1//===-- safestack.cpp -----------------------------------------------------===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file implements the runtime support for the safe stack protection
10// mechanism. The runtime manages allocation/deallocation of the unsafe stack
11// for the main thread, as well as all pthreads that are created/destroyed
12// during program execution.
13//
14//===----------------------------------------------------------------------===//
15
16#define SANITIZER_COMMON_NO_REDEFINE_BUILTINS
17
18#include "safestack_platform.h"
19#include "safestack_util.h"
20#include "sanitizer_common/sanitizer_internal_defs.h"
21
22#include <errno.h>
23#include <string.h>
24#include <sys/resource.h>
25
26#include "interception/interception.h"
27
28// interception.h drags in sanitizer_redefine_builtins.h, which in turn
29// creates references to __sanitizer_internal_memcpy etc. The interceptors
30// aren't needed here, so just forward to libc.
31extern "C" {
32SANITIZER_INTERFACE_ATTRIBUTE void *__sanitizer_internal_memcpy(void *dest,
33 const void *src,
34 size_t n) {
35 return memcpy(dest: dest, src: src, n: n);
36}
37
38SANITIZER_INTERFACE_ATTRIBUTE void *__sanitizer_internal_memmove(
39 void *dest, const void *src, size_t n) {
40 return memmove(dest: dest, src: src, n: n);
41}
42
43SANITIZER_INTERFACE_ATTRIBUTE void *__sanitizer_internal_memset(void *s, int c,
44 size_t n) {
45 return memset(s: s, c: c, n: n);
46}
47} // extern "C"
48
49using namespace safestack;
50
51// TODO: To make accessing the unsafe stack pointer faster, we plan to
52// eventually store it directly in the thread control block data structure on
53// platforms where this structure is pointed to by %fs or %gs. This is exactly
54// the same mechanism as currently being used by the traditional stack
55// protector pass to store the stack guard (see getStackCookieLocation()
56// function above). Doing so requires changing the tcbhead_t struct in glibc
57// on Linux and tcb struct in libc on FreeBSD.
58//
59// For now, store it in a thread-local variable.
60extern "C" {
61__attribute__((visibility(
62 "default"))) __thread void *__safestack_unsafe_stack_ptr = nullptr;
63}
64
65namespace {
66
67// TODO: The runtime library does not currently protect the safe stack beyond
68// relying on the system-enforced ASLR. The protection of the (safe) stack can
69// be provided by three alternative features:
70//
71// 1) Protection via hardware segmentation on x86-32 and some x86-64
72// architectures: the (safe) stack segment (implicitly accessed via the %ss
73// segment register) can be separated from the data segment (implicitly
74// accessed via the %ds segment register). Dereferencing a pointer to the safe
75// segment would result in a segmentation fault.
76//
77// 2) Protection via software fault isolation: memory writes that are not meant
78// to access the safe stack can be prevented from doing so through runtime
79// instrumentation. One way to do it is to allocate the safe stack(s) in the
80// upper half of the userspace and bitmask the corresponding upper bit of the
81// memory addresses of memory writes that are not meant to access the safe
82// stack.
83//
84// 3) Protection via information hiding on 64 bit architectures: the location
85// of the safe stack(s) can be randomized through secure mechanisms, and the
86// leakage of the stack pointer can be prevented. Currently, libc can leak the
87// stack pointer in several ways (e.g. in longjmp, signal handling, user-level
88// context switching related functions, etc.). These can be fixed in libc and
89// in other low-level libraries, by either eliminating the escaping/dumping of
90// the stack pointer (i.e., %rsp) when that's possible, or by using
91// encryption/PTR_MANGLE (XOR-ing the dumped stack pointer with another secret
92// we control and protect better, as is already done for setjmp in glibc.)
93// Furthermore, a static machine code level verifier can be ran after code
94// generation to make sure that the stack pointer is never written to memory,
95// or if it is, its written on the safe stack.
96//
97// Finally, while the Unsafe Stack pointer is currently stored in a thread
98// local variable, with libc support it could be stored in the TCB (thread
99// control block) as well, eliminating another level of indirection and making
100// such accesses faster. Alternatively, dedicating a separate register for
101// storing it would also be possible.
102
103/// Minimum stack alignment for the unsafe stack.
104const unsigned kStackAlign = 16;
105
106/// Default size of the unsafe stack. This value is only used if the stack
107/// size rlimit is set to infinity.
108const unsigned kDefaultUnsafeStackSize = 0x2800000;
109
110// Per-thread unsafe stack information. It's not frequently accessed, so there
111// it can be kept out of the tcb in normal thread-local variables.
