Gitiles
Code Review Sign In
gerrit.omnirom.org / android_bionic / 734beec3d48a7ea5cfe3bd0815676181ea698cc7^! / . / libc / bionic / pthread_create.cpp
commit734beec3d48a7ea5cfe3bd0815676181ea698cc7[log] [tgz]
authorPeter Collingbourne <pcc@google.com>Wed Nov 14 12:41:41 2018 -0800
committerPeter Collingbourne <pcc@google.com>Fri Nov 16 14:37:08 2018 -0800
tree4a288b288b56d549c23e25166de6be1b86729c79
parent83590680649dc04ce8a98cd85b6356e1d6066564 [diff] [blame]
Allocate a small guard region around the shadow call stack.

This lets us do two things:

1) Make setjmp and longjmp compatible with shadow call stack.
   To avoid leaking the shadow call stack address into memory, only the
   lower log2(SCS_SIZE) bits of x18 are stored to jmp_buf. This requires
   allocating an additional guard page so that we're guaranteed to be
   able to allocate a sufficiently aligned SCS.

2) SCS overflow detection. Overflows now result in a SIGSEGV instead
   of corrupting the allocation that comes after it.

Change-Id: I04d6634f96162bf625684672a87fba8b402b7fd1
Test: bionic-unit-tests

diff --git a/libc/bionic/pthread_create.cpp b/libc/bionic/pthread_create.cpp
index 720a3ae..6f632e8 100644
--- a/libc/bionic/pthread_create.cpp
+++ b/libc/bionic/pthread_create.cpp

@@ -39,6 +39,7 @@
 
 #include <async_safe/log.h>
 
+#include "private/bionic_constants.h"
 #include "private/bionic_defs.h"
 #include "private/bionic_macros.h"
 #include "private/bionic_ssp.h"
@@ -112,14 +113,19 @@
 
 static void __init_shadow_call_stack(pthread_internal_t* thread __unused) {
 #ifdef __aarch64__
-  // Allocate the stack and store its address in register x18.
-  // TODO(pcc): We ought to allocate a guard region here and then allocate the SCS at a random
-  // location within it. This will provide greater security since it would mean that an attacker who
-  // can read the pthread_internal_t won't be able to discover the address of the SCS. However,
-  // doing so is blocked on a solution to b/118642754.
-  char* scs = reinterpret_cast<char*>(
-      mmap(nullptr, SCS_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0));
-  thread->shadow_call_stack_guard_region = scs;
+  // Allocate the stack and store its address in register x18. The address is aligned to SCS_SIZE so
+  // that we only need to store the lower log2(SCS_SIZE) bits in jmp_buf.
+  // TODO(pcc): We ought to allocate a larger guard region here and then allocate the SCS at a
+  // random location within it. This will provide greater security since it would mean that an
+  // attacker who can read the pthread_internal_t won't be able to discover the address of the SCS.
+  // However, doing so is blocked on a solution to b/118642754.
+  char* scs_guard_region = reinterpret_cast<char*>(
+      mmap(nullptr, SCS_GUARD_REGION_SIZE, 0, MAP_PRIVATE | MAP_ANON, -1, 0));
+  thread->shadow_call_stack_guard_region = scs_guard_region;
+
+  char* scs =
+      reinterpret_cast<char*>(align_up(reinterpret_cast<uintptr_t>(scs_guard_region), SCS_SIZE));
+  mprotect(scs, SCS_SIZE, PROT_READ | PROT_WRITE);
   __asm__ __volatile__("mov x18, %0" ::"r"(scs));
 #endif
 }