| //===-- msandr.cc ---------------------------------------------------------===// |
| // |
| // The LLVM Compiler Infrastructure |
| // |
| // This file is distributed under the University of Illinois Open Source |
| // License. See LICENSE.TXT for details. |
| // |
| //===----------------------------------------------------------------------===// |
| // |
| // This file is a part of MemorySanitizer. |
| // |
| // DynamoRio client for MemorySanitizer. |
| // |
| // MemorySanitizer requires that all program code is instrumented. Any memory |
| // store that can turn an uninitialized value into an initialized value must be |
| // observed by the tool, otherwise we risk reporting a false UMR. |
| // |
| // This also includes any libraries that the program depends on. |
| // |
| // In the case when rebuilding all program dependencies with MemorySanitizer is |
| // problematic, an experimental MSanDR tool (the code you are currently looking |
| // at) can be used. It is a DynamoRio-based tool that uses dynamic |
| // instrumentation to |
| // * Unpoison all memory stores. |
| // * Unpoison TLS slots used by MemorySanitizer to pass function arguments and |
| // return value shadow on anything that looks like a function call or a return |
| // from a function. |
| // |
| // This tool does not detect the use of uninitialized values in uninstrumented |
| // libraries. It merely gets rid of false positives by marking all data that |
| // passes through uninstrumented code as fully initialized. |
| //===----------------------------------------------------------------------===// |
| |
| #include <dr_api.h> |
| #include <drutil.h> |
| #include <drmgr.h> |
| #include <drsyscall.h> |
| |
| #include <sys/mman.h> |
| #include <sys/syscall.h> /* for SYS_mmap */ |
| |
| #include <algorithm> |
| #include <string> |
| #include <set> |
| #include <vector> |
| #include <string.h> |
| |
| using std::string; |
| |
| #define TESTALL(mask, var) (((mask) & (var)) == (mask)) |
| #define TESTANY(mask, var) (((mask) & (var)) != 0) |
| |
| #define CHECK_IMPL(condition, file, line) \ |
| do { \ |
| if (!(condition)) { \ |
| dr_printf("Check failed: `%s`\nat %s:%d\n", #condition, file, line); \ |
| dr_abort(); \ |
| } \ |
| } while (0) // TODO: stacktrace |
| |
| #define CHECK(condition) CHECK_IMPL(condition, __FILE__, __LINE__) |
| |
| #define VERBOSITY 0 |
| |
| namespace { |
| |
| class ModuleData { |
| public: |
| ModuleData(); |
| ModuleData(const module_data_t *info); |
| // Yes, we want default copy, assign, and dtor semantics. |
| |
| public: |
| app_pc start_; |
| app_pc end_; |
| // Full path to the module. |
| string path_; |
| module_handle_t handle_; |
| bool should_instrument_; |
| bool executed_; |
| }; |
| |
| string g_app_path; |
| |
| int msan_retval_tls_offset; |
| int msan_param_tls_offset; |
| |
| // A vector of loaded modules sorted by module bounds. We lookup the current PC |
| // in here from the bb event. This is better than an rb tree because the lookup |
| // is faster and the bb event occurs far more than the module load event. |
| std::vector<ModuleData> g_module_list; |
| |
| ModuleData::ModuleData() |
| : start_(NULL), end_(NULL), path_(""), handle_(NULL), |
