This is an archive of the discontinued LLVM Phabricator instance.

Differential D39820

[cfi-verify] Validate there are no register clobbers between CFI-check and instruction execution.
ClosedPublic

Authored by hctim on Nov 8 2017, 3:14 PM.

Details

Reviewers
vlad.tsyrklevich
Commits
rG2e7be2a65af2: [cfi-verify] Validate there are no register clobbers between CFI-check and…
rL318238: [cfi-verify] Validate there are no register clobbers between CFI-check and…
Summary

This patch adds another failure mode for validateCFIProtection(..), wherein any register that affects the indirect control flow instruction is clobbered to between the CFI-check and the instruction's execution.

Also includes a modification to make MCInstrDesc::hasDefOfPhysReg public.

Diff Detail

Repository
rL LLVM

Event Timeline

hctim created this revision.Nov 8 2017, 3:14 PM
hctim added a parent revision: D39819: [cfi-verify] Add DOT graph printing for GraphResult objects..
vlad.tsyrklevich added inline comments.Nov 10 2017, 11:38 AM
tools/llvm-cfi-verify/lib/FileAnalysis.cpp
294 ↗(On Diff #122165)

I think Branch should explicitly be declared a reference to avoid copies.

306 ↗(On Diff #122165)

Reading the MCInstrDesc docs it makes it seem like this will ONLY check for implicit uses, not explicit uses. It's confusing why then your add $0, %eax unit tests below works, maybe it' s because you're implicitly defining rax by adding to eax. Could you try using an add rax instruction instead and see if that works?

tools/llvm-cfi-verify/lib/GraphBuilder.cpp
304 ↗(On Diff #122165)
BranchNode.IndirectCFIsOnTargetPath = (BranchTarget == Address);
if (BranchNode.IndirectCFIsOnTargetPath) {
hctim updated this revision to Diff 122520.Nov 10 2017, 1:55 PM
hctim marked 3 inline comments as done.

Addressed Vlad's comments: Added an explicit register check and some minor changes.

Also changed instances of 'spill' to 'clobber' as it's more representative of what we're actually checking for.

tools/llvm-cfi-verify/lib/FileAnalysis.cpp
294 ↗(On Diff #122165)

Thanks, nice catch!

306 ↗(On Diff #122165)

I was similarly confused by the naming/comment of hasImplicitDefOfPhysReg, I've added a test and it's all good. It's interesting as getImplicitUses is described as "Return a list of registers that are potentially read by any instance of this machine instruction", which would indicate that it also gets the explicit uses.

I'm not sure why the documentation is (apparently) wrong for hasImplicitDefOfPhysReg...

Harbormaster completed remote builds in B12084: Diff 122520.Nov 10 2017, 1:56 PM
vlad.tsyrklevich added inline comments.Nov 10 2017, 2:24 PM
unittests/tools/llvm-cfi-verify/FileAnalysis.cpp
751 ↗(On Diff #122520)

Take a look at [1]. This uses 0x05 which is an encoding specifically for add %eax, if you use an instruction that explicit encodes %rax in the ModR/M encoding like 48 83 c0 00 this test will fail. This is a bit silly since from the assembly writers perspective %rax is explicit here but it's not at the MC layer.

[1] http://x86.renejeschke.de/html/file_module_x86_id_5.html

*Also this still says %eax

vlad.tsyrklevich added inline comments.Nov 10 2017, 2:27 PM
unittests/tools/llvm-cfi-verify/FileAnalysis.cpp
751 ↗(On Diff #122520)

Oh, I forgot to mention you can witness this with llvm-mc:

$ echo "0x48 0x83 0xc0 0x00" | llvm-mc --disassemble -show-inst -show-inst-operands
	.text
	addq	$0, %rax                # <MCInst #187 ADD64ri8
                                        #  <MCOperand Reg:35>
                                        #  <MCOperand Reg:35>
                                        #  <MCOperand Imm:0>>
$ echo "0x48 0x05 0x00 0x00 0x00 0x00" | llvm-mc --disassemble -show-inst -show-inst-operands
	.text
	addq	$0, %rax                # <MCInst #181 ADD64i32
                                        #  <MCOperand Imm:0>>
hctim mentioned this in D39925: [MC] Expose hasDefOfPhysReg(..) in the public MCInstrDesc interface..Nov 10 2017, 2:51 PM
hctim updated this revision to Diff 122718.EditedNov 13 2017, 1:27 PM

Updated clobber checking to use hasDefOfPhysReg rather than the implicit counterpart. This change now includes a modification to make MCInstrDesc::hasDefOfPhysReg public on pcc's reccomendation.

