[GWP-ASan] Integrate GWP-ASan into bionc's malloc() (using hooks).
This patch introduces GWP-ASan - a sampled allocator framework that
finds use-after-free and heap-buffer-overflow bugs in production
environments.
GWP-ASan is being introduced in an always-disabled mode. This means that
GWP-ASan will be permanently disabled until a further patch turns on
support. As such, there should be no visible functional change for the
time being.
GWP-ASan requires -fno-emulated-tls wherever it's linked from. We
intentionally link GWP-ASan into libc so that it's part of the initial
set of libraries, and thus has static TLS storage (so we can use
Initial-Exec TLS instead of Global-Dynamic). As a benefit, this reduces
overhead for a sampled process.
GWP-ASan is always initialised via. a call to
mallopt(M_INITIALIZE_GWP_ASAN, which must be done before a process is
multithreaded).
More information about GWP-ASan can be found in the upstream
documentation: http://llvm.org/docs/GwpAsan.html
Bug: 135634846
Test: atest bionic
Change-Id: Ib9bd33337d17dab39ac32f4536bff71bd23498b0
diff --git a/libc/bionic/gwp_asan_wrappers.cpp b/libc/bionic/gwp_asan_wrappers.cpp
new file mode 100644
index 0000000..680c5e7
--- /dev/null
+++ b/libc/bionic/gwp_asan_wrappers.cpp
@@ -0,0 +1,263 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <platform/bionic/malloc.h>
+#include <private/bionic_malloc_dispatch.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+
+#include "bionic/gwp_asan_wrappers.h"
+#include "gwp_asan/guarded_pool_allocator.h"
+#include "gwp_asan/options.h"
+#include "gwp_asan/random.h"
+#include "malloc_common.h"
+
+#ifndef LIBC_STATIC
+#include "bionic/malloc_common_dynamic.h"
+#endif // LIBC_STATIC
+
+static gwp_asan::GuardedPoolAllocator GuardedAlloc;
+static const MallocDispatch* prev_dispatch;
+
+using Options = gwp_asan::options::Options;
+
+// ============================================================================
+// Implementation of gFunctions.
+// ============================================================================
+
+// This function handles initialisation as asked for by MallocInitImpl. This
+// should always be called in a single-threaded context.
+bool gwp_asan_initialize(const MallocDispatch* dispatch, bool*, const char*) {
+ prev_dispatch = dispatch;
+
+ Options Opts;
+ Opts.Enabled = true;
+ Opts.MaxSimultaneousAllocations = 32;
+ Opts.SampleRate = 2500;
+ Opts.InstallSignalHandlers = false;
+ Opts.InstallForkHandlers = true;
+
+ GuardedAlloc.init(Opts);
+ info_log("GWP-ASan has been enabled.");
+ return true;
+}
+
+void gwp_asan_finalize() {
+}
+
+void gwp_asan_get_malloc_leak_info(uint8_t**, size_t*, size_t*, size_t*, size_t*) {
+}
+
+void gwp_asan_free_malloc_leak_info(uint8_t*) {
+}
+
+ssize_t gwp_asan_malloc_backtrace(void*, uintptr_t*, size_t) {
+ // TODO(mitchp): GWP-ASan might be able to return the backtrace for the
+ // provided address.
+ return -1;
+}
+
+bool gwp_asan_write_malloc_leak_info(FILE*) {
+ return false;
+}
+
+void* gwp_asan_gfunctions[] = {
+ (void*)gwp_asan_initialize, (void*)gwp_asan_finalize,
+ (void*)gwp_asan_get_malloc_leak_info, (void*)gwp_asan_free_malloc_leak_info,
+ (void*)gwp_asan_malloc_backtrace, (void*)gwp_asan_write_malloc_leak_info,
+};
+
+// ============================================================================
+// Implementation of GWP-ASan malloc wrappers.
