doxygen/X86LoadValueInjectionRetHardening_8cpp_source.html

//===-- X86LoadValueInjectionRetHardening.cpp - LVI RET hardening for x86 --==//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//

///

/// Description: Replaces every `ret` instruction with the sequence:

/// ```

/// pop <scratch-reg>

/// lfence

/// jmp *<scratch-reg>

/// ```

/// where `<scratch-reg>` is some available scratch register, according to the

/// calling convention of the function being mitigated.

///

//===----------------------------------------------------------------------===//


#include "X86.h"

#include "X86InstrBuilder.h"

#include "X86Subtarget.h"

#include "llvm/ADT/Statistic.h"

#include "llvm/CodeGen/MachineBasicBlock.h"

#include "llvm/CodeGen/MachineFunction.h"

#include "llvm/CodeGen/MachineFunctionPass.h"

#include "llvm/CodeGen/MachineInstrBuilder.h"

#include "llvm/IR/Function.h"

#include "llvm/Support/Debug.h"


using namespace llvm;


#define PASS_KEY "x86-lvi-ret"

#define DEBUG_TYPE PASS_KEY


STATISTIC(NumFences, "Number of LFENCEs inserted for LVI mitigation");

STATISTIC(NumFunctionsConsidered, "Number of functions analyzed");

STATISTIC(NumFunctionsMitigated, "Number of functions for which mitigations "

                                 "were deployed");


namespace {


class X86LoadValueInjectionRetHardeningPass : public MachineFunctionPass {

public:

  X86LoadValueInjectionRetHardeningPass() : MachineFunctionPass(ID) {}

  StringRef getPassName() const override {

    return "X86 Load Value Injection (LVI) Ret-Hardening";

  }

  bool runOnMachineFunction(MachineFunction &MF) override;


  static char ID;

};


} // end anonymous namespace


char X86LoadValueInjectionRetHardeningPass::ID = 0;


bool X86LoadValueInjectionRetHardeningPass::runOnMachineFunction(

    MachineFunction &MF) {

  LLVM_DEBUG(dbgs() << "***** " << getPassName() << " : " << MF.getName()

                    << " *****\n");

  const X86Subtarget *Subtarget = &MF.getSubtarget<X86Subtarget>();

  if (!Subtarget->useLVIControlFlowIntegrity() || !Subtarget->is64Bit())

    return false; // FIXME: support 32-bit


  // Don't skip functions with the "optnone" attr but participate in opt-bisect.

  const Function &F = MF.getFunction();

  if (!F.hasOptNone() && skipFunction(F))

    return false;


  ++NumFunctionsConsidered;

  const X86RegisterInfo *TRI = Subtarget->getRegisterInfo();

  const X86InstrInfo *TII = Subtarget->getInstrInfo();


  bool Modified = false;

  for (auto &MBB : MF) {

    for (auto MBBI = MBB.begin(); MBBI != MBB.end(); ++MBBI) {

      if (MBBI->getOpcode() != X86::RET64)

        continue;


      unsigned ClobberReg = TRI->findDeadCallerSavedReg(MBB, MBBI);

      if (ClobberReg != X86::NoRegister) {

        BuildMI(MBB, MBBI, DebugLoc(), TII->get(X86::POP64r))

            .addReg(ClobberReg, RegState::Define)

            .setMIFlag(MachineInstr::FrameDestroy);

        BuildMI(MBB, MBBI, DebugLoc(), TII->get(X86::LFENCE));

        BuildMI(MBB, MBBI, DebugLoc(), TII->get(X86::JMP64r))

            .addReg(ClobberReg);

        MBB.erase(MBBI);

      } else {

        // In case there is no available scratch register, we can still read

        // from RSP to assert that RSP points to a valid page. The write to RSP

        // is also helpful because it verifies that the stack's write

        // permissions are intact.

        MachineInstr *Fence =

            BuildMI(MBB, MBBI, DebugLoc(), TII->get(X86::LFENCE));

        addRegOffset(BuildMI(MBB, Fence, DebugLoc(), TII->get(X86::SHL64mi)),

                     X86::RSP, false, 0)

            .addImm(0)

            ->addRegisterDead(X86::EFLAGS, TRI);

      }


      ++NumFences;

      Modified = true;

      break;

    }

  }


  if (Modified)

    ++NumFunctionsMitigated;

  return Modified;

}


INITIALIZE_PASS(X86LoadValueInjectionRetHardeningPass, PASS_KEY,

                "X86 LVI ret hardener", false, false)


FunctionPass *llvm::createX86LoadValueInjectionRetHardeningPass() {

  return new X86LoadValueInjectionRetHardeningPass();

}

MBB
MachineBasicBlock & MBB
Definition: AArch64SLSHardening.cpp:72

MBBI
MachineBasicBlock MachineBasicBlock::iterator MBBI
Definition: AArch64SLSHardening.cpp:73

Debug.h

LLVM_DEBUG
#define LLVM_DEBUG(X)
Definition: Debug.h:101

Function.h

TII
const HexagonInstrInfo * TII
Definition: HexagonCopyToCombine.cpp:125

LoopDeletionResult::Modified
@ Modified

F
#define F(x, y, z)
Definition: MD5.cpp:55

MachineBasicBlock.h

MachineFunctionPass.h

MachineFunction.h

MachineInstrBuilder.h

TRI
unsigned const TargetRegisterInfo * TRI
Definition: MachineSink.cpp:1875

INITIALIZE_PASS
#define INITIALIZE_PASS(passName, arg, name, cfg, analysis)
Definition: PassSupport.h:38

Statistic.h
This file defines the 'Statistic' class, which is designed to be an easy way to expose various metric...

