[apple/xnu.git] / san / kasan_internal.h

/*
 * Copyright (c) 2000-2014 Apple Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 *
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */

#ifndef _KASAN_INTERNAL_H_
#define _KASAN_INTERNAL_H_

#include <stdbool.h>
#include <mach/mach_vm.h>
#include <kern/zalloc.h>

typedef uintptr_t uptr;

#define MiB(x) ((x) * 1024UL * 1024)

/*
 * KASAN features and config
 */
#define FAKESTACK     1
/* KASAN_KALLOC defined in kasan.h */
/* KASAN_ZALLOC defined in kasan.h */
#define FAKESTACK_QUARANTINE (1 && FAKESTACK)

#define QUARANTINE_ENTRIES 5000
#define QUARANTINE_MAXSIZE MiB(10)

/*
 * The amount of physical memory stolen by KASan at boot to back the shadow memory
 * and page tables. Larger memory systems need to steal proportionally less.
 */
#ifdef __arm64__
/* Works out at about 25% of 512 MiB and 15% of 3GiB system */
# define STOLEN_MEM_PERCENT  13UL
# define STOLEN_MEM_BYTES    MiB(40)
# define HW_PAGE_SIZE        (ARM_PGBYTES)
# define HW_PAGE_MASK        (ARM_PGMASK)
#else
# define STOLEN_MEM_PERCENT  25UL
# define STOLEN_MEM_BYTES    0
# define HW_PAGE_SIZE        (PAGE_SIZE)
# define HW_PAGE_MASK        (PAGE_MASK)
#endif

/* boot-args */
#define KASAN_ARGS_FAKESTACK       0x0010U
#define KASAN_ARGS_REPORTIGNORED   0x0020U
#define KASAN_ARGS_NODYCHECKS      0x0100U
#define KASAN_ARGS_NOPOISON_HEAP   0x0200U
#define KASAN_ARGS_NOPOISON_GLOBAL 0x0400U
#define KASAN_ARGS_CHECK_LEAKS     0x0800U

/* uninitialized memory detection */
#define KASAN_UNINITIALIZED_HEAP   0xbe

#ifndef KASAN
# error KASAN undefined
#endif

#ifndef KASAN_OFFSET
# error KASAN_OFFSET undefined
#endif

#ifndef KASAN_SCALE
# error KASAN_SCALE undefined
#endif

#define KASAN_GRANULE        (1UL << KASAN_SCALE)
#define KASAN_GRANULE_MASK   (KASAN_GRANULE - 1UL)

static inline uintptr_t
kasan_granule_trunc(uintptr_t x)
{
	return x & ~KASAN_GRANULE_MASK;
}

static inline uintptr_t
kasan_granule_round(uintptr_t x)
{
	return (x + KASAN_GRANULE_MASK) & ~KASAN_GRANULE_MASK;
}

static inline size_t
kasan_granule_partial(uintptr_t x)
{
	return x & KASAN_GRANULE_MASK;
}

#define ADDRESS_FOR_SHADOW(x) (((x) - KASAN_OFFSET) << KASAN_SCALE)
#define SHADOW_FOR_ADDRESS(x) (uint8_t *)(((x) >> KASAN_SCALE) + KASAN_OFFSET)

#if KASAN_DEBUG
# define NOINLINE OS_NOINLINE
#else
# define NOINLINE
#endif
#define ALWAYS_INLINE inline __attribute__((always_inline))

#define CLANG_MIN_VERSION(x) (defined(__apple_build_version__) && (__apple_build_version__ >= (x)))

#define BIT(x) (1U << (x))

enum __attribute__((flag_enum)) kasan_access_types {
	TYPE_LOAD    = BIT(0),  /* regular memory load */
	TYPE_STORE   = BIT(1),  /* regular store */
	TYPE_MEMR    = BIT(2),  /* memory intrinsic (read) */
	TYPE_MEMW    = BIT(3),  /* memory intrinsic (write) */
	TYPE_STRR    = BIT(4),  /* string intrinsic (read) */
	TYPE_STRW    = BIT(5),  /* string intrinsic (write) */
	TYPE_KFREE   = BIT(6),  /* kfree() */
	TYPE_ZFREE   = BIT(7),  /* zfree() */
	TYPE_FSFREE  = BIT(8),  /* fakestack free */

