| /* |
| * Copyright 2017, Data61 |
| * Commonwealth Scientific and Industrial Research Organisation (CSIRO) |
| * ABN 41 687 119 230. |
| * |
| * This software may be distributed and modified according to the terms of |
| * the BSD 2-Clause license. Note that NO WARRANTY is provided. |
| * See "LICENSE_BSD2.txt" for details. |
| * |
| * @TAG(DATA61_BSD) |
| */ |
| |
| /* This file contains functionality for debugging heap corruption issues. It is |
| * styled after Electric Fence [0], but we can't check as thoroughly as eFence |
| * can because we don't have support for mapping/unmapping/mprotecting regions. |
| * The basic concept is that we stick a 'canary' value before and after |
| * allocated memory. During free, we check that these canaries haven't been |
| * overwritten, which would imply buffer underflow or overflow. This checking |
| * is limited in that we don't catch heap corruption until memory is actually |
| * freed. |
| * |
| * Essentially any allocated region actually looks like this: |
| * p q r |
| * ↓ ↓ ↓ |
| * |canary|size|memory...|canary| |
| * |
| * Internally we deal in 'unboxed' pointers, like p. Externally the caller is |
| * given 'boxed' pointers, like q. We effectively play the same tricks malloc |
| * does to store some book keeping information surrounding the malloced memory. |
| * The 'size' stored is the size the user requested, not the size including |
| * the canaries etc. We need to track this in order to calculate the pointer r |
| * on free. |
| * |
| * In addition to checking for corruption within the heap, this functionality |
| * also tracks pointers that have been allocated. If you try and free (or |
| * realloc) a pointer that was never allocated, it will be detected. |
| * |
| * To use this, you will need to instruct the linker to wrap your calls to |
| * allocation functions. You will need to append something like the following |
| * to your LD_FALGS: |
| * -Wl,--wrap=malloc -Wl,--wrap=free -Wl,--wrap=realloc -Wl,--wrap=calloc |
| * |
| * Ensure you do not call any functions that malloc or free memory within this |
| * file or you will infinitely recurse. |
| */ |
| |
| #include <assert.h> |
| #include <autoconf.h> |
| #include <sel4debug/gen_config.h> |
| #include <stdint.h> |
| #include <stdio.h> |
| #include <stdlib.h> /* for size_t */ |
| #include <string.h> |
| |
| /* Maximum alignment of a data type. The malloc spec requires that returned |
| * pointers are aligned to this. |
| */ |
| #define MAX_ALIGNMENT (sizeof(void*) * 2) /* bytes */ |
| |
| /* Random bits to OR into the pre- and post-canary values so we're not storing |
| * an exact pointer value. Note that these should be less than MAX_ALIGNMENT so |
| * that we're ORing into known 0 bits. Preserving the pointer is not actually |
| * necessary so nothing will break if you change these values to any random |
| * word-sized value. |
| */ |
| #define PRE_EXTRA_BITS 0x7 |
| #define POST_EXTRA_BITS 0x3 |
| |
| /* Algorithms for calculating a canary value to use before and after the |
| * allocated region. The actual algorithm used here is more or less irrelevant |
| * as long as it is deterministic. |
| */ |
| static uintptr_t pre_canary(void *ptr) |
| { |
| return ((uintptr_t)ptr) | PRE_EXTRA_BITS; |
| } |
| static uintptr_t post_canary(void *ptr) |
| { |
| return ((uintptr_t)ptr) | POST_EXTRA_BITS; |
| } |
| |
| typedef struct { |
| uintptr_t canary; |
| size_t size; |
| } __attribute__((aligned(MAX_ALIGNMENT))) metadata_t; |
| |
| /* A `uintptr_t` that is not naturally aligned. It is necessary to explicitly |
| * tag unaligned pointers because, e.g., on ARM the compiler is free to |
| * transform `memcpy` calls into a variant that assumes its inputs are aligned |
| * and performs word-sized accesses. See the following for more information: |
| * http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.faqs/4972.html |
| */ |
| typedef uintptr_t unaligned_uintptr_t __attribute__((aligned(1))); |
| |
| /* Whether we've already encountered heap corruption. See uses of this below, |
| * where we abandon all instrumentation if we've hit an error. The reasoning |
| * behind this is that error reporting functions may call malloc. |
| */ |
| static int err = 0; |
| |
| /* Adjust a size that is about to be passed to the real allocation functions in |
| * order to account for our instrumentation. |
| */ |
| static size_t adjust_size(size_t size) |
| { |
| return size + sizeof(metadata_t) + sizeof(uintptr_t); |
| } |
| |
| /* Wrap a (just-allocated) region with canary values. */ |
| static void *box(void *ptr, size_t size) |
| { |
| if (ptr == NULL) { |
| return ptr; |
| } |
| |
| metadata_t *pre = (metadata_t *)ptr; |
| ptr += sizeof(*pre); |
| unaligned_uintptr_t *post = ptr + size; |
| |
| /* Write the leading canary. */ |
| pre->canary = pre_canary(ptr); |
| pre->size = size; |
| |
| /* Use memcpy for the trailing canary so we don't need to care about |
| * alignment. |
