1 //===-- asan_poisoning.cc -------------------------------------------------===//
3 // This file is distributed under the University of Illinois Open Source
4 // License. See LICENSE.TXT for details.
6 //===----------------------------------------------------------------------===//
8 // This file is a part of AddressSanitizer, an address sanity checker.
10 // Shadow memory poisoning by ASan RTL and by user application.
11 //===----------------------------------------------------------------------===//
13 #include "asan_poisoning.h"
14 #include "asan_report.h"
15 #include "asan_stack.h"
16 #include "sanitizer_common/sanitizer_atomic.h"
17 #include "sanitizer_common/sanitizer_libc.h"
18 #include "sanitizer_common/sanitizer_flags.h"
22 static atomic_uint8_t can_poison_memory
;
24 void SetCanPoisonMemory(bool value
) {
25 atomic_store(&can_poison_memory
, value
, memory_order_release
);
28 bool CanPoisonMemory() {
29 return atomic_load(&can_poison_memory
, memory_order_acquire
);
32 void PoisonShadow(uptr addr
, uptr size
, u8 value
) {
33 if (value
&& !CanPoisonMemory()) return;
34 CHECK(AddrIsAlignedByGranularity(addr
));
35 CHECK(AddrIsInMem(addr
));
36 CHECK(AddrIsAlignedByGranularity(addr
+ size
));
37 CHECK(AddrIsInMem(addr
+ size
- SHADOW_GRANULARITY
));
39 FastPoisonShadow(addr
, size
, value
);
42 void PoisonShadowPartialRightRedzone(uptr addr
,
46 if (!CanPoisonMemory()) return;
47 CHECK(AddrIsAlignedByGranularity(addr
));
48 CHECK(AddrIsInMem(addr
));
49 FastPoisonShadowPartialRightRedzone(addr
, size
, redzone_size
, value
);
52 struct ShadowSegmentEndpoint
{
54 s8 offset
; // in [0, SHADOW_GRANULARITY)
55 s8 value
; // = *chunk;
57 explicit ShadowSegmentEndpoint(uptr address
) {
58 chunk
= (u8
*)MemToShadow(address
);
59 offset
= address
& (SHADOW_GRANULARITY
- 1);
64 void FlushUnneededASanShadowMemory(uptr p
, uptr size
) {
65 // Since asan's mapping is compacting, the shadow chunk may be
66 // not page-aligned, so we only flush the page-aligned portion.
67 ReleaseMemoryPagesToOS(MemToShadow(p
), MemToShadow(p
+ size
));
70 void AsanPoisonOrUnpoisonIntraObjectRedzone(uptr ptr
, uptr size
, bool poison
) {
71 uptr end
= ptr
+ size
;
73 Printf("__asan_%spoison_intra_object_redzone [%p,%p) %zd\n",
74 poison
? "" : "un", ptr
, end
, size
);
76 PRINT_CURRENT_STACK();
80 CHECK(IsAligned(end
, SHADOW_GRANULARITY
));
81 if (!IsAligned(ptr
, SHADOW_GRANULARITY
)) {
82 *(u8
*)MemToShadow(ptr
) =
83 poison
? static_cast<u8
>(ptr
% SHADOW_GRANULARITY
) : 0;
84 ptr
|= SHADOW_GRANULARITY
- 1;
87 for (; ptr
< end
; ptr
+= SHADOW_GRANULARITY
)
88 *(u8
*)MemToShadow(ptr
) = poison
? kAsanIntraObjectRedzone
: 0;
93 // ---------------------- Interface ---------------- {{{1
94 using namespace __asan
; // NOLINT
96 // Current implementation of __asan_(un)poison_memory_region doesn't check
97 // that user program (un)poisons the memory it owns. It poisons memory
98 // conservatively, and unpoisons progressively to make sure asan shadow
99 // mapping invariant is preserved (see detailed mapping description here:
100 // https://github.com/google/sanitizers/wiki/AddressSanitizerAlgorithm).
