search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
2013-02-04 Paul Thomas <pault@gcc.gnu.org>
[official-gcc.git] / libsanitizer / asan / asan_poisoning.cc
blob11edca57ae0a938aef406aa7b914fb77a73f1875
1 //===-- asan_poisoning.cc -------------------------------------------------===//
2 //
3 // This file is distributed under the University of Illinois Open Source
4 // License. See LICENSE.TXT for details.
5 //
6 //===----------------------------------------------------------------------===//
7 //
8 // This file is a part of AddressSanitizer, an address sanity checker.
9 //
10 // Shadow memory poisoning by ASan RTL and by user application.
11 //===----------------------------------------------------------------------===//
12
13 #include "asan_interceptors.h"
14 #include "asan_internal.h"
15 #include "asan_mapping.h"
16 #include "sanitizer/asan_interface.h"
17 #include "sanitizer_common/sanitizer_libc.h"
18
19 namespace __asan {
20
21 void PoisonShadow(uptr addr, uptr size, u8 value) {
22 if (!flags()->poison_heap) return;
23 CHECK(AddrIsAlignedByGranularity(addr));
24 CHECK(AddrIsAlignedByGranularity(addr + size));
25 uptr shadow_beg = MemToShadow(addr);
26 uptr shadow_end = MemToShadow(addr + size - SHADOW_GRANULARITY) + 1;
27 CHECK(REAL(memset) != 0);
28 REAL(memset)((void*)shadow_beg, value, shadow_end - shadow_beg);
29 }
30
31 void PoisonShadowPartialRightRedzone(uptr addr,
32 uptr size,
33 uptr redzone_size,
34 u8 value) {
35 if (!flags()->poison_heap) return;
36 CHECK(AddrIsAlignedByGranularity(addr));
37 u8 *shadow = (u8*)MemToShadow(addr);
38 for (uptr i = 0; i < redzone_size;
39 i += SHADOW_GRANULARITY, shadow++) {
40 if (i + SHADOW_GRANULARITY <= size) {
41 *shadow = 0; // fully addressable
42 } else if (i >= size) {
43 *shadow = (SHADOW_GRANULARITY == 128) ? 0xff : value; // unaddressable
44 } else {
45 *shadow = size - i; // first size-i bytes are addressable
46 }
47 }
48 }
49
50
51 struct ShadowSegmentEndpoint {
52 u8 *chunk;
53 s8 offset; // in [0, SHADOW_GRANULARITY)
54 s8 value; // = *chunk;
55
56 explicit ShadowSegmentEndpoint(uptr address) {
57 chunk = (u8*)MemToShadow(address);
58 offset = address & (SHADOW_GRANULARITY - 1);
59 value = *chunk;
60 }
61 };
62
63 } // namespace __asan
64
65 // ---------------------- Interface ---------------- {{{1
66 using namespace __asan; // NOLINT
67
68 // Current implementation of __asan_(un)poison_memory_region doesn't check
69 // that user program (un)poisons the memory it owns. It poisons memory
70 // conservatively, and unpoisons progressively to make sure asan shadow
71 // mapping invariant is preserved (see detailed mapping description here:
72 // http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm).
73 //
74 // * if user asks to poison region [left, right), the program poisons
75 // at least [left, AlignDown(right)).
76 // * if user asks to unpoison region [left, right), the program unpoisons
77 // at most [AlignDown(left), right).
78 void __asan_poison_memory_region(void const volatile *addr, uptr size) {
79 if (!flags()->allow_user_poisoning || size == 0) return;
80 uptr beg_addr = (uptr)addr;
81 uptr end_addr = beg_addr + size;
82 if (flags()->verbosity >= 1) {
83 Printf("Trying to poison memory region [%p, %p)\n",
84 (void*)beg_addr, (void*)end_addr);
85 }
86 ShadowSegmentEndpoint beg(beg_addr);
87 ShadowSegmentEndpoint end(end_addr);
88 if (beg.chunk == end.chunk) {
89 CHECK(beg.offset < end.offset);
90 s8 value = beg.value;
91 CHECK(value == end.value);
92 // We can only poison memory if the byte in end.offset is unaddressable.
93 // No need to re-poison memory if it is poisoned already.
94 if (value > 0 && value <= end.offset) {
95 if (beg.offset > 0) {
96 *beg.chunk = Min(value, beg.offset);
97 } else {
98 *beg.chunk = kAsanUserPoisonedMemoryMagic;
99 }
100 }
101 return;
102 }
103 CHECK(beg.chunk < end.chunk);
104 if (beg.offset > 0) {
105 // Mark bytes from beg.offset as unaddressable.
106 if (beg.value == 0) {
107 *beg.chunk = beg.offset;
108 } else {
109 *beg.chunk = Min(beg.value, beg.offset);
110 }
111 beg.chunk++;
112 }
113 REAL(memset)(beg.chunk, kAsanUserPoisonedMemoryMagic, end.chunk - beg.chunk);
114 // Poison if byte in end.offset is unaddressable.
