diff --git a/clang/include/clang/AST/Decl.h b/clang/include/clang/AST/Decl.h --- a/clang/include/clang/AST/Decl.h +++ b/clang/include/clang/AST/Decl.h @@ -2839,6 +2839,7 @@ unsigned BitField : 1; unsigned Mutable : 1; mutable unsigned CachedFieldIndex : 30; + mutable unsigned OriginalFieldIndex : 30; /// The kinds of value we can store in InitializerOrBitWidth. /// @@ -2883,12 +2884,12 @@ protected: FieldDecl(Kind DK, DeclContext *DC, SourceLocation StartLoc, - SourceLocation IdLoc, IdentifierInfo *Id, - QualType T, TypeSourceInfo *TInfo, Expr *BW, bool Mutable, + SourceLocation IdLoc, IdentifierInfo *Id, QualType T, + TypeSourceInfo *TInfo, Expr *BW, bool Mutable, InClassInitStyle InitStyle) - : DeclaratorDecl(DK, DC, IdLoc, Id, T, TInfo, StartLoc), - BitField(false), Mutable(Mutable), CachedFieldIndex(0), - InitStorage(nullptr, (InitStorageKind) InitStyle) { + : DeclaratorDecl(DK, DC, IdLoc, Id, T, TInfo, StartLoc), BitField(false), + Mutable(Mutable), CachedFieldIndex(0), OriginalFieldIndex(0), + InitStorage(nullptr, (InitStorageKind)InitStyle) { if (BW) setBitWidth(BW); } @@ -2909,6 +2910,16 @@ /// as appropriate for passing to ASTRecordLayout::getFieldOffset. unsigned getFieldIndex() const; + /// For struct field reorg, this is the original index, 1-based, or + /// 0 if reorg did not happen. + unsigned getOriginalFieldIndex() const { return OriginalFieldIndex; } + + /// For struct field reorg, sets a 1-based index. + void setOriginalFieldIndex(unsigned Idx) { + assert(Idx && "Invalid original field index"); + OriginalFieldIndex = Idx; + } + /// Determines whether this field is mutable (C++ only). bool isMutable() const { return Mutable; } @@ -4051,6 +4062,10 @@ RecordDeclBits.ParamDestroyedInCallee = V; } + bool isRandomized() const { return RecordDeclBits.IsRandomized; } + + void setIsRandomized(bool V) const { RecordDeclBits.IsRandomized = V; } + /// Determines whether this declaration represents the /// injected class name. /// diff --git a/clang/include/clang/AST/DeclBase.h b/clang/include/clang/AST/DeclBase.h --- a/clang/include/clang/AST/DeclBase.h +++ b/clang/include/clang/AST/DeclBase.h @@ -1540,10 +1540,13 @@ /// Represents the way this type is passed to a function. uint64_t ArgPassingRestrictions : 2; + + /// Indicates whether this struct has had its field layout randomized. + mutable uint64_t IsRandomized : 1; }; /// Number of non-inherited bits in RecordDeclBitfields. - enum { NumRecordDeclBits = 14 }; + enum { NumRecordDeclBits = 15 }; /// Stores the bits used by OMPDeclareReductionDecl. /// If modified NumOMPDeclareReductionDeclBits and the accessor diff --git a/clang/include/clang/AST/Randstruct.h b/clang/include/clang/AST/Randstruct.h new file mode 100644 --- /dev/null +++ b/clang/include/clang/AST/Randstruct.h @@ -0,0 +1,43 @@ +//===- Randstruct.h - Interfact for structure randomization -------*- C++ -*-=// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// +// +// This file contains the interface for Clang's structure field layout +// randomization. +// +//===----------------------------------------------------------------------===// + +#ifndef LLVM_CLANG_AST_RANDSTRUCT_H +#define LLVM_CLANG_AST_RANDSTRUCT_H + +#include + +namespace llvm { +template class SmallVectorImpl; +} // end namespace llvm + +namespace clang { + +class ASTContext; +class Decl; +class FieldDecl; +class RecordDecl; + +namespace randstruct { + +using llvm::SmallVectorImpl; + +extern std::string SEED; + +bool shouldRandomize(const ASTContext &Context, const RecordDecl *RD); +void randomizeStructureLayout(const ASTContext &Context, const RecordDecl *RD, + SmallVectorImpl &FinalOrdering); + +} // namespace randstruct +} // namespace clang + +#endif // LLVM_CLANG_AST_RANDSTRUCT_H diff --git a/clang/include/clang/Basic/Attr.td b/clang/include/clang/Basic/Attr.td --- a/clang/include/clang/Basic/Attr.td +++ b/clang/include/clang/Basic/Attr.td @@ -3933,3 +3933,21 @@ let Subjects = SubjectList<[Function], ErrorDiag>; let Documentation = [ErrorAttrDocs]; } + +def RandomizeLayout : InheritableAttr { + let Spellings = [GCC<"randomize_layout">, Declspec<"randomize_layout">, + Keyword<"randomize_layout">]; + let Subjects = SubjectList<[Record]>; + let Documentation = [ClangRandstructDocs]; + let LangOpts = [COnly]; +} + +// The "no_randomize_layout" attribute isn't added to a Decl. Instead, it's +// used to drop the "randomize_layout" attribute. +def NoRandomizeLayout : InheritableAttr { + let Spellings = [GCC<"no_randomize_layout">, Declspec<"no_randomize_layout">, + Keyword<"no_randomize_layout">]; + let Subjects = SubjectList<[Record]>; + let Documentation = [ClangRandstructDocs]; + let LangOpts = [COnly]; +} diff --git a/clang/include/clang/Basic/AttrDocs.td b/clang/include/clang/Basic/AttrDocs.td --- a/clang/include/clang/Basic/AttrDocs.td +++ b/clang/include/clang/Basic/AttrDocs.td @@ -6346,3 +6346,17 @@ .. _Return-Oriented Programming: https://en.wikipedia.org/wiki/Return-oriented_programming }]; } + +def ClangRandstructDocs : Documentation { + let Category = DocCatVariable; + let Heading = "randomize_layout, no_randomize_layout"; + let Content = [{ +The attribute ``randomize_layout`` can be added to a record-type definition to +select it for structure layout field randomization; a compile-time hardening +technique. + +The attribute ``no_randomize_layout`` can be added to a record-type definition +to instruct the compiler that this structure should not have its field layout +randomized. + }]; +} diff --git a/clang/include/clang/Basic/DiagnosticDriverKinds.td b/clang/include/clang/Basic/DiagnosticDriverKinds.td --- a/clang/include/clang/Basic/DiagnosticDriverKinds.td +++ b/clang/include/clang/Basic/DiagnosticDriverKinds.td @@ -165,6 +165,8 @@ "invalid argument '-mno-amdgpu-ieee' only allowed with relaxed NaN handling">; def err_drv_argument_not_allowed_with : Error< "invalid argument '%0' not allowed with '%1'">; +def err_drv_cannot_open_randstruct_seed_filename : Error< + "cannot read randstruct seed file '%0'">; def err_drv_invalid_version_number : Error< "invalid version number in '%0'">; def err_drv_no_linker_llvm_support : Error< diff --git a/clang/include/clang/Basic/DiagnosticSemaKinds.td b/clang/include/clang/Basic/DiagnosticSemaKinds.td --- a/clang/include/clang/Basic/DiagnosticSemaKinds.td +++ b/clang/include/clang/Basic/DiagnosticSemaKinds.td @@ -11528,4 +11528,8 @@ "builtin requires at least one of the following extensions support to be enabled : %0">; def err_riscv_builtin_invalid_lmul : Error< "LMUL argument must be in the range [0,3] or [5,7]">; + +// Layout randomization warning. +def cast_from_randomized_struct : Error< + "casting from randomized structure pointer type %0 to %1">; } // end of sema component. diff --git a/clang/include/clang/Driver/Options.td b/clang/include/clang/Driver/Options.td --- a/clang/include/clang/Driver/Options.td +++ b/clang/include/clang/Driver/Options.td @@ -2115,6 +2115,14 @@ def fmessage_length_EQ : Joined<["-"], "fmessage-length=">, Group, Flags<[CC1Option]>, HelpText<"Format message diagnostics so that they fit within N columns">, MarshallingInfoInt>; +def frandstruct_seed_EQ + : Joined<["-"], "frandstruct-seed=">, + Group, + Flags<[CC1Option, CoreOption]>; +def frandstruct_seed_filename_EQ + : Joined<["-"], "frandstruct-seed-filename=">, + Group, + Flags<[CC1Option, CoreOption]>; def fms_compatibility : Flag<["-"], "fms-compatibility">, Group, Flags<[CC1Option, CoreOption]>, HelpText<"Enable full Microsoft Visual C++ compatibility">, MarshallingInfoFlag>; diff --git a/clang/lib/AST/CMakeLists.txt b/clang/lib/AST/CMakeLists.txt --- a/clang/lib/AST/CMakeLists.txt +++ b/clang/lib/AST/CMakeLists.txt @@ -97,6 +97,7 @@ ParentMap.cpp PrintfFormatString.cpp QualTypeNames.cpp + Randstruct.cpp RawCommentList.cpp RecordLayout.cpp RecordLayoutBuilder.cpp diff --git a/clang/lib/AST/Decl.cpp b/clang/lib/AST/Decl.cpp --- a/clang/lib/AST/Decl.cpp +++ b/clang/lib/AST/Decl.cpp @@ -30,6 +30,7 @@ #include "clang/AST/ODRHash.h" #include "clang/AST/PrettyDeclStackTrace.h" #include "clang/AST/PrettyPrinter.h" +#include "clang/AST/Randstruct.h" #include "clang/AST/Redeclarable.h" #include "clang/AST/Stmt.h" #include "clang/AST/TemplateBase.h" @@ -4569,6 +4570,7 @@ setHasNonTrivialToPrimitiveCopyCUnion(false); setParamDestroyedInCallee(false); setArgPassingRestrictions(APK_CanPassInRegs); + setIsRandomized(false); } RecordDecl *RecordDecl::Create(const ASTContext &C, TagKind TK, DeclContext *DC, diff --git a/clang/lib/AST/DeclBase.cpp b/clang/lib/AST/DeclBase.cpp --- a/clang/lib/AST/DeclBase.cpp +++ b/clang/lib/AST/DeclBase.cpp @@ -25,6 +25,7 @@ #include "clang/AST/DeclTemplate.h" #include "clang/AST/DependentDiagnostic.h" #include "clang/AST/ExternalASTSource.h" +#include "clang/AST/Randstruct.h" #include "clang/AST/Stmt.h" #include "clang/AST/Type.h" #include "clang/Basic/IdentifierTable.h" diff --git a/clang/lib/AST/Randstruct.cpp b/clang/lib/AST/Randstruct.cpp new file mode 100644 --- /dev/null +++ b/clang/lib/AST/Randstruct.cpp @@ -0,0 +1,223 @@ +//===--- Randstruct.cpp ---------------------------------------------------===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// +// +// This file contains the implementation for Clang's structure field layout +// randomization. +// +//===----------------------------------------------------------------------===// + +#include "clang/AST/Randstruct.h" +#include "clang/AST/ASTContext.h" +#include "clang/AST/ASTDiagnostic.h" +#include "clang/AST/Attr.h" +#include "clang/Basic/Diagnostic.h" +#include "llvm/ADT/SmallVector.h" + +#include +#include +#include +#include +#include + +namespace clang { +namespace randstruct { + +std::string SEED; + +// FIXME: Replace this with some discovery once that mechanism exists. +enum { CACHE_LINE = 64 }; + +// The Bucket class holds the struct fields we're trying to fill to a +// cache-line. +class Bucket { + SmallVector Fields; + int Size = 0; + +public: + virtual ~Bucket() = default; + + SmallVector &fields() { return Fields; } + void addField(FieldDecl *Field, int FieldSize); + virtual bool canFit(int FieldSize) const { + return Size + FieldSize <= CACHE_LINE; + } + virtual bool isBitfieldRun() const { return false; } + bool full() const { return Size >= CACHE_LINE; } +}; + +void Bucket::addField(FieldDecl *Field, int FieldSize) { + Size += FieldSize; + Fields.push_back(Field); +} + +struct BitfieldRunBucket : public Bucket { + bool canFit(int FieldSize) const override { return true; } + bool isBitfieldRun() const override { return true; } +}; + +bool shouldRandomize(const ASTContext &Context, const RecordDecl *RD) { + return Context.getLangOpts().C99 && !SEED.empty() && !RD->isUnion() && + RD->hasAttr(); +} + +void randomizeStructureLayoutImpl(const ASTContext &Context, + SmallVectorImpl &FieldsOut, + std::mt19937 &RNG) { + // All of the Buckets produced by best-effort cache-line algorithm. + // TODO: Figure out a better initial size. + SmallVector, 16> Buckets; + + // The current bucket of fields that we are trying to fill to a cache-line. + std::unique_ptr CurrentBucket = nullptr; + + // The current bucket containing the run of adjacent bitfields to ensure they + // remain adjacent. + std::unique_ptr CurrentBitfieldRun = nullptr; + + // Tracks the number of fields that we failed to fit to the current bucket, + // and thus still need to be added later. + size_t Skipped = 0; + + while (!FieldsOut.empty()) { + // If we've Skipped more fields than we have remaining to place, that means + // that they can't fit in our current bucket, and we need to start a new + // one. + if (Skipped >= FieldsOut.size()) { + Skipped = 0; + Buckets.push_back(std::move(CurrentBucket)); + } + + // Take the first field that needs to be put in a bucket. + auto FieldIter = FieldsOut.begin(); + FieldDecl *FD = *FieldIter; + + if (FD->isBitField() && !FD->isZeroLengthBitField(Context)) { + // Start a bitfield run if this is the first bitfield we have found. + if (!CurrentBitfieldRun) + CurrentBitfieldRun = std::make_unique(); + + // We've placed the field, and can remove it from the "awaiting Buckets" + // vector called "Fields." + CurrentBitfieldRun->addField(FD, /*FieldSize is irrelevant here*/ 1); + FieldsOut.erase(FieldIter); + continue; + } + + // Else, current field is not a bitfield. If we were previously in a + // bitfield run, end it. + if (CurrentBitfieldRun) + Buckets.push_back(std::move(CurrentBitfieldRun)); + + // If we don't have a bucket, make one. + if (!CurrentBucket) + CurrentBucket = std::make_unique(); + + uint64_t Width = Context.getTypeInfo(FD->getType()).Width; + if (Width >= randstruct::CACHE_LINE) { + std::unique_ptr OverSized = + std::make_unique(); + OverSized->addField(FD, Width); + FieldsOut.erase(FieldIter); + Buckets.push_back(std::move(OverSized)); + continue; + } + + // If it fits, add it. + if (CurrentBucket->canFit(Width)) { + CurrentBucket->addField(FD, Width); + FieldsOut.erase(FieldIter); + + // If it's now full, tie off the bucket. + if (CurrentBucket->full()) { + Skipped = 0; + Buckets.push_back(std::move(CurrentBucket)); + } + } else { + // We can't fit it in our current bucket. Move to the end for processing + // later. + ++Skipped; // Mark it skipped. + FieldsOut.push_back(FD); + FieldsOut.erase(FieldIter); + } + } + + // Done processing the fields awaiting a bucket. + + // If we were filling a bucket, tie it off. + if (CurrentBucket) + Buckets.push_back(std::move(CurrentBucket)); + + // If we were processing a bitfield run bucket, tie it off. + if (CurrentBitfieldRun) + Buckets.push_back(std::move(CurrentBitfieldRun)); + + std::shuffle(std::begin(Buckets), std::end(Buckets), RNG); + + // Produce the new ordering of the elements from the Buckets. + SmallVector FinalOrder; + for (const std::unique_ptr &B : Buckets) { + SmallVectorImpl &RandFields = B->fields(); + if (!B->isBitfieldRun()) + std::shuffle(std::begin(RandFields), std::end(RandFields), RNG); + + FinalOrder.insert(FinalOrder.end(), RandFields.begin(), RandFields.end()); + } + + FieldsOut = FinalOrder; +} + +void randomizeStructureLayout(const ASTContext &Context, const RecordDecl *RD, + SmallVectorImpl &FinalOrdering) { + if (!shouldRandomize(Context, RD)) + return; + + SmallVector RandomizedFields; + + unsigned Index = 1; + unsigned TotalNumFields = 0; + for (Decl *D : RD->decls()) { + ++TotalNumFields; + if (auto FD = dyn_cast(D)) { + FD->setOriginalFieldIndex(Index++); + RandomizedFields.push_back(FD); + } else { + FinalOrdering.push_back(D); + } + } + + if (RandomizedFields.empty()) + return; + + // Struct might end with a variable-length array or an array of size 0 or 1, + // in which case we don't want to randomize it. + FieldDecl *VLA = nullptr; + const auto *CA = + dyn_cast(RandomizedFields.back()->getType()); + if ((CA && (CA->getSize().sle(2) || CA->isIncompleteArrayType())) || + RD->hasFlexibleArrayMember()) + VLA = RandomizedFields.pop_back_val(); + + std::string Seed = SEED + RD->getNameAsString(); + std::seed_seq SeedSeq(Seed.begin(), Seed.end()); + std::mt19937 RNG(SeedSeq); + + randomizeStructureLayoutImpl(Context, RandomizedFields, RNG); + if (VLA) + RandomizedFields.push_back(VLA); + + FinalOrdering.insert(FinalOrdering.end(), RandomizedFields.begin(), + RandomizedFields.end()); + + assert(TotalNumFields == FinalOrdering.size() && + "Decl count has been altered after Randstruct randomization!"); + + RD->setIsRandomized(true); +} + +} // end namespace randstruct +} // end namespace clang diff --git a/clang/lib/AST/RecordLayoutBuilder.cpp b/clang/lib/AST/RecordLayoutBuilder.cpp --- a/clang/lib/AST/RecordLayoutBuilder.cpp +++ b/clang/lib/AST/RecordLayoutBuilder.cpp @@ -14,8 +14,9 @@ #include "clang/AST/DeclCXX.h" #include "clang/AST/DeclObjC.h" #include "clang/AST/Expr.h" -#include "clang/AST/VTableBuilder.h" +#include "clang/AST/Randstruct.h" #include "clang/AST/RecordLayout.h" +#include "clang/AST/VTableBuilder.h" #include "clang/Basic/TargetInfo.h" #include "llvm/ADT/SmallSet.h" #include "llvm/Support/Format.h" diff --git a/clang/lib/Driver/ToolChains/Clang.cpp b/clang/lib/Driver/ToolChains/Clang.cpp --- a/clang/lib/Driver/ToolChains/Clang.cpp +++ b/clang/lib/Driver/ToolChains/Clang.cpp @@ -5883,6 +5883,14 @@ CmdArgs.push_back( Args.MakeArgString("-fmessage-length=" + Twine(MessageLength))); + if (Arg *A = Args.getLastArg(options::OPT_frandstruct_seed_EQ)) + CmdArgs.push_back( + Args.MakeArgString("-frandstruct-seed=" + Twine(A->getValue(0)))); + + if (Arg *A = Args.getLastArg(options::OPT_frandstruct_seed_filename_EQ)) + CmdArgs.push_back(Args.MakeArgString("-frandstruct-seed-filename=" + + Twine(A->getValue(0)))); + // -fvisibility= and -fvisibility-ms-compat are of a piece. if (const Arg *A = Args.getLastArg(options::OPT_fvisibility_EQ, options::OPT_fvisibility_ms_compat)) { diff --git a/clang/lib/Frontend/CompilerInvocation.cpp b/clang/lib/Frontend/CompilerInvocation.cpp --- a/clang/lib/Frontend/CompilerInvocation.cpp +++ b/clang/lib/Frontend/CompilerInvocation.cpp @@ -8,6 +8,7 @@ #include "clang/Frontend/CompilerInvocation.h" #include "TestModuleFileExtension.h" +#include "clang/AST/Randstruct.h" #include "clang/Basic/Builtins.h" #include "clang/Basic/CharInfo.h" #include "clang/Basic/CodeGenOptions.h" @@ -94,6 +95,7 @@ #include #include #include +#include #include #include #include @@ -2695,6 +2697,20 @@ Opts.ProgramAction = frontend::PluginAction; Opts.ActionName = A->getValue(); } + + if (const Arg *A = Args.getLastArg(OPT_frandstruct_seed_filename_EQ)) { + std::ifstream SeedFile(A->getValue(0)); + + if (!SeedFile.is_open()) + Diags.Report(diag::err_drv_cannot_open_randstruct_seed_filename) + << A->getValue(0); + + std::getline(SeedFile, randstruct::SEED); + } + + if (const Arg *A = Args.getLastArg(OPT_frandstruct_seed_EQ)) + randstruct::SEED = A->getValue(0); + for (const auto *AA : Args.filtered(OPT_plugin_arg)) Opts.PluginArgs[AA->getValue(0)].emplace_back(AA->getValue(1)); diff --git a/clang/lib/Parse/ParseDeclCXX.cpp b/clang/lib/Parse/ParseDeclCXX.cpp --- a/clang/lib/Parse/ParseDeclCXX.cpp +++ b/clang/lib/Parse/ParseDeclCXX.cpp @@ -10,15 +10,16 @@ // //===----------------------------------------------------------------------===// -#include "clang/Parse/Parser.h" #include "clang/AST/ASTContext.h" #include "clang/AST/DeclTemplate.h" #include "clang/AST/PrettyDeclStackTrace.h" +#include "clang/AST/Randstruct.h" #include "clang/Basic/Attributes.h" #include "clang/Basic/CharInfo.h" #include "clang/Basic/OperatorKinds.h" #include "clang/Basic/TargetInfo.h" #include "clang/Parse/ParseDiagnostic.h" +#include "clang/Parse/Parser.h" #include "clang/Parse/RAIIObjectsForParser.h" #include "clang/Sema/DeclSpec.h" #include "clang/Sema/ParsedTemplate.h" @@ -2050,10 +2051,25 @@ } } - if (!TagOrTempResult.isInvalid()) + if (!TagOrTempResult.isInvalid()) { // Delayed processing of attributes. Actions.ProcessDeclAttributeDelayed(TagOrTempResult.get(), attrs); + RecordDecl *RD = TagOrTempResult.getAs(); + if (randstruct::shouldRandomize(Actions.getASTContext(), RD)) { + SmallVector FinalOrdering; + randstruct::randomizeStructureLayout(Actions.getASTContext(), RD, + FinalOrdering); + if (RD->isRandomized()) { + for (Decl *D : FinalOrdering) + RD->removeDecl(D); + + for (Decl *D : FinalOrdering) + RD->addDecl(D); + } + } + } + const char *PrevSpec = nullptr; unsigned DiagID; bool Result; diff --git a/clang/lib/Sema/AnalysisBasedWarnings.cpp b/clang/lib/Sema/AnalysisBasedWarnings.cpp --- a/clang/lib/Sema/AnalysisBasedWarnings.cpp +++ b/clang/lib/Sema/AnalysisBasedWarnings.cpp @@ -19,6 +19,7 @@ #include "clang/AST/ExprCXX.h" #include "clang/AST/ExprObjC.h" #include "clang/AST/ParentMap.h" +#include "clang/AST/Randstruct.h" #include "clang/AST/RecursiveASTVisitor.h" #include "clang/AST/StmtCXX.h" #include "clang/AST/StmtObjC.h" @@ -2140,6 +2141,53 @@ } // namespace consumed } // namespace clang +//===----------------------------------------------------------------------===// +// Checking for bad casts from randomize structs +//===----------------------------------------------------------------------===// + +namespace clang { +namespace randstruct { +namespace { +class BadCastsASTWalk : public RecursiveASTVisitor { + Sema &S; + +public: + BadCastsASTWalk(Sema &S) : S(S){}; + + bool VisitCastExpr(const CastExpr *E) { + if (E->getCastKind() != CK_BitCast) + return true; + + if (const auto *SubExpr = dyn_cast(E->getSubExpr())) { + CanQualType ExprTy = S.Context.getCanonicalType(E->getType()); + CanQualType SubExprTy = S.Context.getCanonicalType(SubExpr->getType()); + + if (isa(ExprTy) && isa(SubExprTy)) { + const QualType CastTy = cast(ExprTy)->getPointeeType(); + const QualType BaseTy = cast(SubExprTy)->getPointeeType(); + + const RecordDecl *CastRD = CastTy->getAsRecordDecl(); + const RecordDecl *BaseRD = BaseTy->getAsRecordDecl(); + + if (CastRD && BaseRD && CastRD != BaseRD && BaseRD->isRandomized()) + // The struct we are casting the pointer from was randomized. + S.Diag(E->getExprLoc(), diag::cast_from_randomized_struct) + << SubExprTy << ExprTy; + } + } + + return true; + } +}; + +void checkForBadCasts(Sema &S, AnalysisDeclContext &AC) { + BadCastsASTWalk walker(S); + walker.TraverseStmt(AC.getBody()); +} +} // anonymous namespace +} // namespace randstruct +} // namespace clang + //===----------------------------------------------------------------------===// // AnalysisBasedWarnings - Worker object used by Sema to execute analysis-based // warnings on a function, method, or block. @@ -2451,6 +2499,9 @@ ++NumFunctionsWithBadCFGs; } } + + // FIXME: Any way to get a handle to a RecordDecl struct here? + clang::randstruct::checkForBadCasts(S, AC); } void clang::sema::AnalysisBasedWarnings::PrintStats() const { diff --git a/clang/lib/Sema/SemaDecl.cpp b/clang/lib/Sema/SemaDecl.cpp --- a/clang/lib/Sema/SemaDecl.cpp +++ b/clang/lib/Sema/SemaDecl.cpp @@ -24,6 +24,7 @@ #include "clang/AST/Expr.h" #include "clang/AST/ExprCXX.h" #include "clang/AST/NonTrivialTypeVisitor.h" +#include "clang/AST/Randstruct.h" #include "clang/AST/StmtCXX.h" #include "clang/Basic/Builtins.h" #include "clang/Basic/PartialDiagnostic.h" diff --git a/clang/lib/Sema/SemaDeclAttr.cpp b/clang/lib/Sema/SemaDeclAttr.cpp --- a/clang/lib/Sema/SemaDeclAttr.cpp +++ b/clang/lib/Sema/SemaDeclAttr.cpp @@ -8547,6 +8547,13 @@ case ParsedAttr::AT_Section: handleSectionAttr(S, D, AL); break; + case ParsedAttr::AT_RandomizeLayout: + handleSimpleAttribute(S, D, AL); + break; + case ParsedAttr::AT_NoRandomizeLayout: + // Drop the "randomize_layout" attribute if it's on the decl. + D->dropAttr(); + break; case ParsedAttr::AT_CodeSeg: handleCodeSegAttr(S, D, AL); break; diff --git a/clang/test/Misc/pragma-attribute-supported-attributes-list.test b/clang/test/Misc/pragma-attribute-supported-attributes-list.test --- a/clang/test/Misc/pragma-attribute-supported-attributes-list.test +++ b/clang/test/Misc/pragma-attribute-supported-attributes-list.test @@ -104,6 +104,7 @@ // CHECK-NEXT: NoMicroMips (SubjectMatchRule_function) // CHECK-NEXT: NoMips16 (SubjectMatchRule_function) // CHECK-NEXT: NoProfileFunction (SubjectMatchRule_function) +// CHECK-NEXT: NoRandomizeLayout (SubjectMatchRule_record) // CHECK-NEXT: NoSanitize (SubjectMatchRule_function, SubjectMatchRule_objc_method, SubjectMatchRule_variable_is_global) // CHECK-NEXT: NoSanitizeSpecific (SubjectMatchRule_function, SubjectMatchRule_variable_is_global) // CHECK-NEXT: NoSpeculativeLoadHardening (SubjectMatchRule_function, SubjectMatchRule_objc_method) @@ -148,6 +149,7 @@ // CHECK-NEXT: PassObjectSize (SubjectMatchRule_variable_is_parameter) // CHECK-NEXT: PatchableFunctionEntry (SubjectMatchRule_function, SubjectMatchRule_objc_method) // CHECK-NEXT: Pointer (SubjectMatchRule_record_not_is_union) +// CHECK-NEXT: RandomizeLayout (SubjectMatchRule_record) // CHECK-NEXT: ReleaseHandle (SubjectMatchRule_variable_is_parameter) // CHECK-NEXT: RenderScriptKernel (SubjectMatchRule_function) // CHECK-NEXT: ReqdWorkGroupSize (SubjectMatchRule_function) diff --git a/clang/unittests/AST/CMakeLists.txt b/clang/unittests/AST/CMakeLists.txt --- a/clang/unittests/AST/CMakeLists.txt +++ b/clang/unittests/AST/CMakeLists.txt @@ -25,6 +25,7 @@ EvaluateAsRValueTest.cpp ExternalASTSourceTest.cpp NamedDeclPrinterTest.cpp + RandstructTest.cpp RecursiveASTVisitorTest.cpp SizelessTypesTest.cpp SourceLocationTest.cpp diff --git a/clang/unittests/AST/RandstructTest.cpp b/clang/unittests/AST/RandstructTest.cpp new file mode 100644 --- /dev/null +++ b/clang/unittests/AST/RandstructTest.cpp @@ -0,0 +1,409 @@ +//===- unittest/AST/RandstructTest.cpp ------------------------------------===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// +// +// This file contains tests for Clang's structure field layout randomization. +// +//===----------------------------------------------------------------------===// + +/* + * Build this test suite by running `make ASTTests` in the build folder. + * + * Run this test suite by running the following in the build folder: + * ` ./tools/clang/unittests/AST/ASTTests + * --gtest_filter=StructureLayoutRandomization*` + */ + +#include "clang/AST/Randstruct.h" +#include "gtest/gtest.h" + +#include "DeclMatcher.h" +#include "clang/AST/RecordLayout.h" +#include "clang/ASTMatchers/ASTMatchers.h" +#include "clang/Frontend/ASTUnit.h" +#include "clang/Testing/CommandLineArgs.h" +#include "clang/Tooling/Tooling.h" + +#include + +using namespace clang; +using namespace clang::ast_matchers; +using namespace clang::randstruct; + +using field_names = std::vector; + +namespace { + +std::unique_ptr makeAST(const std::string &SourceCode) { + std::vector Args = getCommandLineArgsForTesting(Lang_C99); + Args.push_back("-frandstruct-seed=1234567890abcdef"); + return tooling::buildASTFromCodeWithArgs(SourceCode, Args, "input.cc"); +} + +RecordDecl *getRecordDeclFromAST(const ASTContext &C, const std::string &Name) { + return FirstDeclMatcher().match(C.getTranslationUnitDecl(), + recordDecl(hasName(Name))); +} + +std::vector getFieldNamesFromRecord(const RecordDecl *RD) { + std::vector Fields; + + Fields.reserve(8); + for (auto *Field : RD->fields()) + Fields.push_back(Field->getNameAsString()); + + return Fields; +} + +bool isSubsequence(const field_names &Seq, const field_names &Subseq) { + unsigned SeqLen = Seq.size(); + unsigned SubLen = Subseq.size(); + + bool IsSubseq = false; + for (unsigned I = 0; I < SeqLen; ++I) + if (Seq[I] == Subseq[0]) { + IsSubseq = true; + for (unsigned J = 0; J + I < SeqLen && J < SubLen; ++J) { + if (Seq[J + I] != Subseq[J]) { + IsSubseq = false; + break; + } + } + } + + return IsSubseq; +} + +} // end anonymous namespace + +namespace clang { +namespace ast_matchers { + +#define