• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 //===-- safestack.cc ------------------------------------------------------===//
2 //
3 //                     The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This file implements the runtime support for the safe stack protection
11 // mechanism. The runtime manages allocation/deallocation of the unsafe stack
12 // for the main thread, as well as all pthreads that are created/destroyed
13 // during program execution.
14 //
15 //===----------------------------------------------------------------------===//
16 
17 #include <limits.h>
18 #include <pthread.h>
19 #include <stddef.h>
20 #include <stdint.h>
21 #include <unistd.h>
22 #include <sys/resource.h>
23 #include <sys/types.h>
24 #include <sys/user.h>
25 
26 #include "interception/interception.h"
27 #include "sanitizer_common/sanitizer_common.h"
28 
29 // TODO: The runtime library does not currently protect the safe stack beyond
30 // relying on the system-enforced ASLR. The protection of the (safe) stack can
31 // be provided by three alternative features:
32 //
33 // 1) Protection via hardware segmentation on x86-32 and some x86-64
34 // architectures: the (safe) stack segment (implicitly accessed via the %ss
35 // segment register) can be separated from the data segment (implicitly
36 // accessed via the %ds segment register). Dereferencing a pointer to the safe
37 // segment would result in a segmentation fault.
38 //
39 // 2) Protection via software fault isolation: memory writes that are not meant
40 // to access the safe stack can be prevented from doing so through runtime
41 // instrumentation. One way to do it is to allocate the safe stack(s) in the
42 // upper half of the userspace and bitmask the corresponding upper bit of the
43 // memory addresses of memory writes that are not meant to access the safe
44 // stack.
45 //
46 // 3) Protection via information hiding on 64 bit architectures: the location
47 // of the safe stack(s) can be randomized through secure mechanisms, and the
48 // leakage of the stack pointer can be prevented. Currently, libc can leak the
49 // stack pointer in several ways (e.g. in longjmp, signal handling, user-level
50 // context switching related functions, etc.). These can be fixed in libc and
51 // in other low-level libraries, by either eliminating the escaping/dumping of
52 // the stack pointer (i.e., %rsp) when that's possible, or by using
53 // encryption/PTR_MANGLE (XOR-ing the dumped stack pointer with another secret
54 // we control and protect better, as is already done for setjmp in glibc.)
55 // Furthermore, a static machine code level verifier can be ran after code
56 // generation to make sure that the stack pointer is never written to memory,
57 // or if it is, its written on the safe stack.
58 //
59 // Finally, while the Unsafe Stack pointer is currently stored in a thread
60 // local variable, with libc support it could be stored in the TCB (thread
61 // control block) as well, eliminating another level of indirection and making
62 // such accesses faster. Alternatively, dedicating a separate register for
63 // storing it would also be possible.
64 
65 /// Minimum stack alignment for the unsafe stack.
66 const unsigned kStackAlign = 16;
67 
68 /// Default size of the unsafe stack. This value is only used if the stack
69 /// size rlimit is set to infinity.
70 const unsigned kDefaultUnsafeStackSize = 0x2800000;
71 
72 /// Runtime page size obtained through sysconf
73 static unsigned pageSize;
74 
75 // TODO: To make accessing the unsafe stack pointer faster, we plan to
76 // eventually store it directly in the thread control block data structure on
77 // platforms where this structure is pointed to by %fs or %gs. This is exactly
78 // the same mechanism as currently being used by the traditional stack
79 // protector pass to store the stack guard (see getStackCookieLocation()
80 // function above). Doing so requires changing the tcbhead_t struct in glibc
81 // on Linux and tcb struct in libc on FreeBSD.
82 //
83 // For now, store it in a thread-local variable.
84 extern "C" {
85 __attribute__((visibility(
86     "default"))) __thread void *__safestack_unsafe_stack_ptr = nullptr;
87 }
88 
89 // Per-thread unsafe stack information. It's not frequently accessed, so there
90 // it can be kept out of the tcb in normal thread-local variables.
91 static __thread void *unsafe_stack_start = nullptr;
92 static __thread size_t unsafe_stack_size = 0;
93 static __thread size_t unsafe_stack_guard = 0;
94 
unsafe_stack_alloc(size_t size,size_t guard)95 static inline void *unsafe_stack_alloc(size_t size, size_t guard) {
96   CHECK_GE(size + guard, size);
97   void *addr = MmapOrDie(size + guard, "unsafe_stack_alloc");
98   MprotectNoAccess((uptr)addr, (uptr)guard);
99   return (char *)addr + guard;
100 }
101 
unsafe_stack_setup(void * start,size_t size,size_t guard)102 static inline void unsafe_stack_setup(void *start, size_t size, size_t guard) {
103   CHECK_GE((char *)start + size, (char *)start);
104   CHECK_GE((char *)start + guard, (char *)start);
105   void *stack_ptr = (char *)start + size;
106   CHECK_EQ((((size_t)stack_ptr) & (kStackAlign - 1)), 0);
107 
108   __safestack_unsafe_stack_ptr = stack_ptr;
109   unsafe_stack_start = start;
110   unsafe_stack_size = size;
111   unsafe_stack_guard = guard;
112 }
113 
unsafe_stack_free()114 static void unsafe_stack_free() {
115   if (unsafe_stack_start) {
116     UnmapOrDie((char *)unsafe_stack_start - unsafe_stack_guard,
117                unsafe_stack_size + unsafe_stack_guard);
118   }
119   unsafe_stack_start = nullptr;
120 }
121 
122 /// Thread data for the cleanup handler
123 static pthread_key_t thread_cleanup_key;
124 
125 /// Safe stack per-thread information passed to the thread_start function
126 struct tinfo {
127   void *(*start_routine)(void *);
128   void *start_routine_arg;
129 
130   void *unsafe_stack_start;
131   size_t unsafe_stack_size;
132   size_t unsafe_stack_guard;
133 };
134 
135 /// Wrap the thread function in order to deallocate the unsafe stack when the
136 /// thread terminates by returning from its main function.
