1 //===-- asan_poisoning.cc -------------------------------------------------===//
3 // The LLVM Compiler Infrastructure
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
8 //===----------------------------------------------------------------------===//
10 // This file is a part of AddressSanitizer, an address sanity checker.
12 // Shadow memory poisoning by ASan RTL and by user application.
13 //===----------------------------------------------------------------------===//
15 #include "asan_poisoning.h"
16 #include "asan_report.h"
17 #include "asan_stack.h"
18 #include "sanitizer_common/sanitizer_atomic.h"
19 #include "sanitizer_common/sanitizer_libc.h"
20 #include "sanitizer_common/sanitizer_flags.h"
24 static atomic_uint8_t can_poison_memory;
26 void SetCanPoisonMemory(bool value) {
27 atomic_store(&can_poison_memory, value, memory_order_release);
30 bool CanPoisonMemory() {
31 return atomic_load(&can_poison_memory, memory_order_acquire);
34 void PoisonShadow(uptr addr, uptr size, u8 value) {
35 if (!CanPoisonMemory()) return;
36 CHECK(AddrIsAlignedByGranularity(addr));
37 CHECK(AddrIsInMem(addr));
38 CHECK(AddrIsAlignedByGranularity(addr + size));
39 CHECK(AddrIsInMem(addr + size - SHADOW_GRANULARITY));
41 FastPoisonShadow(addr, size, value);
44 void PoisonShadowPartialRightRedzone(uptr addr,
48 if (!CanPoisonMemory()) return;
49 CHECK(AddrIsAlignedByGranularity(addr));
50 CHECK(AddrIsInMem(addr));
51 FastPoisonShadowPartialRightRedzone(addr, size, redzone_size, value);
54 struct ShadowSegmentEndpoint {
56 s8 offset; // in [0, SHADOW_GRANULARITY)
57 s8 value; // = *chunk;
59 explicit ShadowSegmentEndpoint(uptr address) {
60 chunk = (u8*)MemToShadow(address);
61 offset = address & (SHADOW_GRANULARITY - 1);
66 void FlushUnneededASanShadowMemory(uptr p, uptr size) {
67 // Since asan's mapping is compacting, the shadow chunk may be
68 // not page-aligned, so we only flush the page-aligned portion.
69 ReleaseMemoryPagesToOS(MemToShadow(p), MemToShadow(p + size));
72 void AsanPoisonOrUnpoisonIntraObjectRedzone(uptr ptr, uptr size, bool poison) {
73 uptr end = ptr + size;
75 Printf("__asan_%spoison_intra_object_redzone [%p,%p) %zd\n",
76 poison ? "" : "un", ptr, end, size);
78 PRINT_CURRENT_STACK();
82 CHECK(IsAligned(end, SHADOW_GRANULARITY));
83 if (!IsAligned(ptr, SHADOW_GRANULARITY)) {
84 *(u8 *)MemToShadow(ptr) =
85 poison ? static_cast<u8>(ptr % SHADOW_GRANULARITY) : 0;
86 ptr |= SHADOW_GRANULARITY - 1;
89 for (; ptr < end; ptr += SHADOW_GRANULARITY)
90 *(u8*)MemToShadow(ptr) = poison ? kAsanIntraObjectRedzone : 0;
95 // ---------------------- Interface ---------------- {{{1
96 using namespace __asan; // NOLINT
98 // Current implementation of __asan_(un)poison_memory_region doesn't check
99 // that user program (un)poisons the memory it owns. It poisons memory
100 // conservatively, and unpoisons progressively to make sure asan shadow
101 // mapping invariant is preserved (see detailed mapping description here:
102 // https://github.com/google/sanitizers/wiki/AddressSanitizerAlgorithm).
104 // * if user asks to poison region [left, right), the program poisons
105 // at least [left, AlignDown(right)).
106 // * if user asks to unpoison region [left, right), the program unpoisons
107 // at most [AlignDown(left), right).
108 void __asan_poison_memory_region(void const volatile *addr, uptr size) {
109 if (!flags()->allow_user_poisoning || size == 0) return;
110 uptr beg_addr = (uptr)addr;
111 uptr end_addr = beg_addr + size;
112 VPrintf(3, "Trying to poison memory region [%p, %p)\n", (void *)beg_addr,
114 ShadowSegmentEndpoint beg(beg_addr);
115 ShadowSegmentEndpoint end(end_addr);
116 if (beg.chunk == end.chunk) {
117 CHECK_LT(beg.offset, end.offset);
118 s8 value = beg.value;
119 CHECK_EQ(value, end.value);
120 // We can only poison memory if the byte in end.offset is unaddressable.
