doxygen/CFGuard_8cpp_source.html

//===-- CFGuard.cpp - Control Flow Guard checks -----------------*- C++ -*-===//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//

///

/// \file

/// This file contains the IR transform to add Microsoft's Control Flow Guard

/// checks on Windows targets.

///

//===----------------------------------------------------------------------===//


#include "llvm/Transforms/CFGuard.h"

#include "llvm/ADT/SmallVector.h"

#include "llvm/ADT/Statistic.h"

#include "llvm/IR/CallingConv.h"

#include "llvm/IR/IRBuilder.h"

#include "llvm/IR/Instruction.h"

#include "llvm/InitializePasses.h"

#include "llvm/Pass.h"

#include "llvm/TargetParser/Triple.h"


using namespace llvm;


using OperandBundleDef = OperandBundleDefT<Value *>;


#define DEBUG_TYPE "cfguard"


STATISTIC(CFGuardCounter, "Number of Control Flow Guard checks added");


namespace {


/// Adds Control Flow Guard (CFG) checks on indirect function calls/invokes.

/// These checks ensure that the target address corresponds to the start of an

/// address-taken function. X86_64 targets use the CF_Dispatch mechanism. X86,

/// ARM, and AArch64 targets use the CF_Check machanism.

class CFGuard : public FunctionPass {

public:

  static char ID;


  enum Mechanism { CF_Check, CF_Dispatch };


  // Default constructor required for the INITIALIZE_PASS macro.

  CFGuard() : FunctionPass(ID) {

    initializeCFGuardPass(*PassRegistry::getPassRegistry());

    // By default, use the guard check mechanism.

    GuardMechanism = CF_Check;

  }


  // Recommended constructor used to specify the type of guard mechanism.

  CFGuard(Mechanism Var) : FunctionPass(ID) {

    initializeCFGuardPass(*PassRegistry::getPassRegistry());

    GuardMechanism = Var;

  }


  /// Inserts a Control Flow Guard (CFG) check on an indirect call using the CFG

  /// check mechanism. When the image is loaded, the loader puts the appropriate

  /// guard check function pointer in the __guard_check_icall_fptr global

  /// symbol. This checks that the target address is a valid address-taken

  /// function. The address of the target function is passed to the guard check

  /// function in an architecture-specific register (e.g. ECX on 32-bit X86,

  /// X15 on Aarch64, and R0 on ARM). The guard check function has no return

  /// value (if the target is invalid, the guard check funtion will raise an

  /// error).

  ///

  /// For example, the following LLVM IR:

  /// \code

  ///   %func_ptr = alloca i32 ()*, align 8

  ///   store i32 ()* @target_func, i32 ()** %func_ptr, align 8

  ///   %0 = load i32 ()*, i32 ()** %func_ptr, align 8

  ///   %1 = call i32 %0()

  /// \endcode

  ///

  /// is transformed to:

  /// \code

  ///   %func_ptr = alloca i32 ()*, align 8

  ///   store i32 ()* @target_func, i32 ()** %func_ptr, align 8

  ///   %0 = load i32 ()*, i32 ()** %func_ptr, align 8

  ///   %1 = load void (i8*)*, void (i8*)** @__guard_check_icall_fptr

  ///   %2 = bitcast i32 ()* %0 to i8*

  ///   call cfguard_checkcc void %1(i8* %2)

  ///   %3 = call i32 %0()

  /// \endcode

  ///

  /// For example, the following X86 assembly code:

  /// \code

  ///   movl  $_target_func, %eax

  ///   calll *%eax

  /// \endcode

  ///

  /// is transformed to:

  /// \code

  ///   movl  $_target_func, %ecx

  ///   calll *___guard_check_icall_fptr

  ///   calll *%ecx

  /// \endcode

  ///

  /// \param CB indirect call to instrument.

  void insertCFGuardCheck(CallBase *CB);


  /// Inserts a Control Flow Guard (CFG) check on an indirect call using the CFG

  /// dispatch mechanism. When the image is loaded, the loader puts the

  /// appropriate guard check function pointer in the

  /// __guard_dispatch_icall_fptr global symbol. This checks that the target

  /// address is a valid address-taken function and, if so, tail calls the

  /// target. The target address is passed in an architecture-specific register

  /// (e.g. RAX on X86_64), with all other arguments for the target function

  /// passed as usual.

