xref: /llvm-project/llvm/lib/Target/X86/X86IndirectThunks.cpp (revision dfe43bd1ca46c59399b7cbbf81b09256232e27f9)
1 //==- X86IndirectThunks.cpp - Construct indirect call/jump thunks for x86  --=//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 /// \file
9 ///
10 /// Pass that injects an MI thunk that is used to lower indirect calls in a way
11 /// that prevents speculation on some x86 processors and can be used to mitigate
12 /// security vulnerabilities due to targeted speculative execution and side
13 /// channels such as CVE-2017-5715.
14 ///
15 /// Currently supported thunks include:
16 /// - Retpoline -- A RET-implemented trampoline that lowers indirect calls
17 /// - LVI Thunk -- A CALL/JMP-implemented thunk that forces load serialization
18 ///   before making an indirect call/jump
19 ///
20 /// Note that the reason that this is implemented as a MachineFunctionPass and
21 /// not a ModulePass is that ModulePasses at this point in the LLVM X86 pipeline
22 /// serialize all transformations, which can consume lots of memory.
23 ///
24 /// TODO(chandlerc): All of this code could use better comments and
25 /// documentation.
26 ///
27 //===----------------------------------------------------------------------===//
28 
29 #include "X86.h"
30 #include "X86InstrBuilder.h"
31 #include "X86Subtarget.h"
32 #include "llvm/CodeGen/IndirectThunks.h"
33 #include "llvm/CodeGen/MachineFunction.h"
34 #include "llvm/CodeGen/MachineInstrBuilder.h"
35 #include "llvm/CodeGen/MachineModuleInfo.h"
36 #include "llvm/CodeGen/Passes.h"
37 #include "llvm/CodeGen/TargetPassConfig.h"
38 #include "llvm/IR/Instructions.h"
39 #include "llvm/Target/TargetMachine.h"
40 
41 using namespace llvm;
42 
43 #define DEBUG_TYPE "x86-retpoline-thunks"
44 
45 static const char RetpolineNamePrefix[] = "__llvm_retpoline_";
46 static const char R11RetpolineName[] = "__llvm_retpoline_r11";
47 static const char EAXRetpolineName[] = "__llvm_retpoline_eax";
48 static const char ECXRetpolineName[] = "__llvm_retpoline_ecx";
49 static const char EDXRetpolineName[] = "__llvm_retpoline_edx";
50 static const char EDIRetpolineName[] = "__llvm_retpoline_edi";
51 
52 static const char LVIThunkNamePrefix[] = "__llvm_lvi_thunk_";
53 static const char R11LVIThunkName[] = "__llvm_lvi_thunk_r11";
54 
55 namespace {
56 struct RetpolineThunkInserter : ThunkInserter<RetpolineThunkInserter> {
57   const char *getThunkPrefix() { return RetpolineNamePrefix; }
58   bool mayUseThunk(const MachineFunction &MF) {
59     const auto &STI = MF.getSubtarget<X86Subtarget>();
60     return (STI.useRetpolineIndirectCalls() ||
61             STI.useRetpolineIndirectBranches()) &&
62            !STI.useRetpolineExternalThunk();
63   }
64   bool insertThunks(MachineModuleInfo &MMI, MachineFunction &MF,
65                     bool ExistingThunks);
66   void populateThunk(MachineFunction &MF);
67 };
68 
69 struct LVIThunkInserter : ThunkInserter<LVIThunkInserter> {
70   const char *getThunkPrefix() { return LVIThunkNamePrefix; }
71   bool mayUseThunk(const MachineFunction &MF) {
72     return MF.getSubtarget<X86Subtarget>().useLVIControlFlowIntegrity();
73   }
74   bool insertThunks(MachineModuleInfo &MMI, MachineFunction &MF,
75                     bool ExistingThunks) {
76     if (ExistingThunks)
77       return false;
78     createThunkFunction(MMI, R11LVIThunkName);
79     return true;
80   }
81   void populateThunk(MachineFunction &MF) {
82     assert (MF.size() == 1);
83     MachineBasicBlock *Entry = &MF.front();
84     Entry->clear();
85 
86     // This code mitigates LVI by replacing each indirect call/jump with a
87     // direct call/jump to a thunk that looks like:
88     // ```
89     // lfence
90     // jmpq *%r11
91     // ```
92     // This ensures that if the value in register %r11 was loaded from memory,
93     // then the value in %r11 is (architecturally) correct prior to the jump.
94     const TargetInstrInfo *TII = MF.getSubtarget<X86Subtarget>().getInstrInfo();
95     BuildMI(&MF.front(), DebugLoc(), TII->get(X86::LFENCE));
96     BuildMI(&MF.front(), DebugLoc(), TII->get(X86::JMP64r)).addReg(X86::R11);
97     MF.front().addLiveIn(X86::R11);
98   }
99 };
100 
101 class X86IndirectThunks
102     : public ThunkInserterPass<RetpolineThunkInserter, LVIThunkInserter> {
103 public:
104   static char ID;
105 
106   X86IndirectThunks() : ThunkInserterPass(ID) {}
107 
108   StringRef getPassName() const override { return "X86 Indirect Thunks"; }
109 };
110 
111 } // end anonymous namespace
112 
113 bool RetpolineThunkInserter::insertThunks(MachineModuleInfo &MMI,
114                                           MachineFunction &MF,
115                                           bool ExistingThunks) {
116   if (ExistingThunks)
117     return false;
118   if (MMI.getTarget().getTargetTriple().getArch() == Triple::x86_64)
119     createThunkFunction(MMI, R11RetpolineName);
120   else
121     for (StringRef Name : {EAXRetpolineName, ECXRetpolineName, EDXRetpolineName,
122                            EDIRetpolineName})
123       createThunkFunction(MMI, Name);
124   return true;
125 }
126 
127 void RetpolineThunkInserter::populateThunk(MachineFunction &MF) {
128   bool Is64Bit = MF.getTarget().getTargetTriple().getArch() == Triple::x86_64;
129   Register ThunkReg;
130   if (Is64Bit) {
131     assert(MF.getName() == "__llvm_retpoline_r11" &&
132            "Should only have an r11 thunk on 64-bit targets");
133 
134     // __llvm_retpoline_r11:
135     //   callq .Lr11_call_target
136     // .Lr11_capture_spec:
137     //   pause
138     //   lfence
139     //   jmp .Lr11_capture_spec
140     // .align 16
141     // .Lr11_call_target:
142     //   movq %r11, (%rsp)
143     //   retq
144     ThunkReg = X86::R11;
145   } else {
146     // For 32-bit targets we need to emit a collection of thunks for various
147     // possible scratch registers as well as a fallback that uses EDI, which is
148     // normally callee saved.
