| 1 | //===-- safestack.cpp -----------------------------------------------------===// |
|---|---|
| 2 | // |
| 3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. |
| 4 | // See https://llvm.org/LICENSE.txt for license information. |
| 5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception |
| 6 | // |
| 7 | //===----------------------------------------------------------------------===// |
| 8 | // |
| 9 | // This file implements the runtime support for the safe stack protection |
| 10 | // mechanism. The runtime manages allocation/deallocation of the unsafe stack |
| 11 | // for the main thread, as well as all pthreads that are created/destroyed |
| 12 | // during program execution. |
| 13 | // |
| 14 | //===----------------------------------------------------------------------===// |
| 15 | |
| 16 | #define SANITIZER_COMMON_NO_REDEFINE_BUILTINS |
| 17 | |
| 18 | #include "safestack_platform.h" |
| 19 | #include "safestack_util.h" |
| 20 | #include "sanitizer_common/sanitizer_internal_defs.h" |
| 21 | |
| 22 | #include <errno.h> |
| 23 | #include <string.h> |
| 24 | #include <sys/resource.h> |
| 25 | |
| 26 | #include "interception/interception.h" |
| 27 | |
| 28 | // interception.h drags in sanitizer_redefine_builtins.h, which in turn |
| 29 | // creates references to __sanitizer_internal_memcpy etc. The interceptors |
| 30 | // aren't needed here, so just forward to libc. |
| 31 | extern "C"{ |
| 32 | SANITIZER_INTERFACE_ATTRIBUTE void *__sanitizer_internal_memcpy(void *dest, |
| 33 | const void *src, |
| 34 | size_t n) { |
| 35 | return memcpy(dest: dest, src: src, n: n); |
| 36 | } |
| 37 | |
| 38 | SANITIZER_INTERFACE_ATTRIBUTE void *__sanitizer_internal_memmove( |
| 39 | void *dest, const void *src, size_t n) { |
| 40 | return memmove(dest: dest, src: src, n: n); |
| 41 | } |
| 42 | |
| 43 | SANITIZER_INTERFACE_ATTRIBUTE void *__sanitizer_internal_memset(void *s, int c, |
| 44 | size_t n) { |
| 45 | return memset(s: s, c: c, n: n); |
| 46 | } |
| 47 | } // extern "C" |
| 48 | |
| 49 | using namespace safestack; |
| 50 | |
| 51 | // TODO: To make accessing the unsafe stack pointer faster, we plan to |
| 52 | // eventually store it directly in the thread control block data structure on |
| 53 | // platforms where this structure is pointed to by %fs or %gs. This is exactly |
| 54 | // the same mechanism as currently being used by the traditional stack |
| 55 | // protector pass to store the stack guard (see getStackCookieLocation() |
| 56 | // function above). Doing so requires changing the tcbhead_t struct in glibc |
| 57 | // on Linux and tcb struct in libc on FreeBSD. |
| 58 | // |
| 59 | // For now, store it in a thread-local variable. |
| 60 | extern "C"{ |
| 61 | __attribute__((visibility( |
| 62 | "default"))) __thread void *__safestack_unsafe_stack_ptr = nullptr; |
| 63 | } |
| 64 | |
| 65 | namespace { |
| 66 | |
| 67 | // TODO: The runtime library does not currently protect the safe stack beyond |
| 68 | // relying on the system-enforced ASLR. The protection of the (safe) stack can |
| 69 | // be provided by three alternative features: |
| 70 | // |
| 71 | // 1) Protection via hardware segmentation on x86-32 and some x86-64 |
| 72 | // architectures: the (safe) stack segment (implicitly accessed via the %ss |
| 73 | // segment register) can be separated from the data segment (implicitly |
| 74 | // accessed via the %ds segment register). Dereferencing a pointer to the safe |
| 75 | // segment would result in a segmentation fault. |
| 76 | // |
| 77 | // 2) Protection via software fault isolation: memory writes that are not meant |
| 78 | // to access the safe stack can be prevented from doing so through runtime |
| 79 | // instrumentation. One way to do it is to allocate the safe stack(s) in the |
| 80 | // upper half of the userspace and bitmask the corresponding upper bit of the |
