This is an archive of the discontinued LLVM Phabricator instance.

Differential D3032

Implement NaCl sandboxing of function calls
ClosedPublic

Authored by sstankovic on Mar 10 2014, 2:00 PM.

Download Raw Diff

Details

Reviewers

mseaborn

Commits

rL203606: [mips] Implement NaCl sandboxing of function calls:

Summary

[mips] Implement NaCl sandboxing of function calls:

Add masking instructions before indirect calls (in MC layer).
Align call + branch delay to the bundle end (in MC layer).

Diff Detail

Event Timeline

mseaborn added inline comments.Mar 10 2014, 2:19 PM

lib/Target/Mips/MCTargetDesc/MipsNaClELFStreamer.cpp
45 ↗	(On Diff #7713)	Please comment these three fields. "Call" and "IsIndirectCall" are only defined if SandboxingCall is true -- so please comment that, and put SandboxingCall first.
46 ↗	(On Diff #7713)	Maybe something like "Pending" or "Saved" rather than "Sandboxing" would better suggest what's going on here?
166 ↗	(On Diff #7713)	Nit: drop the "else" to be consistent with the rest of the function -- it isn't needed if the "if" block returns.
167 ↗	(On Diff #7713)	Maybe comment this block: "Save up the call to emit after we see the branch delay instruction that follows"?
test/MC/Mips/nacl-mask.s
12 ↗	(On Diff #7713)	Is the reason for adding this that EmitBundleLock(true) complains if an alignment hasn't been set already? Or does the test work without adding this .align?

Patch is updated.

sstankovic added inline comments.Mar 11 2014, 8:01 AM

test/MC/Mips/nacl-mask.s
12 ↗	(On Diff #7713)	No, I added this because llvm-mc doesn't call AsmPrinter::runOnMachineFunction, which means that functions are not bundle-aligned. Test expects that function start is bundle-aligned.

LGTM, thanks

lib/Target/Mips/MCTargetDesc/MipsNaClELFStreamer.cpp
135 ↗	(On Diff #7744)	You could check PendingCall here (and for isIndirectJump above and isCall below) and report_fatal_error if it's set, since this would be an invalid instruction in the branch delay slot. Otherwise you might silently emit a mismatched bundle lock/unlock.
152 ↗	(On Diff #7744)	Nice simplification from the previous version.

Patch is updated.

Closed by commit rL203606 (authored by @sstankovic).

Revision Contents

Path

Size

llvm/

trunk/

lib/

Target/

Mips/

MCTargetDesc/

MipsNaClELFStreamer.cpp

58 lines

test/

MC/

Mips/

nacl-mask.s

66 lines

Diff 7757

llvm/trunk/lib/Target/Mips/MCTargetDesc/MipsNaClELFStreamer.cpp

//===-- MipsNaClELFStreamer.cpp - ELF Object Output for Mips NaCl ---------===//		//===-- MipsNaClELFStreamer.cpp - ELF Object Output for Mips NaCl ---------===//
//		//
// The LLVM Compiler Infrastructure		// The LLVM Compiler Infrastructure
//		//
// This file is distributed under the University of Illinois Open Source		// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.		// License. See LICENSE.TXT for details.
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
//		//
// This file implements MCELFStreamer for Mips NaCl. It emits .o object files		// This file implements MCELFStreamer for Mips NaCl. It emits .o object files
// as required by NaCl's SFI sandbox. It inserts address-masking instructions		// as required by NaCl's SFI sandbox. It inserts address-masking instructions
// before dangerous control-flow and memory access instructions. It inserts		// before dangerous control-flow and memory access instructions. It inserts
// address-masking instructions after instructions that change the stack		// address-masking instructions after instructions that change the stack
// pointer. It ensures that the mask and the dangerous instruction are always		// pointer. It ensures that the mask and the dangerous instruction are always
// emitted in the same bundle.		// emitted in the same bundle. It aligns call + branch delay to the bundle end,
		// so that return address is always aligned to the start of next bundle.
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

#define DEBUG_TYPE "mips-mc-nacl"		#define DEBUG_TYPE "mips-mc-nacl"

