1 //===-- sanitizer/common_interface_defs.h -----------------------*- C++ -*-===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // Common part of the public sanitizer interface. 10 //===----------------------------------------------------------------------===// 11 12 #ifndef SANITIZER_COMMON_INTERFACE_DEFS_H 13 #define SANITIZER_COMMON_INTERFACE_DEFS_H 14 15 #include <stddef.h> 16 #include <stdint.h> 17 18 // GCC does not understand __has_feature. 19 #if !defined(__has_feature) 20 #define __has_feature(x) 0 21 #endif 22 23 #ifdef __cplusplus 24 extern "C" { 25 #endif 26 // Arguments for __sanitizer_sandbox_on_notify() below. 27 typedef struct { 28 // Enable sandbox support in sanitizer coverage. 29 int coverage_sandboxed; 30 // File descriptor to write coverage data to. If -1 is passed, a file will 31 // be pre-opened by __sanitizer_sandbox_on_notify(). This field has no 32 // effect if coverage_sandboxed == 0. 33 intptr_t coverage_fd; 34 // If non-zero, split the coverage data into well-formed blocks. This is 35 // useful when coverage_fd is a socket descriptor. Each block will contain 36 // a header, allowing data from multiple processes to be sent over the same 37 // socket. 38 unsigned int coverage_max_block_size; 39 } __sanitizer_sandbox_arguments; 40 41 // Tell the tools to write their reports to "path.<pid>" instead of stderr. 42 void __sanitizer_set_report_path(const char *path); 43 // Tell the tools to write their reports to the provided file descriptor 44 // (casted to void *). 45 void __sanitizer_set_report_fd(void *fd); 46 // Get the current full report file path, if a path was specified by 47 // an earlier call to __sanitizer_set_report_path. Returns null otherwise. 48 const char *__sanitizer_get_report_path(); 49 50 // Notify the tools that the sandbox is going to be turned on. The reserved 51 // parameter will be used in the future to hold a structure with functions 52 // that the tools may call to bypass the sandbox. 53 void __sanitizer_sandbox_on_notify(__sanitizer_sandbox_arguments *args); 54 55 // This function is called by the tool when it has just finished reporting 56 // an error. 'error_summary' is a one-line string that summarizes 57 // the error message. This function can be overridden by the client. 58 void __sanitizer_report_error_summary(const char *error_summary); 59 60 // Some of the sanitizers (for example ASan/TSan) could miss bugs that happen 61 // in unaligned loads/stores. To find such bugs reliably, you need to replace 62 // plain unaligned loads/stores with these calls. 63 64 /// Loads a 16-bit unaligned value. 65 /// 66 /// \param p Pointer to unaligned memory. 67 /// 68 /// \returns Loaded value. 69 uint16_t __sanitizer_unaligned_load16(const void *p); 70 71 /// Loads a 32-bit unaligned value. 72 /// 73 /// \param p Pointer to unaligned memory. 74 /// 75 /// \returns Loaded value. 76 uint32_t __sanitizer_unaligned_load32(const void *p); 77 78 /// Loads a 64-bit unaligned value. 79 /// 80 /// \param p Pointer to unaligned memory. 81 /// 82 /// \returns Loaded value. 83 uint64_t __sanitizer_unaligned_load64(const void *p); 84 85 /// Stores a 16-bit unaligned value. 86 /// 87 /// \param p Pointer to unaligned memory. 88 /// \param x 16-bit value to store. 89 void __sanitizer_unaligned_store16(void *p, uint16_t x); 90 91 /// Stores a 32-bit unaligned value. 92 /// 93 /// \param p Pointer to unaligned memory. 94 /// \param x 32-bit value to store. 95 void __sanitizer_unaligned_store32(void *p, uint32_t x); 96 97 /// Stores a 64-bit unaligned value. 98 /// 99 /// \param p Pointer to unaligned memory. 100 /// \param x 64-bit value to store. 101 void __sanitizer_unaligned_store64(void *p, uint64_t x); 102 103 // Returns 1 on the first call, then returns 0 thereafter. Called by the tool 104 // to ensure only one report is printed when multiple errors occur 105 // simultaneously. 