Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/contrib/llvm-project/compiler-rt/lib/asan/asan_fake_stack.cpp
35233 views
1
//===-- asan_fake_stack.cpp -----------------------------------------------===//

2
//

3
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

4
// See https://llvm.org/LICENSE.txt for license information.

5
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

6
//

7
//===----------------------------------------------------------------------===//

8
//

9
// This file is a part of AddressSanitizer, an address sanity checker.

10
//

11
// FakeStack is used to detect use-after-return bugs.

12
//===----------------------------------------------------------------------===//

13


14
#include "asan_allocator.h"

15
#include "asan_poisoning.h"

16
#include "asan_thread.h"

17


18
namespace __asan {

19


20
static const u64 kMagic1 = kAsanStackAfterReturnMagic;

21
static const u64 kMagic2 = (kMagic1 << 8) | kMagic1;

22
static const u64 kMagic4 = (kMagic2 << 16) | kMagic2;

23
static const u64 kMagic8 = (kMagic4 << 32) | kMagic4;

24


25
static const u64 kAllocaRedzoneSize = 32UL;

26
static const u64 kAllocaRedzoneMask = 31UL;

27


28
// For small size classes inline PoisonShadow for better performance.

29
ALWAYS_INLINE void SetShadow(uptr ptr, uptr size, uptr class_id, u64 magic) {

30
  u64 *shadow = reinterpret_cast<u64*>(MemToShadow(ptr));

31
  if (ASAN_SHADOW_SCALE == 3 && class_id <= 6) {

32
    // This code expects ASAN_SHADOW_SCALE=3.

33
    for (uptr i = 0; i < (((uptr)1) << class_id); i++) {

34
      shadow[i] = magic;

35
      // Make sure this does not become memset.

36
      SanitizerBreakOptimization(nullptr);

37
    }

38
  } else {

39
    // The size class is too big, it's cheaper to poison only size bytes.

40
    PoisonShadow(ptr, size, static_cast<u8>(magic));

41
  }

42
}

43


44
FakeStack *FakeStack::Create(uptr stack_size_log) {

45
  static uptr kMinStackSizeLog = 16;

46
  static uptr kMaxStackSizeLog = FIRST_32_SECOND_64(24, 28);

47
  if (stack_size_log < kMinStackSizeLog)

48
    stack_size_log = kMinStackSizeLog;

49
  if (stack_size_log > kMaxStackSizeLog)

50
    stack_size_log = kMaxStackSizeLog;

51
  uptr size = RequiredSize(stack_size_log);

52
  FakeStack *res = reinterpret_cast<FakeStack *>(

53
      flags()->uar_noreserve ? MmapNoReserveOrDie(size, "FakeStack")

54
                             : MmapOrDie(size, "FakeStack"));

55
  res->stack_size_log_ = stack_size_log;

56
  u8 *p = reinterpret_cast<u8 *>(res);

57
  VReport(1,

58
          "T%d: FakeStack created: %p -- %p stack_size_log: %zd; "

59
          "mmapped %zdK, noreserve=%d \n",

60
          GetCurrentTidOrInvalid(), (void *)p,

61
          (void *)(p + FakeStack::RequiredSize(stack_size_log)), stack_size_log,

62
          size >> 10, flags()->uar_noreserve);

63
  return res;

64
}

65


66
void FakeStack::Destroy(int tid) {

67
  PoisonAll(0);

68
  if (Verbosity() >= 2) {

69
    InternalScopedString str;

70
    for (uptr class_id = 0; class_id < kNumberOfSizeClasses; class_id++)

71
      str.AppendF("%zd: %zd/%zd; ", class_id, hint_position_[class_id],

72
                  NumberOfFrames(stack_size_log(), class_id));

73
    Report("T%d: FakeStack destroyed: %s\n", tid, str.data());

74
  }

75
  uptr size = RequiredSize(stack_size_log_);

76
  FlushUnneededASanShadowMemory(reinterpret_cast<uptr>(this), size);

77
  UnmapOrDie(this, size);

78
}

79


80
void FakeStack::PoisonAll(u8 magic) {

81
  PoisonShadow(reinterpret_cast<uptr>(this), RequiredSize(stack_size_log()),

82
               magic);

