]> git.saurik.com Git - apple/xnu.git/blob - san/ubsan.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-7195.50.7.100.1.tar.gz
[apple/xnu.git] / san / ubsan.c
1 /*
2 * Copyright (c) 2018 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 #include <stdatomic.h>
30 #include <kern/debug.h>
31 #include <libkern/libkern.h>
32 #include "ubsan.h"
33
34 static const bool ubsan_print = false;
35 static const uint32_t line_acquired = 0x80000000UL;
36 static const char *get_type_check_kind(uint8_t kind);
37
38 static size_t
39 format_loc(struct san_src_loc *loc, char *dst, size_t sz)
40 {
41 return scnprintf(dst, sz, ", file:\"%s\", line:%d, column:%d },\n",
42 loc->filename,
43 loc->line & ~line_acquired,
44 loc->col
45 );
46 }
47
48 /*
49 * return true for the first visit to this loc, false every subsequent time
50 */
51 static bool
52 ubsan_loc_acquire(struct san_src_loc *loc)
53 {
54 uint32_t line = loc->line;
55 if (line & line_acquired) {
56 return false;
57 }
58 uint32_t acq = line | line_acquired;
59 return atomic_compare_exchange_strong((_Atomic uint32_t *)&loc->line, &line, acq);
60 }
61
62 static const char *const
63 overflow_str[] = {
64 NULL,
65 "add",
66 "sub",
67 "mul",
68 "divrem",
69 "negate",
70 NULL
71 };
72
73 static size_t
74 format_overflow(struct ubsan_violation *v, char *buf, size_t sz)
75 {
76 struct san_type_desc *ty = v->overflow->ty;
77 return scnprintf(buf, sz,
78 "problem:\"%s overflow\", op:\"%s\", ty:\"%s\", width:%d, lhs:0x%llx, rhs:0x%llx, ",
79 ty->issigned ? "signed" : "unsigned",
80 overflow_str[v->ubsan_type],
81 ty->name,
82 1 << ty->width,
83 v->lhs,
84 v->rhs
85 );
86 }
87
88 static size_t
89 format_shift(struct ubsan_violation *v, char *buf, size_t sz)
90 {
91 size_t n = 0;
92 struct san_type_desc *l = v->shift->lhs_t;
93 struct san_type_desc *r = v->shift->rhs_t;
94
95 n += scnprintf(buf + n, sz - n, "problem:\"bad shift\", ");
96 n += scnprintf(buf + n, sz - n, "lhs:0x%llx, lty:\"%s\", lsigned:%d, lwidth:%d, ", v->lhs, l->name, l->issigned, 1 << l->width);
97 n += scnprintf(buf + n, sz - n, "rhs:0x%llx, rty:\"%s\", rsigned:%d, rwidth:%d, ", v->rhs, r->name, r->issigned, 1 << r->width);
98
99 return n;
100 }
101
102 static const char * const
103 type_check_kinds[] = {
104 "load of", "store to", "reference binding to", "member access within",
105 "member call on", "constructor call on", "downcast of", "downcast of",
106 "upcast of", "cast to virtual base of", "_Nonnull binding to"
107 };
108
109 static const char *
110 get_type_check_kind(uint8_t kind)
111 {
112 return (kind < (sizeof(type_check_kinds) / sizeof(type_check_kinds[0])))
113 ? type_check_kinds[kind]
114 : "some";
115 }
116
117 static size_t
118 format_type_mismatch(struct ubsan_violation *v, char *buf, size_t sz)
119 {
120 size_t n = 0;
121 size_t alignment = 1 << v->align->align;
122 void *ptr = (void*)v->lhs;
123 const char * kind = get_type_check_kind(v->align->kind);
124 if (NULL == ptr) {
125 //null pointer use
126 n += scnprintf(buf + n, sz - n, "problem:\"%s NULL pointer\", ty:\"%s\", ", kind, v->align->ty->name);
127 } else if (alignment && ((uintptr_t)ptr & (alignment - 1))) {
128 //misaligned pointer use
129 n += scnprintf(buf + n, sz - n, "problem:\"%s mis-aligned\", address:%p, ty:\"%s\", ", kind, (void*)v->lhs, v->align->ty->name);
130 n += scnprintf(buf + n, sz - n, "required_alignment:%d, ", 1 << v->align->align);
131 } else {
