1 //===-- dfsan_custom.cpp --------------------------------------------------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This file is a part of DataFlowSanitizer. 10 // 11 // This file defines the custom functions listed in done_abilist.txt. 12 //===----------------------------------------------------------------------===// 13 14 #include <arpa/inet.h> 15 #include <assert.h> 16 #include <ctype.h> 17 #include <dlfcn.h> 18 #include <link.h> 19 #include <poll.h> 20 #include <pthread.h> 21 #include <pwd.h> 22 #include <sched.h> 23 #include <signal.h> 24 #include <stdarg.h> 25 #include <stdint.h> 26 #include <stdio.h> 27 #include <stdlib.h> 28 #include <string.h> 29 #include <sys/epoll.h> 30 #include <sys/resource.h> 31 #include <sys/select.h> 32 #include <sys/socket.h> 33 #include <sys/stat.h> 34 #include <sys/time.h> 35 #include <sys/types.h> 36 #include <time.h> 37 #include <unistd.h> 38 39 #include "dfsan/dfsan.h" 40 #include "dfsan/dfsan_chained_origin_depot.h" 41 #include "dfsan/dfsan_flags.h" 42 #include "dfsan/dfsan_thread.h" 43 #include "sanitizer_common/sanitizer_common.h" 44 #include "sanitizer_common/sanitizer_internal_defs.h" 45 #include "sanitizer_common/sanitizer_linux.h" 46 #include "sanitizer_common/sanitizer_stackdepot.h" 47 48 using namespace __dfsan; 49 50 #define CALL_WEAK_INTERCEPTOR_HOOK(f, ...) \ 51 do { \ 52 if (f) \ 53 f(__VA_ARGS__); \ 54 } while (false) 55 #define DECLARE_WEAK_INTERCEPTOR_HOOK(f, ...) \ 56 SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE void f(__VA_ARGS__); 57 58 // Async-safe, non-reentrant spin lock. 59 class SignalSpinLocker { 60 public: 61 SignalSpinLocker() { 62 sigset_t all_set; 63 sigfillset(&all_set); 64 pthread_sigmask(SIG_SETMASK, &all_set, &saved_thread_mask_); 65 sigactions_mu.Lock(); 66 } 67 ~SignalSpinLocker() { 68 sigactions_mu.Unlock(); 69 pthread_sigmask(SIG_SETMASK, &saved_thread_mask_, nullptr); 70 } 71 72 private: 73 static StaticSpinMutex sigactions_mu; 74 sigset_t saved_thread_mask_; 75 76 SignalSpinLocker(const SignalSpinLocker &) = delete; 77 SignalSpinLocker &operator=(const SignalSpinLocker &) = delete; 78 }; 79 80 StaticSpinMutex SignalSpinLocker::sigactions_mu; 81 82 extern "C" { 83 SANITIZER_INTERFACE_ATTRIBUTE int 84 __dfsw_stat(const char *path, struct stat *buf, dfsan_label path_label, 85 dfsan_label buf_label, dfsan_label *ret_label) { 86 int ret = stat(path, buf); 87 if (ret == 0) 88 dfsan_set_label(0, buf, sizeof(struct stat)); 89 *ret_label = 0; 90 return ret; 91 } 92 93 SANITIZER_INTERFACE_ATTRIBUTE int __dfso_stat( 94 const char *path, struct stat *buf, dfsan_label path_label, 95 dfsan_label buf_label, dfsan_label *ret_label, dfsan_origin path_origin, 96 dfsan_origin buf_origin, dfsan_origin *ret_origin) { 97 int ret = __dfsw_stat(path, buf, path_label, buf_label, ret_label); 98 return ret; 99 } 100 101 SANITIZER_INTERFACE_ATTRIBUTE int __dfsw_fstat(int fd, struct stat *buf, 102 dfsan_label fd_label, 103 dfsan_label buf_label, 104 dfsan_label *ret_label) { 105 int ret = fstat(fd, buf); 106 if (ret == 0) 107 dfsan_set_label(0, buf, sizeof(struct stat)); 108 *ret_label = 0; 109 return ret; 110 } 111 112 SANITIZER_INTERFACE_ATTRIBUTE int __dfso_fstat( 113 int fd, struct stat *buf, dfsan_label fd_label, dfsan_label buf_label, 114 dfsan_label *ret_label, dfsan_origin fd_origin, dfsan_origin buf_origin, 115 dfsan_origin *ret_origin) { 116 int ret = __dfsw_fstat(fd, buf, fd_label, buf_label, ret_label); 117 return ret; 118 } 119 120 static char *dfsan_strchr_with_label(const char *s, int c, size_t *bytes_read, 121 dfsan_label s_label, dfsan_label c_label, 122 dfsan_label *ret_label) { 123 char *match_pos = nullptr; 124 for (size_t i = 0;; ++i) { 125 if (s[i] == c || s[i] == 0) { 126 // If s[i] is the \0 at the end of the string, and \0 is not the 127 // character we are searching for, then return null. 128 *bytes_read = i + 1; 129 match_pos = s[i] == 0 && c != 0 ? nullptr : const_cast<char *>(s + i); 130 break; 131 } 132 } 133 if (flags().strict_data_dependencies) 134 *ret_label = s_label; 135 else 136 *ret_label = dfsan_union(dfsan_read_label(s, *bytes_read), 137 dfsan_union(s_label, c_label)); 138 return match_pos; 139 } 140 141 SANITIZER_INTERFACE_ATTRIBUTE char *__dfsw_strchr(const char *s, int c, 142 dfsan_label s_label, 143 dfsan_label c_label, 144 dfsan_label *ret_label) { 145 size_t bytes_read; 146 return dfsan_strchr_with_label(s, c, &bytes_read, s_label, c_label, 147 ret_label); 148 } 149 150 SANITIZER_INTERFACE_ATTRIBUTE char *__dfso_strchr( 151 const char *s, int c, dfsan_label s_label, dfsan_label c_label, 152 dfsan_label *ret_label, dfsan_origin s_origin, dfsan_origin c_origin, 153 dfsan_origin *ret_origin) { 154 size_t bytes_read; 155 char *r = 156 dfsan_strchr_with_label(s, c, &bytes_read, s_label, c_label, ret_label); 157 if (flags().strict_data_dependencies) { 158 *ret_origin = s_origin; 159 } else if (*ret_label) { 160 dfsan_origin o = dfsan_read_origin_of_first_taint(s, bytes_read); 161 *ret_origin = o ? o : (s_label ? s_origin : c_origin); 162 } 163 return r; 164 } 165 166 SANITIZER_INTERFACE_ATTRIBUTE char *__dfsw_strpbrk(const char *s, 167 const char *accept, 168 dfsan_label s_label, 169 dfsan_label accept_label, 170 dfsan_label *ret_label) { 171 const char *ret = strpbrk(s, accept); 172 if (flags().strict_data_dependencies) { 173 *ret_label = ret ? s_label : 0; 174 } else { 175 size_t s_bytes_read = (ret ? ret - s : strlen(s)) + 1; 176 *ret_label = 177 dfsan_union(dfsan_read_label(s, s_bytes_read), 178 dfsan_union(dfsan_read_label(accept, strlen(accept) + 1), 179 dfsan_union(s_label, accept_label))); 180 } 181 return const_cast<char *>(ret); 182 } 183 184 SANITIZER_INTERFACE_ATTRIBUTE char *__dfso_strpbrk( 185 const char *s, const char *accept, dfsan_label s_label, 186 dfsan_label accept_label, dfsan_label *ret_label, dfsan_origin s_origin, 187 dfsan_origin accept_origin, dfsan_origin *ret_origin) { 188 const char *ret = __dfsw_strpbrk(s, accept, s_label, accept_label, ret_label); 189 if (flags().strict_data_dependencies) { 190 if (ret) 191 *ret_origin = s_origin; 192 } else { 193 if (*ret_label) { 194 size_t s_bytes_read = (ret ? ret - s : strlen(s)) + 1; 195 dfsan_origin o = dfsan_read_origin_of_first_taint(s, s_bytes_read); 196 if (o) { 197 *ret_origin = o; 198 } else { 199 o = dfsan_read_origin_of_first_taint(accept, strlen(accept) + 1); 200 *ret_origin = o ? o : (s_label ? s_origin : accept_origin); 201 } 202 } 203 } 204 return const_cast<char *>(ret); 205 } 206 207 static int dfsan_memcmp_bcmp(const void *s1, const void *s2, size_t n, 208 size_t *bytes_read) { 209 const char *cs1 = (const char *) s1, *cs2 = (const char *) s2; 210 for (size_t i = 0; i != n; ++i) { 211 if (cs1[i] != cs2[i]) { 212 *bytes_read = i + 1; 213 return cs1[i] - cs2[i]; 214 } 215 } 216 *bytes_read = n; 217 return 0; 218 } 219 220 static dfsan_label dfsan_get_memcmp_label(const void *s1, const void *s2, 221 size_t pos) { 222 if (flags().strict_data_dependencies) 223 return 0; 224 return dfsan_union(dfsan_read_label(s1, pos), dfsan_read_label(s2, pos)); 225 } 226 227 static void dfsan_get_memcmp_origin(const void *s1, const void *s2, size_t pos, 228 dfsan_label *ret_label, 229 dfsan_origin *ret_origin) { 230 *ret_label = dfsan_get_memcmp_label(s1, s2, pos); 231 if (*ret_label == 0) 232 return; 233 dfsan_origin o = dfsan_read_origin_of_first_taint(s1, pos); 234 *ret_origin = o ? o : dfsan_read_origin_of_first_taint(s2, pos); 235 } 236 237 static int dfsan_memcmp_bcmp_label(const void *s1, const void *s2, size_t n, 238 dfsan_label *ret_label) { 239 size_t bytes_read; 240 int r = dfsan_memcmp_bcmp(s1, s2, n, &bytes_read); 241 *ret_label = dfsan_get_memcmp_label(s1, s2, bytes_read); 242 return r; 243 } 244 245 static int dfsan_memcmp_bcmp_origin(const void *s1, const void *s2, size_t n, 246 dfsan_label *ret_label, 247 dfsan_origin *ret_origin) { 248 size_t bytes_read; 249 int r = dfsan_memcmp_bcmp(s1, s2, n, &bytes_read); 250 dfsan_get_memcmp_origin(s1, s2, bytes_read, ret_label, ret_origin); 251 return r; 252 } 253 254 DECLARE_WEAK_INTERCEPTOR_HOOK(dfsan_weak_hook_memcmp, uptr caller_pc, 255 const void *s1, const void *s2, size_t n, 256 dfsan_label s1_label, dfsan_label s2_label, 257 dfsan_label n_label) 258 259 DECLARE_WEAK_INTERCEPTOR_HOOK(dfsan_weak_hook_origin_memcmp, uptr caller_pc, 260 const void *s1, const void *s2, size_t n, 261 dfsan_label s1_label, dfsan_label s2_label, 262 dfsan_label n_label, dfsan_origin s1_origin, 263 dfsan_origin s2_origin, dfsan_origin n_origin) 264 265 SANITIZER_INTERFACE_ATTRIBUTE int __dfsw_memcmp(const void *s1, const void *s2, 266 size_t n, dfsan_label s1_label, 267 dfsan_label s2_label, 268 dfsan_label n_label, 269 dfsan_label *ret_label) { 270 CALL_WEAK_INTERCEPTOR_HOOK(dfsan_weak_hook_memcmp, GET_CALLER_PC(), s1, s2, n, 271 s1_label, s2_label, n_label); 272 return dfsan_memcmp_bcmp_label(s1, s2, n, ret_label); 273 } 274 275 SANITIZER_INTERFACE_ATTRIBUTE int __dfso_memcmp( 276 const void *s1, const void *s2, size_t n, dfsan_label s1_label, 277 dfsan_label s2_label, dfsan_label n_label, dfsan_label *ret_label, 278 dfsan_origin s1_origin, dfsan_origin s2_origin, dfsan_origin n_origin, 279 dfsan_origin *ret_origin) { 280 CALL_WEAK_INTERCEPTOR_HOOK(dfsan_weak_hook_origin_memcmp, GET_CALLER_PC(), s1, 281 s2, n, s1_label, s2_label, n_label, s1_origin, 282 s2_origin, n_origin); 283 return dfsan_memcmp_bcmp_origin(s1, s2, n, ret_label, ret_origin); 284 } 285 286 SANITIZER_INTERFACE_ATTRIBUTE int __dfsw_bcmp(const void *s1, const void *s2, 287 size_t n, dfsan_label s1_label, 288 dfsan_label s2_label, 289 dfsan_label n_label, 290 dfsan_label *ret_label) { 291 return dfsan_memcmp_bcmp_label(s1, s2, n, ret_label); 292 } 293 294 SANITIZER_INTERFACE_ATTRIBUTE int __dfso_bcmp( 295 const void *s1, const void *s2, size_t n, dfsan_label s1_label, 296 dfsan_label s2_label, dfsan_label n_label, dfsan_label *ret_label, 297 dfsan_origin s1_origin, dfsan_origin s2_origin, dfsan_origin n_origin, 298 dfsan_origin *ret_origin) { 299 return dfsan_memcmp_bcmp_origin(s1, s2, n, ret_label, ret_origin); 300 } 301 302 // When n == 0, compare strings without byte limit. 303 // When n > 0, compare the first (at most) n bytes of s1 and s2. 304 static int dfsan_strncmp(const char *s1, const char *s2, size_t n, 305 size_t *bytes_read) { 306 for (size_t i = 0;; ++i) { 307 if (s1[i] != s2[i] || s1[i] == 0 || s2[i] == 0 || (n > 0 && i == n - 1)) { 308 *bytes_read = i + 1; 309 return s1[i] - s2[i]; 310 } 311 } 312 } 313 314 DECLARE_WEAK_INTERCEPTOR_HOOK(dfsan_weak_hook_strcmp, uptr caller_pc, 315 const char *s1, const char *s2, 316 dfsan_label s1_label, dfsan_label s2_label) 317 318 DECLARE_WEAK_INTERCEPTOR_HOOK(dfsan_weak_hook_origin_strcmp, uptr caller_pc, 319 const char *s1, const char *s2, 320 dfsan_label s1_label, dfsan_label s2_label, 321 dfsan_origin s1_origin, dfsan_origin s2_origin) 322 323 SANITIZER_INTERFACE_ATTRIBUTE int __dfsw_strcmp(const char *s1, const char *s2, 324 dfsan_label s1_label, 325 dfsan_label s2_label, 326 dfsan_label *ret_label) { 327 CALL_WEAK_INTERCEPTOR_HOOK(dfsan_weak_hook_strcmp, GET_CALLER_PC(), s1, s2, 328 s1_label, s2_label); 329 size_t bytes_read; 330 int r = dfsan_strncmp(s1, s2, 0, &bytes_read); 331 *ret_label = dfsan_get_memcmp_label(s1, s2, bytes_read); 332 return r; 333 } 334 335 SANITIZER_INTERFACE_ATTRIBUTE int __dfso_strcmp( 336 const char *s1, const char *s2, dfsan_label s1_label, dfsan_label s2_label, 337 dfsan_label *ret_label, dfsan_origin s1_origin, dfsan_origin s2_origin, 338 dfsan_origin *ret_origin) { 339 CALL_WEAK_INTERCEPTOR_HOOK(dfsan_weak_hook_origin_strcmp, GET_CALLER_PC(), s1, 340 s2, s1_label, s2_label, s1_origin, s2_origin); 341 size_t bytes_read; 342 int r = dfsan_strncmp(s1, s2, 0, &bytes_read); 343 dfsan_get_memcmp_origin(s1, s2, bytes_read, ret_label, ret_origin); 344 return r; 345 } 346 347 // When n == 0, compare strings without byte limit. 