linker/linker_cfi.cpp - android_bionic - Gitiles

 /*
  * Copyright (C) 2008 The Android Open Source Project
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *  * Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  *  * Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in
  *    the documentation and/or other materials provided with the
  *    distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
  * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
  * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
  * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
  * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */

 #include "linker_cfi.h"

 #include "linker_debug.h"
 #include "linker_globals.h"
 #include "platform/bionic/page.h"

 #include <sys/mman.h>
 #include <sys/prctl.h>
 #include <sys/types.h>
 #include <cstdint>

 // Update shadow without making it writable by preparing the data on the side and mremap-ing it in
 // place.
 class ShadowWrite {
   char* shadow_start;
   char* shadow_end;
   char* aligned_start;
   char* aligned_end;
   char* tmp_start;

  public:
   ShadowWrite(uint16_t* s, uint16_t* e) {
     shadow_start = reinterpret_cast<char*>(s);
     shadow_end = reinterpret_cast<char*>(e);
     aligned_start = reinterpret_cast<char*>(PAGE_START(reinterpret_cast<uintptr_t>(shadow_start)));
     aligned_end = reinterpret_cast<char*>(PAGE_END(reinterpret_cast<uintptr_t>(shadow_end)));
     tmp_start =
         reinterpret_cast<char*>(mmap(nullptr, aligned_end - aligned_start, PROT_READ | PROT_WRITE,
                                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0));
     CHECK(tmp_start != MAP_FAILED);
     mprotect(aligned_start, aligned_end - aligned_start, PROT_READ);
     memcpy(tmp_start, aligned_start, shadow_start - aligned_start);
     memcpy(tmp_start + (shadow_end - aligned_start), shadow_end, aligned_end - shadow_end);
   }

   uint16_t* begin() {
     return reinterpret_cast<uint16_t*>(tmp_start + (shadow_start - aligned_start));
   }

   uint16_t* end() {
     return reinterpret_cast<uint16_t*>(tmp_start + (shadow_end - aligned_start));
   }

   ~ShadowWrite() {
     size_t size = aligned_end - aligned_start;
     mprotect(tmp_start, size, PROT_READ);
     void* res = mremap(tmp_start, size, size, MREMAP_MAYMOVE | MREMAP_FIXED,
                        reinterpret_cast<void*>(aligned_start));
     CHECK(res != MAP_FAILED);
   }
 };

 void CFIShadowWriter::FixupVmaName() {
   prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, *shadow_start, kShadowSize, "cfi shadow");
 }

 void CFIShadowWriter::AddConstant(uintptr_t begin, uintptr_t end, uint16_t v) {
   uint16_t* shadow_begin = MemToShadow(begin);
   uint16_t* shadow_end = MemToShadow(end - 1) + 1;

   ShadowWrite sw(shadow_begin, shadow_end);
   std::fill(sw.begin(), sw.end(), v);
 }

 void CFIShadowWriter::AddUnchecked(uintptr_t begin, uintptr_t end) {
   AddConstant(begin, end, kUncheckedShadow);
 }

 void CFIShadowWriter::AddInvalid(uintptr_t begin, uintptr_t end) {
   AddConstant(begin, end, kInvalidShadow);
 }

 void CFIShadowWriter::Add(uintptr_t begin, uintptr_t end, uintptr_t cfi_check) {
   CHECK((cfi_check & (kCfiCheckAlign - 1)) == 0);

   // Don't fill anything below cfi_check. We can not represent those addresses
   // in the shadow, and must make sure at codegen to place all valid call
   // targets above cfi_check.
   begin = std::max(begin, cfi_check) & ~(kShadowAlign - 1);
   uint16_t* shadow_begin = MemToShadow(begin);
   uint16_t* shadow_end = MemToShadow(end - 1) + 1;

   ShadowWrite sw(shadow_begin, shadow_end);
   uint16_t sv_begin = ((begin + kShadowAlign - cfi_check) >> kCfiCheckGranularity) + kRegularShadowMin;

