[thirdparty/gcc.git] / libvtv / vtv_fail.cc

/* Copyright (C) 2012-2020 Free Software Foundation, Inc.

 This file is part of GCC.

 GCC is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 3, or (at your option)
 any later version.

 GCC is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.

 Under Section 7 of GPL version 3, you are granted additional
 permissions described in the GCC Runtime Library Exception, version
 3.1, as published by the Free Software Foundation.

 You should have received a copy of the GNU General Public License and
 a copy of the GCC Runtime Library Exception along with this program;
 see the files COPYING3 and COPYING.RUNTIME respectively.  If not, see
 <http://www.gnu.org/licenses/>.  */

/* This file is part of the vtable security feature implementation.
   The vtable security feature is designed to detect when a virtual
   call is about to be made through an invalid vtable pointer
   (possibly due to data corruption or malicious attacks).

   This file also contains the failure functions that get called when
   a vtable pointer is not found in the data set.  Two particularly
   important functions are __vtv_verify_fail and __vtv_really_fail.
   They are both externally visible.  __vtv_verify_fail is defined in
   such a way that it can be replaced by a programmer, if desired.  It
   is the function that __VLTVerifyVtablePointer calls if it can't
   find the pointer in the data set.  Allowing the programmer to
   overwrite this function means that he/she can do some alternate
   verification, including NOT failing in certain specific cases, if
   desired.  This may be the case if the programmer has to deal wtih
   unverified third party software, for example.  __vtv_really_fail is
   available for the programmer to call from his version of
   __vtv_verify_fail, if he decides the failure is real.

*/

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#if !defined (__CYGWIN__) && !defined (__MINGW32__)
#include <execinfo.h>
#endif

#include <unistd.h>

#include "vtv_utils.h"
#include "vtv_fail.h"

/* This is used to disable aborts for debugging purposes.  */
bool vtv_no_abort = false;


extern "C" {

  /* __fortify_fail is a function in glibc that calls __libc_message,
     causing it to print out a program termination error message
     (including the name of the binary being terminated), a stack
     trace where the error occurred, and a memory map dump.  Ideally
     we would have called __libc_message directly, but that function
     does not appear to be accessible to functions outside glibc,
     whereas __fortify_fail is.  We call __fortify_fail from
     __vtv_really_fail.  We looked at calling __libc_fatal, which is
     externally accessible, but it does not do the back trace and
     memory dump.  */

  extern void __fortify_fail (const char *) __attribute__((noreturn));

} /* extern "C" */

const unsigned long SET_HANDLE_HANDLE_BIT = 0x2;

/* Instantiate the template classes (in vtv_set.h) for our particular
   hash table needs.  */
typedef void * vtv_set_handle;
typedef vtv_set_handle * vtv_set_handle_handle; 

static int vtv_failures_log_fd = -1;

/* Open error logging file, if not already open, and write vtable
   verification failure messages (LOG_MSG) to the log file.  Also
   generate a backtrace in the log file, if GENERATE_BACKTRACE is
   set.  */

static void
log_error_message (const char *log_msg, bool generate_backtrace)
{
  if (vtv_failures_log_fd == -1)
    vtv_failures_log_fd = vtv_open_log ("vtable_verification_failures.log");

  if (vtv_failures_log_fd == -1)
    return;

  vtv_add_to_log (vtv_failures_log_fd, "%s", log_msg);

  if (generate_backtrace)
    {
#define STACK_DEPTH 20
      void *callers[STACK_DEPTH];
#if !defined (__CYGWIN__) && !defined (__MINGW32__)
      int actual_depth = backtrace (callers, STACK_DEPTH);
      backtrace_symbols_fd (callers, actual_depth, vtv_failures_log_fd);
#endif
    }
}

/* In the case where a vtable map variable is the only instance of the
   variable we have seen, it points directly to the set of valid
   vtable pointers.  All subsequent instances of the 'same' vtable map
   variable point to the first vtable map variable.  This function,
   given a vtable map variable PTR, checks a bit to see whether it's
   pointing directly to the data set or to the first vtable map
   variable.  */

static inline bool
is_set_handle_handle (void * ptr)
{
  return ((unsigned long) ptr & SET_HANDLE_HANDLE_BIT)
                                                      == SET_HANDLE_HANDLE_BIT;
}

/* Returns the actual pointer value of a vtable map variable, PTR (see
   comments for is_set_handle_handle for more details).  */

static inline vtv_set_handle * 
ptr_from_set_handle_handle (void * ptr)
{
  return (vtv_set_handle *) ((unsigned long) ptr & ~SET_HANDLE_HANDLE_BIT);
}