  ///

  /// For example, the following LLVM IR:

  /// \code

  ///   %func_ptr = alloca i32 ()*, align 8

  ///   store i32 ()* @target_func, i32 ()** %func_ptr, align 8

  ///   %0 = load i32 ()*, i32 ()** %func_ptr, align 8

  ///   %1 = call i32 %0()

  /// \endcode

  ///

  /// is transformed to:

  /// \code

  ///   %func_ptr = alloca i32 ()*, align 8

  ///   store i32 ()* @target_func, i32 ()** %func_ptr, align 8

  ///   %0 = load i32 ()*, i32 ()** %func_ptr, align 8

  ///   %1 = load i32 ()*, i32 ()** @__guard_dispatch_icall_fptr

  ///   %2 = call i32 %1() [ "cfguardtarget"(i32 ()* %0) ]

  /// \endcode

  ///

  /// For example, the following X86_64 assembly code:

  /// \code

  ///   leaq   target_func(%rip), %rax

  ///   callq  *%rax

  /// \endcode

  ///

  /// is transformed to:

  /// \code

  ///   leaq   target_func(%rip), %rax

  ///   callq  *__guard_dispatch_icall_fptr(%rip)

  /// \endcode

  ///

  /// \param CB indirect call to instrument.

  void insertCFGuardDispatch(CallBase *CB);


  bool doInitialization(Module &M) override;

  bool runOnFunction(Function &F) override;


private:

  // Only add checks if the module has the cfguard=2 flag.

  int cfguard_module_flag = 0;

  Mechanism GuardMechanism = CF_Check;

  FunctionType *GuardFnType = nullptr;

  PointerType *GuardFnPtrType = nullptr;

  Constant *GuardFnGlobal = nullptr;

};


} // end anonymous namespace


void CFGuard::insertCFGuardCheck(CallBase *CB) {


  assert(Triple(CB->getModule()->getTargetTriple()).isOSWindows() &&

         "Only applicable for Windows targets");

  assert(CB->isIndirectCall() &&

         "Control Flow Guard checks can only be added to indirect calls");


  IRBuilder<> B(CB);

  Value *CalledOperand = CB->getCalledOperand();


  // If the indirect call is called within catchpad or cleanuppad,

  // we need to copy "funclet" bundle of the call.

  SmallVector<llvm::OperandBundleDef, 1> Bundles;

  if (auto Bundle = CB->getOperandBundle(LLVMContext::OB_funclet))

    Bundles.push_back(OperandBundleDef(*Bundle));


  // Load the global symbol as a pointer to the check function.

  LoadInst *GuardCheckLoad = B.CreateLoad(GuardFnPtrType, GuardFnGlobal);


  // Create new call instruction. The CFGuard check should always be a call,

  // even if the original CallBase is an Invoke or CallBr instruction.

  CallInst *GuardCheck =

      B.CreateCall(GuardFnType, GuardCheckLoad,

                   {B.CreateBitCast(CalledOperand, B.getInt8PtrTy())}, Bundles);


  // Ensure that the first argument is passed in the correct register

  // (e.g. ECX on 32-bit X86 targets).

  GuardCheck->setCallingConv(CallingConv::CFGuard_Check);

}


void CFGuard::insertCFGuardDispatch(CallBase *CB) {


  assert(Triple(CB->getModule()->getTargetTriple()).isOSWindows() &&

         "Only applicable for Windows targets");

  assert(CB->isIndirectCall() &&

         "Control Flow Guard checks can only be added to indirect calls");


  IRBuilder<> B(CB);

  Value *CalledOperand = CB->getCalledOperand();

  Type *CalledOperandType = CalledOperand->getType();


  // Cast the guard dispatch global to the type of the called operand.

