Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/contrib/llvm-project/llvm/lib/Transforms/Instrumentation/KCFI.cpp
35269 views
1
//===-- KCFI.cpp - Generic KCFI operand bundle lowering ---------*- C++ -*-===//

2
//

3
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

4
// See https://llvm.org/LICENSE.txt for license information.

5
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

6
//

7
//===----------------------------------------------------------------------===//

8
//

9
// This pass emits generic KCFI indirect call checks for targets that don't

10
// support lowering KCFI operand bundles in the back-end.

11
//

12
//===----------------------------------------------------------------------===//

13


14
#include "llvm/Transforms/Instrumentation/KCFI.h"

15
#include "llvm/ADT/Statistic.h"

16
#include "llvm/IR/Constants.h"

17
#include "llvm/IR/DiagnosticInfo.h"

18
#include "llvm/IR/DiagnosticPrinter.h"

19
#include "llvm/IR/Function.h"

20
#include "llvm/IR/GlobalObject.h"

21
#include "llvm/IR/IRBuilder.h"

22
#include "llvm/IR/InstIterator.h"

23
#include "llvm/IR/Instructions.h"

24
#include "llvm/IR/Intrinsics.h"

25
#include "llvm/IR/MDBuilder.h"

26
#include "llvm/IR/Module.h"

27
#include "llvm/Target/TargetMachine.h"

28
#include "llvm/Transforms/Utils/BasicBlockUtils.h"

29


30
using namespace llvm;

31


32
#define DEBUG_TYPE "kcfi"

33


34
STATISTIC(NumKCFIChecks, "Number of kcfi operands transformed into checks");

35


36
namespace {

37
class DiagnosticInfoKCFI : public DiagnosticInfo {

38
  const Twine &Msg;

39


40
public:

41
  DiagnosticInfoKCFI(const Twine &DiagMsg,

42
                     DiagnosticSeverity Severity = DS_Error)

43
      : DiagnosticInfo(DK_Linker, Severity), Msg(DiagMsg) {}

44
  void print(DiagnosticPrinter &DP) const override { DP << Msg; }

45
};

46
} // namespace

47


48
PreservedAnalyses KCFIPass::run(Function &F, FunctionAnalysisManager &AM) {

49
  Module &M = *F.getParent();

50
  if (!M.getModuleFlag("kcfi"))

51
    return PreservedAnalyses::all();

52


53
  // Find call instructions with KCFI operand bundles.

54
  SmallVector<CallInst *> KCFICalls;

55
  for (Instruction &I : instructions(F)) {

56
    if (auto *CI = dyn_cast<CallInst>(&I))

57
      if (CI->getOperandBundle(LLVMContext::OB_kcfi))

58
        KCFICalls.push_back(CI);

59
  }

60


61
  if (KCFICalls.empty())

62
    return PreservedAnalyses::all();

63


64
  LLVMContext &Ctx = M.getContext();

65
  // patchable-function-prefix emits nops between the KCFI type identifier

66
  // and the function start. As we don't know the size of the emitted nops,

67
  // don't allow this attribute with generic lowering.

68
  if (F.hasFnAttribute("patchable-function-prefix"))

69
    Ctx.diagnose(

70
        DiagnosticInfoKCFI("-fpatchable-function-entry=N,M, where M>0 is not "

71
                           "compatible with -fsanitize=kcfi on this target"));

72


73
  IntegerType *Int32Ty = Type::getInt32Ty(Ctx);

74
  MDNode *VeryUnlikelyWeights = MDBuilder(Ctx).createUnlikelyBranchWeights();

75
  Triple T(M.getTargetTriple());

76


77
  for (CallInst *CI : KCFICalls) {

78
    // Get the expected hash value.

79
    const uint32_t ExpectedHash =

80
        cast<ConstantInt>(CI->getOperandBundle(LLVMContext::OB_kcfi)->Inputs[0])

81
            ->getZExtValue();

82


83
    // Drop the KCFI operand bundle.

84
    CallBase *Call = CallBase::removeOperandBundle(CI, LLVMContext::OB_kcfi,

85
                                                   CI->getIterator());

86
    assert(Call != CI);

87
    Call->copyMetadata(*CI);

88
    CI->replaceAllUsesWith(Call);

89
    CI->eraseFromParent();

90


91
    if (!Call->isIndirectCall())

92
      continue;

93


94
    // Emit a check and trap if the target hash doesn't match.

95
    IRBuilder<> Builder(Call);

96
    Value *FuncPtr = Call->getCalledOperand();

97
    // ARM uses the least significant bit of the function pointer to select

98
    // between ARM and Thumb modes for the callee. Instructions are always

99
    // at least 16-bit aligned, so clear the LSB before we compute the hash

100
    // location.

101
    if (T.isARM() || T.isThumb()) {

102
      FuncPtr = Builder.CreateIntToPtr(

103
          Builder.CreateAnd(Builder.CreatePtrToInt(FuncPtr, Int32Ty),

104
                            ConstantInt::get(Int32Ty, -2)),

105
          FuncPtr->getType());

106
    }

107
    Value *HashPtr = Builder.CreateConstInBoundsGEP1_32(Int32Ty, FuncPtr, -1);

108
    Value *Test = Builder.CreateICmpNE(Builder.CreateLoad(Int32Ty, HashPtr),

109
                                       ConstantInt::get(Int32Ty, ExpectedHash));

110
    Instruction *ThenTerm =

111
        SplitBlockAndInsertIfThen(Test, Call, false, VeryUnlikelyWeights);

112
    Builder.SetInsertPoint(ThenTerm);

113
    Builder.CreateCall(Intrinsic::getDeclaration(&M, Intrinsic::debugtrap));

114
    ++NumKCFIChecks;

115
  }

116


117
  return PreservedAnalyses::none();

118
}

119


120