348 // When n > 0, compare the first (at most) n bytes of s1 and s2. 349 static int dfsan_strncasecmp(const char *s1, const char *s2, size_t n, 350 size_t *bytes_read) { 351 for (size_t i = 0;; ++i) { 352 char s1_lower = tolower(s1[i]); 353 char s2_lower = tolower(s2[i]); 354 355 if (s1_lower != s2_lower || s1[i] == 0 || s2[i] == 0 || 356 (n > 0 && i == n - 1)) { 357 *bytes_read = i + 1; 358 return s1_lower - s2_lower; 359 } 360 } 361 } 362 363 SANITIZER_INTERFACE_ATTRIBUTE int __dfsw_strcasecmp(const char *s1, 364 const char *s2, 365 dfsan_label s1_label, 366 dfsan_label s2_label, 367 dfsan_label *ret_label) { 368 size_t bytes_read; 369 int r = dfsan_strncasecmp(s1, s2, 0, &bytes_read); 370 *ret_label = dfsan_get_memcmp_label(s1, s2, bytes_read); 371 return r; 372 } 373 374 SANITIZER_INTERFACE_ATTRIBUTE int __dfso_strcasecmp( 375 const char *s1, const char *s2, dfsan_label s1_label, dfsan_label s2_label, 376 dfsan_label *ret_label, dfsan_origin s1_origin, dfsan_origin s2_origin, 377 dfsan_origin *ret_origin) { 378 size_t bytes_read; 379 int r = dfsan_strncasecmp(s1, s2, 0, &bytes_read); 380 dfsan_get_memcmp_origin(s1, s2, bytes_read, ret_label, ret_origin); 381 return r; 382 } 383 384 DECLARE_WEAK_INTERCEPTOR_HOOK(dfsan_weak_hook_strncmp, uptr caller_pc, 385 const char *s1, const char *s2, size_t n, 386 dfsan_label s1_label, dfsan_label s2_label, 387 dfsan_label n_label) 388 389 DECLARE_WEAK_INTERCEPTOR_HOOK(dfsan_weak_hook_origin_strncmp, uptr caller_pc, 390 const char *s1, const char *s2, size_t n, 391 dfsan_label s1_label, dfsan_label s2_label, 392 dfsan_label n_label, dfsan_origin s1_origin, 393 dfsan_origin s2_origin, dfsan_origin n_origin) 394 395 SANITIZER_INTERFACE_ATTRIBUTE int __dfsw_strncmp(const char *s1, const char *s2, 396 size_t n, dfsan_label s1_label, 397 dfsan_label s2_label, 398 dfsan_label n_label, 399 dfsan_label *ret_label) { 400 if (n == 0) { 401 *ret_label = 0; 402 return 0; 403 } 404 405 CALL_WEAK_INTERCEPTOR_HOOK(dfsan_weak_hook_strncmp, GET_CALLER_PC(), s1, s2, 406 n, s1_label, s2_label, n_label); 407 408 size_t bytes_read; 409 int r = dfsan_strncmp(s1, s2, n, &bytes_read); 410 *ret_label = dfsan_get_memcmp_label(s1, s2, bytes_read); 411 return r; 412 } 413 414 SANITIZER_INTERFACE_ATTRIBUTE int __dfso_strncmp( 415 const char *s1, const char *s2, size_t n, dfsan_label s1_label, 416 dfsan_label s2_label, dfsan_label n_label, dfsan_label *ret_label, 417 dfsan_origin s1_origin, dfsan_origin s2_origin, dfsan_origin n_origin, 418 dfsan_origin *ret_origin) { 419 if (n == 0) { 420 *ret_label = 0; 421 return 0; 422 } 423 424 CALL_WEAK_INTERCEPTOR_HOOK(dfsan_weak_hook_origin_strncmp, GET_CALLER_PC(), 425 s1, s2, n, s1_label, s2_label, n_label, s1_origin, 426 s2_origin, n_origin); 427 428 size_t bytes_read; 429 int r = dfsan_strncmp(s1, s2, n, &bytes_read); 430 dfsan_get_memcmp_origin(s1, s2, bytes_read, ret_label, ret_origin); 431 return r; 432 } 433 434 SANITIZER_INTERFACE_ATTRIBUTE int __dfsw_strncasecmp( 435 const char *s1, const char *s2, size_t n, dfsan_label s1_label, 436 dfsan_label s2_label, dfsan_label n_label, dfsan_label *ret_label) { 437 if (n == 0) { 438 *ret_label = 0; 439 return 0; 440 } 441 442 size_t bytes_read; 443 int r = dfsan_strncasecmp(s1, s2, n, &bytes_read); 444 *ret_label = dfsan_get_memcmp_label(s1, s2, bytes_read); 445 return r; 446 } 447 448 SANITIZER_INTERFACE_ATTRIBUTE int __dfso_strncasecmp( 449 const char *s1, const char *s2, size_t n, dfsan_label s1_label, 450 dfsan_label s2_label, dfsan_label n_label, dfsan_label *ret_label, 451 dfsan_origin s1_origin, dfsan_origin s2_origin, dfsan_origin n_origin, 452 dfsan_origin *ret_origin) { 453 if (n == 0) { 454 *ret_label = 0; 455 return 0; 456 } 457 458 size_t bytes_read; 459 int r = dfsan_strncasecmp(s1, s2, n, &bytes_read); 460 dfsan_get_memcmp_origin(s1, s2, bytes_read, ret_label, ret_origin); 461 return r; 462 } 463 464 465 SANITIZER_INTERFACE_ATTRIBUTE size_t 466 __dfsw_strlen(const char *s, dfsan_label s_label, dfsan_label *ret_label) { 467 size_t ret = strlen(s); 468 if (flags().strict_data_dependencies) { 469 *ret_label = 0; 470 } else { 471 *ret_label = dfsan_read_label(s, ret + 1); 472 } 473 return ret; 474 } 475 476 SANITIZER_INTERFACE_ATTRIBUTE size_t __dfso_strlen(const char *s, 477 dfsan_label s_label, 478 dfsan_label *ret_label, 479 dfsan_origin s_origin, 480 dfsan_origin *ret_origin) { 481 size_t ret = __dfsw_strlen(s, s_label, ret_label); 482 if (!flags().strict_data_dependencies) 483 *ret_origin = dfsan_read_origin_of_first_taint(s, ret + 1); 484 return ret; 485 } 486 487 static void *dfsan_memmove(void *dest, const void *src, size_t n) { 488 dfsan_label *sdest = shadow_for(dest); 489 const dfsan_label *ssrc = shadow_for(src); 490 internal_memmove((void *)sdest, (const void *)ssrc, n * sizeof(dfsan_label)); 491 return internal_memmove(dest, src, n); 492 } 493 494 static void *dfsan_memmove_with_origin(void *dest, const void *src, size_t n) { 495 dfsan_mem_origin_transfer(dest, src, n); 496 return dfsan_memmove(dest, src, n); 497 } 498 499 static void *dfsan_memcpy(void *dest, const void *src, size_t n) { 500 dfsan_label *sdest = shadow_for(dest); 501 const dfsan_label *ssrc = shadow_for(src); 502 internal_memcpy((void *)sdest, (const void *)ssrc, n * sizeof(dfsan_label)); 503 return internal_memcpy(dest, src, n); 504 } 505 506 static void *dfsan_memcpy_with_origin(void *dest, const void *src, size_t n) { 507 dfsan_mem_origin_transfer(dest, src, n); 508 return dfsan_memcpy(dest, src, n); 509 } 510 511 static void dfsan_memset(void *s, int c, dfsan_label c_label, size_t n) { 512 internal_memset(s, c, n); 513 dfsan_set_label(c_label, s, n); 514 } 515 516 static void dfsan_memset_with_origin(void *s, int c, dfsan_label c_label, 517 dfsan_origin c_origin, size_t n) { 518 internal_memset(s, c, n); 519 dfsan_set_label_origin(c_label, c_origin, s, n); 520 } 521 522 SANITIZER_INTERFACE_ATTRIBUTE 523 void *__dfsw_memcpy(void *dest, const void *src, size_t n, 524 dfsan_label dest_label, dfsan_label src_label, 525 dfsan_label n_label, dfsan_label *ret_label) { 526 *ret_label = dest_label; 527 return dfsan_memcpy(dest, src, n); 528 } 529 530 SANITIZER_INTERFACE_ATTRIBUTE 531 void *__dfso_memcpy(void *dest, const void *src, size_t n, 532 dfsan_label dest_label, dfsan_label src_label, 533 dfsan_label n_label, dfsan_label *ret_label, 534 dfsan_origin dest_origin, dfsan_origin src_origin, 535 dfsan_origin n_origin, dfsan_origin *ret_origin) { 536 *ret_label = dest_label; 537 *ret_origin = dest_origin; 538 return dfsan_memcpy_with_origin(dest, src, n); 539 } 540 541 SANITIZER_INTERFACE_ATTRIBUTE 542 void *__dfsw_memmove(void *dest, const void *src, size_t n, 543 dfsan_label dest_label, dfsan_label src_label, 544 dfsan_label n_label, dfsan_label *ret_label) { 545 *ret_label = dest_label; 546 return dfsan_memmove(dest, src, n); 547 } 548 549 SANITIZER_INTERFACE_ATTRIBUTE 550 void *__dfso_memmove(void *dest, const void *src, size_t n, 551 dfsan_label dest_label, dfsan_label src_label, 552 dfsan_label n_label, dfsan_label *ret_label, 553 dfsan_origin dest_origin, dfsan_origin src_origin, 554 dfsan_origin n_origin, dfsan_origin *ret_origin) { 555 *ret_label = dest_label; 556 *ret_origin = dest_origin; 557 return dfsan_memmove_with_origin(dest, src, n); 558 } 559 560 SANITIZER_INTERFACE_ATTRIBUTE 561 void *__dfsw_memset(void *s, int c, size_t n, 562 dfsan_label s_label, dfsan_label c_label, 563 dfsan_label n_label, dfsan_label *ret_label) { 564 dfsan_memset(s, c, c_label, n); 565 *ret_label = s_label; 566 return s; 567 } 568 569 SANITIZER_INTERFACE_ATTRIBUTE 570 void *__dfso_memset(void *s, int c, size_t n, dfsan_label s_label, 571 dfsan_label c_label, dfsan_label n_label, 572 dfsan_label *ret_label, dfsan_origin s_origin, 573 dfsan_origin c_origin, dfsan_origin n_origin, 574 dfsan_origin *ret_origin) { 575 dfsan_memset_with_origin(s, c, c_label, c_origin, n); 576 *ret_label = s_label; 577 *ret_origin = s_origin; 578 return s; 579 } 580 581 SANITIZER_INTERFACE_ATTRIBUTE char *__dfsw_strcat(char *dest, const char *src, 582 dfsan_label dest_label, 583 dfsan_label src_label, 584 dfsan_label *ret_label) { 585 size_t dest_len = strlen(dest); 586 char *ret = strcat(dest, src); // NOLINT 587 dfsan_label *sdest = shadow_for(dest + dest_len); 588 const dfsan_label *ssrc = shadow_for(src); 589 internal_memcpy((void *)sdest, (const void *)ssrc, 590 strlen(src) * sizeof(dfsan_label)); 591 *ret_label = dest_label; 592 return ret; 593 } 594 595 SANITIZER_INTERFACE_ATTRIBUTE char *__dfso_strcat( 596 char *dest, const char *src, dfsan_label dest_label, dfsan_label src_label, 597 dfsan_label *ret_label, dfsan_origin dest_origin, dfsan_origin src_origin, 598 dfsan_origin *ret_origin) { 599 size_t dest_len = strlen(dest); 600 char *ret = strcat(dest, src); // NOLINT 601 dfsan_label *sdest = shadow_for(dest + dest_len); 602 const dfsan_label *ssrc = shadow_for(src); 603 size_t src_len = strlen(src); 604 dfsan_mem_origin_transfer(dest + dest_len, src, src_len); 605 internal_memcpy((void *)sdest, (const void *)ssrc, 606 src_len * sizeof(dfsan_label)); 607 *ret_label = dest_label; 608 *ret_origin = dest_origin; 609 return ret; 610 } 611 612 SANITIZER_INTERFACE_ATTRIBUTE char * 613 __dfsw_strdup(const char *s, dfsan_label s_label, dfsan_label *ret_label) { 614 size_t len = strlen(s); 615 void *p = malloc(len+1); 616 dfsan_memcpy(p, s, len+1); 617 *ret_label = 0; 618 return static_cast<char *>(p); 619 } 620 621 SANITIZER_INTERFACE_ATTRIBUTE char *__dfso_strdup(const char *s, 622 dfsan_label s_label, 623 dfsan_label *ret_label, 624 dfsan_origin s_origin, 625 dfsan_origin *ret_origin) { 626 size_t len = strlen(s); 627 void *p = malloc(len + 1); 628 dfsan_memcpy_with_origin(p, s, len + 1); 629 *ret_label = 0; 630 return static_cast<char *>(p); 631 } 632 633 SANITIZER_INTERFACE_ATTRIBUTE char * 634 __dfsw_strncpy(char *s1, const char *s2, size_t n, dfsan_label s1_label, 635 dfsan_label s2_label, dfsan_label n_label, 636 dfsan_label *ret_label) { 637 size_t len = strlen(s2); 638 if (len < n) { 639 dfsan_memcpy(s1, s2, len+1); 640 dfsan_memset(s1+len+1, 0, 0, n-len-1); 641 } else { 642 dfsan_memcpy(s1, s2, n); 643 } 644 645 *ret_label = s1_label; 646 return s1; 647 } 648 649 SANITIZER_INTERFACE_ATTRIBUTE char *__dfso_strncpy( 650 char *s1, const char *s2, size_t n, dfsan_label s1_label, 651 dfsan_label s2_label, dfsan_label n_label, dfsan_label *ret_label, 652 dfsan_origin s1_origin, dfsan_origin s2_origin, dfsan_origin n_origin, 653 dfsan_origin *ret_origin) { 654 size_t len = strlen(s2); 655 if (len < n) { 656 dfsan_memcpy_with_origin(s1, s2, len + 