buflib: add paranoia checks for handles

Handle checks ensure that the data in the handle table points within buflib memory and checks handle entry pointers in block headers before dereferencing them. Change-Id: Ic16f1b81c1a0ea63c0e7f48d87938293b75c2419
author: Aidan MacDonald <amachronic@protonmail.com> 2022-03-30 17:39:32 +0100
committer: Aidan MacDonald <amachronic@protonmail.com> 2022-09-19 15:09:51 -0400
commit: f82f3044a7fc0fd31e824f29ce3b48377fb80af4 (patch)
tree: 5eef3364240166883d2cf636824c319557fafd2d /firmware/buflib.c
parent: 73b9b227eb35696e061b1c8edd0d4e2a935eb3b7 (diff)
download: rockbox-f82f3044a7fc0fd31e824f29ce3b48377fb80af4.tar.gz
rockbox-f82f3044a7fc0fd31e824f29ce3b48377fb80af4.zip
1 files changed, 105 insertions, 18 deletions
diff --git a/firmware/buflib.c b/firmware/buflib.c
index 6ffe9335a7..6734f21036 100644
--- a/firmware/buflib.c
+++ b/firmware/buflib.c
@@ -98,7 +98,9 @@
 #define BPANICF panicf
 /* Available paranoia checks */
-#define PARANOIA_CHECK_LENGTH   (1 << 0)
+#define PARANOIA_CHECK_LENGTH       (1 << 0)
+#define PARANOIA_CHECK_HANDLE       (1 << 1)
+#define PARANOIA_CHECK_BLOCK_HANDLE (1 << 2)
 /* Bitmask of enabled paranoia checks */
 #define BUFLIB_PARANOIA 0
@@ -143,6 +145,26 @@ static union buflib_data* find_block_before(struct buflib_context *ctx,
 static void check_block_length(struct buflib_context *ctx,
                               union buflib_data *block);
+/* Check a handle table entry to ensure the user pointer is within the
+ * bounds of the allocated area and there is enough room for a minimum
+ * size block header.
+ *
+ * This verifies that it is safe to convert the entry's pointer to a
+ * block end pointer and dereference fields at the block end.
+ */
+static void check_handle(struct buflib_context *ctx,
+                         union buflib_data *h_entry);
+/* Check a block's handle pointer to ensure it is within the handle
+ * table, and that the user pointer is pointing within the block.
+ *
+ * This verifies that it is safe to dereference the entry, in addition
+ * to all checks performed by check_handle(). It also ensures that the
+ * pointer in the handle table points within the block, as determined
+ * by the length field at the start of the block.
+ */
+static void check_block_handle(struct buflib_context *ctx,
+                               union buflib_data *block);
 /* Initialize buffer manager */
 void
@@ -271,15 +293,28 @@ void handle_free(struct buflib_context *ctx, union buflib_data *handle)
 static inline
 union buflib_data* handle_to_block(struct buflib_context* ctx, int handle)
 {
-    union buflib_data *data = ALIGN_DOWN(buflib_get_data(ctx, handle), sizeof (*data));
+    void *ptr = buflib_get_data(ctx, handle);
-    /* this is a valid case, e.g. during buflib_alloc_ex() when the handle
-     * has already been allocated but not the data */
+    /* this is a valid case for shrinking if handle
-    if (!data)
+     * was freed by the shrink callback */
+    if (!ptr)
        return NULL;
+    union buflib_data *data = ALIGN_DOWN(ptr, sizeof(*data));
    return data - data[-bidx_BSIZE].val;
 }
+/* Get the block end pointer from a handle table entry */
+static union buflib_data*
+h_entry_to_block_end(struct buflib_context *ctx, union buflib_data *h_entry)
+{
+    check_handle(ctx, h_entry);
+    void *alloc = h_entry->alloc;
+    union buflib_data *data = ALIGN_DOWN(alloc, sizeof(*data));
+    return data;
+}
 /* Shrink the handle table, returning true if its size was reduced, false if
 * not
 */
@@ -299,13 +334,6 @@ static inline bool handle_table_shrink(struct buflib_context *ctx)
    return handle != old_last;
 }
-static inline
-union buflib_data* userpointer_to_block_end(void *userpointer)
-{
-    union buflib_data *data = ALIGN_DOWN(userpointer, sizeof(*data));
