Patrick Georgi has submitted this change. ( https://review.coreboot.org/c/coreboot/+/42496 )
Change subject: lib: Add ASan support to ramstage on x86 arch ......................................................................
lib: Add ASan support to ramstage on x86 arch
This patch adds address sanitizer module to the library and reserves a linker section representing the shadow region for ramstage. Also, it adds an instruction to initialize shadow region on x86 architecture when ramstage is loaded.
Change-Id: Ica06bd2be78fcfc79fa888721ed920d4e8248f3b Signed-off-by: Harshit Sharma harshitsharmajs@gmail.com Reviewed-on: https://review.coreboot.org/c/coreboot/+/42496 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: Werner Zeh werner.zeh@siemens.com --- M src/arch/x86/c_start.S A src/include/asan.h M src/include/symbols.h M src/lib/asan.c M src/lib/program.ld 5 files changed, 523 insertions(+), 19 deletions(-)
Approvals: build bot (Jenkins): Verified Werner Zeh: Looks good to me, approved
diff --git a/src/arch/x86/c_start.S b/src/arch/x86/c_start.S index 4e2ae08..c46a45c 100644 --- a/src/arch/x86/c_start.S +++ b/src/arch/x86/c_start.S @@ -91,6 +91,10 @@
andl $0xFFFFFFF0, %esp
+#if CONFIG(ASAN_IN_RAMSTAGE) + call asan_init +#endif + #if CONFIG(GDB_WAIT) call gdb_hw_init call gdb_stub_breakpoint diff --git a/src/include/asan.h b/src/include/asan.h new file mode 100644 index 0000000..8816eaf --- /dev/null +++ b/src/include/asan.h @@ -0,0 +1,113 @@ +/* SPDX-License-Identifier: GPL-2.0 */ + +#ifndef __ASAN_H +#define __ASAN_H + +#define ASAN_SHADOW_SCALE_SHIFT 3 + +#define ASAN_SHADOW_SCALE_SIZE (1UL << ASAN_SHADOW_SCALE_SHIFT) +#define ASAN_SHADOW_MASK (ASAN_SHADOW_SCALE_SIZE - 1) + +#define ASAN_GLOBAL_REDZONE 0xFA +#define ASAN_STACK_LEFT 0xF1 +#define ASAN_STACK_MID 0xF2 +#define ASAN_STACK_RIGHT 0xF3 +#define ASAN_STACK_PARTIAL 0xF4 +#define ASAN_USE_AFTER_SCOPE 0xF8 + +#define _RET_IP_ ((unsigned long)__builtin_return_address(0)) +#define likely(x) __builtin_expect(!!(x), 1) +#define unlikely(x) __builtin_expect(!!(x), 0) + +#define WARN_ON(condition) ({ \ + int __ret_warn_on = !!(condition); \ + unlikely(__ret_warn_on); \ +}) + +#ifndef ASAN_ABI_VERSION +#define ASAN_ABI_VERSION 5 +#endif + +/* The layout of struct dictated by compiler */ +struct asan_source_location { + const char *filename; + int line_no; + int column_no; +}; + +/* The layout of struct dictated by compiler */ +struct asan_global { + const void *beg; /* Address of the beginning of the global variable. */ + size_t size; /* Size of the global variable. */ + size_t size_with_redzone; /* Size of the variable + size of the red zone + 32 bytes aligned. */ + const void *name; + const void *module_name; /* Name of the module where the global variable + is declared. */ + unsigned long has_dynamic_init; /* This needed for C++. */ +#if ASAN_ABI_VERSION >= 4 + struct asan_source_location *location; +#endif +#if ASAN_ABI_VERSION >= 5 + char *odr_indicator; +#endif +}; + +void asan_unpoison_shadow(const void *address, size_t size); +void asan_report(unsigned long addr, size_t size, bool is_write, + unsigned long ip); +void asan_init(void); + +uintptr_t __asan_shadow_offset(uintptr_t addr); +void __asan_register_globals(struct asan_global *globals, size_t size); +void __asan_unregister_globals(struct asan_global *globals, size_t size); +void __asan_poison_stack_memory(const void *addr, size_t size); +void __asan_unpoison_stack_memory(const void *addr, size_t size); + +void __asan_load1(unsigned long addr); +void __asan_store1(unsigned long addr); +void __asan_load2(unsigned long addr); +void __asan_store2(unsigned long addr); +void __asan_load4(unsigned long addr); +void __asan_store4(unsigned long addr); +void __asan_load8(unsigned long addr); +void __asan_store8(unsigned long addr); +void __asan_load16(unsigned long addr); +void __asan_store16(unsigned long addr); +void __asan_loadN(unsigned long addr, size_t size); +void __asan_storeN(unsigned long addr, size_t size); + +void __asan_load1_noabort(unsigned long addr); +void __asan_store1_noabort(unsigned long addr); +void __asan_load2_noabort(unsigned long addr); +void __asan_store2_noabort(unsigned long addr); +void __asan_load4_noabort(unsigned long addr); +void __asan_store4_noabort(unsigned long addr); +void __asan_load8_noabort(unsigned long addr); +void __asan_store8_noabort(unsigned long addr); +void __asan_load16_noabort(unsigned long addr); +void __asan_store16_noabort(unsigned long addr); +void __asan_loadN_noabort(unsigned long addr, size_t size); +void __asan_storeN_noabort(unsigned long addr, size_t size); +void __asan_handle_no_return(void); + +void __asan_set_shadow_00(const void *addr, size_t size); +void __asan_set_shadow_f1(const void *addr, size_t size); +void __asan_set_shadow_f2(const void *addr, size_t size); +void __asan_set_shadow_f3(const void *addr, size_t size); +void __asan_set_shadow_f5(const void *addr, size_t size); +void __asan_set_shadow_f8(const void *addr, size_t size); + +void __asan_report_load1_noabort(unsigned long addr); +void __asan_report_store1_noabort(unsigned long addr); +void __asan_report_load2_noabort(unsigned long addr); +void __asan_report_store2_noabort(unsigned long addr); +void __asan_report_load4_noabort(unsigned long addr); +void __asan_report_store4_noabort(unsigned long addr); +void __asan_report_load8_noabort(unsigned long addr); +void __asan_report_store8_noabort(unsigned long addr); +void __asan_report_load16_noabort(unsigned long addr); +void __asan_report_store16_noabort(unsigned long addr); +void __asan_report_load_n_noabort(unsigned long addr, size_t size); +void __asan_report_store_n_noabort(unsigned long addr, size_t size); +#endif diff --git a/src/include/symbols.h b/src/include/symbols.h index f84672e..2fbb449 100644 --- a/src/include/symbols.h +++ b/src/include/symbols.h @@ -24,6 +24,12 @@ DECLARE_REGION(fmap_cache) DECLARE_REGION(tpm_tcpa_log)
+#if CONFIG(ASAN_IN_RAMSTAGE) +DECLARE_REGION(data) +DECLARE_REGION(heap) +DECLARE_REGION(asan_shadow) +#endif + /* Regions for execution units. */
DECLARE_REGION(payload) diff --git a/src/lib/asan.c b/src/lib/asan.c index e4a1012..0c186d6 100644 --- a/src/lib/asan.c +++ b/src/lib/asan.c @@ -1,16 +1,337 @@ -#include <stddef.h> +/* SPDX-License-Identifier: GPL-2.0 */
-#pragma GCC diagnostic ignored "-Wmissing-prototypes" +/* + * Address sanitizer support. + * + * Parts of this file are based on mm/kasan + * from the Linux kernel 4.19.137. + * + */
