This is an archive of the discontinued LLVM Phabricator instance.

Differential D16098

[cfi] Make the shadow read-only.
AbandonedPublic

Authored by eugenis on Jan 11 2016, 4:49 PM.

Details

Reviewers
kcc
pcc
Summary

Make CFI shadow read-only.
For the updates, prepare new data in a buffer on the side, then,
depending on the platform:

  • (Linux) mprotect + mremap into place.
  • (non-Linux) remove protection from the target region, copy, restore protection, verify contents.

Diff Detail

Repository
rL LLVM

Event Timeline

eugenis updated this revision to Diff 44582.Jan 11 2016, 4:49 PM
eugenis retitled this revision from to [cfi] Make the shadow read-only..
eugenis updated this object.
eugenis added reviewers: pcc, kcc.
eugenis set the repository for this revision to rL LLVM.
eugenis added a subscriber: llvm-commits.
pcc mentioned this in D15728: [cfi] Support for dlopen and dlclose.Jan 12 2016, 6:26 PM
pcc edited edge metadata.Jan 25 2016, 1:59 PM

This should be closed, right?

eugenis abandoned this revision.Jan 25 2016, 2:27 PM

Revision Contents

PathSize
lib/
cfi/
39 lines
sanitizer_common/
1 line
2 lines
10 lines
90 lines
tests/
1 line
81 lines

