]> git.proxmox.com Git - rustc.git/blob - src/compiler-rt/lib/interception/interception_win.cc
projects / rustc.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Imported Upstream version 1.6.0+dfsg1
[rustc.git] / src / compiler-rt / lib / interception / interception_win.cc
1 //===-- interception_linux.cc -----------------------------------*- C++ -*-===//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This file is a part of AddressSanitizer, an address sanity checker.
11 //
12 // Windows-specific interception methods.
13 //===----------------------------------------------------------------------===//
14
15 #ifdef _WIN32
16
17 #include "interception.h"
18 #define WIN32_LEAN_AND_MEAN
19 #include <windows.h>
20
21 namespace __interception {
22
23 // FIXME: internal_str* and internal_mem* functions should be moved from the
24 // ASan sources into interception/.
25
26 static void _memset(void *p, int value, size_t sz) {
27 for (size_t i = 0; i < sz; ++i)
28 ((char*)p)[i] = (char)value;
29 }
30
31 static void _memcpy(void *dst, void *src, size_t sz) {
32 char *dst_c = (char*)dst,
33 *src_c = (char*)src;
34 for (size_t i = 0; i < sz; ++i)
35 dst_c[i] = src_c[i];
36 }
37
38 static void WriteJumpInstruction(char *jmp_from, char *to) {
39 // jmp XXYYZZWW = E9 WW ZZ YY XX, where XXYYZZWW is an offset fromt jmp_from
40 // to the next instruction to the destination.
41 ptrdiff_t offset = to - jmp_from - 5;
42 *jmp_from = '\xE9';
43 *(ptrdiff_t*)(jmp_from + 1) = offset;
44 }
45
46 static char *GetMemoryForTrampoline(size_t size) {
47 // Trampolines are allocated from a common pool.
48 const int POOL_SIZE = 1024;
49 static char *pool = NULL;
50 static size_t pool_used = 0;
51 if (!pool) {
52 pool = (char *)VirtualAlloc(NULL, POOL_SIZE, MEM_RESERVE | MEM_COMMIT,
53 PAGE_EXECUTE_READWRITE);
54 // FIXME: Might want to apply PAGE_EXECUTE_READ access after all the
55 // interceptors are in place.
56 if (!pool)
57 return NULL;
58 _memset(pool, 0xCC /* int 3 */, POOL_SIZE);
59 }
60
61 if (pool_used + size > POOL_SIZE)
62 return NULL;
63
64 char *ret = pool + pool_used;
65 pool_used += size;
66 return ret;
67 }
68
69 // Returns 0 on error.
70 static size_t RoundUpToInstrBoundary(size_t size, char *code) {
71 size_t cursor = 0;
72 while (cursor < size) {
73 switch (code[cursor]) {
74 case '\x51': // push ecx
75 case '\x52': // push edx
76 case '\x53': // push ebx
77 case '\x54': // push esp
78 case '\x55': // push ebp
79 case '\x56': // push esi
80 case '\x57': // push edi
81 case '\x5D': // pop ebp
82 cursor++;
83 continue;
84 case '\x6A': // 6A XX = push XX
85 cursor += 2;
86 continue;
87 case '\xE9': // E9 XX YY ZZ WW = jmp WWZZYYXX
88 case '\xB8': // B8 XX YY ZZ WW = mov eax, WWZZYYXX
89 cursor += 5;
90 continue;
91 }
92 switch (*(unsigned short*)(code + cursor)) { // NOLINT
93 case 0xFF8B: // 8B FF = mov edi, edi
94 case 0xEC8B: // 8B EC = mov ebp, esp
95 case 0xC033: // 33 C0 = xor eax, eax
96 cursor += 2;
97 continue;
98 case 0x458B: // 8B 45 XX = mov eax, dword ptr [ebp+XXh]
99 case 0x5D8B: // 8B 5D XX = mov ebx, dword ptr [ebp+XXh]
100 case 0xEC83: // 83 EC XX = sub esp, XX
101 case 0x75FF: // FF 75 XX = push dword ptr [ebp+XXh]
102 cursor += 3;
103 continue;
104 case 0xC1F7: // F7 C1 XX YY ZZ WW = test ecx, WWZZYYXX
105 case 0x25FF: // FF 25 XX YY ZZ WW = jmp dword ptr ds:[WWZZYYXX]
106 cursor += 6;
107 continue;
108 case 0x3D83: // 83 3D XX YY ZZ WW TT = cmp TT, WWZZYYXX
109 cursor += 7;
110 continue;
111 }
112 switch (0x00FFFFFF & *(unsigned int*)(code + cursor)) {
113 case 0x24448A: // 8A 44 24 XX = mov eal, dword ptr [esp+XXh]
114 case 0x24448B: // 8B 44 24 XX = mov eax, dword ptr [esp+XXh]
115 case 0x244C8B: // 8B 4C 24 XX = mov ecx, dword ptr [esp+XXh]
116 case 0x24548B: // 8B 54 24 XX = mov edx, dword ptr [esp+XXh]
117 case 0x24748B: // 8B 74 24 XX = mov esi, dword ptr [esp+XXh]
118 case 0x247C8B: // 8B 7C 24 XX = mov edi, dword ptr [esp+XXh]
119 cursor += 4;
120 continue;
121 }
122
123 // Unknown instruction!
124 // FIXME: Unknown instruction failures might happen when we add a new
125 // interceptor or a new compiler version. In either case, they should result
126 // in visible and readable error messages. However, merely calling abort()
127 // leads to an infinite recursion in CheckFailed.
128 // Do we have a good way to abort with an error message here?
129 __debugbreak();
130 return 0;
131 }
132
133 return cursor;
134 }
135
136 bool OverrideFunction(uptr old_func, uptr new_func, uptr *orig_old_func) {
137 #ifdef _WIN64
138 #error OverrideFunction is not yet supported on x64
139 #endif
140 // Function overriding works basically like this:
141 // We write "jmp <new_func>" (5 bytes) at the beginning of the 'old_func'
142 // to override it.
143 // We might want to be able to execute the original 'old_func' from the
144 // wrapper, in this case we need to keep the leading 5+ bytes ('head')
145 // of the original code somewhere with a "jmp <old_func+head>".
146 // We call these 'head'+5 bytes of instructions a "trampoline".
147 char *old_bytes = (char *)old_func;
148
149 // We'll need at least 5 bytes for a 'jmp'.
150 size_t head = 5;
151 if (orig_old_func) {
152 // Find out the number of bytes of the instructions we need to copy
153 // to the trampoline and store it in 'head'.
154 head = RoundUpToInstrBoundary(head, old_bytes);
155 if (!head)
156 return false;
157
158 // Put the needed instructions into the trampoline bytes.
159 char *trampoline = GetMemoryForTrampoline(head + 5);
160 if (!trampoline)
161 return false;
162 _memcpy(trampoline, old_bytes, head);
163 WriteJumpInstruction(trampoline + head, old_bytes + head);
164 *orig_old_func = (uptr)trampoline;
165 }
166
167 // Now put the "jmp <new_func>" instruction at the original code location.
168 // We should preserve the EXECUTE flag as some of our own code might be
169 // located in the same page (sic!). FIXME: might consider putting the
170 // __interception code into a separate section or something?
171 DWORD old_prot, unused_prot;
172 if (!VirtualProtect((void *)old_bytes, head, PAGE_EXECUTE_READWRITE,
173 &old_prot))
174 return false;
175
176 WriteJumpInstruction(old_bytes, (char *)new_func);
177 _memset(old_bytes + 5, 0xCC /* int 3 */, head - 5);
178
179 // Restore the original permissions.
180 if (!VirtualProtect((void *)old_bytes, head, old_prot, &unused_prot))
181 return false; // not clear if this failure bothers us.
