This is an archive of the discontinued LLVM Phabricator instance.

Differential D139543

[DFSan] Add callback that allows to track which function tainted data reaches
ClosedPublic

Authored by clg on Dec 7 2022, 8:03 AM.

Details

Reviewers
browneee
vitalybuka
Commits
rG5bb06c7cce6b: [DFSan] Add callback that allows to track which function tainted data reaches.

Diff Detail

Event Timeline

clg created this revision.Dec 7 2022, 8:03 AM
Herald added a project: Restricted Project. · View Herald TranscriptDec 7 2022, 8:03 AM
Herald added subscribers: Enna1, hiraditya. · View Herald Transcript
clg requested review of this revision.Dec 7 2022, 8:03 AM
Herald added a project: Restricted Project. · View Herald TranscriptDec 7 2022, 8:03 AM
Herald added subscribers: llvm-commits, Restricted Project. · View Herald Transcript
browneee added inline comments.Dec 7 2022, 10:35 AM
compiler-rt/test/dfsan/reaches_function.c
5

Can you make this test build and run a second time with origin tracking enabled?
e.g. https://github.com/llvm/llvm-project/blob/91b38c6aaddefabad2a4c959ea3865e356761ed5/compiler-rt/test/dfsan/flush.c#L3

When origin tracking is enabled (use #ifdef), you could also call dfsan_print_origin_id_trace and add filecheck expectations for that output.

21–22

It may be a better approach to:

  • print the file,line,function here
  • pipe the output into filecheck
  • add filecheck expectations to match for the printed lines, put them at each function and use [[@LINE-1]]

The advantages of this would be:

Harbormaster completed remote builds in B201684: Diff 480884.Dec 7 2022, 4:55 PM
clg updated this revision to Diff 481214.Dec 8 2022, 2:24 AM

addressing comments

clg updated this revision to Diff 481266.Dec 8 2022, 6:51 AM

fix test

clg marked 2 inline comments as done.Dec 8 2022, 9:12 AM
browneee added inline comments.Dec 8 2022, 9:53 AM
compiler-rt/test/dfsan/reaches_function.c
53

To clarify, this is triggered by the tainted value is returned from add?

Should we expect the location to be here-1 because it should be the line number of the containing function, or should the line number be down at 60?

llvm/lib/Transforms/Instrumentation/DataFlowSanitizer.cpp
1061–1065

Should this attempt to use debug information from Instruction &I (the instruction where this occurs), rather than just using the debug loc for the containing function?

Harbormaster completed remote builds in B201955: Diff 481266.Dec 8 2022, 1:15 PM
clg updated this revision to Diff 481447.Dec 8 2022, 2:25 PM

addressing comments

compiler-rt/test/dfsan/reaches_function.c
53

changed it, see other comment.

llvm/lib/Transforms/Instrumentation/DataFlowSanitizer.cpp
1061–1065

Sure, we might as well give more fine-grained information on where the access took place.

Harbormaster completed remote builds in B202084: Diff 481447.Dec 8 2022, 9:22 PM
clg marked 2 inline comments as done.Dec 9 2022, 12:04 AM
browneee accepted this revision.Dec 9 2022, 12:36 PM

LGTM.

Test failures look unrelated, but rebasing might make it green again.

Let me know if you'd like me to commit it for you.

This revision is now accepted and ready to land.Dec 9 2022, 12:36 PM
clg added a comment.Dec 9 2022, 3:01 PM

That would be very much appreciated :)

This revision was landed with ongoing or failed builds.Dec 11 2022, 11:10 PM
Closed by commit rG5bb06c7cce6b: [DFSan] Add callback that allows to track which function tainted data reaches. (authored by browneee). · Explain Why
This revision was automatically updated to reflect the committed changes.
browneee added a commit: rG5bb06c7cce6b: [DFSan] Add callback that allows to track which function tainted data reaches..

Revision Contents

PathSize
compiler-rt/
include/
sanitizer/
20 lines
lib/
dfsan/
62 lines
6 lines
test/
dfsan/
Inputs/
6 lines
67 lines
llvm/
lib/
Transforms/
Instrumentation/
106 lines
test/
Instrumentation/
DataFlowSanitizer/
29 lines

