LLVM 19.0.0git
X86IndirectThunks.cpp
Go to the documentation of this file.
1//==- X86IndirectThunks.cpp - Construct indirect call/jump thunks for x86 --=//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8/// \file
9///
10/// Pass that injects an MI thunk that is used to lower indirect calls in a way
11/// that prevents speculation on some x86 processors and can be used to mitigate
12/// security vulnerabilities due to targeted speculative execution and side
13/// channels such as CVE-2017-5715.
14///
15/// Currently supported thunks include:
16/// - Retpoline -- A RET-implemented trampoline that lowers indirect calls
17/// - LVI Thunk -- A CALL/JMP-implemented thunk that forces load serialization
18/// before making an indirect call/jump
19///
20/// Note that the reason that this is implemented as a MachineFunctionPass and
21/// not a ModulePass is that ModulePasses at this point in the LLVM X86 pipeline
22/// serialize all transformations, which can consume lots of memory.
23///
24/// TODO(chandlerc): All of this code could use better comments and
25/// documentation.
26///
27//===----------------------------------------------------------------------===//
28
29#include "X86.h"
30#include "X86InstrBuilder.h"
31#include "X86Subtarget.h"
32#include "llvm/CodeGen/IndirectThunks.h"
33#include "llvm/CodeGen/MachineFunction.h"
34#include "llvm/CodeGen/MachineFunctionPass.h"
35#include "llvm/CodeGen/MachineInstrBuilder.h"
36#include "llvm/CodeGen/MachineModuleInfo.h"
37#include "llvm/CodeGen/Passes.h"
38#include "llvm/CodeGen/TargetPassConfig.h"
39#include "llvm/IR/IRBuilder.h"
40#include "llvm/IR/Instructions.h"
41#include "llvm/IR/Module.h"
42#include "llvm/Support/CommandLine.h"
43#include "llvm/Support/Debug.h"
44#include "llvm/Support/raw_ostream.h"
45#include "llvm/Target/TargetMachine.h"
46
47using namespace llvm;
48
49#define DEBUG_TYPE "x86-retpoline-thunks"
50
51static const char RetpolineNamePrefix[] = "__llvm_retpoline_";
52static const char R11RetpolineName[] = "__llvm_retpoline_r11";
53static const char EAXRetpolineName[] = "__llvm_retpoline_eax";
54static const char ECXRetpolineName[] = "__llvm_retpoline_ecx";
55static const char EDXRetpolineName[] = "__llvm_retpoline_edx";
56static const char EDIRetpolineName[] = "__llvm_retpoline_edi";
57
58static const char LVIThunkNamePrefix[] = "__llvm_lvi_thunk_";
59static const char R11LVIThunkName[] = "__llvm_lvi_thunk_r11";
60
61namespace {
62struct RetpolineThunkInserter : ThunkInserter<RetpolineThunkInserter> {
63 const char *getThunkPrefix() { return RetpolineNamePrefix; }
64 bool mayUseThunk(const MachineFunction &MF, bool InsertedThunks) {
65 if (InsertedThunks)
66 return false;
67 const auto &STI = MF.getSubtarget<X86Subtarget>();
68 return (STI.useRetpolineIndirectCalls() ||
69 STI.useRetpolineIndirectBranches()) &&
70 !STI.useRetpolineExternalThunk();
71 }
72 bool insertThunks(MachineModuleInfo &MMI, MachineFunction &MF);
73 void populateThunk(MachineFunction &MF);
74};
75
76struct LVIThunkInserter : ThunkInserter<LVIThunkInserter> {
77 const char *getThunkPrefix() { return LVIThunkNamePrefix; }
78 bool mayUseThunk(const MachineFunction &MF, bool InsertedThunks) {
79 if (InsertedThunks)
80 return false;
81 return MF.getSubtarget<X86Subtarget>().useLVIControlFlowIntegrity();
82 }
83 bool insertThunks(MachineModuleInfo &MMI, MachineFunction &MF) {
84 createThunkFunction(MMI, R11LVIThunkName);
85 return true;
86 }
87 void populateThunk(MachineFunction &MF) {
88 assert (MF.size() == 1);
89 MachineBasicBlock *Entry = &MF.front();
90 Entry->clear();
91
92 // This code mitigates LVI by replacing each indirect call/jump with a
93 // direct call/jump to a thunk that looks like:
94 // ```
95 // lfence
96 // jmpq *%r11
97 // ```
98 // This ensures that if the value in register %r11 was loaded from memory,
99 // then the value in %r11 is (architecturally) correct prior to the jump.
