svcadm(1M)을 검색하려면 섹션에서 1M 을 선택하고, 맨 페이지 이름에 svcadm을 입력하고 검색을 누른다.
adi(7)
Standards, Environments, Macros, Character Sets, and miscellany
adi(7)
NAME
adi, ADI - Application Data Integrity (ADI)
OVERVIEW
Application Data Integrity (ADI) is an extension to the SPARC instruc‐
tion set which detects memory corruptions in optimized production code
by adding version numbers to memory pointers and the memory they point
to. The hardware does this by allowing software to mark software buf‐
fers with special versions. On execution the processor compares the
version encoded in the pointer used by a load or store instruction with
the version assigned to the target location and generates an exception
if there is a mismatch. The ADI feature can be used by user applica‐
tions that manage memory and by the operating system.
Support for ADI is available on these hardware platforms:
Oracle SPARC M7 series
Oracle SPARC S7 series
Oracle SPARC T7 series
Oracle SPARC M8 series
Oracle SPARC T8 series
DESCRIPTION
The ADI feature works in the following way:
1. By using spare bits in the cache and in the memory hierar‐
chy, the hardware allows the software to assign version num‐
bers to regions of memory at the granularity of a cache
line. The software sets the high bits of the virtual address
pointer used to reference a data object with the same ver‐
sion assigned to the target memory in which the data object
resides.
2. On execution, the processor compares the version encoded in
the pointer and referenced by a load or store instruction,
with the version assigned to the target memory.
3. If there is a mismatch, the processor generates a version
mismatch exception and delivers the exception to Oracle
Solaris either as a precise or as a disrupting trap as fol‐
lows:
o For a load instruction, the hardware delivers the excep‐
tion as a precise trap.
o For a store instruction, the hardware delivers the
exception as a precise trap or as a disrupting trap
depending on the current state of the ADI precise excep‐
tion mode of the thread executing the store instruction.
Disrupting traps are the default for performance rea‐
sons.
4. Oracle Solaris signals the exception to a process by deliv‐
ering a SIGSEGV signal.
o For exceptions that generate precise traps, the signal
information includes the exact PC (program counter),
mismatching VA (virtual address), and current version
assigned to the memory.
o For exceptions that generate disrupting traps, the sig‐
nal information only includes the PC (program counter)
of the store instruction.
The hardware can perform ADI checking on data accesses to a given page
of memory if both the following conditions are met:
o ADI is enabled for the thread executing a virtual-addressed
load or store to the memory.
o ADI is enabled for the virtual address range mapped to the
page.
The following conditions need to be met to enable the hardware to get
(read) or set (write) the version associated with a cache line:
o The thread executing the get or set is ADI-enabled.
o The target memory is ADI-enabled.
o The target memory is mapped with protections conducive to a
successful get or set.
By default, all threads of a 64-bit application run with ADI enabled,
but ADI is not enabled on the memory assigned to the application.
32-bit applications cannot use ADI. An application can enable ADI on
memory segments that support ADI using the memcntl(2) or mmap(2) func‐
tion. It is up to applications and libraries to decide which applica‐
tion memory to enable for ADI and the versions to assign to the memory.
When memory segments that have ADI enabled are written to backing
store, additional metadata needs to be stored with them for the ADI
version data. Controls over how much memory can be used for this pur‐
pose are available via the max-adi-metadata-memory resource controls
described in resource-controls(7) and the max-adi-metadata-memory prop‐
erty described in zonecfg(8).
ADI is a powerful technology, but can be incompatible with applications
that do low level address computations. In particular, since pointers
are tagged, an application relying on pointer math needs to first nor‐
malize the pointer, as shown in the Normalizing a Versioned Address
example in adi(2). In addition, accesses beyond buffer limits are also
detected as fatal. Some applications are known to use these accesses as
designed optimizations and can fail under ADI. If an application has
run successfully under a memory checker (for example, valgrind), there
is a fair chance that it won't show these problems.
USING ADI
Use of ADI for specific types of memory can be controlled via these
security extensions:
ADIHEAP ADI based protections for heap allocators
ADISTACK ADI based protections for stacks
KADI ADI based protections for kernel heap
See the sxadm(8) man page for details on using security extensions in
Oracle Solaris.
The default malloc(3C) functions, the libumem(3LIB) functions, and the
libadimalloc(3LIB) functions can use ADI to provide detection of buffer
overruns, out of bounds pointers, stale pointers, and use-after-free
errors. Use of ADI is enabled by default in libadimalloc, while the
others only use ADI if the ADIHEAP security extension is enabled. Other
malloc implementations provided in Oracle Solaris, such as libmtmal‐
loc(3LIB) currently do not use ADI.
DEVELOPING WITH ADI
For more information on developing applications that use ADI, see the
adi(2) and adi(3C) man pages.
The following system interfaces have been modified to support ADI:
copyin() Returns an error value when there is a version mismatch.
For more information, see the copyin(9F) man page.
copyout() Returns an error value when there is a version mismatch.
For more information, see the copyout(9F) man page.
ddi_copyin() Returns an error value when there is a version mismatch.
For more information, see the ddi_copyin(9F) man page.
ddi_copyout() Returns an error value when there is a version mismatch.
For more information, see the ddi_copyout(9F) man page.
getmsg() Returns an error value if a version mismatch is detected
while the system is writing data to the buffer. For more
information, see the getmsg(2) man page.
memcntl() Allows ADI to be enabled or disabled for specified mem‐
ory pages. For more information, see the memcntl(2) man
page.
meminfo() Provides the status of ADI for a specified virtual
address. For more information, see the meminfo(2) man
page.
mmap() Enables ADI for mapped pages. For more information, see
the mmap(2) man page.
pmap() Reports which process mappings have ADI enabled. For
more information, see the pmap(1) man page.
proc() Provides information about the state of a ADI process.
For more information, see the proc(5) man page.
putmsg() Returns an error value if there is a version mismatch
while the system is reading data from the buffer. For
more information, see the putmsg(2) man page.
read() Returns an error value if there is a version mismatch
while the system is writing data to the buffer. For more
information, see the read(2) man page.
siginfo() Defines signal values for signals raised for ADI excep‐
tions. For more information, see the siginfo(3HEAD) man
page.
uiomove() Returns an error value if a version mismatch is detected
while the system is transferring data to or from the
buffer. For more information, see the uiomove(9F) man
page.
write() Returns an error value if a version mismatch is detected
while the system is reading data from the buffer. For
more information, see the write(2) man page.
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
tab() box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i) ATTRIBUTE TYPEAT‐
TRIBUTE VALUE _ ArchitectureSPARC
SEE ALSO
adi(2), memcntl(2), meminfo(2), adi(3C), malloc(3C), dax_adi(3DAX),
attributes(7), sxadm(8)
Oracle Solaris 11.4 2 Feb 2019 adi(7)