1*5e3eaea3SApple OSS Distributions /*
2*5e3eaea3SApple OSS Distributions * Copyright (c) 2016-2021 Apple Inc. All rights reserved.
3*5e3eaea3SApple OSS Distributions *
4*5e3eaea3SApple OSS Distributions * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5*5e3eaea3SApple OSS Distributions *
6*5e3eaea3SApple OSS Distributions * This file contains Original Code and/or Modifications of Original Code
7*5e3eaea3SApple OSS Distributions * as defined in and that are subject to the Apple Public Source License
8*5e3eaea3SApple OSS Distributions * Version 2.0 (the 'License'). You may not use this file except in
9*5e3eaea3SApple OSS Distributions * compliance with the License. The rights granted to you under the License
10*5e3eaea3SApple OSS Distributions * may not be used to create, or enable the creation or redistribution of,
11*5e3eaea3SApple OSS Distributions * unlawful or unlicensed copies of an Apple operating system, or to
12*5e3eaea3SApple OSS Distributions * circumvent, violate, or enable the circumvention or violation of, any
13*5e3eaea3SApple OSS Distributions * terms of an Apple operating system software license agreement.
14*5e3eaea3SApple OSS Distributions *
15*5e3eaea3SApple OSS Distributions * Please obtain a copy of the License at
16*5e3eaea3SApple OSS Distributions * http://www.opensource.apple.com/apsl/ and read it before using this file.
17*5e3eaea3SApple OSS Distributions *
18*5e3eaea3SApple OSS Distributions * The Original Code and all software distributed under the License are
19*5e3eaea3SApple OSS Distributions * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20*5e3eaea3SApple OSS Distributions * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21*5e3eaea3SApple OSS Distributions * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22*5e3eaea3SApple OSS Distributions * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23*5e3eaea3SApple OSS Distributions * Please see the License for the specific language governing rights and
24*5e3eaea3SApple OSS Distributions * limitations under the License.
25*5e3eaea3SApple OSS Distributions *
26*5e3eaea3SApple OSS Distributions * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27*5e3eaea3SApple OSS Distributions */
28*5e3eaea3SApple OSS Distributions
29*5e3eaea3SApple OSS Distributions #include <string.h>
30*5e3eaea3SApple OSS Distributions #include <stdint.h>
31*5e3eaea3SApple OSS Distributions #include <stdbool.h>
32*5e3eaea3SApple OSS Distributions #include <vm/vm_map.h>
33*5e3eaea3SApple OSS Distributions #include <kern/assert.h>
34*5e3eaea3SApple OSS Distributions #include <kern/cpu_data.h>
35*5e3eaea3SApple OSS Distributions #include <machine/machine_routines.h>
36*5e3eaea3SApple OSS Distributions #include <kern/locks.h>
37*5e3eaea3SApple OSS Distributions #include <kern/simple_lock.h>
38*5e3eaea3SApple OSS Distributions #include <kern/debug.h>
39*5e3eaea3SApple OSS Distributions #include <kern/backtrace.h>
40*5e3eaea3SApple OSS Distributions #include <kern/thread.h>
41*5e3eaea3SApple OSS Distributions #include <kern/btlog.h>
42*5e3eaea3SApple OSS Distributions #include <libkern/libkern.h>
43*5e3eaea3SApple OSS Distributions #include <mach/mach_vm.h>
44*5e3eaea3SApple OSS Distributions #include <mach/mach_types.h>
45*5e3eaea3SApple OSS Distributions #include <mach/vm_param.h>
46*5e3eaea3SApple OSS Distributions #include <mach/machine/vm_param.h>
47*5e3eaea3SApple OSS Distributions #include <mach/sdt.h>
48*5e3eaea3SApple OSS Distributions #include <machine/atomic.h>
49*5e3eaea3SApple OSS Distributions #include <sys/sysctl.h>
50*5e3eaea3SApple OSS Distributions
51*5e3eaea3SApple OSS Distributions #include "kasan.h"
52*5e3eaea3SApple OSS Distributions #include "kasan_internal.h"
53*5e3eaea3SApple OSS Distributions #include "memintrinsics.h"
54*5e3eaea3SApple OSS Distributions #include "kasan-classic.h"
55*5e3eaea3SApple OSS Distributions
56*5e3eaea3SApple OSS Distributions
57*5e3eaea3SApple OSS Distributions /*
58*5e3eaea3SApple OSS Distributions * KASAN-CLASSIC
59*5e3eaea3SApple OSS Distributions *
60*5e3eaea3SApple OSS Distributions * This implementation relies on a shadow table that matches each
61*5e3eaea3SApple OSS Distributions * byte with 8 bytes of the kernel virtual address space. The value of this
62*5e3eaea3SApple OSS Distributions * byte is either:
63*5e3eaea3SApple OSS Distributions *
64*5e3eaea3SApple OSS Distributions * - 0: the full 8 bytes are addressable
65*5e3eaea3SApple OSS Distributions * - [1,7]: the byte is partially addressable (as many valid bytes
66*5e3eaea3SApple OSS Distributions * as specified)
67*5e3eaea3SApple OSS Distributions * - 0xFx, 0xAC, 0xE9: byte is not addressable and poisoned somehow (for a
68*5e3eaea3SApple OSS Distributions * complete list, check kasan-classic.h)
69*5e3eaea3SApple OSS Distributions *
70*5e3eaea3SApple OSS Distributions * Through instrumentation of every load and store and through modifications
71*5e3eaea3SApple OSS Distributions * to the kernel to properly record and/or quarantine memory regions as a
72*5e3eaea3SApple OSS Distributions * consequence of memory management operations, KASAN can detect nearly any
 * type of memory corruption, with two big caveats -- linear overflows into
 * adjacent valid memory and use-after-free -- which shadow checking alone
 * cannot see. These are addressed by redzoning and quarantines, respectively.
75*5e3eaea3SApple OSS Distributions *
76*5e3eaea3SApple OSS Distributions * For linear overflows, if the adjacent memory is valid (as it is common on
77*5e3eaea3SApple OSS Distributions * both stack and heap), KASAN must add redzones next to each buffer.
78*5e3eaea3SApple OSS Distributions * For use-after-free, free'd buffers are not returned immediately on subsequent
79*5e3eaea3SApple OSS Distributions * memory allocation calls, but are 'stored' in a quarantined region, de-facto
80*5e3eaea3SApple OSS Distributions * delaying reallocation.
81*5e3eaea3SApple OSS Distributions *
82*5e3eaea3SApple OSS Distributions * KASAN-CLASSIC has significant memory cost:
83*5e3eaea3SApple OSS Distributions * 1) ~13% of available memory for the shadow table (4G phone -> ~512MB)
84*5e3eaea3SApple OSS Distributions * 2) ~20-30MB of quarantine space
85*5e3eaea3SApple OSS Distributions * 3) extra padding introduced to support redzones
86*5e3eaea3SApple OSS Distributions *
87*5e3eaea3SApple OSS Distributions * (1) and (2) is backed by stealing memory at boot. (3) is instead added at
88*5e3eaea3SApple OSS Distributions * runtime on top of each allocation.
89*5e3eaea3SApple OSS Distributions */
90*5e3eaea3SApple OSS Distributions
/* Refuse to build this backend in a KASAN_LIGHT configuration: classic mode has no light variant. */
_Static_assert(!KASAN_LIGHT, "Light mode not supported by KASan Classic.");
92*5e3eaea3SApple OSS Distributions
93*5e3eaea3SApple OSS Distributions /* Configuration options */
/*
 * Runtime switches. Both are plain, non-atomic globals: set in
 * kasan_impl_init(), cleared in kasan_impl_kdp_disable(), and read on every
 * instrumented access (checks_enabled gates kasan_check_range()).
 */
static unsigned quarantine_enabled = 1; /* Quarantine on/off */
static bool checks_enabled = false; /* Poison checking on/off; off until kasan_impl_init() */
96*5e3eaea3SApple OSS Distributions
97*5e3eaea3SApple OSS Distributions /*
98*5e3eaea3SApple OSS Distributions * LLVM contains enough logic to inline check operations against the shadow
99*5e3eaea3SApple OSS Distributions * table and uses this symbol as an anchor to find it in memory.
100*5e3eaea3SApple OSS Distributions */
/* Read-only on purpose: the inlined checks take the shadow base from here, so it must not be writable at runtime. */
const uintptr_t __asan_shadow_memory_dynamic_address = KASAN_OFFSET;
102*5e3eaea3SApple OSS Distributions
void
kasan_impl_init(void)
{
	/*
	 * Turn shadow checking on as early as possible so instrumented accesses
	 * are validated from here on, then arm the quarantine (its default).
	 * Both are plain stores to the module-level switches above.
	 */
	checks_enabled = true;
	quarantine_enabled = 1;
}
112*5e3eaea3SApple OSS Distributions
void
kasan_impl_kdp_disable(void)
{
	/*
	 * Switch every classic-mode feature off: quarantine, stack
	 * use-after-return detection, fake stacks and shadow checking.
	 * Presumably invoked when the kernel debugger (KDP) takes over, so its
	 * own memory accesses are not flagged -- confirm against the caller.
	 * These are plain stores to non-atomic globals that the instrumentation
	 * hot paths read; no ordering is enforced. checks_enabled is cleared last.
	 */
	quarantine_enabled = 0;
	__asan_option_detect_stack_use_after_return = 0;
	fakestack_enabled = 0;
	checks_enabled = false;
}
121*5e3eaea3SApple OSS Distributions
void NOINLINE
kasan_impl_late_init(void)
{
	/*
	 * Second-stage init: bring up the fake stack, which kasan_impl_init()
	 * deliberately leaves for later (presumably it needs services that are
	 * not available during early boot -- confirm in kasan_init_fakestack()).
	 */
	kasan_init_fakestack();
}
127*5e3eaea3SApple OSS Distributions
128*5e3eaea3SApple OSS Distributions /* Describes the source location where a global is defined. */
/* Describes the source location where a global is defined. */
struct asan_global_source_location {
	const char *filename;   /* source file that defines the global */
	int line_no;            /* 1-based line of the definition */
	int column_no;          /* column of the definition */
};
134*5e3eaea3SApple OSS Distributions
135*5e3eaea3SApple OSS Distributions /* Describes an instrumented global variable. */
/*
 * Describes an instrumented global variable.
 *
 * Layout matters: kasan_init_globals() walks the globals section as an array
 * of these records, so the field order and sizes must match what the compiler
 * emits for its version (hence the CLANG_MIN_VERSION gate on odr_indicator).
 * Do not reorder or add fields.
 */
struct asan_global {
	uptr addr;               /* start of the variable */
	uptr size;               /* size of the variable itself */
	uptr size_with_redzone;  /* size including the trailing redzone; rz = this - size */
	const char *name;
	const char *module;
	uptr has_dynamic_init;
	struct asan_global_source_location *location;
#if CLANG_MIN_VERSION(8020000)
	uptr odr_indicator;      /* newer compilers append this field */
#endif
};
148*5e3eaea3SApple OSS Distributions
149*5e3eaea3SApple OSS Distributions /* Walk through the globals section and set them up at boot */
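/* Walk through the globals section and set them up at boot */
void NOINLINE
kasan_init_globals(vm_offset_t base, vm_size_t size)
{
	/*
	 * [base, base+size) is an array of asan_global records (presumably
	 * compiler-emitted; the struct mirrors the ASan runtime's layout). A
	 * size that is not a whole number of records means the record layout
	 * does not match the compiler's, or the section bounds are wrong. Fail
	 * here rather than read a truncated record past base+size and poison
	 * shadow from garbage fields.
	 */
	assert(size % sizeof(struct asan_global) == 0);

	struct asan_global *glob = (struct asan_global *)base;
	struct asan_global *const glob_end = (struct asan_global *)(base + size);

	for (; glob < glob_end; glob++) {
		/*
		 * Unpoison the variable itself and tag the padding after it as a
		 * global redzone: size=variable size, leftsz=0,
		 * rightsz=size_with_redzone - size.
		 */
		kasan_poison(glob->addr, glob->size, 0,
		    glob->size_with_redzone - glob->size, ASAN_GLOBAL_RZ);
	}
}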
163*5e3eaea3SApple OSS Distributions
164*5e3eaea3SApple OSS Distributions /* Reporting */
static const char *
kasan_classic_access_to_str(access_t type)
{
	/*
	 * Verb used in the violation report for an access kind. Order matters:
	 * a type carrying several bits is described by the first matching
	 * entry (read, then write, then free).
	 */
	static const struct {
		access_t mask;
		const char *verb;
	} verbs[] = {
		{ TYPE_READ, "load from" },
		{ TYPE_WRITE, "store to" },
		{ TYPE_FREE, "free of" },
	};

	for (size_t i = 0; i < sizeof(verbs) / sizeof(verbs[0]); i++) {
		if (type & verbs[i].mask) {
			return verbs[i].verb;
		}
	}

	/* No recognised bit set: fall back to a neutral description. */
	return "access of";
}
178*5e3eaea3SApple OSS Distributions
/*
 * Human-readable names for shadow byte values, used by kasan_impl_decode_issue().
 * The [0xff] entry sizes the table to 256 slots so any uint8_t shadow value
 * indexes in bounds; values without a name read as NULL and are reported as
 * "<invalid>".
 */
static const char *kasan_classic_shadow_strings[] = {
	[ASAN_VALID] = "VALID",
	[ASAN_PARTIAL1] = "PARTIAL1",
	[ASAN_PARTIAL2] = "PARTIAL2",
	[ASAN_PARTIAL3] = "PARTIAL3",
	[ASAN_PARTIAL4] = "PARTIAL4",
	[ASAN_PARTIAL5] = "PARTIAL5",
	[ASAN_PARTIAL6] = "PARTIAL6",
	[ASAN_PARTIAL7] = "PARTIAL7",
	[ASAN_STACK_LEFT_RZ] = "STACK_LEFT_RZ",
	[ASAN_STACK_MID_RZ] = "STACK_MID_RZ",
	[ASAN_STACK_RIGHT_RZ] = "STACK_RIGHT_RZ",
	[ASAN_STACK_FREED] = "STACK_FREED",
	[ASAN_STACK_OOSCOPE] = "STACK_OOSCOPE",
	[ASAN_GLOBAL_RZ] = "GLOBAL_RZ",
	[ASAN_HEAP_LEFT_RZ] = "HEAP_LEFT_RZ",
	[ASAN_HEAP_RIGHT_RZ] = "HEAP_RIGHT_RZ",
	[ASAN_HEAP_FREED] = "HEAP_FREED",
	[0xff] = NULL /* forces 256 entries; not a real shadow tag */
};
199*5e3eaea3SApple OSS Distributions
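/*
 * Format a one-line description of a violation into logbuf.
 *   p, width: faulting address and access size
 *   access:   read/write/free, see kasan_classic_access_to_str()
 *   reason:   why the access was rejected
 * Returns the number of characters written (scnprintf semantics).
 */
size_t
kasan_impl_decode_issue(char *logbuf, size_t bufsize, uptr p, uptr width, access_t access, violation_t reason)
{
	size_t n = 0;

	if (reason == REASON_MOD_OOB || reason == REASON_BAD_METADATA) {
		/* p is an object whose header/metadata failed validation. */
		n += scnprintf(logbuf, bufsize, "KASan: free of corrupted/invalid object %#lx\n", p);
	} else if (reason == REASON_MOD_AFTER_FREE) {
		n += scnprintf(logbuf, bufsize, "KASan: UaF of quarantined object %#lx\n", p);
	} else {
		/*
		 * Only this report needs the shadow byte, so the lookup is done here
		 * rather than up front: the two paths above describe a pointer that
		 * has already been found to be corrupted or invalid, and there is no
		 * reason to touch the shadow table for it on the way to a panic.
		 */
		uint8_t shadow_type = *SHADOW_FOR_ADDRESS(p);
		const char *shadow_str = kasan_classic_shadow_strings[shadow_type];
		if (!shadow_str) {
			shadow_str = "<invalid>";
		}
		n += scnprintf(logbuf, bufsize, "KASan: invalid %lu-byte %s %#lx [%s]\n",
		    width, kasan_classic_access_to_str(access), p, shadow_str);
	}

	return n;
}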
223*5e3eaea3SApple OSS Distributions
/*
 * Whether poisoning with the given shadow tag is currently switched on.
 * Global and heap tags have their own toggles; every other tag (stack etc.)
 * is always applied.
 */
static inline bool
kasan_poison_active(uint8_t flags)
{
	if (flags == ASAN_GLOBAL_RZ) {
		return kasan_check_enabled(TYPE_POISON_GLOBAL);
	}

	/* All heap-related tags share a single switch. */
	if (flags == ASAN_HEAP_RZ || flags == ASAN_HEAP_LEFT_RZ ||
	    flags == ASAN_HEAP_RIGHT_RZ || flags == ASAN_HEAP_FREED) {
		return kasan_check_enabled(TYPE_POISON_HEAP);
	}

	return true;
}
239*5e3eaea3SApple OSS Distributions
240*5e3eaea3SApple OSS Distributions /*
 * Create a poisoned redzone at the start and at the end of a (marked) valid range.
242*5e3eaea3SApple OSS Distributions * Parameters:
243*5e3eaea3SApple OSS Distributions * base: starting address (including the eventual left red zone)
244*5e3eaea3SApple OSS Distributions * size: size of the valid range
245*5e3eaea3SApple OSS Distributions * leftrz: size (multiple of KASAN_GRANULE) of the left redzone
246*5e3eaea3SApple OSS Distributions * rightrz: size (multiple of KASAN_GRANULE) of the right redzone
247*5e3eaea3SApple OSS Distributions * flags: select between different poisoning options (e.g. stack vs heap)
248*5e3eaea3SApple OSS Distributions */
void NOINLINE
kasan_poison(vm_offset_t base, vm_size_t size, vm_size_t leftrz,
    vm_size_t rightrz, uint8_t flags)
{
	uint8_t *cursor = SHADOW_FOR_ADDRESS(base);
	/* Valid bytes in the last, partially valid granule (0 when size is granule-aligned). */
	const uint8_t tail = (uint8_t)kasan_granule_partial(size);
	const vm_size_t span = leftrz + size + rightrz;

	/*
	 * One shadow byte covers one granule, so the region and its left edge
	 * must start on granule boundaries and the whole span must end on one.
	 */
	assert(kasan_granule_partial(base) == 0);
	assert(kasan_granule_partial(leftrz) == 0);
	assert(kasan_granule_partial(span) == 0);

	if (!kasan_enabled || !kasan_poison_active(flags)) {
		return;
	}

	/* Generic stack/heap tags are refined into side-specific left/right tags. */
	uint8_t left_tag = flags;
	uint8_t right_tag = flags;
	if (flags == ASAN_STACK_RZ) {
		left_tag = ASAN_STACK_LEFT_RZ;
		right_tag = ASAN_STACK_RIGHT_RZ;
	} else if (flags == ASAN_HEAP_RZ) {
		left_tag = ASAN_HEAP_LEFT_RZ;
		right_tag = ASAN_HEAP_RIGHT_RZ;
	}

	/* Byte lengths -> shadow byte counts. */
	const vm_size_t left_len = leftrz >> KASAN_SCALE;
	const vm_size_t valid_len = size >> KASAN_SCALE;
	uint8_t *const limit = cursor + (span >> KASAN_SCALE);

	/* Left redzone, then the fully valid granules. */
	__nosan_memset(cursor, left_tag, left_len);
	cursor += left_len;

	__nosan_memset(cursor, ASAN_VALID, valid_len);
	cursor += valid_len;

	/* A trailing partial granule records how many of its bytes are valid. */
	if (tail != 0 && cursor < limit) {
		*cursor++ = tail;
	}

	/* Everything left up to the end of the span is the right redzone. */
	__nosan_memset(cursor, right_tag, (vm_size_t)(limit - cursor));
}
302*5e3eaea3SApple OSS Distributions
303*5e3eaea3SApple OSS Distributions /*
304*5e3eaea3SApple OSS Distributions * Check the shadow table to determine whether [base, base+size) is valid or
305*5e3eaea3SApple OSS Distributions * is poisoned.
306*5e3eaea3SApple OSS Distributions */
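static bool NOINLINE
kasan_range_poisoned(vm_offset_t base, vm_size_t size, vm_offset_t *first_invalid)
{
	uint8_t *shadow;
	vm_size_t i;

	if (!kasan_enabled) {
		return false;
	}

	/*
	 * Widen the range down to its granule boundary so it maps onto whole
	 * shadow bytes; the bytes between the granule start and the original
	 * base are validated too, which is what a partial shadow value counts.
	 */
	size += kasan_granule_partial(base);
	base = kasan_granule_trunc(base);

	shadow = SHADOW_FOR_ADDRESS(base);
	size_t limit = (size + KASAN_GRANULE - 1) / KASAN_GRANULE;

	/*
	 * Walk the shadow table, fail on any non-valid value. A granule is
	 * acceptable when fully valid (0), or when it is the last one, only
	 * partially needed, and the partial count covers the bytes needed.
	 * Anything else (a poison tag, or too small a partial) fails.
	 */
	for (i = 0; i < limit; i++, size -= KASAN_GRANULE) {
		assert(size > 0);
		uint8_t s = shadow[i];
		if (s == 0 || (size < KASAN_GRANULE && s >= size && s < KASAN_GRANULE)) {
			continue;
		}
		goto fail;
	}

	return false;

fail:
	if (first_invalid) {
		/*
		 * Report the start of the failing granule (not the exact byte), in
		 * granule units rather than a hard-coded 8 so it stays in step with
		 * KASAN_GRANULE. Note this may precede the caller's original base
		 * when that base was unaligned.
		 * XXX: calculate the exact first byte that failed
		 */
		*first_invalid = base + i * KASAN_GRANULE;
	}
	return true;
}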
344*5e3eaea3SApple OSS Distributions
/* An 8-byte valid range is identified by 0 in the kasan classic shadow table */
void
kasan_impl_fill_valid_range(uintptr_t page, size_t size)
{
	/*
	 * 'page' is a shadow-table address (not the address it covers): writing
	 * zeros marks every granule it describes as fully addressable.
	 */
	__nosan_bzero((void *)page, size);
}
351*5e3eaea3SApple OSS Distributions
352*5e3eaea3SApple OSS Distributions /*
353*5e3eaea3SApple OSS Distributions * Verify whether an access to memory is valid. A valid access is one that
354*5e3eaea3SApple OSS Distributions * doesn't touch any region marked as a poisoned redzone or invalid.
355*5e3eaea3SApple OSS Distributions * 'access' records whether the attempted access is a read or a write.
356*5e3eaea3SApple OSS Distributions */
void NOINLINE
kasan_check_range(const void *x, size_t sz, access_t access)
{
	const uintptr_t start = (uintptr_t)x;
	uintptr_t first_bad;

	/* Off until kasan_impl_init(), and cleared again by kasan_impl_kdp_disable(). */
	if (!checks_enabled) {
		return;
	}

	if (!kasan_range_poisoned(start, sz, &first_bad)) {
		return;
	}

	/*
	 * Report the tail of the access starting at the offending granule.
	 * first_bad is granule-truncated, so for an unaligned start it can sit
	 * before 'start'; the unsigned arithmetic then yields the distance from
	 * that granule to the end of the access.
	 */
	kasan_violation(first_bad, sz - (first_bad - start), access, REASON_POISONED);
}
372*5e3eaea3SApple OSS Distributions
373*5e3eaea3SApple OSS Distributions /*
374*5e3eaea3SApple OSS Distributions * Return true if [base, base+sz) is unpoisoned or matches the passed in
375*5e3eaea3SApple OSS Distributions * shadow value.
376*5e3eaea3SApple OSS Distributions */
bool
kasan_check_shadow(vm_address_t addr, vm_size_t sz, uint8_t shadow_match_value)
{
	/*
	 * Start at the first whole granule: a leading partial granule carries a
	 * byte count in its shadow, which can never equal 'shadow_match_value'.
	 */
	uintptr_t cursor = kasan_granule_round(addr);
	/*
	 * End of the range (same value, modulo unsigned wrap, as rounding first
	 * and then adding the shortened size). If sz is smaller than the bytes
	 * skipped by the rounding, the loop below does not run and the range
	 * is reported as matching.
	 */
	const uintptr_t limit = addr + sz;

	for (; cursor < limit; cursor += KASAN_GRANULE) {
		const uint8_t sh = *SHADOW_FOR_ADDRESS(cursor);
		/* Valid (0) is always accepted; anything else must be the requested tag. */
		if (sh != 0 && sh != shadow_match_value) {
			return false;
		}
	}

	return true;
}
395*5e3eaea3SApple OSS Distributions
396*5e3eaea3SApple OSS Distributions /*
397*5e3eaea3SApple OSS Distributions * KASAN zalloc hooks
398*5e3eaea3SApple OSS Distributions *
 * KASAN can only distinguish between valid and invalid memory accesses.
400*5e3eaea3SApple OSS Distributions * This property severely limits its applicability to zalloc (and any other
401*5e3eaea3SApple OSS Distributions * memory allocator), whereby linear overflows are generally to valid
402*5e3eaea3SApple OSS Distributions * memory and non-simple use-after-free can hit an already reallocated buffer.
403*5e3eaea3SApple OSS Distributions *
404*5e3eaea3SApple OSS Distributions * To overcome these limitations, KASAN requires a bunch of fairly invasive
405*5e3eaea3SApple OSS Distributions * changes to zalloc to add both red-zoning and quarantines.
406*5e3eaea3SApple OSS Distributions */
407*5e3eaea3SApple OSS Distributions
/*
 * Lifecycle of a zalloc element as tracked in its kasan_alloc_header.
 * FREED is the first enumerator (0), so zero-filled header memory reads as
 * freed, which kasan_zmem_remove() relies on when it asserts the state.
 */
__enum_decl(kasan_alloc_state_t, uint16_t, {
	KASAN_STATE_FREED,
	KASAN_STATE_ALLOCATED,
	KASAN_STATE_QUARANTINED,
});
413*5e3eaea3SApple OSS Distributions
/*
 * Per-element metadata kept in-band in the element's left redzone,
 * immediately below the user pointer (see header_for_user_addr()).
 *
 * Because it sits next to the user buffer, a linear underflow from that
 * buffer corrupts it; 'state' is the sanity check on the free path (a
 * mismatch is presumably what surfaces as a "corrupted/invalid object"
 * report -- confirm in the free/quarantine code).
 *
 * The two anonymous structs are alternative views of the same 8 bytes:
 * state/state2 overlap, so the state is readable through either.
 */
typedef struct kasan_alloc_header {
	union {
		struct {
			kasan_alloc_state_t state;
			uint16_t left_rz;     /* left redzone size, set by kasan_alloc() */
			uint32_t user_size;   /* size requested by the caller */
		};
		struct {
			kasan_alloc_state_t state2;
			intptr_t next : 48;   /* presumably links quarantined elements -- confirm */
		};
	};
	btref_t alloc_btref;  /* backtrace of the allocation */
	btref_t free_btref;   /* backtrace of the free, 0 while allocated */
} *kasan_alloc_header_t;
/* The header must be exactly the guard size the allocator reserves in front of each element. */
static_assert(sizeof(struct kasan_alloc_header) == KASAN_GUARD_SIZE);
430*5e3eaea3SApple OSS Distributions
/* Locate the in-band header that precedes a user pointer. */
static kasan_alloc_header_t
header_for_user_addr(vm_offset_t addr)
{
	/* The header occupies the bytes immediately below the user pointer. */
	vm_offset_t header_addr = addr - sizeof(struct kasan_alloc_header);
	return (kasan_alloc_header_t)header_addr;
}
436*5e3eaea3SApple OSS Distributions
/*
 * Poison a chunk of memory newly handed to a zone.
 *   addr, size: the chunk
 *   esize:      stride between consecutive elements
 *   offs:       offset of the first element within the chunk
 *   rzsize:     left redzone (header) size of each element
 * The chunk is tagged freed heap, with the leading 'offs' bytes and each
 * element's left redzone tagged as left redzone.
 */
void
kasan_zmem_add(
	vm_address_t addr,
	vm_size_t size,
	vm_offset_t esize,
	vm_offset_t offs,
	vm_offset_t rzsize)
{
	uint8_t *shadow = SHADOW_FOR_ADDRESS(addr);

	/* All edges must fall on granules, and the element area must hold whole elements. */
	assert(kasan_granule_partial(esize) == 0);
	assert(kasan_granule_partial(offs) == 0);
	assert(kasan_granule_partial(rzsize) == 0);
	assert((size - offs) % esize == 0);

	/* Byte lengths -> shadow byte counts. */
	const vm_size_t shadow_len = size >> KASAN_SCALE;
	const vm_offset_t stride = esize >> KASAN_SCALE;
	const vm_offset_t first_elem = offs >> KASAN_SCALE;
	const vm_offset_t rz_len = rzsize >> KASAN_SCALE;

	/* Nothing is allocated yet: the whole chunk is freed heap... */
	__nosan_memset(shadow, ASAN_HEAP_FREED, shadow_len);

	/* ...except the leading 'offs' bytes, which are never handed out. */
	__nosan_memset(shadow, ASAN_HEAP_LEFT_RZ, first_elem);

	/*
	 * Tag each element's left redzone, where kasan_alloc() stashes its
	 * header. Only the shadow is written here: the header contents are
	 * left as they are, so the chunk is presumably expected to arrive
	 * zero-filled (KASAN_STATE_FREED, null btrefs) -- confirm in zalloc.
	 */
	for (uint8_t *elem = shadow + first_elem; elem < shadow + shadow_len; elem += stride) {
		__nosan_memset(elem, ASAN_HEAP_LEFT_RZ, rz_len);
	}
}
465*5e3eaea3SApple OSS Distributions
/*
 * Undo kasan_zmem_add() for a chunk leaving a zone. Parameters as for
 * kasan_zmem_add(). Every element must already be freed: their backtrace
 * references are released and the whole range becomes plain valid memory.
 */
void
kasan_zmem_remove(
	vm_address_t addr,
	vm_size_t size,
	vm_offset_t esize,
	vm_offset_t offs,
	vm_offset_t rzsize)
{
	uint8_t *shadow = SHADOW_FOR_ADDRESS(addr);

	assert(kasan_granule_partial(esize) == 0);
	assert(kasan_granule_partial(offs) == 0);
	assert(kasan_granule_partial(rzsize) == 0);
	assert((size - offs) % esize == 0);

	/* Only redzoned elements carry a header with backtrace refs to drop. */
	if (rzsize != 0) {
		vm_offset_t user_off = offs + rzsize;
		while (user_off < size) {
			kasan_alloc_header_t hdr = header_for_user_addr(addr + user_off);

			/* Removing a chunk with live or quarantined elements is a bug. */
			assert(hdr->state == KASAN_STATE_FREED);
			btref_put(hdr->alloc_btref);
			btref_put(hdr->free_btref);

			user_off += esize;
		}
	}

	/* The memory is no longer zone-managed: make all of it addressable. */
	__nosan_memset(shadow, ASAN_VALID, size >> KASAN_SCALE);
}
495*5e3eaea3SApple OSS Distributions
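/*
 * Record a new allocation of `req' user bytes inside a `size'-byte zone
 * element at `addr' and poison the unused tail as a right redzone.
 *
 * addr:   user pointer (start of the element, just past the left redzone)
 * size:   bytes available to the user; the right redzone is size - req
 * req:    size the caller actually asked for
 * rzsize: left redzone size; when non-zero a kasan_alloc_header lives in it
 *         and is (re)initialised here
 * percpu: the element is replicated once per CPU, one PAGE_SIZE apart, and
 *         every replica gets the same poisoning
 * fp:     frame pointer handed to btref_get to capture the alloc backtrace
 *
 * addr, size and rzsize must be granule aligned. The left redzone shadow is
 * not touched here (kasan_poison is called with a zero left redzone).
 */
void
kasan_alloc(
	vm_address_t addr,
	vm_size_t size,
	vm_size_t req,
	vm_size_t rzsize,
	bool percpu,
	void *fp)
{
	assert(kasan_granule_partial(addr) == 0);
	assert(kasan_granule_partial(size) == 0);
	assert(kasan_granule_partial(rzsize) == 0);

	if (rzsize) {
		/* stash the allocation sizes in the left redzone */
		kasan_alloc_header_t h = header_for_user_addr(addr);

		/*
		 * The header fields are narrower than the parameters. A silently
		 * truncated left_rz or user_size would make kasan_check_alloc()
		 * verify the wrong shadow range, or report a bogus size mismatch
		 * on free, so refuse to record a value that does not fit.
		 */
		assert(rzsize <= UINT16_MAX);
		assert(req <= UINT32_MAX);

		/* release the backtraces a previous life of this header may hold */
		btref_put(h->free_btref);
		btref_put(h->alloc_btref);

		h->state = KASAN_STATE_ALLOCATED;
		h->left_rz = (uint16_t)rzsize;
		h->user_size = (uint32_t)req;
		h->alloc_btref = btref_get(fp, BTREF_GET_NOWAIT);
		h->free_btref = 0;
	}

	/* poison only the tail past `req'; left redzone size 0 leaves it alone */
	kasan_poison(addr, req, 0, size - req, ASAN_HEAP_RZ);
	if (percpu) {
		/* each CPU's replica of the element is one page further on */
		for (uint32_t i = 1; i < zpercpu_count(); i++) {
			addr += PAGE_SIZE;
			kasan_poison(addr, req, 0, size - req, ASAN_HEAP_RZ);
		}
	}
}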
531*5e3eaea3SApple OSS Distributions
/*
 * Mark a zone element as freed: validate and update its header (when it
 * has one) and poison its shadow, plus the shadow of every per-CPU replica.
 *
 * addr:   user pointer being freed
 * size:   element size; all of it is poisoned ASAN_HEAP_FREED
 * req:    size the caller claims to free; checked against the recorded
 *         user_size by kasan_check_alloc()
 * rzsize: left redzone size; 0 means there is no header, so no metadata
 *         check is possible and only the shadow is poisoned
 * percpu: also poison every CPU's replica, each one PAGE_SIZE further on
 * fp:     frame pointer handed to btref_get for the free backtrace
 */
void
kasan_free(
	vm_address_t addr,
	vm_size_t size,
	vm_size_t req,
	vm_size_t rzsize,
	bool percpu,
	void *fp)
{
	uint8_t *sh = SHADOW_FOR_ADDRESS(addr);
	const vm_size_t shadow_len = size >> KASAN_SCALE;

	if (rzsize != 0) {
		kasan_alloc_header_t hdr = header_for_user_addr(addr);

		/* reports a violation when the header or redzones look wrong */
		kasan_check_alloc(addr, size, req);
		/*
		 * kasan_alloc() clears free_btref, so a non-zero value here means
		 * the element was not re-allocated since its last free.
		 */
		assert(hdr->free_btref == 0);
		hdr->state = KASAN_STATE_FREED;
		hdr->next = 0;
		hdr->free_btref = btref_get(fp, BTREF_GET_NOWAIT);
	}

	__nosan_memset(sh, ASAN_HEAP_FREED, shadow_len);
	if (!percpu) {
		return;
	}
	for (uint32_t cpu = 1; cpu < zpercpu_count(); cpu++) {
		sh += PAGE_SIZE >> KASAN_SCALE;
		__nosan_memset(sh, ASAN_HEAP_FREED, shadow_len);
	}
}
562*5e3eaea3SApple OSS Distributions
/*
 * Poison the redzones around a large (page-granular) allocation: one full
 * page on the left and, on the right, the slack up to the next page boundary
 * plus one full page.
 *
 * addr:     user pointer; the left redzone is the page immediately before it
 * req_size: bytes the caller requested
 */
void
kasan_alloc_large(vm_address_t addr, vm_size_t req_size)
{
	const vm_size_t tail_slack = round_page(req_size) - req_size;
	const vm_size_t left_rz = PAGE_SIZE;
	const vm_size_t right_rz = tail_slack + PAGE_SIZE;

	kasan_poison(addr - left_rz, req_size, left_rz, right_rz, ASAN_HEAP_RZ);
}
571*5e3eaea3SApple OSS Distributions
/*
 * Return the size the user originally requested for the allocation whose
 * user pointer is `addr'. The element must currently be allocated.
 */
vm_size_t
kasan_user_size(vm_offset_t addr)
{
	const kasan_alloc_header_t hdr = header_for_user_addr(addr);

	assert(hdr->state == KASAN_STATE_ALLOCATED);
	return hdr->user_size;
}
584*5e3eaea3SApple OSS Distributions
/*
 * Verify that `addr' (user pointer) is a valid, live allocation whose
 * recorded metadata agrees with what the caller is about to free.
 *
 * addr: user pointer
 * size: element size; the right redzone is expected to span
 *       [addr + user_size, addr + size)
 * req:  size the caller is freeing; must equal the recorded user_size
 *
 * Every mismatch is reported through kasan_violation() with TYPE_ZFREE.
 * Whether execution continues past a report is up to kasan_violation(), so
 * later checks may still run on metadata already found to be bad.
 * Does nothing when checks are disabled.
 */
void
kasan_check_alloc(vm_offset_t addr, vm_size_t size, vm_size_t req)
{
	kasan_alloc_header_t hdr = header_for_user_addr(addr);

	if (!checks_enabled) {
		return;
	}

	/* freeing something that is not (or no longer) allocated */
	if (hdr->state != KASAN_STATE_ALLOCATED) {
		kasan_violation(addr, req, TYPE_ZFREE, REASON_BAD_METADATA);
	}

	/* the freed size must match what was recorded at alloc time */
	if (hdr->user_size != req) {
		kasan_violation(addr, req, TYPE_ZFREE, REASON_INVALID_SIZE);
	}

	/*
	 * Both redzones must still carry their poison; a clobbered redzone
	 * means something wrote outside the element body.
	 */
	vm_size_t right_rz_len = size - hdr->user_size;
	bool redzones_ok =
	    kasan_check_shadow(addr - hdr->left_rz, hdr->left_rz, ASAN_HEAP_LEFT_RZ) &&
	    kasan_check_shadow(addr + hdr->user_size, right_rz_len, ASAN_HEAP_RIGHT_RZ);
	if (!redzones_ok) {
		kasan_violation(addr, req, TYPE_ZFREE, REASON_BAD_METADATA);
	}

	/* the element body itself must not be poisoned */
	kasan_check_range((void *)addr, req, TYPE_ZFREE);
}
617*5e3eaea3SApple OSS Distributions
618*5e3eaea3SApple OSS Distributions /*
619*5e3eaea3SApple OSS Distributions * KASAN Quarantine
620*5e3eaea3SApple OSS Distributions */
621*5e3eaea3SApple OSS Distributions
/*
 * Per-CPU FIFO of freed elements that are held back from reuse so that stale
 * accesses have a window in which to be caught. Elements are chained through
 * the `next' field of their kasan_alloc_header.
 */
typedef struct kasan_quarantine {
	kasan_alloc_header_t head;   /* oldest entry; evicted first */
	kasan_alloc_header_t tail;   /* newest entry; NULL when the list is empty */
	uint32_t size;               /* total bytes currently held */
	uint32_t count;              /* number of entries currently held */
} *kasan_quarantine_t;
628*5e3eaea3SApple OSS Distributions
/* one quarantine per CPU; kasan_quarantine() fetches it with PERCPU_GET */
static struct kasan_quarantine PERCPU_DATA(kasan_quarantine);

/*
 * NOTE(review): not referenced by the code visible around it; presumably
 * intended for asserting that preemption is disabled before the per-CPU
 * quarantine is touched — confirm against the rest of the file.
 */
extern int get_preemption_level(void);
632*5e3eaea3SApple OSS Distributions
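/*
 * Push the freed element at user pointer `addr' (size `size') onto the
 * current CPU's quarantine and, if the quarantine has now grown past its
 * byte or entry limit, pop the oldest entry so the caller can release it.
 *
 * The element must be in KASAN_STATE_FREED with a clear `next' link; it
 * leaves here KASAN_STATE_QUARANTINED. The returned result is zeroed when
 * nothing was evicted; otherwise `addr' is the evicted element's user
 * pointer (back in KASAN_STATE_FREED) and `zone' is whatever
 * kasan_quarantine_resolve() filled in for it.
 *
 * The per-CPU quarantine is reached through PERCPU_GET, which presumes the
 * caller keeps this thread on one CPU for the duration (e.g. preemption
 * disabled) — not verified here.
 */
struct kasan_quarantine_result
kasan_quarantine(vm_address_t addr, vm_size_t size)
{
	kasan_alloc_header_t incoming = header_for_user_addr(addr);
	kasan_quarantine_t q = PERCPU_GET(kasan_quarantine);
	struct kasan_quarantine_result result = { };

	assert(incoming->state == KASAN_STATE_FREED && incoming->next == 0);

	incoming->state = KASAN_STATE_QUARANTINED;

	/* append at the tail; an empty list has tail == NULL */
	q->size += size;
	q->count++;
	if (q->tail != NULL) {
		q->tail->next = (intptr_t)incoming;
	} else {
		q->head = incoming;
	}
	q->tail = incoming;

	bool over_limit = q->size >= QUARANTINE_MAXSIZE ||
	    q->count > QUARANTINE_ENTRIES;
	if (over_limit) {
		/* evict from the head: the entry that has waited longest */
		kasan_alloc_header_t victim = q->head;

		assert(victim->state == KASAN_STATE_QUARANTINED);

		q->head = (kasan_alloc_header_t)(intptr_t)victim->next;
		if (q->head == NULL) {
			/*
			 * The victim was the only entry. Clear the tail as well, or
			 * the next push would write its `next' link through a pointer
			 * to an element the caller is about to hand back to the zone.
			 */
			q->tail = NULL;
		}
		victim->state = KASAN_STATE_FREED;
		victim->next = 0;

		/* the user pointer sits immediately after the header */
		result.addr = (vm_address_t)(victim + 1);
		q->size -= kasan_quarantine_resolve(result.addr, &result.zone);
		q->count--;
	}

	return result;
}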
668*5e3eaea3SApple OSS Distributions
/*
 * Unpoison the C++ array cookie, if there is one, in front of `ptr'.
 *
 * The cookie is the word immediately before the array data, but its exact
 * offset from the start of the buffer is not known here; for naturally
 * aligned objects it can only be in one of the first two shadow bytes, so
 * the scan stops after two bytes. The scan also stops at the first shadow
 * byte that is neither valid nor a cookie, since the cookie would have been
 * seen before any other poison.
 */
void
kasan_unpoison_cxx_array_cookie(void *ptr)
{
	uint8_t *sb = SHADOW_FOR_ADDRESS((uptr)ptr);
	uint8_t *const end = sb + 2;

	while (sb < end) {
		const uint8_t v = *sb;

		if (v == ASAN_ARRAY_COOKIE) {
			*sb = ASAN_VALID;
			return;
		}
		if (v != ASAN_VALID) {
			/* some other poison: the cookie cannot be further in */
			return;
		}
		sb++;
	}
}
689*5e3eaea3SApple OSS Distributions
/* exposes quarantine_enabled as a read/write sysctl under _kern_kasan */
SYSCTL_UINT(_kern_kasan, OID_AUTO, quarantine, CTLFLAG_RW, &quarantine_enabled, 0, "");