1 //===-- asan_poisoning.cc -------------------------------------------------===// 2 // 3 // This file is distributed under the University of Illinois Open Source 4 // License. See LICENSE.TXT for details. 5 // 6 //===----------------------------------------------------------------------===// 7 // 8 // This file is a part of AddressSanitizer, an address sanity checker. 9 // 10 // Shadow memory poisoning by ASan RTL and by user application. 11 //===----------------------------------------------------------------------===// 12 13 #include "asan_poisoning.h" 14 #include "asan_report.h" 15 #include "asan_stack.h" 16 #include "sanitizer_common/sanitizer_atomic.h" 17 #include "sanitizer_common/sanitizer_libc.h" 18 #include "sanitizer_common/sanitizer_flags.h" 19 20 namespace __asan { 21 22 static atomic_uint8_t can_poison_memory; 23 24 void SetCanPoisonMemory(bool value) { 25 atomic_store(&can_poison_memory, value, memory_order_release); 26 } 27 28 bool CanPoisonMemory() { 29 return atomic_load(&can_poison_memory, memory_order_acquire); 30 } 31 32 void PoisonShadow(uptr addr, uptr size, u8 value) { 33 if (value && !CanPoisonMemory()) return; 34 CHECK(AddrIsAlignedByGranularity(addr)); 35 CHECK(AddrIsInMem(addr)); 36 CHECK(AddrIsAlignedByGranularity(addr + size)); 37 CHECK(AddrIsInMem(addr + size - SHADOW_GRANULARITY)); 38 CHECK(REAL(memset)); 39 FastPoisonShadow(addr, size, value); 40 } 41 42 void PoisonShadowPartialRightRedzone(uptr addr, 43 uptr size, 44 uptr redzone_size, 45 u8 value) { 46 if (!CanPoisonMemory()) return; 47 CHECK(AddrIsAlignedByGranularity(addr)); 48 CHECK(AddrIsInMem(addr)); 49 FastPoisonShadowPartialRightRedzone(addr, size, redzone_size, value); 50 } 51 52 struct ShadowSegmentEndpoint { 53 u8 *chunk; 54 s8 offset; // in [0, SHADOW_GRANULARITY) 55 s8 value; // = *chunk; 56 57 explicit ShadowSegmentEndpoint(uptr address) { 58 chunk = (u8*)MemToShadow(address); 59 offset = address & (SHADOW_GRANULARITY - 1); 60 value = *chunk; 61 } 62 }; 63 64 void FlushUnneededASanShadowMemory(uptr p, uptr size) { 65 // Since asan's mapping is compacting, the shadow chunk may be 66 // not page-aligned, so we only flush the page-aligned portion. 67 ReleaseMemoryPagesToOS(MemToShadow(p), MemToShadow(p + size)); 68 } 69 70 void AsanPoisonOrUnpoisonIntraObjectRedzone(uptr ptr, uptr size, bool poison) { 71 uptr end = ptr + size; 72 if (Verbosity()) { 73 Printf("__asan_%spoison_intra_object_redzone [%p,%p) %zd\n", 74 poison ? "" : "un", ptr, end, size); 75 if (Verbosity() >= 2) 76 PRINT_CURRENT_STACK(); 77 } 78 CHECK(size); 79 CHECK_LE(size, 4096); 80 CHECK(IsAligned(end, SHADOW_GRANULARITY)); 81 if (!IsAligned(ptr, SHADOW_GRANULARITY)) { 82 *(u8 *)MemToShadow(ptr) = 83 poison ? static_cast<u8>(ptr % SHADOW_GRANULARITY) : 0; 84 ptr |= SHADOW_GRANULARITY - 1; 85 ptr++; 86 } 87 for (; ptr < end; ptr += SHADOW_GRANULARITY) 88 *(u8*)MemToShadow(ptr) = poison ? kAsanIntraObjectRedzone : 0; 89 } 90 91 } // namespace __asan 92 93 // ---------------------- Interface ---------------- {{{1 94 using namespace __asan; // NOLINT 95 96 // Current implementation of __asan_(un)poison_memory_region doesn't check 97 // that user program (un)poisons the memory it owns. It poisons memory 98 // conservatively, and unpoisons progressively to make sure asan shadow 99 // mapping invariant is preserved (see detailed mapping description here: 100 // https://github.com/google/sanitizers/wiki/AddressSanitizerAlgorithm). 