/* Given a vtable map variable, PTR, this function sets the bit that
   says this is the second (or later) instance of a vtable map
   variable.  */

static inline vtv_set_handle_handle
set_handle_handle (vtv_set_handle * ptr)
{
  return (vtv_set_handle_handle) ((unsigned long) ptr | SET_HANDLE_HANDLE_BIT);
}

/* This function is called from __VLTVerifyVtablePointerDebug; it
   sends as much debugging information as it can to the error log
   file, then calls __vtv_verify_fail.  SET_HANDLE_PTR is the pointer
   to the set of valid vtable pointers, VTBL_PTR is the pointer that
   was not found in the set, and DEBUG_MSG is the message to be
   written to the log file before failing. n */

void
__vtv_verify_fail_debug (void **set_handle_ptr, const void *vtbl_ptr, 
                         const char *debug_msg)
{
  log_error_message (debug_msg, false);

  /* Call the public interface in case it has been overwritten by
     user.  */
  __vtv_verify_fail (set_handle_ptr, vtbl_ptr);

  log_error_message ("Returned from __vtv_verify_fail."
                     " Secondary verification succeeded.\n", false);
}

/* This function calls __fortify_fail with a FAILURE_MSG and then
   calls abort.  */

void
__vtv_really_fail (const char *failure_msg)
{
  __fortify_fail (failure_msg);

  /* We should never get this far; __fortify_fail calls __libc_message
     which prints out a back trace and a memory dump and then is
     supposed to call abort, but let's play it safe anyway and call abort
     ourselves.  */
  abort ();
}

/* This function takes an error MSG, a vtable map variable
   (DATA_SET_PTR) and a vtable pointer (VTBL_PTR).  It is called when
   an attempt to verify VTBL_PTR with the set pointed to by
   DATA_SET_PTR failed.  It outputs a failure message with the
   addresses involved, and calls __vtv_really_fail.  */

static void
vtv_fail (const char *msg, void **data_set_ptr, const void *vtbl_ptr)
{
  char buffer[128];
  int buf_len;
  const char *format_str =
                 "*** Unable to verify vtable pointer (%p) in set (%p) *** \n";

  snprintf (buffer, sizeof (buffer), format_str, vtbl_ptr,
            is_set_handle_handle(*data_set_ptr) ?
              ptr_from_set_handle_handle (*data_set_ptr) :
	      *data_set_ptr);
  buf_len = strlen (buffer);
  /*  Send this to to stderr.  */
  write (2, buffer, buf_len);

  if (!vtv_no_abort)
    __vtv_really_fail (msg);
}

/* Send information about what we were trying to do when verification
   failed to the error log, then call vtv_fail.  This function can be
   overwritten/replaced by the user, to implement a secondary
   verification function instead.  DATA_SET_PTR is the vtable map
   variable used for the failed verification, and VTBL_PTR is the
   vtable pointer that was not found in the set.  */

void
__vtv_verify_fail (void **data_set_ptr, const void *vtbl_ptr)
{
  char log_msg[256];
  snprintf (log_msg, sizeof (log_msg), "Looking for vtable %p in set %p.\n",
            vtbl_ptr,
            is_set_handle_handle (*data_set_ptr) ?
              ptr_from_set_handle_handle (*data_set_ptr) :
              *data_set_ptr);
  log_error_message (log_msg, false);

  const char *format_str =
            "*** Unable to verify vtable pointer (%p) in set (%p) *** \n";
  snprintf (log_msg, sizeof (log_msg), format_str, vtbl_ptr, *data_set_ptr);
  log_error_message (log_msg, false);
  log_error_message ("  Backtrace: \n", true);