+// ============================================================================
+
+void* gwp_asan_calloc(size_t n_elements, size_t elem_size) {
+ if (__predict_false(GuardedAlloc.shouldSample())) {
+ size_t bytes;
+ if (!__builtin_mul_overflow(n_elements, elem_size, &bytes)) {
+ if (void* result = GuardedAlloc.allocate(bytes)) {
+ return result;
+ }
+ }
+ }
+ return prev_dispatch->calloc(n_elements, elem_size);
+}
+
+void gwp_asan_free(void* mem) {
+ if (__predict_false(GuardedAlloc.pointerIsMine(mem))) {
+ GuardedAlloc.deallocate(mem);
+ return;
+ }
+ prev_dispatch->free(mem);
+}
+
+void* gwp_asan_malloc(size_t bytes) {
+ if (__predict_false(GuardedAlloc.shouldSample())) {
+ if (void* result = GuardedAlloc.allocate(bytes)) {
+ return result;
+ }
+ }
+ return prev_dispatch->malloc(bytes);
+}
+
+size_t gwp_asan_malloc_usable_size(const void* mem) {
+ if (__predict_false(GuardedAlloc.pointerIsMine(mem))) {
+ return GuardedAlloc.getSize(mem);
+ }
+ return prev_dispatch->malloc_usable_size(mem);
+}
+
+void* gwp_asan_realloc(void* old_mem, size_t bytes) {
+ if (__predict_false(GuardedAlloc.pointerIsMine(old_mem))) {
+ size_t old_size = GuardedAlloc.getSize(old_mem);
+ void* new_ptr = gwp_asan_malloc(bytes);
+ if (new_ptr) memcpy(new_ptr, old_mem, (bytes < old_size) ? bytes : old_size);
+ GuardedAlloc.deallocate(old_mem);
+ return new_ptr;
+ }
+ return prev_dispatch->realloc(old_mem, bytes);
+}
+
+int gwp_asan_malloc_iterate(uintptr_t base, size_t size,
+ void (*callback)(uintptr_t base, size_t size, void* arg), void* arg) {
+ if (__predict_false(GuardedAlloc.pointerIsMine(reinterpret_cast<void*>(base)))) {
+ // TODO(mitchp): GPA::iterate() returns void, but should return int.
+ // TODO(mitchp): GPA::iterate() should take uintptr_t, not void*.
+ GuardedAlloc.iterate(reinterpret_cast<void*>(base), size, callback, arg);
+ return 0;
+ }
+ return prev_dispatch->malloc_iterate(base, size, callback, arg);
+}
+
+void gwp_asan_malloc_disable() {
+ GuardedAlloc.disable();
+ prev_dispatch->malloc_disable();
+}
+
+void gwp_asan_malloc_enable() {
+ GuardedAlloc.enable();
+ prev_dispatch->malloc_enable();
+}
+
+static const MallocDispatch gwp_asan_dispatch __attribute__((unused)) = {
+ gwp_asan_calloc,
+ gwp_asan_free,
+ Malloc(mallinfo),
+ gwp_asan_malloc,
+ gwp_asan_malloc_usable_size,
+ Malloc(memalign),
+ Malloc(posix_memalign),
+#if defined(HAVE_DEPRECATED_MALLOC_FUNCS)
+ Malloc(pvalloc),
+#endif
+ gwp_asan_realloc,
+#if defined(HAVE_DEPRECATED_MALLOC_FUNCS)
+ Malloc(valloc),
+#endif
+ gwp_asan_malloc_iterate,
+ gwp_asan_malloc_disable,
+ gwp_asan_malloc_enable,
+ Malloc(mallopt),
+ Malloc(aligned_alloc),
+ Malloc(malloc_info),
+};
+
+// TODO(mitchp): Turn on GWP-ASan here probabilistically.
+bool ShouldGwpAsanSampleProcess() {
+ return false;
+}
+
+bool MaybeInitGwpAsanFromLibc() {
+ // Never initialize the Zygote here. A Zygote chosen for sampling would also
+ // have all of its children sampled. Instead, the Zygote child will choose
+ // whether it samples or not just after the Zygote forks. For
+ // libc_scudo-preloaded executables (like mediaswcodec), the program name
+ // might not be available yet. The zygote never uses dynamic libc_scudo.
+ const char* progname = getprogname();
+ if (progname && strncmp(progname, "app_process", 11) == 0) {
+ return false;
+ }
+ return MaybeInitGwpAsan(false);
+}
+
+static bool GwpAsanInitialized = false;
+
+// Maybe initializes GWP-ASan. Called by android_mallopt() and libc's
+// initialisation. This should always be called in a single-threaded context.
+bool MaybeInitGwpAsan(bool force_init) {
+ if (GwpAsanInitialized) {
+ error_log("GWP-ASan was already initialized for this process.");
+ return false;
+ }
+
+ // If the caller hasn't forced GWP-ASan on, check whether we should sample
+ // this process.
