On Tue, 14 Feb 2023, Jakub Jelinek wrote:
> Hi!
>
> While in the -fsanitize=address case libasan overloads memcpy, memset,
> memmove and many other builtins, such that they are always instrumented,
> Linux kernel for -fsanitize=kernel-address recently changed or is changing,
> such that memcpy, memset and memmove actually aren't instrumented because
> they are often used also from no_sanitize ("kernel-address") functions
> and wants __{,hw,}asaN_{memcpy,memset,memmove} to be used instead
> for the instrumented calls. See e.g. the https://lkml.org/lkml/2023/2/9/1182
> thread. Without appropriate support on the compiler side, that will mean
> any time a kernel-address instrumented function (most of them) calls
> memcpy/memset/memmove, they will not be instrumented and thus won't catch
> kernel bugs. Apparently clang 15 has a param for this.
>
> The following patch implements the same (except it is a usual GCC --param,
> not -mllvm argument) on the GCC side. I know this isn't a regression
> bugfix, but given that -fsanitize=kernel-address has a single project that
> uses it which badly wants this I think it would be worthwhile to make an
> exception and get this into GCC 13 rather than waiting another year, it
> won't affect non-kernel code, nor even the kernel unless the new parameter
> is used.
>
> Bootstrapped/regtested on x86_64-linux and i686-linux and Marco has tested
> it on the kernel, ok for trunk?
OK.
Thanks,
Richard.
> 2023-02-14 Jakub Jelinek <ja...@redhat.com>
>
> PR sanitizer/108777
> * params.opt (-param=asan-kernel-mem-intrinsic-prefix=): New param.
> * asan.h (asan_memfn_rtl): Declare.
> * asan.cc (asan_memfn_rtls): New variable.
> (asan_memfn_rtl): New function.
> * builtins.cc (expand_builtin): If
> param_asan_kernel_mem_intrinsic_prefix and function is
> kernel-{,hw}address sanitized, emit calls to
> __{,hw}asan_{memcpy,memmove,memset} rather than
> {memcpy,memmove,memset}. Use sanitize_flags_p (SANITIZE_ADDRESS)
> instead of flag_sanitize & SANITIZE_ADDRESS to check if
> asan_intercepted_p functions shouldn't be expanded inline.
>
> * gcc.dg/asan/pr108777-1.c: New test.
> * gcc.dg/asan/pr108777-2.c: New test.
> * gcc.dg/asan/pr108777-3.c: New test.
> * gcc.dg/asan/pr108777-4.c: New test.
> * gcc.dg/asan/pr108777-5.c: New test.
> * gcc.dg/asan/pr108777-6.c: New test.
> * gcc.dg/completion-3.c: Adjust expected multiline output.
>
> --- gcc/params.opt.jj 2023-02-10 19:04:58.289014706 +0100
> +++ gcc/params.opt 2023-02-13 16:19:50.411101775 +0100
> @@ -50,6 +50,10 @@ Enable asan store operations protection.
> Common Joined UInteger Var(param_asan_instrumentation_with_call_threshold)
> Init(7000) Param Optimization
> Use callbacks instead of inline code if number of accesses in function
> becomes greater or equal to this number.
>
> +-param=asan-kernel-mem-intrinsic-prefix=
> +Common Joined UInteger Var(param_asan_kernel_mem_intrinsic_prefix) Init(0)
> IntegerRange(0, 1) Param Optimization
> +Prefix calls to memcpy, memset and memmove with __asan_ or __hwasan_ for
> -fsanitize=kernel-address or -fsanitize=kernel-hwaddress.
> +
> -param=asan-memintrin=
> Common Joined UInteger Var(param_asan_memintrin) Init(1) IntegerRange(0, 1)
> Param Optimization
> Enable asan builtin functions protection.
