1 /* 2 * UBSAN error reporting functions 3 * 4 * Copyright (c) 2014 Samsung Electronics Co., Ltd. 5 * Author: Andrey Ryabinin <ryabinin.a.a@gmail.com> 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License version 2 as 9 * published by the Free Software Foundation. 10 * 11 */ 12 13 #include <linux/bitops.h> 14 #include <linux/bug.h> 15 #include <linux/ctype.h> 16 #include <linux/init.h> 17 #include <linux/kernel.h> 18 #include <linux/types.h> 19 #include <linux/sched.h> 20 21 #include "ubsan.h" 22 23 const char *type_check_kinds[] = { 24 "load of", 25 "store to", 26 "reference binding to", 27 "member access within", 28 "member call on", 29 "constructor call on", 30 "downcast of", 31 "downcast of" 32 }; 33 34 #define REPORTED_BIT 31 35 36 #if (BITS_PER_LONG == 64) && defined(__BIG_ENDIAN) 37 #define COLUMN_MASK (~(1U << REPORTED_BIT)) 38 #define LINE_MASK (~0U) 39 #else 40 #define COLUMN_MASK (~0U) 41 #define LINE_MASK (~(1U << REPORTED_BIT)) 42 #endif 43 44 #define VALUE_LENGTH 40 45 46 static bool was_reported(struct source_location *location) 47 { 48 return test_and_set_bit(REPORTED_BIT, &location->reported); 49 } 50 51 static void print_source_location(const char *prefix, 52 struct source_location *loc) 53 { 54 pr_err("%s %s:%d:%d\n", prefix, loc->file_name, 55 loc->line & LINE_MASK, loc->column & COLUMN_MASK); 56 } 57 58 static bool suppress_report(struct source_location *loc) 59 { 60 return current->in_ubsan || was_reported(loc); 61 } 62 63 static bool type_is_int(struct type_descriptor *type) 64 { 65 return type->type_kind == type_kind_int; 66 } 67 68 static bool type_is_signed(struct type_descriptor *type) 69 { 70 WARN_ON(!type_is_int(type)); 71 return type->type_info & 1; 72 } 73 74 static unsigned type_bit_width(struct type_descriptor *type) 75 { 76 return 1 << (type->type_info >> 1); 77 } 78 79 static bool is_inline_int(struct type_descriptor *type) 80 { 81 unsigned inline_bits = sizeof(unsigned long)*8; 82 unsigned bits = type_bit_width(type); 83 84 WARN_ON(!type_is_int(type)); 85 86 return bits <= inline_bits; 87 } 88 89 static s_max get_signed_val(struct type_descriptor *type, unsigned long val) 90 { 91 if (is_inline_int(type)) { 92 unsigned extra_bits = sizeof(s_max)*8 - type_bit_width(type); 93 return ((s_max)val) << extra_bits >> extra_bits; 94 } 95 96 if (type_bit_width(type) == 64) 97 return *(s64 *)val; 98 99 return *(s_max *)val; 100 } 101 102 static bool val_is_negative(struct type_descriptor *type, unsigned long val) 103 { 104 return type_is_signed(type) && get_signed_val(type, val) < 0; 105 } 106 107 static u_max get_unsigned_val(struct type_descriptor *type, unsigned long val) 108 { 109 if (is_inline_int(type)) 110 return val; 111 112 if (type_bit_width(type) == 64) 113 return *(u64 *)val; 114 115 return *(u_max *)val; 116 } 117 118 static void val_to_string(char *str, size_t size, struct type_descriptor *type, 119 unsigned long value) 120 { 121 if (type_is_int(type)) { 122 if (type_bit_width(type) == 128) { 123 #if defined(CONFIG_ARCH_SUPPORTS_INT128) && defined(__SIZEOF_INT128__) 124 u_max val = get_unsigned_val(type, value); 125 126 scnprintf(str, size, "0x%08x%08x%08x%08x", 127 (u32)(val >> 96), 128 (u32)(val >> 64), 129 (u32)(val >> 32), 130 (u32)(val)); 131 #else 132 WARN_ON(1); 133 #endif 134 } else if (type_is_signed(type)) { 135 scnprintf(str, size, "%lld", 136 (s64)get_signed_val(type, value)); 137 } else { 138 scnprintf(str, size, "%llu", 139 (u64)get_unsigned_val(type, value)); 140 } 141 } 142 } 143 144 static bool location_is_valid(struct source_location *loc) 145 { 146 return loc->file_name != NULL; 147 } 148 149 static DEFINE_SPINLOCK(report_lock); 150 151 static void ubsan_prologue(struct source_location *location, 152 unsigned long *flags) 153 { 154 current->in_ubsan++; 155 spin_lock_irqsave(&report_lock, *flags); 156 157 pr_err("========================================" 158 "========================================\n"); 159 print_source_location("UBSAN: Undefined behaviour in", location); 160 } 161 162 static void ubsan_epilogue(unsigned long *flags) 163 { 164 dump_stack(); 165 