Seccomp sandbox changes (performance and correctness fixes, primarily targetting x86-32)

sandbox/linux/seccomp/library.cc

+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
 #define XOPEN_SOURCE 500
 #include <algorithm>
 #include <elf.h>
 #include <errno.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <iostream>
 #include <linux/unistd.h>
 #include <set>
 #include <signal.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <sys/ptrace.h>
 #include <sys/resource.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 
+#include "allocator.h"
 #include "debug.h"
 #include "library.h"
 #include "sandbox_impl.h"
 #include "syscall.h"
 #include "syscall_table.h"
 #include "x86_decode.h"
 
 #if defined(__x86_64__)
 typedef Elf64_Phdr    Elf_Phdr;
 typedef Elf64_Rela    Elf_Rel;
@@ skipping 48 matching lines @@
 char* Library::__kernel_sigreturn;
 char* Library::__kernel_rt_sigreturn;
 
 Library::~Library() {
   if (image_size_) {
     // We no longer need access to a full mapping of the underlying library
     // file. Move the temporarily extended mapping back to where we originally
     // found. Make sure to preserve any changes that we might have made since.
     Sandbox::SysCalls sys;
     sys.mprotect(image_, 4096, PROT_READ | PROT_WRITE);
-    memcpy(image_, memory_ranges_.rbegin()->second.start, 4096);
+    if (memcmp(image_, memory_ranges_.rbegin()->second.start, 4096)) {
+      // Only copy data, if we made any changes in this data. Otherwise there
+      // is no need to create another modified COW mapping.
+      memcpy(image_, memory_ranges_.rbegin()->second.start, 4096);
+    }
     sys.mprotect(image_, 4096, PROT_READ | PROT_EXEC);
     sys.mremap(image_, image_size_, 4096, MREMAP_MAYMOVE | MREMAP_FIXED,
                memory_ranges_.rbegin()->second.start);
   }
 }
 
 char* Library::getBytes(char* dst, const char* src, ssize_t len) {
   // Some kernels don't allow accessing the VDSO from write()
   if (isVDSO_ &&
       src >= memory_ranges_.begin()->second.start &&
@@ skipping 68 matching lines @@
     return NULL;
   }
   char *src = reinterpret_cast<char *>(iter->second.start) + offset;
   memset(buf, 0, len);
   if (!getBytes(buf, src, len)) {
     return NULL;
   }
   return buf;
 }
 
-std::string Library::get(Elf_Addr offset) {
+Library::string Library::get(Elf_Addr offset) {
   if (!valid_) {
     return "";
   }
   RangeMap::const_iterator iter = memory_ranges_.lower_bound(offset);
   if (iter == memory_ranges_.end()) {
     return "";
   }
   offset -= iter->first;
   const char *start = reinterpret_cast<char *>(iter->second.start) + offset;
   const char *stop  = reinterpret_cast<char *>(iter->second.stop) + offset;
   char buf[4096]    = { 0 };
   getBytes(buf, start, stop - start >= (int)sizeof(buf) ?
            sizeof(buf) - 1 : stop - start);
   start             = buf;
   stop              = buf;
   while (*stop) {
     ++stop;
   }
-  std::string s = stop > start ? std::string(start, stop - start) : "";
+  string s = stop > start ? string(start, stop - start) : "";
   return s;
 }
 