1); 657 dfsan_memset_with_origin(s1 + len + 1, 0, 0, 0, n - len - 1); 658 } else { 659 dfsan_memcpy_with_origin(s1, s2, n); 660 } 661 662 *ret_label = s1_label; 663 *ret_origin = s1_origin; 664 return s1; 665 } 666 667 SANITIZER_INTERFACE_ATTRIBUTE ssize_t 668 __dfsw_pread(int fd, void *buf, size_t count, off_t offset, 669 dfsan_label fd_label, dfsan_label buf_label, 670 dfsan_label count_label, dfsan_label offset_label, 671 dfsan_label *ret_label) { 672 ssize_t ret = pread(fd, buf, count, offset); 673 if (ret > 0) 674 dfsan_set_label(0, buf, ret); 675 *ret_label = 0; 676 return ret; 677 } 678 679 SANITIZER_INTERFACE_ATTRIBUTE ssize_t __dfso_pread( 680 int fd, void *buf, size_t count, off_t offset, dfsan_label fd_label, 681 dfsan_label buf_label, dfsan_label count_label, dfsan_label offset_label, 682 dfsan_label *ret_label, dfsan_origin fd_origin, dfsan_origin buf_origin, 683 dfsan_origin count_origin, dfsan_label offset_origin, 684 dfsan_origin *ret_origin) { 685 return __dfsw_pread(fd, buf, count, offset, fd_label, buf_label, count_label, 686 offset_label, ret_label); 687 } 688 689 SANITIZER_INTERFACE_ATTRIBUTE ssize_t 690 __dfsw_read(int fd, void *buf, size_t count, 691 dfsan_label fd_label, dfsan_label buf_label, 692 dfsan_label count_label, 693 dfsan_label *ret_label) { 694 ssize_t ret = read(fd, buf, count); 695 if (ret > 0) 696 dfsan_set_label(0, buf, ret); 697 *ret_label = 0; 698 return ret; 699 } 700 701 SANITIZER_INTERFACE_ATTRIBUTE ssize_t __dfso_read( 702 int fd, void *buf, size_t count, dfsan_label fd_label, 703 dfsan_label buf_label, dfsan_label count_label, dfsan_label *ret_label, 704 dfsan_origin fd_origin, dfsan_origin buf_origin, dfsan_origin count_origin, 705 dfsan_origin *ret_origin) { 706 return __dfsw_read(fd, buf, count, fd_label, buf_label, count_label, 707 ret_label); 708 } 709 710 SANITIZER_INTERFACE_ATTRIBUTE int __dfsw_clock_gettime(clockid_t clk_id, 711 struct timespec *tp, 712 dfsan_label clk_id_label, 713 dfsan_label tp_label, 714 dfsan_label *ret_label) { 715 int ret = clock_gettime(clk_id, tp); 716 if (ret == 0) 717 dfsan_set_label(0, tp, sizeof(struct timespec)); 718 *ret_label = 0; 719 return ret; 720 } 721 722 SANITIZER_INTERFACE_ATTRIBUTE int __dfso_clock_gettime( 723 clockid_t clk_id, struct timespec *tp, dfsan_label clk_id_label, 724 dfsan_label tp_label, dfsan_label *ret_label, dfsan_origin clk_id_origin, 725 dfsan_origin tp_origin, dfsan_origin *ret_origin) { 726 return __dfsw_clock_gettime(clk_id, tp, clk_id_label, tp_label, ret_label); 727 } 728 729 static void dfsan_set_zero_label(const void *ptr, uptr size) { 730 dfsan_set_label(0, const_cast<void *>(ptr), size); 731 } 732 733 // dlopen() ultimately calls mmap() down inside the loader, which generally 734 // doesn't participate in dynamic symbol resolution. Therefore we won't 735 // intercept its calls to mmap, and we have to hook it here. 736 SANITIZER_INTERFACE_ATTRIBUTE void * 737 __dfsw_dlopen(const char *filename, int flag, dfsan_label filename_label, 738 dfsan_label flag_label, dfsan_label *ret_label) { 739 void *handle = dlopen(filename, flag); 740 link_map *map = GET_LINK_MAP_BY_DLOPEN_HANDLE(handle); 741 if (map) 742 ForEachMappedRegion(map, dfsan_set_zero_label); 743 *ret_label = 0; 744 return handle; 745 } 746 747 SANITIZER_INTERFACE_ATTRIBUTE void *__dfso_dlopen( 748 const char *filename, int flag, dfsan_label filename_label, 749 dfsan_label flag_label, dfsan_label *ret_label, 750 dfsan_origin filename_origin, dfsan_origin flag_origin, 751 dfsan_origin *ret_origin) { 752 return __dfsw_dlopen(filename, flag, filename_label, flag_label, ret_label); 753 } 754 755 static void *DFsanThreadStartFunc(void *arg) { 756 DFsanThread *t = (DFsanThread *)arg; 757 SetCurrentThread(t); 758 return t->ThreadStart(); 759 } 760 761 static int dfsan_pthread_create(pthread_t *thread, const pthread_attr_t *attr, 762 void *start_routine_trampoline, 763 void *start_routine, void *arg, 764 dfsan_label *ret_label, 765 bool track_origins = false) { 766 pthread_attr_t myattr; 767 if (!attr) { 768 pthread_attr_init(&myattr); 769 attr = &myattr; 770 } 771 772 // Ensure that the thread stack is large enough to hold all TLS data. 773 AdjustStackSize((void *)(const_cast<pthread_attr_t *>(attr))); 774 775 DFsanThread *t = 776 DFsanThread::Create(start_routine_trampoline, 777 (thread_callback_t)start_routine, arg, track_origins); 778 int res = pthread_create(thread, attr, DFsanThreadStartFunc, t); 779 780 if (attr == &myattr) 781 pthread_attr_destroy(&myattr); 782 *ret_label = 0; 783 return res; 784 } 785 786 SANITIZER_INTERFACE_ATTRIBUTE int __dfsw_pthread_create( 787 pthread_t *thread, const pthread_attr_t *attr, 788 void *(*start_routine_trampoline)(void *, void *, dfsan_label, 789 dfsan_label *), 790 void *start_routine, void *arg, dfsan_label thread_label, 791 dfsan_label attr_label, dfsan_label start_routine_label, 792 dfsan_label arg_label, dfsan_label *ret_label) { 793 return dfsan_pthread_create(thread, attr, (void *)start_routine_trampoline, 794 start_routine, arg, ret_label); 795 } 796 797 SANITIZER_INTERFACE_ATTRIBUTE int __dfso_pthread_create( 798 pthread_t *thread, const pthread_attr_t *attr, 799 void *(*start_routine_trampoline)(void *, void *, dfsan_label, 800 dfsan_label *, dfsan_origin, 801 dfsan_origin *), 802 void *start_routine, void *arg, dfsan_label thread_label, 803 dfsan_label attr_label, dfsan_label start_routine_label, 804 dfsan_label arg_label, dfsan_label *ret_label, dfsan_origin thread_origin, 805 dfsan_origin attr_origin, dfsan_origin start_routine_origin, 806 dfsan_origin arg_origin, dfsan_origin *ret_origin) { 807 return dfsan_pthread_create(thread, attr, (void *)start_routine_trampoline, 808 start_routine, arg, ret_label, true); 809 } 810 811 SANITIZER_INTERFACE_ATTRIBUTE int __dfsw_pthread_join(pthread_t thread, 812 void **retval, 813 dfsan_label thread_label, 814 dfsan_label retval_label, 815 dfsan_label *ret_label) { 816 int ret = pthread_join(thread, retval); 817 if (ret == 0 && retval) 818 dfsan_set_label(0, retval, sizeof(*retval)); 819 *ret_label = 0; 820 return ret; 821 } 822 823 SANITIZER_INTERFACE_ATTRIBUTE int __dfso_pthread_join( 824 pthread_t thread, void **retval, dfsan_label thread_label, 825 dfsan_label retval_label, dfsan_label *ret_label, 826 dfsan_origin thread_origin, dfsan_origin retval_origin, 827 dfsan_origin *ret_origin) { 828 return __dfsw_pthread_join(thread, retval, thread_label, retval_label, 829 ret_label); 830 } 831 832 struct dl_iterate_phdr_info { 833 int (*callback_trampoline)(void *callback, struct dl_phdr_info *info, 834 size_t size, void *data, dfsan_label info_label, 835 dfsan_label size_label, dfsan_label data_label, 836 dfsan_label *ret_label); 837 void *callback; 838 void *data; 839 }; 840 841 struct dl_iterate_phdr_origin_info { 842 int (*callback_trampoline)(void *callback, struct dl_phdr_info *info, 843 size_t size, void *data, dfsan_label info_label, 844 dfsan_label size_label, dfsan_label data_label, 845 dfsan_label *ret_label, dfsan_origin info_origin, 846 dfsan_origin size_origin, dfsan_origin data_origin, 847 dfsan_origin *ret_origin); 848 void *callback; 849 void *data; 850 }; 851 852 int dl_iterate_phdr_cb(struct dl_phdr_info *info, size_t size, void *data) { 853 dl_iterate_phdr_info *dipi = (dl_iterate_phdr_info *)data; 854 dfsan_set_label(0, *info); 855 dfsan_set_label(0, const_cast<char *>(info->dlpi_name), 856 strlen(info->dlpi_name) + 1); 857 dfsan_set_label( 858 0, const_cast<char *>(reinterpret_cast<const char *>(info->dlpi_phdr)), 859 sizeof(*info->dlpi_phdr) * info->dlpi_phnum); 860 dfsan_label ret_label; 861 return dipi->callback_trampoline(dipi->callback, info, size, dipi->data, 0, 0, 862 0, &ret_label); 863 } 864 865 int dl_iterate_phdr_origin_cb(struct dl_phdr_info *info, size_t size, 866 void *data) { 867 dl_iterate_phdr_origin_info *dipi = (dl_iterate_phdr_origin_info *)data; 868 dfsan_set_label(0, *info); 869 dfsan_set_label(0, const_cast<char *>(info->dlpi_name), 870 strlen(info->dlpi_name) + 1); 871 dfsan_set_label( 872 0, const_cast<char *>(reinterpret_cast<const char *>(info->dlpi_phdr)), 873 sizeof(*info->dlpi_phdr) * info->dlpi_phnum); 874 dfsan_label ret_label; 875 dfsan_origin ret_origin; 876 return dipi->callback_trampoline(dipi->callback, info, size, dipi->data, 0, 0, 877 0, &ret_label, 0, 0, 0, &ret_origin); 878 } 879 880 SANITIZER_INTERFACE_ATTRIBUTE int __dfsw_dl_iterate_phdr( 881 int (*callback_trampoline)(void *callback, struct dl_phdr_info *info, 882 size_t size, void *data, dfsan_label info_label, 883 dfsan_label size_label, dfsan_label data_label, 884 dfsan_label *ret_label), 885 void *callback, void *data, dfsan_label callback_label, 886 dfsan_label data_label, dfsan_label *ret_label) { 887 dl_iterate_phdr_info dipi = { callback_trampoline, callback, data }; 888 *ret_label = 0; 889 return dl_iterate_phdr(dl_iterate_phdr_cb, &dipi); 890 } 891 892 SANITIZER_INTERFACE_ATTRIBUTE int __dfso_dl_iterate_phdr( 893 int (*callback_trampoline)(void *callback, struct dl_phdr_info *info, 894 size_t size, void *data, dfsan_label info_label, 895 dfsan_label size_label, dfsan_label data_label, 896 dfsan_label *ret_label, dfsan_origin info_origin, 897 dfsan_origin size_origin, 898 dfsan_origin data_origin, 899 dfsan_origin *ret_origin), 900 void *callback, void *data, dfsan_label callback_label, 901 dfsan_label data_label, dfsan_label *ret_label, 902 dfsan_origin callback_origin, dfsan_origin data_origin, 903 dfsan_origin *ret_origin) { 904 dl_iterate_phdr_origin_info dipi = {callback_trampoline, callback, data}; 905 *ret_label = 0; 906 return dl_iterate_phdr(dl_iterate_phdr_origin_cb, &dipi); 907 } 908 909 // This function is only available for glibc 2.27 or newer. Mark it weak so 910 // linking succeeds with older glibcs. 