LLVM 17.0.0git
X86IndirectThunks.cpp
Go to the documentation of this file.
1//==- X86IndirectThunks.cpp - Construct indirect call/jump thunks for x86 --=//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8/// \file
9///
10/// Pass that injects an MI thunk that is used to lower indirect calls in a way
11/// that prevents speculation on some x86 processors and can be used to mitigate
12/// security vulnerabilities due to targeted speculative execution and side
13/// channels such as CVE-2017-5715.
14///
15/// Currently supported thunks include:
16/// - Retpoline -- A RET-implemented trampoline that lowers indirect calls
17/// - LVI Thunk -- A CALL/JMP-implemented thunk that forces load serialization
18/// before making an indirect call/jump
19///
20/// Note that the reason that this is implemented as a MachineFunctionPass and
21/// not a ModulePass is that ModulePasses at this point in the LLVM X86 pipeline
22/// serialize all transformations, which can consume lots of memory.
23///
24/// TODO(chandlerc): All of this code could use better comments and
25/// documentation.
26///
27//===----------------------------------------------------------------------===//
28
29#include "X86.h"
30#include "X86InstrBuilder.h"
31#include "X86Subtarget.h"
32#include "llvm/CodeGen/IndirectThunks.h"
33#include "llvm/CodeGen/MachineFunction.h"
34#include "llvm/CodeGen/MachineFunctionPass.h"
35#include "llvm/CodeGen/MachineInstrBuilder.h"
36#include "llvm/CodeGen/MachineModuleInfo.h"
37#include "llvm/CodeGen/Passes.h"
38#include "llvm/CodeGen/TargetPassConfig.h"
39#include "llvm/IR/IRBuilder.h"
40#include "llvm/IR/Instructions.h"
41#include "llvm/IR/Module.h"
42#include "llvm/Support/CommandLine.h"
43#include "llvm/Support/Debug.h"
44#include "llvm/Support/raw_ostream.h"
45#include "llvm/Target/TargetMachine.h"
46
47using namespace llvm;
48
49#define DEBUG_TYPE "x86-retpoline-thunks"
50
51static const char RetpolineNamePrefix[] = "__llvm_retpoline_";
52static const char R11RetpolineName[] = "__llvm_retpoline_r11";
53static const char EAXRetpolineName[] = "__llvm_retpoline_eax";
54static const char ECXRetpolineName[] = "__llvm_retpoline_ecx";
55static const char EDXRetpolineName[] = "__llvm_retpoline_edx";
56static const char EDIRetpolineName[] = "__llvm_retpoline_edi";
57
58static const char LVIThunkNamePrefix[] = "__llvm_lvi_thunk_";
59static const char R11LVIThunkName[] = "__llvm_lvi_thunk_r11";
60
61namespace {
62struct RetpolineThunkInserter : ThunkInserter<RetpolineThunkInserter> {
63 const char *getThunkPrefix() { return RetpolineNamePrefix; }
64 bool mayUseThunk(const MachineFunction &MF, bool InsertedThunks) {
65 if (InsertedThunks)
66 return false;
67 const auto &STI = MF.getSubtarget<X86Subtarget>();
68 return (STI.useRetpolineIndirectCalls() ||
69 STI.useRetpolineIndirectBranches()) &&
70 !STI.useRetpolineExternalThunk();
71 }
72 bool insertThunks(MachineModuleInfo &MMI, MachineFunction &MF);
73 void populateThunk(MachineFunction &MF);
74};
75
76struct LVIThunkInserter : ThunkInserter<LVIThunkInserter> {
77 const char *getThunkPrefix() { return LVIThunkNamePrefix; }
78 bool mayUseThunk(const MachineFunction &MF, bool InsertedThunks) {
79 if (InsertedThunks)
80 return false;
81 return MF.getSubtarget<X86Subtarget>().useLVIControlFlowIntegrity();
82 }
83 bool insertThunks(MachineModuleInfo &MMI, MachineFunction &MF) {
84 createThunkFunction(MMI, R11LVIThunkName);
85 return true;
86 }
87 void populateThunk(MachineFunction &MF) {
88 assert (MF.size() == 1);
89 MachineBasicBlock *Entry = &MF.front();
90 Entry->clear();
91
92 // This code mitigates LVI by replacing each indirect call/jump with a
93 // direct call/jump to a thunk that looks like:
94 // ```
95 // lfence
96 // jmpq *%r11
97 // ```
98 // This ensures that if the value in register %r11 was loaded from memory,
99 // then the value in %r11 is (architecturally) correct prior to the jump.