-    return data;
-}
 static uint32_t calc_block_crc(union buflib_data *block,
                               union buflib_data *block_end)
 {
@@ -327,11 +355,9 @@ move_block(struct buflib_context* ctx, union buflib_data* block, int shift)
    char* new_start;
    union buflib_data *new_block;
-    if (block < ctx->buf_start || block > ctx->alloc_end)
+    check_block_handle(ctx, block);
-        buflib_panic(ctx, "buflib data corrupted %p", block);
    union buflib_data *h_entry = block[fidx_HANDLE].handle;
-    union buflib_data *block_end = userpointer_to_block_end(h_entry->alloc);
+    union buflib_data *block_end = h_entry_to_block_end(ctx, h_entry);
    uint32_t crc = calc_block_crc(block, block_end);
    if (crc != block_end[-bidx_CRC].crc)
@@ -481,6 +507,7 @@ buflib_compact_and_shrink(struct buflib_context *ctx, unsigned shrink_hints)
            if (!ops || !ops->shrink_callback)
                continue;
+            check_block_handle(ctx, this);
            union buflib_data* h_entry = this[fidx_HANDLE].handle;
            int handle = ctx->handle_table - h_entry;
@@ -949,6 +976,7 @@ buflib_shrink(struct buflib_context* ctx, int handle, void* new_start, size_t ne
    new_block = aligned_newstart - metadata_size.val;
    block[fidx_LEN].val = new_next_block - new_block;
+    check_block_handle(ctx, block);
    block[fidx_HANDLE].handle->alloc = newstart;
    if (block != new_block)
    {
@@ -971,7 +999,7 @@ buflib_shrink(struct buflib_context* ctx, int handle, void* new_start, size_t ne
    /* update crc of the metadata */
    union buflib_data *new_h_entry = new_block[fidx_HANDLE].handle;
-    union buflib_data *new_block_end = userpointer_to_block_end(new_h_entry->alloc);
+    union buflib_data *new_block_end = h_entry_to_block_end(ctx, new_h_entry);
    new_block_end[-bidx_CRC].crc = calc_block_crc(new_block, new_block_end);
    /* Now deal with size changes that create free blocks after the allocation */
@@ -1024,8 +1052,9 @@ void buflib_check_valid(struct buflib_context *ctx)
        if (block->val < 0)
            continue;
+        check_block_handle(ctx, block);
        union buflib_data *h_entry = block[fidx_HANDLE].handle;
-        union buflib_data *block_end = userpointer_to_block_end(h_entry->alloc);
+        union buflib_data *block_end = h_entry_to_block_end(ctx, h_entry);
        uint32_t crc = calc_block_crc(block, block_end);
        if (crc != block_end[-bidx_CRC].crc)
        {
@@ -1130,3 +1159,61 @@ static void check_block_length(struct buflib_context *ctx,
        }
    }
 }
+static void check_handle(struct buflib_context *ctx,
+                         union buflib_data *h_entry)
+{
+    if (BUFLIB_PARANOIA & PARANOIA_CHECK_HANDLE)
+    {
+        /* For the pointer to be valid there needs to be room for a minimum
+         * size block header, so we add BUFLIB_NUM_FIELDS to ctx->buf_start. */
+        void *alloc       = h_entry->alloc;
+        void *alloc_begin = ctx->buf_start + BUFLIB_NUM_FIELDS;
+        void *alloc_end   = ctx->alloc_end;
+        /* buflib allows zero length allocations, so alloc_end is inclusive */
+        if (alloc < alloc_begin || alloc > alloc_end)
+        {
+            buflib_panic(ctx, "alloc outside buf [%p]=%p, %p-%p",
+                         h_entry, alloc, alloc_begin, alloc_end);
+        }
+    }
+}
+static void check_block_handle(struct buflib_context *ctx,
+                               union buflib_data *block)
+{
+    if (BUFLIB_PARANOIA & PARANOIA_CHECK_BLOCK_HANDLE)
+    {
+        intptr_t length = block[fidx_LEN].val;
+        union buflib_data *h_entry = block[fidx_HANDLE].handle;
+        /* Check the handle pointer is properly aligned */
+        /* TODO: Can we ensure the compiler doesn't optimize this out?
