asan_poisoning.cc revision 541cfb10f5daa17e48eb42365a74233cd551c545
1//===-- asan_poisoning.cc -------------------------------------------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file is a part of AddressSanitizer, an address sanity checker. 11// 12// Shadow memory poisoning by ASan RTL and by user application. 13//===----------------------------------------------------------------------===// 14 15#include "asan_interceptors.h" 16#include "asan_internal.h" 17#include "asan_mapping.h" 18#include "sanitizer/asan_interface.h" 19#include "sanitizer_common/sanitizer_libc.h" 20 21namespace __asan { 22 23void PoisonShadow(uptr addr, uptr size, u8 value) { 24 if (!flags()->poison_heap) return; 25 CHECK(AddrIsAlignedByGranularity(addr)); 26 CHECK(AddrIsAlignedByGranularity(addr + size)); 27 uptr shadow_beg = MemToShadow(addr); 28 uptr shadow_end = MemToShadow(addr + size - SHADOW_GRANULARITY) + 1; 29 CHECK(REAL(memset) != 0); 30 REAL(memset)((void*)shadow_beg, value, shadow_end - shadow_beg); 31} 32 33void PoisonShadowPartialRightRedzone(uptr addr, 34 uptr size, 35 uptr redzone_size, 36 u8 value) { 37 if (!flags()->poison_heap) return; 38 CHECK(AddrIsAlignedByGranularity(addr)); 39 u8 *shadow = (u8*)MemToShadow(addr); 40 for (uptr i = 0; i < redzone_size; 41 i += SHADOW_GRANULARITY, shadow++) { 42 if (i + SHADOW_GRANULARITY <= size) { 43 *shadow = 0; // fully addressable 44 } else if (i >= size) { 45 *shadow = (SHADOW_GRANULARITY == 128) ? 0xff : value; // unaddressable 46 } else { 47 *shadow = size - i; // first size-i bytes are addressable 48 } 49 } 50} 51 52 53struct ShadowSegmentEndpoint { 54 u8 *chunk; 55 s8 offset; // in [0, SHADOW_GRANULARITY) 56 s8 value; // = *chunk; 57 58 explicit ShadowSegmentEndpoint(uptr address) { 59 chunk = (u8*)MemToShadow(address); 60 offset = address & (SHADOW_GRANULARITY - 1); 61 value = *chunk; 62 } 63}; 64 65} // namespace __asan 66 67// ---------------------- Interface ---------------- {{{1 68using namespace __asan; // NOLINT 69 70// Current implementation of __asan_(un)poison_memory_region doesn't check 71// that user program (un)poisons the memory it owns. It poisons memory 72// conservatively, and unpoisons progressively to make sure asan shadow 73// mapping invariant is preserved (see detailed mapping description here: 74// http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm). 75// 76// * if user asks to poison region [left, right), the program poisons 77// at least [left, AlignDown(right)). 78// * if user asks to unpoison region [left, right), the program unpoisons 79// at most [AlignDown(left), right). 80void __asan_poison_memory_region(void const volatile *addr, uptr size) { 81 if (!flags()->allow_user_poisoning || size == 0) return; 82 uptr beg_addr = (uptr)addr; 83 uptr end_addr = beg_addr + size; 84 if (flags()->verbosity >= 1) { 85 Printf("Trying to poison memory region [%p, %p)\n", 86 (void*)beg_addr, (void*)end_addr); 87 } 88 ShadowSegmentEndpoint beg(beg_addr); 89 ShadowSegmentEndpoint end(end_addr); 90 if (beg.chunk == end.chunk) { 91 CHECK(beg.offset < end.offset); 92 s8 value = beg.value; 93 CHECK(value == end.value); 94 // We can only poison memory if the byte in end.offset is unaddressable. 95 // No need to re-poison memory if it is poisoned already. 96 if (value > 0 && value <= end.offset) { 97 if (beg.offset > 0) { 98 *beg.chunk = Min(value, beg.offset); 99 } else { 100 *beg.chunk = kAsanUserPoisonedMemoryMagic; 101 } 102 } 103 return; 104 } 105 CHECK(beg.chunk < end.chunk); 106 if (beg.offset > 0) { 107 // Mark bytes from beg.offset as unaddressable. 108 if (beg.value == 0) { 109 *beg.chunk = beg.offset; 110 } else { 111 *beg.chunk = Min(beg.value, beg.offset); 112 } 113 beg.chunk++; 114 } 115 REAL(memset)(beg.chunk, kAsanUserPoisonedMemoryMagic, end.chunk - beg.chunk); 116 // Poison if byte in end.offset is unaddressable. 