
[X86] Check if call is indirect before emitting NT_CALL

Authored by joaomoreira on Sep 8 2020, 11:59 AM.



The notrack prefix is a relaxation of CET policies which makes it possible to indirectly call targets which do not have an ENDBR instruction in the landing address. To emit a call with this prefix, the special attribute "nocf_check" is used. When used as a function attribute, a CallInst targeting the respective function will return true for the method "doesNoCfCheck()", no matter if it is a direct call (and such should remain like this, as the information that the to-be-called function won't perform control-flow checks is useful in other contexts). Yet, when emitting an X86ISD::NT_CALL, the respective CallInst should be verified for its indirection, allowing that the prefixed calls are only emitted in the right situations.

Update the respective testing unit to also verify for direct calls to functions with "nocf_check" attributes.

The bug can also be reproduced through compiling the following C code using the -fcf-protection=full flag.

int __attribute__((nocf_check)) foo(int a) { return a; }

int main(void) {
    /* Direct call to the nocf_check function; the listing on the page is cut off
     * after the opening brace of main, so this body is reconstructed from the
     * summary above (the bug concerns exactly such a direct call). */
    return foo(0);
}
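The distinction the patch enforces, as an added example that is not the revision's own code and not the reproducer from the summary: the same nocf_check callee reached once by a direct call and once through a function pointer. Only the second site is a legitimate candidate for the NOTRACK prefix (X86ISD::NT_CALL); the first must stay a plain call even though doesNoCfCheck() is true for both. The names foo, call_direct, call_indirect and nocf_fn are chosen here, and the __CET__ guard is an assumption that keeps the file compiling cleanly when -fcf-protection is not enabled.

```c
/* Added example: direct vs. indirect calls to a nocf_check function.
 * Build with  clang -fcf-protection=full -O0 -S  and look for "notrack"
 * in the output: it should appear only on the indirect call site. */
#include <stdio.h>

/* GCC and Clang define __CET__ when -fcf-protection is in effect; without it
 * the attribute is merely ignored with a warning, so we only use it then.
 * (Assumption of this example, not something the revision relies on.) */
#if defined(__CET__)
#define NOCF_CHECK __attribute__((nocf_check))
#else
#define NOCF_CHECK
#endif

/* Callee that opts out of control-flow checks. */
int NOCF_CHECK foo(int a) { return a + 1; }

/* Direct call: the CallInst reports doesNoCfCheck() == true, but the target
 * is a known symbol, so no NOTRACK prefix (NT_CALL) should be emitted here. */
int call_direct(int a) { return foo(a); }

/* Function-pointer type carrying the same attribute; calls through it are
 * the indirect calls for which emitting NT_CALL is correct. */
typedef int (*nocf_fn)(int) NOCF_CHECK;

/* Indirect call: volatile keeps the compiler from folding it back into a
 * direct call, so the call site really is "call *%reg" at -O0. */
int call_indirect(int a) {
    nocf_fn volatile fp = foo;
    return fp(a);
}

int main(void) {
    printf("direct=%d indirect=%d\n", call_direct(3), call_indirect(3));
    return 0;
}
```

With the fix from this revision, the assembly for call_direct contains a plain `call foo` while call_indirect contains `notrack call *%reg`; before it, both sites were prefixed.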


Event Timeline

joaomoreira created this revision.Sep 8 2020, 11:59 AM
Herald added a project: Restricted Project. · View Herald TranscriptSep 8 2020, 11:59 AM
joaomoreira requested review of this revision.Sep 8 2020, 11:59 AM
joaomoreira edited the summary of this revision. (Show Details)Sep 8 2020, 12:01 PM
joaomoreira added a reviewer:

Should we add a test here?

This needs test coverage.

Also, please regenerate the diff with context (e.g. git diff -U9999 HEAD)

joaomoreira edited the summary of this revision. (Show Details)
joaomoreira added a comment.EditedSep 18 2020, 12:30 PM

The test was updated in the last revision, diff was also updated for context. Is there anything else needed for this?

This revision is now accepted and ready to land.Sep 23 2020, 10:09 AM
This revision was automatically updated to reflect the committed changes.