diff options
author | Scott Constable <scott.d.constable@intel.com> | 2020-04-03 12:12:51 -0700 |
---|---|---|
committer | Tom Stellard <tstellar@redhat.com> | 2020-06-24 09:31:04 -0700 |
commit | e3ba468fc3c123880cfd03dfbc9d1ed61d5904c6 (patch) | |
tree | f6c12a064fd12233966a2d7968f736db35379d14 | |
parent | 6a4589599d74cae8c4ac7b0ff7ae14aeeb2f988b (diff) | |
download | llvm-e3ba468fc3c123880cfd03dfbc9d1ed61d5904c6.tar.gz |
[X86] Add a Pass that builds a Condensed CFG for Load Value Injection (LVI) Gadgets
Adds a new data structure, ImmutableGraph, and uses RDF to find LVI gadgets and add them to a MachineGadgetGraph.
More specifically, a new X86 machine pass finds Load Value Injection (LVI) gadgets consisting of a load from memory (i.e., SOURCE), and any operation that may transmit the value loaded from memory over a covert channel, or use the value loaded from memory to determine a branch/call target (i.e., SINK).
Also adds a new target feature to X86: +lvi-load-hardening
The feature can be added via the clang CLI using -mlvi-hardening.
Differential Revision: https://reviews.llvm.org/D75936
-rw-r--r-- | clang/include/clang/Driver/Options.td | 4 | ||||
-rw-r--r-- | clang/lib/Driver/ToolChains/Arch/X86.cpp | 8 | ||||
-rw-r--r-- | clang/test/Driver/x86-target-features.c | 5 | ||||
-rw-r--r-- | llvm/lib/Target/X86/CMakeLists.txt | 1 | ||||
-rw-r--r-- | llvm/lib/Target/X86/ImmutableGraph.h | 432 | ||||
-rw-r--r-- | llvm/lib/Target/X86/X86.h | 2 | ||||
-rw-r--r-- | llvm/lib/Target/X86/X86.td | 7 | ||||
-rw-r--r-- | llvm/lib/Target/X86/X86LoadValueInjectionLoadHardening.cpp | 586 | ||||
-rw-r--r-- | llvm/lib/Target/X86/X86Subtarget.h | 5 | ||||
-rw-r--r-- | llvm/lib/Target/X86/X86TargetMachine.cpp | 2 | ||||
-rw-r--r-- | llvm/test/CodeGen/X86/O0-pipeline.ll | 4 | ||||
-rw-r--r-- | llvm/test/CodeGen/X86/O3-pipeline.ll | 4 | ||||
-rw-r--r-- | llvm/test/CodeGen/X86/lvi-hardening-gadget-graph.ll | 129 |
13 files changed, 1187 insertions, 2 deletions
diff --git a/clang/include/clang/Driver/Options.td b/clang/include/clang/Driver/Options.td index f57effa2c40e..391c895a453b 100644 --- a/clang/include/clang/Driver/Options.td +++ b/clang/include/clang/Driver/Options.td @@ -2267,6 +2267,10 @@ def mspeculative_load_hardening : Flag<["-"], "mspeculative-load-hardening">, Group<m_Group>, Flags<[CoreOption,CC1Option]>; def mno_speculative_load_hardening : Flag<["-"], "mno-speculative-load-hardening">, Group<m_Group>, Flags<[CoreOption]>; +def mlvi_hardening : Flag<["-"], "mlvi-hardening">, Group<m_Group>, Flags<[CoreOption,DriverOption]>, + HelpText<"Enable all mitigations for Load Value Injection (LVI)">; +def mno_lvi_hardening : Flag<["-"], "mno-lvi-hardening">, Group<m_Group>, Flags<[CoreOption,DriverOption]>, + HelpText<"Disable mitigations for Load Value Injection (LVI)">; def mlvi_cfi : Flag<["-"], "mlvi-cfi">, Group<m_Group>, Flags<[CoreOption,DriverOption]>, HelpText<"Enable only control-flow mitigations for Load Value Injection (LVI)">; def mno_lvi_cfi : Flag<["-"], "mno-lvi-cfi">, Group<m_Group>, Flags<[CoreOption,DriverOption]>, diff --git a/clang/lib/Driver/ToolChains/Arch/X86.cpp b/clang/lib/Driver/ToolChains/Arch/X86.cpp index 477e04485bf1..d170b7ac3a77 100644 --- a/clang/lib/Driver/ToolChains/Arch/X86.cpp +++ b/clang/lib/Driver/ToolChains/Arch/X86.cpp @@ -173,7 +173,13 @@ void x86::getX86TargetFeatures(const Driver &D, const llvm::Triple &Triple, } auto LVIOpt = clang::driver::options::ID::OPT_INVALID; - if (Args.hasFlag(options::OPT_mlvi_cfi, options::OPT_mno_lvi_cfi, false)) { + if (Args.hasFlag(options::OPT_mlvi_hardening, options::OPT_mno_lvi_hardening, + false)) { + Features.push_back("+lvi-load-hardening"); + Features.push_back("+lvi-cfi"); // load hardening implies CFI protection + LVIOpt = options::OPT_mlvi_hardening; + } else if (Args.hasFlag(options::OPT_mlvi_cfi, options::OPT_mno_lvi_cfi, + false)) { Features.push_back("+lvi-cfi"); LVIOpt = options::OPT_mlvi_cfi; } diff --git a/clang/test/Driver/x86-target-features.c b/clang/test/Driver/x86-target-features.c index 5c1668048f15..97e205013287 100644 --- a/clang/test/Driver/x86-target-features.c +++ b/clang/test/Driver/x86-target-features.c @@ -159,6 +159,11 @@ // LVICFI: "-target-feature" "+lvi-cfi" // NO-LVICFI-NOT: lvi-cfi +// RUN: %clang -target i386-linux-gnu -mlvi-hardening %s -### -o %t.o 2>&1 | FileCheck -check-prefix=LVIHARDENING %s +// RUN: %clang -target i386-linux-gnu -mno-lvi-hardening %s -### -o %t.o 2>&1 | FileCheck -check-prefix=NO-LVIHARDENING %s +// LVIHARDENING: "-target-feature" "+lvi-load-hardening" "-target-feature" "+lvi-cfi" +// NO-LVIHARDENING-NOT: lvi + // RUN: %clang -target i386-linux-gnu -mwaitpkg %s -### -o %t.o 2>&1 | FileCheck -check-prefix=WAITPKG %s // RUN: %clang -target i386-linux-gnu -mno-waitpkg %s -### -o %t.o 2>&1 | FileCheck -check-prefix=NO-WAITPKG %s // WAITPKG: "-target-feature" "+waitpkg" diff --git a/llvm/lib/Target/X86/CMakeLists.txt b/llvm/lib/Target/X86/CMakeLists.txt index 6b60aaf6d855..524e043c7df8 100644 --- a/llvm/lib/Target/X86/CMakeLists.txt +++ b/llvm/lib/Target/X86/CMakeLists.txt @@ -52,6 +52,7 @@ set(sources X86InstrInfo.cpp X86EvexToVex.cpp X86LegalizerInfo.cpp + X86LoadValueInjectionLoadHardening.cpp X86LoadValueInjectionRetHardening.cpp X86MCInstLower.cpp X86MachineFunctionInfo.cpp diff --git a/llvm/lib/Target/X86/ImmutableGraph.h b/llvm/lib/Target/X86/ImmutableGraph.h new file mode 100644 index 000000000000..80c9cf489ded --- /dev/null +++ b/llvm/lib/Target/X86/ImmutableGraph.h @@ -0,0 +1,432 @@ +//==========-- ImmutableGraph.h - A fast DAG implementation ---------=========// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// +/// +/// Description: ImmutableGraph is a fast DAG implementation that cannot be +/// modified, except by creating a new ImmutableGraph. ImmutableGraph is +/// implemented as two arrays: one containing nodes, and one containing edges. +/// The advantages to this implementation are two-fold: +/// 1. Iteration and traversal operations should experience terrific caching +/// performance. +/// 2. Set representations and operations on nodes and edges become +/// extraordinarily efficient. For instance, a set of edges is implemented as +/// a bit vector, wherein each bit corresponds to one edge in the edge +/// array. This implies a lower bound of 64x spacial improvement over, e.g., +/// an llvm::DenseSet or llvm::SmallSet. It also means that +/// insert/erase/contains operations complete in negligible constant time: +/// insert and erase require one load and one store, and contains requires +/// just one