  PointerType *PTy = PointerType::get(CalledOperandType, 0);

  if (GuardFnGlobal->getType() != PTy)

    GuardFnGlobal = ConstantExpr::getBitCast(GuardFnGlobal, PTy);


  // Load the global as a pointer to a function of the same type.

  LoadInst *GuardDispatchLoad = B.CreateLoad(CalledOperandType, GuardFnGlobal);


  // Add the original call target as a cfguardtarget operand bundle.

  SmallVector<llvm::OperandBundleDef, 1> Bundles;

  CB->getOperandBundlesAsDefs(Bundles);

  Bundles.emplace_back("cfguardtarget", CalledOperand);


  // Create a copy of the call/invoke instruction and add the new bundle.

  assert((isa<CallInst>(CB) || isa<InvokeInst>(CB)) &&

         "Unknown indirect call type");

  CallBase *NewCB = CallBase::Create(CB, Bundles, CB);


  // Change the target of the call to be the guard dispatch function.

  NewCB->setCalledOperand(GuardDispatchLoad);


  // Replace the original call/invoke with the new instruction.

  CB->replaceAllUsesWith(NewCB);


  // Delete the original call/invoke.

  CB->eraseFromParent();

}


bool CFGuard::doInitialization(Module &M) {


  // Check if this module has the cfguard flag and read its value.

  if (auto *MD =

          mdconst::extract_or_null<ConstantInt>(M.getModuleFlag("cfguard")))

    cfguard_module_flag = MD->getZExtValue();


  // Skip modules for which CFGuard checks have been disabled.

  if (cfguard_module_flag != 2)

    return false;


  // Set up prototypes for the guard check and dispatch functions.

  GuardFnType = FunctionType::get(Type::getVoidTy(M.getContext()),

                                  {Type::getInt8PtrTy(M.getContext())}, false);

  GuardFnPtrType = PointerType::get(GuardFnType, 0);


  // Get or insert the guard check or dispatch global symbols.

  llvm::StringRef GuardFnName;

  if (GuardMechanism == CF_Check) {

    GuardFnName = "__guard_check_icall_fptr";

  } else if (GuardMechanism == CF_Dispatch) {

    GuardFnName = "__guard_dispatch_icall_fptr";

  } else {

    assert(false && "Invalid CFGuard mechanism");

  }

  GuardFnGlobal = M.getOrInsertGlobal(GuardFnName, GuardFnPtrType, [&] {

    auto *Var = new GlobalVariable(M, GuardFnPtrType, false,

                                   GlobalVariable::ExternalLinkage, nullptr,

                                   GuardFnName);

    Var->setDSOLocal(true);

    return Var;

  });


  return true;

}


bool CFGuard::runOnFunction(Function &F) {


  // Skip modules for which CFGuard checks have been disabled.

  if (cfguard_module_flag != 2)

    return false;


  SmallVector<CallBase *, 8> IndirectCalls;


  // Iterate over the instructions to find all indirect call/invoke/callbr

  // instructions. Make a separate list of pointers to indirect

  // call/invoke/callbr instructions because the original instructions will be

  // deleted as the checks are added.

  for (BasicBlock &BB : F) {

    for (Instruction &I : BB) {

      auto *CB = dyn_cast<CallBase>(&I);

      if (CB && CB->isIndirectCall() && !CB->hasFnAttr("guard_nocf")) {

        IndirectCalls.push_back(CB);

        CFGuardCounter++;

      }

    }

  }


  // If no checks are needed, return early.

  if (IndirectCalls.empty()) {

    return false;

  }


  // For each indirect call/invoke, add the appropriate dispatch or check.

  if (GuardMechanism == CF_Dispatch) {

    for (CallBase *CB : IndirectCalls) {

      insertCFGuardDispatch(CB);

    }

  } else {

    for (CallBase *CB : IndirectCalls) {

      insertCFGuardCheck(CB);

    }

  }


  return true;