83
}

84


85
#if !defined(_MSC_VER) || defined(__clang__)

86
ALWAYS_INLINE USED

87
#endif

88
FakeFrame *FakeStack::Allocate(uptr stack_size_log, uptr class_id,

89
                               uptr real_stack) {

90
  CHECK_LT(class_id, kNumberOfSizeClasses);

91
  if (needs_gc_)

92
    GC(real_stack);

93
  uptr &hint_position = hint_position_[class_id];

94
  const int num_iter = NumberOfFrames(stack_size_log, class_id);

95
  u8 *flags = GetFlags(stack_size_log, class_id);

96
  for (int i = 0; i < num_iter; i++) {

97
    uptr pos = ModuloNumberOfFrames(stack_size_log, class_id, hint_position++);

98
    // This part is tricky. On one hand, checking and setting flags[pos]

99
    // should be atomic to ensure async-signal safety. But on the other hand,

100
    // if the signal arrives between checking and setting flags[pos], the

101
    // signal handler's fake stack will start from a different hint_position

102
    // and so will not touch this particular byte. So, it is safe to do this

103
    // with regular non-atomic load and store (at least I was not able to make

104
    // this code crash).

105
    if (flags[pos]) continue;

106
    flags[pos] = 1;

107
    FakeFrame *res = reinterpret_cast<FakeFrame *>(

108
        GetFrame(stack_size_log, class_id, pos));

109
    res->real_stack = real_stack;

110
    *SavedFlagPtr(reinterpret_cast<uptr>(res), class_id) = &flags[pos];

111
    return res;

112
  }

113
  return nullptr; // We are out of fake stack.

114
}

115


116
uptr FakeStack::AddrIsInFakeStack(uptr ptr, uptr *frame_beg, uptr *frame_end) {

117
  uptr stack_size_log = this->stack_size_log();

118
  uptr beg = reinterpret_cast<uptr>(GetFrame(stack_size_log, 0, 0));

119
  uptr end = reinterpret_cast<uptr>(this) + RequiredSize(stack_size_log);

120
  if (ptr < beg || ptr >= end) return 0;

121
  uptr class_id = (ptr - beg) >> stack_size_log;

122
  uptr base = beg + (class_id << stack_size_log);

123
  CHECK_LE(base, ptr);

124
  CHECK_LT(ptr, base + (((uptr)1) << stack_size_log));

125
  uptr pos = (ptr - base) >> (kMinStackFrameSizeLog + class_id);

126
  uptr res = base + pos * BytesInSizeClass(class_id);

127
  *frame_end = res + BytesInSizeClass(class_id);

128
  *frame_beg = res + sizeof(FakeFrame);

129
  return res;

130
}

131


132
void FakeStack::HandleNoReturn() {

133
  needs_gc_ = true;

134
}

135


136
// Hack: The statement below is not true if we take into account sigaltstack or

137
// makecontext. It should be possible to make GC to discard wrong stack frame if

138
// we use these tools. For now, let's support the simplest case and allow GC to

139
// discard only frames from the default stack, assuming there is no buffer on

140
// the stack which is used for makecontext or sigaltstack.

141
//

142
// When throw, longjmp or some such happens we don't call OnFree() and

143
// as the result may leak one or more fake frames, but the good news is that

144
// we are notified about all such events by HandleNoReturn().

145
// If we recently had such no-return event we need to collect garbage frames.

146
// We do it based on their 'real_stack' values -- everything that is lower

147
// than the current real_stack is garbage.

148
NOINLINE void FakeStack::GC(uptr real_stack) {

149
  AsanThread *curr_thread = GetCurrentThread();

150
  if (!curr_thread)

151
    return;  // Try again when we have a thread.

152
  auto top = curr_thread->stack_top();

153
  auto bottom = curr_thread->stack_bottom();

154
  if (real_stack < bottom || real_stack > top)

155
    return;  // Not the default stack.