> --- gcc/asan.h.jj 2023-01-02 09:32:26.721222635 +0100
> +++ gcc/asan.h 2023-02-13 16:45:14.475088159 +0100
> @@ -33,6 +33,7 @@ extern bool asan_expand_check_ifn (gimpl
> extern bool asan_expand_mark_ifn (gimple_stmt_iterator *);
> extern bool asan_expand_poison_ifn (gimple_stmt_iterator *, bool *,
> hash_map<tree, tree> &);
> +extern rtx asan_memfn_rtl (tree);
>
> extern void hwasan_record_frame_init ();
> extern void hwasan_record_stack_var (rtx, rtx, poly_int64, poly_int64);
> --- gcc/asan.cc.jj 2023-02-02 10:54:44.326473507 +0100
> +++ gcc/asan.cc 2023-02-13 16:52:16.711015256 +0100
> @@ -391,6 +391,46 @@ asan_memintrin (void)
> }
>
>
> +/* Support for --param asan-kernel-mem-intrinsic-prefix=1. */
> +static GTY(()) rtx asan_memfn_rtls[3];
> +
> +rtx
> +asan_memfn_rtl (tree fndecl)
> +{
> + int i;
> + const char *f, *p;
> + char buf[sizeof ("__hwasan_memmove")];
> +
> + switch (DECL_FUNCTION_CODE (fndecl))
> + {
> + case BUILT_IN_MEMCPY: i = 0; f = "memcpy"; break;
> + case BUILT_IN_MEMSET: i = 1; f = "memset"; break;
> + case BUILT_IN_MEMMOVE: i = 2; f = "memmove"; break;
> + default: gcc_unreachable ();
> + }
> + if (asan_memfn_rtls[i] == NULL_RTX)
> + {
> + tree save_name = DECL_NAME (fndecl);
> + tree save_assembler_name = DECL_ASSEMBLER_NAME (fndecl);
> + rtx save_rtl = DECL_RTL (fndecl);
> + if (flag_sanitize & SANITIZE_KERNEL_HWADDRESS)
> + p = "__hwasan_";
> + else
> + p = "__asan_";
> + strcpy (buf, p);
> + strcat (buf, f);
> + DECL_NAME (fndecl) = get_identifier (buf);
> + DECL_ASSEMBLER_NAME_RAW (fndecl) = NULL_TREE;
> + SET_DECL_RTL (fndecl, NULL_RTX);
> + asan_memfn_rtls[i] = DECL_RTL (fndecl);
> + DECL_NAME (fndecl) = save_name;
> + DECL_ASSEMBLER_NAME_RAW (fndecl) = save_assembler_name;
> + SET_DECL_RTL (fndecl, save_rtl);
> + }
> + return asan_memfn_rtls[i];
> +}
> +
> +
> /* Checks whether section SEC should be sanitized. */
>
> static bool
> --- gcc/builtins.cc.jj 2023-02-02 10:54:44.330473449 +0100
> +++ gcc/builtins.cc 2023-02-13 16:46:42.127826612 +0100
> @@ -7326,7 +7326,24 @@ expand_builtin (tree exp, rtx target, rt
> by ASan. */
>
> enum built_in_function fcode = DECL_FUNCTION_CODE (fndecl);
> - if ((flag_sanitize & SANITIZE_ADDRESS) && asan_intercepted_p (fcode))
> + if (param_asan_kernel_mem_intrinsic_prefix
> + && sanitize_flags_p (SANITIZE_KERNEL_ADDRESS
> + | SANITIZE_KERNEL_HWADDRESS))
> + switch (fcode)
> + {
> + rtx save_decl_rtl, ret;
> + case BUILT_IN_MEMCPY:
> + case BUILT_IN_MEMMOVE:
> + case BUILT_IN_MEMSET:
> + save_decl_rtl = DECL_RTL (fndecl);
> + DECL_RTL (fndecl) = asan_memfn_rtl (fndecl);
> + ret = expand_call (exp, target, ignore);
> + DECL_RTL (fndecl) = save_decl_rtl;
> + return ret;
> + default:
> + break;
> + }
> + if (sanitize_flags_p (SANITIZE_ADDRESS) && asan_intercepted_p (fcode))
> return expand_call (exp, target, ignore);
>
> /* When not optimizing, generate calls to library functions for a certain
> --- gcc/testsuite/gcc.dg/asan/pr108777-1.c.jj 2023-02-13 17:49:23.139002484
> +0100