load. +/// +//===----------------------------------------------------------------------===// + +#ifndef IMMUTABLEGRAPH_H +#define IMMUTABLEGRAPH_H + +#include "llvm/ADT/BitVector.h" +#include "llvm/ADT/GraphTraits.h" +#include "llvm/ADT/STLExtras.h" +#include "llvm/Support/raw_ostream.h" +#include <algorithm> +#include <iterator> +#include <utility> +#include <vector> + +namespace llvm { + +template <typename _NodeValueT, typename _EdgeValueT, typename _SizeT = int> +class ImmutableGraph { + using Traits = GraphTraits<ImmutableGraph<_NodeValueT, _EdgeValueT> *>; + template <typename> friend class ImmutableGraphBuilder; + +public: + using NodeValueT = _NodeValueT; + using EdgeValueT = _EdgeValueT; + using size_type = _SizeT; + class Node; + class Edge { + friend class ImmutableGraph; + template <typename> friend class ImmutableGraphBuilder; + friend Traits; + + Node *__dest; + EdgeValueT __value; + + public: + EdgeValueT &value() { return __value; } + }; + class Node { + friend class ImmutableGraph; + template <typename> friend class ImmutableGraphBuilder; + friend Traits; + + Edge *__edges; + NodeValueT __value; + + public: + NodeValueT &value() { return __value; } + }; + +protected: + ImmutableGraph(Node *Nodes, size_type NodesSize, Edge *Edges, + size_type EdgesSize) + : __nodes{Nodes}, __nodes_size{NodesSize}, __edges{Edges}, + __edges_size{EdgesSize} {} + ImmutableGraph(const ImmutableGraph &) = delete; + ImmutableGraph(ImmutableGraph &&) = delete; + ImmutableGraph &operator=(const ImmutableGraph &) = delete; + ImmutableGraph &operator=(ImmutableGraph &&) = delete; + +public: + ~ImmutableGraph() { + delete[] __edges; + delete[] __nodes; + } + + Node *nodes_begin() const { return __nodes; } + Node *nodes_end() const { return __nodes + __nodes_size; } + Edge *edges_begin() const { return __edges; } + Edge *edges_end() const { return __edges + __edges_size; } + size_type nodes_size() const { return __nodes_size; } + size_type edges_size() const { return __edges_size; } + bool empty() const { return __nodes_size == 0; } + + class NodeSet { + friend class iterator; + + const ImmutableGraph &__g; + BitVector __v; + + public: + NodeSet(const ImmutableGraph &G, bool ContainsAll = false) + : __g{G}, __v{static_cast<unsigned>(__g.nodes_size()), ContainsAll} {} + bool insert(Node *N) { + size_type Idx = std::distance(__g.nodes_begin(), N); + bool AlreadyExists = __v.test(Idx); + __v.set(Idx); + return !AlreadyExists; + } + void erase(Node *N) { + size_type Idx = std::distance(__g.nodes_begin(), N); + __v.reset(Idx); + } + bool contains(Node *N) const { + size_type Idx = std::distance(__g.nodes_begin(), N); + return __v.test(Idx); + } + void clear() { __v.reset(); } + size_type empty() const { return __v.none(); } + /// Return the number of elements in the set + size_type count() const { return __v.count(); } + /// Return the size of the set's domain + size_type size() const { return __v.size(); } + /// Set union + NodeSet &operator|=(const NodeSet &RHS) { + assert(&this->__g == &RHS.__g); + __v |= RHS.__v; + return *this; + } + /// Set intersection + NodeSet &operator&=(const NodeSet &RHS) { + assert(&this->__g == &RHS.__g); + __v &= RHS.__v; + return *this; + } + /// Set disjoint union + NodeSet &operator^=(const NodeSet &RHS) { + assert(&this->__g == &RHS.__g); + __v ^= RHS.__v; + return *this; + } + + using index_iterator = typename BitVector::const_set_bits_iterator; + index_iterator index_begin() const { return __v.set_bits_begin(); } + index_iterator index_end() const { return __v.set_bits_end(); } + void set(size_type Idx) { __v.set(Idx); } + void reset(size_type Idx) { __v.reset(Idx); } + + class iterator { + const NodeSet &__set; + size_type __current; + + void advance() { + assert(__current != -1); + __current = __set.__v.find_next(__current); + } + + public: + iterator(const NodeSet &Set, size_type Begin) + : __set{Set}, __current{Begin} {} + iterator operator++(int) { + iterator Tmp = *this; + advance(); + return Tmp; + } + iterator &operator++() { + advance(); + return *this; + } + Node *operator*() const { + assert(__current != -1); + return __set.__g.nodes_begin() + __current; + } + bool operator==(const iterator &other) const { + assert(&this->__set == &other.__set); + return this->__current == other.__current; + } + bool operator!=(const iterator &other) const { return !(*this == other); } + }; + + iterator begin() const { return iterator{*this, __v.find_first()}; } + iterator end() const { return iterator{*this, -1}; } + }; + + class EdgeSet { + const ImmutableGraph &__g; + BitVector __v; + + public: + EdgeSet(const ImmutableGraph &G, bool ContainsAll = false) + : __g{G}, __v{static_cast<unsigned>(__g.edges_size()), ContainsAll} {} + bool insert(Edge *E) { + size_type Idx = std::distance(__g.edges_begin(), E); + bool AlreadyExists = __v.test(Idx); + __v.set(Idx); + return !AlreadyExists; + } + void erase(Edge *E) { + size_type Idx = std::distance(__g.edges_begin(), E); + __v.reset(Idx); + } + bool contains(Edge *E) const { + size_type Idx = std::distance(__g.edges_begin(), E); + return __v.test(Idx); + } + void clear() { __v.reset(); } + bool empty() const { return __v.none(); } + /// Return the number of elements in the set + size_type count() const { return __v.count(); } + /// Return the size of the set's domain + size_type size() const { return __v.size(); } + /// Set union + EdgeSet &operator|=(const EdgeSet &RHS) { + assert(&this->__g == &RHS.__g); + __v |= RHS.__v; + return *this; + } + /// Set intersection + EdgeSet &operator&=(const EdgeSet &RHS) { + assert(&this->__g == &RHS.__g); + __v &= RHS.__v; + return *this; + } + /// Set disjoint union + EdgeSet &operator^=(const EdgeSet &RHS) { + assert(&this->__g == &RHS.__g); + __v ^= RHS.__v; + return *this; + } + + using index_iterator = typename BitVector::const_set_bits_iterator; + index_iterator index_begin() const { return __v.set_bits_begin(); } + index_iterator index_end() const { return __v.set_bits_end(); } + void set(size_type Idx) { __v.set(Idx); } + void reset(size_type Idx) { __v.reset(Idx); } + + class iterator { + const EdgeSet &__set; + size_type __current; + + void advance() { + assert(__current != -1); + __current = __set.__v.find_next(__current); + } + + public: + iterator(const EdgeSet &Set, size_type Begin) + : __set{Set}, __current{Begin} {} + iterator operator++(int) { + iterator Tmp = *this; + advance(); + return Tmp; + } + iterator &operator++() { + advance(); + return *this; + } + Edge *operator*() const { + assert(__current != -1); + return __set.__g.edges_begin() + __current; + } + bool operator==(const iterator &other) const { + assert(&this->__set == &other.