911 SANITIZER_WEAK_ATTRIBUTE void _dl_get_tls_static_info(size_t *sizep, 912 size_t *alignp); 913 914 SANITIZER_INTERFACE_ATTRIBUTE void __dfsw__dl_get_tls_static_info( 915 size_t *sizep, size_t *alignp, dfsan_label sizep_label, 916 dfsan_label alignp_label) { 917 assert(_dl_get_tls_static_info); 918 _dl_get_tls_static_info(sizep, alignp); 919 dfsan_set_label(0, sizep, sizeof(*sizep)); 920 dfsan_set_label(0, alignp, sizeof(*alignp)); 921 } 922 923 SANITIZER_INTERFACE_ATTRIBUTE void __dfso__dl_get_tls_static_info( 924 size_t *sizep, size_t *alignp, dfsan_label sizep_label, 925 dfsan_label alignp_label, dfsan_origin sizep_origin, 926 dfsan_origin alignp_origin) { 927 __dfsw__dl_get_tls_static_info(sizep, alignp, sizep_label, alignp_label); 928 } 929 930 SANITIZER_INTERFACE_ATTRIBUTE 931 char *__dfsw_ctime_r(const time_t *timep, char *buf, dfsan_label timep_label, 932 dfsan_label buf_label, dfsan_label *ret_label) { 933 char *ret = ctime_r(timep, buf); 934 if (ret) { 935 dfsan_set_label(dfsan_read_label(timep, sizeof(time_t)), buf, 936 strlen(buf) + 1); 937 *ret_label = buf_label; 938 } else { 939 *ret_label = 0; 940 } 941 return ret; 942 } 943 944 SANITIZER_INTERFACE_ATTRIBUTE 945 char *__dfso_ctime_r(const time_t *timep, char *buf, dfsan_label timep_label, 946 dfsan_label buf_label, dfsan_label *ret_label, 947 dfsan_origin timep_origin, dfsan_origin buf_origin, 948 dfsan_origin *ret_origin) { 949 char *ret = ctime_r(timep, buf); 950 if (ret) { 951 dfsan_set_label_origin( 952 dfsan_read_label(timep, sizeof(time_t)), 953 dfsan_read_origin_of_first_taint(timep, sizeof(time_t)), buf, 954 strlen(buf) + 1); 955 *ret_label = buf_label; 956 *ret_origin = buf_origin; 957 } else { 958 *ret_label = 0; 959 } 960 return ret; 961 } 962 963 SANITIZER_INTERFACE_ATTRIBUTE 964 char *__dfsw_fgets(char *s, int size, FILE *stream, dfsan_label s_label, 965 dfsan_label size_label, dfsan_label stream_label, 966 dfsan_label *ret_label) { 967 char *ret = fgets(s, size, stream); 968 if (ret) { 969 dfsan_set_label(0, ret, strlen(ret) + 1); 970 *ret_label = s_label; 971 } else { 972 *ret_label = 0; 973 } 974 return ret; 975 } 976 977 SANITIZER_INTERFACE_ATTRIBUTE 978 char *__dfso_fgets(char *s, int size, FILE *stream, dfsan_label s_label, 979 dfsan_label size_label, dfsan_label stream_label, 980 dfsan_label *ret_label, dfsan_origin s_origin, 981 dfsan_origin size_origin, dfsan_origin stream_origin, 982 dfsan_origin *ret_origin) { 983 char *ret = __dfsw_fgets(s, size, stream, s_label, size_label, stream_label, 984 ret_label); 985 if (ret) 986 *ret_origin = s_origin; 987 return ret; 988 } 989 990 SANITIZER_INTERFACE_ATTRIBUTE 991 char *__dfsw_getcwd(char *buf, size_t size, dfsan_label buf_label, 992 dfsan_label size_label, dfsan_label *ret_label) { 993 char *ret = getcwd(buf, size); 994 if (ret) { 995 dfsan_set_label(0, ret, strlen(ret) + 1); 996 *ret_label = buf_label; 997 } else { 998 *ret_label = 0; 999 } 1000 return ret; 1001 } 1002 1003 SANITIZER_INTERFACE_ATTRIBUTE 1004 char *__dfso_getcwd(char *buf, size_t size, dfsan_label buf_label, 1005 dfsan_label size_label, dfsan_label *ret_label, 1006 dfsan_origin buf_origin, dfsan_origin size_origin, 1007 dfsan_origin *ret_origin) { 1008 char *ret = __dfsw_getcwd(buf, size, buf_label, size_label, ret_label); 1009 if (ret) 1010 *ret_origin = buf_origin; 1011 return ret; 1012 } 1013 1014 SANITIZER_INTERFACE_ATTRIBUTE 1015 char *__dfsw_get_current_dir_name(dfsan_label *ret_label) { 1016 char *ret = get_current_dir_name(); 1017 if (ret) 1018 dfsan_set_label(0, ret, strlen(ret) + 1); 1019 *ret_label = 0; 1020 return ret; 1021 } 1022 1023 SANITIZER_INTERFACE_ATTRIBUTE 1024 char *__dfso_get_current_dir_name(dfsan_label *ret_label, 1025 dfsan_origin *ret_origin) { 1026 return __dfsw_get_current_dir_name(ret_label); 1027 } 1028 1029 SANITIZER_INTERFACE_ATTRIBUTE 1030 int __dfsw_gethostname(char *name, size_t len, dfsan_label name_label, 1031 dfsan_label len_label, dfsan_label *ret_label) { 1032 int ret = gethostname(name, len); 1033 if (ret == 0) { 1034 dfsan_set_label(0, name, strlen(name) + 1); 1035 } 1036 *ret_label = 0; 1037 return ret; 1038 } 1039 1040 SANITIZER_INTERFACE_ATTRIBUTE 1041 int __dfso_gethostname(char *name, size_t len, dfsan_label name_label, 1042 dfsan_label len_label, dfsan_label *ret_label, 1043 dfsan_origin name_origin, dfsan_origin len_origin, 1044 dfsan_label *ret_origin) { 1045 return __dfsw_gethostname(name, len, name_label, len_label, ret_label); 1046 } 1047 1048 SANITIZER_INTERFACE_ATTRIBUTE 1049 int __dfsw_getrlimit(int resource, struct rlimit *rlim, 1050 dfsan_label resource_label, dfsan_label rlim_label, 1051 dfsan_label *ret_label) { 1052 int ret = getrlimit(resource, rlim); 1053 if (ret == 0) { 1054 dfsan_set_label(0, rlim, sizeof(struct rlimit)); 1055 } 1056 *ret_label = 0; 1057 return ret; 1058 } 1059 1060 SANITIZER_INTERFACE_ATTRIBUTE 1061 int __dfso_getrlimit(int resource, struct rlimit *rlim, 1062 dfsan_label resource_label, dfsan_label rlim_label, 1063 dfsan_label *ret_label, dfsan_origin resource_origin, 1064 dfsan_origin rlim_origin, dfsan_origin *ret_origin) { 1065 return __dfsw_getrlimit(resource, rlim, resource_label, rlim_label, 1066 ret_label); 1067 } 1068 1069 SANITIZER_INTERFACE_ATTRIBUTE 1070 int __dfsw_getrusage(int who, struct rusage *usage, dfsan_label who_label, 1071 dfsan_label usage_label, dfsan_label *ret_label) { 1072 int ret = getrusage(who, usage); 1073 if (ret == 0) { 1074 dfsan_set_label(0, usage, sizeof(struct rusage)); 1075 } 1076 *ret_label = 0; 1077 return ret; 1078 } 1079 1080 SANITIZER_INTERFACE_ATTRIBUTE 1081 int __dfso_getrusage(int who, struct rusage *usage, dfsan_label who_label, 1082 dfsan_label usage_label, dfsan_label *ret_label, 1083 dfsan_origin who_origin, dfsan_origin usage_origin, 1084 dfsan_label *ret_origin) { 1085 return __dfsw_getrusage(who, usage, who_label, usage_label, ret_label); 1086 } 1087 1088 SANITIZER_INTERFACE_ATTRIBUTE 1089 char *__dfsw_strcpy(char *dest, const char *src, dfsan_label dst_label, 1090 dfsan_label src_label, dfsan_label *ret_label) { 1091 char *ret = strcpy(dest, src); // NOLINT 1092 if (ret) { 1093 internal_memcpy(shadow_for(dest), shadow_for(src), 1094 sizeof(dfsan_label) * (strlen(src) + 1)); 1095 } 1096 *ret_label = dst_label; 1097 return ret; 1098 } 1099 1100 SANITIZER_INTERFACE_ATTRIBUTE 1101 char *__dfso_strcpy(char *dest, const char *src, dfsan_label dst_label, 1102 dfsan_label src_label, dfsan_label *ret_label, 1103 dfsan_origin dst_origin, dfsan_origin src_origin, 1104 dfsan_origin *ret_origin) { 1105 char *ret = strcpy(dest, src); // NOLINT 1106 if (ret) { 1107 size_t str_len = strlen(src) + 1; 1108 dfsan_mem_origin_transfer(dest, src, str_len); 1109 internal_memcpy(shadow_for(dest), shadow_for(src), 1110 sizeof(dfsan_label) * str_len); 1111 } 1112 *ret_label = dst_label; 1113 *ret_origin = dst_origin; 1114 return ret; 1115 } 1116 1117 static long int dfsan_strtol(const char *nptr, char **endptr, int base, 1118 char **tmp_endptr) { 1119 assert(tmp_endptr); 1120 long int ret = strtol(nptr, tmp_endptr, base); 1121 if (endptr) 1122 *endptr = *tmp_endptr; 1123 return ret; 1124 } 1125 1126 static void dfsan_strtolong_label(const char *nptr, const char *tmp_endptr, 1127 dfsan_label base_label, 1128 dfsan_label *ret_label) { 1129 if (tmp_endptr > nptr) { 1130 // If *tmp_endptr is '\0' include its label as well. 1131 *ret_label = dfsan_union( 1132 base_label, 1133 dfsan_read_label(nptr, tmp_endptr - nptr + (*tmp_endptr ? 0 : 1))); 1134 } else { 1135 *ret_label = 0; 1136 } 1137 } 1138 1139 static void dfsan_strtolong_origin(const char *nptr, const char *tmp_endptr, 1140 dfsan_label base_label, 1141 dfsan_label *ret_label, 1142 dfsan_origin base_origin, 1143 dfsan_origin *ret_origin) { 1144 if (tmp_endptr > nptr) { 1145 // When multiple inputs are tainted, we propagate one of its origins. 1146 // Because checking if base_label is tainted does not need additional 1147 // computation, we prefer to propagating base_origin. 1148 *ret_origin = base_label 1149 ? base_origin 1150 : dfsan_read_origin_of_first_taint( 1151 nptr, tmp_endptr - nptr + (*tmp_endptr ? 0 : 1)); 1152 } 1153 } 1154 1155 SANITIZER_INTERFACE_ATTRIBUTE 1156 long int __dfsw_strtol(const char *nptr, char **endptr, int base, 1157 dfsan_label nptr_label, dfsan_label endptr_label, 1158 dfsan_label base_label, dfsan_label *ret_label) { 1159 char *tmp_endptr; 1160 long int ret = dfsan_strtol(nptr, endptr, base, &tmp_endptr); 1161 dfsan_strtolong_label(nptr, tmp_endptr, base_label, ret_label); 1162 return ret; 1163 } 1164 1165 SANITIZER_INTERFACE_ATTRIBUTE 1166 long int __dfso_strtol(const char *nptr, char **endptr, int base, 1167 dfsan_label nptr_label, dfsan_label endptr_label, 1168 dfsan_label base_label, dfsan_label *ret_label, 1169 dfsan_origin nptr_origin, dfsan_origin endptr_origin, 1170 dfsan_origin base_origin, dfsan_origin *ret_origin) { 1171 char *tmp_endptr; 1172 long int ret = dfsan_strtol(nptr, endptr, base, &tmp_endptr); 1173 dfsan_strtolong_label(nptr, tmp_endptr, base_label, ret_label); 1174 dfsan_strtolong_origin(nptr, tmp_endptr, base_label, ret_label, base_origin, 1175 ret_origin); 1176 return ret; 1177 } 1178 1179 static double dfsan_strtod(const char *nptr, char **endptr, char **tmp_endptr) { 1180 assert(tmp_endptr); 1181 double ret = strtod(nptr, tmp_endptr); 1182 if (endptr) 1183 *endptr = *tmp_endptr; 1184 return ret; 1185 } 1186 1187 static void dfsan_strtod_label(const char *nptr, const char *tmp_endptr, 1188 dfsan_label *ret_label) { 1189 if (tmp_endptr > nptr) { 1190 // If *tmp_endptr is '\0' include its label as well. 1191 *ret_label = dfsan_read_label( 1192 nptr, 1193 tmp_endptr - nptr + (*tmp_endptr ? 0 : 1)); 1194 } else { 1195 *ret_label = 0; 1196 } 1197 } 1198 1199 SANITIZER_INTERFACE_ATTRIBUTE 1200 double __dfsw_strtod(const char *nptr, char **endptr, dfsan_label nptr_label, 1201 dfsan_label endptr_label, dfsan_label *ret_label) { 1202 char *tmp_endptr; 1203 double ret = dfsan_strtod(nptr, endptr, &tmp_endptr); 1204 dfsan_strtod_label(nptr, tmp_endptr, ret_label); 1205 return ret; 1206 } 1207 1208 SANITIZER_INTERFACE_ATTRIBUTE 1209 double __dfso_strtod(const char *nptr, char **endptr, dfsan_label nptr_label, 1210 dfsan_label endptr_label, dfsan_label *ret_label, 1211 dfsan_origin nptr_origin, dfsan_origin endptr_origin, 1212 dfsan_origin *ret_origin) { 1213 char *tmp_endptr; 1214 double ret = dfsan_strtod(nptr, endptr, &tmp_endptr); 1215 dfsan_strtod_label(nptr, tmp_endptr, ret_label); 1216 if (tmp_endptr > nptr) { 1217 // If *tmp_endptr is '\0' include its label as well. 1218 *ret_origin = dfsan_read_origin_of_first_taint( 1219 nptr, tmp_endptr - nptr + (*tmp_endptr ? 0 : 1)); 1220 } else { 1221 *ret_origin = 0; 1222 } 1223 return ret; 1224 } 1225 1226 static long long int dfsan_strtoll(const char *nptr, char **endptr, int base, 1227 char **tmp_endptr) { 1228 assert(tmp_endptr); 1229 long long int ret = strtoll(nptr, tmp_endptr, base); 1230 if (endptr) 1231 *endptr = *tmp_endptr; 1232 return ret; 1233 } 1234 1235 SANITIZER_INTERFACE_ATTRIBUTE 1236 long long int __dfsw_strtoll(const char *nptr, char **endptr, int base, 1237 dfsan_label nptr_label, dfsan_label endptr_label, 1238 dfsan_label base_label, dfsan_label *ret_label) { 1239 char *tmp_endptr; 1240 long long int ret = dfsan_strtoll(nptr, endptr, base, &tmp_endptr); 1241 dfsan_strtolong_label(nptr, tmp_endptr, base_label, ret_label); 1242 return ret; 1243 } 1244 1245 SANITIZER_INTERFACE_ATTRIBUTE 1246 long long int __dfso_strtoll(const char *nptr, char **endptr, int base, 1247 dfsan_label nptr_label, dfsan_label endptr_label, 1248 dfsan_label base_label, dfsan_label *ret_label, 1249 dfsan_origin nptr_origin, 1250 dfsan_origin endptr_origin, 1251 dfsan_origin base_origin, 1252 dfsan_origin *ret_origin) { 1253 char *tmp_endptr; 1254 long long int ret = dfsan_strtoll(nptr, endptr, base, &tmp_endptr); 1255 dfsan_strtolong_label(nptr, tmp_endptr, base_label, ret_label); 1256 dfsan_strtolong_origin(nptr, tmp_endptr, base_label, ret_label, base_origin, 1257 ret_origin); 1258 return ret; 1259 } 1260 1261 static unsigned long int dfsan_strtoul(const char *nptr, char **endptr, 1262 int base, char **tmp_endptr) { 1263 assert(tmp_endptr); 1264 unsigned long int ret = strtoul(nptr, tmp_endptr, base); 1265 if (endptr) 1266 *endptr = *tmp_endptr; 1267 return ret; 1268 } 1269 1270 SANITIZER_INTERFACE_ATTRIBUTE 1271 unsigned long int __dfsw_strtoul(const char *nptr, char **endptr, int base, 1272 dfsan_label nptr_label, dfsan_label endptr_label, 1273 dfsan_label base_label, dfsan_label *ret_label) { 1274 char *tmp_endptr; 1275 unsigned long int ret = dfsan_strtoul(nptr, endptr, base, &tmp_endptr); 1276 dfsan_strtolong_label(nptr, tmp_endptr, base_label, ret_label); 