1b8ab2f089
Virtual function pointer entries in v-tables are signed with address
discrimination in addition to declaration-based discrimination, where an
integer discriminator the string hash (see
`ptrauth_string_discriminator`) of the mangled name of the overridden
method. This notably provides diversity based on the full signature of
the overridden method, including the method name and parameter types.
This patch introduces ItaniumVTableContext logic to find the original
declaration of the overridden method.
On AArch64, these pointers are signed using the `IA` key (the
process-independent code key.)
V-table pointers can be signed with either no discrimination, or a
similar scheme using address and decl-based discrimination. In this
case, the integer discriminator is the string hash of the mangled
v-table identifier of the class that originally introduced the vtable
pointer.
On AArch64, these pointers are signed using the `DA` key (the
process-independent data key.)
Not using discrimination allows attackers to simply copy valid v-table
pointers from one object to another. However, using a uniform
discriminator of 0 does have positive performance and code-size
implications on AArch64, and diversity for the most important v-table
access pattern (virtual dispatch) is already better assured by the
signing schemas used on the virtual functions. It is also known that
some code in practice copies objects containing v-tables with `memcpy`,
and while this is not permitted formally, it is something that may be
invasive to eliminate.
This is controlled by:
```
-fptrauth-vtable-pointer-type-discrimination
-fptrauth-vtable-pointer-address-discrimination
```
In addition, this provides fine-grained controls in the
ptrauth_vtable_pointer attribute, which allows overriding the default
ptrauth schema for vtable pointers on a given class hierarchy, e.g.:
```
[[clang::ptrauth_vtable_pointer(no_authentication, no_address_discrimination,
no_extra_discrimination)]]
[[clang::ptrauth_vtable_pointer(default_key, default_address_discrimination,
custom_discrimination, 0xf00d)]]
```
The override is then mangled as a parametrized vendor extension:
```
"__vtptrauth" I
<key>
<addressDiscriminated>
<extraDiscriminator>
E
```
To support this attribute, this patch adds a small extension to the
attribute-emitter tablegen backend.
Note that there are known areas where signing is either missing
altogether or can be strengthened. Some will be addressed in later
changes (e.g., member function pointers, some RTTI).
`dynamic_cast` in particular is handled by emitting an artificial
v-table pointer load (in a way that always authenticates it) before the
runtime call itself, as the runtime doesn't have enough information
today to properly authenticate it. Instead, the runtime is currently
expected to strip the v-table pointer.
---------
Co-authored-by: John McCall <rjmccall@apple.com>
Co-authored-by: Ahmed Bougacha <ahmed@bougacha.org>
317 lines
11 KiB
C++
317 lines
11 KiB
C++
//===--- ConstantInitBuilder.cpp - Global initializer builder -------------===//
|
|
//
|
|
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
|
|
// See https://llvm.org/LICENSE.txt for license information.
|
|
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
|
|
//
|
|
//===----------------------------------------------------------------------===//
|
|
//
|
|
// This file defines out-of-line routines for building initializers for
|
|
// global variables, in particular the kind of globals that are implicitly
|
|
// introduced by various language ABIs.
|
|
//
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
#include "clang/CodeGen/ConstantInitBuilder.h"
|
|
#include "CodeGenModule.h"
|
|
|
|
using namespace clang;
|
|
using namespace CodeGen;
|
|
|
|
llvm::Type *ConstantInitFuture::getType() const {
|
|
assert(Data && "dereferencing null future");
|
|
if (Data.is<llvm::Constant*>()) {
|
|
return Data.get<llvm::Constant*>()->getType();
|
|
} else {
|
|
return Data.get<ConstantInitBuilderBase*>()->Buffer[0]->getType();
|
|
}
|
|
}
|
|
|
|
void ConstantInitFuture::abandon() {
|
|
assert(Data && "abandoning null future");
|
|
if (auto builder = Data.dyn_cast<ConstantInitBuilderBase*>()) {
|
|
builder->abandon(0);
|
|
}
|
|
Data = nullptr;
|
|
}
|
|
|
|
void ConstantInitFuture::installInGlobal(llvm::GlobalVariable *GV) {
|
|
assert(Data && "installing null future");
|
|
if (Data.is<llvm::Constant*>()) {
|
|
GV->setInitializer(Data.get<llvm::Constant*>());
|
|
} else {
|
|
auto &builder = *Data.get<ConstantInitBuilderBase*>();
|
|
assert(builder.Buffer.size() == 1);
|
|
builder.setGlobalInitializer(GV, builder.Buffer[0]);
|
|
builder.Buffer.clear();
|
|
Data = nullptr;
|
|
}
|
|
}
|
|
|
|
ConstantInitFuture
|
|
ConstantInitBuilderBase::createFuture(llvm::Constant *initializer) {
|
|
assert(Buffer.empty() && "buffer not current empty");
|
|
Buffer.push_back(initializer);
|
|
return ConstantInitFuture(this);
|
|
}
|
|
|
|
// Only used in this file.