	TYPE_UAF           = BIT(12),
	TYPE_POISON_GLOBAL = BIT(13),
	TYPE_POISON_HEAP   = BIT(14),
	/* no TYPE_POISON_STACK, because the runtime does not control stack poisoning */
	TYPE_TEST          = BIT(15),
	TYPE_LEAK          = BIT(16),

	/* masks */
	TYPE_MEM     = TYPE_MEMR | TYPE_MEMW,            /* memory intrinsics */
	TYPE_STR     = TYPE_STRR | TYPE_STRW,            /* string intrinsics */
	TYPE_READ    = TYPE_LOAD | TYPE_MEMR | TYPE_STRR,  /* all reads */
	TYPE_WRITE   = TYPE_STORE | TYPE_MEMW | TYPE_STRW, /* all writes */
	TYPE_RW      = TYPE_READ | TYPE_WRITE,           /* reads and writes */
	TYPE_FREE    = TYPE_KFREE | TYPE_ZFREE | TYPE_FSFREE,
	TYPE_NORMAL  = TYPE_RW | TYPE_FREE,
	TYPE_DYNAMIC = TYPE_NORMAL | TYPE_UAF,
	TYPE_POISON  = TYPE_POISON_GLOBAL | TYPE_POISON_HEAP,
	TYPE_ALL     = ~0U,
};

enum kasan_violation_types {
	REASON_POISONED =       0, /* read or write of poisoned data */
	REASON_BAD_METADATA =   1, /* incorrect kasan metadata */
	REASON_INVALID_SIZE =   2, /* free size did not match alloc size */
	REASON_MOD_AFTER_FREE = 3, /* object modified after free */
	REASON_MOD_OOB =        4, /* out of bounds modification of object */
	REASON_UNINITIALIZED =  5, /* leak of uninitialized kernel memory */
};

typedef enum kasan_access_types access_t;
typedef enum kasan_violation_types violation_t;

bool kasan_range_poisoned(vm_offset_t base, vm_size_t size, vm_offset_t *first_invalid);
void kasan_check_range(const void *x, size_t sz, access_t);
void kasan_test(int testno, int fail);
void kasan_handle_test(void);
void kasan_free_internal(void **addrp, vm_size_t *sizep, int type, zone_t *, vm_size_t user_size, int locked, bool doquarantine);
void kasan_poison(vm_offset_t base, vm_size_t size, vm_size_t leftrz, vm_size_t rightrz, uint8_t flags);
void kasan_lock(boolean_t *b);
void kasan_unlock(boolean_t b);
bool kasan_lock_held(thread_t thread);
void kasan_init_fakestack(void);

/* dynamic blacklist */
void kasan_init_dybl(void);
bool kasan_is_blacklisted(access_t);
void kasan_dybl_load_kext(uintptr_t addr, const char *kextname);
void kasan_dybl_unload_kext(uintptr_t addr);

/* arch-specific interface */
void kasan_arch_init(void);
bool kasan_is_shadow_mapped(uintptr_t shadowp);

extern vm_address_t kernel_vbase;
extern vm_address_t kernel_vtop;

extern unsigned shadow_pages_used;

/* boot-arg configurable */
extern int fakestack_enabled;

/* Describes the source location where a global is defined. */
struct asan_global_source_location {
	const char *filename;
	int line_no;
	int column_no;
};

/* Describes an instrumented global variable. */
struct asan_global {
	uptr addr;
	uptr size;
	uptr size_with_redzone;
	const char *name;
	const char *module;
	uptr has_dynamic_init;
	struct asan_global_source_location *location;
#if CLANG_MIN_VERSION(8020000)
	uptr odr_indicator;
#endif
};

