summaryrefslogtreecommitdiff
path: root/tools/testing/selftests/bpf/libarena/src/asan.bpf.c
blob: 5135d5c72a46d6d1d740540cb27b0d0a5bcac629 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
// SPDX-License-Identifier: LGPL-2.1 OR BSD-2-Clause
/* Copyright (c) 2026 Meta Platforms, Inc. and affiliates. */
#include <vmlinux.h>
#include <libarena/common.h>
#include <libarena/asan.h>


enum {
	/*
	 * Is the access checked by check_region_inline
	 * a read or a write?
	 */
	ASAN_READ		= 0x0U,
	ASAN_WRITE		= 0x1U,
};

/*
 * Address sanitizer (ASAN) for arena-based BPF programs, inspired
 * by KASAN.
 *
 * The API
 * -------
 *
 * The implementation includes two kinds of components: Implementation
 * of ASAN hooks injected by LLVM into the program, and API calls that
 * allocators use to mark memory as valid or invalid. The full list is:
 *
 * LLVM stubs:
 *
 * void __asan_{load, store}<size>(intptr_t addr)
 *	Checks whether an access is valid. All variations covered
 *	by check_region_inline().
 *
 * void __asan_{store, load}((intptr_t addr, ssize_t size)
 *
 * void __asan_report_{load, store}<size>(intptr_t addr)
 *	Report an access violation for the program. Used when LLVM
 *	uses direct code generation for shadow map checks.
 *
 * void *__asan_memcpy(void *d, const void *s, size_t n)
 * void *__asan_memmove(void *d, const void *s, size_t n)
 * void *__asan_memset(void *p, int c, size_t n)
 *	Hooks for ASAN instrumentation of the LLVM mem* builtins.
 *	Currently unimplemented just like the builtins themselves.
 *
 * API methods:
 *
 * asan_init()
 *	Initialize the ASAN map for the arena.
 *
 * asan_poison()
 *	Mark a region of memory as poisoned. Accessing poisoned memory
 *	causes asan_report() to fire. Invoked during free().
 *
 * asan_unpoison()
 *	Mark a region as unpoisoned after alloc().
 *
 * asan_shadow_set()
 *	Check a byte's validity directly.
 *
 * The Algorithm In Brief
 * ----------------------
 * Each group of 8 bytes is mapped to a "granule" in the shadow map. This
 * granule is the size of the byte and describes which bytes are valid.
 * Possible values are:
 *
 * 0: All bytes are valid. Makes checks in the middle of an allocated region
 * (most of them) fast.
 * (0, 7]: How many consecutive bytes are valid, starting from the lowest one.
 * The tradeoff is that we can't poison individual bytes in the middle of a
 * valid region.
 * [0x80, 0xff]: Special poison values, can be used to denote specific error
 * modes (e.g., recently freed vs uninitialized memory).
 *
 * The mapping between a memory location and its shadow is:
 * shadow_addr = shadow_base + (addr >> 3). We retain the 8:1 data:shadow
 * ratio of existing ASAN implementations as a compromise between tracking
 * granularity and space usage/scan overhead.
 */

#ifdef BPF_ARENA_ASAN

#pragma clang attribute push(__attribute__((no_sanitize("address"))), \
			     apply_to = function)

#define SHADOW_ALL_ZEROES ((u64)-1)

/*
 * Canary variable for ASAN violations. Set to the offending address.
 */
volatile u64 asan_violated = 0;

/*
 * Shadow map occupancy map.
 */
volatile u64 __asan_shadow_memory_dynamic_address;

volatile u32 asan_reported = false;
volatile bool asan_inited = false;

/*
 * Set during program load.
 */
volatile bool asan_report_once = false;

/*
 * BPF does not currently support the memset/memcpy/memcmp intrinsics.
 * For large sequential copies, or assignments of large data structures,
 * the frontend will generate an intrinsic that causes the BPF backend
 * to exit due to a missing implementation. Provide a simple implementation
 * just for memset to use it for poisoning/unpoisoning the map.
 */
__weak int asan_memset(s8 __arena *dst, s8 val, size_t size)
{
	size_t i;

	for (i = zero; i < size && can_loop; i++)
		dst[i] = val;

	return 0;
}

/* Validate a 1-byte access, always within a single byte. */
static __always_inline bool memory_is_poisoned_1(s8 __arena *addr)
{
	s8 shadow_value = *(s8 __arena *)mem_to_shadow(addr);

	/* Byte is 0, access is valid. */
	if (likely(!shadow_value))
		return false;