   // With each step of the loop below, __cfi_check address computation base is increased by
   // 2**ShadowGranularity.
   // To compensate for that, each next shadow value must be increased by 2**ShadowGranularity /
   // 2**CfiCheckGranularity.
   uint16_t sv_step = 1 << (kShadowGranularity - kCfiCheckGranularity);
   uint16_t sv = sv_begin;
   for (uint16_t& s : sw) {
     if (sv < sv_begin) {
       // If shadow value wraps around, also fall back to unchecked. This means the binary is too
       // large. FIXME: consider using a (slow) resolution function instead.
       s = kUncheckedShadow;
       continue;
     }
     // If there is something there already, fall back to unchecked. This may happen in rare cases
     // with MAP_FIXED libraries. FIXME: consider using a (slow) resolution function instead.
     s = (s == kInvalidShadow) ? sv : kUncheckedShadow;
     sv += sv_step;
   }
 }

 static soinfo* find_libdl(soinfo* solist) {
   for (soinfo* si = solist; si != nullptr; si = si->next) {
     if (strcmp(si->get_soname(), "libdl.so") == 0) {
       return si;
     }
   }
   return nullptr;
 }

 static uintptr_t soinfo_find_symbol(soinfo* si, const char* s) {
   SymbolName name(s);
   if (const ElfW(Sym)* sym = si->find_symbol_by_name(name, nullptr)) {
     return si->resolve_symbol_address(sym);
   }
   return 0;
 }

 uintptr_t soinfo_find_cfi_check(soinfo* si) {
   return soinfo_find_symbol(si, "__cfi_check");
 }

 uintptr_t CFIShadowWriter::MapShadow() {
   void* p =
       mmap(nullptr, kShadowSize, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE, -1, 0);
   CHECK(p != MAP_FAILED);
   return reinterpret_cast<uintptr_t>(p);
 }

 bool CFIShadowWriter::AddLibrary(soinfo* si) {
   CHECK(shadow_start != nullptr);
   if (si->base == 0 || si->size == 0) {
     return true;
   }
   uintptr_t cfi_check = soinfo_find_cfi_check(si);
   if (cfi_check == 0) {
     INFO("[ CFI add 0x%zx + 0x%zx %s ]", static_cast<uintptr_t>(si->base),
          static_cast<uintptr_t>(si->size), si->get_soname());
     AddUnchecked(si->base, si->base + si->size);
     return true;
   }

   INFO("[ CFI add 0x%zx + 0x%zx %s: 0x%zx ]", static_cast<uintptr_t>(si->base),
        static_cast<uintptr_t>(si->size), si->get_soname(), cfi_check);
 #ifdef __arm__
   // Require Thumb encoding.
   if ((cfi_check & 1UL) != 1UL) {
     DL_ERR("__cfi_check in not a Thumb function in the library \"%s\"", si->get_soname());
     return false;
   }
   cfi_check &= ~1UL;
 #endif
   if ((cfi_check & (kCfiCheckAlign - 1)) != 0) {
     DL_ERR("unaligned __cfi_check in the library \"%s\"", si->get_soname());
     return false;
   }
   Add(si->base, si->base + si->size, cfi_check);
   return true;
 }

 // Pass the shadow mapping address to libdl.so. In return, we get an pointer to the location
 // libdl.so uses to store the address.
 bool CFIShadowWriter::NotifyLibDl(soinfo* solist, uintptr_t p) {
   soinfo* libdl = find_libdl(solist);
   if (libdl == nullptr) {
     DL_ERR("CFI could not find libdl");
     return false;
   }

   uintptr_t cfi_init = soinfo_find_symbol(libdl, "__cfi_init");
   CHECK(cfi_init != 0);
   shadow_start = reinterpret_cast<uintptr_t* (*)(uintptr_t)>(cfi_init)(p);
   CHECK(shadow_start != nullptr);
   CHECK(*shadow_start == p);
   mprotect(shadow_start, PAGE_SIZE, PROT_READ);
   return true;
 }

 bool CFIShadowWriter::MaybeInit(soinfo* new_si, soinfo* solist) {
   CHECK(initial_link_done);
   CHECK(shadow_start == nullptr);
   // Check if CFI shadow must be initialized at this time.
   bool found = false;
   if (new_si == nullptr) {
     // This is the case when we've just completed the initial link. There may have been earlier
     // calls to MaybeInit that were skipped. Look though the entire solist.
     for (soinfo* si = solist; si != nullptr; si = si->next) {
       if (soinfo_find_cfi_check(si)) {
         found = true;
         break;
       }
     }
   } else {
     // See if the new library uses CFI.
     found = soinfo_find_cfi_check(new_si);
   }

