asan_poisoning.cc revision 9aead37421a6e4bf43265e5195c6ac31fc519982 
1//===-- asan_poisoning.cc ---------------------------------------*- C++ -*-===//
2//
3//                     The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9//
10// This file is a part of AddressSanitizer, an address sanity checker.
11//
12// Shadow memory poisoning by ASan RTL and by user application.
13//===----------------------------------------------------------------------===//
14
15#include "asan_interceptors.h"
16#include "asan_interface.h"
17#include "asan_internal.h"
18#include "asan_mapping.h"
19
20namespace __asan {
21
22void PoisonShadow(uintptr_t addr, size_t size, uint8_t value) {
23  CHECK(AddrIsAlignedByGranularity(addr));
24  CHECK(AddrIsAlignedByGranularity(addr + size));
25  uintptr_t shadow_beg = MemToShadow(addr);
26  uintptr_t shadow_end = MemToShadow(addr + size);
27  CHECK(REAL(memset) != NULL);
28  REAL(memset)((void*)shadow_beg, value, shadow_end - shadow_beg);
29}
30
31void PoisonShadowPartialRightRedzone(uintptr_t addr,
32                                     uintptr_t size,
33                                     uintptr_t redzone_size,
34                                     uint8_t value) {
35  CHECK(AddrIsAlignedByGranularity(addr));
36  uint8_t *shadow = (uint8_t*)MemToShadow(addr);
37  for (uintptr_t i = 0; i < redzone_size;
38       i += SHADOW_GRANULARITY, shadow++) {
39    if (i + SHADOW_GRANULARITY <= size) {
40      *shadow = 0;  // fully addressable
41    } else if (i >= size) {
42      *shadow = (SHADOW_GRANULARITY == 128) ? 0xff : value;  // unaddressable
43    } else {
44      *shadow = size - i;  // first size-i bytes are addressable
45    }
46  }
47}
48
49
50struct ShadowSegmentEndpoint {
51  uint8_t *chunk;
52  int8_t offset;  // in [0, SHADOW_GRANULARITY)
53  int8_t value;  // = *chunk;
54
55  explicit ShadowSegmentEndpoint(uintptr_t address) {
56    chunk = (uint8_t*)MemToShadow(address);
57    offset = address & (SHADOW_GRANULARITY - 1);
58    value = *chunk;
59  }
60};
61
62}  // namespace __asan
63
64// ---------------------- Interface ---------------- {{{1
65using namespace __asan;  // NOLINT
66
67// Current implementation of __asan_(un)poison_memory_region doesn't check
68// that user program (un)poisons the memory it owns. It poisons memory
69// conservatively, and unpoisons progressively to make sure asan shadow
70// mapping invariant is preserved (see detailed mapping description here:
71// http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm).
72//
73// * if user asks to poison region [left, right), the program poisons
74// at least [left, AlignDown(right)).
75// * if user asks to unpoison region [left, right), the program unpoisons
76// at most [AlignDown(left), right).
77void __asan_poison_memory_region(void const volatile *addr, uptr size) {
78  if (!FLAG_allow_user_poisoning || size == 0) return;
79  uintptr_t beg_addr = (uintptr_t)addr;
80  uintptr_t end_addr = beg_addr + size;
81  if (FLAG_v >= 1) {
82    Printf("Trying to poison memory region [%p, %p)\n", beg_addr, end_addr);
83  }
84  ShadowSegmentEndpoint beg(beg_addr);
85  ShadowSegmentEndpoint end(end_addr);
86  if (beg.chunk == end.chunk) {
87    CHECK(beg.offset < end.offset);
88    int8_t value = beg.value;
89    CHECK(value == end.value);
90    // We can only poison memory if the byte in end.offset is unaddressable.
91    // No need to re-poison memory if it is poisoned already.
92    if (value > 0 && value <= end.offset) {
93      if (beg.offset > 0) {
94        *beg.chunk = Min(value, beg.offset);
95      } else {
96        *beg.chunk = kAsanUserPoisonedMemoryMagic;
97      }
98    }
99    return;
100  }
101  CHECK(beg.chunk < end.chunk);
102  if (beg.offset > 0) {
103    // Mark bytes from beg.offset as unaddressable.
104    if (beg.value == 0) {
105      *beg.chunk = beg.offset;
106    } else {
107      *beg.chunk = Min(beg.value, beg.offset);
108    }
109    beg.chunk++;
110  }
111  REAL(memset)(beg.chunk, kAsanUserPoisonedMemoryMagic, end.chunk - beg.chunk);
112  // Poison if byte in end.offset is unaddressable.
113  if (end.value > 0 && end.value <= end.offset) {
114    *end.chunk = kAsanUserPoisonedMemoryMagic;
115  }
116}
117
118void __asan_unpoison_memory_region(void const volatile *addr, uptr size) {
119  if (!FLAG_allow_user_poisoning || size == 0) return;
120  uintptr_t beg_addr = (uintptr_t)addr;
121  uintptr_t end_addr = beg_addr + size;
122  if (FLAG_v >= 1) {
123    Printf("Trying to unpoison memory region [%p, %p)\n", beg_addr, end_addr);
124  }
125  ShadowSegmentEndpoint beg(beg_addr);
126  ShadowSegmentEndpoint end(end_addr);
127  if (beg.chunk == end.chunk) {
128    CHECK(beg.offset < end.offset);
129    int8_t value = beg.value;
130    CHECK(value == end.value);
131    // We unpoison memory bytes up to enbytes up to end.offset if it is not
132    // unpoisoned already.
133    if (value != 0) {
134      *beg.chunk = Max(value, end.offset);
135    }
136    return;
137  }
138  CHECK(beg.chunk < end.chunk);
139  if (beg.offset > 0) {
140    *beg.chunk = 0;
141    beg.chunk++;
142  }
143  REAL(memset)(beg.chunk, 0, end.chunk - beg.chunk);
144  if (end.offset > 0 && end.value != 0) {
145    *end.chunk = Max(end.value, end.offset);
146  }
147}
148
149bool __asan_address_is_poisoned(void const volatile *addr) {
150  return __asan::AddressIsPoisoned((uintptr_t)addr);
151}
152