| should_instrument_(false), executed_(false) { |
| } |
| |
| ModuleData::ModuleData(const module_data_t *info) |
| : start_(info->start), end_(info->end), path_(info->full_path), |
| handle_(info->handle), |
| // We'll check the black/white lists later and adjust this. |
| should_instrument_(true), executed_(false) { |
| } |
| |
| int(*__msan_get_retval_tls_offset)(); |
| int(*__msan_get_param_tls_offset)(); |
| void (*__msan_unpoison)(void *base, size_t size); |
| bool (*__msan_is_in_loader)(); |
| |
| static generic_func_t LookupCallback(module_data_t *app, const char *name) { |
| generic_func_t callback = dr_get_proc_address(app->handle, name); |
| if (callback == NULL) { |
| dr_printf("Couldn't find `%s` in %s\n", name, app->full_path); |
| CHECK(callback); |
| } |
| return callback; |
| } |
| |
| void InitializeMSanCallbacks() { |
| module_data_t *app = dr_lookup_module_by_name(dr_get_application_name()); |
| if (!app) { |
| dr_printf("%s - oops, dr_lookup_module_by_name failed!\n", |
| dr_get_application_name()); |
| CHECK(app); |
| } |
| g_app_path = app->full_path; |
| |
| __msan_get_retval_tls_offset = (int (*)()) |
| LookupCallback(app, "__msan_get_retval_tls_offset"); |
| __msan_get_param_tls_offset = (int (*)()) |
| LookupCallback(app, "__msan_get_param_tls_offset"); |
| __msan_unpoison = (void(*)(void *, size_t)) |
| LookupCallback(app, "__msan_unpoison"); |
| __msan_is_in_loader = (bool (*)()) |
| LookupCallback(app, "__msan_is_in_loader"); |
| |
| dr_free_module_data(app); |
| } |
| |
| // FIXME: Handle absolute addresses and PC-relative addresses. |
| // FIXME: Handle TLS accesses via FS or GS. DR assumes all other segments have |
| // a zero base anyway. |
| bool OperandIsInteresting(opnd_t opnd) { |
| return (opnd_is_base_disp(opnd) && opnd_get_segment(opnd) != DR_SEG_FS && |
| opnd_get_segment(opnd) != DR_SEG_GS); |
| } |
| |
| bool WantToInstrument(instr_t *instr) { |
| // TODO: skip push instructions? |
| switch (instr_get_opcode(instr)) { |
| // FIXME: support the instructions excluded below: |
| case OP_rep_cmps: |
| // f3 a6 rep cmps %ds:(%rsi) %es:(%rdi) %rsi %rdi %rcx -> %rsi %rdi %rcx |
| return false; |
| } |
| |
| // Labels appear due to drutil_expand_rep_string() |
| if (instr_is_label(instr)) |
| return false; |
| |
| CHECK(instr_ok_to_mangle(instr) == true); |
| |
| if (instr_writes_memory(instr)) { |
| for (int d = 0; d < instr_num_dsts(instr); d++) { |
| opnd_t op = instr_get_dst(instr, d); |
| if (OperandIsInteresting(op)) |
| return true; |
| } |
| } |
| |
| return false; |
| } |
| |
| #define PRE(at, what) instrlist_meta_preinsert(bb, at, INSTR_CREATE_##what); |
| #define PREF(at, what) instrlist_meta_preinsert(bb, at, what); |
| |
| void InstrumentMops(void *drcontext, instrlist_t *bb, instr_t *instr, opnd_t op, |
| bool is_write) { |
| bool need_to_restore_eflags = false; |
| uint flags = instr_get_arith_flags(instr); |
| // TODO: do something smarter with flags and spills in general? |
| // For example, spill them only once for a sequence of instrumented |
| // instructions that don't change/read flags. |
| |
| if (!TESTALL(EFLAGS_WRITE_6, flags) || TESTANY(EFLAGS_READ_6, flags)) { |
| if (VERBOSITY > 1) |