100 const TargetInstrInfo *TII = MF.getSubtarget<X86Subtarget>().getInstrInfo();
101 BuildMI(&MF.front(), DebugLoc(), TII->get(X86::LFENCE));
102 BuildMI(&MF.front(), DebugLoc(), TII->get(X86::JMP64r)).addReg(X86::R11);
103 MF.front().addLiveIn(X86::R11);
104 }
105};
106
107class X86IndirectThunks : public MachineFunctionPass {
108public:
109 static char ID;
110
111 X86IndirectThunks() : MachineFunctionPass(ID) {}
112
113 StringRef getPassName() const override { return "X86 Indirect Thunks"; }
114
115 bool doInitialization(Module &M) override;
116 bool runOnMachineFunction(MachineFunction &MF) override;
117
118private:
119 std::tuple<RetpolineThunkInserter, LVIThunkInserter> TIs;
120
121 // FIXME: When LLVM moves to C++17, these can become folds
122 template <typename... ThunkInserterT>
123 static void initTIs(Module &M,
124 std::tuple<ThunkInserterT...> &ThunkInserters) {
125 (void)std::initializer_list<int>{
126 (std::get<ThunkInserterT>(ThunkInserters).init(M), 0)...};
127 }
128 template <typename... ThunkInserterT>
129 static bool runTIs(MachineModuleInfo &MMI, MachineFunction &MF,
130 std::tuple<ThunkInserterT...> &ThunkInserters) {
131 bool Modified = false;
132 (void)std::initializer_list<int>{
133 Modified |= std::get<ThunkInserterT>(ThunkInserters).run(MMI, MF)...};
134 return Modified;
135 }
136};
137
138} // end anonymous namespace
139
140bool RetpolineThunkInserter::insertThunks(MachineModuleInfo &MMI,
141 MachineFunction &MF) {
142 if (MMI.getTarget().getTargetTriple().getArch() == Triple::x86_64)
143 createThunkFunction(MMI, R11RetpolineName);
144 else
145 for (StringRef Name : {EAXRetpolineName, ECXRetpolineName, EDXRetpolineName,
146 EDIRetpolineName})
147 createThunkFunction(MMI, Name);
148 return true;
149}
150
151void RetpolineThunkInserter::populateThunk(MachineFunction &MF) {
152 bool Is64Bit = MF.getTarget().getTargetTriple().getArch() == Triple::x86_64;
153 Register ThunkReg;
154 if (Is64Bit) {
155 assert(MF.getName() == "__llvm_retpoline_r11" &&
156 "Should only have an r11 thunk on 64-bit targets");
157
158 // __llvm_retpoline_r11:
159 // callq .Lr11_call_target
160 // .Lr11_capture_spec:
161 // pause
162 // lfence
163 // jmp .Lr11_capture_spec
164 // .align 16
165 // .Lr11_call_target:
166 // movq %r11, (%rsp)
167 // retq
168 ThunkReg = X86::R11;
169 } else {
170 // For 32-bit targets we need to emit a collection of thunks for various
171 // possible scratch registers as well as a fallback that uses EDI, which is
172 // normally callee saved.