1277 return ret; 1278 } 1279 1280 SANITIZER_INTERFACE_ATTRIBUTE 1281 unsigned long int __dfso_strtoul( 1282 const char *nptr, char **endptr, int base, dfsan_label nptr_label, 1283 dfsan_label endptr_label, dfsan_label base_label, dfsan_label *ret_label, 1284 dfsan_origin nptr_origin, dfsan_origin endptr_origin, 1285 dfsan_origin base_origin, dfsan_origin *ret_origin) { 1286 char *tmp_endptr; 1287 unsigned long int ret = dfsan_strtoul(nptr, endptr, base, &tmp_endptr); 1288 dfsan_strtolong_label(nptr, tmp_endptr, base_label, ret_label); 1289 dfsan_strtolong_origin(nptr, tmp_endptr, base_label, ret_label, base_origin, 1290 ret_origin); 1291 return ret; 1292 } 1293 1294 static long long unsigned int dfsan_strtoull(const char *nptr, char **endptr, 1295 int base, char **tmp_endptr) { 1296 assert(tmp_endptr); 1297 long long unsigned int ret = strtoull(nptr, tmp_endptr, base); 1298 if (endptr) 1299 *endptr = *tmp_endptr; 1300 return ret; 1301 } 1302 1303 SANITIZER_INTERFACE_ATTRIBUTE 1304 long long unsigned int __dfsw_strtoull(const char *nptr, char **endptr, 1305 int base, dfsan_label nptr_label, 1306 dfsan_label endptr_label, 1307 dfsan_label base_label, 1308 dfsan_label *ret_label) { 1309 char *tmp_endptr; 1310 long long unsigned int ret = dfsan_strtoull(nptr, endptr, base, &tmp_endptr); 1311 dfsan_strtolong_label(nptr, tmp_endptr, base_label, ret_label); 1312 return ret; 1313 } 1314 1315 SANITIZER_INTERFACE_ATTRIBUTE 1316 long long unsigned int __dfso_strtoull( 1317 const char *nptr, char **endptr, int base, dfsan_label nptr_label, 1318 dfsan_label endptr_label, dfsan_label base_label, dfsan_label *ret_label, 1319 dfsan_origin nptr_origin, dfsan_origin endptr_origin, 1320 dfsan_origin base_origin, dfsan_origin *ret_origin) { 1321 char *tmp_endptr; 1322 long long unsigned int ret = dfsan_strtoull(nptr, endptr, base, &tmp_endptr); 1323 dfsan_strtolong_label(nptr, tmp_endptr, base_label, ret_label); 1324 dfsan_strtolong_origin(nptr, tmp_endptr, base_label, ret_label, base_origin, 1325 ret_origin); 1326 return ret; 1327 } 1328 1329 SANITIZER_INTERFACE_ATTRIBUTE 1330 time_t __dfsw_time(time_t *t, dfsan_label t_label, dfsan_label *ret_label) { 1331 time_t ret = time(t); 1332 if (ret != (time_t) -1 && t) { 1333 dfsan_set_label(0, t, sizeof(time_t)); 1334 } 1335 *ret_label = 0; 1336 return ret; 1337 } 1338 1339 SANITIZER_INTERFACE_ATTRIBUTE 1340 time_t __dfso_time(time_t *t, dfsan_label t_label, dfsan_label *ret_label, 1341 dfsan_origin t_origin, dfsan_origin *ret_origin) { 1342 return __dfsw_time(t, t_label, ret_label); 1343 } 1344 1345 SANITIZER_INTERFACE_ATTRIBUTE 1346 int __dfsw_inet_pton(int af, const char *src, void *dst, dfsan_label af_label, 1347 dfsan_label src_label, dfsan_label dst_label, 1348 dfsan_label *ret_label) { 1349 int ret = inet_pton(af, src, dst); 1350 if (ret == 1) { 1351 dfsan_set_label(dfsan_read_label(src, strlen(src) + 1), dst, 1352 af == AF_INET ? sizeof(struct in_addr) : sizeof(in6_addr)); 1353 } 1354 *ret_label = 0; 1355 return ret; 1356 } 1357 1358 SANITIZER_INTERFACE_ATTRIBUTE 1359 int __dfso_inet_pton(int af, const char *src, void *dst, dfsan_label af_label, 1360 dfsan_label src_label, dfsan_label dst_label, 1361 dfsan_label *ret_label, dfsan_origin af_origin, 1362 dfsan_origin src_origin, dfsan_origin dst_origin, 1363 dfsan_origin *ret_origin) { 1364 int ret = inet_pton(af, src, dst); 1365 if (ret == 1) { 1366 int src_len = strlen(src) + 1; 1367 dfsan_set_label_origin( 1368 dfsan_read_label(src, src_len), 1369 dfsan_read_origin_of_first_taint(src, src_len), dst, 1370 af == AF_INET ? sizeof(struct in_addr) : sizeof(in6_addr)); 1371 } 1372 *ret_label = 0; 1373 return ret; 1374 } 1375 1376 SANITIZER_INTERFACE_ATTRIBUTE 1377 struct tm *__dfsw_localtime_r(const time_t *timep, struct tm *result, 1378 dfsan_label timep_label, dfsan_label result_label, 1379 dfsan_label *ret_label) { 1380 struct tm *ret = localtime_r(timep, result); 1381 if (ret) { 1382 dfsan_set_label(dfsan_read_label(timep, sizeof(time_t)), result, 1383 sizeof(struct tm)); 1384 *ret_label = result_label; 1385 } else { 1386 *ret_label = 0; 1387 } 1388 return ret; 1389 } 1390 1391 SANITIZER_INTERFACE_ATTRIBUTE 1392 struct tm *__dfso_localtime_r(const time_t *timep, struct tm *result, 1393 dfsan_label timep_label, dfsan_label result_label, 1394 dfsan_label *ret_label, dfsan_origin timep_origin, 1395 dfsan_origin result_origin, 1396 dfsan_origin *ret_origin) { 1397 struct tm *ret = localtime_r(timep, result); 1398 if (ret) { 1399 dfsan_set_label_origin( 1400 dfsan_read_label(timep, sizeof(time_t)), 1401 dfsan_read_origin_of_first_taint(timep, sizeof(time_t)), result, 1402 sizeof(struct tm)); 1403 *ret_label = result_label; 1404 *ret_origin = result_origin; 1405 } else { 1406 *ret_label = 0; 1407 } 1408 return ret; 1409 } 1410 1411 SANITIZER_INTERFACE_ATTRIBUTE 1412 int __dfsw_getpwuid_r(id_t uid, struct passwd *pwd, 1413 char *buf, size_t buflen, struct passwd **result, 1414 dfsan_label uid_label, dfsan_label pwd_label, 1415 dfsan_label buf_label, dfsan_label buflen_label, 1416 dfsan_label result_label, dfsan_label *ret_label) { 1417 // Store the data in pwd, the strings referenced from pwd in buf, and the 1418 // address of pwd in *result. On failure, NULL is stored in *result. 1419 int ret = getpwuid_r(uid, pwd, buf, buflen, result); 1420 if (ret == 0) { 1421 dfsan_set_label(0, pwd, sizeof(struct passwd)); 1422 dfsan_set_label(0, buf, strlen(buf) + 1); 1423 } 1424 *ret_label = 0; 1425 dfsan_set_label(0, result, sizeof(struct passwd*)); 1426 return ret; 1427 } 1428 1429 SANITIZER_INTERFACE_ATTRIBUTE 1430 int __dfso_getpwuid_r(id_t uid, struct passwd *pwd, char *buf, size_t buflen, 1431 struct passwd **result, dfsan_label uid_label, 1432 dfsan_label pwd_label, dfsan_label buf_label, 1433 dfsan_label buflen_label, dfsan_label result_label, 1434 dfsan_label *ret_label, dfsan_origin uid_origin, 1435 dfsan_origin pwd_origin, dfsan_origin buf_origin, 1436 dfsan_origin buflen_origin, dfsan_origin result_origin, 1437 dfsan_origin *ret_origin) { 1438 return __dfsw_getpwuid_r(uid, pwd, buf, buflen, result, uid_label, pwd_label, 1439 buf_label, buflen_label, result_label, ret_label); 1440 } 1441 1442 SANITIZER_INTERFACE_ATTRIBUTE 1443 int __dfsw_epoll_wait(int epfd, struct epoll_event *events, int maxevents, 1444 int timeout, dfsan_label epfd_label, 1445 dfsan_label events_label, dfsan_label maxevents_label, 1446 dfsan_label timeout_label, dfsan_label *ret_label) { 1447 int ret = epoll_wait(epfd, events, maxevents, timeout); 1448 if (ret > 0) 1449 dfsan_set_label(0, events, ret * sizeof(*events)); 1450 *ret_label = 0; 1451 return ret; 1452 } 1453 1454 SANITIZER_INTERFACE_ATTRIBUTE 1455 int __dfso_epoll_wait(int epfd, struct epoll_event *events, int maxevents, 1456 int timeout, dfsan_label epfd_label, 1457 dfsan_label events_label, dfsan_label maxevents_label, 1458 dfsan_label timeout_label, dfsan_label *ret_label, 1459 dfsan_origin epfd_origin, dfsan_origin events_origin, 1460 dfsan_origin maxevents_origin, 1461 dfsan_origin timeout_origin, dfsan_origin *ret_origin) { 1462 return __dfsw_epoll_wait(epfd, events, maxevents, timeout, epfd_label, 1463 events_label, maxevents_label, timeout_label, 1464 ret_label); 1465 } 1466 1467 SANITIZER_INTERFACE_ATTRIBUTE 1468 int __dfsw_poll(struct pollfd *fds, nfds_t nfds, int timeout, 1469 dfsan_label dfs_label, dfsan_label nfds_label, 1470 dfsan_label timeout_label, dfsan_label *ret_label) { 1471 int ret = poll(fds, nfds, timeout); 1472 if (ret >= 0) { 1473 for (; nfds > 0; --nfds) { 1474 dfsan_set_label(0, &fds[nfds - 1].revents, sizeof(fds[nfds - 1].revents)); 1475 } 1476 } 1477 *ret_label = 0; 1478 return ret; 1479 } 1480 1481 SANITIZER_INTERFACE_ATTRIBUTE 1482 int __dfso_poll(struct pollfd *fds, nfds_t nfds, int timeout, 1483 dfsan_label dfs_label, dfsan_label nfds_label, 1484 dfsan_label timeout_label, dfsan_label *ret_label, 1485 dfsan_origin dfs_origin, dfsan_origin nfds_origin, 1486 dfsan_origin timeout_origin, dfsan_origin *ret_origin) { 1487 return __dfsw_poll(fds, nfds, timeout, dfs_label, nfds_label, timeout_label, 1488 ret_label); 1489 } 1490 1491 SANITIZER_INTERFACE_ATTRIBUTE 1492 int __dfsw_select(int nfds, fd_set *readfds, fd_set *writefds, 1493 fd_set *exceptfds, struct timeval *timeout, 1494 dfsan_label nfds_label, dfsan_label readfds_label, 1495 dfsan_label writefds_label, dfsan_label exceptfds_label, 1496 dfsan_label timeout_label, dfsan_label *ret_label) { 1497 int ret = select(nfds, readfds, writefds, exceptfds, timeout); 1498 // Clear everything (also on error) since their content is either set or 1499 // undefined. 1500 if (readfds) { 1501 dfsan_set_label(0, readfds, sizeof(fd_set)); 1502 } 1503 if (writefds) { 1504 dfsan_set_label(0, writefds, sizeof(fd_set)); 1505 } 1506 if (exceptfds) { 1507 dfsan_set_label(0, exceptfds, sizeof(fd_set)); 1508 } 1509 dfsan_set_label(0, timeout, sizeof(struct timeval)); 1510 *ret_label = 0; 1511 return ret; 1512 } 1513 1514 SANITIZER_INTERFACE_ATTRIBUTE 1515 int __dfso_select(int nfds, fd_set *readfds, fd_set *writefds, 1516 fd_set *exceptfds, struct timeval *timeout, 1517 dfsan_label nfds_label, dfsan_label readfds_label, 1518 dfsan_label writefds_label, dfsan_label exceptfds_label, 1519 dfsan_label timeout_label, dfsan_label *ret_label, 1520 dfsan_origin nfds_origin, dfsan_origin readfds_origin, 1521 dfsan_origin writefds_origin, dfsan_origin exceptfds_origin, 1522 dfsan_origin timeout_origin, dfsan_origin *ret_origin) { 1523 return __dfsw_select(nfds, readfds, writefds, exceptfds, timeout, nfds_label, 1524 readfds_label, writefds_label, exceptfds_label, 1525 timeout_label, ret_label); 1526 } 1527 1528 SANITIZER_INTERFACE_ATTRIBUTE 1529 int __dfsw_sched_getaffinity(pid_t pid, size_t cpusetsize, cpu_set_t *mask, 1530 dfsan_label pid_label, 1531 dfsan_label cpusetsize_label, 1532 dfsan_label mask_label, dfsan_label *ret_label) { 1533 int ret = sched_getaffinity(pid, cpusetsize, mask); 1534 if (ret == 0) { 1535 dfsan_set_label(0, mask, cpusetsize); 1536 } 1537 *ret_label = 0; 1538 return ret; 1539 } 1540 1541 SANITIZER_INTERFACE_ATTRIBUTE 1542 int __dfso_sched_getaffinity(pid_t pid, size_t cpusetsize, cpu_set_t *mask, 1543 dfsan_label pid_label, 1544 dfsan_label cpusetsize_label, 1545 dfsan_label mask_label, dfsan_label *ret_label, 1546 dfsan_origin pid_origin, 1547 dfsan_origin cpusetsize_origin, 1548 dfsan_origin mask_origin, 1549 dfsan_origin *ret_origin) { 1550 return __dfsw_sched_getaffinity(pid, cpusetsize, mask, pid_label, 1551 cpusetsize_label, mask_label, ret_label); 1552 } 1553 1554 SANITIZER_INTERFACE_ATTRIBUTE 1555 int __dfsw_sigemptyset(sigset_t *set, dfsan_label set_label, 1556 dfsan_label *ret_label) { 1557 int ret = sigemptyset(set); 1558 dfsan_set_label(0, set, sizeof(sigset_t)); 1559 *ret_label = 0; 1560 return ret; 1561 } 1562 1563 SANITIZER_INTERFACE_ATTRIBUTE 1564 int __dfso_sigemptyset(sigset_t *set, dfsan_label set_label, 1565 dfsan_label *ret_label, dfsan_origin set_origin, 1566 dfsan_origin *ret_origin) { 1567 return __dfsw_sigemptyset(set, set_label, ret_label); 1568 } 1569 1570 class SignalHandlerScope { 1571 public: 1572 SignalHandlerScope() { 1573 if (DFsanThread *t = GetCurrentThread()) 1574 t->EnterSignalHandler(); 1575 } 1576 ~SignalHandlerScope() { 1577 if (DFsanThread *t = GetCurrentThread()) 1578 t->LeaveSignalHandler(); 1579 } 1580 }; 1581 1582 // Clear DFSan runtime TLS state at the end of a scope. 