replica
/
hanchenye-llvm-project
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Mmap interceptor providing mprotect support 

Summary:
- Intercepting mprotect calls.
- Fixing forgotten flag check.

Patch by David CARLIER

Reviewers: vitalybuka, vsk

Subscribers: delcypher, srhines, kubamracek, llvm-commits, #sanitizers

Differential Revision: https://reviews.llvm.org/D44777

llvm-svn: 328415
This commit is contained in:
Vitaly Buka 2018-03-24 07:45:24 +00:00
parent eb8a3674ec
commit 8616363017
7 changed files with 77 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
compiler-rt/lib/sanitizer_common/sanitizer_common.h
View File

@ -106,6 +106,8 @@ void *MmapAlignedOrDieOnFatalError(uptr size, uptr alignment,
bool MprotectNoAccess(uptr addr, uptr size);
bool MprotectReadOnly(uptr addr, uptr size);
void MprotectMallocZones(void *addr, int prot);
// Find an available address space.
uptr FindAvailableMemoryRange(uptr size, uptr alignment, uptr left_padding,
uptr *largest_gap_found, uptr *max_occupied_addr);
@ -378,7 +380,7 @@ void ReportErrorSummary(const char *error_type, const AddressInfo &info,
void ReportErrorSummary(const char *error_type, const StackTrace *trace,
const char *alt_tool_name = nullptr);
void ReportMmapWriteExec();
void ReportMmapWriteExec(int prot);
// Math
#if SANITIZER_WINDOWS && !defined(__clang__) && !defined(__GNUC__)

19
compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
View File

@ -6888,13 +6888,26 @@ INTERCEPTOR(void *, mmap, void *addr, SIZE_T sz, int prot, int flags, int fd,
OFF_T off) {
void *ctx;
if (common_flags()->detect_write_exec)
ReportMmapWriteExec();
ReportMmapWriteExec(prot);
if (COMMON_INTERCEPTOR_NOTHING_IS_INITIALIZED)
return (void *)internal_mmap(addr, sz, prot, flags, fd, off);
COMMON_INTERCEPTOR_ENTER(ctx, mmap, addr, sz, prot, flags, fd, off);
COMMON_INTERCEPTOR_MMAP_IMPL(ctx, mmap, addr, sz, prot, flags, fd, off);
}
#define INIT_MMAP COMMON_INTERCEPT_FUNCTION(mmap);
INTERCEPTOR(int, mprotect, void *addr, SIZE_T sz, int prot) {
void *ctx;
if (common_flags()->detect_write_exec)
ReportMmapWriteExec(prot);
if (COMMON_INTERCEPTOR_NOTHING_IS_INITIALIZED)
return (int)internal_mprotect(addr, sz, prot);
COMMON_INTERCEPTOR_ENTER(ctx, mprotect, addr, sz, prot);
MprotectMallocZones(addr, prot);
return REAL(mprotect)(addr, sz, prot);
}
#define INIT_MMAP \
COMMON_INTERCEPT_FUNCTION(mmap); \
COMMON_INTERCEPT_FUNCTION(mprotect);
#else
#define INIT_MMAP
#endif
@ -6904,7 +6917,7 @@ INTERCEPTOR(void *, mmap64, void *addr, SIZE_T sz, int prot, int flags, int fd,
OFF64_T off) {
void *ctx;
if (common_flags()->detect_write_exec)
ReportMmapWriteExec();
ReportMmapWriteExec(prot);
if (COMMON_INTERCEPTOR_NOTHING_IS_INITIALIZED)
return (void *)internal_mmap(addr, sz, prot, flags, fd, off);
COMMON_INTERCEPTOR_ENTER(ctx, mmap64, addr, sz, prot, flags, fd, off);

8
compiler-rt/lib/sanitizer_common/sanitizer_common_libcdep.cc
View File

@ -24,6 +24,7 @@
#if SANITIZER_POSIX
#include "sanitizer_posix.h"
#include <sys/mman.h>
#endif
namespace __sanitizer {
@ -81,8 +82,11 @@ void ReportErrorSummary(const char *error_type, const StackTrace *stack,
#endif
}
void ReportMmapWriteExec() {
#if !SANITIZER_GO && !SANITIZER_ANDROID
void ReportMmapWriteExec(int prot) {
#if SANITIZER_POSIX && (!SANITIZER_GO && !SANITIZER_ANDROID)
if ((prot & (PROT_WRITE | PROT_EXEC)) != (PROT_WRITE | PROT_EXEC))
return;
ScopedErrorReportLock l;
SanitizerCommonDecorator d;