   // Nothing found.
   if (!found) {
     return true;
   }

   // Init shadow and add all currently loaded libraries (not just the new ones).
   if (!NotifyLibDl(solist, MapShadow()))
     return false;
   for (soinfo* si = solist; si != nullptr; si = si->next) {
     if (!AddLibrary(si))
       return false;
   }
   FixupVmaName();
   return true;
 }

 bool CFIShadowWriter::AfterLoad(soinfo* si, soinfo* solist) {
   if (!initial_link_done) {
     // Too early.
     return true;
   }

   if (shadow_start == nullptr) {
     return MaybeInit(si, solist);
   }

   // Add the new library to the CFI shadow.
   if (!AddLibrary(si))
     return false;
   FixupVmaName();
   return true;
 }

 void CFIShadowWriter::BeforeUnload(soinfo* si) {
   if (shadow_start == nullptr) return;
   if (si->base == 0 || si->size == 0) return;
   INFO("[ CFI remove 0x%zx + 0x%zx: %s ]", static_cast<uintptr_t>(si->base),
        static_cast<uintptr_t>(si->size), si->get_soname());
   AddInvalid(si->base, si->base + si->size);
   FixupVmaName();
 }

 bool CFIShadowWriter::InitialLinkDone(soinfo* solist) {
   CHECK(!initial_link_done);
   initial_link_done = true;
   return MaybeInit(nullptr, solist);
 }

 // Find __cfi_check in the caller and let it handle the problem. Since caller_pc is likely not a
 // valid CFI target, we can not use CFI shadow for lookup. This does not need to be fast, do the
 // regular symbol lookup.
 void CFIShadowWriter::CfiFail(uint64_t CallSiteTypeId, void* Ptr, void* DiagData, void* CallerPc) {
   soinfo* si = find_containing_library(CallerPc);
   if (!si) {
     __builtin_trap();
   }

   uintptr_t cfi_check = soinfo_find_cfi_check(si);
   if (!cfi_check) {
     __builtin_trap();
   }

   reinterpret_cast<CFICheckFn>(cfi_check)(CallSiteTypeId, Ptr, DiagData);
 }
	/*
	* Copyright (C) 2008 The Android Open Source Project
	* All rights reserved.
	*
	* Redistribution and use in source and binary forms, with or without
	* modification, are permitted provided that the following conditions
	* are met:
	* * Redistributions of source code must retain the above copyright
	* notice, this list of conditions and the following disclaimer.
	* * Redistributions in binary form must reproduce the above copyright
	* notice, this list of conditions and the following disclaimer in
	* the documentation and/or other materials provided with the
	* distribution.
	*
	* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
	* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
	* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
	* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	* COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
	* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
	* OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
	* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
	* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
	* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	* SUCH DAMAGE.
	*/

	#include "linker_cfi.h"

	#include "linker_debug.h"
	#include "linker_globals.h"
	#include "platform/bionic/page.h"

	#include <sys/mman.h>
	#include <sys/prctl.h>
	#include <sys/types.h>
	#include <cstdint>

	// Update shadow without making it writable by preparing the data on the side and mremap-ing it in
	// place.
	class ShadowWrite {
	char* shadow_start;
	char* shadow_end;
	char* aligned_start;
	char* aligned_end;
	char* tmp_start;

	public:
	ShadowWrite(uint16_t* s, uint16_t* e) {
	shadow_start = reinterpret_cast<char*>(s);
	shadow_end = reinterpret_cast<char*>(e);
	aligned_start = reinterpret_cast<char*>(PAGE_START(reinterpret_cast<uintptr_t>(shadow_start)));
	aligned_end = reinterpret_cast<char*>(PAGE_END(reinterpret_cast<uintptr_t>(shadow_end)));
	tmp_start =
	reinterpret_cast<char*>(mmap(nullptr, aligned_end - aligned_start, PROT_READ \| PROT_WRITE,
	MAP_PRIVATE \| MAP_ANONYMOUS, -1, 0));
	CHECK(tmp_start != MAP_FAILED);
	mprotect(aligned_start, aligned_end - aligned_start, PROT_READ);
	memcpy(tmp_start, aligned_start, shadow_start - aligned_start);
	memcpy(tmp_start + (shadow_end - aligned_start), shadow_end, aligned_end - shadow_end);
	}

	uint16_t* begin() {
	return reinterpret_cast<uint16_t*>(tmp_start + (shadow_start - aligned_start));
	}

	uint16_t* end() {
	return reinterpret_cast<uint16_t*>(tmp_start + (shadow_end - aligned_start));
	}