RANDSTRUCT_TEST_SUITE_TEST StructureLayoutRandomizationTestSuiteTest + +TEST(RANDSTRUCT_TEST_SUITE_TEST, CanDetermineIfSubsequenceExists) { + const field_names Seq = {"a", "b", "c", "d"}; + + ASSERT_TRUE(isSubsequence(Seq, {"b", "c"})); + ASSERT_TRUE(isSubsequence(Seq, {"a", "b", "c", "d"})); + ASSERT_TRUE(isSubsequence(Seq, {"b", "c", "d"})); + ASSERT_TRUE(isSubsequence(Seq, {"a"})); + ASSERT_FALSE(isSubsequence(Seq, {"a", "d"})); +} + +#define RANDSTRUCT_TEST StructureLayoutRandomization + +TEST(RANDSTRUCT_TEST, UnmarkedStruct) { + const std::unique_ptr AST = makeAST(R"c( + struct test { + int bacon; + long lettuce; + long long tomato; + float mayonnaise; + }; + )c"); + + const RecordDecl *RD = getRecordDeclFromAST(AST->getASTContext(), "test"); + const field_names Expected = {"bacon", "lettuce", "tomato", "mayonnaise"}; + + ASSERT_FALSE(RD->getAttr()); + ASSERT_FALSE(RD->isRandomized()); + ASSERT_EQ(Expected, getFieldNamesFromRecord(RD)); +} + +TEST(RANDSTRUCT_TEST, MarkedNoRandomize) { + const std::unique_ptr AST = makeAST(R"c( + struct test { + int bacon; + long lettuce; + long long tomato; + float mayonnaise; + } __attribute__((no_randomize_layout)); + )c"); + + const RecordDecl *RD = getRecordDeclFromAST(AST->getASTContext(), "test"); + const field_names Expected = {"bacon", "lettuce", "tomato", "mayonnaise"}; + + ASSERT_FALSE(RD->getAttr()); + ASSERT_EQ(Expected, getFieldNamesFromRecord(RD)); +} + +TEST(RANDSTRUCT_TEST, MarkedRandomize) { + const std::unique_ptr AST = makeAST(R"c( + struct test { + int bacon; + long lettuce; + long long tomato; + float mayonnaise; + } __attribute__((randomize_layout)); + )c"); + + const RecordDecl *RD = getRecordDeclFromAST(AST->getASTContext(), "test"); + const field_names Expected = {"mayonnaise", "bacon", "tomato", "lettuce"}; + + ASSERT_TRUE(RD->getAttr()); + ASSERT_TRUE(RD->isRandomized()); + ASSERT_EQ(Expected, getFieldNamesFromRecord(RD)); +} + +TEST(RANDSTRUCT_TEST, MultipleAttrsNoRandomize) { + const std::unique_ptr AST = makeAST(R"c( + struct test { + int bacon; + long lettuce; + long long tomato; + float mayonnaise; + } __attribute__((randomize_layout)) __attribute__((no_randomize_layout)); + )c"); + + const RecordDecl *RD = getRecordDeclFromAST(AST->getASTContext(), "test"); + const field_names Expected = {"bacon", "lettuce", "tomato", "mayonnaise"}; + + ASSERT_FALSE(RD->getAttr()); + ASSERT_EQ(Expected, getFieldNamesFromRecord(RD)); +} + +TEST(RANDSTRUCT_TEST, MultipleAttrsRandomize) { + const std::unique_ptr AST = makeAST(R"c( + struct test { + int bacon; + long lettuce; + long long tomato; + float mayonnaise; + } __attribute__((no_randomize_layout)) __attribute__((randomize_layout)); + )c"); + + const RecordDecl *RD = getRecordDeclFromAST(AST->getASTContext(), "test"); + const field_names Expected = {"mayonnaise", "bacon", "tomato", "lettuce"}; + + ASSERT_TRUE(RD->getAttr()); + ASSERT_EQ(Expected, getFieldNamesFromRecord(RD)); +} + +// FIXME: Clang trips an assertion in the DiagnosticsEngine when the warning is +// emitted while running under the test suite: +// clang/lib/Frontend/TextDiagnosticPrinter.cpp:150: virtual void +// clang::TextDiagnosticPrinter::HandleDiagnostic(clang::DiagnosticsEngine::Level, +// const clang::Diagnostic&): Assertion `TextDiag && "UnExpected diagnostic +// outside source file processing"' failed. +// +// Although the test *technically* is marked as pass; outside of the test suite +// this functionality works and no assertion is tripped. +TEST( + RANDSTRUCT_TEST, + DISABLED_EmitWarningWhenStructureIsMarkedWithBothRandomizeAndNoRandomizeAttributes) { + const std::unique_ptr AST = makeAST(R"c( + struct test_struct { + int a; + int b; + int c; + } __attribute__((no_randomize_layout)) __attribute__((randomize_layout)); + )c"); + + ASSERT_EQ(AST->getASTContext().getDiagnostics().getNumWarnings(), 1UL); +} + +// End of FIXME regarding DiagnosticsEngine assertion tests. + +TEST(RANDSTRUCT_TEST, CheckAdjacentBitfieldsRemainAdjacentAfterRandomization) { + const std::unique_ptr AST = makeAST(R"c( + struct test { + int a; + int b; + int x : 1; + int y : 1; + int z : 1; + int c; + } __attribute__((randomize_layout)); + )c"); + + const RecordDecl *RD = getRecordDeclFromAST(AST->getASTContext(), "test"); + + const field_names Expected = {"c", "x", "y", "z", "b", "a"}; + const field_names Subseq = {"x", "y", "z"}; + const field_names Actual = getFieldNamesFromRecord(RD); + + ASSERT_TRUE(isSubsequence(Actual, Subseq)); + ASSERT_EQ(Expected, Actual); +} + +TEST(RANDSTRUCT_TEST, CheckVariableLengthArrayMemberRemainsAtEndOfStructure) { + const std::unique_ptr AST = makeAST(R"c( + struct test { + int a; + double b; + short c; + char name[]; + } __attribute__((randomize_layout)); + )c"); + + const RecordDecl *RD = getRecordDeclFromAST(AST->getASTContext(), "test"); + const field_names Expected = {"b", "c", "a", "name"}; + + ASSERT_EQ(Expected, getFieldNamesFromRecord(RD)); +} + +TEST(RANDSTRUCT_TEST, RandstructDoesNotOverrideThePackedAttr) { + const std::unique_ptr AST = makeAST(R"c( + struct test_struct { + char a; + float b[3]; + short c; + int d; + } __attribute__((packed, randomize_layout)); + + struct another_struct { + char a; + char b[5]; + int c; + } __attribute__((packed, randomize_layout)); + + struct last_struct { + char a; + long long b; + int c[]; + } __attribute__((packed, randomize_layout)); + )c"); + + // FIXME (?): calling getASTRecordLayout is probably a necessary evil so that + // Clang's RecordBuilders can actually flesh out the information like + // alignment, etc. + { + const RecordDecl *RD = + getRecordDeclFromAST(AST->getASTContext(), "test_struct"); + const ASTRecordLayout *Layout = + &AST->getASTContext().getASTRecordLayout(RD); + const field_names Expected = {"c", "a", "d", "b"}; + + ASSERT_EQ(19, Layout->getSize().getQuantity()); + ASSERT_EQ(Expected, getFieldNamesFromRecord(RD)); + } + + { + const RecordDecl *RD = + getRecordDeclFromAST(AST->getASTContext(), "another_struct"); + const ASTRecordLayout *Layout = + &AST->getASTContext().getASTRecordLayout(RD); + const field_names Expected = {"c", "a", "b"}; + + ASSERT_EQ(10, Layout->getSize().getQuantity()); + ASSERT_EQ(Expected, getFieldNamesFromRecord(RD)); + } + + { + const RecordDecl *RD = + getRecordDeclFromAST(AST->getASTContext(), "last_struct"); + const ASTRecordLayout *Layout = + &AST->getASTContext().getASTRecordLayout(RD); + const field_names Expected = {"b", "a", "c"}; + + ASSERT_EQ(9, Layout->getSize().getQuantity()); + ASSERT_EQ(Expected, getFieldNamesFromRecord(RD)); + } +} + +TEST(RANDSTRUCT_TEST, ZeroWidthBitfieldsSeparateAllocationUnits) { + const std::unique_ptr AST = makeAST(R"c( + struct test_struct { + int a : 1; + int : 0; + int b : 1; + } __attribute__((randomize_layout)); + )c"); + + const RecordDecl *RD = + getRecordDeclFromAST(AST->getASTContext(), "test_struct"); + const field_names Expected = {"", "a", "b"}; + + ASSERT_EQ(Expected, getFieldNamesFromRecord(RD)); +} + +TEST(RANDSTRUCT_TEST, RandstructDoesNotRandomizeUnionFieldOrder) { + const std::unique_ptr AST = makeAST(R"c( + union test_union { + int a; + int b; + int c; + int d; + int e; + int f; + } __attribute__((randomize_layout)); + )c"); + + const RecordDecl *RD = + getRecordDeclFromAST(AST->getASTContext(), "test_union"); + const field_names Expected = {"a", "b", "c", "d", "e", "f"}; + + ASSERT_FALSE(shouldRandomize(AST->getASTContext(), RD)); + ASSERT_EQ(Expected, getFieldNamesFromRecord(RD)); +} + +TEST(RANDSTRUCT_TEST, AnonymousStructsAndUnionsRetainFieldOrder) { + const std::unique_ptr AST = makeAST(R"c( + struct test_struct { + int a; + struct sub_struct { + int b; + int c; + int d; + int e; + int f; + } __attribute__((randomize_layout)) s; + int f; + struct { + int g; + int h; + int i; + int j; + int k; + }; + int l; + union { + int m; + int n; + int o; + int p; + int q; + }; + int r; + } __attribute__((randomize_layout)); + )c"); + + const RecordDecl *RD = + getRecordDeclFromAST(AST->getASTContext(), "test_struct"); + const field_names Expected = {"f", "a", "l", "", "", "s", "r"}; + + ASSERT_EQ(Expected, getFieldNamesFromRecord(RD)); + + bool AnonStructTested = false; + bool AnonUnionTested = false; + for (const Decl *D : RD->decls()) + if (const RecordDecl *SubRD = dyn_cast(D)) { + if (SubRD->isAnonymousStructOrUnion()) { + if (SubRD->isUnion()) { + const field_names Expected = {"m", "n", "o", "p", "q"}; + + ASSERT_EQ(Expected, getFieldNamesFromRecord(SubRD)); + AnonUnionTested = true; + } else { + const field_names Expected = {"g", "h", "i", "j", "k"}; + + ASSERT_EQ(Expected, getFieldNamesFromRecord(SubRD)); + AnonStructTested = true; + } + } else if (SubRD->isStruct()) { + const field_names Expected = {"d", "e", "f", "c", "b"}; + ASSERT_EQ(Expected, getFieldNamesFromRecord(SubRD)); + } + } + + ASSERT_TRUE(AnonStructTested); + ASSERT_TRUE(AnonUnionTested); +} + +} // namespace ast_matchers +} // namespace clang