1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
|
//===-- dfsan.cc ----------------------------------------------------------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This file is a part of DataFlowSanitizer.
//
// This file defines the custom functions listed in done_abilist.txt.
//===----------------------------------------------------------------------===//
#include "sanitizer_common/sanitizer_internal_defs.h"
#include "sanitizer_common/sanitizer_linux.h"
#include "dfsan/dfsan.h"
#include <ctype.h>
#include <dlfcn.h>
#include <link.h>
#include <pthread.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>
using namespace __dfsan;
extern "C" {
SANITIZER_INTERFACE_ATTRIBUTE int
__dfsw_stat(const char *path, struct stat *buf, dfsan_label path_label,
dfsan_label buf_label, dfsan_label *ret_label) {
int ret = stat(path, buf);
if (ret == 0)
dfsan_set_label(0, buf, sizeof(struct stat));
*ret_label = 0;
return ret;
}
SANITIZER_INTERFACE_ATTRIBUTE int __dfsw_fstat(int fd, struct stat *buf,
dfsan_label fd_label,
dfsan_label buf_label,
dfsan_label *ret_label) {
int ret = fstat(fd, buf);
if (ret == 0)
dfsan_set_label(0, buf, sizeof(struct stat));
*ret_label = 0;
return ret;
}
SANITIZER_INTERFACE_ATTRIBUTE char *__dfsw_strchr(const char *s, int c,
dfsan_label s_label,
dfsan_label c_label,
dfsan_label *ret_label) {
for (size_t i = 0;; ++i) {
if (s[i] == c || s[i] == 0) {
*ret_label = dfsan_union(dfsan_read_label(s, i+1), c_label);
return s[i] == 0 ? 0 : const_cast<char *>(s+i);
}
}
}
SANITIZER_INTERFACE_ATTRIBUTE int __dfsw_memcmp(const void *s1, const void *s2,
size_t n, dfsan_label s1_label,
dfsan_label s2_label,
dfsan_label n_label,
dfsan_label *ret_label) {
const char *cs1 = (const char *) s1, *cs2 = (const char *) s2;
for (size_t i = 0; i != n; ++i) {
if (cs1[i] != cs2[i]) {
*ret_label = dfsan_union(dfsan_read_label(cs1, i+1),
dfsan_read_label(cs2, i+1));
return cs1[i] - cs2[i];
}
}
*ret_label = dfsan_union(dfsan_read_label(cs1, n),
dfsan_read_label(cs2, n));
return 0;
}
SANITIZER_INTERFACE_ATTRIBUTE int __dfsw_strcmp(const char *s1, const char *s2,
dfsan_label s1_label,
dfsan_label s2_label,
dfsan_label *ret_label) {
for (size_t i = 0;; ++i) {
if (s1[i] != s2[i] || s1[i] == 0 || s2[i] == 0) {
*ret_label = dfsan_union(dfsan_read_label(s1, i+1),
dfsan_read_label(s2, i+1));
return s1[i] - s2[i];
}
}
return 0;
}
SANITIZER_INTERFACE_ATTRIBUTE int
__dfsw_strcasecmp(const char *s1, const char *s2, dfsan_label s1_label,
dfsan_label s2_label, dfsan_label *ret_label) {
for (size_t i = 0;; ++i) {
if (tolower(s1[i]) != tolower(s2[i]) || s1[i] == 0 || s2[i] == 0) {
*ret_label = dfsan_union(dfsan_read_label(s1, i+1),
dfsan_read_label(s2, i+1));
return s1[i] - s2[i];
}
}
return 0;
}
SANITIZER_INTERFACE_ATTRIBUTE int __dfsw_strncmp(const char *s1, const char *s2,
size_t n, dfsan_label s1_label,
dfsan_label s2_label,
dfsan_label n_label,
dfsan_label *ret_label) {
if (n == 0) {
*ret_label = 0;
return 0;
}
for (size_t i = 0;; ++i) {
if (s1[i] != s2[i] || s1[i] == 0 || s2[i] == 0 || i == n-1) {
*ret_label = dfsan_union(dfsan_read_label(s1, i+1),
dfsan_read_label(s2, i+1));
return s1[i] - s2[i];
}
}
return 0;
}
SANITIZER_INTERFACE_ATTRIBUTE int
__dfsw_strncasecmp(const char *s1, const char *s2, size_t n,
dfsan_label s1_label, dfsan_label s2_label,
dfsan_label n_label, dfsan_label *ret_label) {
if (n == 0) {