+ if (!force_init && !ShouldGwpAsanSampleProcess()) {
+ return false;
+ }
+
+ // GWP-ASan is compatible with heapprofd/malloc_debug/malloc_hooks iff
+ // GWP-ASan was installed first. If one of these other libraries was already
+ // installed, we don't enable GWP-ASan. These libraries are normally enabled
+ // in libc_init after GWP-ASan, but if the new process is a zygote child and
+ // trying to initialize GWP-ASan through mallopt(), one of these libraries may
+ // be installed. It may be possible to change this in future by modifying the
+ // internal dispatch pointers of these libraries at this point in time, but
+ // given that they're all debug-only, we don't really mind for now.
+ if (GetDefaultDispatchTable() != nullptr) {
+ // Something else is installed.
+ return false;
+ }
+
+ // GWP-ASan's initialization is always called in a single-threaded context, so
+ // we can initialize lock-free.
+ __libc_globals.mutate([](libc_globals* globals) {
+ // Set GWP-ASan as the malloc dispatch table.
+ globals->malloc_dispatch_table = gwp_asan_dispatch;
+ atomic_store(&globals->default_dispatch_table, &gwp_asan_dispatch);
+
+ // If malloc_limit isn't installed, we can skip the default_dispatch_table
+ // lookup.
+ if (GetDispatchTable() == nullptr) {
+ atomic_store(&globals->current_dispatch_table, &gwp_asan_dispatch);
+ }
+ });
+
+#ifndef LIBC_STATIC
+ SetGlobalFunctions(gwp_asan_gfunctions);
+#endif // LIBC_STATIC
+
+ GwpAsanInitialized = true;
+
+ gwp_asan_initialize(NativeAllocatorDispatch(), nullptr, nullptr);
+
+ return true;
+}
diff --git a/libc/bionic/gwp_asan_wrappers.h b/libc/bionic/gwp_asan_wrappers.h
new file mode 100644
index 0000000..9bbc593
--- /dev/null
+++ b/libc/bionic/gwp_asan_wrappers.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include <stddef.h>
+#include <private/bionic_malloc_dispatch.h>
+
+// Hooks for libc to possibly install GWP-ASan.
+bool MaybeInitGwpAsanFromLibc();
+
+// Maybe initialize GWP-ASan. Set force_init to true to bypass process sampling.
+bool MaybeInitGwpAsan(bool force_init = false);
diff --git a/libc/bionic/malloc_common.cpp b/libc/bionic/malloc_common.cpp
index e08083f..da68c80 100644
--- a/libc/bionic/malloc_common.cpp
+++ b/libc/bionic/malloc_common.cpp
@@ -41,6 +41,7 @@
#include <private/bionic_config.h>
#include <platform/bionic/malloc.h>
+#include "gwp_asan_wrappers.h"
#include "heap_tagging.h"
#include "malloc_common.h"
#include "malloc_limit.h"
@@ -316,8 +317,42 @@
if (opcode == M_SET_HEAP_TAGGING_LEVEL) {
return SetHeapTaggingLevel(arg, arg_size);
}
+ if (opcode == M_INITIALIZE_GWP_ASAN) {
+ if (arg == nullptr || arg_size != sizeof(bool)) {
+ errno = EINVAL;
+ return false;
+ }
+ return MaybeInitGwpAsan(*reinterpret_cast<bool*>(arg));
+ }
errno = ENOTSUP;
return false;
}
#endif
// =============================================================================
+
+static constexpr MallocDispatch __libc_malloc_default_dispatch __attribute__((unused)) = {
+ Malloc(calloc),
+ Malloc(free),
+ Malloc(mallinfo),
+ Malloc(malloc),
+ Malloc(malloc_usable_size),
+ Malloc(memalign),
+ Malloc(posix_memalign),
+#if defined(HAVE_DEPRECATED_MALLOC_FUNCS)
+ Malloc(pvalloc),
+#endif
+ Malloc(realloc),
+#if defined(HAVE_DEPRECATED_MALLOC_FUNCS)
+ Malloc(valloc),
+#endif
+ Malloc(malloc_iterate),
+ Malloc(malloc_disable),
+ Malloc(malloc_enable),
+ Malloc(mallopt),
+ Malloc(aligned_alloc),
+ Malloc(malloc_info),
+};
+
+const MallocDispatch* NativeAllocatorDispatch() {
+ return &__libc_malloc_default_dispatch;
+}
diff --git a/libc/bionic/malloc_common.h b/libc/bionic/malloc_common.h
index 79bf98c..4afcc4a 100644
--- a/libc/bionic/malloc_common.h