106 int __sanitizer_acquire_crash_state(); 107 108 /// Annotates the current state of a contiguous container, such as 109 /// <c>std::vector</c>, <c>std::string</c>, or similar. 110 /// 111 /// A contiguous container is a container that keeps all of its elements 112 /// in a contiguous region of memory. The container owns the region of memory 113 /// <c>[beg, end)</c>; the memory <c>[beg, mid)</c> is used to store the 114 /// current elements, and the memory <c>[mid, end)</c> is reserved for future 115 /// elements (<c>beg <= mid <= end</c>). For example, in 116 /// <c>std::vector<> v</c>: 117 /// 118 /// \code 119 /// beg = &v[0]; 120 /// end = beg + v.capacity() * sizeof(v[0]); 121 /// mid = beg + v.size() * sizeof(v[0]); 122 /// \endcode 123 /// 124 /// This annotation tells the Sanitizer tool about the current state of the 125 /// container so that the tool can report errors when memory from 126 /// <c>[mid, end)</c> is accessed. Insert this annotation into methods like 127 /// <c>push_back()</c> or <c>pop_back()</c>. Supply the old and new values of 128 /// <c>mid</c>(<c><i>old_mid</i></c> and <c><i>new_mid</i></c>). In the initial 129 /// state <c>mid == end</c>, so that should be the final state when the 130 /// container is destroyed or when the container reallocates the storage. 131 /// 132 /// For ASan, <c><i>beg</i></c> no longer needs to be 8-aligned, 133 /// first and last granule may be shared with other objects 134 /// and therefore the function can be used for any allocator. 135 /// 136 /// The following example shows how to use the function: 137 /// 138 /// \code 139 /// int32_t x[3]; // 12 bytes 140 /// char *beg = (char*)&x[0]; 141 /// char *end = beg + 12; 142 /// __sanitizer_annotate_contiguous_container(beg, end, beg, end); 143 /// \endcode 144 /// 145 /// \note Use this function with caution and do not use for anything other 146 /// than vector-like classes. 147 /// \note Unaligned <c><i>beg</i></c> or <c><i>end</i></c> may miss bugs in 148 /// these granules. 149 /// 150 /// \param beg Beginning of memory region. 151 /// \param end End of memory region. 152 /// \param old_mid Old middle of memory region. 153 /// \param new_mid New middle of memory region. 154 void __sanitizer_annotate_contiguous_container(const void *beg, 155 const void *end, 156 const void *old_mid, 157 const void *new_mid); 158 159 /// Similar to <c>__sanitizer_annotate_contiguous_container</c>. 160 /// 161 /// Annotates the current state of a contiguous container memory, 162 /// such as <c>std::deque</c>'s single chunk, when the boundries are moved. 163 /// 164 /// A contiguous chunk is a chunk that keeps all of its elements 165 /// in a contiguous region of memory. The container owns the region of memory 166 /// <c>[storage_beg, storage_end)</c>; the memory <c>[container_beg, 167 /// container_end)</c> is used to store the current elements, and the memory 168 /// <c>[storage_beg, container_beg), [container_end, storage_end)</c> is 169 /// reserved for future elements (<c>storage_beg <= container_beg <= 170 /// container_end <= storage_end</c>). For example, in <c> std::deque </c>: 171 /// - chunk with a frist deques element will have container_beg equal to address 172 /// of the first element. 173 /// - in every next chunk with elements, true is <c> container_beg == 174 /// storage_beg </c>. 175 /// 176 /// Argument requirements: 177 /// During unpoisoning memory of empty container (before first element is 178 /// added): 179 /// - old_container_beg_p == old_container_end_p 180 /// During poisoning after last element was removed: 181 /// - new_container_beg_p == new_container_end_p 182 /// \param storage_beg Beginning of memory region. 183 /// \param storage_end End of memory region. 184 /// \param old_container_beg Old beginning of used region. 185 /// \param old_container_end End of used region. 186 /// \param new_container_beg New beginning of used region. 187 /// \param new_container_end New end of used region. 