//===-- ARMBranchTargets.cpp -- Harden code using v8.1-M BTI extension -----==//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This pass inserts BTI instructions at the start of every function and basic
// block which could be indirectly called or branched to. The hardware will
// (when enabled) trap when an indirect branch or call instruction targets an
// instruction which is not a valid BTI instruction. This is intended to guard
// against control-flow hijacking attacks.
//
//===----------------------------------------------------------------------===//
| 16 | |
| 17 | #include "ARM.h" |
| 18 | #include "ARMInstrInfo.h" |
| 19 | #include "ARMMachineFunctionInfo.h" |
| 20 | #include "llvm/CodeGen/MachineFunctionPass.h" |
| 21 | #include "llvm/CodeGen/MachineInstrBuilder.h" |
| 22 | #include "llvm/CodeGen/MachineJumpTableInfo.h" |
| 23 | #include "llvm/CodeGen/MachineModuleInfo.h" |
| 24 | #include "llvm/Support/Debug.h" |
| 25 | |
| 26 | using namespace llvm; |
| 27 | |
| 28 | #define DEBUG_TYPE "arm-branch-targets" |
| 29 | #define ARM_BRANCH_TARGETS_NAME "ARM Branch Targets" |
| 30 | |
namespace {
/// Machine function pass that inserts a BTI (or PACBTI) landing instruction at
/// the start of every basic block that may be reached by an indirect branch or
/// call, so that v8.1-M branch target identification can trap other targets.
class ARMBranchTargets : public MachineFunctionPass {
  /// Insert a BTI at the start of \p MBB (after any meta instructions). For the
  /// entry block (\p IsFirstBB) a leading PAC instruction is replaced by PACBTI.
  void addBTI(const ARMInstrInfo &TII, MachineBasicBlock &MBB, bool IsFirstBB);

public:
  /// Pass identifier; its address is what the pass manager keys on.
  static char ID;

  ARMBranchTargets() : MachineFunctionPass(ID) {}

  void getAnalysisUsage(AnalysisUsage &AU) const override;
  bool runOnMachineFunction(MachineFunction &MF) override;
  StringRef getPassName() const override { return ARM_BRANCH_TARGETS_NAME; }
};
} // end anonymous namespace
| 44 | |
// Storage for the pass ID; the value is irrelevant, the address (handed to
// MachineFunctionPass(ID) in the constructor) identifies the pass.
char ARMBranchTargets::ID = 0;

// Register the pass with the pass registry under the "arm-branch-targets"
// argument; it is neither CFG-only nor an analysis.
INITIALIZE_PASS(ARMBranchTargets, "arm-branch-targets", ARM_BRANCH_TARGETS_NAME,
                false, false)
| 49 | |
void ARMBranchTargets::getAnalysisUsage(AnalysisUsage &AU) const {
  MachineFunctionPass::getAnalysisUsage(AU);
  // Only instructions are inserted/replaced inside blocks; no blocks or edges
  // are added or removed, so the CFG survives this pass intact.
  AU.setPreservesCFG();
}
| 54 | |
/// Factory used by the ARM target to add this pass to the pipeline. Returns a
/// heap-allocated pass whose ownership passes to the caller.
FunctionPass *llvm::createARMBranchTargetsPass() {
  auto *Pass = new ARMBranchTargets();
  return Pass;
}
| 58 | |
/// Walk every block of \p MF and add a BTI/PACBTI to each one that could be an
/// indirect branch or call target. Returns true when any instruction was
/// inserted; does nothing for functions compiled without branch target
/// enforcement.
bool ARMBranchTargets::runOnMachineFunction(MachineFunction &MF) {
  // Only functions built with branch target enforcement are hardened.
  if (!MF.getInfo<ARMFunctionInfo>()->branchTargetEnforcement())
    return false;

  LLVM_DEBUG(dbgs() << "********** ARM Branch Targets **********\n"
                    << "********** Function: " << MF.getName() << '\n');
  const auto &TII =
      *static_cast<const ARMInstrInfo *>(MF.getSubtarget().getInstrInfo());

  // This pass never adds or removes blocks, so the entry block is stable.
  const MachineBasicBlock *EntryBB = &MF.front();
  bool Changed = false;
  for (MachineBasicBlock &MBB : MF) {
    const bool IsEntry = &MBB == EntryBB;

    // Every function can potentially be called indirectly (even if it has
    // static linkage, due to linker-generated veneers), so the entry block
    // always gets a landing instruction. Any other block is only a candidate
    // when its address is taken (at machine or IR level) or it is an
    // exception landing pad.
    // Jump tables only emit indirect jumps (JUMPTABLE_ADDRS) in ARM or Thumb1
    // modes. These modes do not support PACBTI. As a result, BTI instructions
    // are not added in the destination blocks.
    if (!IsEntry && !MBB.isMachineBlockAddressTaken() &&
        !MBB.isIRBlockAddressTaken() && !MBB.isEHPad())
      continue;

    addBTI(TII, MBB, IsEntry);
    Changed = true;
  }

  return Changed;
}
| 89 | |
/// Insert a BTI/PACBTI instruction into a given basic block \c MBB. If
/// \c IsFirstBB is true (meaning that this is the first BB in a function) and
/// the block starts with a PAC instruction, that PAC is replaced by a PACBTI;
/// otherwise a plain BTI is inserted.
/// The point of insertion is the beginning of the BB, immediately after meta
/// instructions (such as labels in exception handling landing pads).
void ARMBranchTargets::addBTI(const ARMInstrInfo &TII, MachineBasicBlock &MBB,
                              bool IsFirstBB) {
  // Skip meta instructions, including EH labels. InsertPt is the first real
  // instruction, or instr_end() when the block has none.
  auto InsertPt = llvm::find_if_not(
      MBB.instrs(),
      [](const MachineInstr &MI) { return MI.isMetaInstruction(); });

  // Default: a plain BTI carrying no MI flags.
  unsigned Opc = ARM::t2BTI;
  unsigned Flags = 0;

  // In the entry block a leading PAC is folded into a single PACBTI, which is
  // then marked as frame setup.
  const bool FoldPAC = IsFirstBB && InsertPt != MBB.instr_end() &&
                       InsertPt->getOpcode() == ARM::t2PAC;
  if (FoldPAC) {
    LLVM_DEBUG(dbgs() << "Removing a 'PAC' instr from BB '" << MBB.getName()
                      << "' to replace with PACBTI\n");
    Opc = ARM::t2PACBTI;
    Flags = MachineInstr::FrameSetup;
    // Step past the PAC before erasing it so the insertion point stays valid.
    auto AfterPAC = std::next(InsertPt);
    InsertPt->eraseFromParent();
    InsertPt = AfterPAC;
  }

  LLVM_DEBUG(dbgs() << "Inserting a '" << (Opc == ARM::t2BTI ? "BTI" : "PACBTI")
                    << "' instr into BB '" << MBB.getName() << "'\n");
  // Finally, insert the new instruction (either BTI or PACBTI).
  BuildMI(MBB, InsertPt, MBB.findDebugLoc(InsertPt), TII.get(Opc))
      .setMIFlags(Flags);
}
| 128 | |