+++ b/libc/bionic/malloc_common.h
@@ -74,6 +74,8 @@
#endif
+const MallocDispatch* NativeAllocatorDispatch();
+
static inline const MallocDispatch* GetDispatchTable() {
return atomic_load_explicit(&__libc_globals->current_dispatch_table, memory_order_acquire);
}
diff --git a/libc/bionic/malloc_common_dynamic.cpp b/libc/bionic/malloc_common_dynamic.cpp
index 2cb1e8a..79d2521 100644
--- a/libc/bionic/malloc_common_dynamic.cpp
+++ b/libc/bionic/malloc_common_dynamic.cpp
@@ -64,6 +64,7 @@
#include <sys/system_properties.h>
+#include "gwp_asan_wrappers.h"
#include "heap_tagging.h"
#include "malloc_common.h"
#include "malloc_common_dynamic.h"
@@ -90,30 +91,6 @@
// =============================================================================
-static constexpr MallocDispatch __libc_malloc_default_dispatch
- __attribute__((unused)) = {
- Malloc(calloc),
- Malloc(free),
- Malloc(mallinfo),
- Malloc(malloc),
- Malloc(malloc_usable_size),
- Malloc(memalign),
- Malloc(posix_memalign),
-#if defined(HAVE_DEPRECATED_MALLOC_FUNCS)
- Malloc(pvalloc),
-#endif
- Malloc(realloc),
-#if defined(HAVE_DEPRECATED_MALLOC_FUNCS)
- Malloc(valloc),
-#endif
- Malloc(malloc_iterate),
- Malloc(malloc_disable),
- Malloc(malloc_enable),
- Malloc(mallopt),
- Malloc(aligned_alloc),
- Malloc(malloc_info),
- };
-
static constexpr char kHooksSharedLib[] = "libc_malloc_hooks.so";
static constexpr char kHooksPrefix[] = "hooks";
static constexpr char kHooksPropertyEnable[] = "libc.debug.hooks.enable";
@@ -261,6 +238,12 @@
return true;
}
+void SetGlobalFunctions(void* functions[]) {
+ for (size_t i = 0; i < FUNC_LAST; i++) {
+ gFunctions[i] = functions[i];
+ }
+}
+
static void ClearGlobalFunctions() {
for (size_t i = 0; i < FUNC_LAST; i++) {
gFunctions[i] = nullptr;
@@ -344,7 +327,15 @@
bool FinishInstallHooks(libc_globals* globals, const char* options, const char* prefix) {
init_func_t init_func = reinterpret_cast<init_func_t>(gFunctions[FUNC_INITIALIZE]);
- if (!init_func(&__libc_malloc_default_dispatch, &gZygoteChild, options)) {
+
+ // If GWP-ASan was initialised, we should use it as the dispatch table for
+ // heapprofd/malloc_debug/malloc_debug.
+ const MallocDispatch* prev_dispatch = GetDefaultDispatchTable();
+ if (prev_dispatch == nullptr) {
+ prev_dispatch = NativeAllocatorDispatch();
+ }
+
+ if (!init_func(prev_dispatch, &gZygoteChild, options)) {
error_log("%s: failed to enable malloc %s", getprogname(), prefix);
ClearGlobalFunctions();
return false;
@@ -388,6 +379,8 @@
char prop[PROP_VALUE_MAX];
char* options = prop;
+ MaybeInitGwpAsanFromLibc();
+
// Prefer malloc debug since it existed first and is a more complete
// malloc interceptor than the hooks.
bool hook_installed = false;
@@ -531,6 +524,13 @@
if (opcode == M_SET_HEAP_TAGGING_LEVEL) {
return SetHeapTaggingLevel(arg, arg_size);
}
+ if (opcode == M_INITIALIZE_GWP_ASAN) {
+ if (arg == nullptr || arg_size != sizeof(bool)) {
+ errno = EINVAL;
+ return false;
+ }
+ return MaybeInitGwpAsan(*reinterpret_cast<bool*>(arg));
+ }
// Try heapprofd's mallopt, as it handles options not covered here.
return HeapprofdMallopt(opcode, arg, arg_size);
}
diff --git a/libc/bionic/malloc_common_dynamic.h b/libc/bionic/malloc_common_dynamic.h
index 755af8f..048d42a 100644
--- a/libc/bionic/malloc_common_dynamic.h
+++ b/libc/bionic/malloc_common_dynamic.h
@@ -45,3 +45,6 @@
// Lock for globals, to guarantee that only one thread is doing a mutate.
extern pthread_mutex_t gGlobalsMutateLock;
extern _Atomic bool gGlobalsMutating;
+
+// Function hooks instantiations, used by dispatch-table allocators to install themselves.
+void SetGlobalFunctions(void* functions[]);