Commit graph

42 commits

Author SHA1 Message Date
Peter Collingbourne
5d3aa86cd1 Add an API for per-process disabling memory initialization.
Introduce an android_mallopt(M_DISABLE_MEMORY_MITIGATIONS) API call
that may be used to disable zero- or pattern-init on non-MTE hardware,
or memory tagging on MTE hardware. The intent is that this function
may be called at any time, including when there are multiple threads
running.

Disabling zero- or pattern-init is quite trivial, we just need to set
a global variable to 0 via a Scudo API call (although there will be
some separate work required on the Scudo side to make this operation
thread-safe).

It is a bit more tricky to disable MTE across a process, because
the kernel does not provide an API for disabling tag checking in all
threads in a process, only per-thread. We need to send a signal to each
of the process's threads with a handler that issues the required prctl
call, and lock thread creation for the duration of the API call to
avoid races between thread enumeration and calls to pthread_create().

Bug: 135772972
Change-Id: I81ece86ace916eb6b435ab516cd431ec4b48a3bf
2020-10-08 14:02:36 -07:00
Vy Nguyen
d500751443 Add a thread-properties API
(Based on proposal at https://sourceware.org/glibc/wiki/ThreadPropertiesAPI)

This includes API to:
 - locate static and dynamic TLS
 - register thread-exit and  dynamic TLS creation/destruction callbacks

Change-Id: Icd9d29a5b2f47495395645e19d3b2c96826f19c8
2020-08-11 16:51:43 +00:00
Ryan Prichard
16455b5100 Implement dynamic TLS accesses and allocation
Initialize a thread's DTV to an empty zeroed DTV. Allocate the DTV and
any ELF module's TLS segment on-demand in __tls_get_addr. Use a generation
counter, incremented in the linker, to signal when threads should
update/reallocate their DTV objects.

A generation count of 0 always indicates the constant zero DTV.

Once a DTV is allocated, it isn't freed until the thread exits, because
a signal handler could interrupt the fast path of __tls_get_addr between
accessing the DTV slot and reading a field of the DTV. Bionic keeps a
linked list of DTV objects so it can free them at thread-exit.

Dynamic TLS memory is allocated using a BionicAllocator instance in
libc_shared_globals. For async-signal safety, access to the
linker/libc-shared state is protected by first blocking signals, then by
acquiring the reader-writer lock, TlsModules::rwlock. A write lock is
needed to allocate or free memory.

In pthread_exit, unconditionally block signals before freeing dynamic
TLS memory or freeing the shadow call stack.

ndk_cruft.cpp: Avoid including pthread_internal.h inside an extern "C".
(The header now includes a C++ template that doesn't compile inside
extern "C".)

Bug: http://b/78026329
Bug: http://b/123094171
Test: bionic unit tests
Change-Id: I3c9b12921c9e68b33dcc1d1dd276bff364eff5d7
2019-01-25 17:53:01 -08:00
Ryan Prichard
45d1349c63 Reorganize static TLS memory for ELF TLS
For ELF TLS "local-exec" accesses, the static linker assumes that an
executable's TLS segment is located at a statically-known offset from the
thread pointer (i.e. "variant 1" for ARM and "variant 2" for x86).
Because these layouts are incompatible, Bionic generally needs to allocate
its TLS slots differently between different architectures.

To allow per-architecture TLS slots:
 - Replace the TLS_SLOT_xxx enumerators with macros. New ARM slots are
   generally negative, while new x86 slots are generally positive.
 - Define a bionic_tcb struct that provides two things:
    - a void* raw_slots_storage[BIONIC_TLS_SLOTS] field
    - an inline accessor function: void*& tls_slot(size_t tpindex);

For ELF TLS, it's necessary to allocate a temporary TCB (i.e. TLS slots),
because the runtime linker doesn't know how large the static TLS area is
until after it has loaded all of the initial solibs.

To accommodate Golang, it's necessary to allocate the pthread keys at a
fixed, small, positive offset from the thread pointer.