| dr_printf("Spilling eflags...\n"); |
| need_to_restore_eflags = true; |
| // TODO: Maybe sometimes don't need to 'seto'. |
| // TODO: Maybe sometimes don't want to spill XAX here? |
| // TODO: No need to spill XAX here if XAX is not used in the BB. |
| dr_save_reg(drcontext, bb, instr, DR_REG_XAX, SPILL_SLOT_1); |
| dr_save_arith_flags_to_xax(drcontext, bb, instr); |
| dr_save_reg(drcontext, bb, instr, DR_REG_XAX, SPILL_SLOT_3); |
| dr_restore_reg(drcontext, bb, instr, DR_REG_XAX, SPILL_SLOT_1); |
| } |
| |
| #if 0 |
| dr_printf("==DRMSAN== DEBUG: %d %d %d %d %d %d\n", |
| opnd_is_memory_reference(op), opnd_is_base_disp(op), |
| opnd_is_base_disp(op) ? opnd_get_index(op) : -1, |
| opnd_is_far_memory_reference(op), opnd_is_reg_pointer_sized(op), |
| opnd_is_base_disp(op) ? opnd_get_disp(op) : -1); |
| #endif |
| |
| reg_id_t R1; |
| bool address_in_R1 = false; |
| if (opnd_is_base_disp(op) && opnd_get_index(op) == DR_REG_NULL && |
| opnd_get_disp(op) == 0) { |
| // If this is a simple access with no offset or index, we can just use the |
| // base for R1. |
| address_in_R1 = true; |
| R1 = opnd_get_base(op); |
| } else { |
| // Otherwise, we need to compute the addr into R1. |
| // TODO: reuse some spare register? e.g. r15 on x64 |
| // TODO: might be used as a non-mem-ref register? |
| R1 = DR_REG_XAX; |
| } |
| CHECK(reg_is_pointer_sized(R1)); // otherwise R2 may be wrong. |
| |
| // Pick R2 that's not R1 or used by the operand. It's OK if the instr uses |
| // R2 elsewhere, since we'll restore it before instr. |
| reg_id_t GPR_TO_USE_FOR_R2[] = { |
| DR_REG_XAX, DR_REG_XBX, DR_REG_XCX, DR_REG_XDX |
| // Don't forget to update the +4 below if you add anything else! |
| }; |
| std::set<reg_id_t> unused_registers(GPR_TO_USE_FOR_R2, GPR_TO_USE_FOR_R2 + 4); |
| unused_registers.erase(R1); |
| for (int j = 0; j < opnd_num_regs_used(op); j++) { |
| unused_registers.erase(opnd_get_reg_used(op, j)); |
| } |
| |
| CHECK(unused_registers.size() > 0); |
| reg_id_t R2 = *unused_registers.begin(); |
| CHECK(R1 != R2); |
| |
| // Save the current values of R1 and R2. |
| dr_save_reg(drcontext, bb, instr, R1, SPILL_SLOT_1); |
| // TODO: Something smarter than spilling a "fixed" register R2? |
| dr_save_reg(drcontext, bb, instr, R2, SPILL_SLOT_2); |
| |
| if (!address_in_R1) |
| CHECK(drutil_insert_get_mem_addr(drcontext, bb, instr, op, R1, R2)); |
| PRE(instr, mov_imm(drcontext, opnd_create_reg(R2), |
| OPND_CREATE_INT64(0xffffbfffffffffff))); |
| PRE(instr, and(drcontext, opnd_create_reg(R1), opnd_create_reg(R2))); |
| // There is no mov_st of a 64-bit immediate, so... |
| opnd_size_t op_size = opnd_get_size(op); |
| CHECK(op_size != OPSZ_NA); |
| uint access_size = opnd_size_in_bytes(op_size); |
| if (access_size <= 4) { |
| PRE(instr, |
| mov_st(drcontext, opnd_create_base_disp(R1, DR_REG_NULL, 0, 0, op_size), |
| opnd_create_immed_int((ptr_int_t) 0, op_size))); |
| } else { |
| // FIXME: tail? |
| for (uint ofs = 0; ofs < access_size; ofs += 4) { |
| PRE(instr, |
| mov_st(drcontext, OPND_CREATE_MEM32(R1, ofs), OPND_CREATE_INT32(0))); |
| } |
| } |
| |
| // Restore the registers and flags. |
| dr_restore_reg(drcontext, bb, instr, R1, SPILL_SLOT_1); |