> +++ gcc/testsuite/gcc.dg/asan/pr108777-1.c 2023-02-13 17:51:09.433479988
> +0100
> @@ -0,0 +1,28 @@
> +/* PR sanitizer/108777 */
> +/* { dg-do compile } */
> +/* { dg-options "-O2 -fno-sanitize=all -fsanitize=kernel-address --param
> asan-kernel-mem-intrinsic-prefix=1" } */
> +/* { dg-final { scan-assembler "__asan_memcpy" } } */
> +/* { dg-final { scan-assembler "__asan_memset" } } */
> +/* { dg-final { scan-assembler "__asan_memmove" } } */
> +
> +extern void *memcpy (void *, const void *, __SIZE_TYPE__);
> +extern void *memmove (void *, const void *, __SIZE_TYPE__);
> +extern void *memset (void *, int, __SIZE_TYPE__);
> +
> +void
> +foo (void *p, void *q, int s)
> +{
> + memcpy (p, q, s);
> +}
> +
> +void
> +bar (void *p, void *q, int s)
> +{
> + memmove (p, q, s);
> +}
> +
> +void
> +baz (void *p, int c, int s)
> +{
> + memset (p, c, s);
> +}
> --- gcc/testsuite/gcc.dg/asan/pr108777-2.c.jj 2023-02-13 17:49:27.215944098
> +0100
> +++ gcc/testsuite/gcc.dg/asan/pr108777-2.c 2023-02-13 17:51:09.433479988
> +0100
> @@ -0,0 +1,24 @@
> +/* PR sanitizer/108777 */
> +/* { dg-do compile } */
> +/* { dg-options "-O2 -fno-sanitize=all -fsanitize=kernel-address --param
> asan-kernel-mem-intrinsic-prefix=1" } */
> +/* { dg-final { scan-assembler "__asan_memcpy" } } */
> +/* { dg-final { scan-assembler "__asan_memset" } } */
> +/* { dg-final { scan-assembler "__asan_memmove" } } */
> +
> +void
> +foo (void *p, void *q, int s)
> +{
> + __builtin_memcpy (p, q, s);
> +}
> +
> +void
> +bar (void *p, void *q, int s)
> +{
> + __builtin_memmove (p, q, s);
> +}
> +
> +void
> +baz (void *p, int c, int s)
> +{
> + __builtin_memset (p, c, s);
> +}
> --- gcc/testsuite/gcc.dg/asan/pr108777-3.c.jj 2023-02-13 17:49:30.683894408
> +0100
> +++ gcc/testsuite/gcc.dg/asan/pr108777-3.c 2023-02-13 17:51:09.434479973
> +0100
> @@ -0,0 +1,28 @@
> +/* PR sanitizer/108777 */
> +/* { dg-do compile } */
> +/* { dg-options "-O2 -fno-sanitize=all -fsanitize=kernel-address --param
> asan-kernel-mem-intrinsic-prefix=1" } */
> +/* { dg-final { scan-assembler-not "__asan_memcpy" } } */
> +/* { dg-final { scan-assembler-not "__asan_memset" } } */
> +/* { dg-final { scan-assembler-not "__asan_memmove" } } */
> +
> +extern void *memcpy (void *, const void *, __SIZE_TYPE__);
> +extern void *memmove (void *, const void *, __SIZE_TYPE__);
> +extern void *memset (void *, int, __SIZE_TYPE__);
> +
> +__attribute__((no_sanitize("kernel-address"))) void
> +foo (void *p, void *q, int s)
> +{
> + memcpy (p, q, s);
> +}
> +
> +__attribute__((no_sanitize("kernel-address"))) void
> +bar (void *p, void *q, int s)
> +{
> + memmove (p, q, s);
> +}
> +
> +__attribute__((no_sanitize("kernel-address"))) void
> +baz (void *p, int c, int s)
> +{
> + memset (p, c, s);
> +}
> --- gcc/testsuite/gcc.dg/asan/pr108777-4.c.jj 2023-02-13 17:49:33.985847114
> +0100
> +++ gcc/testsuite/gcc.dg/asan/pr108777-4.c 2023-02-13 17:51:09.434479973
> +0100
> @@ -0,0 +1,24 @@
> +/* PR sanitizer/108777 */
> +/* { dg-do compile } */