This CL moves the pthread keys into bionic_tls, then allocates a single
mapping per thread that looks like so:
 - stack guard
 - stack [omitted for main thread and with pthread_attr_setstack]
 - static TLS:
    - bionic_tcb [exec TLS will either precede or succeed the TCB]
    - bionic_tls [prefixed by the pthread keys]
    - [solib TLS segments will be placed here]
 - guard page

As before, if the new mapping includes a stack, the pthread_internal_t
is allocated on it.

At startup, Bionic allocates a temporary bionic_tcb object on the stack,
then allocates a temporary bionic_tls object using mmap. This mmap is
delayed because the linker can't currently call async_safe_fatal() before
relocating itself.

Later, Bionic allocates a stack-less thread mapping for the main thread,
and copies slots from the temporary TCB to the new TCB.
(See *::copy_from_bootstrap methods.)

Bug: http://b/78026329
Test: bionic unit tests
Test: verify that a Golang app still works
Test: verify that a Golang app crashes if bionic_{tls,tcb} are swapped
Merged-In: I6543063752f4ec8ef6dc9c7f2a06ce2a18fc5af3
Change-Id: I6543063752f4ec8ef6dc9c7f2a06ce2a18fc5af3
(cherry picked from commit 1e660b70da)
2019-01-11 15:34:22 -08:00
Peter Collingbourne
734beec3d4 Allocate a small guard region around the shadow call stack.
This lets us do two things:

1) Make setjmp and longjmp compatible with shadow call stack.
   To avoid leaking the shadow call stack address into memory, only the
   lower log2(SCS_SIZE) bits of x18 are stored to jmp_buf. This requires
   allocating an additional guard page so that we're guaranteed to be
   able to allocate a sufficiently aligned SCS.

2) SCS overflow detection. Overflows now result in a SIGSEGV instead
   of corrupting the allocation that comes after it.

Change-Id: I04d6634f96162bf625684672a87fba8b402b7fd1
Test: bionic-unit-tests
2018-11-16 14:37:08 -08:00
Peter Collingbourne
da772e2113 bionic: Allocate a shadow call stack for each thread.
Instead of allocating the stack within a 16MB guard region as we
were doing before, just allocate the stack on its own. This isn't
as secure as with the guard region (since it means that an attacker
who can read the pthread_internal_t can determine the address of the
SCS), but it will at least allow us to discover more blockers until
a solution to b/118642754 is decided on.

Bug: 112907825
Bug: 118642754
Change-Id: Ibe5dffbad1b4700eaa0e24177eea792e7c329a61
2018-11-12 20:04:40 -08:00
Peter Collingbourne
7b13dd918e Revert "bionic: Allocate a shadow call stack for each thread."
This reverts commit da1bc79f93.

Reason for revert: Caused OOM in media process

Bug: 112907825
Bug: 118593766
Change-Id: I545663871d75889b209b9fd2131cdaa97166478f
2018-10-29 21:48:59 +00:00
Peter Collingbourne
da1bc79f93 bionic: Allocate a shadow call stack for each thread.
Bug: 112907825
Change-Id: I7c1479a0cd68696739bf6aa5e0700ba4f2a137ec
Merged-In: I7c1479a0cd68696739bf6aa5e0700ba4f2a137ec
2018-10-29 19:55:18 +00:00
Evgenii Stepanov
be551f596f HWASan support in bionic.
* Allow sanitization of libc (excluding existing global sanitizers)
  and disallow sanitization of linker. The latter has not been
  necessary before because HWASan is the first sanitizer to support
  static binaries (with the exception of CFI, which is not used
  globally).
* Static binary startup: initialize HWASan shadow very early so that
  almost entire libc can be sanitized. The rest of initialization is
  done in a global constructor; until that is done sanitized code can
  run but can't report errors (will simply crash with SIGTRAP).
* Switch malloc_common from je_*  to __sanitizer_*.
* Call hwasan functions when entering and leaving threads. We can not
  intercept pthread_create when libc depends on libclang_rt.hwasan.
  An alternative to this would be a callback interface like requested
  here:
    https://sourceware.org/glibc/wiki/ThreadPropertiesAPI

