Add lint check for IRT sandbox base address hiding.

build/link_irt.py

Index: build/link_irt.py
diff --git a/build/link_irt.py b/build/link_irt.py
index c161f2f0445b658e97697adbf3ae5e614cc7f9e9..7600edcfa7bf42fd565d9b97b628f1dddbc8bb37 100644
--- a/build/link_irt.py
+++ b/build/link_irt.py
@@ -15,6 +15,7 @@ TLS access is done.  Thus, it's more complicated than the usual linking.
 
 import argparse
 import os
+import re
 import sys
 
 from build_nexe_tools import (CommandRunner, Error, FixPath, MakeDir)
@@ -43,6 +44,7 @@ class IRTLinker(CommandRunner):
     self.output = options.output
     self.link_cmd = options.link_cmd
     self.readelf_cmd = options.readelf_cmd
+    self.objdump_cmd = options.objdump_cmd
     self.tls_edit = options.tls_edit
     self.SetCommandsAreScripts(options.commands_are_scripts)
 
@@ -162,6 +164,37 @@ class IRTLinker(CommandRunner):
     if tls_edit_err:
       raise Error('FAILED with %d: %s' % (err, ' '.join(tls_edit_cmd)))
 
+  def SandboxBaseCheck(self):
+    '''

[jvoung (off chromium), 2015/03/24 20:47:25]

""" instead of ''' for docstrings and oneliner summary on the first line.

[Derek Schuff, 2015/03/24 23:15:15]

Done.

+    This is a kind of lint check to ensure that the LLVM assembler's option for
+    hiding the sandbox base address on x86-64 is being used in all code compiled
+    into the IRT. It is only a heuristic intended to prevent accidental changes
+    in the IRT or toolchain build, and is not exhaustive. It is a stopgap until
+    we can fix https://code.google.com/p/nativeclient/issues/detail?id=3596
+    '''
+    cmd = [self.objdump_cmd, '-d', self.output]
+    output = self.Run(cmd, get_output=True)
+    # Disallow callq, all movs variants, all stos variants
+    # (objdump always disassembles 'call' as 'callq' in x86-64)
+    test_regex = r'\scallq\s|\smovs[bwlq]\s|\sstos[bwlq]\s'
+    # Disallow reads from rsp (other than %rsp,%rpb), and from rbp
+    test_regex += r'|[^(]%rsp,(?!%rbp)|[^(]%rbp,'

[jvoung (off chromium), 2015/03/24 20:47:25]

Hmm, so the trailing ","  is required? What about push %rbp?

[Derek Schuff, 2015/03/24 23:15:15]

It needs the trailing comma so that it doesn't catch things like
lea    0x0(%rbp,%r15,1),%rbp
or
mov    %rsp,%rbp

I added a check to catch pushes.

+    # Disallow reads from %r11 or uses as a base register
+    test_regex += r'|%r11,'
+    # All indirect jumps must be through r11
+    test_regex += r'|jmpq\s+\*%r(?!11)'
+    matched = re.search(test_regex, output)
+    if matched:
+      print 'The following instructions may reveal the sandbox base address:'
+      for line in output.splitlines():

[jvoung (off chromium), 2015/03/24 20:47:25]

Hmm... can the splitlines() be done earlier?

My main concern is if this will dump the whole executable's text section on
error, which I don't think a developer would want (scrolls the error message).
You could possibly search for the function header as you scan along and scope
the error to a function to dump some context. You could also print the line
number within the objdump output for someone to repro / run objdump separately
and look at just the dump.

[Derek Schuff, 2015/03/24 23:15:15]

I was attempting to avoid splitlines in the non-error case, in case the text was
really big, to avoid a big memory bloat. I could try to limit the number of
lines in the output in case of failure though, in addition to printing the
objdump command? The line output has the address and so is sufficient to locate
a unique instance in the output.

[jvoung (off chromium), 2015/03/25 16:53:49]

Okay sounds fine.

+         match = re.search(test_regex, line)

[jvoung (off chromium), 2015/03/24 20:47:25]

3 space indent -> 2 space indent

[Derek Schuff, 2015/03/24 23:15:15]

Done.

+         if match:
+          print line

[jvoung (off chromium), 2015/03/24 20:47:25]

1 space indent -> 2 space indent

[Derek Schuff, 2015/03/24 23:15:15]

Done.

+      raise Error('IRT sandbox base address hiding lint check failed')
+
+    else:
+      self.Log('Sandbox base address hiding lint check passed')
+
 
 def Main():
   parser = argparse.ArgumentParser()
@@ -173,14 +206,21 @@ def Main():
                       help='Path of linker utility')
   parser.add_argument('--readelf-cmd', dest='readelf_cmd', required=True,
                       help='Path of readelf utility')
-  parser.add_argument('-v', '--verbose', dest='verbose', default=False,
+  parser.add_argument('--objdump-cmd', dest='objdump_cmd', required=False,
+                      help='Path of objdump utility')
+  parser.add_argument('-v', '--verbose', dest='verbose', default=True,
                       help='Enable verbosity', action='store_true')
   parser.add_argument('--commands-are-scripts', dest='commands_are_scripts',
                       action='store_true', default=False,
                       help='Indicate that toolchain commands are scripts')
+  parser.add_argument('--sandbox-base-hiding-check',
+                      dest='sandbox_base_hiding_check', action='store_true',
+                      default=False)

[jvoung (off chromium), 2015/03/24 20:47:25]

help message?

   args, remaining_args = parser.parse_known_args()
   linker = IRTLinker(args)
   linker.Link(remaining_args)
+  if args.sandbox_base_hiding_check:
+    linker.SandboxBaseCheck()
   return 0