//===-- CFGuard.cpp - Control Flow Guard checks -----------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
///
/// \file
/// This file contains the IR transform to add Microsoft's Control Flow Guard
/// checks on Windows targets.
///
/// The transform is gated on the module flag "cfguard" being exactly 2 (see
/// CFGuardImpl::doInitialization) and skips any call site that carries the
/// "guard_nocf" function attribute (see CFGuardImpl::runOnFunction). Both are
/// explicit opt-outs that leave indirect calls unprotected, so they are the
/// first things to look at when auditing a build's CFG coverage.
///
//===----------------------------------------------------------------------===//

#include "llvm/Transforms/CFGuard.h"
#include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/Statistic.h"
#include "llvm/IR/CallingConv.h"
#include "llvm/IR/IRBuilder.h"
#include "llvm/IR/Instruction.h"
#include "llvm/InitializePasses.h"
#include "llvm/Pass.h"
#include "llvm/TargetParser/Triple.h"

using namespace llvm;

using OperandBundleDef = OperandBundleDefT<Value *>;

#define DEBUG_TYPE "cfguard"

// Incremented once per indirect call site selected for instrumentation
// (see CFGuardImpl::runOnFunction).
STATISTIC(CFGuardCounter, "Number of Control Flow Guard checks added");

namespace {

/// Adds Control Flow Guard (CFG) checks on indirect function calls/invokes.
/// These checks ensure that the target address corresponds to the start of an
/// address-taken function. X86_64 targets use the Mechanism::Dispatch
/// mechanism. X86, ARM, and AArch64 targets use the Mechanism::Check mechanism.
///
/// The two mechanisms differ in what remains in the IR afterwards: with
/// Mechanism::Check the original indirect call stays in place and a separate
/// check call is inserted in front of it; with Mechanism::Dispatch the original
/// call/invoke is replaced by a call through the dispatch global and then
/// erased, so the only remaining path to the target goes through the guard.
class CFGuardImpl {
public:
  using Mechanism = CFGuardPass::Mechanism;

  /// Selects the guard global that this instance will reference.
  ///
  /// \param M the check or dispatch mechanism to use.
  ///
  /// Only the symbol name is chosen here; the global itself is looked up or
  /// created later in doInitialization(), once a Module is available.
  CFGuardImpl(Mechanism M) : GuardMechanism(M) {
    // Pick the global symbol name for the selected mechanism.
    switch (GuardMechanism) {
    case Mechanism::Check:
      GuardFnName = "__guard_check_icall_fptr";
      break;
    case Mechanism::Dispatch:
      GuardFnName = "__guard_dispatch_icall_fptr";
      break;
    }
  }

  /// Inserts a Control Flow Guard (CFG) check on an indirect call using the CFG
  /// check mechanism. When the image is loaded, the loader puts the appropriate
  /// guard check function pointer in the __guard_check_icall_fptr global
  /// symbol. This checks that the target address is a valid address-taken
  /// function. The address of the target function is passed to the guard check
  /// function in an architecture-specific register (e.g. ECX on 32-bit X86,
  /// X15 on Aarch64, and R0 on ARM). The guard check function has no return
  /// value (if the target is invalid, the guard check function will raise an
  /// error).
  ///
  /// The original indirect call is left in place after the check. The checked
  /// pointer and the one actually called are the same SSA value (the called
  /// operand of \p CB), so the value validated by the guard cannot differ from
  /// the value that is subsequently called.
  ///
  /// For example, the following LLVM IR:
  /// \code
  ///   %func_ptr = alloca i32 ()*, align 8
  ///   store i32 ()* @target_func, i32 ()** %func_ptr, align 8
  ///   %0 = load i32 ()*, i32 ()** %func_ptr, align 8
  ///   %1 = call i32 %0()
  /// \endcode
  ///
  /// is transformed to:
  /// \code
  ///   %func_ptr = alloca i32 ()*, align 8
  ///   store i32 ()* @target_func, i32 ()** %func_ptr, align 8
  ///   %0 = load i32 ()*, i32 ()** %func_ptr, align 8
  ///   %1 = load void (i8*)*, void (i8*)** @__guard_check_icall_fptr
  ///   %2 = bitcast i32 ()* %0 to i8*
  ///   call cfguard_checkcc void %1(i8* %2)
  ///   %3 = call i32 %0()
  /// \endcode
  ///
  /// For example, the following X86 assembly code:
  /// \code
  ///   movl  $_target_func, %eax
  ///   calll *%eax
  /// \endcode
  ///
  /// is transformed to:
  /// \code
  ///   movl  $_target_func, %ecx
  ///   calll *___guard_check_icall_fptr
  ///   calll *%ecx
  /// \endcode
  ///
  /// \param CB indirect call to instrument.
  void insertCFGuardCheck(CallBase *CB);