All of the above is behind a compile-time check
__has_feature(hwaddress_sanitizer). This means that HWASan actually
requires libc to be instrumented, and would not work otherwise. It's
an implementation choice that greatly reduces complexity of the tool.
Instrumented libc also guarantees that hwasan is present and
initialized in every process, which allows piecemeal sanitization
(i.e. library w/o main executable, or even individual static
libraries), unlike ASan.

Change-Id: If44c46b79b15049d1745ba46ec910ae4f355d19c
2018-08-21 00:15:47 +00:00
Yi Kong
32bc0fcf69 Modernize codebase by replacing NULL with nullptr
Fixes -Wzero-as-null-pointer-constant warning.

Test: m
Bug: 68236239
Change-Id: I5b4123bc6709641315120a191e36cc57541349b2
2018-08-02 18:09:44 -07:00
Elliott Hughes
4b1c6e7385 Better handling of sigset_t on LP32.
The main motivation here is that the sigprocmask in pthread_exit wasn't
actually blocking the real-time signals, and debuggerd (amongst other
things) is using them. I wasn't able to write a test that actually won
that race but I did write an equivalent one for posix_spawn.

This also fixes all the uses of sigset_t where the sigset_t isn't
exposed to the outside (which we can't easily fix because it would be
an ABI change).

Bug: https://issuetracker.google.com/72291624
Test: ran tests
Change-Id: Ib6eebebc5a7b0150079f1cb79593247917dcf750
2018-01-26 13:04:57 -08:00
dimitry
fa432524a6 Mark __BIONIC_WEAK_FOR_NATIVE_BRIDGE symbols
To make it easier for Native Bridge implementations
to override these symbols.

Bug: http://b/67993967
Test: make
Change-Id: I4c53e53af494bca365dd2b3305ab0ccc2b23ba44
2017-10-27 10:01:46 +02:00
Elliott Hughes
d6c678ca90 Support larger guard regions.
This also fixes a long-standing bug where the guard region would be taken
out of the stack itself, rather than being -- as POSIX demands -- additional
space after the stack. Historically a 128KiB stack with a 256KiB guard would
have given you an immediate crash.

Bug: http://b/38413813
Test: builds, boots
Change-Id: Idd12a3899be1d92fea3d3e0fa6882ca2216bd79c
2017-09-18 16:09:43 -07:00
Josh Gao
5450f86b31 Fix leak of bionic TLS when threads are detached.
__pthread_internal_free doesn't happen on threads that are detached,
causing the bionic TLS allocation (and guard pages) to be leaked.

Fix the leak, and name the allocations to make things apparent if this
ever happens again.

Bug: http://b/36045112
Test: manually ran a program that detached empty threads
Change-Id: Id1c7852b7384474244f7bf5a0f7da54ff962e0a1
2017-03-07 23:24:50 -08:00
Elliott Hughes
7484c21c4c Revert "Remove the global thread list."
This reverts commit b0e8c565a6.

Breaks swiftshader (http:/b/34883464).

Change-Id: I7b21193ba8a78f07d7ac65e41d0fe8516940a83b
2017-02-02 02:41:38 +00:00
Elliott Hughes
b0e8c565a6 Remove the global thread list.
Another release, another attempt to fix this bug.

This change affects pthread_detach, pthread_getcpuclockid,
pthread_getschedparam/pthread_setschedparam, pthread_join, and pthread_kill:
instead of returning ESRCH when passed an invalid pthread_t, they'll now SEGV.

Note that this doesn't change behavior as much as you might think: the old
lookup only held the global thread list lock for the duration of the lookup,
so there was still a race between that and the dereference in the caller,
given that callers actually need the tid to pass to some syscall or other,
and sometimes update fields in the pthread_internal_t struct too.