Diff 482002

compiler-rt/include/sanitizer/dfsan_interface.h

Show All 25 Lines
/// Signature of the callback argument to dfsan_set_write_callback(). /// Signature of the callback argument to dfsan_set_write_callback().
typedef void (*dfsan_write_callback_t)(int fd, const void *buf, size_t count); typedef void (*dfsan_write_callback_t)(int fd, const void *buf, size_t count);
/// Signature of the callback argument to dfsan_set_conditional_callback(). /// Signature of the callback argument to dfsan_set_conditional_callback().
typedef void (*dfsan_conditional_callback_t)(dfsan_label label, typedef void (*dfsan_conditional_callback_t)(dfsan_label label,
dfsan_origin origin); dfsan_origin origin);
/// Signature of the callback argument to dfsan_set_reaches_function_callback().
/// The description is intended to hold the name of the variable.
typedef void (*dfsan_reaches_function_callback_t)(dfsan_label label,
dfsan_origin origin,
const char *file,
unsigned int line,
const char *function);
/// Computes the union of \c l1 and \c l2, resulting in a union label. /// Computes the union of \c l1 and \c l2, resulting in a union label.
dfsan_label dfsan_union(dfsan_label l1, dfsan_label l2); dfsan_label dfsan_union(dfsan_label l1, dfsan_label l2);
/// Sets the label for each address in [addr,addr+size) to \c label. /// Sets the label for each address in [addr,addr+size) to \c label.
void dfsan_set_label(dfsan_label label, void *addr, size_t size); void dfsan_set_label(dfsan_label label, void *addr, size_t size);
/// Sets the label for each address in [addr,addr+size) to the union of the /// Sets the label for each address in [addr,addr+size) to the union of the
/// current label for that address and \c label. /// current label for that address and \c label.
▲ Show 20 LinesShow All 44 Lines▼ Show 20 Lines
/// Conditional expressions occur during signal handlers. /// Conditional expressions occur during signal handlers.
/// Making callbacks that handle signals well is tricky, so when /// Making callbacks that handle signals well is tricky, so when
/// -dfsan-conditional-callbacks=true, conditional expressions used in signal /// -dfsan-conditional-callbacks=true, conditional expressions used in signal
/// handlers will add the labels they see into a global (bitwise-or together). /// handlers will add the labels they see into a global (bitwise-or together).
/// This function returns all label bits seen in signal handler conditions. /// This function returns all label bits seen in signal handler conditions.
dfsan_label dfsan_get_labels_in_signal_conditional(); dfsan_label dfsan_get_labels_in_signal_conditional();
/// Sets a callback to be invoked when tainted data reaches a function.
/// This could occur at function entry, or at a load instruction.
/// These callbacks will only be added if -dfsan-reaches-function-callbacks=1.
void dfsan_set_reaches_function_callback(
dfsan_reaches_function_callback_t callback);
/// Making callbacks that handle signals well is tricky, so when
/// -dfsan-reaches-function-callbacks=true, functions reached in signal
/// handlers will add the labels they see into a global (bitwise-or together).
/// This function returns all label bits seen during signal handlers.
dfsan_label dfsan_get_labels_in_signal_reaches_function();
/// Interceptor hooks. /// Interceptor hooks.
/// Whenever a dfsan's custom function is called the corresponding /// Whenever a dfsan's custom function is called the corresponding
/// hook is called it non-zero. The hooks should be defined by the user. /// hook is called it non-zero. The hooks should be defined by the user.
/// The primary use case is taint-guided fuzzing, where the fuzzer /// The primary use case is taint-guided fuzzing, where the fuzzer
/// needs to see the parameters of the function and the labels. /// needs to see the parameters of the function and the labels.
/// FIXME: implement more hooks. /// FIXME: implement more hooks.
void dfsan_weak_hook_memcmp(void *caller_pc, const void *s1, const void *s2, void dfsan_weak_hook_memcmp(void *caller_pc, const void *s1, const void *s2,
size_t n, dfsan_label s1_label, size_t n, dfsan_label s1_label,
▲ Show 20 LinesShow All 86 LinesShow Last 20 Lines

compiler-rt/lib/dfsan/dfsan.cpp

Show First 20 LinesShow All 712 Lines▼ Show 20 Linesextern "C" SANITIZER_INTERFACE_ATTRIBUTE void dfsan_set_conditional_callback(
__dfsan::conditional_callback = callback; __dfsan::conditional_callback = callback;
} }
extern "C" SANITIZER_INTERFACE_ATTRIBUTE dfsan_label extern "C" SANITIZER_INTERFACE_ATTRIBUTE dfsan_label
dfsan_get_labels_in_signal_conditional() { dfsan_get_labels_in_signal_conditional() {
return __dfsan::labels_in_signal_conditional; return __dfsan::labels_in_signal_conditional;
} }
namespace __dfsan {
typedef void (*dfsan_reaches_function_callback_t)(dfsan_label label,
dfsan_origin origin,
const char *file,
unsigned int line,
const char *function);
static dfsan_reaches_function_callback_t reaches_function_callback = nullptr;
static dfsan_label labels_in_signal_reaches_function = 0;
static void ReachesFunctionCallback(dfsan_label label, dfsan_origin origin,
const char *file, unsigned int line,
const char *function) {
if (label == 0) {
return;
}
if (reaches_function_callback == nullptr) {
return;
}
// This initial ReachesFunctionCallback handler needs to be in here in dfsan
// runtime (rather than being an entirely user implemented hook) so that it
// has access to dfsan thread information.
DFsanThread *t = GetCurrentThread();
// A callback operation which does useful work (like record the flow) will
// likely be too long executed in a signal handler.
if (t && t->InSignalHandler()) {
// Record set of labels used in signal handler for completeness.
labels_in_signal_reaches_function |= label;
return;
}
reaches_function_callback(label, origin, file, line, function);
}
} // namespace __dfsan
extern "C" SANITIZER_INTERFACE_ATTRIBUTE void
__dfsan_reaches_function_callback_origin(dfsan_label label, dfsan_origin origin,
const char *file, unsigned int line,
const char *function) {
__dfsan::ReachesFunctionCallback(label, origin, file, line, function);
}
extern "C" SANITIZER_INTERFACE_ATTRIBUTE void
__dfsan_reaches_function_callback(dfsan_label label, const char *file,
unsigned int line, const char *function) {
__dfsan::ReachesFunctionCallback(label, 0, file, line, function);
}
extern "C" SANITIZER_INTERFACE_ATTRIBUTE void
dfsan_set_reaches_function_callback(
__dfsan::dfsan_reaches_function_callback_t callback) {
__dfsan::reaches_function_callback = callback;
}
extern "C" SANITIZER_INTERFACE_ATTRIBUTE dfsan_label
dfsan_get_labels_in_signal_reaches_function() {
return __dfsan::labels_in_signal_reaches_function;
}
class Decorator : public __sanitizer::SanitizerCommonDecorator { class Decorator : public __sanitizer::SanitizerCommonDecorator {
public: public:
Decorator() : SanitizerCommonDecorator() {} Decorator() : SanitizerCommonDecorator() {}
const char *Origin() const { return Magenta(); } const char *Origin() const { return Magenta(); }
}; };
namespace { namespace {
▲ Show 20 LinesShow All 297 Lines▼ Show 20 Lines if (start >= maxVirtualAddress)
continue; continue;
if (!MmapFixedSuperNoReserve(start, size, kMemoryLayout[i].name)) { if (!MmapFixedSuperNoReserve(start, size, kMemoryLayout[i].name)) {
Printf("FATAL: DataFlowSanitizer: failed to clear memory region\n"); Printf("FATAL: DataFlowSanitizer: failed to clear memory region\n");
Die(); Die();
} }
} }
__dfsan::labels_in_signal_conditional = 0; __dfsan::labels_in_signal_conditional = 0;
__dfsan::labels_in_signal_reaches_function = 0;
} }
// TODO: CheckMemoryLayoutSanity is based on msan. // TODO: CheckMemoryLayoutSanity is based on msan.
// Consider refactoring these into a shared implementation. // Consider refactoring these into a shared implementation.
static void CheckMemoryLayoutSanity() { static void CheckMemoryLayoutSanity() {
uptr prev_end = 0; uptr prev_end = 0;
for (unsigned i = 0; i < kMemoryLayoutSize; ++i) { for (unsigned i = 0; i < kMemoryLayoutSize; ++i) {
uptr start = kMemoryLayout[i].start; uptr start = kMemoryLayout[i].start;
▲ Show 20 LinesShow All 159 LinesShow Last 20 Lines