+         * I dunno, maybe the compiler can assume the pointer is always
+         * properly aligned due to some C standard voodoo?? */
+        if (!IS_ALIGNED((uintptr_t)h_entry, alignof(*h_entry)))
+        {
+            buflib_panic(ctx, "handle unaligned [%p]=%p",
+                         &block[fidx_HANDLE], h_entry);
+        }
+        /* Check the pointer is actually inside the handle table */
+        if (h_entry < ctx->last_handle || h_entry >= ctx->handle_table)
+        {
+            buflib_panic(ctx, "handle out of bounds [%p]=%p",
+                         &block[fidx_HANDLE], h_entry);
+        }
+        /* Now check the allocation is within the block.
+         * This is stricter than check_handle(). */
+        void *alloc       = h_entry->alloc;
+        void *alloc_begin = block;
+        void *alloc_end   = block + length;
+        /* buflib allows zero length allocations, so alloc_end is inclusive */
+        if (alloc < alloc_begin || alloc > alloc_end)
+        {
+            buflib_panic(ctx, "alloc outside block [%p]=%p, %p-%p",
+                         h_entry, alloc, alloc_begin, alloc_end);
+        }
+    }
+}
author	Aidan MacDonald <amachronic@protonmail.com>	2022-03-30 17:39:32 +0100
committer	Aidan MacDonald <amachronic@protonmail.com>	2022-09-19 15:09:51 -0400
commit	f82f3044a7fc0fd31e824f29ce3b48377fb80af4 (patch)
tree	5eef3364240166883d2cf636824c319557fafd2d /firmware/buflib.c
parent	73b9b227eb35696e061b1c8edd0d4e2a935eb3b7 (diff)
download	rockbox-f82f3044a7fc0fd31e824f29ce3b48377fb80af4.tar.gz rockbox-f82f3044a7fc0fd31e824f29ce3b48377fb80af4.zip

diff --git a/firmware/buflib.c b/firmware/buflib.c index 6ffe9335a7..6734f21036 100644 --- a/firmware/buflib.c +++ b/firmware/buflib.c
@@ -98,7 +98,9 @@
98	#define BPANICF panicf	98	#define BPANICF panicf
99		99
100	/* Available paranoia checks */	100	/* Available paranoia checks */
101	#define PARANOIA_CHECK_LENGTH (1 << 0)	101	#define PARANOIA_CHECK_LENGTH (1 << 0)
		102	#define PARANOIA_CHECK_HANDLE (1 << 1)
		103	#define PARANOIA_CHECK_BLOCK_HANDLE (1 << 2)
102	/* Bitmask of enabled paranoia checks */	104	/* Bitmask of enabled paranoia checks */
103	#define BUFLIB_PARANOIA 0	105	#define BUFLIB_PARANOIA 0
104		106
@@ -143,6 +145,26 @@ static union buflib_data* find_block_before(struct buflib_context *ctx,
143	static void check_block_length(struct buflib_context *ctx,	145	static void check_block_length(struct buflib_context *ctx,
144	union buflib_data *block);	146	union buflib_data *block);
145		147
		148	/* Check a handle table entry to ensure the user pointer is within the
		149	* bounds of the allocated area and there is enough room for a minimum
		150	* size block header.
		151	*
		152	* This verifies that it is safe to convert the entry's pointer to a
		153	* block end pointer and dereference fields at the block end.
		154	*/
		155	static void check_handle(struct buflib_context *ctx,
		156	union buflib_data *h_entry);
		157
		158	/* Check a block's handle pointer to ensure it is within the handle
		159	* table, and that the user pointer is pointing within the block.
		160	*
		161	* This verifies that it is safe to dereference the entry, in addition
		162	* to all checks performed by check_handle(). It also ensures that the
		163	* pointer in the handle table points within the block, as determined
		164	* by the length field at the start of the block.