 char *Library::getOriginal(Elf_Addr offset, char *buf, size_t len) {
   if (!valid_) {
     memset(buf, 0, len);
     return NULL;
   }
   Sandbox::SysCalls sys;
   if (!image_ && !isVDSO_ && !memory_ranges_.empty() &&
       memory_ranges_.rbegin()->first == 0) {
     // Extend the mapping of the very first page of the underlying library
     // file. This way, we can read the original file contents of the entire
     // library.
     // We have to be careful, because doing so temporarily removes the first
     // 4096 bytes of the library from memory. And we don't want to accidentally
     // unmap code that we are executing. So, only use functions that can be
     // inlined.
     void* start = memory_ranges_.rbegin()->second.start;
     image_size_ = memory_ranges_.begin()->first +
       (reinterpret_cast<char *>(memory_ranges_.begin()->second.stop) -
        reinterpret_cast<char *>(memory_ranges_.begin()->second.start));
+    if (image_size_ < 8192) {
+      // It is possible to create a library that is only a single page in
+      // size. In that case, we have to make sure that we artificially map
+      // one extra page past the end of it, as our code relies on mremap()
+      // actually moving the mapping.
+      image_size_ = 8192;
+    }
     image_ = reinterpret_cast<char *>(sys.mremap(start, 4096, image_size_,
                                                  MREMAP_MAYMOVE));
+    if (image_size_ == 8192 && image_ == start) {
+      // We really mean it, when we say we want the memory to be moved.
+      image_ = reinterpret_cast<char *>(sys.mremap(start, 4096, image_size_,
+                                                   MREMAP_MAYMOVE));
+      sys.munmap(reinterpret_cast<char *>(start) + 4096, 4096);
+    }
     if (image_ == MAP_FAILED) {
       image_ = NULL;
     } else {
       sys.MMAP(start, 4096, PROT_READ | PROT_WRITE,
                MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
       for (int i = 4096 / sizeof(long); --i;
            reinterpret_cast<long *>(start)[i] =
              reinterpret_cast<long *>(image_)[i]);
     }
   }
@@ skipping 13 matching lines @@
       }
     }
     if (buf && offset + len <= image_size_) {
       return reinterpret_cast<char *>(memcpy(buf, image_ + offset, len));
     }
     return NULL;
   }
   return buf ? get(offset, buf, len) : NULL;
 }
 
-std::string Library::getOriginal(Elf_Addr offset) {
+Library::string Library::getOriginal(Elf_Addr offset) {
   if (!valid_) {
     return "";
   }
   // Make sure we actually have a mapping that we can access. If the string
   // is located at the end of the image, we might not yet have extended the
   // mapping sufficiently.
   if (!image_ || image_size_ <= offset) {
     getOriginal(offset, NULL, 1);
   }
 
   if (image_) {
     if (offset < image_size_) {
       char* start = image_ + offset;
       char* stop  = start;
       while (stop < image_ + image_size_ && *stop) {
         ++stop;
         if (stop >= image_ + image_size_) {
           getOriginal(stop - image_, NULL, 1);
         }
       }
-      return std::string(start, stop - start);
+      return string(start, stop - start);
     }
     return "";
   }
   return get(offset);
 }
 
 const Elf_Ehdr* Library::getEhdr() {
   if (!valid_) {
     return NULL;
   }
   return &ehdr_;
 }
 
-const Elf_Shdr* Library::getSection(const std::string& section) {
+const Elf_Shdr* Library::getSection(const string& section) {
   if (!valid_) {
     return NULL;
   }
   SectionTable::const_iterator iter = section_table_.find(section);
   if (iter == section_table_.end()) {
     return NULL;
   }
   return &iter->second.second;
 }
 
-const int Library::getSectionIndex(const std::string& section) {
+const int Library::getSectionIndex(const string& section) {
   if (!valid_) {
     return -1;
   }
   SectionTable::const_iterator iter = section_table_.find(section);
   if (iter == section_table_.end()) {
     return -1;
   }
   return iter->second.first;
 }
 
-void **Library::getRelocation(const std::string& symbol) {
-  PltTable::const_iterator iter = plt_entries_.find(symbol);
-  if (iter == plt_entries_.end()) {
-    return NULL;
-  }
-  return reinterpret_cast<void **>(asr_offset_ + iter->second);
-}
-
-void *Library::getSymbol(const std::string& symbol) {
-  SymbolTable::const_iterator iter = symbols_.find(symbol);
-  if (iter == symbols_.end() || !iter->second.st_value) {
-    return NULL;
-  }
-  return asr_offset_ + iter->second.st_value;
-}
-
 void Library::makeWritable(bool state) const {
   for (RangeMap::const_iterator iter = memory_ranges_.begin();
        iter != memory_ranges_.end(); ++iter) {
     const Range& range = iter->second;
     long length = reinterpret_cast<char *>(range.stop) -
                   reinterpret_cast<char *>(range.start);
     Sandbox::SysCalls sys;
     sys.mprotect(range.start, length,
                  range.prot | (state ? PROT_WRITE : 0));
   }
@@ skipping 37 matching lines @@
   if (*extraSpace) {
     *extraLength -= needed;
     return *extraSpace + *extraLength;
   }
   Sandbox::die("Insufficient space to intercept system call");
 }
 
