compiler-rt/lib/safestack/safestack.cpp

   1 //===-- safestack.cpp -----------------------------------------------------===//
   2 //
   3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
   4 // See https://llvm.org/LICENSE.txt for license information.
   5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
   6 //
   7 //===----------------------------------------------------------------------===//
   8 //
   9 // This file implements the runtime support for the safe stack protection
  10 // mechanism. The runtime manages allocation/deallocation of the unsafe stack
  11 // for the main thread, as well as all pthreads that are created/destroyed
  12 // during program execution.
  13 //
  14 //===----------------------------------------------------------------------===//
  15
  16 #define SANITIZER_COMMON_NO_REDEFINE_BUILTINS
  17
  18 #include "safestack_platform.h"
  19 #include "safestack_util.h"
  20 #include "sanitizer_common/sanitizer_internal_defs.h"
  21
  22 #include <errno.h>
  23 #include <string.h>
  24 #include <sys/resource.h>
  25
  26 #include "interception/interception.h"
  27
  28 // interception.h drags in sanitizer_redefine_builtins.h, which in turn
  29 // creates references to __sanitizer_internal_memcpy etc.  The interceptors
  30 // aren't needed here, so just forward to libc.
  31 extern "C" {
  32 SANITIZER_INTERFACE_ATTRIBUTE void *__sanitizer_internal_memcpy(void *dest,
  33                                                                 const void *src,
  34                                                                 size_t n) {
  35   return memcpy(dest, src, n);
  36 }
  37
  38 SANITIZER_INTERFACE_ATTRIBUTE void *__sanitizer_internal_memmove(
  39     void *dest, const void *src, size_t n) {
  40   return memmove(dest, src, n);
  41 }
  42
  43 SANITIZER_INTERFACE_ATTRIBUTE void *__sanitizer_internal_memset(void *s, int c,
  44                                                                 size_t n) {
  45   return memset(s, c, n);
  46 }
  47 }  // extern "C"
  48
  49 using namespace safestack;
  50
  51 // TODO: To make accessing the unsafe stack pointer faster, we plan to
  52 // eventually store it directly in the thread control block data structure on
  53 // platforms where this structure is pointed to by %fs or %gs. This is exactly
  54 // the same mechanism as currently being used by the traditional stack
  55 // protector pass to store the stack guard (see getStackCookieLocation()
  56 // function above). Doing so requires changing the tcbhead_t struct in glibc
  57 // on Linux and tcb struct in libc on FreeBSD.
  58 //
  59 // For now, store it in a thread-local variable.
  60 extern "C" {
  61 __attribute__((visibility(
  62     "default"))) __thread void *__safestack_unsafe_stack_ptr = nullptr;
  63 }
  64
  65 namespace {
  66
  67 // TODO: The runtime library does not currently protect the safe stack beyond
  68 // relying on the system-enforced ASLR. The protection of the (safe) stack can
  69 // be provided by three alternative features:
  70 //
  71 // 1) Protection via hardware segmentation on x86-32 and some x86-64
  72 // architectures: the (safe) stack segment (implicitly accessed via the %ss
  73 // segment register) can be separated from the data segment (implicitly
  74 // accessed via the %ds segment register). Dereferencing a pointer to the safe
  75 // segment would result in a segmentation fault.
  76 //
  77 // 2) Protection via software fault isolation: memory writes that are not meant
  78 // to access the safe stack can be prevented from doing so through runtime
  79 // instrumentation. One way to do it is to allocate the safe stack(s) in the
  80 // upper half of the userspace and bitmask the corresponding upper bit of the
  81 // memory addresses of memory writes that are not meant to access the safe
  82 // stack.
