1 //===-- sanitizer/common_interface_defs.h -----------------------*- C++ -*-===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // Common part of the public sanitizer interface. 10 //===----------------------------------------------------------------------===// 11 12 #ifndef SANITIZER_COMMON_INTERFACE_DEFS_H 13 #define SANITIZER_COMMON_INTERFACE_DEFS_H 14 15 #include <stddef.h> 16 #include <stdint.h> 17 18 // GCC does not understand __has_feature. 19 #if !defined(__has_feature) 20 #define __has_feature(x) 0 21 #endif 22 23 #ifdef __cplusplus 24 extern "C" { 25 #endif 26 // Arguments for __sanitizer_sandbox_on_notify() below. 27 typedef struct { 28 // Enable sandbox support in sanitizer coverage. 29 int coverage_sandboxed; 30 // File descriptor to write coverage data to. If -1 is passed, a file will 31 // be pre-opened by __sanitizer_sandobx_on_notify(). This field has no 32 // effect if coverage_sandboxed == 0. 33 intptr_t coverage_fd; 34 // If non-zero, split the coverage data into well-formed blocks. This is 35 // useful when coverage_fd is a socket descriptor. Each block will contain 36 // a header, allowing data from multiple processes to be sent over the same 37 // socket. 38 unsigned int coverage_max_block_size; 39 } __sanitizer_sandbox_arguments; 40 41 // Tell the tools to write their reports to "path.<pid>" instead of stderr. 42 void __sanitizer_set_report_path(const char *path); 43 // Tell the tools to write their reports to the provided file descriptor 44 // (casted to void *). 45 void __sanitizer_set_report_fd(void *fd); 46 47 // Notify the tools that the sandbox is going to be turned on. The reserved 48 // parameter will be used in the future to hold a structure with functions 49 // that the tools may call to bypass the sandbox. 50 void __sanitizer_sandbox_on_notify(__sanitizer_sandbox_arguments *args); 51 52 // This function is called by the tool when it has just finished reporting 53 // an error. 'error_summary' is a one-line string that summarizes 54 // the error message. This function can be overridden by the client. 55 void __sanitizer_report_error_summary(const char *error_summary); 56 57 // Some of the sanitizers (for example ASan/TSan) could miss bugs that happen 58 // in unaligned loads/stores. To find such bugs reliably, you need to replace 59 // plain unaligned loads/stores with these calls. 60 61 /// Loads a 16-bit unaligned value. 62 /// 63 /// \param p Pointer to unaligned memory. 64 /// 65 /// \returns Loaded value. 66 uint16_t __sanitizer_unaligned_load16(const void *p); 67 68 /// Loads a 32-bit unaligned value. 69 /// 70 /// \param p Pointer to unaligned memory. 71 /// 72 /// \returns Loaded value. 73 uint32_t __sanitizer_unaligned_load32(const void *p); 74 75 /// Loads a 64-bit unaligned value. 76 /// 77 /// \param p Pointer to unaligned memory. 78 /// 79 /// \returns Loaded value. 80 uint64_t __sanitizer_unaligned_load64(const void *p); 81 82 /// Stores a 16-bit unaligned value. 83 /// 84 /// \param p Pointer to unaligned memory. 85 /// \param x 16-bit value to store. 86 void __sanitizer_unaligned_store16(void *p, uint16_t x); 87 88 /// Stores a 32-bit unaligned value. 89 /// 90 /// \param p Pointer to unaligned memory. 91 /// \param x 32-bit value to store. 92 void __sanitizer_unaligned_store32(void *p, uint32_t x); 93 94 /// Stores a 64-bit unaligned value. 95 /// 96 /// \param p Pointer to unaligned memory. 97 /// \param x 64-bit value to store. 98 void __sanitizer_unaligned_store64(void *p, uint64_t x); 99 100 // Returns 1 on the first call, then returns 0 thereafter. Called by the tool 101 // to ensure only one report is printed when multiple errors occur 102 // simultaneously. 103 int __sanitizer_acquire_crash_state(); 104 105 /// Annotates the current state of a contiguous container, such as 106 /// <c>std::vector</c>, <c>std::string</c>, or similar. 