1//===-- asan_poisoning.cc -------------------------------------------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file is a part of AddressSanitizer, an address sanity checker. 11// 12// Shadow memory poisoning by ASan RTL and by user application. 13//===----------------------------------------------------------------------===// 14 15#include "asan_interceptors.h" 16#include "asan_internal.h" 17#include "asan_mapping.h" 18#include "sanitizer/asan_interface.h" 19 20namespace __asan { 21 22void PoisonShadow(uptr addr, uptr size, u8 value) { 23 CHECK(AddrIsAlignedByGranularity(addr)); 24 CHECK(AddrIsAlignedByGranularity(addr + size)); 25 uptr shadow_beg = MemToShadow(addr); 26 uptr shadow_end = MemToShadow(addr + size); 27 CHECK(REAL(memset) != 0); 28 REAL(memset)((void*)shadow_beg, value, shadow_end - shadow_beg); 29} 30 31void PoisonShadowPartialRightRedzone(uptr addr, 32 uptr size, 33 uptr redzone_size, 34 u8 value) { 35 CHECK(AddrIsAlignedByGranularity(addr)); 36 u8 *shadow = (u8*)MemToShadow(addr); 37 for (uptr i = 0; i < redzone_size; 38 i += SHADOW_GRANULARITY, shadow++) { 39 if (i + SHADOW_GRANULARITY <= size) { 40 *shadow = 0; // fully addressable 41 } else if (i >= size) { 42 *shadow = (SHADOW_GRANULARITY == 128) ? 0xff : value; // unaddressable 43 } else { 44 *shadow = size - i; // first size-i bytes are addressable 45 } 46 } 47} 48 49 50struct ShadowSegmentEndpoint { 51 u8 *chunk; 52 s8 offset; // in [0, SHADOW_GRANULARITY) 53 s8 value; // = *chunk; 54 55 explicit ShadowSegmentEndpoint(uptr address) { 56 chunk = (u8*)MemToShadow(address); 57 offset = address & (SHADOW_GRANULARITY - 1); 58 value = *chunk; 59 } 60}; 61 62} // namespace __asan 63 64// ---------------------- Interface ---------------- {{{1 65using namespace __asan; // NOLINT 66 67// Current implementation of __asan_(un)poison_memory_region doesn't check 68// that user program (un)poisons the memory it owns. It poisons memory 69// conservatively, and unpoisons progressively to make sure asan shadow 70// mapping invariant is preserved (see detailed mapping description here: 71// http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm). 72// 73// * if user asks to poison region [left, right), the program poisons 74// at least [left, AlignDown(right)). 75// * if user asks to unpoison region [left, right), the program unpoisons 76// at most [AlignDown(left), right). 77void __asan_poison_memory_region(void const volatile *addr, uptr size) { 78 if (!flags()->allow_user_poisoning || size == 0) return; 79 uptr beg_addr = (uptr)addr; 80 uptr end_addr = beg_addr + size; 81 if (flags()->verbosity >= 1) { 82 Printf("Trying to poison memory region [%p, %p)\n", 83 (void*)beg_addr, (void*)end_addr); 84 } 85 ShadowSegmentEndpoint beg(beg_addr); 86 ShadowSegmentEndpoint end(end_addr); 87 if (beg.chunk == end.chunk) { 88 CHECK(beg.offset < end.offset); 89 s8 value = beg.value; 90 CHECK(value == end.value); 91 // We can only poison memory if the byte in end.offset is unaddressable. 92 // No need to re-poison memory if it is poisoned already. 93 if (value > 0 && value <= end.offset) { 94 if (beg.offset > 0) { 95 *beg.chunk = Min(value, beg.offset); 96 } else { 97 *beg.chunk = kAsanUserPoisonedMemoryMagic; 98 } 99 } 100 return; 101 } 102 CHECK(beg.chunk < end.chunk); 103 if (beg.offset > 0) { 104 // Mark bytes from beg.offset as unaddressable. 105 if (beg.value == 0) { 106 *beg.chunk = beg.offset; 107 } else { 108 *beg.chunk = Min(beg.value, beg.offset); 109 } 110 beg.chunk++; 111 } 112 REAL(memset)(beg.chunk, kAsanUserPoisonedMemoryMagic, end.chunk - beg.chunk); 113 // Poison if byte in end.offset is unaddressable. 114 if (end.value > 0 && end.value <= end.offset) { 115 *end.chunk = kAsanUserPoisonedMemoryMagic; 116 } 117} 118 119void __asan_unpoison_memory_region(void const volatile *addr, uptr size) { 120 if (!flags()->allow_user_poisoning || size == 0) return; 121 uptr beg_addr = (uptr)addr; 122 uptr end_addr = beg_addr + size; 123 if (flags()->verbosity >= 1) { 124 Printf("Trying to unpoison memory region [%p, %p)\n", 125 (void*)beg_addr, (void*)end_addr); 126 } 127 ShadowSegmentEndpoint beg(beg_addr); 128 ShadowSegmentEndpoint end(end_addr); 129 if (beg.chunk == end.chunk) { 130 CHECK(beg.offset < end.offset); 131 s8 value = beg.value; 132 CHECK(value == end.value); 133 // We unpoison memory bytes up to enbytes up to end.offset if it is not 134 // unpoisoned already. 135 if (value != 0) { 136 *beg.chunk = Max(value, end.offset); 137 } 138 return; 139 } 140 CHECK(beg.chunk < end.chunk); 141 if (beg.offset > 0) { 142 *beg.chunk = 0; 143 beg.chunk++; 144 } 145 REAL(memset)(beg.chunk, 0, end.chunk - beg.chunk); 146 if (end.offset > 0 && end.value != 0) { 147 *end.chunk = Max(end.value, end.offset); 148 } 149} 150 151bool __asan_address_is_poisoned(void const volatile *addr) { 152 return __asan::AddressIsPoisoned((uptr)addr); 153} 154