1//===-- CFGuard.cpp - Control Flow Guard checks -----------------*- C++ -*-===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8///
9/// \file
10/// This file contains the IR transform to add Microsoft's Control Flow Guard
11/// checks on Windows targets.
12///
13//===----------------------------------------------------------------------===//
14
15#include "llvm/Transforms/CFGuard.h"
16#include "llvm/ADT/SmallVector.h"
17#include "llvm/ADT/Statistic.h"
18#include "llvm/IR/CallingConv.h"
19#include "llvm/IR/IRBuilder.h"
20#include "llvm/IR/Instruction.h"
21#include "llvm/IR/Module.h"
22#include "llvm/InitializePasses.h"
23#include "llvm/Pass.h"
24#include "llvm/TargetParser/Triple.h"
25
26using namespace llvm;
27
28using OperandBundleDef = OperandBundleDefT<Value *>;
29
30#define DEBUG_TYPE "cfguard"
31
32STATISTIC(CFGuardCounter, "Number of Control Flow Guard checks added");
33
34namespace {
35
36/// Adds Control Flow Guard (CFG) checks on indirect function calls/invokes.
37/// These checks ensure that the target address corresponds to the start of an
38/// address-taken function. X86_64 targets use the Mechanism::Dispatch
39/// mechanism. X86, ARM, and AArch64 targets use the Mechanism::Check machanism.
40class CFGuardImpl {
41public:
42 using Mechanism = CFGuardPass::Mechanism;
43
44 CFGuardImpl(Mechanism M) : GuardMechanism(M) {
45 // Get or insert the guard check or dispatch global symbols.
46 switch (GuardMechanism) {
47 case Mechanism::Check:
48 GuardFnName = "__guard_check_icall_fptr";
49 break;
50 case Mechanism::Dispatch:
51 GuardFnName = "__guard_dispatch_icall_fptr";
52 break;
53 }
54 }
55
56 /// Inserts a Control Flow Guard (CFG) check on an indirect call using the CFG
57 /// check mechanism. When the image is loaded, the loader puts the appropriate
58 /// guard check function pointer in the __guard_check_icall_fptr global
59 /// symbol. This checks that the target address is a valid address-taken
60 /// function. The address of the target function is passed to the guard check
61 /// function in an architecture-specific register (e.g. ECX on 32-bit X86,
62 /// X15 on Aarch64, and R0 on ARM). The guard check function has no return
63 /// value (if the target is invalid, the guard check funtion will raise an
64 /// error).
65 ///
66 /// For example, the following LLVM IR:
67 /// \code
68 /// %func_ptr = alloca i32 ()*, align 8
69 /// store i32 ()* @target_func, i32 ()** %func_ptr, align 8
70 /// %0 = load i32 ()*, i32 ()** %func_ptr, align 8
71 /// %1 = call i32 %0()
72 /// \endcode
73 ///
74 /// is transformed to:
75 /// \code
76 /// %func_ptr = alloca i32 ()*, align 8
77 /// store i32 ()* @target_func, i32 ()** %func_ptr, align 8
78 /// %0 = load i32 ()*, i32 ()** %func_ptr, align 8
79 /// %1 = load void (i8*)*, void (i8*)** @__guard_check_icall_fptr
80 /// %2 = bitcast i32 ()* %0 to i8*
81 /// call cfguard_checkcc void %1(i8* %2)
82 /// %3 = call i32 %0()
83 /// \endcode
84 ///
85 /// For example, the following X86 assembly code:
86 /// \code
87 /// movl $_target_func, %eax
88 /// calll *%eax
89 /// \endcode
90 ///
91 /// is transformed to:
92 /// \code
93 /// movl $_target_func, %ecx
94 /// calll *___guard_check_icall_fptr
95 /// calll *%ecx
96 /// \endcode
97 ///
98 /// \param CB indirect call to instrument.
99 void insertCFGuardCheck(CallBase *CB);
100
101 /// Inserts a Control Flow Guard (CFG) check on an indirect call using the CFG
102 /// dispatch mechanism. When the image is loaded, the loader puts the
103 /// appropriate guard check function pointer in the
104 /// __guard_dispatch_icall_fptr global symbol. This checks that the target
105 /// address is a valid address-taken function and, if so, tail calls the
106 /// target. The target address is passed in an architecture-specific register
107 /// (e.g. RAX on X86_64), with all other arguments for the target function
108 /// passed as usual.
