search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Move PREFERRED_DEBUGGING_TYPE define in pa64-hpux.h to pa.h
[official-gcc.git] / libsanitizer / asan / asan_poisoning.cpp
blobd97af91e692dcdd243a71ee53cbd3a569a99272a
1 //===-- asan_poisoning.cpp ------------------------------------------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file is a part of AddressSanitizer, an address sanity checker.
10 //
11 // Shadow memory poisoning by ASan RTL and by user application.
12 //===----------------------------------------------------------------------===//
13
14 #include "asan_poisoning.h"
15 #include "asan_report.h"
16 #include "asan_stack.h"
17 #include "sanitizer_common/sanitizer_atomic.h"
18 #include "sanitizer_common/sanitizer_libc.h"
19 #include "sanitizer_common/sanitizer_flags.h"
20
21 namespace __asan {
22
23 static atomic_uint8_t can_poison_memory;
24
25 void SetCanPoisonMemory(bool value) {
26 atomic_store(&can_poison_memory, value, memory_order_release);
27 }
28
29 bool CanPoisonMemory() {
30 return atomic_load(&can_poison_memory, memory_order_acquire);
31 }
32
33 void PoisonShadow(uptr addr, uptr size, u8 value) {
34 if (value && !CanPoisonMemory()) return;
35 CHECK(AddrIsAlignedByGranularity(addr));
36 CHECK(AddrIsInMem(addr));
37 CHECK(AddrIsAlignedByGranularity(addr + size));
38 CHECK(AddrIsInMem(addr + size - SHADOW_GRANULARITY));
39 CHECK(REAL(memset));
40 FastPoisonShadow(addr, size, value);
41 }
42
43 void PoisonShadowPartialRightRedzone(uptr addr,
44 uptr size,
45 uptr redzone_size,
46 u8 value) {
47 if (!CanPoisonMemory()) return;
48 CHECK(AddrIsAlignedByGranularity(addr));
49 CHECK(AddrIsInMem(addr));
50 FastPoisonShadowPartialRightRedzone(addr, size, redzone_size, value);
51 }
52
53 struct ShadowSegmentEndpoint {
54 u8 *chunk;
55 s8 offset; // in [0, SHADOW_GRANULARITY)
56 s8 value; // = *chunk;
57
58 explicit ShadowSegmentEndpoint(uptr address) {
59 chunk = (u8*)MemToShadow(address);
60 offset = address & (SHADOW_GRANULARITY - 1);
61 value = *chunk;
62 }
63 };
64
65 void AsanPoisonOrUnpoisonIntraObjectRedzone(uptr ptr, uptr size, bool poison) {
66 uptr end = ptr + size;
67 if (Verbosity()) {
68 Printf("__asan_%spoison_intra_object_redzone [%p,%p) %zd\n",
69 poison ? "" : "un", (void *)ptr, (void *)end, size);
70 if (Verbosity() >= 2)
71 PRINT_CURRENT_STACK();
72 }
73 CHECK(size);
74 CHECK_LE(size, 4096);
75 CHECK(IsAligned(end, SHADOW_GRANULARITY));
76 if (!IsAligned(ptr, SHADOW_GRANULARITY)) {
77 *(u8 *)MemToShadow(ptr) =
78 poison ? static_cast<u8>(ptr % SHADOW_GRANULARITY) : 0;
79 ptr |= SHADOW_GRANULARITY - 1;
80 ptr++;
81 }
82 for (; ptr < end; ptr += SHADOW_GRANULARITY)
83 *(u8*)MemToShadow(ptr) = poison ? kAsanIntraObjectRedzone : 0;
84 }
85
86 } // namespace __asan
87
88 // ---------------------- Interface ---------------- {{{1
89 using namespace __asan;
90
91 // Current implementation of __asan_(un)poison_memory_region doesn't check
92 // that user program (un)poisons the memory it owns. It poisons memory
93 // conservatively, and unpoisons progressively to make sure asan shadow
94 // mapping invariant is preserved (see detailed mapping description here:
95 // https://github.com/google/sanitizers/wiki/AddressSanitizerAlgorithm).
