diff --git a/clang/include/clang/AST/Decl.h b/clang/include/clang/AST/Decl.h --- a/clang/include/clang/AST/Decl.h +++ b/clang/include/clang/AST/Decl.h @@ -2839,6 +2839,7 @@ unsigned BitField : 1; unsigned Mutable : 1; mutable unsigned CachedFieldIndex : 30; + mutable unsigned OriginalFieldIndex : 30; /// The kinds of value we can store in InitializerOrBitWidth. /// @@ -2883,12 +2884,12 @@ protected: FieldDecl(Kind DK, DeclContext *DC, SourceLocation StartLoc, - SourceLocation IdLoc, IdentifierInfo *Id, - QualType T, TypeSourceInfo *TInfo, Expr *BW, bool Mutable, + SourceLocation IdLoc, IdentifierInfo *Id, QualType T, + TypeSourceInfo *TInfo, Expr *BW, bool Mutable, InClassInitStyle InitStyle) - : DeclaratorDecl(DK, DC, IdLoc, Id, T, TInfo, StartLoc), - BitField(false), Mutable(Mutable), CachedFieldIndex(0), - InitStorage(nullptr, (InitStorageKind) InitStyle) { + : DeclaratorDecl(DK, DC, IdLoc, Id, T, TInfo, StartLoc), BitField(false), + Mutable(Mutable), CachedFieldIndex(0), OriginalFieldIndex(0), + InitStorage(nullptr, (InitStorageKind)InitStyle) { if (BW) setBitWidth(BW); } @@ -2909,6 +2910,16 @@ /// as appropriate for passing to ASTRecordLayout::getFieldOffset. unsigned getFieldIndex() const; + /// For struct field reorg, this is the original index, 1-based, or + /// 0 if reorg did not happen. + unsigned getOriginalFieldIndex() const { return OriginalFieldIndex; } + + /// For struct field reorg, sets a 1-based index. + void setOriginalFieldIndex(unsigned Idx) { + assert(Idx && "Invalid original field index"); + OriginalFieldIndex = Idx; + } + /// Determines whether this field is mutable (C++ only). bool isMutable() const { return Mutable; } @@ -4051,6 +4062,10 @@ RecordDeclBits.ParamDestroyedInCallee = V; } + bool isRandomized() const { return RecordDeclBits.IsRandomized; } + + void setIsRandomized(bool V) const { RecordDeclBits.IsRandomized = V; } + /// Determines whether this declaration represents the /// injected class name. /// diff --git a/clang/include/clang/AST/DeclBase.h b/clang/include/clang/AST/DeclBase.h --- a/clang/include/clang/AST/DeclBase.h +++ b/clang/include/clang/AST/DeclBase.h @@ -55,6 +55,9 @@ class ObjCContainerDecl; class ObjCMethodDecl; struct PrintingPolicy; +namespace randstruct { +struct Randstruct; +} class RecordDecl; class SourceManager; class Stmt; @@ -1540,10 +1543,13 @@ /// Represents the way this type is passed to a function. uint64_t ArgPassingRestrictions : 2; + + /// Indicates whether this struct has had its field layout randomized. + mutable uint64_t IsRandomized : 1; }; /// Number of non-inherited bits in RecordDeclBitfields. - enum { NumRecordDeclBits = 14 }; + enum { NumRecordDeclBits = 15 }; /// Stores the bits used by OMPDeclareReductionDecl. /// If modified NumOMPDeclareReductionDeclBits and the accessor @@ -2324,6 +2330,10 @@ /// Checks whether a declaration is in this context. bool containsDecl(Decl *D) const; + /// Randomizes layout if it has the randomize_layout attribute. C-only + /// feature. + void maybeRandomizeLayout(RecordDecl *RD); + /// Checks whether a declaration is in this context. /// This also loads the Decls from the external source before the check. bool containsDeclAndLoad(Decl *D) const; diff --git a/clang/include/clang/AST/Randstruct.h b/clang/include/clang/AST/Randstruct.h new file mode 100644 --- /dev/null +++ b/clang/include/clang/AST/Randstruct.h @@ -0,0 +1,43 @@ +//===- Randstruct.h - Interfact for structure randomization -------*- C++ -*-=// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// +// +// This file contains the interface for Clang's structure field layout +// randomization. +// +//===----------------------------------------------------------------------===// + +#ifndef LLVM_CLANG_AST_RANDSTRUCT_H +#define LLVM_CLANG_AST_RANDSTRUCT_H + +#include + +namespace llvm { +template class SmallVectorImpl; +} // end namespace llvm + +namespace clang { + +class ASTContext; +class Decl; +class FieldDecl; +class RecordDecl; + +namespace randstruct { + +using llvm::SmallVectorImpl; + +extern std::string SEED; + +bool shouldRandomize(const ASTContext &Context, const RecordDecl *RD); +bool randomizeStructureLayout(const ASTContext &Context, const RecordDecl *RD, + SmallVectorImpl &FinalOrdering); + +} // namespace randstruct +} // namespace clang + +#endif // LLVM_CLANG_AST_RANDSTRUCT_H diff --git a/clang/include/clang/Basic/Attr.td b/clang/include/clang/Basic/Attr.td --- a/clang/include/clang/Basic/Attr.td +++ b/clang/include/clang/Basic/Attr.td @@ -3933,3 +3933,21 @@ let Subjects = SubjectList<[Function], ErrorDiag>; let