__set); + return this->__current == other.__current; + } + bool operator!=(const iterator &other) const { return !(*this == other); } + }; + + iterator begin() const { return iterator{*this, __v.find_first()}; } + iterator end() const { return iterator{*this, -1}; } + }; + +private: + Node *__nodes; + size_type __nodes_size; + Edge *__edges; + size_type __edges_size; +}; + +template <typename GraphT> class ImmutableGraphBuilder { + using NodeValueT = typename GraphT::NodeValueT; + using EdgeValueT = typename GraphT::EdgeValueT; + static_assert( + std::is_base_of<ImmutableGraph<NodeValueT, EdgeValueT>, GraphT>::value, + "Template argument to ImmutableGraphBuilder must derive from " + "ImmutableGraph<>"); + using size_type = typename GraphT::size_type; + using NodeSet = typename GraphT::NodeSet; + using Node = typename GraphT::Node; + using EdgeSet = typename GraphT::EdgeSet; + using Edge = typename GraphT::Edge; + using BuilderEdge = std::pair<EdgeValueT, size_type>; + using EdgeList = std::vector<BuilderEdge>; + using BuilderVertex = std::pair<NodeValueT, EdgeList>; + using VertexVec = std::vector<BuilderVertex>; + +public: + using NodeRef = size_type; + + NodeRef addVertex(const NodeValueT &V) { + auto I = __adj_list.emplace(__adj_list.end(), V, EdgeList{}); + return std::distance(__adj_list.begin(), I); + } + + void addEdge(const EdgeValueT &E, NodeRef From, NodeRef To) { + __adj_list[From].second.emplace_back(E, To); + } + + bool empty() const { return __adj_list.empty(); } + + template <typename... ArgT> GraphT *get(ArgT &&... Args) { + size_type VertexSize = __adj_list.size(), EdgeSize = 0; + for (const auto &V : __adj_list) { + EdgeSize += V.second.size(); + } + auto *VertexArray = new Node[VertexSize + 1 /* terminator node */]; + auto *EdgeArray = new Edge[EdgeSize]; + size_type VI = 0, EI = 0; + for (; VI < static_cast<size_type>(__adj_list.size()); ++VI) { + VertexArray[VI].__value = std::move(__adj_list[VI].first); + VertexArray[VI].__edges = &EdgeArray[EI]; + auto NumEdges = static_cast<size_type>(__adj_list[VI].second.size()); + if (NumEdges > 0) { + for (size_type VEI = 0; VEI < NumEdges; ++VEI, ++EI) { + auto &E = __adj_list[VI].second[VEI]; + EdgeArray[EI].__value = std::move(E.first); + EdgeArray[EI].__dest = VertexArray + E.second; + } + } + } + assert(VI == VertexSize && EI == EdgeSize && "Gadget graph malformed"); + VertexArray[VI].__edges = EdgeArray + EdgeSize; // terminator node + return new GraphT{VertexArray, VertexSize, EdgeArray, EdgeSize, + std::forward<ArgT>(Args)...}; + } + + template <typename... ArgT> + static GraphT *trim(const GraphT &G, const NodeSet &TrimNodes, + const EdgeSet &TrimEdges, ArgT &&... Args) { + size_type NewVertexSize = TrimNodes.size() - TrimNodes.count(); + size_type NewEdgeSize = TrimEdges.size() - TrimEdges.count(); + auto *NewVertexArray = new Node[NewVertexSize + 1 /* terminator node */]; + auto *NewEdgeArray = new Edge[NewEdgeSize]; + size_type TrimmedNodesSoFar = 0, + *TrimmedNodes = new size_type[TrimNodes.size()]; + for (size_type I = 0; I < TrimNodes.size(); ++I) { + TrimmedNodes[I] = TrimmedNodesSoFar; + if (TrimNodes.contains(G.nodes_begin() + I)) + ++TrimmedNodesSoFar; + } + size_type VertexI = 0, EdgeI = 0; + for (Node *NI = G.nodes_begin(), *NE = G.nodes_end(); NI != NE; ++NI) { + if (TrimNodes.contains(NI)) + continue; + size_type NewNumEdges = + static_cast<int>((NI + 1)->__edges - NI->__edges) > 0 + ? std::count_if( + NI->__edges, (NI + 1)->__edges, + [&TrimEdges](Edge &E) { return !TrimEdges.contains(&E); }) + : 0; + NewVertexArray[VertexI].__value = NI->__value; + NewVertexArray[VertexI].__edges = &NewEdgeArray[EdgeI]; + if (NewNumEdges > 0) { + for (Edge *EI = NI->__edges, *EE = (NI + 1)->__edges; EI != EE; ++EI) { + if (TrimEdges.contains(EI)) + continue; + NewEdgeArray[EdgeI].__value = EI->__value; + size_type DestIdx = std::distance(G.nodes_begin(), EI->__dest); + size_type NewIdx = DestIdx - TrimmedNodes[DestIdx]; + assert(NewIdx < NewVertexSize); + NewEdgeArray[EdgeI].__dest = NewVertexArray + NewIdx; + ++EdgeI; + } + } + ++VertexI; + } + delete[] TrimmedNodes; + assert(VertexI == NewVertexSize && EdgeI == NewEdgeSize && + "Gadget graph malformed"); + NewVertexArray[VertexI].__edges = NewEdgeArray + NewEdgeSize; + return new GraphT{NewVertexArray, NewVertexSize, NewEdgeArray, NewEdgeSize, + std::forward<ArgT>(Args)...}; + } + +private: + VertexVec __adj_list; +}; + +template <typename NodeValueT, typename EdgeValueT> +struct GraphTraits<ImmutableGraph<NodeValueT, EdgeValueT> *> { + using GraphT = ImmutableGraph<NodeValueT, EdgeValueT>; + using NodeRef = typename GraphT::Node *; + using EdgeRef = typename GraphT::Edge &; + + static NodeRef edge_dest(EdgeRef E) { return E.__dest; } + using ChildIteratorType = + mapped_iterator<typename GraphT::Edge *, decltype(&edge_dest)>; + + static NodeRef getEntryNode(GraphT *G) { return G->nodes_begin(); } + static ChildIteratorType child_begin(NodeRef N) { + return {N->__edges, &edge_dest}; + } + static ChildIteratorType child_end(NodeRef N) { + return {(N + 1)->__edges, &edge_dest}; + } + + static NodeRef getNode(typename GraphT::Node &N) { return NodeRef{&N}; } + using nodes_iterator = + mapped_iterator<typename GraphT::Node *, decltype(&getNode)>; + static nodes_iterator nodes_begin(GraphT *G) { + return {G->nodes_begin(), &getNode}; + } + static nodes_iterator nodes_end(GraphT *G) { + return {G->nodes_end(), &getNode}; + } + + using ChildEdgeIteratorType = typename GraphT::Edge *; + + static ChildEdgeIteratorType child_edge_begin(NodeRef N) { + return N->__edges; + } + static ChildEdgeIteratorType child_edge_end(NodeRef N) { + return (N + 1)->__edges; + } + static typename GraphT::size_type size(GraphT *G) { return G->nodes_size(); } +}; + +} // end namespace llvm + +#endif // IMMUTABLEGRAPH_H diff --git a/llvm/lib/Target/X86/X86.h b/llvm/lib/Target/X86/X86.h index 06b8ae8754aa..39b2f814defa 100644 --- a/llvm/lib/Target/X86/X86.h +++ b/llvm/lib/Target/X86/X86.h @@ -133,6 +133,7 @@ InstructionSelector *createX86InstructionSelector(const X86TargetMachine &TM, X86Subtarget &, X86RegisterBankInfo &); +FunctionPass *createX86LoadValueInjectionLoadHardeningPass(); FunctionPass *createX86LoadValueInjectionRetHardeningPass(); FunctionPass *createX86SpeculativeLoadHardeningPass(); @@ -149,6 +150,7 @@ void initializeX86DomainReassignmentPass(PassRegistry &); void initializeX86ExecutionDomainFixPass(PassRegistry &); void initializeX86ExpandPseudoPass(PassRegistry &); void initializeX86FlagsCopyLoweringPassPass(PassRegistry &); +void