		165	*/
		166	static void check_block_handle(struct buflib_context *ctx,
		167	union buflib_data *block);
146		168
147	/* Initialize buffer manager */	169	/* Initialize buffer manager */
148	void	170	void
@@ -271,15 +293,28 @@ void handle_free(struct buflib_context ctx, union buflib_data handle)
271	static inline	293	static inline
272	union buflib_data* handle_to_block(struct buflib_context* ctx, int handle)	294	union buflib_data* handle_to_block(struct buflib_context* ctx, int handle)
273	{	295	{
274	union buflib_data data = ALIGN_DOWN(buflib_get_data(ctx, handle), sizeof (data));	296	void *ptr = buflib_get_data(ctx, handle);
275	/* this is a valid case, e.g. during buflib_alloc_ex() when the handle	297
276	* has already been allocated but not the data */	298	/* this is a valid case for shrinking if handle
277	if (!data)	299	* was freed by the shrink callback */
		300	if (!ptr)
278	return NULL;	301	return NULL;
279		302
		303	union buflib_data data = ALIGN_DOWN(ptr, sizeof(data));
280	return data - data[-bidx_BSIZE].val;	304	return data - data[-bidx_BSIZE].val;
281	}	305	}
282		306
		307	/* Get the block end pointer from a handle table entry */
		308	static union buflib_data*
		309	h_entry_to_block_end(struct buflib_context ctx, union buflib_data h_entry)
		310	{
		311	check_handle(ctx, h_entry);
		312
		313	void *alloc = h_entry->alloc;
		314	union buflib_data data = ALIGN_DOWN(alloc, sizeof(data));
		315	return data;
		316	}
		317
283	/* Shrink the handle table, returning true if its size was reduced, false if	318	/* Shrink the handle table, returning true if its size was reduced, false if
284	* not	319	* not
285	*/	320	*/
@@ -299,13 +334,6 @@ static inline bool handle_table_shrink(struct buflib_context *ctx)
299	return handle != old_last;	334	return handle != old_last;
300	}	335	}
301		336
302	static inline
303	union buflib_data* userpointer_to_block_end(void *userpointer)
304	{
305	union buflib_data data = ALIGN_DOWN(userpointer, sizeof(data));
306	return data;
307	}
308
309	static uint32_t calc_block_crc(union buflib_data *block,	337	static uint32_t calc_block_crc(union buflib_data *block,
310	union buflib_data *block_end)	338	union buflib_data *block_end)
311	{	339	{
@@ -327,11 +355,9 @@ move_block(struct buflib_context* ctx, union buflib_data* block, int shift)
327	char* new_start;	355	char* new_start;
328	union buflib_data *new_block;	356	union buflib_data *new_block;
329		357
330	if (block < ctx->buf_start \|\| block > ctx->alloc_end)	358	check_block_handle(ctx, block);
331	buflib_panic(ctx, "buflib data corrupted %p", block);
332
333	union buflib_data *h_entry = block[fidx_HANDLE].handle;	359	union buflib_data *h_entry = block[fidx_HANDLE].handle;
334	union buflib_data *block_end = userpointer_to_block_end(h_entry->alloc);	360	union buflib_data *block_end = h_entry_to_block_end(ctx, h_entry);
335		361
336	uint32_t crc = calc_block_crc(block, block_end);	362	uint32_t crc = calc_block_crc(block, block_end);
337	if (crc != block_end[-bidx_CRC].crc)	363	if (crc != block_end[-bidx_CRC].crc)
@@ -481,6 +507,7 @@ buflib_compact_and_shrink(struct buflib_context *ctx, unsigned shrink_hints)
481	if (!ops \|\| !ops->shrink_callback)	507	if (!ops \|\| !ops->shrink_callback)
482	continue;	508	continue;
483		509
		510	check_block_handle(ctx, this);
484	union buflib_data* h_entry = this[fidx_HANDLE].handle;	511	union buflib_data* h_entry = this[fidx_HANDLE].handle;
485	int handle = ctx->handle_table - h_entry;	512	int handle = ctx->handle_table - h_entry;
486		513
@@ -949,6 +976,7 @@ buflib_shrink(struct buflib_context* ctx, int handle, void* new_start, size_t ne
949	new_block = aligned_newstart - metadata_size.val;	976	new_block = aligned_newstart - metadata_size.val;
950	block[fidx_LEN].val = new_next_block - new_block;	977	block[fidx_LEN].val = new_next_block - new_block;
951		978
		979	check_block_handle(ctx, block);
952	block[fidx_HANDLE].handle->alloc = newstart;	980	block[fidx_HANDLE].handle->alloc = newstart;