| dr_restore_reg(drcontext, bb, instr, R2, SPILL_SLOT_2); |
| |
| if (need_to_restore_eflags) { |
| if (VERBOSITY > 1) |
| dr_printf("Restoring eflags\n"); |
| // TODO: Check if it's reverse to the dr_restore_reg above and optimize. |
| dr_save_reg(drcontext, bb, instr, DR_REG_XAX, SPILL_SLOT_1); |
| dr_restore_reg(drcontext, bb, instr, DR_REG_XAX, SPILL_SLOT_3); |
| dr_restore_arith_flags_from_xax(drcontext, bb, instr); |
| dr_restore_reg(drcontext, bb, instr, DR_REG_XAX, SPILL_SLOT_1); |
| } |
| |
| // The original instruction is left untouched. The above instrumentation is just |
| // a prefix. |
| } |
| |
| void InstrumentReturn(void *drcontext, instrlist_t *bb, instr_t *instr) { |
| dr_save_reg(drcontext, bb, instr, DR_REG_XAX, SPILL_SLOT_1); |
| |
| // Clobbers nothing except xax. |
| bool res = |
| dr_insert_get_seg_base(drcontext, bb, instr, DR_SEG_FS, DR_REG_XAX); |
| CHECK(res); |
| |
| // TODO: unpoison more bytes? |
| PRE(instr, |
| mov_st(drcontext, OPND_CREATE_MEM64(DR_REG_XAX, msan_retval_tls_offset), |
| OPND_CREATE_INT32(0))); |
| |
| dr_restore_reg(drcontext, bb, instr, DR_REG_XAX, SPILL_SLOT_1); |
| |
| // The original instruction is left untouched. The above instrumentation is just |
| // a prefix. |
| } |
| |
| void InstrumentIndirectBranch(void *drcontext, instrlist_t *bb, |
| instr_t *instr) { |
| dr_save_reg(drcontext, bb, instr, DR_REG_XAX, SPILL_SLOT_1); |
| |
| // Clobbers nothing except xax. |
| bool res = |
| dr_insert_get_seg_base(drcontext, bb, instr, DR_SEG_FS, DR_REG_XAX); |
| CHECK(res); |
| |
| // TODO: unpoison more bytes? |
| for (int i = 0; i < 6; ++i) { |
| PRE(instr, |
| mov_st(drcontext, OPND_CREATE_MEMPTR(DR_REG_XAX, msan_param_tls_offset + |
| i * sizeof(void *)), |
| OPND_CREATE_INT32(0))); |
| } |
| |
| dr_restore_reg(drcontext, bb, instr, DR_REG_XAX, SPILL_SLOT_1); |
| |
| // The original instruction is left untouched. The above instrumentation is just |
| // a prefix. |
| } |
| |
| // For use with binary search. Modules shouldn't overlap, so we shouldn't have |
| // to look at end_. If that can happen, we won't support such an application. |
| bool ModuleDataCompareStart(const ModuleData &left, const ModuleData &right) { |
| return left.start_ < right.start_; |
| } |
| |
| // Look up the module containing PC. Should be relatively fast, as its called |
| // for each bb instrumentation. |
| ModuleData *LookupModuleByPC(app_pc pc) { |
| ModuleData fake_mod_data; |
| fake_mod_data.start_ = pc; |
| std::vector<ModuleData>::iterator it = |
| lower_bound(g_module_list.begin(), g_module_list.end(), fake_mod_data, |
| ModuleDataCompareStart); |
| // if (it == g_module_list.end()) |
| // return NULL; |
| if (it == g_module_list.end() || pc < it->start_) |
| --it; |
| CHECK(it->start_ <= pc); |
| if (pc >= it->end_) { |
| // We're past the end of this module. We shouldn't be in the next module, |
| // or lower_bound lied to us. |
| ++it; |
| CHECK(it == g_module_list.end() || pc < it->start_); |
| return NULL; |
| } |
| |
| // OK, we found the module. |
| return &*it; |
| } |
| |
| bool ShouldInstrumentNonModuleCode() { return true; } |
| |
| bool ShouldInstrumentModule(ModuleData *mod_data) { |
