1 /* Copyright (C) 2012-2013
2 Free Software Foundation
3
4 This file is part of GCC.
5
6 GCC is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3, or (at your option)
9 any later version.
10
11 GCC is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 Under Section 7 of GPL version 3, you are granted additional
17 permissions described in the GCC Runtime Library Exception, version
18 3.1, as published by the Free Software Foundation.
19
20 You should have received a copy of the GNU General Public License and
21 a copy of the GCC Runtime Library Exception along with this program;
22 see the files COPYING3 and COPYING.RUNTIME respectively. If not, see
23 <http://www.gnu.org/licenses/>. */
24
25 /* This file is part of the vtable security feature implementation.
26 The vtable security feature is designed to detect when a virtual
27 call is about to be made through an invalid vtable pointer
28 (possibly due to data corruption or malicious attacks).
29
30 This file also contains the failure functions that get called when
31 a vtable pointer is not found in the data set. Two particularly
32 important functions are __vtv_verify_fail and __vtv_really_fail.
33 They are both externally visible. __vtv_verify_fail is defined in
34 such a way that it can be replaced by a programmer, if desired. It
35 is the function that __VLTVerifyVtablePointer calls if it can't
36 find the pointer in the data set. Allowing the programmer to
37 overwrite this function means that he/she can do some alternate
38 verification, including NOT failing in certain specific cases, if
39 desired. This may be the case if the programmer has to deal wtih
40 unverified third party software, for example. __vtv_really_fail is
41 available for the programmer to call from his version of
42 __vtv_verify_fail, if he decides the failure is real.
43
44 */
45
46 #include <stdlib.h>
47 #include <stdio.h>
48 #include <string.h>
49 #include <execinfo.h>
50 #include <unistd.h>
51
52 #include "vtv_utils.h"
53 #include "vtv_fail.h"
54
55 /* This is used to disable aborts for debugging purposes. */
56 bool vtv_no_abort = false;
57
58
59 extern "C" {
60
61 /* __fortify_fail is a function in glibc that calls __libc_message,
62 causing it to print out a program termination error message
63 (including the name of the binary being terminated), a stack
64 trace where the error occurred, and a memory map dump. Ideally
65 we would have called __libc_message directly, but that function
66 does not appear to be accessible to functions outside glibc,
67 whereas __fortify_fail is. We call __fortify_fail from
68 __vtv_really_fail. We looked at calling __libc_fatal, which is
69 externally accessible, but it does not do the back trace and
70 memory dump. */
71
72 extern void __fortify_fail (const char *) __attribute__((noreturn));
73
74 } /* extern "C" */
75
76 const unsigned long SET_HANDLE_HANDLE_BIT = 0x2;
77
78 /* Instantiate the template classes (in vtv_set.h) for our particular
79 hash table needs. */
80 typedef void * vtv_set_handle;
81 typedef vtv_set_handle * vtv_set_handle_handle;
82
83 static int vtv_failures_log_fd = -1;
84
85 /* Open error logging file, if not already open, and write vtable
86 verification failure messages (LOG_MSG) to the log file. Also
87 generate a backtrace in the log file, if GENERATE_BACKTRACE is
88 set. */
89
90 static void
log_error_message(const char * log_msg,bool generate_backtrace)91 log_error_message (const char *log_msg, bool generate_backtrace)
92 {
93 if (vtv_failures_log_fd == -1)
94 vtv_failures_log_fd = vtv_open_log ("vtable_verification_failures.log");
95
96 if (vtv_failures_log_fd == -1)
97 return;
98
99 vtv_add_to_log (vtv_failures_log_fd, "%s", log_msg);
100
101 if (generate_backtrace)
102 {
103 #define STACK_DEPTH 20
104 void *callers[STACK_DEPTH];
105 int actual_depth = backtrace (callers, STACK_DEPTH);
106 backtrace_symbols_fd (callers, actual_depth, vtv_failures_log_fd);
107 }
108 }
109
110 /* In the case where a vtable map variable is the only instance of the
111 variable we have seen, it points directly to the set of valid
112 vtable pointers. All subsequent instances of the 'same' vtable map
113 variable point to the first vtable map variable. This function,
114 given a vtable map variable PTR, checks a bit to see whether it's
115 pointing directly to the data set or to the first vtable map
116 variable. */
117
118 static inline bool