  const char *fail_msg = "Potential vtable pointer corruption detected!!\n";
  vtv_fail (fail_msg, data_set_ptr, vtbl_ptr);
}
Commit	Line	Data
8d9254fc	1	/* Copyright (C) 2012-2020 Free Software Foundation, Inc.
2077db1b CT	2
	3	This file is part of GCC.
	4
	5	GCC is free software; you can redistribute it and/or modify
	6	it under the terms of the GNU General Public License as published by
	7	the Free Software Foundation; either version 3, or (at your option)
	8	any later version.
	9
	10	GCC is distributed in the hope that it will be useful,
	11	but WITHOUT ANY WARRANTY; without even the implied warranty of
	12	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	13	GNU General Public License for more details.
	14
	15	Under Section 7 of GPL version 3, you are granted additional
	16	permissions described in the GCC Runtime Library Exception, version
	17	3.1, as published by the Free Software Foundation.
	18
	19	You should have received a copy of the GNU General Public License and
	20	a copy of the GCC Runtime Library Exception along with this program;
	21	see the files COPYING3 and COPYING.RUNTIME respectively. If not, see
	22	<http://www.gnu.org/licenses/>. */
	23
	24	/* This file is part of the vtable security feature implementation.
	25	The vtable security feature is designed to detect when a virtual
	26	call is about to be made through an invalid vtable pointer
	27	(possibly due to data corruption or malicious attacks).
	28
	29	This file also contains the failure functions that get called when
	30	a vtable pointer is not found in the data set. Two particularly
	31	important functions are __vtv_verify_fail and __vtv_really_fail.
	32	They are both externally visible. __vtv_verify_fail is defined in
	33	such a way that it can be replaced by a programmer, if desired. It
	34	is the function that __VLTVerifyVtablePointer calls if it can't
	35	find the pointer in the data set. Allowing the programmer to
	36	overwrite this function means that he/she can do some alternate
	37	verification, including NOT failing in certain specific cases, if
	38	desired. This may be the case if the programmer has to deal wtih
	39	unverified third party software, for example. __vtv_really_fail is
	40	available for the programmer to call from his version of
	41	__vtv_verify_fail, if he decides the failure is real.
	42
	43	*/
	44
	45	#include <stdlib.h>
	46	#include <stdio.h>
	47	#include <string.h>
f7f049fa CT	48
f7f049fa CT	49	#if !defined (__CYGWIN__) && !defined (__MINGW32__)
2077db1b	50	#include <execinfo.h>
f7f049fa CT	51	#endif
f7f049fa CT	52
2077db1b CT	53	#include <unistd.h>
	54
	55	#include "vtv_utils.h"
	56	#include "vtv_fail.h"
	57
	58	/* This is used to disable aborts for debugging purposes. */
	59	bool vtv_no_abort = false;
	60
	61
	62	extern "C" {
	63
	64	/* __fortify_fail is a function in glibc that calls __libc_message,
	65	causing it to print out a program termination error message
	66	(including the name of the binary being terminated), a stack
	67	trace where the error occurred, and a memory map dump. Ideally
	68	we would have called __libc_message directly, but that function
	69	does not appear to be accessible to functions outside glibc,
	70	whereas __fortify_fail is. We call __fortify_fail from
	71	__vtv_really_fail. We looked at calling __libc_fatal, which is
	72	externally accessible, but it does not do the back trace and
	73	memory dump. */
	74
	75	extern void __fortify_fail (const char *) __attribute__((noreturn));
	76
	77	} /* extern "C" */
	78
	79	const unsigned long SET_HANDLE_HANDLE_BIT = 0x2;
	80
	81	/* Instantiate the template classes (in vtv_set.h) for our particular
	82	hash table needs. */
	83	typedef void * vtv_set_handle;
	84	typedef vtv_set_handle * vtv_set_handle_handle;
	85
	86	static int vtv_failures_log_fd = -1;
	87
	88	/* Open error logging file, if not already open, and write vtable
	89	verification failure messages (LOG_MSG) to the log file. Also
	90	generate a backtrace in the log file, if GENERATE_BACKTRACE is
	91	set. */
	92
	93	static void
	94	log_error_message (const char *log_msg, bool generate_backtrace)
	95	{
	96	if (vtv_failures_log_fd == -1)
	97	vtv_failures_log_fd = vtv_open_log ("vtable_verification_failures.log");
	98
	99	if (vtv_failures_log_fd == -1)
	100	return;
	101
	102	vtv_add_to_log (vtv_failures_log_fd, "%s", log_msg);
	103
	104	if (generate_backtrace)
	105	{
	106	#define STACK_DEPTH 20
	107	void *callers[STACK_DEPTH];
f7f049fa	108	#if !defined (__CYGWIN__) && !defined (__MINGW32__)
2077db1b CT	109	int actual_depth = backtrace (callers, STACK_DEPTH);
2077db1b CT	110	backtrace_symbols_fd (callers, actual_depth, vtv_failures_log_fd);