  83 //
  84 // 3) Protection via information hiding on 64 bit architectures: the location
  85 // of the safe stack(s) can be randomized through secure mechanisms, and the
  86 // leakage of the stack pointer can be prevented. Currently, libc can leak the
  87 // stack pointer in several ways (e.g. in longjmp, signal handling, user-level
  88 // context switching related functions, etc.). These can be fixed in libc and
  89 // in other low-level libraries, by either eliminating the escaping/dumping of
  90 // the stack pointer (i.e., %rsp) when that's possible, or by using
  91 // encryption/PTR_MANGLE (XOR-ing the dumped stack pointer with another secret
  92 // we control and protect better, as is already done for setjmp in glibc.)
  93 // Furthermore, a static machine code level verifier can be ran after code
  94 // generation to make sure that the stack pointer is never written to memory,
  95 // or if it is, its written on the safe stack.
  96 //
  97 // Finally, while the Unsafe Stack pointer is currently stored in a thread
  98 // local variable, with libc support it could be stored in the TCB (thread
  99 // control block) as well, eliminating another level of indirection and making
 100 // such accesses faster. Alternatively, dedicating a separate register for
 101 // storing it would also be possible.
 102
 103 /// Minimum stack alignment for the unsafe stack.
 104 const unsigned kStackAlign = 16;
 105
 106 /// Default size of the unsafe stack. This value is only used if the stack
 107 /// size rlimit is set to infinity.
 108 const unsigned kDefaultUnsafeStackSize = 0x2800000;
 109
 110 // Per-thread unsafe stack information. It's not frequently accessed, so there
 111 // it can be kept out of the tcb in normal thread-local variables.
 112 __thread void *unsafe_stack_start = nullptr;
 113 __thread size_t unsafe_stack_size = 0;
 114 __thread size_t unsafe_stack_guard = 0;
 115
 116 inline void *unsafe_stack_alloc(size_t size, size_t guard) {
 117   SFS_CHECK(size + guard >= size);
 118   void *addr = Mmap(nullptr, size + guard, PROT_READ | PROT_WRITE,
 119                     MAP_PRIVATE | MAP_ANON, -1, 0);
 120   SFS_CHECK(MAP_FAILED != addr);
 121   Mprotect(addr, guard, PROT_NONE);
 122   return (char *)addr + guard;
 123 }
 124
 125 inline void unsafe_stack_setup(void *start, size_t size, size_t guard) {
 126   SFS_CHECK((char *)start + size >= (char *)start);
 127   SFS_CHECK((char *)start + guard >= (char *)start);
 128   void *stack_ptr = (char *)start + size;
 129   SFS_CHECK((((size_t)stack_ptr) & (kStackAlign - 1)) == 0);
 130
 131   __safestack_unsafe_stack_ptr = stack_ptr;
 132   unsafe_stack_start = start;
 133   unsafe_stack_size = size;
 134   unsafe_stack_guard = guard;
 135 }
 136
 137 /// Thread data for the cleanup handler
 138 pthread_key_t thread_cleanup_key;
 139
 140 /// Safe stack per-thread information passed to the thread_start function
 141 struct tinfo {
 142   void *(*start_routine)(void *);
 143   void *start_routine_arg;
 144
 145   void *unsafe_stack_start;
 146   size_t unsafe_stack_size;
 147   size_t unsafe_stack_guard;
 148 };
 149
 150 /// Wrap the thread function in order to deallocate the unsafe stack when the
 151 /// thread terminates by returning from its main function.
 152 void *thread_start(void *arg) {
 153   struct tinfo *tinfo = (struct tinfo *)arg;
 154
 155   void *(*start_routine)(void *) = tinfo->start_routine;
 156   void *start_routine_arg = tinfo->start_routine_arg;
 157
 158   // Setup the unsafe stack; this will destroy tinfo content
 159   unsafe_stack_setup(tinfo->unsafe_stack_start, tinfo->unsafe_stack_size,
 160                      tinfo->unsafe_stack_guard);
 161
 162   // Make sure out thread-specific destructor will be called
 163   pthread_setspecific(thread_cleanup_key, (void *)1);
 164
 165   return start_routine(start_routine_arg);
 166 }
 167
 168 /// Linked list used to store exiting threads stack/thread information.