| // TODO(rnk): Flags for blacklist would get wired in here. |
| generic_func_t p = |
| dr_get_proc_address(mod_data->handle_, "__msan_track_origins"); |
| return !p; |
| } |
| |
| bool ShouldInstrumentPc(app_pc pc, ModuleData **pmod_data) { |
| ModuleData *mod_data = LookupModuleByPC(pc); |
| if (pmod_data) |
| *pmod_data = mod_data; |
| if (mod_data != NULL) { |
| // This module is on a blacklist. |
| if (!mod_data->should_instrument_) { |
| return false; |
| } |
| } else if (!ShouldInstrumentNonModuleCode()) { |
| return false; |
| } |
| return true; |
| } |
| |
| // TODO(rnk): Make sure we instrument after __msan_init. |
| dr_emit_flags_t |
| event_basic_block_app2app(void *drcontext, void *tag, instrlist_t *bb, |
| bool for_trace, bool translating) { |
| app_pc pc = dr_fragment_app_pc(tag); |
| |
| if (ShouldInstrumentPc(pc, NULL)) |
| CHECK(drutil_expand_rep_string(drcontext, bb)); |
| |
| return DR_EMIT_PERSISTABLE; |
| } |
| |
| dr_emit_flags_t event_basic_block(void *drcontext, void *tag, instrlist_t *bb, |
| bool for_trace, bool translating) { |
| app_pc pc = dr_fragment_app_pc(tag); |
| ModuleData *mod_data; |
| |
| if (!ShouldInstrumentPc(pc, &mod_data)) |
| return DR_EMIT_PERSISTABLE; |
| |
| if (VERBOSITY > 1) |
| dr_printf("============================================================\n"); |
| if (VERBOSITY > 0) { |
| string mod_path = (mod_data ? mod_data->path_ : "<no module, JITed?>"); |
| if (mod_data && !mod_data->executed_) { |
| mod_data->executed_ = true; // Nevermind this race. |
| dr_printf("Executing from new module: %s\n", mod_path.c_str()); |
| } |
| dr_printf("BB to be instrumented: %p [from %s]; translating = %s\n", pc, |
| mod_path.c_str(), translating ? "true" : "false"); |
| if (mod_data) { |
| // Match standard sanitizer trace format for free symbols. |
| // #0 0x7f6e35cf2e45 (/blah/foo.so+0x11fe45) |
| dr_printf(" #0 %p (%s+%p)\n", pc, mod_data->path_.c_str(), |
| pc - mod_data->start_); |
| } |
| } |
| if (VERBOSITY > 1) { |
| instrlist_disassemble(drcontext, pc, bb, STDOUT); |
| instr_t *instr; |
| for (instr = instrlist_first(bb); instr; instr = instr_get_next(instr)) { |
| dr_printf("opcode: %d\n", instr_get_opcode(instr)); |
| } |
| } |
| |
| for (instr_t *i = instrlist_first(bb); i != NULL; i = instr_get_next(i)) { |
| int opcode = instr_get_opcode(i); |
| if (opcode == OP_ret || opcode == OP_ret_far) { |
| InstrumentReturn(drcontext, bb, i); |
| continue; |
| } |
| |
| // These instructions hopefully cover all cases where control is transferred |
| // to a function in a different module (we only care about calls into |
| // compiler-instrumented modules). |
| // * call_ind is used for normal indirect calls. |
| // * jmp_ind is used for indirect tail calls, and calls through PLT (PLT |
| // stub includes a jump to an address from GOT). |
| if (opcode == OP_call_ind || opcode == OP_call_far_ind || |
| opcode == OP_jmp_ind || opcode == OP_jmp_far_ind) { |
| InstrumentIndirectBranch(drcontext, bb, i); |
| continue; |
| } |
| |
| if (!WantToInstrument(i)) |
| continue; |
| |
| if (VERBOSITY > 1) { |
| app_pc orig_pc = dr_fragment_app_pc(tag); |
| uint flags = instr_get_arith_flags(i); |
| dr_printf("+%d -> to be instrumented! [opcode=%d, flags = 0x%08X]\n", |
