1
//===-- safestack.cpp -----------------------------------------------------===//
2
//
3
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4
// See https://llvm.org/LICENSE.txt for license information.
5
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6
//
7
//===----------------------------------------------------------------------===//
8
//
9
// This file implements the runtime support for the safe stack protection
10
// mechanism. The runtime manages allocation/deallocation of the unsafe stack
11
// for the main thread, as well as all pthreads that are created/destroyed
12
// during program execution.
13
//
14
//===----------------------------------------------------------------------===//
15

16
#define SANITIZER_COMMON_NO_REDEFINE_BUILTINS
17

18
#include "safestack_platform.h"
19
#include "safestack_util.h"
20
#include "sanitizer_common/sanitizer_internal_defs.h"
21

22
#include <errno.h>
23
#include <string.h>
24
#include <sys/resource.h>
25

26
#include "interception/interception.h"
27

28
// interception.h drags in sanitizer_redefine_builtins.h, which in turn
29
// creates references to __sanitizer_internal_memcpy etc.  The interceptors
30
// aren't needed here, so just forward to libc.
31
extern "C" {
32
SANITIZER_INTERFACE_ATTRIBUTE void *__sanitizer_internal_memcpy(void *dest,
33
                                                                const void *src,
34
                                                                size_t n) {
35
  return memcpy(dest, src, n);
36
}
37

38
SANITIZER_INTERFACE_ATTRIBUTE void *__sanitizer_internal_memmove(
39
    void *dest, const void *src, size_t n) {
40
  return memmove(dest, src, n);
41
}
42

43
SANITIZER_INTERFACE_ATTRIBUTE void *__sanitizer_internal_memset(void *s, int c,
44
                                                                size_t n) {
45
  return memset(s, c, n);
46
}
47
}  // extern "C"
48

49
using namespace safestack;
50

51
// TODO: To make accessing the unsafe stack pointer faster, we plan to
52
// eventually store it directly in the thread control block data structure on
53
// platforms where this structure is pointed to by %fs or %gs. This is exactly
54
// the same mechanism as currently being used by the traditional stack
55
// protector pass to store the stack guard (see getStackCookieLocation()
56
// function above). Doing so requires changing the tcbhead_t struct in glibc
57
// on Linux and tcb struct in libc on FreeBSD.
58
//
59
// For now, store it in a thread-local variable.
60
extern "C" {
61
__attribute__((visibility(
62
    "default"))) __thread void *__safestack_unsafe_stack_ptr = nullptr;
63
}
64

65
namespace {
66

67
// TODO: The runtime library does not currently protect the safe stack beyond
68
// relying on the system-enforced ASLR. The protection of the (safe) stack can
69
// be provided by three alternative features:
70
//
71
// 1) Protection via hardware segmentation on x86-32 and some x86-64
72
// architectures: the (safe) stack segment (implicitly accessed via the %ss
73
// segment register) can be separated from the data segment (implicitly
74
// accessed via the %ds segment register). Dereferencing a pointer to the safe
75
// segment would result in a segmentation fault.
76
//
77
// 2) Protection via software fault isolation: memory writes that are not meant
78
// to access the safe stack can be prevented from doing so through runtime
79
// instrumentation. One way to do it is to allocate the safe stack(s) in the
80
// upper half of the userspace and bitmask the corresponding upper bit of the
81
// memory addresses of memory writes that are not meant to access the safe
82
// stack.
83
//
84
// 3) Protection via information hiding on 64 bit architectures: the location
85
// of the safe stack(s) can be randomized through secure mechanisms, and the
86
// leakage of the stack pointer can be prevented. Currently, libc can leak the
87
// stack pointer in several ways (e.g. in longjmp, signal handling, user-level
88
// context switching related functions, etc.). These can be fixed in libc and
89
// in other low-level libraries, by either eliminating the escaping/dumping of
90
// the stack pointer (i.e., %rsp) when that's possible, or by using
91
// encryption/PTR_MANGLE (XOR-ing the dumped stack pointer with another secret
92
// we control and protect better, as is already done for setjmp in glibc.)
93
// Furthermore, a static machine code level verifier can be ran after code
94
// generation to make sure that the stack pointer is never written to memory,
95
// or if it is, its written on the safe stack.
96
//
97
// Finally, while the Unsafe Stack pointer is currently stored in a thread
98
// local variable, with libc support it could be stored in the TCB (thread
99
// control block) as well, eliminating another level of indirection and making
100
// such accesses faster. Alternatively, dedicating a separate register for
101
// storing it would also be possible.
102

103
/// Minimum stack alignment for the unsafe stack.
104
const unsigned kStackAlign = 16;
105

106
/// Default size of the unsafe stack. This value is only used if the stack
107
/// size rlimit is set to infinity.
108
const unsigned kDefaultUnsafeStackSize = 0x2800000;
109

