333 /* We will create a new set. So, in this case handle_ptr is the
1334 one level pointer to the set handle. Create copy of map name
1335 in case the memory where this comes from gets unmapped by
1336 dlclose. */
1343 vtv_symbol_unification_map =
1348 /* TODO: We should verify the return value. */
1351 }
1354 {
1359 "Init handle:%p for symbol:%.*s hash:%u size_hint:%lu"
1364 }
1365 }
1368 /* This routine initializes a set handle to a vtable set. It makes
1369 sure that there is only one set handle for a particular set by
1370 using a map from set name to pointer to set handle. Since there
1371 will be multiple copies of the pointer to the set handle (one per
1372 compilation unit that uses it), it makes sure to initialize all the
1373 pointers to the set handle so that the set handle is unique. To
1374 make this a little more efficient and avoid a level of indirection
1375 in some cases, the first pointer to handle for a particular handle
1376 becomes the handle itself and the other pointers will point to the
1377 set handle. This is the debug version of this function, so it
1378 outputs extra debugging messages and logging. SET_HANDLE_PTR is
1379 the address of the vtable map variable, SET_SYMBOL_KEY is the hash
1380 table key (containing the name of the map variable and the hash
1381 value) and SIZE_HINT is a guess for the best initial size for the
1382 set of vtable pointers that SET_HANDLE_POINTER will point to. */
1384 void
1388 {
1398 }
1400 /* This function takes a the address of a vtable map variable
1401 (SET_HANDLE_PTR), a VTABLE_PTR to add to the data set, the name of
1402 the vtable map variable (SET_SYMBOL_NAME) and the name of the
1403 vtable (VTABLE_NAME) being pointed to. If the vtable map variable
1404 is NULL it creates a new data set and initializes the variable,
1405 otherwise it uses our symbol unification to find the right data
1406 set; in either case it then adds the vtable pointer to the set.
1407 The other two parameters are used for debugging information. */
1409 void
1413 {
1424 }
1427 /* This is the debug version of the verification function. It takes
1428 the address of a vtable map variable (SET_HANDLE_PTR) and a
1429 VTABLE_PTR to validate, as well as the name of the vtable map
1430 variable (SET_SYMBOL_NAME) and VTABLE_NAME, which are used for
1431 debugging messages. It checks to see if VTABLE_PTR is in the set
1432 pointed to by SET_HANDLE_PTR. If so, it returns VTABLE_PTR,
1433 otherwise it calls __vtv_verify_fail, which usually logs error
1434 messages and calls abort. */
1440 {
1449 else
1453 {
1455 {
1461 }
1462 }
1463 else
1464 {
1465 /* We failed to find the vtable pointer in the set of valid
1466 pointers. Log the error data and call the failure
1467 function. */
1472 /* Normally __vtv_verify_fail_debug will call abort, so we won't
1473 execute the return below. If we get this far, the assumption
1474 is that the programmer has replaced __vtv_verify_fail_debug
1475 with some kind of secondary verification AND this secondary
1476 verification succeeded, so the vtable pointer is valid. */
1477 }
1481 }
1483 /* This routine initializes a set handle to a vtable set. It makes
1484 sure that there is only one set handle for a particular set by
1485 using a map from set name to pointer to set handle. Since there
1486 will be multiple copies of the pointer to the set handle (one per
1487 compilation unit that uses it), it makes sure to initialize all the
1488 pointers to the set handle so that the set handle is unique. To
1489 make this a little more efficient and avoid a level of indirection
1490 in some cases, the first pointer to handle for a particular handle
1491 becomes the handle itself and the other pointers will point to the
1492 set handle. SET_HANDLE_PTR is the address of the vtable map
1493 variable, SET_SYMBOL_KEY is the hash table key (containing the name
1494 of the map variable and the hash value) and SIZE_HINT is a guess
1495 for the best initial size for the set of vtable pointers that
1496 SET_HANDLE_POINTER will point to.*/
1501 {
1505 {
1508 else
1512 }
1522 {
1525 else
1526 {
1527 /* The one level handle to the set already exists. So, we
1528 are adding one level of indirection here and we will
1529 store a pointer to the one level pointer here. */
1534 }
1535 }
1536 else
1537 {
1538 /* We will create a new set. So, in this case handle_ptr is the
1539 one level pointer to the set handle. Create copy of map name
1540 in case the memory where this comes from gets unmapped by
1541 dlclose. */
1547 vtv_symbol_unification_map =
1553 /* TODO: We should verify the return value. */
1555 }
1556 }
1558 /* This routine initializes a set handle to a vtable set. It makes
1559 sure that there is only one set handle for a particular set by
1560 using a map from set name to pointer to set handle. Since there
1561 will be multiple copies of the pointer to the set handle (one per
1562 compilation unit that uses it), it makes sure to initialize all the
1563 pointers to the set handle so that the set handle is unique. To
1564 make this a little more efficient and avoid a level of indirection
1565 in some cases, the first pointer to handle for a particular handle
1566 becomes the handle itself and the other pointers will point to the
1567 set handle. SET_HANDLE_PTR is the address of the vtable map
1568 variable, SET_SYMBOL_KEY is the hash table key (containing the name
1569 of the map variable and the hash value) and SIZE_HINT is a guess
1570 for the best initial size for the set of vtable pointers that
1571 SET_HANDLE_POINTER will point to.*/
1574 void
1577 {
1585 }
1589 /* This function takes a the address of a vtable map variable
1590 (SET_HANDLE_PTR) and a VTABLE_PTR. If the vtable map variable is
1591 NULL it creates a new data set and initializes the variable,
1592 otherwise it uses our symbol unification to find the right data
1593 set; in either case it then adds the vtable pointer to the set. */
1595 void
1598 {
1606 }
1608 /* This is the main verification function. It takes the address of a
1609 vtable map variable (SET_HANDLE_PTR) and a VTABLE_PTR to validate.
