Gitiles
Code Review Sign In
gerrit.omnirom.org / android_bionic / a6e9dcf4cddf87f0c2f5c15241b21c08ef01398f / . / libc / bionic / libc_init_mte.cpp
blob: 3c8ef7da63750fe2b0cb735683fd09f5de73acfc [file] [log] [blame]
Florian Mayera6e9dcf2024-11-06 12:41:22 -0800[diff] [blame^]1/*
2 * Copyright (C) 2024 The Android Open Source Project
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * * Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in
12 * the documentation and/or other materials provided with the
13 * distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29#include <android/api-level.h>
30#include <elf.h>
31#include <errno.h>
32#include <malloc.h>
33#include <signal.h>
34#include <stddef.h>
35#include <stdint.h>
36#include <stdio.h>
37#include <stdlib.h>
38#include <sys/auxv.h>
39#include <sys/mman.h>
40
41#include "async_safe/log.h"
42#include "heap_tagging.h"
43#include "libc_init_common.h"
44#include "platform/bionic/macros.h"
45#include "platform/bionic/mte.h"
46#include "platform/bionic/page.h"
47#include "platform/bionic/reserved_signals.h"
48#include "private/KernelArgumentBlock.h"
49#include "private/bionic_asm.h"
50#include "private/bionic_asm_note.h"
51#include "private/bionic_call_ifunc_resolver.h"
52#include "private/bionic_elf_tls.h"
53#include "private/bionic_globals.h"
54#include "private/bionic_tls.h"
55#include "private/elf_note.h"
56#include "pthread_internal.h"
57#include "sys/system_properties.h"
58#include "sysprop_helpers.h"
59
60#ifdef __aarch64__
61extern "C" const char* __gnu_basename(const char* path);
62
63static HeapTaggingLevel __get_memtag_level_from_note(const ElfW(Phdr) * phdr_start, size_t phdr_ct,
64 const ElfW(Addr) load_bias, bool* stack) {
65 const ElfW(Nhdr) * note;
66 const char* desc;
67 if (!__find_elf_note(NT_ANDROID_TYPE_MEMTAG, "Android", phdr_start, phdr_ct, &note, &desc,
68 load_bias)) {
69 return M_HEAP_TAGGING_LEVEL_TBI;
70 }
71
72 // Previously (in Android 12), if the note was != 4 bytes, we check-failed
73 // here. Let's be more permissive to allow future expansion.
74 if (note->n_descsz < 4) {
75 async_safe_fatal("unrecognized android.memtag note: n_descsz = %d, expected >= 4",
76 note->n_descsz);
77 }
78
79 // `desc` is always aligned due to ELF requirements, enforced in __find_elf_note().
80 ElfW(Word) note_val = *reinterpret_cast<const ElfW(Word)*>(desc);
81 *stack = (note_val & NT_MEMTAG_STACK) != 0;
82
83 // Warning: In Android 12, any value outside of bits [0..3] resulted in a check-fail.
84 if (!(note_val & (NT_MEMTAG_HEAP | NT_MEMTAG_STACK))) {
85 async_safe_format_log(ANDROID_LOG_INFO, "libc",
86 "unrecognised memtag note_val did not specificy heap or stack: %u",
87 note_val);
88 return M_HEAP_TAGGING_LEVEL_TBI;
89 }
90
91 unsigned mode = note_val & NT_MEMTAG_LEVEL_MASK;
92 switch (mode) {
93 case NT_MEMTAG_LEVEL_NONE:
94 // Note, previously (in Android 12), NT_MEMTAG_LEVEL_NONE was
95 // NT_MEMTAG_LEVEL_DEFAULT, which implied SYNC mode. This was never used
96 // by anyone, but we note it (heh) here for posterity, in case the zero
97 // level becomes meaningful, and binaries with this note can be executed
98 // on Android 12 devices.
99 return M_HEAP_TAGGING_LEVEL_TBI;
100 case NT_MEMTAG_LEVEL_ASYNC:
101 return M_HEAP_TAGGING_LEVEL_ASYNC;
102 case NT_MEMTAG_LEVEL_SYNC:
103 default:
104 // We allow future extensions to specify mode 3 (currently unused), with
105 // the idea that it might be used for ASYMM mode or something else. On
106 // this version of Android, it falls back to SYNC mode.