107 /// 108 /// A contiguous container is a container that keeps all of its elements 109 /// in a contiguous region of memory. The container owns the region of memory 110 /// <c>[beg, end)</c>; the memory <c>[beg, mid)</c> is used to store the 111 /// current elements, and the memory <c>[mid, end)</c> is reserved for future 112 /// elements (<c>beg <= mid <= end</c>). For example, in 113 /// <c>std::vector<> v</c>: 114 /// 115 /// \code 116 /// beg = &v[0]; 117 /// end = beg + v.capacity() * sizeof(v[0]); 118 /// mid = beg + v.size() * sizeof(v[0]); 119 /// \endcode 120 /// 121 /// This annotation tells the Sanitizer tool about the current state of the 122 /// container so that the tool can report errors when memory from 123 /// <c>[mid, end)</c> is accessed. Insert this annotation into methods like 124 /// <c>push_back()</c> or <c>pop_back()</c>. Supply the old and new values of 125 /// <c>mid</c>(<c><i>old_mid</i></c> and <c><i>new_mid</i></c>). In the initial 126 /// state <c>mid == end</c>, so that should be the final state when the 127 /// container is destroyed or when the container reallocates the storage. 128 /// 129 /// For ASan, <c><i>beg</i></c> should be 8-aligned and <c><i>end</i></c> 130 /// should be either 8-aligned or it should point to the end of a separate 131 /// heap-, stack-, or global-allocated buffer. So the following example will 132 /// not work: 133 /// 134 /// \code 135 /// int64_t x[2]; // 16 bytes, 8-aligned 136 /// char *beg = (char *)&x[0]; 137 /// char *end = beg + 12; // Not 8-aligned, not the end of the buffer 138 /// \endcode 139 /// 140 /// The following, however, will work: 141 /// \code 142 /// int32_t x[3]; // 12 bytes, but 8-aligned under ASan. 143 /// char *beg = (char*)&x[0]; 144 /// char *end = beg + 12; // Not 8-aligned, but is the end of the buffer 145 /// \endcode 146 /// 147 /// \note Use this function with caution and do not use for anything other 148 /// than vector-like classes. 149 /// 150 /// \param beg Beginning of memory region. 151 /// \param end End of memory region. 152 /// \param old_mid Old middle of memory region. 153 /// \param new_mid New middle of memory region. 154 void __sanitizer_annotate_contiguous_container(const void *beg, 155 const void *end, 156 const void *old_mid, 157 const void *new_mid); 158 159 /// Returns true if the contiguous container <c>[beg, end)</c> is properly 160 /// poisoned. 161 /// 162 /// Proper poisoning could occur, for example, with 163 /// <c>__sanitizer_annotate_contiguous_container</c>), that is, if 164 /// <c>[beg, mid)</c> is addressable and <c>[mid, end)</c> is unaddressable. 165 /// Full verification requires O (<c>end - beg</c>) time; this function tries 166 /// to avoid such complexity by touching only parts of the container around 167 /// <c><i>beg</i></c>, <c><i>mid</i></c>, and <c><i>end</i></c>. 168 /// 169 /// \param beg Beginning of memory region. 170 /// \param mid Middle of memory region. 171 /// \param end Old end of memory region. 172 /// 173 /// \returns True if the contiguous container <c>[beg, end)</c> is properly 174 /// poisoned. 175 int __sanitizer_verify_contiguous_container(const void *beg, const void *mid, 176 const void *end); 177 178 /// Similar to <c>__sanitizer_verify_contiguous_container()</c> but also 179 /// returns the address of the first improperly poisoned byte. 180 /// 181 /// Returns NULL if the area is poisoned properly. 182 /// 183 /// \param beg Beginning of memory region. 184 /// \param mid Middle of memory region. 185 /// \param end Old end of memory region. 186 /// 187 /// \returns The bad address or NULL. 188 const void *__sanitizer_contiguous_container_find_bad_address(const void *beg, 189 const void *mid, 190 const void *end); 191 192 /// Prints the stack trace leading to this call (useful for calling from the 193 /// debugger). 