This is an archive of the discontinued LLVM Phabricator instance.

Differential D29657

[safestack] Add runtime support for MPX-based hardening
Needs ReviewPublic

Authored by mlemay-intel on Feb 7 2017, 8:36 AM.

Details

Reviewers
zvi
eugenis
pcc
Summary

This patch adds support for the separate stack segment feature on 64-bit
platforms with Intel MPX support. It initializes MPX and allocates safe stacks
at high addresses so that BNDCU instructions inserted by the compiler can block
stray writes to safe stacks.

Diff Detail

Event Timeline

mlemay-intel created this revision.Feb 7 2017, 8:36 AM
Herald added a subscriber: mgorny. · View Herald TranscriptFeb 7 2017, 8:36 AM
kcc added a subscriber: kcc.Feb 7 2017, 1:55 PM

Michael ,
Please excuse me if I missed some email thread on llvm-dev describing at the high level what you are doing with MPX.
If there was no such thread I encourage you to start one.

I am personally extremely skeptical about anything related to MPX
(see https://github.com/google/sanitizers/wiki/AddressSanitizerIntelMemoryProtectionExtensions and the more recent and detailed intel-mpx.github.io).
Now, from a quick glance it looks like you are using the MPX instructions for something else,
but it deserves a discussion before we look at the patches.

mlemay-intel added a comment.Feb 7 2017, 2:07 PM
In D29657#669919, @kcc wrote:

Michael ,
Please excuse me if I missed some email thread on llvm-dev describing at the high level what you are doing with MPX.
If there was no such thread I encourage you to start one.

I am personally extremely skeptical about anything related to MPX
(see https://github.com/google/sanitizers/wiki/AddressSanitizerIntelMemoryProtectionExtensions and the more recent and detailed intel-mpx.github.io).
Now, from a quick glance it looks like you are using the MPX instructions for something else,
but it deserves a discussion before we look at the patches.

Hi Kostya,

You haven't missed anything; I'm in the middle of writing the llvm-dev post now. :) Thanks for your feedback. Very briefly, I'm using MPX to enforce something analogous to a coarse-grained segment limit rather than fine-grained per-object bounds.

mlemay-intel updated this revision to Diff 87931.Feb 9 2017, 6:08 PM
  • Reserve space during runtime library initialization for safe stacks to be allocated later. This helps to prevent ordinary data from being allocated at addresses that could lead to bound check violations.
  • Protect the variable that records the address of the most recent safe stack by moving it above the bound.
  • Add MprotectReadWrite to sanitizer_posix.cc.
Herald added a subscriber: kubamracek. · View Herald TranscriptFeb 9 2017, 6:08 PM

Revision Contents

PathSize
lib/
safestack/
17 lines
25 lines
192 lines
sanitizer_common/
1 line
4 lines

Diff 87931

lib/safestack/CMakeLists.txt

add_compiler_rt_component(safestack) add_compiler_rt_component(safestack)
add_compiler_rt_component(safestacksepseg)
set(SAFESTACK_SOURCES safestack.cc) set(SAFESTACK_SOURCES safestack.cc)
set(SAFESTACKMPX_SOURCES safestackmpx.cc)
include_directories(..) include_directories(..)
set(SAFESTACK_CFLAGS ${SANITIZER_COMMON_CFLAGS}) set(SAFESTACK_CFLAGS ${SANITIZER_COMMON_CFLAGS})
# CPUID will be used to check for XSAVEC support at runtime
set(SAFESTACKMPX_CFLAGS ${SANITIZER_COMMON_CFLAGS} -mxsavec)
if(APPLE) if(APPLE)
# Build universal binary on APPLE. # Build universal binary on APPLE.
add_compiler_rt_runtime(clang_rt.safestack add_compiler_rt_runtime(clang_rt.safestack
STATIC STATIC
OS osx OS osx
ARCHS ${SAFESTACK_SUPPORTED_ARCH} ARCHS ${SAFESTACK_SUPPORTED_ARCH}
SOURCES ${SAFESTACK_SOURCES} SOURCES ${SAFESTACK_SOURCES}
Show All 10 Lines add_compiler_rt_runtime(clang_rt.safestack
ARCHS ${arch} ARCHS ${arch}
SOURCES ${SAFESTACK_SOURCES} SOURCES ${SAFESTACK_SOURCES}
$<TARGET_OBJECTS:RTInterception.${arch}> $<TARGET_OBJECTS:RTInterception.${arch}>
$<TARGET_OBJECTS:RTSanitizerCommon.${arch}> $<TARGET_OBJECTS:RTSanitizerCommon.${arch}>
$<TARGET_OBJECTS:RTSanitizerCommonNoLibc.${arch}> $<TARGET_OBJECTS:RTSanitizerCommonNoLibc.${arch}>
CFLAGS ${SAFESTACK_CFLAGS} CFLAGS ${SAFESTACK_CFLAGS}
PARENT_TARGET safestack) PARENT_TARGET safestack)
endforeach() endforeach()
add_compiler_rt_runtime(clang_rt.safestacksepseg
STATIC
ARCHS x86_64
# Build safestack sources into this library instead of linking both
# libraries, because RTSanitizerCommonNoLibc and RTSanitizerCommonLibc define
# some identical symbols.
SOURCES ${SAFESTACK_SOURCES}
${SAFESTACKMPX_SOURCES}
$<TARGET_OBJECTS:RTInterception.x86_64>
$<TARGET_OBJECTS:RTSanitizerCommon.x86_64>
$<TARGET_OBJECTS:RTSanitizerCommonLibc.x86_64>
CFLAGS ${SAFESTACKMPX_CFLAGS}
PARENT_TARGET safestacksepseg)
endif() endif()

