xref: /freebsd/contrib/llvm-project/llvm/lib/Transforms/Instrumentation/KCFI.cpp (revision f81cdf24ba5436367377f7c8e8f51f6df2a75ca7) 
1 //===-- KCFI.cpp - Generic KCFI operand bundle lowering ---------*- C++ -*-===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This pass emits generic KCFI indirect call checks for targets that don't
10 // support lowering KCFI operand bundles in the back-end.
11 //
12 //===----------------------------------------------------------------------===//
13 
14 #include "llvm/Transforms/Instrumentation/KCFI.h"
15 #include "llvm/ADT/Statistic.h"
16 #include "llvm/IR/Constants.h"
17 #include "llvm/IR/DiagnosticInfo.h"
18 #include "llvm/IR/DiagnosticPrinter.h"
19 #include "llvm/IR/Function.h"
20 #include "llvm/IR/GlobalObject.h"
21 #include "llvm/IR/IRBuilder.h"
22 #include "llvm/IR/InstIterator.h"
23 #include "llvm/IR/Instructions.h"
24 #include "llvm/IR/Intrinsics.h"
25 #include "llvm/IR/MDBuilder.h"
26 #include "llvm/IR/Module.h"
27 #include "llvm/Target/TargetMachine.h"
28 #include "llvm/Transforms/Utils/BasicBlockUtils.h"
29 
30 using namespace llvm;
31 
32 #define DEBUG_TYPE "kcfi"
33 
34 STATISTIC(NumKCFIChecks, "Number of kcfi operands transformed into checks");
35 
36 namespace {
37 class DiagnosticInfoKCFI : public DiagnosticInfo {
38   const Twine &Msg;
39 
40 public:
41   DiagnosticInfoKCFI(const Twine &DiagMsg,
42                      DiagnosticSeverity Severity = DS_Error)
43       : DiagnosticInfo(DK_Linker, Severity), Msg(DiagMsg) {}
44   void print(DiagnosticPrinter &DP) const override { DP << Msg; }
45 };
46 } // namespace
47 
48 PreservedAnalyses KCFIPass::run(Function &F, FunctionAnalysisManager &AM) {
49   Module &M = *F.getParent();
50   if (!M.getModuleFlag("kcfi"))
51     return PreservedAnalyses::all();
52 
53   // Find call instructions with KCFI operand bundles.
54   SmallVector<CallInst *> KCFICalls;
55   for (Instruction &I : instructions(F)) {
56     if (auto *CI = dyn_cast<CallInst>(&I))
57       if (CI->getOperandBundle(LLVMContext::OB_kcfi))
58         KCFICalls.push_back(CI);
59   }
60 
61   if (KCFICalls.empty())
62     return PreservedAnalyses::all();
63 
64   LLVMContext &Ctx = M.getContext();
65   // patchable-function-prefix emits nops between the KCFI type identifier
66   // and the function start. As we don't know the size of the emitted nops,
67   // don't allow this attribute with generic lowering.
68   if (F.hasFnAttribute("patchable-function-prefix"))
69     Ctx.diagnose(
70         DiagnosticInfoKCFI("-fpatchable-function-entry=N,M, where M>0 is not "
71                            "compatible with -fsanitize=kcfi on this target"));
72 
73   IntegerType *Int32Ty = Type::getInt32Ty(Ctx);
74   MDNode *VeryUnlikelyWeights =
75       MDBuilder(Ctx).createBranchWeights(1, (1U << 20) - 1);
76   Triple T(M.getTargetTriple());
77 
78   for (CallInst *CI : KCFICalls) {
79     // Get the expected hash value.
80     const uint32_t ExpectedHash =
81         cast<ConstantInt>(CI->getOperandBundle(LLVMContext::OB_kcfi)->Inputs[0])
82             ->getZExtValue();
83 
84     // Drop the KCFI operand bundle.
85     CallBase *Call =
86         CallBase::removeOperandBundle(CI, LLVMContext::OB_kcfi, CI);
87     assert(Call != CI);
88     Call->copyMetadata(*CI);
89     CI->replaceAllUsesWith(Call);
90     CI->eraseFromParent();
91 
92     if (!Call->isIndirectCall())
93       continue;
94 
95     // Emit a check and trap if the target hash doesn't match.
96     IRBuilder<> Builder(Call);
97     Value *FuncPtr = Call->getCalledOperand();
98     // ARM uses the least significant bit of the function pointer to select
99     // between ARM and Thumb modes for the callee. Instructions are always
100     // at least 16-bit aligned, so clear the LSB before we compute the hash
101     // location.
102     if (T.isARM() || T.isThumb()) {
103       FuncPtr = Builder.CreateIntToPtr(
104           Builder.CreateAnd(Builder.CreatePtrToInt(FuncPtr, Int32Ty),
105                             ConstantInt::get(Int32Ty, -2)),
106           FuncPtr->getType());
107     }
108     Value *HashPtr = Builder.CreateConstInBoundsGEP1_32(Int32Ty, FuncPtr, -1);
109     Value *Test = Builder.CreateICmpNE(Builder.CreateLoad(Int32Ty, HashPtr),
110                                        ConstantInt::get(Int32Ty, ExpectedHash));
111     Instruction *ThenTerm =
112         SplitBlockAndInsertIfThen(Test, Call, false, VeryUnlikelyWeights);
113     Builder.SetInsertPoint(ThenTerm);
114     Builder.CreateCall(Intrinsic::getDeclaration(&M, Intrinsic::debugtrap));
115     ++NumKCFIChecks;
116   }
117 
118   return PreservedAnalyses::none();
119 }
120