102 // * if user asks to poison region [left, right), the program poisons
103 // at least [left, AlignDown(right)).
104 // * if user asks to unpoison region [left, right), the program unpoisons
105 // at most [AlignDown(left), right).
106 void __asan_poison_memory_region(void const volatile *addr
, uptr size
) {
107 if (!flags()->allow_user_poisoning
|| size
== 0) return;
108 uptr beg_addr
= (uptr
)addr
;
109 uptr end_addr
= beg_addr
+ size
;
110 VPrintf(3, "Trying to poison memory region [%p, %p)\n", (void *)beg_addr
,
112 ShadowSegmentEndpoint
beg(beg_addr
);
113 ShadowSegmentEndpoint
end(end_addr
);
114 if (beg
.chunk
== end
.chunk
) {
115 CHECK_LT(beg
.offset
, end
.offset
);
116 s8 value
= beg
.value
;
117 CHECK_EQ(value
, end
.value
);
118 // We can only poison memory if the byte in end.offset is unaddressable.
119 // No need to re-poison memory if it is poisoned already.
120 if (value
> 0 && value
<= end
.offset
) {
121 if (beg
.offset
> 0) {
122 *beg
.chunk
= Min(value
, beg
.offset
);
124 *beg
.chunk
= kAsanUserPoisonedMemoryMagic
;
129 CHECK_LT(beg
.chunk
, end
.chunk
);
130 if (beg
.offset
> 0) {
131 // Mark bytes from beg.offset as unaddressable.
132 if (beg
.value
== 0) {
133 *beg
.chunk
= beg
.offset
;
135 *beg
.chunk
= Min(beg
.value
, beg
.offset
);
139 REAL(memset
)(beg
.chunk
, kAsanUserPoisonedMemoryMagic
, end
.chunk
- beg
.chunk
);
140 // Poison if byte in end.offset is unaddressable.
141 if (end
.value
> 0 && end
.value
<= end
.offset
) {
142 *end
.chunk
= kAsanUserPoisonedMemoryMagic
;
146 void __asan_unpoison_memory_region(void const volatile *addr
, uptr size
) {
147 if (!flags()->allow_user_poisoning
|| size
== 0) return;
148 uptr beg_addr
= (uptr
)addr
;
149 uptr end_addr
= beg_addr
+ size
;
150 VPrintf(3, "Trying to unpoison memory region [%p, %p)\n", (void *)beg_addr
,
152 ShadowSegmentEndpoint
beg(beg_addr
);
153 ShadowSegmentEndpoint
end(end_addr
);
154 if (beg
.chunk
== end
.chunk
) {
155 CHECK_LT(beg
.offset
, end
.offset
);
156 s8 value
= beg
.value
;
157 CHECK_EQ(value
, end
.value
);
158 // We unpoison memory bytes up to enbytes up to end.offset if it is not
159 // unpoisoned already.
161 *beg
.chunk
= Max(value
, end
.offset
);
165 CHECK_LT(beg
.chunk
, end
.chunk
);
166 if (beg
.offset
> 0) {
170 REAL(memset
)(beg
.chunk
, 0, end
.chunk
- beg
.chunk
);
171 if (end
.offset
> 0 && end
.value
!= 0) {
172 *end
.chunk
= Max(end
.value
, end
.offset
);
176 int __asan_address_is_poisoned(void const volatile *addr
) {
177 return __asan::AddressIsPoisoned((uptr
)addr
);
180 uptr
__asan_region_is_poisoned(uptr beg
, uptr size
) {
182 uptr end
= beg
+ size
;
183 if (SANITIZER_MYRIAD2
) {
184 // On Myriad, address not in DRAM range need to be treated as
186 if (!AddrIsInMem(beg
) && !AddrIsInShadow(beg
)) return 0;
187 if (!AddrIsInMem(end
) && !AddrIsInShadow(end
)) return 0;
189 if (!AddrIsInMem(beg
)) return beg
;
190 if (!AddrIsInMem(end
)) return end
;
193 uptr aligned_b
= RoundUpTo(beg
, SHADOW_GRANULARITY
);
194 uptr aligned_e
= RoundDownTo(end
, SHADOW_GRANULARITY
);
195 uptr shadow_beg
= MemToShadow(aligned_b
);
196 uptr shadow_end
= MemToShadow(aligned_e
);
197 // First check the first and the last application bytes,
198 // then check the SHADOW_GRANULARITY-aligned region by calling
199 // mem_is_zero on the corresponding shadow.