	~ShadowWrite() {
	size_t size = aligned_end - aligned_start;
	mprotect(tmp_start, size, PROT_READ);
	void* res = mremap(tmp_start, size, size, MREMAP_MAYMOVE \| MREMAP_FIXED,
	reinterpret_cast<void*>(aligned_start));
	CHECK(res != MAP_FAILED);
	}
	};

	void CFIShadowWriter::FixupVmaName() {
	prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, *shadow_start, kShadowSize, "cfi shadow");
	}

	void CFIShadowWriter::AddConstant(uintptr_t begin, uintptr_t end, uint16_t v) {
	uint16_t* shadow_begin = MemToShadow(begin);
	uint16_t* shadow_end = MemToShadow(end - 1) + 1;

	ShadowWrite sw(shadow_begin, shadow_end);
	std::fill(sw.begin(), sw.end(), v);
	}

	void CFIShadowWriter::AddUnchecked(uintptr_t begin, uintptr_t end) {
	AddConstant(begin, end, kUncheckedShadow);
	}

	void CFIShadowWriter::AddInvalid(uintptr_t begin, uintptr_t end) {
	AddConstant(begin, end, kInvalidShadow);
	}

	void CFIShadowWriter::Add(uintptr_t begin, uintptr_t end, uintptr_t cfi_check) {
	CHECK((cfi_check & (kCfiCheckAlign - 1)) == 0);

	// Don't fill anything below cfi_check. We can not represent those addresses
	// in the shadow, and must make sure at codegen to place all valid call
	// targets above cfi_check.
	begin = std::max(begin, cfi_check) & ~(kShadowAlign - 1);
	uint16_t* shadow_begin = MemToShadow(begin);
	uint16_t* shadow_end = MemToShadow(end - 1) + 1;

	ShadowWrite sw(shadow_begin, shadow_end);
	uint16_t sv_begin = ((begin + kShadowAlign - cfi_check) >> kCfiCheckGranularity) + kRegularShadowMin;

	// With each step of the loop below, __cfi_check address computation base is increased by
	// 2**ShadowGranularity.
	// To compensate for that, each next shadow value must be increased by 2**ShadowGranularity /
	// 2**CfiCheckGranularity.
	uint16_t sv_step = 1 << (kShadowGranularity - kCfiCheckGranularity);
	uint16_t sv = sv_begin;
	for (uint16_t& s : sw) {
	if (sv < sv_begin) {
	// If shadow value wraps around, also fall back to unchecked. This means the binary is too
	// large. FIXME: consider using a (slow) resolution function instead.
	s = kUncheckedShadow;
	continue;
	}
	// If there is something there already, fall back to unchecked. This may happen in rare cases
	// with MAP_FIXED libraries. FIXME: consider using a (slow) resolution function instead.
	s = (s == kInvalidShadow) ? sv : kUncheckedShadow;
	sv += sv_step;
	}
	}

	static soinfo* find_libdl(soinfo* solist) {
	for (soinfo* si = solist; si != nullptr; si = si->next) {
	if (strcmp(si->get_soname(), "libdl.so") == 0) {
	return si;
	}
	}
	return nullptr;
	}

	static uintptr_t soinfo_find_symbol(soinfo* si, const char* s) {
	SymbolName name(s);
	if (const ElfW(Sym)* sym = si->find_symbol_by_name(name, nullptr)) {
	return si->resolve_symbol_address(sym);
	}
	return 0;
	}

	uintptr_t soinfo_find_cfi_check(soinfo* si) {
	return soinfo_find_symbol(si, "__cfi_check");
	}

	uintptr_t CFIShadowWriter::MapShadow() {
	void* p =
	mmap(nullptr, kShadowSize, PROT_NONE, MAP_PRIVATE \| MAP_ANONYMOUS \| MAP_NORESERVE, -1, 0);
	CHECK(p != MAP_FAILED);
	return reinterpret_cast<uintptr_t>(p);
	}

	bool CFIShadowWriter::AddLibrary(soinfo* si) {
	CHECK(shadow_start != nullptr);
	if (si->base == 0 \|\| si->size == 0) {
	return true;
	}
	uintptr_t cfi_check = soinfo_find_cfi_check(si);
	if (cfi_check == 0) {
	INFO("[ CFI add 0x%zx + 0x%zx %s ]", static_cast<uintptr_t>(si->base),
	static_cast<uintptr_t>(si->size), si->get_soname());
	AddUnchecked(si->base, si->base + si->size);
	return true;
	}