109 ///
110 /// For example, the following LLVM IR:
111 /// \code
112 /// %func_ptr = alloca i32 ()*, align 8
113 /// store i32 ()* @target_func, i32 ()** %func_ptr, align 8
114 /// %0 = load i32 ()*, i32 ()** %func_ptr, align 8
115 /// %1 = call i32 %0()
116 /// \endcode
117 ///
118 /// is transformed to:
119 /// \code
120 /// %func_ptr = alloca i32 ()*, align 8
121 /// store i32 ()* @target_func, i32 ()** %func_ptr, align 8
122 /// %0 = load i32 ()*, i32 ()** %func_ptr, align 8
123 /// %1 = load i32 ()*, i32 ()** @__guard_dispatch_icall_fptr
124 /// %2 = call i32 %1() [ "cfguardtarget"(i32 ()* %0) ]
125 /// \endcode
126 ///
127 /// For example, the following X86_64 assembly code:
128 /// \code
129 /// leaq target_func(%rip), %rax
130 /// callq *%rax
131 /// \endcode
132 ///
133 /// is transformed to:
134 /// \code
135 /// leaq target_func(%rip), %rax
136 /// callq *__guard_dispatch_icall_fptr(%rip)
137 /// \endcode
138 ///
139 /// \param CB indirect call to instrument.
140 void insertCFGuardDispatch(CallBase *CB);
141
142 bool doInitialization(Module &M);
143 bool runOnFunction(Function &F);
144
145private:
146 // Only add checks if the module has the cfguard=2 flag.
147 int cfguard_module_flag = 0;
148 StringRef GuardFnName;
149 Mechanism GuardMechanism = Mechanism::Check;
150 FunctionType *GuardFnType = nullptr;
151 PointerType *GuardFnPtrType = nullptr;
152 Constant *GuardFnGlobal = nullptr;
153};
154
155class CFGuard : public FunctionPass {
156 CFGuardImpl Impl;
157
158public:
159 static char ID;
160
161 // Default constructor required for the INITIALIZE_PASS macro.
162 CFGuard(CFGuardImpl::Mechanism M) : FunctionPass(ID), Impl(M) {
163 initializeCFGuardPass(*PassRegistry::getPassRegistry());
164 }
165
166 bool doInitialization(Module &M) override { return Impl.doInitialization(M); }
167 bool runOnFunction(Function &F) override { return Impl.runOnFunction(F); }
168};
169
170} // end anonymous namespace
171
172void CFGuardImpl::insertCFGuardCheck(CallBase *CB) {
173
174 assert(Triple(CB->getModule()->getTargetTriple()).isOSWindows() &&
175 "Only applicable for Windows targets");
176 assert(CB->isIndirectCall() &&
177 "Control Flow Guard checks can only be added to indirect calls");
178
179 IRBuilder<> B(CB);
180 Value *CalledOperand = CB->getCalledOperand();
181
182 // If the indirect call is called within catchpad or cleanuppad,
183 // we need to copy "funclet" bundle of the call.
184 SmallVector<llvm::OperandBundleDef, 1> Bundles;
185 if (auto Bundle = CB->getOperandBundle(ID: LLVMContext::OB_funclet))
186 Bundles.push_back(Elt: OperandBundleDef(*Bundle));
187
188 // Load the global symbol as a pointer to the check function.
189 LoadInst *GuardCheckLoad = B.CreateLoad(Ty: GuardFnPtrType, Ptr: GuardFnGlobal);
190
191 // Create new call instruction. The CFGuard check should always be a call,
192 // even if the original CallBase is an Invoke or CallBr instruction.
193 CallInst *GuardCheck =
194 B.CreateCall(FTy: GuardFnType, Callee: GuardCheckLoad, Args: {CalledOperand}, OpBundles: Bundles);
195
196 // Ensure that the first argument is passed in the correct register
197 // (e.g. ECX on 32-bit X86 targets).
198 GuardCheck->setCallingConv(CallingConv::CFGuard_Check);
199}
200
201void CFGuardImpl::insertCFGuardDispatch(CallBase *CB) {
202
203 assert(Triple(CB->getModule()->getTargetTriple()).isOSWindows() &&
204 "Only applicable for Windows targets");
205 assert(CB->isIndirectCall() &&
206 "Control Flow Guard checks can only be added to indirect calls");
207
208 IRBuilder<> B(CB);
209 Value *CalledOperand = CB->getCalledOperand();
210 Type *CalledOperandType = CalledOperand->getType();
211
212 // Load the global as a pointer to a function of the same type.
