1//===-- sanitizer/common_interface_defs.h -----------------------*- C++ -*-===// 2// 3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4// See https://llvm.org/LICENSE.txt for license information. 5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6// 7//===----------------------------------------------------------------------===// 8// 9// Common part of the public sanitizer interface. 10//===----------------------------------------------------------------------===// 11 12#ifndef SANITIZER_COMMON_INTERFACE_DEFS_H 13#define SANITIZER_COMMON_INTERFACE_DEFS_H 14 15#include <stddef.h> 16#include <stdint.h> 17 18// GCC does not understand __has_feature. 19#if !defined(__has_feature) 20#define __has_feature(x) 0 21#endif 22 23#ifdef __cplusplus 24extern "C" { 25#endif 26// Arguments for __sanitizer_sandbox_on_notify() below. 27typedef struct { 28 // Enable sandbox support in sanitizer coverage. 29 int coverage_sandboxed; 30 // File descriptor to write coverage data to. If -1 is passed, a file will 31 // be pre-opened by __sanitizer_sandbox_on_notify(). This field has no 32 // effect if coverage_sandboxed == 0. 33 intptr_t coverage_fd; 34 // If non-zero, split the coverage data into well-formed blocks. This is 35 // useful when coverage_fd is a socket descriptor. Each block will contain 36 // a header, allowing data from multiple processes to be sent over the same 37 // socket. 38 unsigned int coverage_max_block_size; 39} __sanitizer_sandbox_arguments; 40 41// Tell the tools to write their reports to "path.<pid>" instead of stderr. 42void __sanitizer_set_report_path(const char *path); 43// Tell the tools to write their reports to the provided file descriptor 44// (casted to void *). 45void __sanitizer_set_report_fd(void *fd); 46// Get the current full report file path, if a path was specified by 47// an earlier call to __sanitizer_set_report_path. Returns null otherwise. 48const char *__sanitizer_get_report_path(); 49 50// Notify the tools that the sandbox is going to be turned on. The reserved 51// parameter will be used in the future to hold a structure with functions 52// that the tools may call to bypass the sandbox. 53void __sanitizer_sandbox_on_notify(__sanitizer_sandbox_arguments *args); 54 55// This function is called by the tool when it has just finished reporting 56// an error. 'error_summary' is a one-line string that summarizes 57// the error message. This function can be overridden by the client. 58void __sanitizer_report_error_summary(const char *error_summary); 59 60// Some of the sanitizers (for example ASan/TSan) could miss bugs that happen 61// in unaligned loads/stores. To find such bugs reliably, you need to replace 62// plain unaligned loads/stores with these calls. 63 64/// Loads a 16-bit unaligned value. 65/// 66/// \param p Pointer to unaligned memory. 67/// 68/// \returns Loaded value. 69uint16_t __sanitizer_unaligned_load16(const void *p); 70 71/// Loads a 32-bit unaligned value. 72/// 73/// \param p Pointer to unaligned memory. 74/// 75/// \returns Loaded value. 76uint32_t __sanitizer_unaligned_load32(const void *p); 77 78/// Loads a 64-bit unaligned value. 79/// 80/// \param p Pointer to unaligned memory. 81/// 82/// \returns Loaded value. 83uint64_t __sanitizer_unaligned_load64(const void *p); 84 85/// Stores a 16-bit unaligned value. 86/// 87/// \param p Pointer to unaligned memory. 88/// \param x 16-bit value to store. 89void __sanitizer_unaligned_store16(void *p, uint16_t x); 90 91/// Stores a 32-bit unaligned value. 92/// 93/// \param p Pointer to unaligned memory. 94/// \param x 32-bit value to store. 95void __sanitizer_unaligned_store32(void *p, uint32_t x); 96 97/// Stores a 64-bit unaligned value. 98/// 99/// \param p Pointer to unaligned memory. 100/// \param x 64-bit value to store. 