diff options
author | Pawel Jakub Dawidek <pjd@FreeBSD.org> | 2006-01-31 11:09:21 +0000 |
---|---|---|
committer | Pawel Jakub Dawidek <pjd@FreeBSD.org> | 2006-01-31 11:09:21 +0000 |
commit | 847a2a17167996abbc61d81db3de86b92cab3fde (patch) | |
tree | 5578d06f9b3e97650d2847a2198d21f29bb26546 | |
parent | f0107b2c5d12b257e36dc13cf6acb11dc925dceb (diff) | |
download | src-847a2a17167996abbc61d81db3de86b92cab3fde.tar.gz src-847a2a17167996abbc61d81db3de86b92cab3fde.zip |
Add buffer corruption protection (RedZone) for kernel's malloc(9).
It detects both: buffer underflows and buffer overflows bugs at runtime
(on free(9) and realloc(9)) and prints backtraces from where memory was
allocated and from where it was freed.
Tested by: kris
Notes
Notes:
svn path=/head/; revision=155086
-rw-r--r-- | share/man/man9/Makefile | 1 | ||||
-rw-r--r-- | share/man/man9/redzone.9 | 123 | ||||
-rw-r--r-- | sys/conf/NOTES | 6 | ||||
-rw-r--r-- | sys/conf/files | 1 | ||||
-rw-r--r-- | sys/conf/options | 3 | ||||
-rw-r--r-- | sys/kern/kern_malloc.c | 23 | ||||
-rw-r--r-- | sys/vm/redzone.c | 181 | ||||
-rw-r--r-- | sys/vm/redzone.h | 38 |
8 files changed, 375 insertions, 1 deletions
diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile index 63eb6fccf06e..3ecff81031ee 100644 --- a/share/man/man9/Makefile +++ b/share/man/man9/Makefile @@ -188,6 +188,7 @@ MAN= accept_filter.9 \ psignal.9 \ random.9 \ random_harvest.9 \ + redzone.9 \ resettodr.9 \ resource_int_value.9 \ rijndael.9 \ diff --git a/share/man/man9/redzone.9 b/share/man/man9/redzone.9 new file mode 100644 index 000000000000..ef3cb53ca540 --- /dev/null +++ b/share/man/man9/redzone.9 @@ -0,0 +1,123 @@ +.\" Copyright (c) 2006 Pawel Jakub Dawidek <pjd@FreeBSD.org> +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd January 31, 2006 +.Dt REDZONE 9 +.Os +.Sh NAME +.Nm RedZone +.Nd "buffer corruptions detector" +.Sh SYNOPSIS +.Cd "options DEBUG_REDZONE" +.Sh DESCRIPTION +.Nm +detects buffer underflow and buffer overflow bugs at runtime. +Currently +.Nm +only detects buffer corruptions for memory allocated with +.Xr malloc 9 . +When such corruption is detected two backtraces are printed on the console. +The first one shows from where memory was allocated, the second one shows from +where memory was freed. +By default the system will not panic when buffer corruption is detected. +This can be changed by setting the +.Va vm.redzone.panic +.Xr sysctl 8 +variable to 1. +The amount of extra memory allocated for +.Nm Ns 's +needs is stored in the +.Va vm.redzone.extra_mem +.Xr sysctl 8 +variable. +.Sh EXAMPLE +The example below shows the logs from the detection of a buffer underflow and a +buffer overflow. +.Bd -literal -offset indent +REDZONE: Buffer underflow detected. 