-#define DEFINE_ASAN_LOAD_STORE(size) \ - void __asan_load##size(unsigned long addr) \ - {} \ - void __asan_load##size##_noabort(unsigned long addr) \ - {} \ - void __asan_store##size(unsigned long addr) \ - {} \ - void __asan_store##size##_noabort(unsigned long addr) \ - {} +#include <symbols.h> +#include <assert.h> +#include <asan.h> + +static inline void *asan_mem_to_shadow(const void *addr) +{ + return (void *)((uintptr_t)&_asan_shadow + (((uintptr_t)addr - + (uintptr_t)&_data) >> ASAN_SHADOW_SCALE_SHIFT)); +} + +static inline const void *asan_shadow_to_mem(const void *shadow_addr) +{ + return (void *)((uintptr_t)&_data + (((uintptr_t)shadow_addr - + (uintptr_t)&_asan_shadow) << ASAN_SHADOW_SCALE_SHIFT)); +} + +static void asan_poison_shadow(const void *address, size_t size, u8 value) +{ + void *shadow_start, *shadow_end; + + shadow_start = asan_mem_to_shadow(address); + shadow_end = asan_mem_to_shadow(address + size); + + __builtin_memset(shadow_start, value, shadow_end - shadow_start); +} + +void asan_unpoison_shadow(const void *address, size_t size) +{ + asan_poison_shadow(address, size, 0); + + if (size & ASAN_SHADOW_MASK) { + u8 *shadow = (u8 *)asan_mem_to_shadow(address + size); + *shadow = size & ASAN_SHADOW_MASK; + } +} + +static __always_inline bool memory_is_poisoned_1(unsigned long addr) +{ + s8 shadow_value = *(s8 *)asan_mem_to_shadow((void *)addr); + + if (unlikely(shadow_value)) { + s8 last_accessible_byte = addr & ASAN_SHADOW_MASK; + return unlikely(last_accessible_byte >= shadow_value); + } + + return false; +} + +static __always_inline bool memory_is_poisoned_2_4_8(unsigned long addr, + unsigned long size) +{ + u8 *shadow_addr = (u8 *)asan_mem_to_shadow((void *)addr); + + if (unlikely(((addr + size - 1) & ASAN_SHADOW_MASK) < size - 1)) + return *shadow_addr || memory_is_poisoned_1(addr + size - 1); + + return memory_is_poisoned_1(addr + size - 1); +} + +static __always_inline bool memory_is_poisoned_16(unsigned long addr) +{ + u16 *shadow_addr = (u16 *)asan_mem_to_shadow((void *)addr); + + if (unlikely(!IS_ALIGNED(addr, ASAN_SHADOW_SCALE_SIZE))) + return *shadow_addr || memory_is_poisoned_1(addr + 15); + + return *shadow_addr; +} + +static __always_inline unsigned long bytes_is_nonzero(const u8 *start, + size_t size) +{ + while (size) { + if (unlikely(*start)) + return (unsigned long)start; + start++; + size--; + } + + return 0; +} + +static __always_inline unsigned long memory_is_nonzero(const void *start, + const void *end) +{ + unsigned int words; + unsigned long ret; + unsigned int prefix = (unsigned long)start % 8; + + if (end - start <= 16) + return bytes_is_nonzero(start, end - start); + + if (prefix) { + prefix = 8 - prefix; + ret = bytes_is_nonzero(start, prefix); + if (unlikely(ret)) + return ret; + start += prefix; + } + + words = (end - start) / 8; + while (words) { + if (unlikely(*(u64 *)start)) + return bytes_is_nonzero(start, 8); + start += 8; + words--; + } + + return bytes_is_nonzero(start, (end - start) % 8); +} + +static __always_inline bool memory_is_poisoned_n(unsigned long addr, + size_t size) +{ + unsigned long ret; + + ret = memory_is_nonzero(asan_mem_to_shadow((void *)addr), + asan_mem_to_shadow((void *)addr + size - 1) + 1); + + if (unlikely(ret)) { + unsigned long last_byte = addr + size - 1; + s8 *last_shadow = (s8 *)asan_mem_to_shadow((void *)last_byte); + + if (unlikely(ret != (unsigned long)last_shadow || + ((long)(last_byte & ASAN_SHADOW_MASK) >= *last_shadow))) + return true; + } + return false; +} + +static __always_inline bool memory_is_poisoned(unsigned long addr, size_t size) +{ + if (__builtin_constant_p(size)) { + switch (size) { + case 1: + return memory_is_poisoned_1(addr); + case 2: + case 4: + case 8: + return memory_is_poisoned_2_4_8(addr, size); + case 16: + return memory_is_poisoned_16(addr); + default: + assert(0); + } + } + + return memory_is_poisoned_n(addr, size); +} + +static