	/*
	 * Byte is non-zero. Access is valid if granule offset in [0, shadow_value),
	 * so the memory is poisoned if shadow_value is negative or smaller than
	 * the granule's value.
	 */

	return ASAN_GRANULE(addr) >= shadow_value;
}

/* Validate a 2- 4-, 8-byte access, shadow spans up to 2 bytes. */
static __always_inline bool memory_is_poisoned_2_4_8(s8 __arena *addr, u64 size)
{
	u64 end = (u64)addr + size - 1;

	/*
	 * Region fully within a single byte (addition didn't
	 * overflow above ASAN_GRANULE).
	 */
	if (likely(ASAN_GRANULE(end) >= size - 1))
		return memory_is_poisoned_1((s8 __arena *)end);

	/*
	 * Otherwise first byte must be fully unpoisoned, and second byte
	 * must be unpoisoned up to the end of the accessed region.
	 */

	return *(s8 __arena *)mem_to_shadow(addr) || memory_is_poisoned_1((s8 __arena *)end);
}

__weak bool asan_shadow_set(void __arena *addr)
{
	return memory_is_poisoned_1(addr);
}

static __always_inline u64 first_nonzero_byte(u64 addr, size_t size)
{
	while (size && can_loop) {
		if (unlikely(*(s8 __arena *)addr))
			return addr;
		addr += 1;
		size -= 1;
	}

	return SHADOW_ALL_ZEROES;
}

static __always_inline bool memory_is_poisoned_n(s8 __arena *addr, u64 size)
{
	u64 ret;
	u64 start;
	u64 end;

	/* Size of [start, end] is end - start + 1. */
	start = (u64)mem_to_shadow(addr);
	end = (u64)mem_to_shadow(addr + size - 1);

	ret = first_nonzero_byte(start, (end - start) + 1);
	if (likely(ret == SHADOW_ALL_ZEROES))
		return false;

	return unlikely(ret != end || ASAN_GRANULE(addr + size - 1) >= *(s8 __arena *)end);
}

__weak int asan_report(s8 __arena *addr, size_t sz, u32 flags)
{
	u32 reported = __sync_val_compare_and_swap(&asan_reported, false, true);

	/* Only report the first ASAN violation. */
	if (reported && asan_report_once)
		return 0;

	asan_violated = (u64)addr;

	arena_stderr("Memory violation for address %p (0x%lx) for %s of size %ld\n",
			addr, (u64)addr,
			(flags & ASAN_WRITE) ? "write" : "read",
			sz);
	bpf_stream_print_stack(BPF_STDERR);

	return 0;
}

static __always_inline bool check_asan_args(s8 __arena *addr, size_t size,
					    bool *result)
{
	bool valid = true;

	/* Size 0 accesses are valid even if the address is invalid. */
	if (unlikely(size == 0))
		goto confirmed_valid;

	/*
	 * Wraparound is possible for values close to the the edge of the
	 * 4GiB boundary of the arena (last valid address is 1UL << 32 - 1).
	 *
	 *
	 * The wraparound detection below works for small sizes. check_asan_args is
	 * always called from the builtin ASAN checks, so 1 <= size <= 64. Even
	 * for storeN/loadN that we do not expect to encounter the intrinsics will
	 * not have a large enough size that:
	 *
	 * - addr + size  > MAX_U32
	 * - (u32)(addr + size) > (u32) addr
	 *
	 * which would defeat wraparound detection.
	 */
	if (unlikely((u32)(u64)(addr + size) < (u32)(u64)addr))
		goto confirmed_invalid;

	return false;

confirmed_invalid:
	valid = false;

	/* FALLTHROUGH */
confirmed_valid:
	*result = valid;

	return true;
}

static __always_inline bool check_region_inline(intptr_t ptr, size_t size,
						u32 flags)
{
	s8 __arena *addr = (s8 __arena *)(u64)ptr;
	bool is_poisoned, is_valid;

	if (check_asan_args(addr, size, &is_valid)) {
		if (!is_valid)
			asan_report(addr, size, flags);
		return is_valid;
	}

	switch (size) {
	case 1:
		is_poisoned = memory_is_poisoned_1(addr);
		break;
	case 2:
	case 4:
	case 8:
		is_poisoned = memory_is_poisoned_2_4_8(addr, size);
		break;
	default:
		is_poisoned = memory_is_poisoned_n(addr, size);
	}

