1 //===-- safestack.cc ------------------------------------------------------===//
3 // The LLVM Compiler Infrastructure
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
8 //===----------------------------------------------------------------------===//
10 // This file implements the runtime support for the safe stack protection
11 // mechanism. The runtime manages allocation/deallocation of the unsafe stack
12 // for the main thread, as well as all pthreads that are created/destroyed
13 // during program execution.
15 //===----------------------------------------------------------------------===//
22 #include <sys/resource.h>
23 #include <sys/types.h>
24 #if !defined(__NetBSD__)
28 #include "interception/interception.h"
29 #include "sanitizer_common/sanitizer_common.h"
31 // TODO: The runtime library does not currently protect the safe stack beyond
32 // relying on the system-enforced ASLR. The protection of the (safe) stack can
33 // be provided by three alternative features:
35 // 1) Protection via hardware segmentation on x86-32 and some x86-64
36 // architectures: the (safe) stack segment (implicitly accessed via the %ss
37 // segment register) can be separated from the data segment (implicitly
38 // accessed via the %ds segment register). Dereferencing a pointer to the safe
39 // segment would result in a segmentation fault.
41 // 2) Protection via software fault isolation: memory writes that are not meant
42 // to access the safe stack can be prevented from doing so through runtime
43 // instrumentation. One way to do it is to allocate the safe stack(s) in the
44 // upper half of the userspace and bitmask the corresponding upper bit of the
45 // memory addresses of memory writes that are not meant to access the safe
48 // 3) Protection via information hiding on 64 bit architectures: the location
49 // of the safe stack(s) can be randomized through secure mechanisms, and the
50 // leakage of the stack pointer can be prevented. Currently, libc can leak the
51 // stack pointer in several ways (e.g. in longjmp, signal handling, user-level
52 // context switching related functions, etc.). These can be fixed in libc and
53 // in other low-level libraries, by either eliminating the escaping/dumping of
54 // the stack pointer (i.e., %rsp) when that's possible, or by using
55 // encryption/PTR_MANGLE (XOR-ing the dumped stack pointer with another secret
56 // we control and protect better, as is already done for setjmp in glibc.)
57 // Furthermore, a static machine code level verifier can be ran after code
58 // generation to make sure that the stack pointer is never written to memory,
59 // or if it is, its written on the safe stack.
61 // Finally, while the Unsafe Stack pointer is currently stored in a thread
62 // local variable, with libc support it could be stored in the TCB (thread
63 // control block) as well, eliminating another level of indirection and making
64 // such accesses faster. Alternatively, dedicating a separate register for
65 // storing it would also be possible.
67 /// Minimum stack alignment for the unsafe stack.
68 const unsigned kStackAlign = 16;
70 /// Default size of the unsafe stack. This value is only used if the stack
71 /// size rlimit is set to infinity.
72 const unsigned kDefaultUnsafeStackSize = 0x2800000;
74 /// Runtime page size obtained through sysconf
75 static unsigned pageSize;
77 // TODO: To make accessing the unsafe stack pointer faster, we plan to
78 // eventually store it directly in the thread control block data structure on
79 // platforms where this structure is pointed to by %fs or %gs. This is exactly
80 // the same mechanism as currently being used by the traditional stack
81 // protector pass to store the stack guard (see getStackCookieLocation()
82 // function above). Doing so requires changing the tcbhead_t struct in glibc
83 // on Linux and tcb struct in libc on FreeBSD.
85 // For now, store it in a thread-local variable.
87 __attribute__((visibility(
88 "default"))) __thread void *__safestack_unsafe_stack_ptr = nullptr;
91 // Per-thread unsafe stack information. It's not frequently accessed, so there
92 // it can be kept out of the tcb in normal thread-local variables.
93 static __thread void *unsafe_stack_start = nullptr;
94 static __thread size_t unsafe_stack_size = 0;
95 static __thread size_t unsafe_stack_guard = 0;
97 using namespace __sanitizer;
99 static inline void *unsafe_stack_alloc(size_t size, size_t guard) {
100 CHECK_GE(size + guard, size);
101 void *addr = MmapOrDie(size + guard, "unsafe_stack_alloc");
102 MprotectNoAccess((uptr)addr, (uptr)guard);
103 return (char *)addr + guard;
106 static inline void unsafe_stack_setup(void *start, size_t size, size_t guard) {
107 CHECK_GE((char *)start + size, (char *)start);
108 CHECK_GE((char *)start + guard, (char *)start);
109 void *stack_ptr = (char *)start + size;
110 CHECK_EQ((((size_t)stack_ptr) & (kStackAlign - 1)), 0);
112 __safestack_unsafe_stack_ptr = stack_ptr;
113 unsafe_stack_start = start;
114 unsafe_stack_size = size;
115 unsafe_stack_guard = guard;
118 static void unsafe_stack_free() {
119 if (unsafe_stack_start) {
120 UnmapOrDie((char *)unsafe_stack_start - unsafe_stack_guard,
121 unsafe_stack_size + unsafe_stack_guard);
123 unsafe_stack_start = nullptr;
126 /// Thread data for the cleanup handler
127 static pthread_key_t thread_cleanup_key;
129 /// Safe stack per-thread information passed to the thread_start function
131 void *(*start_routine)(void *);
132 void *start_routine_arg;
134 void *unsafe_stack_start;
135 size_t unsafe_stack_size;
136 size_t unsafe_stack_guard;
139 /// Wrap the thread function in order to deallocate the unsafe stack when the
140 /// thread terminates by returning from its main function.
