llvm/lib/Target/ARM/ARMBranchTargets.cpp

   1 //===-- ARMBranchTargets.cpp -- Harden code using v8.1-M BTI extension -----==//
   2 //
   3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
   4 // See https://llvm.org/LICENSE.txt for license information.
   5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
   6 //
   7 //===----------------------------------------------------------------------===//
   8 //
   9 // This pass inserts BTI instructions at the start of every function and basic
  10 // block which could be indirectly called. The hardware will (when enabled)
  11 // trap when an indirect branch or call instruction targets an instruction
  12 // which is not a valid BTI instruction. This is intended to guard against
  13 // control-flow hijacking attacks.
  14 //
  15 //===----------------------------------------------------------------------===//
  16
  17 #include "ARM.h"
  18 #include "ARMInstrInfo.h"
  19 #include "ARMMachineFunctionInfo.h"
  20 #include "llvm/CodeGen/MachineFunctionPass.h"
  21 #include "llvm/CodeGen/MachineInstrBuilder.h"
  22 #include "llvm/CodeGen/MachineJumpTableInfo.h"
  23 #include "llvm/CodeGen/MachineModuleInfo.h"
  24 #include "llvm/Support/Debug.h"
  25
  26 using namespace llvm;
  27
  28 #define DEBUG_TYPE "arm-branch-targets"
  29 #define ARM_BRANCH_TARGETS_NAME "ARM Branch Targets"
  30
  31 namespace {
  32 class ARMBranchTargets : public MachineFunctionPass {
  33 public:
  34   static char ID;
  35   ARMBranchTargets() : MachineFunctionPass(ID) {}
  36   void getAnalysisUsage(AnalysisUsage &AU) const override;
  37   bool runOnMachineFunction(MachineFunction &MF) override;
  38   StringRef getPassName() const override { return ARM_BRANCH_TARGETS_NAME; }
  39
  40 private:
  41   void addBTI(const ARMInstrInfo &TII, MachineBasicBlock &MBB, bool IsFirstBB);
  42 };
  43 } // end anonymous namespace
  44
  45 char ARMBranchTargets::ID = 0;
  46
  47 INITIALIZE_PASS(ARMBranchTargets, "arm-branch-targets", ARM_BRANCH_TARGETS_NAME,
  48                 false, false)
  49
  50 void ARMBranchTargets::getAnalysisUsage(AnalysisUsage &AU) const {
  51   AU.setPreservesCFG();
  52   MachineFunctionPass::getAnalysisUsage(AU);
  53 }
  54
  55 FunctionPass *llvm::createARMBranchTargetsPass() {
  56   return new ARMBranchTargets();
  57 }
  58
  59 bool ARMBranchTargets::runOnMachineFunction(MachineFunction &MF) {
  60   if (!MF.getInfo<ARMFunctionInfo>()->branchTargetEnforcement())
  61     return false;
  62
  63   LLVM_DEBUG(dbgs() << "********** ARM Branch Targets  **********\n"
  64                     << "********** Function: " << MF.getName() << '\n');
  65   const ARMInstrInfo &TII =
  66       *static_cast<const ARMInstrInfo *>(MF.getSubtarget().getInstrInfo());
  67
  68   bool MadeChange = false;
  69   for (MachineBasicBlock &MBB : MF) {
  70     bool IsFirstBB = &MBB == &MF.front();
  71
  72     // Every function can potentially be called indirectly (even if it has
  73     // static linkage, due to linker-generated veneers).
  74     // If the block itself is address-taken, or is an exception landing pad, it
  75     // could be indirectly branched to.
  76     // Jump tables only emit indirect jumps (JUMPTABLE_ADDRS) in ARM or Thumb1
  77     // modes. These modes do not support PACBTI. As a result, BTI instructions
  78     // are not added in the destination blocks.
  79
  80     if (IsFirstBB || MBB.hasAddressTaken() || MBB.isEHPad()) {
  81       addBTI(TII, MBB, IsFirstBB);
  82       MadeChange = true;
  83     }
  84   }
  85
  86   return MadeChange;
  87 }
  88
  89 /// Insert a BTI/PACBTI instruction into a given basic block \c MBB. If
  90 /// \c IsFirstBB is true (meaning that this is the first BB in a function) try
  91 /// to find a PAC instruction and replace it with PACBTI. Otherwise just insert
  92 /// a BTI instruction.
  93 /// The point of insertion is in the beginning of the BB, immediately after meta
  94 /// instructions (such labels in exception handling landing pads).
  95 void ARMBranchTargets::addBTI(const ARMInstrInfo &TII, MachineBasicBlock &MBB,
  96                               bool IsFirstBB) {
  97   // Which instruction to insert: BTI or PACBTI
  98   unsigned OpCode = ARM::t2BTI;
  99   unsigned MIFlags = 0;
 100
 101   // Skip meta instructions, including EH labels
 102   auto MBBI = llvm::find_if_not(MBB.instrs(), [](const MachineInstr &MI) {
 103     return MI.isMetaInstruction();
 104   });
 105
 106   // If this is the first BB in a function, check if it starts with a PAC
 107   // instruction and in that case remove the PAC instruction.
 108   if (IsFirstBB) {
 109     if (MBBI != MBB.instr_end() && MBBI->getOpcode() == ARM::t2PAC) {
 110       LLVM_DEBUG(dbgs() << "Removing a 'PAC' instr from BB '" << MBB.getName()
 111                         << "' to replace with PACBTI\n");
 112       OpCode = ARM::t2PACBTI;
 113       MIFlags = MachineInstr::FrameSetup;
 114       auto NextMBBI = std::next(MBBI);
 115       MBBI->eraseFromParent();
 116       MBBI = NextMBBI;
 117     }
 118   }
 119
 120   LLVM_DEBUG(dbgs() << "Inserting a '"
 121                     << (OpCode == ARM::t2BTI ? "BTI" : "PACBTI")
 122                     << "' instr into BB '" << MBB.getName() << "'\n");
 123   // Finally, insert a new instruction (either PAC or PACBTI)
 124   BuildMI(MBB, MBBI, MBB.findDebugLoc(MBBI), TII.get(OpCode))
 125       .setMIFlags(MIFlags);
 126 }