//===-- dfsan.cpp ---------------------------------------------------------===// // // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // See https://llvm.org/LICENSE.txt for license information. // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // //===----------------------------------------------------------------------===// // // This file is a part of DataFlowSanitizer. // // DataFlowSanitizer runtime. This file defines the public interface to // DataFlowSanitizer as well as the definition of certain runtime functions // called automatically by the compiler (specifically the instrumentation pass // in llvm/lib/Transforms/Instrumentation/DataFlowSanitizer.cpp). // // The public interface is defined in include/sanitizer/dfsan_interface.h whose // functions are prefixed dfsan_ while the compiler interface functions are // prefixed __dfsan_. //===----------------------------------------------------------------------===// #include "dfsan/dfsan.h" #include "dfsan/dfsan_chained_origin_depot.h" #include "dfsan/dfsan_flags.h" #include "dfsan/dfsan_origin.h" #include "dfsan/dfsan_thread.h" #include "sanitizer_common/sanitizer_atomic.h" #include "sanitizer_common/sanitizer_common.h" #include "sanitizer_common/sanitizer_file.h" #include "sanitizer_common/sanitizer_flag_parser.h" #include "sanitizer_common/sanitizer_flags.h" #include "sanitizer_common/sanitizer_internal_defs.h" #include "sanitizer_common/sanitizer_libc.h" #include "sanitizer_common/sanitizer_report_decorator.h" #include "sanitizer_common/sanitizer_stacktrace.h" #if SANITIZER_LINUX # include <sys/personality.h> #endif usingnamespace__dfsan; Flags __dfsan::flags_data; // The size of TLS variables. These constants must be kept in sync with the ones // in DataFlowSanitizer.cpp. static const int kDFsanArgTlsSize = …; static const int kDFsanRetvalTlsSize = …; static const int kDFsanArgOriginTlsSize = …; SANITIZER_INTERFACE_ATTRIBUTE THREADLOCAL u64 __dfsan_retval_tls[kDFsanRetvalTlsSize / sizeof(u64)]; SANITIZER_INTERFACE_ATTRIBUTE THREADLOCAL u32 __dfsan_retval_origin_tls; SANITIZER_INTERFACE_ATTRIBUTE THREADLOCAL u64 __dfsan_arg_tls[kDFsanArgTlsSize / sizeof(u64)]; SANITIZER_INTERFACE_ATTRIBUTE THREADLOCAL u32 __dfsan_arg_origin_tls[kDFsanArgOriginTlsSize / sizeof(u32)]; // Instrumented code may set this value in terms of -dfsan-track-origins. // * undefined or 0: do not track origins. // * 1: track origins at memory store operations. // * 2: track origins at memory load and store operations. // TODO: track callsites. extern "C" SANITIZER_WEAK_ATTRIBUTE const int __dfsan_track_origins; extern "C" SANITIZER_INTERFACE_ATTRIBUTE int dfsan_get_track_origins() { … } // On Linux/x86_64, memory is laid out as follows: // // +--------------------+ 0x800000000000 (top of memory) // | application 3 | // +--------------------+ 0x700000000000 // | invalid | // +--------------------+ 0x610000000000 // | origin 1 | // +--------------------+ 0x600000000000 // | application 2 | // +--------------------+ 0x510000000000 // | shadow 1 | // +--------------------+ 0x500000000000 // | invalid | // +--------------------+ 0x400000000000 // | origin 3 | // +--------------------+ 0x300000000000 // | shadow 3 | // +--------------------+ 0x200000000000 // | origin 2 | // +--------------------+ 0x110000000000 // | invalid | // +--------------------+ 0x100000000000 // | shadow 2 | // +--------------------+ 0x010000000000 // | application 1 | // +--------------------+ 0x000000000000 // // MEM_TO_SHADOW(mem) = mem ^ 0x500000000000 // SHADOW_TO_ORIGIN(shadow) = shadow + 0x100000000000 extern "C" SANITIZER_INTERFACE_ATTRIBUTE dfsan_label __dfsan_union_load(const dfsan_label *ls, uptr n) { … } // Return the union of all the n labels from addr at the high 32 bit, and the // origin of the first taint byte at the low 32 bit. extern "C" SANITIZER_INTERFACE_ATTRIBUTE u64 __dfsan_load_label_and_origin(const void *addr, uptr n) { … } extern "C" SANITIZER_INTERFACE_ATTRIBUTE void __dfsan_unimplemented(char *fname) { … } extern "C" SANITIZER_INTERFACE_ATTRIBUTE void __dfsan_wrapper_extern_weak_null( const void *addr, char *fname) { … } // Use '-mllvm -dfsan-debug-nonzero-labels' and break on this function // to try to figure out where labels are being introduced in a nominally // label-free program. extern "C" SANITIZER_INTERFACE_ATTRIBUTE void __dfsan_nonzero_label() { … } // Indirect call to an uninstrumented vararg function. We don't have a way of // handling these at the moment. extern "C" SANITIZER_INTERFACE_ATTRIBUTE void __dfsan_vararg_wrapper(const char *fname) { … } // Resolves the union of two labels. SANITIZER_INTERFACE_ATTRIBUTE dfsan_label dfsan_union(dfsan_label l1, dfsan_label l2) { … } static const uptr kOriginAlign = …; static const uptr kOriginAlignMask = …; static uptr OriginAlignUp(uptr u) { … } static uptr OriginAlignDown(uptr u) { … } // Return the origin of the first taint byte in the size bytes from the address // addr. static dfsan_origin GetOriginIfTainted(uptr addr, uptr size) { … } // For platforms which support slow unwinder only, we need to restrict the store // context size to 1, basically only storing the current pc, because the slow // unwinder which is based on libunwind is not async signal safe and causes // random freezes in forking applications as well as in signal handlers. // DFSan supports only Linux. So we do not restrict the store context size. #define GET_STORE_STACK_TRACE_PC_BP(pc, bp) … #define PRINT_CALLER_STACK_TRACE … // Return a chain with the previous ID id and the current stack. // from_init = true if this is the first chain of an origin tracking path. static u32 ChainOrigin(u32 id, StackTrace *stack, bool from_init = false) { … } static void ChainAndWriteOriginIfTainted(uptr src, uptr size, uptr dst, StackTrace *stack) { … } // Copy the origins of the size bytes from src to dst. The source and target // memory ranges cannot be overlapped. This is used by memcpy. stack records the // stack trace of the memcpy. When dst and src are not 4-byte aligned properly, // origins at the unaligned address boundaries may be overwritten because four // contiguous bytes share the same origin. static void CopyOrigin(const void *dst, const void *src, uptr size, StackTrace *stack) { … } // Copy the origins of the size bytes from src to dst. The source and target // memory ranges may be overlapped. So the copy is done in a reverse order. // This is used by memmove. stack records the stack trace of the memmove. static void ReverseCopyOrigin(const void *dst, const void *src, uptr size, StackTrace *stack) { … } // Copy or move the origins of the len bytes from src to dst. The source and // target memory ranges may or may not be overlapped. This is used by memory // transfer operations. stack records the stack trace of the memory transfer // operation. static void MoveOrigin(const void *dst, const void *src, uptr size, StackTrace *stack) { … } // Set the size bytes from the addres dst to be the origin value. static void SetOrigin(const void *dst, uptr size, u32 origin) { … } #define RET_CHAIN_ORIGIN(id) … // Return a new origin chain with the previous ID id and the current stack // trace. extern "C" SANITIZER_INTERFACE_ATTRIBUTE dfsan_origin __dfsan_chain_origin(dfsan_origin id) { … } // Return a new origin chain with the previous ID id and the current stack // trace if the label is tainted. extern "C" SANITIZER_INTERFACE_ATTRIBUTE dfsan_origin __dfsan_chain_origin_if_tainted(dfsan_label label, dfsan_origin id) { … } // Copy or move the origins of the len bytes from src to dst. extern "C" SANITIZER_INTERFACE_ATTRIBUTE void __dfsan_mem_origin_transfer( const void *dst, const void *src, uptr len) { … } extern "C" SANITIZER_INTERFACE_ATTRIBUTE void dfsan_mem_origin_transfer( const void *dst, const void *src, uptr len) { … } static void CopyShadow(void *dst, const void *src, uptr len) { … } extern "C" SANITIZER_INTERFACE_ATTRIBUTE void dfsan_mem_shadow_transfer( void *dst, const void *src, uptr len) { … } // Copy shadow and origins of the len bytes from src to dst. extern "C" SANITIZER_INTERFACE_ATTRIBUTE void __dfsan_mem_shadow_origin_transfer(void *dst, const void *src, uptr size) { … } // Copy shadow and origins as per __atomic_compare_exchange. extern "C" SANITIZER_INTERFACE_ATTRIBUTE void __dfsan_mem_shadow_origin_conditional_exchange(u8 condition, void *target, void *expected, const void *desired, uptr size) { … } bool __dfsan::dfsan_inited; bool __dfsan::dfsan_init_is_running; void __dfsan::dfsan_copy_memory(void *dst, const void *src, uptr size) { … } // Releases the pages within the origin address range. static void ReleaseOrigins(void *addr, uptr size) { … } static void WriteZeroShadowInRange(uptr beg, uptr end) { … } // Releases the pages within the shadow address range, and sets // the shadow addresses not on the pages to be 0. static void ReleaseOrClearShadows(void *addr, uptr size) { … } static void SetShadow(dfsan_label label, void *addr, uptr size, dfsan_origin origin) { … } // If the label s is tainted, set the size bytes from the address p to be a new // origin chain with the previous ID o and the current stack trace. This is // used by instrumentation to reduce code size when too much code is inserted. extern "C" SANITIZER_INTERFACE_ATTRIBUTE void __dfsan_maybe_store_origin( dfsan_label s, void *p, uptr size, dfsan_origin o) { … } extern "C" SANITIZER_INTERFACE_ATTRIBUTE void __dfsan_set_label( dfsan_label label, dfsan_origin origin, void *addr, uptr size) { … } SANITIZER_INTERFACE_ATTRIBUTE void dfsan_set_label(dfsan_label label, void *addr, uptr size) { … } SANITIZER_INTERFACE_ATTRIBUTE void dfsan_add_label(dfsan_label label, void *addr, uptr size) { … } // Unlike the other dfsan interface functions the behavior of this function // depends on the label of one of its arguments. Hence it is implemented as a // custom function. extern "C" SANITIZER_INTERFACE_ATTRIBUTE dfsan_label __dfsw_dfsan_get_label(long data, dfsan_label data_label, dfsan_label *ret_label) { … } extern "C" SANITIZER_INTERFACE_ATTRIBUTE dfsan_label __dfso_dfsan_get_label( long data, dfsan_label data_label, dfsan_label *ret_label, dfsan_origin data_origin, dfsan_origin *ret_origin) { … } // This function is used if dfsan_get_origin is called when origin tracking is // off. extern "C" SANITIZER_INTERFACE_ATTRIBUTE dfsan_origin __dfsw_dfsan_get_origin( long data, dfsan_label data_label, dfsan_label *ret_label) { … } extern "C" SANITIZER_INTERFACE_ATTRIBUTE dfsan_origin __dfso_dfsan_get_origin( long data, dfsan_label data_label, dfsan_label *ret_label, dfsan_origin data_origin, dfsan_origin *ret_origin) { … } SANITIZER_INTERFACE_ATTRIBUTE dfsan_label dfsan_read_label(const void *addr, uptr size) { … } SANITIZER_INTERFACE_ATTRIBUTE dfsan_origin dfsan_read_origin_of_first_taint(const void *addr, uptr size) { … } SANITIZER_INTERFACE_ATTRIBUTE void dfsan_set_label_origin(dfsan_label label, dfsan_origin origin, void *addr, uptr size) { … } extern "C" SANITIZER_INTERFACE_ATTRIBUTE int dfsan_has_label(dfsan_label label, dfsan_label elem) { … } namespace __dfsan { dfsan_conditional_callback_t; } // namespace __dfsan static dfsan_conditional_callback_t conditional_callback = …; static dfsan_label labels_in_signal_conditional = …; static void ConditionalCallback(dfsan_label label, dfsan_origin origin) { … } extern "C" SANITIZER_INTERFACE_ATTRIBUTE void __dfsan_conditional_callback_origin(dfsan_label label, dfsan_origin origin) { … } extern "C" SANITIZER_INTERFACE_ATTRIBUTE void __dfsan_conditional_callback( dfsan_label label) { … } extern "C" SANITIZER_INTERFACE_ATTRIBUTE void dfsan_set_conditional_callback( __dfsan::dfsan_conditional_callback_t callback) { … } extern "C" SANITIZER_INTERFACE_ATTRIBUTE dfsan_label dfsan_get_labels_in_signal_conditional() { … } namespace __dfsan { dfsan_reaches_function_callback_t; } // namespace __dfsan static dfsan_reaches_function_callback_t reaches_function_callback = …; static dfsan_label labels_in_signal_reaches_function = …; static void ReachesFunctionCallback(dfsan_label label, dfsan_origin origin, const char *file, unsigned int line, const char *function) { … } extern "C" SANITIZER_INTERFACE_ATTRIBUTE void __dfsan_reaches_function_callback_origin(dfsan_label label, dfsan_origin origin, const char *file, unsigned int line, const char *function) { … } extern "C" SANITIZER_INTERFACE_ATTRIBUTE void __dfsan_reaches_function_callback(dfsan_label label, const char *file, unsigned int line, const char *function) { … } extern "C" SANITIZER_INTERFACE_ATTRIBUTE void dfsan_set_reaches_function_callback( __dfsan::dfsan_reaches_function_callback_t callback) { … } extern "C" SANITIZER_INTERFACE_ATTRIBUTE dfsan_label dfsan_get_labels_in_signal_reaches_function() { … } namespace { class Decorator : public __sanitizer::SanitizerCommonDecorator { … }; } // namespace static void PrintNoOriginTrackingWarning() { … } static void PrintNoTaintWarning(const void *address) { … } static void PrintInvalidOriginWarning(dfsan_label label, const void *address) { … } static void PrintInvalidOriginIdWarning(dfsan_origin origin) { … } static bool PrintOriginTraceFramesToStr(Origin o, InternalScopedString *out) { … } static bool PrintOriginTraceToStr(const void *addr, const char *description, InternalScopedString *out) { … } extern "C" SANITIZER_INTERFACE_ATTRIBUTE void dfsan_print_origin_trace( const void *addr, const char *description) { … } extern "C" SANITIZER_INTERFACE_ATTRIBUTE uptr dfsan_sprint_origin_trace(const void *addr, const char *description, char *out_buf, uptr out_buf_size) { … } extern "C" SANITIZER_INTERFACE_ATTRIBUTE void dfsan_print_origin_id_trace( dfsan_origin origin) { … } extern "C" SANITIZER_INTERFACE_ATTRIBUTE uptr dfsan_sprint_origin_id_trace( dfsan_origin origin, char *out_buf, uptr out_buf_size) { … } extern "C" SANITIZER_INTERFACE_ATTRIBUTE dfsan_origin dfsan_get_init_origin(const void *addr) { … } void __sanitizer::BufferedStackTrace::UnwindImpl(uptr pc, uptr bp, void *context, bool request_fast, u32 max_depth) { … } extern "C" SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_print_stack_trace() { … } extern "C" SANITIZER_INTERFACE_ATTRIBUTE uptr dfsan_sprint_stack_trace(char *out_buf, uptr out_buf_size) { … } void Flags::SetDefaults() { … } static void RegisterDfsanFlags(FlagParser *parser, Flags *f) { … } static void InitializeFlags() { … } SANITIZER_INTERFACE_ATTRIBUTE void dfsan_clear_arg_tls(uptr offset, uptr size) { … } SANITIZER_INTERFACE_ATTRIBUTE void dfsan_clear_thread_local_state() { … } SANITIZER_INTERFACE_ATTRIBUTE void dfsan_set_arg_tls(uptr offset, dfsan_label label) { … } SANITIZER_INTERFACE_ATTRIBUTE void dfsan_set_arg_origin_tls(uptr offset, dfsan_origin o) { … } extern "C" void dfsan_flush() { … } // TODO: CheckMemoryLayoutSanity is based on msan. // Consider refactoring these into a shared implementation. static void CheckMemoryLayoutSanity() { … } // TODO: CheckMemoryRangeAvailability is based on msan. // Consider refactoring these into a shared implementation. static bool CheckMemoryRangeAvailability(uptr beg, uptr size, bool verbose) { … } // TODO: ProtectMemoryRange is based on msan. // Consider refactoring these into a shared implementation. static bool ProtectMemoryRange(uptr beg, uptr size, const char *name) { … } // TODO: InitShadow is based on msan. // Consider refactoring these into a shared implementation. static bool InitShadow(bool init_origins, bool dry_run) { … } static bool InitShadowWithReExec(bool init_origins) { … } static void DFsanInit(int argc, char **argv, char **envp) { … } void __dfsan::dfsan_init() { … } #if SANITIZER_CAN_USE_PREINIT_ARRAY __attribute__((section(".preinit_array"), used)) static void (*dfsan_init_ptr)(int, char **, char **) = …; #endif
Codebase Browser
llvm