1583 // 1584 // Implementation must be async-signal-safe and use small data size, because 1585 // instances of this class may live on the signal handler stack. 1586 // 1587 // DFSan uses TLS to pass metadata of arguments and return values. When an 1588 // instrumented function accesses the TLS, if a signal callback happens, and the 1589 // callback calls other instrumented functions with updating the same TLS, the 1590 // TLS is in an inconsistent state after the callback ends. This may cause 1591 // either under-tainting or over-tainting. 1592 // 1593 // The current implementation simply resets TLS at restore. This prevents from 1594 // over-tainting. Although under-tainting may still happen, a taint flow can be 1595 // found eventually if we run a DFSan-instrumented program multiple times. The 1596 // alternative option is saving the entire TLS. However the TLS storage takes 1597 // 2k bytes, and signal calls could be nested. So it does not seem worth. 1598 class ScopedClearThreadLocalState { 1599 public: 1600 ScopedClearThreadLocalState() {} 1601 ~ScopedClearThreadLocalState() { dfsan_clear_thread_local_state(); } 1602 }; 1603 1604 // SignalSpinLocker::sigactions_mu guarantees atomicity of sigaction() calls. 1605 const int kMaxSignals = 1024; 1606 static atomic_uintptr_t sigactions[kMaxSignals]; 1607 1608 static void SignalHandler(int signo) { 1609 SignalHandlerScope signal_handler_scope; 1610 ScopedClearThreadLocalState scoped_clear_tls; 1611 1612 // Clear shadows for all inputs provided by system. This is why DFSan 1613 // instrumentation generates a trampoline function to each function pointer, 1614 // and uses the trampoline to clear shadows. However sigaction does not use 1615 // a function pointer directly, so we have to do this manually. 1616 dfsan_clear_arg_tls(0, sizeof(dfsan_label)); 1617 1618 typedef void (*signal_cb)(int x); 1619 signal_cb cb = 1620 (signal_cb)atomic_load(&sigactions[signo], memory_order_relaxed); 1621 cb(signo); 1622 } 1623 1624 static void SignalAction(int signo, siginfo_t *si, void *uc) { 1625 SignalHandlerScope signal_handler_scope; 1626 ScopedClearThreadLocalState scoped_clear_tls; 1627 1628 // Clear shadows for all inputs provided by system. Similar to SignalHandler. 1629 dfsan_clear_arg_tls(0, 3 * sizeof(dfsan_label)); 1630 dfsan_set_label(0, si, sizeof(*si)); 1631 dfsan_set_label(0, uc, sizeof(ucontext_t)); 1632 1633 typedef void (*sigaction_cb)(int, siginfo_t *, void *); 1634 sigaction_cb cb = 1635 (sigaction_cb)atomic_load(&sigactions[signo], memory_order_relaxed); 1636 cb(signo, si, uc); 1637 } 1638 1639 SANITIZER_INTERFACE_ATTRIBUTE 1640 int __dfsw_sigaction(int signum, const struct sigaction *act, 1641 struct sigaction *oldact, dfsan_label signum_label, 1642 dfsan_label act_label, dfsan_label oldact_label, 1643 dfsan_label *ret_label) { 1644 CHECK_LT(signum, kMaxSignals); 1645 SignalSpinLocker lock; 1646 uptr old_cb = atomic_load(&sigactions[signum], memory_order_relaxed); 1647 struct sigaction new_act; 1648 struct sigaction *pnew_act = act ? &new_act : nullptr; 1649 if (act) { 1650 internal_memcpy(pnew_act, act, sizeof(struct sigaction)); 1651 if (pnew_act->sa_flags & SA_SIGINFO) { 1652 uptr cb = (uptr)(pnew_act->sa_sigaction); 1653 if (cb != (uptr)SIG_IGN && cb != (uptr)SIG_DFL) { 1654 atomic_store(&sigactions[signum], cb, memory_order_relaxed); 1655 pnew_act->sa_sigaction = SignalAction; 1656 } 1657 } else { 1658 uptr cb = (uptr)(pnew_act->sa_handler); 1659 if (cb != (uptr)SIG_IGN && cb != (uptr)SIG_DFL) { 1660 atomic_store(&sigactions[signum], cb, memory_order_relaxed); 1661 pnew_act->sa_handler = SignalHandler; 1662 } 1663 } 1664 } 1665 1666 int ret = sigaction(signum, pnew_act, oldact); 1667 1668 if (ret == 0 && oldact) { 1669 if (oldact->sa_flags & SA_SIGINFO) { 1670 if (oldact->sa_sigaction == SignalAction) 1671 oldact->sa_sigaction = (decltype(oldact->sa_sigaction))old_cb; 1672 } else { 1673 if (oldact->sa_handler == SignalHandler) 1674 oldact->sa_handler = (decltype(oldact->sa_handler))old_cb; 1675 } 1676 } 1677 1678 if (oldact) { 1679 dfsan_set_label(0, oldact, sizeof(struct sigaction)); 1680 } 1681 *ret_label = 0; 1682 return ret; 1683 } 1684 1685 SANITIZER_INTERFACE_ATTRIBUTE 1686 int __dfso_sigaction(int signum, const struct sigaction *act, 1687 struct sigaction *oldact, dfsan_label signum_label, 1688 dfsan_label act_label, dfsan_label oldact_label, 1689 dfsan_label *ret_label, dfsan_origin signum_origin, 1690 dfsan_origin act_origin, dfsan_origin oldact_origin, 1691 dfsan_origin *ret_origin) { 1692 return __dfsw_sigaction(signum, act, oldact, signum_label, act_label, 1693 oldact_label, ret_label); 1694 } 1695 1696 static sighandler_t dfsan_signal(int signum, sighandler_t handler, 1697 dfsan_label *ret_label) { 1698 CHECK_LT(signum, kMaxSignals); 1699 SignalSpinLocker lock; 1700 uptr old_cb = atomic_load(&sigactions[signum], memory_order_relaxed); 1701 if (handler != SIG_IGN && handler != SIG_DFL) { 1702 atomic_store(&sigactions[signum], (uptr)handler, memory_order_relaxed); 1703 handler = &SignalHandler; 1704 } 1705 1706 sighandler_t ret = signal(signum, handler); 1707 1708 if (ret == SignalHandler) 1709 ret = (sighandler_t)old_cb; 1710 1711 *ret_label = 0; 1712 return ret; 1713 } 1714 1715 SANITIZER_INTERFACE_ATTRIBUTE 1716 sighandler_t __dfsw_signal(int signum, 1717 void *(*handler_trampoline)(void *, int, dfsan_label, 1718 dfsan_label *), 1719 sighandler_t handler, dfsan_label signum_label, 1720 dfsan_label handler_label, dfsan_label *ret_label) { 1721 return dfsan_signal(signum, handler, ret_label); 1722 } 1723 1724 SANITIZER_INTERFACE_ATTRIBUTE 1725 sighandler_t __dfso_signal( 1726 int signum, 1727 void *(*handler_trampoline)(void *, int, dfsan_label, dfsan_label *, 1728 dfsan_origin, dfsan_origin *), 1729 sighandler_t handler, dfsan_label signum_label, dfsan_label handler_label, 1730 dfsan_label *ret_label, dfsan_origin signum_origin, 1731 dfsan_origin handler_origin, dfsan_origin *ret_origin) { 1732 return dfsan_signal(signum, handler, ret_label); 1733 } 1734 1735 SANITIZER_INTERFACE_ATTRIBUTE 1736 int __dfsw_sigaltstack(const stack_t *ss, stack_t *old_ss, dfsan_label ss_label, 1737 dfsan_label old_ss_label, dfsan_label *ret_label) { 1738 int ret = sigaltstack(ss, old_ss); 1739 if (ret != -1 && old_ss) 1740 dfsan_set_label(0, old_ss, sizeof(*old_ss)); 1741 *ret_label = 0; 1742 return ret; 1743 } 1744 1745 SANITIZER_INTERFACE_ATTRIBUTE 1746 int __dfso_sigaltstack(const stack_t *ss, stack_t *old_ss, dfsan_label ss_label, 1747 dfsan_label old_ss_label, dfsan_label *ret_label, 1748 dfsan_origin ss_origin, dfsan_origin old_ss_origin, 1749 dfsan_origin *ret_origin) { 1750 return __dfsw_sigaltstack(ss, old_ss, ss_label, old_ss_label, ret_label); 1751 } 1752 1753 SANITIZER_INTERFACE_ATTRIBUTE 1754 int __dfsw_gettimeofday(struct timeval *tv, struct timezone *tz, 1755 dfsan_label tv_label, dfsan_label tz_label, 1756 dfsan_label *ret_label) { 1757 int ret = gettimeofday(tv, tz); 1758 if (tv) { 1759 dfsan_set_label(0, tv, sizeof(struct timeval)); 1760 } 1761 if (tz) { 1762 dfsan_set_label(0, tz, sizeof(struct timezone)); 1763 } 1764 *ret_label = 0; 1765 return ret; 1766 } 1767 1768 SANITIZER_INTERFACE_ATTRIBUTE 1769 int __dfso_gettimeofday(struct timeval *tv, struct timezone *tz, 1770 dfsan_label tv_label, dfsan_label tz_label, 1771 dfsan_label *ret_label, dfsan_origin tv_origin, 1772 dfsan_origin tz_origin, dfsan_origin *ret_origin) { 1773 return __dfsw_gettimeofday(tv, tz, tv_label, tz_label, ret_label); 1774 } 1775 1776 SANITIZER_INTERFACE_ATTRIBUTE void *__dfsw_memchr(void *s, int c, size_t n, 1777 dfsan_label s_label, 1778 dfsan_label c_label, 1779 dfsan_label n_label, 1780 dfsan_label *ret_label) { 1781 void *ret = memchr(s, c, n); 1782 if (flags().strict_data_dependencies) { 1783 *ret_label = ret ? s_label : 0; 1784 } else { 1785 size_t len = 1786 ret ? reinterpret_cast<char *>(ret) - reinterpret_cast<char *>(s) + 1 1787 : n; 1788 *ret_label = 1789 dfsan_union(dfsan_read_label(s, len), dfsan_union(s_label, c_label)); 1790 } 1791 return ret; 1792 } 1793 1794 SANITIZER_INTERFACE_ATTRIBUTE void *__dfso_memchr( 1795 void *s, int c, size_t n, dfsan_label s_label, dfsan_label c_label, 1796 dfsan_label n_label, dfsan_label *ret_label, dfsan_origin s_origin, 1797 dfsan_origin c_origin, dfsan_origin n_origin, dfsan_origin *ret_origin) { 1798 void *ret = __dfsw_memchr(s, c, n, s_label, c_label, n_label, ret_label); 1799 if (flags().strict_data_dependencies) { 1800 if (ret) 1801 *ret_origin = s_origin; 1802 } else { 1803 size_t len = 1804 ret ? reinterpret_cast<char *>(ret) - reinterpret_cast<char *>(s) + 1 1805 : n; 1806 dfsan_origin o = dfsan_read_origin_of_first_taint(s, len); 1807 *ret_origin = o ? o : (s_label ? s_origin : c_origin); 1808 } 1809 return ret; 1810 } 1811 1812 SANITIZER_INTERFACE_ATTRIBUTE char *__dfsw_strrchr(char *s, int c, 1813 dfsan_label s_label, 1814 dfsan_label c_label, 1815 dfsan_label *ret_label) { 1816 char *ret = strrchr(s, c); 1817 if (flags().strict_data_dependencies) { 1818 *ret_label = ret ? s_label : 0; 1819 } else { 1820 *ret_label = 1821 dfsan_union(dfsan_read_label(s, strlen(s) + 1), 1822 dfsan_union(s_label, c_label)); 1823 } 1824 1825 return ret; 1826 } 1827 1828 SANITIZER_INTERFACE_ATTRIBUTE char *__dfso_strrchr( 1829 char *s, int c, dfsan_label s_label, dfsan_label c_label, 1830 dfsan_label *ret_label, dfsan_origin s_origin, dfsan_origin c_origin, 1831 dfsan_origin *ret_origin) { 1832 char *ret = __dfsw_strrchr(s, c, s_label, c_label, ret_label); 1833 if (flags().strict_data_dependencies) { 1834 if (ret) 1835 *ret_origin = s_origin; 1836 } else { 1837 size_t s_len = strlen(s) + 1; 1838 dfsan_origin o = dfsan_read_origin_of_first_taint(s, s_len); 1839 *ret_origin = o ? o : (s_label ? s_origin : c_origin); 1840 } 1841 1842 return ret; 1843 } 1844 1845 SANITIZER_INTERFACE_ATTRIBUTE char *__dfsw_strstr(char *haystack, char *needle, 1846 dfsan_label haystack_label, 1847 dfsan_label needle_label, 1848 dfsan_label *ret_label) { 1849 char *ret = strstr(haystack, needle); 1850 if (flags().strict_data_dependencies) { 1851 *ret_label = ret ? haystack_label : 0; 1852 } else { 1853 size_t len = ret ? ret + strlen(needle) - haystack : strlen(haystack) + 1; 1854 *ret_label = 1855 dfsan_union(dfsan_read_label(haystack, len), 1856 dfsan_union(dfsan_read_label(needle, strlen(needle) + 1), 1857 dfsan_union(haystack_label, needle_label))); 1858 } 1859 1860 return ret; 1861 } 1862 1863 SANITIZER_INTERFACE_ATTRIBUTE char *__dfso_strstr(char *haystack, char *needle, 1864 dfsan_label haystack_label, 1865 dfsan_label needle_label, 1866 dfsan_label *ret_label, 1867 dfsan_origin haystack_origin, 1868 dfsan_origin needle_origin, 1869 dfsan_origin *ret_origin) { 1870 char *ret = 1871 __dfsw_strstr(haystack, needle, haystack_label, needle_label, ret_label); 1872 if (flags().strict_data_dependencies) { 1873 if (ret) 1874 *ret_origin = haystack_origin; 1875 } else { 1876 size_t needle_len = strlen(needle); 1877 size_t len = ret ? ret + needle_len - haystack : strlen(haystack) + 1; 1878 dfsan_origin o = dfsan_read_origin_of_first_taint(haystack, len); 