101 // 102 // * if user asks to poison region [left, right), the program poisons 103 // at least [left, AlignDown(right)). 104 // * if user asks to unpoison region [left, right), the program unpoisons 105 // at most [AlignDown(left), right). 106 void __asan_poison_memory_region(void const volatile *addr, uptr size) { 107 if (!flags()->allow_user_poisoning || size == 0) return; 108 uptr beg_addr = (uptr)addr; 109 uptr end_addr = beg_addr + size; 110 VPrintf(3, "Trying to poison memory region [%p, %p)\n", (void *)beg_addr, 111 (void *)end_addr); 112 ShadowSegmentEndpoint beg(beg_addr); 113 ShadowSegmentEndpoint end(end_addr); 114 if (beg.chunk == end.chunk) { 115 CHECK_LT(beg.offset, end.offset); 116 s8 value = beg.value; 117 CHECK_EQ(value, end.value); 118 // We can only poison memory if the byte in end.offset is unaddressable. 119 // No need to re-poison memory if it is poisoned already. 120 if (value > 0 && value <= end.offset) { 121 if (beg.offset > 0) { 122 *beg.chunk = Min(value, beg.offset); 123 } else { 124 *beg.chunk = kAsanUserPoisonedMemoryMagic; 125 } 126 } 127 return; 128 } 129 CHECK_LT(beg.chunk, end.chunk); 130 if (beg.offset > 0) { 131 // Mark bytes from beg.offset as unaddressable. 132 if (beg.value == 0) { 133 *beg.chunk = beg.offset; 134 } else { 135 *beg.chunk = Min(beg.value, beg.offset); 136 } 137 beg.chunk++; 138 } 139 REAL(memset)(beg.chunk, kAsanUserPoisonedMemoryMagic, end.chunk - beg.chunk); 140 // Poison if byte in end.offset is unaddressable. 141 if (end.value > 0 && end.value <= end.offset) { 142 *end.chunk = kAsanUserPoisonedMemoryMagic; 143 } 144 } 145 146 void __asan_unpoison_memory_region(void const volatile *addr, uptr size) { 147 if (!flags()->allow_user_poisoning || size == 0) return; 148 uptr beg_addr = (uptr)addr; 149 uptr end_addr = beg_addr + size; 150 VPrintf(3, "Trying to unpoison memory region [%p, %p)\n", (void *)beg_addr, 151 (void *)end_addr); 152 ShadowSegmentEndpoint beg(beg_addr); 153 ShadowSegmentEndpoint end(end_addr); 154 if (beg.chunk == end.chunk) { 155 CHECK_LT(beg.offset, end.offset); 156 s8 value = beg.value; 157 CHECK_EQ(value, end.value); 158 // We unpoison memory bytes up to enbytes up to end.offset if it is not 159 // unpoisoned already. 160 if (value != 0) { 161 *beg.chunk = Max(value, end.offset); 162 } 163 return; 164 } 165 CHECK_LT(beg.chunk, end.chunk); 166 if (beg.offset > 0) { 167 *beg.chunk = 0; 168 beg.chunk++; 169 } 170 REAL(memset)(beg.chunk, 0, end.chunk - beg.chunk); 171 if (end.offset > 0 && end.value != 0) { 172 *end.chunk = Max(end.value, end.offset); 173 } 174 } 175 176 int __asan_address_is_poisoned(void const volatile *addr) { 177 return __asan::AddressIsPoisoned((uptr)addr); 178 } 179 180 uptr __asan_region_is_poisoned(uptr beg, uptr size) { 181 if (!size) return 0; 182 uptr end = beg + size; 183 if (SANITIZER_MYRIAD2) { 184 // On Myriad, address not in DRAM range need to be treated as 185 // unpoisoned. 