lib/safestack/safestack.cc

Show First 20 LinesShow All 128 Lines▼ Show 20 Linesstruct tinfo {
void *(*start_routine)(void *); void *(*start_routine)(void *);
void *start_routine_arg; void *start_routine_arg;
void *unsafe_stack_start; void *unsafe_stack_start;
size_t unsafe_stack_size; size_t unsafe_stack_size;
size_t unsafe_stack_guard; size_t unsafe_stack_guard;
}; };
__attribute__((weak))
void __safestack_sepseg_thread_start() {}
/// Wrap the thread function in order to deallocate the unsafe stack when the /// Wrap the thread function in order to deallocate the unsafe stack when the
/// thread terminates by returning from its main function. /// thread terminates by returning from its main function.
static void *thread_start(void *arg) { static void *thread_start(void *arg) {
struct tinfo *tinfo = (struct tinfo *)arg; struct tinfo *tinfo = (struct tinfo *)arg;
void *(*start_routine)(void *) = tinfo->start_routine; void *(*start_routine)(void *) = tinfo->start_routine;
void *start_routine_arg = tinfo->start_routine_arg; void *start_routine_arg = tinfo->start_routine_arg;
Show All 19 Linesstatic void thread_cleanup_handler(void *_iter) {
if (iter < PTHREAD_DESTRUCTOR_ITERATIONS) { if (iter < PTHREAD_DESTRUCTOR_ITERATIONS) {
pthread_setspecific(thread_cleanup_key, (void *)(iter + 1)); pthread_setspecific(thread_cleanup_key, (void *)(iter + 1));
} else { } else {
// This is the last iteration // This is the last iteration
unsafe_stack_free(); unsafe_stack_free();
} }
} }
// The SafeStack separate segment library overrides this to modify the
// attributes.
__attribute__((weak))
void __safestack_sepseg_pthread_create(const pthread_attr_t **attr,
pthread_attr_t *tmpattr,
size_t size, size_t guard) {}
/// Intercept thread creation operation to allocate and setup the unsafe stack /// Intercept thread creation operation to allocate and setup the unsafe stack
INTERCEPTOR(int, pthread_create, pthread_t *thread, INTERCEPTOR(int, pthread_create, pthread_t *thread,
const pthread_attr_t *attr, const pthread_attr_t *attr,
void *(*start_routine)(void*), void *arg) { void *(*start_routine)(void*), void *arg) {
size_t size = 0; size_t size = 0;
size_t guard = 0; size_t guard = 0;
Show All 17 LinesINTERCEPTOR(int, pthread_create, pthread_t *thread,
struct tinfo *tinfo = struct tinfo *tinfo =
(struct tinfo *)(((char *)addr) + size - sizeof(struct tinfo)); (struct tinfo *)(((char *)addr) + size - sizeof(struct tinfo));
tinfo->start_routine = start_routine; tinfo->start_routine = start_routine;
tinfo->start_routine_arg = arg; tinfo->start_routine_arg = arg;
tinfo->unsafe_stack_start = addr; tinfo->unsafe_stack_start = addr;
tinfo->unsafe_stack_size = size; tinfo->unsafe_stack_size = size;
tinfo->unsafe_stack_guard = guard; tinfo->unsafe_stack_guard = guard;
return REAL(pthread_create)(thread, attr, thread_start, tinfo); pthread_attr_t tmpattr;
__safestack_sepseg_pthread_create(&attr, &tmpattr, size, guard);
int result = REAL(pthread_create)(thread, attr, thread_start, tinfo);
if (attr == &tmpattr)
CHECK_EQ(pthread_attr_destroy(&tmpattr), 0);
return result;
} }
__attribute__((weak))
void __safestack_sepseg_init(unsigned pageSize) {}
extern "C" __attribute__((visibility("default"))) extern "C" __attribute__((visibility("default")))
#if !SANITIZER_CAN_USE_PREINIT_ARRAY #if !SANITIZER_CAN_USE_PREINIT_ARRAY
// On ELF platforms, the constructor is invoked using .preinit_array (see below) // On ELF platforms, the constructor is invoked using .preinit_array (see below)
__attribute__((constructor(0))) __attribute__((constructor(0)))
#endif #endif
void __safestack_init() { void __safestack_init() {
// Determine the stack size for the main thread. // Determine the stack size for the main thread.
size_t size = kDefaultUnsafeStackSize; size_t size = kDefaultUnsafeStackSize;
Show All 9 Linesvoid __safestack_init() {
unsafe_stack_setup(addr, size, guard); unsafe_stack_setup(addr, size, guard);
pageSize = sysconf(_SC_PAGESIZE); pageSize = sysconf(_SC_PAGESIZE);
// Initialize pthread interceptors for thread allocation // Initialize pthread interceptors for thread allocation
INTERCEPT_FUNCTION(pthread_create); INTERCEPT_FUNCTION(pthread_create);
// Setup the cleanup handler // Setup the cleanup handler
pthread_key_create(&thread_cleanup_key, thread_cleanup_handler); pthread_key_create(&thread_cleanup_key, thread_cleanup_handler);
__safestack_sepseg_init(pageSize);
} }
#if SANITIZER_CAN_USE_PREINIT_ARRAY #if SANITIZER_CAN_USE_PREINIT_ARRAY
// On ELF platforms, run safestack initialization before any other constructors. // On ELF platforms, run safestack initialization before any other constructors.
// On other platforms we use the constructor attribute to arrange to run our // On other platforms we use the constructor attribute to arrange to run our
// initialization early. // initialization early.
extern "C" { extern "C" {
__attribute__((section(".preinit_array"), __attribute__((section(".preinit_array"),
Show All 13 Lines