Diff 44582

lib/cfi/cfi.cc

Show All 22 Lines
#include <string.h> #include <string.h>
typedef ElfW(Phdr) Elf_Phdr; typedef ElfW(Phdr) Elf_Phdr;
typedef ElfW(Ehdr) Elf_Ehdr; typedef ElfW(Ehdr) Elf_Ehdr;
#include "interception/interception.h" #include "interception/interception.h"
#include "sanitizer_common/sanitizer_common.h" #include "sanitizer_common/sanitizer_common.h"
#include "sanitizer_common/sanitizer_flag_parser.h" #include "sanitizer_common/sanitizer_flag_parser.h"
#include "sanitizer_common/sanitizer_platform_limits_posix.h"
#include "sanitizer_common/sanitizer_readonlyupdate.h"
#include "ubsan/ubsan_init.h" #include "ubsan/ubsan_init.h"
#include "ubsan/ubsan_flags.h" #include "ubsan/ubsan_flags.h"
typedef __sanitizer::ReadOnlyUpdate<uint16_t> ShadowWrite;
static uptr __cfi_shadow; static uptr __cfi_shadow;
static constexpr uptr kShadowGranularity = 12; static constexpr uptr kShadowGranularity = 12;
static constexpr uptr kShadowAlign = 1UL << kShadowGranularity; // 4096 static constexpr uptr kShadowAlign = 1UL << kShadowGranularity; // 4096
static constexpr uint16_t kInvalidShadow = 0; static constexpr uint16_t kInvalidShadow = 0;
static constexpr uint16_t kUncheckedShadow = 0xFFFFU; static constexpr uint16_t kUncheckedShadow = 0xFFFFU;
static uint16_t *mem_to_shadow(uptr x) { static uint16_t *mem_to_shadow(uptr x) {
Show All 24 Lines static const ShadowValue load(uptr addr) {
return ShadowValue(addr, *mem_to_shadow(addr)); return ShadowValue(addr, *mem_to_shadow(addr));
} }
}; };
static void fill_shadow_constant(uptr begin, uptr end, uint16_t v) { static void fill_shadow_constant(uptr begin, uptr end, uint16_t v) {
assert(v == kInvalidShadow || v == kUncheckedShadow); assert(v == kInvalidShadow || v == kUncheckedShadow);
uint16_t *shadow_begin = mem_to_shadow(begin); uint16_t *shadow_begin = mem_to_shadow(begin);
uint16_t *shadow_end = mem_to_shadow(end - 1) + 1; uint16_t *shadow_end = mem_to_shadow(end - 1) + 1;
memset(shadow_begin, v, (shadow_end - shadow_begin) * sizeof(*shadow_begin));
const auto sw = ShadowWrite::start(shadow_begin, shadow_end);
memset(sw.begin(), v, (sw.end() - sw.begin()) * sizeof(uint16_t));
sw.commit();
} }
static void fill_shadow(uptr begin, uptr end, uptr cfi_check) { static void fill_shadow(uptr begin, uptr end, uptr cfi_check) {
assert((cfi_check & (kShadowAlign - 1)) == 0); assert((cfi_check & (kShadowAlign - 1)) == 0);
// Don't fill anything below cfi_check. We can not represent those addresses // Don't fill anything below cfi_check. We can not represent those addresses
// in the shadow, and must make sure at codegen to place all valid call // in the shadow, and must make sure at codegen to place all valid call
// targets above cfi_check. // targets above cfi_check.
uptr p = Max(begin, cfi_check); uptr p = Max(begin, cfi_check);
uint16_t *s = mem_to_shadow(p); uint16_t *s = mem_to_shadow(p);
uint16_t *s_end = mem_to_shadow(end - 1) + 1; uint16_t *s_end = mem_to_shadow(end - 1) + 1;
uint16_t sv = ((p - cfi_check) >> kShadowGranularity) + 1; uint16_t sv = ((p - cfi_check) >> kShadowGranularity) + 1;
for (; s < s_end; s++, sv++)
*s = sv; const auto sw = ShadowWrite::start(s, s_end);
for (uint16_t *dst = sw.begin(); dst < sw.end(); ++dst, ++sv)
*dst = sv;
sw.commit();
// Sanity checks. // Sanity checks.
uptr q = p & ~(kShadowAlign - 1); uptr q = p & ~(kShadowAlign - 1);
for (; q < end; q += kShadowAlign) { for (; q < end; q += kShadowAlign) {
assert((uptr)ShadowValue::load(q).get_cfi_check() == cfi_check); assert((uptr)ShadowValue::load(q).get_cfi_check() == cfi_check);
assert((uptr)ShadowValue::load(q + kShadowAlign / 2).get_cfi_check() == assert((uptr)ShadowValue::load(q + kShadowAlign / 2).get_cfi_check() ==
cfi_check); cfi_check);
assert((uptr)ShadowValue::load(q + kShadowAlign - 1).get_cfi_check() == assert((uptr)ShadowValue::load(q + kShadowAlign - 1).get_cfi_check() ==
▲ Show 20 LinesShow All 134 Lines▼ Show 20 Lines#endif
if (Verbosity()) ReportUnrecognizedFlags(); if (Verbosity()) ReportUnrecognizedFlags();
if (common_flags()->help) { if (common_flags()->help) {
cfi_parser.PrintFlagDescriptions(); cfi_parser.PrintFlagDescriptions();
} }
} }
static void map_shadow() {
uptr vma = GetMaxVirtualAddress();
// Shadow is 2 -> 2**kShadowGranularity.
uptr shadow_size = (vma >> (kShadowGranularity - 1)) + 1;
VReport(1, "CFI: VMA size %zx, shadow size %zx\n", vma, shadow_size);
void *shadow = MmapNoReserveOrDie(shadow_size, "CFI shadow");
VReport(1, "CFI: shadow at %zx .. %zx\n", shadow,
reinterpret_cast<uptr>(shadow) + shadow_size);
MprotectReadOnly((uptr)shadow, shadow_size);
__cfi_shadow = (uptr)shadow;
}
extern "C" SANITIZER_INTERFACE_ATTRIBUTE extern "C" SANITIZER_INTERFACE_ATTRIBUTE
#if !SANITIZER_CAN_USE_PREINIT_ARRAY #if !SANITIZER_CAN_USE_PREINIT_ARRAY
// On ELF platforms, the constructor is invoked using .preinit_array (see below) // On ELF platforms, the constructor is invoked using .preinit_array (see below)
__attribute__((constructor(0))) __attribute__((constructor(0)))
#endif #endif
void __cfi_init() { void __cfi_init() {
SanitizerToolName = "CFI"; SanitizerToolName = "CFI";
InitializeFlags(); InitializeFlags();
uptr vma = GetMaxVirtualAddress(); map_shadow();
// Shadow is 2 -> 2**kShadowGranularity.
uptr shadow_size = (vma >> (kShadowGranularity - 1)) + 1;
VReport(1, "CFI: VMA size %zx, shadow size %zx\n", vma, shadow_size);
void *shadow = MmapNoReserveOrDie(shadow_size, "CFI shadow");
VReport(1, "CFI: shadow at %zx .. %zx\n", shadow,
reinterpret_cast<uptr>(shadow) + shadow_size);
__cfi_shadow = (uptr)shadow;
init_shadow(); init_shadow();
#ifdef CFI_ENABLE_DIAG #ifdef CFI_ENABLE_DIAG
__ubsan::InitAsPlugin(); __ubsan::InitAsPlugin();
#endif #endif
} }
#if SANITIZER_CAN_USE_PREINIT_ARRAY #if SANITIZER_CAN_USE_PREINIT_ARRAY
// On ELF platforms, run cfi initialization before any other constructors. // On ELF platforms, run cfi initialization before any other constructors.
// On other platforms we use the constructor attribute to arrange to run our // On other platforms we use the constructor attribute to arrange to run our
// initialization early. // initialization early.
extern "C" { extern "C" {
__attribute__((section(".preinit_array"), __attribute__((section(".preinit_array"),
used)) void (*__cfi_preinit)(void) = __cfi_init; used)) void (*__cfi_preinit)(void) = __cfi_init;
} }
#endif #endif

