1 //===-------- cfi.cc ------------------------------------------------------===//
3 // The LLVM Compiler Infrastructure
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
8 //===----------------------------------------------------------------------===//
10 // This file implements the runtime support for the cross-DSO CFI.
12 //===----------------------------------------------------------------------===//
17 #include "sanitizer_common/sanitizer_common.h"
19 #include <sys/link_elf.h>
27 typedef ElfW(Phdr
) Elf_Phdr
;
28 typedef ElfW(Ehdr
) Elf_Ehdr
;
29 typedef ElfW(Addr
) Elf_Addr
;
30 typedef ElfW(Sym
) Elf_Sym
;
31 typedef ElfW(Dyn
) Elf_Dyn
;
32 #elif SANITIZER_FREEBSD
33 #if SANITIZER_WORDSIZE == 64
34 #define ElfW64_Dyn Elf_Dyn
35 #define ElfW64_Sym Elf_Sym
37 #define ElfW32_Dyn Elf_Dyn
38 #define ElfW32_Sym Elf_Sym
42 #include "interception/interception.h"
43 #include "sanitizer_common/sanitizer_flag_parser.h"
44 #include "ubsan/ubsan_init.h"
45 #include "ubsan/ubsan_flags.h"
47 #ifdef CFI_ENABLE_DIAG
48 #include "ubsan/ubsan_handlers.h"
51 using namespace __sanitizer
;
55 #define kCfiShadowLimitsStorageSize 4096 // 1 page
56 // Lets hope that the data segment is mapped with 4K pages.
57 // The pointer to the cfi shadow region is stored at the start of this page.
58 // The rest of the page is unused and re-mapped read-only.
60 char space
[kCfiShadowLimitsStorageSize
];
65 } cfi_shadow_limits_storage
66 __attribute__((aligned(kCfiShadowLimitsStorageSize
)));
67 static constexpr uptr kShadowGranularity
= 12;
68 static constexpr uptr kShadowAlign
= 1UL << kShadowGranularity
; // 4096
70 static constexpr uint16_t kInvalidShadow
= 0;
71 static constexpr uint16_t kUncheckedShadow
= 0xFFFFU
;
73 // Get the start address of the CFI shadow region.
75 return cfi_shadow_limits_storage
.limits
.start
;
78 uptr
GetShadowSize() {
79 return cfi_shadow_limits_storage
.limits
.size
;
82 // This will only work while the shadow is not allocated.
83 void SetShadowSize(uptr size
) {
84 cfi_shadow_limits_storage
.limits
.size
= size
;
87 uptr
MemToShadowOffset(uptr x
) {
88 return (x
>> kShadowGranularity
) << 1;
91 uint16_t *MemToShadow(uptr x
, uptr shadow_base
) {
92 return (uint16_t *)(shadow_base
+ MemToShadowOffset(x
));
95 typedef int (*CFICheckFn
)(u64
, void *, void *);
97 // This class reads and decodes the shadow contents.
101 explicit ShadowValue(uptr addr
, uint16_t v
) : addr(addr
), v(v
) {}
104 bool is_invalid() const { return v
== kInvalidShadow
; }
106 bool is_unchecked() const { return v
== kUncheckedShadow
; }
108 CFICheckFn
get_cfi_check() const {
109 assert(!is_invalid() && !is_unchecked());
110 uptr aligned_addr
= addr
& ~(kShadowAlign
- 1);
111 uptr p
= aligned_addr
- (((uptr
)v
- 1) << kShadowGranularity
);
112 return reinterpret_cast<CFICheckFn
>(p
);
115 // Load a shadow value for the given application memory address.
116 static const ShadowValue
load(uptr addr
) {
117 uptr shadow_base
= GetShadow();
118 uptr shadow_offset
= MemToShadowOffset(addr
);
119 if (shadow_offset
> GetShadowSize())
120 return ShadowValue(addr
, kInvalidShadow
);
123 addr
, *reinterpret_cast<uint16_t *>(shadow_base
+ shadow_offset
));
127 class ShadowBuilder
{
131 // Allocate a new empty shadow (for the entire address space) on the side.
133 // Mark the given address range as unchecked.
134 // This is used for uninstrumented libraries like libc.
135 // Any CFI check with a target in that range will pass.
136 void AddUnchecked(uptr begin
, uptr end
);
137 // Mark the given address range as belonging to a library with the given
138 // cfi_check function.
