Mmap interceptor providing mprotect support
Summary: - Intercepting mprotect calls. - Fixing forgotten flag check. Patch by David CARLIER Reviewers: vitalybuka, vsk Subscribers: delcypher, srhines, kubamracek, llvm-commits, #sanitizers Differential Revision: https://reviews.llvm.org/D44777 llvm-svn: 328415
This commit is contained in:
parent
eb8a3674ec
commit
8616363017
|
@ -106,6 +106,8 @@ void *MmapAlignedOrDieOnFatalError(uptr size, uptr alignment,
|
|||
bool MprotectNoAccess(uptr addr, uptr size);
|
||||
bool MprotectReadOnly(uptr addr, uptr size);
|
||||
|
||||
void MprotectMallocZones(void *addr, int prot);
|
||||
|
||||
// Find an available address space.
|
||||
uptr FindAvailableMemoryRange(uptr size, uptr alignment, uptr left_padding,
|
||||
uptr *largest_gap_found, uptr *max_occupied_addr);
|
||||
|
@ -378,7 +380,7 @@ void ReportErrorSummary(const char *error_type, const AddressInfo &info,
|
|||
void ReportErrorSummary(const char *error_type, const StackTrace *trace,
|
||||
const char *alt_tool_name = nullptr);
|
||||
|
||||
void ReportMmapWriteExec();
|
||||
void ReportMmapWriteExec(int prot);
|
||||
|
||||
// Math
|
||||
#if SANITIZER_WINDOWS && !defined(__clang__) && !defined(__GNUC__)
|
||||
|
|
|
@ -6888,13 +6888,26 @@ INTERCEPTOR(void *, mmap, void *addr, SIZE_T sz, int prot, int flags, int fd,
|
|||
OFF_T off) {
|
||||
void *ctx;
|
||||
if (common_flags()->detect_write_exec)
|
||||
ReportMmapWriteExec();
|
||||
ReportMmapWriteExec(prot);
|
||||
if (COMMON_INTERCEPTOR_NOTHING_IS_INITIALIZED)
|
||||
return (void *)internal_mmap(addr, sz, prot, flags, fd, off);
|
||||
COMMON_INTERCEPTOR_ENTER(ctx, mmap, addr, sz, prot, flags, fd, off);
|
||||
COMMON_INTERCEPTOR_MMAP_IMPL(ctx, mmap, addr, sz, prot, flags, fd, off);
|
||||
}
|
||||
#define INIT_MMAP COMMON_INTERCEPT_FUNCTION(mmap);
|
||||
|
||||
INTERCEPTOR(int, mprotect, void *addr, SIZE_T sz, int prot) {
|
||||
void *ctx;
|
||||
if (common_flags()->detect_write_exec)
|
||||
ReportMmapWriteExec(prot);
|
||||
if (COMMON_INTERCEPTOR_NOTHING_IS_INITIALIZED)
|
||||
return (int)internal_mprotect(addr, sz, prot);
|
||||
COMMON_INTERCEPTOR_ENTER(ctx, mprotect, addr, sz, prot);
|
||||
MprotectMallocZones(addr, prot);
|
||||
return REAL(mprotect)(addr, sz, prot);
|
||||
}
|
||||
#define INIT_MMAP \
|
||||
COMMON_INTERCEPT_FUNCTION(mmap); \
|
||||
COMMON_INTERCEPT_FUNCTION(mprotect);
|
||||
#else
|
||||
#define INIT_MMAP
|
||||
#endif
|
||||
|
@ -6904,7 +6917,7 @@ INTERCEPTOR(void *, mmap64, void *addr, SIZE_T sz, int prot, int flags, int fd,
|
|||
OFF64_T off) {
|
||||
void *ctx;
|
||||
if (common_flags()->detect_write_exec)
|
||||
ReportMmapWriteExec();
|
||||
ReportMmapWriteExec(prot);
|
||||
if (COMMON_INTERCEPTOR_NOTHING_IS_INITIALIZED)
|
||||
return (void *)internal_mmap(addr, sz, prot, flags, fd, off);
|
||||
COMMON_INTERCEPTOR_ENTER(ctx, mmap64, addr, sz, prot, flags, fd, off);
|
||||
|
|
|
@ -24,6 +24,7 @@
