This is an archive of the discontinued LLVM Phabricator instance.

Differential D49793

[AArch64] - return address signing
ClosedPublic

Authored by LukeCheeseman on Jul 25 2018, 5:46 AM.

Details

Reviewers
javed.absar
pcc
kcc
vlad.tsyrklevich
eugenis
olista01
Commits
rG0ac44c18b768: [AArch64] - return address signing
rG64dcdec60cdc: [AArch64] - Generate pointer authentication instructions
rC340019: [AArch64] - return address signing
rL340019: [AArch64] - return address signing
rL340018: [AArch64] - Generate pointer authentication instructions
Summary

Add a command line options -msign-return-address to enable return address signing

  • Armv8.3a added instructions to sign the return address to help mitigate against ROP attacks
  • This patch adds command line options to generate function attributes that signal to the back whether return address signing instructions should be added

Diff Detail

Event Timeline

LukeCheeseman created this revision.Jul 25 2018, 5:46 AM
Herald added a reviewer: javed.absar. · View Herald TranscriptJul 25 2018, 5:46 AM
Herald added a subscriber: kristof.beyls. · View Herald Transcript
LukeCheeseman added reviewers: pcc, kcc, vlad.tsyrklevich, eugenis.Jul 25 2018, 5:47 AM
LukeCheeseman set the repository for this revision to rC Clang.
Herald added a subscriber: cfe-commits. · View Herald TranscriptJul 25 2018, 5:47 AM
javed.absar added a comment.Jul 25 2018, 6:15 AM

Maybe you can provide some more context to this patch (why you need this, or point to some document), if possible.

include/clang/Frontend/CodeGenOptions.h
111

Please conform this to the code around (i.e. each option on a separate line with comments explaining the option).

test/CodeGen/aarch64-sign-return-address.c
5

Can the label check not be under one 'CHECK' prefix?

LukeCheeseman updated this revision to Diff 157266.Jul 25 2018, 7:56 AM
LukeCheeseman edited the summary of this revision. (Show Details)
LukeCheeseman marked 2 inline comments as done.
kcc added inline comments.Jul 25 2018, 1:27 PM
include/clang/Frontend/CodeGenOptions.h
114

what's the purpose of signing LR if it is not spilled?

LukeCheeseman updated this revision to Diff 157444.Jul 26 2018, 3:13 AM

Change codegen option partial to non-leaf to match msign-return-address scope values

LukeCheeseman added inline comments.Jul 26 2018, 3:31 AM
include/clang/Frontend/CodeGenOptions.h
114

Assuming you are in a context where you have managed to gain control of the flow of execution. If you don't sign functions that spill LR then those functions become good candidates for finding gadgets as now execution can start from any point in that function.

LukeCheeseman updated this revision to Diff 158491.Aug 1 2018, 3:57 AM

Move -msign-return-address argument handling into AArch64TargetArgs

LukeCheeseman added a comment.Aug 16 2018, 2:40 AM

ping

olista01 accepted this revision.Aug 17 2018, 5:36 AM
olista01 added a subscriber: olista01.

LGTM, thanks!

This revision is now accepted and ready to land.Aug 17 2018, 5:36 AM
Closed by commit rL340018: [AArch64] - Generate pointer authentication instructions (authored by LukeCheeseman). · Explain WhyAug 17 2018, 5:54 AM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptAug 17 2018, 5:54 AM
hctim added a subscriber: hctim.Jan 20 2020, 4:31 PM
This comment was removed by hctim.
Herald added a project: Restricted Project. · View Herald TranscriptJan 20 2020, 4:31 PM

Revision Contents

PathSize
include/
clang/
Driver/
4 lines
Frontend/
2 lines
1 line
lib/
CodeGen/
17 lines
Driver/
ToolChains/
5 lines
Frontend/
13 lines
test/
CodeGen/
14 lines

