15821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Copyright (c) 2006-2010 The Chromium Authors. All rights reserved.
25821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Use of this source code is governed by a BSD-style license that can be
35821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// found in the LICENSE file.
45821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
55821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "linux_shadow_stacks.h"
65821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
75821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <stdio.h>
85821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <stdlib.h>
95821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <string.h>
105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <unistd.h>
115821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)static const int kMaxShadowIndex = 2048;
135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)static const char kOverflowMessage[] = "Shadow stack overflow\n";
145821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
155821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Thread-local vars.
165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)__thread
175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)int shadow_index = -1;
185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)__thread
195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)void *shadow_ip_stack[kMaxShadowIndex];
205821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)__thread
215821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)void *shadow_sp_stack[kMaxShadowIndex];
225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
235821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)enum Status {UNINITIALIZED = -1, DISABLED, ENABLED};
245821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)Status status = UNINITIALIZED;
255821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
265821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)void init() {
275821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  if (!getenv("KEEP_SHADOW_STACKS")) {
285821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)    status = DISABLED;
295821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)    return;
305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  }
315821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  status = ENABLED;
325821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)}
335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
345821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)void __cyg_profile_func_enter(void *this_fn, void *call_site) {
355821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  if (status == DISABLED) return;
365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  if (status == UNINITIALIZED) {
375821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)    init();
385821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)    if (status == DISABLED) return;
395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  }
405821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  shadow_index++;
415821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  if (shadow_index > kMaxShadowIndex) {
425821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)    // Avoid memory allocation when reporting an error.
435821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)    write(2, kOverflowMessage, sizeof(kOverflowMessage));
445821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)    int a = 0;
455821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)    a = a / a;
465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  }
475821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Update the shadow IP stack
485821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  shadow_ip_stack[shadow_index] = this_fn;
495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Update the shadow SP stack. The code for obtaining the frame address was
505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // borrowed from Google Perftools, http://code.google.com/p/google-perftools/
515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  //
525821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Copyright (c) 2005, Google Inc.
535821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // All rights reserved.
545821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  //
555821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Redistribution and use in source and binary forms, with or without
565821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // modification, are permitted provided that the following conditions are
575821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // met:
585821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  //
595821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  //     * Redistributions of source code must retain the above copyright
605821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // notice, this list of conditions and the following disclaimer.
615821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  //     * Redistributions in binary form must reproduce the above
625821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // copyright notice, this list of conditions and the following disclaimer
635821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // in the documentation and/or other materials provided with the
645821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // distribution.
655821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  //     * Neither the name of Google Inc. nor the names of its
665821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // contributors may be used to endorse or promote products derived from
675821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // this software without specific prior written permission.
685821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  //
695821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
705821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
715821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
725821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
735821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
745821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
755821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
765821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
775821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
785821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
795821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
805821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  void **sp;
815821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if (__GNUC__ > 4) || (__GNUC__ == 4 && __GNUC_MINOR__ >= 2) || __llvm__
825821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // __builtin_frame_address(0) can return the wrong address on gcc-4.1.0-k8.
835821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // It's always correct on llvm, and the techniques below aren't (in
845821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // particular, llvm-gcc will make a copy of this_fn, so it's not in sp[2]),
855821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // so we also prefer __builtin_frame_address when running under llvm.
865821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  sp = reinterpret_cast<void**>(__builtin_frame_address(0));
875821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#elif defined(__i386__)
885821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Stack frame format:
895821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  //    sp[0]   pointer to previous frame
905821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  //    sp[1]   caller address
915821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  //    sp[2]   first argument
925821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  //    ...
935821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // NOTE: This will break under llvm, since result is a copy and not in sp[2]
945821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  sp = (void **)&this_fn - 2;
955821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#elif defined(__x86_64__)
965821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  unsigned long rbp;
975821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Move the value of the register %rbp into the local variable rbp.
985821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // We need 'volatile' to prevent this instruction from getting moved
995821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // around during optimization to before function prologue is done.
1005821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // An alternative way to achieve this
1015821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // would be (before this __asm__ instruction) to call Noop() defined as
1025821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  //   static void Noop() __attribute__ ((noinline));  // prevent inlining
1035821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  //   static void Noop() { asm(""); }  // prevent optimizing-away
1045821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  __asm__ volatile ("mov %%rbp, %0" : "=r" (rbp));
1055821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Arguments are passed in registers on x86-64, so we can't just
1065821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // offset from &result
1075821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  sp = (void **) rbp;
1085821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#else
1095821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)# error Cannot obtain SP (possibly compiling on a non x86 architecture)
1105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif
1115821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  shadow_sp_stack[shadow_index] = (void*)sp;
1125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  return;
1135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)}
1145821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
1155821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)void __cyg_profile_func_exit(void *this_fn, void *call_site) {
1165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  if (status == DISABLED) return;
1175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  shadow_index--;
1185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)}
1195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
1205821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)void *get_shadow_ip_stack(int *index /*OUT*/) {
1215821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  *index = shadow_index;
1225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  return shadow_ip_stack;
1235821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)}
1245821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
1255821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)void *get_shadow_sp_stack(int *index /*OUT*/) {
1265821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  *index = shadow_index;
1275821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  return shadow_sp_stack;
1285821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)}
129