| instr_get_app_pc(i) - orig_pc, instr_get_opcode(i), flags); |
| } |
| |
| if (instr_writes_memory(i)) { |
| // Instrument memory writes |
| // bool instrumented_anything = false; |
| for (int d = 0; d < instr_num_dsts(i); d++) { |
| opnd_t op = instr_get_dst(i, d); |
| if (!OperandIsInteresting(op)) |
| continue; |
| |
| // CHECK(!instrumented_anything); |
| // instrumented_anything = true; |
| InstrumentMops(drcontext, bb, i, op, true); |
| break; // only instrumenting the first dst |
| } |
| } |
| } |
| |
| // TODO: optimize away redundant restore-spill pairs? |
| |
| if (VERBOSITY > 1) { |
| pc = dr_fragment_app_pc(tag); |
| dr_printf("\nFinished instrumenting dynamorio_basic_block(PC=" PFX ")\n", pc); |
| instrlist_disassemble(drcontext, pc, bb, STDOUT); |
| } |
| return DR_EMIT_PERSISTABLE; |
| } |
| |
| void event_module_load(void *drcontext, const module_data_t *info, |
| bool loaded) { |
| // Insert the module into the list while maintaining the ordering. |
| ModuleData mod_data(info); |
| std::vector<ModuleData>::iterator it = |
| upper_bound(g_module_list.begin(), g_module_list.end(), mod_data, |
| ModuleDataCompareStart); |
| it = g_module_list.insert(it, mod_data); |
| // Check if we should instrument this module. |
| it->should_instrument_ = ShouldInstrumentModule(&*it); |
| dr_module_set_should_instrument(info->handle, it->should_instrument_); |
| |
| if (VERBOSITY > 0) |
| dr_printf("==DRMSAN== Loaded module: %s [%p...%p], instrumentation is %s\n", |
| info->full_path, info->start, info->end, |
| it->should_instrument_ ? "on" : "off"); |
| } |
| |
| void event_module_unload(void *drcontext, const module_data_t *info) { |
| if (VERBOSITY > 0) |
| dr_printf("==DRMSAN== Unloaded module: %s [%p...%p]\n", info->full_path, |
| info->start, info->end); |
| |
| // Remove the module from the list. |
| ModuleData mod_data(info); |
| std::vector<ModuleData>::iterator it = |
| lower_bound(g_module_list.begin(), g_module_list.end(), mod_data, |
| ModuleDataCompareStart); |
| // It's a bug if we didn't actually find the module. |
| CHECK(it != g_module_list.end() && it->start_ == mod_data.start_ && |
| it->end_ == mod_data.end_ && it->path_ == mod_data.path_); |
| g_module_list.erase(it); |
| } |
| |
| void event_exit() { |
| // Clean up so DR doesn't tell us we're leaking memory. |
| drsys_exit(); |
| drutil_exit(); |
| drmgr_exit(); |
| |
| if (VERBOSITY > 0) |
| dr_printf("==DRMSAN== DONE\n"); |
| } |
| |
| bool event_filter_syscall(void *drcontext, int sysnum) { |
| // FIXME: only intercept syscalls with memory effects. |
| return true; /* intercept everything */ |
| } |
| |
| bool drsys_iter_memarg_cb(drsys_arg_t *arg, void *user_data) { |
| CHECK(arg->valid); |
| |
| if (arg->pre) |
| return true; |
| if (!TESTANY(DRSYS_PARAM_OUT, arg->mode)) |
| return true; |
| |
| size_t sz = arg->size; |
| |
| if (sz > 0xFFFFFFFF) { |
| drmf_status_t res; |
| drsys_syscall_t *syscall = (drsys_syscall_t *)user_data; |
| const char *name; |
| res = drsys_syscall_name(syscall, &name); |
| CHECK(res == DRMF_SUCCESS); |
| |
| dr_printf("SANITY: syscall '%s' arg %d writes %llu bytes memory?!" |
| " Clipping to %llu.\n", |
