]>
Commit | Line | Data |
---|---|---|
223e47cc LB |
1 | //===-- asan_poisoning.cc -------------------------------------------------===// |
2 | // | |
3 | // The LLVM Compiler Infrastructure | |
4 | // | |
5 | // This file is distributed under the University of Illinois Open Source | |
6 | // License. See LICENSE.TXT for details. | |
7 | // | |
8 | //===----------------------------------------------------------------------===// | |
9 | // | |
10 | // This file is a part of AddressSanitizer, an address sanity checker. | |
11 | // | |
12 | // Shadow memory poisoning by ASan RTL and by user application. | |
13 | //===----------------------------------------------------------------------===// | |
14 | ||
15 | #include "asan_interceptors.h" | |
16 | #include "asan_internal.h" | |
17 | #include "asan_mapping.h" | |
18 | #include "sanitizer/asan_interface.h" | |
19 | ||
20 | namespace __asan { | |
21 | ||
22 | void PoisonShadow(uptr addr, uptr size, u8 value) { | |
23 | CHECK(AddrIsAlignedByGranularity(addr)); | |
24 | CHECK(AddrIsAlignedByGranularity(addr + size)); | |
25 | uptr shadow_beg = MemToShadow(addr); | |
26 | uptr shadow_end = MemToShadow(addr + size); | |
27 | CHECK(REAL(memset) != 0); | |
28 | REAL(memset)((void*)shadow_beg, value, shadow_end - shadow_beg); | |
29 | } | |
30 | ||
31 | void PoisonShadowPartialRightRedzone(uptr addr, | |
32 | uptr size, | |
33 | uptr redzone_size, | |
34 | u8 value) { | |
35 | CHECK(AddrIsAlignedByGranularity(addr)); | |
36 | u8 *shadow = (u8*)MemToShadow(addr); | |
37 | for (uptr i = 0; i < redzone_size; | |
38 | i += SHADOW_GRANULARITY, shadow++) { | |
39 | if (i + SHADOW_GRANULARITY <= size) { | |
40 | *shadow = 0; // fully addressable | |
41 | } else if (i >= size) { | |
42 | *shadow = (SHADOW_GRANULARITY == 128) ? 0xff : value; // unaddressable | |
43 | } else { | |
44 | *shadow = size - i; // first size-i bytes are addressable | |
45 | } | |
46 | } | |
47 | } | |
48 | ||
49 | ||
50 | struct ShadowSegmentEndpoint { | |
51 | u8 *chunk; | |
52 | s8 offset; // in [0, SHADOW_GRANULARITY) | |
53 | s8 value; // = *chunk; | |
54 | ||
55 | explicit ShadowSegmentEndpoint(uptr address) { | |
56 | chunk = (u8*)MemToShadow(address); | |
57 | offset = address & (SHADOW_GRANULARITY - 1); | |
58 | value = *chunk; | |
59 | } | |
60 | }; | |
61 | ||
62 | } // namespace __asan | |
63 | ||
64 | // ---------------------- Interface ---------------- {{{1 | |
65 | using namespace __asan; // NOLINT | |
66 | ||
67 | // Current implementation of __asan_(un)poison_memory_region doesn't check | |
68 | // that user program (un)poisons the memory it owns. It poisons memory | |
69 | // conservatively, and unpoisons progressively to make sure asan shadow | |
70 | // mapping invariant is preserved (see detailed mapping description here: | |
71 | // http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm). | |
72 | // | |
73 | // * if user asks to poison region [left, right), the program poisons | |
74 | // at least [left, AlignDown(right)). | |
75 | // * if user asks to unpoison region [left, right), the program unpoisons | |
76 | // at most [AlignDown(left), right). | |
77 | void __asan_poison_memory_region(void const volatile *addr, uptr size) { | |
78 | if (!flags()->allow_user_poisoning || size == 0) return; | |
79 | uptr beg_addr = (uptr)addr; | |
80 | uptr end_addr = beg_addr + size; | |
81 | if (flags()->verbosity >= 1) { | |
82 | Printf("Trying to poison memory region [%p, %p)\n", | |
83 | (void*)beg_addr, (void*)end_addr); | |
84 | } | |
85 | ShadowSegmentEndpoint beg(beg_addr); | |
86 | ShadowSegmentEndpoint end(end_addr); | |
87 | if (beg.chunk == end.chunk) { | |
88 | CHECK(beg.offset < end.offset); | |
89 | s8 value = beg.value; | |
90 | CHECK(value == end.value); | |
91 | // We can only poison memory if the byte in end.offset is unaddressable. | |
92 | // No need to re-poison memory if it is poisoned already. | |
93 | if (value > 0 && value <= end.offset) { | |
94 | if (beg.offset > 0) { | |
95 | *beg.chunk = Min(value, beg.offset); | |
96 | } else { | |
97 | *beg.chunk = kAsanUserPoisonedMemoryMagic; | |
98 | } | |
99 | } | |
100 | return; | |
101 | } | |
102 | CHECK(beg.chunk < end.chunk); | |
103 | if (beg.offset > 0) { | |
104 | // Mark bytes from beg.offset as unaddressable. | |
105 | if (beg.value == 0) { | |
106 | *beg.chunk = beg.offset; | |
107 | } else { | |
108 | *beg.chunk = Min(beg.value, beg.offset); | |
109 | } | |
110 | beg.chunk++; | |
111 | } | |
112 | REAL(memset)(beg.chunk, kAsanUserPoisonedMemoryMagic, end.chunk - beg.chunk); | |
113 | // Poison if byte in end.offset is unaddressable. | |
114 | if (end.value > 0 && end.value <= end.offset) { | |
115 | *end.chunk = kAsanUserPoisonedMemoryMagic; | |
116 | } | |
117 | } | |
118 | ||
119 | void __asan_unpoison_memory_region(void const volatile *addr, uptr size) { | |
120 | if (!flags()->allow_user_poisoning || size == 0) return; | |
121 | uptr beg_addr = (uptr)addr; | |
122 | uptr end_addr = beg_addr + size; | |
123 | if (flags()->verbosity >= 1) { | |
124 | Printf("Trying to unpoison memory region [%p, %p)\n", | |
125 | (void*)beg_addr, (void*)end_addr); | |
126 | } | |
127 | ShadowSegmentEndpoint beg(beg_addr); | |
128 | ShadowSegmentEndpoint end(end_addr); | |
129 | if (beg.chunk == end.chunk) { | |
130 | CHECK(beg.offset < end.offset); | |
131 | s8 value = beg.value; | |
132 | CHECK(value == end.value); | |
133 | // We unpoison memory bytes up to enbytes up to end.offset if it is not | |
134 | // unpoisoned already. | |
135 | if (value != 0) { | |
136 | *beg.chunk = Max(value, end.offset); | |
137 | } | |
138 | return; | |
139 | } | |
140 | CHECK(beg.chunk < end.chunk); | |
141 | if (beg.offset > 0) { | |
142 | *beg.chunk = 0; | |
143 | beg.chunk++; | |
144 | } | |
145 | REAL(memset)(beg.chunk, 0, end.chunk - beg.chunk); | |
146 | if (end.offset > 0 && end.value != 0) { | |
147 | *end.chunk = Max(end.value, end.offset); | |
148 | } | |
149 | } | |
150 | ||
151 | bool __asan_address_is_poisoned(void const volatile *addr) { | |
152 | return __asan::AddressIsPoisoned((uptr)addr); | |
153 | } |