is_set_handle_handle(void * ptr)119 is_set_handle_handle (void * ptr)
120 {
121 return ((unsigned long) ptr & SET_HANDLE_HANDLE_BIT)
122 == SET_HANDLE_HANDLE_BIT;
123 }
124
125 /* Returns the actual pointer value of a vtable map variable, PTR (see
126 comments for is_set_handle_handle for more details). */
127
128 static inline vtv_set_handle *
ptr_from_set_handle_handle(void * ptr)129 ptr_from_set_handle_handle (void * ptr)
130 {
131 return (vtv_set_handle *) ((unsigned long) ptr & ~SET_HANDLE_HANDLE_BIT);
132 }
133
134 /* Given a vtable map variable, PTR, this function sets the bit that
135 says this is the second (or later) instance of a vtable map
136 variable. */
137
138 static inline vtv_set_handle_handle
set_handle_handle(vtv_set_handle * ptr)139 set_handle_handle (vtv_set_handle * ptr)
140 {
141 return (vtv_set_handle_handle) ((unsigned long) ptr | SET_HANDLE_HANDLE_BIT);
142 }
143
144 /* This function is called from __VLTVerifyVtablePointerDebug; it
145 sends as much debugging information as it can to the error log
146 file, then calls __vtv_verify_fail. SET_HANDLE_PTR is the pointer
147 to the set of valid vtable pointers, VTBL_PTR is the pointer that
148 was not found in the set, and DEBUG_MSG is the message to be
149 written to the log file before failing. n */
150
151 void
__vtv_verify_fail_debug(void ** set_handle_ptr,const void * vtbl_ptr,const char * debug_msg)152 __vtv_verify_fail_debug (void **set_handle_ptr, const void *vtbl_ptr,
153 const char *debug_msg)
154 {
155 log_error_message (debug_msg, false);
156
157 /* Call the public interface in case it has been overwritten by
158 user. */
159 __vtv_verify_fail (set_handle_ptr, vtbl_ptr);
160
161 log_error_message ("Returned from __vtv_verify_fail."
162 " Secondary verification succeeded.\n", false);
163 }
164
165 /* This function calls __fortify_fail with a FAILURE_MSG and then
166 calls abort. */
167
168 void
__vtv_really_fail(const char * failure_msg)169 __vtv_really_fail (const char *failure_msg)
170 {
171 __fortify_fail (failure_msg);
172
173 /* We should never get this far; __fortify_fail calls __libc_message
174 which prints out a back trace and a memory dump and then is
175 supposed to call abort, but let's play it safe anyway and call abort
176 ourselves. */
177 abort ();
178 }
179
180 /* This function takes an error MSG, a vtable map variable
181 (DATA_SET_PTR) and a vtable pointer (VTBL_PTR). It is called when
182 an attempt to verify VTBL_PTR with the set pointed to by
183 DATA_SET_PTR failed. It outputs a failure message with the
184 addresses involved, and calls __vtv_really_fail. */
185
186 static void
vtv_fail(const char * msg,void ** data_set_ptr,const void * vtbl_ptr)187 vtv_fail (const char *msg, void **data_set_ptr, const void *vtbl_ptr)
188 {
189 char buffer[128];
190 int buf_len;
191 const char *format_str =
192 "*** Unable to verify vtable pointer (%p) in set (%p) *** \n";
193
194 snprintf (buffer, sizeof (buffer), format_str, vtbl_ptr,
195 is_set_handle_handle(*data_set_ptr) ?
196 ptr_from_set_handle_handle (*data_set_ptr) :
197 *data_set_ptr);
198 buf_len = strlen (buffer);
199 /* Send this to to stderr. */
200 write (2, buffer, buf_len);
201
202 if (!vtv_no_abort)
203 __vtv_really_fail (msg);
204 }
205
206 /* Send information about what we were trying to do when verification
207 failed to the error log, then call vtv_fail. This function can be
208 overwritten/replaced by the user, to implement a secondary
209 verification function instead. DATA_SET_PTR is the vtable map
210 variable used for the failed verification, and VTBL_PTR is the
211 vtable pointer that was not found in the set. */
212
213 void
__vtv_verify_fail(void ** data_set_ptr,const void * vtbl_ptr)214 __vtv_verify_fail (void **data_set_ptr, const void *vtbl_ptr)
215 {
216 char log_msg[256];
217 snprintf (log_msg, sizeof (log_msg), "Looking for vtable %p in set %p.\n",
218 vtbl_ptr,
219 is_set_handle_handle (*data_set_ptr) ?
220 ptr_from_set_handle_handle (*data_set_ptr) :
221 *data_set_ptr);
222 log_error_message (log_msg, false);
223
224 const char *format_str =
225 "*** Unable to verify vtable pointer (%p) in set (%p) *** \n";
226 snprintf (log_msg, sizeof (log_msg), format_str, vtbl_ptr, *data_set_ptr);
227 log_error_message (log_msg, false);
228 log_error_message (" Backtrace: \n", true);
229
230 const char *fail_msg = "Potential vtable pointer corruption detected!!\n";
231 vtv_fail (fail_msg, data_set_ptr, vtbl_ptr);
232 }
233
234