|
|
inline ConstantInitFuture::ConstantInitFuture(ConstantInitBuilderBase *builder)
|
|
: Data(builder) {
|
|
assert(!builder->Frozen);
|
|
assert(builder->Buffer.size() == 1);
|
|
assert(builder->Buffer[0] != nullptr);
|
|
}
|
|
|
|
llvm::GlobalVariable *
|
|
ConstantInitBuilderBase::createGlobal(llvm::Constant *initializer,
|
|
const llvm::Twine &name,
|
|
CharUnits alignment,
|
|
bool constant,
|
|
llvm::GlobalValue::LinkageTypes linkage,
|
|
unsigned addressSpace) {
|
|
auto GV = new llvm::GlobalVariable(CGM.getModule(),
|
|
initializer->getType(),
|
|
constant,
|
|
linkage,
|
|
initializer,
|
|
name,
|
|
/*insert before*/ nullptr,
|
|
llvm::GlobalValue::NotThreadLocal,
|
|
addressSpace);
|
|
GV->setAlignment(alignment.getAsAlign());
|
|
resolveSelfReferences(GV);
|
|
return GV;
|
|
}
|
|
|
|
void ConstantInitBuilderBase::setGlobalInitializer(llvm::GlobalVariable *GV,
|
|
llvm::Constant *initializer){
|
|
GV->setInitializer(initializer);
|
|
|
|
if (!SelfReferences.empty())
|
|
resolveSelfReferences(GV);
|
|
}
|
|
|
|
void ConstantInitBuilderBase::resolveSelfReferences(llvm::GlobalVariable *GV) {
|
|
for (auto &entry : SelfReferences) {
|
|
llvm::Constant *resolvedReference =
|
|
llvm::ConstantExpr::getInBoundsGetElementPtr(
|
|
GV->getValueType(), GV, entry.Indices);
|
|
auto dummy = entry.Dummy;
|
|
dummy->replaceAllUsesWith(resolvedReference);
|
|
dummy->eraseFromParent();
|
|
}
|
|
SelfReferences.clear();
|
|
}
|
|
|
|
void ConstantInitBuilderBase::abandon(size_t newEnd) {
|
|
// Remove all the entries we've added.
|
|
Buffer.erase(Buffer.begin() + newEnd, Buffer.end());
|
|
|
|
// If we're abandoning all the way to the beginning, destroy
|
|
// all the self-references, because we might not get another
|
|
// opportunity.
|
|
if (newEnd == 0) {
|
|
for (auto &entry : SelfReferences) {
|
|
auto dummy = entry.Dummy;
|
|
dummy->replaceAllUsesWith(llvm::PoisonValue::get(dummy->getType()));
|
|
dummy->eraseFromParent();
|
|
}
|
|
SelfReferences.clear();
|
|
}
|
|
}
|
|
|
|
void ConstantAggregateBuilderBase::addSize(CharUnits size) {
|
|
add(Builder.CGM.getSize(size));
|
|
}
|
|
|
|
llvm::Constant *
|
|
ConstantAggregateBuilderBase::getRelativeOffset(llvm::IntegerType *offsetType,
|
|
llvm::Constant *target) {
|
|
return getRelativeOffsetToPosition(offsetType, target,
|
|
Builder.Buffer.size() - Begin);
|
|
}
|
|
|
|
llvm::Constant *ConstantAggregateBuilderBase::getRelativeOffsetToPosition(
|
|
llvm::IntegerType *offsetType, llvm::Constant *target, size_t position) {
|
|
// Compute the address of the relative-address slot.