lib/safestack/safestackmpx.cc

  • This file was added.
//===-- safestackmpx.cc ---------------------------------------------------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This file implements the runtime support for safe stack hardening based on
// Intel MPX. The runtime initializes MPX and manages allocation of the safe
// stack for each pthread created during program execution.
//
//===----------------------------------------------------------------------===//
#include <pthread.h>
#include <stdint.h>
#include <string.h>
#include <x86intrin.h>
#include "sanitizer_common/sanitizer_common.h"
#include "sanitizer_common/sanitizer_libc.h"
#include "sanitizer_common/sanitizer_mutex.h"
// Cap on amount of virtual address space that can be used beneath initial stack
// to allocate new safe stacks.
#define MAX_SAFE_STACK_CAPACITY 0x10000000
using namespace __sanitizer;
// FIXME: Free safe stack when thread is destroyed.
#define PAGE_SIZE 4096
// Aligned to fill a whole page, since this page will be marked read-only to
// prevent an adversary from modifying this to disable the hardening.
struct ro_settings {
/// Set to true to indicate that MPX-based hardening is enabled.
bool enabled;
} __attribute__((aligned(PAGE_SIZE)));
static ro_settings locked_settings = { false };
struct rw_settings {
private:
/// It is necessary to protect this variable to prevent an adversary from
/// modifying it to cause safe stacks to overlap or to be allocated in
/// vulnerable locations.
uptr safe_stack_last_alloc;
/// The associated mutex also needs to be protected.
StaticSpinMutex safe_stack_last_alloc_mutex;
public:
void init(uptr safe_stack_last_alloc_) {
safe_stack_last_alloc = safe_stack_last_alloc_;
safe_stack_last_alloc_mutex.Init();
}
/// Compute the base address of a new safe stack with the given size.
uptr alloc(size_t size) {
safe_stack_last_alloc_mutex.Lock();
uptr new_alloc = safe_stack_last_alloc - size;
safe_stack_last_alloc = new_alloc;
safe_stack_last_alloc_mutex.Unlock();
return new_alloc;
}
} __attribute__((aligned(PAGE_SIZE)));
static uptr mpx_get_bnd0_ub() {
uptr bnd0[2];
__asm__ __volatile__("bndmov %%bnd0, %0" : "=m"(bnd0));
return ~bnd0[1];
}
static void mpx_set_bnd0_ub(uptr ub) {
__asm__ __volatile__("bndmk %0, %%bnd0" :: "m"(*(char *)ub));
}
static inline void *safe_stack_alloc(size_t size, size_t guard) {
uptr bnd = mpx_get_bnd0_ub();
rw_settings *protected_settings = reinterpret_cast<rw_settings *>(bnd);
size_t alloc_size = size + guard;
CHECK_GE(alloc_size, size);
uptr req_addr = protected_settings->alloc(alloc_size);
// This check can be triggered by a program creating a large number of threads
// or a large stack. An alternative approach to avoid that limitation could
// be to allow the program to keep running even when its safe stacks protrude
// below the bound. Of course, the protruding portions of the safe stacks
// would be vulnerable. Another alternative could be to treat the MPX bounds
// registers as per-program state rather than per-thread state. BND0 could
// then be adjusted downwards as necessary when new safe stacks are allocated.