182
183 return true;
184 }
185
186 static void **InterestingDLLsAvailable() {
187 const char *InterestingDLLs[] = {
188 "kernel32.dll",
189 "msvcr110.dll", // VS2012
190 "msvcr120.dll", // VS2013
191 // NTDLL should go last as it exports some functions that we should override
192 // in the CRT [presumably only used internally].
193 "ntdll.dll", NULL
194 };
195 static void *result[ARRAY_SIZE(InterestingDLLs)] = { 0 };
196 if (!result[0]) {
197 for (size_t i = 0, j = 0; InterestingDLLs[i]; ++i) {
198 if (HMODULE h = GetModuleHandleA(InterestingDLLs[i]))
199 result[j++] = (void *)h;
200 }
201 }
202 return &result[0];
203 }
204
205 namespace {
206 // Utility for reading loaded PE images.
207 template <typename T> class RVAPtr {
208 public:
209 RVAPtr(void *module, uptr rva)
210 : ptr_(reinterpret_cast<T *>(reinterpret_cast<char *>(module) + rva)) {}
211 operator T *() { return ptr_; }
212 T *operator->() { return ptr_; }
213 T *operator++() { return ++ptr_; }
214
215 private:
216 T *ptr_;
217 };
218 } // namespace
219
220 // Internal implementation of GetProcAddress. At least since Windows 8,
221 // GetProcAddress appears to initialize DLLs before returning function pointers
222 // into them. This is problematic for the sanitizers, because they typically
223 // want to intercept malloc *before* MSVCRT initializes. Our internal
224 // implementation walks the export list manually without doing initialization.
225 uptr InternalGetProcAddress(void *module, const char *func_name) {
226 // Check that the module header is full and present.
227 RVAPtr<IMAGE_DOS_HEADER> dos_stub(module, 0);
228 RVAPtr<IMAGE_NT_HEADERS> headers(module, dos_stub->e_lfanew);
229 if (!module || dos_stub->e_magic != IMAGE_DOS_SIGNATURE || // "MZ"
230 headers->Signature != IMAGE_NT_SIGNATURE || // "PE\0\0"
231 headers->FileHeader.SizeOfOptionalHeader <
232 sizeof(IMAGE_OPTIONAL_HEADER)) {
233 return 0;
234 }
235
236 IMAGE_DATA_DIRECTORY *export_directory =
237 &headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
238 RVAPtr<IMAGE_EXPORT_DIRECTORY> exports(module,
239 export_directory->VirtualAddress);
240 RVAPtr<DWORD> functions(module, exports->AddressOfFunctions);
241 RVAPtr<DWORD> names(module, exports->AddressOfNames);
242 RVAPtr<WORD> ordinals(module, exports->AddressOfNameOrdinals);
243
244 for (DWORD i = 0; i < exports->NumberOfNames; i++) {
245 RVAPtr<char> name(module, names[i]);
246 if (!strcmp(func_name, name)) {
247 DWORD index = ordinals[i];
248 RVAPtr<char> func(module, functions[index]);
249 return (uptr)(char *)func;
250 }
251 }
252
253 return 0;
254 }
255
256 static bool GetFunctionAddressInDLLs(const char *func_name, uptr *func_addr) {
257 *func_addr = 0;
258 void **DLLs = InterestingDLLsAvailable();
259 for (size_t i = 0; *func_addr == 0 && DLLs[i]; ++i)
260 *func_addr = InternalGetProcAddress(DLLs[i], func_name);
261 return (*func_addr != 0);
262 }
263
264 bool OverrideFunction(const char *name, uptr new_func, uptr *orig_old_func) {
265 uptr orig_func;
266 if (!GetFunctionAddressInDLLs(name, &orig_func))
267 return false;
268 return OverrideFunction(orig_func, new_func, orig_old_func);
269 }
270
271 } // namespace __interception
272
273 #endif // _WIN32
backport for Debian buster