110
// Per-thread unsafe stack information. It's not frequently accessed, so there
111
// it can be kept out of the tcb in normal thread-local variables.
112
__thread void *unsafe_stack_start = nullptr;
113
__thread size_t unsafe_stack_size = 0;
114
__thread size_t unsafe_stack_guard = 0;
115

116
inline void *unsafe_stack_alloc(size_t size, size_t guard) {
117
  SFS_CHECK(size + guard >= size);
118
  void *addr = Mmap(nullptr, size + guard, PROT_READ | PROT_WRITE,
119
                    MAP_PRIVATE | MAP_ANON, -1, 0);
120
  SFS_CHECK(MAP_FAILED != addr);
121
  Mprotect(addr, guard, PROT_NONE);
122
  return (char *)addr + guard;
123
}
124

125
inline void unsafe_stack_setup(void *start, size_t size, size_t guard) {
126
  SFS_CHECK((char *)start + size >= (char *)start);
127
  SFS_CHECK((char *)start + guard >= (char *)start);
128
  void *stack_ptr = (char *)start + size;
129
  SFS_CHECK((((size_t)stack_ptr) & (kStackAlign - 1)) == 0);
130

131
  __safestack_unsafe_stack_ptr = stack_ptr;
132
  unsafe_stack_start = start;
133
  unsafe_stack_size = size;
134
  unsafe_stack_guard = guard;
135
}
136

137
/// Thread data for the cleanup handler
138
pthread_key_t thread_cleanup_key;
139

140
/// Safe stack per-thread information passed to the thread_start function
141
struct tinfo {
142
  void *(*start_routine)(void *);
143
  void *start_routine_arg;
144

145
  void *unsafe_stack_start;
146
  size_t unsafe_stack_size;
147
  size_t unsafe_stack_guard;
148
};
149

150
/// Wrap the thread function in order to deallocate the unsafe stack when the
151
/// thread terminates by returning from its main function.
152
void *thread_start(void *arg) {
153
  struct tinfo *tinfo = (struct tinfo *)arg;
154

155
  void *(*start_routine)(void *) = tinfo->start_routine;
156
  void *start_routine_arg = tinfo->start_routine_arg;
157

158
  // Setup the unsafe stack; this will destroy tinfo content
159
  unsafe_stack_setup(tinfo->unsafe_stack_start, tinfo->unsafe_stack_size,
160
                     tinfo->unsafe_stack_guard);
161

162
  // Make sure out thread-specific destructor will be called
163
  pthread_setspecific(thread_cleanup_key, (void *)1);
164

165
  return start_routine(start_routine_arg);
166
}
167

168
/// Linked list used to store exiting threads stack/thread information.
169
struct thread_stack_ll {
170
  struct thread_stack_ll *next;
171
  void *stack_base;
172
  size_t size;
173
  pid_t pid;
174
  ThreadId tid;
175
};
176

177
/// Linked list of unsafe stacks for threads that are exiting. We delay
178
/// unmapping them until the thread exits.
179
thread_stack_ll *thread_stacks = nullptr;
180
pthread_mutex_t thread_stacks_mutex = PTHREAD_MUTEX_INITIALIZER;
181

182
/// Thread-specific data destructor. We want to free the unsafe stack only after
183
/// this thread is terminated. libc can call functions in safestack-instrumented
184
/// code (like free) after thread-specific data destructors have run.
185
void thread_cleanup_handler(void *_iter) {
186
  SFS_CHECK(unsafe_stack_start != nullptr);
187
  pthread_setspecific(thread_cleanup_key, NULL);
188

189
  pthread_mutex_lock(&thread_stacks_mutex);
190
  // Temporary list to hold the previous threads stacks so we don't hold the
191
  // thread_stacks_mutex for long.
192
  thread_stack_ll *temp_stacks = thread_stacks;
193
  thread_stacks = nullptr;
194
  pthread_mutex_unlock(&thread_stacks_mutex);
195

196
  pid_t pid = getpid();
197
  ThreadId tid = GetTid();
198

199
  // Free stacks for dead threads
200
  thread_stack_ll **stackp = &temp_stacks;
201
  while (*stackp) {
202
    thread_stack_ll *stack = *stackp;
203
    if (stack->pid != pid ||
204
        (-1 == TgKill(stack->pid, stack->tid, 0) && errno == ESRCH)) {
205
      Munmap(stack->stack_base, stack->size);
206
      *stackp = stack->next;
207
      free(stack);
208
    } else
209
      stackp = &stack->next;
210
  }
211

212
  thread_stack_ll *cur_stack =
213
      (thread_stack_ll *)malloc(sizeof(thread_stack_ll));
214
  cur_stack->stack_base = (char *)unsafe_stack_start - unsafe_stack_guard;
215
  cur_stack->size = unsafe_stack_size + unsafe_stack_guard;
216
  cur_stack->pid = pid;
217
  cur_stack->tid = tid;
218