 void Library::patchSystemCallsInFunction(const Maps* maps, char *start,
                                          char *end, char** extraSpace,
                                          int* extraLength) {
-  std::set<char *> branch_targets;
+  std::set<char *, std::less<char *>, SystemAllocator<char *> > branch_targets;
   for (char *ptr = start; ptr < end; ) {
     unsigned short insn = next_inst((const char **)&ptr, __WORDSIZE == 64);
     char *target;
     if ((insn >= 0x70 && insn <= 0x7F) /* Jcc */ || insn == 0xEB /* JMP */) {
       target = ptr + (reinterpret_cast<signed char *>(ptr))[-1];
     } else if (insn == 0xE8 /* CALL */ || insn == 0xE9 /* JMP */ ||
                (insn >= 0x0F80 && insn <= 0x0F8F) /* Jcc */) {
       target = ptr + (reinterpret_cast<int *>(ptr))[-1];
     } else {
       continue;
@@ skipping 115 matching lines @@
         code[i].len = next - code[i].addr;
         code[i].is_ip_relative = tmp_rm && (*tmp_rm & 0xC7) == 0x5;
         if (!code[i].is_ip_relative && isSafeInsn(code[i].insn)) {
           endIdx = i;
           length = next - code[startIdx].addr;
         } else {
           break;
         }
       }
       // We now know, how many instructions neighboring the system call we
-      // can safely overwrite. We need five bytes to insert a JMP/CALL and a
-      // 32bit address. We then jump to a code fragment that safely forwards
-      // to our system call wrapper. On x86-64, this is complicated by
-      // the fact that the API allows up to 128 bytes of red-zones below the
-      // current stack pointer. So, we cannot write to the stack until we
-      // have adjusted the stack pointer.
+      // can safely overwrite. On x86-32 we need six bytes, and on x86-64
+      // We need five bytes to insert a JMPQ and a 32bit address. We then
+      // jump to a code fragment that safely forwards to our system call
+      // wrapper.
+      // On x86-64, this is complicated by the fact that the API allows up
+      // to 128 bytes of red-zones below the current stack pointer. So, we
+      // cannot write to the stack until we have adjusted the stack
+      // pointer.
+      // On both x86-32 and x86-64 we take care to leave the stack unchanged
+      // while we are executing the preamble and postamble. This allows us
+      // to treat instructions that reference %esp/%rsp as safe for
+      // relocation.
+      // In particular, this means that on x86-32 we cannot use CALL, but
+      // have to use a PUSH/RET combination to change the instruction pointer.
+      // On x86-64, we can instead use a 32bit JMPQ.
       //
       // .. .. .. .. ; any leading instructions copied from original code
       // 48 81 EC 80 00 00 00        SUB  $0x80, %rsp
       // 50                          PUSH %rax
       // 48 8D 05 .. .. .. ..        LEA  ...(%rip), %rax
       // 50                          PUSH %rax
       // 48 B8 .. .. .. ..           MOV  $syscallWrapper, %rax
       // .. .. .. ..
       // 50                          PUSH %rax
       // 48 8D 05 06 00 00 00        LEA  6(%rip), %rax
       // 48 87 44 24 10              XCHG %rax, 16(%rsp)
       // C3                          RETQ
       // 48 81 C4 80 00 00 00        ADD  $0x80, %rsp
       // .. .. .. .. ; any trailing instructions copied from original code
       // E9 .. .. .. ..              JMPQ ...
       //
       // Total: 52 bytes + any bytes that were copied
       //
       // On x86-32, the stack is available and we can do:
       //
       // TODO(markus): Try to maintain frame pointers on x86-32
       //
       // .. .. .. .. ; any leading instructions copied from original code
       // 68 .. .. .. ..              PUSH return_addr
       // 68 .. .. .. ..              PUSH $syscallWrapper
       // C3                          RET
       // .. .. .. .. ; any trailing instructions copied from original code
+      // 68 .. .. .. ..              PUSH return_addr
       // C3                          RET
       //
-      // Total: 12 bytes + any bytes that were copied
+      // Total: 17 bytes + any bytes that were copied
       //
       // For indirect jumps from the VDSO to the VSyscall page, we instead
       // replace the following code (this is only necessary on x86-64). This
       // time, we don't have to worry about red zones:
       //
       // .. .. .. .. ; any leading instructions copied from original code
       // E8 00 00 00 00              CALL .
       // 48 83 04 24 ..              ADDQ $.., (%rsp)
       // FF .. .. .. .. ..           PUSH ..  ; from original CALL instruction
       // 48 81 3C 24 00 00 00 FF     CMPQ $0xFFFFFFFFFF000000, 0(%rsp)
       // 72 10                       JB   . + 16
       // 81 2C 24 .. .. .. ..        SUBL ..., 0(%rsp)
       // C7 44 24 04 00 00 00 00     MOVL $0, 4(%rsp)
       // C3                          RETQ
       // 48 87 04 24                 XCHG %rax,(%rsp)
       // 48 89 44 24 08              MOV  %rax,0x8(%rsp)
       // 58                          POP  %rax
       // C3                          RETQ
       // .. .. .. .. ; any trailing instructions copied from original code
       // E9 .. .. .. ..              JMPQ ...
       //
       // Total: 52 bytes + any bytes that were copied
 