100 const TargetInstrInfo *TII = MF.getSubtarget<X86Subtarget>().getInstrInfo();
101 BuildMI(&MF.front(), DebugLoc(), TII->get(X86::LFENCE));
102 BuildMI(&MF.front(), DebugLoc(), TII->get(X86::JMP64r)).addReg(X86::R11);
103 MF.front().addLiveIn(X86::R11);
104 }
105};
106
107class X86IndirectThunks : public MachineFunctionPass {
108public:
109 static char ID;
110
111 X86IndirectThunks() : MachineFunctionPass(ID) {}
112
113 StringRef getPassName() const override { return "X86 Indirect Thunks"; }
114
115 bool doInitialization(Module &M) override;
116 bool runOnMachineFunction(MachineFunction &MF) override;
117
118private:
119 std::tuple<RetpolineThunkInserter, LVIThunkInserter> TIs;
120
121 template <typename... ThunkInserterT>
122 static void initTIs(Module &M,
123 std::tuple<ThunkInserterT...> &ThunkInserters) {
124 (..., std::get<ThunkInserterT>(ThunkInserters).init(M));
125 }
126 template <typename... ThunkInserterT>
127 static bool runTIs(MachineModuleInfo &MMI, MachineFunction &MF,
128 std::tuple<ThunkInserterT...> &ThunkInserters) {
129 return (0 | ... | std::get<ThunkInserterT>(ThunkInserters).run(MMI, MF));
130 }
131};
132
133} // end anonymous namespace
134
135bool RetpolineThunkInserter::insertThunks(MachineModuleInfo &MMI,
136 MachineFunction &MF) {
137 if (MMI.getTarget().getTargetTriple().getArch() == Triple::x86_64)
138 createThunkFunction(MMI, R11RetpolineName);
139 else
140 for (StringRef Name : {EAXRetpolineName, ECXRetpolineName, EDXRetpolineName,
141 EDIRetpolineName})
142 createThunkFunction(MMI, Name);
143 return true;
144}
145
146void RetpolineThunkInserter::populateThunk(MachineFunction &MF) {
147 bool Is64Bit = MF.getTarget().getTargetTriple().getArch() == Triple::x86_64;
148 Register ThunkReg;
149 if (Is64Bit) {
150 assert(MF.getName() == "__llvm_retpoline_r11" &&
151 "Should only have an r11 thunk on 64-bit targets");
152
153 // __llvm_retpoline_r11:
154 // callq .Lr11_call_target
155 // .Lr11_capture_spec:
156 // pause
157 // lfence
158 // jmp .Lr11_capture_spec
159 // .align 16
160 // .Lr11_call_target:
161 // movq %r11, (%rsp)
162 // retq
163 ThunkReg = X86::R11;
164 } else {
165 // For 32-bit targets we need to emit a collection of thunks for various
166 // possible scratch registers as well as a fallback that uses EDI, which is
167 // normally callee saved.