// Both options would require relocating the rw_settings object.
CHECK_GE(req_addr, protected_settings + 1);
uptr rw_base = req_addr + guard;
CHECK_EQ(MprotectReadWrite(rw_base, size), true);
return (char *)rw_base;
}
void __safestack_sepseg_pthread_create(const pthread_attr_t **attr,
pthread_attr_t *tmpattr,
size_t size, size_t guard) {
if (!locked_settings.enabled)
return;
void *safe_stack_addr = safe_stack_alloc(size, guard);
CHECK_EQ(pthread_attr_init(tmpattr), 0);
// FIXME: If attr is non-null, copy other settings into tmpattr.
CHECK_EQ(pthread_attr_setstack(tmpattr, safe_stack_addr, size), 0);
*attr = tmpattr;
}
void __safestack_sepseg_init(unsigned pageSize) {
// This file implements the runtime support for protecting safe stacks against
// stray writes using MPX. The runtime initializes MPX, intercepts the creation
// of new safe stacks to place them at high addresses, and configures the BND0
// register to have an upper bound below all safe stacks.
unsigned cpuid_res;
__asm__ __volatile__("cpuid" : "=b"(cpuid_res) : "a"(7), "c"(0) : "rdx");
if (((cpuid_res >> 14) & 1) != 1)
// No MPX support
return;
__asm__ __volatile__("cpuid" : "=a"(cpuid_res) : "a"(0xD), "c"(0) : "rbx", "rdx");
if (((cpuid_res >> 3) & 3) != 3)
// Insufficient MPX support
return;
__asm__ __volatile__("cpuid" : "=a"(cpuid_res) : "a"(0xD), "c"(1) : "rbx", "rdx");
if (((cpuid_res >> 1) & 1) != 1)
// No XSAVEC support
return;
struct {
char pad[512];
uint64_t xstate_bv;
uint64_t xcomp_bv;
char pad1[48];
struct {
uint64_t en : 1;
uint64_t bprv : 1;
uint64_t : 10;
uint64_t tblbase : 52;
} bndcfgu;
uint64_t bndstatus;
} xsave_area __attribute__((aligned(64)));
memset(&xsave_area, 0, sizeof(xsave_area));
xsave_area.bndcfgu.en = 1;
xsave_area.bndcfgu.bprv = 1;
xsave_area.xcomp_bv = 0x8000000000000010ull;
xsave_area.xstate_bv = 0x10;
_xrstor(&xsave_area, 1 << 4);
pthread_attr_t attr;
void *safe_stack = nullptr;
size_t size = 0;
CHECK_EQ(pthread_getattr_np(pthread_self(), &attr), 0);
CHECK_EQ(pthread_attr_getstack(&attr, &safe_stack, &size), 0);
CHECK_EQ(pthread_attr_destroy(&attr), 0);
// This assumes that a single page is used as the guard:
uptr guard_base = (uptr)safe_stack - pageSize;
uptr safe_stack_cap = MAX_SAFE_STACK_CAPACITY;
auto below_safe_stacks = [&]() {
return guard_base - (safe_stack_cap + sizeof(rw_settings));
};
while (!MemoryRangeIsAvailable(below_safe_stacks(), guard_base - 1)) {
safe_stack_cap >>= 1;
CHECK_GT(safe_stack_cap, pageSize);
}
mpx_set_bnd0_ub(below_safe_stacks());
uptr future_safe_stacks = below_safe_stacks() + sizeof(rw_settings);
// Reserve space for additional safe stacks.
CHECK_EQ(MmapFixedNoAccess(future_safe_stacks, safe_stack_cap, nullptr),
future_safe_stacks);
// Reserve space for protected settings just above the bound.
MmapFixedOrDie(below_safe_stacks(), sizeof(rw_settings));
rw_settings *protected_settings =
reinterpret_cast<rw_settings *>(below_safe_stacks());
protected_settings->init(guard_base);
locked_settings.enabled = true;
CHECK_EQ(MprotectReadOnly((uptr)&locked_settings, PAGE_SIZE), true);
}