| name, arg->ordinal, (unsigned long long) sz, |
| (unsigned long long)(sz & 0xFFFFFFFF)); |
| } |
| |
| if (VERBOSITY > 0) { |
| drmf_status_t res; |
| drsys_syscall_t *syscall = (drsys_syscall_t *)user_data; |
| const char *name; |
| res = drsys_syscall_name(syscall, &name); |
| dr_printf("drsyscall: syscall '%s' arg %d wrote range [%p, %p)\n", |
| name, arg->ordinal, arg->start_addr, |
| (char *)arg->start_addr + sz); |
| } |
| |
| // We don't switch to the app context because __msan_unpoison() doesn't need |
| // TLS segments. |
| __msan_unpoison(arg->start_addr, sz); |
| |
| return true; /* keep going */ |
| } |
| |
| bool event_pre_syscall(void *drcontext, int sysnum) { |
| drsys_syscall_t *syscall; |
| drsys_sysnum_t sysnum_full; |
| bool known; |
| drsys_param_type_t ret_type; |
| drmf_status_t res; |
| const char *name; |
| |
| res = drsys_cur_syscall(drcontext, &syscall); |
| CHECK(res == DRMF_SUCCESS); |
| |
| res = drsys_syscall_number(syscall, &sysnum_full); |
| CHECK(res == DRMF_SUCCESS); |
| CHECK(sysnum == sysnum_full.number); |
| |
| res = drsys_syscall_is_known(syscall, &known); |
| CHECK(res == DRMF_SUCCESS); |
| |
| res = drsys_syscall_name(syscall, &name); |
| CHECK(res == DRMF_SUCCESS); |
| |
| res = drsys_syscall_return_type(syscall, &ret_type); |
| CHECK(res == DRMF_SUCCESS); |
| CHECK(ret_type != DRSYS_TYPE_INVALID); |
| CHECK(!known || ret_type != DRSYS_TYPE_UNKNOWN); |
| |
| res = drsys_iterate_memargs(drcontext, drsys_iter_memarg_cb, NULL); |
| CHECK(res == DRMF_SUCCESS); |
| |
| return true; |
| } |
| |
| static bool IsInLoader(void *drcontext) { |
| // TODO: This segment swap is inefficient. DR should just let us query the |
| // app segment base, which it has. Alternatively, if we disable |
| // -mangle_app_seg, then we won't need the swap. |
| bool need_swap = !dr_using_app_state(drcontext); |
| if (need_swap) |
| dr_switch_to_app_state(drcontext); |
| bool is_in_loader = __msan_is_in_loader(); |
| if (need_swap) |
| dr_switch_to_dr_state(drcontext); |
| return is_in_loader; |
| } |
| |
| void event_post_syscall(void *drcontext, int sysnum) { |
| drsys_syscall_t *syscall; |
| drsys_sysnum_t sysnum_full; |
| bool success = false; |
| drmf_status_t res; |
| |
| res = drsys_cur_syscall(drcontext, &syscall); |
| CHECK(res == DRMF_SUCCESS); |
| |
| res = drsys_syscall_number(syscall, &sysnum_full); |
| CHECK(res == DRMF_SUCCESS); |
| CHECK(sysnum == sysnum_full.number); |
| |
| res = drsys_syscall_succeeded(syscall, dr_syscall_get_result(drcontext), |
| &success); |
| CHECK(res == DRMF_SUCCESS); |
| |
| if (success) { |
| res = |
| drsys_iterate_memargs(drcontext, drsys_iter_memarg_cb, (void *)syscall); |
| CHECK(res == DRMF_SUCCESS); |
| } |
| |
| // Our normal mmap interceptor can't intercept calls from the loader itself. |
| // This means we don't clear the shadow for calls to dlopen. For now, we |
| // solve this by intercepting mmap from ld.so here, but ideally we'd have a |
| // solution that doesn't rely on msandr. |
| // |
| // Be careful not to intercept maps done by the msan rtl. Otherwise we end up |
| // unpoisoning vast regions of memory and OOMing. |
| // TODO: __msan_unpoison() could "flush" large regions of memory like tsan |
