
[X86] Add Indirect Thunk Support to X86 to mitigate Load Value Injection (LVI) [3/3]
ClosedPublic

Authored by sconstab on Mar 25 2020, 4:35 PM.

Details

Summary

This pass replaces each indirect call/jump with a direct call to a thunk that looks like:

lfence
jmpq *%r11

This ensures that if the value in register %r11 was loaded from memory, then
the value in %r11 is (architecturally) correct prior to the jump.
Also adds a new target feature to X86: +lvi-cfi
("cfi" meaning control-flow integrity)
The feature can be added via clang CLI using -mlvi-cfi.

This is an alternate implementation to https://reviews.llvm.org/D75934 that merges the thunk insertion functionality with the existing X86 retpoline code.
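As an added illustration (not code from this revision or from LLVM), the following Python rewriter applies the transformation the summary describes to AT&T-syntax x86-64 assembly text: every indirect call or jump is replaced by a direct branch to a thunk consisting of lfence followed by jmpq *%r11, with the original branch target first staged in %r11. The real pass works on MachineInstrs in X86IndirectThunks.cpp; here the thunk symbol name, the sample input and the register-staging step are placeholders constructed for the example.

```python
"""Text-level illustration of the LVI indirect-thunk rewrite.

Added example, not LLVM's X86IndirectThunks pass: it rewrites AT&T-syntax
x86-64 assembly text. THUNK_SYMBOL and SAMPLE are constructed here and are
not taken from the review.
"""
import re

THUNK_SYMBOL = "__lvi_thunk_r11"  # placeholder name (assumption, not LLVM's)

# Indirect branches: "callq *%rax", "call *(%rdi)", "jmp *8(%rbx)", "jmpq *%r11"
INDIRECT_RE = re.compile(r"^\s*(?P<op>callq?|jmpq?)\s+\*(?P<target>\S+)\s*$")

# Constructed sample: a dispatcher with three indirect branches.
SAMPLE = """\
dispatch:
\tmovq\t(%rdi), %rax
\tcallq\t*%rax
\tjmp\t*8(%rbx)
\tcallq\t*%r11
\tret
"""


def thunk_body():
    """The thunk from the review summary: serialize, then jump through %r11."""
    return [f"{THUNK_SYMBOL}:", "\tlfence", "\tjmpq\t*%r11"]


def rewrite_line(line):
    """Replace one indirect call/jump with a direct branch to the thunk."""
    m = INDIRECT_RE.match(line)
    if not m:
        return [line]
    op, target = m.group("op"), m.group("target")
    direct = "callq" if op.startswith("call") else "jmp"
    out = []
    if target != "%r11":
        # Stage the target in %r11 (caller-saved scratch in the SysV ABI).
        # For a memory operand this is the load an LVI gadget could taint;
        # the lfence inside the thunk ensures the loaded value is
        # architecturally resolved before the jump consumes it.
        out.append(f"\tmovq\t{target}, %r11")
    out.append(f"\t{direct}\t{THUNK_SYMBOL}")
    return out


def rewrite(asm):
    """Rewrite every indirect branch in `asm` and append one shared thunk."""
    lines = []
    for line in asm.splitlines():
        lines.extend(rewrite_line(line))
    lines.extend(thunk_body())
    return "\n".join(lines)


def remaining_indirect_branches(asm):
    """Indirect branches outside the thunk; empty after a complete rewrite."""
    found = []
    for line in asm.splitlines():
        if line.strip() == f"{THUNK_SYMBOL}:":
            break  # the thunk is appended last; its jmpq *%r11 is intended
        if INDIRECT_RE.match(line):
            found.append(line.strip())
    return found


if __name__ == "__main__":
    print(rewrite(SAMPLE))
```

Running the module prints the rewritten dispatcher: the two non-%r11 branches gain a movq into %r11, all three become direct branches to the thunk, and a single lfence/jmpq *%r11 pair is appended, so remaining_indirect_branches reports nothing outside the thunk.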

Diff Detail

Event Timeline

sconstab created this revision. Mar 25 2020, 4:35 PM
sconstab retitled this revision from "Add Indirect Thunk Support to X86 to mitigate Load Value Injection (LVI) [3/3]" to "[X86] Add Indirect Thunk Support to X86 to mitigate Load Value Injection (LVI) [3/3]".
sconstab updated this revision to Diff 253888. Mar 31 2020, 7:42 AM

Added a comment to the header of X86IndirectThunks.cpp to indicate support for LVI thunks.

craig.topper added inline comments. Apr 1 2020, 11:25 AM
llvm/lib/Target/X86/X86IndirectThunks.cpp:97

Why don't you need the code from retpoline that erases extra BBs?

sconstab updated this revision to Diff 254276. Apr 1 2020, 12:50 PM

@craig.topper I think that removing spurious MBBs is not really necessary because the emitted machine code doesn't contain the spurious MBBs, from what I have observed. I added the check anyways, if only because others may look at this discrepancy and have the same question.

sconstab marked an inline comment as done. Apr 1 2020, 12:51 PM
This revision is now accepted and ready to land. Apr 1 2020, 9:44 PM
This revision was automatically updated to reflect the committed changes.
Herald added a project: Restricted Project. Apr 3 2020, 1:02 AM