 169 struct thread_stack_ll {
 170   struct thread_stack_ll *next;
 171   void *stack_base;
 172   size_t size;
 173   pid_t pid;
 174   ThreadId tid;
 175 };
 176
 177 /// Linked list of unsafe stacks for threads that are exiting. We delay
 178 /// unmapping them until the thread exits.
 179 thread_stack_ll *thread_stacks = nullptr;
 180 pthread_mutex_t thread_stacks_mutex = PTHREAD_MUTEX_INITIALIZER;
 181
 182 /// Thread-specific data destructor. We want to free the unsafe stack only after
 183 /// this thread is terminated. libc can call functions in safestack-instrumented
 184 /// code (like free) after thread-specific data destructors have run.
 185 void thread_cleanup_handler(void *_iter) {
 186   SFS_CHECK(unsafe_stack_start != nullptr);
 187   pthread_setspecific(thread_cleanup_key, NULL);
 188
 189   pthread_mutex_lock(&thread_stacks_mutex);
 190   // Temporary list to hold the previous threads stacks so we don't hold the
 191   // thread_stacks_mutex for long.
 192   thread_stack_ll *temp_stacks = thread_stacks;
 193   thread_stacks = nullptr;
 194   pthread_mutex_unlock(&thread_stacks_mutex);
 195
 196   pid_t pid = getpid();
 197   ThreadId tid = GetTid();
 198
 199   // Free stacks for dead threads
 200   thread_stack_ll **stackp = &temp_stacks;
 201   while (*stackp) {
 202     thread_stack_ll *stack = *stackp;
 203     if (stack->pid != pid ||
 204         (-1 == TgKill(stack->pid, stack->tid, 0) && errno == ESRCH)) {
 205       Munmap(stack->stack_base, stack->size);
 206       *stackp = stack->next;
 207       free(stack);
 208     } else
 209       stackp = &stack->next;
 210   }
 211
 212   thread_stack_ll *cur_stack =
 213       (thread_stack_ll *)malloc(sizeof(thread_stack_ll));
 214   cur_stack->stack_base = (char *)unsafe_stack_start - unsafe_stack_guard;
 215   cur_stack->size = unsafe_stack_size + unsafe_stack_guard;
 216   cur_stack->pid = pid;
 217   cur_stack->tid = tid;
 218
 219   pthread_mutex_lock(&thread_stacks_mutex);
 220   // Merge thread_stacks with the current thread's stack and any remaining
 221   // temp_stacks
 222   *stackp = thread_stacks;
 223   cur_stack->next = temp_stacks;
 224   thread_stacks = cur_stack;
 225   pthread_mutex_unlock(&thread_stacks_mutex);
 226
 227   unsafe_stack_start = nullptr;
 228 }
 229
 230 void EnsureInterceptorsInitialized();
 231
 232 /// Intercept thread creation operation to allocate and setup the unsafe stack
 233 INTERCEPTOR(int, pthread_create, pthread_t *thread,
 234             const pthread_attr_t *attr,
 235             void *(*start_routine)(void*), void *arg) {
 236   EnsureInterceptorsInitialized();
 237   size_t size = 0;
 238   size_t guard = 0;
 239
 240   if (attr) {
 241     pthread_attr_getstacksize(attr, &size);
 242     pthread_attr_getguardsize(attr, &guard);
 243   } else {
 244     // get pthread default stack size
 245     pthread_attr_t tmpattr;
 246     pthread_attr_init(&tmpattr);
 247     pthread_attr_getstacksize(&tmpattr, &size);
 248     pthread_attr_getguardsize(&tmpattr, &guard);
 249     pthread_attr_destroy(&tmpattr);
 250   }
 251
 252 #if SANITIZER_SOLARIS
 253   // Solaris pthread_attr_init initializes stacksize to 0 (the default), so
 254   // hardcode the actual values as documented in pthread_create(3C).