| 81 | // memory addresses of memory writes that are not meant to access the safe |
| 82 | // stack. |
| 83 | // |
| 84 | // 3) Protection via information hiding on 64 bit architectures: the location |
| 85 | // of the safe stack(s) can be randomized through secure mechanisms, and the |
| 86 | // leakage of the stack pointer can be prevented. Currently, libc can leak the |
| 87 | // stack pointer in several ways (e.g. in longjmp, signal handling, user-level |
| 88 | // context switching related functions, etc.). These can be fixed in libc and |
| 89 | // in other low-level libraries, by either eliminating the escaping/dumping of |
| 90 | // the stack pointer (i.e., %rsp) when that's possible, or by using |
| 91 | // encryption/PTR_MANGLE (XOR-ing the dumped stack pointer with another secret |
| 92 | // we control and protect better, as is already done for setjmp in glibc.) |
| 93 | // Furthermore, a static machine code level verifier can be ran after code |
| 94 | // generation to make sure that the stack pointer is never written to memory, |
| 95 | // or if it is, its written on the safe stack. |
| 96 | // |
| 97 | // Finally, while the Unsafe Stack pointer is currently stored in a thread |
| 98 | // local variable, with libc support it could be stored in the TCB (thread |
| 99 | // control block) as well, eliminating another level of indirection and making |
| 100 | // such accesses faster. Alternatively, dedicating a separate register for |
| 101 | // storing it would also be possible. |
| 102 | |
| 103 | /// Minimum stack alignment for the unsafe stack. |
| 104 | const unsigned kStackAlign = 16; |
| 105 | |
| 106 | /// Default size of the unsafe stack. This value is only used if the stack |
| 107 | /// size rlimit is set to infinity. |
| 108 | const unsigned kDefaultUnsafeStackSize = 0x2800000; |
| 109 | |
| 110 | // Per-thread unsafe stack information. It's not frequently accessed, so there |
| 111 | // it can be kept out of the tcb in normal thread-local variables. |
| 112 | __thread void *unsafe_stack_start = nullptr; |
| 113 | __thread size_t unsafe_stack_size = 0; |
| 114 | __thread size_t unsafe_stack_guard = 0; |
| 115 | |
| 116 | inline void *unsafe_stack_alloc(size_t size, size_t guard) { |
| 117 | SFS_CHECK(size + guard >= size); |
| 118 | void *addr = Mmap(addr: nullptr, length: size + guard, PROT_READ | PROT_WRITE, |
| 119 | MAP_PRIVATE | MAP_ANON, fd: -1, offset: 0); |
| 120 | SFS_CHECK(MAP_FAILED != addr); |
| 121 | Mprotect(addr, length: guard, PROT_NONE); |
| 122 | return (char *)addr + guard; |
| 123 | } |
| 124 | |
| 125 | inline void unsafe_stack_setup(void *start, size_t size, size_t guard) { |
| 126 | SFS_CHECK((char *)start + size >= (char *)start); |
| 127 | SFS_CHECK((char *)start + guard >= (char *)start); |
| 128 | void *stack_ptr = (char *)start + size; |
| 129 | SFS_CHECK((((size_t)stack_ptr) & (kStackAlign - 1)) == 0); |
| 130 | |
| 131 | __safestack_unsafe_stack_ptr = stack_ptr; |
| 132 | unsafe_stack_start = start; |
| 133 | unsafe_stack_size = size; |
| 134 | unsafe_stack_guard = guard; |
| 135 | } |
| 136 | |
| 137 | /// Thread data for the cleanup handler |
| 138 | pthread_key_t thread_cleanup_key; |
| 139 | |
| 140 | /// Safe stack per-thread information passed to the thread_start function |
| 141 | struct tinfo { |
| 142 | void *(*start_routine)(void *); |
| 143 | void *start_routine_arg; |
| 144 | |
| 145 | void *unsafe_stack_start; |
| 146 | size_t unsafe_stack_size; |
| 147 | size_t unsafe_stack_guard; |
| 148 | }; |
| 149 | |
| 150 | /// Wrap the thread function in order to deallocate the unsafe stack when the |
| 151 | /// thread terminates by returning from its main function. |
| 152 | void *thread_start(void *arg) { |
| 153 | struct tinfo *tinfo = (struct tinfo *)arg; |
| 154 | |
| 155 | void *(*start_routine)(void *) = tinfo->start_routine; |
| 156 | void *start_routine_arg = tinfo->start_routine_arg; |
| 157 | |