101void __sanitizer_unaligned_store64(void *p, uint64_t x); 102 103// Returns 1 on the first call, then returns 0 thereafter. Called by the tool 104// to ensure only one report is printed when multiple errors occur 105// simultaneously. 106int __sanitizer_acquire_crash_state(); 107 108/// Annotates the current state of a contiguous container, such as 109/// <c>std::vector</c>, <c>std::string</c>, or similar. 110/// 111/// A contiguous container is a container that keeps all of its elements 112/// in a contiguous region of memory. The container owns the region of memory 113/// <c>[beg, end)</c>; the memory <c>[beg, mid)</c> is used to store the 114/// current elements, and the memory <c>[mid, end)</c> is reserved for future 115/// elements (<c>beg <= mid <= end</c>). For example, in 116/// <c>std::vector<> v</c>: 117/// 118/// \code 119/// beg = &v[0]; 120/// end = beg + v.capacity() * sizeof(v[0]); 121/// mid = beg + v.size() * sizeof(v[0]); 122/// \endcode 123/// 124/// This annotation tells the Sanitizer tool about the current state of the 125/// container so that the tool can report errors when memory from 126/// <c>[mid, end)</c> is accessed. Insert this annotation into methods like 127/// <c>push_back()</c> or <c>pop_back()</c>. Supply the old and new values of 128/// <c>mid</c>(<c><i>old_mid</i></c> and <c><i>new_mid</i></c>). In the initial 129/// state <c>mid == end</c>, so that should be the final state when the 130/// container is destroyed or when the container reallocates the storage. 131/// 132/// For ASan, <c><i>beg</i></c> should be 8-aligned and <c><i>end</i></c> 133/// should be either 8-aligned or it should point to the end of a separate 134/// heap-, stack-, or global-allocated buffer. So the following example will 135/// not work: 136/// 137/// \code 138/// int64_t x[2]; // 16 bytes, 8-aligned 139/// char *beg = (char *)&x[0]; 140/// char *end = beg + 12; // Not 8-aligned, not the end of the buffer 141/// \endcode 142/// 143/// The following, however, will work: 144/// \code 145/// int32_t x[3]; // 12 bytes, but 8-aligned under ASan. 146/// char *beg = (char*)&x[0]; 147/// char *end = beg + 12; // Not 8-aligned, but is the end of the buffer 148/// \endcode 149/// 150/// \note Use this function with caution and do not use for anything other 151/// than vector-like classes. 152/// 153/// \param beg Beginning of memory region. 154/// \param end End of memory region. 155/// \param old_mid Old middle of memory region. 156/// \param new_mid New middle of memory region. 157void __sanitizer_annotate_contiguous_container(const void *beg, 158 const void *end, 159 const void *old_mid, 160 const void *new_mid); 161 162/// Returns true if the contiguous container <c>[beg, end)</c> is properly 163/// poisoned. 164/// 165/// Proper poisoning could occur, for example, with 166/// <c>__sanitizer_annotate_contiguous_container</c>), that is, if 167/// <c>[beg, mid)</c> is addressable and <c>[mid, end)</c> is unaddressable. 168/// Full verification requires O (<c>end - beg</c>) time; this function tries 169/// to avoid such complexity by touching only parts of the container around 170/// <c><i>beg</i></c>, <c><i>mid</i></c>, and <c><i>end</i></c>. 171/// 172/// \param beg Beginning of memory region. 173/// \param mid Middle of memory region. 174/// \param end Old end of memory region. 175/// 176/// \returns True if the contiguous container <c>[beg, end)</c> is properly 177/// poisoned. 178int __sanitizer_verify_contiguous_container(const void *beg, const void *mid, 179 const void *end); 180 181/// Similar to <c>__sanitizer_verify_contiguous_container()</c> but also 182/// returns the address of the first improperly poisoned byte. 183/// 184/// Returns NULL if the area is poisoned properly. 185/// 186/// \param beg Beginning of memory region. 187/// \param mid Middle of memory region. 188/// \param end Old end of memory region. 