1610 It checks to see if VTABLE_PTR is in the set pointed to by
1611 SET_HANDLE_PTR. If so, it returns VTABLE_PTR, otherwise it calls
1612 __vtv_verify_fail, which usually logs error messages and calls
1613 abort. Since this function gets called VERY frequently, it is
1614 important for it to be as efficient as possible. */
1618 {
1626 else
1630 {
1632 /* Normally __vtv_verify_fail will call abort, so we won't
1633 execute the return below. If we get this far, the assumption
1634 is that the programmer has replaced __vtv_verify_fail with
1635 some kind of secondary verification AND this secondary
1636 verification succeeded, so the vtable pointer is valid. */
1637 }
1641 }
1645 #if !defined (__CYGWIN__) && !defined (__MINGW32__)
1646 static int
1650 {
1656 /* Check to see if this is the record for the Linux Virtual Dynamic
1657 Shared Object (linux-vdso.so.1), which exists only in memory (and
1658 therefore cannot be read from disk). */
1670 /* See if we actually found the section. */
1675 }
1676 #endif
1678 static void
1680 {
1686 #if defined (__CYGWIN__) || defined (__MINGW32__)
1688 #else
1690 #endif
1692 }
1694 void
1696 {
1700 {
1703 "Calls: mprotect (%d) regset (%d) regpair (%d)"
1708 "Cycles: mprotect (%lld) regset (%lld) "
1711 verify_vtable_cycles);
1717 }
1718 }
1720 /* This function is called from __VLTVerifyVtablePointerDebug; it
1721 sends as much debugging information as it can to the error log
1722 file, then calls __vtv_verify_fail. SET_HANDLE_PTR is the pointer
1723 to the set of valid vtable pointers, VTBL_PTR is the pointer that
1724 was not found in the set, and DEBUG_MSG is the message to be
1725 written to the log file before failing. n */
1727 void
1730 {
1733 /* Call the public interface in case it has been overwritten by
1734 user. */
1739 }
1741 /* This function calls __fortify_fail with a FAILURE_MSG and then
1742 calls abort. */
1744 void
1746 {
1749 /* We should never get this far; __fortify_fail calls __libc_message
1750 which prints out a back trace and a memory dump and then is
1751 supposed to call abort, but let's play it safe anyway and call abort
1752 ourselves. */
1754 }
1756 /* This function takes an error MSG, a vtable map variable
1757 (DATA_SET_PTR) and a vtable pointer (VTBL_PTR). It is called when
1758 an attempt to verify VTBL_PTR with the set pointed to by
1759 DATA_SET_PTR failed. It outputs a failure message with the
1760 addresses involved, and calls __vtv_really_fail. */
1762 static void
1764 {
1775 /* Send this to to stderr. */
1778 #ifndef VTV_NO_ABORT
1780 #endif
1781 }
1783 /* Send information about what we were trying to do when verification
1784 failed to the error log, then call vtv_fail. This function can be
1785 overwritten/replaced by the user, to implement a secondary
1786 verification function instead. DATA_SET_PTR is the vtable map
1787 variable used for the failed verification, and VTBL_PTR is the
1788 vtable pointer that was not found in the set. */
1790 void
1792 {
1795 vtbl_ptr,
1809 }