> +/* { dg-options "-O2 -fno-sanitize=all -fsanitize=kernel-address --param
> asan-kernel-mem-intrinsic-prefix=1" } */
> +/* { dg-final { scan-assembler-not "__asan_memcpy" } } */
> +/* { dg-final { scan-assembler-not "__asan_memset" } } */
> +/* { dg-final { scan-assembler-not "__asan_memmove" } } */
> +
> +__attribute__((no_sanitize("kernel-address"))) void
> +foo (void *p, void *q, int s)
> +{
> + __builtin_memcpy (p, q, s);
> +}
> +
> +__attribute__((no_sanitize("kernel-address"))) void
> +bar (void *p, void *q, int s)
> +{
> + __builtin_memmove (p, q, s);
> +}
> +
> +__attribute__((no_sanitize("kernel-address"))) void
> +baz (void *p, int c, int s)
> +{
> + __builtin_memset (p, c, s);
> +}
> --- gcc/testsuite/gcc.dg/asan/pr108777-5.c.jj 2023-02-13 17:49:37.195801146
> +0100
> +++ gcc/testsuite/gcc.dg/asan/pr108777-5.c 2023-02-13 17:51:09.434479973
> +0100
> @@ -0,0 +1,28 @@
> +/* PR sanitizer/108777 */
> +/* { dg-do compile } */
> +/* { dg-options "-O2 -fno-sanitize=all -fsanitize=kernel-address" } */
> +/* { dg-final { scan-assembler-not "__asan_memcpy" } } */
> +/* { dg-final { scan-assembler-not "__asan_memset" } } */
> +/* { dg-final { scan-assembler-not "__asan_memmove" } } */
> +
> +extern void *memcpy (void *, const void *, __SIZE_TYPE__);
> +extern void *memmove (void *, const void *, __SIZE_TYPE__);
> +extern void *memset (void *, int, __SIZE_TYPE__);
> +
> +void
> +foo (void *p, void *q, int s)
> +{
> + memcpy (p, q, s);
> +}
> +
> +void
> +bar (void *p, void *q, int s)
> +{
> + memmove (p, q, s);
> +}
> +
> +void
> +baz (void *p, int c, int s)
> +{
> + memset (p, c, s);
> +}
> --- gcc/testsuite/gcc.dg/asan/pr108777-6.c.jj 2023-02-13 17:49:40.282756931
> +0100
> +++ gcc/testsuite/gcc.dg/asan/pr108777-6.c 2023-02-13 17:51:09.434479973
> +0100
> @@ -0,0 +1,24 @@
> +/* PR sanitizer/108777 */
> +/* { dg-do compile } */
> +/* { dg-options "-O2 -fno-sanitize=all -fsanitize=kernel-address" } */
> +/* { dg-final { scan-assembler-not "__asan_memcpy" } } */
> +/* { dg-final { scan-assembler-not "__asan_memset" } } */
> +/* { dg-final { scan-assembler-not "__asan_memmove" } } */
> +
> +void
> +foo (void *p, void *q, int s)
> +{
> + __builtin_memcpy (p, q, s);
> +}
> +
> +void
> +bar (void *p, void *q, int s)
> +{
> + __builtin_memmove (p, q, s);
> +}
> +
> +void
> +baz (void *p, int c, int s)
> +{
> + __builtin_memset (p, c, s);
> +}
> --- gcc/testsuite/gcc.dg/completion-3.c.jj 2020-01-14 20:02:47.249602853
> +0100
> +++ gcc/testsuite/gcc.dg/completion-3.c 2023-02-14 09:39:44.613203143
> +0100
> @@ -7,6 +7,7 @@
> --param=asan-instrument-reads=
> --param=asan-instrument-writes=
> --param=asan-instrumentation-with-call-threshold=
> +--param=asan-kernel-mem-intrinsic-prefix=
> --param=asan-memintrin=
> --param=asan-stack=
> --param=asan-use-after-return=
>
> Jakub
>
>
--
Richard Biener <rguent...@suse.de>
SUSE Software Solutions Germany GmbH, Frankenstrasse 146, 90461 Nuernberg,
Germany; GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman;
HRB 36809 (AG Nuernberg)