168 // __llvm_retpoline_eax:
169 // calll .Leax_call_target
170 // .Leax_capture_spec:
171 // pause
172 // jmp .Leax_capture_spec
173 // .align 16
174 // .Leax_call_target:
175 // movl %eax, (%esp) # Clobber return addr
176 // retl
177 //
178 // __llvm_retpoline_ecx:
179 // ... # Same setup
180 // movl %ecx, (%esp)
181 // retl
182 //
183 // __llvm_retpoline_edx:
184 // ... # Same setup
185 // movl %edx, (%esp)
186 // retl
187 //
188 // __llvm_retpoline_edi:
189 // ... # Same setup
190 // movl %edi, (%esp)
191 // retl
192 if (MF.getName() == EAXRetpolineName)
193 ThunkReg = X86::EAX;
194 else if (MF.getName() == ECXRetpolineName)
195 ThunkReg = X86::ECX;
196 else if (MF.getName() == EDXRetpolineName)
197 ThunkReg = X86::EDX;
198 else if (MF.getName() == EDIRetpolineName)
199 ThunkReg = X86::EDI;
200 else
201 llvm_unreachable("Invalid thunk name on x86-32!");
202 }
203
204 const TargetInstrInfo *TII = MF.getSubtarget<X86Subtarget>().getInstrInfo();
205 assert (MF.size() == 1);
206 MachineBasicBlock *Entry = &MF.front();
207 Entry->clear();
208
209 MachineBasicBlock *CaptureSpec =
210 MF.CreateMachineBasicBlock(Entry->getBasicBlock());
211 MachineBasicBlock *CallTarget =
212 MF.CreateMachineBasicBlock(Entry->getBasicBlock());
213 MCSymbol *TargetSym = MF.getContext().createTempSymbol();
214 MF.push_back(CaptureSpec);
215 MF.push_back(CallTarget);
216
217 const unsigned CallOpc = Is64Bit ? X86::CALL64pcrel32 : X86::CALLpcrel32;
218 const unsigned RetOpc = Is64Bit ? X86::RET64 : X86::RET32;
219
220 Entry->addLiveIn(ThunkReg);
221 BuildMI(Entry, DebugLoc(), TII->get(CallOpc)).addSym(TargetSym);
222
223 // The MIR verifier thinks that the CALL in the entry block will fall through
224 // to CaptureSpec, so mark it as the successor. Technically, CaptureTarget is
225 // the successor, but the MIR verifier doesn't know how to cope with that.
226 Entry->addSuccessor(CaptureSpec);
227
228 // In the capture loop for speculation, we want to stop the processor from
229 // speculating as fast as possible. On Intel processors, the PAUSE instruction
230 // will block speculation without consuming any execution resources. On AMD
231 // processors, the PAUSE instruction is (essentially) a nop, so we also use an
232 // LFENCE instruction which they have advised will stop speculation as well
233 // with minimal resource utilization. We still end the capture with a jump to
234 // form an infinite loop to fully guarantee that no matter what implementation
235 // of the x86 ISA, speculating this code path never escapes.
236 BuildMI(CaptureSpec, DebugLoc(), TII->get(X86::PAUSE));
237 BuildMI(CaptureSpec, DebugLoc(), TII->get(X86::LFENCE));
238 BuildMI(CaptureSpec, DebugLoc(), TII->get(X86::JMP_1)).addMBB(CaptureSpec);
239 CaptureSpec->setMachineBlockAddressTaken();
240 CaptureSpec->addSuccessor(CaptureSpec);
241
242 CallTarget->addLiveIn(ThunkReg);
243 CallTarget->setMachineBlockAddressTaken();
244 CallTarget->setAlignment(Align(16));
245
246 // Insert return address clobber
247 const unsigned MovOpc = Is64Bit ? X86::MOV64mr : X86::MOV32mr;
248 const Register SPReg = Is64Bit ? X86::RSP : X86::ESP;
249 addRegOffset(BuildMI(CallTarget, DebugLoc(), TII->get(MovOpc)), SPReg, false,
250 0)
251 .addReg(ThunkReg);
252
253 CallTarget->back().setPreInstrSymbol(MF, TargetSym);
254 BuildMI(CallTarget, DebugLoc(), TII->get(RetOpc));
255}
256
257FunctionPass *llvm::createX86IndirectThunksPass() {
258 return new X86IndirectThunks();
259}
260
261char X86IndirectThunks::ID = 0;
262
263bool X86IndirectThunks::doInitialization(Module &M) {
264 initTIs(M, TIs);
265 return false;
266}
267
268bool X86IndirectThunks::runOnMachineFunction(MachineFunction &MF) {
269 LLVM_DEBUG(dbgs() << getPassName() << '\n');
270 auto &MMI = getAnalysis<MachineModuleInfoWrapperPass>().getMMI();
271 return runTIs(MMI, MF, TIs);
272}
LLVM_DEBUG
#define LLVM_DEBUG(X)
Definition: Debug.h:101
Name
std::string Name
Definition: ELFObjHandler.cpp:77
TII
const HexagonInstrInfo * TII
Definition: HexagonCopyToCombine.cpp:125
IndirectThunks.h
Contains a base class for Passes that inject an MI thunk.