-      if (length < 5) {
+      if (length < (__WORDSIZE == 32 ? 6 : 5)) {
         // There are a very small number of instruction sequences that we
         // cannot easily intercept, and that have been observed in real world
         // examples. Handle them here:
         #if defined(__i386__)
         int diff;
         if (!memcmp(code[codeIdx].addr, "\xCD\x80\xEB", 3) &&
             (diff = *reinterpret_cast<signed char *>(
                  code[codeIdx].addr + 3)) < 0 && diff >= -6) {
           // We have seen...
           //   for (;;) {
@@ skipping 52 matching lines @@
                   branch_targets.end() || *iter >= ptr)) {
           // We changed startIdx to include the IP relative instruction.
           // When copying this preamble, we make sure to patch up the
           // offset.
         }
         #endif
         else {
           Sandbox::die("Cannot intercept system call");
         }
       }
-      int needed = 5 - code[codeIdx].len;
+      int needed = (__WORDSIZE == 32 ? 6 : 5) - code[codeIdx].len;
       int first = codeIdx;
       while (needed > 0 && first != startIdx) {
         first = (first + (sizeof(code) / sizeof(struct Code)) - 1) %
                 (sizeof(code) / sizeof(struct Code));
         needed -= code[first].len;
       }
       int second = codeIdx;
       while (needed > 0) {
         second = (second + 1) % (sizeof(code) / sizeof(struct Code));
         needed -= code[second].len;
       }
       int preamble = code[codeIdx].addr - code[first].addr;
       int postamble = code[second].addr + code[second].len -
                       code[codeIdx].addr - code[codeIdx].len;
 
       // The following is all the code that construct the various bits of
       // assembly code.
       #if defined(__x86_64__)
       if (is_indirect_call) {
         needed = 52 + preamble + code[codeIdx].len + postamble;
       } else {
         needed = 52 + preamble + postamble;
       }
       #elif defined(__i386__)
-      needed = 12 + preamble + postamble;
+      needed = 17 + preamble + postamble;
       #else
       #error Unsupported target platform
       #endif
 
       // Allocate scratch space and copy the preamble of code that was moved
       // from the function that we are patching.
       char* dest = getScratchSpace(maps, code[first].addr, needed,
                                    extraSpace, extraLength);
       memcpy(dest, code[first].addr, preamble);
 