Also added an explicit unit test that sets rax then jumps to it, rather than relying on a REX prefix byte to target the register, as this was still considered an 'implicitly' changed register.

Harbormaster completed remote builds in B12131: Diff 122718.Nov 13 2017, 1:28 PM
hctim retitled this revision from [cfi-verify] Validate there are no spills between CFI-check and instruction execution. to [cfi-verify] Validate there are no register clobbers between CFI-check and instruction execution..Nov 13 2017, 1:28 PM
hctim edited the summary of this revision. (Show Details)
vlad.tsyrklevich accepted this revision.Nov 14 2017, 1:44 PM
This revision is now accepted and ready to land.Nov 14 2017, 1:44 PM
hctim updated this revision to Diff 122919.Nov 14 2017, 2:53 PM

Merged master in preparation for submission.

hctim updated this revision to Diff 122920.Nov 14 2017, 2:54 PM

/s/eax/rax

Harbormaster completed remote builds in B12179: Diff 122920.Nov 14 2017, 2:54 PM
Closed by commit rL318238: [cfi-verify] Validate there are no register clobbers between CFI-check and… (authored by hctim). · Explain WhyNov 14 2017, 4:35 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
llvm/
trunk/
include/
llvm/
MC/
4 lines
tools/
llvm-cfi-verify/
lib/
10 lines
45 lines
1 line
1 line
unittests/
tools/
llvm-cfi-verify/
66 lines

Diff 122947

llvm/trunk/include/llvm/MC/MCInstrDesc.h

Show First 20 LinesShow All 167 Lines▼ Show 20 Linespublic:
unsigned char Size; // Number of bytes in encoding. unsigned char Size; // Number of bytes in encoding.
unsigned short SchedClass; // enum identifying instr sched class unsigned short SchedClass; // enum identifying instr sched class
uint64_t Flags; // Flags identifying machine instr class uint64_t Flags; // Flags identifying machine instr class
uint64_t TSFlags; // Target Specific Flag values uint64_t TSFlags; // Target Specific Flag values
const MCPhysReg *ImplicitUses; // Registers implicitly read by this instr const MCPhysReg *ImplicitUses; // Registers implicitly read by this instr
const MCPhysReg *ImplicitDefs; // Registers implicitly defined by this instr const MCPhysReg *ImplicitDefs; // Registers implicitly defined by this instr
const MCOperandInfo *OpInfo; // 'NumOperands' entries about operands const MCOperandInfo *OpInfo; // 'NumOperands' entries about operands
// Subtarget feature that this is deprecated on, if any // Subtarget feature that this is deprecated on, if any
// -1 implies this is not deprecated by any single feature. It may still be // -1 implies this is not deprecated by any single feature. It may still be
// deprecated due to a "complex" reason, below. // deprecated due to a "complex" reason, below.
int64_t DeprecatedFeature; int64_t DeprecatedFeature;
// A complex method to determine is a certain is deprecated or not, and return // A complex method to determine is a certain is deprecated or not, and return
// the reason for deprecation. // the reason for deprecation.
bool (*ComplexDeprecationInfo)(MCInst &, const MCSubtargetInfo &, bool (*ComplexDeprecationInfo)(MCInst &, const MCSubtargetInfo &,
std::string &); std::string &);
▲ Show 20 LinesShow All 390 Lines▼ Show 20 Lines int findFirstPredOperandIdx() const {
if (isPredicable()) { if (isPredicable()) {
for (unsigned i = 0, e = getNumOperands(); i != e; ++i) for (unsigned i = 0, e = getNumOperands(); i != e; ++i)
if (OpInfo[i].isPredicate()) if (OpInfo[i].isPredicate())
return i; return i;
} }
return -1; return -1;
} }
private:
/// \brief Return true if this instruction defines the specified physical /// \brief Return true if this instruction defines the specified physical
/// register, either explicitly or implicitly. /// register, either explicitly or implicitly.
bool hasDefOfPhysReg(const MCInst &MI, unsigned Reg, bool hasDefOfPhysReg(const MCInst &MI, unsigned Reg,
const MCRegisterInfo &RI) const; const MCRegisterInfo &RI) const;
}; };
} // end namespace llvm } // end namespace llvm
#endif #endif