121 // No need to re-poison memory if it is poisoned already.
122 if (value > 0 && value <= end.offset) {
123 if (beg.offset > 0) {
124 *beg.chunk = Min(value, beg.offset);
126 *beg.chunk = kAsanUserPoisonedMemoryMagic;
131 CHECK_LT(beg.chunk, end.chunk);
132 if (beg.offset > 0) {
133 // Mark bytes from beg.offset as unaddressable.
134 if (beg.value == 0) {
135 *beg.chunk = beg.offset;
137 *beg.chunk = Min(beg.value, beg.offset);
141 REAL(memset)(beg.chunk, kAsanUserPoisonedMemoryMagic, end.chunk - beg.chunk);
142 // Poison if byte in end.offset is unaddressable.
143 if (end.value > 0 && end.value <= end.offset) {
144 *end.chunk = kAsanUserPoisonedMemoryMagic;
148 void __asan_unpoison_memory_region(void const volatile *addr, uptr size) {
149 if (!flags()->allow_user_poisoning || size == 0) return;
150 uptr beg_addr = (uptr)addr;
151 uptr end_addr = beg_addr + size;
152 VPrintf(3, "Trying to unpoison memory region [%p, %p)\n", (void *)beg_addr,
154 ShadowSegmentEndpoint beg(beg_addr);
155 ShadowSegmentEndpoint end(end_addr);
156 if (beg.chunk == end.chunk) {
157 CHECK_LT(beg.offset, end.offset);
158 s8 value = beg.value;
159 CHECK_EQ(value, end.value);
160 // We unpoison memory bytes up to enbytes up to end.offset if it is not
161 // unpoisoned already.
163 *beg.chunk = Max(value, end.offset);
167 CHECK_LT(beg.chunk, end.chunk);
168 if (beg.offset > 0) {
172 REAL(memset)(beg.chunk, 0, end.chunk - beg.chunk);
173 if (end.offset > 0 && end.value != 0) {
174 *end.chunk = Max(end.value, end.offset);
178 int __asan_address_is_poisoned(void const volatile *addr) {
179 return __asan::AddressIsPoisoned((uptr)addr);
182 uptr __asan_region_is_poisoned(uptr beg, uptr size) {
184 uptr end = beg + size;
185 if (!AddrIsInMem(beg)) return beg;
186 if (!AddrIsInMem(end)) return end;
188 uptr aligned_b = RoundUpTo(beg, SHADOW_GRANULARITY);
189 uptr aligned_e = RoundDownTo(end, SHADOW_GRANULARITY);
190 uptr shadow_beg = MemToShadow(aligned_b);
191 uptr shadow_end = MemToShadow(aligned_e);
192 // First check the first and the last application bytes,
193 // then check the SHADOW_GRANULARITY-aligned region by calling
194 // mem_is_zero on the corresponding shadow.
195 if (!__asan::AddressIsPoisoned(beg) &&
196 !__asan::AddressIsPoisoned(end - 1) &&
197 (shadow_end <= shadow_beg ||
198 __sanitizer::mem_is_zero((const char *)shadow_beg,
199 shadow_end - shadow_beg)))
201 // The fast check failed, so we have a poisoned byte somewhere.
