]>
Commit | Line | Data |
---|---|---|
2077db1b CT |
1 | /* Copyright (C) 2012-2013 |
2 | Free Software Foundation | |
3 | ||
4 | This file is part of GCC. | |
5 | ||
6 | GCC is free software; you can redistribute it and/or modify | |
7 | it under the terms of the GNU General Public License as published by | |
8 | the Free Software Foundation; either version 3, or (at your option) | |
9 | any later version. | |
10 | ||
11 | GCC is distributed in the hope that it will be useful, | |
12 | but WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
14 | GNU General Public License for more details. | |
15 | ||
16 | Under Section 7 of GPL version 3, you are granted additional | |
17 | permissions described in the GCC Runtime Library Exception, version | |
18 | 3.1, as published by the Free Software Foundation. | |
19 | ||
20 | You should have received a copy of the GNU General Public License and | |
21 | a copy of the GCC Runtime Library Exception along with this program; | |
22 | see the files COPYING3 and COPYING.RUNTIME respectively. If not, see | |
23 | <http://www.gnu.org/licenses/>. */ | |
24 | ||
25 | /* This file is part of the vtable security feature implementation. | |
26 | The vtable security feature is designed to detect when a virtual | |
27 | call is about to be made through an invalid vtable pointer | |
28 | (possibly due to data corruption or malicious attacks). | |
29 | ||
30 | This file also contains the failure functions that get called when | |
31 | a vtable pointer is not found in the data set. Two particularly | |
32 | important functions are __vtv_verify_fail and __vtv_really_fail. | |
33 | They are both externally visible. __vtv_verify_fail is defined in | |
34 | such a way that it can be replaced by a programmer, if desired. It | |
35 | is the function that __VLTVerifyVtablePointer calls if it can't | |
36 | find the pointer in the data set. Allowing the programmer to | |
37 | overwrite this function means that he/she can do some alternate | |
38 | verification, including NOT failing in certain specific cases, if | |
39 | desired. This may be the case if the programmer has to deal wtih | |
40 | unverified third party software, for example. __vtv_really_fail is | |
41 | available for the programmer to call from his version of | |
42 | __vtv_verify_fail, if he decides the failure is real. | |
43 | ||
44 | */ | |
45 | ||
46 | #include <stdlib.h> | |
47 | #include <stdio.h> | |
48 | #include <string.h> | |
49 | #include <execinfo.h> | |
50 | #include <unistd.h> | |
51 | ||
52 | #include "vtv_utils.h" | |
53 | #include "vtv_fail.h" | |
54 | ||
55 | /* This is used to disable aborts for debugging purposes. */ | |
56 | bool vtv_no_abort = false; | |
57 | ||
58 | ||
59 | extern "C" { | |
60 | ||
61 | /* __fortify_fail is a function in glibc that calls __libc_message, | |
62 | causing it to print out a program termination error message | |
63 | (including the name of the binary being terminated), a stack | |
64 | trace where the error occurred, and a memory map dump. Ideally | |
65 | we would have called __libc_message directly, but that function | |
66 | does not appear to be accessible to functions outside glibc, | |
67 | whereas __fortify_fail is. We call __fortify_fail from | |
68 | __vtv_really_fail. We looked at calling __libc_fatal, which is | |
69 | externally accessible, but it does not do the back trace and | |
70 | memory dump. */ | |
71 | ||
72 | extern void __fortify_fail (const char *) __attribute__((noreturn)); | |
73 | ||
74 | } /* extern "C" */ | |
75 | ||
76 | const unsigned long SET_HANDLE_HANDLE_BIT = 0x2; | |
77 | ||
78 | /* Instantiate the template classes (in vtv_set.h) for our particular | |
79 | hash table needs. */ | |
80 | typedef void * vtv_set_handle; | |
81 | typedef vtv_set_handle * vtv_set_handle_handle; | |
82 | ||
83 | static int vtv_failures_log_fd = -1; | |
84 | ||
85 | /* Open error logging file, if not already open, and write vtable | |
86 | verification failure messages (LOG_MSG) to the log file. Also | |
87 | generate a backtrace in the log file, if GENERATE_BACKTRACE is | |
88 | set. */ | |
89 | ||
90 | static void | |
91 | log_error_message (const char *log_msg, bool generate_backtrace) | |
92 | { | |
93 | if (vtv_failures_log_fd == -1) | |
94 | vtv_failures_log_fd = vtv_open_log ("vtable_verification_failures.log"); | |
95 | ||
96 | if (vtv_failures_log_fd == -1) | |
97 | return; | |
98 | ||
99 | vtv_add_to_log (vtv_failures_log_fd, "%s", log_msg); | |
100 | ||
101 | if (generate_backtrace) | |
102 | { | |
103 | #define STACK_DEPTH 20 | |
104 | void *callers[STACK_DEPTH]; | |
105 | int actual_depth = backtrace (callers, STACK_DEPTH); | |
106 | backtrace_symbols_fd (callers, actual_depth, vtv_failures_log_fd); | |
107 | } | |
108 | } | |
109 | ||
110 | /* In the case where a vtable map variable is the only instance of the | |
111 | variable we have seen, it points directly to the set of valid | |
112 | vtable pointers. All subsequent instances of the 'same' vtable map | |