213 LoadInst *GuardDispatchLoad = B.CreateLoad(Ty: CalledOperandType, Ptr: GuardFnGlobal);
214
215 // Add the original call target as a cfguardtarget operand bundle.
216 SmallVector<llvm::OperandBundleDef, 1> Bundles;
217 CB->getOperandBundlesAsDefs(Defs&: Bundles);
218 Bundles.emplace_back(Args: "cfguardtarget", Args&: CalledOperand);
219
220 // Create a copy of the call/invoke instruction and add the new bundle.
221 assert((isa<CallInst>(CB) || isa<InvokeInst>(CB)) &&
222 "Unknown indirect call type");
223 CallBase *NewCB = CallBase::Create(CB, Bundles, InsertPt: CB->getIterator());
224
225 // Change the target of the call to be the guard dispatch function.
226 NewCB->setCalledOperand(GuardDispatchLoad);
227
228 // Replace the original call/invoke with the new instruction.
229 CB->replaceAllUsesWith(V: NewCB);
230
231 // Delete the original call/invoke.
232 CB->eraseFromParent();
233}
234
235bool CFGuardImpl::doInitialization(Module &M) {
236
237 // Check if this module has the cfguard flag and read its value.
238 if (auto *MD =
239 mdconst::extract_or_null<ConstantInt>(MD: M.getModuleFlag(Key: "cfguard")))
240 cfguard_module_flag = MD->getZExtValue();
241
242 // Skip modules for which CFGuard checks have been disabled.
243 if (cfguard_module_flag != 2)
244 return false;
245
246 // Set up prototypes for the guard check and dispatch functions.
247 GuardFnType =
248 FunctionType::get(Result: Type::getVoidTy(C&: M.getContext()),
249 Params: {PointerType::getUnqual(C&: M.getContext())}, isVarArg: false);
250 GuardFnPtrType = PointerType::get(ElementType: GuardFnType, AddressSpace: 0);
251
252 GuardFnGlobal = M.getOrInsertGlobal(Name: GuardFnName, Ty: GuardFnPtrType, CreateGlobalCallback: [&] {
253 auto *Var = new GlobalVariable(M, GuardFnPtrType, false,
254 GlobalVariable::ExternalLinkage, nullptr,
255 GuardFnName);
256 Var->setDSOLocal(true);
257 return Var;
258 });
259
260 return true;
261}
262
263bool CFGuardImpl::runOnFunction(Function &F) {
264
265 // Skip modules for which CFGuard checks have been disabled.
266 if (cfguard_module_flag != 2)
267 return false;
268
269 SmallVector<CallBase *, 8> IndirectCalls;
270
271 // Iterate over the instructions to find all indirect call/invoke/callbr
272 // instructions. Make a separate list of pointers to indirect
273 // call/invoke/callbr instructions because the original instructions will be
274 // deleted as the checks are added.
275 for (BasicBlock &BB : F) {
276 for (Instruction &I : BB) {
277 auto *CB = dyn_cast<CallBase>(Val: &I);
278 if (CB && CB->isIndirectCall() && !CB->hasFnAttr(Kind: "guard_nocf")) {
279 IndirectCalls.push_back(Elt: CB);
280 CFGuardCounter++;
281 }
282 }
283 }
284
285 // If no checks are needed, return early.
286 if (IndirectCalls.empty()) {
287 return false;
288 }
289
290 // For each indirect call/invoke, add the appropriate dispatch or check.
291 if (GuardMechanism == Mechanism::Dispatch) {
292 for (CallBase *CB : IndirectCalls) {
293 insertCFGuardDispatch(CB);
294 }
295 } else {
296 for (CallBase *CB : IndirectCalls) {
297 insertCFGuardCheck(CB);
298 }
299 }
300
301 return true;
302}
303
304PreservedAnalyses CFGuardPass::run(Function &F, FunctionAnalysisManager &FAM) {
305 CFGuardImpl Impl(GuardMechanism);
306 bool Changed = Impl.doInitialization(M&: *F.getParent());
307 Changed |= Impl.runOnFunction(F);
308 return Changed ? PreservedAnalyses::none() : PreservedAnalyses::all();
309}
310
311char CFGuard::ID = 0;
312INITIALIZE_PASS(CFGuard, "CFGuard", "CFGuard", false, false)
313
314FunctionPass *llvm::createCFGuardCheckPass() {
315 return new CFGuard(CFGuardPass::Mechanism::Check);
316}
317
318FunctionPass *llvm::createCFGuardDispatchPass() {
319 return new CFGuard(CFGuardPass::Mechanism::Dispatch);
320}
321