200 if (!__asan::AddressIsPoisoned(beg
) &&
201 !__asan::AddressIsPoisoned(end
- 1) &&
202 (shadow_end
<= shadow_beg
||
203 __sanitizer::mem_is_zero((const char *)shadow_beg
,
204 shadow_end
- shadow_beg
)))
206 // The fast check failed, so we have a poisoned byte somewhere.
208 for (; beg
< end
; beg
++)
209 if (__asan::AddressIsPoisoned(beg
))
211 UNREACHABLE("mem_is_zero returned false, but poisoned byte was not found");
215 #define CHECK_SMALL_REGION(p, size, isWrite) \
217 uptr __p = reinterpret_cast<uptr>(p); \
218 uptr __size = size; \
219 if (UNLIKELY(__asan::AddressIsPoisoned(__p) || \
220 __asan::AddressIsPoisoned(__p + __size - 1))) { \
221 GET_CURRENT_PC_BP_SP; \
222 uptr __bad = __asan_region_is_poisoned(__p, __size); \
223 __asan_report_error(pc, bp, sp, __bad, isWrite, __size, 0);\
228 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
229 u16
__sanitizer_unaligned_load16(const uu16
*p
) {
230 CHECK_SMALL_REGION(p
, sizeof(*p
), false);
234 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
235 u32
__sanitizer_unaligned_load32(const uu32
*p
) {
236 CHECK_SMALL_REGION(p
, sizeof(*p
), false);
240 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
241 u64
__sanitizer_unaligned_load64(const uu64
*p
) {
242 CHECK_SMALL_REGION(p
, sizeof(*p
), false);
246 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
247 void __sanitizer_unaligned_store16(uu16
*p
, u16 x
) {
248 CHECK_SMALL_REGION(p
, sizeof(*p
), true);
252 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
253 void __sanitizer_unaligned_store32(uu32
*p
, u32 x
) {
254 CHECK_SMALL_REGION(p
, sizeof(*p
), true);
258 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
259 void __sanitizer_unaligned_store64(uu64
*p
, u64 x
) {
260 CHECK_SMALL_REGION(p
, sizeof(*p
), true);
264 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
265 void __asan_poison_cxx_array_cookie(uptr p
) {
266 if (SANITIZER_WORDSIZE
!= 64) return;
267 if (!flags()->poison_array_cookie
) return;
268 uptr s
= MEM_TO_SHADOW(p
);
269 *reinterpret_cast<u8
*>(s
) = kAsanArrayCookieMagic
;
272 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
273 uptr
__asan_load_cxx_array_cookie(uptr
*p
) {
274 if (SANITIZER_WORDSIZE
!= 64) return *p
;
275 if (!flags()->poison_array_cookie
) return *p
;
276 uptr s
= MEM_TO_SHADOW(reinterpret_cast<uptr
>(p
));
277 u8 sval
= *reinterpret_cast<u8
*>(s
);
278 if (sval
== kAsanArrayCookieMagic
) return *p
;
279 // If sval is not kAsanArrayCookieMagic it can only be freed memory,
280 // which means that we are going to get double-free. So, return 0 to avoid
281 // infinite loop of destructors. We don't want to report a double-free here
282 // though, so print a warning just in case.