llvm/trunk/tools/llvm-cfi-verify/lib/FileAnalysis.h

Show First 20 LinesShow All 53 Lines▼ Show 20 Linesenum class CFIProtectionStatus {
// The instruction is not an indirect control flow instruction, and thus // The instruction is not an indirect control flow instruction, and thus
// shouldn't be protected. // shouldn't be protected.
FAIL_NOT_INDIRECT_CF, FAIL_NOT_INDIRECT_CF,
// There is a path to the instruction that was unexpected. // There is a path to the instruction that was unexpected.
FAIL_ORPHANS, FAIL_ORPHANS,
// There is a path to the instruction from a conditional branch that does not // There is a path to the instruction from a conditional branch that does not
// properly check the destination for this vcall/icall. // properly check the destination for this vcall/icall.
FAIL_BAD_CONDITIONAL_BRANCH, FAIL_BAD_CONDITIONAL_BRANCH,
// One of the operands of the indirect CF instruction is modified between the
// CFI-check and execution.
FAIL_REGISTER_CLOBBERED,
// The instruction referenced does not exist. This normally indicates an // The instruction referenced does not exist. This normally indicates an
// error in the program, where you try and validate a graph that was created // error in the program, where you try and validate a graph that was created
// in a different FileAnalysis object. // in a different FileAnalysis object.
FAIL_INVALID_INSTRUCTION, FAIL_INVALID_INSTRUCTION,
}; };
StringRef stringCFIProtectionStatus(CFIProtectionStatus Status); StringRef stringCFIProtectionStatus(CFIProtectionStatus Status);
▲ Show 20 LinesShow All 70 Lines▼ Show 20 Linespublic:
// Returns the inlining information for the provided address. // Returns the inlining information for the provided address.
Expected<DIInliningInfo> symbolizeInlinedCode(uint64_t Address); Expected<DIInliningInfo> symbolizeInlinedCode(uint64_t Address);
// Returns whether the provided Graph represents a protected indirect control // Returns whether the provided Graph represents a protected indirect control
// flow instruction in this file. // flow instruction in this file.
CFIProtectionStatus validateCFIProtection(const GraphResult &Graph) const; CFIProtectionStatus validateCFIProtection(const GraphResult &Graph) const;
// Returns the first place the operand register is clobbered between the CFI-
// check and the indirect CF instruction execution. If the register is not
// modified, returns the address of the indirect CF instruction. The result is
// undefined if the provided graph does not fall under either the
// FAIL_REGISTER_CLOBBERED or PROTECTED status (see CFIProtectionStatus).
uint64_t indirectCFOperandClobber(const GraphResult& Graph) const;
// Prints an instruction to the provided stream using this object's pretty- // Prints an instruction to the provided stream using this object's pretty-
// printers. // printers.
void printInstruction(const Instr &InstrMeta, raw_ostream &OS) const; void printInstruction(const Instr &InstrMeta, raw_ostream &OS) const;
protected: protected:
// Construct a blank object with the provided triple and features. Used in // Construct a blank object with the provided triple and features. Used in
// testing, where a sub class will dependency inject protected methods to // testing, where a sub class will dependency inject protected methods to
// allow analysis of raw binary, without requiring a fully valid ELF file. // allow analysis of raw binary, without requiring a fully valid ELF file.
▲ Show 20 LinesShow All 69 LinesShow Last 20 Lines

