diff options
author | Caroline Tice <ctice@gcc.gnu.org> | 2013-08-06 20:38:59 -0700 |
---|---|---|
committer | Caroline Tice <ctice@gcc.gnu.org> | 2013-08-06 20:38:59 -0700 |
commit | 2077db1be5b18b94a91095a3fb380bbc4a81e61b (patch) | |
tree | 2799c94bc06794956a20aaa9db224f64c5e35e4d /libvtv/vtv_rts.cc | |
parent | 03085d1cf9cc91b1283d7a13343760a526b69282 (diff) | |
download | gcc-2077db1be5b18b94a91095a3fb380bbc4a81e61b.tar.gz |
Commit the vtable verification feature.
Commit the vtable verification feature. This feature is designed to
detect, at run time, if/when the vtable pointer in a C++ object has
been corrupted, before allowing virtual calls through that pointer.
If pointer corruption is detected, execution of the program is halted.
libstdc++-v3 ChangeLog:
2013-08-06 Caroline Tice <cmtice@google.com>
* fragment.am: Add XTEMPLATE_FLAGS.
* configure.ac: Add definitions for --enable-vtable-verify.
* acinclude.m4: Add --enable-vtable-verify and
--disable-vtable-verify; define --enable-vtable-verify; define
VTV_CXXFLAGS, VTV_PCH_CXXFLAGS and VTV_CXXLINKFLAGS.
* config/abi/pre/gnu.ver: Export symbols for vtable verification.
* libsupc++/Makefile.am: Define vtv_sources and add it to
libsupc___la_SOURCES and libsupc__convenience_la_SOURCES.
* libsupc++/vtv_stubs.cc: New file.
* include/Makefile.am: Add VTV_PCH_CXXFLAGS to PCHFLAGS.
* src/Makefile.am: Add VTV_CXXFLAGS to AM_CXXFLAGS; add
VTV_CXXLINKFLAGS to CXXLINK.
* src/c++98/Makefile.am: Comment out XTEMPLATE_FLAGS; add VTV_CXXFLAGS
to AM_CXXFLAGS; add VTV_CXXXLINKFLAGS to CXXLINK.
* src/C++11/Makefile.am: Ditto.
* doc/xml/manual/configure.xml: Add entry for --enable-vtable-verify.
* scripts/testsuite_flags.in: Add cxxvtvflags to Usage; cause
cxxvtvflags to use VTV_CXXFLAGS and VTV_CXXLINKFLAGS.
* testsuite/lib/libstdc++.exp: Add cxxvtvflags; add code to locate
libvtv if --enable-vtable-verify was used; set cxxvtvflags; add
cxxvtvflags to cxx_final.
* testsuite/18_support/bad_exception/23591_thread-1.c: Add
-fvtable-verify=none to compiler flags.
* testsuite/17_intro/freestanding.cc: Add -fvtable-verify=none
to compiler flags.
* configure: Regenerated.
* Makefile.in: Regenerated.
* python/Makefile.in: Regenerated.
* include/Makefile.in: Regenerated.
* libsupc++/Makefile.in: Regenerated.
* config.h.in: Regenerated.
* po/Makefile.in: Regenerated.
* src/Makefile.in: Regenerated.
* src/c++98/Makefile.in: Regenerated.
* src/c++11/Makefile.in: Regenerated.
* doc/Makefile.in: Regenerated.
* testsuite/Makefile.in: Regenerated.
top level ChangeLog:
2013-08-06 Caroline Tice <cmtice@google.com>
* configure.ac: Add target-libvtv to target_libraries; disable libvtv
on non-linux systems; add target-libvtv to noconfigdirs; add
libsupc++/.libs to C++ library search paths.
* configure: Regenerated.
* Makefile.def: Add libvtv to target_modules; make libvtv depend on
libstdc++ and libgcc.
* Makefile.in: Regenerated.
include/ChangeLog:
2013-08-06 Caroline Tice <cmtice@google.com>
* vtv-change-permission.h: New file.
contrib/ChangeLog:
2013-08-06 Caroline Tice4 <cmtice@google.com>
* gcc_update: Add libvtv files.
libgcc/ChangeLog:
2013-08-06 Caroline Tice <cmtice@google.com>
config.host (extra_parts): Add vtv_start.o, vtv_end.o
vtv_start_preinit.o and vtv_end_preinit.o.
configure.ac: Add code to check/set enable_vtable_verify.
Makefile.in: Add rules to build vtv_*.o, if enable_vtable_verify is
true.
vtv_start_preinit.c: New file.
vtv_end_preinit.c: New file.
vtv_start.c: New file.
vtv_end.c: New file.
configure: Regenerated.
gcc/ChangeLog:
2013-08-06 Caroline Tice <cmtice@google.com>
* gcc.c (VTABLE_VERIFICATION_SPEC): New definition.
(LINK_COMMAND_SPEC): Add VTABLE_VERIFICATION_SPEC.
* tree-pass.h: Add pass_vtable_verify.
* varasm.c (assemble_variable): Add code to properly set the comdat
section and name for the .vtable_map_vars section.
(assemble_vtyv_preinit_initializer): New function.
(default_sectin_type_flags): Make sure .vtable_map_vars section has
LINK_ONCE flag.
* output.h: Add function decl for assemble_vtv_preinit_initializer.
* vtable-verify.c: New file.
* vtable-verify.h: New file.
* flag-types.h (enum vtv_priority): Defintions for flag_vtable_verify
initialiation levels.
* timevar.def (TV_VTABLE_VERIFICATION): New definition.
* passes.def: Insert pass_vtable_verify.
* aclocal.m4: Reorder includes.
* doc/invoke.texi: Add documentation for the flags -fvtable-verify=,
-fvtv-debug and -fvtv-counts.
* config/gnu-user.h (GNU_USER_TARGET_STARTFILE_SPEC): Add vtv_start*.o,
as appropriate, if -fvtable-verify=... is used.
(GNU_USER_TARGET_ENDFILE_SPEC): Add vtv_end*.o as appropriate, if
-fvtable-verify=... is used.
* Makefile.in (OBJS): Add vtable-verify.o to list.
(vtable-verify.o): Add new build rule.
(GTFILES): Add vtable-verify.c to list.
* common.opt (fvtable-verify=): New flag.
(vtv_priority): Values for fvtable-verify= flag.
(fvtv-counts): New flag.
(fvtv-debug): New flag.
* tree.h (save_vtable_map_decl): New extern function decl.
gcc/cp/ChangeLog:
2013-08-06 Caroline Tice <cmtice@google.com>
* Make-lang.in (*CXX_AND_OBJCXX_OBJS): Add vtable-class-hierarchy.o to
list.
(vtable-class-hierarchy.o): Add build rule.
* cp-tree.h (vtv_start_verification_constructor_init_function): New
extern function decl.
(vtv_finish_verification_constructor_init_function): New extern
function decl.
(build_vtbl_address): New extern function decl.
(get_mangled_vtable_map_var_name): New extern function decl.
(vtv_compute_class_hierarchy_transitive_closure): New extern function
decl.
(vtv_generate_init_routine): New extern function decl.
(vtv_save_class_info): New extern function decl.
(vtv_recover_class_info): New extern function decl.
(vtv_build_vtable_verify_fndecl): New extern function decl.
* class.c (finish_struct_1): Add call to vtv_save_class_info if
flag_vtable_verify is true.
* config-lang.in: Add vtable-class-hierarchy.c to gtfiles list.
* vtable-class-hierarchy.c: New file.
* mangle.c (get_mangled_vtable_map_var_name): New function.
* decl2.c (start_objects): Update function comment.
(cp_write_global_declarations): Call vtv_recover_class_info,
vtv_compute_class_hierarchy_transitive_closure and
vtv_build_vtable_verify_fndecl, before calling
finalize_compilation_unit, and call vtv_generate_init_rount after, IFF
flag_vtable_verify is true.
(vtv_start_verification_constructor_init_function): New function.
(vtv_finish_verification_constructor_init_function): New function.
* init.c (build_vtbl_address): Remove static qualifier from function.
libvtv/ChangeLog:
2013-08-06 Caroline Tice <cmtice@google.com>
Initial check-in of new vtable verification feature.
* configure.ac : New file.
* acinclude.m4 : New file.
* Makefile.am : New file.