203 for (; beg < end; beg++)
204 if (__asan::AddressIsPoisoned(beg))
206 UNREACHABLE("mem_is_zero returned false, but poisoned byte was not found");
210 #define CHECK_SMALL_REGION(p, size, isWrite) \
212 uptr __p = reinterpret_cast<uptr>(p); \
213 uptr __size = size; \
214 if (UNLIKELY(__asan::AddressIsPoisoned(__p) || \
215 __asan::AddressIsPoisoned(__p + __size - 1))) { \
216 GET_CURRENT_PC_BP_SP; \
217 uptr __bad = __asan_region_is_poisoned(__p, __size); \
218 __asan_report_error(pc, bp, sp, __bad, isWrite, __size, 0);\
223 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
224 u16 __sanitizer_unaligned_load16(const uu16 *p) {
225 CHECK_SMALL_REGION(p, sizeof(*p), false);
229 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
230 u32 __sanitizer_unaligned_load32(const uu32 *p) {
231 CHECK_SMALL_REGION(p, sizeof(*p), false);
235 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
236 u64 __sanitizer_unaligned_load64(const uu64 *p) {
237 CHECK_SMALL_REGION(p, sizeof(*p), false);
241 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
242 void __sanitizer_unaligned_store16(uu16 *p, u16 x) {
243 CHECK_SMALL_REGION(p, sizeof(*p), true);
247 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
248 void __sanitizer_unaligned_store32(uu32 *p, u32 x) {
249 CHECK_SMALL_REGION(p, sizeof(*p), true);
253 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
254 void __sanitizer_unaligned_store64(uu64 *p, u64 x) {
255 CHECK_SMALL_REGION(p, sizeof(*p), true);
259 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
260 void __asan_poison_cxx_array_cookie(uptr p) {
261 if (SANITIZER_WORDSIZE != 64) return;
262 if (!flags()->poison_array_cookie) return;
263 uptr s = MEM_TO_SHADOW(p);
264 *reinterpret_cast<u8*>(s) = kAsanArrayCookieMagic;
267 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
268 uptr __asan_load_cxx_array_cookie(uptr *p) {
269 if (SANITIZER_WORDSIZE != 64) return *p;
270 if (!flags()->poison_array_cookie) return *p;
271 uptr s = MEM_TO_SHADOW(reinterpret_cast<uptr>(p));
272 u8 sval = *reinterpret_cast<u8*>(s);
273 if (sval == kAsanArrayCookieMagic) return *p;
274 // If sval is not kAsanArrayCookieMagic it can only be freed memory,
275 // which means that we are going to get double-free. So, return 0 to avoid
276 // infinite loop of destructors. We don't want to report a double-free here
277 // though, so print a warning just in case.
278 // CHECK_EQ(sval, kAsanHeapFreeMagic);
279 if (sval == kAsanHeapFreeMagic) {
280 Report("AddressSanitizer: loaded array cookie from free-d memory; "
281 "expect a double-free report\n");
284 // The cookie may remain unpoisoned if e.g. it comes from a custom
285 // operator new defined inside a class.
289 // This is a simplified version of __asan_(un)poison_memory_region, which
290 // assumes that left border of region to be poisoned is properly aligned.
291 static void PoisonAlignedStackMemory(uptr addr, uptr size, bool do_poison) {
292 if (size == 0) return;
293 uptr aligned_size = size & ~(SHADOW_GRANULARITY - 1);
294 PoisonShadow(addr, aligned_size,
295 do_poison ? kAsanStackUseAfterScopeMagic : 0);
296 if (size == aligned_size)
298 s8 end_offset = (s8)(size - aligned_size);
299 s8* shadow_end = (s8*)MemToShadow(addr + aligned_size);
300 s8 end_value = *shadow_end;
302 // If possible, mark all the bytes mapping to last shadow byte as
304 if (end_value > 0 && end_value <= end_offset)
305 *shadow_end = (s8)kAsanStackUseAfterScopeMagic;
307 // If necessary, mark few first bytes mapping to last shadow byte
310 *shadow_end = Max(end_value, end_offset);
314 void __asan_set_shadow_00(uptr addr, uptr size) {
315 REAL(memset)((void *)addr, 0, size);
318 void __asan_set_shadow_f1(uptr addr, uptr size) {
319 REAL(memset)((void *)addr, 0xf1, size);
322 void __asan_set_shadow_f2(uptr addr, uptr size) {
323 REAL(memset)((void *)addr, 0xf2, size);
326 void __asan_set_shadow_f3(uptr addr, uptr size) {
327 REAL(memset)((void *)addr, 0xf3, size);
330 void __asan_set_shadow_f5(uptr addr, uptr size) {
331 REAL(memset)((void *)addr, 0xf5, size);
334 void __asan_set_shadow_f8(uptr addr, uptr size) {
335 REAL(memset)((void *)addr, 0xf8, size);
338 void __asan_poison_stack_memory(uptr addr, uptr size) {
339 VReport(1, "poisoning: %p %zx\n", (void *)addr, size);
340 PoisonAlignedStackMemory(addr, size, true);
343 void __asan_unpoison_stack_memory(uptr addr, uptr size) {
344 VReport(1, "unpoisoning: %p %zx\n", (void *)addr, size);
345 PoisonAlignedStackMemory(addr, size, false);
348 void __sanitizer_annotate_contiguous_container(const void *beg_p,
350 const void *old_mid_p,
351 const void *new_mid_p) {
352 if (!flags()->detect_container_overflow) return;
353 VPrintf(2, "contiguous_container: %p %p %p %p\n", beg_p, end_p, old_mid_p,
355 uptr beg = reinterpret_cast<uptr>(beg_p);
356 uptr end = reinterpret_cast<uptr>(end_p);
357 uptr old_mid = reinterpret_cast<uptr>(old_mid_p);
358 uptr new_mid = reinterpret_cast<uptr>(new_mid_p);
359 uptr granularity = SHADOW_GRANULARITY;
360 if (!(beg <= old_mid && beg <= new_mid && old_mid <= end && new_mid <= end &&