#include "Mips.h"		#include "Mips.h"
#include "MipsMCNaCl.h"		#include "MipsMCNaCl.h"
#include "llvm/MC/MCELFStreamer.h"		#include "llvm/MC/MCELFStreamer.h"

using namespace llvm;		using namespace llvm;

namespace {		namespace {

const unsigned IndirectBranchMaskReg = Mips::T6;		const unsigned IndirectBranchMaskReg = Mips::T6;
const unsigned LoadStoreStackMaskReg = Mips::T7;		const unsigned LoadStoreStackMaskReg = Mips::T7;

/// Extend the generic MCELFStreamer class so that it can mask dangerous		/// Extend the generic MCELFStreamer class so that it can mask dangerous
/// instructions.		/// instructions.

class MipsNaClELFStreamer : public MCELFStreamer {		class MipsNaClELFStreamer : public MCELFStreamer {
public:		public:
MipsNaClELFStreamer(MCContext &Context, MCAsmBackend &TAB, raw_ostream &OS,		MipsNaClELFStreamer(MCContext &Context, MCAsmBackend &TAB, raw_ostream &OS,
MCCodeEmitter *Emitter)		MCCodeEmitter *Emitter)
: MCELFStreamer(Context, TAB, OS, Emitter) {}		: MCELFStreamer(Context, TAB, OS, Emitter), PendingCall(false) {}

~MipsNaClELFStreamer() {}		~MipsNaClELFStreamer() {}

private:		private:
		// Whether we started the sandboxing sequence for calls. Calls are bundled
		// with branch delays and aligned to the bundle end.
		bool PendingCall;

bool isIndirectJump(const MCInst &MI) {		bool isIndirectJump(const MCInst &MI) {
return MI.getOpcode() == Mips::JR \|\| MI.getOpcode() == Mips::RET;		return MI.getOpcode() == Mips::JR \|\| MI.getOpcode() == Mips::RET;
}		}

bool isStackPointerFirstOperand(const MCInst &MI) {		bool isStackPointerFirstOperand(const MCInst &MI) {
return (MI.getNumOperands() > 0 && MI.getOperand(0).isReg()		return (MI.getNumOperands() > 0 && MI.getOperand(0).isReg()
&& MI.getOperand(0).getReg() == Mips::SP);		&& MI.getOperand(0).getReg() == Mips::SP);
}		}

		bool isCall(unsigned Opcode, bool *IsIndirectCall) {
		*IsIndirectCall = false;

		switch (Opcode) {
		default:
		return false;

		case Mips::JAL:
		case Mips::BAL_BR:
		case Mips::BLTZAL:
		case Mips::BGEZAL:
		return true;

		case Mips::JALR:
		*IsIndirectCall = true;
		return true;
		}
		}

void emitMask(unsigned AddrReg, unsigned MaskReg,		void emitMask(unsigned AddrReg, unsigned MaskReg,
const MCSubtargetInfo &STI) {		const MCSubtargetInfo &STI) {
MCInst MaskInst;		MCInst MaskInst;
MaskInst.setOpcode(Mips::AND);		MaskInst.setOpcode(Mips::AND);
MaskInst.addOperand(MCOperand::CreateReg(AddrReg));		MaskInst.addOperand(MCOperand::CreateReg(AddrReg));
MaskInst.addOperand(MCOperand::CreateReg(AddrReg));		MaskInst.addOperand(MCOperand::CreateReg(AddrReg));
MaskInst.addOperand(MCOperand::CreateReg(MaskReg));		MaskInst.addOperand(MCOperand::CreateReg(MaskReg));
MCELFStreamer::EmitInstruction(MaskInst, STI);		MCELFStreamer::EmitInstruction(MaskInst, STI);
Show All 32 Lines	private:
}		}

public:		public:
/// This function is the one used to emit instruction data into the ELF		/// This function is the one used to emit instruction data into the ELF
/// streamer. We override it to mask dangerous instructions.		/// streamer. We override it to mask dangerous instructions.
virtual void EmitInstruction(const MCInst &Inst, const MCSubtargetInfo &STI) {		virtual void EmitInstruction(const MCInst &Inst, const MCSubtargetInfo &STI) {
// Sandbox indirect jumps.		// Sandbox indirect jumps.
if (isIndirectJump(Inst)) {		if (isIndirectJump(Inst)) {
		if (PendingCall)
		report_fatal_error("Dangerous instruction in branch delay slot!");
sandboxIndirectJump(Inst, STI);		sandboxIndirectJump(Inst, STI);
return;		return;
}		}

