Add memcheck, a memory usage error checker

Author: lgeek

makefile

@@ -7,6 +7,7 @@
 #PLUGINS+=plugins/instruction_mix.c
 #PLUGINS+=plugins/strace.c
 #PLUGINS+=plugins/symbol_example.c
+#PLUGINS+=plugins/memcheck/memcheck.S plugins/memcheck/memcheck.c plugins/memcheck/naive_stdlib.c
 
 OPTS= -DDBM_LINK_UNCOND_IMM
 OPTS+=-DDBM_INLINE_UNCOND_IMM
@@ -22,7 +23,7 @@ OPTS+=-DDBM_TRACES #-DTB_AS_TRACE_HEAD #-DBLXI_AS_TRACE_HEAD
 CFLAGS+=-D_GNU_SOURCE -g -std=gnu99 -O2
 CFLAGS+=-DGIT_VERSION=\"$(shell git describe --abbrev=8 --dirty --always)\"
 
-LDFLAGS+=-static -ldl -Wl,-Ttext-segment=$(or $(TEXT_SEGMENT),0xa8000000)
+LDFLAGS+=-static -ldl
 LIBS=-lelf -lpthread -lz
 HEADERS=*.h makefile
 INCLUDES=-I/usr/include/libelf
@@ -33,6 +34,7 @@ SOURCES+=elf/elf_loader.o elf/symbol_parser.o
 ARCH=$(shell $(CC) -dumpmachine | awk -F '-' '{print $$1}')
 ifeq ($(findstring arm, $(ARCH)), arm)
 	CFLAGS += -march=armv7-a -mfpu=neon
+	LDFLAGS += -Wl,-Ttext-segment=$(or $(TEXT_SEGMENT),0xa8000000)
 	HEADERS += api/emit_arm.h api/emit_thumb.h
 	PIE = pie/pie-arm-encoder.o pie/pie-arm-decoder.o pie/pie-arm-field-decoder.o
 	PIE += pie/pie-thumb-encoder.o pie/pie-thumb-decoder.o pie/pie-thumb-field-decoder.o
@@ -41,6 +43,7 @@ ifeq ($(findstring arm, $(ARCH)), arm)
 endif
 ifeq ($(ARCH),aarch64)
 	HEADERS += api/emit_a64.h
+	LDFLAGS += -Wl,-Ttext-segment=$(or $(TEXT_SEGMENT),0x7000000000)
 	PIE += pie/pie-a64-field-decoder.o pie/pie-a64-encoder.o pie/pie-a64-decoder.o
 	SOURCES += scanner_a64.c
 	SOURCES += api/emit_a64.c
@@ -68,6 +71,9 @@ $(or $(OUTPUT_FILE),dbm): $(HEADERS) $(SOURCES) $(PLUGINS)
 cachesim:
 	PLUGINS="plugins/cachesim/cachesim.c plugins/cachesim/cachesim.S plugins/cachesim/cachesim_model.c" OUTPUT_FILE=mambo_cachesim make
 
+memcheck:
+	PLUGINS="plugins/memcheck/memcheck.S plugins/memcheck/memcheck.c plugins/memcheck/naive_stdlib.c" OUTPUT_FILE=mambo_memcheck make
+
 clean:
 	rm -f dbm elf/elf_loader.o elf/symbol_parser.o
 