107 return M_HEAP_TAGGING_LEVEL_SYNC;
108 }
109}
110
111// Returns true if there's an environment setting (either sysprop or env var)
112// that should overwrite the ELF note, and places the equivalent heap tagging
113// level into *level.
114static bool get_environment_memtag_setting(HeapTaggingLevel* level) {
115 static const char kMemtagPrognameSyspropPrefix[] = "arm64.memtag.process.";
116 static const char kMemtagGlobalSysprop[] = "persist.arm64.memtag.default";
117 static const char kMemtagOverrideSyspropPrefix[] =
118 "persist.device_config.memory_safety_native.mode_override.process.";
119
120 const char* progname = __libc_shared_globals()->init_progname;
121 if (progname == nullptr) return false;
122
123 const char* basename = __gnu_basename(progname);
124
125 char options_str[PROP_VALUE_MAX];
126 char sysprop_name[512];
127 async_safe_format_buffer(sysprop_name, sizeof(sysprop_name), "%s%s", kMemtagPrognameSyspropPrefix,
128 basename);
129 char remote_sysprop_name[512];
130 async_safe_format_buffer(remote_sysprop_name, sizeof(remote_sysprop_name), "%s%s",
131 kMemtagOverrideSyspropPrefix, basename);
132 const char* sys_prop_names[] = {sysprop_name, remote_sysprop_name, kMemtagGlobalSysprop};
133
134 if (!get_config_from_env_or_sysprops("MEMTAG_OPTIONS", sys_prop_names, arraysize(sys_prop_names),
135 options_str, sizeof(options_str))) {
136 return false;
137 }
138
139 if (strcmp("sync", options_str) == 0) {
140 *level = M_HEAP_TAGGING_LEVEL_SYNC;
141 } else if (strcmp("async", options_str) == 0) {
142 *level = M_HEAP_TAGGING_LEVEL_ASYNC;
143 } else if (strcmp("off", options_str) == 0) {
144 *level = M_HEAP_TAGGING_LEVEL_TBI;
145 } else {
146 async_safe_format_log(
147 ANDROID_LOG_ERROR, "libc",
148 "unrecognized memtag level: \"%s\" (options are \"sync\", \"async\", or \"off\").",
149 options_str);
150 return false;
151 }
152
153 return true;
154}
155
156// Returns the initial heap tagging level. Note: This function will never return
157// M_HEAP_TAGGING_LEVEL_NONE, if MTE isn't enabled for this process we enable
158// M_HEAP_TAGGING_LEVEL_TBI.
159static HeapTaggingLevel __get_tagging_level(const memtag_dynamic_entries_t* memtag_dynamic_entries,
160 const void* phdr_start, size_t phdr_ct,
161 uintptr_t load_bias, bool* stack) {
162 HeapTaggingLevel level = M_HEAP_TAGGING_LEVEL_TBI;
163
164 // If the dynamic entries exist, use those. Otherwise, fall back to the old
165 // Android note, which is still used for fully static executables. When
166 // -fsanitize=memtag* is used in newer toolchains, currently both the dynamic
167 // entries and the old note are created, but we'd expect to move to just the
168 // dynamic entries for dynamically linked executables in the future. In
169 // addition, there's still some cleanup of the build system (that uses a
170 // manually-constructed note) needed. For more information about the dynamic
171 // entries, see:
172 // https://github.com/ARM-software/abi-aa/blob/main/memtagabielf64/memtagabielf64.rst#dynamic-section
173 if (memtag_dynamic_entries && memtag_dynamic_entries->has_memtag_mode) {
174 switch (memtag_dynamic_entries->memtag_mode) {
175 case 0:
176 level = M_HEAP_TAGGING_LEVEL_SYNC;
177 break;
178 case 1:
179 level = M_HEAP_TAGGING_LEVEL_ASYNC;
180 break;
181 default:
182 async_safe_format_log(ANDROID_LOG_INFO, "libc",
183 "unrecognised DT_AARCH64_MEMTAG_MODE value: %u",
184 memtag_dynamic_entries->memtag_mode);
185 }
186 *stack = memtag_dynamic_entries->memtag_stack;
187 } else {
188 level = __get_memtag_level_from_note(reinterpret_cast<const ElfW(Phdr)*>(phdr_start), phdr_ct,
189 load_bias, stack);
190 }
191
192 // We can't short-circuit the environment override, as `stack` is still inherited from the
193 // binary's settings.