}


char CFGuard::ID = 0;

INITIALIZE_PASS(CFGuard, "CFGuard", "CFGuard", false, false)


FunctionPass *llvm::createCFGuardCheckPass() {

  return new CFGuard(CFGuard::CF_Check);

}


FunctionPass *llvm::createCFGuardDispatchPass() {

  return new CFGuard(CFGuard::CF_Dispatch);

}

B
static GCRegistry::Add< OcamlGC > B("ocaml", "ocaml 3.10-compatible GC")

OperandBundleDef
OperandBundleDefT< Value * > OperandBundleDef
Definition: CFGuard.cpp:27

CFGuard.h

CallingConv.h

IRBuilder.h

Instruction.h

InitializePasses.h

F
#define F(x, y, z)
Definition: MD5.cpp:55

I
#define I(x, y, z)
Definition: MD5.cpp:58

INITIALIZE_PASS
#define INITIALIZE_PASS(passName, arg, name, cfg, analysis)
Definition: PassSupport.h:38

Pass.h

assert
assert(ImpDefSCC.getReg()==AMDGPU::SCC &&ImpDefSCC.isDef())

SmallVector.h
This file defines the SmallVector class.

Statistic.h
This file defines the 'Statistic' class, which is designed to be an easy way to expose various metric...

STATISTIC
#define STATISTIC(VARNAME, DESC)
Definition: Statistic.h:167

Triple.h

FunctionType
Definition: ItaniumDemangle.h:778

PointerType
Definition: ItaniumDemangle.h:591

llvm::BasicBlock
LLVM Basic Block Representation.
Definition: BasicBlock.h:56

llvm::CallBase
Base class for all callable instructions (InvokeInst and CallInst) Holds everything related to callin...
Definition: InstrTypes.h:1186

llvm::CallBase::setCallingConv
void setCallingConv(CallingConv::ID CC)
Definition: InstrTypes.h:1471

llvm::CallBase::getOperandBundlesAsDefs
void getOperandBundlesAsDefs(SmallVectorImpl< OperandBundleDef > &Defs) const
Return the list of operand bundles attached to this instruction as a vector of OperandBundleDefs.
Definition: Instructions.cpp:441

llvm::CallBase::getOperandBundle
std::optional< OperandBundleUse > getOperandBundle(StringRef Name) const
Return an operand bundle by name, if present.
Definition: InstrTypes.h:2046

llvm::CallBase::hasFnAttr
bool hasFnAttr(Attribute::AttrKind Kind) const
Determine whether this call has the given attribute.
Definition: InstrTypes.h:1495

llvm::CallBase::isIndirectCall
bool isIndirectCall() const
Return true if the callsite is an indirect call.
Definition: Instructions.cpp:300

llvm::CallBase::Create
static CallBase * Create(CallBase *CB, ArrayRef< OperandBundleDef > Bundles, Instruction *InsertPt=nullptr)
Create a clone of CB with a different set of operand bundles and insert it before InsertPt.
Definition: Instructions.cpp:266

llvm::CallBase::getCalledOperand
Value * getCalledOperand() const
Definition: InstrTypes.h:1401

llvm::CallBase::setCalledOperand
void setCalledOperand(Value *V)
Definition: InstrTypes.h:1444

llvm::CallInst
This class represents a function call, abstracting a target machine's calling convention.
Definition: Instructions.h:1485

llvm::ConstantExpr::getBitCast
static Constant * getBitCast(Constant *C, Type *Ty, bool OnlyIfReduced=false)
Definition: Constants.cpp:2228

llvm::Constant
This is an important base class in LLVM.
Definition: Constant.h:41

llvm::FunctionPass
FunctionPass class - This class is used to implement most global optimizations.
Definition: Pass.h:308

llvm::FunctionPass::runOnFunction
virtual bool runOnFunction(Function &F)=0
runOnFunction - Virtual method overriden by subclasses to do the per-function processing of the pass.