#if defined(__x86_64__)
# define _JBLEN ((9 * 2) + 3 + 16)
#elif defined(__arm64__)
# define _JBLEN ((14 + 8 + 2) * 2)
#else
# error "Unknown arch"
#endif

typedef int jmp_buf[_JBLEN];
void _longjmp(jmp_buf env, int val) OS_NORETURN;
int _setjmp(jmp_buf env) __attribute__((returns_twice));

#endif /* _KASAN_INTERNAL_H_ */
Commit	Line	Data
5ba3f43e A	1	/*
	2	* Copyright (c) 2000-2014 Apple Inc. All rights reserved.
	3	*
	4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. The rights granted to you under the License
	10	* may not be used to create, or enable the creation or redistribution of,
	11	* unlawful or unlicensed copies of an Apple operating system, or to
	12	* circumvent, violate, or enable the circumvention or violation of, any
	13	* terms of an Apple operating system software license agreement.
	14	*
	15	* Please obtain a copy of the License at
	16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
	17	*
	18	* The Original Code and all software distributed under the License are
	19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	23	* Please see the License for the specific language governing rights and
	24	* limitations under the License.
	25	*
	26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
	27	*/
	28
	29	#ifndef _KASAN_INTERNAL_H_
	30	#define _KASAN_INTERNAL_H_
	31
	32	#include <stdbool.h>
	33	#include <mach/mach_vm.h>
	34	#include <kern/zalloc.h>
	35
	36	typedef uintptr_t uptr;
	37
5c9f4661 A	38	#define MiB(x) ((x) * 1024UL * 1024)
5c9f4661 A	39
5ba3f43e A	40	/*
	41	* KASAN features and config
	42	*/
5ba3f43e	43	#define FAKESTACK 1
5ba3f43e A	44	/* KASAN_KALLOC defined in kasan.h */
	45	/* KASAN_ZALLOC defined in kasan.h */
	46	#define FAKESTACK_QUARANTINE (1 && FAKESTACK)
	47
	48	#define QUARANTINE_ENTRIES 5000
5c9f4661 A	49	#define QUARANTINE_MAXSIZE MiB(10)
	50
	51	/*
	52	* The amount of physical memory stolen by KASan at boot to back the shadow memory
	53	* and page tables. Larger memory systems need to steal proportionally less.
	54	*/
	55	#ifdef __arm64__
	56	/* Works out at about 25% of 512 MiB and 15% of 3GiB system */
	57	# define STOLEN_MEM_PERCENT 13UL
0a7de745	58	# define STOLEN_MEM_BYTES MiB(40)
d9a64523 A	59	# define HW_PAGE_SIZE (ARM_PGBYTES)
d9a64523 A	60	# define HW_PAGE_MASK (ARM_PGMASK)
5c9f4661 A	61	#else
	62	# define STOLEN_MEM_PERCENT 25UL
	63	# define STOLEN_MEM_BYTES 0
d9a64523 A	64	# define HW_PAGE_SIZE (PAGE_SIZE)
d9a64523 A	65	# define HW_PAGE_MASK (PAGE_MASK)
5c9f4661	66	#endif
5ba3f43e	67
a39ff7e2 A	68	/* boot-args */
	69	#define KASAN_ARGS_FAKESTACK 0x0010U
	70	#define KASAN_ARGS_REPORTIGNORED 0x0020U
	71	#define KASAN_ARGS_NODYCHECKS 0x0100U
	72	#define KASAN_ARGS_NOPOISON_HEAP 0x0200U
	73	#define KASAN_ARGS_NOPOISON_GLOBAL 0x0400U
cb323159 A	74	#define KASAN_ARGS_CHECK_LEAKS 0x0800U
	75
	76	/* uninitialized memory detection */
