Add a CFI protection check that is implemented by building a graph and inspecting the output to deduce if the indirect CF instruction is CFI protected. Also added the output of this instruction to printIndirectInstructions().
On a mechanical note, you should add -U999999 to your git diff options to include full files in the diff (makes scrolling below/above added/removed lines possible in the web view)
tools/llvm-cfi-verify/FileVerifier.cpp, line 102 (On Diff #117452):
This is checked in two different places, might be worth having a helper function?

tools/llvm-cfi-verify/FileVerifier.cpp, line 112 (On Diff #117452):
This would be a surprising reason to see 'Protected? No.' Perhaps worth making this an enum return value with no/yes/could-not-be-determined?

tools/llvm-cfi-verify/FileVerifier.cpp, line 112 (On Diff #117452):
I'm not sure it would be surprising. Orphaned nodes are those which have no static cross-references to them, meaning the control flow graph dies with them.

```
[0x0: ud2]            [0x1000: movb $0x1, %rax]
    |                            |
[0x1: nop] <-----------------[0x1002: callq %rax]
    |
[0x2: jmpq %rax]
```

In this example, the graph starts at 0x2, building up to 0x1. There are no xrefs to 0x1 (as 0x0 cannot fall through, and 0x1002's target is non-static), and hence 0x1 is added as an "orphaned node". My assumption is that, in order for an indirect CF to be CFI protected, all possible ways to reach the indirect CF must be CFI protected. If a vcall then immediately makes another vcall without CFI checking (emulated in the example above), shouldn't it be flagged? You have a better understanding of this than me though, feel free to correct me :)
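A toy model of the backward walk and orphaned-node reasoning in the comment above, added here as an illustration rather than llvm-cfi-verify's own code. The instruction listings, the mnemonic sets, the depth limit and the three-valued Protected result are all constructed for this example; the GUARDED listing assumes the usual pattern of a conditional branch whose failing side reaches ud2.

```python
# Added example, not llvm-cfi-verify's own code: a toy model of the backward graph
# walk discussed in the review. A listing maps address -> (mnemonic, operand); an
# int operand is a static direct-branch target; fall-through is the next address.
from enum import Enum
class Protected(Enum):
    YES = "yes"
    NO = "no"                                 # an unguarded path was found
    UNDETERMINED = "could-not-be-determined"  # walk exceeded max_depth

NO_FALLTHROUGH = {"ud2", "jmp", "jmpq", "ret"}   # constructed, not exhaustive
COND_BRANCH = {"je", "jne", "jb", "jae"}          # constructed, not exhaustive

# Constructed from the review's diagram: 0x1 has no static cross-references.
ORPHANED = {0x0: ("ud2", None), 0x1: ("nop", None), 0x2: ("jmpq", "%rax"),
            0x1000: ("movb", "$0x1, %rax"), 0x1002: ("callq", "%rax")}
# Constructed guarded vcall: the failing side of the jne lands on ud2.
GUARDED = {0x10: ("cmpq", "%rcx, %rax"), 0x12: ("jne", 0x20),
           0x14: ("callq", "*%rax"), 0x16: ("ret", None), 0x20: ("ud2", None)}

def static_edges(listing):
    """Successor sets built from fall-through and direct branch targets only."""
    addrs, succs = sorted(listing), {}
    for i, a in enumerate(addrs):
        mnem, op = listing[a]
        succs[a] = {addrs[i + 1]} if mnem not in NO_FALLTHROUGH and i + 1 < len(addrs) else set()
        if isinstance(op, int) and op in listing:
            succs[a].add(op)
    return succs

def is_cfi_check(listing, succs, addr):
    """A conditional branch with ud2 as one successor is treated as the CFI check."""
    return listing[addr][0] in COND_BRANCH and any(
        listing[s][0] == "ud2" for s in succs[addr])

def cfi_status(listing, indirect, max_depth=8):
    """Walk back from the indirect call/jump; every path must end at a check."""
    succs, work, seen = static_edges(listing), [(indirect, 0)], set()
    preds = {a: {p for p in listing if a in succs[p]} for a in listing}
    while work:
        addr, depth = work.pop()
        if addr in seen or is_cfi_check(listing, succs, addr):
            continue                          # visited, or this path is guarded
        seen.add(addr)
        if not preds[addr]:
            return Protected.NO, addr         # orphaned node: an unguarded path
        if depth >= max_depth:
            return Protected.UNDETERMINED, addr
        work.extend((p, depth + 1) for p in preds[addr])
    return Protected.YES, None
```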
tools/llvm-cfi-verify/FileAnalysis.h, line 72:
Related to https://reviews.llvm.org/D38379#inline-337653. Covers indirect calls as well, LMK if you want this change.

tools/llvm-cfi-verify/llvm-cfi-verify.cpp, line 46:
Related to https://reviews.llvm.org/D38379#inline-337653. This currently only prints indirect calls + jumps. Should this be changed?
isCFIProtectedIndirectBranch ?