initializeX86LoadValueInjectionLoadHardeningPassPass(PassRegistry &); void initializeX86LoadValueInjectionRetHardeningPassPass(PassRegistry &); void initializeX86OptimizeLEAPassPass(PassRegistry &); void initializeX86SpeculativeLoadHardeningPassPass(PassRegistry &); diff --git a/llvm/lib/Target/X86/X86.td b/llvm/lib/Target/X86/X86.td index edc474825760..bb8952f54e3a 100644 --- a/llvm/lib/Target/X86/X86.td +++ b/llvm/lib/Target/X86/X86.td @@ -435,6 +435,13 @@ def FeatureLVIControlFlowIntegrity "LFENCE instruction to serialize control flow. Also decompose RET " "instructions into a POP+LFENCE+JMP sequence.">; +// Mitigate LVI attacks against data loads +def FeatureLVILoadHardening + : SubtargetFeature< + "lvi-load-hardening", "UseLVILoadHardening", "true", + "Insert LFENCE instructions to prevent data speculatively injected " + "into loads from being used maliciously.">; + // Direct Move instructions. def FeatureMOVDIRI : SubtargetFeature<"movdiri", "HasMOVDIRI", "true", "Support movdiri instruction">; diff --git a/llvm/lib/Target/X86/X86LoadValueInjectionLoadHardening.cpp b/llvm/lib/Target/X86/X86LoadValueInjectionLoadHardening.cpp new file mode 100644 index 000000000000..7c027e5fca67 --- /dev/null +++ b/llvm/lib/Target/X86/X86LoadValueInjectionLoadHardening.cpp @@ -0,0 +1,586 @@ +//==-- X86LoadValueInjectionLoadHardening.cpp - LVI load hardening for x86 --=// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// +/// +/// Description: This pass finds Load Value Injection (LVI) gadgets consisting +/// of a load from memory (i.e., SOURCE), and any operation that may transmit +/// the value loaded from memory over a covert channel, or use the value loaded +/// from memory to determine a branch/call target (i.e., SINK). +/// +//===----------------------------------------------------------------------===// + +#include "ImmutableGraph.h" +#include "X86.h" +#include "X86Subtarget.h" +#include "X86TargetMachine.h" +#include "llvm/ADT/DenseMap.h" +#include "llvm/ADT/DenseSet.h" +#include "llvm/ADT/SmallSet.h" +#include "llvm/ADT/Statistic.h" +#include "llvm/ADT/StringRef.h" +#include "llvm/CodeGen/MachineBasicBlock.h" +#include "llvm/CodeGen/MachineDominanceFrontier.h" +#include "llvm/CodeGen/MachineDominators.h" +#include "llvm/CodeGen/MachineFunction.h" +#include "llvm/CodeGen/MachineFunctionPass.h" +#include "llvm/CodeGen/MachineInstr.h" +#include "llvm/CodeGen/MachineInstrBuilder.h" +#include "llvm/CodeGen/MachineLoopInfo.h" +#include "llvm/CodeGen/MachineRegisterInfo.h" +#include "llvm/CodeGen/RDFGraph.h" +#include "llvm/CodeGen/RDFLiveness.h" +#include "llvm/InitializePasses.h" +#include "llvm/Support/CommandLine.h" +#include "llvm/Support/DOTGraphTraits.h" +#include "llvm/Support/Debug.h" +#include "llvm/Support/GraphWriter.h" +#include "llvm/Support/raw_ostream.h" + +using namespace llvm; + +#define PASS_KEY "x86-lvi-load" +#define DEBUG_TYPE PASS_KEY + +STATISTIC(NumFunctionsConsidered, "Number of functions analyzed"); +STATISTIC(NumFunctionsMitigated, "Number of functions for which mitigations " + "were deployed"); +STATISTIC(NumGadgets, "Number of LVI gadgets detected during analysis"); + +static cl::opt<bool> NoConditionalBranches( + PASS_KEY "-no-cbranch", + cl::desc("Don't treat conditional branches as disclosure gadgets. This " + "may improve performance, at the cost of security."), + cl::init(false), cl::Hidden); + +static cl::opt<bool> EmitDot( + PASS_KEY "-dot", + cl::desc( + "For each function, emit a dot graph depicting potential LVI gadgets"), + cl::init(false), cl::Hidden); + +static cl::opt<bool> EmitDotOnly( + PASS_KEY "-dot-only", + cl::desc("For each function, emit a dot graph depicting potential LVI " + "gadgets, and do not insert any fences"), + cl::init(false), cl::Hidden); + +static cl::opt<bool> EmitDotVerify( + PASS_KEY "-dot-verify", + cl::desc("For each function, emit a dot graph to stdout depicting " + "potential LVI gadgets, used for testing purposes only"), + cl::init(false), cl::Hidden); + +static cl::opt<bool> NoFixedLoads( + PASS_KEY "-no-fixed", + cl::desc("Don't mitigate RIP-relative or RSP-relative loads. This " + "may improve performance, at the cost of security."), + cl::init(false), cl::Hidden); + +#define ARG_NODE nullptr +#define GADGET_EDGE ((int)(-1)) +#define WEIGHT(EdgeValue) ((double)(2 * (EdgeValue) + 1)) + +namespace { + +class X86LoadValueInjectionLoadHardeningPass : public MachineFunctionPass { +public: + X86LoadValueInjectionLoadHardeningPass() : MachineFunctionPass(ID) {} + + StringRef getPassName() const override { + return "X86 Load Value Injection (LVI) Load Hardening"; + } + void getAnalysisUsage(AnalysisUsage &AU) const override; + bool runOnMachineFunction(MachineFunction &MF) override; + + static char ID; + +private: + struct MachineGadgetGraph : ImmutableGraph<MachineInstr *, int> { + using GraphT = ImmutableGraph<MachineInstr *, int>; + using Node = typename GraphT::Node; + using Edge = typename GraphT::Edge; + using size_type = typename GraphT::size_type; + MachineGadgetGraph(Node *Nodes, size_type NodesSize, Edge *Edges, + size_type EdgesSize, int NumFences = 0, + int NumGadgets = 0) + : GraphT{Nodes, NodesSize, Edges, EdgesSize}, NumFences{NumFences}, + NumGadgets{NumGadgets} {} + MachineFunction &getMF() { // FIXME: This function should be cleaner + for (Node *NI = nodes_begin(), *const NE = nodes_end(); NI != NE; ++NI) { + if (NI->value()) { + return *NI->value()->getMF(); + } + } + llvm_unreachable("Could not find a valid node"); + } + static inline bool isCFGEdge(Edge &E) { return E.value() != GADGET_EDGE; } + static inline bool isGadgetEdge(Edge &E) { + return E.value() == GADGET_EDGE; + } + int NumFences; + int NumGadgets; + }; + friend struct llvm::DOTGraphTraits<MachineGadgetGraph *>; + using GTraits = llvm::GraphTraits<MachineGadgetGraph *>; + using GraphBuilder = ImmutableGraphBuilder<MachineGadgetGraph>; + using EdgeSet = MachineGadgetGraph::EdgeSet; + using Gadget = std::pair<MachineInstr *, MachineInstr *>; + + const X86Subtarget *STI; + const TargetInstrInfo *TII; + const TargetRegisterInfo *TRI; + + int hardenLoads(MachineFunction &MF, bool Fixed) const; + std::unique_ptr<MachineGadgetGraph> + getGadgetGraph(MachineFunction &MF, const MachineLoopInfo &MLI, + const MachineDominatorTree &MDT, + const MachineDominanceFrontier &MDF, bool FixedLoads) const; + + bool instrUsesRegToAccessMemory(const MachineInstr &I, unsigned Reg) const; + bool instrUsesRegToBranch(const MachineInstr &I, unsigned Reg) const; + template <unsigned K> bool hasLoadFrom(const MachineInstr &MI) const; + bool instrAccessesStackSlot(const