173 // __llvm_retpoline_eax:
174 // calll .Leax_call_target
175 // .Leax_capture_spec:
176 // pause
177 // jmp .Leax_capture_spec
178 // .align 16
179 // .Leax_call_target:
180 // movl %eax, (%esp) # Clobber return addr
181 // retl
182 //
183 // __llvm_retpoline_ecx:
184 // ... # Same setup
185 // movl %ecx, (%esp)
186 // retl
187 //
188 // __llvm_retpoline_edx:
189 // ... # Same setup
190 // movl %edx, (%esp)
191 // retl
192 //
193 // __llvm_retpoline_edi:
194 // ... # Same setup
195 // movl %edi, (%esp)
196 // retl
197 if (MF.getName() == EAXRetpolineName)
198 ThunkReg = X86::EAX;
199 else if (MF.getName() == ECXRetpolineName)
200 ThunkReg = X86::ECX;
201 else if (MF.getName() == EDXRetpolineName)
202 ThunkReg = X86::EDX;
203 else if (MF.getName() == EDIRetpolineName)
204 ThunkReg = X86::EDI;
205 else
206 llvm_unreachable("Invalid thunk name on x86-32!");
207 }
208
209 const TargetInstrInfo *TII = MF.getSubtarget<X86Subtarget>().getInstrInfo();
210 assert (MF.size() == 1);
211 MachineBasicBlock *Entry = &MF.front();
212 Entry->clear();
213
214 MachineBasicBlock *CaptureSpec =
215 MF.CreateMachineBasicBlock(Entry->getBasicBlock());
216 MachineBasicBlock *CallTarget =
217 MF.CreateMachineBasicBlock(Entry->getBasicBlock());
218 MCSymbol *TargetSym = MF.getContext().createTempSymbol();
219 MF.push_back(CaptureSpec);
220 MF.push_back(CallTarget);
221
222 const unsigned CallOpc = Is64Bit ? X86::CALL64pcrel32 : X86::CALLpcrel32;
223 const unsigned RetOpc = Is64Bit ? X86::RET64 : X86::RET32;
224
225 Entry->addLiveIn(ThunkReg);
226 BuildMI(Entry, DebugLoc(), TII->get(CallOpc)).addSym(TargetSym);
227
228 // The MIR verifier thinks that the CALL in the entry block will fall through
229 // to CaptureSpec, so mark it as the successor. Technically, CaptureTarget is
230 // the successor, but the MIR verifier doesn't know how to cope with that.
231 Entry->addSuccessor(CaptureSpec);
232
233 // In the capture loop for speculation, we want to stop the processor from
234 // speculating as fast as possible. On Intel processors, the PAUSE instruction
235 // will block speculation without consuming any execution resources. On AMD
236 // processors, the PAUSE instruction is (essentially) a nop, so we also use an
237 // LFENCE instruction which they have advised will stop speculation as well
238 // with minimal resource utilization. We still end the capture with a jump to
239 // form an infinite loop to fully guarantee that no matter what implementation
240 // of the x86 ISA, speculating this code path never escapes.
241 BuildMI(CaptureSpec, DebugLoc(), TII->get(X86::PAUSE));
242 BuildMI(CaptureSpec, DebugLoc(), TII->get(X86::LFENCE));
243 BuildMI(CaptureSpec, DebugLoc(), TII->get(X86::JMP_1)).addMBB(CaptureSpec);
244 CaptureSpec->setMachineBlockAddressTaken();
245 CaptureSpec->addSuccessor(CaptureSpec);
246
247 CallTarget->addLiveIn(ThunkReg);
248 CallTarget->setMachineBlockAddressTaken();
249 CallTarget->setAlignment(Align(16));
250
251 // Insert return address clobber
252 const unsigned MovOpc = Is64Bit ? X86::MOV64mr : X86::MOV32mr;
253 const Register SPReg = Is64Bit ? X86::RSP : X86::ESP;
254 addRegOffset(BuildMI(CallTarget, DebugLoc(), TII->get(MovOpc)), SPReg, false,
255 0)
256 .addReg(ThunkReg);
257
258 CallTarget->back().setPreInstrSymbol(MF, TargetSym);
259 BuildMI(CallTarget, DebugLoc(), TII->get(RetOpc));
260}
261
262FunctionPass *llvm::createX86IndirectThunksPass() {
263 return new X86IndirectThunks();
264}
265
266char X86IndirectThunks::ID = 0;
267
268bool X86IndirectThunks::doInitialization(Module &M) {
269 initTIs(M, TIs);
270 return false;
271}
272
273bool X86IndirectThunks::runOnMachineFunction(MachineFunction &MF) {
274 LLVM_DEBUG(dbgs() << getPassName() << '\n');
275 auto &MMI = getAnalysis<MachineModuleInfoWrapperPass>().getMMI();
276 return runTIs(MMI, MF, TIs);
277}
LLVM_DEBUG
#define LLVM_DEBUG(X)
Definition: Debug.h:101
Name
std::string Name
Definition: ELFObjHandler.cpp:77
TII
const HexagonInstrInfo * TII
Definition: HexagonCopyToCombine.cpp:125
IndirectThunks.h
Contains a base class for Passes that inject an MI thunk.
