Add lint check for IRT sandbox base address hiding.

build/link_irt.py

 #!/usr/bin/python
 # Copyright 2014 The Native Client Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 """Script for linking the NaCl IRT and IRT core.
 
 This module will take care of linking the NaCl IRT.  Compiling the libraries
 and object files that go into the NaCl IRT is done outside of this script.
 
 Linking is factored out because the IRT has specific requirements for
 where to place the text vs data segments, and also requires editting how
 TLS access is done.  Thus, it's more complicated than the usual linking.
 """
 
 import argparse
 import os
+import re
 import sys
 
 from build_nexe_tools import (CommandRunner, Error, FixPath, MakeDir)
 
 
 class IRTLinker(CommandRunner):
   """Builder object that generates build command-lines and runs them.
   """
 
   def __init__(self, options):
     super(IRTLinker, self).__init__(options)
     # IRT constraints for auto layout.
     # IRT text can only go up to 256MB. Addresses after that are for data.
     # Reserve an extra page because:
     # * sel_ldr requires a HLT sled at the end of the dynamic code area;
     # * dynamic_load_test currently tests loading at the end of the dynamic
     #   code area.
     self.irt_text_max = 0x10000000 - 0x10000
     # Data can only go up to the sandbox_top - sizeof(stack).
     # NaCl allocates 16MB for the initial thread's stack (see
     # NACL_DEFAULT_STACK_MAX in sel_ldr.h).
     # Assume sandbox_top is 1GB, since even on x86-64 the limit would
     # only be 2GB (rip-relative references can only be +/- 2GB).
     sandbox_top = 0x40000000
     self.irt_data_max = sandbox_top - (16 << 20)
     self.output = options.output
     self.link_cmd = options.link_cmd
     self.readelf_cmd = options.readelf_cmd
+    self.objdump_cmd = options.objdump_cmd
     self.tls_edit = options.tls_edit
     self.SetCommandsAreScripts(options.commands_are_scripts)
 
   def GetIRTLayout(self, irt_file):
     """Check if the IRT's data and text segment fit layout constraints and
        get sizes of the IRT's text and data segments.
 
     Returns a tuple containing:
       * whether the IRT data/text top addresses fit within the max limit
       * current data/text top addrs
@@ skipping 99 matching lines @@
                   'text_top=0x%x and data_top=0x%x\n' % (
                       text_top, data_top))
     self.Log('IRT layout fits: text_top=0x%x and data_top=0x%x' %
              (text_top, data_top))
 
     tls_edit_cmd = [FixPath(self.tls_edit), pre_tls_edit_out, out]
     tls_edit_err = self.Run(tls_edit_cmd, possibly_script=False)
     if tls_edit_err:
       raise Error('FAILED with %d: %s' % (err, ' '.join(tls_edit_cmd)))
 
+  def SandboxBaseCheck(self):
+    '''

[jvoung (off chromium), 2015/03/24 20:47:25]

""" instead of ''' for docstrings and oneliner summary on the first line.

[Derek Schuff, 2015/03/24 23:15:15]

Done.

+    This is a kind of lint check to ensure that the LLVM assembler's option for
+    hiding the sandbox base address on x86-64 is being used in all code compiled
+    into the IRT. It is only a heuristic intended to prevent accidental changes
+    in the IRT or toolchain build, and is not exhaustive. It is a stopgap until
+    we can fix https://code.google.com/p/nativeclient/issues/detail?id=3596
+    '''
+    cmd = [self.objdump_cmd, '-d', self.output]
+    output = self.Run(cmd, get_output=True)
+    # Disallow callq, all movs variants, all stos variants
+    # (objdump always disassembles 'call' as 'callq' in x86-64)
+    test_regex = r'\scallq\s|\smovs[bwlq]\s|\sstos[bwlq]\s'
+    # Disallow reads from rsp (other than %rsp,%rpb), and from rbp
+    test_regex += r'|[^(]%rsp,(?!%rbp)|[^(]%rbp,'

[jvoung (off chromium), 2015/03/24 20:47:25]

Hmm, so the trailing ","  is required? What about push %rbp?

[Derek Schuff, 2015/03/24 23:15:15]

It needs the trailing comma so that it doesn't catch things like
lea    0x0(%rbp,%r15,1),%rbp
or
mov    %rsp,%rbp

I added a check to catch pushes.

+    # Disallow reads from %r11 or uses as a base register
+    test_regex += r'|%r11,'
+    # All indirect jumps must be through r11
+    test_regex += r'|jmpq\s+\*%r(?!11)'
+    matched = re.search(test_regex, output)
+    if matched:
+      print 'The following instructions may reveal the sandbox base address:'
+      for line in output.splitlines():

[jvoung (off chromium), 2015/03/24 20:47:25]

Hmm... can the splitlines() be done earlier?

My main concern is if this will dump the whole executable's text section on
error, which I don't think a developer would want (scrolls the error message).
You could possibly search for the function header as you scan along and scope
the error to a function to dump some context. You could also print the line
number within the objdump output for someone to repro / run objdump separately
and look at just the dump.

[Derek Schuff, 2015/03/24 23:15:15]

I was attempting to avoid splitlines in the non-error case, in case the text was
really big, to avoid a big memory bloat. I could try to limit the number of
lines in the output in case of failure though, in addition to printing the
objdump command? The line output has the address and so is sufficient to locate
a unique instance in the output.

[jvoung (off chromium), 2015/03/25 16:53:49]

Okay sounds fine.

+         match = re.search(test_regex, line)

[jvoung (off chromium), 2015/03/24 20:47:25]

3 space indent -> 2 space indent

[Derek Schuff, 2015/03/24 23:15:15]

Done.

+         if match:
+          print line

[jvoung (off chromium), 2015/03/24 20:47:25]

1 space indent -> 2 space indent

[Derek Schuff, 2015/03/24 23:15:15]

Done.

+      raise Error('IRT sandbox base address hiding lint check failed')
+
+    else:
+      self.Log('Sandbox base address hiding lint check passed')
+
 
 def Main():
   parser = argparse.ArgumentParser()
   parser.add_argument('-o', '--output', dest='output', required=True,
                       help='Output filename')
   parser.add_argument('--tls-edit', dest='tls_edit', required=True,
                       help='Path of tls edit utility')
   parser.add_argument('--link-cmd', dest='link_cmd', required=True,
                       help='Path of linker utility')
   parser.add_argument('--readelf-cmd', dest='readelf_cmd', required=True,
                       help='Path of readelf utility')
-  parser.add_argument('-v', '--verbose', dest='verbose', default=False,
+  parser.add_argument('--objdump-cmd', dest='objdump_cmd', required=False,
+                      help='Path of objdump utility')
+  parser.add_argument('-v', '--verbose', dest='verbose', default=True,
                       help='Enable verbosity', action='store_true')
   parser.add_argument('--commands-are-scripts', dest='commands_are_scripts',
                       action='store_true', default=False,
                       help='Indicate that toolchain commands are scripts')
+  parser.add_argument('--sandbox-base-hiding-check',
+                      dest='sandbox_base_hiding_check', action='store_true',
+                      default=False)

[jvoung (off chromium), 2015/03/24 20:47:25]

help message?

   args, remaining_args = parser.parse_known_args()
   linker = IRTLinker(args)
   linker.Link(remaining_args)
+  if args.sandbox_base_hiding_check:
+    linker.SandboxBaseCheck()
   return 0
 
 
 if __name__ == '__main__':
   sys.exit(Main())