MachineInstr &MI) const; + bool instrAccessesConstantPool(const MachineInstr &MI) const; + bool instrAccessesGOT(const MachineInstr &MI) const; + inline bool instrIsFixedAccess(const MachineInstr &MI) const { + return instrAccessesConstantPool(MI) || instrAccessesStackSlot(MI) || + instrAccessesGOT(MI); + } + inline bool isFence(const MachineInstr *MI) const { + return MI && (MI->getOpcode() == X86::LFENCE || + (STI->useLVIControlFlowIntegrity() && MI->isCall())); + } +}; + +} // end anonymous namespace + +namespace llvm { + +template <> +struct GraphTraits<X86LoadValueInjectionLoadHardeningPass::MachineGadgetGraph *> + : GraphTraits<ImmutableGraph<MachineInstr *, int> *> {}; + +template <> +struct DOTGraphTraits< + X86LoadValueInjectionLoadHardeningPass::MachineGadgetGraph *> + : DefaultDOTGraphTraits { + using GraphType = X86LoadValueInjectionLoadHardeningPass::MachineGadgetGraph; + using Traits = X86LoadValueInjectionLoadHardeningPass::GTraits; + using NodeRef = typename Traits::NodeRef; + using EdgeRef = typename Traits::EdgeRef; + using ChildIteratorType = typename Traits::ChildIteratorType; + using ChildEdgeIteratorType = typename Traits::ChildEdgeIteratorType; + + DOTGraphTraits(bool isSimple = false) : DefaultDOTGraphTraits(isSimple) {} + + static std::string getGraphName(GraphType *G) { + std::string GraphName{"Speculative gadgets for \""}; + GraphName += G->getMF().getName(); + GraphName += "\" function"; + return GraphName; + } + + std::string getNodeLabel(NodeRef Node, GraphType *) { + std::string str; + raw_string_ostream str_stream{str}; + if (Node->value() == ARG_NODE) + return "ARGS"; + str_stream << *Node->value(); + return str_stream.str(); + } + + static std::string getNodeAttributes(NodeRef Node, GraphType *) { + MachineInstr *MI = Node->value(); + if (MI == ARG_NODE) + return "color = blue"; + else if (MI->getOpcode() == X86::LFENCE) + return "color = green"; + else + return ""; + } + + static std::string getEdgeAttributes(NodeRef, ChildIteratorType E, + GraphType *) { + int EdgeVal = (*E.getCurrent()).value(); + return EdgeVal >= 0 ? "label = " + std::to_string(EdgeVal) + : "color = red, style = \"dashed\""; + } +}; + +} // end namespace llvm + +char X86LoadValueInjectionLoadHardeningPass::ID = 0; + +void X86LoadValueInjectionLoadHardeningPass::getAnalysisUsage( + AnalysisUsage &AU) const { + MachineFunctionPass::getAnalysisUsage(AU); + AU.addRequired<MachineLoopInfo>(); + AU.addRequired<MachineDominatorTree>(); + AU.addRequired<MachineDominanceFrontier>(); + AU.setPreservesCFG(); +} + +bool X86LoadValueInjectionLoadHardeningPass::runOnMachineFunction( + MachineFunction &MF) { + LLVM_DEBUG(dbgs() << "***** " << getPassName() << " : " << MF.getName() + << " *****\n"); + STI = &MF.getSubtarget<X86Subtarget>(); + if (!STI->useLVILoadHardening() || !STI->is64Bit()) + return false; // FIXME: support 32-bit + + // Don't skip functions with the "optnone" attr but participate in opt-bisect. + const Function &F = MF.getFunction(); + if (!F.hasOptNone() && skipFunction(F)) + return false; + + ++NumFunctionsConsidered; + TII = STI->getInstrInfo(); + TRI = STI->getRegisterInfo(); + LLVM_DEBUG(dbgs() << "Hardening data-dependent loads...\n"); + hardenLoads(MF, false); + LLVM_DEBUG(dbgs() << "Hardening data-dependent loads... Done\n"); + if (!NoFixedLoads) { + LLVM_DEBUG(dbgs() << "Hardening fixed loads...\n"); + hardenLoads(MF, true); + LLVM_DEBUG(dbgs() << "Hardening fixed loads... Done\n"); + } + return false; +} + +// Apply the mitigation to `MF`, return the number of fences inserted. +// If `FixedLoads` is `true`, then the mitigation will be applied to fixed +// loads; otherwise, mitigation will be applied to non-fixed loads. +int X86LoadValueInjectionLoadHardeningPass::hardenLoads(MachineFunction &MF, + bool FixedLoads) const { + LLVM_DEBUG(dbgs() << "Building gadget graph...\n"); + const auto &MLI = getAnalysis<MachineLoopInfo>(); + const auto &MDT = getAnalysis<MachineDominatorTree>(); + const auto &MDF = getAnalysis<MachineDominanceFrontier>(); + std::unique_ptr<MachineGadgetGraph> Graph = + getGadgetGraph(MF, MLI, MDT, MDF, FixedLoads); + LLVM_DEBUG(dbgs() << "Building gadget graph... Done\n"); + if (Graph == nullptr) + return 0; // didn't find any gadgets + + if (EmitDotVerify) { + WriteGraph(outs(), Graph.get()); + return 0; + } + + if (EmitDot || EmitDotOnly) { + LLVM_DEBUG(dbgs() << "Emitting gadget graph...\n"); + std::error_code FileError; + std::string FileName = "lvi."; + if (FixedLoads) + FileName += "fixed."; + FileName += Graph->getMF().getName(); + FileName += ".dot"; + raw_fd_ostream FileOut(FileName, FileError); + if (FileError) + errs() << FileError.message(); + WriteGraph(FileOut, Graph.get()); + FileOut.close(); + LLVM_DEBUG(dbgs() << "Emitting gadget graph... Done\n"); + if (EmitDotOnly) + return 0; + } + + return 0; +} + +std::unique_ptr<X86LoadValueInjectionLoadHardeningPass::MachineGadgetGraph> +X86LoadValueInjectionLoadHardeningPass::getGadgetGraph( + MachineFunction &MF, const MachineLoopInfo &MLI, + const MachineDominatorTree &MDT, const MachineDominanceFrontier &MDF, + bool FixedLoads) const { + using namespace rdf; + + // Build the Register Dataflow Graph using the RDF framework + TargetOperandInfo TOI{*TII}; + DataFlowGraph DFG{MF, *TII, *TRI, MDT, MDF, TOI}; + DFG.build(); + Liveness L{MF.getRegInfo(), DFG}; + L.computePhiInfo(); + + GraphBuilder Builder; + using GraphIter = typename GraphBuilder::NodeRef; + DenseMap<MachineInstr *, GraphIter> NodeMap; + int FenceCount = 0; + auto MaybeAddNode = [&NodeMap, &Builder](MachineInstr *MI) { + auto Ref = NodeMap.find(MI); + if (Ref == NodeMap.end()) { + auto I = Builder.addVertex(MI); + NodeMap[MI] = I; + return std::pair<GraphIter, bool>{I, true}; + } else { + return std::pair<GraphIter, bool>{Ref->getSecond(), false}; + } + }; + + // Analyze all machine instructions to find gadgets and LFENCEs, adding + // each interesting value to `Nodes` + DenseSet<std::pair<GraphIter, GraphIter>> GadgetEdgeSet; + auto AnalyzeDef = [&](NodeAddr<DefNode *> Def) { + MachineInstr *MI = Def.Addr->getFlags() & NodeAttrs::PhiRef + ? ARG_NODE + : Def.Addr->getOp().getParent(); + auto AnalyzeUse = [&](NodeAddr<UseNode *> Use) { + assert(!