//===-- safestack.cpp -----------------------------------------------------===// // // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // See https://llvm.org/LICENSE.txt for license information. // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // //===----------------------------------------------------------------------===// // // This file implements the runtime support for the safe stack protection // mechanism. The runtime manages allocation/deallocation of the unsafe stack // for the main thread, as well as all pthreads that are created/destroyed // during program execution. // //===----------------------------------------------------------------------===// #define SANITIZER_COMMON_NO_REDEFINE_BUILTINS #include "safestack_platform.h" #include "safestack_util.h" #include "sanitizer_common/sanitizer_internal_defs.h" #include <errno.h> #include <string.h> #include <sys/resource.h> #include "interception/interception.h" // interception.h drags in sanitizer_redefine_builtins.h, which in turn // creates references to __sanitizer_internal_memcpy etc. The interceptors // aren't needed here, so just forward to libc. extern "C" { SANITIZER_INTERFACE_ATTRIBUTE void *__sanitizer_internal_memcpy(void *dest, const void *src, size_t n) { … } SANITIZER_INTERFACE_ATTRIBUTE void *__sanitizer_internal_memmove( void *dest, const void *src, size_t n) { … } SANITIZER_INTERFACE_ATTRIBUTE void *__sanitizer_internal_memset(void *s, int c, size_t n) { … } } // extern "C" usingnamespacesafestack; // TODO: To make accessing the unsafe stack pointer faster, we plan to // eventually store it directly in the thread control block data structure on // platforms where this structure is pointed to by %fs or %gs. This is exactly // the same mechanism as currently being used by the traditional stack // protector pass to store the stack guard (see getStackCookieLocation() // function above). Doing so requires changing the tcbhead_t struct in glibc // on Linux and tcb struct in libc on FreeBSD. // // For now, store it in a thread-local variable. extern "C" { __attribute__((visibility( "default"))) __thread void *__safestack_unsafe_stack_ptr = …; } namespace { // TODO: The runtime library does not currently protect the safe stack beyond // relying on the system-enforced ASLR. The protection of the (safe) stack can // be provided by three alternative features: // // 1) Protection via hardware segmentation on x86-32 and some x86-64 // architectures: the (safe) stack segment (implicitly accessed via the %ss // segment register) can be separated from the data segment (implicitly // accessed via the %ds segment register). Dereferencing a pointer to the safe // segment would result in a segmentation fault. // // 2) Protection via software fault isolation: memory writes that are not meant // to access the safe stack can be prevented from doing so through runtime // instrumentation. One way to do it is to allocate the safe stack(s) in the // upper half of the userspace and bitmask the corresponding upper bit of the // memory addresses of memory writes that are not meant to access the safe // stack. // // 3) Protection via information hiding on 64 bit architectures: the location // of the safe stack(s) can be randomized through secure mechanisms, and the // leakage of the stack pointer can be prevented. Currently, libc can leak the // stack pointer in several ways (e.g. in longjmp, signal handling, user-level // context switching related functions, etc.). These can be fixed in libc and // in other low-level libraries, by either eliminating the escaping/dumping of // the stack pointer (i.e., %rsp) when that's possible, or by using // encryption/PTR_MANGLE (XOR-ing the dumped stack pointer with another secret // we control and protect better, as is already done for setjmp in glibc.) // Furthermore, a static machine code level verifier can be ran after code // generation to make sure that the stack pointer is never written to memory, // or if it is, its written on the safe stack. // // Finally, while the Unsafe Stack pointer is currently stored in a thread // local variable, with libc support it could be stored in the TCB (thread // control block) as well, eliminating another level of indirection and making // such accesses faster. Alternatively, dedicating a separate register for // storing it would also be possible. /// Minimum stack alignment for the unsafe stack. const unsigned kStackAlign = …; /// Default size of the unsafe stack. This value is only used if the stack /// size rlimit is set to infinity. const unsigned kDefaultUnsafeStackSize = …; // Per-thread unsafe stack information. It's not frequently accessed, so there // it can be kept out of the tcb in normal thread-local variables. __thread void *unsafe_stack_start = …; __thread size_t unsafe_stack_size = …; __thread size_t unsafe_stack_guard = …; inline void *unsafe_stack_alloc(size_t size, size_t guard) { … } inline void unsafe_stack_setup(void *start, size_t size, size_t guard) { … } /// Thread data for the cleanup handler pthread_key_t thread_cleanup_key; /// Safe stack per-thread information passed to the thread_start function struct tinfo { … }; /// Wrap the thread function in order to deallocate the unsafe stack when the /// thread terminates by returning from its main function. void *thread_start(void *arg) { … } /// Linked list used to store exiting threads stack/thread information. struct thread_stack_ll { … }; /// Linked list of unsafe stacks for threads that are exiting. We delay /// unmapping them until the thread exits. thread_stack_ll *thread_stacks = …; pthread_mutex_t thread_stacks_mutex = …; /// Thread-specific data destructor. We want to free the unsafe stack only after /// this thread is terminated. libc can call functions in safestack-instrumented /// code (like free) after thread-specific data destructors have run. void thread_cleanup_handler(void *_iter) { … } void EnsureInterceptorsInitialized(); /// Intercept thread creation operation to allocate and setup the unsafe stack INTERCEPTOR(int, pthread_create, pthread_t *thread, const pthread_attr_t *attr, void *(*start_routine)(void*), void *arg) { … } pthread_mutex_t interceptor_init_mutex = …; bool interceptors_inited = …; void EnsureInterceptorsInitialized() { … } } // namespace extern "C" __attribute__((visibility("default"))) #if !SANITIZER_CAN_USE_PREINIT_ARRAY // On ELF platforms, the constructor is invoked using .preinit_array (see below) __attribute__((constructor(0))) #endif void __safestack_init() { … } #if SANITIZER_CAN_USE_PREINIT_ARRAY // On ELF platforms, run safestack initialization before any other constructors. // On other platforms we use the constructor attribute to arrange to run our // initialization early. extern "C" { __attribute__((section(".preinit_array"), used)) void (*__safestack_preinit)(void) = …; } #endif extern "C" __attribute__((visibility("default"))) void *__get_unsafe_stack_bottom() { … } extern "C" __attribute__((visibility("default"))) void *__get_unsafe_stack_top() { … } extern "C" __attribute__((visibility("default"))) void *__get_unsafe_stack_start() { … } extern "C" __attribute__((visibility("default"))) void *__get_unsafe_stack_ptr() { … }
Codebase Browser
llvm