188 void __sanitizer_annotate_double_ended_contiguous_container( 189 const void *storage_beg, const void *storage_end, 190 const void *old_container_beg, const void *old_container_end, 191 const void *new_container_beg, const void *new_container_end); 192 193 /// Returns true if the contiguous container <c>[beg, end)</c> is properly 194 /// poisoned. 195 /// 196 /// Proper poisoning could occur, for example, with 197 /// <c>__sanitizer_annotate_contiguous_container</c>), that is, if 198 /// <c>[beg, mid)</c> is addressable and <c>[mid, end)</c> is unaddressable. 199 /// Full verification requires O (<c>end - beg</c>) time; this function tries 200 /// to avoid such complexity by touching only parts of the container around 201 /// <c><i>beg</i></c>, <c><i>mid</i></c>, and <c><i>end</i></c>. 202 /// 203 /// \param beg Beginning of memory region. 204 /// \param mid Middle of memory region. 205 /// \param end Old end of memory region. 206 /// 207 /// \returns True if the contiguous container <c>[beg, end)</c> is properly 208 /// poisoned. 209 int __sanitizer_verify_contiguous_container(const void *beg, const void *mid, 210 const void *end); 211 212 /// Returns true if the double ended contiguous 213 /// container <c>[storage_beg, storage_end)</c> is properly poisoned. 214 /// 215 /// Proper poisoning could occur, for example, with 216 /// <c>__sanitizer_annotate_double_ended_contiguous_container</c>), that is, if 217 /// <c>[storage_beg, container_beg)</c> is not addressable, <c>[container_beg, 218 /// container_end)</c> is addressable and <c>[container_end, end)</c> is 219 /// unaddressable. Full verification requires O (<c>storage_end - 220 /// storage_beg</c>) time; this function tries to avoid such complexity by 221 /// touching only parts of the container around <c><i>storage_beg</i></c>, 222 /// <c><i>container_beg</i></c>, <c><i>container_end</i></c>, and 223 /// <c><i>storage_end</i></c>. 224 /// 225 /// \param storage_beg Beginning of memory region. 226 /// \param container_beg Beginning of used region. 227 /// \param container_end End of used region. 228 /// \param storage_end End of memory region. 229 /// 230 /// \returns True if the double-ended contiguous container <c>[storage_beg, 231 /// container_beg, container_end, end)</c> is properly poisoned - only 232 /// [container_beg; container_end) is addressable. 233 int __sanitizer_verify_double_ended_contiguous_container( 234 const void *storage_beg, const void *container_beg, 235 const void *container_end, const void *storage_end); 236 237 /// Similar to <c>__sanitizer_verify_contiguous_container()</c> but also 238 /// returns the address of the first improperly poisoned byte. 239 /// 240 /// Returns NULL if the area is poisoned properly. 241 /// 242 /// \param beg Beginning of memory region. 243 /// \param mid Middle of memory region. 244 /// \param end Old end of memory region. 245 /// 246 /// \returns The bad address or NULL. 247 const void *__sanitizer_contiguous_container_find_bad_address(const void *beg, 248 const void *mid, 249 const void *end); 250 251 /// returns the address of the first improperly poisoned byte. 252 /// 253 /// Returns NULL if the area is poisoned properly. 254 /// 255 /// \param storage_beg Beginning of memory region. 256 /// \param container_beg Beginning of used region. 257 /// \param container_end End of used region. 258 /// \param storage_end End of memory region. 259 /// 260 /// \returns The bad address or NULL. 261 const void *__sanitizer_double_ended_contiguous_container_find_bad_address( 262 const void *storage_beg, const void *container_beg, 263 const void *container_end, const void *storage_end); 264 265 /// Prints the stack trace leading to this call (useful for calling from the 266 /// debugger). 267 void __sanitizer_print_stack_trace(void); 268 269 // Symbolizes the supplied 'pc' using the format string 'fmt'. 270 // Outputs at most 'out_buf_size' bytes into 'out_buf'. 