1 //===-- safestack.cc ------------------------------------------------------===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file implements the runtime support for the safe stack protection 11 // mechanism. The runtime manages allocation/deallocation of the unsafe stack 12 // for the main thread, as well as all pthreads that are created/destroyed 13 // during program execution. 14 // 15 //===----------------------------------------------------------------------===// 16 17 #include <limits.h> 18 #include <pthread.h> 19 #include <stddef.h> 20 #include <stdint.h> 21 #include <unistd.h> 22 #include <sys/resource.h> 23 #include <sys/types.h> 24 #include <sys/user.h> 25 26 #include "interception/interception.h" 27 #include "sanitizer_common/sanitizer_common.h" 28 29 // TODO: The runtime library does not currently protect the safe stack beyond 30 // relying on the system-enforced ASLR. The protection of the (safe) stack can 31 // be provided by three alternative features: 32 // 33 // 1) Protection via hardware segmentation on x86-32 and some x86-64 34 // architectures: the (safe) stack segment (implicitly accessed via the %ss 35 // segment register) can be separated from the data segment (implicitly 36 // accessed via the %ds segment register). Dereferencing a pointer to the safe 37 // segment would result in a segmentation fault. 38 // 39 // 2) Protection via software fault isolation: memory writes that are not meant 40 // to access the safe stack can be prevented from doing so through runtime 41 // instrumentation. One way to do it is to allocate the safe stack(s) in the 42 // upper half of the userspace and bitmask the corresponding upper bit of the 43 // memory addresses of memory writes that are not meant to access the safe 44 // stack. 45 // 46 // 3) Protection via information hiding on 64 bit architectures: the location 47 // of the safe stack(s) can be randomized through secure mechanisms, and the 48 // leakage of the stack pointer can be prevented. Currently, libc can leak the 49 // stack pointer in several ways (e.g. in longjmp, signal handling, user-level 50 // context switching related functions, etc.). These can be fixed in libc and 51 // in other low-level libraries, by either eliminating the escaping/dumping of 52 // the stack pointer (i.e., %rsp) when that's possible, or by using 53 // encryption/PTR_MANGLE (XOR-ing the dumped stack pointer with another secret 54 // we control and protect better, as is already done for setjmp in glibc.) 55 // Furthermore, a static machine code level verifier can be ran after code 56 // generation to make sure that the stack pointer is never written to memory, 57 // or if it is, its written on the safe stack. 58 // 59 // Finally, while the Unsafe Stack pointer is currently stored in a thread 60 // local variable, with libc support it could be stored in the TCB (thread 61 // control block) as well, eliminating another level of indirection and making 62 // such accesses faster. Alternatively, dedicating a separate register for 63 // storing it would also be possible. 64 65 /// Minimum stack alignment for the unsafe stack. 66 const unsigned kStackAlign = 16; 67 68 /// Default size of the unsafe stack. This value is only used if the stack 69 /// size rlimit is set to infinity. 70 const unsigned kDefaultUnsafeStackSize = 0x2800000; 71 72 /// Runtime page size obtained through sysconf 73 static unsigned pageSize; 74 75 // TODO: To make accessing the unsafe stack pointer faster, we plan to 76 // eventually store it directly in the thread control block data structure on 77 // platforms where this structure is pointed to by %fs or %gs. This is exactly 78 // the same mechanism as currently being used by the traditional stack 79 // protector pass to store the stack guard (see getStackCookieLocation() 80 // function above). Doing so requires changing the tcbhead_t struct in glibc 81 // on Linux and tcb struct in libc on FreeBSD. 82 // 83 // For now, store it in a thread-local variable. 84 extern "C" { 85 __attribute__((visibility( 86 "default"))) __thread void *__safestack_unsafe_stack_ptr = nullptr; 87 } 88 89 // Per-thread unsafe stack information. It's not frequently accessed, so there 90 // it can be kept out of the tcb in normal thread-local variables. 