// Sandbox loads, stores and SP changes.		// Sandbox loads, stores and SP changes.
unsigned AddrIdx;		unsigned AddrIdx;
bool IsStore;		bool IsStore;
bool IsMemAccess = isBasePlusOffsetMemoryAccess(Inst.getOpcode(), &AddrIdx,		bool IsMemAccess = isBasePlusOffsetMemoryAccess(Inst.getOpcode(), &AddrIdx,
&IsStore);		&IsStore);
bool IsSPFirstOperand = isStackPointerFirstOperand(Inst);		bool IsSPFirstOperand = isStackPointerFirstOperand(Inst);
if (IsMemAccess \|\| IsSPFirstOperand) {		if (IsMemAccess \|\| IsSPFirstOperand) {
		if (PendingCall)
		report_fatal_error("Dangerous instruction in branch delay slot!");

bool MaskBefore = (IsMemAccess		bool MaskBefore = (IsMemAccess
&& baseRegNeedsLoadStoreMask(Inst.getOperand(AddrIdx)		&& baseRegNeedsLoadStoreMask(Inst.getOperand(AddrIdx)
.getReg()));		.getReg()));
bool MaskAfter = IsSPFirstOperand && !IsStore;		bool MaskAfter = IsSPFirstOperand && !IsStore;
if (MaskBefore \|\| MaskAfter)		if (MaskBefore \|\| MaskAfter)
sandboxLoadStoreStackChange(Inst, AddrIdx, STI, MaskBefore, MaskAfter);		sandboxLoadStoreStackChange(Inst, AddrIdx, STI, MaskBefore, MaskAfter);
else		else
MCELFStreamer::EmitInstruction(Inst, STI);		MCELFStreamer::EmitInstruction(Inst, STI);
return;		return;
}		}

		// Sandbox calls by aligning call and branch delay to the bundle end.
		// For indirect calls, emit the mask before the call.
		bool IsIndirectCall;
		if (isCall(Inst.getOpcode(), &IsIndirectCall)) {
		if (PendingCall)
		report_fatal_error("Dangerous instruction in branch delay slot!");

		// Start the sandboxing sequence by emitting call.
		EmitBundleLock(true);
		if (IsIndirectCall) {
		unsigned TargetReg = Inst.getOperand(1).getReg();
		emitMask(TargetReg, IndirectBranchMaskReg, STI);
		}
		MCELFStreamer::EmitInstruction(Inst, STI);
		PendingCall = true;
		return;
		}
		if (PendingCall) {
		// Finish the sandboxing sequence by emitting branch delay.
		MCELFStreamer::EmitInstruction(Inst, STI);
		EmitBundleUnlock();
		PendingCall = false;
		return;
		}

// None of the sandboxing applies, just emit the instruction.		// None of the sandboxing applies, just emit the instruction.
MCELFStreamer::EmitInstruction(Inst, STI);		MCELFStreamer::EmitInstruction(Inst, STI);
}		}
};		};

} // end anonymous namespace		} // end anonymous namespace

namespace llvm {		namespace llvm {
▲ Show 20 Lines • Show All 68 Lines • Show Last 20 Lines

llvm/trunk/test/MC/Mips/nacl-mask.s

	# RUN: llvm-mc -filetype=obj -triple=mipsel-unknown-nacl %s \			# RUN: llvm-mc -filetype=obj -triple=mipsel-unknown-nacl %s \
	# RUN: \| llvm-objdump -triple mipsel -disassemble -no-show-raw-insn - \			# RUN: \| llvm-objdump -triple mipsel -disassemble -no-show-raw-insn - \
	# RUN: \| FileCheck %s			# RUN: \| FileCheck %s

	# This test tests that address-masking sandboxing is added when given assembly			# This test tests that address-masking sandboxing is added when given assembly
	# input.			# input.


	# Test that address-masking sandboxing is added before indirect branches and			# Test that address-masking sandboxing is added before indirect branches and
	# returns.			# returns.