117 if (end.value > 0 && end.value <= end.offset) { 118 *end.chunk = kAsanUserPoisonedMemoryMagic; 119 } 120} 121 122void __asan_unpoison_memory_region(void const volatile *addr, uptr size) { 123 if (!flags()->allow_user_poisoning || size == 0) return; 124 uptr beg_addr = (uptr)addr; 125 uptr end_addr = beg_addr + size; 126 if (flags()->verbosity >= 1) { 127 Printf("Trying to unpoison memory region [%p, %p)\n", 128 (void*)beg_addr, (void*)end_addr); 129 } 130 ShadowSegmentEndpoint beg(beg_addr); 131 ShadowSegmentEndpoint end(end_addr); 132 if (beg.chunk == end.chunk) { 133 CHECK(beg.offset < end.offset); 134 s8 value = beg.value; 135 CHECK(value == end.value); 136 // We unpoison memory bytes up to enbytes up to end.offset if it is not 137 // unpoisoned already. 138 if (value != 0) { 139 *beg.chunk = Max(value, end.offset); 140 } 141 return; 142 } 143 CHECK(beg.chunk < end.chunk); 144 if (beg.offset > 0) { 145 *beg.chunk = 0; 146 beg.chunk++; 147 } 148 REAL(memset)(beg.chunk, 0, end.chunk - beg.chunk); 149 if (end.offset > 0 && end.value != 0) { 150 *end.chunk = Max(end.value, end.offset); 151 } 152} 153 154bool __asan_address_is_poisoned(void const volatile *addr) { 155 return __asan::AddressIsPoisoned((uptr)addr); 156} 157 158uptr __asan_region_is_poisoned(uptr beg, uptr size) { 159 if (!size) return 0; 160 uptr end = beg + size; 161 if (!AddrIsInMem(beg)) return beg; 162 if (!AddrIsInMem(end)) return end; 163 uptr aligned_b = RoundUpTo(beg, SHADOW_GRANULARITY); 164 uptr aligned_e = RoundDownTo(end, SHADOW_GRANULARITY); 165 uptr shadow_beg = MemToShadow(aligned_b); 166 uptr shadow_end = MemToShadow(aligned_e); 167 // First check the first and the last application bytes, 168 // then check the SHADOW_GRANULARITY-aligned region by calling 169 // mem_is_zero on the corresponding shadow. 170 if (!__asan::AddressIsPoisoned(beg) && 171 !__asan::AddressIsPoisoned(end - 1) && 172 (shadow_end <= shadow_beg || 173 __sanitizer::mem_is_zero((const char *)shadow_beg, 174 shadow_end - shadow_beg))) 175 return 0; 176 // The fast check failed, so we have a poisoned byte somewhere. 177 // Find it slowly. 178 for (; beg < end; beg++) 179 if (__asan::AddressIsPoisoned(beg)) 180 return beg; 181 UNREACHABLE("mem_is_zero returned false, but poisoned byte was not found"); 182 return 0; 183} 184 185// This is a simplified version of __asan_(un)poison_memory_region, which 186// assumes that left border of region to be poisoned is properly aligned. 187static void PoisonAlignedStackMemory(uptr addr, uptr size, bool do_poison) { 188 if (size == 0) return; 189 uptr aligned_size = size & ~(SHADOW_GRANULARITY - 1); 190 PoisonShadow(addr, aligned_size, 191 do_poison ? kAsanStackUseAfterScopeMagic : 0); 192 if (size == aligned_size) 193 return; 194 s8 end_offset = (s8)(size - aligned_size); 195 s8* shadow_end = (s8*)MemToShadow(addr + aligned_size); 196 s8 end_value = *shadow_end; 197 if (do_poison) { 198 // If possible, mark all the bytes mapping to last shadow byte as 199 // unaddressable. 200 if (end_value > 0 && end_value <= end_offset) 201 *shadow_end = (s8)kAsanStackUseAfterScopeMagic; 202 } else { 203 // If necessary, mark few first bytes mapping to last shadow byte 204 // as addressable 205 if (end_value != 0) 206 *shadow_end = Max(end_value, end_offset); 207 } 208} 209 210void __asan_poison_stack_memory(uptr addr, uptr size) { 211 if (flags()->verbosity > 0) 212 Report("poisoning: %p %zx\n", (void*)addr, size); 213 PoisonAlignedStackMemory(addr, size, true); 214} 215 216void __asan_unpoison_stack_memory(uptr addr, uptr size) { 217 if (flags()->verbosity > 0) 218 Report("unpoisoning: %p %zx\n", (void*)addr, size); 219 PoisonAlignedStackMemory(addr, size, false); 220} 221