271 // If 'out_buf' is not empty then output is zero or more non empty C strings 272 // followed by single empty C string. Multiple strings can be returned if PC 273 // corresponds to inlined function. Inlined frames are printed in the order 274 // from "most-inlined" to the "least-inlined", so the last frame should be the 275 // not inlined function. 276 // Inlined frames can be removed with 'symbolize_inline_frames=0'. 277 // The format syntax is described in 278 // lib/sanitizer_common/sanitizer_stacktrace_printer.h. 279 void __sanitizer_symbolize_pc(void *pc, const char *fmt, char *out_buf, 280 size_t out_buf_size); 281 // Same as __sanitizer_symbolize_pc, but for data section (i.e. globals). 282 void __sanitizer_symbolize_global(void *data_ptr, const char *fmt, 283 char *out_buf, size_t out_buf_size); 284 // Determine the return address. 285 #if !defined(_MSC_VER) || defined(__clang__) 286 #define __sanitizer_return_address() \ 287 __builtin_extract_return_addr(__builtin_return_address(0)) 288 #else 289 extern "C" void *_ReturnAddress(void); 290 #pragma intrinsic(_ReturnAddress) 291 #define __sanitizer_return_address() _ReturnAddress() 292 #endif 293 294 /// Sets the callback to be called immediately before death on error. 295 /// 296 /// Passing 0 will unset the callback. 297 /// 298 /// \param callback User-provided callback. 299 void __sanitizer_set_death_callback(void (*callback)(void)); 300 301 302 // Interceptor hooks. 303 // Whenever a libc function interceptor is called, it checks if the 304 // corresponding weak hook is defined, and calls it if it is indeed defined. 305 // The primary use-case is data-flow-guided fuzzing, where the fuzzer needs 306 // to know what is being passed to libc functions (for example memcmp). 307 // FIXME: implement more hooks. 308 309 /// Interceptor hook for <c>memcmp()</c>. 310 /// 311 /// \param called_pc PC (program counter) address of the original call. 312 /// \param s1 Pointer to block of memory. 313 /// \param s2 Pointer to block of memory. 314 /// \param n Number of bytes to compare. 315 /// \param result Value returned by the intercepted function. 316 void __sanitizer_weak_hook_memcmp(void *called_pc, const void *s1, 317 const void *s2, size_t n, int result); 318 319 /// Interceptor hook for <c>strncmp()</c>. 320 /// 321 /// \param called_pc PC (program counter) address of the original call. 322 /// \param s1 Pointer to block of memory. 323 /// \param s2 Pointer to block of memory. 324 /// \param n Number of bytes to compare. 325 /// \param result Value returned by the intercepted function. 326 void __sanitizer_weak_hook_strncmp(void *called_pc, const char *s1, 327 const char *s2, size_t n, int result); 328 329 /// Interceptor hook for <c>strncasecmp()</c>. 330 /// 331 /// \param called_pc PC (program counter) address of the original call. 332 /// \param s1 Pointer to block of memory. 333 /// \param s2 Pointer to block of memory. 334 /// \param n Number of bytes to compare. 335 /// \param result Value returned by the intercepted function. 336 void __sanitizer_weak_hook_strncasecmp(void *called_pc, const char *s1, 337 const char *s2, size_t n, int result); 338 339 /// Interceptor hook for <c>strcmp()</c>. 340 /// 341 /// \param called_pc PC (program counter) address of the original call. 342 /// \param s1 Pointer to block of memory. 343 /// \param s2 Pointer to block of memory. 344 /// \param result Value returned by the intercepted function. 345 void __sanitizer_weak_hook_strcmp(void *called_pc, const char *s1, 346 const char *s2, int result); 347 348 /// Interceptor hook for <c>strcasecmp()</c>. 349 /// 350 /// \param called_pc PC (program counter) address of the original call. 351 /// \param s1 Pointer to block of memory. 352 /// \param s2 Pointer to block of memory. 353 /// \param result Value returned by the intercepted function. 