compiler-rt/lib/dfsan/done_abilist.txt

Show First 20 LinesShow All 44 Lines▼ Show 20 Lines
fun:dfsan_get_init_origin=uninstrumented fun:dfsan_get_init_origin=uninstrumented
fun:dfsan_get_init_origin=discard fun:dfsan_get_init_origin=discard
fun:dfsan_get_track_origins=uninstrumented fun:dfsan_get_track_origins=uninstrumented
fun:dfsan_get_track_origins=discard fun:dfsan_get_track_origins=discard
fun:dfsan_set_conditional_callback=uninstrumented fun:dfsan_set_conditional_callback=uninstrumented
fun:dfsan_set_conditional_callback=discard fun:dfsan_set_conditional_callback=discard
fun:dfsan_get_labels_in_signal_conditional=uninstrumented fun:dfsan_get_labels_in_signal_conditional=uninstrumented
fun:dfsan_get_labels_in_signal_conditional=discard fun:dfsan_get_labels_in_signal_conditional=discard
fun:dfsan_set_reaches_function_callback=uninstrumented
fun:dfsan_set_reaches_function_callback=discard
fun:dfsan_get_labels_in_signal_reaches_function=uninstrumented
fun:dfsan_get_labels_in_signal_reaches_function=discard
fun:dfsan_reaches_function_callback=uninstrumented
fun:dfsan_reaches_function_callback=discard
############################################################################### ###############################################################################
# glibc # glibc
############################################################################### ###############################################################################
# Functions of memory allocators # Functions of memory allocators
fun:__libc_memalign=discard fun:__libc_memalign=discard
fun:aligned_alloc=discard fun:aligned_alloc=discard
fun:calloc=discard fun:calloc=discard
▲ Show 20 LinesShow All 406 LinesShow Last 20 Lines

compiler-rt/test/dfsan/Inputs/flags_abilist.txt

fun:f=uninstrumented fun:f=uninstrumented
fun:function_to_force_zero=force_zero_labels fun:function_to_force_zero=force_zero_labels
fun:main=uninstrumented fun:main=uninstrumented
fun:main=discard fun:main=discard
fun:dfsan_set_label=uninstrumented fun:dfsan_set_label=uninstrumented
fun:dfsan_set_label=discard fun:dfsan_set_label=discard
fun:my_dfsan_conditional_callback=uninstrumented fun:my_dfsan_conditional_callback=uninstrumented
fun:my_dfsan_conditional_callback=discard fun:my_dfsan_conditional_callback=discard
fun:dfsan_set_conditional_callback=uninstrumented fun:dfsan_set_conditional_callback=uninstrumented
fun:dfsan_set_conditional_callback=discard fun:dfsan_set_conditional_callback=discard
fun:my_dfsan_reaches_function_callback=uninstrumented
fun:my_dfsan_reaches_function_callback=discard
fun:dfsan_set_reaches_function_callback=uninstrumented
fun:dfsan_set_reaches_function_callback=discard

compiler-rt/test/dfsan/reaches_function.c

  • This file was added.
// RUN: %clang_dfsan -fno-sanitize=dataflow -O2 -fPIE -DCALLBACKS -c %s -o %t-callbacks.o
// RUN: %clang_dfsan -gmlt -fsanitize-ignorelist=%S/Inputs/flags_abilist.txt -O2 -mllvm -dfsan-reaches-function-callbacks=1 %s %t-callbacks.o -o %t
// RUN: %run %t 2>&1 | FileCheck %s
// RUN: %clang_dfsan -fno-sanitize=dataflow -O2 -fPIE -DCALLBACKS -DORIGIN_TRACKING -c %s -o %t-callbacks.o
browneeeUnsubmitted
Done
ReplyInline Actions

Can you make this test build and run a second time with origin tracking enabled?
e.g. https://github.com/llvm/llvm-project/blob/91b38c6aaddefabad2a4c959ea3865e356761ed5/compiler-rt/test/dfsan/flush.c#L3

When origin tracking is enabled (use #ifdef), you could also call dfsan_print_origin_id_trace and add filecheck expectations for that output.

browneee: Can you make this test build and run a second time with origin tracking enabled? e.g. https…
// RUN: %clang_dfsan -gmlt -fsanitize-ignorelist=%S/Inputs/flags_abilist.txt -O2 -mllvm -dfsan-reaches-function-callbacks=1 -mllvm -dfsan-track-origins=2 %s %t-callbacks.o -o %t
// RUN: %run %t 2>&1 | FileCheck --check-prefix=CHECK-ORIGIN-TRACKING %s
// REQUIRES: x86_64-target-arch
// Tests that callbacks are inserted for reached functions when
// -dfsan-reaches-function-callbacks is specified.
#include <assert.h>
#include <stdio.h>
#include <string.h>
#include <sanitizer/dfsan_interface.h>
#ifdef CALLBACKS
// Compile this code without DFSan to avoid recursive instrumentation.
void my_dfsan_reaches_function_callback(dfsan_label label, dfsan_origin origin,
browneeeUnsubmitted
Done
ReplyInline Actions

It may be a better approach to:

  • print the file,line,function here
  • pipe the output into filecheck
  • add filecheck expectations to match for the printed lines, put them at each function and use [[@LINE-1]]