We can't check thread->tid against 0 to see whether a pthread_t is still
valid because a dead thread gets its thread struct unmapped along with its
stack, so the dereference isn't safe.

Taking the affected functions one by one:

* pthread_getcpuclockid and pthread_getschedparam/pthread_setschedparam
  should be fine. Unsafe calls to those seem highly unlikely.

* Unsafe pthread_detach callers probably want to switch to
  pthread_attr_setdetachstate instead, or using pthread_detach(pthread_self())
  from the new thread's start routine rather than doing the detach in the
  parent.

* pthread_join calls should be safe anyway, because a joinable thread won't
  actually exit and unmap until it's joined. If you're joining an
  unjoinable thread, the fix is to stop marking it detached. If you're
  joining an already-joined thread, you need to rethink your design.

* Unsafe pthread_kill calls aren't portably fixable. (And are obviously
  inherently non-portable as-is.) The best alternative on Android is to
  use pthread_gettid_np at some point that you know the thread to be alive,
  and then call kill/tgkill directly. That's still not completely safe
  because if you're too late, the tid may have been reused, but then your
  code is inherently unsafe anyway.

If we find too much code is still broken, we can come back and disable
the global thread list lookups for anything targeting >= O and then have
another go at really removing this in P...

Bug: http://b/19636317
Test: N6P boots, bionic tests pass
Change-Id: Ia92641212f509344b99ee2a9bfab5383147fcba6
2017-01-07 14:16:46 -08:00
Elliott Hughes
f86c4494ff If you're going to use memset...
...you'd better #include <string.h>.

Change-Id: I83e0877f4151fc764588e2d876e66d7712d41f61
2016-02-25 22:05:28 -08:00
Elliott Hughes
2c6c95348c GCC doesn't like {}, and clang doesn't like {0}...
...so memset it is, then.

I'll be glad when GCC is dead and we can use "= {}" like it's the 21st century.

Change-Id: I28d820d3926ac9bf44bf7c1e89e184726c840391
2016-02-25 21:51:50 -08:00
Anton Kirilov
6bd5cf60fa Fix a structure initialisation in pthread_exit().
The purpose of this change is to silence Valgrind's warning about a
syscall parameter pointing to uninitialised bytes.

Change-Id: I2737235f9ac288dbc8ec4be0c6f1cef181c9b7d7
2016-02-25 20:49:15 -08:00
Yabin Cui
ef11500301 Revert "Revert "add guard pages to the internal signal stacks""
This reverts commit a3125fd139.
And Fix the prctl() problem that cause system crash.

Change-Id: Icc8d12d848cfba881a7984ca2827fd81be41f9fd
2015-03-30 20:51:39 -07:00
Elliott Hughes
a3125fd139 Revert "add guard pages to the internal signal stacks"
This reverts commit 595752f623.

Change-Id: Iefa66e9049ca0424e53cd5fc320d161b93556dcb
2015-03-31 02:42:39 +00:00
Daniel Micay
595752f623 add guard pages to the internal signal stacks
Signal handlers tend to be lean, but can still overflow the (tiny)
stack.

Change-Id: Ia21c6453d92a9f8d1536ad01ff26a1a84c05f8fb
2015-03-30 17:13:20 -04:00
Dmitriy Ivanov
df79c330d8 Initial implementation of __cxa_thread_atexit_impl
This is initial implementations; does not yet handle
  dlclose - undefined behavior, needs linker support to
  handle it right.

Bug: 19800080
Bug: 16696563
Change-Id: I7a3e21ed7f7ec01e62ea1b7cb2ab253590ea0686
2015-03-25 18:07:59 -07:00
Yabin Cui
673b15e4ee Let g_thread_list_lock only protect g_thread_list.
As glibc/netbsd don't protect access to thread struct members by a global
lock, we don't want to do it either. This change reduces the
responsibility of g_thread_list_lock to only protect g_thread_list.

Bug: 19636317
Change-Id: I897890710653dac165d8fa4452c7ecf74abdbf2b
2015-03-23 19:03:49 -07:00
Yabin Cui
58cf31b506 Make pthread join_state not protected by g_thread_list_lock.
1. Move the representation of thread join_state from pthread.attr.flag
   to pthread.join_state. This clarifies thread state change.
2. Use atomic operations for pthread.join_state. So we don't need to
   protect it by g_thread_list_lock. g_thread_list_lock will be reduced
   to only protect g_thread_list or even removed in further changes.

Bug: 19636317
Change-Id: I31fb143a7c69508c7287307dd3b0776993ec0f43
2015-03-12 21:39:49 -07:00
Yabin Cui
19e246dda6 Fix possible leak in pthread_detach.
If pthread_detach() is called while the thread is in pthread_exit(),
it takes the risk that no one can free the pthread_internal_t.
So I add PTHREAD_ATTR_FLAG_ZOMBIE to detect this, maybe very rare, but
both glibc and netbsd libpthread have similar function.

Change-Id: Iaa15f651903b8ca07aaa7bd4de46ff14a2f93835
2015-01-15 10:45:25 -08:00
Yabin Cui
ba8dfc2669 Remove PTHREAD_ATTR_FLAG_USER_ALLOCATED_STACK.
Patch for https://android-review.googlesource.com/#/c/120844/.

Change-Id: Idca5ccd7b28e8f07f1d2d1b6e3bba6781b62f0e0
2015-01-06 17:11:23 -08:00
Yabin Cui
6a7aaf4675 Reserve enough user request stack space in pthread_create.
Bug: 18830897
Change-Id: I1ba4aaeaf66a7ff99c5d82ad45469011171b0a3b
2015-01-02 14:33:48 -08:00
Yabin Cui
8cf1b30567 Use mmap to create the pthread_internal_t
Add name to mmaped regions.
Add pthread benchmark code.
Allocate pthread_internal_t on regular stack.

Bug: 16847284
Change-Id: Id60835163bb0d68092241f1a118015b5a8f85069
2014-12-19 16:05:29 -08:00
Yabin Cui
8574a0670b Use mmap to create the pthread_internal_t.
Bug: 16847284
Change-Id: I488fa236f57aa3acb29b4ffbbab2fab51b0653be
2014-12-02 10:39:25 -08:00
Nicolas Geoffray
5b8ceff5f8 Revert "Use mmap to create the pthread_internal_t."
Unfortunately, this change provokes random crashes for ART, and
I have seen libc crashes on the device that might be related to it.

Reverting it fixes the ART crashes. there is unfortunately no
stack trace for the crashes, but just a "Segmentation fault" message.


This reverts commit cc5f6543e3.

Change-Id: I68dca8e1e9b9edcce7eb84596e8db619e40e8052
2014-11-26 11:56:54 +00:00
Yabin Cui
cc5f6543e3 Use mmap to create the pthread_internal_t.
Bug: 16847284
Change-Id: Ic8c85f95afac1d8422ecb69674c688d1fecb6a44
2014-11-25 15:25:06 -08:00
Christopher Ferris
e380960813 Do a second key cleanup in pthread_exit.
During pthread_exit, the keys are cleaned. Unfortunately, a call to
free occurs after the cleanup and the memory for some of the keys
is recreated when using jemalloc. The solution is to do the key
cleanup twice.

Also, modify the pthread_detach__leak test to be less flaky
when run on a jemalloc system.

Bug: 16513133

(cherry picked from commit 18d93f2793)

Change-Id: Idb32e7f9b09e2c088d256ed9eb881df80c81ff8e
2014-08-06 17:57:04 -07:00
Elliott Hughes
40a5217448 Only wipe TLS for user-supplied stacks.
Bug: 16667988
Change-Id: Id180ab2bc6713e1612386120a306db5bbf1d6046
2014-07-30 14:49:40 -07:00
Elliott Hughes
6203e7b853 Add some missing __noreturn attributes.
This is more honest, and lets us remove a hack.