* aclocal.m4 : New file.
* configure.tgt : New file.
* configure: New file (generated).
* Makefile.in: New file (generated).
* vtv_set.h : New file.
* vtv_utils.cc : New file.
* vtv_utils.h : New file.
* vtv_malloc.cc : New file.
* vtv_rts.cc : New file.
* vtv_malloc.h : New file.
* vtv_rts.h : New file.
* vtv_fail.cc : New file.
* vtv_fail.h : New file.
* vtv_map.h : New file.
* scripts/run-testsuite.sh : New file.
* scripts/sum-vtv-counts.c : New file.
* testsuite/parts-test-main.h : New file.
* testusite/dataentry.cc : New file.
* testsuite/temp_deriv.cc : New file.
* testsuite/register_pair.cc : New file.
* testsuite/virtual_inheritance.cc : New file.
* testsuite/field-test.cc : New file.
* testsuite/nested_vcall_test.cc : New file.
* testsuite/template-list-iostream.cc : New file.
* testsuite/register_pair_inserts.cc : New file.
* testsuite/register_pair_inserts_mt.cc : New file.
* testsuite/event.list : New file.
* testsuite/parts-test-extra-parts-views.cc : New file.
* testsuite/parts-test-extra-parts-views.h : New file.
* testsuite/environment-fail-32.s : New file.
* testsuite/parts-test-extra-parts.h : New file.
* testsuite/temp_deriv2.cc : New file.
* testsuite/dlopen_mt.cc : New file.
* testsuite/event.h : New file.
* testsuite/template-list.cc : New file.
* testsuite/replace-fail.cc : New file.
* testsuite/Makefile.am : New file.
* testsuite/Makefile.in: New file (generated).
* testsuite/mempool_negative.c : New file.
* testsuite/parts-test-main.cc : New file.
* testsuite/event-private.cc : New file.
* testsuite/thunk.cc : New file.
* testsuite/event-defintiions.cc : New file.
* testsuite/event-private.h : New file.
* testsuite/parts-test.list : New file.
* testusite/register_pair_mt.cc : New file.
* testsuite/povray-derived.cc : New file.
* testsuite/event-main.cc : New file.
* testsuite/environment.cc : New file.
* testsuite/template-list2.cc : New file.
* testsuite/thunk_vtable_map_attack.cc : New file.
* testsuite/parts-test-extra-parts.cc : New file.
* testsuite/environment-fail-64.s : New file.
* testsuite/dlopen.cc : New file.
* testsuite/so.cc : New file.
* testsuite/temp_deriv3.cc : New file.
* testsuite/const_vtable.cc : New file.
* testsuite/mempool_positive.c : New file.
* testsuite/dup_name.cc : New file.
From-SVN: r201555
Diffstat (limited to 'libvtv/vtv_rts.cc')
-rw-r--r-- | libvtv/vtv_rts.cc | 1523 |
1 files changed, 1523 insertions, 0 deletions
diff --git a/libvtv/vtv_rts.cc b/libvtv/vtv_rts.cc new file mode 100644 index 00000000000..1ddbbec7a07 --- /dev/null +++ b/libvtv/vtv_rts.cc @@ -0,0 +1,1523 @@ +/* Copyright (C) 2012-2013 + Free Software Foundation + + This file is part of GCC. + + GCC is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3, or (at your option) + any later version. + + GCC is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + Under Section 7 of GPL version 3, you are granted additional + permissions described in the GCC Runtime Library Exception, version + 3.1, as published by the Free Software Foundation. + + You should have received a copy of the GNU General Public License and + a copy of the GCC Runtime Library Exception along with this program; + see the files COPYING3 and COPYING.RUNTIME respectively. If not, see + <http://www.gnu.org/licenses/>. */ + +/* This file is part of the vtable security feature implementation. + The vtable security feature is designed to detect when a virtual + call is about to be made through an invalid vtable pointer + (possibly due to data corruption or malicious attacks). The + compiler finds every virtual call, and inserts a verification call + before the virtual call. The verification call takes the actual + vtable pointer value in the object through which the virtual call + is being made, and compares the vtable pointer against a set of all + valid vtable pointers that the object could contain (this set is + based on the declared type of the object). If the pointer is in + the valid set, execution is allowed to continue; otherwise the + program is halted. + + There are several pieces needed in order to make this work: 1. For + every virtual class in the program (i.e. a class that contains + virtual methods), we need to build the set of all possible valid + vtables that an object of that class could point to. This includes + vtables for any class(es) that inherit from the class under + consideration. 2. For every such data set we build up, we need a + way to find and reference the data set. This is complicated by the + fact that the real vtable addresses are not known until runtime, + when the program is loaded into memory, but we need to reference the + sets at compile time when we are inserting verification calls into + the program. 3. We need to find every virtual call in the program, + and insert the verification call (with the appropriate arguments) + before the virtual call. 4. We need some runtime library pieces: + the code to build up the data sets at runtime; the code to actually + perform the verification using the data sets; and some code to set + protections on the data sets, so they themselves do not become + hacker targets. + + To find and reference the set of valid vtable pointers for any given + virtual class, we create a special global varible for each virtual + class. We refer to this as the "vtable map variable" for that + class. The vtable map variable has the type "void *", and is + initialized by the compiler to NULL. At runtime when the set of + valid vtable pointers for a virtual class, e.g. class Foo, is built, + the vtable map variable for class Foo is made to point to the set. + During compile time, when the compiler is inserting verification + calls into the program, it passes the vtable map variable for the + appropriate class to the verification call, so that at runtime the + verification call can find the appropriate data set. + + The actual set of valid vtable pointers for a polymorphic class, + e.g. class Foo, cannot be built until runtime, when the vtables get + loaded into memory and their addresses are known. But the knowledge + about which vtables belong in which class' hierarchy is only known + at compile time. Therefore at compile time we collect class + hierarchy and vtable information about every virtual class, and we + generate calls to build up the data sets at runtime. To build the + data sets, we call one of the functions we add to the runtime + library, __VLTRegisterPair. __VLTRegisterPair takes two arguments, + a vtable map variable and the address of a vtable. If the vtable + map variable is currently NULL, it creates a new data set (hash + table), makes the vtable map variable point to the new data set, and + inserts the vtable address into the data set. If the vtable map + variable is not NULL, it just inserts the vtable address into the + data set. In order to make sure that our data sets are built before + any verification calls happen, we create a special constructor + initialization function for each compilation unit, give it a very + high initialization priority, and insert all of our calls to + __VLTRegisterPair into our special constructor initialization + function. */ + +/* This file contains the main externally visible runtime library + functions for vtable verification: __VLTChangePermission, + __VLTRegisterPair, and __VLTVerifyVtablePointer. It also contains + debug versions __VLTRegisterPairDebug and + __VLTVerifyVtablePointerDebug, which have extra parameters in order + to make it easier to debug verification failures. + + The final piece of functionality implemented in this file is symbol + resolution for multiple instances of the same vtable map variable. + If the same virtual class is used in two different compilation + units, then each compilation unit will create a vtable map variable + for the class. We need all instances of the same vtable map + variable to point to the same (single) set of valid vtable + pointers for the class, so