plugins/memcheck/README.md

@@ -0,0 +1,72 @@
+MAMBO memcheck
+==============
+
+This instrumentation plugin for [MAMBO](https://github.com/beehive-lab/mambo) detects memory usage errors such as out-of-bounds accesses and invalid `free()` calls with relatively low performance overhead. This is still experimental software, please report any problems using [github's issue tracker](https://github.com/beehive-lab/mambo/issues).
+
+
+Publication:
+------------
+
+* [Cosmin Gorgovan, Guillermo Callaghan, and Mikel Luján. Balancing Performance and Productivity for the Development of Dynamic Binary Instrumentation Tools - A Case Study on Arm Systems. In Proceedings of the 29th International Conference on Compiler Construction (CC ’20)](https://dl.acm.org/doi/abs/10.1145/3377555.3377895) **Free download** [via research.manchester.ac.uk](https://www.research.manchester.ac.uk/portal/en/publications/balancing-performance-and-productivity-for-the-development-of-dynamic-binary-instrumentation-tools--a-case-study-on-arm-systems(80e57c1b-9e38-4a15-942d-eb240888b12b).html).
+
+
+Building:
+---------
+
+    git clone -b memcheck --recurse-submodules https://github.com/beehive-lab/mambo.git
+    cd mambo
+    make memcheck
+
+
+Usage:
+------
+
+To run an application under MAMBO memcheck, simply prefix the command with a call to `mambo_memcheck`. For example to execute `lscpu`, from the mambo source directory run:
+
+    ./mambo_memcheck /usr/bin/lscpu
+    
+or
+    
+    ./mambo_memcheck `which lscpu`
+    
+When an application runs under MAMBO memcheck, the first output should be its git version, e.g.:
+
+    $ ./mambo_memcheck `which lscpu`
+
+    -- MAMBO memcheck 29f87421 --
+
+    Architecture:        aarch64
+    CPU op-mode(s):      32-bit, 64-bit
+    [...]
+    
+Please include the git version in any bug reports.
+
+You can also copy `mambo_memcheck` somewhere in your `PATH`, for example `/usr/local/bin`.
+
+
+Example output from a buggy application:
+---------------
+
+    $ mambo_memcheck ~/test
+    
+    -- MAMBO memcheck 29f87421 --
+    
+    ==memcheck== Invalid store (size 4) to 0x3ffce462c8
+    ==memcheck==  at [main]+0x60 (0x3ffffac978) in /home/cosmin/test
+    ==memcheck==  Backtrace:
+    ==memcheck==  at [__libc_start_main]+0xe4 (0x3ffd06c12c) in /usr/lib/libc-2.30.so
+    ==memcheck==  at [(null)]+0x7e4 (0x3ffffac7e4) in /home/cosmin/test
+    
+    ==memcheck== Invalid load (size 4) from 0x3ffce462cc
+    ==memcheck==  at [main]+0x80 (0x3ffffac998) in /home/cosmin/test
+    ==memcheck==  Backtrace:
+    ==memcheck==  at [__libc_start_main]+0xe4 (0x3ffd06c12c) in /usr/lib/libc-2.30.so
+    ==memcheck==  at [(null)]+0x7e4 (0x3ffffac7e4) in /home/cosmin/test
+    
+    ==memcheck== double free for 0x3ffce466e0
+
+
+Advanced configuration
+----------------------
+
+One of the more challenging aspects of this software is avoiding noisy false positive errors, e.g. harmless out-of-bounds reads in the hand written assembly code from glibc. We have implemented a number of techniques to avoid reporting such errors, which are documented and can be enabled or disabled in [memcheck.h](memcheck.h).

