1 //===-- KCFI.cpp - Generic KCFI operand bundle lowering ---------*- C++ -*-===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This pass emits generic KCFI indirect call checks for targets that don't
10 // support lowering KCFI operand bundles in the back-end.
11 //
12 //===----------------------------------------------------------------------===//
13
14 #include "llvm/Transforms/Instrumentation/KCFI.h"
15 #include "llvm/ADT/Statistic.h"
16 #include "llvm/IR/Constants.h"
17 #include "llvm/IR/DiagnosticInfo.h"
18 #include "llvm/IR/DiagnosticPrinter.h"
19 #include "llvm/IR/Function.h"
20 #include "llvm/IR/GlobalObject.h"
21 #include "llvm/IR/IRBuilder.h"
22 #include "llvm/IR/InstIterator.h"
23 #include "llvm/IR/Instructions.h"
24 #include "llvm/IR/Intrinsics.h"
25 #include "llvm/IR/MDBuilder.h"
26 #include "llvm/IR/Module.h"
27 #include "llvm/InitializePasses.h"
28 #include "llvm/Pass.h"
29 #include "llvm/Target/TargetMachine.h"
30 #include "llvm/Transforms/Instrumentation.h"
31 #include "llvm/Transforms/Utils/BasicBlockUtils.h"
32
33 using namespace llvm;
34
35 #define DEBUG_TYPE "kcfi"
36
37 STATISTIC(NumKCFIChecks, "Number of kcfi operands transformed into checks");
38
39 namespace {
40 class DiagnosticInfoKCFI : public DiagnosticInfo {
41 const Twine &Msg;
42
43 public:
DiagnosticInfoKCFI(const Twine & DiagMsg,DiagnosticSeverity Severity=DS_Error)44 DiagnosticInfoKCFI(const Twine &DiagMsg,
45 DiagnosticSeverity Severity = DS_Error)
46 : DiagnosticInfo(DK_Linker, Severity), Msg(DiagMsg) {}
print(DiagnosticPrinter & DP) const47 void print(DiagnosticPrinter &DP) const override { DP << Msg; }
48 };
49 } // namespace
50
run(Function & F,FunctionAnalysisManager & AM)51 PreservedAnalyses KCFIPass::run(Function &F, FunctionAnalysisManager &AM) {
52 Module &M = *F.getParent();
53 if (!M.getModuleFlag("kcfi"))
54 return PreservedAnalyses::all();
55
56 // Find call instructions with KCFI operand bundles.
57 SmallVector<CallInst *> KCFICalls;
58 for (Instruction &I : instructions(F)) {
59 if (auto *CI = dyn_cast<CallInst>(&I))
60 if (CI->getOperandBundle(LLVMContext::OB_kcfi))
61 KCFICalls.push_back(CI);
62 }
63
64 if (KCFICalls.empty())
65 return PreservedAnalyses::all();
66
67 LLVMContext &Ctx = M.getContext();
68 // patchable-function-prefix emits nops between the KCFI type identifier
69 // and the function start. As we don't know the size of the emitted nops,
70 // don't allow this attribute with generic lowering.
71 if (F.hasFnAttribute("patchable-function-prefix"))
72 Ctx.diagnose(
73 DiagnosticInfoKCFI("-fpatchable-function-entry=N,M, where M>0 is not "
74 "compatible with -fsanitize=kcfi on this target"));
75
76 IntegerType *Int32Ty = Type::getInt32Ty(Ctx);
77 MDNode *VeryUnlikelyWeights =
78 MDBuilder(Ctx).createBranchWeights(1, (1U << 20) - 1);
79
80 for (CallInst *CI : KCFICalls) {
81 // Get the expected hash value.
82 const uint32_t ExpectedHash =
83 cast<ConstantInt>(CI->getOperandBundle(LLVMContext::OB_kcfi)->Inputs[0])
84 ->getZExtValue();
85
86 // Drop the KCFI operand bundle.
87 CallBase *Call =
88 CallBase::removeOperandBundle(CI, LLVMContext::OB_kcfi, CI);
89 assert(Call != CI);
90 Call->copyMetadata(*CI);
91 CI->replaceAllUsesWith(Call);
92 CI->eraseFromParent();
93
94 if (!Call->isIndirectCall())
95 continue;
96
97 // Emit a check and trap if the target hash doesn't match.
98 IRBuilder<> Builder(Call);
99 Value *HashPtr = Builder.CreateConstInBoundsGEP1_32(
100 Int32Ty, Call->getCalledOperand(), -1);
101 Value *Test = Builder.CreateICmpNE(Builder.CreateLoad(Int32Ty, HashPtr),
102 ConstantInt::get(Int32Ty, ExpectedHash));
103 Instruction *ThenTerm =
104 SplitBlockAndInsertIfThen(Test, Call, false, VeryUnlikelyWeights);
105 Builder.SetInsertPoint(ThenTerm);
106 Builder.CreateCall(Intrinsic::getDeclaration(&M, Intrinsic::trap));
107 ++NumKCFIChecks;
108 }
109
110 return PreservedAnalyses::none();
111 }
112