1 //===-- safestack.cc ------------------------------------------------------===//
3 // The LLVM Compiler Infrastructure
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
8 //===----------------------------------------------------------------------===//
10 // This file implements the runtime support for the safe stack protection
11 // mechanism. The runtime manages allocation/deallocation of the unsafe stack
12 // for the main thread, as well as all pthreads that are created/destroyed
13 // during program execution.
15 //===----------------------------------------------------------------------===//
21 #include <sys/resource.h>
22 #include <sys/types.h>
25 #include "interception/interception.h"
26 #include "sanitizer_common/sanitizer_common.h"
28 // TODO: The runtime library does not currently protect the safe stack beyond
29 // relying on the system-enforced ASLR. The protection of the (safe) stack can
30 // be provided by three alternative features:
32 // 1) Protection via hardware segmentation on x86-32 and some x86-64
33 // architectures: the (safe) stack segment (implicitly accessed via the %ss
34 // segment register) can be separated from the data segment (implicitly
35 // accessed via the %ds segment register). Dereferencing a pointer to the safe
36 // segment would result in a segmentation fault.
38 // 2) Protection via software fault isolation: memory writes that are not meant
39 // to access the safe stack can be prevented from doing so through runtime
40 // instrumentation. One way to do it is to allocate the safe stack(s) in the
41 // upper half of the userspace and bitmask the corresponding upper bit of the
42 // memory addresses of memory writes that are not meant to access the safe
45 // 3) Protection via information hiding on 64 bit architectures: the location
46 // of the safe stack(s) can be randomized through secure mechanisms, and the
47 // leakage of the stack pointer can be prevented. Currently, libc can leak the
48 // stack pointer in several ways (e.g. in longjmp, signal handling, user-level
49 // context switching related functions, etc.). These can be fixed in libc and
50 // in other low-level libraries, by either eliminating the escaping/dumping of
51 // the stack pointer (i.e., %rsp) when that's possible, or by using
52 // encryption/PTR_MANGLE (XOR-ing the dumped stack pointer with another secret
53 // we control and protect better, as is already done for setjmp in glibc.)
54 // Furthermore, a static machine code level verifier can be ran after code
55 // generation to make sure that the stack pointer is never written to memory,
56 // or if it is, its written on the safe stack.
58 // Finally, while the Unsafe Stack pointer is currently stored in a thread
59 // local variable, with libc support it could be stored in the TCB (thread
60 // control block) as well, eliminating another level of indirection and making
61 // such accesses faster. Alternatively, dedicating a separate register for
62 // storing it would also be possible.
64 /// Minimum stack alignment for the unsafe stack.
65 const unsigned kStackAlign
= 16;
67 /// Default size of the unsafe stack. This value is only used if the stack
68 /// size rlimit is set to infinity.
69 const unsigned kDefaultUnsafeStackSize
= 0x2800000;
71 // TODO: To make accessing the unsafe stack pointer faster, we plan to
72 // eventually store it directly in the thread control block data structure on
73 // platforms where this structure is pointed to by %fs or %gs. This is exactly
74 // the same mechanism as currently being used by the traditional stack
75 // protector pass to store the stack guard (see getStackCookieLocation()
76 // function above). Doing so requires changing the tcbhead_t struct in glibc
77 // on Linux and tcb struct in libc on FreeBSD.
79 // For now, store it in a thread-local variable.
81 __attribute__((visibility(
82 "default"))) __thread
void *__safestack_unsafe_stack_ptr
= nullptr;
85 // Per-thread unsafe stack information. It's not frequently accessed, so there
86 // it can be kept out of the tcb in normal thread-local variables.
87 static __thread
void *unsafe_stack_start
= nullptr;
88 static __thread
size_t unsafe_stack_size
= 0;
89 static __thread
size_t unsafe_stack_guard
= 0;
91 static inline void *unsafe_stack_alloc(size_t size
, size_t guard
) {
92 CHECK_GE(size
+ guard
, size
);
93 void *addr
= MmapOrDie(size
+ guard
, "unsafe_stack_alloc");
94 MprotectNoAccess((uptr
)addr
, (uptr
)guard
);
95 return (char *)addr
+ guard
;
98 static inline void unsafe_stack_setup(void *start
, size_t size
, size_t guard
) {
99 CHECK_GE((char *)start
+ size
, (char *)start
);
100 CHECK_GE((char *)start
+ guard
, (char *)start
);
101 void *stack_ptr
= (char *)start
+ size
;
102 CHECK_EQ((((size_t)stack_ptr
) & (kStackAlign
- 1)), 0);
104 __safestack_unsafe_stack_ptr
= stack_ptr
;
105 unsafe_stack_start
= start
;
106 unsafe_stack_size
= size
;
107 unsafe_stack_guard
= guard
;
110 static void unsafe_stack_free() {
111 if (unsafe_stack_start
) {
112 UnmapOrDie((char *)unsafe_stack_start
- unsafe_stack_guard
,
113 unsafe_stack_size
+ unsafe_stack_guard
);
115 unsafe_stack_start
= nullptr;
118 /// Thread data for the cleanup handler
119 static pthread_key_t thread_cleanup_key
;
121 /// Safe stack per-thread information passed to the thread_start function
123 void *(*start_routine
)(void *);
124 void *start_routine_arg
;
126 void *unsafe_stack_start
;
127 size_t unsafe_stack_size
;
128 size_t unsafe_stack_guard
;
131 /// Wrap the thread function in order to deallocate the unsafe stack when the
132 /// thread terminates by returning from its main function.