The advantages of this would be:

browneee: It may be a better approach to: - print the file,line,function here - pipe the output into…
const char *file, unsigned int line,
const char *function) {
#ifdef ORIGIN_TRACKING
dfsan_print_origin_id_trace(origin);
#else
printf("%s:%d %s\n", file, line, function);
#endif
}
#else
__attribute__((noinline)) uint64_t add(uint64_t *a, uint64_t *b) {
return *a + *b;
// CHECK: {{.*}}compiler-rt/test/dfsan/reaches_function.c:[[# @LINE - 1]] add.dfsan
// CHECK-ORIGIN-TRACKING: Origin value: 0x10000002, Taint value was stored to memory at
// CHECK-ORIGIN-TRACKING: #0 {{.*}} in add.dfsan {{.*}}compiler-rt/test/dfsan/reaches_function.c:[[# @LINE - 3]]:{{.*}}
// CHECK-ORIGIN-TRACKING: Origin value: 0x1, Taint value was created at
// CHECK-ORIGIN-TRACKING: #0 {{.*}} in main {{.*}}compiler-rt/test/dfsan/reaches_function.c:{{.*}}
}
extern void my_dfsan_reaches_function_callback(dfsan_label label,
dfsan_origin origin,
const char *file,
unsigned int line,
const char *function);
int main(int argc, char *argv[]) {
dfsan_set_reaches_function_callback(my_dfsan_reaches_function_callback);
browneeeUnsubmitted
Done
ReplyInline Actions

To clarify, this is triggered by the tainted value is returned from add?

Should we expect the location to be here-1 because it should be the line number of the containing function, or should the line number be down at 60?

browneee: To clarify, this is triggered by the tainted value is returned from add? Should we expect the…
clgAuthorUnsubmitted
Done
ReplyInline Actions

changed it, see other comment.

clg: changed it, see other comment.
uint64_t a = 0;
uint64_t b = 0;
dfsan_set_label(8, &a, sizeof(a));
uint64_t c = add(&a, &b);
// CHECK: {{.*}}compiler-rt/test/dfsan/reaches_function.c:[[# @LINE - 1]] main
// CHECK-ORIGIN-TRACKING: Origin value: 0x10000002, Taint value was stored to memory at
// CHECK-ORIGIN-TRACKING: #0 {{.*}} in add.dfsan {{.*}}compiler-rt/test/dfsan/reaches_function.c:{{.*}}
// CHECK-ORIGIN-TRACKING: Origin value: 0x1, Taint value was created at
// CHECK-ORIGIN-TRACKING: #0 {{.*}} in main {{.*}}compiler-rt/test/dfsan/reaches_function.c:[[# @LINE - 6]]:{{.*}}
return c;
}
#endif // #ifdef CALLBACKS