139 void Add(uptr begin
, uptr end
, uptr cfi_check
);
140 // Finish shadow construction. Atomically switch the current active shadow
141 // region with the newly constructed one and deallocate the former.
145 void ShadowBuilder::Start() {
146 shadow_
= (uptr
)MmapNoReserveOrDie(GetShadowSize(), "CFI shadow");
147 VReport(1, "CFI: shadow at %zx .. %zx\n", shadow_
, shadow_
+ GetShadowSize());
150 void ShadowBuilder::AddUnchecked(uptr begin
, uptr end
) {
151 uint16_t *shadow_begin
= MemToShadow(begin
, shadow_
);
152 uint16_t *shadow_end
= MemToShadow(end
- 1, shadow_
) + 1;
153 // memset takes a byte, so our unchecked shadow value requires both bytes to
154 // be the same. Make sure we're ok during compilation.
155 static_assert((kUncheckedShadow
& 0xff) == ((kUncheckedShadow
>> 8) & 0xff),
156 "Both bytes of the 16-bit value must be the same!");
157 memset(shadow_begin
, kUncheckedShadow
& 0xff,
158 (shadow_end
- shadow_begin
) * sizeof(*shadow_begin
));
161 void ShadowBuilder::Add(uptr begin
, uptr end
, uptr cfi_check
) {
162 assert((cfi_check
& (kShadowAlign
- 1)) == 0);
164 // Don't fill anything below cfi_check. We can not represent those addresses
165 // in the shadow, and must make sure at codegen to place all valid call
166 // targets above cfi_check.
167 begin
= Max(begin
, cfi_check
);
168 uint16_t *s
= MemToShadow(begin
, shadow_
);
169 uint16_t *s_end
= MemToShadow(end
- 1, shadow_
) + 1;
170 uint16_t sv
= ((begin
- cfi_check
) >> kShadowGranularity
) + 1;
171 for (; s
< s_end
; s
++, sv
++)
175 #if SANITIZER_LINUX || SANITIZER_FREEBSD || SANITIZER_NETBSD
176 void ShadowBuilder::Install() {
177 MprotectReadOnly(shadow_
, GetShadowSize());
178 uptr main_shadow
= GetShadow();
182 void *res
= mremap((void *)shadow_
, GetShadowSize(), GetShadowSize(),
183 MREMAP_MAYMOVE
| MREMAP_FIXED
, (void *)main_shadow
);
184 CHECK(res
!= MAP_FAILED
);
185 #elif SANITIZER_NETBSD
186 void *res
= mremap((void *)shadow_
, GetShadowSize(), (void *)main_shadow
,
187 GetShadowSize(), MAP_FIXED
);
188 CHECK(res
!= MAP_FAILED
);
190 void *res
= MmapFixedOrDie(shadow_
, GetShadowSize());
191 CHECK(res
!= MAP_FAILED
);
192 ::memcpy(&shadow_
, &main_shadow
, GetShadowSize());
196 CHECK_EQ(kCfiShadowLimitsStorageSize
, GetPageSizeCached());
197 CHECK_EQ(0, GetShadow());
198 cfi_shadow_limits_storage
.limits
.start
= shadow_
;
199 MprotectReadOnly((uptr
)&cfi_shadow_limits_storage
,
200 sizeof(cfi_shadow_limits_storage
));
201 CHECK_EQ(shadow_
, GetShadow());
205 #error not implemented
208 // This is a workaround for a glibc bug:
209 // https://sourceware.org/bugzilla/show_bug.cgi?id=15199
210 // Other platforms can, hopefully, just do
211 // dlopen(RTLD_NOLOAD | RTLD_LAZY)
212 // dlsym("__cfi_check").
213 uptr
find_cfi_check_in_dso(dl_phdr_info
*info
) {
214 const Elf_Dyn
*dynamic
= nullptr;
215 for (int i
= 0; i
< info
->dlpi_phnum
; ++i
) {
216 if (info
->dlpi_phdr
[i
].p_type
== PT_DYNAMIC
) {
218 (const Elf_Dyn
*)(info
->dlpi_addr
+ info
->dlpi_phdr
[i
].p_vaddr
);
222 if (!dynamic
) return 0;
223 uptr strtab
= 0, symtab
= 0, strsz
= 0;
224 for (const Elf_Dyn
*p
= dynamic
; p
->d_tag
!= PT_NULL
; ++p
) {
225 if (p
->d_tag
== DT_SYMTAB
)
226 symtab
= p
->d_un
.d_ptr
;
227 else if (p
->d_tag
== DT_STRTAB
)
228 strtab
= p
->d_un
.d_ptr
;
229 else if (p
->d_tag
== DT_STRSZ
)
230 strsz
= p
->d_un
.d_ptr
;
233 if (symtab
> strtab
) {
234 VReport(1, "Can not handle: symtab > strtab (%p > %zx)\n", symtab
, strtab
);
238 // Verify that strtab and symtab are inside of the same LOAD segment.