|
|||
|
||||
#if SANITIZER_POSIX
|
||||
#include "sanitizer_posix.h"
|
||||
#include <sys/mman.h>
|
||||
#endif
|
||||
|
||||
namespace __sanitizer {
|
||||
|
@ -81,8 +82,11 @@ void ReportErrorSummary(const char *error_type, const StackTrace *stack,
|
|||
#endif
|
||||
}
|
||||
|
||||
void ReportMmapWriteExec() {
|
||||
#if !SANITIZER_GO && !SANITIZER_ANDROID
|
||||
void ReportMmapWriteExec(int prot) {
|
||||
#if SANITIZER_POSIX && (!SANITIZER_GO && !SANITIZER_ANDROID)
|
||||
if ((prot & (PROT_WRITE | PROT_EXEC)) != (PROT_WRITE | PROT_EXEC))
|
||||
return;
|
||||
|
||||
ScopedErrorReportLock l;
|
||||
SanitizerCommonDecorator d;
|
||||
|
||||
|
|
|
@ -61,6 +61,7 @@ extern "C" {
|
|||
#include <mach/mach.h>
|
||||
#include <mach/mach_time.h>
|
||||
#include <mach/vm_statistics.h>
|
||||
#include <malloc/malloc.h>
|
||||
#include <pthread.h>
|
||||
#include <sched.h>
|
||||
#include <signal.h>
|
||||
|
@ -343,6 +344,29 @@ uptr GetPageSize() {
|
|||
return sysconf(_SC_PAGESIZE);
|
||||
}
|
||||
|
||||
extern unsigned malloc_num_zones;
|
||||
extern malloc_zone_t **malloc_zones;
|
||||
static malloc_zone_t sanitizer_zone;
|
||||
|
||||
// We need to make sure that sanitizer_zone is registered as malloc_zones[0]. If
|
||||
// libmalloc tries to set up a different zone as malloc_zones[0], it will call
|
||||
// mprotect(malloc_zones, ..., PROT_READ). This interceptor will catch that and
|
||||
// make sure we are still the first (default) zone.
|
||||
void MprotectMallocZones(void *addr, int prot) {
|
||||
if (addr == malloc_zones && prot == PROT_READ) {
|
||||
if (malloc_num_zones > 1 && malloc_zones[0] != &sanitizer_zone) {
|
||||
for (unsigned i = 1; i < malloc_num_zones; i++) {
|
||||
if (malloc_zones[i] == &sanitizer_zone) {
|
||||
// Swap malloc_zones[0] and malloc_zones[i].
|
||||
malloc_zones[i] = malloc_zones[0];
|
||||
malloc_zones[0] = &sanitizer_zone;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
BlockingMutex::BlockingMutex() {
|
||||
internal_memset(this, 0, sizeof(*this));
|
||||
}
|
||||
|
|
|
@ -29,8 +29,6 @@
|
|||
// Similar code is used in Google Perftools,
|
||||
// https://github.com/gperftools/gperftools.
|
||||
|
||||
static malloc_zone_t sanitizer_zone;
|
||||
|
||||
INTERCEPTOR(malloc_zone_t *, malloc_create_zone,
|
||||
vm_size_t start_size, unsigned zone_flags) {
|
||||
COMMON_MALLOC_ENTER();
|
||||
|
@ -65,29 +63,6 @@ INTERCEPTOR(void, malloc_destroy_zone, malloc_zone_t *zone) {
|
|||
COMMON_MALLOC_FREE(zone);
|
||||
}
|
||||
|
||||
extern unsigned malloc_num_zones;
|
||||
extern malloc_zone_t **malloc_zones;
|
||||
|
||||
// We need to make sure that sanitizer_zone is registered as malloc_zones[0]. If
|
||||
// libmalloc tries to set up a different zone as malloc_zones[0], it will call
|
||||
// mprotect(malloc_zones, ..., PROT_READ). This interceptor will catch that and
|
||||
// make sure we are still the first (default) zone.
