diff --git a/compiler-rt/lib/interception/interception.h b/compiler-rt/lib/interception/interception.h --- a/compiler-rt/lib/interception/interception.h +++ b/compiler-rt/lib/interception/interception.h @@ -14,6 +14,7 @@ #ifndef INTERCEPTION_H #define INTERCEPTION_H +#include "sanitizer_common/sanitizer_asm.h" #include "sanitizer_common/sanitizer_internal_defs.h" #if !SANITIZER_LINUX && !SANITIZER_FREEBSD && !SANITIZER_APPLE && \ 
@@ -67,24 +68,50 @@ // for more details). To intercept such functions you need to use the // INTERCEPTOR_WITH_SUFFIX(...) macro. -// How it works: -// To replace system functions on Linux we just need to declare functions -// with same names in our library and then obtain the real function pointers +// How it works on Linux +// --------------------- +// +// To replace system functions on Linux we just need to declare functions with +// the same names in our library and then obtain the real function pointers // using dlsym(). -// There is one complication. A user may also intercept some of the functions -// we intercept. To resolve this we declare our interceptors with __interceptor_ -// prefix, and then make actual interceptors weak aliases to __interceptor_ -// functions. // -// This is not so on Mac OS, where the two-level namespace makes -// our replacement functions invisible to other libraries. This may be overcomed -// using the DYLD_FORCE_FLAT_NAMESPACE, but some errors loading the shared -// libraries in Chromium were noticed when doing so. +// There is one complication: a user may also intercept some of the functions we +// intercept. To allow for up to 3 interceptors (including ours) of a given +// function "func", the interceptor implementation is in ___interceptor_func, +// which is aliased by a weak function __interceptor_func, which in turn is +// aliased by weak function "func". +// +// Most user interceptors should define a foreign interceptor as follows: +// +// - provide a non-weak function "func" that performs interception; +// - if __interceptor_func exists, call it to perform the real functionality; +// - if it does not exist, figure out the real function and call it instead. 
+// +// In rare cases, a foreign interceptor (of another dynamic analysis runtime) +// may be defined as follows: +// +// - provide a non-weak function __interceptor_func that performs interception; +// - if ___interceptor_func exists, call it to perform the real functionality; +// - if it does not exist, figure out the real function and call it instead; +// - provide a weak function "func" that is an alias to __interceptor_func. +// +// With this protocol, sanitizer interceptors, foreign user interceptors, and +// foreign interceptors of other dynamic analysis runtimes, or any combination +// thereof, may co-exist simultaneously. +// +// How it works on Mac OS +// ---------------------- +// +// This is not so on Mac OS, where the two-level namespace makes our replacement +// functions invisible to other libraries. This may be overcomed using the +// DYLD_FORCE_FLAT_NAMESPACE, but some errors loading the shared libraries in +// Chromium were noticed when doing so. +// // Instead we create a dylib containing a __DATA,__interpose section that // associates library functions with their wrappers. When this dylib is -// preloaded before an executable using DYLD_INSERT_LIBRARIES, it routes all -// the calls to interposed functions done through stubs to the wrapper -// functions. +// preloaded before an executable using DYLD_INSERT_LIBRARIES, it routes all the +// calls to interposed functions done through stubs to the wrapper functions. +// // As it's decided at compile time which functions are to be intercepted on Mac, // INTERCEPT_FUNCTION() is effectively a no-op on this system. 
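Review bot: The protocol in the "How it works on Linux" comment tells a foreign interceptor to call `__interceptor_func` (or `___interceptor_func`) "if it exists", but never says how existence is tested. Read literally, that produces a strong undefined reference, which fails to link or load when no sanitizer runtime is present. The comment should state that the symbol has to be declared as a weak reference and compared against null, e.g. `extern "C" int __interceptor_func(int) __attribute__((weak));` followed by `if (__interceptor_func) return __interceptor_func(d);`. In the re-wrapped Mac OS paragraph, "overcomed" should be "overcome".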
@@ -131,8 +158,8 @@ # define DECLARE_WRAPPER_WINAPI(ret_type, func, ...) \ extern "C" __declspec(dllimport) ret_type __stdcall func(__VA_ARGS__); #elif !SANITIZER_FUCHSIA // LINUX, FREEBSD, NETBSD, SOLARIS -# define WRAP(x) __interceptor_ ## x -# define TRAMPOLINE(x) WRAP(x) +# define WRAP(x) ___interceptor_ ## x +# define TRAMPOLINE(x) __interceptor_trampoline_ ## x # define INTERCEPTOR_ATTRIBUTE __attribute__((visibility("default"))) # if SANITIZER_FREEBSD || SANITIZER_NETBSD // FreeBSD's dynamic linker (incompliantly) gives non-weak symbols higher @@ -142,9 +169,21 @@ # else // SANITIZER_FREEBSD || SANITIZER_NETBSD # define OVERRIDE_ATTRIBUTE __attribute__((weak)) # endif // SANITIZER_FREEBSD || SANITIZER_NETBSD +// Weak aliases of weak aliases do not work, therefore we need to set up a +// trampoline function. The function "func" is a weak alias to the trampoline, +// which calls the weak function _interceptor_func, which in turn calls the +// actual interceptor implementation __interceptor_func. To check if "func" was +// overridden by a foreign interceptor, we need another intermediate function +// __interceptor_trampoline_func. # define DECLARE_WRAPPER(ret_type, func, ...) \ extern "C" ret_type func(__VA_ARGS__) INTERCEPTOR_ATTRIBUTE \ - OVERRIDE_ATTRIBUTE ALIAS(WRAP(func)); + OVERRIDE_ATTRIBUTE ALIAS(TRAMPOLINE(func)); \ + extern "C" __attribute__((naked)) ret_type TRAMPOLINE(func)(__VA_ARGS__) { \ + asm volatile( \ + SANITIZER_STRINGIFY(ASM_TAIL_CALL) " __interceptor_" #func); \ + } \ + extern "C" ret_type __interceptor_##func(__VA_ARGS__) \ + INTERCEPTOR_ATTRIBUTE __attribute__((weak)) ALIAS(WRAP(func)); #endif #if SANITIZER_FUCHSIA diff --git a/compiler-rt/lib/interception/tests/CMakeLists.txt b/compiler-rt/lib/interception/tests/CMakeLists.txt --- a/compiler-rt/lib/interception/tests/CMakeLists.txt +++ b/compiler-rt/lib/interception/tests/CMakeLists.txt 
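Review bot: The comment added above `DECLARE_WRAPPER` is one underscore short on two names and contradicts both the macros and the file-header description: it says the trampoline calls the weak function `_interceptor_func`, which calls the implementation `__interceptor_func`, while the code makes `__interceptor_##func` the weak alias and `WRAP(func)`, i.e. `___interceptor_func`, the implementation. Because the names differ by a single `_`, readers will rely on the comment; it should read `which tail-calls the weak function __interceptor_func, which in turn is an alias of the actual interceptor implementation ___interceptor_func`. "Calls" is also inaccurate for the second step, since the hunk sets it up with `ALIAS(WRAP(func))` rather than a call. Separately, the trampoline is a `naked` function whose body is only the jump; support for `naked` differs between compilers and targets, so it is worth confirming that every supported toolchain accepts it, or emitting the trampoline from file-scope asm instead.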
@@ -4,6 +4,7 @@ set(INTERCEPTION_UNITTESTS interception_linux_test.cpp + interception_linux_foreign_test.cpp interception_test_main.cpp interception_win_test.cpp ) @@ -18,6 +19,10 @@ -I${COMPILER_RT_SOURCE_DIR}/lib -I${COMPILER_RT_SOURCE_DIR}/lib/interception -fno-rtti + -fno-builtin-isdigit + -fno-builtin-isalpha + -fno-builtin-isalnum + -fno-builtin-islower -O2 -Werror=sign-compare) diff --git a/compiler-rt/lib/interception/tests/interception_linux_foreign_test.cpp b/compiler-rt/lib/interception/tests/interception_linux_foreign_test.cpp new file mode 100644 --- /dev/null +++ b/compiler-rt/lib/interception/tests/interception_linux_foreign_test.cpp 
@@ -0,0 +1,88 @@ +//===-- interception_linux_foreign_test.cpp -------------------------------===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// +// +// This file is a part of ThreadSanitizer/AddressSanitizer runtime. +// +// Tests that foreign interceptors work. +// +//===----------------------------------------------------------------------===// + +// Do not declare functions in ctype.h. +#define __NO_CTYPE + +#include "gtest/gtest.h" +#include "sanitizer_common/sanitizer_internal_defs.h" + +#if SANITIZER_LINUX + +extern "C" int isalnum(int d); +extern "C" int __interceptor_isalpha(int d); +extern "C" int ___interceptor_isalnum(int d); // the sanitizer interceptor +extern "C" int ___interceptor_islower(int d); // the sanitizer interceptor + +namespace __interception { +extern int isalpha_called; +extern int isalnum_called; +extern int islower_called; +} // namespace __interception +using namespace __interception; + +// Direct foreign interceptor. This is the "normal" protocol that other +// interceptors should follow. +extern "C" int isalpha(int d) { + // Use non-commutative arithmetic to verify order of calls. + isalpha_called *= isalpha_called + 1; + return __interceptor_isalpha(d); +} + +// Indirect foreign interceptor. This pattern should only be used to co-exist +// with direct foreign interceptors and sanitizer interceptors. 
+extern "C" int __interceptor_isalnum(int d) { + isalnum_called *= isalnum_called + 1; + return ___interceptor_isalnum(d); +} + +extern "C" int __interceptor_islower(int d) { + islower_called *= islower_called + 2; + return ___interceptor_islower(d); +} + +extern "C" int islower(int d) { + islower_called *= islower_called + 1; + return __interceptor_islower(d); +} + +namespace __interception { + +TEST(ForeignInterception, ForeignOverrideDirect) { + isalpha_called = 1; + EXPECT_NE(0, isalpha('a')); + EXPECT_EQ(10, isalpha_called); + EXPECT_EQ(0, isalpha('_')); + EXPECT_EQ(12430, isalpha_called); +} + +TEST(ForeignInterception, ForeignOverrideIndirect) { + isalnum_called = 1; + EXPECT_NE(0, isalnum('a')); + EXPECT_EQ(10, isalnum_called); + EXPECT_EQ(0, isalnum('_')); + EXPECT_EQ(12430, isalnum_called); +} + +TEST(ForeignInterception, ForeignOverrideThree) { + islower_called = 1; + EXPECT_NE(0, islower('a')); + EXPECT_EQ(88, islower_called); + EXPECT_EQ(0, islower('_')); + EXPECT_EQ(2046424912, islower_called); +} + +} // namespace __interception + +#endif // SANITIZER_LINUX diff --git a/compiler-rt/lib/interception/tests/interception_linux_test.cpp b/compiler-rt/lib/interception/tests/interception_linux_test.cpp --- a/compiler-rt/lib/interception/tests/interception_linux_test.cpp +++ b/compiler-rt/lib/interception/tests/interception_linux_test.cpp 
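Review bot: `ForeignOverrideThree` only passes because signed `int` arithmetic happens to wrap: on the second `islower` call the counter reaches 61355888, and the sanitizer-side step `islower_called *= islower_called + 3` (in interception_linux_test.cpp) multiplies it by 61355891, roughly 3.8e15, so the expected 2046424912 is that product modulo 2^32. Signed overflow is undefined behaviour and the test target is built with `-O2`, so the compiler may legally produce a different value, and a UBSan-instrumented build of the tests would likely report it. Declare the three counters unsigned in both files (`extern unsigned islower_called;` here, `unsigned islower_called;` in interception_linux_test.cpp) and give the expectations a `u` suffix, e.g. `EXPECT_EQ(2046424912u, islower_called);`, which also keeps `-Werror=sign-compare` satisfied. The same expectation appears in `Interception.ForeignOverrideThree` in the interception_linux_test.cpp hunk.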
@@ -11,36 +11,67 @@ // //===----------------------------------------------------------------------===// -// Do not declare isdigit in ctype.h. +// Do not declare functions in ctype.h. #define __NO_CTYPE #include "interception/interception.h" +#include + #include "gtest/gtest.h" -// Too slow for debug build -#if !SANITIZER_DEBUG #if SANITIZER_LINUX -static int InterceptorFunctionCalled; +static int isdigit_called; +namespace __interception { +int isalpha_called; +int isalnum_called; +int islower_called; +} // namespace __interception +using namespace __interception; DECLARE_REAL(int, isdigit, int); +DECLARE_REAL(int, isalpha, int); +DECLARE_REAL(int, isalnum, int); +DECLARE_REAL(int, islower, int); + +INTERCEPTOR(void *, malloc, SIZE_T s) { return calloc(1, s); } +INTERCEPTOR(void, dummy_doesnt_exist__, ) { __builtin_trap(); } INTERCEPTOR(int, isdigit, int d) { - ++InterceptorFunctionCalled; + ++isdigit_called; return d >= '0' && d <= '9'; } +INTERCEPTOR(int, isalpha, int d) { + isalpha_called *= isalpha_called + 3; + return (d >= 'a' && d <= 'z') || (d >= 'A' && d <= 'Z'); +} + +INTERCEPTOR(int, isalnum, int d) { + isalnum_called *= isalnum_called + 3; + return __interceptor_isalpha(d) || __interceptor_isdigit(d); +} + +INTERCEPTOR(int, islower, int d) { + islower_called *= islower_called + 3; + return d >= 'a' && d <= 'z'; +} + namespace __interception { TEST(Interception, InterceptFunction) { uptr malloc_address = 0; - EXPECT_TRUE(InterceptFunction("malloc", &malloc_address, 0, 0)); + EXPECT_TRUE(InterceptFunction("malloc", &malloc_address, (uptr)&malloc, + (uptr)&__interceptor_trampoline_malloc)); EXPECT_NE(0U, malloc_address); - EXPECT_FALSE(InterceptFunction("malloc", &malloc_address, 0, 1)); + EXPECT_FALSE(InterceptFunction("malloc", &malloc_address, (uptr)&calloc, + (uptr)&__interceptor_trampoline_malloc)); uptr dummy_address = 0; - EXPECT_FALSE(InterceptFunction("dummy_doesnt_exist__", &dummy_address, 0, 0)); + EXPECT_FALSE(InterceptFunction( + 
"dummy_doesnt_exist__", &dummy_address, (uptr)&dummy_doesnt_exist__, + (uptr)&__interceptor_trampoline_dummy_doesnt_exist__)); EXPECT_EQ(0U, dummy_address); } 
@@ -48,20 +79,67 @@ EXPECT_TRUE(INTERCEPT_FUNCTION(isdigit)); // After interception, the counter should be incremented. - InterceptorFunctionCalled = 0; + isdigit_called = 0; EXPECT_NE(0, isdigit('1')); - EXPECT_EQ(1, InterceptorFunctionCalled); + EXPECT_EQ(1, isdigit_called); EXPECT_EQ(0, isdigit('a')); - EXPECT_EQ(2, InterceptorFunctionCalled); + EXPECT_EQ(2, isdigit_called); // Calling the REAL function should not affect the counter. - InterceptorFunctionCalled = 0; + isdigit_called = 0; EXPECT_NE(0, REAL(isdigit)('1')); EXPECT_EQ(0, REAL(isdigit)('a')); - EXPECT_EQ(0, InterceptorFunctionCalled); + EXPECT_EQ(0, isdigit_called); +} + +TEST(Interception, ForeignOverrideDirect) { + // Actual interceptor is overridden. + EXPECT_FALSE(INTERCEPT_FUNCTION(isalpha)); + + isalpha_called = 1; + EXPECT_NE(0, isalpha('a')); + EXPECT_EQ(10, isalpha_called); + EXPECT_EQ(0, isalpha('_')); + EXPECT_EQ(12430, isalpha_called); + + isalpha_called = 1; + EXPECT_NE(0, REAL(isalpha)('a')); + EXPECT_EQ(0, REAL(isalpha)('_')); + EXPECT_EQ(1, isalpha_called); +} + +TEST(Interception, ForeignOverrideIndirect) { + // Actual interceptor is _not_ overridden. + EXPECT_TRUE(INTERCEPT_FUNCTION(isalnum)); + + isalnum_called = 1; + EXPECT_NE(0, isalnum('a')); + EXPECT_EQ(10, isalnum_called); + EXPECT_EQ(0, isalnum('_')); + EXPECT_EQ(12430, isalnum_called); + + isalnum_called = 1; + EXPECT_NE(0, REAL(isalnum)('a')); + EXPECT_EQ(0, REAL(isalnum)('_')); + EXPECT_EQ(1, isalnum_called); +} + +TEST(Interception, ForeignOverrideThree) { + // Actual interceptor is overridden. + EXPECT_FALSE(INTERCEPT_FUNCTION(islower)); + + islower_called = 1; + EXPECT_NE(0, islower('a')); + EXPECT_EQ(88, islower_called); + EXPECT_EQ(0, islower('A')); + EXPECT_EQ(2046424912, islower_called); + + islower_called = 1; + EXPECT_NE(0, REAL(islower)('a')); + EXPECT_EQ(0, REAL(islower)('A')); + EXPECT_EQ(1, islower_called); } } // namespace __interception #endif // SANITIZER_LINUX -#endif // #if !SANITIZER_DEBUG 
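Review bot: The expected counter values in the three `ForeignOverride*` tests (10, 12430, 88, 2046424912) are unexplained, so a failure gives no hint which interceptor in the chain was skipped or ran out of order. A short derivation would make them reviewable, e.g. above `EXPECT_EQ(10, isalpha_called);` add `// foreign isalpha: 1*(1+1)=2, then sanitizer interceptor: 2*(2+3)=10`, and for `islower` `// 1*(1+1)=2, 2*(2+2)=8, 8*(8+3)=88`. The comment `// Actual interceptor is overridden.` could also say by what: judging from the new foreign test file, a non-weak `isalpha`/`islower` defined in interception_linux_foreign_test.cpp, which is why `INTERCEPT_FUNCTION` is expected to return false there but true for `isalnum`.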
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_asm.h b/compiler-rt/lib/sanitizer_common/sanitizer_asm.h --- a/compiler-rt/lib/sanitizer_common/sanitizer_asm.h +++ b/compiler-rt/lib/sanitizer_common/sanitizer_asm.h @@ -42,17 +42,39 @@ # define CFI_RESTORE(reg) #endif +#if defined(__x86_64__) || defined(__i386__) || defined(__sparc__) +# define ASM_TAIL_CALL jmp +#elif defined(__arm__) || defined(__aarch64__) || defined(__mips__) || \ + defined(__powerpc__) || defined(__loongarch_lp64) +# define ASM_TAIL_CALL b +#elif defined(__s390__) +# define ASM_TAIL_CALL jg +#elif defined(__riscv) +# define ASM_TAIL_CALL tail +#else +# error "ASM_TAIL_CALL: Unimplemented architecture" +#endif + #if !defined(__APPLE__) # define ASM_HIDDEN(symbol) .hidden symbol # define ASM_TYPE_FUNCTION(symbol) .type symbol, %function # define ASM_SIZE(symbol) .size symbol, .-symbol # define ASM_SYMBOL(symbol) symbol # define ASM_SYMBOL_INTERCEPTOR(symbol) symbol -# define ASM_WRAPPER_NAME(symbol) __interceptor_##symbol +# define ASM_WRAPPER_NAME(symbol) ___interceptor_##symbol # define ASM_TRAMPOLINE_ALIAS(symbol, name) \ .weak symbol; \ - .set symbol, ASM_WRAPPER_NAME(name) -# define ASM_INTERCEPTOR_TRAMPOLINE(name) + .set symbol, __interceptor_trampoline_##name +# define ASM_INTERCEPTOR_TRAMPOLINE(name) \ + .weak __interceptor_##name; \ + .set __interceptor_##name, ASM_WRAPPER_NAME(name); \ + .globl __interceptor_trampoline_##name; \ + ASM_TYPE_FUNCTION(__interceptor_trampoline_##name); \ + __interceptor_trampoline_##name: \ + CFI_STARTPROC; \ + ASM_TAIL_CALL __interceptor_##name; \ + CFI_ENDPROC; \ + ASM_SIZE(__interceptor_trampoline_##name) #else # define ASM_HIDDEN(symbol) # define ASM_TYPE_FUNCTION(symbol) diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_stacktrace_printer.cpp b/compiler-rt/lib/sanitizer_common/sanitizer_stacktrace_printer.cpp --- a/compiler-rt/lib/sanitizer_common/sanitizer_stacktrace_printer.cpp 
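Review bot: The `#else` / `# error "ASM_TAIL_CALL: Unimplemented architecture"` branch sits outside the `#if !defined(__APPLE__)` block and is evaluated on every inclusion, and this commit also makes interception.h include sanitizer_asm.h unconditionally. Any target or compiler that defines none of the listed macros will therefore stop building the interception library even where no trampoline is emitted (for example the Windows branch of interception.h, if the compiler in use does not define `__x86_64__`/`__i386__`). Consider defining `ASM_TAIL_CALL` only inside the non-Apple branch that uses it, or moving the `#error` next to `ASM_INTERCEPTOR_TRAMPOLINE` so it fires only where a trampoline is needed. It is also worth checking builds with control-flow protection enabled: `__interceptor_trampoline_##name` begins directly with the jump and has no landing-pad instruction, which may matter if "func" is reached through an indirect branch; the naked trampoline in `DECLARE_WRAPPER` has the same shape.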
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_stacktrace_printer.cpp @@ -33,6 +33,8 @@ if (const char *s = try_strip("wrap_")) return s; } else { + if (const char *s = try_strip("___interceptor_")) + return s; if (const char *s = try_strip("__interceptor_")) return s; } diff --git a/compiler-rt/lib/sanitizer_common/scripts/gen_dynamic_list.py b/compiler-rt/lib/sanitizer_common/scripts/gen_dynamic_list.py --- a/compiler-rt/lib/sanitizer_common/scripts/gen_dynamic_list.py +++ b/compiler-rt/lib/sanitizer_common/scripts/gen_dynamic_list.py @@ -100,7 +100,7 @@ result.append(func) continue # Export interceptors. - match = re.match('__interceptor_(.*)', func) + match = re.match('_*_interceptor_(.*)', func) if match: result.append(func) # We have to avoid exporting the interceptors for versioned library diff --git a/compiler-rt/test/msan/Linux/b64.cpp b/compiler-rt/test/msan/Linux/b64.cpp --- a/compiler-rt/test/msan/Linux/b64.cpp +++ b/compiler-rt/test/msan/Linux/b64.cpp @@ -60,7 +60,7 @@ char dst[dst_len]; int res = b64_ntop(reinterpret_cast(src), src_len, dst, dst_len); - // NTOP_READ: Uninitialized bytes in __interceptor___b64_ntop + // NTOP_READ: Uninitialized bytes in ___interceptor___b64_ntop return 0; } @@ -73,7 +73,7 @@ __msan_poison(src, src_len); unsigned char target[src_len]; int res = b64_pton(src, target, src_len); - // PTON_READ: Uninitialized bytes in __interceptor___b64_pton + // PTON_READ: Uninitialized bytes in ___interceptor___b64_pton return 0; } diff --git a/compiler-rt/test/msan/Linux/sendmsg.cpp b/compiler-rt/test/msan/Linux/sendmsg.cpp --- a/compiler-rt/test/msan/Linux/sendmsg.cpp +++ b/compiler-rt/test/msan/Linux/sendmsg.cpp @@ -75,7 +75,7 @@ #if defined(SEND) sent = send(sockfd[0], buf, kBufSize, 0); - // SEND: Uninitialized bytes in __interceptor_send at offset 7 inside [{{.*}}, 10) + // SEND: Uninitialized bytes in ___interceptor_send at offset 7 inside [{{.*}}, 10) assert(sent > 0); ret = recv(sockfd[1], rbuf, kRecvBufSize, 0); 
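Review bot: The new pattern `'_*_interceptor_(.*)'` in gen_dynamic_list.py is looser than the two prefixes this commit introduces: it accepts a single leading underscore (`_interceptor_x`) as well as any longer run, and the string is not a raw literal. Since the result feeds the exported-symbol list, matching exactly the intended names is preferable: `match = re.match(r'___?interceptor_(.*)', func)`. Note also that for `__interceptor_trampoline_x` the captured group is `trampoline_x`; if the code after this hunk uses `match.group(1)` as the intercepted function's name (the following comment about versioned library functions suggests it might, but that code is outside the hunk), confirm that trampoline symbols are handled as intended.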
@@ -83,7 +83,7 @@ assert(__msan_test_shadow(rbuf, kRecvBufSize) == sent); #elif defined(SENDTO) sent = sendto(sockfd[0], buf, kBufSize, 0, nullptr, 0); - // SENDTO: Uninitialized bytes in __interceptor_sendto at offset 7 inside [{{.*}}, 10) + // SENDTO: Uninitialized bytes in ___interceptor_sendto at offset 7 inside [{{.*}}, 10) assert(sent > 0); struct sockaddr_storage ss; diff --git a/compiler-rt/test/msan/fgets_fputs.cpp b/compiler-rt/test/msan/fgets_fputs.cpp --- a/compiler-rt/test/msan/fgets_fputs.cpp +++ b/compiler-rt/test/msan/fgets_fputs.cpp @@ -43,5 +43,5 @@ return 0; } -// CHECK-FPUTS: Uninitialized bytes in __interceptor_fputs at offset 0 inside -// CHECK-PUTS: Uninitialized bytes in __interceptor_puts at offset 0 inside +// CHECK-FPUTS: Uninitialized bytes in ___interceptor_fputs at offset 0 inside +// CHECK-PUTS: Uninitialized bytes in ___interceptor_puts at offset 0 inside diff --git a/compiler-rt/test/msan/fread_fwrite.cpp b/compiler-rt/test/msan/fread_fwrite.cpp --- a/compiler-rt/test/msan/fread_fwrite.cpp +++ b/compiler-rt/test/msan/fread_fwrite.cpp @@ -31,4 +31,4 @@ return 0; } -// CHECK: Uninitialized bytes in __interceptor_fwrite at offset 0 inside +// CHECK: Uninitialized bytes in ___interceptor_fwrite at offset 0 inside diff --git a/compiler-rt/test/msan/getaddrinfo-positive.cpp b/compiler-rt/test/msan/getaddrinfo-positive.cpp --- a/compiler-rt/test/msan/getaddrinfo-positive.cpp +++ b/compiler-rt/test/msan/getaddrinfo-positive.cpp @@ -16,7 +16,7 @@ int res = getaddrinfo("localhost", NULL, NULL, &ai); if (ai) z = 1; // OK res = getaddrinfo("localhost", NULL, &hint, &ai); - // CHECK: Uninitialized bytes in __interceptor_getaddrinfo at offset 0 inside [0x{{.*}}, 48) + // CHECK: Uninitialized bytes in ___interceptor_getaddrinfo at offset 0 inside [0x{{.*}}, 48) // CHECK: WARNING: MemorySanitizer: use-of-uninitialized-value // CHECK: #0 {{.*}} in main {{.*}}getaddrinfo-positive.cpp:[[@LINE-3]] return 0; 
diff --git a/compiler-rt/test/msan/scoped-interceptors.cpp b/compiler-rt/test/msan/scoped-interceptors.cpp --- a/compiler-rt/test/msan/scoped-interceptors.cpp +++ b/compiler-rt/test/msan/scoped-interceptors.cpp @@ -26,13 +26,13 @@ char *copy = strndup(uninit, sizeof(uninit)); // BOOM free(copy); break; - // CASE-0: Uninitialized bytes in __interceptor_strndup + // CASE-0: Uninitialized bytes in ___interceptor_strndup } case '1': { puts(uninit); // BOOM puts(uninit); // Ensure previous call did not enable interceptor checks. break; - // CASE-1: Uninitialized bytes in __interceptor_puts + // CASE-1: Uninitialized bytes in ___interceptor_puts } case '2': { int cmp = memcmp(uninit, uninit, sizeof(uninit)); // BOOM @@ -42,7 +42,7 @@ case '3': { size_t len = strlen(uninit); // BOOM break; - // CASE-3: Uninitialized bytes in __interceptor_strlen + // CASE-3: Uninitialized bytes in ___interceptor_strlen } default: assert(0); } diff --git a/compiler-rt/test/msan/strndup.cpp b/compiler-rt/test/msan/strndup.cpp --- a/compiler-rt/test/msan/strndup.cpp +++ b/compiler-rt/test/msan/strndup.cpp @@ -18,7 +18,7 @@ assert(__msan_test_shadow(copy, 4) == 2); // Poisoning is preserved. free(copy); return 0; - // ON: Uninitialized bytes in __interceptor_{{(__)?}}strndup at offset 2 inside [{{.*}}, 4) + // ON: Uninitialized bytes in ___interceptor_{{(__)?}}strndup at offset 2 inside [{{.*}}, 4) // ON: MemorySanitizer: use-of-uninitialized-value // ON: #0 {{.*}}main {{.*}}strndup.cpp:[[@LINE-6]] // ON-LABEL: SUMMARY