llvm::Function
Definition: Function.h:60

llvm::GlobalVariable
Definition: GlobalVariable.h:39

llvm::IRBuilder
This provides a uniform API for creating instructions and inserting them into a basic block: either a...
Definition: IRBuilder.h:2558

llvm::Instruction
Definition: Instruction.h:42

llvm::Instruction::getModule
const Module * getModule() const
Return the module owning the function this instruction belongs to or nullptr it the function does not...
Definition: Instruction.cpp:70

llvm::Instruction::eraseFromParent
SymbolTableList< Instruction >::iterator eraseFromParent()
This method unlinks 'this' from the containing basic block and deletes it.
Definition: Instruction.cpp:82

llvm::LLVMContext::OB_funclet
@ OB_funclet
Definition: LLVMContext.h:90

llvm::LoadInst
An instruction for reading from memory.
Definition: Instructions.h:177

llvm::Module
A Module instance is used to store all the information related to an LLVM module.
Definition: Module.h:65

llvm::Module::getTargetTriple
const std::string & getTargetTriple() const
Get the target triple which is a string describing the target host.
Definition: Module.h:258

llvm::OperandBundleDefT
A container for an operand bundle being viewed as a set of values rather than a set of uses.
Definition: InstrTypes.h:1139

llvm::PassRegistry::getPassRegistry
static PassRegistry * getPassRegistry()
getPassRegistry - Access the global registry object, which is automatically initialized at applicatio...
Definition: PassRegistry.cpp:24

llvm::Pass::doInitialization
virtual bool doInitialization(Module &)
doInitialization - Virtual method overridden by subclasses to do any necessary initialization before ...
Definition: Pass.h:116

llvm::SmallVectorBase::empty
bool empty() const
Definition: SmallVector.h:94

llvm::SmallVectorImpl::emplace_back
reference emplace_back(ArgTypes &&... Args)
Definition: SmallVector.h:941

llvm::SmallVectorTemplateBase::push_back
void push_back(const T &Elt)
Definition: SmallVector.h:416

llvm::SmallVector
This is a 'vector' (really, a variable-sized array), optimized for the case when the array is small.
Definition: SmallVector.h:1200

llvm::StringRef
StringRef - Represent a constant reference to a string, i.e.
Definition: StringRef.h:50

llvm::Triple
Triple - Helper class for working with autoconf configuration names.
Definition: Triple.h:44

llvm::Triple::isOSWindows
bool isOSWindows() const
Tests whether the OS is Windows.
Definition: Triple.h:584

llvm::Type
The instances of the Type class are immutable: once they are created, they are never changed.
Definition: Type.h:45

llvm::Type::getVoidTy
static Type * getVoidTy(LLVMContext &C)

llvm::Value
LLVM Value Representation.
Definition: Value.h:74

llvm::Value::getType
Type * getType() const
All values are typed, get the type of this value.
Definition: Value.h:255

llvm::Value::replaceAllUsesWith
void replaceAllUsesWith(Value *V)
Change all uses of this to point to a new Value.
Definition: Value.cpp:532

unsigned

llvm::ARM::ProfileKind::M
@ M

llvm::CallingConv::ID
unsigned ID
LLVM IR allows to use arbitrary numbers as calling convention identifiers.
Definition: CallingConv.h:24

llvm::CallingConv::CFGuard_Check
@ CFGuard_Check
Special calling convention on Windows for calling the Control Guard Check ICall funtion.
Definition: CallingConv.h:82

llvm
This is an optimization pass for GlobalISel generic memory operations.
Definition: AddressRanges.h:18

llvm::createCFGuardDispatchPass
FunctionPass * createCFGuardDispatchPass()
Insert Control FLow Guard dispatches on indirect function calls.
Definition: CFGuard.cpp:311

llvm::initializeCFGuardPass
void initializeCFGuardPass(PassRegistry &)

llvm::createCFGuardCheckPass
FunctionPass * createCFGuardCheckPass()
Insert Control FLow Guard checks on indirect function calls.
Definition: CFGuard.cpp:307