|
||||
INTERCEPTOR(int, mprotect, void *addr, size_t len, int prot) {
|
||||
if (addr == malloc_zones && prot == PROT_READ) {
|
||||
if (malloc_num_zones > 1 && malloc_zones[0] != &sanitizer_zone) {
|
||||
for (unsigned i = 1; i < malloc_num_zones; i++) {
|
||||
if (malloc_zones[i] == &sanitizer_zone) {
|
||||
// Swap malloc_zones[0] and malloc_zones[i].
|
||||
malloc_zones[i] = malloc_zones[0];
|
||||
malloc_zones[0] = &sanitizer_zone;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return REAL(mprotect)(addr, len, prot);
|
||||
}
|
||||
|
||||
INTERCEPTOR(malloc_zone_t *, malloc_default_zone, void) {
|
||||
COMMON_MALLOC_ENTER();
|
||||
return &sanitizer_zone;
|
||||
|
|
|
@ -153,6 +153,10 @@ bool MprotectReadOnly(uptr addr, uptr size) {
|
|||
return 0 == internal_mprotect((void *)addr, size, PROT_READ);
|
||||
}
|
||||
|
||||
#if !SANITIZER_MAC
|
||||
void MprotectMallocZones(void *addr, int prot) {}
|
||||
#endif
|
||||
|
||||
fd_t OpenFile(const char *filename, FileAccessMode mode, error_t *errno_p) {
|
||||
int flags;
|
||||
switch (mode) {
|
||||
|
|
|
@ -1,15 +1,37 @@
|
|||
// RUN: %clangxx %s -o %t
|
||||
// RUN: %env_tool_opts=detect_write_exec=1 %run %t 2>&1 | FileCheck %s
|
||||
// ubsan and lsan do not install mmap interceptors
|
||||
// UNSUPPORTED: ubsan, lsan
|
||||
// RUN: %env_tool_opts=detect_write_exec=0 %run %t 2>&1 | FileCheck %s \
|
||||
// RUN: --check-prefix=CHECK-DISABLED
|
||||
// ubsan and lsan do not install mmap interceptors UNSUPPORTED: ubsan, lsan
|
||||
|
||||
// TODO: Fix option on Android, it hangs there for unknown reasons.
|
||||
// XFAIL: android
|
||||
|
||||
#include <stdio.h>
|
||||
#include <sys/mman.h>
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
char *p = (char *)mmap(0, 1024, PROT_READ | PROT_WRITE | PROT_EXEC,
|
||||
MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
|
||||
// CHECK: WARNING: {{.*}}Sanitizer: writable-executable page usage
|
||||
// CHECK: #{{[0-9]+.*}}main{{.*}}mmap_write_exec.cpp:[[@LINE-3]]
|
||||
// CHECK: SUMMARY: {{.*}}Sanitizer: w-and-x-usage
|
||||
|
||||
char *q = (char *)mmap(p, 64, PROT_READ | PROT_WRITE,
|
||||
MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
|
||||
(void)mprotect(q, 64, PROT_WRITE | PROT_EXEC);
|
||||
// CHECK: WARNING: {{.*}}Sanitizer: writable-executable page usage
|
||||
// CHECK: #{{[0-9]+.*}}main{{.*}}mmap_write_exec.cpp:[[@LINE-2]]
|
||||
// CHECK: SUMMARY: {{.*}}Sanitizer: w-and-x-usage
|
||||
|
||||
char *a = (char *)mmap(0, 1024, PROT_READ | PROT_WRITE,
|
||||
MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
|
||||
char *b = (char *)mmap(a, 64, PROT_READ | PROT_WRITE,
|
||||
MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
|
||||
(void)mprotect(q, 64, PROT_READ | PROT_EXEC);
|
||||
// CHECK-NOT: Sanitizer
|
||||
|
||||
printf("done\n");
|
||||
// CHECK-DISABLED-NOT: Sanitizer
|
||||
// CHECK-DISABLED: done
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue