1 /*
2  * Copyright (C) 2020 The Android Open Source Project
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  *  * Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  *  * Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in
12  *    the documentation and/or other materials provided with the
13  *    distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19  * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
22  * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23  * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
25  * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26  * SUCH DAMAGE.
27  */
28 
29 #include <platform/bionic/android_unsafe_frame_pointer_chase.h>
30 #include <platform/bionic/malloc.h>
31 #include <private/bionic_arc4random.h>
32 #include <private/bionic_globals.h>
33 #include <private/bionic_malloc_dispatch.h>
34 #include <stddef.h>
35 #include <stdint.h>
36 #include <stdio.h>
37 #include <string.h>
38 #include <sys/types.h>
39 
40 #include "bionic/gwp_asan_wrappers.h"
41 #include "gwp_asan/guarded_pool_allocator.h"
42 #include "gwp_asan/options.h"
43 #include "gwp_asan/random.h"
44 #include "malloc_common.h"
45 
46 #ifndef LIBC_STATIC
47 #include "bionic/malloc_common_dynamic.h"
48 #endif  // LIBC_STATIC
49 
50 static gwp_asan::GuardedPoolAllocator GuardedAlloc;
51 static const MallocDispatch* prev_dispatch;
52 
53 using Options = gwp_asan::options::Options;
54 
55 // ============================================================================
56 // Implementation of gFunctions.
57 // ============================================================================
58 
59 // This function handles initialisation as asked for by MallocInitImpl. This
60 // should always be called in a single-threaded context.
gwp_asan_initialize(const MallocDispatch * dispatch,bool *,const char *)61 bool gwp_asan_initialize(const MallocDispatch* dispatch, bool*, const char*) {
62   prev_dispatch = dispatch;
63 
64   Options Opts;
65   Opts.Enabled = true;
66   Opts.MaxSimultaneousAllocations = 32;
67   Opts.SampleRate = 2500;
68   Opts.InstallSignalHandlers = false;
69   Opts.InstallForkHandlers = true;
70   Opts.Backtrace = android_unsafe_frame_pointer_chase;
71 
72   GuardedAlloc.init(Opts);
73   // TODO(b/149790891): The log line below causes ART tests to fail as they're
74   // not expecting any output. Disable the output for now.
75   // info_log("GWP-ASan has been enabled.");
76 
77   __libc_shared_globals()->gwp_asan_state = GuardedAlloc.getAllocatorState();
78   __libc_shared_globals()->gwp_asan_metadata = GuardedAlloc.getMetadataRegion();
79   return true;
80 }
81 
gwp_asan_finalize()82 void gwp_asan_finalize() {
83 }
84 
gwp_asan_get_malloc_leak_info(uint8_t **,size_t *,size_t *,size_t *,size_t *)85 void gwp_asan_get_malloc_leak_info(uint8_t**, size_t*, size_t*, size_t*, size_t*) {
86 }
87 
gwp_asan_free_malloc_leak_info(uint8_t *)88 void gwp_asan_free_malloc_leak_info(uint8_t*) {
89 }
90 
gwp_asan_malloc_backtrace(void *,uintptr_t *,size_t)91 ssize_t gwp_asan_malloc_backtrace(void*, uintptr_t*, size_t) {
92   // TODO(mitchp): GWP-ASan might be able to return the backtrace for the
93   // provided address.
94   return -1;
95 }
96 
gwp_asan_write_malloc_leak_info(FILE *)97 bool gwp_asan_write_malloc_leak_info(FILE*) {
98   return false;
99 }
100 
101 void* gwp_asan_gfunctions[] = {
102   (void*)gwp_asan_initialize,           (void*)gwp_asan_finalize,
103   (void*)gwp_asan_get_malloc_leak_info, (void*)gwp_asan_free_malloc_leak_info,
104   (void*)gwp_asan_malloc_backtrace,     (void*)gwp_asan_write_malloc_leak_info,
105 };
106 
107 // ============================================================================
108 // Implementation of GWP-ASan malloc wrappers.