| */ |
| uintptr_t canary = post_canary(ptr); |
| memcpy(post, &canary, sizeof(canary)); |
| |
| return ptr; |
| } |
| |
| /* Throw an error resulting from a bad user invocation. */ |
| #define error(args...) do { \ |
| assert(!err); /* We should not already be handling an error. */ \ |
| err = 1; \ |
| fprintf(stderr, args); \ |
| abort(); \ |
| } while (0) |
| |
| /* Unwrap a canary-endowed region into the original allocated pointer. */ |
| static void *unbox(void *ptr, void *ret_addr) |
| { |
| if (ptr == NULL) { |
| return ptr; |
| } |
| |
| metadata_t *pre = (metadata_t *)(ptr - sizeof(*pre)); |
| unaligned_uintptr_t *post = ptr + pre->size; |
| |
| /* Check the leading canary (underflow). */ |
| if (pre->canary != pre_canary(ptr)) { |
| error("Leading corruption in heap memory pointed to by %p (called " |
| "prior to %p)\n", ptr, ret_addr); |
| } |
| |
| /* Check the trailing canary with memcmp so we don't need to care about |
| * alignment. If the memcmp VM faults here, it's likely that you underran |
| * your buffer and overwrote the 'size' metadata, causing this function to |
| * derive an incorrect 'post' pointer. |
| */ |
| uintptr_t canary = post_canary(ptr); |
| if (memcmp(post, &canary, sizeof(canary)) != 0) { |
| error("Buffer overflow in heap memory pointed to by %p (called prior " |
| "to %p)\n", ptr, ret_addr); |
| } |
| |
| return (void *)pre; |
| } |
| |
| /* Buffer for tracking currently live heap pointers. This is used to detect |
| * when the user attempts to free an invalid pointer. Note that we always track |
| * *boxed* pointers as these are the ones seen by the user. |
| */ |
| #ifndef CONFIG_LIBSEL4DEBUG_ALLOC_BUFFER_ENTRIES |
| #define CONFIG_LIBSEL4DEBUG_ALLOC_BUFFER_ENTRIES 128 |
| #endif |
| static uintptr_t alloced[CONFIG_LIBSEL4DEBUG_ALLOC_BUFFER_ENTRIES]; |
| |
| /* Track the given heap pointer as currently live. */ |
| static void track(void *ptr) |
| { |
| if (sizeof(alloced) == 0 || ptr == NULL) { |
| /* Disable tracking if we have no buffer and never track NULL. */ |
| return; |
| } |
| for (unsigned int i = 0; i < sizeof(alloced) / sizeof(uintptr_t); i++) { |
| if (alloced[i] == 0) { |
| /* Found a free slot. */ |
| alloced[i] = (uintptr_t)ptr; |
| return; |
| } |
| } |
| /* Failed to find a free slot. */ |
| error("Exhausted pointer tracking buffer; try increasing " |
| "CONFIG_LIBSEL4DEBUG_ALLOC_BUFFER_ENTRIES value\n"); |
| } |
| |
| /* Stop tracking the given pointer (mark it as dead). */ |
| static void untrack(void *ptr, void *ret_addr) |
| { |
| if (sizeof(alloced) == 0 || ptr == NULL) { |
| /* Ignore tracking if we have no buffer or are freeing NULL. */ |
| return; |
| } |
| for (unsigned int i = 0; i < sizeof(alloced) / sizeof(uintptr_t); i++) { |
| if (alloced[i] == (uintptr_t)ptr) { |
| /* Found it. */ |
| alloced[i] = 0; |
| return; |
| } |
| } |
| /* Failed to find it. */ |
| error("Attempt to free pointer %p that was never malloced (called prior " |
| "to %p)\n", ptr, ret_addr); |
| } |
| |
| /* Wrapped functions that will be exported to us from libmuslc. */ |
| void *__real_malloc(size_t size); |
| void __real_free(void *ptr); |
| void *__real_calloc(size_t num, size_t size); |
| void *__real_realloc(void *ptr, size_t size); |
| |
| /* Actual allocation wrappers follow. */ |
| |
| void *__wrap_malloc(size_t size) |
| { |
| if (err) { |
| return __real_malloc(size); |
| } |
| |
| size_t new_size = adjust_size(size); |
| void *ptr = __real_malloc(new_size); |
| ptr = box(ptr, size); |
| track(ptr); |
| return ptr; |
| } |
| |
| void __wrap_free(void *ptr) |
| { |
| if (err) { |
| __real_free(ptr); |
| return; |
| } |
| |
| void *ret = __builtin_extract_return_addr(__builtin_return_address(0)); |
| |
| untrack(ptr, ret); |
| |
| /* Write garbage all over the region we were handed back to try to expose |
| * use-after-free bugs. If we fault while doing this, it probably means the |
| * user underran their buffer and overwrote the 'size' metadata. |
| */ |
| metadata_t *pre = (metadata_t *)(ptr - sizeof(*pre)); |
| for (unsigned int i = 0; i < pre->size; i++) { |
| ((char *)ptr)[i] ^= (char)~i; |
| } |
| |
| ptr = unbox(ptr, ret); |
| __real_free(ptr); |
| } |
| |
| void *__wrap_calloc(size_t num, size_t size) |
| { |
| if (err) { |
| return __real_calloc(num, size); |
| } |
| |
| size_t sz = adjust_size(num * size); |
| size_t new_num = sz / size; |
| if (sz % size != 0) { |
| new_num++; |
| } |
| |
| void *ptr = __real_calloc(new_num, size); |
| ptr = box(ptr, num * size); |
| track(ptr); |
| return ptr; |
| } |
| |
| void *__wrap_realloc(void *ptr, size_t size) |
| { |
| if (err) { |
| return __real_realloc(ptr, size); |
| } |
| |
| void *ret = __builtin_extract_return_addr(__builtin_return_address(0)); |
| |
| untrack(ptr, ret); |
| ptr = unbox(ptr, ret); |
| size_t new_size = adjust_size(size); |
| ptr = __real_realloc(ptr, new_size); |
| ptr = box(ptr, size); |
| track(ptr); |
| return ptr; |
| } |