*ret_label = 0;
return 0;
}
for (size_t i = 0;; ++i) {
if (tolower(s1[i]) != tolower(s2[i]) || s1[i] == 0 || s2[i] == 0 ||
i == n - 1) {
*ret_label = dfsan_union(dfsan_read_label(s1, i+1),
dfsan_read_label(s2, i+1));
return s1[i] - s2[i];
}
}
return 0;
}
SANITIZER_INTERFACE_ATTRIBUTE void *__dfsw_calloc(size_t nmemb, size_t size,
dfsan_label nmemb_label,
dfsan_label size_label,
dfsan_label *ret_label) {
void *p = calloc(nmemb, size);
dfsan_set_label(0, p, nmemb * size);
*ret_label = 0;
return p;
}
SANITIZER_INTERFACE_ATTRIBUTE size_t
__dfsw_strlen(const char *s, dfsan_label s_label, dfsan_label *ret_label) {
size_t ret = strlen(s);
*ret_label = dfsan_read_label(s, ret+1);
return ret;
}
static void *dfsan_memcpy(void *dest, const void *src, size_t n) {
dfsan_label *sdest = shadow_for(dest), *ssrc = shadow_for((void *)src);
internal_memcpy((void *)sdest, (void *)ssrc, n * sizeof(dfsan_label));
return internal_memcpy(dest, src, n);
}
static void dfsan_memset(void *s, int c, dfsan_label c_label, size_t n) {
internal_memset(s, c, n);
dfsan_set_label(c_label, s, n);
}
SANITIZER_INTERFACE_ATTRIBUTE
void *__dfsw_memcpy(void *dest, const void *src, size_t n,
dfsan_label dest_label, dfsan_label src_label,
dfsan_label n_label, dfsan_label *ret_label) {
*ret_label = 0;
return dfsan_memcpy(dest, src, n);
}
SANITIZER_INTERFACE_ATTRIBUTE
void *__dfsw_memset(void *s, int c, size_t n,
dfsan_label s_label, dfsan_label c_label,
dfsan_label n_label, dfsan_label *ret_label) {
dfsan_memset(s, c, c_label, n);
*ret_label = 0;
return s;
}
SANITIZER_INTERFACE_ATTRIBUTE char *
__dfsw_strdup(const char *s, dfsan_label s_label, dfsan_label *ret_label) {
size_t len = strlen(s);
void *p = malloc(len+1);
dfsan_memcpy(p, s, len+1);
*ret_label = 0;
return static_cast<char *>(p);
}
SANITIZER_INTERFACE_ATTRIBUTE char *
__dfsw_strncpy(char *s1, const char *s2, size_t n, dfsan_label s1_label,
dfsan_label s2_label, dfsan_label n_label,
dfsan_label *ret_label) {
size_t len = strlen(s2);
if (len < n) {
dfsan_memcpy(s1, s2, len+1);
dfsan_memset(s1+len+1, 0, 0, n-len-1);
} else {
dfsan_memcpy(s1, s2, n);
}
*ret_label = 0;
return s1;
}
SANITIZER_INTERFACE_ATTRIBUTE ssize_t
__dfsw_pread(int fd, void *buf, size_t count, off_t offset,
dfsan_label fd_label, dfsan_label buf_label,
dfsan_label count_label, dfsan_label offset_label,
dfsan_label *ret_label) {
ssize_t ret = pread(fd, buf, count, offset);
if (ret > 0)
dfsan_set_label(0, buf, ret);
*ret_label = 0;
return ret;
}
SANITIZER_INTERFACE_ATTRIBUTE ssize_t
__dfsw_read(int fd, void *buf, size_t count,
dfsan_label fd_label, dfsan_label buf_label,
dfsan_label count_label,
dfsan_label *ret_label) {
ssize_t ret = read(fd, buf, count);
if (ret > 0)
dfsan_set_label(0, buf, ret);
*ret_label = 0;
return ret;
}
SANITIZER_INTERFACE_ATTRIBUTE int __dfsw_clock_gettime(clockid_t clk_id,
struct timespec *tp,
dfsan_label clk_id_label,
dfsan_label tp_label,
dfsan_label *ret_label) {
int ret = clock_gettime(clk_id, tp);
if (ret == 0)
dfsan_set_label(0, tp, sizeof(struct timespec));
*ret_label = 0;
return ret;
}
static void unpoison(const void *ptr, uptr size) {
dfsan_set_label(0, const_cast<void *>(ptr), size);
}
// dlopen() ultimately calls mmap() down inside the loader, which generally
// doesn't participate in dynamic symbol resolution. Therefore we won't
// intercept its calls to mmap, and we have to hook it here.