194 get_environment_memtag_setting(&level);
195 return level;
196}
197
198static void __enable_mte_signal_handler(int, siginfo_t* info, void*) {
199 if (info->si_code != SI_TIMER) {
200 async_safe_format_log(ANDROID_LOG_ERROR, "libc", "Got BIONIC_ENABLE_MTE not from SI_TIMER");
201 return;
202 }
203 int tagged_addr_ctrl = prctl(PR_GET_TAGGED_ADDR_CTRL, 0, 0, 0, 0);
204 if (tagged_addr_ctrl < 0) {
205 async_safe_fatal("failed to PR_GET_TAGGED_ADDR_CTRL: %m");
206 }
207 if ((tagged_addr_ctrl & PR_MTE_TCF_MASK) != PR_MTE_TCF_NONE) {
208 return;
209 }
210 async_safe_format_log(ANDROID_LOG_INFO, "libc",
211 "Re-enabling MTE, value: %x (tagged_addr_ctrl %lu)",
212 info->si_value.sival_int, info->si_value.sival_int & PR_MTE_TCF_MASK);
213 tagged_addr_ctrl =
214 (tagged_addr_ctrl & ~PR_MTE_TCF_MASK) | (info->si_value.sival_int & PR_MTE_TCF_MASK);
215 if (prctl(PR_SET_TAGGED_ADDR_CTRL, tagged_addr_ctrl, 0, 0, 0) < 0) {
216 async_safe_fatal("failed to PR_SET_TAGGED_ADDR_CTRL %d: %m", tagged_addr_ctrl);
217 }
218}
219
220static int64_t __get_memtag_upgrade_secs() {
221 char* env = getenv("BIONIC_MEMTAG_UPGRADE_SECS");
222 if (!env) return 0;
223 int64_t timed_upgrade = 0;
224 static const char kAppProcessName[] = "app_process64";
225 const char* progname = __libc_shared_globals()->init_progname;
226 progname = progname ? __gnu_basename(progname) : nullptr;
227 // disable timed upgrade for zygote, as the thread spawned will violate the requirement
228 // that it be single-threaded.
229 if (!progname || strncmp(progname, kAppProcessName, sizeof(kAppProcessName)) != 0) {
230 char* endptr;
231 timed_upgrade = strtoll(env, &endptr, 10);
232 if (*endptr != '\0' || timed_upgrade < 0) {
233 async_safe_format_log(ANDROID_LOG_ERROR, "libc",
234 "Invalid value for BIONIC_MEMTAG_UPGRADE_SECS: %s", env);
235 timed_upgrade = 0;
236 }
237 }
238 // Make sure that this does not get passed to potential processes inheriting
239 // this environment.
240 unsetenv("BIONIC_MEMTAG_UPGRADE_SECS");
241 return timed_upgrade;
242}
243
244// Figure out the desired memory tagging mode (sync/async, heap/globals/stack) for this executable.
245// This function is called from the linker before the main executable is relocated.