96 //
97 // * if user asks to poison region [left, right), the program poisons
98 // at least [left, AlignDown(right)).
99 // * if user asks to unpoison region [left, right), the program unpoisons
100 // at most [AlignDown(left), right).
101 void __asan_poison_memory_region(void const volatile *addr, uptr size) {
102 if (!flags()->allow_user_poisoning || size == 0) return;
103 uptr beg_addr = (uptr)addr;
104 uptr end_addr = beg_addr + size;
105 VPrintf(3, "Trying to poison memory region [%p, %p)\n", (void *)beg_addr,
106 (void *)end_addr);
107 ShadowSegmentEndpoint beg(beg_addr);
108 ShadowSegmentEndpoint end(end_addr);
109 if (beg.chunk == end.chunk) {
110 CHECK_LT(beg.offset, end.offset);
111 s8 value = beg.value;
112 CHECK_EQ(value, end.value);
113 // We can only poison memory if the byte in end.offset is unaddressable.
114 // No need to re-poison memory if it is poisoned already.
115 if (value > 0 && value <= end.offset) {
116 if (beg.offset > 0) {
117 *beg.chunk = Min(value, beg.offset);
118 } else {
119 *beg.chunk = kAsanUserPoisonedMemoryMagic;
120 }
121 }
122 return;
123 }
124 CHECK_LT(beg.chunk, end.chunk);
125 if (beg.offset > 0) {
126 // Mark bytes from beg.offset as unaddressable.
127 if (beg.value == 0) {
128 *beg.chunk = beg.offset;
129 } else {
130 *beg.chunk = Min(beg.value, beg.offset);
131 }
132 beg.chunk++;
133 }
134 REAL(memset)(beg.chunk, kAsanUserPoisonedMemoryMagic, end.chunk - beg.chunk);
135 // Poison if byte in end.offset is unaddressable.
136 if (end.value > 0 && end.value <= end.offset) {
137 *end.chunk = kAsanUserPoisonedMemoryMagic;
138 }
139 }
140
141 void __asan_unpoison_memory_region(void const volatile *addr, uptr size) {
142 if (!flags()->allow_user_poisoning || size == 0) return;
143 uptr beg_addr = (uptr)addr;
144 uptr end_addr = beg_addr + size;
145 VPrintf(3, "Trying to unpoison memory region [%p, %p)\n", (void *)beg_addr,
146 (void *)end_addr);
147 ShadowSegmentEndpoint beg(beg_addr);
148 ShadowSegmentEndpoint end(end_addr);
149 if (beg.chunk == end.chunk) {
150 CHECK_LT(beg.offset, end.offset);
151 s8 value = beg.value;
152 CHECK_EQ(value, end.value);
153 // We unpoison memory bytes up to enbytes up to end.offset if it is not
154 // unpoisoned already.
155 if (value != 0) {
156 *beg.chunk = Max(value, end.offset);
157 }
158 return;
159 }
160 CHECK_LT(beg.chunk, end.chunk);
161 if (beg.offset > 0) {
162 *beg.chunk = 0;
163 beg.chunk++;
164 }
165 REAL(memset)(beg.chunk, 0, end.chunk - beg.chunk);
166 if (end.offset > 0 && end.value != 0) {
167 *end.chunk = Max(end.value, end.offset);
168 }
169 }
170
171 int __asan_address_is_poisoned(void const volatile *addr) {
172 return __asan::AddressIsPoisoned((uptr)addr);
173 }
174
175 uptr __asan_region_is_poisoned(uptr beg, uptr size) {
176 if (!size)
177 return 0;
178 uptr end = beg + size;
179 if (!AddrIsInMem(beg))
180 return beg;
181 if (!AddrIsInMem(end))
182 return end;
183 CHECK_LT(beg, end);
184 uptr aligned_b = RoundUpTo(beg, SHADOW_GRANULARITY);
185 uptr aligned_e = RoundDownTo(end, SHADOW_GRANULARITY);
186 uptr shadow_beg = MemToShadow(aligned_b);
187 uptr shadow_end = MemToShadow(aligned_e);
188 // First check the first and the last application bytes,
189 // then check the SHADOW_GRANULARITY-aligned region by calling
190 // mem_is_zero on the corresponding shadow.