llvm/trunk/tools/llvm-cfi-verify/lib/FileAnalysis.cpp

Show First 20 LinesShow All 58 Lines▼ Show 20 LinesStringRef stringCFIProtectionStatus(CFIProtectionStatus Status) {
case CFIProtectionStatus::PROTECTED: case CFIProtectionStatus::PROTECTED:
return "PROTECTED"; return "PROTECTED";
case CFIProtectionStatus::FAIL_NOT_INDIRECT_CF: case CFIProtectionStatus::FAIL_NOT_INDIRECT_CF:
return "FAIL_NOT_INDIRECT_CF"; return "FAIL_NOT_INDIRECT_CF";
case CFIProtectionStatus::FAIL_ORPHANS: case CFIProtectionStatus::FAIL_ORPHANS:
return "FAIL_ORPHANS"; return "FAIL_ORPHANS";
case CFIProtectionStatus::FAIL_BAD_CONDITIONAL_BRANCH: case CFIProtectionStatus::FAIL_BAD_CONDITIONAL_BRANCH:
return "FAIL_BAD_CONDITIONAL_BRANCH"; return "FAIL_BAD_CONDITIONAL_BRANCH";
case CFIProtectionStatus::FAIL_REGISTER_CLOBBERED:
return "FAIL_REGISTER_CLOBBERED";
case CFIProtectionStatus::FAIL_INVALID_INSTRUCTION: case CFIProtectionStatus::FAIL_INVALID_INSTRUCTION:
return "FAIL_INVALID_INSTRUCTION"; return "FAIL_INVALID_INSTRUCTION";
} }
llvm_unreachable("Attempted to stringify an unknown enum value."); llvm_unreachable("Attempted to stringify an unknown enum value.");
} }
Expected<FileAnalysis> FileAnalysis::Create(StringRef Filename) { Expected<FileAnalysis> FileAnalysis::Create(StringRef Filename) {
// Open the filename provided. // Open the filename provided.
▲ Show 20 LinesShow All 190 Lines▼ Show 20 LinesFileAnalysis::validateCFIProtection(const GraphResult &Graph) const {
if (!Graph.OrphanedNodes.empty()) if (!Graph.OrphanedNodes.empty())
return CFIProtectionStatus::FAIL_ORPHANS; return CFIProtectionStatus::FAIL_ORPHANS;
for (const auto &BranchNode : Graph.ConditionalBranchNodes) { for (const auto &BranchNode : Graph.ConditionalBranchNodes) {
if (!BranchNode.CFIProtection) if (!BranchNode.CFIProtection)
return CFIProtectionStatus::FAIL_BAD_CONDITIONAL_BRANCH; return CFIProtectionStatus::FAIL_BAD_CONDITIONAL_BRANCH;
} }
if (indirectCFOperandClobber(Graph) != Graph.BaseAddress)
return CFIProtectionStatus::FAIL_REGISTER_CLOBBERED;
return CFIProtectionStatus::PROTECTED; return CFIProtectionStatus::PROTECTED;
} }
uint64_t FileAnalysis::indirectCFOperandClobber(const GraphResult &Graph) const {
assert(Graph.OrphanedNodes.empty() && "Orphaned nodes should be empty.");
// Get the set of registers we must check to ensure they're not clobbered.
const Instr &IndirectCF = getInstructionOrDie(Graph.BaseAddress);
DenseSet<unsigned> RegisterNumbers;
for (const auto &Operand : IndirectCF.Instruction) {
if (Operand.isReg())
RegisterNumbers.insert(Operand.getReg());
}
assert(RegisterNumbers.size() && "Zero register operands on indirect CF.");
// Now check all branches to indirect CFs and ensure no clobbering happens.
for (const auto &Branch : Graph.ConditionalBranchNodes) {
uint64_t Node;
if (Branch.IndirectCFIsOnTargetPath)
Node = Branch.Target;
else
Node = Branch.Fallthrough;
while (Node != Graph.BaseAddress) {
const Instr &NodeInstr = getInstructionOrDie(Node);
const auto &InstrDesc = MII->get(NodeInstr.Instruction.getOpcode());
for (unsigned RegNum : RegisterNumbers) {
if (InstrDesc.hasDefOfPhysReg(NodeInstr.Instruction, RegNum,
*RegisterInfo))
return Node;
}
const auto &KV = Graph.IntermediateNodes.find(Node);
assert((KV != Graph.IntermediateNodes.end()) &&
"Could not get next node.");
Node = KV->second;
}
}
return Graph.BaseAddress;
}
void FileAnalysis::printInstruction(const Instr &InstrMeta, void FileAnalysis::printInstruction(const Instr &InstrMeta,
raw_ostream &OS) const { raw_ostream &OS) const {
Printer->printInst(&InstrMeta.Instruction, OS, "", *SubtargetInfo.get()); Printer->printInst(&InstrMeta.Instruction, OS, "", *SubtargetInfo.get());
} }
Error FileAnalysis::initialiseDisassemblyMembers() { Error FileAnalysis::initialiseDisassemblyMembers() {
std::string TripleName = ObjectTriple.getTriple(); std::string TripleName = ObjectTriple.getTriple();
ArchName = ""; ArchName = "";
▲ Show 20 LinesShow All 175 LinesShow Last 20 Lines

