
  1. // SPDX-License-Identifier: GPL-2.0
  2. /*
  3. * KMSAN compiler API.
  4. *
  5. * This file implements __msan_XXX hooks that Clang inserts into the code
  6. * compiled with -fsanitize=kernel-memory.
  7. * See Documentation/dev-tools/kmsan.rst for more information on how KMSAN
  8. * instrumentation works.
  9. *
  10. * Copyright (C) 2017-2022 Google LLC
  11. * Author: Alexander Potapenko <glider@google.com>
  12. *
  13. */
  14. #include "kmsan.h"
  15. #include <linux/gfp.h>
  16. #include <linux/kmsan.h>
  17. #include <linux/kmsan_string.h>
  18. #include <linux/mm.h>
  19. #include <linux/uaccess.h>
/*
 * Tell whether an inline-assembly access to @addr must be ignored by the
 * asm-store hook instead of being unpoisoned.
 *
 * Two classes of addresses are rejected:
 *  - on architectures whose user and kernel address spaces do not overlap,
 *    anything below TASK_SIZE, i.e. a userspace pointer;
 *  - anything for which kmsan_get_metadata() cannot supply a shadow pointer,
 *    i.e. memory that KMSAN does not track.
 *
 * Only the start address is examined: a range that crosses into untracked
 * memory is not detected here. @size and @is_store are currently unused and
 * exist so the signature mirrors the store hook that calls this.
 *
 * Returns true if the access must be skipped, false if it can be handled.
 */
static inline bool is_bad_asm_addr(void *addr, uintptr_t size, bool is_store)
{
	bool is_user_addr;

	is_user_addr = IS_ENABLED(CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE) &&
		       (u64)addr < TASK_SIZE;
	if (is_user_addr)
		return true;

	/* No shadow for this address: there is nothing to unpoison. */
	return !kmsan_get_metadata(addr, KMSAN_META_SHADOW);
}
/*
 * Look up the shadow/origin pointers for @size bytes at @addr on behalf of
 * the __msan_metadata_ptr_for_* hooks.
 *
 * The lookup is bracketed by user_access_save()/user_access_restore() so the
 * runtime leaves the caller's user-access state exactly as it found it: the
 * hooks can be invoked from code that has user access enabled.
 *
 * @store selects the store variant of the lookup; its effect inside
 * kmsan_get_shadow_origin_ptr() is not visible from this file.
 */
static inline struct shadow_origin_ptr
get_shadow_origin_ptr(void *addr, u64 size, bool store)
{
	struct shadow_origin_ptr ptrs;
	unsigned long saved_ua;

	saved_ua = user_access_save();
	ptrs = kmsan_get_shadow_origin_ptr(addr, size, store);
	user_access_restore(saved_ua);

	return ptrs;
}
  38. /*
  39. * KMSAN instrumentation functions follow. They are not declared elsewhere in
  40. * the kernel code, so they are preceded by prototypes, to silence
  41. * -Wmissing-prototypes warnings.
  42. */
/*
 * Hook for a memory load of an arbitrary (non-1/2/4/8) byte count: return the
 * shadow/origin pointers for @size bytes at @addr, using the load flavour of
 * the lookup. Prototype first, to keep -Wmissing-prototypes quiet.
 */
struct shadow_origin_ptr __msan_metadata_ptr_for_load_n(void *addr,
							uintptr_t size);
struct shadow_origin_ptr __msan_metadata_ptr_for_load_n(void *addr,
							uintptr_t size)
{
	const bool is_store = false;

	return get_shadow_origin_ptr(addr, size, is_store);
}
EXPORT_SYMBOL(__msan_metadata_ptr_for_load_n);
/*
 * Hook for a memory store of an arbitrary (non-1/2/4/8) byte count: return
 * the shadow/origin pointers for @size bytes at @addr, using the store flavour
 * of the lookup. Prototype first, to keep -Wmissing-prototypes quiet.
 */
struct shadow_origin_ptr __msan_metadata_ptr_for_store_n(void *addr,
							 uintptr_t size);
struct shadow_origin_ptr __msan_metadata_ptr_for_store_n(void *addr,
							 uintptr_t size)
{
	const bool is_store = true;

	return get_shadow_origin_ptr(addr, size, is_store);
}
EXPORT_SYMBOL(__msan_metadata_ptr_for_store_n);
/*
 * Emit the fixed-size metadata getters. Clang calls
 * __msan_metadata_ptr_for_{load,store}_{1,2,4,8}() for accesses of those
 * sizes, so each needs its own exported symbol. As with the _n variants, every
 * definition is preceded by a prototype to silence -Wmissing-prototypes.
 *
 * The load half ends in ';' inside DECLARE_METADATA_PTR_GETTER(), while the
 * store half does not, so the combined macro still takes the trailing ';' at
 * its use site.
 */
#define DECLARE_METADATA_PTR_LOAD_GETTER(size)                                 \
	struct shadow_origin_ptr __msan_metadata_ptr_for_load_##size(          \
		void *addr);                                                   \
	struct shadow_origin_ptr __msan_metadata_ptr_for_load_##size(          \
		void *addr)                                                    \
	{                                                                      \
		return get_shadow_origin_ptr(addr, size, /*store*/ false);     \
	}                                                                      \
	EXPORT_SYMBOL(__msan_metadata_ptr_for_load_##size)

#define DECLARE_METADATA_PTR_STORE_GETTER(size)                                \
	struct shadow_origin_ptr __msan_metadata_ptr_for_store_##size(         \
		void *addr);                                                   \
	struct shadow_origin_ptr __msan_metadata_ptr_for_store_##size(         \
		void *addr)                                                    \
	{                                                                      \
		return get_shadow_origin_ptr(addr, size, /*store*/ true);      \
	}                                                                      \
	EXPORT_SYMBOL(__msan_metadata_ptr_for_store_##size)

#define DECLARE_METADATA_PTR_GETTER(size)                                      \
	DECLARE_METADATA_PTR_LOAD_GETTER(size);                                \
	DECLARE_METADATA_PTR_STORE_GETTER(size)

DECLARE_METADATA_PTR_GETTER(1);
DECLARE_METADATA_PTR_GETTER(2);
DECLARE_METADATA_PTR_GETTER(4);
DECLARE_METADATA_PTR_GETTER(8);
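/*
 * Handle a memory store performed by inline assembly.
 *
 * Inline asm is opaque to the instrumentation pass, so stores it performs
 * would leave their destination shadow untouched and could later produce
 * false positives. KMSAN therefore conservatively unpoisons the outputs of
 * asm() directives.
 *
 * The kmsan_in_runtime() check is deliberately omitted: this hook may run for
 * inline assembly on IRQ entry/exit, and the memory written there must be
 * marked initialized as well. Only kmsan_enabled gates it.
 *
 * A @size above 4096 bytes is treated as bogus: it is reported once and the
 * unpoison is limited to the first 8 bytes, which bounds how much memory a
 * wrong size can mark as initialized. Only the start address is validated by
 * is_bad_asm_addr(); the unpoison itself runs with checked == false, i.e.
 * best effort (presumably tolerating untracked memory inside the range —
 * confirm against kmsan_internal_unpoison_memory()).
 *
 * Fix: uintptr_t is unsigned long in the kernel, so the WARN_ONCE() format
 * uses %lu rather than %ld.
 */
void __msan_instrument_asm_store(void *addr, uintptr_t size);
void __msan_instrument_asm_store(void *addr, uintptr_t size)
{
	unsigned long ua_flags;

	if (!kmsan_enabled)
		return;

	ua_flags = user_access_save();
	/*
	 * Most of the accesses are below 32 bytes. The exceptions so far are
	 * clwb() (64 bytes), FPU state (512 bytes) and chsc() (4096 bytes).
	 */
	if (size > 4096) {
		WARN_ONCE(1, "assembly store size too big: %lu\n", size);
		size = 8;
	}
	if (!is_bad_asm_addr(addr, size, /*is_store*/ true)) {
		/* Unpoisoning the memory on best effort. */
		kmsan_internal_unpoison_memory(addr, size, /*checked*/ false);
	}
	user_access_restore(ua_flags);
}
EXPORT_SYMBOL(__msan_instrument_asm_store);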
  119. /*
  120. * KMSAN instrumentation pass replaces LLVM memcpy, memmove and memset
  121. * intrinsics with calls to respective __msan_ functions. We use
  122. * get_param0_metadata() and set_retval_metadata() to store the shadow/origin
  123. * values for the destination argument of these functions and use them for the
  124. * functions' return values.
  125. */
/*
 * Read the shadow and origin recorded for the first parameter of the current
 * call: the first 8 bytes of param_tls and param_origin_tls[0] of the current
 * KMSAN context. For the mem* hooks below that parameter is @dst.
 */
static inline void get_param0_metadata(u64 *shadow,
				       depot_stack_handle_t *origin)
{
	struct kmsan_ctx *ctx = kmsan_get_context();
	const u64 *param0_shadow = (const u64 *)ctx->cstate.param_tls;

	*shadow = *param0_shadow;
	*origin = ctx->cstate.param_origin_tls[0];
}
/*
 * Publish @shadow/@origin as the metadata of the current call's return value:
 * written into the first 8 bytes of retval_tls and into retval_origin_tls of
 * the current KMSAN context, where the instrumented caller picks them up.
 */
static inline void set_retval_metadata(u64 shadow, depot_stack_handle_t origin)
{
	struct kmsan_ctx *ctx = kmsan_get_context();
	u64 *retval_shadow = (u64 *)ctx->cstate.retval_tls;

	*retval_shadow = shadow;
	ctx->cstate.retval_origin_tls = origin;
}
/*
 * Handle the llvm.memmove intrinsic.
 *
 * Performs the actual move with the uninstrumented __memmove(), then moves the
 * shadow/origin of the source bytes onto the destination so that
 * initializedness follows the data. The result is @dst, so the return value
 * inherits @dst's parameter metadata.
 *
 * Nothing is done to the metadata for a zero-length call, when KMSAN is
 * disabled, or when we are already inside the runtime; on those paths the
 * return value's metadata is also left untouched (NOTE(review): whether stale
 * retval_tls contents can matter there is not visible from this file).
 */
void *__msan_memmove(void *dst, const void *src, uintptr_t n);
void *__msan_memmove(void *dst, const void *src, uintptr_t n)
{
	depot_stack_handle_t dst_origin;
	u64 dst_shadow;
	void *ret;

	/* Read @dst's shadow/origin up front, before the move itself. */
	get_param0_metadata(&dst_shadow, &dst_origin);
	ret = __memmove(dst, src, n);

	/* Zero-length memmove() calls are legal and do occur. */
	if (n && kmsan_enabled && !kmsan_in_runtime()) {
		kmsan_enter_runtime();
		kmsan_internal_memmove_metadata(dst, (void *)src, n);
		kmsan_leave_runtime();
		set_retval_metadata(dst_shadow, dst_origin);
	}
	return ret;
}
EXPORT_SYMBOL(__msan_memmove);
/*
 * Handle the llvm.memcpy intrinsic.
 *
 * Performs the actual copy with the uninstrumented __memcpy(), then transfers
 * the shadow/origin of the source bytes onto the destination. The metadata is
 * moved with the memmove helper: memmove semantics are a superset of memcpy's,
 * so this does not affect correctness. The result is @dst, so the return value
 * inherits @dst's parameter metadata.
 *
 * Nothing is done to the metadata for a zero-length call, when KMSAN is
 * disabled, or when we are already inside the runtime; on those paths the
 * return value's metadata is also left untouched (NOTE(review): whether stale
 * retval_tls contents can matter there is not visible from this file).
 */
void *__msan_memcpy(void *dst, const void *src, uintptr_t n);
void *__msan_memcpy(void *dst, const void *src, uintptr_t n)
{
	depot_stack_handle_t dst_origin;
	u64 dst_shadow;
	void *ret;

	/* Read @dst's shadow/origin up front, before the copy itself. */
	get_param0_metadata(&dst_shadow, &dst_origin);
	ret = __memcpy(dst, src, n);

	/* Zero-length memcpy() calls are legal and do occur. */
	if (n && kmsan_enabled && !kmsan_in_runtime()) {
		kmsan_enter_runtime();
		kmsan_internal_memmove_metadata(dst, (void *)src, n);
		kmsan_leave_runtime();
		set_retval_metadata(dst_shadow, dst_origin);
	}
	return ret;
}
EXPORT_SYMBOL(__msan_memcpy);
/*
 * Handle the llvm.memset intrinsic.
 *
 * Fills @dst with the uninstrumented __memset(), then marks the whole
 * destination initialized. Clang does not pass parameter metadata for @c
 * here, so the shadow of @c cannot be propagated: an uninitialized fill value
 * goes unnoticed and @dst is reported as initialized regardless. The result
 * is @dst, so the return value inherits @dst's parameter metadata.
 *
 * Unlike the memcpy/memmove hooks there is no zero-length shortcut; the
 * metadata update is skipped only when KMSAN is disabled or we are already
 * inside the runtime, and the return value's metadata is left untouched then.
 */
void *__msan_memset(void *dst, int c, uintptr_t n);
void *__msan_memset(void *dst, int c, uintptr_t n)
{
	depot_stack_handle_t dst_origin;
	u64 dst_shadow;
	void *ret;

	/* Read @dst's shadow/origin up front, before the fill itself. */
	get_param0_metadata(&dst_shadow, &dst_origin);
	ret = __memset(dst, c, n);

	if (kmsan_enabled && !kmsan_in_runtime()) {
		kmsan_enter_runtime();
		/* Every byte was just written; no shadow for @c is available. */
		kmsan_internal_unpoison_memory(dst, n, /*checked*/ false);
		kmsan_leave_runtime();
		set_retval_metadata(dst_shadow, dst_origin);
	}
	return ret;
}
EXPORT_SYMBOL(__msan_memset);
/*
 * Derive a new origin from @origin. Clang calls this when an uninitialized
 * value is stored to memory, so that a report can later unroll and print the
 * whole chain of stores that preceded the use of the value.
 *
 * Returns the chained origin handle, or 0 when KMSAN is disabled or we are
 * already inside the runtime. The user-access state is preserved around the
 * call, and kmsan_internal_chain_origin() runs inside the runtime because
 * creating an origin may allocate memory.
 */
depot_stack_handle_t __msan_chain_origin(depot_stack_handle_t origin);
depot_stack_handle_t __msan_chain_origin(depot_stack_handle_t origin)
{
	depot_stack_handle_t chained;
	unsigned long ua_flags;

	if (!kmsan_enabled || kmsan_in_runtime())
		return 0;

	ua_flags = user_access_save();
	/* Creating new origins may allocate memory. */
	kmsan_enter_runtime();
	chained = kmsan_internal_chain_origin(origin);
	kmsan_leave_runtime();
	user_access_restore(ua_flags);

	return chained;
}
EXPORT_SYMBOL(__msan_chain_origin);
/*
 * Poison a local variable when entering a function.
 *
 * The @size bytes at @address get shadow -1 (all shadow bits set) and an
 * origin built from a synthetic four-entry "stack trace":
 *   [0] KMSAN_ALLOCA_MAGIC_ORIGIN, marking the origin as an alloca (presumably
 *       how the reporter tells it apart from a real trace — confirm);
 *   [1] @descr, the description Clang passes for the variable;
 *   [2] the return address of this hook, i.e. the instrumented function;
 *   [3] that function's caller, but only when frame pointers are enabled;
 *       otherwise 0, since fetching it would need the unwinder.
 *
 * No-op when KMSAN is disabled or we are already inside the runtime. The
 * user-access state is preserved across the call.
 */
void __msan_poison_alloca(void *address, uintptr_t size, char *descr);
void __msan_poison_alloca(void *address, uintptr_t size, char *descr)
{
	unsigned long origin_entries[4];
	depot_stack_handle_t origin;
	unsigned long ua_flags;

	if (!kmsan_enabled || kmsan_in_runtime())
		return;

	ua_flags = user_access_save();

	origin_entries[0] = KMSAN_ALLOCA_MAGIC_ORIGIN;
	origin_entries[1] = (u64)descr;
	origin_entries[2] = (u64)__builtin_return_address(0);
	/*
	 * With frame pointers the second caller frame is one load away;
	 * without them it would require the unwinder, so do not bother.
	 */
	origin_entries[3] = IS_ENABLED(CONFIG_UNWINDER_FRAME_POINTER) ?
				    (u64)__builtin_return_address(1) : 0;

	/* stack_depot_save() may allocate memory. */
	kmsan_enter_runtime();
	origin = stack_depot_save(origin_entries, ARRAY_SIZE(origin_entries),
				  __GFP_HIGH);
	kmsan_leave_runtime();

	kmsan_internal_set_shadow_origin(address, size, -1, origin,
					 /*checked*/ true);
	user_access_restore(ua_flags);
}
EXPORT_SYMBOL(__msan_poison_alloca);
/*
 * Unpoison a local variable: mark the @size bytes at @address initialized.
 * The counterpart of __msan_poison_alloca(). Runs inside the runtime with
 * checked == true, and is a no-op when KMSAN is disabled or we are already
 * inside the runtime.
 */
void __msan_unpoison_alloca(void *address, uintptr_t size);
void __msan_unpoison_alloca(void *address, uintptr_t size)
{
	if (kmsan_enabled && !kmsan_in_runtime()) {
		kmsan_enter_runtime();
		kmsan_internal_unpoison_memory(address, size, /*checked*/ true);
		kmsan_leave_runtime();
	}
}
EXPORT_SYMBOL(__msan_unpoison_alloca);
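/*
 * Report that an uninitialized value with the given origin was used in a way
 * that constituted undefined behavior. Clang emits a call to this hook at the
 * use site; @origin identifies where the value came from.
 *
 * Fix: like every other hook in this file, the report is skipped when KMSAN is
 * disabled or when we are already inside the runtime, and kmsan_report() is
 * bracketed by kmsan_enter_runtime()/kmsan_leave_runtime(). Previously the
 * report was issued unconditionally; the reporting path is presumably not a
 * leaf, and without the guard a report raised from within the runtime could
 * re-enter the instrumentation hooks (including this one) recursively.
 */
void __msan_warning(u32 origin);
void __msan_warning(u32 origin)
{
	if (!kmsan_enabled || kmsan_in_runtime())
		return;

	kmsan_enter_runtime();
	kmsan_report(origin, /*address*/ NULL, /*size*/ 0,
		     /*off_first*/ 0, /*off_last*/ 0, /*user_addr*/ NULL,
		     REASON_ANY);
	kmsan_leave_runtime();
}
EXPORT_SYMBOL(__msan_warning);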
/*
 * Called at the beginning of every instrumented function: hand Clang the
 * pointer to the `struct kmsan_context_state` of the current KMSAN context,
 * which holds the shadow/origin of the function's parameters (and where the
 * return value's metadata is published, see set_retval_metadata()).
 */
struct kmsan_context_state *__msan_get_context_state(void);
struct kmsan_context_state *__msan_get_context_state(void)
{
	/* The state is embedded in the context returned by kmsan_get_context(). */
	return &(kmsan_get_context()->cstate);
}
EXPORT_SYMBOL(__msan_get_context_state);
  288. EXPORT_SYMBOL(__msan_get_context_state);