186 if (!AddrIsInMem(beg) && !AddrIsInShadow(beg)) return 0; 187 if (!AddrIsInMem(end) && !AddrIsInShadow(end)) return 0; 188 } else { 189 if (!AddrIsInMem(beg)) return beg; 190 if (!AddrIsInMem(end)) return end; 191 } 192 CHECK_LT(beg, end); 193 uptr aligned_b = RoundUpTo(beg, SHADOW_GRANULARITY); 194 uptr aligned_e = RoundDownTo(end, SHADOW_GRANULARITY); 195 uptr shadow_beg = MemToShadow(aligned_b); 196 uptr shadow_end = MemToShadow(aligned_e); 197 // First check the first and the last application bytes, 198 // then check the SHADOW_GRANULARITY-aligned region by calling 199 // mem_is_zero on the corresponding shadow. 200 if (!__asan::AddressIsPoisoned(beg) && 201 !__asan::AddressIsPoisoned(end - 1) && 202 (shadow_end <= shadow_beg || 203 __sanitizer::mem_is_zero((const char *)shadow_beg, 204 shadow_end - shadow_beg))) 205 return 0; 206 // The fast check failed, so we have a poisoned byte somewhere. 207 // Find it slowly. 208 for (; beg < end; beg++) 209 if (__asan::AddressIsPoisoned(beg)) 210 return beg; 211 UNREACHABLE("mem_is_zero returned false, but poisoned byte was not found"); 212 return 0; 213 } 214 215 #define CHECK_SMALL_REGION(p, size, isWrite) \ 216 do { \ 217 uptr __p = reinterpret_cast<uptr>(p); \ 218 uptr __size = size; \ 219 if (UNLIKELY(__asan::AddressIsPoisoned(__p) || \ 220 __asan::AddressIsPoisoned(__p + __size - 1))) { \ 221 GET_CURRENT_PC_BP_SP; \ 222 uptr __bad = __asan_region_is_poisoned(__p, __size); \ 223 __asan_report_error(pc, bp, sp, __bad, isWrite, __size, 0);\ 224 } \ 225 } while (false) 226 227 228 extern "C" SANITIZER_INTERFACE_ATTRIBUTE 229 u16 __sanitizer_unaligned_load16(const uu16 *p) { 230 CHECK_SMALL_REGION(p, sizeof(*p), false); 231 return *p; 232 } 233 234 extern "C" SANITIZER_INTERFACE_ATTRIBUTE 235 u32 __sanitizer_unaligned_load32(const uu32 *p) { 236 CHECK_SMALL_REGION(p, sizeof(*p), false); 237 return *p; 238 } 239 240 extern "C" SANITIZER_INTERFACE_ATTRIBUTE 241 u64 __sanitizer_unaligned_load64(const uu64 *p) { 242 CHECK_SMALL_REGION(p, sizeof(*p), false); 243 return *p; 244 } 245 246 extern "C" SANITIZER_INTERFACE_ATTRIBUTE 247 void __sanitizer_unaligned_store16(uu16 *p, u16 x) { 248 CHECK_SMALL_REGION(p, sizeof(*p), true); 249 *p = x; 250 } 251 252 extern "C" SANITIZER_INTERFACE_ATTRIBUTE 253 void __sanitizer_unaligned_store32(uu32 *p, u32 x) { 254 CHECK_SMALL_REGION(p, sizeof(*p), true); 255 *p = x; 256 } 257 258 extern "C" SANITIZER_INTERFACE_ATTRIBUTE 259 void __sanitizer_unaligned_store64(uu64 *p, u64 x) { 260 CHECK_SMALL_REGION(p, sizeof(*p), true); 261 *p = x; 262 } 263 264 extern "C" SANITIZER_INTERFACE_ATTRIBUTE 265 void __asan_poison_cxx_array_cookie(uptr p) { 266 if (SANITIZER_WORDSIZE != 64) return; 267 if (!flags()->poison_array_cookie) return; 268 uptr s = MEM_TO_SHADOW(p); 269 *reinterpret_cast<u8*>(s) = kAsanArrayCookieMagic; 270 } 271 272 extern "C" SANITIZER_INTERFACE_ATTRIBUTE 273 uptr __asan_load_cxx_array_cookie(uptr *p) { 274 if (SANITIZER_WORDSIZE != 64) return *p; 275 if (!flags()->poison_array_cookie) return *p; 276 uptr s = MEM_TO_SHADOW(reinterpret_cast<uptr>(p)); 277 u8 sval = *reinterpret_cast<u8*>(s); 278 if (sval == kAsanArrayCookieMagic) return *p; 279 // If sval is not kAsanArrayCookieMagic it can only be freed memory, 280 // which means that we are going to get double-free. So, return 0 to avoid 281 // infinite loop of destructors. We don't want to report a double-free here 282 // though, so print a warning just in case. 283 // CHECK_EQ(sval, kAsanHeapFreeMagic); 284 if (sval == kAsanHeapFreeMagic) { 285 Report("AddressSanitizer: loaded array cookie from free-d memory; " 286 "expect a double-free report\n"); 287 return 0; 288 } 289 // The cookie may remain unpoisoned if e.g. it comes from a custom 290 // operator new defined inside a class. 