we wrote our own hashtable-based symbol + resolution for vtable map variables (with a tiny optimization in + the case where there is only one instance of the variable). + + There are two other important pieces to the runtime for vtable + verification besides the main pieces that go into libstdc++.so: two + special tiny shared libraries, libvtv_init.so and libvtv_stubs.so. + libvtv_init.so is built from vtv_init.cc. It is designed to help + minimize the calls made to mprotect (see the comments in + vtv_init.cc for more details). Anything compiled with + "-fvtable-verify=std" must be linked with libvtv_init.so (the gcc + driver has been modified to do this). vtv_stubs.so is built from + vtv_stubs.cc. It replaces the main runtime functions + (__VLTChangePermissino, __VLTRegisterPair and + __VLTVerifyVtablePointer) with stub functions that do nothing. If + a programmer has a library that was built with verification, but + wishes to not have verification turned on, the programmer can link + in the vtv_stubs.so library. */ + +#include <stdlib.h> +#include <stdio.h> +#include <string.h> +#include <execinfo.h> + +#include <unistd.h> +#include <sys/mman.h> +#include <errno.h> +#include <link.h> +#include <fcntl.h> +#include <limits.h> + +/* For gthreads suppport */ +#include <bits/c++config.h> +#include <ext/concurrence.h> + +#include "vtv_utils.h" +#include "vtv_malloc.h" +#include "vtv_set.h" +#include "vtv_map.h" +#include "vtv_rts.h" +#include "vtv_fail.h" + +#include "vtv-change-permission.h" + +extern "C" { + + /* __fortify_fail is a function in glibc that calls __libc_message, + causing it to print out a program termination error message + (including the name of the binary being terminated), a stack + trace where the error occurred, and a memory map dump. Ideally + we would have called __libc_message directly, but that function + does not appear to be accessible to functions outside glibc, + whereas __fortify_fail is. We call __fortify_fail from + __vtv_really_fail. We looked at calling __libc_fatal, which is + externally accessible, but it does not do the back trace and + memory dump. */ + + extern void __fortify_fail (const char *) __attribute__((noreturn)); + +} /* extern "C" */ + +/* The following variables are used only for debugging and performance + tuning purposes. Therefore they do not need to be "protected". + They cannot be used to attack the vtable verification system and if + they become corrupted it will not affect the correctness or + security of any of the rest of the vtable verification feature. */ + +unsigned int num_calls_to_regset = 0; +unsigned int num_calls_to_regpair = 0; +unsigned int num_calls_to_verify_vtable = 0; +unsigned long long regset_cycles = 0; +unsigned long long regpair_cycles = 0; +unsigned long long verify_vtable_cycles = 0; + +/* Be careful about initialization of statics in this file. Some of + the routines below are called before any runtime initialization for + statics in this file will be done. For example, dont try to + initialize any of these statics with a runtime call (for ex: + sysconf). The initialization will happen after calls to the routines + to protect/unprotec the vtabla_map variables */ + +/* No need to mark the following variables with VTV_PROTECTED_VAR. + These are either const or are only used for debugging/tracing. + debugging/tracing will not be ON on production environments */ + +static const bool debug_hash = HASHTABLE_STATS; +static const int debug_functions = 0; +static const int debug_init = 0; +static const int debug_verify_vtable = 0; + +#ifdef VTV_DEBUG +static const int debug_functions = 1; +static const int debug_init = 1; +static const int debug_verify_vtable = 1; +#endif + +/* Global file descriptor variables for logging, tracing and debugging. */ + +static int init_log_fd = -1; +static int verify_vtable_log_fd = -1; + +/* This holds a formatted error logging message, to be written to the + vtable verify failures log. */ +static char debug_log_message[1024]; + + +#ifdef __GTHREAD_MUTEX_INIT +static __gthread_mutex_t change_permissions_lock = __GTHREAD_MUTEX_INIT; +#else +static __gthread_mutex_t change_permissions_lock; +#endif + + +#ifndef VTV_STATS +#define VTV_STATS 0 +#endif + +#if VTV_STATS + +static inline unsigned long long +get_cycle_count (void) +{ + return rdtsc(); +} + +static inline void +accumulate_cycle_count (unsigned long long *sum, unsigned long long start) +{ + unsigned long long end = rdtsc(); + *sum = *sum + (end - start); +} + +static inline void +increment_num_calls (unsigned int *num_calls) +{ + *num_calls = *num_calls + 1; +} + +#else + +static inline unsigned long long +get_cycle_count (void) +{ + return (unsigned long long) 0; +} + +static inline void +accumulate_cycle_count (unsigned long long *sum __attribute__((__unused__)), + unsigned long long start __attribute__((__unused__))) +{ + /* Do nothing. */ +} + +static inline void +increment_num_calls (unsigned int *num_calls __attribute__((__unused__))) +{ + /* Do nothing. */ +} + +#endif + +/* Types needed by insert_only_hash_sets. */ +typedef uintptr_t int_vptr; + +/* The set of valid vtable pointers for each virtual class is stored + in a hash table. This is the hashing function used for the hash + table. For more information on the implementation of the hash + table, see the class insert_only_hash_sets in vtv_set.h. */ + +struct vptr_hash + { + /* Hash function, used to convert vtable pointer, V, (a memory + address) into an index into the hash table. */ + size_t + operator() (int_vptr v) const + { + const uint32_t x = 0x7a35e4d9; + const int shift = (sizeof (v) == 8) ? 23 : 21; + v = x * v; + return v ^ (v >> shift); + } + }; + +/* This is the memory allocator used to create the hash table data + sets of valid vtable pointers. We use VTV_malloc in order to keep + track of which pages have been allocated, so we can update the + protections on those pages appropriately. See the class + insert_only_hash_sets in vtv_set.h for more information. */ + +struct vptr_set_alloc + { + /* Memory allocator operator. N is the number of bytes to be + allocated. */ + void * + operator() (size_t n) const + { + return __vtv_malloc (n); + } + }; + +/* Instantiate the template classes (in vtv_set.h) for our particular + hash table needs. */ +typedef insert_only_hash_sets<int_vptr, vptr_hash, vptr_set_alloc> vtv_sets; +typedef vtv_sets::insert_only_hash_set vtv_set; +typedef vtv_set * vtv_set_handle; +typedef vtv_set_handle * vtv_set_handle_handle; + +/* Records for caching the section header information that we have + read out of the file(s) on disk (in dl_iterate_phdr_callback), to + avoid having to re-open and re-read the same file multiple + times. */ + +struct sect_hdr_data +{ + ElfW (Addr) dlpi_addr; /* The header address in the INFO record, + passed in from dl_iterate_phdr. */ + ElfW (Addr) mp_low; /* Start address of the .vtable_map_vars + section in memory. */ + size_t mp_size; /* Size of the .vtable_map_vars section in + memory. */ +}; + +/* Array for caching the section header information, read from file, + to avoid re-opening and re-reading the same file over-and-over + again. */ + +#define MAX_ENTRIES 250 +static struct sect_hdr_data vtv_sect_info_cache[MAX_ENTRIES] VTV_PROTECTED_VAR; + +unsigned int num_cache_entries VTV_PROTECTED_VAR = 0; + +/* This function takes the LOAD_ADDR for an object opened by the + dynamic loader, and checks the array of cached file data to see if + there is an entry with the same addres. If it finds such an entry, + it returns the record for that entry; otherwise it returns + NULL. */ + +struct sect_hdr_data * +search_cached_file_data (ElfW (Addr) load_addr) +{ + unsigned int i; + for (i = 0; i < num_cache_entries; ++i) + { + if (vtv_sect_info_cache[i].dlpi_addr == load_addr) + return &(vtv_sect_info_cache[i]); + } + + return NULL; +} + +/* This function tries to read COUNT bytes out of the file referred to + by FD into