1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
|
/*
* Copyright (c) 2019-2021, Andrew Kaster <akaster@serenityos.org>
*
* SPDX-License-Identifier: BSD-2-Clause
*/
#include <AK/Bitmap.h>
#include <AK/Checked.h>
#include <AK/Debug.h>
#include <AK/Format.h>
#include <AK/NeverDestroyed.h>
#include <LibC/bits/pthread_integration.h>
#include <LibC/mallocdefs.h>
#include <assert.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/internals.h>
#include <sys/mman.h>
#include <unistd.h>
extern "C" {
struct AtExitEntry {
AtExitFunction method { nullptr };
void* parameter { nullptr };
void* dso_handle { nullptr };
};
// We'll re-allocate the region if it ends up being too small at runtime.
// Invariant: atexit_entry_region_capacity * sizeof(AtExitEntry) does not overflow.
static size_t atexit_entry_region_capacity = PAGE_SIZE / sizeof(AtExitEntry);
static size_t atexit_region_bytes(size_t capacity = atexit_entry_region_capacity)
{
return PAGE_ROUND_UP(capacity * sizeof(AtExitEntry));
}
static size_t atexit_next_capacity()
{
size_t original_num_bytes = atexit_region_bytes();
VERIFY(!Checked<size_t>::addition_would_overflow(original_num_bytes, PAGE_SIZE));
return (original_num_bytes + PAGE_SIZE) / sizeof(AtExitEntry);
}
static AtExitEntry* atexit_entries;
static size_t atexit_entry_count = 0;
static pthread_mutex_t atexit_mutex = __PTHREAD_MUTEX_INITIALIZER;
// The C++ compiler automagically registers the destructor of this object with __cxa_atexit.
// However, we can't control the order in which these destructors are run, so we might still want to access this data after the registered entry.
// Hence, we will call the destructor manually, when we know it is safe to do so.
static NeverDestroyed<Bitmap> atexit_called_entries;
// During startup, it is sufficiently unlikely that the attacker can exploit any write primitive.
// We use this to avoid unnecessary syscalls to mprotect.
static bool atexit_region_should_lock = false;
static void lock_atexit_handlers()
{
if (atexit_region_should_lock && mprotect(atexit_entries, atexit_region_bytes(), PROT_READ) < 0) {
perror("lock_atexit_handlers");
_exit(1);
}
}
static void unlock_atexit_handlers()
{
if (atexit_region_should_lock && mprotect(atexit_entries, atexit_region_bytes(), PROT_READ | PROT_WRITE) < 0) {
perror("unlock_atexit_handlers");
_exit(1);
}
}
void __begin_atexit_locking()
{
atexit_region_should_lock = true;
lock_atexit_handlers();
}
int __cxa_atexit(AtExitFunction exit_function, void* parameter, void* dso_handle)
{
pthread_mutex_lock(&atexit_mutex);
// allocate initial atexit region
if (!atexit_entries) {
atexit_entries = (AtExitEntry*)mmap(nullptr, atexit_region_bytes(), PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
if (atexit_entries == MAP_FAILED) {
pthread_mutex_unlock(&atexit_mutex);
perror("__cxa_atexit mmap");
_exit(1);
}
}
// reallocate atexit region, increasing size by PAGE_SIZE
if (atexit_entry_count >= atexit_entry_region_capacity) {
size_t new_capacity = atexit_next_capacity();
size_t new_atexit_region_size = atexit_region_bytes(new_capacity);
dbgln_if(GLOBAL_DTORS_DEBUG, "__cxa_atexit: Growing exit handler region from {} entries to {} entries", atexit_entry_region_capacity, new_capacity);
auto* new_atexit_entries = (AtExitEntry*)mmap(nullptr, new_atexit_region_size, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
if (new_atexit_entries == MAP_FAILED) {
pthread_mutex_unlock(&atexit_mutex);
perror("__cxa_atexit mmap (new size)");
return -1;
}
// Note: We must make sure to only copy initialized entries, as even touching uninitialized bytes will trigger UBSan.
memcpy(new_atexit_entries, atexit_entries, atexit_entry_count * sizeof(AtExitEntry));
if (munmap(atexit_entries, atexit_region_bytes()) < 0) {
perror("__cxa_atexit munmap old region");
// leak the old region on failure
}
atexit_entries = new_atexit_entries;
atexit_entry_region_capacity = new_capacity;
}
unlock_atexit_handlers();
atexit_entries[atexit_entry_count++] = { exit_function, parameter, dso_handle };
lock_atexit_handlers();
pthread_mutex_unlock(&atexit_mutex);
return 0;
}
void __cxa_finalize(void* dso_handle)
{
// From the itanium abi, https://itanium-cxx-abi.github.io/cxx-abi/abi.html#dso-dtor-runtime-api
//
// When __cxa_finalize(d) is called, it should walk the termination function list, calling each in turn
// if d matches __dso_handle for the termination function entry. If d == NULL, it should call all of them.
// Multiple calls to __cxa_finalize shall not result in calling termination function entries multiple times;
// the implementation may either remove entries or mark them finished.
pthread_mutex_lock(&atexit_mutex);
if (atexit_entry_count > atexit_called_entries->size())
atexit_called_entries->grow(atexit_entry_count, false);
ssize_t entry_index = atexit_entry_count;
dbgln_if(GLOBAL_DTORS_DEBUG, "__cxa_finalize: {} entries in the finalizer list", entry_index);
while (--entry_index >= 0) {
auto& exit_entry = atexit_entries[entry_index];
bool needs_calling = !atexit_called_entries->get(entry_index) && (!dso_handle || dso_handle == exit_entry.dso_handle);
if (needs_calling) {
dbgln_if(GLOBAL_DTORS_DEBUG, "__cxa_finalize: calling entry[{}] {:p}({:p}) dso: {:p}", entry_index, exit_entry.method, exit_entry.parameter, exit_entry.dso_handle);
atexit_called_entries->set(entry_index, true);
pthread_mutex_unlock(&atexit_mutex);
exit_entry.method(exit_entry.parameter);
pthread_mutex_lock(&atexit_mutex);
}
}
pthread_mutex_unlock(&atexit_mutex);
}
__attribute__((noreturn)) void __cxa_pure_virtual()
{
VERIFY_NOT_REACHED();
}
} // extern "C"
|