113 | variable point to the first vtable map variable. This function, | |
114 | given a vtable map variable PTR, checks a bit to see whether it's | |
115 | pointing directly to the data set or to the first vtable map | |
116 | variable. */ | |
117 | ||
118 | static inline bool | |
119 | is_set_handle_handle (void * ptr) | |
120 | { | |
121 | return ((unsigned long) ptr & SET_HANDLE_HANDLE_BIT) | |
122 | == SET_HANDLE_HANDLE_BIT; | |
123 | } | |
124 | ||
125 | /* Returns the actual pointer value of a vtable map variable, PTR (see | |
126 | comments for is_set_handle_handle for more details). */ | |
127 | ||
128 | static inline vtv_set_handle * | |
129 | ptr_from_set_handle_handle (void * ptr) | |
130 | { | |
131 | return (vtv_set_handle *) ((unsigned long) ptr & ~SET_HANDLE_HANDLE_BIT); | |
132 | } | |
133 | ||
134 | /* Given a vtable map variable, PTR, this function sets the bit that | |
135 | says this is the second (or later) instance of a vtable map | |
136 | variable. */ | |
137 | ||
138 | static inline vtv_set_handle_handle | |
139 | set_handle_handle (vtv_set_handle * ptr) | |
140 | { | |
141 | return (vtv_set_handle_handle) ((unsigned long) ptr | SET_HANDLE_HANDLE_BIT); | |
142 | } | |
143 | ||
144 | /* This function is called from __VLTVerifyVtablePointerDebug; it | |
145 | sends as much debugging information as it can to the error log | |
146 | file, then calls __vtv_verify_fail. SET_HANDLE_PTR is the pointer | |
147 | to the set of valid vtable pointers, VTBL_PTR is the pointer that | |
148 | was not found in the set, and DEBUG_MSG is the message to be | |
149 | written to the log file before failing. n */ | |
150 | ||
151 | void | |
152 | __vtv_verify_fail_debug (void **set_handle_ptr, const void *vtbl_ptr, | |
153 | const char *debug_msg) | |
154 | { | |
155 | log_error_message (debug_msg, false); | |
156 | ||
157 | /* Call the public interface in case it has been overwritten by | |
158 | user. */ | |
159 | __vtv_verify_fail (set_handle_ptr, vtbl_ptr); | |
160 | ||
161 | log_error_message ("Returned from __vtv_verify_fail." | |
162 | " Secondary verification succeeded.\n", false); | |
163 | } | |
164 | ||
165 | /* This function calls __fortify_fail with a FAILURE_MSG and then | |
166 | calls abort. */ | |
167 | ||
168 | void | |
169 | __vtv_really_fail (const char *failure_msg) | |
170 | { | |
171 | __fortify_fail (failure_msg); | |
172 | ||
173 | /* We should never get this far; __fortify_fail calls __libc_message | |
174 | which prints out a back trace and a memory dump and then is | |
175 | supposed to call abort, but let's play it safe anyway and call abort | |
176 | ourselves. */ | |
177 | abort (); | |
178 | } | |
179 | ||
180 | /* This function takes an error MSG, a vtable map variable | |
181 | (DATA_SET_PTR) and a vtable pointer (VTBL_PTR). It is called when | |
182 | an attempt to verify VTBL_PTR with the set pointed to by | |
183 | DATA_SET_PTR failed. It outputs a failure message with the | |
184 | addresses involved, and calls __vtv_really_fail. */ | |
185 | ||
186 | static void | |
187 | vtv_fail (const char *msg, void **data_set_ptr, const void *vtbl_ptr) | |
188 | { | |
189 | char buffer[128]; | |
190 | int buf_len; | |
191 | const char *format_str = | |
192 | "*** Unable to verify vtable pointer (%p) in set (%p) *** \n"; | |
193 | ||
194 | snprintf (buffer, sizeof (buffer), format_str, vtbl_ptr, | |
195 | is_set_handle_handle(*data_set_ptr) ? | |
196 | ptr_from_set_handle_handle (*data_set_ptr) : | |
197 | *data_set_ptr); | |
198 | buf_len = strlen (buffer); | |
199 | /* Send this to to stderr. */ | |
200 | write (2, buffer, buf_len); | |
201 | ||
202 | if (!vtv_no_abort) | |
203 | __vtv_really_fail (msg); | |
204 | } | |
205 | ||
206 | /* Send information about what we were trying to do when verification | |
207 | failed to the error log, then call vtv_fail. This function can be | |
208 | overwritten/replaced by the user, to implement a secondary | |
209 | verification function instead. DATA_SET_PTR is the vtable map | |
210 | variable used for the failed verification, and VTBL_PTR is the | |
211 | vtable pointer that was not found in the set. */ | |
212 | ||
213 | void | |
214 | __vtv_verify_fail (void **data_set_ptr, const void *vtbl_ptr) | |
215 | { | |
216 | char log_msg[256]; | |
217 | snprintf (log_msg, sizeof (log_msg), "Looking for vtable %p in set %p.\n", | |
218 | vtbl_ptr, | |
219 | is_set_handle_handle (*data_set_ptr) ? | |
220 | ptr_from_set_handle_handle (*data_set_ptr) : | |
221 | *data_set_ptr); | |
222 | log_error_message (log_msg, false); | |
223 | ||
224 | const char *format_str = | |
225 | "*** Unable to verify vtable pointer (%p) in set (%p) *** \n"; | |
226 | snprintf (log_msg, sizeof (log_msg), format_str, vtbl_ptr, *data_set_ptr); | |
227 | log_error_message (log_msg, false); | |
228 | log_error_message (" Backtrace: \n", true); | |
229 | ||
230 | const char *fail_msg = "Potential vtable pointer corruption detected!!\n"; | |
231 | vtv_fail (fail_msg, data_set_ptr, vtbl_ptr); | |
232 | } | |
233 |