(Use.Addr->getFlags() & NodeAttrs::PhiRef)); + MachineOperand &UseMO = Use.Addr->getOp(); + MachineInstr &UseMI = *UseMO.getParent(); + assert(UseMO.isReg()); + // We naively assume that an instruction propagates any loaded Uses + // to all Defs, unless the instruction is a call + if (UseMI.isCall()) + return false; + if (instrUsesRegToAccessMemory(UseMI, UseMO.getReg()) || + (!NoConditionalBranches && + instrUsesRegToBranch(UseMI, UseMO.getReg()))) { // found a gadget! + // add the root of this chain + auto GadgetBegin = MaybeAddNode(MI); + // and the instruction that (transitively) discloses the root + auto GadgetEnd = MaybeAddNode(&UseMI); + if (GadgetEdgeSet.insert({GadgetBegin.first, GadgetEnd.first}).second) + Builder.addEdge(GADGET_EDGE, GadgetBegin.first, GadgetEnd.first); + if (UseMI.mayLoad()) // FIXME: This should be more precise + return false; // stop traversing further uses of `Reg` + } + return true; + }; + SmallSet<NodeId, 8> NodesVisited; + std::function<void(NodeAddr<DefNode *>)> AnalyzeDefUseChain = + [&](NodeAddr<DefNode *> Def) { + if (Def.Addr->getAttrs() & NodeAttrs::Dead) + return; + RegisterRef DefReg = DFG.getPRI().normalize(Def.Addr->getRegRef(DFG)); + NodeList Uses; + for (auto UseID : L.getAllReachedUses(DefReg, Def)) { + auto Use = DFG.addr<UseNode *>(UseID); + if (Use.Addr->getFlags() & NodeAttrs::PhiRef) { // phi node + NodeAddr<PhiNode *> Phi = Use.Addr->getOwner(DFG); + for (auto I : L.getRealUses(Phi.Id)) { + if (DFG.getPRI().alias(RegisterRef(I.first), DefReg)) { + for (auto UA : I.second) { + auto PhiUse = DFG.addr<UseNode *>(UA.first); + Uses.push_back(PhiUse); + } + } + } + } else { // not a phi node + Uses.push_back(Use); + } + } + for (auto N : Uses) { + NodeAddr<UseNode *> Use{N}; + if (NodesVisited.insert(Use.Id).second && AnalyzeUse(Use)) { + NodeAddr<InstrNode *> Owner{Use.Addr->getOwner(DFG)}; + NodeList Defs = Owner.Addr->members_if(DataFlowGraph::IsDef, DFG); + std::for_each(Defs.begin(), Defs.end(), AnalyzeDefUseChain); + } + } + }; + AnalyzeDefUseChain(Def); + }; + + LLVM_DEBUG(dbgs() << "Analyzing def-use chains to find gadgets\n"); + // Analyze function arguments + if (!FixedLoads) { // only need to analyze function args once + NodeAddr<BlockNode *> EntryBlock = DFG.getFunc().Addr->getEntryBlock(DFG); + for (NodeAddr<PhiNode *> ArgPhi : + EntryBlock.Addr->members_if(DataFlowGraph::IsPhi, DFG)) { + NodeList Defs = ArgPhi.Addr->members_if(DataFlowGraph::IsDef, DFG); + std::for_each(Defs.begin(), Defs.end(), AnalyzeDef); + } + } + // Analyze every instruction in MF + for (NodeAddr<BlockNode *> BA : DFG.getFunc().Addr->members(DFG)) { + for (NodeAddr<StmtNode *> SA : + BA.Addr->members_if(DataFlowGraph::IsCode<NodeAttrs::Stmt>, DFG)) { + MachineInstr *MI = SA.Addr->getCode(); + if (isFence(MI)) { + MaybeAddNode(MI); + ++FenceCount; + } else if (MI->mayLoad() && ((FixedLoads && instrIsFixedAccess(*MI)) || + (!FixedLoads && !instrIsFixedAccess(*MI)))) { + NodeList Defs = SA.Addr->members_if(DataFlowGraph::IsDef, DFG); + std::for_each(Defs.begin(), Defs.end(), AnalyzeDef); + } + } + } + int GadgetCount = static_cast<int>(GadgetEdgeSet.size()); + LLVM_DEBUG(dbgs() << "Found " << FenceCount << " fences\n"); + LLVM_DEBUG(dbgs() << "Found " << GadgetCount << " gadgets\n"); + if (GadgetCount == 0) + return nullptr; + NumGadgets += GadgetCount; + + // Traverse CFG to build the rest of the graph + SmallSet<MachineBasicBlock *, 8> BlocksVisited; + std::function<void(MachineBasicBlock *, GraphIter, unsigned)> TraverseCFG = + [&](MachineBasicBlock *MBB, GraphIter GI, unsigned ParentDepth) { + unsigned LoopDepth = MLI.getLoopDepth(MBB); + if (!MBB->empty()) { + // Always add the first instruction in each block + auto NI = MBB->begin(); + auto BeginBB = MaybeAddNode(&*NI); + Builder.addEdge(ParentDepth, GI, BeginBB.first); + if (!BlocksVisited.insert(MBB).second) + return; + + // Add any instructions within the block that are gadget components + GI = BeginBB.first; + while (++NI != MBB->end()) { + auto Ref = NodeMap.find(&*NI); + if (Ref != NodeMap.end()) { + Builder.addEdge(LoopDepth, GI, Ref->getSecond()); + GI = Ref->getSecond(); + } + } + + // Always add the terminator instruction, if one exists + auto T = MBB->getFirstTerminator(); + if (T != MBB->end()) { + auto EndBB = MaybeAddNode(&*T); + if (EndBB.second) + Builder.addEdge(LoopDepth, GI, EndBB.first); + GI = EndBB.first; + } + } + for (MachineBasicBlock *Succ : MBB->successors()) + TraverseCFG(Succ, GI, LoopDepth); + }; + // ARG_NODE is a pseudo-instruction that represents MF args in the GadgetGraph + GraphIter ArgNode = MaybeAddNode(ARG_NODE).first; + TraverseCFG(&MF.front(), ArgNode, 0); + std::unique_ptr<MachineGadgetGraph> G{Builder.get(FenceCount, GadgetCount)}; + LLVM_DEBUG(dbgs() << "Found " << GTraits::size(G.get()) << " nodes\n"); + return G; +} + +bool X86LoadValueInjectionLoadHardeningPass::instrUsesRegToAccessMemory( + const MachineInstr &MI, unsigned Reg) const { + if (!MI.mayLoadOrStore() || MI.getOpcode() == X86::MFENCE || + MI.getOpcode() == X86::SFENCE || MI.getOpcode() == X86::LFENCE) + return false; + + // FIXME: This does not handle pseudo loading instruction like TCRETURN* + const MCInstrDesc &Desc = MI.getDesc(); + int MemRefBeginIdx = X86II::getMemoryOperandNo(Desc.TSFlags); + if (MemRefBeginIdx < 0) { + LLVM_DEBUG(dbgs() << "Warning: unable to obtain memory operand for loading " + "instruction:\n"; + MI.print(dbgs()); dbgs() << '\n';); + return false; + } + MemRefBeginIdx += X86II::getOperandBias(Desc); + + const MachineOperand &BaseMO = + MI.getOperand(MemRefBeginIdx + X86::AddrBaseReg); + const MachineOperand &IndexMO = + MI.getOperand(MemRefBeginIdx + X86::AddrIndexReg); + return (BaseMO.isReg() && BaseMO.getReg() != X86::NoRegister && + TRI->regsOverlap(BaseMO.getReg(), Reg)) || + (IndexMO.isReg() && IndexMO.getReg() != X86::NoRegister && + TRI->regsOverlap(IndexMO.getReg(), Reg)); +} + +bool X86LoadValueInjectionLoadHardeningPass::instrUsesRegToBranch( + const MachineInstr &MI, unsigned Reg) const { + if (!MI.isConditionalBranch()) + return false; + for (const MachineOperand &Use : MI.uses()) + if (Use.isReg() && Use.getReg() == Reg) + return true; + return false; +} + +template <unsigned K> +bool X86LoadValueInjectionLoadHardeningPass::hasLoadFrom( + const MachineInstr &MI) const { + for (auto &MMO : MI.memoperands()) { + const PseudoSourceValue *PSV = MMO->getPseudoValue(); + if (PSV && PSV->kind() == K && MMO->isLoad()) + return true; + } + return false; +} + +bool X86LoadValueInjectionLoadHardeningPass::instrAccessesStackSlot( + const MachineInstr &MI) const { + // Check the PSV first + if (hasLoadFrom<PseudoSourceValue::PSVKind::FixedStack>(MI)) + return true; + // Some loads are not marked with a PSV, so we always need to double check + const MCInstrDesc &Desc = MI.getDesc(); + int MemRefBeginIdx = X86II::getMemoryOperandNo(Desc.TSFlags); + if (MemRefBeginIdx < 0) + return false; + MemRefBeginIdx += X86II::getOperandBias(Desc); + return