109 // ============================================================================
110 
gwp_asan_calloc(size_t n_elements,size_t elem_size)111 void* gwp_asan_calloc(size_t n_elements, size_t elem_size) {
112   if (__predict_false(GuardedAlloc.shouldSample())) {
113     size_t bytes;
114     if (!__builtin_mul_overflow(n_elements, elem_size, &bytes)) {
115       if (void* result = GuardedAlloc.allocate(bytes)) {
116         return result;
117       }
118     }
119   }
120   return prev_dispatch->calloc(n_elements, elem_size);
121 }
122 
gwp_asan_free(void * mem)123 void gwp_asan_free(void* mem) {
124   if (__predict_false(GuardedAlloc.pointerIsMine(mem))) {
125     GuardedAlloc.deallocate(mem);
126     return;
127   }
128   prev_dispatch->free(mem);
129 }
130 
gwp_asan_malloc(size_t bytes)131 void* gwp_asan_malloc(size_t bytes) {
132   if (__predict_false(GuardedAlloc.shouldSample())) {
133     if (void* result = GuardedAlloc.allocate(bytes)) {
134       return result;
135     }
136   }
137   return prev_dispatch->malloc(bytes);
138 }
139 
gwp_asan_malloc_usable_size(const void * mem)140 size_t gwp_asan_malloc_usable_size(const void* mem) {
141   if (__predict_false(GuardedAlloc.pointerIsMine(mem))) {
142     return GuardedAlloc.getSize(mem);
143   }
144   return prev_dispatch->malloc_usable_size(mem);
145 }
146 
gwp_asan_realloc(void * old_mem,size_t bytes)147 void* gwp_asan_realloc(void* old_mem, size_t bytes) {
148   if (__predict_false(GuardedAlloc.pointerIsMine(old_mem))) {
149     size_t old_size = GuardedAlloc.getSize(old_mem);
150     void* new_ptr = gwp_asan_malloc(bytes);
151     if (new_ptr) memcpy(new_ptr, old_mem, (bytes < old_size) ? bytes : old_size);
152     GuardedAlloc.deallocate(old_mem);
153     return new_ptr;
154   }
155   return prev_dispatch->realloc(old_mem, bytes);
156 }
157 
gwp_asan_malloc_iterate(uintptr_t base,size_t size,void (* callback)(uintptr_t base,size_t size,void * arg),void * arg)158 int gwp_asan_malloc_iterate(uintptr_t base, size_t size,
159                             void (*callback)(uintptr_t base, size_t size, void* arg), void* arg) {
160   if (__predict_false(GuardedAlloc.pointerIsMine(reinterpret_cast<void*>(base)))) {
161     // TODO(mitchp): GPA::iterate() returns void, but should return int.
162     // TODO(mitchp): GPA::iterate() should take uintptr_t, not void*.
163     GuardedAlloc.iterate(reinterpret_cast<void*>(base), size, callback, arg);
164     return 0;
165   }
166   return prev_dispatch->malloc_iterate(base, size, callback, arg);
167 }
168 
gwp_asan_malloc_disable()169 void gwp_asan_malloc_disable() {
170   GuardedAlloc.disable();
171   prev_dispatch->malloc_disable();
172 }
173 
gwp_asan_malloc_enable()174 void gwp_asan_malloc_enable() {
175   GuardedAlloc.enable();
176   prev_dispatch->malloc_enable();
177 }
178 
179 static const MallocDispatch gwp_asan_dispatch __attribute__((unused)) = {
180   gwp_asan_calloc,
181   gwp_asan_free,
182   Malloc(mallinfo),
183   gwp_asan_malloc,
184   gwp_asan_malloc_usable_size,
185   Malloc(memalign),
186   Malloc(posix_memalign),
187 #if defined(HAVE_DEPRECATED_MALLOC_FUNCS)
188   Malloc(pvalloc),
189 #endif
190   gwp_asan_realloc,
191 #if defined(HAVE_DEPRECATED_MALLOC_FUNCS)
192   Malloc(valloc),
193 #endif
194   gwp_asan_malloc_iterate,
195   gwp_asan_malloc_disable,
196   gwp_asan_malloc_enable,
197   Malloc(mallopt),
198   Malloc(aligned_alloc),
199   Malloc(malloc_info),
200 };
201 
202 // The probability (1 / kProcessSampleRate) that a process will be ranodmly
203 // selected for sampling. kProcessSampleRate should always be a power of two to
204 // avoid modulo bias.