| // does instead of doing a large memset. However, we need the memory to be |
| // zeroed, where as tsan does not, so plain madvise is not enough. |
| if (success && (sysnum == SYS_mmap IF_NOT_X64(|| sysnum == SYS_mmap2))) { |
| if (IsInLoader(drcontext)) { |
| app_pc base = (app_pc)dr_syscall_get_result(drcontext); |
| ptr_uint_t size; |
| drmf_status_t res = drsys_pre_syscall_arg(drcontext, 1, &size); |
| CHECK(res == DRMF_SUCCESS); |
| if (VERBOSITY > 0) |
| dr_printf("unpoisoning for dlopen: [%p-%p]\n", base, base + size); |
| // We don't switch to the app context because __msan_unpoison() doesn't |
| // need TLS segments. |
| __msan_unpoison(base, size); |
| } |
| } |
| } |
| |
| } // namespace |
| |
| DR_EXPORT void dr_init(client_id_t id) { |
| drmf_status_t res; |
| |
| drmgr_init(); |
| drutil_init(); |
| |
| string app_name = dr_get_application_name(); |
| // This blacklist will still run these apps through DR's code cache. On the |
| // other hand, we are able to follow children of these apps. |
| // FIXME: Once DR has detach, we could just detach here. Alternatively, |
| // if DR had a fork or exec hook to let us decide there, that would be nice. |
| // FIXME: make the blacklist cmd-adjustable. |
| if (app_name == "python" || app_name == "python2.7" || app_name == "bash" || |
| app_name == "sh" || app_name == "true" || app_name == "exit" || |
| app_name == "yes" || app_name == "echo") |
| return; |
| |
| drsys_options_t ops; |
| memset(&ops, 0, sizeof(ops)); |
| ops.struct_size = sizeof(ops); |
| ops.analyze_unknown_syscalls = false; |
| |
| res = drsys_init(id, &ops); |
| CHECK(res == DRMF_SUCCESS); |
| |
| dr_register_filter_syscall_event(event_filter_syscall); |
| drmgr_register_pre_syscall_event(event_pre_syscall); |
| drmgr_register_post_syscall_event(event_post_syscall); |
| res = drsys_filter_all_syscalls(); |
| CHECK(res == DRMF_SUCCESS); |
| |
| InitializeMSanCallbacks(); |
| |
| // FIXME: the shadow is initialized earlier when DR calls one of our wrapper |
| // functions. This may change one day. |
| // TODO: make this more robust. |
| |
| void *drcontext = dr_get_current_drcontext(); |
| |
| dr_switch_to_app_state(drcontext); |
| msan_retval_tls_offset = __msan_get_retval_tls_offset(); |
| msan_param_tls_offset = __msan_get_param_tls_offset(); |
| dr_switch_to_dr_state(drcontext); |
| if (VERBOSITY > 0) { |
| dr_printf("__msan_retval_tls offset: %d\n", msan_retval_tls_offset); |
| dr_printf("__msan_param_tls offset: %d\n", msan_param_tls_offset); |
| } |
| |
| // Standard DR events. |
| dr_register_exit_event(event_exit); |
| |
| drmgr_priority_t priority = { |
| sizeof(priority), /* size of struct */ |
| "msandr", /* name of our operation */ |
| NULL, /* optional name of operation we should precede */ |
| NULL, /* optional name of operation we should follow */ |
| 0 |
| }; /* numeric priority */ |
| |
| drmgr_register_bb_app2app_event(event_basic_block_app2app, &priority); |
| drmgr_register_bb_instru2instru_event(event_basic_block, &priority); |
| drmgr_register_module_load_event(event_module_load); |
| drmgr_register_module_unload_event(event_module_unload); |
| if (VERBOSITY > 0) |
| dr_printf("==MSANDR== Starting!\n"); |
| } |