  /// Inserts a Control Flow Guard (CFG) check on an indirect call using the CFG
  /// dispatch mechanism. When the image is loaded, the loader puts the
  /// appropriate guard check function pointer in the
  /// __guard_dispatch_icall_fptr global symbol. This checks that the target
  /// address is a valid address-taken function and, if so, tail calls the
  /// target. The target address is passed in an architecture-specific register
  /// (e.g. RAX on X86_64), with all other arguments for the target function
  /// passed as usual.
  ///
  /// The real target is carried as a "cfguardtarget" operand bundle on the new
  /// call rather than as an ordinary argument; the original call/invoke is
  /// erased once its uses have been redirected to the new instruction.
  ///
  /// For example, the following LLVM IR:
  /// \code
  ///   %func_ptr = alloca i32 ()*, align 8
  ///   store i32 ()* @target_func, i32 ()** %func_ptr, align 8
  ///   %0 = load i32 ()*, i32 ()** %func_ptr, align 8
  ///   %1 = call i32 %0()
  /// \endcode
  ///
  /// is transformed to:
  /// \code
  ///   %func_ptr = alloca i32 ()*, align 8
  ///   store i32 ()* @target_func, i32 ()** %func_ptr, align 8
  ///   %0 = load i32 ()*, i32 ()** %func_ptr, align 8
  ///   %1 = load i32 ()*, i32 ()** @__guard_dispatch_icall_fptr
  ///   %2 = call i32 %1() [ "cfguardtarget"(i32 ()* %0) ]
  /// \endcode
  ///
  /// For example, the following X86_64 assembly code:
  /// \code
  ///   leaq   target_func(%rip), %rax
  ///   callq  *%rax
  /// \endcode
  ///
  /// is transformed to:
  /// \code
  ///   leaq   target_func(%rip), %rax
  ///   callq  *__guard_dispatch_icall_fptr(%rip)
  /// \endcode
  ///
  /// \param CB indirect call to instrument.
  void insertCFGuardDispatch(CallBase *CB);

  /// Reads the module's "cfguard" flag and, when it is 2, sets up the guard
  /// function type and looks up or creates the guard global.
  ///
  /// \param M the module being compiled.
  /// \return true when CFG checks are enabled for this module (flag == 2),
  ///         false otherwise. Note that true is returned even if the global
  ///         already existed, so it signals "enabled" rather than "modified".
  bool doInitialization(Module &M);

  /// Instruments every indirect call/invoke in \p F that does not carry the
  /// "guard_nocf" attribute, using the mechanism chosen at construction.
  ///
  /// \param F the function to instrument.
  /// \return true if at least one call site was instrumented.
  bool runOnFunction(Function &F);

private:
  // Only add checks if the module has the cfguard=2 flag. Defaults to 0, so a
  // module without the flag (or with any value other than 2) is left untouched.
  // NOTE(review): this is assigned from ConstantInt::getZExtValue(), which is
  // wider than int; only the comparison with 2 is ever made, so the narrowing
  // is benign in practice.
  int cfguard_module_flag = 0;
  // Symbol name of the guard global, chosen by the constructor.
  StringRef GuardFnName;
  Mechanism GuardMechanism = Mechanism::Check;
  // void(ptr) prototype of the guard check function and its pointer type;
  // both are populated in doInitialization().
  FunctionType *GuardFnType = nullptr;
  PointerType *GuardFnPtrType = nullptr;
  // The __guard_*_icall_fptr global, populated in doInitialization().
  Constant *GuardFnGlobal = nullptr;
};