@@ skipping 58 matching lines @@
           (code[second].addr + code[second].len) - (dest + post + 5);
       if (is_indirect_call) {
         *reinterpret_cast<int *>(dest + preamble + 13) = vsys_offset_;
       } else {
         *reinterpret_cast<int *>(dest + preamble + 11) =
             (code[second].addr + code[second].len) - (dest + preamble + 15);
         *reinterpret_cast<void **>(dest + preamble + 18) =
             reinterpret_cast<void *>(&syscallWrapper);
       }
       #elif defined(__i386__)
-      *(dest + preamble + 11 + postamble) = '\xC3';
+      *(dest + preamble + 11 + postamble) = '\x68'; // PUSH
+      *reinterpret_cast<char **>(dest + preamble + 12 + postamble) =
+          code[second].addr + code[second].len;
+      *(dest + preamble + 16 + postamble) = '\xC3'; // RET
       *reinterpret_cast<char **>(dest + preamble + 1) =
           dest + preamble + 11;
       *reinterpret_cast<void (**)()>(dest + preamble + 6) = syscallWrapper;
       #else
       #error Unsupported target platform
       #endif
 
       // Pad unused space in the original function with NOPs
       memset(code[first].addr, 0x90 /* NOP */,
              code[second].addr + code[second].len - code[first].addr);
 
       // Replace the system call with an unconditional jump to our new code.
       #if defined(__x86_64__)
-      *code[first].addr = '\xE9'; // JMPQ
+      *code[first].addr = '\xE9';   // JMPQ
+      *reinterpret_cast<int *>(code[first].addr + 1) =
+          dest - (code[first].addr + 5);
       #elif defined(__i386__)
-      *code[first].addr = '\xE8'; // CALL
+      code[first].addr[0] = '\x68'; // PUSH
+      *reinterpret_cast<char **>(code[first].addr + 1) = dest;
+      code[first].addr[5] = '\xC3'; // RET
       #else
       #error Unsupported target platform
       #endif
-      *reinterpret_cast<int *>(code[first].addr + 1) =
-          dest - (code[first].addr + 5);
     }
    replaced:
     codeIdx = (codeIdx + 1) % (sizeof(code) / sizeof(struct Code));
   }
 }
 
 void Library::patchVDSO(char** extraSpace, int* extraLength){
   #if defined(__i386__)
   Sandbox::SysCalls sys;
   if (!__kernel_vsyscall ||
@@ skipping 255 matching lines @@
   // Verify ELF header
   Elf_Shdr str_shdr;
   if (!getOriginal(0, &ehdr_) ||
       ehdr_.e_ehsize < sizeof(Elf_Ehdr) ||
       ehdr_.e_phentsize < sizeof(Elf_Phdr) ||
       ehdr_.e_shentsize < sizeof(Elf_Shdr) ||
       !getOriginal(ehdr_.e_shoff + ehdr_.e_shstrndx * ehdr_.e_shentsize,
                    &str_shdr)) {
     // Not all memory mappings are necessarily ELF files. Skip memory
     // mappings that we cannot identify.
+ error:
     valid_ = false;
     return false;
   }
 
-  // Find PT_DYNAMIC segment. This is what our PLT entries and symbols will
-  // point to. This information is probably incorrect in the child, as it
-  // requires access to the original memory mappings.
-  for (int i = 0; i < ehdr_.e_phnum; i++) {
-    Elf_Phdr phdr;
-    if (getOriginal(ehdr_.e_phoff + i*ehdr_.e_phentsize, &phdr) &&
-        phdr.p_type == PT_DYNAMIC) {
-      RangeMap::const_iterator iter =
-          memory_ranges_.lower_bound(phdr.p_offset);
-      if (iter != memory_ranges_.end()) {
-        asr_offset_ = reinterpret_cast<char *>(iter->second.start) -
-            (phdr.p_vaddr - (phdr.p_offset - iter->first));
-      }
-      break;
-    }
-  }
-
   // Parse section table and find all sections in this ELF file
   for (int i = 0; i < ehdr_.e_shnum; i++) {
     Elf_Shdr shdr;
     if (!getOriginal(ehdr_.e_shoff + i*ehdr_.e_shentsize, &shdr)) {
       continue;
     }
     section_table_.insert(
        std::make_pair(getOriginal(str_shdr.sh_offset + shdr.sh_name),
                       std::make_pair(i, shdr)));
   }
 