2 bytes corrupted before 0xc8688580 (16 bytes allocated). +Allocation backtrace: +#0 0xc0583e4e at redzone_setup+0x3c +#1 0xc04a23fa at malloc+0x19e +#2 0xcdeb69ca at redzone_modevent+0x60 +#3 0xc04a3f3c at module_register_init+0x82 +#4 0xc049d96a at linker_file_sysinit+0x8e +#5 0xc049dc7c at linker_load_file+0xed +#6 0xc04a041f at linker_load_module+0xc4 +#7 0xc049e883 at kldload+0x116 +#8 0xc05d9b3d at syscall+0x325 +#9 0xc05c944f at Xint0x80_syscall+0x1f +Free backtrace: +#0 0xc0583f92 at redzone_check+0xd4 +#1 0xc04a2422 at free+0x1c +#2 0xcdeb69a6 at redzone_modevent+0x3c +#3 0xc04a438d at module_unload+0x61 +#4 0xc049e0b3 at linker_file_unload+0x89 +#5 0xc049e979 at kern_kldunload+0x96 +#6 0xc049ea00 at kldunloadf+0x2c +#7 0xc05d9b3d at syscall+0x325 +#8 0xc05c944f at Xint0x80_syscall+0x1f + +REDZONE: Buffer overflow detected. 4 bytes corrupted after 0xc8688590 (16 bytes allocated). +Allocation backtrace: +#0 0xc0583e4e at redzone_setup+0x3c +#1 0xc04a23fa at malloc+0x19e +#2 0xcdeb69ca at redzone_modevent+0x60 +#3 0xc04a3f3c at module_register_init+0x82 +#4 0xc049d96a at linker_file_sysinit+0x8e +#5 0xc049dc7c at linker_load_file+0xed +#6 0xc04a041f at linker_load_module+0xc4 +#7 0xc049e883 at kldload+0x116 +#8 0xc05d9b3d at syscall+0x325 +#9 0xc05c944f at Xint0x80_syscall+0x1f +Free backtrace: +#0 0xc0584020 at redzone_check+0x162 +#1 0xc04a2422 at free+0x1c +#2 0xcdeb69a6 at redzone_modevent+0x3c +#3 0xc04a438d at module_unload+0x61 +#4 0xc049e0b3 at linker_file_unload+0x89 +#5 0xc049e979 at kern_kldunload+0x96 +#6 0xc049ea00 at kldunloadf+0x2c +#7 0xc05d9b3d at syscall+0x325 +#8 0xc05c944f at Xint0x80_syscall+0x1f +.Ed +.Sh SEE ALSO +.Xr sysctl 8 , +.Xr malloc 9 , +.Xr memguard 9 +.Sh HISTORY +.Nm +first appeared in +.Fx 7.0 . +.Sh AUTHORS +.An Pawel Jakub Dawidek Aq pjd@FreeBSD.org +.Sh BUGS +Currently, +.Nm +does not cooperate with +.Xr memguard 9 . +Allocations from a memory type controlled by +.Xr memguard 9 +are simply skipped, so buffer corruptions will not be detected there. diff --git a/sys/conf/NOTES b/sys/conf/NOTES index e6b139bd6c20..fde97a859aa1 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -327,6 +327,12 @@ options SYSCTL_DEBUG options DEBUG_MEMGUARD # +# DEBUG_REDZONE enables buffer underflows and buffer overflows detection for +# malloc(9). +# +options DEBUG_REDZONE + +# # KTRACE enables the system-call tracing facility ktrace(2). To be more # SMP-friendly, KTRACE uses a worker thread to process most trace events # asynchronously to the thread generating the event. This requires a diff --git a/sys/conf/files b/sys/conf/files index 243f110b4b19..07c44fcf611a 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -1867,6 +1867,7 @@ ufs/ufs/ufs_vnops.c optional ffs vm/default_pager.c standard vm/device_pager.c standard vm/phys_pager.c standard +vm/redzone.c optional DEBUG_REDZONE vm/swap_pager.c standard vm/uma_core.c standard vm/uma_dbg.c standard diff --git a/sys/conf/options b/sys/conf/options index d5c9df64f3d3..84aa1e45c934 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -530,6 +530,9 @@ PQ_NOOPT opt_vmpage.h # The MemGuard replacement allocator used for tamper-after-free detection DEBUG_MEMGUARD opt_vm.h +# The RedZone malloc(9) protection +DEBUG_REDZONE opt_vm.h + # Standard SMP options SMP opt_global.h diff --git a/sys/kern/kern_malloc.c b/sys/kern/kern_malloc.c index 6b2e73d86fd2..27c2d19eccc6 100644 --- a/sys/kern/kern_malloc.c +++ b/sys/kern/kern_malloc.c @@ -65,6 +65,9 @@ __FBSDID("$FreeBSD$"); #ifdef DEBUG_MEMGUARD #include <vm/memguard.h> #endif +#ifdef DEBUG_REDZONE +#include <vm/redzone.h> +#endif #if defined(INVARIANTS) && defined(__i386__) #include <machine/cpu.h> @@ -259,7 +262,7 @@ malloc(unsigned long size, struct malloc_type *mtp, int flags) caddr_t va; uma_zone_t zone; uma_keg_t keg; -#ifdef DIAGNOSTIC +#if defined(DIAGNOSTIC) || defined(DEBUG_REDZONE) unsigned long osize = size; #endif @@ -302,6 +305,10 @@ malloc(unsigned long size, struct malloc_type *mtp, int flags) return memguard_alloc(size, flags); #endif +#ifdef DEBUG_REDZONE + size = redzone_size_ntor(size); +#endif + if (size <= KMEM_ZMAX) { if (size & KMEM_ZMASK) size = (size & ~KMEM_ZMASK) + KMEM_ZBASE; @@ -331,6 +338,10 @@ malloc(unsigned long size, struct malloc_type *mtp, int flags) memset(va, 0x70, osize); } #endif +#ifdef DEBUG_REDZONE + if (va != NULL) + va = redzone_setup(va, osize); +#endif return ((void *) va); } @@ -358,6 +369,11 @@ free(void *addr, struct malloc_type *mtp) } #endif +#ifdef DEBUG_REDZONE + redzone_check(addr); + addr = redzone_addr_ntor(addr); +#endif + size = 0; slab = vtoslab((vm_offset_t)addr & (~UMA_SLAB_MASK)); @@ -421,6 +437,10 @@ if (memguard_cmp(mtp)) { } else { #endif +#ifdef DEBUG_REDZONE + slab = NULL; + alloc = redzone_get_size(addr); +#else slab = vtoslab((vm_offset_t)addr & ~(UMA_SLAB_MASK)); /* Sanity check */ @@ -437,6 +457,7 @@ if (memguard_cmp(mtp)) { if (size <= alloc && (size > (alloc >> REALLOC_FRACTION) || alloc == MINALLOCSIZE)) return (addr); +#endif /* !DEBUG_REDZONE */ #ifdef DEBUG_MEMGUARD } diff --git a/sys/vm/redzone.c b/sys/vm/redzone.c new file mode 100644 index 000000000000..5598b5defb6f --- /dev/null +++ b/sys/vm/redzone.c @@ -0,0 +1,181 @@ +/*- + * Copyright (c) 2006 Pawel Jakub Dawidek <pjd@FreeBSD.org> + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <sys/cdefs.h> +__FBSDID("$FreeBSD$"); + +#include <sys/param.h> +#include <sys/systm.h> +#include <sys/kernel.h> +#include <sys/stack.h> +#include <sys/sysctl.h> + +#include <vm/redzone.h> + + +SYSCTL_NODE(_vm, OID_AUTO, redzone, CTLFLAG_RW, NULL, "RedZone data"); +static u_long redzone_extra_mem = 0; +SYSCTL_ULONG(_vm_redzone, OID_AUTO, extra_mem, CTLFLAG_RD, &redzone_extra_mem, + 0, "Extra memory allocated by redzone"); +static int redzone_panic = 0; +TUNABLE_INT("vm.redzone.panic", &redzone_panic); +SYSCTL_INT(_vm_redzone, OID_AUTO, panic, CTLFLAG_RW, &redzone_panic, 0, + "Panic when buffer corruption is detected"); + +#define REDZONE_CHSIZE (16) +#define REDZONE_CFSIZE (16) +#define REDZONE_HSIZE (sizeof(struct stack) + sizeof(u_long) + REDZONE_CHSIZE) +#define REDZONE_FSIZE (REDZONE_CFSIZE) + +static u_long +redzone_roundup(u_long n) +{ + + if (n <= 128) + return (128); + else if (n <= 256) + return (256); + else if (n <= 512) + return (512); + else if (n <= 1024) + return (1024); + else if (n <= 2048) + return (2048); + return (PAGE_SIZE); +} + +u_long +redzone_get_size(caddr_t naddr) +{ + u_long nsize; + + bcopy(naddr - REDZONE_CHSIZE - sizeof(u_long), &nsize, sizeof(nsize)); + return (nsize); +} + +u_long +redzone_size_ntor(u_long nsize) +{ + + return (nsize + redzone_roundup(nsize) + REDZONE_FSIZE); +} + +void * +redzone_addr_ntor(caddr_t naddr) +{ + + return (naddr - redzone_roundup(redzone_get_size(naddr))); +} + +/* + * Set redzones and remember allocation backtrace. + */ +void * +redzone_setup(caddr_t raddr, u_long nsize) +{ + struct stack st; + caddr_t haddr, faddr; + + atomic_add_long(&redzone_extra_mem, redzone_size_ntor(nsize) - nsize); + + haddr = raddr + redzone_roundup(nsize) - REDZONE_HSIZE; + faddr = haddr + REDZONE_HSIZE + nsize; + + /* Redzone header. */ + stack_save(&st); + bcopy(&st, haddr, sizeof(st)); + haddr += sizeof(st); + bcopy(&nsize, haddr, sizeof(nsize)); + haddr += sizeof(nsize); + memset(haddr, 0x42, REDZONE_CHSIZE); + haddr += REDZONE_CHSIZE; + + /* Redzone footer. */ + memset(faddr, 0x42, REDZONE_CFSIZE); + + return (haddr); +} + +/* + * Verify redzones. + * This function is called on free() and realloc(). + */ +void +redzone_check(caddr_t naddr) +{ + struct stack ast, fst; + caddr_t haddr, faddr; + u_int ncorruptions; + u_long nsize; + int i; + + haddr = naddr - REDZONE_HSIZE; + bcopy(haddr, &ast, sizeof(ast)); + haddr += sizeof(ast); + bcopy(haddr, &nsize, sizeof(nsize)); + haddr += sizeof(nsize); + + atomic_subtract_long(&redzone_extra_mem, + redzone_size_ntor(nsize) - nsize); + + /* Look for buffer underflow. */ + ncorruptions = 0; + for (i = 0; i < REDZONE_CHSIZE; i++, haddr++) { + if (*(u_char *)haddr != 0x42) + ncorruptions++; + } + if (ncorruptions > 0) { + printf("REDZONE: Buffer underflow detected. %u byte%s " + "corrupted before %p (%lu bytes allocated).\n", + ncorruptions, ncorruptions == 1 ? "" : "s", naddr, nsize); + printf("Allocation backtrace:\n"); + stack_print(&ast); + printf("Free backtrace:\n"); + stack_save(&fst); + stack_print(&fst); + if (redzone_panic) + panic("Stopping here."); + } + faddr = naddr + nsize; + /* Look for buffer overflow. */ + ncorruptions = 0; + for (i = 0; i < REDZONE_CFSIZE; i++, faddr++) { + if (*(u_char *)faddr != 0x42) + ncorruptions++; + } + if (ncorruptions > 0) { + printf("REDZONE: Buffer overflow detected. %u byte%s corrupted " + "after %p (%lu bytes allocated).\n", ncorruptions, + ncorruptions == 1 ? "" : "s", naddr + nsize, nsize); + printf("Allocation backtrace:\n"); + stack_print(&ast); + printf("Free backtrace:\n"); + stack_save(&fst); + stack_print(&fst); + if (redzone_panic) + panic("Stopping here."); + } +} diff --git a/sys/vm/redzone.h b/sys/vm/redzone.h new file mode 100644 index 000000000000..8738d7e02fb2 --- /dev/null +++ b/sys/vm/redzone.h @@ -0,0 +1,38 @@ +/*- + * Copyright (c) 2006 Pawel Jakub Dawidek <pjd@FreeBSD.org> + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#ifndef _VM_REDZONE_H_ +#define _VM_REDZONE_H_ + +u_long redzone_get_size(caddr_t naddr); +u_long redzone_size_ntor(u_long nsize); +void *redzone_addr_ntor(caddr_t naddr); +void *redzone_setup(caddr_t raddr, u_long nsize); +void redzone_check(caddr_t naddr); + +#endif /* _VM_REDZONE_H_ */ |