115 if (end.value > 0 && end.value <= end.offset) {
116 *end.chunk = kAsanUserPoisonedMemoryMagic;
117 }
118 }
119
120 void __asan_unpoison_memory_region(void const volatile *addr, uptr size) {
121 if (!flags()->allow_user_poisoning || size == 0) return;
122 uptr beg_addr = (uptr)addr;
123 uptr end_addr = beg_addr + size;
124 if (flags()->verbosity >= 1) {
125 Printf("Trying to unpoison memory region [%p, %p)\n",
126 (void*)beg_addr, (void*)end_addr);
127 }
128 ShadowSegmentEndpoint beg(beg_addr);
129 ShadowSegmentEndpoint end(end_addr);
130 if (beg.chunk == end.chunk) {
131 CHECK(beg.offset < end.offset);
132 s8 value = beg.value;
133 CHECK(value == end.value);
134 // We unpoison memory bytes up to enbytes up to end.offset if it is not
135 // unpoisoned already.
136 if (value != 0) {
137 *beg.chunk = Max(value, end.offset);
138 }
139 return;
140 }
141 CHECK(beg.chunk < end.chunk);
142 if (beg.offset > 0) {
143 *beg.chunk = 0;
144 beg.chunk++;
145 }
146 REAL(memset)(beg.chunk, 0, end.chunk - beg.chunk);
147 if (end.offset > 0 && end.value != 0) {
148 *end.chunk = Max(end.value, end.offset);
149 }
150 }
151
152 bool __asan_address_is_poisoned(void const volatile *addr) {
153 return __asan::AddressIsPoisoned((uptr)addr);
154 }
155
156 uptr __asan_region_is_poisoned(uptr beg, uptr size) {
157 if (!size) return 0;
158 uptr end = beg + size;
159 if (!AddrIsInMem(beg)) return beg;
160 if (!AddrIsInMem(end)) return end;
161 uptr aligned_b = RoundUpTo(beg, SHADOW_GRANULARITY);
162 uptr aligned_e = RoundDownTo(end, SHADOW_GRANULARITY);
163 uptr shadow_beg = MemToShadow(aligned_b);
164 uptr shadow_end = MemToShadow(aligned_e);
165 // First check the first and the last application bytes,
166 // then check the SHADOW_GRANULARITY-aligned region by calling
167 // mem_is_zero on the corresponding shadow.
168 if (!__asan::AddressIsPoisoned(beg) &&
169 !__asan::AddressIsPoisoned(end - 1) &&
170 (shadow_end <= shadow_beg ||
171 __sanitizer::mem_is_zero((const char *)shadow_beg,
172 shadow_end - shadow_beg)))
173 return 0;
174 // The fast check failed, so we have a poisoned byte somewhere.
175 // Find it slowly.
176 for (; beg < end; beg++)
177 if (__asan::AddressIsPoisoned(beg))
178 return beg;
179 UNREACHABLE("mem_is_zero returned false, but poisoned byte was not found");
180 return 0;
181 }
182
183 // This is a simplified version of __asan_(un)poison_memory_region, which
184 // assumes that left border of region to be poisoned is properly aligned.
185 static void PoisonAlignedStackMemory(uptr addr, uptr size, bool do_poison) {
186 if (size == 0) return;
187 uptr aligned_size = size & ~(SHADOW_GRANULARITY - 1);
188 PoisonShadow(addr, aligned_size,
189 do_poison ? kAsanStackUseAfterScopeMagic : 0);
190 if (size == aligned_size)
191 return;
192 s8 end_offset = (s8)(size - aligned_size);
193 s8* shadow_end = (s8*)MemToShadow(addr + aligned_size);
194 s8 end_value = *shadow_end;
195 if (do_poison) {
196 // If possible, mark all the bytes mapping to last shadow byte as
197 // unaddressable.
198 if (end_value > 0 && end_value <= end_offset)
199 *shadow_end = (s8)kAsanStackUseAfterScopeMagic;
200 } else {
201 // If necessary, mark few first bytes mapping to last shadow byte
202 // as addressable
203 if (end_value != 0)
204 *shadow_end = Max(end_value, end_offset);
205 }
206 }
207
208 void __asan_poison_stack_memory(uptr addr, uptr size) {
209 if (flags()->verbosity > 0)
210 Report("poisoning: %p %zx\n", (void*)addr, size);
211 PoisonAlignedStackMemory(addr, size, true);
212 }
213
214 void __asan_unpoison_stack_memory(uptr addr, uptr size) {
215 if (flags()->verbosity > 0)
216 Report("unpoisoning: %p %zx\n", (void*)addr, size);
217 PoisonAlignedStackMemory(addr, size, false);
218 }
Mirror of the offical gcc git repository hosted at gcc.gnu.org