Update aosp/master compiler-rt for rebase to r256229
http://b/26987366
Change-Id: I0ca3d7d3f1b7926fcffcb5b467e79958de576437
diff --git a/lib/safestack/.clang-format b/lib/safestack/.clang-format
new file mode 100644
index 0000000..f6cb8ad
--- /dev/null
+++ b/lib/safestack/.clang-format
@@ -0,0 +1 @@
+BasedOnStyle: Google
diff --git a/lib/safestack/CMakeLists.txt b/lib/safestack/CMakeLists.txt
index 1c15d07..9c11bb6 100644
--- a/lib/safestack/CMakeLists.txt
+++ b/lib/safestack/CMakeLists.txt
@@ -8,21 +8,27 @@
if(APPLE)
# Build universal binary on APPLE.
- add_compiler_rt_osx_static_runtime(clang_rt.safestack_osx
- ARCH ${SAFESTACK_SUPPORTED_ARCH}
+ add_compiler_rt_runtime(clang_rt.safestack
+ STATIC
+ OS osx
+ ARCHS ${SAFESTACK_SUPPORTED_ARCH}
SOURCES ${SAFESTACK_SOURCES}
$<TARGET_OBJECTS:RTInterception.osx>
$<TARGET_OBJECTS:RTSanitizerCommon.osx>
- CFLAGS ${SAFESTACK_CFLAGS})
- add_dependencies(safestack clang_rt.safestack_osx)
+ $<TARGET_OBJECTS:RTSanitizerCommonNoLibc.osx>
+ CFLAGS ${SAFESTACK_CFLAGS}
+ PARENT_TARGET safestack)
else()
# Otherwise, build separate libraries for each target.
foreach(arch ${SAFESTACK_SUPPORTED_ARCH})
- add_compiler_rt_runtime(clang_rt.safestack-${arch} ${arch} STATIC
+ add_compiler_rt_runtime(clang_rt.safestack
+ STATIC
+ ARCHS ${arch}
SOURCES ${SAFESTACK_SOURCES}
$<TARGET_OBJECTS:RTInterception.${arch}>
$<TARGET_OBJECTS:RTSanitizerCommon.${arch}>
- CFLAGS ${SAFESTACK_CFLAGS})
- add_dependencies(safestack clang_rt.safestack-${arch})
+ $<TARGET_OBJECTS:RTSanitizerCommonNoLibc.${arch}>
+ CFLAGS ${SAFESTACK_CFLAGS}
+ PARENT_TARGET safestack)
endforeach()
endif()
diff --git a/lib/safestack/safestack.cc b/lib/safestack/safestack.cc
index 43366fd..92c24b3 100644
--- a/lib/safestack/safestack.cc
+++ b/lib/safestack/safestack.cc
@@ -17,39 +17,50 @@
#include <limits.h>
#include <pthread.h>
#include <stddef.h>
+#include <stdint.h>
+#include <unistd.h>
#include <sys/resource.h>
+#include <sys/types.h>
#include <sys/user.h>
#include "interception/interception.h"
#include "sanitizer_common/sanitizer_common.h"
-// TODO: The runtime library does not currently protect the safe stack. The
-// protection of the (safe) stack can be provided by two alternative features
-// that requires C library support:
+// TODO: The runtime library does not currently protect the safe stack beyond
+// relying on the system-enforced ASLR. The protection of the (safe) stack can
+// be provided by three alternative features:
//
-// 1) Protection via hardware segmentation on x32 architectures: the (safe)
-// stack segment (implicitly accessed via the %ss segment register) can be
-// separated from the data segment (implicitly accessed via the %ds segment
-// register). Dereferencing a pointer to the safe segment would result in a
-// segmentation fault.
+// 1) Protection via hardware segmentation on x86-32 and some x86-64
+// architectures: the (safe) stack segment (implicitly accessed via the %ss
+// segment register) can be separated from the data segment (implicitly
+// accessed via the %ds segment register). Dereferencing a pointer to the safe
+// segment would result in a segmentation fault.