283 // CHECK_EQ(sval, kAsanHeapFreeMagic);
284 if (sval
== kAsanHeapFreeMagic
) {
285 Report("AddressSanitizer: loaded array cookie from free-d memory; "
286 "expect a double-free report\n");
289 // The cookie may remain unpoisoned if e.g. it comes from a custom
290 // operator new defined inside a class.
294 // This is a simplified version of __asan_(un)poison_memory_region, which
295 // assumes that left border of region to be poisoned is properly aligned.
296 static void PoisonAlignedStackMemory(uptr addr
, uptr size
, bool do_poison
) {
297 if (size
== 0) return;
298 uptr aligned_size
= size
& ~(SHADOW_GRANULARITY
- 1);
299 PoisonShadow(addr
, aligned_size
,
300 do_poison
? kAsanStackUseAfterScopeMagic
: 0);
301 if (size
== aligned_size
)
303 s8 end_offset
= (s8
)(size
- aligned_size
);
304 s8
* shadow_end
= (s8
*)MemToShadow(addr
+ aligned_size
);
305 s8 end_value
= *shadow_end
;
307 // If possible, mark all the bytes mapping to last shadow byte as
309 if (end_value
> 0 && end_value
<= end_offset
)
310 *shadow_end
= (s8
)kAsanStackUseAfterScopeMagic
;
312 // If necessary, mark few first bytes mapping to last shadow byte
315 *shadow_end
= Max(end_value
, end_offset
);
319 void __asan_set_shadow_00(uptr addr
, uptr size
) {
320 REAL(memset
)((void *)addr
, 0, size
);
323 void __asan_set_shadow_f1(uptr addr
, uptr size
) {
324 REAL(memset
)((void *)addr
, 0xf1, size
);
327 void __asan_set_shadow_f2(uptr addr
, uptr size
) {
328 REAL(memset
)((void *)addr
, 0xf2, size
);
331 void __asan_set_shadow_f3(uptr addr
, uptr size
) {
332 REAL(memset
)((void *)addr
, 0xf3, size
);
335 void __asan_set_shadow_f5(uptr addr
, uptr size
) {
336 REAL(memset
)((void *)addr
, 0xf5, size
);
339 void __asan_set_shadow_f8(uptr addr
, uptr size
) {
340 REAL(memset
)((void *)addr
, 0xf8, size
);
343 void __asan_poison_stack_memory(uptr addr
, uptr size
) {
344 VReport(1, "poisoning: %p %zx\n", (void *)addr
, size
);
345 PoisonAlignedStackMemory(addr
, size
, true);
348 void __asan_unpoison_stack_memory(uptr addr
, uptr size
) {
349 VReport(1, "unpoisoning: %p %zx\n", (void *)addr
, size
);
350 PoisonAlignedStackMemory(addr
, size
, false);
353 void __sanitizer_annotate_contiguous_container(const void *beg_p
,
355 const void *old_mid_p
,
356 const void *new_mid_p
) {
357 if (!flags()->detect_container_overflow
) return;
358 VPrintf(2, "contiguous_container: %p %p %p %p\n", beg_p
, end_p
, old_mid_p
,
360 uptr beg
= reinterpret_cast<uptr
>(beg_p
);
361 uptr end
= reinterpret_cast<uptr
>(end_p
);
362 uptr old_mid
= reinterpret_cast<uptr
>(old_mid_p
);
363 uptr new_mid
= reinterpret_cast<uptr
>(new_mid_p
);
364 uptr granularity
= SHADOW_GRANULARITY
;
365 if (!(beg
<= old_mid
&& beg
<= new_mid
&& old_mid
<= end
&& new_mid
<= end
&&
366 IsAligned(beg
, granularity
))) {
367 GET_STACK_TRACE_FATAL_HERE
;
368 ReportBadParamsToAnnotateContiguousContainer(beg
, end
, old_mid
, new_mid
,
372 FIRST_32_SECOND_64(1UL << 30, 1ULL << 34)); // Sanity check.
374 uptr a
= RoundDownTo(Min(old_mid
, new_mid
), granularity
);
375 uptr c
= RoundUpTo(Max(old_mid
, new_mid
), granularity
);
376 uptr d1
= RoundDownTo(old_mid
, granularity
);
377 // uptr d2 = RoundUpTo(old_mid, granularity);
378 // Currently we should be in this state:
379 // [a, d1) is good, [d2, c) is bad, [d1, d2) is partially good.