	INFO("[ CFI add 0x%zx + 0x%zx %s: 0x%zx ]", static_cast<uintptr_t>(si->base),
	static_cast<uintptr_t>(si->size), si->get_soname(), cfi_check);
	#ifdef __arm__
	// Require Thumb encoding.
	if ((cfi_check & 1UL) != 1UL) {
	DL_ERR("__cfi_check in not a Thumb function in the library \"%s\"", si->get_soname());
	return false;
	}
	cfi_check &= ~1UL;
	#endif
	if ((cfi_check & (kCfiCheckAlign - 1)) != 0) {
	DL_ERR("unaligned __cfi_check in the library \"%s\"", si->get_soname());
	return false;
	}
	Add(si->base, si->base + si->size, cfi_check);
	return true;
	}

	// Pass the shadow mapping address to libdl.so. In return, we get an pointer to the location
	// libdl.so uses to store the address.
	bool CFIShadowWriter::NotifyLibDl(soinfo* solist, uintptr_t p) {
	soinfo* libdl = find_libdl(solist);
	if (libdl == nullptr) {
	DL_ERR("CFI could not find libdl");
	return false;
	}

	uintptr_t cfi_init = soinfo_find_symbol(libdl, "__cfi_init");
	CHECK(cfi_init != 0);
	shadow_start = reinterpret_cast<uintptr_t* (*)(uintptr_t)>(cfi_init)(p);
	CHECK(shadow_start != nullptr);
	CHECK(*shadow_start == p);
	mprotect(shadow_start, PAGE_SIZE, PROT_READ);
	return true;
	}

	bool CFIShadowWriter::MaybeInit(soinfo* new_si, soinfo* solist) {
	CHECK(initial_link_done);
	CHECK(shadow_start == nullptr);
	// Check if CFI shadow must be initialized at this time.
	bool found = false;
	if (new_si == nullptr) {
	// This is the case when we've just completed the initial link. There may have been earlier
	// calls to MaybeInit that were skipped. Look though the entire solist.
	for (soinfo* si = solist; si != nullptr; si = si->next) {
	if (soinfo_find_cfi_check(si)) {
	found = true;
	break;
	}
	}
	} else {
	// See if the new library uses CFI.
	found = soinfo_find_cfi_check(new_si);
	}

	// Nothing found.
	if (!found) {
	return true;
	}

	// Init shadow and add all currently loaded libraries (not just the new ones).
	if (!NotifyLibDl(solist, MapShadow()))
	return false;
	for (soinfo* si = solist; si != nullptr; si = si->next) {
	if (!AddLibrary(si))
	return false;
	}
	FixupVmaName();
	return true;
	}

	bool CFIShadowWriter::AfterLoad(soinfo* si, soinfo* solist) {
	if (!initial_link_done) {
	// Too early.
	return true;
	}

	if (shadow_start == nullptr) {
	return MaybeInit(si, solist);
	}

	// Add the new library to the CFI shadow.
	if (!AddLibrary(si))
	return false;
	FixupVmaName();
	return true;
	}

	void CFIShadowWriter::BeforeUnload(soinfo* si) {
	if (shadow_start == nullptr) return;
	if (si->base == 0 \|\| si->size == 0) return;
	INFO("[ CFI remove 0x%zx + 0x%zx: %s ]", static_cast<uintptr_t>(si->base),
	static_cast<uintptr_t>(si->size), si->get_soname());
	AddInvalid(si->base, si->base + si->size);
	FixupVmaName();
	}

	bool CFIShadowWriter::InitialLinkDone(soinfo* solist) {
	CHECK(!initial_link_done);
	initial_link_done = true;
	return MaybeInit(nullptr, solist);
	}

	// Find __cfi_check in the caller and let it handle the problem. Since caller_pc is likely not a
	// valid CFI target, we can not use CFI shadow for lookup. This does not need to be fast, do the
	// regular symbol lookup.
	void CFIShadowWriter::CfiFail(uint64_t CallSiteTypeId, void* Ptr, void* DiagData, void* CallerPc) {
	soinfo* si = find_containing_library(CallerPc);
	if (!si) {
	__builtin_trap();
	}

	uintptr_t cfi_check = soinfo_find_cfi_check(si);
	if (!cfi_check) {
	__builtin_trap();
	}

	reinterpret_cast<CFICheckFn>(cfi_check)(CallSiteTypeId, Ptr, DiagData);
	}