the buffer BUF. It returns the actual number of bytes + it succeeded in reading. */ + +static size_t +ReadPersistent (int fd, void *buf, size_t count) +{ + char *buf0 = (char *) buf; + size_t num_bytes = 0; + while (num_bytes < count) + { + int len; + len = read (fd, buf0 + num_bytes, count - num_bytes); + if (len < 0) + return -1; + if (len == 0) + break; + num_bytes += len; + } + + return num_bytes; +} + +/* This function tries to read COUNT bytes, starting at OFFSET from + the file referred to by FD, and put them into BUF. It calls + ReadPersistent to help it do so. It returns the actual number of + bytes read, or -1 if it fails altogether. */ + +static size_t +ReadFromOffset (int fd, void *buf, const size_t count, const off_t offset) +{ + off_t off = lseek (fd, offset, SEEK_SET); + if (off != (off_t) -1) + return ReadPersistent (fd, buf, count); + return -1; +} + +/* The function takes a MESSAGE and attempts to write it to the vtable + memory protection log (for debugging purposes). If the file is not + open, it attempts to open the file first. */ + +static void +log_memory_protection_data (char *message) +{ + static int log_fd = -1; + + if (log_fd == -1) + log_fd = __vtv_open_log ("vtv_memory_protection_data_%d.log"); + + __vtv_add_to_log (log_fd, "%s", message); +} + +static void +read_section_offset_and_length (struct dl_phdr_info *info, + const char *sect_name, + int mprotect_flags, + off_t *sect_offset, + ElfW (Word) *sect_len) +{ + char program_name[PATH_MAX]; + char *cptr; + bool found = false; + struct sect_hdr_data *cached_data = NULL; + const ElfW (Phdr) *phdr_info = info->dlpi_phdr; + const ElfW (Ehdr) *ehdr_info = + (const ElfW (Ehdr) *) (info->dlpi_addr + info->dlpi_phdr[0].p_vaddr + - info->dlpi_phdr[0].p_offset); + + + /* Get the name of the main executable. This may or may not include + arguments passed to the program. Find the first space, assume it + is the start of the argument list, and change it to a '\0'. */ + snprintf (program_name, sizeof (program_name), program_invocation_name); + + /* Check to see if we already have the data for this file. */ + cached_data = search_cached_file_data (info->dlpi_addr); + + if (cached_data) + { + *sect_offset = cached_data->mp_low; + *sect_len = cached_data->mp_size; + return; + } + + /* Find the first non-escaped space in the program name and make it + the end of the string. */ + cptr = strchr (program_name, ' '); + if (cptr != NULL && cptr[-1] != '\\') + cptr[0] = '\0'; + + if ((phdr_info->p_type == PT_PHDR || phdr_info->p_type == PT_LOAD) + && (ehdr_info->e_shoff && ehdr_info->e_shnum)) + { + int name_len = strlen (sect_name); + int fd = -1; + + /* Attempt to open the binary file on disk. */ + if (strlen (info->dlpi_name) == 0) + { + /* If the constructor initialization function was put into + the preinit array, then this function will get called + while handling preinit array stuff, in which case + program_invocation_name has not been initialized. In + that case we can get the filename of the executable from + "/proc/self/exe". */ + if (strlen (program_name) > 0) + { + if (phdr_info->p_type == PT_PHDR) + fd = open (program_name, O_RDONLY); + } + else + fd = open ("/proc/self/exe", O_RDONLY); + } + else + fd = open (info->dlpi_name, O_RDONLY); + + if (fd != -1) + { + /* Find the section header information in the file. */ + ElfW (Half) strtab_idx = ehdr_info->e_shstrndx; + ElfW (Shdr) shstrtab; + off_t shstrtab_offset = ehdr_info->e_shoff + + (ehdr_info->e_shentsize * strtab_idx); + size_t bytes_read = ReadFromOffset (fd, &shstrtab, sizeof (shstrtab), + shstrtab_offset); + VTV_ASSERT (bytes_read == sizeof (shstrtab)); + + ElfW (Shdr) sect_hdr; + + /* This code will be needed once we have crated libvtv.so. */ + bool is_libvtv = false; + + /* + if (strstr (info->dlpi_name, "libvtv.so")) + is_libvtv = true; + */ + + /* Loop through all the section headers, looking for one whose + name is ".vtable_map_vars". */ + + for (int i = 0; i < ehdr_info->e_shnum && !found; ++i) + { + off_t offset = ehdr_info->e_shoff + (ehdr_info->e_shentsize * i); + + bytes_read = ReadFromOffset (fd, §_hdr, sizeof (sect_hdr), + offset); + + VTV_ASSERT (bytes_read == sizeof (sect_hdr)); + + char header_name[64]; + off_t name_offset = shstrtab.sh_offset + sect_hdr.sh_name; + + bytes_read = ReadFromOffset (fd, &header_name, 64, name_offset); + + VTV_ASSERT (bytes_read > 0); + + if (memcmp (header_name, sect_name, name_len) == 0) + { + /* We found the section; get its load offset and + size. */ + *sect_offset = sect_hdr.sh_addr; + if (!is_libvtv) + *sect_len = sect_hdr.sh_size - VTV_PAGE_SIZE; + else + *sect_len = sect_hdr.sh_size; + found = true; + } + } + close (fd); + } + } + + if (*sect_offset != 0 && *sect_len != 0) + { + /* Calculate the page location in memory, making sure the + address is page-aligned. */ + ElfW (Addr) start_addr = (const ElfW (Addr)) info->dlpi_addr + + *sect_offset; + *sect_offset = start_addr & ~(VTV_PAGE_SIZE - 1); + *sect_len = *sect_len - 1; + + /* Since we got this far, we must not have found these pages in + the cache, so add them to it. NOTE: We could get here either + while making everything read-only or while making everything + read-write. We will only update the cache if we get here on + a read-write (to make absolutely sure the cache is writable + -- also the read-write pass should come before the read-only + pass). */ + if ((mprotect_flags & PROT_WRITE) + && num_cache_entries < MAX_ENTRIES) + { + vtv_sect_info_cache[num_cache_entries].dlpi_addr = info->dlpi_addr; + vtv_sect_info_cache[num_cache_entries].mp_low = *sect_offset; + vtv_sect_info_cache[num_cache_entries].mp_size = *sect_len; + num_cache_entries++; + } + } +} + +/* This is the callback function used by dl_iterate_phdr (which is + called from vtv_unprotect_vtable_vars and vtv_protect_vtable_vars). + It attempts to find the binary file on disk for the INFO record + that dl_iterate_phdr passes in; open the binary file, and read its + section header information. If the file contains a + ".vtable_map_vars" section, read the section offset and size. Use + the section offset and size, in conjunction with the data in INFO + to locate the pages in memory where the section is. Call + 'mprotect' on those pages, setting the protection either to + read-only or read-write, depending on what's in DATA. */ + +static int +dl_iterate_phdr_callback (struct dl_phdr_info *info, size_t, void *data) +{ + int * mprotect_flags = (int *) data; + off_t map_sect_offset = 0; + ElfW (Word) map_sect_len = 0; + char buffer[1024]; + char program_name[1024]; + const char *map_sect_name = VTV_PROTECTED_VARS_SECTION; + + /* Check to see if this is the record for the Linux Virtual Dynamic + Shared Object (linux-vdso.so.1), which exists only in memory (and + therefore cannot be read from disk). */ + + if (strcmp (info->dlpi_name, "linux-vdso.so.1") == 0) + return 0; + + if (strlen (info->dlpi_name) == 0 + && info->dlpi_addr != 0) + return 0; + + /* Get the name of the main executable. This may or may not include + arguments passed to the program. Find the first space, assume it + is the start of the argument list, and change it to a '\0'. */ + snprintf (program_name, sizeof (program_name), program_invocation_name); + + read_section_offset_and_length (info, map_sect_name, *mprotect_flags, + &map_sect_offset, &map_sect_len); + + if (debug_functions) + { + snprintf (buffer, sizeof(buffer), + " Looking at load module %s to change permissions to %s\n", + ((strlen (info->dlpi_name) == 0) ? program_name + : info->dlpi_name), + (*mprotect_flags & PROT_WRITE) ? "READ/WRITE" : "READ-ONLY"); + log_memory_protection_data (buffer); + } + + /* See if we actually found the section. */ + if (map_sect_offset && map_sect_len) + { + unsigned long long start; + int result; + + if (debug_functions) + { + snprintf (buffer, sizeof (buffer), + " (%s): Protecting %p to %p\n", + ((strlen (info->dlpi_name) == 0) ? program_name + : info->dlpi_name), + (void *) map_sect_offset, + (void *) (map_sect_offset + map_sect_len)); + log_memory_protection_data (buffer); + } + + /* Change the protections on the pages for the section. */ + + start = get_cycle_count (); + result = mprotect ((void *) map_sect_offset, map_sect_len, + *mprotect_flags); + accumulate_cycle_count (&mprotect_cycles, start); + if (result == -1) + { + if (debug_functions) + { + snprintf (buffer, sizeof (buffer), + "Failed called to mprotect for %s error: ", + (*mprotect_flags & PROT_WRITE) ? + "READ/WRITE" : "READ-ONLY"); + log_memory_protection_data (buffer); + perror(NULL); + } + VTV_error(); + } + else + { + if (debug_functions) + { + snprintf (buffer, sizeof (buffer), + "mprotect'ed range [%p, %p]\n", + (void *) map_sect_offset, + (char *) map_sect_offset + map_sect_len); + log_memory_protection_data (buffer); + } + } + increment_num_calls (&num_calls_to_mprotect); + /* num_pages_protected += (map_sect_len + VTV_PAGE_SIZE - 1) / VTV_PAGE_SIZE; */ + num_pages_protected += (map_sect_len + 4096 - 1) / 4096; + } + + return 0; +} + +/* This function explicitly changes the protection (read-only or read-write) + on the vtv_sect_info_cache, which is used for speeding up look ups in the + function dl_iterate_phdr_callback. This data structure needs to be + explicitly made read-write before any calls to dl_iterate_phdr_callback, + because otherwise it may still be read-only when dl_iterate_phdr_callback + attempts to write to it. + + More detailed explanation: dl_iterate_phdr_callback finds all the + .vtable_map_vars sections in all loaded objects (including the main program) + and (depending on where it was called from) either makes all the pages in the + sections read-write or read-only. The vtv_sect_info_cache should be in the + .vtable_map_vars section for libstdc++.so, which means that normally it would + be read-only until libstdc++.so is processed by dl_iterate_phdr_callback + (on the read-write pass), after which it will be writable. But if any loaded + object gets processed before libstdc++.so, it will attempt to update the + data cache, which will still be read-only, and cause a seg fault. Hence + we need a special function, called before dl_iterate_phdr_callback, that + will make the data cache writable. */ + +static void +change_protections_on_phdr_cache (int protection_flag) +{ + char * low_address = (char *) &(vtv_sect_info_cache); + size_t cache_size = MAX_ENTRIES * sizeof (struct sect_hdr_data); + + low_address = (char *) ((unsigned long) low_address & ~(VTV_PAGE_SIZE - 1)); + + if (mprotect ((void *) low_address, cache_size, protection_flag) == -1) + VTV_error (); +} + +/* Unprotect all the vtable map vars and other side data that is used + to keep the core hash_map data. All of these data have been put + into relro sections */ + +static void +vtv_unprotect_vtable_vars (void) +{ + int mprotect_flags; + + mprotect_flags = PROT_READ | PROT_WRITE; + change_protections_on_phdr_cache (mprotect_flags); + dl_iterate_phdr (dl_iterate_phdr_callback, (void *) &mprotect_flags); +} + +/* Protect all the vtable map vars and other side data that is used + to keep the core hash_map data. All of these data have been put + into relro sections */ + +static void +vtv_protect_vtable_vars (void) +{ + int mprotect_flags; + + mprotect_flags = PROT_READ; + dl_iterate_phdr (dl_iterate_phdr_callback, (void *) &mprotect_flags); + change_protections_on_phdr_cache (mprotect_flags); +} + +#ifndef __GTHREAD_MUTEX_INIT +static void +initialize_change_permissions_mutexes () +{ + __GTHREAD_MUTEX_INIT_FUNCTION (&change_permissions_lock); +} +#endif + +/* Variables needed for getting the statistics about the hashtable set. */ +#if HASHTABLE_STATS +_AtomicStatCounter stat_contains = 0; +_AtomicStatCounter stat_insert = 0; +_AtomicStatCounter stat_resize = 0; +_AtomicStatCounter stat_create = 0; +_AtomicStatCounter stat_probes_in_non_trivial_set = 0; +_AtomicStatCounter stat_contains_size0 = 0; +_AtomicStatCounter stat_contains_size1 = 0; +_AtomicStatCounter stat_contains_size2 = 0; +_AtomicStatCounter stat_contains_size3 = 0; +_AtomicStatCounter stat_contains_size4 = 0; +_AtomicStatCounter stat_contains_size5 = 0; +_AtomicStatCounter stat_contains_size6 = 0; +_AtomicStatCounter stat_contains_size7 = 0; +_AtomicStatCounter stat_contains_size8 = 0; +_AtomicStatCounter stat_contains_size9 = 0; +_AtomicStatCounter stat_contains_size10 = 0; +_AtomicStatCounter stat_contains_size11 = 0; +_AtomicStatCounter stat_contains_size12 = 0; +_AtomicStatCounter stat_contains_size13_or_more = 0; +_AtomicStatCounter stat_contains_sizes = 0; +_AtomicStatCounter stat_grow_from_size0_to_1 = 0; +_AtomicStatCounter stat_grow_from_size1_to_2 = 0; +_AtomicStatCounter stat_double_the_number_of_buckets = 0; +_AtomicStatCounter stat_insert_found_hash_collision = 0; +_AtomicStatCounter stat_contains_in_non_trivial_set = 0; +_AtomicStatCounter stat_insert_key_that_was_already_present = 0; +#endif +/* Record statistics about the hash table sets, for debugging. */ + +static void +log_set_stats (void) +{ +#if HASHTABLE_STATS + if (set_log_fd == -1) + set_log_fd = __vtv_open_log ("vtv_set_stats.log"); + + __vtv_add_to_log (set_log_fd, "---\n%s\n", + insert_only_hash_tables_stats().c_str()); +#endif +} + +/* Change the permissions on all the pages we have allocated for the + data sets and all the ".vtable_map_var" sections in memory (which + contain our vtable map variables). PERM indicates whether to make + the permissions read-only or read-write. */ + +extern "C" /* This is only being applied to __VLTChangePermission*/ +void +__VLTChangePermission (int perm) +{ + if (debug_functions) + { + if (perm == __VLTP_READ_WRITE) + fprintf (stdout, "Changing VLT permisisons to Read-Write.\n"); + else if (perm == __VLTP_READ_ONLY) + fprintf (stdout, "Changing VLT permissions to Read-only.\n"); + + else + fprintf (stdout, "Unrecognized permissions value: %d\n", perm); + } + +#ifndef __GTHREAD_MUTEX_INIT + static __gthread_once_t mutex_once VTV_PROTECTED_VAR = __GTHREAD_ONCE_INIT; + + __gthread_once (&mutex_once, initialize_change_permissions_mutexes); +#endif + + /* Ordering of these unprotect/protect calls is very important. + You first need to unprotect all the map vars and side + structures before you do anything with the core data + structures (hash_maps) */ + + if (perm == __VLTP_READ_WRITE) + { + /* TODO: Need to revisit this code for dlopen. It most probably + is not unlocking the protected vtable vars after for load + module that is not the first load module. */ + __gthread_mutex_lock (&change_permissions_lock); + + vtv_unprotect_vtable_vars (); + __vtv_malloc_init (); + __vtv_malloc_unprotect (); + + } + else if (perm == __VLTP_READ_ONLY) + { + if (debug_hash) + log_set_stats(); + + __vtv_malloc_protect (); + vtv_protect_vtable_vars (); + + __gthread_mutex_unlock (&change_permissions_lock); + } +} + +/* This is the memory allocator used to create the hash table that + maps from vtable map variable name to the data set that vtable map + variable should point to. This is part of our vtable map variable + symbol resolution, which is necessary because the same vtable map + variable may be created by multiple compilation units and we need a + method to make sure that all vtable map variables for a particular + class point to the same data set at runtime. */ + +struct insert_only_hash_map_allocator + { + /* N is the number of bytes to allocate. */ + void * + alloc (size_t n) const + { + return __vtv_malloc (n); + } + + /* P points to the memory to be deallocated; N is the number of + bytes to deallocate. */ + void + dealloc (void *p, size_t) const + { + __vtv_free (p); + } + }; + +/* Explicitly instantiate this class since this file is compiled with + -fno-implicit-templates. These are for the hash table that is used + to do vtable map variable symbol resolution. */ +template class insert_only_hash_map <vtv_set_handle *, + insert_only_hash_map_allocator >; +typedef insert_only_hash_map <vtv_set_handle *, + insert_only_hash_map_allocator > s2s; +typedef const s2s::key_type vtv_symbol_key; + +static s2s * vtv_symbol_unification_map VTV_PROTECTED_VAR = NULL; + +const unsigned long SET_HANDLE_HANDLE_BIT = 0x2; + +/* In the case where a vtable map variable is the only instance of the + variable we have seen, it points directly to the set of valid + vtable pointers. All subsequent instances of the 'same' vtable map + variable point to the first vtable map variable. This function, + given a vtable map variable PTR, checks a bit to see whether it's + pointing directly to the data set or to the first vtable map + variable. */ + +static inline bool +is_set_handle_handle (void * ptr) +{ + return ((unsigned long) ptr & SET_HANDLE_HANDLE_BIT) + == SET_HANDLE_HANDLE_BIT; +} + +/* Returns the actual pointer value of a vtable map variable, PTR (see + comments for is_set_handle_handle for more details). */ + +static inline vtv_set_handle * +ptr_from_set_handle_handle (void * ptr) +{ + return (vtv_set_handle *) ((unsigned long) ptr & ~SET_HANDLE_HANDLE_BIT); +} + +/* Given a vtable map variable, PTR, this function sets the bit that + says this is the second (or later) instance of a vtable map + variable. */ + +static inline vtv_set_handle_handle +set_handle_handle (vtv_set_handle * ptr) +{ + return (vtv_set_handle_handle) ((unsigned long) ptr | SET_HANDLE_HANDLE_BIT); +} + +static inline void +register_set_common (void **set_handle_ptr, size_t num_args, + void **vtable_ptr_array, bool debug) +{ + /* Now figure out what pointer to use for the set pointer, for the + inserts. */ + vtv_set_handle *handle_ptr = (vtv_set_handle *) set_handle_ptr; + + if (debug) + VTV_DEBUG_ASSERT (vtv_symbol_unification_map != NULL); + + if (!is_set_handle_handle (*set_handle_ptr)) + handle_ptr = (vtv_set_handle *) set_handle_ptr; + else + handle_ptr = ptr_from_set_handle_handle (*set_handle_ptr); + + /* Now we've got the set and it's initialized, add the vtable + pointers. */ + for (size_t index = 0; index < num_args; ++index) + { + int_vptr vtbl_ptr = (int_vptr) vtable_ptr_array[index]; + vtv_sets::insert (vtbl_ptr, handle_ptr); + } +} + +static inline void +register_pair_common (void **set_handle_ptr, const void *vtable_ptr, + const char *set_symbol_name, const char *vtable_name, + bool debug) +{ + /* Now we've got the set and it's initialized, add the vtable + pointer (assuming that it's not NULL...It may be NULL, as we may + have called this function merely to initialize the set + pointer). */ + int_vptr vtbl_ptr = (int_vptr) vtable_ptr; + if (vtbl_ptr) + { + vtv_set_handle *handle_ptr = (vtv_set_handle *) set_handle_ptr; + if (debug) + VTV_DEBUG_ASSERT (vtv_symbol_unification_map != NULL); + if (!is_set_handle_handle (*set_handle_ptr)) + handle_ptr = (vtv_set_handle *) set_handle_ptr; + else + handle_ptr = ptr_from_set_handle_handle (*set_handle_ptr); + + vtv_sets::insert (vtbl_ptr, handle_ptr); + } + + if (debug && debug_init) + { + if (init_log_fd == -1) + init_log_fd = __vtv_open_log("vtv_init.log"); + + __vtv_add_to_log(init_log_fd, + "Registered %s : %s (%p) 2 level deref = %s\n", + set_symbol_name, vtable_name, vtbl_ptr, + is_set_handle_handle(*set_handle_ptr) ? "yes" : "no" ); + } +} + +/* This routine initializes a set handle to a vtable set. It makes + sure that there is only one set handle for a particular set by + using a map from set name to pointer to set handle. Since there + will be multiple copies of the pointer to the set handle (one per + compilation unit that uses it), it makes sure to initialize all the + pointers to the set handle so that the set handle is unique. To + make this a little more efficient and avoid a level of indirection + in some cases, the first pointer to handle for a particular handle + becomes the handle itself and the other pointers will point to the + set handle. This is the debug version of this function, so it + outputs extra debugging messages and logging. SET_HANDLE_PTR is + the address of the vtable map variable, SET_SYMBOL_KEY is the hash + table key (containing the name of the map variable and the hash + value) and SIZE_HINT is a guess for the best initial size for the + set of vtable pointers that SET_HANDLE_POINTER will point to. */ + +static inline void +init_set_symbol_debug (void **set_handle_ptr, const void *set_symbol_key, + size_t size_hint) +{ + VTV_DEBUG_ASSERT (set_handle_ptr); + + if (vtv_symbol_unification_map == NULL) + { + /* TODO: For now we have chosen 1024, but we need to come up with a + better initial size for this. */ + vtv_symbol_unification_map = s2s::create (1024); + VTV_DEBUG_ASSERT(vtv_symbol_unification_map); + } + + vtv_set_handle *handle_ptr = (vtv_set_handle *) set_handle_ptr; + vtv_symbol_key *symbol_key_ptr = (vtv_symbol_key *) set_symbol_key; + + const s2s::value_type * map_value_ptr = + vtv_symbol_unification_map->get (symbol_key_ptr); + char buffer[200]; + if (map_value_ptr == NULL) + { + if (*handle_ptr != NULL) + { + snprintf (buffer, sizeof (buffer), + "*** Found non-NULL local set ptr %p missing for symbol" + " %.*s", + *handle_ptr, symbol_key_ptr->n, symbol_key_ptr->bytes); + __vtv_log_verification_failure (buffer, true); + VTV_DEBUG_ASSERT (0); + } + } + else if (*handle_ptr != NULL && + (handle_ptr != *map_value_ptr && + ptr_from_set_handle_handle (*handle_ptr) != *map_value_ptr)) + { + VTV_DEBUG_ASSERT (*map_value_ptr != NULL); + snprintf (buffer, sizeof(buffer), + "*** Found diffence between local set ptr %p and set ptr %p" + "for symbol %.*s", + *handle_ptr, *map_value_ptr, + symbol_key_ptr->n, symbol_key_ptr->bytes); + __vtv_log_verification_failure (buffer, true); + VTV_DEBUG_ASSERT (0); + } + else if (*handle_ptr == NULL) + { + /* Execution should not reach this point. */ + } + + if (*handle_ptr != NULL) + { + if (!is_set_handle_handle (*set_handle_ptr)) + handle_ptr = (vtv_set_handle *) set_handle_ptr; + else + handle_ptr = ptr_from_set_handle_handle (*set_handle_ptr); + vtv_sets::resize (size_hint, handle_ptr); + return; + } + + VTV_DEBUG_ASSERT (*handle_ptr == NULL); + if (map_value_ptr != NULL) + { + if (*map_value_ptr == handle_ptr) + vtv_sets::resize (size_hint, *map_value_ptr); + else + { + /* The one level handle to the set already exists. So, we + are adding one level of indirection here and we will + store a pointer to the one level handle here. */ + + vtv_set_handle_handle * handle_handle_ptr = + (vtv_set_handle_handle *)handle_ptr; + *handle_handle_ptr = set_handle_handle(*map_value_ptr); + VTV_DEBUG_ASSERT(*handle_handle_ptr != NULL); + + /* The handle can itself be NULL if the set has only + been initiazlied with size hint == 1. */ + vtv_sets::resize (size_hint, *map_value_ptr); + } + } + else + { + /* We will create a new set. So, in this case handle_ptr is the + one level pointer to the set handle. Create copy of map name + in case the memory where this comes from gets unmapped by + dlclose. */ + size_t map_key_len = symbol_key_ptr->n + sizeof (vtv_symbol_key); + void *map_key = __vtv_malloc (map_key_len); + + memcpy (map_key, symbol_key_ptr, map_key_len); + + s2s::value_type *value_ptr; + vtv_symbol_unification_map = + vtv_symbol_unification_map->find_or_add_key ((vtv_symbol_key *)map_key, + &value_ptr); + *value_ptr = handle_ptr; + + /* TODO: We should verify the return value. */ + vtv_sets::create (size_hint, handle_ptr); + VTV_DEBUG_ASSERT (size_hint <= 1 || *handle_ptr != NULL); + } + + if (debug_init) + { + if (init_log_fd == -1) + init_log_fd = __vtv_open_log ("vtv_init.log"); + + __vtv_add_to_log (init_log_fd, + "Init handle:%p for symbol:%.