380 // Make a quick sanity check that we are indeed in this state.
382 // FIXME: Two of these three checks are disabled until we fix
383 // https://github.com/google/sanitizers/issues/258.
385 // CHECK_EQ(*(u8*)MemToShadow(d1), old_mid - d1);
386 if (a
+ granularity
<= d1
)
387 CHECK_EQ(*(u8
*)MemToShadow(a
), 0);
388 // if (d2 + granularity <= c && c <= end)
389 // CHECK_EQ(*(u8 *)MemToShadow(c - granularity),
390 // kAsanContiguousContainerOOBMagic);
392 uptr b1
= RoundDownTo(new_mid
, granularity
);
393 uptr b2
= RoundUpTo(new_mid
, granularity
);
395 // [a, b1) is good, [b2, c) is bad, [b1, b2) is partially good.
396 PoisonShadow(a
, b1
- a
, 0);
397 PoisonShadow(b2
, c
- b2
, kAsanContiguousContainerOOBMagic
);
399 CHECK_EQ(b2
- b1
, granularity
);
400 *(u8
*)MemToShadow(b1
) = static_cast<u8
>(new_mid
- b1
);
404 const void *__sanitizer_contiguous_container_find_bad_address(
405 const void *beg_p
, const void *mid_p
, const void *end_p
) {
406 if (!flags()->detect_container_overflow
)
408 uptr beg
= reinterpret_cast<uptr
>(beg_p
);
409 uptr end
= reinterpret_cast<uptr
>(end_p
);
410 uptr mid
= reinterpret_cast<uptr
>(mid_p
);
413 // Check some bytes starting from beg, some bytes around mid, and some bytes
415 uptr kMaxRangeToCheck
= 32;
417 uptr r1_end
= Min(beg
+ kMaxRangeToCheck
, mid
);
418 uptr r2_beg
= Max(beg
, mid
- kMaxRangeToCheck
);
419 uptr r2_end
= Min(end
, mid
+ kMaxRangeToCheck
);
420 uptr r3_beg
= Max(end
- kMaxRangeToCheck
, mid
);
422 for (uptr i
= r1_beg
; i
< r1_end
; i
++)
423 if (AddressIsPoisoned(i
))
424 return reinterpret_cast<const void *>(i
);
425 for (uptr i
= r2_beg
; i
< mid
; i
++)
426 if (AddressIsPoisoned(i
))
427 return reinterpret_cast<const void *>(i
);
428 for (uptr i
= mid
; i
< r2_end
; i
++)
429 if (!AddressIsPoisoned(i
))
430 return reinterpret_cast<const void *>(i
);
431 for (uptr i
= r3_beg
; i
< r3_end
; i
++)
432 if (!AddressIsPoisoned(i
))
433 return reinterpret_cast<const void *>(i
);
437 int __sanitizer_verify_contiguous_container(const void *beg_p
,
440 return __sanitizer_contiguous_container_find_bad_address(beg_p
, mid_p
,
444 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
445 void __asan_poison_intra_object_redzone(uptr ptr
, uptr size
) {
446 AsanPoisonOrUnpoisonIntraObjectRedzone(ptr
, size
, true);
449 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
450 void __asan_unpoison_intra_object_redzone(uptr ptr
, uptr size
) {
451 AsanPoisonOrUnpoisonIntraObjectRedzone(ptr
, size
, false);
454 // --- Implementation of LSan-specific functions --- {{{1
456 bool WordIsPoisoned(uptr addr
) {
457 return (__asan_region_is_poisoned(addr
, sizeof(uptr
)) != 0);