189/// 190/// \returns The bad address or NULL. 191const void *__sanitizer_contiguous_container_find_bad_address(const void *beg, 192 const void *mid, 193 const void *end); 194 195/// Prints the stack trace leading to this call (useful for calling from the 196/// debugger). 197void __sanitizer_print_stack_trace(void); 198 199// Symbolizes the supplied 'pc' using the format string 'fmt'. 200// Outputs at most 'out_buf_size' bytes into 'out_buf'. 201// If 'out_buf' is not empty then output is zero or more non empty C strings 202// followed by single empty C string. Multiple strings can be returned if PC 203// corresponds to inlined function. Inlined frames are printed in the order 204// from "most-inlined" to the "least-inlined", so the last frame should be the 205// not inlined function. 206// Inlined frames can be removed with 'symbolize_inline_frames=0'. 207// The format syntax is described in 208// lib/sanitizer_common/sanitizer_stacktrace_printer.h. 209void __sanitizer_symbolize_pc(void *pc, const char *fmt, char *out_buf, 210 size_t out_buf_size); 211// Same as __sanitizer_symbolize_pc, but for data section (i.e. globals). 212void __sanitizer_symbolize_global(void *data_ptr, const char *fmt, 213 char *out_buf, size_t out_buf_size); 214 215/// Sets the callback to be called immediately before death on error. 216/// 217/// Passing 0 will unset the callback. 218/// 219/// \param callback User-provided callback. 220void __sanitizer_set_death_callback(void (*callback)(void)); 221 222 223// Interceptor hooks. 224// Whenever a libc function interceptor is called, it checks if the 225// corresponding weak hook is defined, and calls it if it is indeed defined. 226// The primary use-case is data-flow-guided fuzzing, where the fuzzer needs 227// to know what is being passed to libc functions (for example memcmp). 228// FIXME: implement more hooks. 229 230/// Interceptor hook for <c>memcmp()</c>. 231/// 232/// \param called_pc PC (program counter) address of the original call. 233/// \param s1 Pointer to block of memory. 234/// \param s2 Pointer to block of memory. 235/// \param n Number of bytes to compare. 236/// \param result Value returned by the intercepted function. 237void __sanitizer_weak_hook_memcmp(void *called_pc, const void *s1, 238 const void *s2, size_t n, int result); 239 240/// Interceptor hook for <c>strncmp()</c>. 241/// 242/// \param called_pc PC (program counter) address of the original call. 243/// \param s1 Pointer to block of memory. 244/// \param s2 Pointer to block of memory. 245/// \param n Number of bytes to compare. 246/// \param result Value returned by the intercepted function. 247void __sanitizer_weak_hook_strncmp(void *called_pc, const char *s1, 248 const char *s2, size_t n, int result); 249 250/// Interceptor hook for <c>strncasecmp()</c>. 251/// 252/// \param called_pc PC (program counter) address of the original call. 253/// \param s1 Pointer to block of memory. 254/// \param s2 Pointer to block of memory. 255/// \param n Number of bytes to compare. 256/// \param result Value returned by the intercepted function. 257void __sanitizer_weak_hook_strncasecmp(void *called_pc, const char *s1, 258 const char *s2, size_t n, int result); 259 260/// Interceptor hook for <c>strcmp()</c>. 261/// 262/// \param called_pc PC (program counter) address of the original call. 263/// \param s1 Pointer to block of memory. 264/// \param s2 Pointer to block of memory. 265/// \param result Value returned by the intercepted function. 266void __sanitizer_weak_hook_strcmp(void *called_pc, const char *s1, 267 const char *s2, int result); 268 269/// Interceptor hook for <c>strcasecmp()</c>. 270/// 271/// \param called_pc PC (program counter) address of the original call. 272/// \param s1 Pointer to block of memory. 273/// \param s2 Pointer to block of memory. 274/// \param result Value returned by the intercepted function. 