llvm/lib/Transforms/Instrumentation/DataFlowSanitizer.cpp

Show First 20 LinesShow All 217 Lines▼ Show 20 Lines
// Experimental feature that inserts callbacks for conditionals, including: // Experimental feature that inserts callbacks for conditionals, including:
// conditional branch, switch, select. // conditional branch, switch, select.
// This must be true for dfsan_set_conditional_callback() to have effect. // This must be true for dfsan_set_conditional_callback() to have effect.
static cl::opt<bool> ClConditionalCallbacks( static cl::opt<bool> ClConditionalCallbacks(
"dfsan-conditional-callbacks", "dfsan-conditional-callbacks",
cl::desc("Insert calls to callback functions on conditionals."), cl::Hidden, cl::desc("Insert calls to callback functions on conditionals."), cl::Hidden,
cl::init(false)); cl::init(false));
// Experimental feature that inserts callbacks for data reaching a function,
// either via function arguments and loads.
// This must be true for dfsan_set_reaches_function_callback() to have effect.
static cl::opt<bool> ClReachesFunctionCallbacks(
"dfsan-reaches-function-callbacks",
cl::desc("Insert calls to callback functions on data reaching a function."),
cl::Hidden, cl::init(false));
// Controls whether the pass tracks the control flow of select instructions. // Controls whether the pass tracks the control flow of select instructions.
static cl::opt<bool> ClTrackSelectControlFlow( static cl::opt<bool> ClTrackSelectControlFlow(
"dfsan-track-select-control-flow", "dfsan-track-select-control-flow",
cl::desc("Propagate labels from condition values of select instructions " cl::desc("Propagate labels from condition values of select instructions "
"to results."), "to results."),
cl::Hidden, cl::init(true)); cl::Hidden, cl::init(true));
// TODO: This default value follows MSan. DFSan may use a different value. // TODO: This default value follows MSan. DFSan may use a different value.
▲ Show 20 LinesShow All 207 Lines▼ Show 20 Linesclass DataFlowSanitizer {
FunctionType *DFSanLoadLabelAndOriginFnTy; FunctionType *DFSanLoadLabelAndOriginFnTy;
FunctionType *DFSanUnimplementedFnTy; FunctionType *DFSanUnimplementedFnTy;
FunctionType *DFSanWrapperExternWeakNullFnTy; FunctionType *DFSanWrapperExternWeakNullFnTy;
FunctionType *DFSanSetLabelFnTy; FunctionType *DFSanSetLabelFnTy;
FunctionType *DFSanNonzeroLabelFnTy; FunctionType *DFSanNonzeroLabelFnTy;
FunctionType *DFSanVarargWrapperFnTy; FunctionType *DFSanVarargWrapperFnTy;
FunctionType *DFSanConditionalCallbackFnTy; FunctionType *DFSanConditionalCallbackFnTy;
FunctionType *DFSanConditionalCallbackOriginFnTy; FunctionType *DFSanConditionalCallbackOriginFnTy;
FunctionType *DFSanReachesFunctionCallbackFnTy;
FunctionType *DFSanReachesFunctionCallbackOriginFnTy;
FunctionType *DFSanCmpCallbackFnTy; FunctionType *DFSanCmpCallbackFnTy;
FunctionType *DFSanLoadStoreCallbackFnTy; FunctionType *DFSanLoadStoreCallbackFnTy;
FunctionType *DFSanMemTransferCallbackFnTy; FunctionType *DFSanMemTransferCallbackFnTy;
FunctionType *DFSanChainOriginFnTy; FunctionType *DFSanChainOriginFnTy;
FunctionType *DFSanChainOriginIfTaintedFnTy; FunctionType *DFSanChainOriginIfTaintedFnTy;
FunctionType *DFSanMemOriginTransferFnTy; FunctionType *DFSanMemOriginTransferFnTy;
FunctionType *DFSanMemShadowOriginTransferFnTy; FunctionType *DFSanMemShadowOriginTransferFnTy;
FunctionType *DFSanMemShadowOriginConditionalExchangeFnTy; FunctionType *DFSanMemShadowOriginConditionalExchangeFnTy;
FunctionType *DFSanMaybeStoreOriginFnTy; FunctionType *DFSanMaybeStoreOriginFnTy;
FunctionCallee DFSanUnionLoadFn; FunctionCallee DFSanUnionLoadFn;
FunctionCallee DFSanLoadLabelAndOriginFn; FunctionCallee DFSanLoadLabelAndOriginFn;
FunctionCallee DFSanUnimplementedFn; FunctionCallee DFSanUnimplementedFn;
FunctionCallee DFSanWrapperExternWeakNullFn; FunctionCallee DFSanWrapperExternWeakNullFn;
FunctionCallee DFSanSetLabelFn; FunctionCallee DFSanSetLabelFn;
FunctionCallee DFSanNonzeroLabelFn; FunctionCallee DFSanNonzeroLabelFn;
FunctionCallee DFSanVarargWrapperFn; FunctionCallee DFSanVarargWrapperFn;
FunctionCallee DFSanLoadCallbackFn; FunctionCallee DFSanLoadCallbackFn;
FunctionCallee DFSanStoreCallbackFn; FunctionCallee DFSanStoreCallbackFn;
FunctionCallee DFSanMemTransferCallbackFn; FunctionCallee DFSanMemTransferCallbackFn;
FunctionCallee DFSanConditionalCallbackFn; FunctionCallee DFSanConditionalCallbackFn;
FunctionCallee DFSanConditionalCallbackOriginFn; FunctionCallee DFSanConditionalCallbackOriginFn;
FunctionCallee DFSanReachesFunctionCallbackFn;
FunctionCallee DFSanReachesFunctionCallbackOriginFn;
FunctionCallee DFSanCmpCallbackFn; FunctionCallee DFSanCmpCallbackFn;
FunctionCallee DFSanChainOriginFn; FunctionCallee DFSanChainOriginFn;
FunctionCallee DFSanChainOriginIfTaintedFn; FunctionCallee DFSanChainOriginIfTaintedFn;
FunctionCallee DFSanMemOriginTransferFn; FunctionCallee DFSanMemOriginTransferFn;
FunctionCallee DFSanMemShadowOriginTransferFn; FunctionCallee DFSanMemShadowOriginTransferFn;
FunctionCallee DFSanMemShadowOriginConditionalExchangeFn; FunctionCallee DFSanMemShadowOriginConditionalExchangeFn;
FunctionCallee DFSanMaybeStoreOriginFn; FunctionCallee DFSanMaybeStoreOriginFn;
SmallPtrSet<Value *, 16> DFSanRuntimeFunctions; SmallPtrSet<Value *, 16> DFSanRuntimeFunctions;
▲ Show 20 LinesShow All 190 Lines▼ Show 20 Lines void storeZeroPrimitiveShadow(Value *Addr, uint64_t Size, Align ShadowAlign,
Instruction *Pos); Instruction *Pos);
Align getShadowAlign(Align InstAlignment); Align getShadowAlign(Align InstAlignment);
// If ClConditionalCallbacks is enabled, insert a callback after a given // If ClConditionalCallbacks is enabled, insert a callback after a given
// branch instruction using the given conditional expression. // branch instruction using the given conditional expression.
void addConditionalCallbacksIfEnabled(Instruction &I, Value *Condition); void addConditionalCallbacksIfEnabled(Instruction &I, Value *Condition);
// If ClReachesFunctionCallbacks is enabled, insert a callback for each
// argument and load instruction.
void addReachesFunctionCallbacksIfEnabled(IRBuilder<> &IRB, Instruction &I,
Value *Data);
bool isLookupTableConstant(Value *P); bool isLookupTableConstant(Value *P);
private: private:
/// Collapses the shadow with aggregate type into a single primitive shadow /// Collapses the shadow with aggregate type into a single primitive shadow
/// value. /// value.
template <class AggregateType> template <class AggregateType>
Value *collapseAggregateShadow(AggregateType *AT, Value *Shadow, Value *collapseAggregateShadow(AggregateType *AT, Value *Shadow,
IRBuilder<> &IRB); IRBuilder<> &IRB);
▲ Show 20 LinesShow All 336 Lines▼ Show 20 Lines if (DFS.shouldTrackOrigins()) {
Value *CondOrigin = getOrigin(Condition); Value *CondOrigin = getOrigin(Condition);
IRB.CreateCall(DFS.DFSanConditionalCallbackOriginFn, IRB.CreateCall(DFS.DFSanConditionalCallbackOriginFn,
{CondShadow, CondOrigin}); {CondShadow, CondOrigin});
} else { } else {
IRB.CreateCall(DFS.DFSanConditionalCallbackFn, {CondShadow}); IRB.CreateCall(DFS.DFSanConditionalCallbackFn, {CondShadow});
} }
} }
void DFSanFunction::addReachesFunctionCallbacksIfEnabled(IRBuilder<> &IRB,
Instruction &I,
Value *Data) {
if (!ClReachesFunctionCallbacks) {
return;
}
const DebugLoc &dbgloc = I.getDebugLoc();
Value *DataShadow = collapseToPrimitiveShadow(getShadow(Data), IRB);
ConstantInt *CILine;
llvm::Value *FilePathPtr;
if (dbgloc.get() == nullptr) {
CILine = llvm::ConstantInt::get(I.getContext(), llvm::APInt(32, 0, false));
FilePathPtr = IRB.CreateGlobalStringPtr(
I.getFunction()->getParent()->getSourceFileName());
} else {
CILine = llvm::ConstantInt::get(I.getContext(),
llvm::APInt(32, dbgloc.getLine(), false));
FilePathPtr =
IRB.CreateGlobalStringPtr(dbgloc->getFilename());
}
browneeeUnsubmitted
Done
ReplyInline Actions