953	if (block != new_block)	981	if (block != new_block)
954	{	982	{
@@ -971,7 +999,7 @@ buflib_shrink(struct buflib_context* ctx, int handle, void* new_start, size_t ne
971		999
972	/* update crc of the metadata */	1000	/* update crc of the metadata */
973	union buflib_data *new_h_entry = new_block[fidx_HANDLE].handle;	1001	union buflib_data *new_h_entry = new_block[fidx_HANDLE].handle;
974	union buflib_data *new_block_end = userpointer_to_block_end(new_h_entry->alloc);	1002	union buflib_data *new_block_end = h_entry_to_block_end(ctx, new_h_entry);
975	new_block_end[-bidx_CRC].crc = calc_block_crc(new_block, new_block_end);	1003	new_block_end[-bidx_CRC].crc = calc_block_crc(new_block, new_block_end);
976		1004
977	/* Now deal with size changes that create free blocks after the allocation */	1005	/* Now deal with size changes that create free blocks after the allocation */
@@ -1024,8 +1052,9 @@ void buflib_check_valid(struct buflib_context *ctx)
1024	if (block->val < 0)	1052	if (block->val < 0)
1025	continue;	1053	continue;
1026		1054
		1055	check_block_handle(ctx, block);
1027	union buflib_data *h_entry = block[fidx_HANDLE].handle;	1056	union buflib_data *h_entry = block[fidx_HANDLE].handle;
1028	union buflib_data *block_end = userpointer_to_block_end(h_entry->alloc);	1057	union buflib_data *block_end = h_entry_to_block_end(ctx, h_entry);
1029	uint32_t crc = calc_block_crc(block, block_end);	1058	uint32_t crc = calc_block_crc(block, block_end);
1030	if (crc != block_end[-bidx_CRC].crc)	1059	if (crc != block_end[-bidx_CRC].crc)
1031	{	1060	{
@@ -1130,3 +1159,61 @@ static void check_block_length(struct buflib_context *ctx,
1130	}	1159	}
1131	}	1160	}
1132	}	1161	}
		1162
		1163	static void check_handle(struct buflib_context *ctx,
		1164	union buflib_data *h_entry)
		1165	{
		1166	if (BUFLIB_PARANOIA & PARANOIA_CHECK_HANDLE)
		1167	{
		1168	/* For the pointer to be valid there needs to be room for a minimum
		1169	* size block header, so we add BUFLIB_NUM_FIELDS to ctx->buf_start. */
		1170	void *alloc = h_entry->alloc;
		1171	void *alloc_begin = ctx->buf_start + BUFLIB_NUM_FIELDS;
		1172	void *alloc_end = ctx->alloc_end;
		1173	/* buflib allows zero length allocations, so alloc_end is inclusive */
		1174	if (alloc < alloc_begin \|\| alloc > alloc_end)
		1175	{
		1176	buflib_panic(ctx, "alloc outside buf [%p]=%p, %p-%p",
		1177	h_entry, alloc, alloc_begin, alloc_end);
		1178	}
		1179	}
		1180	}
		1181
		1182	static void check_block_handle(struct buflib_context *ctx,
		1183	union buflib_data *block)
		1184	{
		1185	if (BUFLIB_PARANOIA & PARANOIA_CHECK_BLOCK_HANDLE)
		1186	{
		1187	intptr_t length = block[fidx_LEN].val;
		1188	union buflib_data *h_entry = block[fidx_HANDLE].handle;
		1189
		1190	/* Check the handle pointer is properly aligned */
		1191	/* TODO: Can we ensure the compiler doesn't optimize this out?
		1192	* I dunno, maybe the compiler can assume the pointer is always
		1193	* properly aligned due to some C standard voodoo?? */
		1194	if (!IS_ALIGNED((uintptr_t)h_entry, alignof(*h_entry)))
		1195	{
		1196	buflib_panic(ctx, "handle unaligned [%p]=%p",
		1197	&block[fidx_HANDLE], h_entry);
		1198	}
		1199
		1200	/* Check the pointer is actually inside the handle table */
		1201	if (h_entry < ctx->last_handle \|\| h_entry >= ctx->handle_table)
		1202	{
		1203	buflib_panic(ctx, "handle out of bounds [%p]=%p",
		1204	&block[fidx_HANDLE], h_entry);
		1205	}
		1206
		1207	/* Now check the allocation is within the block.
		1208	* This is stricter than check_handle(). */
		1209	void *alloc = h_entry->alloc;
		1210	void *alloc_begin = block;
		1211	void *alloc_end = block + length;
		1212	/* buflib allows zero length allocations, so alloc_end is inclusive */
		1213	if (alloc < alloc_begin \|\| alloc > alloc_end)
		1214	{
		1215	buflib_panic(ctx, "alloc outside block [%p]=%p, %p-%p",
		1216	h_entry, alloc, alloc_begin, alloc_end);
		1217	}
		1218	}
		1219	}