//
-// 2) Protection via information hiding on 64 bit architectures: the location of
-// the safe stack can be randomized through secure mechanisms, and the leakage
-// of the stack pointer can be prevented. Currently, libc can leak the stack
-// pointer in several ways (e.g. in longjmp, signal handling, user-level context
-// switching related functions, etc.). These can be fixed in libc and in other
-// low-level libraries, by either eliminating the escaping/dumping of the stack
-// pointer (i.e., %rsp) when that's possible, or by using encryption/PTR_MANGLE
-// (XOR-ing the dumped stack pointer with another secret we control and protect
-// better). (This is already done for setjmp in glibc.) Furthermore, a static
-// machine code level verifier can be ran after code generation to make sure
-// that the stack pointer is never written to memory, or if it is, its written
-// on the safe stack.
+// 2) Protection via software fault isolation: memory writes that are not meant
+// to access the safe stack can be prevented from doing so through runtime
+// instrumentation. One way to do it is to allocate the safe stack(s) in the
+// upper half of the userspace and bitmask the corresponding upper bit of the
+// memory addresses of memory writes that are not meant to access the safe
+// stack.
//
-// Finally, while the Unsafe Stack pointer is currently stored in a thread local
-// variable, with libc support it could be stored in the TCB (thread control
-// block) as well, eliminating another level of indirection. Alternatively,
-// dedicating a separate register for storing it would also be possible.
+// 3) Protection via information hiding on 64 bit architectures: the location
+// of the safe stack(s) can be randomized through secure mechanisms, and the
+// leakage of the stack pointer can be prevented. Currently, libc can leak the
+// stack pointer in several ways (e.g. in longjmp, signal handling, user-level
+// context switching related functions, etc.). These can be fixed in libc and
+// in other low-level libraries, by either eliminating the escaping/dumping of
+// the stack pointer (i.e., %rsp) when that's possible, or by using
+// encryption/PTR_MANGLE (XOR-ing the dumped stack pointer with another secret
+// we control and protect better, as is already done for setjmp in glibc.)
+// Furthermore, a static machine code level verifier can be ran after code
+// generation to make sure that the stack pointer is never written to memory,
+// or if it is, its written on the safe stack.
+//
+// Finally, while the Unsafe Stack pointer is currently stored in a thread
+// local variable, with libc support it could be stored in the TCB (thread
+// control block) as well, eliminating another level of indirection and making
+// such accesses faster. Alternatively, dedicating a separate register for
+// storing it would also be possible.
/// Minimum stack alignment for the unsafe stack.
const unsigned kStackAlign = 16;
@@ -58,6 +69,9 @@
/// size rlimit is set to infinity.
const unsigned kDefaultUnsafeStackSize = 0x2800000;
+/// Runtime page size obtained through sysconf
+static unsigned pageSize;
+
// TODO: To make accessing the unsafe stack pointer faster, we plan to
// eventually store it directly in the thread control block data structure on
// platforms where this structure is pointed to by %fs or %gs. This is exactly
@@ -161,7 +175,7 @@
size_t size = 0;
size_t guard = 0;
- if (attr != NULL) {
+ if (attr) {
pthread_attr_getstacksize(attr, &size);
pthread_attr_getguardsize(attr, &guard);
} else {
@@ -175,7 +189,7 @@
CHECK_NE(size, 0);
CHECK_EQ((size & (kStackAlign - 1)), 0);
- CHECK_EQ((guard & (PAGE_SIZE - 1)), 0);
+ CHECK_EQ((guard & (pageSize - 1)), 0);
void *addr = unsafe_stack_alloc(size, guard);
struct tinfo *tinfo =
@@ -207,6 +221,7 @@
void *addr = unsafe_stack_alloc(size, guard);
unsafe_stack_setup(addr, size, guard);
+ pageSize = sysconf(_SC_PAGESIZE);
// Initialize pthread interceptors for thread allocation
INTERCEPT_FUNCTION(pthread_create);