132 //insufficient object size
133 n += scnprintf(buf + n, sz - n, "problem:\"%s insufficient object size\", ty:\"%s\", address:%p, ",
134 kind, v->align->ty->name, ptr);
135 }
136
137 return n;
138 }
139
140 static size_t
141 format_oob(struct ubsan_violation *v, char *buf, size_t sz)
142 {
143 size_t n = 0;
144 struct san_type_desc *aty = v->oob->array_ty;
145 struct san_type_desc *ity = v->oob->index_ty;
146 uintptr_t idx = v->lhs;
147
148 n += scnprintf(buf + n, sz - n, "problem:\"OOB array access\", ");
149 n += scnprintf(buf + n, sz - n, "idx:%ld, ", idx);
150 n += scnprintf(buf + n, sz - n, "aty:\"%s\", asigned:%d, awidth:%d, ", aty->name, aty->issigned, 1 << aty->width);
151 n += scnprintf(buf + n, sz - n, "ity:\"%s\", isigned:%d, iwidth:%d, ", ity->name, ity->issigned, 1 << ity->width);
152
153 return n;
154 }
155
156 static size_t
157 format_load_invalid_value(struct ubsan_violation *v, char *buf, size_t sz)
158 {
159 return scnprintf(buf, sz, "problem:\"invalid value load\", type:\"%s\", value:0x%llx",
160 v->invalid->type->name, v->lhs);
161 }
162
163 size_t
164 ubsan_format(struct ubsan_violation *v, char *buf, size_t sz)
165 {
166 size_t n = scnprintf(buf, sz, "{ ");
167
168 switch (v->ubsan_type) {
169 case UBSAN_OVERFLOW_add ... UBSAN_OVERFLOW_negate:
170 n += format_overflow(v, buf + n, sz - n);
171 break;
172 case UBSAN_UNREACHABLE:
173 n += scnprintf(buf + n, sz - n, "problem:\"unreachable\", ");
174 break;
175 case UBSAN_SHIFT:
176 n += format_shift(v, buf + n, sz - n);
177 break;
178 case UBSAN_TYPE_MISMATCH:
179 n += format_type_mismatch(v, buf + n, sz - n);
180 break;
181 case UBSAN_POINTER_OVERFLOW:
182 n += scnprintf(buf + n, sz - n, "problem:\"pointer overflow\", before:0x%llx, after:0x%llx, ", v->lhs, v->rhs);
183 break;
184 case UBSAN_OOB:
185 n += format_oob(v, buf + n, sz - n);
186 break;
187 case UBSAN_LOAD_INVALID_VALUE:
188 n += format_load_invalid_value(v, buf + n, sz - n);
189 break;
190 case UBSAN_GENERIC:
191 n += scnprintf(buf + n, sz - n, "problem:\"generic\", function:\"%s\", ", v->func);
192 break;
193 default:
194 panic("unknown violation");
195 }
196
197 n += format_loc(v->loc, buf + n, sz - n);
198
199 return n;
200 }
201
202 enum UBFatality { Fatal, FleshWound };
203
204 static void
205 ubsan_handle(struct ubsan_violation *v, enum UBFatality fatality)
206 {
207 if (!ubsan_loc_acquire(v->loc)) {
208 /* violation site already reported */
209 return;
210 }
211
212 ubsan_log_append(v);
213
214 if (ubsan_print || (fatality == Fatal)) {
215 const size_t sz = 256;
216 static char buf[sz];
217 buf[0] = '\0';
218 ubsan_format(v, buf, sz);
219 printf("UBSan: %s", buf);
220 }
221 }
222
223 void
224 __ubsan_handle_builtin_unreachable(struct ubsan_unreachable_desc *desc)
225 {
226 struct ubsan_violation v = { UBSAN_UNREACHABLE, 0, 0, .unreachable = desc, &desc->loc };
227 ubsan_handle(&v, Fatal);
228 }
229
230 void
231 __ubsan_handle_shift_out_of_bounds(struct ubsan_shift_desc *desc, uint64_t lhs, uint64_t rhs)
232 {
233 struct ubsan_violation v = { UBSAN_SHIFT, lhs, rhs, .shift = desc, &desc->loc };
234 ubsan_handle(&v, FleshWound);
235 }
236
237 void
238 __ubsan_handle_shift_out_of_bounds_abort(struct ubsan_shift_desc *desc, uint64_t lhs, uint64_t rhs)
239 {
240 struct ubsan_violation v = { UBSAN_SHIFT, lhs, rhs, .shift = desc, &desc->loc };
241 ubsan_handle(&v, Fatal);
242 }
243
244 #define DEFINE_OVERFLOW(op) \