 255   if (size == 0)
 256 #  if defined(_LP64)
 257     size = 2 * 1024 * 1024;
 258 #  else
 259     size = 1024 * 1024;
 260 #  endif
 261 #endif
 262
 263   SFS_CHECK(size);
 264   size = RoundUpTo(size, kStackAlign);
 265
 266   void *addr = unsafe_stack_alloc(size, guard);
 267   // Put tinfo at the end of the buffer. guard may be not page aligned.
 268   // If that is so then some bytes after addr can be mprotected.
 269   struct tinfo *tinfo =
 270       (struct tinfo *)(((char *)addr) + size - sizeof(struct tinfo));
 271   tinfo->start_routine = start_routine;
 272   tinfo->start_routine_arg = arg;
 273   tinfo->unsafe_stack_start = addr;
 274   tinfo->unsafe_stack_size = size;
 275   tinfo->unsafe_stack_guard = guard;
 276
 277   return REAL(pthread_create)(thread, attr, thread_start, tinfo);
 278 }
 279
 280 pthread_mutex_t interceptor_init_mutex = PTHREAD_MUTEX_INITIALIZER;
 281 bool interceptors_inited = false;
 282
 283 void EnsureInterceptorsInitialized() {
 284   MutexLock lock(interceptor_init_mutex);
 285   if (interceptors_inited)
 286     return;
 287
 288   // Initialize pthread interceptors for thread allocation
 289   INTERCEPT_FUNCTION(pthread_create);
 290
 291   interceptors_inited = true;
 292 }
 293
 294 }  // namespace
 295
 296 extern "C" __attribute__((visibility("default")))
 297 #if !SANITIZER_CAN_USE_PREINIT_ARRAY
 298 // On ELF platforms, the constructor is invoked using .preinit_array (see below)
 299 __attribute__((constructor(0)))
 300 #endif
 301 void __safestack_init() {
 302   // Determine the stack size for the main thread.
 303   size_t size = kDefaultUnsafeStackSize;
 304   size_t guard = 4096;
 305
 306   struct rlimit limit;
 307   if (getrlimit(RLIMIT_STACK, &limit) == 0 && limit.rlim_cur != RLIM_INFINITY)
 308     size = limit.rlim_cur;
 309
 310   // Allocate unsafe stack for main thread
 311   void *addr = unsafe_stack_alloc(size, guard);
 312   unsafe_stack_setup(addr, size, guard);
 313
 314   // Setup the cleanup handler
 315   pthread_key_create(&thread_cleanup_key, thread_cleanup_handler);
 316 }
 317
 318 #if SANITIZER_CAN_USE_PREINIT_ARRAY
 319 // On ELF platforms, run safestack initialization before any other constructors.
 320 // On other platforms we use the constructor attribute to arrange to run our
 321 // initialization early.
 322 extern "C" {
 323 __attribute__((section(".preinit_array"),
 324                used)) void (*__safestack_preinit)(void) = __safestack_init;
 325 }
 326 #endif
 327
 328 extern "C"
 329     __attribute__((visibility("default"))) void *__get_unsafe_stack_bottom() {
 330   return unsafe_stack_start;
 331 }
 332
 333 extern "C"
 334     __attribute__((visibility("default"))) void *__get_unsafe_stack_top() {
 335   return (char*)unsafe_stack_start + unsafe_stack_size;
 336 }
 337
 338 extern "C"
 339     __attribute__((visibility("default"))) void *__get_unsafe_stack_start() {
 340   return unsafe_stack_start;
 341 }
 342
 343 extern "C"
 344     __attribute__((visibility("default"))) void *__get_unsafe_stack_ptr() {
 345   return __safestack_unsafe_stack_ptr;
 346 }