				.align 4
	test1:			test1:
	.set noreorder			.set noreorder

	jr $a0			jr $a0
	nop			nop
	jr $ra			jr $ra
	nop			nop

	Show All 10 Lines

	# CHECK: and $ra, $ra, $14			# CHECK: and $ra, $ra, $14
	# CHECK-NEXT: jr $ra			# CHECK-NEXT: jr $ra



	# Test that address-masking sandboxing is added before load instructions.			# Test that address-masking sandboxing is added before load instructions.

				.align 4
	test2:			test2:
	.set noreorder			.set noreorder

	lb $4, 0($1)			lb $4, 0($1)
	nop			nop
	lbu $4, 0($2)			lbu $4, 0($2)
	lh $4, 0($3)			lh $4, 0($3)
	lhu $1, 0($4)			lhu $1, 0($4)
	▲ Show 20 Lines • Show All 53 Lines • ▼ Show 20 Lines
	# CHECK: lw $4, 0($sp)			# CHECK: lw $4, 0($sp)
	# CHECK-NOT: and			# CHECK-NOT: and
	# CHECK: lw $4, 0($24)			# CHECK: lw $4, 0($24)



	# Test that address-masking sandboxing is added before store instructions.			# Test that address-masking sandboxing is added before store instructions.

				.align 4
	test3:			test3:
	.set noreorder			.set noreorder

	sb $4, 0($1)			sb $4, 0($1)
	nop			nop
	sh $4, 0($2)			sh $4, 0($2)
	sw $4, 0($3)			sw $4, 0($3)
	swc1 $f0, 0($4)			swc1 $f0, 0($4)
	▲ Show 20 Lines • Show All 46 Lines • ▼ Show 20 Lines
	# CHECK-NOT: and			# CHECK-NOT: and
	# CHECK: sw $4, 0($24)			# CHECK: sw $4, 0($24)



	# Test that address-masking sandboxing is added after instructions that change			# Test that address-masking sandboxing is added after instructions that change
	# stack pointer.			# stack pointer.

				.align 4
	test4:			test4:
	.set noreorder			.set noreorder

	addiu $sp, $sp, 24			addiu $sp, $sp, 24
	nop			nop
	addu $sp, $sp, $1			addu $sp, $sp, $1
	lw $sp, 0($2)			lw $sp, 0($2)
	lw $sp, 123($sp)			lw $sp, 123($sp)
	Show All 35 Lines
	# CHECK-NEXT: and $sp, $sp, $15			# CHECK-NEXT: and $sp, $sp, $15

	# For stores where $sp is destination and base, check that mask is added neither			# For stores where $sp is destination and base, check that mask is added neither
	# before nor after.			# before nor after.

	# CHECK-NOT: and			# CHECK-NOT: and
	# CHECK: sw $sp, 123($sp)			# CHECK: sw $sp, 123($sp)
	# CHECK-NOT: and			# CHECK-NOT: and



				# Test that call + branch delay is aligned at bundle end. Test that mask is
				# added before indirect calls.

				.align 4
				test5:
				.set noreorder

				jal func1
				addiu $4, $zero, 1

				nop
				bal func2
				addiu $4, $zero, 2

				nop
				nop
				bltzal $t1, func3
				addiu $4, $zero, 3

				nop
				nop
				nop
				bgezal $t2, func4
				addiu $4, $zero, 4

				jalr $t9
				addiu $4, $zero, 5

				# CHECK-LABEL: test5:

				# CHECK-NEXT: nop
				# CHECK-NEXT: nop
				# CHECK-NEXT: jal
				# CHECK-NEXT: addiu $4, $zero, 1

				# CHECK-NEXT: nop
				# CHECK-NEXT: nop
				# CHECK-NEXT: bal
				# CHECK-NEXT: addiu $4, $zero, 2

				# CHECK-NEXT: nop
				# CHECK-NEXT: nop
				# CHECK-NEXT: bltzal
				# CHECK-NEXT: addiu $4, $zero, 3

				# CHECK-NEXT: nop
				# CHECK-NEXT: nop
				# CHECK-NEXT: nop
				# CHECK-NEXT: nop

				# CHECK-NEXT: nop
				# CHECK-NEXT: nop
				# CHECK-NEXT: bgezal
				# CHECK-NEXT: addiu $4, $zero, 4

				# CHECK-NEXT: nop
				# CHECK-NEXT: and $25, $25, $14
				# CHECK-NEXT: jalr $25
				# CHECK-NEXT: addiu $4, $zero, 5