245 void __ubsan_handle_##op##_overflow(struct ubsan_overflow_desc *desc, uint64_t lhs, uint64_t rhs) { \
246 struct ubsan_violation v = { UBSAN_OVERFLOW_##op, lhs, rhs, .overflow = desc, &desc->loc }; \
247 ubsan_handle(&v, FleshWound); \
248 } \
249 void __ubsan_handle_##op##_overflow_abort(struct ubsan_overflow_desc *desc, uint64_t lhs, uint64_t rhs) { \
250 struct ubsan_violation v = { UBSAN_OVERFLOW_##op, lhs, rhs, .overflow = desc, &desc->loc }; \
251 ubsan_handle(&v, Fatal); \
252 }
253
254 DEFINE_OVERFLOW(add)
255 DEFINE_OVERFLOW(sub)
256 DEFINE_OVERFLOW(mul)
257 DEFINE_OVERFLOW(divrem)
258 DEFINE_OVERFLOW(negate)
259
260 void
261 __ubsan_handle_type_mismatch_v1(struct ubsan_align_desc *desc, uint64_t val)
262 {
263 struct ubsan_violation v = { UBSAN_TYPE_MISMATCH, val, 0, .align = desc, &desc->loc };
264 ubsan_handle(&v, FleshWound);
265 }
266
267 void
268 __ubsan_handle_type_mismatch_v1_abort(struct ubsan_align_desc *desc, uint64_t val)
269 {
270 struct ubsan_violation v = { UBSAN_TYPE_MISMATCH, val, 0, .align = desc, &desc->loc };
271 ubsan_handle(&v, Fatal);
272 }
273
274 void
275 __ubsan_handle_pointer_overflow(struct ubsan_ptroverflow_desc *desc, uint64_t before, uint64_t after)
276 {
277 struct ubsan_violation v = { UBSAN_POINTER_OVERFLOW, before, after, .ptroverflow = desc, &desc->loc };
278 ubsan_handle(&v, FleshWound);
279 }
280
281 void
282 __ubsan_handle_pointer_overflow_abort(struct ubsan_ptroverflow_desc *desc, uint64_t before, uint64_t after)
283 {
284 struct ubsan_violation v = { UBSAN_POINTER_OVERFLOW, before, after, .ptroverflow = desc, &desc->loc };
285 ubsan_handle(&v, Fatal);
286 }
287
288 void
289 __ubsan_handle_out_of_bounds(struct ubsan_oob_desc *desc, uint64_t idx)
290 {
291 struct ubsan_violation v = { UBSAN_OOB, idx, 0, .oob = desc, &desc->loc };
292 ubsan_handle(&v, FleshWound);
293 }
294
295 void
296 __ubsan_handle_out_of_bounds_abort(struct ubsan_oob_desc *desc, uint64_t idx)
297 {
298 struct ubsan_violation v = { UBSAN_OOB, idx, 0, .oob = desc, &desc->loc };
299 ubsan_handle(&v, Fatal);
300 }
301
302 void
303 __ubsan_handle_load_invalid_value(struct ubsan_load_invalid_desc *desc, uint64_t invalid_value)
304 {
305 struct ubsan_violation v = { UBSAN_LOAD_INVALID_VALUE, invalid_value, 0, .invalid = desc, &desc->loc };
306 ubsan_handle(&v, Fatal);
307 }
308
309 void
310 __ubsan_handle_load_invalid_value_abort(struct ubsan_load_invalid_desc *desc, uint64_t invalid_value)
311 {
312 struct ubsan_violation v = { UBSAN_LOAD_INVALID_VALUE, invalid_value, 0, .invalid = desc, &desc->loc };
313 ubsan_handle(&v, Fatal);
314 }
315
316 #define DEFINE_GENERIC(check) \
317 void __ubsan_handle_##check (struct san_src_loc* loc) \
318 { \
319 struct ubsan_violation v = { UBSAN_GENERIC, 0, 0, .func = __func__, loc }; \
320 ubsan_handle(&v, FleshWound); \
321 } \
322 void __ubsan_handle_##check##_abort(struct san_src_loc* loc) \
323 { \
324 struct ubsan_violation v = { UBSAN_GENERIC, 0, 0, .func = __func__, loc }; \
325 ubsan_handle(&v, Fatal); \
326 }
327
328 DEFINE_GENERIC(invalid_builtin)
329 DEFINE_GENERIC(nonnull_arg)
330 DEFINE_GENERIC(vla_bound_not_positive)
331 DEFINE_GENERIC(float_cast_overflow)
332 DEFINE_GENERIC(function_type_mismatch)
333 DEFINE_GENERIC(missing_return)
334 DEFINE_GENERIC(nonnull_return)
335 DEFINE_GENERIC(nullability_arg)
336 DEFINE_GENERIC(nullability_return)
337 DEFINE_GENERIC(implicit_conversion)
mirror of XNU