Should this attempt to use debug information from Instruction &I (the instruction where this occurs), rather than just using the debug loc for the containing function?

browneee: Should this attempt to use debug information from `Instruction &I` (the instruction where this…
clgAuthorUnsubmitted
Done
ReplyInline Actions

Sure, we might as well give more fine-grained information on where the access took place.

clg: Sure, we might as well give more fine-grained information on where the access took place.
llvm::Value *FunctionNamePtr =
IRB.CreateGlobalStringPtr(I.getFunction()->getName());
CallInst *CB;
std::vector<Value *> args;
if (DFS.shouldTrackOrigins()) {
Value *DataOrigin = getOrigin(Data);
args = { DataShadow, DataOrigin, FilePathPtr, CILine, FunctionNamePtr };
CB = IRB.CreateCall(DFS.DFSanReachesFunctionCallbackOriginFn, args);
} else {
args = { DataShadow, FilePathPtr, CILine, FunctionNamePtr };
CB = IRB.CreateCall(DFS.DFSanReachesFunctionCallbackFn, args);
}
CB->setDebugLoc(dbgloc);
}
Type *DataFlowSanitizer::getShadowTy(Type *OrigTy) { Type *DataFlowSanitizer::getShadowTy(Type *OrigTy) {
if (!OrigTy->isSized()) if (!OrigTy->isSized())
return PrimitiveShadowTy; return PrimitiveShadowTy;
if (isa<IntegerType>(OrigTy)) if (isa<IntegerType>(OrigTy))
return PrimitiveShadowTy; return PrimitiveShadowTy;
if (isa<VectorType>(OrigTy)) if (isa<VectorType>(OrigTy))
return PrimitiveShadowTy; return PrimitiveShadowTy;
if (ArrayType *AT = dyn_cast<ArrayType>(OrigTy)) if (ArrayType *AT = dyn_cast<ArrayType>(OrigTy))
▲ Show 20 LinesShow All 56 Lines▼ Show 20 Lines DFSanVarargWrapperFnTy = FunctionType::get(
Type::getVoidTy(*Ctx), Type::getInt8PtrTy(*Ctx), /*isVarArg=*/false); Type::getVoidTy(*Ctx), Type::getInt8PtrTy(*Ctx), /*isVarArg=*/false);
DFSanConditionalCallbackFnTy = DFSanConditionalCallbackFnTy =
FunctionType::get(Type::getVoidTy(*Ctx), PrimitiveShadowTy, FunctionType::get(Type::getVoidTy(*Ctx), PrimitiveShadowTy,
/*isVarArg=*/false); /*isVarArg=*/false);
Type *DFSanConditionalCallbackOriginArgs[2] = {PrimitiveShadowTy, OriginTy}; Type *DFSanConditionalCallbackOriginArgs[2] = {PrimitiveShadowTy, OriginTy};
DFSanConditionalCallbackOriginFnTy = FunctionType::get( DFSanConditionalCallbackOriginFnTy = FunctionType::get(
Type::getVoidTy(*Ctx), DFSanConditionalCallbackOriginArgs, Type::getVoidTy(*Ctx), DFSanConditionalCallbackOriginArgs,
/*isVarArg=*/false); /*isVarArg=*/false);
Type *DFSanReachesFunctionCallbackArgs[4] = {PrimitiveShadowTy, Int8Ptr,
OriginTy, Int8Ptr};
DFSanReachesFunctionCallbackFnTy =
FunctionType::get(Type::getVoidTy(*Ctx), DFSanReachesFunctionCallbackArgs,
/*isVarArg=*/false);
Type *DFSanReachesFunctionCallbackOriginArgs[5] = {
PrimitiveShadowTy, OriginTy, Int8Ptr, OriginTy, Int8Ptr};
DFSanReachesFunctionCallbackOriginFnTy = FunctionType::get(
Type::getVoidTy(*Ctx), DFSanReachesFunctionCallbackOriginArgs,
/*isVarArg=*/false);
DFSanCmpCallbackFnTy = DFSanCmpCallbackFnTy =
FunctionType::get(Type::getVoidTy(*Ctx), PrimitiveShadowTy, FunctionType::get(Type::getVoidTy(*Ctx), PrimitiveShadowTy,
/*isVarArg=*/false); /*isVarArg=*/false);
DFSanChainOriginFnTy = DFSanChainOriginFnTy =
FunctionType::get(OriginTy, OriginTy, /*isVarArg=*/false); FunctionType::get(OriginTy, OriginTy, /*isVarArg=*/false);
Type *DFSanChainOriginIfTaintedArgs[2] = {PrimitiveShadowTy, OriginTy}; Type *DFSanChainOriginIfTaintedArgs[2] = {PrimitiveShadowTy, OriginTy};
DFSanChainOriginIfTaintedFnTy = FunctionType::get( DFSanChainOriginIfTaintedFnTy = FunctionType::get(
OriginTy, DFSanChainOriginIfTaintedArgs, /*isVarArg=*/false); OriginTy, DFSanChainOriginIfTaintedArgs, /*isVarArg=*/false);
▲ Show 20 LinesShow All 212 Lines▼ Show 20 Lines DFSanRuntimeFunctions.insert(
DFSanStoreCallbackFn.getCallee()->stripPointerCasts()); DFSanStoreCallbackFn.getCallee()->stripPointerCasts());
DFSanRuntimeFunctions.insert( DFSanRuntimeFunctions.insert(
DFSanMemTransferCallbackFn.getCallee()->stripPointerCasts()); DFSanMemTransferCallbackFn.getCallee()->stripPointerCasts());
DFSanRuntimeFunctions.insert( DFSanRuntimeFunctions.insert(
DFSanConditionalCallbackFn.getCallee()->stripPointerCasts()); DFSanConditionalCallbackFn.getCallee()->stripPointerCasts());
DFSanRuntimeFunctions.insert( DFSanRuntimeFunctions.insert(
DFSanConditionalCallbackOriginFn.getCallee()->stripPointerCasts()); DFSanConditionalCallbackOriginFn.getCallee()->stripPointerCasts());
DFSanRuntimeFunctions.insert( DFSanRuntimeFunctions.insert(