191 if (!__asan::AddressIsPoisoned(beg) && !__asan::AddressIsPoisoned(end - 1) &&
192 (shadow_end <= shadow_beg ||
193 __sanitizer::mem_is_zero((const char *)shadow_beg,
194 shadow_end - shadow_beg)))
195 return 0;
196 // The fast check failed, so we have a poisoned byte somewhere.
197 // Find it slowly.
198 for (; beg < end; beg++)
199 if (__asan::AddressIsPoisoned(beg))
200 return beg;
201 UNREACHABLE("mem_is_zero returned false, but poisoned byte was not found");
202 return 0;
203 }
204
205 #define CHECK_SMALL_REGION(p, size, isWrite) \
206 do { \
207 uptr __p = reinterpret_cast<uptr>(p); \
208 uptr __size = size; \
209 if (UNLIKELY(__asan::AddressIsPoisoned(__p) || \
210 __asan::AddressIsPoisoned(__p + __size - 1))) { \
211 GET_CURRENT_PC_BP_SP; \
212 uptr __bad = __asan_region_is_poisoned(__p, __size); \
213 __asan_report_error(pc, bp, sp, __bad, isWrite, __size, 0);\
214 } \
215 } while (false)
216
217
218 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
219 u16 __sanitizer_unaligned_load16(const uu16 *p) {
220 CHECK_SMALL_REGION(p, sizeof(*p), false);
221 return *p;
222 }
223
224 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
225 u32 __sanitizer_unaligned_load32(const uu32 *p) {
226 CHECK_SMALL_REGION(p, sizeof(*p), false);
227 return *p;
228 }
229
230 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
231 u64 __sanitizer_unaligned_load64(const uu64 *p) {
232 CHECK_SMALL_REGION(p, sizeof(*p), false);
233 return *p;
234 }
235
236 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
237 void __sanitizer_unaligned_store16(uu16 *p, u16 x) {
238 CHECK_SMALL_REGION(p, sizeof(*p), true);
239 *p = x;
240 }
241
242 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
243 void __sanitizer_unaligned_store32(uu32 *p, u32 x) {
244 CHECK_SMALL_REGION(p, sizeof(*p), true);
245 *p = x;
246 }
247
248 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
249 void __sanitizer_unaligned_store64(uu64 *p, u64 x) {
250 CHECK_SMALL_REGION(p, sizeof(*p), true);
251 *p = x;
252 }
253
254 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
255 void __asan_poison_cxx_array_cookie(uptr p) {
256 if (SANITIZER_WORDSIZE != 64) return;
257 if (!flags()->poison_array_cookie) return;
258 uptr s = MEM_TO_SHADOW(p);
259 *reinterpret_cast<u8*>(s) = kAsanArrayCookieMagic;
260 }
261
262 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
263 uptr __asan_load_cxx_array_cookie(uptr *p) {
264 if (SANITIZER_WORDSIZE != 64) return *p;
265 if (!flags()->poison_array_cookie) return *p;
266 uptr s = MEM_TO_SHADOW(reinterpret_cast<uptr>(p));
267 u8 sval = *reinterpret_cast<u8*>(s);
268 if (sval == kAsanArrayCookieMagic) return *p;
269 // If sval is not kAsanArrayCookieMagic it can only be freed memory,
270 // which means that we are going to get double-free. So, return 0 to avoid
271 // infinite loop of destructors. We don't want to report a double-free here
272 // though, so print a warning just in case.
273 // CHECK_EQ(sval, kAsanHeapFreeMagic);
274 if (sval == kAsanHeapFreeMagic) {
275 Report("AddressSanitizer: loaded array cookie from free-d memory; "
276 "expect a double-free report\n");
277 return 0;
278 }
279 // The cookie may remain unpoisoned if e.g. it comes from a custom
280 // operator new defined inside a class.