112__thread void *unsafe_stack_start = nullptr;
113__thread size_t unsafe_stack_size = 0;
114__thread size_t unsafe_stack_guard = 0;
115
116inline void *unsafe_stack_alloc(size_t size, size_t guard) {
117 SFS_CHECK(size + guard >= size);
118 void *addr = Mmap(addr: nullptr, length: size + guard, PROT_READ | PROT_WRITE,
119 MAP_PRIVATE | MAP_ANON, fd: -1, offset: 0);
120 SFS_CHECK(MAP_FAILED != addr);
121 Mprotect(addr, length: guard, PROT_NONE);
122 return (char *)addr + guard;
123}
124
125inline void unsafe_stack_setup(void *start, size_t size, size_t guard) {
126 SFS_CHECK((char *)start + size >= (char *)start);
127 SFS_CHECK((char *)start + guard >= (char *)start);
128 void *stack_ptr = (char *)start + size;
129 SFS_CHECK((((size_t)stack_ptr) & (kStackAlign - 1)) == 0);
130
131 __safestack_unsafe_stack_ptr = stack_ptr;
132 unsafe_stack_start = start;
133 unsafe_stack_size = size;
134 unsafe_stack_guard = guard;
135}
136
137/// Thread data for the cleanup handler
138pthread_key_t thread_cleanup_key;
139
140/// Safe stack per-thread information passed to the thread_start function
141struct tinfo {
142 void *(*start_routine)(void *);
143 void *start_routine_arg;
144
145 void *unsafe_stack_start;
146 size_t unsafe_stack_size;
147 size_t unsafe_stack_guard;
148};
149
150/// Wrap the thread function in order to deallocate the unsafe stack when the
151/// thread terminates by returning from its main function.
152void *thread_start(void *arg) {
153 struct tinfo *tinfo = (struct tinfo *)arg;
154
155 void *(*start_routine)(void *) = tinfo->start_routine;
156 void *start_routine_arg = tinfo->start_routine_arg;
157
158 // Setup the unsafe stack; this will destroy tinfo content
159 unsafe_stack_setup(start: tinfo->unsafe_stack_start, size: tinfo->unsafe_stack_size,
160 guard: tinfo->unsafe_stack_guard);
161
162 // Make sure out thread-specific destructor will be called
163 pthread_setspecific(key: thread_cleanup_key, pointer: (void *)1);
164
165 return start_routine(start_routine_arg);
166}
167
168/// Linked list used to store exiting threads stack/thread information.
169struct thread_stack_ll {
170 struct thread_stack_ll *next;
171 void *stack_base;
172 size_t size;
173 pid_t pid;
174 ThreadId tid;
175};
176
177/// Linked list of unsafe stacks for threads that are exiting. We delay
178/// unmapping them until the thread exits.
179thread_stack_ll *thread_stacks = nullptr;
180pthread_mutex_t thread_stacks_mutex = PTHREAD_MUTEX_INITIALIZER;
181
182/// Thread-specific data destructor. We want to free the unsafe stack only after
183/// this thread is terminated. libc can call functions in safestack-instrumented
184/// code (like free) after thread-specific data destructors have run.
185void thread_cleanup_handler(void *_iter) {
186 SFS_CHECK(unsafe_stack_start != nullptr);
187 pthread_setspecific(key: thread_cleanup_key, NULL);
188
189 pthread_mutex_lock(mutex: &thread_stacks_mutex);
190 // Temporary list to hold the previous threads stacks so we don't hold the
191 // thread_stacks_mutex for long.
192 thread_stack_ll *temp_stacks = thread_stacks;
193 thread_stacks = nullptr;
194 pthread_mutex_unlock(mutex: &thread_stacks_mutex);
195
196 pid_t pid = getpid();
197 ThreadId tid = GetTid();
198
199 // Free stacks for dead threads
200 thread_stack_ll **stackp = &temp_stacks;
201 while (*stackp) {
202 thread_stack_ll *stack = *stackp;
203 if (stack->pid != pid ||
204 (-1 == TgKill(pid: stack->pid, tid: stack->tid, sig: 0) && errno == ESRCH)) {
205 Munmap(addr: stack->stack_base, length: stack->size);
206 *stackp = stack->next;
207 free(ptr: stack);
208 } else
209 stackp = &stack->next;
210 }
211
212 thread_stack_ll *cur_stack =
213 (thread_stack_ll *)malloc(size: sizeof(thread_stack_ll));
214 cur_stack->stack_base = (char *)unsafe_stack_start - unsafe_stack_guard;
215 cur_stack->size = unsafe_stack_size + unsafe_stack_guard;
216 cur_stack->pid = pid;
217 cur_stack->tid = tid;
218
219 pthread_mutex_lock(mutex: &thread_stacks_mutex);
220 // Merge thread_stacks with the current thread's stack and any remaining
221 // temp_stacks
222 *stackp = thread_stacks;
223 cur_stack->next = temp_stacks;
224 thread_stacks = cur_stack;
225 pthread_mutex_unlock(mutex: &thread_stacks_mutex);
226
227 unsafe_stack_start = nullptr;
228}
229
230void EnsureInterceptorsInitialized();
231
232/// Intercept thread creation operation to allocate and setup the unsafe stack
233INTERCEPTOR(int, pthread_create, pthread_t *thread,
234 const pthread_attr_t *attr,
235 void *(*start_routine)(void*), void *arg) {
236 EnsureInterceptorsInitialized();
237 size_t size = 0;
238 size_t guard = 0;
239
240 if (attr) {
241 pthread_attr_getstacksize(attr: attr, stacksize: &size);
242 pthread_attr_getguardsize(attr: attr, guardsize: &guard);
243 } else {
244 // get pthread default stack size
245 pthread_attr_t tmpattr;
246 pthread_attr_init(attr: &tmpattr);
247 pthread_attr_getstacksize(attr: &tmpattr, stacksize: &size);
248 pthread_attr_getguardsize(attr: &tmpattr, guardsize: &guard);
249 pthread_attr_destroy(attr: &tmpattr);
250 }
251
252#if SANITIZER_SOLARIS
253 // Solaris pthread_attr_init initializes stacksize to 0 (the default), so
254 // hardcode the actual values as documented in pthread_create(3C).