STATISTIC
#define STATISTIC(VARNAME, DESC)
Definition: Statistic.h:167

X86InstrBuilder.h

PASS_KEY
#define PASS_KEY
Definition: X86LoadValueInjectionRetHardening.cpp:33

X86Subtarget.h

X86.h

llvm::DebugLoc
A debug info location.
Definition: DebugLoc.h:33

llvm::FunctionPass
FunctionPass class - This class is used to implement most global optimizations.
Definition: Pass.h:311

llvm::Function
Definition: Function.h:62

llvm::MachineBasicBlock::begin
iterator begin()
Definition: MachineBasicBlock.h:329

llvm::MachineBasicBlock::end
iterator end()
Definition: MachineBasicBlock.h:331

llvm::MachineBasicBlock::erase
instr_iterator erase(instr_iterator I)
Remove an instruction from the instruction list and delete it.
Definition: MachineBasicBlock.cpp:1426

llvm::MachineFunctionPass
MachineFunctionPass - This class adapts the FunctionPass interface to allow convenient creation of pa...
Definition: MachineFunctionPass.h:30

llvm::MachineFunctionPass::runOnMachineFunction
virtual bool runOnMachineFunction(MachineFunction &MF)=0
runOnMachineFunction - This method must be overloaded to perform the desired machine code transformat...

llvm::MachineFunction
Definition: MachineFunction.h:259

llvm::MachineFunction::getSubtarget
const TargetSubtargetInfo & getSubtarget() const
getSubtarget - Return the subtarget for which this machine code is being compiled.
Definition: MachineFunction.h:718

llvm::MachineFunction::getName
StringRef getName() const
getName - Return the name of the corresponding LLVM function.
Definition: MachineFunction.cpp:609

llvm::MachineFunction::getFunction
Function & getFunction()
Return the LLVM function that this machine code represents.
Definition: MachineFunction.h:684

llvm::MachineInstrBuilder::setMIFlag
const MachineInstrBuilder & setMIFlag(MachineInstr::MIFlag Flag) const
Definition: MachineInstrBuilder.h:279

llvm::MachineInstrBuilder::addImm
const MachineInstrBuilder & addImm(int64_t Val) const
Add a new immediate operand.
Definition: MachineInstrBuilder.h:132

llvm::MachineInstrBuilder::addReg
const MachineInstrBuilder & addReg(Register RegNo, unsigned flags=0, unsigned SubReg=0) const
Add a new virtual register operand.
Definition: MachineInstrBuilder.h:98

llvm::MachineInstr
Representation of each machine instruction.
Definition: MachineInstr.h:69

llvm::MachineInstr::FrameDestroy
@ FrameDestroy
Definition: MachineInstr.h:87

llvm::MachineInstr::addRegisterDead
bool addRegisterDead(Register Reg, const TargetRegisterInfo *RegInfo, bool AddIfNotFound=false)
We have determined MI defined a register without a use.
Definition: MachineInstr.cpp:2043

llvm::Pass::getPassName
virtual StringRef getPassName() const
getPassName - Return a nice clean name for a pass.
Definition: Pass.cpp:81

llvm::StringRef
StringRef - Represent a constant reference to a string, i.e.
Definition: StringRef.h:50

llvm::X86InstrInfo
Definition: X86InstrInfo.h:165

llvm::X86RegisterInfo
Definition: X86RegisterInfo.h:24

llvm::X86Subtarget
Definition: X86Subtarget.h:53

llvm::X86Subtarget::getInstrInfo
const X86InstrInfo * getInstrInfo() const override
Definition: X86Subtarget.h:129

llvm::X86Subtarget::getRegisterInfo
const X86RegisterInfo * getRegisterInfo() const override
Definition: X86Subtarget.h:139

unsigned

llvm::CallingConv::ID
unsigned ID
LLVM IR allows to use arbitrary numbers as calling convention identifiers.
Definition: CallingConv.h:24

llvm::RegState::Define
@ Define
Register definition.
Definition: MachineInstrBuilder.h:45

llvm
This is an optimization pass for GlobalISel generic memory operations.
Definition: AddressRanges.h:18

llvm::BuildMI
MachineInstrBuilder BuildMI(MachineFunction &MF, const MIMetadata &MIMD, const MCInstrDesc &MCID)
Builder interface. Specify how to create the initial instruction itself.
Definition: MachineInstrBuilder.h:363

llvm::createX86LoadValueInjectionRetHardeningPass
FunctionPass * createX86LoadValueInjectionRetHardeningPass()

llvm::addRegOffset
static const MachineInstrBuilder & addRegOffset(const MachineInstrBuilder &MIB, unsigned Reg, bool isKill, int Offset)
addRegOffset - This function is used to add a memory reference of the form [Reg + Offset],...
Definition: X86InstrBuilder.h:157

llvm::dbgs
raw_ostream & dbgs()
dbgs() - This returns a reference to a raw_ostream for debugging messages.
Definition: Debug.cpp:163