239 // This excludes VDSO, which has (very high) bogus strtab and symtab pointers.
241 for (phdr_idx
= 0; phdr_idx
< info
->dlpi_phnum
; phdr_idx
++) {
242 const Elf_Phdr
*phdr
= &info
->dlpi_phdr
[phdr_idx
];
243 if (phdr
->p_type
== PT_LOAD
) {
244 uptr beg
= info
->dlpi_addr
+ phdr
->p_vaddr
;
245 uptr end
= beg
+ phdr
->p_memsz
;
246 if (strtab
>= beg
&& strtab
+ strsz
< end
&& symtab
>= beg
&&
251 if (phdr_idx
== info
->dlpi_phnum
) {
252 // Nope, either different segments or just bogus pointers.
253 // Can not handle this.
254 VReport(1, "Can not handle: symtab %p, strtab %zx\n", symtab
, strtab
);
258 for (const Elf_Sym
*p
= (const Elf_Sym
*)symtab
; (Elf_Addr
)p
< strtab
;
260 // There is no reliable way to find the end of the symbol table. In
261 // lld-produces files, there are other sections between symtab and strtab.
262 // Stop looking when the symbol name is not inside strtab.
263 if (p
->st_name
>= strsz
) break;
264 char *name
= (char*)(strtab
+ p
->st_name
);
265 if (strcmp(name
, "__cfi_check") == 0) {
266 assert(p
->st_info
== ELF32_ST_INFO(STB_GLOBAL
, STT_FUNC
) ||
267 p
->st_info
== ELF32_ST_INFO(STB_WEAK
, STT_FUNC
));
268 uptr addr
= info
->dlpi_addr
+ p
->st_value
;
275 int dl_iterate_phdr_cb(dl_phdr_info
*info
, size_t size
, void *data
) {
276 uptr cfi_check
= find_cfi_check_in_dso(info
);
278 VReport(1, "Module '%s' __cfi_check %zx\n", info
->dlpi_name
, cfi_check
);
280 ShadowBuilder
*b
= reinterpret_cast<ShadowBuilder
*>(data
);
282 for (int i
= 0; i
< info
->dlpi_phnum
; i
++) {
283 const Elf_Phdr
*phdr
= &info
->dlpi_phdr
[i
];
284 if (phdr
->p_type
== PT_LOAD
) {
285 // Jump tables are in the executable segment.
286 // VTables are in the non-executable one.
287 // Need to fill shadow for both.
288 // FIXME: reject writable if vtables are in the r/o segment. Depend on
290 uptr cur_beg
= info
->dlpi_addr
+ phdr
->p_vaddr
;
291 uptr cur_end
= cur_beg
+ phdr
->p_memsz
;
293 VReport(1, " %zx .. %zx\n", cur_beg
, cur_end
);
294 b
->Add(cur_beg
, cur_end
, cfi_check
);
296 b
->AddUnchecked(cur_beg
, cur_end
);
303 // Init or update shadow for the current set of loaded libraries.
304 void UpdateShadow() {
307 dl_iterate_phdr(dl_iterate_phdr_cb
, &b
);
312 CHECK_EQ(0, GetShadow());
313 CHECK_EQ(0, GetShadowSize());
315 uptr vma
= GetMaxUserVirtualAddress();
316 // Shadow is 2 -> 2**kShadowGranularity.