thread_start(void * arg)137 static void *thread_start(void *arg) {
138   struct tinfo *tinfo = (struct tinfo *)arg;
139 
140   void *(*start_routine)(void *) = tinfo->start_routine;
141   void *start_routine_arg = tinfo->start_routine_arg;
142 
143   // Setup the unsafe stack; this will destroy tinfo content
144   unsafe_stack_setup(tinfo->unsafe_stack_start, tinfo->unsafe_stack_size,
145                      tinfo->unsafe_stack_guard);
146 
147   // Make sure out thread-specific destructor will be called
148   // FIXME: we can do this only any other specific key is set by
149   // intercepting the pthread_setspecific function itself
150   pthread_setspecific(thread_cleanup_key, (void *)1);
151 
152   return start_routine(start_routine_arg);
153 }
154 
155 /// Thread-specific data destructor
thread_cleanup_handler(void * _iter)156 static void thread_cleanup_handler(void *_iter) {
157   // We want to free the unsafe stack only after all other destructors
158   // have already run. We force this function to be called multiple times.
159   // User destructors that might run more then PTHREAD_DESTRUCTOR_ITERATIONS-1
160   // times might still end up executing after the unsafe stack is deallocated.
161   size_t iter = (size_t)_iter;
162   if (iter < PTHREAD_DESTRUCTOR_ITERATIONS) {
163     pthread_setspecific(thread_cleanup_key, (void *)(iter + 1));
164   } else {
165     // This is the last iteration
166     unsafe_stack_free();
167   }
168 }
169 
170 /// Intercept thread creation operation to allocate and setup the unsafe stack
INTERCEPTOR(int,pthread_create,pthread_t * thread,const pthread_attr_t * attr,void * (* start_routine)(void *),void * arg)171 INTERCEPTOR(int, pthread_create, pthread_t *thread,
172             const pthread_attr_t *attr,
173             void *(*start_routine)(void*), void *arg) {
174 
175   size_t size = 0;
176   size_t guard = 0;
177 
178   if (attr) {
179     pthread_attr_getstacksize(attr, &size);
180     pthread_attr_getguardsize(attr, &guard);
181   } else {
182     // get pthread default stack size
183     pthread_attr_t tmpattr;
184     pthread_attr_init(&tmpattr);
185     pthread_attr_getstacksize(&tmpattr, &size);
186     pthread_attr_getguardsize(&tmpattr, &guard);
187     pthread_attr_destroy(&tmpattr);
188   }
189 
190   CHECK_NE(size, 0);
191   CHECK_EQ((size & (kStackAlign - 1)), 0);
192   CHECK_EQ((guard & (pageSize - 1)), 0);
193 
194   void *addr = unsafe_stack_alloc(size, guard);
195   struct tinfo *tinfo =
196       (struct tinfo *)(((char *)addr) + size - sizeof(struct tinfo));
197   tinfo->start_routine = start_routine;
198   tinfo->start_routine_arg = arg;
199   tinfo->unsafe_stack_start = addr;
200   tinfo->unsafe_stack_size = size;
201   tinfo->unsafe_stack_guard = guard;
202 
203   return REAL(pthread_create)(thread, attr, thread_start, tinfo);
204 }
205 
206 extern "C" __attribute__((visibility("default")))
207 #if !SANITIZER_CAN_USE_PREINIT_ARRAY
208 // On ELF platforms, the constructor is invoked using .preinit_array (see below)
209 __attribute__((constructor(0)))
210 #endif
__safestack_init()211 void __safestack_init() {
212   // Determine the stack size for the main thread.
213   size_t size = kDefaultUnsafeStackSize;
214   size_t guard = 4096;
215 
216   struct rlimit limit;
217   if (getrlimit(RLIMIT_STACK, &limit) == 0 && limit.rlim_cur != RLIM_INFINITY)
218     size = limit.rlim_cur;
219 
220   // Allocate unsafe stack for main thread
221   void *addr = unsafe_stack_alloc(size, guard);
222 
223   unsafe_stack_setup(addr, size, guard);
224   pageSize = sysconf(_SC_PAGESIZE);
225 
226   // Initialize pthread interceptors for thread allocation
227   INTERCEPT_FUNCTION(pthread_create);
228 
229   // Setup the cleanup handler
230   pthread_key_create(&thread_cleanup_key, thread_cleanup_handler);
231 }
232 
233 #if SANITIZER_CAN_USE_PREINIT_ARRAY
234 // On ELF platforms, run safestack initialization before any other constructors.
235 // On other platforms we use the constructor attribute to arrange to run our
236 // initialization early.
237 extern "C" {
238 __attribute__((section(".preinit_array"),
239                used)) void (*__safestack_preinit)(void) = __safestack_init;
240 }
241 #endif
242 
243 extern "C"
__get_unsafe_stack_start()244     __attribute__((visibility("default"))) void *__get_unsafe_stack_start() {
245   return unsafe_stack_start;
246 }
247 
248 extern "C"
__get_unsafe_stack_ptr()249     __attribute__((visibility("default"))) void *__get_unsafe_stack_ptr() {
250   return __safestack_unsafe_stack_ptr;
251 }
252