291 return *p; 292 } 293 294 // This is a simplified version of __asan_(un)poison_memory_region, which 295 // assumes that left border of region to be poisoned is properly aligned. 296 static void PoisonAlignedStackMemory(uptr addr, uptr size, bool do_poison) { 297 if (size == 0) return; 298 uptr aligned_size = size & ~(SHADOW_GRANULARITY - 1); 299 PoisonShadow(addr, aligned_size, 300 do_poison ? kAsanStackUseAfterScopeMagic : 0); 301 if (size == aligned_size) 302 return; 303 s8 end_offset = (s8)(size - aligned_size); 304 s8* shadow_end = (s8*)MemToShadow(addr + aligned_size); 305 s8 end_value = *shadow_end; 306 if (do_poison) { 307 // If possible, mark all the bytes mapping to last shadow byte as 308 // unaddressable. 309 if (end_value > 0 && end_value <= end_offset) 310 *shadow_end = (s8)kAsanStackUseAfterScopeMagic; 311 } else { 312 // If necessary, mark few first bytes mapping to last shadow byte 313 // as addressable 314 if (end_value != 0) 315 *shadow_end = Max(end_value, end_offset); 316 } 317 } 318 319 void __asan_set_shadow_00(uptr addr, uptr size) { 320 REAL(memset)((void *)addr, 0, size); 321 } 322 323 void __asan_set_shadow_f1(uptr addr, uptr size) { 324 REAL(memset)((void *)addr, 0xf1, size); 325 } 326 327 void __asan_set_shadow_f2(uptr addr, uptr size) { 328 REAL(memset)((void *)addr, 0xf2, size); 329 } 330 331 void __asan_set_shadow_f3(uptr addr, uptr size) { 332 REAL(memset)((void *)addr, 0xf3, size); 333 } 334 335 void __asan_set_shadow_f5(uptr addr, uptr size) { 336 REAL(memset)((void *)addr, 0xf5, size); 337 } 338 339 void __asan_set_shadow_f8(uptr addr, uptr size) { 340 REAL(memset)((void *)addr, 0xf8, size); 341 } 342 343 void __asan_poison_stack_memory(uptr addr, uptr size) { 344 VReport(1, "poisoning: %p %zx\n", (void *)addr, size); 345 PoisonAlignedStackMemory(addr, size, true); 346 } 347 348 void __asan_unpoison_stack_memory(uptr addr, uptr size) { 349 VReport(1, "unpoisoning: %p %zx\n", (void *)addr, size); 350 PoisonAlignedStackMemory(addr, size, false); 351 } 352 353 void __sanitizer_annotate_contiguous_container(const void *beg_p, 354 const void *end_p, 355 const void *old_mid_p, 356 const void *new_mid_p) { 357 if (!flags()->detect_container_overflow) return; 358 VPrintf(2, "contiguous_container: %p %p %p %p\n", beg_p, end_p, old_mid_p, 359 new_mid_p); 360 uptr beg = reinterpret_cast<uptr>(beg_p); 361 uptr end = reinterpret_cast<uptr>(end_p); 362 uptr old_mid = reinterpret_cast<uptr>(old_mid_p); 363 uptr new_mid = reinterpret_cast<uptr>(new_mid_p); 364 uptr granularity = SHADOW_GRANULARITY; 365 if (!(beg <= old_mid && beg <= new_mid && old_mid <= end && new_mid <= end && 366 IsAligned(beg, granularity))) { 367 GET_STACK_TRACE_FATAL_HERE; 368 ReportBadParamsToAnnotateContiguousContainer(beg, end, old_mid, new_mid, 369 &stack); 370 } 371 CHECK_LE(end - beg, 372 FIRST_32_SECOND_64(1UL << 30, 1ULL << 34)); // Sanity check. 