Documentation = [ErrorAttrDocs]; } + +def RandomizeLayout : InheritableAttr { + let Spellings = [GCC<"randomize_layout">, Declspec<"randomize_layout">, + Keyword<"randomize_layout">]; + let Subjects = SubjectList<[Record]>; + let Documentation = [ClangRandstructDocs]; + let LangOpts = [COnly]; +} + +// The "no_randomize_layout" attribute isn't added to a Decl. Instead, it's +// used to drop the "randomize_layout" attribute. +def NoRandomizeLayout : InheritableAttr { + let Spellings = [GCC<"no_randomize_layout">, Declspec<"no_randomize_layout">, + Keyword<"no_randomize_layout">]; + let Subjects = SubjectList<[Record]>; + let Documentation = [ClangRandstructDocs]; + let LangOpts = [COnly]; +} diff --git a/clang/include/clang/Basic/AttrDocs.td b/clang/include/clang/Basic/AttrDocs.td --- a/clang/include/clang/Basic/AttrDocs.td +++ b/clang/include/clang/Basic/AttrDocs.td @@ -6346,3 +6346,17 @@ .. _Return-Oriented Programming: https://en.wikipedia.org/wiki/Return-oriented_programming }]; } + +def ClangRandstructDocs : Documentation { + let Category = DocCatVariable; + let Heading = "randomize_layout, no_randomize_layout"; + let Content = [{ +The attribute ``randomize_layout`` can be added to a record-type definition to +select it for structure layout field randomization; a compile-time hardening +technique. + +The attribute ``no_randomize_layout`` can be added to a record-type definition +to instruct the compiler that this structure should not have its field layout +randomized. + }]; +} diff --git a/clang/include/clang/Basic/DiagnosticDriverKinds.td b/clang/include/clang/Basic/DiagnosticDriverKinds.td --- a/clang/include/clang/Basic/DiagnosticDriverKinds.td +++ b/clang/include/clang/Basic/DiagnosticDriverKinds.td @@ -165,6 +165,8 @@ "invalid argument '-mno-amdgpu-ieee' only allowed with relaxed NaN handling">; def err_drv_argument_not_allowed_with : Error< "invalid argument '%0' not allowed with '%1'">; +def err_drv_cannot_open_randstruct_seed_filename : Error< + "cannot read randstruct seed file '%0'">; def err_drv_invalid_version_number : Error< "invalid version number in '%0'">; def err_drv_no_linker_llvm_support : Error< diff --git a/clang/include/clang/Basic/DiagnosticSemaKinds.td b/clang/include/clang/Basic/DiagnosticSemaKinds.td --- a/clang/include/clang/Basic/DiagnosticSemaKinds.td +++ b/clang/include/clang/Basic/DiagnosticSemaKinds.td @@ -11528,4 +11528,7 @@ "builtin requires at least one of the following extensions support to be enabled : %0">; def err_riscv_builtin_invalid_lmul : Error< "LMUL argument must be in the range [0,3] or [5,7]">; + +def cast_from_randomized_struct : Error< + "casting between randomized structure pointer types %0 and %1">; } // end of sema component. diff --git a/clang/include/clang/Driver/Options.td b/clang/include/clang/Driver/Options.td --- a/clang/include/clang/Driver/Options.td +++ b/clang/include/clang/Driver/Options.td @@ -2114,6 +2114,14 @@ def fmessage_length_EQ : Joined<["-"], "fmessage-length=">, Group, Flags<[CC1Option]>, HelpText<"Format message diagnostics so that they fit within N columns">, MarshallingInfoInt>; +def frandstruct_seed_EQ + : Joined<["-"], "frandstruct-seed=">, + Group, + Flags<[CC1Option, CoreOption]>; +def frandstruct_seed_filename_EQ + : Joined<["-"], "frandstruct-seed-filename=">, + Group, + Flags<[CC1Option, CoreOption]>; def fms_compatibility : Flag<["-"], "fms-compatibility">, Group, Flags<[CC1Option, CoreOption]>, HelpText<"Enable full Microsoft Visual C++ compatibility">, MarshallingInfoFlag>; diff --git a/clang/lib/AST/CMakeLists.txt b/clang/lib/AST/CMakeLists.txt --- a/clang/lib/AST/CMakeLists.txt +++ b/clang/lib/AST/CMakeLists.txt @@ -97,6 +97,7 @@ ParentMap.cpp PrintfFormatString.cpp QualTypeNames.cpp + Randstruct.cpp RawCommentList.cpp RecordLayout.cpp RecordLayoutBuilder.cpp diff --git a/clang/lib/AST/Decl.cpp b/clang/lib/AST/Decl.cpp --- a/clang/lib/AST/Decl.cpp +++ b/clang/lib/AST/Decl.cpp @@ -30,6 +30,7 @@ #include "clang/AST/ODRHash.h" #include "clang/AST/PrettyDeclStackTrace.h" #include "clang/AST/PrettyPrinter.h" +#include "clang/AST/Randstruct.h" #include "clang/AST/Redeclarable.h" #include "clang/AST/Stmt.h" #include "clang/AST/TemplateBase.h" @@ -4569,6 +4570,7 @@ setHasNonTrivialToPrimitiveCopyCUnion(false); setParamDestroyedInCallee(false); setArgPassingRestrictions(APK_CanPassInRegs); + setIsRandomized(false); } RecordDecl *RecordDecl::Create(const ASTContext &C, TagKind TK, DeclContext *DC, @@ -4577,6 +4579,7 @@ RecordDecl *R = new (C, DC) RecordDecl(Record, TK, C, DC, StartLoc, IdLoc, Id, PrevDecl); R->setMayHaveOutOfDateDef(C.getLangOpts().Modules); + DC->maybeRandomizeLayout(R); C.getTypeDeclType(R, PrevDecl); return R; diff --git a/clang/lib/AST/DeclBase.cpp b/clang/lib/AST/DeclBase.cpp --- a/clang/lib/AST/DeclBase.cpp +++ b/clang/lib/AST/DeclBase.cpp @@ -25,6 +25,7 @@ #include "clang/AST/DeclTemplate.h" #include "clang/AST/DependentDiagnostic.h" #include "clang/AST/ExternalASTSource.h" +#include "clang/AST/Randstruct.h" #include "clang/AST/Stmt.h" #include "clang/AST/Type.h" #include "clang/Basic/IdentifierTable.h" @@ -1582,6 +1583,26 @@ makeDeclVisibleInContextWithFlags(ND, true, true); } +void DeclContext::maybeRandomizeLayout(RecordDecl *RD) { + SmallVector FinalOrdering; + if (!randstruct::randomizeStructureLayout(getParentASTContext(), RD, + FinalOrdering)) + return; + + // Fix the linked list so that the fields correctly point to each other. + for (Decl *D : FinalOrdering) { + if (LastDecl) + LastDecl->NextInContextAndBits.setPointer(D); + else + FirstDecl = D; + + LastDecl = D; + LastDecl->NextInContextAndBits.setPointer(nullptr); + } + + RD->setIsRandomized(true); +} + /// buildLookup - Build the lookup data structure with all of the /// declarations in this DeclContext (and any other contexts linked /// to it or transparent contexts nested within it) and return it. diff --git a/clang/lib/AST/Randstruct.cpp b/clang/lib/AST/Randstruct.cpp new file mode 100644 --- /dev/null +++ b/clang/lib/AST/Randstruct.cpp @@ -0,0 +1,219 @@ +//===--- Randstruct.cpp ---------------------------------------------------===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// +// +// This file contains the implementation for Clang's structure field layout +// randomization. +// +//===----------------------------------------------------------------------===// + +#include "clang/AST/Randstruct.h" +#include "clang/AST/ASTContext.h" +#include "clang/AST/ASTDiagnostic.h" +#include "clang/AST/Attr.h" +#include "clang/Basic/Diagnostic.h" +#include "llvm/ADT/SmallVector.h" + +#include +#include +#include +#include +#include + +namespace clang { +namespace randstruct { + +std::string SEED; + +// FIXME: Replace this with some discovery once that mechanism exists. +enum { CACHE_LINE = 64 }; + +// The Bucket class holds the struct fields we're trying to fill to a +// cache-line. +class Bucket { + SmallVector Fields; + int Size = 0; + +public: + virtual ~Bucket() = default; + + SmallVector &fields() { return Fields; } + void addField(FieldDecl *Field, int FieldSize); + virtual bool canFit(int FieldSize) const { + return Size + FieldSize <= CACHE_LINE; + } + virtual bool isBitfieldRun() const { return false; } + bool full() const { return Size >= CACHE_LINE; } +}; + +void Bucket::addField(FieldDecl *Field, int FieldSize) { + Size += FieldSize; + Fields.push_back(Field); +} + +struct BitfieldRunBucket : public Bucket { + bool canFit(int FieldSize) const override { return true; } + bool isBitfieldRun() const override { return true; } +}; + +bool shouldRandomize(const ASTContext &Context, const RecordDecl *RD) { + return Context.getLangOpts().C99 && !SEED.empty() && !RD->field_empty() && + !RD->isUnion() && RD->hasAttr(); +} + +void randomizeStructureLayoutImpl(const ASTContext &Context, + SmallVectorImpl &FieldsOut, + std::mt19937 &RNG) { + // All of the Buckets produced by best-effort cache-line algorithm. + // TODO: Figure out a better initial size. + SmallVector, 16> Buckets; + + // The current bucket of fields that we are trying to fill to a cache-line. + std::unique_ptr CurrentBucket = nullptr; + + // The current bucket containing the run of adjacent bitfields to ensure they + // remain adjacent. + std::unique_ptr CurrentBitfieldRun = nullptr; + + // Tracks the number of fields that we failed to fit to the current bucket, + // and thus still need to be added later. + size_t Skipped = 0; + + while (!FieldsOut.empty()) { + // If we've Skipped more fields than we have remaining to place, that means + // that they can't fit in our current bucket, and we need to start a new + // one. + if (Skipped >= FieldsOut.size()) { + Skipped = 0; + Buckets.push_back(std::move(CurrentBucket)); + } + + // Take the first field that needs to be put in a bucket. + auto FieldIter = FieldsOut.begin(); + FieldDecl *FD = *FieldIter; + + if (FD->isBitField() && !FD->isZeroLengthBitField(Context)) { + // Start a bitfield run if this is the first bitfield we have found. + if (!CurrentBitfieldRun) + CurrentBitfieldRun = std::make_unique(); + + // We've placed the field, and can remove it from the "awaiting Buckets" + // vector called "Fields." + CurrentBitfieldRun->addField(FD, /*FieldSize is irrelevant here*/ 1); + FieldsOut.erase(FieldIter); + continue; + } + + // Else, current field is not a bitfield. If we were previously in a + // bitfield run, end it. + if (CurrentBitfieldRun) + Buckets.push_back(std::move(CurrentBitfieldRun)); + + // If we don't have a bucket, make one. + if (!CurrentBucket) + CurrentBucket = std::make_unique(); + + uint64_t Width = Context.getTypeInfo(FD->getType()).Width; + if (Width >= randstruct::CACHE_LINE) { + std::unique_ptr OverSized = + std::make_unique(); + OverSized->addField(FD, Width); + FieldsOut.erase(FieldIter); + Buckets.push_back(std::move(OverSized)); + continue; + } + + // If it fits, add it. + if (CurrentBucket->canFit(Width)) { + CurrentBucket->addField(FD, Width); + FieldsOut.erase(FieldIter); + + // If it's now full, tie off the bucket. + if (CurrentBucket->full()) { + Skipped = 0; + Buckets.push_back(std::move(CurrentBucket)); + } + } else { + // We can't fit it in our current bucket. Move to the end for processing + // later. + ++Skipped; // Mark it skipped. + FieldsOut.push_back(FD); + FieldsOut.erase(FieldIter); + } + } + + // Done processing the fields awaiting a bucket. + + // If we were filling a bucket, tie it off. + if (CurrentBucket) + Buckets.push_back(std::move(CurrentBucket)); + + // If we were processing a bitfield run bucket, tie it off. + if (CurrentBitfieldRun) + Buckets.push_back(std::move(CurrentBitfieldRun)); + + std::shuffle(std::begin(Buckets), std::end(Buckets), RNG); + + // Produce the new ordering of the elements from the Buckets. + SmallVector FinalOrder; + for (const std::unique_ptr &B : Buckets) { + SmallVectorImpl &RandFields = B->fields(); + if (!B->isBitfieldRun()) + std::shuffle(std::begin(RandFields), std::end(RandFields), RNG); + + FinalOrder.insert(FinalOrder.end(), RandFields.begin(), RandFields.end()); + } + + FieldsOut = FinalOrder; +} + +bool randomizeStructureLayout(const ASTContext &Context, const RecordDecl *RD, + SmallVectorImpl &FinalOrdering) { + SmallVector RandomizedFields; + unsigned Index = 1; + unsigned TotalNumFields = 0; + for (Decl *D : RD->decls()) { + ++TotalNumFields; + if (auto FD = dyn_cast(D)) { + FD->setOriginalFieldIndex(Index++); + RandomizedFields.push_back(FD); + } else { + FinalOrdering.push_back(D); + } + } + + if (RandomizedFields.empty()) + return false; + + // Struct might end with a variable-length array or an array of size 0 or 1, + // in which case we don't want to randomize it. + FieldDecl *VLA = nullptr; + const auto *CA = + dyn_cast(RandomizedFields.back()->getType()); + if ((CA && (CA->getSize().sle(2) || CA->isIncompleteArrayType())) || + RD->hasFlexibleArrayMember()) + VLA = RandomizedFields.pop_back_val(); + + std::string Seed = SEED + RD->getNameAsString(); + std::seed_seq SeedSeq(Seed.begin(), Seed.end()); + std::mt19937 RNG(SeedSeq); + + randomizeStructureLayoutImpl(Context, RandomizedFields, RNG); + if (VLA) + RandomizedFields.push_back(VLA); + + FinalOrdering.insert(FinalOrdering.end(), RandomizedFields.begin(), + RandomizedFields.end()); + + assert(TotalNumFields == FinalOrdering.size() && + "Decl count has been altered after Randstruct randomization!"); + + return true; +} + +} // end namespace randstruct +} // end namespace clang diff --git a/clang/lib/AST/RecordLayoutBuilder.cpp b/clang/lib/AST/RecordLayoutBuilder.cpp --- a/clang/lib/AST/RecordLayoutBuilder.cpp +++ b/clang/lib/AST/RecordLayoutBuilder.cpp @@ -14,8 +14,9 @@ #include "clang/AST/DeclCXX.h" #include "clang/AST/DeclObjC.h" #include "clang/AST/Expr.h" -#include "clang/AST/VTableBuilder.h" +#include "clang/AST/Randstruct.h" #include "clang/AST/RecordLayout.h" +#include "clang/AST/VTableBuilder.h" #include "clang/Basic/TargetInfo.h" #include "llvm/ADT/SmallSet.h" #include "llvm/Support/Format.h" diff --git a/clang/lib/Driver/ToolChains/Clang.cpp b/clang/lib/Driver/ToolChains/Clang.cpp --- a/clang/lib/Driver/ToolChains/Clang.cpp +++ b/clang/lib/Driver/ToolChains/Clang.cpp @@ -5870,6 +5870,14 @@ CmdArgs.push_back( Args.MakeArgString("-fmessage-length=" + Twine(MessageLength))); + if (Arg *A = Args.getLastArg(options::OPT_frandstruct_seed_EQ)) + CmdArgs.push_back( + Args.MakeArgString("-frandstruct-seed=" + Twine(A->getValue(0)))); + + if (Arg *A = Args.getLastArg(options::OPT_frandstruct_seed_filename_EQ)) + CmdArgs.push_back(Args.MakeArgString("-frandstruct-seed-filename=" + + Twine(A->getValue(0)))); + // -fvisibility= and -fvisibility-ms-compat are of a piece. if (const Arg *A = Args.getLastArg(options::OPT_fvisibility_EQ, options::OPT_fvisibility_ms_compat)) { diff --git a/clang/lib/Frontend/CompilerInvocation.cpp b/clang/lib/Frontend/CompilerInvocation.cpp --- a/clang/lib/Frontend/CompilerInvocation.cpp +++ b/clang/lib/Frontend/CompilerInvocation.cpp @@ -8,6 +8,7 @@ #include "clang/Frontend/CompilerInvocation.h" #include "TestModuleFileExtension.h" +#include "clang/AST/Randstruct.h" #include "clang/Basic/Builtins.h" #include "clang/Basic/CharInfo.h" #include "clang/Basic/CodeGenOptions.h" @@ -94,6 +95,7 @@ #include #include #include +#include #include #include #include @@ -2695,6 +2697,20 @@ Opts.ProgramAction = frontend::PluginAction; Opts.ActionName = A->getValue(); } + + if (const Arg *A = Args.getLastArg(OPT_frandstruct_seed_filename_EQ)) { + std::ifstream SeedFile(A->getValue(0)); + + if (!SeedFile.is_open()) + Diags.Report(diag::err_drv_cannot_open_randstruct_seed_filename) + << A->getValue(0); + + std::getline(SeedFile, randstruct::SEED); + } + + if (const Arg *A = Args.getLastArg(OPT_frandstruct_seed_EQ)) + randstruct::SEED = A->getValue(0); + for (const auto *AA : Args.filtered(OPT_plugin_arg)) Opts.PluginArgs[AA->getValue(0)].emplace_back(AA->getValue(1)); diff --git a/clang/lib/Sema/AnalysisBasedWarnings.cpp b/clang/lib/Sema/AnalysisBasedWarnings.cpp --- a/clang/lib/Sema/AnalysisBasedWarnings.cpp +++ b/clang/lib/Sema/AnalysisBasedWarnings.cpp @@ -19,6 +19,7 @@ #include "clang/AST/ExprCXX.h" #include "clang/AST/ExprObjC.h" #include "clang/AST/ParentMap.h" +#include "clang/AST/Randstruct.h" #include "clang/AST/RecursiveASTVisitor.h" #include "clang/AST/StmtCXX.h" #include "clang/AST/StmtObjC.h" @@ -2140,6 +2141,53 @@ } // namespace consumed } // namespace clang +//===----------------------------------------------------------------------===// +// Checking for bad casts from randomize structs +//===----------------------------------------------------------------------===// + +namespace clang { +namespace randstruct { +namespace { +class BadCastsASTWalk : public RecursiveASTVisitor { + Sema &S; + +public: + BadCastsASTWalk(Sema &S) : S(S){}; + + bool VisitCastExpr(const CastExpr *E) { + if (E->getCastKind() != CK_BitCast) + return true; + + if (const auto *SubExpr = dyn_cast(E->getSubExpr())) { + CanQualType ExprTy = S.Context.getCanonicalType(E->getType()); + CanQualType SubExprTy = S.Context.getCanonicalType(SubExpr->getType()); + + if (isa(ExprTy) && isa(SubExprTy)) { + const QualType CastTy = cast(ExprTy)->getPointeeType(); + const QualType BaseTy = cast(SubExprTy)->getPointeeType(); + + const RecordDecl *CastRD = CastTy->getAsRecordDecl(); + const RecordDecl *BaseRD = BaseTy->getAsRecordDecl(); + + if (CastRD && BaseRD && CastRD != BaseRD && BaseRD->isRandomized()) + // The struct we are casting the pointer from was randomized. + S.Diag(E->getExprLoc(), diag::cast_from_randomized_struct) + << CastRD << BaseRD; + } + } + + return true; + } +}; + +void checkForBadCasts(Sema &S, AnalysisDeclContext &AC) { + BadCastsASTWalk walker(S); + walker.TraverseStmt(AC.getBody()); +} +} // anonymous namespace +} // namespace randstruct +} // namespace clang + //===----------------------------------------------------------------------===// // AnalysisBasedWarnings - Worker object used by Sema to execute analysis-based // warnings on a function, method, or block. @@ -2451,6 +2499,9 @@ ++NumFunctionsWithBadCFGs; } } + + // FIXME: Any way to get a handle to a RecordDecl struct here? + clang::randstruct::checkForBadCasts(S, AC); } void clang::sema::AnalysisBasedWarnings::PrintStats() const { diff --git a/clang/lib/Sema/SemaDeclAttr.cpp b/clang/lib/Sema/SemaDeclAttr.cpp --- a/clang/lib/Sema/SemaDeclAttr.cpp +++ b/clang/lib/Sema/SemaDeclAttr.cpp @@ -8547,6 +8547,13 @@ case ParsedAttr::AT_Section: handleSectionAttr(S, D, AL); break; + case ParsedAttr::AT_RandomizeLayout: + handleSimpleAttribute(S, D, AL); + break; + case ParsedAttr::AT_NoRandomizeLayout: + // Drop the "randomize_layout" attribute if it's on the decl. + D->dropAttr(); + break; case ParsedAttr::AT_CodeSeg: handleCodeSegAttr(S, D, AL); break; diff --git a/clang/test/Misc/pragma-attribute-supported-attributes-list.test b/clang/test/Misc/pragma-attribute-supported-attributes-list.test --- a/clang/test/Misc/pragma-attribute-supported-attributes-list.test +++ b/clang/test/Misc/pragma-attribute-supported-attributes-list.test @@ -104,6 +104,7 @@ // CHECK-NEXT: NoMicroMips (SubjectMatchRule_function) // CHECK-NEXT: NoMips16 (SubjectMatchRule_function) // CHECK-NEXT: NoProfileFunction (SubjectMatchRule_function) +// CHECK-NEXT: NoRandomizeLayout (SubjectMatchRule_record) // CHECK-NEXT: NoSanitize (SubjectMatchRule_function, SubjectMatchRule_objc_method, SubjectMatchRule_variable_is_global) // CHECK-NEXT: NoSanitizeSpecific (SubjectMatchRule_function, SubjectMatchRule_variable_is_global) // CHECK-NEXT: NoSpeculativeLoadHardening (SubjectMatchRule_function, SubjectMatchRule_objc_method) @@ -148,6 +149,7 @@ // CHECK-NEXT: PassObjectSize (SubjectMatchRule_variable_is_parameter) // CHECK-NEXT: PatchableFunctionEntry (SubjectMatchRule_function, SubjectMatchRule_objc_method) // CHECK-NEXT: Pointer (SubjectMatchRule_record_not_is_union) +// CHECK-NEXT: RandomizeLayout (SubjectMatchRule_record) // CHECK-NEXT: ReleaseHandle (SubjectMatchRule_variable_is_parameter) // CHECK-NEXT: RenderScriptKernel (SubjectMatchRule_function) // CHECK-NEXT: ReqdWorkGroupSize (SubjectMatchRule_function) diff --git a/clang/unittests/AST/CMakeLists.txt b/clang/unittests/AST/CMakeLists.txt --- a/clang/unittests/AST/CMakeLists.txt +++ b/clang/unittests/AST/CMakeLists.txt @@ -25,6 +25,7 @@ EvaluateAsRValueTest.cpp ExternalASTSourceTest.cpp NamedDeclPrinterTest.cpp + RandstructTest.cpp RecursiveASTVisitorTest.cpp SizelessTypesTest.cpp SourceLocationTest.cpp diff --git a/clang/unittests/AST/RandstructTest.cpp b/clang/unittests/AST/RandstructTest.cpp new file mode 100644 --- /dev/null +++ b/clang/unittests/AST/RandstructTest.cpp @@ -0,0 +1,457 @@ +//===- unittest/AST/RandstructTest.cpp ------------------------------------===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// +// +// This file contains tests for Clang's structure field layout randomization. +// +//===----------------------------------------------------------------------===// + +/* + * Build this test suite by running `make ASTTests` in the build folder. + * + * Run this test suite by running the following in the build folder: + * ` ./tools/clang/unittests/AST/ASTTests + * --gtest_filter=StructureLayoutRandomization*` + */ + +#include "clang/AST/Randstruct.h" +#include "gtest/gtest.h" + +#include "DeclMatcher.h" +#include "clang/AST/RecordLayout.h" +#include "clang/ASTMatchers/ASTMatchers.h" +#include "clang/Frontend/ASTUnit.h" +#include "clang/Testing/CommandLineArgs.h" +#include "clang/Tooling/Tooling.h" + +#include + +using namespace clang::randstruct; + +namespace clang { +namespace ast_matchers { + +static std::unique_ptr makeAST(const std::string &SourceCode, + TestLanguage Lang) { + std::vector Args = getCommandLineArgsForTesting(Lang); + Args.push_back("-frandstruct-seed=1234567890abcdef"); + return tooling::buildASTFromCodeWithArgs(SourceCode, Args, "input.cc"); +} + +static RecordDecl *getRecordDeclFromAST(const ASTContext &C, + const std::string &Name) { + return FirstDeclMatcher().match(C.getTranslationUnitDecl(), + recordDecl(hasName(Name))); +} + +static std::vector getFieldNamesFromRecord(const RecordDecl *RD) { + std::vector Fields; + Fields.reserve(8); + for (auto *Field : RD->fields()) + Fields.push_back(Field->getNameAsString()); + return Fields; +} + +static bool isSubsequence(const std::vector &Seq, + const std::vector &Subseq) { + const auto SeqLen = Seq.size(); + const auto SubLen = Subseq.size(); + + auto IsSubseq = false; + for (auto I = 0u; I < SeqLen; ++I) { + if (Seq[I] == Subseq[0]) { + IsSubseq = true; + for (auto J = 0u; J + I < SeqLen && J < SubLen; ++J) { + if (Seq[J + I] != Subseq[J]) { + IsSubseq = false; + break; + } + } + } + } + return IsSubseq; +} + +#define RANDSTRUCT_TEST_SUITE_TEST StructureLayoutRandomizationTestSuiteTest + +TEST(RANDSTRUCT_TEST_SUITE_TEST, CanDetermineIfSubsequenceExists) { + const std::vector S0 = {"a", "b", "c", "d"}; + ASSERT_TRUE(isSubsequence(S0, {"b", "c"})); + ASSERT_TRUE(isSubsequence(S0, {"a", "b", "c", "d"})); + ASSERT_TRUE(isSubsequence(S0, {"b", "c", "d"})); + ASSERT_TRUE(isSubsequence(S0, {"a"})); + ASSERT_FALSE(isSubsequence(S0, {"a", "d"})); +} + +#define RANDSTRUCT_TEST StructureLayoutRandomization + +TEST(RANDSTRUCT_TEST, UnmarkedStructuresAreNotRandomized) { + std::string Code = + R"( + struct dont_randomize_me { + int potato; + float tomato; + long cabbage; + }; + )"; + + const auto AST = makeAST(Code, Lang_C99); + const auto *RD = + getRecordDeclFromAST(AST->getASTContext(), "dont_randomize_me"); + const std::vector Expected = {"potato", "tomato", "cabbage"}; + const std::vector Actual = getFieldNamesFromRecord(RD); + + ASSERT_EQ(Expected, Actual); +} + +TEST(RANDSTRUCT_TEST, StructuresCanBeMarkedWithRandomizeLayoutAttr) { + std::string Code = + R"( + struct marked { + int bacon; + long lettuce; + } __attribute__((randomize_layout)); + + struct not_marked { + double