SANITIZER_INTERFACE_ATTRIBUTE void *
__dfsw_dlopen(const char *filename, int flag, dfsan_label filename_label,
dfsan_label flag_label, dfsan_label *ret_label) {
link_map *map = (link_map *)dlopen(filename, flag);
if (map)
ForEachMappedRegion(map, unpoison);
*ret_label = 0;
return (void *)map;
}
struct pthread_create_info {
void *(*start_routine_trampoline)(void *, void *, dfsan_label, dfsan_label *);
void *start_routine;
void *arg;
};
static void *pthread_create_cb(void *p) {
pthread_create_info pci(*(pthread_create_info *)p);
free(p);
dfsan_label ret_label;
return pci.start_routine_trampoline(pci.start_routine, pci.arg, 0,
&ret_label);
}
SANITIZER_INTERFACE_ATTRIBUTE int __dfsw_pthread_create(
pthread_t *thread, const pthread_attr_t *attr,
void *(*start_routine_trampoline)(void *, void *, dfsan_label,
dfsan_label *),
void *start_routine, void *arg, dfsan_label thread_label,
dfsan_label attr_label, dfsan_label start_routine_label,
dfsan_label arg_label, dfsan_label *ret_label) {
pthread_create_info *pci =
(pthread_create_info *)malloc(sizeof(pthread_create_info));
pci->start_routine_trampoline = start_routine_trampoline;
pci->start_routine = start_routine;
pci->arg = arg;
int rv = pthread_create(thread, attr, pthread_create_cb, (void *)pci);
if (rv != 0)
free(pci);
*ret_label = 0;
return rv;
}
struct dl_iterate_phdr_info {
int (*callback_trampoline)(void *callback, struct dl_phdr_info *info,
size_t size, void *data, dfsan_label info_label,
dfsan_label size_label, dfsan_label data_label,
dfsan_label *ret_label);
void *callback;
void *data;
};
int dl_iterate_phdr_cb(struct dl_phdr_info *info, size_t size, void *data) {
dl_iterate_phdr_info *dipi = (dl_iterate_phdr_info *)data;
dfsan_set_label(0, *info);
dfsan_set_label(0, (void *)info->dlpi_name, strlen(info->dlpi_name) + 1);
dfsan_set_label(0, (void *)info->dlpi_phdr,
sizeof(*info->dlpi_phdr) * info->dlpi_phnum);
dfsan_label ret_label;
return dipi->callback_trampoline(dipi->callback, info, size, dipi->data, 0, 0,
0, &ret_label);
}
SANITIZER_INTERFACE_ATTRIBUTE int __dfsw_dl_iterate_phdr(
int (*callback_trampoline)(void *callback, struct dl_phdr_info *info,
size_t size, void *data, dfsan_label info_label,
dfsan_label size_label, dfsan_label data_label,
dfsan_label *ret_label),
void *callback, void *data, dfsan_label callback_label,
dfsan_label data_label, dfsan_label *ret_label) {
dl_iterate_phdr_info dipi = { callback_trampoline, callback, data };
*ret_label = 0;
return dl_iterate_phdr(dl_iterate_phdr_cb, &dipi);
}
}
|