205 static constexpr uint8_t kProcessSampleRate = 128;
206 
ShouldGwpAsanSampleProcess()207 bool ShouldGwpAsanSampleProcess() {
208   uint8_t random_number;
209   __libc_safe_arc4random_buf(&random_number, sizeof(random_number));
210   return random_number % kProcessSampleRate == 0;
211 }
212 
MaybeInitGwpAsanFromLibc(libc_globals * globals)213 bool MaybeInitGwpAsanFromLibc(libc_globals* globals) {
214   // Never initialize the Zygote here. A Zygote chosen for sampling would also
215   // have all of its children sampled. Instead, the Zygote child will choose
216   // whether it samples or not just after the Zygote forks. For
217   // libc_scudo-preloaded executables (like mediaswcodec), the program name
218   // might not be available yet. The zygote never uses dynamic libc_scudo.
219   const char* progname = getprogname();
220   if (progname && strncmp(progname, "app_process", 11) == 0) {
221     return false;
222   }
223   return MaybeInitGwpAsan(globals);
224 }
225 
226 static bool GwpAsanInitialized = false;
227 
228 // Maybe initializes GWP-ASan. Called by android_mallopt() and libc's
229 // initialisation. This should always be called in a single-threaded context.
MaybeInitGwpAsan(libc_globals * globals,bool force_init)230 bool MaybeInitGwpAsan(libc_globals* globals, bool force_init) {
231   if (GwpAsanInitialized) {
232     error_log("GWP-ASan was already initialized for this process.");
233     return false;
234   }
235 
236   // If the caller hasn't forced GWP-ASan on, check whether we should sample
237   // this process.
238   if (!force_init && !ShouldGwpAsanSampleProcess()) {
239     return false;
240   }
241 
242   // GWP-ASan is compatible with heapprofd/malloc_debug/malloc_hooks iff
243   // GWP-ASan was installed first. If one of these other libraries was already
244   // installed, we don't enable GWP-ASan. These libraries are normally enabled
245   // in libc_init after GWP-ASan, but if the new process is a zygote child and
246   // trying to initialize GWP-ASan through mallopt(), one of these libraries may
247   // be installed. It may be possible to change this in future by modifying the
248   // internal dispatch pointers of these libraries at this point in time, but
249   // given that they're all debug-only, we don't really mind for now.
250   if (GetDefaultDispatchTable() != nullptr) {
251     // Something else is installed.
252     return false;
253   }
254 
255   // GWP-ASan's initialization is always called in a single-threaded context, so
256   // we can initialize lock-free.
257   // Set GWP-ASan as the malloc dispatch table.
258   globals->malloc_dispatch_table = gwp_asan_dispatch;
259   atomic_store(&globals->default_dispatch_table, &gwp_asan_dispatch);
260 
261   // If malloc_limit isn't installed, we can skip the default_dispatch_table
262   // lookup.
263   if (GetDispatchTable() == nullptr) {
264     atomic_store(&globals->current_dispatch_table, &gwp_asan_dispatch);
265   }
266 
267 #ifndef LIBC_STATIC
268   SetGlobalFunctions(gwp_asan_gfunctions);
269 #endif  // LIBC_STATIC
270 
271   GwpAsanInitialized = true;
272 
273   gwp_asan_initialize(NativeAllocatorDispatch(), nullptr, nullptr);
274 
275   return true;
276 }
277 
DispatchIsGwpAsan(const MallocDispatch * dispatch)278 bool DispatchIsGwpAsan(const MallocDispatch* dispatch) {
279   return dispatch == &gwp_asan_dispatch;
280 }
281