MI.getOperand(MemRefBeginIdx + X86::AddrBaseReg).isFI() && + MI.getOperand(MemRefBeginIdx + X86::AddrScaleAmt).isImm() && + MI.getOperand(MemRefBeginIdx + X86::AddrIndexReg).isReg() && + MI.getOperand(MemRefBeginIdx + X86::AddrDisp).isImm() && + MI.getOperand(MemRefBeginIdx + X86::AddrScaleAmt).getImm() == 1 && + MI.getOperand(MemRefBeginIdx + X86::AddrIndexReg).getReg() == + X86::NoRegister && + MI.getOperand(MemRefBeginIdx + X86::AddrDisp).getImm() == 0; +} + +bool X86LoadValueInjectionLoadHardeningPass::instrAccessesConstantPool( + const MachineInstr &MI) const { + if (hasLoadFrom<PseudoSourceValue::PSVKind::ConstantPool>(MI)) + return true; + const MCInstrDesc &Desc = MI.getDesc(); + int MemRefBeginIdx = X86II::getMemoryOperandNo(Desc.TSFlags); + if (MemRefBeginIdx < 0) + return false; + MemRefBeginIdx += X86II::getOperandBias(Desc); + return MI.getOperand(MemRefBeginIdx + X86::AddrBaseReg).isReg() && + MI.getOperand(MemRefBeginIdx + X86::AddrScaleAmt).isImm() && + MI.getOperand(MemRefBeginIdx + X86::AddrIndexReg).isReg() && + MI.getOperand(MemRefBeginIdx + X86::AddrDisp).isCPI() && + (MI.getOperand(MemRefBeginIdx + X86::AddrBaseReg).getReg() == + X86::RIP || + MI.getOperand(MemRefBeginIdx + X86::AddrBaseReg).getReg() == + X86::NoRegister) && + MI.getOperand(MemRefBeginIdx + X86::AddrScaleAmt).getImm() == 1 && + MI.getOperand(MemRefBeginIdx + X86::AddrIndexReg).getReg() == + X86::NoRegister; +} + +bool X86LoadValueInjectionLoadHardeningPass::instrAccessesGOT( + const MachineInstr &MI) const { + if (hasLoadFrom<PseudoSourceValue::PSVKind::GOT>(MI)) + return true; + const MCInstrDesc &Desc = MI.getDesc(); + int MemRefBeginIdx = X86II::getMemoryOperandNo(Desc.TSFlags); + if (MemRefBeginIdx < 0) + return false; + MemRefBeginIdx += X86II::getOperandBias(Desc); + return MI.getOperand(MemRefBeginIdx + X86::AddrBaseReg).isReg() && + MI.getOperand(MemRefBeginIdx + X86::AddrScaleAmt).isImm() && + MI.getOperand(MemRefBeginIdx + X86::AddrIndexReg).isReg() && + MI.getOperand(MemRefBeginIdx + X86::AddrDisp).getTargetFlags() == + X86II::MO_GOTPCREL && + MI.getOperand(MemRefBeginIdx + X86::AddrBaseReg).getReg() == + X86::RIP && + MI.getOperand(MemRefBeginIdx + X86::AddrScaleAmt).getImm() == 1 && + MI.getOperand(MemRefBeginIdx + X86::AddrIndexReg).getReg() == + X86::NoRegister; +} + +INITIALIZE_PASS_BEGIN(X86LoadValueInjectionLoadHardeningPass, PASS_KEY, + "X86 LVI load hardening", false, false) +INITIALIZE_PASS_DEPENDENCY(MachineLoopInfo) +INITIALIZE_PASS_DEPENDENCY(MachineDominatorTree) +INITIALIZE_PASS_DEPENDENCY(MachineDominanceFrontier) +INITIALIZE_PASS_END(X86LoadValueInjectionLoadHardeningPass, PASS_KEY, + "X86 LVI load hardening", false, false) + +FunctionPass *llvm::createX86LoadValueInjectionLoadHardeningPass() { + return new X86LoadValueInjectionLoadHardeningPass(); +} diff --git a/llvm/lib/Target/X86/X86Subtarget.h b/llvm/lib/Target/X86/X86Subtarget.h index eb5c293e5cbf..af5153243c8b 100644 --- a/llvm/lib/Target/X86/X86Subtarget.h +++ b/llvm/lib/Target/X86/X86Subtarget.h @@ -427,6 +427,10 @@ protected: /// POP+LFENCE+JMP sequence. bool UseLVIControlFlowIntegrity = false; + /// Insert LFENCE instructions to prevent data speculatively injected into + /// loads from being used maliciously. + bool UseLVILoadHardening = false; + /// Use software floating point for code generation. bool UseSoftFloat = false; @@ -727,6 +731,7 @@ public: bool preferMaskRegisters() const { return PreferMaskRegisters; } bool useGLMDivSqrtCosts() const { return UseGLMDivSqrtCosts; } bool useLVIControlFlowIntegrity() const { return UseLVIControlFlowIntegrity; } + bool useLVILoadHardening() const { return UseLVILoadHardening; } unsigned getPreferVectorWidth() const { return PreferVectorWidth; } unsigned getRequiredVectorWidth() const { return RequiredVectorWidth; } diff --git a/llvm/lib/Target/X86/X86TargetMachine.cpp b/llvm/lib/Target/X86/X86TargetMachine.cpp index e374b16e0e3d..680a52b54385 100644 --- a/llvm/lib/Target/X86/X86TargetMachine.cpp +++ b/llvm/lib/Target/X86/X86TargetMachine.cpp @@ -82,6 +82,7 @@ extern "C" LLVM_EXTERNAL_VISIBILITY void LLVMInitializeX86Target() { initializeX86SpeculativeLoadHardeningPassPass(PR); initializeX86FlagsCopyLoweringPassPass(PR); initializeX86CondBrFoldingPassPass(PR); + initializeX86LoadValueInjectionLoadHardeningPassPass(PR); initializeX86LoadValueInjectionRetHardeningPassPass(PR); initializeX86OptimizeLEAPassPass(PR); } @@ -497,6 +498,7 @@ void X86PassConfig::addMachineSSAOptimization() { void X86PassConfig::addPostRegAlloc() { addPass(createX86FloatingPointStackifierPass()); + addPass(createX86LoadValueInjectionLoadHardeningPass()); } void X86PassConfig::addPreSched2() { addPass(createX86ExpandPseudoPass()); } diff --git a/llvm/test/CodeGen/X86/O0-pipeline.ll b/llvm/test/CodeGen/X86/O0-pipeline.ll index cd1442102d31..a99019941e84 100644 --- a/llvm/test/CodeGen/X86/O0-pipeline.ll +++ b/llvm/test/CodeGen/X86/O0-pipeline.ll @@ -55,6 +55,10 @@ ; CHECK-NEXT: Fast Register Allocator ; CHECK-NEXT: Bundle Machine CFG Edges ; CHECK-NEXT: X86 FP Stackifier +; CHECK-NEXT: MachineDominator Tree Construction +; CHECK-NEXT: Machine Natural Loop Construction +; CHECK-NEXT: Machine Dominance Frontier Construction +; CHECK-NEXT: X86 Load Value Injection (LVI) Load Hardening ; CHECK-NEXT: Lazy Machine Block Frequency Analysis ; CHECK-NEXT: Machine Optimization Remark Emitter ; CHECK-NEXT: Prologue/Epilogue Insertion & Frame Finalization diff --git a/llvm/test/CodeGen/X86/O3-pipeline.ll b/llvm/test/CodeGen/X86/O3-pipeline.ll index 1d487bc266de..87ab9ea63b73 100644 --- a/llvm/test/CodeGen/X86/O3-pipeline.ll +++ b/llvm/test/CodeGen/X86/O3-pipeline.ll @@ -138,9 +138,11 @@ ; CHECK-NEXT: Machine Loop Invariant Code Motion ; CHECK-NEXT: Bundle Machine CFG Edges ; CHECK-NEXT: X86 FP Stackifier +; CHECK-NEXT: MachineDominator Tree Construction +; CHECK-NEXT: Machine Dominance Frontier Construction +; CHECK-NEXT: X86 Load Value Injection (LVI) Load Hardening ; CHECK-NEXT: PostRA Machine Sink ; CHECK-NEXT: Machine Block Frequency Analysis -; CHECK-NEXT: MachineDominator Tree Construction ; CHECK-NEXT: MachinePostDominator Tree Construction ; CHECK-NEXT: Lazy Machine Block Frequency Analysis ; CHECK-NEXT: Machine Optimization Remark Emitter diff --git a/llvm/test/CodeGen/X86/lvi-hardening-gadget-graph.ll b/llvm/test/CodeGen/X86/lvi-hardening-gadget-graph.ll new file mode 100644 index 000000000000..ba2ce26142b5 --- /dev/null +++ b/llvm/test/CodeGen/X86/lvi-hardening-gadget-graph.ll @@ -0,0 +1,129 @@ +; RUN: llc -verify-machineinstrs -mtriple=x86_64-unknown -x86-lvi-load-dot-verify -o %t < %s | FileCheck %s + +; Function Attrs: noinline nounwind optnone uwtable +define dso_local i32 @test(i32* %untrusted_user_ptr, i32* %secret, i32 %secret_size) #0 { +entry: + %untrusted_user_ptr.addr = alloca i32*, align 8 + %secret.addr = alloca i32*, align 8 + %secret_size.addr = alloca i32, align 4 + %ret_val = alloca i32, align 4 + %i = alloca i32, align 4 + store i32* %untrusted_user_ptr, i32** %untrusted_user_ptr.addr, align 8 + store i32* %secret, i32** %secret.addr, align 8 + store i32 %secret_size, i32* %secret_size.addr, align 4 + store i32 0, i32* %ret_val, align 4 + call void @llvm.x86.sse2.lfence() + store i32 0, i32* %i, align 4 + br label %for.cond + +for.cond: ; preds = %for.inc, %entry + %0 = load i32, i32* %i, align 4 + %1 = load i32, i32* %secret_size.addr, align 4 + %cmp = icmp slt i32 %0, %1 + br i1 %cmp, label %for.body, label %for.end + +for.body: ; preds = %for.cond + %2 = load i32, i32* %i, align 4 + %rem = srem i32 %2, 2 + %cmp1 = icmp eq i32 %rem, 0 + br i1 %cmp1, label %if.then, label %if.else + +if.then: ; preds = %for.body + %3 = load i32*, i32** %secret.addr, align 8 + %4 = load i32, i32* %ret_val, align 4 + %idxprom = sext i32 %4 to i64 + %arrayidx = getelementptr inbounds i32, i32* %3, i64 %idxprom + %5 = load i32, i32* %arrayidx, align 4 + %6 = load i32*, i32** %untrusted_user_ptr.addr, align 8 + store i32 %5, i32* %6, align 4 + br label %if.end + +if.else: ; preds = %for.body + %7 = load i32*, i32** %secret.addr, align 8 + %8 = load i32, i32* %ret_val, align 4 + %idxprom2 = sext i32 %8 to i64 + %arrayidx3 = getelementptr inbounds i32, i32* %7, i64 %idxprom2 + store i32 42, i32* %arrayidx3, align 4 + br label %if.end + +if.end: ; preds = %if.else, %if.then + %9 = load i32*, i32** %untrusted_user_ptr.addr, align 8 + %10 = load i32, i32* %9, align 4 + store i32 %10, i32* %ret_val, align 4 + br label %for.inc + +for.inc: ; preds = %if.end + %11 = load i32, i32* %i, align 4 + %inc = add nsw i32 %11, 1 + store i32 %inc, i32* %i, align 4 + br label %for.cond + +for.end: ; preds = %for.cond + %12 = load i32, i32* %ret_val, align 4 + ret i32 %12 +} + +; CHECK: digraph "Speculative gadgets for \"test\" function" { +; CHECK-NEXT: label="Speculative gadgets for \"test\" function"; +; CHECK: Node0x{{[0-9a-f]+}} [shape=record,color = green,label="{LFENCE\n}"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 0]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{renamable $eax = MOV32rm %stack.4.i, 1, $noreg, 0, $noreg :: (dereferenceable load 4 from %ir.i)\n}"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[color = red, style = "dashed"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{JCC_1 %bb.6, 13, implicit killed $eflags\n}"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{CMP32rm killed renamable $eax, %stack.2.secret_size.addr, 1, $noreg, 0, $noreg, implicit-def $eflags :: (dereferenceable load 4 from %ir.secret_size.addr)\n}"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[color = red, style = "dashed"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{renamable $eax = MOV32rm %stack.4.i, 1, $noreg, 0, $noreg :: (dereferenceable load 4 from %ir.i)\n}"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[color = red, style = "dashed"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{JCC_1 %bb.4, 5, implicit killed $eflags\n}"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{renamable $rax = MOV64rm %stack.1.secret.addr, 1, $noreg, 0, $noreg :: (dereferenceable load 8 from %ir.secret.addr)\n}"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[color = red, style = "dashed"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{renamable $eax = MOV32rm killed renamable $rax, 4, killed renamable $rcx, 0, $noreg :: (load 4 from %ir.arrayidx)\n}"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{renamable $rcx = MOVSX64rm32 %stack.3.ret_val, 1, $noreg, 0, $noreg :: (dereferenceable load 4 from %ir.ret_val)\n}"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[color = red, style = "dashed"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{renamable $rcx = MOV64rm %stack.0.untrusted_user_ptr.addr, 1, $noreg, 0, $noreg :: (dereferenceable load 8 from %ir.untrusted_user_ptr.addr)\n}"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[color = red, style = "dashed"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{MOV32mr killed renamable $rcx, 1, $noreg, 0, $noreg, killed renamable $eax :: (store 4 into %ir.6)\n}"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{renamable $rax = MOV64rm %stack.1.secret.addr, 1, $noreg, 0, $noreg :: (dereferenceable load 8 from %ir.secret.addr)\n}"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[color = red, style = "dashed"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{MOV32mi killed renamable $rax, 4, killed renamable $rcx, 0, $noreg, 42 :: (store 4 into %ir.arrayidx3)\n}"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{renamable $rcx = MOVSX64rm32 %stack.3.ret_val, 1, $noreg, 0, $noreg :: (dereferenceable load 4 from %ir.ret_val)\n}"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[color = red, style = "dashed"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{renamable $rax = MOV64rm %stack.0.untrusted_user_ptr.addr, 1, $noreg, 0, $noreg :: (dereferenceable load 8 from %ir.untrusted_user_ptr.addr)\n}"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[color = red, style = "dashed"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{renamable $eax = MOV32rm killed renamable $rax, 1, $noreg, 0, $noreg :: (load 4 from %ir.9)\n}"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,color = blue,label="{ARGS}"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 0]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{MOV64mr %stack.0.untrusted_user_ptr.addr, 1, $noreg, 0, $noreg, killed renamable $rdi :: (store 8 into %ir.untrusted_user_ptr.addr)\n}"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 0]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{JMP_1 %bb.5\n}"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{JMP_1 %bb.1\n}"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{renamable $eax = MOV32rm %stack.3.ret_val, 1, $noreg, 0, $noreg :: (dereferenceable load 4 from %ir.ret_val)\n}"]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 0]; +; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{RET 0, $eax\n}"]; +; CHECK-NEXT: } + +; Function Attrs: nounwind +declare void @llvm.x86.sse2.lfence() #1 + +attributes #0 = { "target-features"="+lvi-cfi" + "target-features"="+lvi-load-hardening" } +attributes #1 = { nounwind } |