llvm/trunk/tools/llvm-cfi-verify/lib/GraphBuilder.h

Show First 20 LinesShow All 53 Lines▼ Show 20 Linesstruct ConditionalBranchNode {
uint64_t Address; uint64_t Address;
uint64_t Target; uint64_t Target;
uint64_t Fallthrough; uint64_t Fallthrough;
// Does this conditional branch look like it's used for CFI protection? i.e. // Does this conditional branch look like it's used for CFI protection? i.e.
// - The exit point of a basic block whos entry point is {target|fallthrough} // - The exit point of a basic block whos entry point is {target|fallthrough}
// is a CFI trap, and... // is a CFI trap, and...
// - The exit point of the other basic block is an undirect CF instruction. // - The exit point of the other basic block is an undirect CF instruction.
bool CFIProtection; bool CFIProtection;
bool IndirectCFIsOnTargetPath;
}; };
// The canonical graph result structure returned by GraphBuilder. The members // The canonical graph result structure returned by GraphBuilder. The members
// in this structure encapsulate all possible code paths to the instruction // in this structure encapsulate all possible code paths to the instruction
// located at `BaseAddress`. // located at `BaseAddress`.
struct GraphResult { struct GraphResult {
uint64_t BaseAddress; uint64_t BaseAddress;
▲ Show 20 LinesShow All 67 LinesShow Last 20 Lines

llvm/trunk/tools/llvm-cfi-verify/lib/GraphBuilder.cpp

Show First 20 LinesShow All 295 Lines▼ Show 20 Lines for (const auto *ParentMetaPtr : CFCrossRefs) {
// Only direct conditional branches should be present at this point. Setup // Only direct conditional branches should be present at this point. Setup
// a conditional branch node and build flows to the ud2. // a conditional branch node and build flows to the ud2.
ConditionalBranchNode BranchNode; ConditionalBranchNode BranchNode;
BranchNode.Address = ParentMeta.VMAddress; BranchNode.Address = ParentMeta.VMAddress;
BranchNode.Target = 0; BranchNode.Target = 0;
BranchNode.Fallthrough = 0; BranchNode.Fallthrough = 0;
BranchNode.CFIProtection = false; BranchNode.CFIProtection = false;
BranchNode.IndirectCFIsOnTargetPath = (BranchTarget == Address);
if (BranchTarget == Address) if (BranchTarget == Address)
BranchNode.Target = Address; BranchNode.Target = Address;
else else
BranchNode.Fallthrough = Address; BranchNode.Fallthrough = Address;
HasValidCrossRef = true; HasValidCrossRef = true;
buildFlowsToUndefined(Analysis, Result, BranchNode, ParentMeta); buildFlowsToUndefined(Analysis, Result, BranchNode, ParentMeta);
Show All 11 Lines