	if (is_poisoned) {
		asan_report(addr, size, flags);
		return false;
	}

	return true;
}

/*
 * __alias is not supported for BPF so define *__noabort() variants as wrappers.
 */
#define DEFINE_ASAN_LOAD_STORE(size)                                  \
	__hidden void __asan_store##size(intptr_t addr)                  \
	{                                                             \
		check_region_inline(addr, size, ASAN_WRITE);          \
	}                                                             \
	__hidden void __asan_store##size##_noabort(intptr_t addr)        \
	{                                                             \
		check_region_inline(addr, size, ASAN_WRITE);          \
	}                                                             \
	__hidden void __asan_load##size(intptr_t addr)                   \
	{                                                             \
		check_region_inline(addr, size, ASAN_READ);           \
	}                                                             \
	__hidden void __asan_load##size##_noabort(intptr_t addr)         \
	{                                                             \
		check_region_inline(addr, size, ASAN_READ);           \
	}                                                             \
	__hidden void __asan_report_store##size(intptr_t addr)           \
	{                                                             \
		asan_report((s8 __arena *)addr, size, ASAN_WRITE);           \
	}                                                             \
	__hidden void __asan_report_store##size##_noabort(intptr_t addr) \
	{                                                             \
		asan_report((s8 __arena *)addr, size, ASAN_WRITE);           \
	}                                                             \
	__hidden void __asan_report_load##size(intptr_t addr)            \
	{                                                             \
		asan_report((s8 __arena *)addr, size, ASAN_READ);            \
	}                                                             \
	__hidden void __asan_report_load##size##_noabort(intptr_t addr)  \
	{                                                             \
		asan_report((s8 __arena *)addr, size, ASAN_READ);            \
	}

DEFINE_ASAN_LOAD_STORE(1);
DEFINE_ASAN_LOAD_STORE(2);
DEFINE_ASAN_LOAD_STORE(4);
DEFINE_ASAN_LOAD_STORE(8);

void __asan_storeN(intptr_t addr, ssize_t size)
{
	check_region_inline(addr, size, ASAN_WRITE);
}

void __asan_storeN_noabort(intptr_t addr, ssize_t size)
{
	check_region_inline(addr, size, ASAN_WRITE);
}

void __asan_loadN(intptr_t addr, ssize_t size)
{
	check_region_inline(addr, size, ASAN_READ);
}

void __asan_loadN_noabort(intptr_t addr, ssize_t size)
{
	check_region_inline(addr, size, ASAN_READ);
}

/*
 * We currently do not sanitize globals.
 */
void __asan_register_globals(intptr_t globals, size_t n)
{
}

void __asan_unregister_globals(intptr_t globals, size_t n)
{
}

/*
 * We do not currently have memcpy/memmove/memset intrinsics
 * in LLVM. Do not implement sanitization.
 */
void *__asan_memcpy(void *d, const void *s, size_t n)
{
	arena_stderr("ASAN: Unexpected %s call", __func__);
	return NULL;
}

void *__asan_memmove(void *d, const void *s, size_t n)
{
	arena_stderr("ASAN: Unexpected %s call", __func__);
	return NULL;
}

void *__asan_memset(void *p, int c, size_t n)
{
	arena_stderr("ASAN: Unexpected %s call", __func__);
	return NULL;
}

/*
 * Poisoning code, used when we add more freed memory to the allocator by:
 * 	a) pulling memory from the arena segment using bpf_arena_alloc_pages()
 * 	b) freeing memory from application code
 */
__hidden __noasan int asan_poison(void __arena *addr, s8 val, size_t size)
{
	s8 __arena *shadow;
	size_t len;

	/*
	 * Poisoning from a non-granule address makes no sense: We can only allocate
	 * memory to the application that has a granule-aligned starting address,
	 * and bpf_arena_alloc_pages returns page-aligned memory. A non-aligned
	 * addr then implies we're freeing a different address than the one we
	 * allocated.
	 */
	if (unlikely((u64)addr & ASAN_GRANULE_MASK))
		return -EINVAL;

