1*bdd1243dSDimitry Andric //===-- KCFI.cpp - Generic KCFI operand bundle lowering ---------*- C++ -*-===// 2*bdd1243dSDimitry Andric // 3*bdd1243dSDimitry Andric // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4*bdd1243dSDimitry Andric // See https://llvm.org/LICENSE.txt for license information. 5*bdd1243dSDimitry Andric // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6*bdd1243dSDimitry Andric // 7*bdd1243dSDimitry Andric //===----------------------------------------------------------------------===// 8*bdd1243dSDimitry Andric // 9*bdd1243dSDimitry Andric // This pass emits generic KCFI indirect call checks for targets that don't 10*bdd1243dSDimitry Andric // support lowering KCFI operand bundles in the back-end. 11*bdd1243dSDimitry Andric // 12*bdd1243dSDimitry Andric //===----------------------------------------------------------------------===// 13*bdd1243dSDimitry Andric 14*bdd1243dSDimitry Andric #include "llvm/Transforms/Instrumentation/KCFI.h" 15*bdd1243dSDimitry Andric #include "llvm/ADT/Statistic.h" 16*bdd1243dSDimitry Andric #include "llvm/IR/Constants.h" 17*bdd1243dSDimitry Andric #include "llvm/IR/DiagnosticInfo.h" 18*bdd1243dSDimitry Andric #include "llvm/IR/DiagnosticPrinter.h" 19*bdd1243dSDimitry Andric #include "llvm/IR/Function.h" 20*bdd1243dSDimitry Andric #include "llvm/IR/GlobalObject.h" 21*bdd1243dSDimitry Andric #include "llvm/IR/IRBuilder.h" 22*bdd1243dSDimitry Andric #include "llvm/IR/InstIterator.h" 23*bdd1243dSDimitry Andric #include "llvm/IR/Instructions.h" 24*bdd1243dSDimitry Andric #include "llvm/IR/Intrinsics.h" 25*bdd1243dSDimitry Andric #include "llvm/IR/MDBuilder.h" 26*bdd1243dSDimitry Andric #include "llvm/IR/Module.h" 27*bdd1243dSDimitry Andric #include "llvm/InitializePasses.h" 28*bdd1243dSDimitry Andric #include "llvm/Pass.h" 29*bdd1243dSDimitry Andric #include "llvm/Target/TargetMachine.h" 30*bdd1243dSDimitry Andric #include "llvm/Transforms/Instrumentation.h" 31*bdd1243dSDimitry Andric #include "llvm/Transforms/Utils/BasicBlockUtils.h" 32*bdd1243dSDimitry Andric 33*bdd1243dSDimitry Andric using namespace llvm; 34*bdd1243dSDimitry Andric 35*bdd1243dSDimitry Andric #define DEBUG_TYPE "kcfi" 36*bdd1243dSDimitry Andric 37*bdd1243dSDimitry Andric STATISTIC(NumKCFIChecks, "Number of kcfi operands transformed into checks"); 38*bdd1243dSDimitry Andric 39*bdd1243dSDimitry Andric namespace { 40*bdd1243dSDimitry Andric class DiagnosticInfoKCFI : public DiagnosticInfo { 41*bdd1243dSDimitry Andric const Twine &Msg; 42*bdd1243dSDimitry Andric 43*bdd1243dSDimitry Andric public: 44*bdd1243dSDimitry Andric DiagnosticInfoKCFI(const Twine &DiagMsg, 45*bdd1243dSDimitry Andric DiagnosticSeverity Severity = DS_Error) 46*bdd1243dSDimitry Andric : DiagnosticInfo(DK_Linker, Severity), Msg(DiagMsg) {} 47*bdd1243dSDimitry Andric void print(DiagnosticPrinter &DP) const override { DP << Msg; } 48*bdd1243dSDimitry Andric }; 49*bdd1243dSDimitry Andric } // namespace 50*bdd1243dSDimitry Andric 51*bdd1243dSDimitry Andric PreservedAnalyses KCFIPass::run(Function &F, FunctionAnalysisManager &AM) { 52*bdd1243dSDimitry Andric Module &M = *F.getParent(); 53*bdd1243dSDimitry Andric if (!M.getModuleFlag("kcfi")) 54*bdd1243dSDimitry Andric return PreservedAnalyses::all(); 55*bdd1243dSDimitry Andric 56*bdd1243dSDimitry Andric // Find call instructions with KCFI operand bundles. 