Module.h
Module.h This file contains the declarations for the Module class.
assert
assert(ImpDefSCC.getReg()==AMDGPU::SCC &&ImpDefSCC.isDef())
TargetPassConfig.h
Target-Independent Code Generator Pass Configuration Options pass.
ECXRetpolineName
static const char ECXRetpolineName[]
Definition: X86IndirectThunks.cpp:54
RetpolineNamePrefix
static const char RetpolineNamePrefix[]
Definition: X86IndirectThunks.cpp:51
EDIRetpolineName
static const char EDIRetpolineName[]
Definition: X86IndirectThunks.cpp:56
LVIThunkNamePrefix
static const char LVIThunkNamePrefix[]
Definition: X86IndirectThunks.cpp:58
EDXRetpolineName
static const char EDXRetpolineName[]
Definition: X86IndirectThunks.cpp:55
EAXRetpolineName
static const char EAXRetpolineName[]
Definition: X86IndirectThunks.cpp:53
R11LVIThunkName
static const char R11LVIThunkName[]
Definition: X86IndirectThunks.cpp:59
R11RetpolineName
static const char R11RetpolineName[]
Definition: X86IndirectThunks.cpp:52
llvm::DebugLoc
A debug info location.
Definition: DebugLoc.h:33
llvm::FunctionPass
FunctionPass class - This class is used to implement most global optimizations.
Definition: Pass.h:308
llvm::MCContext::createTempSymbol
MCSymbol * createTempSymbol()
Create a temporary symbol with a unique name.
Definition: MCContext.cpp:318
llvm::MCSymbol
MCSymbol - Instances of this class represent a symbol name in the MC file, and MCSymbols are created ...
Definition: MCSymbol.h:41
llvm::MachineBasicBlock::setAlignment
void setAlignment(Align A)
Set alignment of the basic block.
Definition: MachineBasicBlock.h:563
llvm::MachineBasicBlock::addSuccessor
void addSuccessor(MachineBasicBlock *Succ, BranchProbability Prob=BranchProbability::getUnknown())
Add Succ as a successor of this MachineBasicBlock.
Definition: MachineBasicBlock.cpp:772
llvm::MachineBasicBlock::addLiveIn
void addLiveIn(MCRegister PhysReg, LaneBitmask LaneMask=LaneBitmask::getAll())
Adds the specified register as a live in.
Definition: MachineBasicBlock.h:408
llvm::MachineBasicBlock::setMachineBlockAddressTaken
void setMachineBlockAddressTaken()
Set this block to indicate that its address is used as something other than the target of a terminato...
Definition: MachineBasicBlock.h:251
llvm::MachineFunctionPass
MachineFunctionPass - This class adapts the FunctionPass interface to allow convenient creation of pa...
Definition: MachineFunctionPass.h:30
llvm::MachineFunctionPass::doInitialization
bool doInitialization(Module &) override
doInitialization - Virtual method overridden by subclasses to do any necessary initialization before ...
Definition: MachineFunctionPass.h:32
llvm::MachineFunctionPass::runOnMachineFunction
virtual bool runOnMachineFunction(MachineFunction &MF)=0
runOnMachineFunction - This method must be overloaded to perform the desired machine code transformat...
llvm::MachineFunction::CreateMachineBasicBlock
MachineBasicBlock * CreateMachineBasicBlock(const BasicBlock *bb=nullptr)
CreateMachineBasicBlock - Allocate a new MachineBasicBlock.
Definition: MachineFunction.cpp:445
llvm::MachineFunction::getSubtarget
const TargetSubtargetInfo & getSubtarget() const
getSubtarget - Return the subtarget for which this machine code is being compiled.
Definition: MachineFunction.h:672
llvm::MachineFunction::getName
StringRef getName() const
getName - Return the name of the corresponding LLVM function.