Diff 157241

include/clang/Driver/Options.td

Show First 20 LinesShow All 2,024 Lines▼ Show 20 Lines
def mno_fix_cortex_a53_835769 : Flag<["-"], "mno-fix-cortex-a53-835769">, def mno_fix_cortex_a53_835769 : Flag<["-"], "mno-fix-cortex-a53-835769">,
Group<m_aarch64_Features_Group>, Group<m_aarch64_Features_Group>,
HelpText<"Don't workaround Cortex-A53 erratum 835769 (AArch64 only)">; HelpText<"Don't workaround Cortex-A53 erratum 835769 (AArch64 only)">;
def ffixed_x18 : Flag<["-"], "ffixed-x18">, Group<m_aarch64_Features_Group>, def ffixed_x18 : Flag<["-"], "ffixed-x18">, Group<m_aarch64_Features_Group>,
HelpText<"Reserve the x18 register (AArch64 only)">; HelpText<"Reserve the x18 register (AArch64 only)">;
def ffixed_x20 : Flag<["-"], "ffixed-x20">, Group<m_aarch64_Features_Group>, def ffixed_x20 : Flag<["-"], "ffixed-x20">, Group<m_aarch64_Features_Group>,
HelpText<"Reserve the x20 register (AArch64 only)">; HelpText<"Reserve the x20 register (AArch64 only)">;
def msign_return_address : Joined<["-"], "msign-return-address=">,
Flags<[CC1Option]>, Group<m_Group>,
HelpText<"Select return address signing scope">, Values<"none,all,non-leaf">;
def msimd128 : Flag<["-"], "msimd128">, Group<m_wasm_Features_Group>; def msimd128 : Flag<["-"], "msimd128">, Group<m_wasm_Features_Group>;
def mno_simd128 : Flag<["-"], "mno-simd128">, Group<m_wasm_Features_Group>; def mno_simd128 : Flag<["-"], "mno-simd128">, Group<m_wasm_Features_Group>;
def mnontrapping_fptoint : Flag<["-"], "mnontrapping-fptoint">, Group<m_wasm_Features_Group>; def mnontrapping_fptoint : Flag<["-"], "mnontrapping-fptoint">, Group<m_wasm_Features_Group>;
def mno_nontrapping_fptoint : Flag<["-"], "mno-nontrapping-fptoint">, Group<m_wasm_Features_Group>; def mno_nontrapping_fptoint : Flag<["-"], "mno-nontrapping-fptoint">, Group<m_wasm_Features_Group>;
def msign_ext : Flag<["-"], "msign-ext">, Group<m_wasm_Features_Group>; def msign_ext : Flag<["-"], "msign-ext">, Group<m_wasm_Features_Group>;
def mno_sign_ext : Flag<["-"], "mno-sign-ext">, Group<m_wasm_Features_Group>; def mno_sign_ext : Flag<["-"], "mno-sign-ext">, Group<m_wasm_Features_Group>;
def mexception_handing : Flag<["-"], "mexception-handling">, Group<m_wasm_Features_Group>; def mexception_handing : Flag<["-"], "mexception-handling">, Group<m_wasm_Features_Group>;
def mno_exception_handing : Flag<["-"], "mno-exception-handling">, Group<m_wasm_Features_Group>; def mno_exception_handing : Flag<["-"], "mno-exception-handling">, Group<m_wasm_Features_Group>;
▲ Show 20 LinesShow All 973 LinesShow Last 20 Lines

include/clang/Frontend/CodeGenOptions.h

Show First 20 LinesShow All 102 Lines▼ Show 20 Linespublic:
enum EmbedBitcodeKind { enum EmbedBitcodeKind {
Embed_Off, // No embedded bitcode. Embed_Off, // No embedded bitcode.
Embed_All, // Embed both bitcode and commandline in the output. Embed_All, // Embed both bitcode and commandline in the output.
Embed_Bitcode, // Embed just the bitcode in the output. Embed_Bitcode, // Embed just the bitcode in the output.
Embed_Marker // Embed a marker as a placeholder for bitcode. Embed_Marker // Embed a marker as a placeholder for bitcode.
}; };
enum SignReturnAddressScope { None, Partial, All };
javed.absarUnsubmitted
Done
ReplyInline Actions

Please conform this to the code around (i.e. each option on a separate line with comments explaining the option).

javed.absar: Please conform this to the code around (i.e. each option on a separate line with comments…
/// The code model to use (-mcmodel). /// The code model to use (-mcmodel).
std::string CodeModel; std::string CodeModel;
kccUnsubmitted
Not Done
ReplyInline Actions

what's the purpose of signing LR if it is not spilled?

kcc: what's the purpose of signing LR if it is not spilled?
LukeCheesemanAuthorUnsubmitted
Not Done
ReplyInline Actions

Assuming you are in a context where you have managed to gain control of the flow of execution. If you don't sign functions that spill LR then those functions become good candidates for finding gadgets as now execution can start from any point in that function.