|
|
auto base = getAddrOfPosition(offsetType, position);
|
|
|
|
// Subtract.
|
|
base = llvm::ConstantExpr::getPtrToInt(base, Builder.CGM.IntPtrTy);
|
|
target = llvm::ConstantExpr::getPtrToInt(target, Builder.CGM.IntPtrTy);
|
|
llvm::Constant *offset = llvm::ConstantExpr::getSub(target, base);
|
|
|
|
// Truncate to the relative-address type if necessary.
|
|
if (Builder.CGM.IntPtrTy != offsetType) {
|
|
offset = llvm::ConstantExpr::getTrunc(offset, offsetType);
|
|
}
|
|
|
|
return offset;
|
|
}
|
|
|
|
llvm::Constant *
|
|
ConstantAggregateBuilderBase::getAddrOfPosition(llvm::Type *type,
|
|
size_t position) {
|
|
// Make a global variable. We will replace this with a GEP to this
|
|
// position after installing the initializer.
|
|
auto dummy = new llvm::GlobalVariable(Builder.CGM.getModule(), type, true,
|
|
llvm::GlobalVariable::PrivateLinkage,
|
|
nullptr, "");
|
|
Builder.SelfReferences.emplace_back(dummy);
|
|
auto &entry = Builder.SelfReferences.back();
|
|
(void)getGEPIndicesTo(entry.Indices, position + Begin);
|
|
return dummy;
|
|
}
|
|
|
|
llvm::Constant *
|
|
ConstantAggregateBuilderBase::getAddrOfCurrentPosition(llvm::Type *type) {
|
|
// Make a global variable. We will replace this with a GEP to this
|
|
// position after installing the initializer.
|
|
auto dummy =
|
|
new llvm::GlobalVariable(Builder.CGM.getModule(), type, true,
|
|
llvm::GlobalVariable::PrivateLinkage,
|
|
nullptr, "");
|
|
Builder.SelfReferences.emplace_back(dummy);
|
|
auto &entry = Builder.SelfReferences.back();
|
|
(void) getGEPIndicesToCurrentPosition(entry.Indices);
|
|
return dummy;
|
|
}
|
|
|
|
void ConstantAggregateBuilderBase::getGEPIndicesTo(
|
|
llvm::SmallVectorImpl<llvm::Constant*> &indices,
|
|
size_t position) const {
|
|
// Recurse on the parent builder if present.
|
|
if (Parent) {
|
|
Parent->getGEPIndicesTo(indices, Begin);
|
|
|
|
// Otherwise, add an index to drill into the first level of pointer.
|
|
} else {
|
|
assert(indices.empty());
|
|
indices.push_back(llvm::ConstantInt::get(Builder.CGM.Int32Ty, 0));
|
|
}
|
|
|
|
assert(position >= Begin);
|
|
// We have to use i32 here because struct GEPs demand i32 indices.
|
|
// It's rather unlikely to matter in practice.
|
|
indices.push_back(llvm::ConstantInt::get(Builder.CGM.Int32Ty,
|
|
position - Begin));
|
|
}
|
|
|
|
ConstantAggregateBuilderBase::PlaceholderPosition
|
|
ConstantAggregateBuilderBase::addPlaceholderWithSize(llvm::Type *type) {
|
|
// Bring the offset up to the last field.
|
|
CharUnits offset = getNextOffsetFromGlobal();
|
|
|
|
// Create the placeholder.
|
|
auto position = addPlaceholder();
|
|
|
|
// Advance the offset past that field.
|
|
auto &layout = Builder.CGM.getDataLayout();
|
|
if (!Packed)
|
|
offset = offset.alignTo(CharUnits::fromQuantity(layout.getABITypeAlign(type)));
|
|
offset += CharUnits::fromQuantity(layout.getTypeStoreSize(type));
|
|
|
|
CachedOffsetEnd = Builder.Buffer.size();
|
|
CachedOffsetFromGlobal = offset;
|
|
|
|
return position;
|
|
}
|
|
|
|
CharUnits ConstantAggregateBuilderBase::getOffsetFromGlobalTo(size_t end) const{
|
|
size_t cacheEnd = CachedOffsetEnd;
|
|
assert(cacheEnd <= end);
|
|
|
|
// Fast path: if the cache is valid, just use it.