Module.h
Module.h This file contains the declarations for the Module class.
assert
assert(ImpDefSCC.getReg()==AMDGPU::SCC &&ImpDefSCC.isDef())
TargetPassConfig.h
Target-Independent Code Generator Pass Configuration Options pass.
ECXRetpolineName
static const char ECXRetpolineName[]
Definition: X86IndirectThunks.cpp:54
RetpolineNamePrefix
static const char RetpolineNamePrefix[]
Definition: X86IndirectThunks.cpp:51
EDIRetpolineName
static const char EDIRetpolineName[]
Definition: X86IndirectThunks.cpp:56
LVIThunkNamePrefix
static const char LVIThunkNamePrefix[]
Definition: X86IndirectThunks.cpp:58
EDXRetpolineName
static const char EDXRetpolineName[]
Definition: X86IndirectThunks.cpp:55
EAXRetpolineName
static const char EAXRetpolineName[]
Definition: X86IndirectThunks.cpp:53
R11LVIThunkName
static const char R11LVIThunkName[]
Definition: X86IndirectThunks.cpp:59
R11RetpolineName
static const char R11RetpolineName[]
Definition: X86IndirectThunks.cpp:52
llvm::DebugLoc
A debug info location.
Definition: DebugLoc.h:33
llvm::FunctionPass
FunctionPass class - This class is used to implement most global optimizations.
Definition: Pass.h:311
llvm::MCContext::createTempSymbol
MCSymbol * createTempSymbol()
Create a temporary symbol with a unique name.
Definition: MCContext.cpp:322
llvm::MCSymbol
MCSymbol - Instances of this class represent a symbol name in the MC file, and MCSymbols are created ...
Definition: MCSymbol.h:40
llvm::MachineBasicBlock::setAlignment
void setAlignment(Align A)
Set alignment of the basic block.
Definition: MachineBasicBlock.h:589
llvm::MachineBasicBlock::addSuccessor
void addSuccessor(MachineBasicBlock *Succ, BranchProbability Prob=BranchProbability::getUnknown())
Add Succ as a successor of this MachineBasicBlock.
Definition: MachineBasicBlock.cpp:790
llvm::MachineBasicBlock::addLiveIn
void addLiveIn(MCRegister PhysReg, LaneBitmask LaneMask=LaneBitmask::getAll())
Adds the specified register as a live in.
Definition: MachineBasicBlock.h:428
llvm::MachineBasicBlock::setMachineBlockAddressTaken
void setMachineBlockAddressTaken()
Set this block to indicate that its address is used as something other than the target of a terminato...
Definition: MachineBasicBlock.h:271
llvm::MachineFunctionPass
MachineFunctionPass - This class adapts the FunctionPass interface to allow convenient creation of pa...
Definition: MachineFunctionPass.h:30
llvm::MachineFunctionPass::doInitialization
bool doInitialization(Module &) override
doInitialization - Virtual method overridden by subclasses to do any necessary initialization before ...
Definition: MachineFunctionPass.h:32
llvm::MachineFunctionPass::runOnMachineFunction
virtual bool runOnMachineFunction(MachineFunction &MF)=0
runOnMachineFunction - This method must be overloaded to perform the desired machine code transformat...
llvm::MachineFunction::getSubtarget
const TargetSubtargetInfo & getSubtarget() const
getSubtarget - Return the subtarget for which this machine code is being compiled.
Definition: MachineFunction.h:718
llvm::MachineFunction::getName
StringRef getName() const
getName - Return the name of the corresponding LLVM function.
Definition: MachineFunction.cpp:609
llvm::MachineFunction::push_back
void push_back(MachineBasicBlock *MBB)
Definition: MachineFunction.h:939
llvm::MachineFunction::getContext
MCContext & getContext() const
Definition: MachineFunction.h:670
llvm::MachineFunction::size
unsigned size() const
Definition: MachineFunction.h:932
llvm::MachineFunction::getTarget
const LLVMTargetMachine & getTarget() const
getTarget - Return the target machine this machine code is compiled with
Definition: MachineFunction.h:714
llvm::MachineFunction::front
const MachineBasicBlock & front() const
Definition: MachineFunction.h:934
llvm::MachineFunction::CreateMachineBasicBlock
MachineBasicBlock * CreateMachineBasicBlock(const BasicBlock *BB=nullptr, std::optional< UniqueBBID > BBID=std::nullopt)
CreateMachineBasicBlock - Allocate a new MachineBasicBlock.