| 158 | // Setup the unsafe stack; this will destroy tinfo content |
| 159 | unsafe_stack_setup(start: tinfo->unsafe_stack_start, size: tinfo->unsafe_stack_size, |
| 160 | guard: tinfo->unsafe_stack_guard); |
| 161 | |
| 162 | // Make sure out thread-specific destructor will be called |
| 163 | pthread_setspecific(key: thread_cleanup_key, pointer: (void *)1); |
| 164 | |
| 165 | return start_routine(start_routine_arg); |
| 166 | } |
| 167 | |
| 168 | /// Linked list used to store exiting threads stack/thread information. |
| 169 | struct thread_stack_ll { |
| 170 | struct thread_stack_ll *next; |
| 171 | void *stack_base; |
| 172 | size_t size; |
| 173 | pid_t pid; |
| 174 | ThreadId tid; |
| 175 | }; |
| 176 | |
| 177 | /// Linked list of unsafe stacks for threads that are exiting. We delay |
| 178 | /// unmapping them until the thread exits. |
| 179 | thread_stack_ll *thread_stacks = nullptr; |
| 180 | pthread_mutex_t thread_stacks_mutex = PTHREAD_MUTEX_INITIALIZER; |
| 181 | |
| 182 | /// Thread-specific data destructor. We want to free the unsafe stack only after |
| 183 | /// this thread is terminated. libc can call functions in safestack-instrumented |
| 184 | /// code (like free) after thread-specific data destructors have run. |
| 185 | void thread_cleanup_handler(void *_iter) { |
| 186 | SFS_CHECK(unsafe_stack_start != nullptr); |
| 187 | pthread_setspecific(key: thread_cleanup_key, NULL); |
| 188 | |
| 189 | pthread_mutex_lock(mutex: &thread_stacks_mutex); |
| 190 | // Temporary list to hold the previous threads stacks so we don't hold the |
| 191 | // thread_stacks_mutex for long. |
| 192 | thread_stack_ll *temp_stacks = thread_stacks; |
| 193 | thread_stacks = nullptr; |
| 194 | pthread_mutex_unlock(mutex: &thread_stacks_mutex); |
| 195 | |
| 196 | pid_t pid = getpid(); |
| 197 | ThreadId tid = GetTid(); |
| 198 | |
| 199 | // Free stacks for dead threads |
| 200 | thread_stack_ll **stackp = &temp_stacks; |
| 201 | while (*stackp) { |
| 202 | thread_stack_ll *stack = *stackp; |
| 203 | if (stack->pid != pid || |
| 204 | (-1 == TgKill(pid: stack->pid, tid: stack->tid, sig: 0) && errno == ESRCH)) { |
| 205 | Munmap(addr: stack->stack_base, length: stack->size); |
| 206 | *stackp = stack->next; |
| 207 | free(ptr: stack); |
| 208 | } else |
| 209 | stackp = &stack->next; |
| 210 | } |
| 211 | |
| 212 | thread_stack_ll *cur_stack = |
| 213 | (thread_stack_ll *)malloc(size: sizeof(thread_stack_ll)); |
| 214 | cur_stack->stack_base = (char *)unsafe_stack_start - unsafe_stack_guard; |
| 215 | cur_stack->size = unsafe_stack_size + unsafe_stack_guard; |
| 216 | cur_stack->pid = pid; |
| 217 | cur_stack->tid = tid; |
| 218 | |
| 219 | pthread_mutex_lock(mutex: &thread_stacks_mutex); |
| 220 | // Merge thread_stacks with the current thread's stack and any remaining |
| 221 | // temp_stacks |
| 222 | *stackp = thread_stacks; |
| 223 | cur_stack->next = temp_stacks; |
| 224 | thread_stacks = cur_stack; |
| 225 | pthread_mutex_unlock(mutex: &thread_stacks_mutex); |
| 226 | |
| 227 | unsafe_stack_start = nullptr; |
| 228 | } |
| 229 | |
| 230 | void EnsureInterceptorsInitialized(); |
| 231 | |
| 232 | /// Intercept thread creation operation to allocate and setup the unsafe stack |
| 233 | INTERCEPTOR(int, pthread_create, pthread_t *thread, |
| 234 | const pthread_attr_t *attr, |
| 235 | void *(*start_routine)(void*), void *arg) { |
| 236 | EnsureInterceptorsInitialized(); |
| 237 | size_t size = 0; |
| 238 | size_t guard = 0; |
| 239 | |
| 240 | if (attr) { |
| 241 | pthread_attr_getstacksize(attr: attr, stacksize: &size); |
| 242 | pthread_attr_getguardsize(attr: attr, guardsize: &guard); |
| 243 | } else { |
| 244 | // get pthread default stack size |
| 245 | pthread_attr_t tmpattr; |
| 246 | pthread_attr_init(attr: &tmpattr); |
| 247 | pthread_attr_getstacksize(attr: &tmpattr, stacksize: &size); |
| 248 | pthread_attr_getguardsize(attr: &tmpattr, guardsize: &guard); |