1879 if (o) { 1880 *ret_origin = o; 1881 } else { 1882 o = dfsan_read_origin_of_first_taint(needle, needle_len + 1); 1883 *ret_origin = o ? o : (haystack_label ? haystack_origin : needle_origin); 1884 } 1885 } 1886 1887 return ret; 1888 } 1889 1890 SANITIZER_INTERFACE_ATTRIBUTE int __dfsw_nanosleep(const struct timespec *req, 1891 struct timespec *rem, 1892 dfsan_label req_label, 1893 dfsan_label rem_label, 1894 dfsan_label *ret_label) { 1895 int ret = nanosleep(req, rem); 1896 *ret_label = 0; 1897 if (ret == -1) { 1898 // Interrupted by a signal, rem is filled with the remaining time. 1899 dfsan_set_label(0, rem, sizeof(struct timespec)); 1900 } 1901 return ret; 1902 } 1903 1904 SANITIZER_INTERFACE_ATTRIBUTE int __dfso_nanosleep( 1905 const struct timespec *req, struct timespec *rem, dfsan_label req_label, 1906 dfsan_label rem_label, dfsan_label *ret_label, dfsan_origin req_origin, 1907 dfsan_origin rem_origin, dfsan_origin *ret_origin) { 1908 return __dfsw_nanosleep(req, rem, req_label, rem_label, ret_label); 1909 } 1910 1911 static void clear_msghdr_labels(size_t bytes_written, struct msghdr *msg) { 1912 dfsan_set_label(0, msg, sizeof(*msg)); 1913 dfsan_set_label(0, msg->msg_name, msg->msg_namelen); 1914 dfsan_set_label(0, msg->msg_control, msg->msg_controllen); 1915 for (size_t i = 0; bytes_written > 0; ++i) { 1916 assert(i < msg->msg_iovlen); 1917 struct iovec *iov = &msg->msg_iov[i]; 1918 size_t iov_written = 1919 bytes_written < iov->iov_len ? bytes_written : iov->iov_len; 1920 dfsan_set_label(0, iov->iov_base, iov_written); 1921 bytes_written -= iov_written; 1922 } 1923 } 1924 1925 SANITIZER_INTERFACE_ATTRIBUTE int __dfsw_recvmmsg( 1926 int sockfd, struct mmsghdr *msgvec, unsigned int vlen, int flags, 1927 struct timespec *timeout, dfsan_label sockfd_label, 1928 dfsan_label msgvec_label, dfsan_label vlen_label, dfsan_label flags_label, 1929 dfsan_label timeout_label, dfsan_label *ret_label) { 1930 int ret = recvmmsg(sockfd, msgvec, vlen, flags, timeout); 1931 for (int i = 0; i < ret; ++i) { 1932 dfsan_set_label(0, &msgvec[i].msg_len, sizeof(msgvec[i].msg_len)); 1933 clear_msghdr_labels(msgvec[i].msg_len, &msgvec[i].msg_hdr); 1934 } 1935 *ret_label = 0; 1936 return ret; 1937 } 1938 1939 SANITIZER_INTERFACE_ATTRIBUTE int __dfso_recvmmsg( 1940 int sockfd, struct mmsghdr *msgvec, unsigned int vlen, int flags, 1941 struct timespec *timeout, dfsan_label sockfd_label, 1942 dfsan_label msgvec_label, dfsan_label vlen_label, dfsan_label flags_label, 1943 dfsan_label timeout_label, dfsan_label *ret_label, 1944 dfsan_origin sockfd_origin, dfsan_origin msgvec_origin, 1945 dfsan_origin vlen_origin, dfsan_origin flags_origin, 1946 dfsan_origin timeout_origin, dfsan_origin *ret_origin) { 1947 return __dfsw_recvmmsg(sockfd, msgvec, vlen, flags, timeout, sockfd_label, 1948 msgvec_label, vlen_label, flags_label, timeout_label, 1949 ret_label); 1950 } 1951 1952 SANITIZER_INTERFACE_ATTRIBUTE ssize_t __dfsw_recvmsg( 1953 int sockfd, struct msghdr *msg, int flags, dfsan_label sockfd_label, 1954 dfsan_label msg_label, dfsan_label flags_label, dfsan_label *ret_label) { 1955 ssize_t ret = recvmsg(sockfd, msg, flags); 1956 if (ret >= 0) 1957 clear_msghdr_labels(ret, msg); 1958 *ret_label = 0; 1959 return ret; 1960 } 1961 1962 SANITIZER_INTERFACE_ATTRIBUTE ssize_t __dfso_recvmsg( 1963 int sockfd, struct msghdr *msg, int flags, dfsan_label sockfd_label, 1964 dfsan_label msg_label, dfsan_label flags_label, dfsan_label *ret_label, 1965 dfsan_origin sockfd_origin, dfsan_origin msg_origin, 1966 dfsan_origin flags_origin, dfsan_origin *ret_origin) { 1967 return __dfsw_recvmsg(sockfd, msg, flags, sockfd_label, msg_label, 1968 flags_label, ret_label); 1969 } 1970 1971 SANITIZER_INTERFACE_ATTRIBUTE int 1972 __dfsw_socketpair(int domain, int type, int protocol, int sv[2], 1973 dfsan_label domain_label, dfsan_label type_label, 1974 dfsan_label protocol_label, dfsan_label sv_label, 1975 dfsan_label *ret_label) { 1976 int ret = socketpair(domain, type, protocol, sv); 1977 *ret_label = 0; 1978 if (ret == 0) { 1979 dfsan_set_label(0, sv, sizeof(*sv) * 2); 1980 } 1981 return ret; 1982 } 1983 1984 SANITIZER_INTERFACE_ATTRIBUTE int __dfso_socketpair( 1985 int domain, int type, int protocol, int sv[2], dfsan_label domain_label, 1986 dfsan_label type_label, dfsan_label protocol_label, dfsan_label sv_label, 1987 dfsan_label *ret_label, dfsan_origin domain_origin, 1988 dfsan_origin type_origin, dfsan_origin protocol_origin, 1989 dfsan_origin sv_origin, dfsan_origin *ret_origin) { 1990 return __dfsw_socketpair(domain, type, protocol, sv, domain_label, type_label, 1991 protocol_label, sv_label, ret_label); 1992 } 1993 1994 SANITIZER_INTERFACE_ATTRIBUTE int __dfsw_getsockopt( 1995 int sockfd, int level, int optname, void *optval, socklen_t *optlen, 1996 dfsan_label sockfd_label, dfsan_label level_label, 1997 dfsan_label optname_label, dfsan_label optval_label, 1998 dfsan_label optlen_label, dfsan_label *ret_label) { 1999 int ret = getsockopt(sockfd, level, optname, optval, optlen); 2000 if (ret != -1 && optval && optlen) { 2001 dfsan_set_label(0, optlen, sizeof(*optlen)); 2002 dfsan_set_label(0, optval, *optlen); 2003 } 2004 *ret_label = 0; 2005 return ret; 2006 } 2007 2008 SANITIZER_INTERFACE_ATTRIBUTE int __dfso_getsockopt( 2009 int sockfd, int level, int optname, void *optval, socklen_t *optlen, 2010 dfsan_label sockfd_label, dfsan_label level_label, 2011 dfsan_label optname_label, dfsan_label optval_label, 2012 dfsan_label optlen_label, dfsan_label *ret_label, 2013 dfsan_origin sockfd_origin, dfsan_origin level_origin, 2014 dfsan_origin optname_origin, dfsan_origin optval_origin, 2015 dfsan_origin optlen_origin, dfsan_origin *ret_origin) { 2016 return __dfsw_getsockopt(sockfd, level, optname, optval, optlen, sockfd_label, 2017 level_label, optname_label, optval_label, 2018 optlen_label, ret_label); 2019 } 2020 2021 SANITIZER_INTERFACE_ATTRIBUTE int __dfsw_getsockname( 2022 int sockfd, struct sockaddr *addr, socklen_t *addrlen, 2023 dfsan_label sockfd_label, dfsan_label addr_label, dfsan_label addrlen_label, 2024 dfsan_label *ret_label) { 2025 socklen_t origlen = addrlen ? *addrlen : 0; 2026 int ret = getsockname(sockfd, addr, addrlen); 2027 if (ret != -1 && addr && addrlen) { 2028 socklen_t written_bytes = origlen < *addrlen ? origlen : *addrlen; 2029 dfsan_set_label(0, addrlen, sizeof(*addrlen)); 2030 dfsan_set_label(0, addr, written_bytes); 2031 } 2032 *ret_label = 0; 2033 return ret; 2034 } 2035 2036 SANITIZER_INTERFACE_ATTRIBUTE int __dfso_getsockname( 2037 int sockfd, struct sockaddr *addr, socklen_t *addrlen, 2038 dfsan_label sockfd_label, dfsan_label addr_label, dfsan_label addrlen_label, 2039 dfsan_label *ret_label, dfsan_origin sockfd_origin, 2040 dfsan_origin addr_origin, dfsan_origin addrlen_origin, 2041 dfsan_origin *ret_origin) { 2042 return __dfsw_getsockname(sockfd, addr, addrlen, sockfd_label, addr_label, 2043 addrlen_label, ret_label); 2044 } 2045 2046 SANITIZER_INTERFACE_ATTRIBUTE int __dfsw_getpeername( 2047 int sockfd, struct sockaddr *addr, socklen_t *addrlen, 2048 dfsan_label sockfd_label, dfsan_label addr_label, dfsan_label addrlen_label, 2049 dfsan_label *ret_label) { 2050 socklen_t origlen = addrlen ? *addrlen : 0; 2051 int ret = getpeername(sockfd, addr, addrlen); 2052 if (ret != -1 && addr && addrlen) { 2053 socklen_t written_bytes = origlen < *addrlen ? origlen : *addrlen; 2054 dfsan_set_label(0, addrlen, sizeof(*addrlen)); 2055 dfsan_set_label(0, addr, written_bytes); 2056 } 2057 *ret_label = 0; 2058 return ret; 2059 } 2060 2061 SANITIZER_INTERFACE_ATTRIBUTE int __dfso_getpeername( 2062 int sockfd, struct sockaddr *addr, socklen_t *addrlen, 2063 dfsan_label sockfd_label, dfsan_label addr_label, dfsan_label addrlen_label, 2064 dfsan_label *ret_label, dfsan_origin sockfd_origin, 2065 dfsan_origin addr_origin, dfsan_origin addrlen_origin, 2066 dfsan_origin *ret_origin) { 2067 return __dfsw_getpeername(sockfd, addr, addrlen, sockfd_label, addr_label, 2068 addrlen_label, ret_label); 2069 } 2070 2071 // Type of the trampoline function passed to the custom version of 2072 // dfsan_set_write_callback. 2073 typedef void (*write_trampoline_t)( 2074 void *callback, 2075 int fd, const void *buf, ssize_t count, 2076 dfsan_label fd_label, dfsan_label buf_label, dfsan_label count_label); 2077 2078 typedef void (*write_origin_trampoline_t)( 2079 void *callback, int fd, const void *buf, ssize_t count, 2080 dfsan_label fd_label, dfsan_label buf_label, dfsan_label count_label, 2081 dfsan_origin fd_origin, dfsan_origin buf_origin, dfsan_origin count_origin); 2082 2083 // Calls to dfsan_set_write_callback() set the values in this struct. 2084 // Calls to the custom version of write() read (and invoke) them. 2085 static struct { 2086 write_trampoline_t write_callback_trampoline = nullptr; 2087 void *write_callback = nullptr; 2088 } write_callback_info; 2089 2090 static struct { 2091 write_origin_trampoline_t write_callback_trampoline = nullptr; 2092 void *write_callback = nullptr; 2093 } write_origin_callback_info; 2094 2095 SANITIZER_INTERFACE_ATTRIBUTE void 2096 __dfsw_dfsan_set_write_callback( 2097 write_trampoline_t write_callback_trampoline, 2098 void *write_callback, 2099 dfsan_label write_callback_label, 2100 dfsan_label *ret_label) { 2101 write_callback_info.write_callback_trampoline = write_callback_trampoline; 2102 write_callback_info.write_callback = write_callback; 2103 } 2104 2105 SANITIZER_INTERFACE_ATTRIBUTE void __dfso_dfsan_set_write_callback( 2106 write_origin_trampoline_t write_callback_trampoline, void *write_callback, 2107 dfsan_label write_callback_label, dfsan_label *ret_label, 2108 dfsan_origin write_callback_origin, dfsan_origin *ret_origin) { 2109 write_origin_callback_info.write_callback_trampoline = 2110 write_callback_trampoline; 2111 write_origin_callback_info.write_callback = write_callback; 2112 } 2113 2114 SANITIZER_INTERFACE_ATTRIBUTE int 2115 __dfsw_write(int fd, const void *buf, size_t count, 2116 dfsan_label fd_label, dfsan_label buf_label, 2117 dfsan_label count_label, dfsan_label *ret_label) { 2118 if (write_callback_info.write_callback) { 2119 write_callback_info.write_callback_trampoline( 2120 write_callback_info.write_callback, 2121 fd, buf, count, 2122 fd_label, buf_label, count_label); 2123 } 2124 2125 *ret_label = 0; 2126 return write(fd, buf, count); 2127 } 2128 2129 SANITIZER_INTERFACE_ATTRIBUTE int __dfso_write( 2130 int fd, const void *buf, size_t count, dfsan_label fd_label, 2131 dfsan_label buf_label, dfsan_label count_label, dfsan_label *ret_label, 2132 dfsan_origin fd_origin, dfsan_origin buf_origin, dfsan_origin count_origin, 2133 dfsan_origin *ret_origin) { 2134 if (write_origin_callback_info.write_callback) { 2135 write_origin_callback_info.write_callback_trampoline( 2136 write_origin_callback_info.write_callback, fd, buf, count, fd_label, 2137 buf_label, count_label, fd_origin, buf_origin, count_origin); 2138 } 2139 2140 *ret_label = 0; 2141 return write(fd, buf, count); 2142 } 2143 } // namespace __dfsan 2144 2145 // Type used to extract a dfsan_label with va_arg() 2146 typedef int dfsan_label_va; 2147 2148 // Formats a chunk either a constant string or a single format directive (e.g., 2149 // '%.3f'). 