/// Legacy-pass-manager wrapper that delegates everything to CFGuardImpl.
class CFGuard : public FunctionPass {
  CFGuardImpl Impl;

public:
  static char ID;

  /// Builds the legacy pass for the given mechanism and runs
  /// initializeCFGuardPass so the pass is known to the registry.
  CFGuard(CFGuardImpl::Mechanism M) : FunctionPass(ID), Impl(M) {
    initializeCFGuardPass(*PassRegistry::getPassRegistry());
  }

  bool doInitialization(Module &M) override { return Impl.doInitialization(M); }
  bool runOnFunction(Function &F) override { return Impl.runOnFunction(F); }
};

} // end anonymous namespace

void CFGuardImpl::insertCFGuardCheck(CallBase *CB) {

  assert(Triple(CB->getModule()->getTargetTriple()).isOSWindows() &&
         "Only applicable for Windows targets");
  assert(CB->isIndirectCall() &&
         "Control Flow Guard checks can only be added to indirect calls");

  // The builder is positioned at CB, so everything created below is inserted
  // in front of the original indirect call, which itself is left unchanged.
  IRBuilder<> B(CB);
  Value *CalledOperand = CB->getCalledOperand();

  // If the indirect call is called within catchpad or cleanuppad,
  // we need to copy "funclet" bundle of the call.
  SmallVector<llvm::OperandBundleDef, 1> Bundles;
  if (auto Bundle = CB->getOperandBundle(LLVMContext::OB_funclet))
    Bundles.push_back(OperandBundleDef(*Bundle));

  // Load the global symbol as a pointer to the check function.
  LoadInst *GuardCheckLoad = B.CreateLoad(GuardFnPtrType, GuardFnGlobal);

  // Create new call instruction. The CFGuard check should always be a call,
  // even if the original CallBase is an Invoke or CallBr instruction.
  // The sole argument is the same SSA value that CB will call.
  CallInst *GuardCheck =
      B.CreateCall(GuardFnType, GuardCheckLoad, {CalledOperand}, Bundles);

  // Ensure that the first argument is passed in the correct register
  // (e.g. ECX on 32-bit X86 targets).
  GuardCheck->setCallingConv(CallingConv::CFGuard_Check);
}

void CFGuardImpl::insertCFGuardDispatch(CallBase *CB) {

  assert(Triple(CB->getModule()->getTargetTriple()).isOSWindows() &&
         "Only applicable for Windows targets");
  assert(CB->isIndirectCall() &&
         "Control Flow Guard checks can only be added to indirect calls");

  IRBuilder<> B(CB);
  Value *CalledOperand = CB->getCalledOperand();
  Type *CalledOperandType = CalledOperand->getType();

  // Load the global as a pointer to a function of the same type. Unlike the
  // check mechanism, the load uses the callee's own type rather than
  // GuardFnPtrType, because the dispatch function is called in place of the
  // target with the target's argument list.
  LoadInst *GuardDispatchLoad = B.CreateLoad(CalledOperandType, GuardFnGlobal);

  // Add the original call target as a cfguardtarget operand bundle. All
  // existing bundles on CB are preserved and the new one is appended.
  SmallVector<llvm::OperandBundleDef, 1> Bundles;
  CB->getOperandBundlesAsDefs(Bundles);
  Bundles.emplace_back("cfguardtarget", CalledOperand);

  // Create a copy of the call/invoke instruction and add the new bundle.
  // NOTE(review): only CallInst and InvokeInst are asserted here, although
  // runOnFunction also collects callbr instructions; the assert is compiled
  // out in release builds.
  assert((isa<CallInst>(CB) || isa<InvokeInst>(CB)) &&
         "Unknown indirect call type");
  CallBase *NewCB = CallBase::Create(CB, Bundles, CB);

  // Change the target of the call to be the guard dispatch function.
  NewCB->setCalledOperand(GuardDispatchLoad);

  // Replace the original call/invoke with the new instruction.
  CB->replaceAllUsesWith(NewCB);