pr_err("========================================" 166 "========================================\n"); 167 spin_unlock_irqrestore(&report_lock, *flags); 168 current->in_ubsan--; 169 } 170 171 static void handle_overflow(struct overflow_data *data, unsigned long lhs, 172 unsigned long rhs, char op) 173 { 174 175 struct type_descriptor *type = data->type; 176 unsigned long flags; 177 char lhs_val_str[VALUE_LENGTH]; 178 char rhs_val_str[VALUE_LENGTH]; 179 180 if (suppress_report(&data->location)) 181 return; 182 183 ubsan_prologue(&data->location, &flags); 184 185 val_to_string(lhs_val_str, sizeof(lhs_val_str), type, lhs); 186 val_to_string(rhs_val_str, sizeof(rhs_val_str), type, rhs); 187 pr_err("%s integer overflow:\n", 188 type_is_signed(type) ? "signed" : "unsigned"); 189 pr_err("%s %c %s cannot be represented in type %s\n", 190 lhs_val_str, 191 op, 192 rhs_val_str, 193 type->type_name); 194 195 ubsan_epilogue(&flags); 196 } 197 198 void __ubsan_handle_add_overflow(struct overflow_data *data, 199 unsigned long lhs, 200 unsigned long rhs) 201 { 202 203 handle_overflow(data, lhs, rhs, '+'); 204 } 205 EXPORT_SYMBOL(__ubsan_handle_add_overflow); 206 207 void __ubsan_handle_sub_overflow(struct overflow_data *data, 208 unsigned long lhs, 209 unsigned long rhs) 210 { 211 handle_overflow(data, lhs, rhs, '-'); 212 } 213 EXPORT_SYMBOL(__ubsan_handle_sub_overflow); 214 215 void __ubsan_handle_mul_overflow(struct overflow_data *data, 216 unsigned long lhs, 217 unsigned long rhs) 218 { 219 handle_overflow(data, lhs, rhs, '*'); 220 } 221 EXPORT_SYMBOL(__ubsan_handle_mul_overflow); 222 223 void __ubsan_handle_negate_overflow(struct overflow_data *data, 224 unsigned long old_val) 225 { 226 unsigned long flags; 227 char old_val_str[VALUE_LENGTH]; 228 229 if (suppress_report(&data->location)) 230 return; 231 232 ubsan_prologue(&data->location, &flags); 233 234 val_to_string(old_val_str, sizeof(old_val_str), data->type, old_val); 235 236 pr_err("negation of %s cannot be represented in type %s:\n", 237 old_val_str, data->type->type_name); 238 239 ubsan_epilogue(&flags); 240 } 241 EXPORT_SYMBOL(__ubsan_handle_negate_overflow); 242 243 244 void __ubsan_handle_divrem_overflow(struct overflow_data *data, 245 unsigned long lhs, 246 unsigned long rhs) 247 { 248 unsigned long flags; 249 char rhs_val_str[VALUE_LENGTH]; 250 251 if (suppress_report(&data->location)) 252 return; 253 254 ubsan_prologue(&data->location, &flags); 255 256 val_to_string(rhs_val_str, sizeof(rhs_val_str), data->type, rhs); 257 258 if (type_is_signed(data->type) && get_signed_val(data->type, rhs) == -1) 259 pr_err("division of %s by -1 cannot be represented in type %s\n", 260 rhs_val_str, data->type->type_name); 261 else 262 pr_err("division by zero\n"); 263 264 ubsan_epilogue(&flags); 265 } 266 EXPORT_SYMBOL(__ubsan_handle_divrem_overflow); 267 268 static void handle_null_ptr_deref(struct type_mismatch_data *data) 269 { 270 unsigned long flags; 271 272 if (suppress_report(&data->location)) 273 return; 274 275 ubsan_prologue(&data->location, &flags); 276 277 pr_err("%s null pointer of type %s\n", 278 type_check_kinds[data->type_check_kind], 279 data->type->type_name); 280 281 ubsan_epilogue(&flags); 282 } 283 284 static void handle_missaligned_access(struct type_mismatch_data *data, 285 unsigned long ptr) 286 { 287 unsigned long flags; 288 289 if (suppress_report(&data->location)) 290 return; 291 292 ubsan_prologue(&data->location, &flags); 293 294 pr_err("%s misaligned address %p for type %s\n", 295 type_check_kinds[data->type_check_kind], 296 (void *)ptr, data->type->type_name); 297 pr_err("which requires %ld byte alignment\n", data->alignment); 298 299 ubsan_epilogue(&flags); 300 } 301 302 static void handle_object_size_mismatch(struct type_mismatch_data *data, 303 unsigned long ptr) 304 { 305 unsigned long flags; 306 307 if (suppress_report(&data->location)) 308 return; 309 310 ubsan_prologue(&data->location, &flags); 311 pr_err("%s address %pk with insufficient space\n", 312 type_check_kinds[data->type_check_kind], 313 (void *) ptr); 314 pr_err("for an object of type %s\n", data->type->type_name); 315 