275void __sanitizer_weak_hook_strcasecmp(void *called_pc, const char *s1, 276 const char *s2, int result); 277 278/// Interceptor hook for <c>strstr()</c>. 279/// 280/// \param called_pc PC (program counter) address of the original call. 281/// \param s1 Pointer to block of memory. 282/// \param s2 Pointer to block of memory. 283/// \param result Value returned by the intercepted function. 284void __sanitizer_weak_hook_strstr(void *called_pc, const char *s1, 285 const char *s2, char *result); 286 287void __sanitizer_weak_hook_strcasestr(void *called_pc, const char *s1, 288 const char *s2, char *result); 289 290void __sanitizer_weak_hook_memmem(void *called_pc, 291 const void *s1, size_t len1, 292 const void *s2, size_t len2, void *result); 293 294// Prints stack traces for all live heap allocations ordered by total 295// allocation size until top_percent of total live heap is shown. top_percent 296// should be between 1 and 100. At most max_number_of_contexts contexts 297// (stack traces) are printed. 298// Experimental feature currently available only with ASan on Linux/x86_64. 299void __sanitizer_print_memory_profile(size_t top_percent, 300 size_t max_number_of_contexts); 301 302/// Notify ASan that a fiber switch has started (required only if implementing 303/// your own fiber library). 304/// 305/// Before switching to a different stack, you must call 306/// <c>__sanitizer_start_switch_fiber()</c> with a pointer to the bottom of the 307/// destination stack and with its size. When code starts running on the new 308/// stack, it must call <c>__sanitizer_finish_switch_fiber()</c> to finalize 309/// the switch. The <c>__sanitizer_start_switch_fiber()</c> function takes a 310/// <c>void**</c> pointer argument to store the current fake stack if there is 311/// one (it is necessary when the runtime option 312/// <c>detect_stack_use_after_return</c> is enabled). 313/// 314/// When restoring a stack, this <c>void**</c> pointer must be given to the 315/// <c>__sanitizer_finish_switch_fiber()</c> function. In most cases, this 316/// pointer can be stored on the stack immediately before switching. When 317/// leaving a fiber definitely, NULL must be passed as the first argument to 318/// the <c>__sanitizer_start_switch_fiber()</c> function so that the fake stack 319/// is destroyed. If your program does not need stack use-after-return 320/// detection, you can always pass NULL to these two functions. 321/// 322/// \note The fake stack mechanism is disabled during fiber switch, so if a 323/// signal callback runs during the switch, it will not benefit from stack 324/// use-after-return detection. 325/// 326/// \param[out] fake_stack_save Fake stack save location. 327/// \param bottom Bottom address of stack. 328/// \param size Size of stack in bytes. 329void __sanitizer_start_switch_fiber(void **fake_stack_save, 330 const void *bottom, size_t size); 331 332/// Notify ASan that a fiber switch has completed (required only if 333/// implementing your own fiber library). 334/// 335/// When code starts running on the new stack, it must call 336/// <c>__sanitizer_finish_switch_fiber()</c> to finalize 337/// the switch. For usage details, see the description of 338/// <c>__sanitizer_start_switch_fiber()</c>. 339/// 340/// \param fake_stack_save Fake stack save location. 341/// \param[out] bottom_old Bottom address of old stack. 342/// \param[out] size_old Size of old stack in bytes. 343void __sanitizer_finish_switch_fiber(void *fake_stack_save, 344 const void **bottom_old, 345 size_t *size_old); 346 347// Get full module name and calculate pc offset within it. 348// Returns 1 if pc belongs to some module, 0 if module was not found. 349int __sanitizer_get_module_and_offset_for_pc(void *pc, char *module_path, 350 size_t module_path_len, 351 void **pc_offset); 352 353#ifdef __cplusplus 354} // extern "C" 355#endif 356 357#endif // SANITIZER_COMMON_INTERFACE_DEFS_H 358