lib/sanitizer_common/sanitizer_common.h

Show First 20 LinesShow All 91 Lines▼ Show 20 Lines
void *MmapFixedNoAccess(uptr fixed_addr, uptr size, const char *name = nullptr); void *MmapFixedNoAccess(uptr fixed_addr, uptr size, const char *name = nullptr);
void *MmapNoAccess(uptr size); void *MmapNoAccess(uptr size);
// Map aligned chunk of address space; size and alignment are powers of two. // Map aligned chunk of address space; size and alignment are powers of two.
void *MmapAlignedOrDie(uptr size, uptr alignment, const char *mem_type); void *MmapAlignedOrDie(uptr size, uptr alignment, const char *mem_type);
// Disallow access to a memory range. Use MmapFixedNoAccess to allocate an // Disallow access to a memory range. Use MmapFixedNoAccess to allocate an
// unaccessible memory. // unaccessible memory.
bool MprotectNoAccess(uptr addr, uptr size); bool MprotectNoAccess(uptr addr, uptr size);
bool MprotectReadOnly(uptr addr, uptr size); bool MprotectReadOnly(uptr addr, uptr size);
bool MprotectReadWrite(uptr addr, uptr size);
// Find an available address space. // Find an available address space.
uptr FindAvailableMemoryRange(uptr size, uptr alignment, uptr left_padding); uptr FindAvailableMemoryRange(uptr size, uptr alignment, uptr left_padding);
// Used to check if we can map shadow memory to a fixed location. // Used to check if we can map shadow memory to a fixed location.
bool MemoryRangeIsAvailable(uptr range_start, uptr range_end); bool MemoryRangeIsAvailable(uptr range_start, uptr range_end);
// Releases memory pages entirely within the [beg, end] address range. Noop if // Releases memory pages entirely within the [beg, end] address range. Noop if
// the provided range does not contain at least one entire page. // the provided range does not contain at least one entire page.
▲ Show 20 LinesShow All 812 LinesShow Last 20 Lines

lib/sanitizer_common/sanitizer_posix.cc

Show First 20 LinesShow All 199 Lines▼ Show 20 Lines
bool MprotectNoAccess(uptr addr, uptr size) { bool MprotectNoAccess(uptr addr, uptr size) {
return 0 == internal_mprotect((void*)addr, size, PROT_NONE); return 0 == internal_mprotect((void*)addr, size, PROT_NONE);
} }
bool MprotectReadOnly(uptr addr, uptr size) { bool MprotectReadOnly(uptr addr, uptr size) {
return 0 == internal_mprotect((void *)addr, size, PROT_READ); return 0 == internal_mprotect((void *)addr, size, PROT_READ);
} }
bool MprotectReadWrite(uptr addr, uptr size) {
return 0 == internal_mprotect((void *)addr, size, PROT_READ | PROT_WRITE);
}
fd_t OpenFile(const char *filename, FileAccessMode mode, error_t *errno_p) { fd_t OpenFile(const char *filename, FileAccessMode mode, error_t *errno_p) {
int flags; int flags;
switch (mode) { switch (mode) {
case RdOnly: flags = O_RDONLY; break; case RdOnly: flags = O_RDONLY; break;
case WrOnly: flags = O_WRONLY | O_CREAT; break; case WrOnly: flags = O_WRONLY | O_CREAT; break;
case RdWr: flags = O_RDWR | O_CREAT; break; case RdWr: flags = O_RDWR | O_CREAT; break;
} }
fd_t res = internal_open(filename, flags, 0660); fd_t res = internal_open(filename, flags, 0660);
▲ Show 20 LinesShow All 148 LinesShow Last 20 Lines