2150 struct Formatter { 2151 Formatter(char *str_, const char *fmt_, size_t size_) 2152 : str(str_), str_off(0), size(size_), fmt_start(fmt_), fmt_cur(fmt_), 2153 width(-1) {} 2154 2155 int format() { 2156 char *tmp_fmt = build_format_string(); 2157 int retval = 2158 snprintf(str + str_off, str_off < size ? size - str_off : 0, tmp_fmt, 2159 0 /* used only to avoid warnings */); 2160 free(tmp_fmt); 2161 return retval; 2162 } 2163 2164 template <typename T> int format(T arg) { 2165 char *tmp_fmt = build_format_string(); 2166 int retval; 2167 if (width >= 0) { 2168 retval = snprintf(str + str_off, str_off < size ? size - str_off : 0, 2169 tmp_fmt, width, arg); 2170 } else { 2171 retval = snprintf(str + str_off, str_off < size ? size - str_off : 0, 2172 tmp_fmt, arg); 2173 } 2174 free(tmp_fmt); 2175 return retval; 2176 } 2177 2178 char *build_format_string() { 2179 size_t fmt_size = fmt_cur - fmt_start + 1; 2180 char *new_fmt = (char *)malloc(fmt_size + 1); 2181 assert(new_fmt); 2182 internal_memcpy(new_fmt, fmt_start, fmt_size); 2183 new_fmt[fmt_size] = '\0'; 2184 return new_fmt; 2185 } 2186 2187 char *str_cur() { return str + str_off; } 2188 2189 size_t num_written_bytes(int retval) { 2190 if (retval < 0) { 2191 return 0; 2192 } 2193 2194 size_t num_avail = str_off < size ? size - str_off : 0; 2195 if (num_avail == 0) { 2196 return 0; 2197 } 2198 2199 size_t num_written = retval; 2200 // A return value of {v,}snprintf of size or more means that the output was 2201 // truncated. 2202 if (num_written >= num_avail) { 2203 num_written -= num_avail; 2204 } 2205 2206 return num_written; 2207 } 2208 2209 char *str; 2210 size_t str_off; 2211 size_t size; 2212 const char *fmt_start; 2213 const char *fmt_cur; 2214 int width; 2215 }; 2216 2217 // Formats the input and propagates the input labels to the output. The output 2218 // is stored in 'str'. 'size' bounds the number of output bytes. 'format' and 2219 // 'ap' are the format string and the list of arguments for formatting. Returns 2220 // the return value vsnprintf would return. 2221 // 2222 // The function tokenizes the format string in chunks representing either a 2223 // constant string or a single format directive (e.g., '%.3f') and formats each 2224 // chunk independently into the output string. This approach allows to figure 2225 // out which bytes of the output string depends on which argument and thus to 2226 // propagate labels more precisely. 2227 // 2228 // WARNING: This implementation does not support conversion specifiers with 2229 // positional arguments. 2230 static int format_buffer(char *str, size_t size, const char *fmt, 2231 dfsan_label *va_labels, dfsan_label *ret_label, 2232 dfsan_origin *va_origins, dfsan_origin *ret_origin, 2233 va_list ap) { 2234 Formatter formatter(str, fmt, size); 2235 2236 while (*formatter.fmt_cur) { 2237 formatter.fmt_start = formatter.fmt_cur; 2238 formatter.width = -1; 2239 int retval = 0; 2240 2241 if (*formatter.fmt_cur != '%') { 2242 // Ordinary character. Consume all the characters until a '%' or the end 2243 // of the string. 2244 for (; *(formatter.fmt_cur + 1) && *(formatter.fmt_cur + 1) != '%'; 2245 ++formatter.fmt_cur) {} 2246 retval = formatter.format(); 2247 dfsan_set_label(0, formatter.str_cur(), 2248 formatter.num_written_bytes(retval)); 2249 } else { 2250 // Conversion directive. Consume all the characters until a conversion 2251 // specifier or the end of the string. 2252 bool end_fmt = false; 2253 for (; *formatter.fmt_cur && !end_fmt; ) { 2254 switch (*++formatter.fmt_cur) { 2255 case 'd': 2256 case 'i': 2257 case 'o': 2258 case 'u': 2259 case 'x': 2260 case 'X': 2261 switch (*(formatter.fmt_cur - 1)) { 2262 case 'h': 2263 // Also covers the 'hh' case (since the size of the arg is still 2264 // an int). 2265 retval = formatter.format(va_arg(ap, int)); 2266 break; 2267 case 'l': 2268 if (formatter.fmt_cur - formatter.fmt_start >= 2 && 2269 *(formatter.fmt_cur - 2) == 'l') { 2270 retval = formatter.format(va_arg(ap, long long int)); 2271 } else { 2272 retval = formatter.format(va_arg(ap, long int)); 2273 } 2274 break; 2275 case 'q': 2276 retval = formatter.format(va_arg(ap, long long int)); 2277 break; 2278 case 'j': 2279 retval = formatter.format(va_arg(ap, intmax_t)); 2280 break; 2281 case 'z': 2282 case 't': 2283 retval = formatter.format(va_arg(ap, size_t)); 2284 break; 2285 default: 2286 retval = formatter.format(va_arg(ap, int)); 2287 } 2288 if (va_origins == nullptr) 2289 dfsan_set_label(*va_labels++, formatter.str_cur(), 2290 formatter.num_written_bytes(retval)); 2291 else 2292 dfsan_set_label_origin(*va_labels++, *va_origins++, 2293 formatter.str_cur(), 2294 formatter.num_written_bytes(retval)); 2295 end_fmt = true; 2296 break; 2297 2298 case 'a': 2299 case 'A': 2300 case 'e': 2301 case 'E': 2302 case 'f': 2303 case 'F': 2304 case 'g': 2305 case 'G': 2306 if (*(formatter.fmt_cur - 1) == 'L') { 2307 retval = formatter.format(va_arg(ap, long double)); 2308 } else { 2309 retval = formatter.format(va_arg(ap, double)); 2310 } 2311 if (va_origins == nullptr) 2312 dfsan_set_label(*va_labels++, formatter.str_cur(), 2313 formatter.num_written_bytes(retval)); 2314 else 2315 dfsan_set_label_origin(*va_labels++, *va_origins++, 2316 formatter.str_cur(), 2317 formatter.num_written_bytes(retval)); 2318 end_fmt = true; 2319 break; 2320 2321 case 'c': 2322 retval = formatter.format(va_arg(ap, int)); 2323 if (va_origins == nullptr) 2324 dfsan_set_label(*va_labels++, formatter.str_cur(), 2325 formatter.num_written_bytes(retval)); 2326 else 2327 dfsan_set_label_origin(*va_labels++, *va_origins++, 2328 formatter.str_cur(), 2329 formatter.num_written_bytes(retval)); 2330 end_fmt = true; 2331 break; 2332 2333 case 's': { 2334 char *arg = va_arg(ap, char *); 2335 retval = formatter.format(arg); 2336 if (va_origins) { 2337 va_origins++; 2338 dfsan_mem_origin_transfer(formatter.str_cur(), arg, 2339 formatter.num_written_bytes(retval)); 2340 } 2341 va_labels++; 2342 internal_memcpy(shadow_for(formatter.str_cur()), shadow_for(arg), 2343 sizeof(dfsan_label) * 2344 formatter.num_written_bytes(retval)); 2345 end_fmt = true; 2346 break; 2347 } 2348 2349 case 'p': 2350 retval = formatter.format(va_arg(ap, void *)); 2351 if (va_origins == nullptr) 2352 dfsan_set_label(*va_labels++, formatter.str_cur(), 2353 formatter.num_written_bytes(retval)); 2354 else 2355 dfsan_set_label_origin(*va_labels++, *va_origins++, 2356 formatter.str_cur(), 2357 formatter.num_written_bytes(retval)); 2358 end_fmt = true; 2359 break; 2360 2361 case 'n': { 2362 int *ptr = va_arg(ap, int *); 2363 *ptr = (int)formatter.str_off; 2364 va_labels++; 2365 if (va_origins) 2366 va_origins++; 2367 dfsan_set_label(0, ptr, sizeof(ptr)); 2368 end_fmt = true; 2369 break; 2370 } 2371 2372 case '%': 2373 retval = formatter.format(); 2374 dfsan_set_label(0, formatter.str_cur(), 2375 formatter.num_written_bytes(retval)); 2376 end_fmt = true; 2377 break; 2378 2379 case '*': 2380 formatter.width = va_arg(ap, int); 2381 va_labels++; 2382 if (va_origins) 2383 va_origins++; 2384 break; 2385 2386 default: 2387 break; 2388 } 2389 } 2390 } 2391 2392 if (retval < 0) { 2393 return retval; 2394 } 2395 2396 formatter.fmt_cur++; 2397 formatter.str_off += retval; 2398 } 2399 2400 *ret_label = 0; 2401 if (ret_origin) 2402 *ret_origin = 0; 2403 2404 // Number of bytes written in total. 2405 return formatter.str_off; 2406 } 2407 2408 extern "C" { 2409 SANITIZER_INTERFACE_ATTRIBUTE 2410 int __dfsw_sprintf(char *str, const char *format, dfsan_label str_label, 2411 dfsan_label format_label, dfsan_label *va_labels, 2412 dfsan_label *ret_label, ...) { 2413 va_list ap; 2414 va_start(ap, ret_label); 2415 int ret = format_buffer(str, ~0ul, format, va_labels, ret_label, nullptr, 2416 nullptr, ap); 2417 va_end(ap); 2418 return ret; 2419 } 2420 2421 SANITIZER_INTERFACE_ATTRIBUTE 2422 int __dfso_sprintf(char *str, const char *format, dfsan_label str_label, 2423 dfsan_label format_label, dfsan_label *va_labels, 2424 dfsan_label *ret_label, dfsan_origin str_origin, 2425 dfsan_origin format_origin, dfsan_origin *va_origins, 2426 dfsan_origin *ret_origin, ...) { 2427 va_list ap; 2428 va_start(ap, ret_origin); 2429 int ret = format_buffer(str, ~0ul, format, va_labels, ret_label, va_origins, 2430 ret_origin, ap); 2431 va_end(ap); 2432 return ret; 2433 } 2434 2435 SANITIZER_INTERFACE_ATTRIBUTE 2436 int __dfsw_snprintf(char *str, size_t size, const char *format, 2437 dfsan_label str_label, dfsan_label size_label, 2438 dfsan_label format_label, dfsan_label *va_labels, 2439 dfsan_label *ret_label, ...) { 2440 va_list ap; 2441 va_start(ap, ret_label); 2442 int ret = format_buffer(str, size, format, va_labels, ret_label, nullptr, 2443 nullptr, ap); 2444 va_end(ap); 2445 return ret; 2446 } 2447 2448 SANITIZER_INTERFACE_ATTRIBUTE 2449 int __dfso_snprintf(char *str, size_t size, const char *format, 2450 dfsan_label str_label, dfsan_label size_label, 2451 dfsan_label format_label, dfsan_label *va_labels, 2452 dfsan_label *ret_label, dfsan_origin str_origin, 2453 dfsan_origin size_origin, dfsan_origin format_origin, 2454 dfsan_origin *va_origins, dfsan_origin *ret_origin, ...) { 2455 va_list ap; 2456 va_start(ap, ret_origin); 2457 int ret = format_buffer(str, size, format, va_labels, ret_label, va_origins, 2458 ret_origin, ap); 2459 va_end(ap); 2460 return ret; 2461 } 2462 2463 static void BeforeFork() { 2464 StackDepotLockAll(); 2465 GetChainedOriginDepot()->LockAll(); 2466 } 2467 2468 static void AfterFork() { 2469 GetChainedOriginDepot()->UnlockAll(); 2470 StackDepotUnlockAll(); 2471 } 2472 2473 SANITIZER_INTERFACE_ATTRIBUTE 2474 pid_t __dfsw_fork(dfsan_label *ret_label) { 2475 pid_t pid = fork(); 2476 *ret_label = 0; 2477 return pid; 2478 } 2479 2480 SANITIZER_INTERFACE_ATTRIBUTE 2481 pid_t __dfso_fork(dfsan_label *ret_label, dfsan_origin *ret_origin) { 2482 BeforeFork(); 2483 pid_t pid = __dfsw_fork(ret_label); 2484 AfterFork(); 2485 return pid; 2486 } 2487 2488 // Default empty implementations (weak). Users should redefine them. 2489 SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_pc_guard, u32 *) {} 2490 SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_pc_guard_init, u32 *, 2491 u32 *) {} 2492 SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_pcs_init, void) {} 2493 SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_pc_indir, void) {} 2494 2495 SANITIZER_INTERFACE_WEAK_DEF(void, __dfsw___sanitizer_cov_trace_cmp, void) {} 2496 SANITIZER_INTERFACE_WEAK_DEF(void, __dfsw___sanitizer_cov_trace_cmp1, void) {} 2497 SANITIZER_INTERFACE_WEAK_DEF(void, __dfsw___sanitizer_cov_trace_cmp2, void) {} 2498 SANITIZER_INTERFACE_WEAK_DEF(void, __dfsw___sanitizer_cov_trace_cmp4, void) {} 2499 SANITIZER_INTERFACE_WEAK_DEF(void, __dfsw___sanitizer_cov_trace_cmp8, void) {} 2500 SANITIZER_INTERFACE_WEAK_DEF(void, __dfsw___sanitizer_cov_trace_const_cmp1, 2501 void) {} 2502 SANITIZER_INTERFACE_WEAK_DEF(void, __dfsw___sanitizer_cov_trace_const_cmp2, 2503 void) {} 2504 SANITIZER_INTERFACE_WEAK_DEF(void, __dfsw___sanitizer_cov_trace_const_cmp4, 2505 void) {} 2506 SANITIZER_INTERFACE_WEAK_DEF(void, __dfsw___sanitizer_cov_trace_const_cmp8, 2507 void) {} 2508 SANITIZER_INTERFACE_WEAK_DEF(void, __dfsw___sanitizer_cov_trace_switch, void) {} 2509 } // extern "C" 2510