Definition: MachineFunction.cpp:461
llvm::MachineInstrBuilder::addSym
const MachineInstrBuilder & addSym(MCSymbol *Sym, unsigned char TargetFlags=0) const
Definition: MachineInstrBuilder.h:268
llvm::MachineInstrBuilder::addReg
const MachineInstrBuilder & addReg(Register RegNo, unsigned flags=0, unsigned SubReg=0) const
Add a new virtual register operand.
Definition: MachineInstrBuilder.h:98
llvm::MachineInstrBuilder::addMBB
const MachineInstrBuilder & addMBB(MachineBasicBlock *MBB, unsigned TargetFlags=0) const
Definition: MachineInstrBuilder.h:147
llvm::MachineInstr::setPreInstrSymbol
void setPreInstrSymbol(MachineFunction &MF, MCSymbol *Symbol)
Set a symbol that will be emitted just prior to the instruction itself.
Definition: MachineInstr.cpp:470
llvm::MachineModuleInfo
This class contains meta information specific to a module.
Definition: MachineModuleInfo.h:74
llvm::MachineModuleInfo::getTarget
const LLVMTargetMachine & getTarget() const
Definition: MachineModuleInfo.h:137
llvm::Module
A Module instance is used to store all the information related to an LLVM module.
Definition: Module.h:65
llvm::Pass::getPassName
virtual StringRef getPassName() const
getPassName - Return a nice clean name for a pass.
Definition: Pass.cpp:81
llvm::Register
Wrapper class representing virtual and physical registers.
Definition: Register.h:19
llvm::StringRef
StringRef - Represent a constant reference to a string, i.e.
Definition: StringRef.h:50
llvm::TargetInstrInfo
TargetInstrInfo - Interface to description of machine instruction set.
Definition: TargetInstrInfo.h:110
llvm::TargetMachine::getTargetTriple
const Triple & getTargetTriple() const
Definition: TargetMachine.h:125
llvm::ThunkInserter::createThunkFunction
void createThunkFunction(MachineModuleInfo &MMI, StringRef Name, bool Comdat=true, StringRef TargetAttrs="")
Definition: IndirectThunks.h:48
llvm::Triple::getArch
ArchType getArch() const
Get the parsed architecture type of this triple.
Definition: Triple.h:372
llvm_unreachable
#define llvm_unreachable(msg)
Marks that the current location is not supposed to be reachable.
Definition: ErrorHandling.h:143
llvm::CallingConv::ID
unsigned ID
LLVM IR allows to use arbitrary numbers as calling convention identifiers.
Definition: CallingConv.h:24
llvm
This is an optimization pass for GlobalISel generic memory operations.
Definition: AddressRanges.h:18
llvm::BuildMI
MachineInstrBuilder BuildMI(MachineFunction &MF, const MIMetadata &MIMD, const MCInstrDesc &MCID)
Builder interface. Specify how to create the initial instruction itself.
Definition: MachineInstrBuilder.h:363
llvm::addRegOffset
static const MachineInstrBuilder & addRegOffset(const MachineInstrBuilder &MIB, unsigned Reg, bool isKill, int Offset)
addRegOffset - This function is used to add a memory reference of the form [Reg + Offset],...
Definition: X86InstrBuilder.h:157
llvm::dbgs
raw_ostream & dbgs()
dbgs() - This returns a reference to a raw_ostream for debugging messages.
Definition: Debug.cpp:163
llvm::createX86IndirectThunksPass
FunctionPass * createX86IndirectThunksPass()
This pass creates the thunks for the retpoline feature.
Definition: X86IndirectThunks.cpp:257
raw_ostream.h
llvm::Align
This struct is a compact representation of a valid (non-zero power of two) alignment.
Definition: Alignment.h:39
Generated on Sun Apr 21 2024 20:14:45 for LLVM by doxygen 1.9.6