1//===-- asan_poisoning.cc ---------------------------------------*- C++ -*-===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file is a part of AddressSanitizer, an address sanity checker. 11// 12// Shadow memory poisoning by ASan RTL and by user application. 13//===----------------------------------------------------------------------===// 14 15#include "asan_interceptors.h" 16#include "asan_interface.h" 17#include "asan_internal.h" 18#include "asan_mapping.h" 19 20namespace __asan { 21 22void PoisonShadow(uintptr_t addr, size_t size, uint8_t value) { 23 CHECK(AddrIsAlignedByGranularity(addr)); 24 CHECK(AddrIsAlignedByGranularity(addr + size)); 25 uintptr_t shadow_beg = MemToShadow(addr); 26 uintptr_t shadow_end = MemToShadow(addr + size); 27 CHECK(REAL(memset) != NULL); 28 REAL(memset)((void*)shadow_beg, value, shadow_end - shadow_beg); 29} 30 31void PoisonShadowPartialRightRedzone(uintptr_t addr, 32 uintptr_t size, 33 uintptr_t redzone_size, 34 uint8_t value) { 35 CHECK(AddrIsAlignedByGranularity(addr)); 36 uint8_t *shadow = (uint8_t*)MemToShadow(addr); 37 for (uintptr_t i = 0; i < redzone_size; 38 i += SHADOW_GRANULARITY, shadow++) { 39 if (i + SHADOW_GRANULARITY <= size) { 40 *shadow = 0; // fully addressable 41 } else if (i >= size) { 42 *shadow = (SHADOW_GRANULARITY == 128) ? 0xff : value; // unaddressable 43 } else { 44 *shadow = size - i; // first size-i bytes are addressable 45 } 46 } 47} 48 49 50struct ShadowSegmentEndpoint { 51 uint8_t *chunk; 52 int8_t offset; // in [0, SHADOW_GRANULARITY) 53 int8_t value; // = *chunk; 54 55 explicit ShadowSegmentEndpoint(uintptr_t address) { 56 chunk = (uint8_t*)MemToShadow(address); 57 offset = address & (SHADOW_GRANULARITY - 1); 58 value = *chunk; 59 } 60}; 61 62} // namespace __asan 63 64// ---------------------- Interface ---------------- {{{1 65using namespace __asan; // NOLINT 66 67// Current implementation of __asan_(un)poison_memory_region doesn't check 68// that user program (un)poisons the memory it owns. It poisons memory 69// conservatively, and unpoisons progressively to make sure asan shadow 70// mapping invariant is preserved (see detailed mapping description here: 71// http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm). 72// 73// * if user asks to poison region [left, right), the program poisons 74// at least [left, AlignDown(right)). 75// * if user asks to unpoison region [left, right), the program unpoisons 76// at most [AlignDown(left), right). 77void __asan_poison_memory_region(void const volatile *addr, size_t size) { 78 if (!FLAG_allow_user_poisoning || size == 0) return; 79 uintptr_t beg_addr = (uintptr_t)addr; 80 uintptr_t end_addr = beg_addr + size; 81 if (FLAG_v >= 1) { 82 Printf("Trying to poison memory region [%p, %p)\n", beg_addr, end_addr); 83 } 84 ShadowSegmentEndpoint beg(beg_addr); 85 ShadowSegmentEndpoint end(end_addr); 86 if (beg.chunk == end.chunk) { 87 CHECK(beg.offset < end.offset); 88 int8_t value = beg.value; 89 CHECK(value == end.value); 90 // We can only poison memory if the byte in end.offset is unaddressable. 91 // No need to re-poison memory if it is poisoned already. 92 if (value > 0 && value <= end.offset) { 93 if (beg.offset > 0) { 94 *beg.chunk = Min(value, beg.offset); 95 } else { 96 *beg.chunk = kAsanUserPoisonedMemoryMagic; 97 } 98 } 99 return; 100 } 101 CHECK(beg.chunk < end.chunk); 102 if (beg.offset > 0) { 103 // Mark bytes from beg.offset as unaddressable. 104 if (beg.value == 0) { 105 *beg.chunk = beg.offset; 106 } else { 107 *beg.chunk = Min(beg.value, beg.offset); 108 } 109 beg.chunk++; 110 } 111 REAL(memset)(beg.chunk, kAsanUserPoisonedMemoryMagic, end.chunk - beg.chunk); 112 // Poison if byte in end.offset is unaddressable. 113 if (end.value > 0 && end.value <= end.offset) { 114 *end.chunk = kAsanUserPoisonedMemoryMagic; 115 } 116} 117 118void __asan_unpoison_memory_region(void const volatile *addr, size_t size) { 119 if (!FLAG_allow_user_poisoning || size == 0) return; 120 uintptr_t beg_addr = (uintptr_t)addr; 121 uintptr_t end_addr = beg_addr + size; 122 if (FLAG_v >= 1) { 123 Printf("Trying to unpoison memory region [%p, %p)\n", beg_addr, end_addr); 124 } 125 ShadowSegmentEndpoint beg(beg_addr); 126 ShadowSegmentEndpoint end(end_addr); 127 if (beg.chunk == end.chunk) { 128 CHECK(beg.offset < end.offset); 129 int8_t value = beg.value; 130 CHECK(value == end.value); 131 // We unpoison memory bytes up to enbytes up to end.offset if it is not 132 // unpoisoned already. 133 if (value != 0) { 134 *beg.chunk = Max(value, end.offset); 135 } 136 return; 137 } 138 CHECK(beg.chunk < end.chunk); 139 if (beg.offset > 0) { 140 *beg.chunk = 0; 141 beg.chunk++; 142 } 143 REAL(memset)(beg.chunk, 0, end.chunk - beg.chunk); 144 if (end.offset > 0 && end.value != 0) { 145 *end.chunk = Max(end.value, end.offset); 146 } 147} 148 149bool __asan_address_is_poisoned(void const volatile *addr) { 150 return __asan::AddressIsPoisoned((uintptr_t)addr); 151} 152