DFSanReachesFunctionCallbackFn.getCallee()->stripPointerCasts());
DFSanRuntimeFunctions.insert(
DFSanReachesFunctionCallbackOriginFn.getCallee()->stripPointerCasts());
DFSanRuntimeFunctions.insert(
DFSanCmpCallbackFn.getCallee()->stripPointerCasts()); DFSanCmpCallbackFn.getCallee()->stripPointerCasts());
DFSanRuntimeFunctions.insert( DFSanRuntimeFunctions.insert(
DFSanChainOriginFn.getCallee()->stripPointerCasts()); DFSanChainOriginFn.getCallee()->stripPointerCasts());
DFSanRuntimeFunctions.insert( DFSanRuntimeFunctions.insert(
DFSanChainOriginIfTaintedFn.getCallee()->stripPointerCasts()); DFSanChainOriginIfTaintedFn.getCallee()->stripPointerCasts());
DFSanRuntimeFunctions.insert( DFSanRuntimeFunctions.insert(
DFSanMemOriginTransferFn.getCallee()->stripPointerCasts()); DFSanMemOriginTransferFn.getCallee()->stripPointerCasts());
DFSanRuntimeFunctions.insert( DFSanRuntimeFunctions.insert(
Show All 16 Linesvoid DataFlowSanitizer::initializeCallbackFunctions(Module &M) {
DFSanCmpCallbackFn = DFSanCmpCallbackFn =
Mod->getOrInsertFunction("__dfsan_cmp_callback", DFSanCmpCallbackFnTy); Mod->getOrInsertFunction("__dfsan_cmp_callback", DFSanCmpCallbackFnTy);
DFSanConditionalCallbackFn = Mod->getOrInsertFunction( DFSanConditionalCallbackFn = Mod->getOrInsertFunction(
"__dfsan_conditional_callback", DFSanConditionalCallbackFnTy); "__dfsan_conditional_callback", DFSanConditionalCallbackFnTy);
DFSanConditionalCallbackOriginFn = DFSanConditionalCallbackOriginFn =
Mod->getOrInsertFunction("__dfsan_conditional_callback_origin", Mod->getOrInsertFunction("__dfsan_conditional_callback_origin",
DFSanConditionalCallbackOriginFnTy); DFSanConditionalCallbackOriginFnTy);
DFSanReachesFunctionCallbackFn = Mod->getOrInsertFunction(
"__dfsan_reaches_function_callback", DFSanReachesFunctionCallbackFnTy);
DFSanReachesFunctionCallbackOriginFn =
Mod->getOrInsertFunction("__dfsan_reaches_function_callback_origin",
DFSanReachesFunctionCallbackOriginFnTy);
} }
void DataFlowSanitizer::injectMetadataGlobals(Module &M) { void DataFlowSanitizer::injectMetadataGlobals(Module &M) {
// These variables can be used: // These variables can be used:
// - by the runtime (to discover what the shadow width was, during // - by the runtime (to discover what the shadow width was, during
// compilation) // compilation)
// - in testing (to avoid hardcoding the shadow width and type but instead // - in testing (to avoid hardcoding the shadow width and type but instead
// extract them by pattern matching) // extract them by pattern matching)
▲ Show 20 LinesShow All 212 Lines▼ Show 20 Lines for (Function *F : FnsToInstrument) {
if (!F || F->isDeclaration()) if (!F || F->isDeclaration())
continue; continue;
removeUnreachableBlocks(*F); removeUnreachableBlocks(*F);
DFSanFunction DFSF(*this, F, FnsWithNativeABI.count(F), DFSanFunction DFSF(*this, F, FnsWithNativeABI.count(F),
FnsWithForceZeroLabel.count(F), GetTLI(*F)); FnsWithForceZeroLabel.count(F), GetTLI(*F));
if (ClReachesFunctionCallbacks) {
// Add callback for arguments reaching this function.
for (auto &FArg : F->args()) {
Instruction *Next = &F->getEntryBlock().front();
Value *FArgShadow = DFSF.getShadow(&FArg);
if (isZeroShadow(FArgShadow))
continue;
if (Instruction *FArgShadowInst = dyn_cast<Instruction>(FArgShadow)) {
Next = FArgShadowInst->getNextNode();
}
if (shouldTrackOrigins()) {
if (Instruction *Origin =
dyn_cast<Instruction>(DFSF.getOrigin(&FArg))) {
// Ensure IRB insertion point is after loads for shadow and origin.
Instruction *OriginNext = Origin->getNextNode();
if (Next->comesBefore(OriginNext)) {
Next = OriginNext;
}
}
}
IRBuilder<> IRB(Next);
DFSF.addReachesFunctionCallbacksIfEnabled(IRB, *Next, &FArg);
}
}
// DFSanVisitor may create new basic blocks, which confuses df_iterator. // DFSanVisitor may create new basic blocks, which confuses df_iterator.
// Build a copy of the list before iterating over it. // Build a copy of the list before iterating over it.
SmallVector<BasicBlock *, 4> BBList(depth_first(&F->getEntryBlock())); SmallVector<BasicBlock *, 4> BBList(depth_first(&F->getEntryBlock()));
for (BasicBlock *BB : BBList) { for (BasicBlock *BB : BBList) {
Instruction *Inst = &BB->front(); Instruction *Inst = &BB->front();
while (true) { while (true) {
// DFSanVisitor may split the current basic block, changing the current // DFSanVisitor may split the current basic block, changing the current