219
  pthread_mutex_lock(&thread_stacks_mutex);
220
  // Merge thread_stacks with the current thread's stack and any remaining
221
  // temp_stacks
222
  *stackp = thread_stacks;
223
  cur_stack->next = temp_stacks;
224
  thread_stacks = cur_stack;
225
  pthread_mutex_unlock(&thread_stacks_mutex);
226

227
  unsafe_stack_start = nullptr;
228
}
229

230
void EnsureInterceptorsInitialized();
231

232
/// Intercept thread creation operation to allocate and setup the unsafe stack
233
INTERCEPTOR(int, pthread_create, pthread_t *thread,
234
            const pthread_attr_t *attr,
235
            void *(*start_routine)(void*), void *arg) {
236
  EnsureInterceptorsInitialized();
237
  size_t size = 0;
238
  size_t guard = 0;
239

240
  if (attr) {
241
    pthread_attr_getstacksize(attr, &size);
242
    pthread_attr_getguardsize(attr, &guard);
243
  } else {
244
    // get pthread default stack size
245
    pthread_attr_t tmpattr;
246
    pthread_attr_init(&tmpattr);
247
    pthread_attr_getstacksize(&tmpattr, &size);
248
    pthread_attr_getguardsize(&tmpattr, &guard);
249
    pthread_attr_destroy(&tmpattr);
250
  }
251

252
#if SANITIZER_SOLARIS
253
  // Solaris pthread_attr_init initializes stacksize to 0 (the default), so
254
  // hardcode the actual values as documented in pthread_create(3C).
255
  if (size == 0)
256
#  if defined(_LP64)
257
    size = 2 * 1024 * 1024;
258
#  else
259
    size = 1024 * 1024;
260
#  endif
261
#endif
262

263
  SFS_CHECK(size);
264
  size = RoundUpTo(size, kStackAlign);
265

266
  void *addr = unsafe_stack_alloc(size, guard);
267
  // Put tinfo at the end of the buffer. guard may be not page aligned.
268
  // If that is so then some bytes after addr can be mprotected.
269
  struct tinfo *tinfo =
270
      (struct tinfo *)(((char *)addr) + size - sizeof(struct tinfo));
271
  tinfo->start_routine = start_routine;
272
  tinfo->start_routine_arg = arg;
273
  tinfo->unsafe_stack_start = addr;
274
  tinfo->unsafe_stack_size = size;
275
  tinfo->unsafe_stack_guard = guard;
276

277
  return REAL(pthread_create)(thread, attr, thread_start, tinfo);
278
}
279

280
pthread_mutex_t interceptor_init_mutex = PTHREAD_MUTEX_INITIALIZER;
281
bool interceptors_inited = false;
282

283
void EnsureInterceptorsInitialized() {
284
  MutexLock lock(interceptor_init_mutex);
285
  if (interceptors_inited)
286
    return;
287

288
  // Initialize pthread interceptors for thread allocation
289
  INTERCEPT_FUNCTION(pthread_create);
290

291
  interceptors_inited = true;
292
}
293

294
}  // namespace
295

296
extern "C" __attribute__((visibility("default")))
297
#if !SANITIZER_CAN_USE_PREINIT_ARRAY
298
// On ELF platforms, the constructor is invoked using .preinit_array (see below)
299
__attribute__((constructor(0)))
300
#endif
301
void __safestack_init() {
302
  // Determine the stack size for the main thread.
303
  size_t size = kDefaultUnsafeStackSize;
304
  size_t guard = 4096;
305

306
  struct rlimit limit;
307
  if (getrlimit(RLIMIT_STACK, &limit) == 0 && limit.rlim_cur != RLIM_INFINITY)
308
    size = limit.rlim_cur;
309

310
  // Allocate unsafe stack for main thread
311
  void *addr = unsafe_stack_alloc(size, guard);
312
  unsafe_stack_setup(addr, size, guard);
313

314
  // Setup the cleanup handler
315
  pthread_key_create(&thread_cleanup_key, thread_cleanup_handler);
316
}
317

318
#if SANITIZER_CAN_USE_PREINIT_ARRAY
319
// On ELF platforms, run safestack initialization before any other constructors.
320
// On other platforms we use the constructor attribute to arrange to run our
321
// initialization early.
322
extern "C" {
323
__attribute__((section(".preinit_array"),
324
               used)) void (*__safestack_preinit)(void) = __safestack_init;
325
}
326
#endif
327

328
extern "C"
329
    __attribute__((visibility("default"))) void *__get_unsafe_stack_bottom() {
330
  return unsafe_stack_start;
331
}
332

333
extern "C"
334
    __attribute__((visibility("default"))) void *__get_unsafe_stack_top() {
335
  return (char*)unsafe_stack_start + unsafe_stack_size;
336
}
337

338
extern "C"
339
    __attribute__((visibility("default"))) void *__get_unsafe_stack_start() {
340
  return unsafe_stack_start;
341
}
342

343
extern "C"
344
    __attribute__((visibility("default"))) void *__get_unsafe_stack_ptr() {
345
  return __safestack_unsafe_stack_ptr;
346
}
347

348