lib/sanitizer_common/CMakeLists.txt

Show First 20 LinesShow All 84 Lines▼ Show 20 Linesset(SANITIZER_HEADERS
sanitizer_mutex.h sanitizer_mutex.h
sanitizer_persistent_allocator.h sanitizer_persistent_allocator.h
sanitizer_placement_new.h sanitizer_placement_new.h
sanitizer_platform.h sanitizer_platform.h
sanitizer_platform_interceptors.h sanitizer_platform_interceptors.h
sanitizer_platform_limits_posix.h sanitizer_platform_limits_posix.h
sanitizer_posix.h sanitizer_posix.h
sanitizer_procmaps.h sanitizer_procmaps.h
sanitizer_readonlyupdate.h
sanitizer_quarantine.h sanitizer_quarantine.h
sanitizer_report_decorator.h sanitizer_report_decorator.h
sanitizer_stackdepot.h sanitizer_stackdepot.h
sanitizer_stackdepotbase.h sanitizer_stackdepotbase.h
sanitizer_stacktrace.h sanitizer_stacktrace.h
sanitizer_stacktrace_printer.h sanitizer_stacktrace_printer.h
sanitizer_stoptheworld.h sanitizer_stoptheworld.h
sanitizer_suppressions.h sanitizer_suppressions.h
▲ Show 20 LinesShow All 58 LinesShow Last 20 Lines

lib/sanitizer_common/sanitizer_common.h

Show First 20 LinesShow All 87 Lines▼ Show 20 Lines
void *MmapNoReserveOrDie(uptr size, const char *mem_type); void *MmapNoReserveOrDie(uptr size, const char *mem_type);
void *MmapFixedOrDie(uptr fixed_addr, uptr size); void *MmapFixedOrDie(uptr fixed_addr, uptr size);
void *MmapNoAccess(uptr fixed_addr, uptr size, const char *name = nullptr); void *MmapNoAccess(uptr fixed_addr, uptr size, const char *name = nullptr);
// Map aligned chunk of address space; size and alignment are powers of two. // Map aligned chunk of address space; size and alignment are powers of two.
void *MmapAlignedOrDie(uptr size, uptr alignment, const char *mem_type); void *MmapAlignedOrDie(uptr size, uptr alignment, const char *mem_type);
// Disallow access to a memory range. Use MmapNoAccess to allocate an // Disallow access to a memory range. Use MmapNoAccess to allocate an
// unaccessible memory. // unaccessible memory.
bool MprotectNoAccess(uptr addr, uptr size); bool MprotectNoAccess(uptr addr, uptr size);
bool MprotectReadOnly(uptr addr, uptr size);
bool MprotectReadWrite(uptr addr, uptr size);
// Used to check if we can map shadow memory to a fixed location. // Used to check if we can map shadow memory to a fixed location.
bool MemoryRangeIsAvailable(uptr range_start, uptr range_end); bool MemoryRangeIsAvailable(uptr range_start, uptr range_end);
void FlushUnneededShadowMemory(uptr addr, uptr size); void FlushUnneededShadowMemory(uptr addr, uptr size);
void IncreaseTotalMmap(uptr size); void IncreaseTotalMmap(uptr size);
void DecreaseTotalMmap(uptr size); void DecreaseTotalMmap(uptr size);
uptr GetRSS(); uptr GetRSS();
void NoHugePagesInRegion(uptr addr, uptr length); void NoHugePagesInRegion(uptr addr, uptr length);
▲ Show 20 LinesShow All 646 LinesShow Last 20 Lines

