1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
|
// Copyright (c) 2006-2010 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "linux_shadow_stacks.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
static const int kMaxShadowIndex = 2048;
static const char kOverflowMessage[] = "Shadow stack overflow\n";
// Thread-local vars.
__thread
int shadow_index = -1;
__thread
void *shadow_ip_stack[kMaxShadowIndex];
__thread
void *shadow_sp_stack[kMaxShadowIndex];
enum Status {UNINITIALIZED = -1, DISABLED, ENABLED};
Status status = UNINITIALIZED;
void init() {
if (!getenv("KEEP_SHADOW_STACKS")) {
status = DISABLED;
return;
}
status = ENABLED;
}
void __cyg_profile_func_enter(void *this_fn, void *call_site) {
if (status == DISABLED) return;
if (status == UNINITIALIZED) {
init();
if (status == DISABLED) return;
}
shadow_index++;
if (shadow_index > kMaxShadowIndex) {
// Avoid memory allocation when reporting an error.
write(2, kOverflowMessage, sizeof(kOverflowMessage));
int a = 0;
a = a / a;
}
// Update the shadow IP stack
shadow_ip_stack[shadow_index] = this_fn;
// Update the shadow SP stack. The code for obtaining the frame address was
// borrowed from Google Perftools, http://code.google.com/p/google-perftools/
//
// Copyright (c) 2005, Google Inc.
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following disclaimer
// in the documentation and/or other materials provided with the
// distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived from
// this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
void **sp;
#if (__GNUC__ > 4) || (__GNUC__ == 4 && __GNUC_MINOR__ >= 2) || __llvm__
// __builtin_frame_address(0) can return the wrong address on gcc-4.1.0-k8.
// It's always correct on llvm, and the techniques below aren't (in
// particular, llvm-gcc will make a copy of this_fn, so it's not in sp[2]),
// so we also prefer __builtin_frame_address when running under llvm.
sp = reinterpret_cast<void**>(__builtin_frame_address(0));
#elif defined(__i386__)
// Stack frame format:
// sp[0] pointer to previous frame
// sp[1] caller address
// sp[2] first argument
// ...
// NOTE: This will break under llvm, since result is a copy and not in sp[2]
sp = (void **)&this_fn - 2;
#elif defined(__x86_64__)
unsigned long rbp;
// Move the value of the register %rbp into the local variable rbp.
// We need 'volatile' to prevent this instruction from getting moved
// around during optimization to before function prologue is done.
// An alternative way to achieve this
// would be (before this __asm__ instruction) to call Noop() defined as
// static void Noop() __attribute__ ((noinline)); // prevent inlining
// static void Noop() { asm(""); } // prevent optimizing-away
__asm__ volatile ("mov %%rbp, %0" : "=r" (rbp));
// Arguments are passed in registers on x86-64, so we can't just
// offset from &result
sp = (void **) rbp;
#else
# error Cannot obtain SP (possibly compiling on a non x86 architecture)
#endif
shadow_sp_stack[shadow_index] = (void*)sp;
return;
}
void __cyg_profile_func_exit(void *this_fn, void *call_site) {
if (status == DISABLED) return;
shadow_index--;
}
void *get_shadow_ip_stack(int *index /*OUT*/) {
*index = shadow_index;
return shadow_ip_stack;
}
void *get_shadow_sp_stack(int *index /*OUT*/) {
*index = shadow_index;
return shadow_sp_stack;
}
|