LukeCheeseman: Assuming you are in a context where you have managed to gain control of the flow of execution.
/// The filename with path we use for coverage data files. The runtime /// The filename with path we use for coverage data files. The runtime
/// allows further manipulation with the GCOV_PREFIX and GCOV_PREFIX_STRIP /// allows further manipulation with the GCOV_PREFIX and GCOV_PREFIX_STRIP
/// environment variables. /// environment variables.
std::string CoverageDataFile; std::string CoverageDataFile;
/// The filename with path we use for coverage notes files. /// The filename with path we use for coverage notes files.
std::string CoverageNotesFile; std::string CoverageNotesFile;
▲ Show 20 LinesShow All 187 LinesShow Last 20 Lines

include/clang/Frontend/CodeGenOptions.def

Show First 20 LinesShow All 333 Lines▼ Show 20 Lines
CODEGENOPT(EmbedSource, 1, 0) CODEGENOPT(EmbedSource, 1, 0)
/// Whether to emit all vtables /// Whether to emit all vtables
CODEGENOPT(ForceEmitVTables, 1, 0) CODEGENOPT(ForceEmitVTables, 1, 0)
/// Whether to emit an address-significance table into the object file. /// Whether to emit an address-significance table into the object file.
CODEGENOPT(Addrsig, 1, 0) CODEGENOPT(Addrsig, 1, 0)
ENUM_CODEGENOPT(SignReturnAddress, SignReturnAddressScope, 2, None)
#undef CODEGENOPT #undef CODEGENOPT
#undef ENUM_CODEGENOPT #undef ENUM_CODEGENOPT
#undef VALUE_CODEGENOPT #undef VALUE_CODEGENOPT

lib/CodeGen/TargetInfo.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 4,963 Lines▼ Show 20 Lines StringRef getARCRetainAutoreleasedReturnValueMarker() const override {
return "mov\tfp, fp\t\t// marker for objc_retainAutoreleaseReturnValue"; return "mov\tfp, fp\t\t// marker for objc_retainAutoreleaseReturnValue";
} }
int getDwarfEHStackPointer(CodeGen::CodeGenModule &M) const override { int getDwarfEHStackPointer(CodeGen::CodeGenModule &M) const override {
return 31; return 31;
} }
bool doesReturnSlotInterfereWithArgs() const override { return false; } bool doesReturnSlotInterfereWithArgs() const override { return false; }
void setTargetAttributes(const Decl *D, llvm::GlobalValue *GV,
CodeGen::CodeGenModule &CGM) const override {
const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(D);
if (!FD)
return;
llvm::Function *Fn = cast<llvm::Function>(GV);
auto Kind = CGM.getCodeGenOpts().getSignReturnAddress();
if (Kind == CodeGenOptions::SignReturnAddressScope::None)
return;
Fn->addFnAttr("sign-return-address",
Kind == CodeGenOptions::SignReturnAddressScope::All
? "all"
: "partial");
}
}; };
class WindowsAArch64TargetCodeGenInfo : public AArch64TargetCodeGenInfo { class WindowsAArch64TargetCodeGenInfo : public AArch64TargetCodeGenInfo {
public: public:
WindowsAArch64TargetCodeGenInfo(CodeGenTypes &CGT, AArch64ABIInfo::ABIKind K) WindowsAArch64TargetCodeGenInfo(CodeGenTypes &CGT, AArch64ABIInfo::ABIKind K)
: AArch64TargetCodeGenInfo(CGT, K) {} : AArch64TargetCodeGenInfo(CGT, K) {}
void getDependentLibraryOption(llvm::StringRef Lib, void getDependentLibraryOption(llvm::StringRef Lib,
▲ Show 20 LinesShow All 4,282 LinesShow Last 20 Lines

lib/Driver/ToolChains/Clang.cpp

Show First 20 LinesShow All 4,067 Lines▼ Show 20 Lines if (Args.hasArg(options::OPT_mstack_probe_size)) {
else else
CmdArgs.push_back("-mstack-probe-size=0"); CmdArgs.push_back("-mstack-probe-size=0");
} }
if (!Args.hasFlag(options::OPT_mstack_arg_probe, if (!Args.hasFlag(options::OPT_mstack_arg_probe,
options::OPT_mno_stack_arg_probe, true)) options::OPT_mno_stack_arg_probe, true))
CmdArgs.push_back(Args.MakeArgString("-mno-stack-arg-probe")); CmdArgs.push_back(Args.MakeArgString("-mno-stack-arg-probe"));
if (Arg *A = Args.getLastArg(options::OPT_msign_return_address)) {
CmdArgs.push_back(
Args.MakeArgString(Twine("-msign-return-address=") + A->getValue()));
}
if (Arg *A = Args.getLastArg(options::OPT_mrestrict_it, if (Arg *A = Args.getLastArg(options::OPT_mrestrict_it,
options::OPT_mno_restrict_it)) { options::OPT_mno_restrict_it)) {
if (A->getOption().matches(options::OPT_mrestrict_it)) { if (A->getOption().matches(options::OPT_mrestrict_it)) {
CmdArgs.push_back("-mllvm"); CmdArgs.push_back("-mllvm");
CmdArgs.push_back("-arm-restrict-it"); CmdArgs.push_back("-arm-restrict-it");
} else { } else {
CmdArgs.push_back("-mllvm"); CmdArgs.push_back("-mllvm");
CmdArgs.push_back("-arm-no-restrict-it"); CmdArgs.push_back("-arm-no-restrict-it");
▲ Show 20 LinesShow All 1,557 LinesShow Last 20 Lines