361 IsAligned(beg, granularity))) {
362 GET_STACK_TRACE_FATAL_HERE;
363 ReportBadParamsToAnnotateContiguousContainer(beg, end, old_mid, new_mid,
367 FIRST_32_SECOND_64(1UL << 30, 1ULL << 34)); // Sanity check.
369 uptr a = RoundDownTo(Min(old_mid, new_mid), granularity);
370 uptr c = RoundUpTo(Max(old_mid, new_mid), granularity);
371 uptr d1 = RoundDownTo(old_mid, granularity);
372 // uptr d2 = RoundUpTo(old_mid, granularity);
373 // Currently we should be in this state:
374 // [a, d1) is good, [d2, c) is bad, [d1, d2) is partially good.
375 // Make a quick sanity check that we are indeed in this state.
377 // FIXME: Two of these three checks are disabled until we fix
378 // https://github.com/google/sanitizers/issues/258.
380 // CHECK_EQ(*(u8*)MemToShadow(d1), old_mid - d1);
381 if (a + granularity <= d1)
382 CHECK_EQ(*(u8*)MemToShadow(a), 0);
383 // if (d2 + granularity <= c && c <= end)
384 // CHECK_EQ(*(u8 *)MemToShadow(c - granularity),
385 // kAsanContiguousContainerOOBMagic);
387 uptr b1 = RoundDownTo(new_mid, granularity);
388 uptr b2 = RoundUpTo(new_mid, granularity);
390 // [a, b1) is good, [b2, c) is bad, [b1, b2) is partially good.
391 PoisonShadow(a, b1 - a, 0);
392 PoisonShadow(b2, c - b2, kAsanContiguousContainerOOBMagic);
394 CHECK_EQ(b2 - b1, granularity);
395 *(u8*)MemToShadow(b1) = static_cast<u8>(new_mid - b1);
399 const void *__sanitizer_contiguous_container_find_bad_address(
400 const void *beg_p, const void *mid_p, const void *end_p) {
401 if (!flags()->detect_container_overflow)
403 uptr beg = reinterpret_cast<uptr>(beg_p);
404 uptr end = reinterpret_cast<uptr>(end_p);
405 uptr mid = reinterpret_cast<uptr>(mid_p);
408 // Check some bytes starting from beg, some bytes around mid, and some bytes
410 uptr kMaxRangeToCheck = 32;
412 uptr r1_end = Min(beg + kMaxRangeToCheck, mid);
413 uptr r2_beg = Max(beg, mid - kMaxRangeToCheck);
414 uptr r2_end = Min(end, mid + kMaxRangeToCheck);
415 uptr r3_beg = Max(end - kMaxRangeToCheck, mid);
417 for (uptr i = r1_beg; i < r1_end; i++)
418 if (AddressIsPoisoned(i))
419 return reinterpret_cast<const void *>(i);
420 for (uptr i = r2_beg; i < mid; i++)
421 if (AddressIsPoisoned(i))
422 return reinterpret_cast<const void *>(i);
423 for (uptr i = mid; i < r2_end; i++)
424 if (!AddressIsPoisoned(i))
425 return reinterpret_cast<const void *>(i);
426 for (uptr i = r3_beg; i < r3_end; i++)
427 if (!AddressIsPoisoned(i))
428 return reinterpret_cast<const void *>(i);
432 int __sanitizer_verify_contiguous_container(const void *beg_p,
435 return __sanitizer_contiguous_container_find_bad_address(beg_p, mid_p,
439 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
440 void __asan_poison_intra_object_redzone(uptr ptr, uptr size) {
441 AsanPoisonOrUnpoisonIntraObjectRedzone(ptr, size, true);
444 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
445 void __asan_unpoison_intra_object_redzone(uptr ptr, uptr size) {
446 AsanPoisonOrUnpoisonIntraObjectRedzone(ptr, size, false);
449 // --- Implementation of LSan-specific functions --- {{{1
451 bool WordIsPoisoned(uptr addr) {
452 return (__asan_region_is_poisoned(addr, sizeof(uptr)) != 0);