194 void __sanitizer_print_stack_trace(void); 195 196 // Symbolizes the supplied 'pc' using the format string 'fmt'. 197 // Outputs at most 'out_buf_size' bytes into 'out_buf'. 198 // If 'out_buf' is not empty then output is zero or more non empty C strings 199 // followed by single empty C string. Multiple strings can be returned if PC 200 // corresponds to inlined function. Inlined frames are printed in the order 201 // from "most-inlined" to the "least-inlined", so the last frame should be the 202 // not inlined function. 203 // Inlined frames can be removed with 'symbolize_inline_frames=0'. 204 // The format syntax is described in 205 // lib/sanitizer_common/sanitizer_stacktrace_printer.h. 206 void __sanitizer_symbolize_pc(void *pc, const char *fmt, char *out_buf, 207 size_t out_buf_size); 208 // Same as __sanitizer_symbolize_pc, but for data section (i.e. globals). 209 void __sanitizer_symbolize_global(void *data_ptr, const char *fmt, 210 char *out_buf, size_t out_buf_size); 211 212 /// Sets the callback to be called immediately before death on error. 213 /// 214 /// Passing 0 will unset the callback. 215 /// 216 /// \param callback User-provided callback. 217 void __sanitizer_set_death_callback(void (*callback)(void)); 218 219 220 // Interceptor hooks. 221 // Whenever a libc function interceptor is called, it checks if the 222 // corresponding weak hook is defined, and calls it if it is indeed defined. 223 // The primary use-case is data-flow-guided fuzzing, where the fuzzer needs 224 // to know what is being passed to libc functions (for example memcmp). 225 // FIXME: implement more hooks. 226 227 /// Interceptor hook for <c>memcmp()</c>. 228 /// 229 /// \param called_pc PC (program counter) address of the original call. 230 /// \param s1 Pointer to block of memory. 231 /// \param s2 Pointer to block of memory. 232 /// \param n Number of bytes to compare. 233 /// \param result Value returned by the intercepted function. 234 void __sanitizer_weak_hook_memcmp(void *called_pc, const void *s1, 235 const void *s2, size_t n, int result); 236 237 /// Interceptor hook for <c>strncmp()</c>. 238 /// 239 /// \param called_pc PC (program counter) address of the original call. 240 /// \param s1 Pointer to block of memory. 241 /// \param s2 Pointer to block of memory. 242 /// \param n Number of bytes to compare. 243 /// \param result Value returned by the intercepted function. 244 void __sanitizer_weak_hook_strncmp(void *called_pc, const char *s1, 245 const char *s2, size_t n, int result); 246 247 /// Interceptor hook for <c>strncasecmp()</c>. 248 /// 249 /// \param called_pc PC (program counter) address of the original call. 250 /// \param s1 Pointer to block of memory. 251 /// \param s2 Pointer to block of memory. 252 /// \param n Number of bytes to compare. 253 /// \param result Value returned by the intercepted function. 254 void __sanitizer_weak_hook_strncasecmp(void *called_pc, const char *s1, 255 const char *s2, size_t n, int result); 256 257 /// Interceptor hook for <c>strcmp()</c>. 258 /// 259 /// \param called_pc PC (program counter) address of the original call. 260 /// \param s1 Pointer to block of memory. 261 /// \param s2 Pointer to block of memory. 262 /// \param result Value returned by the intercepted function. 263 void __sanitizer_weak_hook_strcmp(void *called_pc, const char *s1, 264 const char *s2, int result); 265 266 /// Interceptor hook for <c>strcasecmp()</c>. 267 /// 268 /// \param called_pc PC (program counter) address of the original call. 269 /// \param s1 Pointer to block of memory. 270 /// \param s2 Pointer to block of memory. 271 /// \param result Value returned by the intercepted function. 272 void __sanitizer_weak_hook_strcasecmp(void *called_pc, const char *s1, 273 const char *s2, int result); 274 275 /// Interceptor hook for <c>strstr()</c>. 