lib/Frontend/CompilerInvocation.cpp

Show First 20 LinesShow All 1,119 Lines▼ Show 20 Linesstatic bool ParseCodeGenArgs(CodeGenOptions &Opts, ArgList &Args, InputKind IK,
Opts.EmitCheckPathComponentsToStrip = getLastArgIntValue( Opts.EmitCheckPathComponentsToStrip = getLastArgIntValue(
Args, OPT_fsanitize_undefined_strip_path_components_EQ, 0, Diags); Args, OPT_fsanitize_undefined_strip_path_components_EQ, 0, Diags);
Opts.EmitVersionIdentMetadata = Args.hasFlag(OPT_Qy, OPT_Qn, true); Opts.EmitVersionIdentMetadata = Args.hasFlag(OPT_Qy, OPT_Qn, true);
Opts.Addrsig = Args.hasArg(OPT_faddrsig); Opts.Addrsig = Args.hasArg(OPT_faddrsig);
if (Arg *A = Args.getLastArg(OPT_msign_return_address)) {
StringRef SignScope = A->getValue();
if (SignScope.equals_lower("none"))
Opts.setSignReturnAddress(CodeGenOptions::SignReturnAddressScope::None);
else if (SignScope.equals_lower("all"))
Opts.setSignReturnAddress(CodeGenOptions::SignReturnAddressScope::All);
else if (SignScope.equals_lower("non-leaf"))
Opts.setSignReturnAddress(CodeGenOptions::SignReturnAddressScope::Partial);
else
Diags.Report(diag::err_drv_invalid_value) << A->getAsString(Args)
<< A->getValue();
}
return Success; return Success;
} }
static void ParseDependencyOutputArgs(DependencyOutputOptions &Opts, static void ParseDependencyOutputArgs(DependencyOutputOptions &Opts,
ArgList &Args) { ArgList &Args) {
Opts.OutputFile = Args.getLastArgValue(OPT_dependency_file); Opts.OutputFile = Args.getLastArgValue(OPT_dependency_file);
Opts.Targets = Args.getAllArgValues(OPT_MT); Opts.Targets = Args.getAllArgValues(OPT_MT);
Opts.IncludeSystemHeaders = Args.hasArg(OPT_sys_header_deps); Opts.IncludeSystemHeaders = Args.hasArg(OPT_sys_header_deps);
▲ Show 20 LinesShow All 2,110 LinesShow Last 20 Lines

test/CodeGen/aarch64-sign-return-address.c

  • This file was added.
// RUN: %clang -target aarch64-arm-none-eabi -S -emit-llvm -o - -msign-return-address=none %s | FileCheck %s --check-prefix=NONE
// RUN: %clang -target aarch64-arm-none-eabi -S -emit-llvm -o - -msign-return-address=non-leaf %s | FileCheck %s --check-prefix=PARTIAL
// RUN: %clang -target aarch64-arm-none-eabi -S -emit-llvm -o - -msign-return-address=all %s | FileCheck %s --check-prefix=ALL
// NONE: @foo() #[[ATTR:[0-9]*]]
javed.absarUnsubmitted
Done
ReplyInline Actions

Can the label check not be under one 'CHECK' prefix?

javed.absar: Can the label check not be under one 'CHECK' prefix?
// NONE-NOT: attributes #[[ATTR]] = { {{.*}} "sign-return-address"={{.*}} }
// PARTIAL: @foo() #[[ATTR:[0-9]*]]
// PARTIAL: attributes #[[ATTR]] = { {{.*}} "sign-return-address"="partial" {{.*}} }
// ALL: @foo() #[[ATTR:[0-9]*]]
// ALL: attributes #[[ATTR]] = { {{.*}} "sign-return-address"="all" {{.*}} }
void foo() {}