f7f049fa	111	#endif
2077db1b CT	112	}
	113	}
	114
	115	/* In the case where a vtable map variable is the only instance of the
	116	variable we have seen, it points directly to the set of valid
	117	vtable pointers. All subsequent instances of the 'same' vtable map
	118	variable point to the first vtable map variable. This function,
	119	given a vtable map variable PTR, checks a bit to see whether it's
	120	pointing directly to the data set or to the first vtable map
	121	variable. */
	122
	123	static inline bool
	124	is_set_handle_handle (void * ptr)
	125	{
	126	return ((unsigned long) ptr & SET_HANDLE_HANDLE_BIT)
	127	== SET_HANDLE_HANDLE_BIT;
	128	}
	129
	130	/* Returns the actual pointer value of a vtable map variable, PTR (see
	131	comments for is_set_handle_handle for more details). */
	132
	133	static inline vtv_set_handle *
	134	ptr_from_set_handle_handle (void * ptr)
	135	{
	136	return (vtv_set_handle *) ((unsigned long) ptr & ~SET_HANDLE_HANDLE_BIT);
	137	}
	138
	139	/* Given a vtable map variable, PTR, this function sets the bit that
	140	says this is the second (or later) instance of a vtable map
	141	variable. */
	142
	143	static inline vtv_set_handle_handle
	144	set_handle_handle (vtv_set_handle * ptr)
	145	{
	146	return (vtv_set_handle_handle) ((unsigned long) ptr \| SET_HANDLE_HANDLE_BIT);
	147	}
	148
	149	/* This function is called from __VLTVerifyVtablePointerDebug; it
	150	sends as much debugging information as it can to the error log
	151	file, then calls __vtv_verify_fail. SET_HANDLE_PTR is the pointer
	152	to the set of valid vtable pointers, VTBL_PTR is the pointer that
	153	was not found in the set, and DEBUG_MSG is the message to be
	154	written to the log file before failing. n */
	155
	156	void
	157	__vtv_verify_fail_debug (void *set_handle_ptr, const void vtbl_ptr,
	158	const char *debug_msg)
	159	{
	160	log_error_message (debug_msg, false);
	161
	162	/* Call the public interface in case it has been overwritten by
	163	user. */
	164	__vtv_verify_fail (set_handle_ptr, vtbl_ptr);
	165
	166	log_error_message ("Returned from __vtv_verify_fail."
	167	" Secondary verification succeeded.\n", false);
	168	}
	169
	170	/* This function calls __fortify_fail with a FAILURE_MSG and then
	171	calls abort. */
	172
	173	void
	174	__vtv_really_fail (const char *failure_msg)
	175	{
176	__fortify_fail (failure_msg);
177
178	/* We should never get this far; __fortify_fail calls __libc_message
179	which prints out a back trace and a memory dump and then is
180	supposed to call abort, but let's play it safe anyway and call abort
181	ourselves. */
182	abort ();
183	}
184
185	/* This function takes an error MSG, a vtable map variable
186	(DATA_SET_PTR) and a vtable pointer (VTBL_PTR). It is called when
187	an attempt to verify VTBL_PTR with the set pointed to by
188	DATA_SET_PTR failed. It outputs a failure message with the
189	addresses involved, and calls __vtv_really_fail. */
190
191	static void
192	vtv_fail (const char msg, void data_set_ptr, const void vtbl_ptr)
193	{
194	char buffer[128];
195	int buf_len;
196	const char *format_str =
197	"* Unable to verify vtable pointer (%p) in set (%p) * \n";
198
199	snprintf (buffer, sizeof (buffer), format_str, vtbl_ptr,
200	is_set_handle_handle(*data_set_ptr) ?
201	ptr_from_set_handle_handle (*data_set_ptr) :
202	*data_set_ptr);
203	buf_len = strlen (buffer);
204	/* Send this to to stderr. */
205	write (2, buffer, buf_len);
206
207	if (!vtv_no_abort)
208	__vtv_really_fail (msg);
209	}
210
211	/* Send information about what we were trying to do when verification
212	failed to the error log, then call vtv_fail. This function can be
213	overwritten/replaced by the user, to implement a secondary
214	verification function instead. DATA_SET_PTR is the vtable map
215	variable used for the failed verification, and VTBL_PTR is the
216	vtable pointer that was not found in the set. */
217
218	void
219	__vtv_verify_fail (void *data_set_ptr, const void vtbl_ptr)
220	{
221	char log_msg[256];
222	snprintf (log_msg, sizeof (log_msg), "Looking for vtable %p in set %p.\n",
223	vtbl_ptr,
224	is_set_handle_handle (*data_set_ptr) ?
225	ptr_from_set_handle_handle (*data_set_ptr) :
226	*data_set_ptr);
227	log_error_message (log_msg, false);
228
229	const char *format_str =
230	"* Unable to verify vtable pointer (%p) in set (%p) * \n";
231	snprintf (log_msg, sizeof (log_msg), format_str, vtbl_ptr, *data_set_ptr);
232	log_error_message (log_msg, false);
233	log_error_message (" Backtrace: \n", true);
234
235	const char *fail_msg = "Potential vtable pointer corruption detected!!\n";
236	vtv_fail (fail_msg, data_set_ptr, vtbl_ptr);
237	}
238