373 374 uptr a = RoundDownTo(Min(old_mid, new_mid), granularity); 375 uptr c = RoundUpTo(Max(old_mid, new_mid), granularity); 376 uptr d1 = RoundDownTo(old_mid, granularity); 377 // uptr d2 = RoundUpTo(old_mid, granularity); 378 // Currently we should be in this state: 379 // [a, d1) is good, [d2, c) is bad, [d1, d2) is partially good. 380 // Make a quick sanity check that we are indeed in this state. 381 // 382 // FIXME: Two of these three checks are disabled until we fix 383 // https://github.com/google/sanitizers/issues/258. 384 // if (d1 != d2) 385 // CHECK_EQ(*(u8*)MemToShadow(d1), old_mid - d1); 386 if (a + granularity <= d1) 387 CHECK_EQ(*(u8*)MemToShadow(a), 0); 388 // if (d2 + granularity <= c && c <= end) 389 // CHECK_EQ(*(u8 *)MemToShadow(c - granularity), 390 // kAsanContiguousContainerOOBMagic); 391 392 uptr b1 = RoundDownTo(new_mid, granularity); 393 uptr b2 = RoundUpTo(new_mid, granularity); 394 // New state: 395 // [a, b1) is good, [b2, c) is bad, [b1, b2) is partially good. 396 PoisonShadow(a, b1 - a, 0); 397 PoisonShadow(b2, c - b2, kAsanContiguousContainerOOBMagic); 398 if (b1 != b2) { 399 CHECK_EQ(b2 - b1, granularity); 400 *(u8*)MemToShadow(b1) = static_cast<u8>(new_mid - b1); 401 } 402 } 403 404 const void *__sanitizer_contiguous_container_find_bad_address( 405 const void *beg_p, const void *mid_p, const void *end_p) { 406 if (!flags()->detect_container_overflow) 407 return nullptr; 408 uptr beg = reinterpret_cast<uptr>(beg_p); 409 uptr end = reinterpret_cast<uptr>(end_p); 410 uptr mid = reinterpret_cast<uptr>(mid_p); 411 CHECK_LE(beg, mid); 412 CHECK_LE(mid, end); 413 // Check some bytes starting from beg, some bytes around mid, and some bytes 414 // ending with end. 415 uptr kMaxRangeToCheck = 32; 416 uptr r1_beg = beg; 417 uptr r1_end = Min(beg + kMaxRangeToCheck, mid); 418 uptr r2_beg = Max(beg, mid - kMaxRangeToCheck); 419 uptr r2_end = Min(end, mid + kMaxRangeToCheck); 420 uptr r3_beg = Max(end - kMaxRangeToCheck, mid); 421 uptr r3_end = end; 422 for (uptr i = r1_beg; i < r1_end; i++) 423 if (AddressIsPoisoned(i)) 424 return reinterpret_cast<const void *>(i); 425 for (uptr i = r2_beg; i < mid; i++) 426 if (AddressIsPoisoned(i)) 427 return reinterpret_cast<const void *>(i); 428 for (uptr i = mid; i < r2_end; i++) 429 if (!AddressIsPoisoned(i)) 430 return reinterpret_cast<const void *>(i); 431 for (uptr i = r3_beg; i < r3_end; i++) 432 if (!AddressIsPoisoned(i)) 433 return reinterpret_cast<const void *>(i); 434 return nullptr; 435 } 436 437 int __sanitizer_verify_contiguous_container(const void *beg_p, 438 const void *mid_p, 439 const void *end_p) { 440 return __sanitizer_contiguous_container_find_bad_address(beg_p, mid_p, 441 end_p) == nullptr; 442 } 443 444 extern "C" SANITIZER_INTERFACE_ATTRIBUTE 445 void __asan_poison_intra_object_redzone(uptr ptr, uptr size) { 446 AsanPoisonOrUnpoisonIntraObjectRedzone(ptr, size, true); 447 } 448 449 extern "C" SANITIZER_INTERFACE_ATTRIBUTE 450 void __asan_unpoison_intra_object_redzone(uptr ptr, uptr size) { 451 AsanPoisonOrUnpoisonIntraObjectRedzone(ptr, size, false); 452 } 453 454 // --- Implementation of LSan-specific functions --- {{{1 455 namespace __lsan { 456 bool WordIsPoisoned(uptr addr) { 457 return (__asan_region_is_poisoned(addr, sizeof(uptr)) != 0); 458 } 459 } 460