91 static __thread void *unsafe_stack_start = nullptr; 92 static __thread size_t unsafe_stack_size = 0; 93 static __thread size_t unsafe_stack_guard = 0; 94 95 static inline void *unsafe_stack_alloc(size_t size, size_t guard) { 96 CHECK_GE(size + guard, size); 97 void *addr = MmapOrDie(size + guard, "unsafe_stack_alloc"); 98 MprotectNoAccess((uptr)addr, (uptr)guard); 99 return (char *)addr + guard; 100 } 101 102 static inline void unsafe_stack_setup(void *start, size_t size, size_t guard) { 103 CHECK_GE((char *)start + size, (char *)start); 104 CHECK_GE((char *)start + guard, (char *)start); 105 void *stack_ptr = (char *)start + size; 106 CHECK_EQ((((size_t)stack_ptr) & (kStackAlign - 1)), 0); 107 108 __safestack_unsafe_stack_ptr = stack_ptr; 109 unsafe_stack_start = start; 110 unsafe_stack_size = size; 111 unsafe_stack_guard = guard; 112 } 113 114 static void unsafe_stack_free() { 115 if (unsafe_stack_start) { 116 UnmapOrDie((char *)unsafe_stack_start - unsafe_stack_guard, 117 unsafe_stack_size + unsafe_stack_guard); 118 } 119 unsafe_stack_start = nullptr; 120 } 121 122 /// Thread data for the cleanup handler 123 static pthread_key_t thread_cleanup_key; 124 125 /// Safe stack per-thread information passed to the thread_start function 126 struct tinfo { 127 void *(*start_routine)(void *); 128 void *start_routine_arg; 129 130 void *unsafe_stack_start; 131 size_t unsafe_stack_size; 132 size_t unsafe_stack_guard; 133 }; 134 135 /// Wrap the thread function in order to deallocate the unsafe stack when the 136 /// thread terminates by returning from its main function. 137 static void *thread_start(void *arg) { 138 struct tinfo *tinfo = (struct tinfo *)arg; 139 140 void *(*start_routine)(void *) = tinfo->start_routine; 141 void *start_routine_arg = tinfo->start_routine_arg; 142 143 // Setup the unsafe stack; this will destroy tinfo content 144 unsafe_stack_setup(tinfo->unsafe_stack_start, tinfo->unsafe_stack_size, 145 tinfo->unsafe_stack_guard); 146 147 // Make sure out thread-specific destructor will be called 148 // FIXME: we can do this only any other specific key is set by 149 // intercepting the pthread_setspecific function itself 150 pthread_setspecific(thread_cleanup_key, (void *)1); 151 152 return start_routine(start_routine_arg); 153 } 154 155 /// Thread-specific data destructor 156 static void thread_cleanup_handler(void *_iter) { 157 // We want to free the unsafe stack only after all other destructors 158 // have already run. We force this function to be called multiple times. 159 // User destructors that might run more then PTHREAD_DESTRUCTOR_ITERATIONS-1 160 // times might still end up executing after the unsafe stack is deallocated. 161 size_t iter = (size_t)_iter; 162 if (iter < PTHREAD_DESTRUCTOR_ITERATIONS) { 163 pthread_setspecific(thread_cleanup_key, (void *)(iter + 1)); 164 } else { 165 // This is the last iteration 166 unsafe_stack_free(); 167 } 168 } 169 170 /// Intercept thread creation operation to allocate and setup the unsafe stack 171 INTERCEPTOR(int, pthread_create, pthread_t *thread, 172 const pthread_attr_t *attr, 173 void *(*start_routine)(void*), void *arg) { 174 175 size_t size = 0; 176 size_t guard = 0; 177 178 if (attr) { 179 pthread_attr_getstacksize(attr, &size); 180 pthread_attr_getguardsize(attr, &guard); 181 } else { 182 // get pthread default stack size 183 pthread_attr_t tmpattr; 184 pthread_attr_init(&tmpattr); 185 pthread_attr_getstacksize(&tmpattr, &size); 186 pthread_attr_getguardsize(&tmpattr, &guard); 187 pthread_attr_destroy(&tmpattr); 188 } 189 190 CHECK_NE(size, 0); 191 CHECK_EQ((size & (kStackAlign - 1)), 0); 192 CHECK_EQ((guard & (pageSize - 1)), 0); 193 194 void *addr = unsafe_stack_alloc(size, guard); 195 struct tinfo *tinfo = 196 (struct tinfo *)(((char *)addr) + size - sizeof(struct tinfo)); 197 tinfo->start_routine = start_routine; 198 tinfo->start_routine_arg = arg; 199 tinfo->unsafe_stack_start = addr; 200 tinfo->unsafe_stack_size = size; 201 tinfo->unsafe_stack_guard = guard; 202 203 return REAL(pthread_create)(thread, attr, thread_start, tinfo); 204 } 205 206 extern "C" __attribute__((visibility("default"))) 207 #if !SANITIZER_CAN_USE_PREINIT_ARRAY 208 // On ELF platforms, the constructor is invoked using .preinit_array (see below) 209 __attribute__((constructor(0))) 210 #endif 211 void __safestack_init() { 212 // Determine the stack size for the main thread. 213 size_t size = kDefaultUnsafeStackSize; 214 size_t guard = 4096; 215 216 struct rlimit limit; 217 if (getrlimit(RLIMIT_STACK, &limit) == 0 && limit.rlim_cur != RLIM_INFINITY) 218 size = limit.rlim_cur; 219 220 // Allocate unsafe stack for main thread 221 void *addr = unsafe_stack_alloc(size, guard); 222 223 unsafe_stack_setup(addr, size, guard); 224 pageSize = sysconf(_SC_PAGESIZE); 225 226 // Initialize pthread interceptors for thread allocation 227 INTERCEPT_FUNCTION(pthread_create); 228 229 // Setup the cleanup handler 230 pthread_key_create(&thread_cleanup_key, thread_cleanup_handler); 231 } 232 233 #if SANITIZER_CAN_USE_PREINIT_ARRAY 234 // On ELF platforms, run safestack initialization before any other constructors. 235 // On other platforms we use the constructor attribute to arrange to run our 236 // initialization early. 237 extern "C" { 238 __attribute__((section(".preinit_array"), 239 used)) void (*__safestack_preinit)(void) = __safestack_init; 240 } 241 #endif 242 243 extern "C" 244 __attribute__((visibility("default"))) void *__get_unsafe_stack_start() { 245 return unsafe_stack_start; 246 } 247 248 extern "C" 249 __attribute__((visibility("default"))) void *__get_unsafe_stack_ptr() { 250 return __safestack_unsafe_stack_ptr; 251 } 252