const void *find_first_bad_addr(const void *addr, size_t size) +{ + u8 shadow_val = *(u8 *)asan_mem_to_shadow(addr); + const void *first_bad_addr = addr; + + while (!shadow_val && first_bad_addr < addr + size) { + first_bad_addr += ASAN_SHADOW_SCALE_SIZE; + shadow_val = *(u8 *)asan_mem_to_shadow(first_bad_addr); + } + return first_bad_addr; +} + +static const char *get_shadow_bug_type(const void *addr, size_t size) +{ + const char *bug_type = "unknown-crash"; + u8 *shadow_addr; + const void *first_bad_addr; + + if (addr < asan_shadow_to_mem((void *) &_asan_shadow)) + return bug_type; + + first_bad_addr = find_first_bad_addr(addr, size); + + shadow_addr = (u8 *)asan_mem_to_shadow(first_bad_addr); + + if (*shadow_addr > 0 && *shadow_addr <= ASAN_SHADOW_SCALE_SIZE - 1) + shadow_addr++; + + switch (*shadow_addr) { + case 0 ... ASAN_SHADOW_SCALE_SIZE - 1: + bug_type = "out-of-bounds"; + break; + case ASAN_GLOBAL_REDZONE: + bug_type = "global-out-of-bounds"; + break; + case ASAN_STACK_LEFT: + case ASAN_STACK_MID: + case ASAN_STACK_RIGHT: + case ASAN_STACK_PARTIAL: + bug_type = "stack-out-of-bounds"; + break; + case ASAN_USE_AFTER_SCOPE: + bug_type = "use-after-scope"; + break; + default: + bug_type = "unknown-crash"; + } + + return bug_type; +} + +void asan_report(unsigned long addr, size_t size, bool is_write, + unsigned long ip) +{ + const char *bug_type = get_shadow_bug_type((void *) addr, size); + printk(BIOS_ERR, "\n"); + printk(BIOS_ERR, "ASan: %s in %p\n", bug_type, (void *) ip); + printk(BIOS_ERR, "%s of %zu byte%s at addr %p\n", + is_write ? "Write" : "Read", size, (size > 1 ? "s" : ""), + (void *) addr); + printk(BIOS_ERR, "\n"); +} + +static __always_inline void check_memory_region_inline(unsigned long addr, + size_t size, bool write, + unsigned long ret_ip) +{ + if (((uintptr_t)addr < (uintptr_t)&_data) || + ((uintptr_t)addr > (uintptr_t)&_eheap)) + return; + + if (unlikely(size == 0)) + return; + + if (unlikely((void *)addr < + asan_shadow_to_mem((void *) &_asan_shadow))) { + asan_report(addr, size, write, ret_ip); + return; + } + + if (likely(!memory_is_poisoned(addr, size))) + return; + + asan_report(addr, size, write, ret_ip); +} + +static void check_memory_region(unsigned long addr, size_t size, bool write, + unsigned long ret_ip) +{ + check_memory_region_inline(addr, size, write, ret_ip); +} + +uintptr_t __asan_shadow_offset(uintptr_t addr) +{ + return (uintptr_t)&_asan_shadow - (((uintptr_t)&_data) >> + ASAN_SHADOW_SCALE_SHIFT); +} + +static void register_global(struct asan_global *global) +{ + size_t aligned_size = ALIGN_UP(global->size, ASAN_SHADOW_SCALE_SIZE); + + asan_unpoison_shadow(global->beg, global->size); + + asan_poison_shadow(global->beg + aligned_size, + global->size_with_redzone - aligned_size, + ASAN_GLOBAL_REDZONE); +} + +void __asan_register_globals(struct asan_global *globals, size_t size) +{ + int i; + + for (i = 0; i < size; i++) + register_global(&globals[i]); +} + +void __asan_unregister_globals(struct asan_global *globals, size_t size) +{ +} + +/* + * GCC adds constructors invoking __asan_register_globals() and passes + * information about global variable (address, size, size with redzone ...) + * to it so we could poison variable's redzone. + * This function calls those constructors. + */ +static void asan_ctors(void) +{ + extern long __CTOR_LIST__; + typedef void (*func_ptr)(void); + func_ptr *ctor = (func_ptr *) &__CTOR_LIST__; + if (ctor == NULL) + return; + + for (; *ctor != (func_ptr) 0; ctor++) + (*ctor)(); +} + +void asan_init(void) +{ + size_t size = (size_t)&_eheap - (size_t)&_data; + asan_unpoison_shadow((void *)&_data, size); + asan_ctors(); +} + +void __asan_poison_stack_memory(const void *addr, size_t size) +{ + asan_poison_shadow(addr, ALIGN_UP(size, ASAN_SHADOW_SCALE_SIZE), + ASAN_USE_AFTER_SCOPE); +} + +void __asan_unpoison_stack_memory(const void *addr, size_t size) +{ + asan_unpoison_shadow(addr, size); +} + +#define DEFINE_ASAN_LOAD_STORE(size) \ + void __asan_load##size(unsigned long addr) \ + { \ + check_memory_region_inline(addr, size, false, _RET_IP_);\ + } \ + void __asan_load##size##_noabort(unsigned long addr) \ + { \ + check_memory_region_inline(addr, size, false, _RET_IP_);\ + } \ + void __asan_store##size(unsigned long addr) \ + { \ + check_memory_region_inline(addr, size, true, _RET_IP_); \ + } \ + void __asan_store##size##_noabort(unsigned long addr) \ + { \ + check_memory_region_inline(addr, size, true, _RET_IP_); \ + }
DEFINE_ASAN_LOAD_STORE(1); DEFINE_ASAN_LOAD_STORE(2); @@ -19,16 +340,71 @@ DEFINE_ASAN_LOAD_STORE(16);
void __asan_loadN(unsigned long addr, size_t size) -{} - -void __asan_loadN_noabort(unsigned long addr, size_t size) -{} +{ + check_memory_region(addr, size, false, _RET_IP_); +}
void __asan_storeN(unsigned long addr, size_t size) -{} +{ + check_memory_region(addr, size, true, _RET_IP_); +} + +void __asan_loadN_noabort(unsigned long addr, size_t size) +{ + check_memory_region(addr, size, false, _RET_IP_); +}
void __asan_storeN_noabort(unsigned long addr, size_t size) -{} +{ + check_memory_region(addr, size, true, _RET_IP_); +}
void __asan_handle_no_return(void) -{} +{ +} + +#define DEFINE_ASAN_SET_SHADOW(byte) \ + void __asan_set_shadow_##byte(const void *addr, size_t size) \ + { \ + __builtin_memset((void *)addr, 0x##byte, size); \ + } + +DEFINE_ASAN_SET_SHADOW(00); +DEFINE_ASAN_SET_SHADOW(f1); +DEFINE_ASAN_SET_SHADOW(f2); +DEFINE_ASAN_SET_SHADOW(f3); +DEFINE_ASAN_SET_SHADOW(f5); +DEFINE_ASAN_SET_SHADOW(f8); + +#define DEFINE_ASAN_REPORT_LOAD(size) \ +void __asan_report_load##size##_noabort(unsigned long addr) \ +{ \ + asan_report(addr, size, false, _RET_IP_); \ +} + +#define DEFINE_ASAN_REPORT_STORE(size) \ +void __asan_report_store##size##_noabort(unsigned long addr) \ +{ \ + asan_report(addr, size, true, _RET_IP_); \ +} + +DEFINE_ASAN_REPORT_LOAD(1); +DEFINE_ASAN_REPORT_LOAD(2); +DEFINE_ASAN_REPORT_LOAD(4); +DEFINE_ASAN_REPORT_LOAD(8); +DEFINE_ASAN_REPORT_LOAD(16); +DEFINE_ASAN_REPORT_STORE(1); +DEFINE_ASAN_REPORT_STORE(2); +DEFINE_ASAN_REPORT_STORE(4); +DEFINE_ASAN_REPORT_STORE(8); +DEFINE_ASAN_REPORT_STORE(16); + +void __asan_report_load_n_noabort(unsigned long addr, size_t size) +{ + asan_report(addr, size, false, _RET_IP_); +} + +void __asan_report_store_n_noabort(unsigned long addr, size_t size) +{ + asan_report(addr, size, true, _RET_IP_); +} diff --git a/src/lib/program.ld b/src/lib/program.ld index 88a3126..3b6aa2e 100644 --- a/src/lib/program.ld +++ b/src/lib/program.ld @@ -51,7 +51,7 @@ _etext = .; } : to_load
-#if ENV_RAMSTAGE && CONFIG(COVERAGE) +#if ENV_RAMSTAGE && (CONFIG(COVERAGE) || CONFIG(ASAN_IN_RAMSTAGE)) .ctors . : { . = ALIGN(0x100); __CTOR_LIST__ = .; @@ -126,6 +126,11 @@ } #endif
+#if ENV_RAMSTAGE && CONFIG(ASAN_IN_RAMSTAGE) + _shadow_size = (_eheap - _data) >> 3; + REGION(asan_shadow, ., _shadow_size, ARCH_POINTER_ALIGN_SIZE) +#endif + _eprogram = .;
/* Discard the sections we don't need/want */