156


157
  for (uptr class_id = 0; class_id < kNumberOfSizeClasses; class_id++) {

158
    u8 *flags = GetFlags(stack_size_log(), class_id);

159
    for (uptr i = 0, n = NumberOfFrames(stack_size_log(), class_id); i < n;

160
         i++) {

161
      if (flags[i] == 0) continue;  // not allocated.

162
      FakeFrame *ff = reinterpret_cast<FakeFrame *>(

163
          GetFrame(stack_size_log(), class_id, i));

164
      // GC only on the default stack.

165
      if (bottom < ff->real_stack && ff->real_stack < real_stack) {

166
        flags[i] = 0;

167
        // Poison the frame, so the any access will be reported as UAR.

168
        SetShadow(reinterpret_cast<uptr>(ff), BytesInSizeClass(class_id),

169
                  class_id, kMagic8);

170
      }

171
    }

172
  }

173
  needs_gc_ = false;

174
}

175


176
void FakeStack::ForEachFakeFrame(RangeIteratorCallback callback, void *arg) {

177
  for (uptr class_id = 0; class_id < kNumberOfSizeClasses; class_id++) {

178
    u8 *flags = GetFlags(stack_size_log(), class_id);

179
    for (uptr i = 0, n = NumberOfFrames(stack_size_log(), class_id); i < n;

180
         i++) {

181
      if (flags[i] == 0) continue;  // not allocated.

182
      FakeFrame *ff = reinterpret_cast<FakeFrame *>(

183
          GetFrame(stack_size_log(), class_id, i));

184
      uptr begin = reinterpret_cast<uptr>(ff);

185
      callback(begin, begin + FakeStack::BytesInSizeClass(class_id), arg);

186
    }

187
  }

188
}

189


190
#if (SANITIZER_LINUX && !SANITIZER_ANDROID) || SANITIZER_FUCHSIA

191
static THREADLOCAL FakeStack *fake_stack_tls;

192


193
FakeStack *GetTLSFakeStack() {

194
  return fake_stack_tls;

195
}

196
void SetTLSFakeStack(FakeStack *fs) {

197
  fake_stack_tls = fs;

198
}

199
#else

200
FakeStack *GetTLSFakeStack() { return 0; }

201
void SetTLSFakeStack(FakeStack *fs) { }

202
#endif  // (SANITIZER_LINUX && !SANITIZER_ANDROID) || SANITIZER_FUCHSIA

203


204
static FakeStack *GetFakeStack() {

205
  AsanThread *t = GetCurrentThread();

206
  if (!t) return nullptr;

207
  return t->get_or_create_fake_stack();

208
}

209


210
static FakeStack *GetFakeStackFast() {

211
  if (FakeStack *fs = GetTLSFakeStack())

212
    return fs;

213
  if (!__asan_option_detect_stack_use_after_return)

214
    return nullptr;

215
  return GetFakeStack();

216
}

217


218
static FakeStack *GetFakeStackFastAlways() {

219
  if (FakeStack *fs = GetTLSFakeStack())

220
    return fs;

221
  return GetFakeStack();

222
}

223


224
static ALWAYS_INLINE uptr OnMalloc(uptr class_id, uptr size) {

225
  FakeStack *fs = GetFakeStackFast();

226
  if (!fs)

227
    return 0;

228
  FakeFrame *ff =

229
      fs->Allocate(fs->stack_size_log(), class_id, GET_CURRENT_FRAME());

230
  if (!ff)

231
    return 0;  // Out of fake stack.

232
  uptr ptr = reinterpret_cast<uptr>(ff);

233
  SetShadow(ptr, size, class_id, 0);

234
  return ptr;

235
}

236


237
static ALWAYS_INLINE uptr OnMallocAlways(uptr class_id, uptr size) {

238
  FakeStack *fs = GetFakeStackFastAlways();

239
  if (!fs)

240
    return 0;

241
  FakeFrame *ff =

242
      fs->Allocate(fs->stack_size_log(), class_id, GET_CURRENT_FRAME());

243
  if (!ff)

244
    return 0;  // Out of fake stack.