	/*
	 * We cannot free an unaligned region because it'd be possible that we
	 * cannot describe the resulting poisoning state of the granule in
	 * the ASAN encoding.
	 *
	 * Every granule represents a region of memory that looks like the
	 * following (P for poisoned bytes, C for clear):
	 *
	 * <Clear>  <Poisoned>
	 * [ C C C ... P P ]
	 *
	 * The value of the granule's shadow map is the number of clear bytes in
	 * it. We cannot represent granules with the following state:
	 *
	 * [ P P ... C C ... P P ]
	 *
	 * That would be possible if we could free unaligned regions, so prevent that.
	 */
	if (unlikely(size & ASAN_GRANULE_MASK))
		return -EINVAL;

	shadow = mem_to_shadow(addr);
	len = size >> ASAN_SHADOW_SHIFT;

	asan_memset(shadow, val, len);

	return 0;
}

/*
 * Unpoisoning code for marking memory as valid during allocation calls.
 *
 * Very similar to asan_poison, except we need to round up instead of
 * down, then partially poison the last granule if necessary.
 *
 * Partial poisoning is useful for keeping the padding poisoned. Allocations
 * are granule-aligned, so we we're reserving granule-aligned sizes for the
 * allocation. However, we want to still treat accesses to the padding as
 * invalid. Partial poisoning takes care of that. Freeing and poisoning the
 * memory is still done in granule-aligned sizes and repoisons the already
 * poisoned padding.
 */
__hidden __noasan int asan_unpoison(void __arena *addr, size_t size)
{
	size_t partial = size & ASAN_GRANULE_MASK;
	s8 __arena *shadow;
	size_t len;

	/*
	 * We cannot allocate in the middle of the granule. The ASAN shadow
	 * map encoding only describes regions of memory where every granule
	 * follows this format (P for poisoned, C for clear):
	 *
	 * <Clear>  <Poisoned>
	 * [ C C C ... P P ]
	 *
	 * This is so we can use a single number in [0, ASAN_SHADOW_SCALE)
	 * to represent the poison state of the granule.
	 */
	if (unlikely((u64)addr & ASAN_GRANULE_MASK))
		return -EINVAL;

	shadow = mem_to_shadow(addr);
	len = size >> ASAN_SHADOW_SHIFT;

	asan_memset(shadow, 0, len);

	/*
	 * If we are allocating a non-granule aligned region, we need to adjust
	 * the last byte of the shadow map to list how many bytes in the granule
	 * are unpoisoned. If the region is aligned, then the memset call above
	 * was enough.
	 */
	if (partial)
		shadow[len] = partial;

	return 0;
}

/*
 * Initialize ASAN state when necessary. Triggered from userspace before
 * allocator startup.
 */
SEC("syscall")
__weak __noasan int asan_init(struct asan_init_args *args)
{
	u64 globals_pages = args->arena_globals_pages;
	u64 all_pages = args->arena_all_pages;
	u64 shadow_map, shadow_pgoff;
	u64 shadow_pages;

	if (asan_inited)
		return 0;

	/*
	 * Round up the shadow map size to the nearest page.
	 */
	shadow_pages = all_pages >> ASAN_SHADOW_SHIFT;
	if ((all_pages & ((1 << ASAN_SHADOW_SHIFT) - 1)))
		shadow_pages += 1;

	if (all_pages > (1ULL << 32) / __PAGE_SIZE) {
		arena_stderr("error: arena size %lx too large", all_pages);
		return -EINVAL;
	}

	if (globals_pages > all_pages) {
		arena_stderr("error: globals %lx do not fit in arena %lx",
				globals_pages, all_pages);
		return -EINVAL;
	}

	if (globals_pages + shadow_pages >= all_pages) {
		arena_stderr("error: globals %lx do not leave room for shadow map %lx "
				"(arena pages %lx)",
				globals_pages, shadow_pages, all_pages);
		return -EINVAL;
	}

	shadow_pgoff = all_pages - shadow_pages - globals_pages;
	__asan_shadow_memory_dynamic_address = shadow_pgoff * __PAGE_SIZE;

	/*
	 * Allocate the last (1/ASAN_SHADOW_SCALE)th of an arena's pages for the map
	 * We find the offset and size from the arena map.
	 *
	 * The allocated map pages are zeroed out, meaning all memory is marked as valid
	 * even if it's not allocated already. This is expected: Since the actual memory
	 * pages are not allocated, accesses to it will trigger page faults and will be
	 * reported through BPF streams. Any pages allocated through bpf_arena_alloc_pages
	 * should be poisoned by the allocator right after the call succeeds.
	 */
	shadow_map = (u64)bpf_arena_alloc_pages(
		&arena, (void __arena *)__asan_shadow_memory_dynamic_address,
		shadow_pages, NUMA_NO_NODE, 0);
	if (!shadow_map) {
		arena_stderr("Could not allocate shadow map\n");

		__asan_shadow_memory_dynamic_address = 0;

		return -ENOMEM;
	}

	asan_inited = true;

	return 0;
}

#pragma clang attribute pop

#endif /* BPF_ARENA_ASAN */

__weak char _license[] SEC("license") = "GPL";