  // Delete the original call/invoke. After this point no unguarded call to
  // CalledOperand remains in the function.
  CB->eraseFromParent();
}

bool CFGuardImpl::doInitialization(Module &M) {

  // Check if this module has the cfguard flag and read its value.
  if (auto *MD =
          mdconst::extract_or_null<ConstantInt>(M.getModuleFlag("cfguard")))
    cfguard_module_flag = MD->getZExtValue();

  // Skip modules for which CFGuard checks have been disabled. A missing flag
  // (value left at 0) or any value other than 2 disables instrumentation.
  if (cfguard_module_flag != 2)
    return false;

  // Set up the prototype of the guard check function: void(ptr). The
  // dispatch mechanism loads the same global with the callee's own type
  // instead (see insertCFGuardDispatch), so only this one type is needed.
  GuardFnType =
      FunctionType::get(Type::getVoidTy(M.getContext()),
                        {PointerType::getUnqual(M.getContext())}, false);
  GuardFnPtrType = PointerType::get(GuardFnType, 0);

  // Reuse the guard global if another pass or the frontend already declared
  // it; otherwise declare it as an external, dso_local pointer variable. The
  // loader fills it in at image load time (see the class documentation).
  GuardFnGlobal = M.getOrInsertGlobal(GuardFnName, GuardFnPtrType, [&] {
    auto *Var = new GlobalVariable(M, GuardFnPtrType, false,
                                   GlobalVariable::ExternalLinkage, nullptr,
                                   GuardFnName);
    // dso_local matches the direct (non-import) reference shown in the
    // assembly examples in the class documentation.
    Var->setDSOLocal(true);
    return Var;
  });

  return true;
}

bool CFGuardImpl::runOnFunction(Function &F) {

  // Skip modules for which CFGuard checks have been disabled.
  if (cfguard_module_flag != 2)
    return false;

  SmallVector<CallBase *, 8> IndirectCalls;

  // Iterate over the instructions to find all indirect call/invoke/callbr
  // instructions. Make a separate list of pointers to indirect
  // call/invoke/callbr instructions because the original instructions will be
  // deleted as the checks are added.
  for (BasicBlock &BB : F) {
    for (Instruction &I : BB) {
      auto *CB = dyn_cast<CallBase>(&I);
      // Call sites carrying the "guard_nocf" attribute are deliberately left
      // unchecked; this is the per-call opt-out from CFG protection.
      if (CB && CB->isIndirectCall() && !CB->hasFnAttr("guard_nocf")) {
        IndirectCalls.push_back(CB);
        CFGuardCounter++;
      }
    }
  }

  // If no checks are needed, return early.
  if (IndirectCalls.empty()) {
    return false;
  }

  // For each indirect call/invoke, add the appropriate dispatch or check.
  if (GuardMechanism == Mechanism::Dispatch) {
    for (CallBase *CB : IndirectCalls) {
      insertCFGuardDispatch(CB);
    }
  } else {
    for (CallBase *CB : IndirectCalls) {
      insertCFGuardCheck(CB);
    }
  }

  return true;
}

/// New-pass-manager entry point. A fresh CFGuardImpl is built per function,
/// so the module flag is re-read and the guard global re-resolved on every
/// invocation.
PreservedAnalyses CFGuardPass::run(Function &F, FunctionAnalysisManager &FAM) {
  CFGuardImpl Impl(GuardMechanism);
  bool Changed = Impl.doInitialization(*F.getParent());
  Changed |= Impl.runOnFunction(F);
  // Any instrumentation invalidates all analyses because call sites are
  // replaced or new calls are inserted.
  return Changed ? PreservedAnalyses::none() : PreservedAnalyses::all();
}

char CFGuard::ID = 0;
INITIALIZE_PASS(CFGuard, "CFGuard", "CFGuard", false, false)

/// Creates the legacy pass using the check mechanism (X86, ARM, AArch64).
FunctionPass *llvm::createCFGuardCheckPass() {
  return new CFGuard(CFGuardPass::Mechanism::Check);
}

/// Creates the legacy pass using the dispatch mechanism (X86_64).
FunctionPass *llvm::createCFGuardDispatchPass() {
  return new CFGuard(CFGuardPass::Mechanism::Dispatch);
}