	77	#define KASAN_UNINITIALIZED_HEAP 0xbe
a39ff7e2	78
5ba3f43e A	79	#ifndef KASAN
	80	# error KASAN undefined
	81	#endif
	82
f427ee49 A	83	#ifndef KASAN_OFFSET
f427ee49 A	84	# error KASAN_OFFSET undefined
5ba3f43e A	85	#endif
5ba3f43e A	86
f427ee49 A	87	#ifndef KASAN_SCALE
	88	# error KASAN_SCALE undefined
	89	#endif
	90
	91	#define KASAN_GRANULE (1UL << KASAN_SCALE)
	92	#define KASAN_GRANULE_MASK (KASAN_GRANULE - 1UL)
	93
	94	static inline uintptr_t
	95	kasan_granule_trunc(uintptr_t x)
	96	{
	97	return x & ~KASAN_GRANULE_MASK;
	98	}
	99
	100	static inline uintptr_t
	101	kasan_granule_round(uintptr_t x)
	102	{
	103	return (x + KASAN_GRANULE_MASK) & ~KASAN_GRANULE_MASK;
	104	}
	105
	106	static inline size_t
	107	kasan_granule_partial(uintptr_t x)
	108	{
	109	return x & KASAN_GRANULE_MASK;
	110	}
	111
	112	#define ADDRESS_FOR_SHADOW(x) (((x) - KASAN_OFFSET) << KASAN_SCALE)
	113	#define SHADOW_FOR_ADDRESS(x) (uint8_t *)(((x) >> KASAN_SCALE) + KASAN_OFFSET)
5ba3f43e	114
a39ff7e2	115	#if KASAN_DEBUG
d9a64523	116	# define NOINLINE OS_NOINLINE
a39ff7e2 A	117	#else
	118	# define NOINLINE
	119	#endif
5ba3f43e A	120	#define ALWAYS_INLINE inline __attribute__((always_inline))
	121
	122	#define CLANG_MIN_VERSION(x) (defined(__apple_build_version__) && (__apple_build_version__ >= (x)))
	123
	124	#define BIT(x) (1U << (x))
	125
a39ff7e2 A	126	enum __attribute__((flag_enum)) kasan_access_types {
	127	TYPE_LOAD = BIT(0), /* regular memory load */
	128	TYPE_STORE = BIT(1), /* regular store */
	129	TYPE_MEMR = BIT(2), /* memory intrinsic (read) */
	130	TYPE_MEMW = BIT(3), /* memory intrinsic (write) */
	131	TYPE_STRR = BIT(4), /* string intrinsic (read) */
	132	TYPE_STRW = BIT(5), /* string intrinsic (write) */
	133	TYPE_KFREE = BIT(6), /* kfree() */
	134	TYPE_ZFREE = BIT(7), /* zfree() */
	135	TYPE_FSFREE = BIT(8), /* fakestack free */
	136
	137	TYPE_UAF = BIT(12),
	138	TYPE_POISON_GLOBAL = BIT(13),
	139	TYPE_POISON_HEAP = BIT(14),
	140	/* no TYPE_POISON_STACK, because the runtime does not control stack poisoning */
	141	TYPE_TEST = BIT(15),
cb323159	142	TYPE_LEAK = BIT(16),
5ba3f43e A	143
5ba3f43e A	144	/* masks */
0a7de745 A	145	TYPE_MEM = TYPE_MEMR \| TYPE_MEMW, /* memory intrinsics */
	146	TYPE_STR = TYPE_STRR \| TYPE_STRW, /* string intrinsics */
	147	TYPE_READ = TYPE_LOAD \| TYPE_MEMR \| TYPE_STRR, /* all reads */
	148	TYPE_WRITE = TYPE_STORE \| TYPE_MEMW \| TYPE_STRW, /* all writes */
	149	TYPE_RW = TYPE_READ \| TYPE_WRITE, /* reads and writes */
	150	TYPE_FREE = TYPE_KFREE \| TYPE_ZFREE \| TYPE_FSFREE,
	151	TYPE_NORMAL = TYPE_RW \| TYPE_FREE,
	152	TYPE_DYNAMIC = TYPE_NORMAL \| TYPE_UAF,
	153	TYPE_POISON = TYPE_POISON_GLOBAL \| TYPE_POISON_HEAP,
a39ff7e2	154	TYPE_ALL = ~0U,
5ba3f43e A	155	};
5ba3f43e A	156
a39ff7e2 A	157	enum kasan_violation_types {
	158	REASON_POISONED = 0, /* read or write of poisoned data */
