libc/private/CFIShadow.h

/*
 * Copyright (C) 2016 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef CFI_SHADOW_H
#define CFI_SHADOW_H

#include <stdint.h>

#include "private/bionic_page.h"
#include "private/bionic_macros.h"

constexpr unsigned kLibraryAlignmentBits = 18;
constexpr size_t kLibraryAlignment = 1UL << kLibraryAlignmentBits;

// This class defines format of the shadow region for Control Flow Integrity support.
// See documentation in http://clang.llvm.org/docs/ControlFlowIntegrityDesign.html#shared-library-support.
//
// CFI shadow is effectively a very fast and specialized implementation of dladdr: given an address that
// belongs to a shared library or an executable, it can find the address of a specific export in that
// library (a function called "__cfi_check"). This is only guaranteed to work for
// addresses of possible CFI targets inside a library: indirectly called functions and virtual
// tables. A random address inside a library may not work in the future (but it does in the current
// implementation).
//
// Implementation is a sparse array of uint16_t where each element describes the location of
// __cfi_check for a 2**kShadowGranularity range of memory. Array elements (called "shadow values"
// below) are interpreted as follows.
//
// For an address P and corresponding shadow value V, the address of __cfi_check is calculated as
//   align_up(P, 2**kShadowGranularity) - (V - 2) * (2 ** kCfiCheckGranularity)
//
// Special shadow values:
//        0 = kInvalidShadow, this memory range has no valid CFI targets.
//        1 = kUncheckedShadow, any address is this memory range is a valid CFI target
//
// Loader requirement: each aligned 2**kShadowGranularity region of address space may contain at
// most one DSO.
// Compiler requirement: __cfi_check is aligned at kCfiCheckGranularity.
// Compiler requirement: __cfi_check for a given DSO is located below any CFI target for that DSO.
class CFIShadow {
 public:
  static constexpr uintptr_t kShadowGranularity = kLibraryAlignmentBits;
  static constexpr uintptr_t kCfiCheckGranularity = 12;

  // Each uint16_t element of the shadow corresponds to this much application memory.
  static constexpr uintptr_t kShadowAlign = 1UL << kShadowGranularity;

  // Alignment of __cfi_check.
  static constexpr uintptr_t kCfiCheckAlign = 1UL << kCfiCheckGranularity;  // 4K

#if defined (__LP64__)
  static constexpr uintptr_t kMaxTargetAddr = 0xffffffffffff;
#else
  static constexpr uintptr_t kMaxTargetAddr = 0xffffffff;
#endif

  // Shadow is 2 -> 2**kShadowGranularity.
  static constexpr uintptr_t kShadowSize =
      align_up((kMaxTargetAddr >> (kShadowGranularity - 1)), PAGE_SIZE);

  // Returns offset inside the shadow region for an address.
  static constexpr uintptr_t MemToShadowOffset(uintptr_t x) {
    return (x >> kShadowGranularity) << 1;
  }

  typedef int (*CFICheckFn)(uint64_t, void *, void *);

 public:
  enum ShadowValues : uint16_t {
    kInvalidShadow = 0,    // Not a valid CFI target.
    kUncheckedShadow = 1,  // Unchecked, valid CFI target.
    kRegularShadowMin = 2  // This and all higher values encode a negative offset to __cfi_check in
                           // the units of kCfiCheckGranularity, starting with 0 at
                           // kRegularShadowMin.
  };
};

#endif  // CFI_SHADOW_H