245
  uptr ptr = reinterpret_cast<uptr>(ff);

246
  SetShadow(ptr, size, class_id, 0);

247
  return ptr;

248
}

249


250
static ALWAYS_INLINE void OnFree(uptr ptr, uptr class_id, uptr size) {

251
  FakeStack::Deallocate(ptr, class_id);

252
  SetShadow(ptr, size, class_id, kMagic8);

253
}

254


255
} // namespace __asan

256


257
// ---------------------- Interface ---------------- {{{1

258
using namespace __asan;

259
#define DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(class_id)                      \

260
  extern "C" SANITIZER_INTERFACE_ATTRIBUTE uptr                               \

261
      __asan_stack_malloc_##class_id(uptr size) {                             \

262
    return OnMalloc(class_id, size);                                          \

263
  }                                                                           \

264
  extern "C" SANITIZER_INTERFACE_ATTRIBUTE uptr                               \

265
      __asan_stack_malloc_always_##class_id(uptr size) {                      \

266
    return OnMallocAlways(class_id, size);                                    \

267
  }                                                                           \

268
  extern "C" SANITIZER_INTERFACE_ATTRIBUTE void __asan_stack_free_##class_id( \

269
      uptr ptr, uptr size) {                                                  \

270
    OnFree(ptr, class_id, size);                                              \

271
  }

272


273
DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(0)

274
DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(1)

275
DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(2)

276
DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(3)

277
DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(4)

278
DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(5)

279
DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(6)

280
DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(7)

281
DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(8)

282
DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(9)

283
DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(10)

284


285
extern "C" {

286
// TODO: remove this method and fix tests that use it by setting

287
// -asan-use-after-return=never, after modal UAR flag lands

288
// (https://github.com/google/sanitizers/issues/1394)

289
SANITIZER_INTERFACE_ATTRIBUTE

290
void *__asan_get_current_fake_stack() { return GetFakeStackFast(); }

291


292
SANITIZER_INTERFACE_ATTRIBUTE

293
void *__asan_addr_is_in_fake_stack(void *fake_stack, void *addr, void **beg,

294
                                   void **end) {

295
  FakeStack *fs = reinterpret_cast<FakeStack*>(fake_stack);

296
  if (!fs) return nullptr;

297
  uptr frame_beg, frame_end;

298
  FakeFrame *frame = reinterpret_cast<FakeFrame *>(fs->AddrIsInFakeStack(

299
      reinterpret_cast<uptr>(addr), &frame_beg, &frame_end));

300
  if (!frame) return nullptr;

301
  if (frame->magic != kCurrentStackFrameMagic)

302
    return nullptr;

303
  if (beg) *beg = reinterpret_cast<void*>(frame_beg);

304
  if (end) *end = reinterpret_cast<void*>(frame_end);

305
  return reinterpret_cast<void*>(frame->real_stack);

306
}

307


308
SANITIZER_INTERFACE_ATTRIBUTE

309
void __asan_alloca_poison(uptr addr, uptr size) {

310
  uptr LeftRedzoneAddr = addr - kAllocaRedzoneSize;

311
  uptr PartialRzAddr = addr + size;

312
  uptr RightRzAddr = (PartialRzAddr + kAllocaRedzoneMask) & ~kAllocaRedzoneMask;

313
  uptr PartialRzAligned = PartialRzAddr & ~(ASAN_SHADOW_GRANULARITY - 1);

314
  FastPoisonShadow(LeftRedzoneAddr, kAllocaRedzoneSize, kAsanAllocaLeftMagic);

315
  FastPoisonShadowPartialRightRedzone(

316
      PartialRzAligned, PartialRzAddr % ASAN_SHADOW_GRANULARITY,

317
      RightRzAddr - PartialRzAligned, kAsanAllocaRightMagic);

318
  FastPoisonShadow(RightRzAddr, kAllocaRedzoneSize, kAsanAllocaRightMagic);

319
}

320


321
SANITIZER_INTERFACE_ATTRIBUTE

322
void __asan_allocas_unpoison(uptr top, uptr bottom) {

323
  if ((!top) || (top > bottom)) return;

324
  REAL(memset)

325
  (reinterpret_cast<void *>(MemToShadow(top)), 0,

326
   (bottom - top) / ASAN_SHADOW_GRANULARITY);

327
}

328
} // extern "C"

329


330