149     //   __llvm_retpoline_eax:
150     //         calll .Leax_call_target
151     //   .Leax_capture_spec:
152     //         pause
153     //         jmp .Leax_capture_spec
154     //   .align 16
155     //   .Leax_call_target:
156     //         movl %eax, (%esp)  # Clobber return addr
157     //         retl
158     //
159     //   __llvm_retpoline_ecx:
160     //   ... # Same setup
161     //         movl %ecx, (%esp)
162     //         retl
163     //
164     //   __llvm_retpoline_edx:
165     //   ... # Same setup
166     //         movl %edx, (%esp)
167     //         retl
168     //
169     //   __llvm_retpoline_edi:
170     //   ... # Same setup
171     //         movl %edi, (%esp)
172     //         retl
173     if (MF.getName() == EAXRetpolineName)
174       ThunkReg = X86::EAX;
175     else if (MF.getName() == ECXRetpolineName)
176       ThunkReg = X86::ECX;
177     else if (MF.getName() == EDXRetpolineName)
178       ThunkReg = X86::EDX;
179     else if (MF.getName() == EDIRetpolineName)
180       ThunkReg = X86::EDI;
181     else
182       llvm_unreachable("Invalid thunk name on x86-32!");
183   }
184 
185   const TargetInstrInfo *TII = MF.getSubtarget<X86Subtarget>().getInstrInfo();
186   assert (MF.size() == 1);
187   MachineBasicBlock *Entry = &MF.front();
188   Entry->clear();
189 
190   MachineBasicBlock *CaptureSpec =
191       MF.CreateMachineBasicBlock(Entry->getBasicBlock());
192   MachineBasicBlock *CallTarget =
193       MF.CreateMachineBasicBlock(Entry->getBasicBlock());
194   MCSymbol *TargetSym = MF.getContext().createTempSymbol();
195   MF.push_back(CaptureSpec);
196   MF.push_back(CallTarget);
197 
198   const unsigned CallOpc = Is64Bit ? X86::CALL64pcrel32 : X86::CALLpcrel32;
199   const unsigned RetOpc = Is64Bit ? X86::RET64 : X86::RET32;
200 
201   Entry->addLiveIn(ThunkReg);
202   BuildMI(Entry, DebugLoc(), TII->get(CallOpc)).addSym(TargetSym);
203 
204   // The MIR verifier thinks that the CALL in the entry block will fall through
205   // to CaptureSpec, so mark it as the successor. Technically, CaptureTarget is
206   // the successor, but the MIR verifier doesn't know how to cope with that.
207   Entry->addSuccessor(CaptureSpec);
208 
209   // In the capture loop for speculation, we want to stop the processor from
210   // speculating as fast as possible. On Intel processors, the PAUSE instruction
211   // will block speculation without consuming any execution resources. On AMD
212   // processors, the PAUSE instruction is (essentially) a nop, so we also use an
213   // LFENCE instruction which they have advised will stop speculation as well
214   // with minimal resource utilization. We still end the capture with a jump to
215   // form an infinite loop to fully guarantee that no matter what implementation
216   // of the x86 ISA, speculating this code path never escapes.
217   BuildMI(CaptureSpec, DebugLoc(), TII->get(X86::PAUSE));
218   BuildMI(CaptureSpec, DebugLoc(), TII->get(X86::LFENCE));
219   BuildMI(CaptureSpec, DebugLoc(), TII->get(X86::JMP_1)).addMBB(CaptureSpec);
220   CaptureSpec->setMachineBlockAddressTaken();
221   CaptureSpec->addSuccessor(CaptureSpec);
222 
223   CallTarget->addLiveIn(ThunkReg);
224   CallTarget->setMachineBlockAddressTaken();
225   CallTarget->setAlignment(Align(16));
226 
227   // Insert return address clobber
228   const unsigned MovOpc = Is64Bit ? X86::MOV64mr : X86::MOV32mr;
229   const Register SPReg = Is64Bit ? X86::RSP : X86::ESP;
230   addRegOffset(BuildMI(CallTarget, DebugLoc(), TII->get(MovOpc)), SPReg, false,
231                0)
232       .addReg(ThunkReg);
233 
234   CallTarget->back().setPreInstrSymbol(MF, TargetSym);
235   BuildMI(CallTarget, DebugLoc(), TII->get(RetOpc));
236 }
237 
238 FunctionPass *llvm::createX86IndirectThunksPass() {
239   return new X86IndirectThunks();
240 }
241 
242 char X86IndirectThunks::ID = 0;
243