plugins/memcheck/memcheck.S

@@ -0,0 +1,245 @@
+/*
+  This file is part of MAMBO, a low-overhead dynamic binary modification tool:
+      https://github.com/beehive-lab/mambo
+
+  Copyright 2017-2020 The University of Manchester
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+*/
+
+#include "memcheck.h"
+
+#ifdef __arm__
+.syntax unified
+#endif
+
+// 1 to 3 arguments need to be preserved
+// (es-1) (X18/R3) is a pointer to <in_malloc>
+.global memcheck_malloc_pre
+.func
+memcheck_malloc_pre:
+#ifdef __aarch64__
+  LDR X4, [X18]
+  ADD X4, X4, #1
+  STR X4, [X18]
+  RET
+#elif __arm__
+  LDR R12, [R3]
+  ADD R12, R12, #1
+  STR R12, [R3]
+  BX LR
+#endif
+.endfunc
+
+
+// X0/R0 - address
+// (es-1) (X18/R3) is a pointer to <in_malloc>
+// (es) (X19/R4) - size
+.global memcheck_malloc_post
+.func
+memcheck_malloc_post:
+#ifdef __aarch64__
+  LDR X2, [X18]
+  SUB X2, X2, #1
+  STR X2, [X18]
+
+  CBZ X0, mmp_ret
+
+  #ifdef COMPACT_SHADOW
+  STP X0, X30, [SP, #-16]!
+  MOV X1, X19
+  BL memcheck_alloc_hook
+  LDP X0, X30, [SP], #16
+  #else
+  MOV X1, #0x200000000
+  STR X19, [X1, X0]
+  STR X19, [X0]
+
+  MOV W4, #1
+  MOV X2, #0x100000000
+  MOV X3, X19
+  ADD X2, X0, X2
+
+mmp_loop:
+  CBZ X3, mmp_ret
+  STRB W4, [X2], #1
+  SUB X3, X3, #1
+  B mmp_loop
+#endif
+
+mmp_ret:
+  RET
+
+#elif __arm__
+  LDR R2, [R3]
+  SUB R2, R2, #1
+  STR R2, [R3]
+
+  CMP R0, #0
+  BEQ mmp_ret
+
+  PUSH {R0, LR}
+  MOV R1, R4
+  BL memcheck_alloc_hook
+  POP {R0, LR}
+
+mmp_ret:
+  BX LR
+#endif
+.endfunc
+
+
+// X0/R0 - address
+// (es-1) (X18/R3) is a pointer to <in_malloc>
+.global memcheck_free_pre
+.func
+memcheck_free_pre:
+#ifdef __aarch64__
+  LDR X3, [X18]
+  ADD X3, X3, #1
+  STR X3, [X18]
+
+  #ifdef COMPACT_SHADOW
+  STR X0, [SP, #-32]!
+  STP X1, X30, [SP, #16]
+  BL memcheck_free_hook
+  LDP X1, X30, [SP, #16]
+  LDR X0, [SP], #32
+  #else
+  MOV X2, #0x200000000
+  LDR X2, [X2, X0]
+
+  MOV X3, #0x100000000
+  ADD X3, X3, X0
+
+mfp_l:
+  CBZ X2, mfp_l_exit
+  STRB WZR, [X3], #1
+  SUB X2, X2, #1
+  B mfp_l
+
+mfp_l_exit:
+  #endif
+  RET
+
+#elif __arm__
+  LDR R2, [R3]
+  ADD R2, R2, #1
+  STR R2, [R3]
+
+  /* We don't really need to preserve the value of R2 here,
+     but by pushing it we maintain stack alignment */
+  PUSH {R0-R2, LR}
+  BL memcheck_free_hook
+  POP {R0-R2, PC}
+#endif
+.endfunc
+
+
+// (es-1) (X18/R3) is a pointer to <in_malloc>
+.global memcheck_free_post
+.func
+memcheck_free_post:
+#ifdef __aarch64__
+  LDR X2, [X18]
+  SUB X2, X2, #1
+  STR X2, [X18]
+  RET
+#elif __arm__
+  LDR R2, [R3]
+  SUB R2, R2, #1
+  STR R2, [R3]
+  BX LR
+#endif
+.endfunc
+
+
+// X0/R0 - access address
+// X1/R1 - access size | IS_STORE
+// X2/R2 - SPC
+// X3/R3 is a pointer to <in_malloc>
+// X4/R4 and LR are also pushed
+.global memcheck_unalloc
+.func
+#ifdef __arm__
+.thumb_func
+#endif
+memcheck_unalloc:
+#ifdef __aarch64__
+  LDR X3, [X3]
+  CBNZ X3, skip_err
+
+  STR X30, [SP, #-16]!
+
+  BL push_x4_x21
+  MRS X19, NZCV
+  MRS X20, FPCR
+  MRS X21, FPSR
+  BL push_neon
+
+  MOV X3, X29 // frame pointer
+  BL memcheck_print_error
+
+  BL pop_neon
+  MSR NZCV, X19
+  MSR FPCR, X20
+  MSR FPSR, X21
+  BL pop_x4_x21
+
+  LDR X30, [SP], #16
+
+skip_err:
+  RET
+
+#elif __arm__
+  LDR R3, [R3]
+  CBNZ R3, skip_err
+
+  PUSH {R5-R6, R9, R12, LR}
+  VPUSH {d16-d31}
+  VPUSH {d0-d7}
+
+  MRS r4, CPSR
+  VMRS r5, FPSCR
+
+  // align the SP
+  MOV R6, SP
+  BIC R3, R6, #7
+  MOV SP, R3
+
+  MOV R3, R11 // frame pointer
+  BL memcheck_print_error
+
+  MOV SP, R6
+
+  VMSR FPSCR, r5
+  MSR CPSR, r4
+
+  VPOP {d0-d7}
+  VPOP {d16-d31}
+  POP {R5-R6, R9, R12, LR}
+
+skip_err:
+  BX LR
+#endif
+.endfunc
+
+
+.global memcheck_ret
+.func
+memcheck_ret:
+#ifdef __aarch64__
+  RET
+#elif __arm__
+  BX LR
+#endif