<br><br><div class="gmail_quote">On Fri, Jun 17, 2011 at 12:42 PM, Renato Golin <span dir="ltr"><<a href="mailto:rengolin@systemcall.org">rengolin@systemcall.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="gmail_quote"><div class="im">On 17 June 2011 09:14, Kostya Serebryany <span dir="ltr"><<a href="mailto:kcc@google.com" target="_blank">kcc@google.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Maybe the fallback code should just use a function call. Much simpler for documentation purposes. </blockquote></div><div><br>Sounds good.<br></div></div></blockquote><div><br></div><div>I implemented the asm-free way to report warnings as an option to the llvm instrumentation pass (uses a call to run-time).</div>
<div>It generates more code, and it also creates a prologue/epilogue in otherwise leaf functions. </div><div>Such a mode may still be useful if for whatever reason we cannot use SIGILL. </div><div><br></div><div>Default (use ud2): </div>
<div><div><font class="Apple-style-span" face="'courier new', monospace"> 402ed5: 48 89 d8 mov %rbx,%rax << move the address to rax</font></div><div><font class="Apple-style-span" face="'courier new', monospace"> 402ed8: 0f 0b ud2a << crash</font></div>
<div><font class="Apple-style-span" face="'courier new', monospace"> 402eda: 52 push %rdx << encode is_write and size in the opcode</font></div></div><div>(note: with a good disassembler and some work we can leave just ud2 or equivalent)</div>
<div><br></div><div>-mllvm -asan-use-call</div><div><div><font class="Apple-style-span" face="'courier new', monospace"> 402ed5: 48 89 df mov %rbx,%rdi << address is the parameter to </font><span class="Apple-style-span" style="font-family: 'courier new', monospace; ">__asan_report_error_2</span></div>
<div><font class="Apple-style-span" face="'courier new', monospace"> 402ed8: e8 53 69 00 00 callq 409830 <__asan_report_error_2> << is_write and size are encoded in the function name</font></div>
</div><div><br></div><div><br></div><div>--kcc </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="gmail_quote"><div> <br><br></div><div class="im">
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
<div class="gmail_quote"><div></div><div>On 32-bit, the shadow region is:</div><div><span style="font-family:arial, sans-serif;font-size:13px"><table style="border-collapse:separate;border-top-width:1px;border-right-width:1px;border-bottom-width:1px;border-left-width:1px;border-top-style:solid;border-right-style:solid;border-bottom-style:solid;border-left-style:solid;border-top-color:rgb(204, 204, 204);border-right-color:rgb(204, 204, 204);border-bottom-color:rgb(204, 204, 204);border-left-color:rgb(204, 204, 204)">
<tbody><tr><td style="font-size:13px;border-top-width:1px;border-right-width:1px;border-bottom-width:1px;border-left-width:1px;border-top-style:solid;border-right-style:solid;border-bottom-style:solid;border-left-style:solid;border-top-color:rgb(204, 204, 204);border-right-color:rgb(204, 204, 204);border-bottom-color:rgb(204, 204, 204);border-left-color:rgb(204, 204, 204);padding-top:5px;padding-right:5px;padding-bottom:5px;padding-left:5px">
<tt style="font-family:Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;font-size:12px;max-width:66em">[0x28000000, 0x3fffffff]</tt></td><td style="font-size:13px;border-top-width:1px;border-right-width:1px;border-bottom-width:1px;border-left-width:1px;border-top-style:solid;border-right-style:solid;border-bottom-style:solid;border-left-style:solid;border-top-color:rgb(204, 204, 204);border-right-color:rgb(204, 204, 204);border-bottom-color:rgb(204, 204, 204);border-left-color:rgb(204, 204, 204);padding-top:5px;padding-right:5px;padding-bottom:5px;padding-left:5px">
<tt style="font-family:Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;font-size:12px;max-width:66em">HighShadow</tt></td></tr><tr><td style="font-size:13px;border-top-width:1px;border-right-width:1px;border-bottom-width:1px;border-left-width:1px;border-top-style:solid;border-right-style:solid;border-bottom-style:solid;border-left-style:solid;border-top-color:rgb(204, 204, 204);border-right-color:rgb(204, 204, 204);border-bottom-color:rgb(204, 204, 204);border-left-color:rgb(204, 204, 204);padding-top:5px;padding-right:5px;padding-bottom:5px;padding-left:5px">
<tt style="font-family:Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;font-size:12px;max-width:66em">[0x24000000, 0x27ffffff]</tt></td><td style="font-size:13px;border-top-width:1px;border-right-width:1px;border-bottom-width:1px;border-left-width:1px;border-top-style:solid;border-right-style:solid;border-bottom-style:solid;border-left-style:solid;border-top-color:rgb(204, 204, 204);border-right-color:rgb(204, 204, 204);border-bottom-color:rgb(204, 204, 204);border-left-color:rgb(204, 204, 204);padding-top:5px;padding-right:5px;padding-bottom:5px;padding-left:5px">
<tt style="font-family:Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;font-size:12px;max-width:66em">ShadowGap</tt></td></tr><tr><td style="font-size:13px;border-top-width:1px;border-right-width:1px;border-bottom-width:1px;border-left-width:1px;border-top-style:solid;border-right-style:solid;border-bottom-style:solid;border-left-style:solid;border-top-color:rgb(204, 204, 204);border-right-color:rgb(204, 204, 204);border-bottom-color:rgb(204, 204, 204);border-left-color:rgb(204, 204, 204);padding-top:5px;padding-right:5px;padding-bottom:5px;padding-left:5px">
<tt style="font-family:Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;font-size:12px;max-width:66em">[0x20000000, 0x23ffffff]</tt></td><td style="font-size:13px;border-top-width:1px;border-right-width:1px;border-bottom-width:1px;border-left-width:1px;border-top-style:solid;border-right-style:solid;border-bottom-style:solid;border-left-style:solid;border-top-color:rgb(204, 204, 204);border-right-color:rgb(204, 204, 204);border-bottom-color:rgb(204, 204, 204);border-left-color:rgb(204, 204, 204);padding-top:5px;padding-right:5px;padding-bottom:5px;padding-left:5px">
<tt style="font-family:Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;font-size:12px;max-width:66em">LowShadow</tt></td></tr></tbody></table></span></div>
<div><br></div><div>This is 0.5G total. So, I mmap all these three shadow subregions and 'mprotect' the ShadowGap. </div><div>This is done at startup. If the mmap fails, an assert will fire. </div></div></blockquote>
</div><div><br><br>I see. On embedded platforms that won't work in all cases. Most implementations have fragmented memory, memory mapped I/O, secure zones, etc. Depending on what you're trying to do, mmap will work but writing to memory won't.<br>
<br>In the ARM world, SoC designers can come up with any number of configurations, which makes a generic implementation impossible. You'll need some kind of tablegen to define writeable regions and how to map between memory and shadow. Manufacturers generally provide this information when you buy the kit.<br>
<br>But again, most OSes should take care of that for you, so that's only relevant for bare-metal applications.<br><br><br> </div><div class="im"><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
<div class="gmail_quote"><div><br></div><div>
On 64-bit, the shadow looks like this: </div><div><span style="font-family:arial, sans-serif;font-size:13px"><table style="border-collapse:separate;border-top-width:1px;border-right-width:1px;border-bottom-width:1px;border-left-width:1px;border-top-style:solid;border-right-style:solid;border-bottom-style:solid;border-left-style:solid;border-top-color:rgb(204, 204, 204);border-right-color:rgb(204, 204, 204);border-bottom-color:rgb(204, 204, 204);border-left-color:rgb(204, 204, 204)">
<tbody><tr><td style="font-size:13px;border-top-width:1px;border-right-width:1px;border-bottom-width:1px;border-left-width:1px;border-top-style:solid;border-right-style:solid;border-bottom-style:solid;border-left-style:solid;border-top-color:rgb(204, 204, 204);border-right-color:rgb(204, 204, 204);border-bottom-color:rgb(204, 204, 204);border-left-color:rgb(204, 204, 204);padding-top:5px;padding-right:5px;padding-bottom:5px;padding-left:5px">
<tt style="font-family:Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;font-size:12px;max-width:66em">[0x0000140000000000, 0x00001fffffffffff]</tt></td><td style="font-size:13px;border-top-width:1px;border-right-width:1px;border-bottom-width:1px;border-left-width:1px;border-top-style:solid;border-right-style:solid;border-bottom-style:solid;border-left-style:solid;border-top-color:rgb(204, 204, 204);border-right-color:rgb(204, 204, 204);border-bottom-color:rgb(204, 204, 204);border-left-color:rgb(204, 204, 204);padding-top:5px;padding-right:5px;padding-bottom:5px;padding-left:5px">
HighShadow</td></tr><tr><td style="font-size:13px;border-top-width:1px;border-right-width:1px;border-bottom-width:1px;border-left-width:1px;border-top-style:solid;border-right-style:solid;border-bottom-style:solid;border-left-style:solid;border-top-color:rgb(204, 204, 204);border-right-color:rgb(204, 204, 204);border-bottom-color:rgb(204, 204, 204);border-left-color:rgb(204, 204, 204);padding-top:5px;padding-right:5px;padding-bottom:5px;padding-left:5px">
<tt style="font-family:Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;font-size:12px;max-width:66em">[0x0000120000000000, 0x000013ffffffffff]</tt></td><td style="font-size:13px;border-top-width:1px;border-right-width:1px;border-bottom-width:1px;border-left-width:1px;border-top-style:solid;border-right-style:solid;border-bottom-style:solid;border-left-style:solid;border-top-color:rgb(204, 204, 204);border-right-color:rgb(204, 204, 204);border-bottom-color:rgb(204, 204, 204);border-left-color:rgb(204, 204, 204);padding-top:5px;padding-right:5px;padding-bottom:5px;padding-left:5px">
ShadowGap</td></tr><tr><td style="font-size:13px;border-top-width:1px;border-right-width:1px;border-bottom-width:1px;border-left-width:1px;border-top-style:solid;border-right-style:solid;border-bottom-style:solid;border-left-style:solid;border-top-color:rgb(204, 204, 204);border-right-color:rgb(204, 204, 204);border-bottom-color:rgb(204, 204, 204);border-left-color:rgb(204, 204, 204);padding-top:5px;padding-right:5px;padding-bottom:5px;padding-left:5px">
<tt style="font-family:Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;font-size:12px;max-width:66em">[0x0000100000000000, 0x000011ffffffffff]</tt></td><td style="font-size:13px;border-top-width:1px;border-right-width:1px;border-bottom-width:1px;border-left-width:1px;border-top-style:solid;border-right-style:solid;border-bottom-style:solid;border-left-style:solid;border-top-color:rgb(204, 204, 204);border-right-color:rgb(204, 204, 204);border-bottom-color:rgb(204, 204, 204);border-left-color:rgb(204, 204, 204);padding-top:5px;padding-right:5px;padding-bottom:5px;padding-left:5px">
LowShadow</td></tr></tbody></table></span></div><div><br></div><div>This is quite a lot; I cannot mmap/mprotect this thing. </div><div>So, I basically *hope* that it won't be used by anyone but the ASAN run time (of course, there are asserts here and there to check it). </div>
<div>When some part of the shadow region is being written to (when we poison memory), SEGV happens and the SEGV handler mmaps the required region. </div></div></blockquote></div><div><br>Ok, if you allocate big enough regions you shouldn't need to SEGV that often.<br>
<br>
<br></div></div>-- <br>cheers,<br>--renato<br><br><a href="http://systemcall.org/" target="_blank">http://systemcall.org/</a><br><br>Reclaim your digital rights, eliminate DRM, learn more at <a href="http://www.defectivebydesign.org/what_is_drm" target="_blank">http://www.defectivebydesign.org/what_is_drm</a><br>
</blockquote></div><br>
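<div>As an added example (not code from this thread or from the ASan project), the mapping behind both shadow tables quoted above, the 32-bit and the 64-bit one, checked against the invariant that makes mprotect'ing the ShadowGap sound: every application address shadows into LowShadow or HighShadow, and every shadow address shadows into the gap. It assumes the documented ASan mapping Shadow = (Mem >> 3) + Offset with Offset at the start of LowShadow, and 0x00007fffffffffff as the highest 64-bit application address; neither value is stated in the thread.</div>

```c
#include <stdbool.h>
#include <stdint.h>

/* One ASan shadow layout: the three subregions from a table in the thread plus
 * the mapping that produces them. Assumption (the documented ASan mapping, not
 * stated in the thread): Shadow = (Mem >> 3) + Offset, Offset = LowShadow start. */
struct layout {
    unsigned scale;
    uint64_t offset;
    uint64_t low_beg, low_end, gap_beg, gap_end, high_beg, high_end;
    uint64_t app_end;                          /* highest application address (assumed) */
};
static const struct layout layout32 = { 3, 0x20000000ull,
    0x20000000ull, 0x23ffffffull,              /* LowShadow  */
    0x24000000ull, 0x27ffffffull,              /* ShadowGap  */
    0x28000000ull, 0x3fffffffull,              /* HighShadow */
    0xffffffffull };
static const struct layout layout64 = { 3, 0x0000100000000000ull,
    0x0000100000000000ull, 0x000011ffffffffffull,
    0x0000120000000000ull, 0x000013ffffffffffull,
    0x0000140000000000ull, 0x00001fffffffffffull,
    0x00007fffffffffffull };
enum where { APP, LOW_SHADOW, SHADOW_GAP, HIGH_SHADOW };
uint64_t mem_to_shadow(const struct layout *l, uint64_t mem) {
    return (mem >> l->scale) + l->offset;
}
/* Which shadow subregion (or plain application memory) an address is in. */
enum where classify(const struct layout *l, uint64_t a) {
    if (a >= l->low_beg  && a <= l->low_end)  return LOW_SHADOW;
    if (a >= l->gap_beg  && a <= l->gap_end)  return SHADOW_GAP;
    if (a >= l->high_beg && a <= l->high_end) return HIGH_SHADOW;
    return APP;
}
/* The invariant behind mprotect'ing the gap: memory below the shadow maps into
 * LowShadow, memory above it into HighShadow, and the shadow itself maps into
 * the gap, so an instrumented access to a shadow address faults instead of
 * silently touching shadow bytes. The mapping is monotone, so end points suffice. */
bool layout_is_consistent(const struct layout *l) {
    return classify(l, mem_to_shadow(l, 0))               == LOW_SHADOW
        && classify(l, mem_to_shadow(l, l->low_beg - 1))  == LOW_SHADOW
        && classify(l, mem_to_shadow(l, l->low_beg))      == SHADOW_GAP
        && classify(l, mem_to_shadow(l, l->high_end))     == SHADOW_GAP
        && classify(l, mem_to_shadow(l, l->high_end + 1)) == HIGH_SHADOW
        && classify(l, mem_to_shadow(l, l->app_end))      == HIGH_SHADOW;
}
/* Bytes spanned by the three subregions together (the "0.5G" on 32-bit). */
uint64_t shadow_span_bytes(const struct layout *l) {
    return l->high_end - l->low_beg + 1;
}
```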