246__attribute__((no_sanitize("hwaddress", "memtag"))) void __libc_init_mte(
247 const memtag_dynamic_entries_t* memtag_dynamic_entries, const void* phdr_start, size_t phdr_ct,
248 uintptr_t load_bias) {
249 bool memtag_stack = false;
250 HeapTaggingLevel level =
251 __get_tagging_level(memtag_dynamic_entries, phdr_start, phdr_ct, load_bias, &memtag_stack);
252 if (memtag_stack) __libc_shared_globals()->initial_memtag_stack_abi = true;
253
254 if (int64_t timed_upgrade = __get_memtag_upgrade_secs()) {
255 if (level == M_HEAP_TAGGING_LEVEL_ASYNC) {
256 async_safe_format_log(ANDROID_LOG_INFO, "libc",
257 "Attempting timed MTE upgrade from async to sync.");
258 __libc_shared_globals()->heap_tagging_upgrade_timer_sec = timed_upgrade;
259 level = M_HEAP_TAGGING_LEVEL_SYNC;
260 } else if (level != M_HEAP_TAGGING_LEVEL_SYNC) {
261 async_safe_format_log(ANDROID_LOG_ERROR, "libc",
262 "Requested timed MTE upgrade from invalid %s to sync. Ignoring.",
263 DescribeTaggingLevel(level));
264 }
265 }
266 if (level == M_HEAP_TAGGING_LEVEL_SYNC || level == M_HEAP_TAGGING_LEVEL_ASYNC) {
267 unsigned long prctl_arg = PR_TAGGED_ADDR_ENABLE | PR_MTE_TAG_SET_NONZERO;
268 prctl_arg |= (level == M_HEAP_TAGGING_LEVEL_SYNC) ? PR_MTE_TCF_SYNC : PR_MTE_TCF_ASYNC;
269
270 // When entering ASYNC mode, specify that we want to allow upgrading to SYNC by OR'ing in the
271 // SYNC flag. But if the kernel doesn't support specifying multiple TCF modes, fall back to
272 // specifying a single mode.
273 if (prctl(PR_SET_TAGGED_ADDR_CTRL, prctl_arg | PR_MTE_TCF_SYNC, 0, 0, 0) == 0 ||
274 prctl(PR_SET_TAGGED_ADDR_CTRL, prctl_arg, 0, 0, 0) == 0) {
275 __libc_shared_globals()->initial_heap_tagging_level = level;
276
277 struct sigaction action = {};
278 action.sa_flags = SA_SIGINFO | SA_RESTART;
279 action.sa_sigaction = __enable_mte_signal_handler;
280 sigaction(BIONIC_ENABLE_MTE, &action, nullptr);
281 return;
282 }
283 }
284
285 // MTE was either not enabled, or wasn't supported on this device. Try and use
286 // TBI.
287 if (prctl(PR_SET_TAGGED_ADDR_CTRL, PR_TAGGED_ADDR_ENABLE, 0, 0, 0) == 0) {
288 __libc_shared_globals()->initial_heap_tagging_level = M_HEAP_TAGGING_LEVEL_TBI;
289 }
290 // We did not enable MTE, so we do not need to arm the upgrade timer.
291 __libc_shared_globals()->heap_tagging_upgrade_timer_sec = 0;
292}
293
294// Figure out whether we need to map the stack as PROT_MTE.
295// For dynamic executables, this has to be called after loading all
296// DT_NEEDED libraries, in case one of them needs stack MTE.
297__attribute__((no_sanitize("hwaddress", "memtag"))) void __libc_init_mte_stack(void* stack_top) {
298 if (!__libc_shared_globals()->initial_memtag_stack_abi) {
299 return;
300 }
301
302 // Even if the device doesn't support MTE, we have to allocate stack
303 // history buffers for code compiled for stack MTE. That is because the
304 // codegen expects a buffer to be present in TLS_SLOT_STACK_MTE either
305 // way.
306 __get_bionic_tcb()->tls_slot(TLS_SLOT_STACK_MTE) = __allocate_stack_mte_ringbuffer(0, nullptr);
307
308 if (__libc_mte_enabled()) {
309 __libc_shared_globals()->initial_memtag_stack = true;
310 void* pg_start = reinterpret_cast<void*>(page_start(reinterpret_cast<uintptr_t>(stack_top)));
311 if (mprotect(pg_start, page_size(), PROT_READ | PROT_WRITE | PROT_MTE | PROT_GROWSDOWN)) {
312 async_safe_fatal("error: failed to set PROT_MTE on main thread stack: %m");
313 }
314 }
315}
316
317#else // __aarch64__
318void __libc_init_mte(const memtag_dynamic_entries_t*, const void*, size_t, uintptr_t) {}
319void __libc_init_mte_stack(void*) {}
320#endif // __aarch64__
321
322bool __libc_mte_enabled() {
323 HeapTaggingLevel lvl = __libc_shared_globals()->initial_heap_tagging_level;
324 return lvl == M_HEAP_TAGGING_LEVEL_SYNC || lvl == M_HEAP_TAGGING_LEVEL_ASYNC;
325}