57*bdd1243dSDimitry Andric SmallVector<CallInst *> KCFICalls; 58*bdd1243dSDimitry Andric for (Instruction &I : instructions(F)) { 59*bdd1243dSDimitry Andric if (auto *CI = dyn_cast<CallInst>(&I)) 60*bdd1243dSDimitry Andric if (CI->getOperandBundle(LLVMContext::OB_kcfi)) 61*bdd1243dSDimitry Andric KCFICalls.push_back(CI); 62*bdd1243dSDimitry Andric } 63*bdd1243dSDimitry Andric 64*bdd1243dSDimitry Andric if (KCFICalls.empty()) 65*bdd1243dSDimitry Andric return PreservedAnalyses::all(); 66*bdd1243dSDimitry Andric 67*bdd1243dSDimitry Andric LLVMContext &Ctx = M.getContext(); 68*bdd1243dSDimitry Andric // patchable-function-prefix emits nops between the KCFI type identifier 69*bdd1243dSDimitry Andric // and the function start. As we don't know the size of the emitted nops, 70*bdd1243dSDimitry Andric // don't allow this attribute with generic lowering. 71*bdd1243dSDimitry Andric if (F.hasFnAttribute("patchable-function-prefix")) 72*bdd1243dSDimitry Andric Ctx.diagnose( 73*bdd1243dSDimitry Andric DiagnosticInfoKCFI("-fpatchable-function-entry=N,M, where M>0 is not " 74*bdd1243dSDimitry Andric "compatible with -fsanitize=kcfi on this target")); 75*bdd1243dSDimitry Andric 76*bdd1243dSDimitry Andric IntegerType *Int32Ty = Type::getInt32Ty(Ctx); 77*bdd1243dSDimitry Andric MDNode *VeryUnlikelyWeights = 78*bdd1243dSDimitry Andric MDBuilder(Ctx).createBranchWeights(1, (1U << 20) - 1); 79*bdd1243dSDimitry Andric 80*bdd1243dSDimitry Andric for (CallInst *CI : KCFICalls) { 81*bdd1243dSDimitry Andric // Get the expected hash value. 82*bdd1243dSDimitry Andric const uint32_t ExpectedHash = 83*bdd1243dSDimitry Andric cast<ConstantInt>(CI->getOperandBundle(LLVMContext::OB_kcfi)->Inputs[0]) 84*bdd1243dSDimitry Andric ->getZExtValue(); 85*bdd1243dSDimitry Andric 86*bdd1243dSDimitry Andric // Drop the KCFI operand bundle. 87*bdd1243dSDimitry Andric CallBase *Call = 88*bdd1243dSDimitry Andric CallBase::removeOperandBundle(CI, LLVMContext::OB_kcfi, CI); 89*bdd1243dSDimitry Andric assert(Call != CI); 90*bdd1243dSDimitry Andric Call->copyMetadata(*CI); 91*bdd1243dSDimitry Andric CI->replaceAllUsesWith(Call); 92*bdd1243dSDimitry Andric CI->eraseFromParent(); 93*bdd1243dSDimitry Andric 94*bdd1243dSDimitry Andric if (!Call->isIndirectCall()) 95*bdd1243dSDimitry Andric continue; 96*bdd1243dSDimitry Andric 97*bdd1243dSDimitry Andric // Emit a check and trap if the target hash doesn't match. 98*bdd1243dSDimitry Andric IRBuilder<> Builder(Call); 99*bdd1243dSDimitry Andric Value *HashPtr = Builder.CreateConstInBoundsGEP1_32( 100*bdd1243dSDimitry Andric Int32Ty, Call->getCalledOperand(), -1); 101*bdd1243dSDimitry Andric Value *Test = Builder.CreateICmpNE(Builder.CreateLoad(Int32Ty, HashPtr), 102*bdd1243dSDimitry Andric ConstantInt::get(Int32Ty, ExpectedHash)); 103*bdd1243dSDimitry Andric Instruction *ThenTerm = 104*bdd1243dSDimitry Andric SplitBlockAndInsertIfThen(Test, Call, false, VeryUnlikelyWeights); 105*bdd1243dSDimitry Andric Builder.SetInsertPoint(ThenTerm); 106*bdd1243dSDimitry Andric Builder.CreateCall(Intrinsic::getDeclaration(&M, Intrinsic::trap)); 107*bdd1243dSDimitry Andric ++NumKCFIChecks; 108*bdd1243dSDimitry Andric } 109*bdd1243dSDimitry Andric 110*bdd1243dSDimitry Andric return PreservedAnalyses::none(); 111*bdd1243dSDimitry Andric } 112