| 1 | //===-- KCFI.cpp - Generic KCFI operand bundle lowering ---------*- C++ -*-===// |
|---|---|
| 2 | // |
| 3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. |
| 4 | // See https://llvm.org/LICENSE.txt for license information. |
| 5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception |
| 6 | // |
| 7 | //===----------------------------------------------------------------------===// |
| 8 | // |
| 9 | // This pass emits generic KCFI indirect call checks for targets that don't |
| 10 | // support lowering KCFI operand bundles in the back-end. |
| 11 | // |
| 12 | //===----------------------------------------------------------------------===// |
| 13 | |
| 14 | #include "llvm/Transforms/Instrumentation/KCFI.h" |
| 15 | #include "llvm/ADT/Statistic.h" |
| 16 | #include "llvm/IR/Constants.h" |
| 17 | #include "llvm/IR/DiagnosticInfo.h" |
| 18 | #include "llvm/IR/DiagnosticPrinter.h" |
| 19 | #include "llvm/IR/Function.h" |
| 20 | #include "llvm/IR/IRBuilder.h" |
| 21 | #include "llvm/IR/InstIterator.h" |
| 22 | #include "llvm/IR/Instructions.h" |
| 23 | #include "llvm/IR/Intrinsics.h" |
| 24 | #include "llvm/IR/MDBuilder.h" |
| 25 | #include "llvm/IR/Module.h" |
| 26 | #include "llvm/Target/TargetMachine.h" |
| 27 | #include "llvm/Transforms/Utils/BasicBlockUtils.h" |
| 28 | |
| 29 | using namespace llvm; |
| 30 | |
| 31 | #define DEBUG_TYPE "kcfi" |
| 32 | |
| 33 | STATISTIC(NumKCFIChecks, "Number of kcfi operands transformed into checks"); |
| 34 | |
| 35 | namespace { |
| 36 | class DiagnosticInfoKCFI : public DiagnosticInfo { |
| 37 | const Twine &Msg; |
| 38 | |
| 39 | public: |
| 40 | DiagnosticInfoKCFI(const Twine &DiagMsg LLVM_LIFETIME_BOUND, |
| 41 | DiagnosticSeverity Severity = DS_Error) |
| 42 | : DiagnosticInfo(DK_Linker, Severity), Msg(DiagMsg) {} |
| 43 | void print(DiagnosticPrinter &DP) const override { DP << Msg; } |
| 44 | }; |
| 45 | } // namespace |
| 46 | |
| 47 | PreservedAnalyses KCFIPass::run(Function &F, FunctionAnalysisManager &AM) { |
| 48 | Module &M = *F.getParent(); |
| 49 | if (!M.getModuleFlag(Key: "kcfi")) |
| 50 | return PreservedAnalyses::all(); |
| 51 | |
| 52 | // Find call instructions with KCFI operand bundles. |
| 53 | SmallVector<CallInst *> KCFICalls; |
| 54 | for (Instruction &I : instructions(F)) { |
| 55 | if (auto *CI = dyn_cast<CallInst>(Val: &I)) |
| 56 | if (CI->getOperandBundle(ID: LLVMContext::OB_kcfi)) |
| 57 | KCFICalls.push_back(Elt: CI); |
| 58 | } |
| 59 | |
| 60 | if (KCFICalls.empty()) |
| 61 | return PreservedAnalyses::all(); |
| 62 | |
| 63 | LLVMContext &Ctx = M.getContext(); |
| 64 | // patchable-function-prefix emits nops between the KCFI type identifier |
| 65 | // and the function start. As we don't know the size of the emitted nops, |
| 66 | // don't allow this attribute with generic lowering. |
| 67 | if (F.hasFnAttribute(Kind: "patchable-function-prefix")) |
| 68 | Ctx.diagnose( |
| 69 | DI: DiagnosticInfoKCFI("-fpatchable-function-entry=N,M, where M>0 is not " |
| 70 | "compatible with -fsanitize=kcfi on this target")); |
| 71 | |
| 72 | IntegerType *Int32Ty = Type::getInt32Ty(C&: Ctx); |
| 73 | MDNode *VeryUnlikelyWeights = MDBuilder(Ctx).createUnlikelyBranchWeights(); |
| 74 | Triple T(M.getTargetTriple()); |
| 75 | |
| 76 | for (CallInst *CI : KCFICalls) { |
| 77 | // Get the expected hash value. |
| 78 | const uint32_t ExpectedHash = |
| 79 | cast<ConstantInt>(Val: CI->getOperandBundle(ID: LLVMContext::OB_kcfi)->Inputs[0]) |
| 80 | ->getZExtValue(); |
| 81 | |
| 82 | // Drop the KCFI operand bundle. |
| 83 | CallBase *Call = CallBase::removeOperandBundle(CB: CI, ID: LLVMContext::OB_kcfi, |
| 84 | InsertPt: CI->getIterator()); |
| 85 | assert(Call != CI); |
| 86 | Call->copyMetadata(SrcInst: *CI); |
| 87 | CI->replaceAllUsesWith(V: Call); |
| 88 | CI->eraseFromParent(); |
| 89 | |
| 90 | if (!Call->isIndirectCall()) |
| 91 | continue; |
| 92 | |
| 93 | // Emit a check and trap if the target hash doesn't match. |
| 94 | IRBuilder<> Builder(Call); |
| 95 | Value *FuncPtr = Call->getCalledOperand(); |
| 96 | // ARM uses the least significant bit of the function pointer to select |
| 97 | // between ARM and Thumb modes for the callee. Instructions are always |
| 98 | // at least 16-bit aligned, so clear the LSB before we compute the hash |
| 99 | // location. |
| 100 | if (T.isARM() || T.isThumb()) { |
| 101 | FuncPtr = Builder.CreateIntToPtr( |
| 102 | V: Builder.CreateAnd(LHS: Builder.CreatePtrToInt(V: FuncPtr, DestTy: Int32Ty), |
| 103 | RHS: ConstantInt::get(Ty: Int32Ty, V: -2)), |
| 104 | DestTy: FuncPtr->getType()); |
| 105 | } |
| 106 | Value *HashPtr = Builder.CreateConstInBoundsGEP1_32(Ty: Int32Ty, Ptr: FuncPtr, Idx0: -1); |
| 107 | Value *Test = Builder.CreateICmpNE(LHS: Builder.CreateLoad(Ty: Int32Ty, Ptr: HashPtr), |
| 108 | RHS: ConstantInt::get(Ty: Int32Ty, V: ExpectedHash)); |
| 109 | Instruction *ThenTerm = |
| 110 | SplitBlockAndInsertIfThen(Cond: Test, SplitBefore: Call, Unreachable: false, BranchWeights: VeryUnlikelyWeights); |
| 111 | Builder.SetInsertPoint(ThenTerm); |
| 112 | Builder.CreateIntrinsic(ID: Intrinsic::debugtrap, Args: {}); |
| 113 | ++NumKCFIChecks; |
| 114 | } |
| 115 | |
| 116 | return PreservedAnalyses::none(); |
| 117 | } |
| 118 |
Generated on 2025-Jul-04 from project llvm_projects revision main-0ba59587f
Powered by 
Code Browser 2.1
Generator usage only permitted with license.