	159	REASON_BAD_METADATA = 1, /* incorrect kasan metadata */
	160	REASON_INVALID_SIZE = 2, /* free size did not match alloc size */
	161	REASON_MOD_AFTER_FREE = 3, /* object modified after free */
	162	REASON_MOD_OOB = 4, /* out of bounds modification of object */
cb323159	163	REASON_UNINITIALIZED = 5, /* leak of uninitialized kernel memory */
a39ff7e2 A	164	};
	165
	166	typedef enum kasan_access_types access_t;
	167	typedef enum kasan_violation_types violation_t;
	168
5ba3f43e	169	bool kasan_range_poisoned(vm_offset_t base, vm_size_t size, vm_offset_t *first_invalid);
a39ff7e2	170	void kasan_check_range(const void *x, size_t sz, access_t);
5ba3f43e A	171	void kasan_test(int testno, int fail);
5ba3f43e A	172	void kasan_handle_test(void);
5ba3f43e A	173	void kasan_free_internal(void *addrp, vm_size_t sizep, int type, zone_t *, vm_size_t user_size, int locked, bool doquarantine);
5ba3f43e A	174	void kasan_poison(vm_offset_t base, vm_size_t size, vm_size_t leftrz, vm_size_t rightrz, uint8_t flags);
5ba3f43e A	175	void kasan_lock(boolean_t *b);
5ba3f43e A	176	void kasan_unlock(boolean_t b);
a39ff7e2	177	bool kasan_lock_held(thread_t thread);
5ba3f43e A	178	void kasan_init_fakestack(void);
	179
	180	/* dynamic blacklist */
	181	void kasan_init_dybl(void);
a39ff7e2	182	bool kasan_is_blacklisted(access_t);
5ba3f43e A	183	void kasan_dybl_load_kext(uintptr_t addr, const char *kextname);
	184	void kasan_dybl_unload_kext(uintptr_t addr);
	185
	186	/* arch-specific interface */
	187	void kasan_arch_init(void);
a39ff7e2	188	bool kasan_is_shadow_mapped(uintptr_t shadowp);
5ba3f43e A	189
	190	extern vm_address_t kernel_vbase;
	191	extern vm_address_t kernel_vtop;
	192
a39ff7e2 A	193	extern unsigned shadow_pages_used;
	194
	195	/* boot-arg configurable */
	196	extern int fakestack_enabled;
5ba3f43e A	197
	198	/* Describes the source location where a global is defined. */
	199	struct asan_global_source_location {
	200	const char *filename;
	201	int line_no;
	202	int column_no;
	203	};
	204
	205	/* Describes an instrumented global variable. */
	206	struct asan_global {
	207	uptr addr;
	208	uptr size;
	209	uptr size_with_redzone;
	210	const char *name;
	211	const char *module;
	212	uptr has_dynamic_init;
	213	struct asan_global_source_location *location;
	214	#if CLANG_MIN_VERSION(8020000)
	215	uptr odr_indicator;
	216	#endif
	217	};
	218
	219	#if defined(__x86_64__)
	220	# define _JBLEN ((9 * 2) + 3 + 16)
5c9f4661 A	221	#elif defined(__arm64__)
	222	# define _JBLEN ((14 + 8 + 2) * 2)
	223	#else
	224	# error "Unknown arch"
5ba3f43e A	225	#endif
5ba3f43e A	226
5ba3f43e	227	typedef int jmp_buf[_JBLEN];
d9a64523 A	228	void _longjmp(jmp_buf env, int val) OS_NORETURN;
d9a64523 A	229	int _setjmp(jmp_buf env) __attribute__((returns_twice));
5ba3f43e A	230
5ba3f43e A	231	#endif /* _KASAN_INTERNAL_H_ */