1 //===-- asan_poisoning.cc -------------------------------------------------===// 2 // 3 // This file is distributed under the University of Illinois Open Source 4 // License. See LICENSE.TXT for details. 5 // 6 //===----------------------------------------------------------------------===// 7 // 8 // This file is a part of AddressSanitizer, an address sanity checker. 9 // 10 // Shadow memory poisoning by ASan RTL and by user application. 11 //===----------------------------------------------------------------------===// 12 13 #include "asan_interceptors.h" 14 #include "asan_internal.h" 15 #include "asan_mapping.h" 16 #include "sanitizer_common/sanitizer_libc.h" 17 18 namespace __asan { 19 20 void PoisonShadow(uptr addr, uptr size, u8 value) { 21 if (!flags()->poison_heap) return; 22 CHECK(AddrIsAlignedByGranularity(addr)); 23 CHECK(AddrIsAlignedByGranularity(addr + size)); 24 uptr shadow_beg = MemToShadow(addr); 25 uptr shadow_end = MemToShadow(addr + size - SHADOW_GRANULARITY) + 1; 26 CHECK(REAL(memset) != 0); 27 REAL(memset)((void*)shadow_beg, value, shadow_end - shadow_beg); 28 } 29 30 void PoisonShadowPartialRightRedzone(uptr addr, 31 uptr size, 32 uptr redzone_size, 33 u8 value) { 34 if (!flags()->poison_heap) return; 35 CHECK(AddrIsAlignedByGranularity(addr)); 36 u8 *shadow = (u8*)MemToShadow(addr); 37 for (uptr i = 0; i < redzone_size; 38 i += SHADOW_GRANULARITY, shadow++) { 39 if (i + SHADOW_GRANULARITY <= size) { 40 *shadow = 0; // fully addressable 41 } else if (i >= size) { 42 *shadow = (SHADOW_GRANULARITY == 128) ? 0xff : value; // unaddressable 43 } else { 44 *shadow = size - i; // first size-i bytes are addressable 45 } 46 } 47 } 48 49 50 struct ShadowSegmentEndpoint { 51 u8 *chunk; 52 s8 offset; // in [0, SHADOW_GRANULARITY) 53 s8 value; // = *chunk; 54 55 explicit ShadowSegmentEndpoint(uptr address) { 56 chunk = (u8*)MemToShadow(address); 57 offset = address & (SHADOW_GRANULARITY - 1); 58 value = *chunk; 59 } 60 }; 61 62 } // namespace __asan 63 64 // ---------------------- Interface ---------------- {{{1 65 using namespace __asan; // NOLINT 66 67 // Current implementation of __asan_(un)poison_memory_region doesn't check 68 // that user program (un)poisons the memory it owns. It poisons memory 69 // conservatively, and unpoisons progressively to make sure asan shadow 70 // mapping invariant is preserved (see detailed mapping description here: 71 // http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm). 72 // 73 // * if user asks to poison region [left, right), the program poisons 74 // at least [left, AlignDown(right)). 75 // * if user asks to unpoison region [left, right), the program unpoisons 76 // at most [AlignDown(left), right). 77 void __asan_poison_memory_region(void const volatile *addr, uptr size) { 78 if (!flags()->allow_user_poisoning || size == 0) return; 79 uptr beg_addr = (uptr)addr; 80 uptr end_addr = beg_addr + size; 81 if (flags()->verbosity >= 1) { 82 Printf("Trying to poison memory region [%p, %p)\n", 83 (void*)beg_addr, (void*)end_addr); 84 } 85 ShadowSegmentEndpoint beg(beg_addr); 86 ShadowSegmentEndpoint end(end_addr); 87 if (beg.chunk == end.chunk) { 88 CHECK(beg.offset < end.offset); 89 s8 value = beg.value; 90 CHECK(value == end.value); 91 // We can only poison memory if the byte in end.offset is unaddressable. 92 // No need to re-poison memory if it is poisoned already. 93 if (value > 0 && value <= end.offset) { 94 if (beg.offset > 0) { 95 *beg.chunk = Min(value, beg.offset); 96 } else { 97 *beg.chunk = kAsanUserPoisonedMemoryMagic; 98 } 99 } 100 return; 101 } 102 CHECK(beg.chunk < end.chunk); 103 if (beg.offset > 0) { 104 // Mark bytes from beg.offset as unaddressable. 105 if (beg.value == 0) { 106 *beg.chunk = beg.offset; 107 } else { 108 *beg.chunk = Min(beg.value, beg.offset); 109 } 110 beg.chunk++; 111 } 112 REAL(memset)(beg.chunk, kAsanUserPoisonedMemoryMagic, end.chunk - beg.chunk); 113 // Poison if byte in end.offset is unaddressable. 