255 if (size == 0)
256# if defined(_LP64)
257 size = 2 * 1024 * 1024;
258# else
259 size = 1024 * 1024;
260# endif
261#endif
262
263 SFS_CHECK(size);
264 size = RoundUpTo(size, boundary: kStackAlign);
265
266 void *addr = unsafe_stack_alloc(size, guard);
267 // Put tinfo at the end of the buffer. guard may be not page aligned.
268 // If that is so then some bytes after addr can be mprotected.
269 struct tinfo *tinfo =
270 (struct tinfo *)(((char *)addr) + size - sizeof(struct tinfo));
271 tinfo->start_routine = start_routine;
272 tinfo->start_routine_arg = arg;
273 tinfo->unsafe_stack_start = addr;
274 tinfo->unsafe_stack_size = size;
275 tinfo->unsafe_stack_guard = guard;
276
277 return REAL(pthread_create)(thread, attr, thread_start, tinfo);
278}
279
280pthread_mutex_t interceptor_init_mutex = PTHREAD_MUTEX_INITIALIZER;
281bool interceptors_inited = false;
282
283void EnsureInterceptorsInitialized() {
284 MutexLock lock(interceptor_init_mutex);
285 if (interceptors_inited)
286 return;
287
288 // Initialize pthread interceptors for thread allocation
289 INTERCEPT_FUNCTION(pthread_create);
290
291 interceptors_inited = true;
292}
293
294} // namespace
295
296extern "C" __attribute__((visibility("default")))
297#if !SANITIZER_CAN_USE_PREINIT_ARRAY
298// On ELF platforms, the constructor is invoked using .preinit_array (see below)
299__attribute__((constructor(0)))
300#endif
301void __safestack_init() {
302 // Determine the stack size for the main thread.
303 size_t size = kDefaultUnsafeStackSize;
304 size_t guard = 4096;
305
306 struct rlimit limit;
307 if (getrlimit(RLIMIT_STACK, rlimits: &limit) == 0 && limit.rlim_cur != RLIM_INFINITY)
308 size = limit.rlim_cur;
309
310 // Allocate unsafe stack for main thread
311 void *addr = unsafe_stack_alloc(size, guard);
312 unsafe_stack_setup(start: addr, size, guard);
313
314 // Setup the cleanup handler
315 pthread_key_create(key: &thread_cleanup_key, destr_function: thread_cleanup_handler);
316}
317
318#if SANITIZER_CAN_USE_PREINIT_ARRAY
319// On ELF platforms, run safestack initialization before any other constructors.
320// On other platforms we use the constructor attribute to arrange to run our
321// initialization early.
322extern "C" {
323__attribute__((section(".preinit_array"),
324 used)) void (*__safestack_preinit)(void) = __safestack_init;
325}
326#endif
327
328extern "C"
329 __attribute__((visibility("default"))) void *__get_unsafe_stack_bottom() {
330 return unsafe_stack_start;
331}
332
333extern "C"
334 __attribute__((visibility("default"))) void *__get_unsafe_stack_top() {
335 return (char*)unsafe_stack_start + unsafe_stack_size;
336}
337
338extern "C"
339 __attribute__((visibility("default"))) void *__get_unsafe_stack_start() {
340 return unsafe_stack_start;
341}
342
343extern "C"
344 __attribute__((visibility("default"))) void *__get_unsafe_stack_ptr() {
345 return __safestack_unsafe_stack_ptr;
346}
347