cookies; + }; + )"; + + const auto AST = makeAST(Code, Lang_C99); + const auto *RD0 = getRecordDeclFromAST(AST->getASTContext(), "marked"); + const auto *RD1 = getRecordDeclFromAST(AST->getASTContext(), "not_marked"); + + ASSERT_FALSE(RD0->getAttr()); + ASSERT_FALSE(RD1->getAttr()); +} + +TEST(RANDSTRUCT_TEST, StructuresCanBeMarkedWithNoRandomizeLayoutAttr) { + std::string Code = + R"( + struct marked { + int bacon; + long lettuce; + } __attribute__((no_randomize_layout)); + + struct not_marked { + double cookies; + }; + )"; + + const auto AST = makeAST(Code, Lang_C99); + const auto *RD0 = getRecordDeclFromAST(AST->getASTContext(), "marked"); + const auto *RD1 = getRecordDeclFromAST(AST->getASTContext(), "not_marked"); + + ASSERT_FALSE(RD0->getAttr()); + ASSERT_FALSE(RD1->getAttr()); +} + +TEST(RANDSTRUCT_TEST, + StructuresCanBeMarkedWithAlternatingRandomizeLayoutAttrs) { + std::string Code = + R"( + struct randomize { + int bacon; + long lettuce; + } __attribute__((no_randomize_layout)) __attribute__((randomize_layout)); + + struct no_randomize { + double cookies; + } __attribute__((randomize_layout)) __attribute__((no_randomize_layout)); + )"; + + const auto AST = makeAST(Code, Lang_C99); + const auto *RD0 = getRecordDeclFromAST(AST->getASTContext(), "randomize"); + const auto *RD1 = getRecordDeclFromAST(AST->getASTContext(), "no_randomize"); + + ASSERT_TRUE(RD0->getAttr()); + ASSERT_FALSE(RD1->getAttr()); +} + +TEST(RANDSTRUCT_TEST, StructuresLayoutFieldLocationsCanBeRandomized) { + std::string Code = + R"( + struct test_struct { + int a; + int b; + int c; + int d; + int e; + int f; + }; + )"; + + const auto AST = makeAST(Code, Lang_C99); + const auto *RD = getRecordDeclFromAST(AST->getASTContext(), "test_struct"); + SmallVector FinalOrdering; + randomizeStructureLayout(AST->getASTContext(), RD, FinalOrdering); + + const std::vector Before = {"a", "b", "c", "d", "e", "f"}; + std::vector After; + for (const Decl *D : FinalOrdering) + if (const auto FD = dyn_cast(D)) + After.push_back(FD->getNameAsString()); + + // FIXME: Could this be a brittle test? Planning on having a separate unit + // test for reproducible randomizations with seed. + ASSERT_NE(Before, After); +} + +TEST(RANDSTRUCT_TEST, + StructuresMarkedWithNoRandomizeLayoutShouldBeRejectedAndUnchanged) { + std::string Code = + R"( + struct test_struct { + int a; + int b; + int c; + int d; + int e; + int f; + } __attribute__((no_randomize_layout)); + )"; + + const auto AST = makeAST(Code, Lang_C99); + const auto *RD = getRecordDeclFromAST(AST->getASTContext(), "test_struct"); + + ASSERT_FALSE(randstruct::shouldRandomize(AST->getASTContext(), RD)); +} + +// FIXME: Clang trips an assertion in the DiagnosticsEngine when the warning is +// emitted while running under the test suite: +// clang/lib/Frontend/TextDiagnosticPrinter.cpp:150: virtual void +// clang::TextDiagnosticPrinter::HandleDiagnostic(clang::DiagnosticsEngine::Level, +// const clang::Diagnostic&): Assertion `TextDiag && "UnExpected diagnostic +// outside source file processing"' failed. +// +// Although the test *technically* is marked as pass; outside of the test suite +// this functionality works and no assertion is tripped. +TEST( + RANDSTRUCT_TEST, + DISABLED_EmitWarningWhenStructureIsMarkedWithBothRandomizeAndNoRandomizeAttributes) { + std::string Code = + R"( + struct test_struct { + int a; + int b; + int c; + } __attribute__((no_randomize_layout)) __attribute__((randomize_layout)); + )"; + + const auto AST = makeAST(Code, Lang_C99); + ASSERT_EQ(AST->getASTContext().getDiagnostics().getNumWarnings(), 1UL); +} + +TEST(RANDSTRUCT_TEST, + DISABLED_StructureMarkedWithBothAttributesRemainsUnchanged) { + std::string Code = + R"( + struct test_struct { + int a; + int b; + int c; + } __attribute__((no_randomize_layout)) __attribute__((randomize_layout)); + )"; + + const auto AST = makeAST(Code, Lang_C99); + const auto *RD = getRecordDeclFromAST(AST->getASTContext(), "test_struct"); + + // FIXME getASTRecordLayout isn't the function we're testing here, it just + // happens to be the place where Randstruct makes a decision and then proceeds + // with that decision. I wonder if this is better as an integration test + // somehow. + static_cast(AST->getASTContext().getASTRecordLayout(RD)); + + const std::vector Expected = {"a", "b", "c"}; + const std::vector Actual = getFieldNamesFromRecord(RD); + + ASSERT_EQ(Expected, Actual); +} + +// End of FIXME regarding DiagnosticsEngine assertion tests. + +TEST(RANDSTRUCT_TEST, AdjacentBitfieldsRemainAdjacentAfterRandomization) { + std::string Code = + R"( + struct test_struct { + int a; + int b; + int x : 1; + int y : 1; + int z : 1; + int c; + } __attribute__((randomize_layout)); + )"; + + const auto AST = makeAST(Code, Lang_C99); + const auto *RD = getRecordDeclFromAST(AST->getASTContext(), "test_struct"); + SmallVector FinalOrdering; + randomizeStructureLayout(AST->getASTContext(), RD, FinalOrdering); + std::vector Actual; + for (const Decl *D : FinalOrdering) + if (const auto FD = dyn_cast(D)) + Actual.push_back(FD->getNameAsString()); + + const std::vector Subseq = {"x", "y", "z"}; + + ASSERT_TRUE(isSubsequence(Actual, Subseq)); +} + +TEST(RANDSTRUCT_TEST, VariableLengthArrayMemberRemainsAtEndOfStructure) { + std::string Code = + R"( + struct test_struct { + int a; + double b; + short c; + char name[]; + }; + )"; + + const auto AST = makeAST(Code, Lang_C99); + const auto *RD = getRecordDeclFromAST(AST->getASTContext(), "test_struct"); + SmallVector FinalOrdering; + randomizeStructureLayout(AST->getASTContext(), RD, FinalOrdering); + + std::vector Fields; + for (const Decl *D : FinalOrdering) + if (const auto FD = dyn_cast(D)) + Fields.push_back(FD->getNameAsString()); + + const auto VLA = std::find(Fields.begin(), Fields.end(), "name"); + ASSERT_TRUE(VLA + 1 == Fields.end()); +} + +TEST(RANDSTRUCT_TEST, RandstructDoesNotOverrideThePackedAttr) { + std::string Code = + R"( + struct test_struct { + char a; + short b; + int c; + } __attribute__((packed, randomize_layout)); + + struct another_struct { + char a; + int c; + } __attribute__((packed, randomize_layout)); + + struct last_struct { + char a; + long long b; + } __attribute__((packed, randomize_layout)); + )"; + + const auto AST = makeAST(Code, Lang_C99); + const auto *RD = getRecordDeclFromAST(AST->getASTContext(), "test_struct"); + // FIXME (?): calling getASTRecordLayout is probably a necessary evil so that + // Clang's RecordBuilders can actually flesh out the information like + // alignment, etc. + const auto &Layout = AST->getASTContext().getASTRecordLayout(RD); + + ASSERT_EQ(7, Layout.getSize().getQuantity()); + + const auto *RD1 = + getRecordDeclFromAST(AST->getASTContext(), "another_struct"); + const auto &Layout1 = AST->getASTContext().getASTRecordLayout(RD1); + + ASSERT_EQ(5, Layout1.getSize().getQuantity()); + + const auto *RD2 = getRecordDeclFromAST(AST->getASTContext(), "last_struct"); + const auto &Layout2 = AST->getASTContext().getASTRecordLayout(RD2); + + ASSERT_EQ(9, Layout2.getSize().getQuantity()); +} + +TEST(RANDSTRUCT_TEST, ZeroWidthBitfieldsSeparateAllocationUnits) { + std::string Code = + R"( + struct test_struct { + int a : 1; + int : 0; + int b : 1; + }; + )"; + + const auto AST = makeAST(Code, Lang_C99); + const auto *RD = getRecordDeclFromAST(AST->getASTContext(), "test_struct"); + const std::vector Before = getFieldNamesFromRecord(RD); + ASSERT_TRUE(isSubsequence(Before, {"a", "", "b"})); + + SmallVector FinalOrdering; + randomizeStructureLayout(AST->getASTContext(), RD, FinalOrdering); + std::vector After; + for (const Decl *D : FinalOrdering) + if (const auto FD = dyn_cast(D)) + After.push_back(FD->getNameAsString()); + + ASSERT_FALSE(isSubsequence(After, {"a", "", "b"})); +} + +TEST(RANDSTRUCT_TEST, RandstructDoesNotRandomizeUnionFieldOrder) { + std::string Code = + R"( + union test_union { + int a; + int b; + int c; + int d; + int e; + int f; + int g; + } __attribute__((randomize_layout)); + )"; + + const auto AST = makeAST(Code, Lang_C99); + const auto *RD = getRecordDeclFromAST(AST->getASTContext(), "test_union"); + + ASSERT_FALSE(shouldRandomize(AST->getASTContext(), RD)); +} + +TEST(RANDSTRUCT_TEST, AnonymousStructsAndUnionsRetainFieldOrder) { + std::string Code = + R"( + struct test_struct { + int a; + struct { + int b; + int c; + int d; + }; + int e; + union { + int f; + int h; + int j; + }; + int k; + } __attribute__((randomize_layout)); + )"; + const auto AST = makeAST(Code, Lang_C99); + const auto *RD = getRecordDeclFromAST(AST->getASTContext(), "test_struct"); + SmallVector Ignore; + randomizeStructureLayout(AST->getASTContext(), RD, Ignore); + + bool AnonStructTested = false; + bool AnonUnionTested = false; + for (auto f : RD->decls()) { + if (auto *SubRD = dyn_cast(f)) + if (SubRD->isAnonymousStructOrUnion()) { + if (isSubsequence(getFieldNamesFromRecord(SubRD), {"b", "c", "d"})) { + AnonStructTested = true; + } + if (isSubsequence(getFieldNamesFromRecord(SubRD), {"f", "h", "j"})) { + AnonUnionTested = true; + } + } + } + ASSERT_TRUE(AnonStructTested); + ASSERT_TRUE(AnonUnionTested); +} + +} // namespace ast_matchers +} // namespace clang