114 if (end.value > 0 && end.value <= end.offset) { 115 *end.chunk = kAsanUserPoisonedMemoryMagic; 116 } 117 } 118 119 void __asan_unpoison_memory_region(void const volatile *addr, uptr size) { 120 if (!flags()->allow_user_poisoning || size == 0) return; 121 uptr beg_addr = (uptr)addr; 122 uptr end_addr = beg_addr + size; 123 if (flags()->verbosity >= 1) { 124 Printf("Trying to unpoison memory region [%p, %p)\n", 125 (void*)beg_addr, (void*)end_addr); 126 } 127 ShadowSegmentEndpoint beg(beg_addr); 128 ShadowSegmentEndpoint end(end_addr); 129 if (beg.chunk == end.chunk) { 130 CHECK(beg.offset < end.offset); 131 s8 value = beg.value; 132 CHECK(value == end.value); 133 // We unpoison memory bytes up to enbytes up to end.offset if it is not 134 // unpoisoned already. 135 if (value != 0) { 136 *beg.chunk = Max(value, end.offset); 137 } 138 return; 139 } 140 CHECK(beg.chunk < end.chunk); 141 if (beg.offset > 0) { 142 *beg.chunk = 0; 143 beg.chunk++; 144 } 145 REAL(memset)(beg.chunk, 0, end.chunk - beg.chunk); 146 if (end.offset > 0 && end.value != 0) { 147 *end.chunk = Max(end.value, end.offset); 148 } 149 } 150 151 bool __asan_address_is_poisoned(void const volatile *addr) { 152 return __asan::AddressIsPoisoned((uptr)addr); 153 } 154 155 uptr __asan_region_is_poisoned(uptr beg, uptr size) { 156 if (!size) return 0; 157 uptr end = beg + size; 158 if (!AddrIsInMem(beg)) return beg; 159 if (!AddrIsInMem(end)) return end; 160 uptr aligned_b = RoundUpTo(beg, SHADOW_GRANULARITY); 161 uptr aligned_e = RoundDownTo(end, SHADOW_GRANULARITY); 162 uptr shadow_beg = MemToShadow(aligned_b); 163 uptr shadow_end = MemToShadow(aligned_e); 164 // First check the first and the last application bytes, 165 // then check the SHADOW_GRANULARITY-aligned region by calling 166 // mem_is_zero on the corresponding shadow. 167 if (!__asan::AddressIsPoisoned(beg) && 168 !__asan::AddressIsPoisoned(end - 1) && 169 (shadow_end <= shadow_beg || 170 __sanitizer::mem_is_zero((const char *)shadow_beg, 171 shadow_end - shadow_beg))) 172 return 0; 173 // The fast check failed, so we have a poisoned byte somewhere. 174 // Find it slowly. 175 for (; beg < end; beg++) 176 if (__asan::AddressIsPoisoned(beg)) 177 return beg; 178 UNREACHABLE("mem_is_zero returned false, but poisoned byte was not found"); 179 return 0; 180 } 181 182 // This is a simplified version of __asan_(un)poison_memory_region, which 183 // assumes that left border of region to be poisoned is properly aligned. 184 static void PoisonAlignedStackMemory(uptr addr, uptr size, bool do_poison) { 185 if (size == 0) return; 186 uptr aligned_size = size & ~(SHADOW_GRANULARITY - 1); 187 PoisonShadow(addr, aligned_size, 188 do_poison ? kAsanStackUseAfterScopeMagic : 0); 189 if (size == aligned_size) 190 return; 191 s8 end_offset = (s8)(size - aligned_size); 192 s8* shadow_end = (s8*)MemToShadow(addr + aligned_size); 193 s8 end_value = *shadow_end; 194 if (do_poison) { 195 // If possible, mark all the bytes mapping to last shadow byte as 196 // unaddressable. 197 if (end_value > 0 && end_value <= end_offset) 198 *shadow_end = (s8)kAsanStackUseAfterScopeMagic; 199 } else { 200 // If necessary, mark few first bytes mapping to last shadow byte 201 // as addressable 202 if (end_value != 0) 203 *shadow_end = Max(end_value, end_offset); 204 } 205 } 206 207 void __asan_poison_stack_memory(uptr addr, uptr size) { 208 if (flags()->verbosity > 0) 209 Report("poisoning: %p %zx\n", (void*)addr, size); 210 PoisonAlignedStackMemory(addr, size, true); 211 } 212 213 void __asan_unpoison_stack_memory(uptr addr, uptr size) { 214 if (flags()->verbosity > 0) 215 Report("unpoisoning: %p %zx\n", (void*)addr, size); 216 PoisonAlignedStackMemory(addr, size, false); 217 } 218