lib/sanitizer_common/sanitizer_posix.cc

Show First 20 LinesShow All 162 Lines▼ Show 20 Lines internal_snprintf(mem_type, sizeof(mem_type), "memory at address 0x%zx",
fixed_addr); fixed_addr);
ReportMmapFailureAndDie(size, mem_type, "allocate", reserrno); ReportMmapFailureAndDie(size, mem_type, "allocate", reserrno);
} }
IncreaseTotalMmap(size); IncreaseTotalMmap(size);
return (void *)p; return (void *)p;
} }
bool MprotectNoAccess(uptr addr, uptr size) { bool MprotectNoAccess(uptr addr, uptr size) {
return 0 == internal_mprotect((void*)addr, size, PROT_NONE); return 0 == internal_mprotect((void *)addr, size, PROT_NONE);
} }
bool MprotectReadOnly(uptr addr, uptr size) {
return 0 == internal_mprotect((void *)addr, size, PROT_READ);
}
bool MprotectReadWrite(uptr addr, uptr size) {
return 0 == internal_mprotect((void *)addr, size, PROT_READ | PROT_WRITE);
}
fd_t OpenFile(const char *filename, FileAccessMode mode, error_t *errno_p) { fd_t OpenFile(const char *filename, FileAccessMode mode, error_t *errno_p) {
int flags; int flags;
switch (mode) { switch (mode) {
case RdOnly: flags = O_RDONLY; break; case RdOnly: flags = O_RDONLY; break;
case WrOnly: flags = O_WRONLY | O_CREAT; break; case WrOnly: flags = O_WRONLY | O_CREAT; break;
case RdWr: flags = O_RDWR | O_CREAT; break; case RdWr: flags = O_RDWR | O_CREAT; break;
} }
fd_t res = internal_open(filename, flags, 0660); fd_t res = internal_open(filename, flags, 0660);
▲ Show 20 LinesShow All 145 LinesShow Last 20 Lines

lib/sanitizer_common/sanitizer_readonlyupdate.h

  • This file was added.
//===-------- sanitizer_readonlyupdate.h ------------------------*- C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
// A helper class for updating a read-only memory region via mremap.
//===----------------------------------------------------------------------===//
#ifndef CFI_SHADOW_H
#define CFI_SHADOW_H
#include <sys/mman.h>
#include "sanitizer_common.h"
namespace __sanitizer {
// Update the read-only shadow w/o ever making it writable.
// Works by preparing the data in a writable buffer on the side, then
// moving it in place with mprotect + mremap.
template <typename T>
struct ReadOnlyUpdate {
// The updated region.
uptr shadow_start, shadow_end;
// The updated region, extended to the nearest page boundaries.
uptr aligned_start, aligned_end;
// Temporary write buffer matching the extended shadow region.
uptr copy_start, copy_size;
// Get the start of the temporary buffer.
T *begin() const {
return (T *)(copy_start + (shadow_start - aligned_start));
}
// Get the end of the temporary buffer.
T *end() const { return (T *)(copy_start + (shadow_end - aligned_start)); }
// Finalize the operation, atomically (when possible) moving the temporary
// buffer to the requested shadow region.
#if SANITIZER_LINUX
void commit() const {
MprotectReadOnly(copy_start, copy_size);
void *res = mremap((void *)copy_start, copy_size, copy_size,
MREMAP_MAYMOVE | MREMAP_FIXED, (void *)aligned_start);
CHECK(res != MAP_FAILED);
}
#else
void commit() const {
MprotectReadWrite(aligned_start, copy_size);
internal_memcpy((void *)aligned_start, (void *)copy_start, copy_size);
MprotectReadOnly(aligned_start, copy_size);
CHECK_EQ(0, internal_memcmp((void *)aligned_start, (void *)copy_start,
copy_size));
UnmapOrDie((void *)copy_start, copy_size);
}
#endif
// Prepare to update a shadow region.
// Current contents of the region are not preserved.
static ReadOnlyUpdate<T> start(T *start, T *end) {
CHECK(end >= start);
return ReadOnlyUpdate<T>((uptr)start, (uptr)end);
}
private:
ReadOnlyUpdate(uptr start, uptr end) {
shadow_start = start;
shadow_end = end;
uptr page_size = GetPageSizeCached();
aligned_start = shadow_start & ~(page_size - 1);
aligned_end = (shadow_end + page_size - 1) & ~(page_size - 1);
copy_size = aligned_end - aligned_start;
copy_start = (uptr)MmapOrDie(copy_size, "CFI shadow update");
uptr copy_end = copy_start + copy_size;
uptr left_copy_size = shadow_start - aligned_start;
uptr right_copy_size = aligned_end - shadow_end;
internal_memcpy((void *)copy_start, (void *)aligned_start, left_copy_size);
internal_memcpy((void *)(copy_end - right_copy_size),
(void *)(aligned_end - right_copy_size), right_copy_size);
}
};
} // namespace __sanitizer
#endif // CFI_SHADOW_H