Definition: MachineFunction.cpp:581
llvm::MachineFunction::push_back
void push_back(MachineBasicBlock *MBB)
Definition: MachineFunction.h:887
llvm::MachineFunction::getContext
MCContext & getContext() const
Definition: MachineFunction.h:624
llvm::MachineFunction::size
unsigned size() const
Definition: MachineFunction.h:880
llvm::MachineFunction::getTarget
const LLVMTargetMachine & getTarget() const
getTarget - Return the target machine this machine code is compiled with
Definition: MachineFunction.h:668
llvm::MachineFunction::front
const MachineBasicBlock & front() const
Definition: MachineFunction.h:882
llvm::MachineInstrBuilder::addSym
const MachineInstrBuilder & addSym(MCSymbol *Sym, unsigned char TargetFlags=0) const
Definition: MachineInstrBuilder.h:267
llvm::MachineInstrBuilder::addReg
const MachineInstrBuilder & addReg(Register RegNo, unsigned flags=0, unsigned SubReg=0) const
Add a new virtual register operand.
Definition: MachineInstrBuilder.h:97
llvm::MachineInstrBuilder::addMBB
const MachineInstrBuilder & addMBB(MachineBasicBlock *MBB, unsigned TargetFlags=0) const
Definition: MachineInstrBuilder.h:146
llvm::MachineInstr::setPreInstrSymbol
void setPreInstrSymbol(MachineFunction &MF, MCSymbol *Symbol)
Set a symbol that will be emitted just prior to the instruction itself.
Definition: MachineInstr.cpp:457
llvm::MachineModuleInfo
This class contains meta information specific to a module.
Definition: MachineModuleInfo.h:74
llvm::MachineModuleInfo::getTarget
const LLVMTargetMachine & getTarget() const
Definition: MachineModuleInfo.h:137
llvm::Module
A Module instance is used to store all the information related to an LLVM module.
Definition: Module.h:65
llvm::Pass::getPassName
virtual StringRef getPassName() const
getPassName - Return a nice clean name for a pass.
Definition: Pass.cpp:81
llvm::Register
Wrapper class representing virtual and physical registers.
Definition: Register.h:19
llvm::StringRef
StringRef - Represent a constant reference to a string, i.e.
Definition: StringRef.h:50
llvm::TargetInstrInfo
TargetInstrInfo - Interface to description of machine instruction set.
Definition: TargetInstrInfo.h:99
llvm::TargetMachine::getTargetTriple
const Triple & getTargetTriple() const
Definition: TargetMachine.h:127
llvm::ThunkInserter::createThunkFunction
void createThunkFunction(MachineModuleInfo &MMI, StringRef Name, bool Comdat=true, StringRef TargetAttrs="")
Definition: IndirectThunks.h:48
llvm::Triple::getArch
ArchType getArch() const
Get the parsed architecture type of this triple.
Definition: Triple.h:356
llvm_unreachable
#define llvm_unreachable(msg)
Marks that the current location is not supposed to be reachable.
Definition: ErrorHandling.h:143
llvm::CallingConv::ID
unsigned ID
LLVM IR allows to use arbitrary numbers as calling convention identifiers.
Definition: CallingConv.h:24
llvm
This is an optimization pass for GlobalISel generic memory operations.
Definition: AddressRanges.h:18
llvm::BuildMI
MachineInstrBuilder BuildMI(MachineFunction &MF, const MIMetadata &MIMD, const MCInstrDesc &MCID)
Builder interface. Specify how to create the initial instruction itself.
Definition: MachineInstrBuilder.h:357
llvm::addRegOffset
static const MachineInstrBuilder & addRegOffset(const MachineInstrBuilder &MIB, unsigned Reg, bool isKill, int Offset)
addRegOffset - This function is used to add a memory reference of the form [Reg + Offset],...
Definition: X86InstrBuilder.h:157
llvm::dbgs
raw_ostream & dbgs()
dbgs() - This returns a reference to a raw_ostream for debugging messages.
Definition: Debug.cpp:163
llvm::createX86IndirectThunksPass
FunctionPass * createX86IndirectThunksPass()
This pass creates the thunks for the retpoline feature.
Definition: X86IndirectThunks.cpp:262
raw_ostream.h
llvm::Align
This struct is a compact representation of a valid (non-zero power of two) alignment.
Definition: Alignment.h:39
Generated on Sun Mar 26 2023 14:24:02 for LLVM by doxygen 1.9.6