281 return *p;
282 }
283
284 // This is a simplified version of __asan_(un)poison_memory_region, which
285 // assumes that left border of region to be poisoned is properly aligned.
286 static void PoisonAlignedStackMemory(uptr addr, uptr size, bool do_poison) {
287 if (size == 0) return;
288 uptr aligned_size = size & ~(SHADOW_GRANULARITY - 1);
289 PoisonShadow(addr, aligned_size,
290 do_poison ? kAsanStackUseAfterScopeMagic : 0);
291 if (size == aligned_size)
292 return;
293 s8 end_offset = (s8)(size - aligned_size);
294 s8* shadow_end = (s8*)MemToShadow(addr + aligned_size);
295 s8 end_value = *shadow_end;
296 if (do_poison) {
297 // If possible, mark all the bytes mapping to last shadow byte as
298 // unaddressable.
299 if (end_value > 0 && end_value <= end_offset)
300 *shadow_end = (s8)kAsanStackUseAfterScopeMagic;
301 } else {
302 // If necessary, mark few first bytes mapping to last shadow byte
303 // as addressable
304 if (end_value != 0)
305 *shadow_end = Max(end_value, end_offset);
306 }
307 }
308
309 void __asan_set_shadow_00(uptr addr, uptr size) {
310 REAL(memset)((void *)addr, 0, size);
311 }
312
313 void __asan_set_shadow_f1(uptr addr, uptr size) {
314 REAL(memset)((void *)addr, 0xf1, size);
315 }
316
317 void __asan_set_shadow_f2(uptr addr, uptr size) {
318 REAL(memset)((void *)addr, 0xf2, size);
319 }
320
321 void __asan_set_shadow_f3(uptr addr, uptr size) {
322 REAL(memset)((void *)addr, 0xf3, size);
323 }
324
325 void __asan_set_shadow_f5(uptr addr, uptr size) {
326 REAL(memset)((void *)addr, 0xf5, size);
327 }
328
329 void __asan_set_shadow_f8(uptr addr, uptr size) {
330 REAL(memset)((void *)addr, 0xf8, size);
331 }
332
333 void __asan_poison_stack_memory(uptr addr, uptr size) {
334 VReport(1, "poisoning: %p %zx\n", (void *)addr, size);
335 PoisonAlignedStackMemory(addr, size, true);
336 }
337
338 void __asan_unpoison_stack_memory(uptr addr, uptr size) {
339 VReport(1, "unpoisoning: %p %zx\n", (void *)addr, size);
340 PoisonAlignedStackMemory(addr, size, false);
341 }
342
343 void __sanitizer_annotate_contiguous_container(const void *beg_p,
344 const void *end_p,
345 const void *old_mid_p,
346 const void *new_mid_p) {
347 if (!flags()->detect_container_overflow) return;
348 VPrintf(2, "contiguous_container: %p %p %p %p\n", beg_p, end_p, old_mid_p,
349 new_mid_p);
350 uptr beg = reinterpret_cast<uptr>(beg_p);
351 uptr end = reinterpret_cast<uptr>(end_p);
352 uptr old_mid = reinterpret_cast<uptr>(old_mid_p);
353 uptr new_mid = reinterpret_cast<uptr>(new_mid_p);
354 uptr granularity = SHADOW_GRANULARITY;
355 if (!(beg <= old_mid && beg <= new_mid && old_mid <= end && new_mid <= end &&
356 IsAligned(beg, granularity))) {
357 GET_STACK_TRACE_FATAL_HERE;
358 ReportBadParamsToAnnotateContiguousContainer(beg, end, old_mid, new_mid,
359 &stack);
360 }
361 CHECK_LE(end - beg,
362 FIRST_32_SECOND_64(1UL << 30, 1ULL << 40)); // Sanity check.
363
364 uptr a = RoundDownTo(Min(old_mid, new_mid), granularity);
365 uptr c = RoundUpTo(Max(old_mid, new_mid), granularity);
366 uptr d1 = RoundDownTo(old_mid, granularity);
367 // uptr d2 = RoundUpTo(old_mid, granularity);
368 // Currently we should be in this state:
369 // [a, d1) is good, [d2, c) is bad, [d1, d2) is partially good.