|
|
if (cacheEnd == end) {
|
|
return CachedOffsetFromGlobal;
|
|
}
|
|
|
|
// If the cached range ends before the index at which the current
|
|
// aggregate starts, recurse for the parent.
|
|
CharUnits offset;
|
|
if (cacheEnd < Begin) {
|
|
assert(cacheEnd == 0);
|
|
assert(Parent && "Begin != 0 for root builder");
|
|
cacheEnd = Begin;
|
|
offset = Parent->getOffsetFromGlobalTo(Begin);
|
|
} else {
|
|
offset = CachedOffsetFromGlobal;
|
|
}
|
|
|
|
// Perform simple layout on the elements in cacheEnd..<end.
|
|
if (cacheEnd != end) {
|
|
auto &layout = Builder.CGM.getDataLayout();
|
|
do {
|
|
llvm::Constant *element = Builder.Buffer[cacheEnd];
|
|
assert(element != nullptr &&
|
|
"cannot compute offset when a placeholder is present");
|
|
llvm::Type *elementType = element->getType();
|
|
if (!Packed)
|
|
offset = offset.alignTo(
|
|
CharUnits::fromQuantity(layout.getABITypeAlign(elementType)));
|
|
offset += CharUnits::fromQuantity(layout.getTypeStoreSize(elementType));
|
|
} while (++cacheEnd != end);
|
|
}
|
|
|
|
// Cache and return.
|
|
CachedOffsetEnd = cacheEnd;
|
|
CachedOffsetFromGlobal = offset;
|
|
return offset;
|
|
}
|
|
|
|
llvm::Constant *ConstantAggregateBuilderBase::finishArray(llvm::Type *eltTy) {
|
|
markFinished();
|
|
|
|
auto &buffer = getBuffer();
|
|
assert((Begin < buffer.size() ||
|
|
(Begin == buffer.size() && eltTy))
|
|
&& "didn't add any array elements without element type");
|
|
auto elts = llvm::ArrayRef(buffer).slice(Begin);
|
|
if (!eltTy) eltTy = elts[0]->getType();
|
|
auto type = llvm::ArrayType::get(eltTy, elts.size());
|
|
auto constant = llvm::ConstantArray::get(type, elts);
|
|
buffer.erase(buffer.begin() + Begin, buffer.end());
|
|
return constant;
|
|
}
|
|
|
|
llvm::Constant *
|
|
ConstantAggregateBuilderBase::finishStruct(llvm::StructType *ty) {
|
|
markFinished();
|
|
|
|
auto &buffer = getBuffer();
|
|
auto elts = llvm::ArrayRef(buffer).slice(Begin);
|
|
|
|
if (ty == nullptr && elts.empty())
|
|
ty = llvm::StructType::get(Builder.CGM.getLLVMContext(), {}, Packed);
|
|
|
|
llvm::Constant *constant;
|
|
if (ty) {
|
|
assert(ty->isPacked() == Packed);
|
|
constant = llvm::ConstantStruct::get(ty, elts);
|
|
} else {
|
|
constant = llvm::ConstantStruct::getAnon(elts, Packed);
|
|
}
|
|
|
|
buffer.erase(buffer.begin() + Begin, buffer.end());
|
|
return constant;
|
|
}
|
|
|
|
/// Sign the given pointer and add it to the constant initializer
|
|
/// currently being built.
|
|
void ConstantAggregateBuilderBase::addSignedPointer(
|
|
llvm::Constant *Pointer, const PointerAuthSchema &Schema,
|
|
GlobalDecl CalleeDecl, QualType CalleeType) {
|
|
if (!Schema || !Builder.CGM.shouldSignPointer(Schema))
|
|
return add(Pointer);
|
|
|
|
llvm::Constant *StorageAddress = nullptr;
|
|
if (Schema.isAddressDiscriminated()) {
|
|
StorageAddress = getAddrOfCurrentPosition(Pointer->getType());
|
|
}
|
|
|
|
llvm::Constant *SignedPointer = Builder.CGM.getConstantSignedPointer(
|
|
Pointer, Schema, StorageAddress, CalleeDecl, CalleeType);
|
|
add(SignedPointer);
|
|
}
|