• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 //===-- asan_poisoning.cc ---------------------------------------*- C++ -*-===//
2 //
3 //                     The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This file is a part of AddressSanitizer, an address sanity checker.
11 //
12 // Shadow memory poisoning by ASan RTL and by user application.
13 //===----------------------------------------------------------------------===//
14 
15 #include "asan_interceptors.h"
16 #include "asan_interface.h"
17 #include "asan_internal.h"
18 #include "asan_mapping.h"
19 
20 namespace __asan {
21 
PoisonShadow(uintptr_t addr,size_t size,uint8_t value)22 void PoisonShadow(uintptr_t addr, size_t size, uint8_t value) {
23   CHECK(AddrIsAlignedByGranularity(addr));
24   CHECK(AddrIsAlignedByGranularity(addr + size));
25   uintptr_t shadow_beg = MemToShadow(addr);
26   uintptr_t shadow_end = MemToShadow(addr + size);
27   CHECK(REAL(memset) != NULL);
28   REAL(memset)((void*)shadow_beg, value, shadow_end - shadow_beg);
29 }
30 
PoisonShadowPartialRightRedzone(uintptr_t addr,uintptr_t size,uintptr_t redzone_size,uint8_t value)31 void PoisonShadowPartialRightRedzone(uintptr_t addr,
32                                      uintptr_t size,
33                                      uintptr_t redzone_size,
34                                      uint8_t value) {
35   CHECK(AddrIsAlignedByGranularity(addr));
36   uint8_t *shadow = (uint8_t*)MemToShadow(addr);
37   for (uintptr_t i = 0; i < redzone_size;
38        i += SHADOW_GRANULARITY, shadow++) {
39     if (i + SHADOW_GRANULARITY <= size) {
40       *shadow = 0;  // fully addressable
41     } else if (i >= size) {
42       *shadow = (SHADOW_GRANULARITY == 128) ? 0xff : value;  // unaddressable
43     } else {
44       *shadow = size - i;  // first size-i bytes are addressable
45     }
46   }
47 }
48 
49 
50 struct ShadowSegmentEndpoint {
51   uint8_t *chunk;
52   int8_t offset;  // in [0, SHADOW_GRANULARITY)
53   int8_t value;  // = *chunk;
54 
ShadowSegmentEndpoint__asan::ShadowSegmentEndpoint55   explicit ShadowSegmentEndpoint(uintptr_t address) {
56     chunk = (uint8_t*)MemToShadow(address);
57     offset = address & (SHADOW_GRANULARITY - 1);
58     value = *chunk;
59   }
60 };
61 
62 }  // namespace __asan
63 
64 // ---------------------- Interface ---------------- {{{1
65 using namespace __asan;  // NOLINT
66 
67 // Current implementation of __asan_(un)poison_memory_region doesn't check
68 // that user program (un)poisons the memory it owns. It poisons memory
69 // conservatively, and unpoisons progressively to make sure asan shadow
70 // mapping invariant is preserved (see detailed mapping description here:
71 // http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm).
72 //
73 // * if user asks to poison region [left, right), the program poisons
74 // at least [left, AlignDown(right)).
75 // * if user asks to unpoison region [left, right), the program unpoisons
76 // at most [AlignDown(left), right).
__asan_poison_memory_region(void const volatile * addr,size_t size)77 void __asan_poison_memory_region(void const volatile *addr, size_t size) {
78   if (!FLAG_allow_user_poisoning || size == 0) return;
79   uintptr_t beg_addr = (uintptr_t)addr;
80   uintptr_t end_addr = beg_addr + size;
81   if (FLAG_v >= 1) {
82     Printf("Trying to poison memory region [%p, %p)\n", beg_addr, end_addr);
83   }
84   ShadowSegmentEndpoint beg(beg_addr);
85   ShadowSegmentEndpoint end(end_addr);
86   if (beg.chunk == end.chunk) {
87     CHECK(beg.offset < end.offset);
88     int8_t value = beg.value;
89     CHECK(value == end.value);
90     // We can only poison memory if the byte in end.offset is unaddressable.
91     // No need to re-poison memory if it is poisoned already.
92     if (value > 0 && value <= end.offset) {
93       if (beg.offset > 0) {
94         *beg.chunk = Min(value, beg.offset);
95       } else {
96         *beg.chunk = kAsanUserPoisonedMemoryMagic;
97       }
98     }
99     return;
100   }
101   CHECK(beg.chunk < end.chunk);
102   if (beg.offset > 0) {
103     // Mark bytes from beg.offset as unaddressable.
104     if (beg.value == 0) {
105       *beg.chunk = beg.offset;
106     } else {
107       *beg.chunk = Min(beg.value, beg.offset);
108     }
109     beg.chunk++;
110   }
111   REAL(memset)(beg.chunk, kAsanUserPoisonedMemoryMagic, end.chunk - beg.chunk);
112   // Poison if byte in end.offset is unaddressable.
113   if (end.value > 0 && end.value <= end.offset) {
114     *end.chunk = kAsanUserPoisonedMemoryMagic;
115   }
116 }
117 
__asan_unpoison_memory_region(void const volatile * addr,size_t size)118 void __asan_unpoison_memory_region(void const volatile *addr, size_t size) {
119   if (!FLAG_allow_user_poisoning || size == 0) return;
120   uintptr_t beg_addr = (uintptr_t)addr;
121   uintptr_t end_addr = beg_addr + size;
122   if (FLAG_v >= 1) {
123     Printf("Trying to unpoison memory region [%p, %p)\n", beg_addr, end_addr);
124   }
125   ShadowSegmentEndpoint beg(beg_addr);
126   ShadowSegmentEndpoint end(end_addr);
127   if (beg.chunk == end.chunk) {
128     CHECK(beg.offset < end.offset);
129     int8_t value = beg.value;
130     CHECK(value == end.value);
131     // We unpoison memory bytes up to enbytes up to end.offset if it is not
132     // unpoisoned already.
133     if (value != 0) {
134       *beg.chunk = Max(value, end.offset);
135     }
136     return;
137   }
138   CHECK(beg.chunk < end.chunk);
139   if (beg.offset > 0) {
140     *beg.chunk = 0;
141     beg.chunk++;
142   }
143   REAL(memset)(beg.chunk, 0, end.chunk - beg.chunk);
144   if (end.offset > 0 && end.value != 0) {
145     *end.chunk = Max(end.value, end.offset);
146   }
147 }
148 
__asan_address_is_poisoned(void const volatile * addr)149 bool __asan_address_is_poisoned(void const volatile *addr) {
150   return __asan::AddressIsPoisoned((uintptr_t)addr);
151 }
152