141 static void *thread_start(void *arg) {
142 struct tinfo *tinfo = (struct tinfo *)arg;
144 void *(*start_routine)(void *) = tinfo->start_routine;
145 void *start_routine_arg = tinfo->start_routine_arg;
147 // Setup the unsafe stack; this will destroy tinfo content
148 unsafe_stack_setup(tinfo->unsafe_stack_start, tinfo->unsafe_stack_size,
149 tinfo->unsafe_stack_guard);
151 // Make sure out thread-specific destructor will be called
152 // FIXME: we can do this only any other specific key is set by
153 // intercepting the pthread_setspecific function itself
154 pthread_setspecific(thread_cleanup_key, (void *)1);
156 return start_routine(start_routine_arg);
159 /// Thread-specific data destructor
160 static void thread_cleanup_handler(void *_iter) {
161 // We want to free the unsafe stack only after all other destructors
162 // have already run. We force this function to be called multiple times.
163 // User destructors that might run more then PTHREAD_DESTRUCTOR_ITERATIONS-1
164 // times might still end up executing after the unsafe stack is deallocated.
165 size_t iter = (size_t)_iter;
166 if (iter < PTHREAD_DESTRUCTOR_ITERATIONS) {
167 pthread_setspecific(thread_cleanup_key, (void *)(iter + 1));
169 // This is the last iteration
174 /// Intercept thread creation operation to allocate and setup the unsafe stack
175 INTERCEPTOR(int, pthread_create, pthread_t *thread,
176 const pthread_attr_t *attr,
177 void *(*start_routine)(void*), void *arg) {
183 pthread_attr_getstacksize(attr, &size);
184 pthread_attr_getguardsize(attr, &guard);
186 // get pthread default stack size
187 pthread_attr_t tmpattr;
188 pthread_attr_init(&tmpattr);
189 pthread_attr_getstacksize(&tmpattr, &size);
190 pthread_attr_getguardsize(&tmpattr, &guard);
191 pthread_attr_destroy(&tmpattr);
195 CHECK_EQ((size & (kStackAlign - 1)), 0);
196 CHECK_EQ((guard & (pageSize - 1)), 0);
198 void *addr = unsafe_stack_alloc(size, guard);
199 struct tinfo *tinfo =
200 (struct tinfo *)(((char *)addr) + size - sizeof(struct tinfo));
201 tinfo->start_routine = start_routine;
202 tinfo->start_routine_arg = arg;
203 tinfo->unsafe_stack_start = addr;
204 tinfo->unsafe_stack_size = size;
205 tinfo->unsafe_stack_guard = guard;
207 return REAL(pthread_create)(thread, attr, thread_start, tinfo);
210 extern "C" __attribute__((visibility("default")))
211 #if !SANITIZER_CAN_USE_PREINIT_ARRAY
212 // On ELF platforms, the constructor is invoked using .preinit_array (see below)
213 __attribute__((constructor(0)))
215 void __safestack_init() {
216 // Determine the stack size for the main thread.
217 size_t size = kDefaultUnsafeStackSize;
221 if (getrlimit(RLIMIT_STACK, &limit) == 0 && limit.rlim_cur != RLIM_INFINITY)
222 size = limit.rlim_cur;
224 // Allocate unsafe stack for main thread
225 void *addr = unsafe_stack_alloc(size, guard);
227 unsafe_stack_setup(addr, size, guard);
228 pageSize = sysconf(_SC_PAGESIZE);
230 // Initialize pthread interceptors for thread allocation
231 INTERCEPT_FUNCTION(pthread_create);
233 // Setup the cleanup handler
234 pthread_key_create(&thread_cleanup_key, thread_cleanup_handler);
237 #if SANITIZER_CAN_USE_PREINIT_ARRAY
238 // On ELF platforms, run safestack initialization before any other constructors.
239 // On other platforms we use the constructor attribute to arrange to run our
240 // initialization early.
242 __attribute__((section(".preinit_array"),
243 used)) void (*__safestack_preinit)(void) = __safestack_init;
248 __attribute__((visibility("default"))) void *__get_unsafe_stack_start() {
249 return unsafe_stack_start;
253 __attribute__((visibility("default"))) void *__get_unsafe_stack_ptr() {
254 return __safestack_unsafe_stack_ptr;