llvm/trunk/unittests/tools/llvm-cfi-verify/FileAnalysis.cpp

Show First 20 LinesShow All 735 Lines▼ Show 20 Lines EXPECT_EQ(CFIProtectionStatus::PROTECTED,
Analysis.validateCFIProtection(Result)); Analysis.validateCFIProtection(Result));
SearchLengthForUndef = 3; SearchLengthForUndef = 3;
Result = GraphBuilder::buildFlowGraph(Analysis, 0x775a68); Result = GraphBuilder::buildFlowGraph(Analysis, 0x775a68);
EXPECT_EQ(CFIProtectionStatus::PROTECTED, EXPECT_EQ(CFIProtectionStatus::PROTECTED,
Analysis.validateCFIProtection(Result)); Analysis.validateCFIProtection(Result));
SearchLengthForUndef = PrevSearchLengthForUndef; SearchLengthForUndef = PrevSearchLengthForUndef;
} }
TEST_F(BasicFileAnalysisTest, CFIProtectionClobberSinglePathExplicit) {
if (!SuccessfullyInitialised)
return;
Analysis.parseSectionContents(
{
0x75, 0x02, // 0: jne 4 [+2]
0x0f, 0x0b, // 2: ud2
0x48, 0x05, 0x00, 0x00, 0x00, 0x00, // 4: add $0x0, %rax
0xff, 0x10, // 10: callq *(%rax)
},
0xDEADBEEF);
GraphResult Result = GraphBuilder::buildFlowGraph(Analysis, 0xDEADBEEF + 10);
EXPECT_EQ(CFIProtectionStatus::FAIL_REGISTER_CLOBBERED,
Analysis.validateCFIProtection(Result));
}
TEST_F(BasicFileAnalysisTest, CFIProtectionClobberSinglePathExplicit2) {
if (!SuccessfullyInitialised)
return;
Analysis.parseSectionContents(
{
0x75, 0x02, // 0: jne 4 [+2]
0x0f, 0x0b, // 2: ud2
0x48, 0x83, 0xc0, 0x00, // 4: add $0x0, %rax
0xff, 0x10, // 8: callq *(%rax)
},
0xDEADBEEF);
GraphResult Result = GraphBuilder::buildFlowGraph(Analysis, 0xDEADBEEF + 8);
EXPECT_EQ(CFIProtectionStatus::FAIL_REGISTER_CLOBBERED,
Analysis.validateCFIProtection(Result));
}
TEST_F(BasicFileAnalysisTest, CFIProtectionClobberSinglePathImplicit) {
if (!SuccessfullyInitialised)
return;
Analysis.parseSectionContents(
{
0x75, 0x02, // 0: jne 4 [+2]
0x0f, 0x0b, // 2: ud2
0x05, 0x00, 0x00, 0x00, 0x00, // 4: add $0x0, %eax
0xff, 0x10, // 9: callq *(%rax)
},
0xDEADBEEF);
GraphResult Result = GraphBuilder::buildFlowGraph(Analysis, 0xDEADBEEF + 9);
EXPECT_EQ(CFIProtectionStatus::FAIL_REGISTER_CLOBBERED,
Analysis.validateCFIProtection(Result));
}
TEST_F(BasicFileAnalysisTest, CFIProtectionClobberDualPathImplicit) {
if (!SuccessfullyInitialised)
return;
Analysis.parseSectionContents(
{
0x75, 0x04, // 0: jne 6 [+4]
0x0f, 0x31, // 2: rdtsc (note: affects eax)
0xff, 0x10, // 4: callq *(%rax)
0x0f, 0x0b, // 6: ud2
0x75, 0xf9, // 8: jne 2 [-7]
0x0f, 0x0b, // 10: ud2
},
0xDEADBEEF);
GraphResult Result = GraphBuilder::buildFlowGraph(Analysis, 0xDEADBEEF + 4);
EXPECT_EQ(CFIProtectionStatus::FAIL_REGISTER_CLOBBERED,
Analysis.validateCFIProtection(Result));
}
} // anonymous namespace } // anonymous namespace
} // end namespace cfi_verify } // end namespace cfi_verify
} // end namespace llvm } // end namespace llvm
int main(int argc, char **argv) { int main(int argc, char **argv) {
::testing::InitGoogleTest(&argc, argv); ::testing::InitGoogleTest(&argc, argv);
llvm::cl::ParseCommandLineOptions(argc, argv); llvm::cl::ParseCommandLineOptions(argc, argv);
llvm::InitializeAllTargetInfos(); llvm::InitializeAllTargetInfos();
llvm::InitializeAllTargetMCs(); llvm::InitializeAllTargetMCs();
llvm::InitializeAllAsmParsers(); llvm::InitializeAllAsmParsers();
llvm::InitializeAllDisassemblers(); llvm::InitializeAllDisassemblers();
return RUN_ALL_TESTS(); return RUN_ALL_TESTS();
} }