276 /// 277 /// \param called_pc PC (program counter) address of the original call. 278 /// \param s1 Pointer to block of memory. 279 /// \param s2 Pointer to block of memory. 280 /// \param result Value returned by the intercepted function. 281 void __sanitizer_weak_hook_strstr(void *called_pc, const char *s1, 282 const char *s2, char *result); 283 284 void __sanitizer_weak_hook_strcasestr(void *called_pc, const char *s1, 285 const char *s2, char *result); 286 287 void __sanitizer_weak_hook_memmem(void *called_pc, 288 const void *s1, size_t len1, 289 const void *s2, size_t len2, void *result); 290 291 // Prints stack traces for all live heap allocations ordered by total 292 // allocation size until top_percent of total live heap is shown. top_percent 293 // should be between 1 and 100. At most max_number_of_contexts contexts 294 // (stack traces) are printed. 295 // Experimental feature currently available only with ASan on Linux/x86_64. 296 void __sanitizer_print_memory_profile(size_t top_percent, 297 size_t max_number_of_contexts); 298 299 /// Notify ASan that a fiber switch has started (required only if implementing 300 /// your own fiber library). 301 /// 302 /// Before switching to a different stack, you must call 303 /// <c>__sanitizer_start_switch_fiber()</c> with a pointer to the bottom of the 304 /// destination stack and with its size. When code starts running on the new 305 /// stack, it must call <c>__sanitizer_finish_switch_fiber()</c> to finalize 306 /// the switch. The <c>__sanitizer_start_switch_fiber()</c> function takes a 307 /// <c>void**</c> pointer argument to store the current fake stack if there is 308 /// one (it is necessary when the runtime option 309 /// <c>detect_stack_use_after_return</c> is enabled). 310 /// 311 /// When restoring a stack, this <c>void**</c> pointer must be given to the 312 /// <c>__sanitizer_finish_switch_fiber()</c> function. In most cases, this 313 /// pointer can be stored on the stack immediately before switching. When 314 /// leaving a fiber definitely, NULL must be passed as the first argument to 315 /// the <c>__sanitizer_start_switch_fiber()</c> function so that the fake stack 316 /// is destroyed. If your program does not need stack use-after-return 317 /// detection, you can always pass NULL to these two functions. 318 /// 319 /// \note The fake stack mechanism is disabled during fiber switch, so if a 320 /// signal callback runs during the switch, it will not benefit from stack 321 /// use-after-return detection. 322 /// 323 /// \param fake_stack_save [out] Fake stack save location. 324 /// \param bottom Bottom address of stack. 325 /// \param size Size of stack in bytes. 326 void __sanitizer_start_switch_fiber(void **fake_stack_save, 327 const void *bottom, size_t size); 328 329 /// Notify ASan that a fiber switch has completed (required only if 330 /// implementing your own fiber library). 331 /// 332 /// When code starts running on the new stack, it must call 333 /// <c>__sanitizer_finish_switch_fiber()</c> to finalize 334 /// the switch. For usage details, see the description of 335 /// <c>__sanitizer_start_switch_fiber()</c>. 336 /// 337 /// \param fake_stack_save Fake stack save location. 338 /// \param bottom_old [out] Bottom address of old stack. 339 /// \param size_old [out] Size of old stack in bytes. 340 void __sanitizer_finish_switch_fiber(void *fake_stack_save, 341 const void **bottom_old, 342 size_t *size_old); 343 344 // Get full module name and calculate pc offset within it. 345 // Returns 1 if pc belongs to some module, 0 if module was not found. 346 int __sanitizer_get_module_and_offset_for_pc(void *pc, char *module_path, 347 size_t module_path_len, 348 void **pc_offset); 349 350 #ifdef __cplusplus 351 } // extern "C" 352 #endif 353 354 #endif // SANITIZER_COMMON_INTERFACE_DEFS_H 355