*s hash:%u size_hint:%lu" + "number of symbols:%lu \n", + set_handle_ptr, symbol_key_ptr->n, + symbol_key_ptr->bytes, symbol_key_ptr->hash, size_hint, + vtv_symbol_unification_map->size ()); + } +} + + +/* This routine initializes a set handle to a vtable set. It makes + sure that there is only one set handle for a particular set by + using a map from set name to pointer to set handle. Since there + will be multiple copies of the pointer to the set handle (one per + compilation unit that uses it), it makes sure to initialize all the + pointers to the set handle so that the set handle is unique. To + make this a little more efficient and avoid a level of indirection + in some cases, the first pointer to handle for a particular handle + becomes the handle itself and the other pointers will point to the + set handle. This is the debug version of this function, so it + outputs extra debugging messages and logging. SET_HANDLE_PTR is + the address of the vtable map variable, SET_SYMBOL_KEY is the hash + table key (containing the name of the map variable and the hash + value) and SIZE_HINT is a guess for the best initial size for the + set of vtable pointers that SET_HANDLE_POINTER will point to. */ + +void +__VLTRegisterSetDebug (void **set_handle_ptr, const void *set_symbol_key, + size_t size_hint, size_t num_args, + void **vtable_ptr_array) +{ + unsigned long long start = get_cycle_count (); + increment_num_calls (&num_calls_to_regset); + + VTV_DEBUG_ASSERT(set_handle_ptr != NULL); + init_set_symbol_debug (set_handle_ptr, set_symbol_key, size_hint); + + register_set_common (set_handle_ptr, num_args, vtable_ptr_array, true); + + accumulate_cycle_count (®set_cycles, start); +} + +/* This function takes a the address of a vtable map variable + (SET_HANDLE_PTR), a VTABLE_PTR to add to the data set, the name of + the vtable map variable (SET_SYMBOL_NAME) and the name of the + vtable (VTABLE_NAME) being pointed to. If the vtable map variable + is NULL it creates a new data set and initializes the variable, + otherwise it uses our symbol unification to find the right data + set; in either case it then adds the vtable pointer to the set. + The other two parameters are used for debugging information. */ + +void +__VLTRegisterPairDebug (void **set_handle_ptr, const void *set_symbol_key, + size_t size_hint, const void *vtable_ptr, + const char *set_symbol_name, const char *vtable_name) +{ + unsigned long long start = get_cycle_count (); + increment_num_calls (&num_calls_to_regpair); + + VTV_DEBUG_ASSERT(set_handle_ptr != NULL); + init_set_symbol_debug (set_handle_ptr, set_symbol_key, size_hint); + + register_pair_common (set_handle_ptr, vtable_ptr, set_symbol_name, vtable_name, + true); + + accumulate_cycle_count (®pair_cycles, start); +} + + +/* This is the debug version of the verification function. It takes + the address of a vtable map variable (SET_HANDLE_PTR) and a + VTABLE_PTR to validate, as well as the name of the vtable map + variable (SET_SYMBOL_NAME) and VTABLE_NAME, which are used for + debugging messages. It checks to see if VTABLE_PTR is in the set + pointed to by SET_HANDLE_PTR. If so, it returns VTABLE_PTR, + otherwise it calls __vtv_verify_fail, which usually logs error + messages and calls abort. */ + +const void * +__VLTVerifyVtablePointerDebug (void **set_handle_ptr, const void *vtable_ptr, + const char *set_symbol_name, + const char *vtable_name) +{ + unsigned long long start = get_cycle_count (); + VTV_DEBUG_ASSERT (set_handle_ptr != NULL && *set_handle_ptr != NULL); + int_vptr vtbl_ptr = (int_vptr) vtable_ptr; + + increment_num_calls (&num_calls_to_verify_vtable); + vtv_set_handle *handle_ptr; + if (!is_set_handle_handle (*set_handle_ptr)) + handle_ptr = (vtv_set_handle *) set_handle_ptr; + else + handle_ptr = ptr_from_set_handle_handle (*set_handle_ptr); + + if (vtv_sets::contains (vtbl_ptr, handle_ptr)) + { + if (debug_verify_vtable) + { + if (verify_vtable_log_fd == -1) + __vtv_open_log ("vtv_verify_vtable.log"); + __vtv_add_to_log (verify_vtable_log_fd, + "Verified %s %s value = %p\n", + set_symbol_name, vtable_name, vtable_ptr); + } + } + else + { + /* We failed to find the vtable pointer in the set of valid + pointers. Log the error data and call the failure + function. */ + snprintf (debug_log_message, sizeof (debug_log_message), + "Looking for %s in %s\n", vtable_name, set_symbol_name); + __vtv_verify_fail_debug (set_handle_ptr, vtable_ptr, debug_log_message); + + /* Normally __vtv_verify_fail_debug will call abort, so we won't + execute the return below. If we get this far, the assumption + is that the programmer has replaced __vtv_verify_fail_debug + with some kind of secondary verification AND this secondary + verification succeeded, so the vtable pointer is valid. */ + } + accumulate_cycle_count (&verify_vtable_cycles, start); + + return vtable_ptr; +} + +/* This routine initializes a set handle to a vtable set. It makes + sure that there is only one set handle for a particular set by + using a map from set name to pointer to set handle. Since there + will be multiple copies of the pointer to the set handle (one per + compilation unit that uses it), it makes sure to initialize all the + pointers to the set handle so that the set handle is unique. To + make this a little more efficient and avoid a level of indirection + in some cases, the first pointer to handle for a particular handle + becomes the handle itself and the other pointers will point to the + set handle. SET_HANDLE_PTR is the address of the vtable map + variable, SET_SYMBOL_KEY is the hash table key (containing the name + of the map variable and the hash value) and SIZE_HINT is a guess + for the best initial size for the set of vtable pointers that + SET_HANDLE_POINTER will point to.*/ + +static inline void +init_set_symbol (void **set_handle_ptr, const void *set_symbol_key, + size_t size_hint) +{ + vtv_set_handle *handle_ptr = (vtv_set_handle *) set_handle_ptr; + + if (*handle_ptr != NULL) + { + if (!is_set_handle_handle (*set_handle_ptr)) + handle_ptr = (vtv_set_handle *) set_handle_ptr; + else + handle_ptr = ptr_from_set_handle_handle (*set_handle_ptr); + vtv_sets::resize (size_hint, handle_ptr); + return; + } + + if (vtv_symbol_unification_map == NULL) + vtv_symbol_unification_map = s2s::create (1024); + + vtv_symbol_key *symbol_key_ptr = (vtv_symbol_key *) set_symbol_key; + const s2s::value_type *map_value_ptr = + vtv_symbol_unification_map->get (symbol_key_ptr); + + if (map_value_ptr != NULL) + { + if (*map_value_ptr == handle_ptr) + vtv_sets::resize (size_hint, *map_value_ptr); + else + { + /* The one level handle to the set already exists. So, we + are adding one level of indirection here and we will + store a pointer to the one level pointer here. */ + vtv_set_handle_handle *handle_handle_ptr = + (vtv_set_handle_handle *) handle_ptr; + *handle_handle_ptr = set_handle_handle (*map_value_ptr); + vtv_sets::resize (size_hint, *map_value_ptr); + } + } + else + { + /* We will create a new set. So, in this case handle_ptr is the + one level pointer to the set handle. Create copy of map name + in case the memory where this comes from gets unmapped by + dlclose. */ + size_t map_key_len = symbol_key_ptr->n + sizeof (vtv_symbol_key); + void * map_key = __vtv_malloc (map_key_len); + memcpy (map_key, symbol_key_ptr, map_key_len); + + s2s::value_type * value_ptr; + vtv_symbol_unification_map = + vtv_symbol_unification_map->find_or_add_key ((vtv_symbol_key *)map_key, + &value_ptr); + + *value_ptr = handle_ptr; + + /* TODO: We should verify the return value. */ + vtv_sets::create (size_hint, handle_ptr); + } +} + +/* This routine initializes a set handle to a vtable set. It makes + sure that there is only one set handle for a particular set by + using a map from set name to pointer to set handle. Since there + will be multiple copies of the pointer to the set handle (one per + compilation unit that uses it), it makes sure to initialize all the + pointers to the set handle so that the set handle is unique. To + make this a little more efficient and avoid a level of indirection + in some cases, the first pointer to handle for a particular handle + becomes the handle itself and the other pointers will point to the + set handle. SET_HANDLE_PTR is the address of the vtable map + variable, SET_SYMBOL_KEY is the hash table key (containing the name + of the map variable and the hash value) and SIZE_HINT is a guess + for the best initial size for the set of vtable pointers that + SET_HANDLE_POINTER will point to.