Change-Id: I309f064743ded5248573ccafc379f78d417db08d
2014-05-30 15:56:25 -07:00
Elliott Hughes
1728b23965 Switch to g_ for globals.
That's what the Google style guide recommends, and we're starting
to get a mix.

Change-Id: Ib0c53a890bb5deed5c679e887541a715faea91fc
2014-05-14 10:02:03 -07:00
Elliott Hughes
2aace21a19 Remove the bogus exit status from _exit_with_stack_teardown.
It should always be 0, and there's no reason to pass a constant in as
an argument.

Change-Id: I92ac59b718a18e298bd7c52821af447f9181ca2a
2013-12-21 15:30:49 -08:00
Elliott Hughes
960ee37f2a Clarify a comment.
Change-Id: Iad2e33fb059170f808023ce3d17e9b8c13191f42
2013-12-11 12:41:54 -08:00
Christopher Ferris
101fb7d963 Do not clear tids on detached threads.
Make sure that the kernel isn't going to try and clear the tid of
freed memory.

Bug: 11963327
Change-Id: I95d02340bfbe92f56036d2cc58dbf0e3079eb7c3
2013-12-06 23:00:44 -08:00
Elliott Hughes
877ec6d904 Fix pthread_join.
Let the kernel keep pthread_internal_t::tid updated, including
across forks and for the main thread. This then lets us fix
pthread_join to only return after the thread has really exited.

Also fix the thread attributes of the main thread so we don't
unmap the main thread's stack (which is really owned by the
dynamic linker and contains things like environment variables),
which fixes crashes when joining with an exited main thread
and also fixes problems reported publicly with accessing environment
variables after the main thread exits (for which I've added a new
unit test).

In passing I also fixed a bug where if the clone(2) inside
pthread_create(3) fails, we'd unmap the child's stack and TLS (which
contains the mutex) and then try to unlock the mutex. Boom! It wasn't
until after I'd uploaded the fix for this that I came across a new
public bug reporting this exact failure.

Bug: 8206355
Bug: 11693195
Bug: https://code.google.com/p/android/issues/detail?id=57421
Bug: https://code.google.com/p/android/issues/detail?id=62392
Change-Id: I2af9cf6e8ae510a67256ad93cad891794ed0580b
2013-11-18 19:48:11 -08:00
Elliott Hughes
61fb3fc770 Prepare to switch to the uapi <linux/signal.h>.
<time.h> didn't need to copy the cruft from <signal.h>, and
<signal.h> only needs the uid_t hack when it's not using
uapi headers.

pthread_exit.cpp should include what it uses.

Change-Id: I836c36abe0f0a781d41fc425b249d1c7686bb124
2013-11-07 12:29:07 -08:00
Elliott Hughes
c3f114037d <pthread.h> fixes and pthread cleanup.
<pthread.h> was missing nonnull attributes, noreturn on pthread_exit,
and had incorrect cv qualifiers for several standard functions.

I've also marked the non-standard stuff (where I count glibc rather
than POSIX as "standard") so we can revisit this cruft for LP64 and
try to ensure we're compatible with glibc.

I've also broken out the pthread_cond* functions into a new file.

I've made the remaining pthread files (plus ptrace) part of the bionic code
and fixed all the warnings.

I've added a few more smoke tests for chunks of untested pthread functionality.

We no longer need the libc_static_common_src_files hack for any of the
pthread implementation because we long since stripped out the rest of
the armv5 support, and this hack was just to ensure that __get_tls in libc.a
went via the kernel if necessary.

This patch also finishes the job of breaking up the pthread.c monolith, and
adds a handful of new tests.

Change-Id: Idc0ae7f5d8aa65989598acd4c01a874fe21582c7
2013-10-31 12:31:16 -07:00