lib/sanitizer_common/tests/CMakeLists.txt

Show All 20 Linesset(SANITIZER_UNITTESTS
sanitizer_libc_test.cc sanitizer_libc_test.cc
sanitizer_linux_test.cc sanitizer_linux_test.cc
sanitizer_list_test.cc sanitizer_list_test.cc
sanitizer_mutex_test.cc sanitizer_mutex_test.cc
sanitizer_nolibc_test.cc sanitizer_nolibc_test.cc
sanitizer_posix_test.cc sanitizer_posix_test.cc
sanitizer_printf_test.cc sanitizer_printf_test.cc
sanitizer_procmaps_test.cc sanitizer_procmaps_test.cc
sanitizer_readonlyupdate_test.cc
sanitizer_stackdepot_test.cc sanitizer_stackdepot_test.cc
sanitizer_stacktrace_printer_test.cc sanitizer_stacktrace_printer_test.cc
sanitizer_stacktrace_test.cc sanitizer_stacktrace_test.cc
sanitizer_stoptheworld_test.cc sanitizer_stoptheworld_test.cc
sanitizer_suppressions_test.cc sanitizer_suppressions_test.cc
sanitizer_symbolizer_test.cc sanitizer_symbolizer_test.cc
sanitizer_test_main.cc sanitizer_test_main.cc
sanitizer_thread_registry_test.cc) sanitizer_thread_registry_test.cc)
▲ Show 20 LinesShow All 175 LinesShow Last 20 Lines

lib/sanitizer_common/tests/sanitizer_readonlyupdate_test.cc

  • This file was added.
//===-- sanitizer_readonlyupdate_test.cc ----------------------------------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
#include "sanitizer_readonlyupdate.h"
#include "gtest/gtest.h"
class ReadOnlyUpdateTest : public ::testing::Test {
protected:
virtual void SetUp() {
page = GetPageSizeCached();
sz = page * 10;
p = (char *)MmapOrDie(sz, nullptr);
ASSERT_NE(p, (char *)-1);
}
virtual void TearDown() {
UnmapOrDie(p, sz);
}
uptr page;
uptr sz;
char *p;
};
TEST_F(ReadOnlyUpdateTest, PageAligned) {
p[page + 10] = 1;
const auto w = ReadOnlyUpdate<char>::start(p + page, p + page * 2);
ASSERT_EQ(w.end() - w.begin(), (sptr)page);
for (char *q = (char *)w.begin(); q != (char *)w.end(); ++q) EXPECT_EQ(*q, 0);
*w.begin() = 42;
*(w.end() - 1) = 43;
w.commit();
EXPECT_EQ(p[page - 1], 0);
EXPECT_EQ(p[page], 42);
EXPECT_EQ(p[page + 1], 0);
EXPECT_EQ(p[page + 10], 0); // original contents lost
EXPECT_EQ(p[2 * page - 1], 43);
EXPECT_EQ(p[2 * page], 0);
// Still read only.
EXPECT_DEATH(p[page + 14] = 0, "");
}
TEST_F(ReadOnlyUpdateTest, Unaligned) {
p[page + 110] = 1;
const auto w =
ReadOnlyUpdate<char>::start(p + page + 100, p + page * 3 - 200);
for (char *q = (char *)w.begin(); q != (char *)w.end(); ++q) EXPECT_EQ(*q, 0);
*w.begin() = 42;
*(w.end() - 1) = 43;
w.commit();
EXPECT_EQ(p[page - 1], 0);
EXPECT_EQ(p[page + 99], 0);
EXPECT_EQ(p[page + 100], 42);
EXPECT_EQ(p[page + 101], 0);
EXPECT_EQ(p[page + 110], 0);
EXPECT_EQ(p[page * 3 - 202], 0);
EXPECT_EQ(p[page * 3 - 201], 43);
EXPECT_EQ(p[page * 3 - 200], 0);
EXPECT_DEATH(p[page + 105] = 0, "");
EXPECT_DEATH(p[page * 3 - 207] = 0, "");
}
TEST_F(ReadOnlyUpdateTest, Empty) {
const auto w = ReadOnlyUpdate<char>::start(p + page + 100, p + page + 100);
CHECK(w.begin() == w.end());
w.commit();
for (char *q = p; q != p + sz; ++q) EXPECT_EQ(*q, 0);
}