354 void __sanitizer_weak_hook_strcasecmp(void *called_pc, const char *s1, 355 const char *s2, int result); 356 357 /// Interceptor hook for <c>strstr()</c>. 358 /// 359 /// \param called_pc PC (program counter) address of the original call. 360 /// \param s1 Pointer to block of memory. 361 /// \param s2 Pointer to block of memory. 362 /// \param result Value returned by the intercepted function. 363 void __sanitizer_weak_hook_strstr(void *called_pc, const char *s1, 364 const char *s2, char *result); 365 366 void __sanitizer_weak_hook_strcasestr(void *called_pc, const char *s1, 367 const char *s2, char *result); 368 369 void __sanitizer_weak_hook_memmem(void *called_pc, 370 const void *s1, size_t len1, 371 const void *s2, size_t len2, void *result); 372 373 // Prints stack traces for all live heap allocations ordered by total 374 // allocation size until top_percent of total live heap is shown. top_percent 375 // should be between 1 and 100. At most max_number_of_contexts contexts 376 // (stack traces) are printed. 377 // Experimental feature currently available only with ASan on Linux/x86_64. 378 void __sanitizer_print_memory_profile(size_t top_percent, 379 size_t max_number_of_contexts); 380 381 /// Notify ASan that a fiber switch has started (required only if implementing 382 /// your own fiber library). 383 /// 384 /// Before switching to a different stack, you must call 385 /// <c>__sanitizer_start_switch_fiber()</c> with a pointer to the bottom of the 386 /// destination stack and with its size. When code starts running on the new 387 /// stack, it must call <c>__sanitizer_finish_switch_fiber()</c> to finalize 388 /// the switch. The <c>__sanitizer_start_switch_fiber()</c> function takes a 389 /// <c>void**</c> pointer argument to store the current fake stack if there is 390 /// one (it is necessary when the runtime option 391 /// <c>detect_stack_use_after_return</c> is enabled). 392 /// 393 /// When restoring a stack, this <c>void**</c> pointer must be given to the 394 /// <c>__sanitizer_finish_switch_fiber()</c> function. In most cases, this 395 /// pointer can be stored on the stack immediately before switching. When 396 /// leaving a fiber definitely, NULL must be passed as the first argument to 397 /// the <c>__sanitizer_start_switch_fiber()</c> function so that the fake stack 398 /// is destroyed. If your program does not need stack use-after-return 399 /// detection, you can always pass NULL to these two functions. 400 /// 401 /// \note The fake stack mechanism is disabled during fiber switch, so if a 402 /// signal callback runs during the switch, it will not benefit from stack 403 /// use-after-return detection. 404 /// 405 /// \param[out] fake_stack_save Fake stack save location. 406 /// \param bottom Bottom address of stack. 407 /// \param size Size of stack in bytes. 408 void __sanitizer_start_switch_fiber(void **fake_stack_save, 409 const void *bottom, size_t size); 410 411 /// Notify ASan that a fiber switch has completed (required only if 412 /// implementing your own fiber library). 413 /// 414 /// When code starts running on the new stack, it must call 415 /// <c>__sanitizer_finish_switch_fiber()</c> to finalize 416 /// the switch. For usage details, see the description of 417 /// <c>__sanitizer_start_switch_fiber()</c>. 418 /// 419 /// \param fake_stack_save Fake stack save location. 420 /// \param[out] bottom_old Bottom address of old stack. 421 /// \param[out] size_old Size of old stack in bytes. 422 void __sanitizer_finish_switch_fiber(void *fake_stack_save, 423 const void **bottom_old, 424 size_t *size_old); 425 426 // Get full module name and calculate pc offset within it. 427 // Returns 1 if pc belongs to some module, 0 if module was not found. 428 int __sanitizer_get_module_and_offset_for_pc(void *pc, char *module_path, 429 size_t module_path_len, 430 void **pc_offset); 431 432 #ifdef __cplusplus 433 } // extern "C" 434 #endif 435 436 #endif // SANITIZER_COMMON_INTERFACE_DEFS_H 437