24
compiler-rt/lib/sanitizer_common/sanitizer_mac.cc
View File

@ -61,6 +61,7 @@ extern "C" {
#include <mach/mach.h>
#include <mach/mach_time.h>
#include <mach/vm_statistics.h>
#include <malloc/malloc.h>
#include <pthread.h>
#include <sched.h>
#include <signal.h>
@ -343,6 +344,29 @@ uptr GetPageSize() {
return sysconf(_SC_PAGESIZE);
}
extern unsigned malloc_num_zones;
extern malloc_zone_t **malloc_zones;
static malloc_zone_t sanitizer_zone;
// We need to make sure that sanitizer_zone is registered as malloc_zones[0]. If
// libmalloc tries to set up a different zone as malloc_zones[0], it will call
// mprotect(malloc_zones, ..., PROT_READ). This interceptor will catch that and
// make sure we are still the first (default) zone.
void MprotectMallocZones(void *addr, int prot) {
if (addr == malloc_zones && prot == PROT_READ) {
if (malloc_num_zones > 1 && malloc_zones[0] != &sanitizer_zone) {
for (unsigned i = 1; i < malloc_num_zones; i++) {
if (malloc_zones[i] == &sanitizer_zone) {
// Swap malloc_zones[0] and malloc_zones[i].
malloc_zones[i] = malloc_zones[0];
malloc_zones[0] = &sanitizer_zone;
break;
}
}
}
}
}
BlockingMutex::BlockingMutex() {
internal_memset(this, 0, sizeof(*this));
}

25
compiler-rt/lib/sanitizer_common/sanitizer_malloc_mac.inc
View File

@ -29,8 +29,6 @@
// Similar code is used in Google Perftools,
// https://github.com/gperftools/gperftools.
static malloc_zone_t sanitizer_zone;
INTERCEPTOR(malloc_zone_t *, malloc_create_zone,
vm_size_t start_size, unsigned zone_flags) {
COMMON_MALLOC_ENTER();
@ -65,29 +63,6 @@ INTERCEPTOR(void, malloc_destroy_zone, malloc_zone_t *zone) {
COMMON_MALLOC_FREE(zone);
}
extern unsigned malloc_num_zones;
extern malloc_zone_t **malloc_zones;
// We need to make sure that sanitizer_zone is registered as malloc_zones[0]. If
// libmalloc tries to set up a different zone as malloc_zones[0], it will call
// mprotect(malloc_zones, ..., PROT_READ). This interceptor will catch that and
// make sure we are still the first (default) zone.
INTERCEPTOR(int, mprotect, void *addr, size_t len, int prot) {
if (addr == malloc_zones && prot == PROT_READ) {
if (malloc_num_zones > 1 && malloc_zones[0] != &sanitizer_zone) {
for (unsigned i = 1; i < malloc_num_zones; i++) {
if (malloc_zones[i] == &sanitizer_zone) {
// Swap malloc_zones[0] and malloc_zones[i].
malloc_zones[i] = malloc_zones[0];
malloc_zones[0] = &sanitizer_zone;
break;
}
}
}
}
return REAL(mprotect)(addr, len, prot);
}
INTERCEPTOR(malloc_zone_t *, malloc_default_zone, void) {
COMMON_MALLOC_ENTER();
return &sanitizer_zone;

4
compiler-rt/lib/sanitizer_common/sanitizer_posix.cc
View File

@ -153,6 +153,10 @@ bool MprotectReadOnly(uptr addr, uptr size) {
return 0 == internal_mprotect((void *)addr, size, PROT_READ);
}
#if !SANITIZER_MAC
void MprotectMallocZones(void *addr, int prot) {}
#endif
fd_t OpenFile(const char *filename, FileAccessMode mode, error_t *errno_p) {
int flags;
switch (mode) {

26
compiler-rt/test/sanitizer_common/TestCases/Linux/mmap_write_exec.cpp
View File

@ -1,15 +1,37 @@
// RUN: %clangxx %s -o %t
// RUN: %env_tool_opts=detect_write_exec=1 %run %t 2>&1 | FileCheck %s
// ubsan and lsan do not install mmap interceptors
// UNSUPPORTED: ubsan, lsan
// RUN: %env_tool_opts=detect_write_exec=0 %run %t 2>&1 | FileCheck %s \
// RUN: --check-prefix=CHECK-DISABLED
// ubsan and lsan do not install mmap interceptors UNSUPPORTED: ubsan, lsan
// TODO: Fix option on Android, it hangs there for unknown reasons.
// XFAIL: android
#include <stdio.h>
#include <sys/mman.h>
int main(int argc, char **argv) {
char *p = (char *)mmap(0, 1024, PROT_READ | PROT_WRITE | PROT_EXEC,
MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
// CHECK: WARNING: {{.*}}Sanitizer: writable-executable page usage
// CHECK: #{{[0-9]+.*}}main{{.*}}mmap_write_exec.cpp:[[@LINE-3]]
// CHECK: SUMMARY: {{.*}}Sanitizer: w-and-x-usage
char *q = (char *)mmap(p, 64, PROT_READ | PROT_WRITE,
MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
(void)mprotect(q, 64, PROT_WRITE | PROT_EXEC);
// CHECK: WARNING: {{.*}}Sanitizer: writable-executable page usage
// CHECK: #{{[0-9]+.*}}main{{.*}}mmap_write_exec.cpp:[[@LINE-2]]
// CHECK: SUMMARY: {{.*}}Sanitizer: w-and-x-usage
char *a = (char *)mmap(0, 1024, PROT_READ | PROT_WRITE,
MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
char *b = (char *)mmap(a, 64, PROT_READ | PROT_WRITE,
MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
(void)mprotect(q, 64, PROT_READ | PROT_EXEC);
// CHECK-NOT: Sanitizer
printf("done\n");
// CHECK-DISABLED-NOT: Sanitizer
// CHECK-DISABLED: done
}