317 SetShadowSize((vma
>> (kShadowGranularity
- 1)) + 1);
318 VReport(1, "CFI: VMA size %zx, shadow size %zx\n", vma
, GetShadowSize());
323 THREADLOCAL
int in_loader
;
324 BlockingMutex
shadow_update_lock(LINKER_INITIALIZED
);
327 if (in_loader
== 0) {
328 shadow_update_lock
.Lock();
334 CHECK(in_loader
> 0);
337 if (in_loader
== 0) {
338 shadow_update_lock
.Unlock();
342 ALWAYS_INLINE
void CfiSlowPathCommon(u64 CallSiteTypeId
, void *Ptr
,
344 uptr Addr
= (uptr
)Ptr
;
345 VReport(3, "__cfi_slowpath: %llx, %p\n", CallSiteTypeId
, Ptr
);
346 ShadowValue sv
= ShadowValue::load(Addr
);
347 if (sv
.is_invalid()) {
348 VReport(1, "CFI: invalid memory region for a check target: %p\n", Ptr
);
349 #ifdef CFI_ENABLE_DIAG
351 __ubsan_handle_cfi_check_fail(
352 reinterpret_cast<__ubsan::CFICheckFailData
*>(DiagData
), Addr
, false);
358 if (sv
.is_unchecked()) {
359 VReport(2, "CFI: unchecked call (shadow=FFFF): %p\n", Ptr
);
362 CFICheckFn cfi_check
= sv
.get_cfi_check();
363 VReport(2, "__cfi_check at %p\n", cfi_check
);
364 cfi_check(CallSiteTypeId
, Ptr
, DiagData
);
367 void InitializeFlags() {
368 SetCommonFlagsDefaults();
369 #ifdef CFI_ENABLE_DIAG
370 __ubsan::Flags
*uf
= __ubsan::flags();
374 FlagParser cfi_parser
;
375 RegisterCommonFlags(&cfi_parser
);
376 cfi_parser
.ParseString(GetEnv("CFI_OPTIONS"));
378 #ifdef CFI_ENABLE_DIAG
379 FlagParser ubsan_parser
;
380 __ubsan::RegisterUbsanFlags(&ubsan_parser
, uf
);
381 RegisterCommonFlags(&ubsan_parser
);
383 const char *ubsan_default_options
= __ubsan::MaybeCallUbsanDefaultOptions();
384 ubsan_parser
.ParseString(ubsan_default_options
);
385 ubsan_parser
.ParseString(GetEnv("UBSAN_OPTIONS"));
388 InitializeCommonFlags();
391 ReportUnrecognizedFlags();
393 if (common_flags()->help
) {
394 cfi_parser
.PrintFlagDescriptions();
400 using namespace __cfi
;
402 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
void
403 __cfi_slowpath(u64 CallSiteTypeId
, void *Ptr
) {
404 CfiSlowPathCommon(CallSiteTypeId
, Ptr
, nullptr);
407 #ifdef CFI_ENABLE_DIAG
408 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
void
409 __cfi_slowpath_diag(u64 CallSiteTypeId
, void *Ptr
, void *DiagData
) {
410 CfiSlowPathCommon(CallSiteTypeId
, Ptr
, DiagData
);
414 static void EnsureInterceptorsInitialized();
416 // Setup shadow for dlopen()ed libraries.
417 // The actual shadow setup happens after dlopen() returns, which means that
418 // a library can not be a target of any CFI checks while its constructors are
419 // running. It's unclear how to fix this without some extra help from libc.
420 // In glibc, mmap inside dlopen is not interceptable.
421 // Maybe a seccomp-bpf filter?
422 // We could insert a high-priority constructor into the library, but that would
423 // not help with the uninstrumented libraries.
424 INTERCEPTOR(void*, dlopen
, const char *filename
, int flag
) {
425 EnsureInterceptorsInitialized();
427 void *handle
= REAL(dlopen
)(filename
, flag
);
432 INTERCEPTOR(int, dlclose
, void *handle
) {
433 EnsureInterceptorsInitialized();
435 int res
= REAL(dlclose
)(handle
);
440 static BlockingMutex
interceptor_init_lock(LINKER_INITIALIZED
);
441 static bool interceptors_inited
= false;
443 static void EnsureInterceptorsInitialized() {
444 BlockingMutexLock
lock(&interceptor_init_lock
);
445 if (interceptors_inited
)
448 INTERCEPT_FUNCTION(dlopen
);
449 INTERCEPT_FUNCTION(dlclose
);
451 interceptors_inited
= true;
454 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
455 #if !SANITIZER_CAN_USE_PREINIT_ARRAY
456 // On ELF platforms, the constructor is invoked using .preinit_array (see below)
457 __attribute__((constructor(0)))
460 SanitizerToolName
= "CFI";
464 #ifdef CFI_ENABLE_DIAG
465 __ubsan::InitAsPlugin();
469 #if SANITIZER_CAN_USE_PREINIT_ARRAY
470 // On ELF platforms, run cfi initialization before any other constructors.
471 // On other platforms we use the constructor attribute to arrange to run our
472 // initialization early.
474 __attribute__((section(".preinit_array"),
475 used
)) void (*__cfi_preinit
)(void) = __cfi_init
;