▲ Show 20 LinesShow All 666 Lines▼ Show 20 Linesvoid DFSanVisitor::visitLoadInst(LoadInst &LI) {
// When an application load is atomic, increase atomic ordering between // When an application load is atomic, increase atomic ordering between
// atomic application loads and stores to ensure happen-before order; load // atomic application loads and stores to ensure happen-before order; load
// shadow data after application data; store zero shadow data before // shadow data after application data; store zero shadow data before
// application data. This ensure shadow loads return either labels of the // application data. This ensure shadow loads return either labels of the
// initial application data or zeros. // initial application data or zeros.
if (LI.isAtomic()) if (LI.isAtomic())
LI.setOrdering(addAcquireOrdering(LI.getOrdering())); LI.setOrdering(addAcquireOrdering(LI.getOrdering()));
Instruction *AfterLi = LI.getNextNode();
Instruction *Pos = LI.isAtomic() ? LI.getNextNode() : &LI; Instruction *Pos = LI.isAtomic() ? LI.getNextNode() : &LI;
std::vector<Value *> Shadows; std::vector<Value *> Shadows;
std::vector<Value *> Origins; std::vector<Value *> Origins;
Value *PrimitiveShadow, *Origin; Value *PrimitiveShadow, *Origin;
std::tie(PrimitiveShadow, Origin) = std::tie(PrimitiveShadow, Origin) =
DFSF.loadShadowOrigin(LI.getPointerOperand(), Size, LI.getAlign(), Pos); DFSF.loadShadowOrigin(LI.getPointerOperand(), Size, LI.getAlign(), Pos);
const bool ShouldTrackOrigins = DFSF.DFS.shouldTrackOrigins(); const bool ShouldTrackOrigins = DFSF.DFS.shouldTrackOrigins();
if (ShouldTrackOrigins) { if (ShouldTrackOrigins) {
Show All 21 Lines if (ShouldTrackOrigins) {
DFSF.setOrigin(&LI, DFSF.combineOrigins(Shadows, Origins, Pos)); DFSF.setOrigin(&LI, DFSF.combineOrigins(Shadows, Origins, Pos));
} }
if (ClEventCallbacks) { if (ClEventCallbacks) {
IRBuilder<> IRB(Pos); IRBuilder<> IRB(Pos);
Value *Addr8 = IRB.CreateBitCast(LI.getPointerOperand(), DFSF.DFS.Int8Ptr); Value *Addr8 = IRB.CreateBitCast(LI.getPointerOperand(), DFSF.DFS.Int8Ptr);
IRB.CreateCall(DFSF.DFS.DFSanLoadCallbackFn, {PrimitiveShadow, Addr8}); IRB.CreateCall(DFSF.DFS.DFSanLoadCallbackFn, {PrimitiveShadow, Addr8});
} }
IRBuilder<> IRB(AfterLi);
DFSF.addReachesFunctionCallbacksIfEnabled(IRB, LI, &LI);
} }
Value *DFSanFunction::updateOriginIfTainted(Value *Shadow, Value *Origin, Value *DFSanFunction::updateOriginIfTainted(Value *Shadow, Value *Origin,
IRBuilder<> &IRB) { IRBuilder<> &IRB) {
assert(DFS.shouldTrackOrigins()); assert(DFS.shouldTrackOrigins());
return IRB.CreateCall(DFS.DFSanChainOriginIfTaintedFn, {Shadow, Origin}); return IRB.CreateCall(DFS.DFSanChainOriginIfTaintedFn, {Shadow, Origin});
} }
▲ Show 20 LinesShow All 983 Lines▼ Show 20 Lines if (!CB.getType()->isVoidTy()) {
} }
if (ShouldTrackOrigins) { if (ShouldTrackOrigins) {
LoadInst *LI = NextIRB.CreateLoad(DFSF.DFS.OriginTy, LoadInst *LI = NextIRB.CreateLoad(DFSF.DFS.OriginTy,
DFSF.getRetvalOriginTLS(), "_dfsret_o"); DFSF.getRetvalOriginTLS(), "_dfsret_o");
DFSF.SkipInsts.insert(LI); DFSF.SkipInsts.insert(LI);
DFSF.setOrigin(&CB, LI); DFSF.setOrigin(&CB, LI);
} }
DFSF.addReachesFunctionCallbacksIfEnabled(NextIRB, CB, &CB);
} }
} }
void DFSanVisitor::visitPHINode(PHINode &PN) { void DFSanVisitor::visitPHINode(PHINode &PN) {
Type *ShadowTy = DFSF.DFS.getShadowTy(&PN); Type *ShadowTy = DFSF.DFS.getShadowTy(&PN);
PHINode *ShadowPN = PHINode *ShadowPN =
PHINode::Create(ShadowTy, PN.getNumIncomingValues(), "", &PN); PHINode::Create(ShadowTy, PN.getNumIncomingValues(), "", &PN);
Show All 37 Lines

llvm/test/Instrumentation/DataFlowSanitizer/reaches_function.ll

  • This file was added.
; RUN: opt < %s -passes=dfsan -dfsan-reaches-function-callbacks=1 -S | FileCheck %s
target datalayout = "e-m:e-p270:32:32-p271:32:32-p272:64:64-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-pc-linux-gnu"
declare i32 @f()
define void @load(i32) {
; CHECK-LABEL: define void @load.dfsan
; CHECK: call{{.*}}@__dfsan_reaches_function_callback
%i = alloca i32
store i32 %0, ptr %i
ret void
}
define void @store(ptr) {
; CHECK-LABEL: define void @store.dfsan
; CHECK: call{{.*}}@__dfsan_reaches_function_callback
%load = load i32, ptr %0
ret void
}
define void @call() {
; CHECK-LABEL: define void @call.dfsan
; CHECK: call{{.*}}@__dfsan_reaches_function_callback
%ret = call i32 @f()
ret void
}
; CHECK-LABEL: @__dfsan_reaches_function_callback(i8, ptr, i32, ptr)