+  // Compute the offset of entries in the .text segment
+  const Elf_Shdr* text = getSection(".text");
+  if (text == NULL) {
+    // On x86-32, the VDSO is unusual in as much as it does not have a single
+    // ".text" section. Instead, it has one section per function. Each
+    // section name starts with ".text". We just need to pick an arbitrary
+    // one in order to find the asr_offset_ -- which would typically be zero
+    // for the VDSO.
+    for (SectionTable::const_iterator iter = section_table_.begin();
+         iter != section_table_.end(); ++iter) {
+      if (!strncmp(iter->first.c_str(), ".text", 5)) {
+        text = &iter->second.second;
+        break;
+      }
+    }
+  }
+
+  // Now that we know where the .text segment is located, we can compute the
+  // asr_offset_.
+  if (text) {
+    RangeMap::const_iterator iter =
+        memory_ranges_.lower_bound(text->sh_offset);
+    if (iter != memory_ranges_.end()) {
+      asr_offset_ = reinterpret_cast<char *>(iter->second.start) -
+          (text->sh_addr - (text->sh_offset - iter->first));
+    } else {
+      goto error;
+    }
+  } else {
+    goto error;
+  }
+
   return !isVDSO_ || parseSymbols();
 }
 
 bool Library::parseSymbols() {
   if (!valid_) {
     return false;
   }
 
   Elf_Shdr str_shdr;
   getOriginal(ehdr_.e_shoff + ehdr_.e_shstrndx * ehdr_.e_shentsize, &str_shdr);
@@ skipping 27 matching lines @@
         continue;
       }
       Elf_Sym sym;
       if (!getOriginal(symtab->sh_offset +
                        ELF_R_SYM(rel.r_info)*sizeof(Elf_Sym), &sym) ||
           sym.st_shndx >= ehdr_.e_shnum) {
         Debug::message("Encountered invalid symbol for plt entry\n");
         valid_ = false;
         return false;
       }
-      std::string name = getOriginal(strtab.sh_offset + sym.st_name);
+      string name = getOriginal(strtab.sh_offset + sym.st_name);
       if (name.empty()) {
         continue;
       }
       plt_entries_.insert(std::make_pair(name, rel.r_offset));
     }
   }
 
   if (symtab) {
     // Parse symbol table and add its entries
     for (Elf_Addr addr = 0; addr < symtab->sh_size; addr += sizeof(Elf_Sym)) {
       Elf_Sym sym;
       if (!getOriginal(symtab->sh_offset + addr, &sym) ||
           (sym.st_shndx >= ehdr_.e_shnum &&
            sym.st_shndx < SHN_LORESERVE)) {
         Debug::message("Encountered invalid symbol\n");
         valid_ = false;
         return false;
       }
-      std::string name = getOriginal(strtab.sh_offset + sym.st_name);
+      string name = getOriginal(strtab.sh_offset + sym.st_name);
       if (name.empty()) {
         continue;
       }
       symbols_.insert(std::make_pair(name, sym));
     }
   }
 
   SymbolTable::const_iterator iter = symbols_.find("__kernel_vsyscall");
   if (iter != symbols_.end() && iter->second.st_value) {
     __kernel_vsyscall = asr_offset_ + iter->second.st_value;
   }
   iter = symbols_.find("__kernel_sigreturn");
   if (iter != symbols_.end() && iter->second.st_value) {
     __kernel_sigreturn = asr_offset_ + iter->second.st_value;
   }
   iter = symbols_.find("__kernel_rt_sigreturn");
   if (iter != symbols_.end() && iter->second.st_value) {
     __kernel_rt_sigreturn = asr_offset_ + iter->second.st_value;
   }
 
   return true;
 }
 
 } // namespace