ubsan_epilogue(&flags); 316 } 317 318 void __ubsan_handle_type_mismatch(struct type_mismatch_data *data, 319 unsigned long ptr) 320 { 321 322 if (!ptr) 323 handle_null_ptr_deref(data); 324 else if (data->alignment && !IS_ALIGNED(ptr, data->alignment)) 325 handle_missaligned_access(data, ptr); 326 else 327 handle_object_size_mismatch(data, ptr); 328 } 329 EXPORT_SYMBOL(__ubsan_handle_type_mismatch); 330 331 void __ubsan_handle_nonnull_return(struct nonnull_return_data *data) 332 { 333 unsigned long flags; 334 335 if (suppress_report(&data->location)) 336 return; 337 338 ubsan_prologue(&data->location, &flags); 339 340 pr_err("null pointer returned from function declared to never return null\n"); 341 342 if (location_is_valid(&data->attr_location)) 343 print_source_location("returns_nonnull attribute specified in", 344 &data->attr_location); 345 346 ubsan_epilogue(&flags); 347 } 348 EXPORT_SYMBOL(__ubsan_handle_nonnull_return); 349 350 void __ubsan_handle_vla_bound_not_positive(struct vla_bound_data *data, 351 unsigned long bound) 352 { 353 unsigned long flags; 354 char bound_str[VALUE_LENGTH]; 355 356 if (suppress_report(&data->location)) 357 return; 358 359 ubsan_prologue(&data->location, &flags); 360 361 val_to_string(bound_str, sizeof(bound_str), data->type, bound); 362 pr_err("variable length array bound value %s <= 0\n", bound_str); 363 364 ubsan_epilogue(&flags); 365 } 366 EXPORT_SYMBOL(__ubsan_handle_vla_bound_not_positive); 367 368 void __ubsan_handle_out_of_bounds(struct out_of_bounds_data *data, 369 unsigned long index) 370 { 371 unsigned long flags; 372 char index_str[VALUE_LENGTH]; 373 374 if (suppress_report(&data->location)) 375 return; 376 377 ubsan_prologue(&data->location, &flags); 378 379 val_to_string(index_str, sizeof(index_str), data->index_type, index); 380 pr_err("index %s is out of range for type %s\n", index_str, 381 data->array_type->type_name); 382 ubsan_epilogue(&flags); 383 } 384 EXPORT_SYMBOL(__ubsan_handle_out_of_bounds); 385 386 void __ubsan_handle_shift_out_of_bounds(struct shift_out_of_bounds_data *data, 387 unsigned long lhs, unsigned long rhs) 388 { 389 unsigned long flags; 390 struct type_descriptor *rhs_type = data->rhs_type; 391 struct type_descriptor *lhs_type = data->lhs_type; 392 char rhs_str[VALUE_LENGTH]; 393 char lhs_str[VALUE_LENGTH]; 394 395 if (suppress_report(&data->location)) 396 return; 397 398 ubsan_prologue(&data->location, &flags); 399 400 val_to_string(rhs_str, sizeof(rhs_str), rhs_type, rhs); 401 val_to_string(lhs_str, sizeof(lhs_str), lhs_type, lhs); 402 403 if (val_is_negative(rhs_type, rhs)) 404 pr_err("shift exponent %s is negative\n", rhs_str); 405 406 else if (get_unsigned_val(rhs_type, rhs) >= 407 type_bit_width(lhs_type)) 408 pr_err("shift exponent %s is too large for %u-bit type %s\n", 409 rhs_str, 410 type_bit_width(lhs_type), 411 lhs_type->type_name); 412 else if (val_is_negative(lhs_type, lhs)) 413 pr_err("left shift of negative value %s\n", 414 lhs_str); 415 else 416 pr_err("left shift of %s by %s places cannot be" 417 " represented in type %s\n", 418 lhs_str, rhs_str, 419 lhs_type->type_name); 420 421 ubsan_epilogue(&flags); 422 } 423 EXPORT_SYMBOL(__ubsan_handle_shift_out_of_bounds); 424 425 426 void __noreturn 427 __ubsan_handle_builtin_unreachable(struct unreachable_data *data) 428 { 429 unsigned long flags; 430 431 ubsan_prologue(&data->location, &flags); 432 pr_err("calling __builtin_unreachable()\n"); 433 ubsan_epilogue(&flags); 434 panic("can't return from __builtin_unreachable()"); 435 } 436 EXPORT_SYMBOL(__ubsan_handle_builtin_unreachable); 437 438 void __ubsan_handle_load_invalid_value(struct invalid_value_data *data, 439 unsigned long val) 440 { 441 unsigned long flags; 442 char val_str[VALUE_LENGTH]; 443 444 if (suppress_report(&data->location)) 445 return; 446 447 ubsan_prologue(&data->location, &flags); 448 449 val_to_string(val_str, sizeof(val_str), data->type, val); 450 451 pr_err("load of value %s is not a valid value for type %s\n", 452 val_str, data->type->type_name); 453 454 ubsan_epilogue(&flags); 455 } 456 EXPORT_SYMBOL(__ubsan_handle_load_invalid_value); 457