| 249 | pthread_attr_destroy(attr: &tmpattr); |
| 250 | } |
| 251 | |
| 252 | #if SANITIZER_SOLARIS |
| 253 | // Solaris pthread_attr_init initializes stacksize to 0 (the default), so |
| 254 | // hardcode the actual values as documented in pthread_create(3C). |
| 255 | if (size == 0) |
| 256 | # if defined(_LP64) |
| 257 | size = 2 * 1024 * 1024; |
| 258 | # else |
| 259 | size = 1024 * 1024; |
| 260 | # endif |
| 261 | #endif |
| 262 | |
| 263 | SFS_CHECK(size); |
| 264 | size = RoundUpTo(size, boundary: kStackAlign); |
| 265 | |
| 266 | void *addr = unsafe_stack_alloc(size, guard); |
| 267 | // Put tinfo at the end of the buffer. guard may be not page aligned. |
| 268 | // If that is so then some bytes after addr can be mprotected. |
| 269 | struct tinfo *tinfo = |
| 270 | (struct tinfo *)(((char *)addr) + size - sizeof(struct tinfo)); |
| 271 | tinfo->start_routine = start_routine; |
| 272 | tinfo->start_routine_arg = arg; |
| 273 | tinfo->unsafe_stack_start = addr; |
| 274 | tinfo->unsafe_stack_size = size; |
| 275 | tinfo->unsafe_stack_guard = guard; |
| 276 | |
| 277 | return REAL(pthread_create)(thread, attr, thread_start, tinfo); |
| 278 | } |
| 279 | |
| 280 | pthread_mutex_t interceptor_init_mutex = PTHREAD_MUTEX_INITIALIZER; |
| 281 | bool interceptors_inited = false; |
| 282 | |
| 283 | void EnsureInterceptorsInitialized() { |
| 284 | MutexLock lock(interceptor_init_mutex); |
| 285 | if (interceptors_inited) |
| 286 | return; |
| 287 | |
| 288 | // Initialize pthread interceptors for thread allocation |
| 289 | INTERCEPT_FUNCTION(pthread_create); |
| 290 | |
| 291 | interceptors_inited = true; |
| 292 | } |
| 293 | |
| 294 | } // namespace |
| 295 | |
| 296 | extern "C"__attribute__((visibility( "default"))) |
| 297 | #if !SANITIZER_CAN_USE_PREINIT_ARRAY |
| 298 | // On ELF platforms, the constructor is invoked using .preinit_array (see below) |
| 299 | __attribute__((constructor(0))) |
| 300 | #endif |
| 301 | void __safestack_init() { |
| 302 | // Determine the stack size for the main thread. |
| 303 | size_t size = kDefaultUnsafeStackSize; |
| 304 | size_t guard = 4096; |
| 305 | |
| 306 | struct rlimit limit; |
| 307 | if (getrlimit(RLIMIT_STACK, rlimits: &limit) == 0 && limit.rlim_cur != RLIM_INFINITY) |
| 308 | size = limit.rlim_cur; |
| 309 | |
| 310 | // Allocate unsafe stack for main thread |
| 311 | void *addr = unsafe_stack_alloc(size, guard); |
| 312 | unsafe_stack_setup(start: addr, size, guard); |
| 313 | |
| 314 | // Setup the cleanup handler |
| 315 | pthread_key_create(key: &thread_cleanup_key, destr_function: thread_cleanup_handler); |
| 316 | } |
| 317 | |
| 318 | #if SANITIZER_CAN_USE_PREINIT_ARRAY |
| 319 | // On ELF platforms, run safestack initialization before any other constructors. |
| 320 | // On other platforms we use the constructor attribute to arrange to run our |
| 321 | // initialization early. |
| 322 | extern "C"{ |
| 323 | __attribute__((section(".preinit_array"), |
| 324 | used)) void (*__safestack_preinit)(void) = __safestack_init; |
| 325 | } |
| 326 | #endif |
| 327 | |
| 328 | extern "C" |
| 329 | __attribute__((visibility("default"))) void *__get_unsafe_stack_bottom() { |
| 330 | return unsafe_stack_start; |
| 331 | } |
| 332 | |
| 333 | extern "C" |
| 334 | __attribute__((visibility("default"))) void *__get_unsafe_stack_top() { |
| 335 | return (char*)unsafe_stack_start + unsafe_stack_size; |
| 336 | } |
| 337 | |
| 338 | extern "C" |
| 339 | __attribute__((visibility("default"))) void *__get_unsafe_stack_start() { |
| 340 | return unsafe_stack_start; |
| 341 | } |
| 342 | |
| 343 | extern "C" |
| 344 | __attribute__((visibility("default"))) void *__get_unsafe_stack_ptr() { |
| 345 | return __safestack_unsafe_stack_ptr; |
| 346 | } |
| 347 |
Generated on 2024-Oct-10 from project llvm_runtimes revision release-19.x-64075837b
Powered by 
Code Browser 2.1
Generator usage only permitted with license.