370 // Make a quick sanity check that we are indeed in this state.
371 //
372 // FIXME: Two of these three checks are disabled until we fix
373 // https://github.com/google/sanitizers/issues/258.
374 // if (d1 != d2)
375 // CHECK_EQ(*(u8*)MemToShadow(d1), old_mid - d1);
376 if (a + granularity <= d1)
377 CHECK_EQ(*(u8*)MemToShadow(a), 0);
378 // if (d2 + granularity <= c && c <= end)
379 // CHECK_EQ(*(u8 *)MemToShadow(c - granularity),
380 // kAsanContiguousContainerOOBMagic);
381
382 uptr b1 = RoundDownTo(new_mid, granularity);
383 uptr b2 = RoundUpTo(new_mid, granularity);
384 // New state:
385 // [a, b1) is good, [b2, c) is bad, [b1, b2) is partially good.
386 PoisonShadow(a, b1 - a, 0);
387 PoisonShadow(b2, c - b2, kAsanContiguousContainerOOBMagic);
388 if (b1 != b2) {
389 CHECK_EQ(b2 - b1, granularity);
390 *(u8*)MemToShadow(b1) = static_cast<u8>(new_mid - b1);
391 }
392 }
393
394 const void *__sanitizer_contiguous_container_find_bad_address(
395 const void *beg_p, const void *mid_p, const void *end_p) {
396 if (!flags()->detect_container_overflow)
397 return nullptr;
398 uptr beg = reinterpret_cast<uptr>(beg_p);
399 uptr end = reinterpret_cast<uptr>(end_p);
400 uptr mid = reinterpret_cast<uptr>(mid_p);
401 CHECK_LE(beg, mid);
402 CHECK_LE(mid, end);
403 // Check some bytes starting from beg, some bytes around mid, and some bytes
404 // ending with end.
405 uptr kMaxRangeToCheck = 32;
406 uptr r1_beg = beg;
407 uptr r1_end = Min(beg + kMaxRangeToCheck, mid);
408 uptr r2_beg = Max(beg, mid - kMaxRangeToCheck);
409 uptr r2_end = Min(end, mid + kMaxRangeToCheck);
410 uptr r3_beg = Max(end - kMaxRangeToCheck, mid);
411 uptr r3_end = end;
412 for (uptr i = r1_beg; i < r1_end; i++)
413 if (AddressIsPoisoned(i))
414 return reinterpret_cast<const void *>(i);
415 for (uptr i = r2_beg; i < mid; i++)
416 if (AddressIsPoisoned(i))
417 return reinterpret_cast<const void *>(i);
418 for (uptr i = mid; i < r2_end; i++)
419 if (!AddressIsPoisoned(i))
420 return reinterpret_cast<const void *>(i);
421 for (uptr i = r3_beg; i < r3_end; i++)
422 if (!AddressIsPoisoned(i))
423 return reinterpret_cast<const void *>(i);
424 return nullptr;
425 }
426
427 int __sanitizer_verify_contiguous_container(const void *beg_p,
428 const void *mid_p,
429 const void *end_p) {
430 return __sanitizer_contiguous_container_find_bad_address(beg_p, mid_p,
431 end_p) == nullptr;
432 }
433
434 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
435 void __asan_poison_intra_object_redzone(uptr ptr, uptr size) {
436 AsanPoisonOrUnpoisonIntraObjectRedzone(ptr, size, true);
437 }
438
439 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
440 void __asan_unpoison_intra_object_redzone(uptr ptr, uptr size) {
441 AsanPoisonOrUnpoisonIntraObjectRedzone(ptr, size, false);
442 }
443
444 // --- Implementation of LSan-specific functions --- {{{1
445 namespace __lsan {
446 bool WordIsPoisoned(uptr addr) {
447 return (__asan_region_is_poisoned(addr, sizeof(uptr)) != 0);
448 }
449 }
Mirror of the offical gcc git repository hosted at gcc.gnu.org