*/ + + +void +__VLTRegisterSet (void **set_handle_ptr, const void *set_symbol_key, + size_t size_hint, size_t num_args, void **vtable_ptr_array) +{ + unsigned long long start = get_cycle_count (); + increment_num_calls (&num_calls_to_regset); + + init_set_symbol (set_handle_ptr, set_symbol_key, size_hint); + register_set_common (set_handle_ptr, num_args, vtable_ptr_array, false); + + accumulate_cycle_count (®set_cycles, start); +} + + + +/* This function takes a the address of a vtable map variable + (SET_HANDLE_PTR) and a VTABLE_PTR. If the vtable map variable is + NULL it creates a new data set and initializes the variable, + otherwise it uses our symbol unification to find the right data + set; in either case it then adds the vtable pointer to the set. */ + +void +__VLTRegisterPair (void **set_handle_ptr, const void *set_symbol_key, + size_t size_hint, const void *vtable_ptr) +{ + unsigned long long start = get_cycle_count (); + increment_num_calls (&num_calls_to_regpair); + + init_set_symbol (set_handle_ptr, set_symbol_key, size_hint); + register_pair_common (set_handle_ptr, vtable_ptr, NULL, NULL, false); + + accumulate_cycle_count (®pair_cycles, start); +} + +/* This is the main verification function. It takes the address of a + vtable map variable (SET_HANDLE_PTR) and a VTABLE_PTR to validate. + It checks to see if VTABLE_PTR is in the set pointed to by + SET_HANDLE_PTR. If so, it returns VTABLE_PTR, otherwise it calls + __vtv_verify_fail, which usually logs error messages and calls + abort. Since this function gets called VERY frequently, it is + important for it to be as efficient as possible. */ + +const void * +__VLTVerifyVtablePointer (void ** set_handle_ptr, const void * vtable_ptr) +{ + unsigned long long start = get_cycle_count (); + int_vptr vtbl_ptr = (int_vptr) vtable_ptr; + + vtv_set_handle *handle_ptr; + increment_num_calls (&num_calls_to_verify_vtable); + if (!is_set_handle_handle (*set_handle_ptr)) + handle_ptr = (vtv_set_handle *) set_handle_ptr; + else + handle_ptr = ptr_from_set_handle_handle (*set_handle_ptr); + + if (!vtv_sets::contains (vtbl_ptr, handle_ptr)) + { + __vtv_verify_fail ((void **) handle_ptr, vtable_ptr); + /* Normally __vtv_verify_fail will call abort, so we won't + execute the return below. If we get this far, the assumption + is that the programmer has replaced __vtv_verify_fail with + some kind of secondary verification AND this secondary + verification succeeded, so the vtable pointer is valid. */ + } + accumulate_cycle_count (&verify_vtable_cycles, start); + + return vtable_ptr; +} + +static int page_count_2 = 0; + +static int +dl_iterate_phdr_count_pages (struct dl_phdr_info *info, + size_t unused __attribute__ ((__unused__)), + void *data) +{ + int *mprotect_flags = (int *) data; + off_t map_sect_offset = 0; + ElfW (Word) map_sect_len = 0; + const char *map_sect_name = VTV_PROTECTED_VARS_SECTION; + + /* Check to see if this is the record for the Linux Virtual Dynamic + Shared Object (linux-vdso.so.1), which exists only in memory (and + therefore cannot be read from disk). */ + + if (strcmp (info->dlpi_name, "linux-vdso.so.1") == 0) + return 0; + + if (strlen (info->dlpi_name) == 0 + && info->dlpi_addr != 0) + return 0; + + read_section_offset_and_length (info, map_sect_name, *mprotect_flags, + &map_sect_offset, &map_sect_len); + + /* See if we actually found the section. */ + if (map_sect_len) + page_count_2 += (map_sect_len + VTV_PAGE_SIZE - 1) / VTV_PAGE_SIZE; + + return 0; +} + +static void +count_all_pages (void) +{ + int mprotect_flags; + + mprotect_flags = PROT_READ; + page_count_2 = 0; + + dl_iterate_phdr (dl_iterate_phdr_count_pages, (void *) &mprotect_flags); + page_count_2 += __vtv_count_mmapped_pages (); +} + +void +__VLTDumpStats (void) +{ + int log_fd = __vtv_open_log ("vtv-runtime-stats.log"); + + if (log_fd != -1) + { + count_all_pages (); + __vtv_add_to_log (log_fd, + "Calls: mprotect (%d) regset (%d) regpair (%d)" + " verify_vtable (%d)\n", + num_calls_to_mprotect, num_calls_to_regset, + num_calls_to_regpair, num_calls_to_verify_vtable); + __vtv_add_to_log (log_fd, + "Cycles: mprotect (%lld) regset (%lld) " + "regpair (%lld) verify_vtable (%lld)\n", + mprotect_cycles, regset_cycles, regpair_cycles, + verify_vtable_cycles); + __vtv_add_to_log (log_fd, + "Pages protected (1): %d\n", num_pages_protected); + __vtv_add_to_log (log_fd, "Pages protected (2): %d\n", page_count_2); + + close (log_fd); + } +} + +/* This function is called from __VLTVerifyVtablePointerDebug; it + sends as much debugging information as it can to the error log + file, then calls __vtv_verify_fail. SET_HANDLE_PTR is the pointer + to the set of valid vtable pointers, VTBL_PTR is the pointer that + was not found in the set, and DEBUG_MSG is the message to be + written to the log file before failing. n */ + +void +__vtv_verify_fail_debug (void **set_handle_ptr, const void *vtbl_ptr, + const char *debug_msg) +{ + __vtv_log_verification_failure (debug_msg, false); + + /* Call the public interface in case it has been overwritten by + user. */ + __vtv_verify_fail (set_handle_ptr, vtbl_ptr); + + __vtv_log_verification_failure ("Returned from __vtv_verify_fail." + " Secondary verification succeeded.\n", false); +} + +/* This function calls __fortify_fail with a FAILURE_MSG and then + calls abort. */ + +void +__vtv_really_fail (const char *failure_msg) +{ + __fortify_fail (failure_msg); + + /* We should never get this far; __fortify_fail calls __libc_message + which prints out a back trace and a memory dump and then is + supposed to call abort, but let's play it safe anyway and call abort + ourselves. */ + abort (); +} + +/* This function takes an error MSG, a vtable map variable + (DATA_SET_PTR) and a vtable pointer (VTBL_PTR). It is called when + an attempt to verify VTBL_PTR with the set pointed to by + DATA_SET_PTR failed. It outputs a failure message with the + addresses involved, and calls __vtv_really_fail. */ + +static void +vtv_fail (const char *msg, void **data_set_ptr, const void *vtbl_ptr) +{ + char buffer[128]; + int buf_len; + const char *format_str = + "*** Unable to verify vtable pointer (%p) in set (%p) *** \n"; + + snprintf (buffer, sizeof (buffer), format_str, vtbl_ptr, + is_set_handle_handle(*data_set_ptr) ? + ptr_from_set_handle_handle (*data_set_ptr) : + *data_set_ptr); + buf_len = strlen (buffer); + /* Send this to to stderr. */ + write (2, buffer, buf_len); + +#ifndef VTV_NO_ABORT + __vtv_really_fail (msg); +#endif +} + +/* Send information about what we were trying to do when verification + failed to the error log, then call vtv_fail. This function can be + overwritten/replaced by the user, to implement a secondary + verification function instead. DATA_SET_PTR is the vtable map + variable used for the failed verification, and VTBL_PTR is the + vtable pointer that was not found in the set. */ + +void +__vtv_verify_fail (void **data_set_ptr, const void *vtbl_ptr) +{ + char log_msg[256]; + snprintf (log_msg, sizeof (log_msg), "Looking for vtable %p in set %p.\n", + vtbl_ptr, + is_set_handle_handle (*data_set_ptr) ? + ptr_from_set_handle_handle (*data_set_ptr) : + *data_set_ptr); + __vtv_log_verification_failure (log_msg, false); + + const char *format_str = + "*** Unable to verify vtable pointer (%p) in set (%p) *** \n"; + snprintf (log_msg, sizeof (log_msg), format_str, vtbl_ptr, *data_set_ptr); + __vtv_log_verification_failure (log_msg, false); + __vtv_log_verification_failure (" Backtrace: \n", true); + + const char *fail_msg = "Potential vtable pointer corruption detected!!\n"; + vtv_fail (fail_msg, data_set_ptr, vtbl_ptr); +} |