133 static void *thread_start(void *arg
) {
134 struct tinfo
*tinfo
= (struct tinfo
*)arg
;
136 void *(*start_routine
)(void *) = tinfo
->start_routine
;
137 void *start_routine_arg
= tinfo
->start_routine_arg
;
139 // Setup the unsafe stack; this will destroy tinfo content
140 unsafe_stack_setup(tinfo
->unsafe_stack_start
, tinfo
->unsafe_stack_size
,
141 tinfo
->unsafe_stack_guard
);
143 // Make sure out thread-specific destructor will be called
144 // FIXME: we can do this only any other specific key is set by
145 // intercepting the pthread_setspecific function itself
146 pthread_setspecific(thread_cleanup_key
, (void *)1);
148 return start_routine(start_routine_arg
);
151 /// Thread-specific data destructor
152 static void thread_cleanup_handler(void *_iter
) {
153 // We want to free the unsafe stack only after all other destructors
154 // have already run. We force this function to be called multiple times.
155 // User destructors that might run more then PTHREAD_DESTRUCTOR_ITERATIONS-1
156 // times might still end up executing after the unsafe stack is deallocated.
157 size_t iter
= (size_t)_iter
;
158 if (iter
< PTHREAD_DESTRUCTOR_ITERATIONS
) {
159 pthread_setspecific(thread_cleanup_key
, (void *)(iter
+ 1));
161 // This is the last iteration
166 /// Intercept thread creation operation to allocate and setup the unsafe stack
167 INTERCEPTOR(int, pthread_create
, pthread_t
*thread
,
168 const pthread_attr_t
*attr
,
169 void *(*start_routine
)(void*), void *arg
) {
175 pthread_attr_getstacksize(attr
, &size
);
176 pthread_attr_getguardsize(attr
, &guard
);
178 // get pthread default stack size
179 pthread_attr_t tmpattr
;
180 pthread_attr_init(&tmpattr
);
181 pthread_attr_getstacksize(&tmpattr
, &size
);
182 pthread_attr_getguardsize(&tmpattr
, &guard
);
183 pthread_attr_destroy(&tmpattr
);
187 CHECK_EQ((size
& (kStackAlign
- 1)), 0);
188 CHECK_EQ((guard
& (PAGE_SIZE
- 1)), 0);
190 void *addr
= unsafe_stack_alloc(size
, guard
);
191 struct tinfo
*tinfo
=
192 (struct tinfo
*)(((char *)addr
) + size
- sizeof(struct tinfo
));
193 tinfo
->start_routine
= start_routine
;
194 tinfo
->start_routine_arg
= arg
;
195 tinfo
->unsafe_stack_start
= addr
;
196 tinfo
->unsafe_stack_size
= size
;
197 tinfo
->unsafe_stack_guard
= guard
;
199 return REAL(pthread_create
)(thread
, attr
, thread_start
, tinfo
);
202 extern "C" __attribute__((visibility("default")))
203 #if !SANITIZER_CAN_USE_PREINIT_ARRAY
204 // On ELF platforms, the constructor is invoked using .preinit_array (see below)
205 __attribute__((constructor(0)))
207 void __safestack_init() {
208 // Determine the stack size for the main thread.
209 size_t size
= kDefaultUnsafeStackSize
;
213 if (getrlimit(RLIMIT_STACK
, &limit
) == 0 && limit
.rlim_cur
!= RLIM_INFINITY
)
214 size
= limit
.rlim_cur
;
216 // Allocate unsafe stack for main thread
217 void *addr
= unsafe_stack_alloc(size
, guard
);
219 unsafe_stack_setup(addr
, size
, guard
);
221 // Initialize pthread interceptors for thread allocation
222 INTERCEPT_FUNCTION(pthread_create
);
224 // Setup the cleanup handler
225 pthread_key_create(&thread_cleanup_key
, thread_cleanup_handler
);
228 #if SANITIZER_CAN_USE_PREINIT_ARRAY
229 // On ELF platforms, run safestack initialization before any other constructors.
230 // On other platforms we use the constructor attribute to arrange to run our
231 // initialization early.
233 __attribute__((section(".preinit_array"),
234 used
)) void (*__safestack_preinit
)(void) = __safestack_init
;
239 __attribute__((visibility("default"))) void *__get_unsafe_stack_start() {
240 return unsafe_stack_start
;
244 __attribute__((visibility("default"))) void *__get_unsafe_stack_ptr() {
245 return __safestack_unsafe_stack_ptr
;