| blob | 41d68b62eb8d7e47d427a73cfd80fcfed34d51d2 |
1 //===-- CFGuard.cpp - Control Flow Guard checks -----------------*- C++ -*-===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 ///
9 /// \file
10 /// This file contains the IR transform to add Microsoft's Control Flow Guard
11 /// checks on Windows targets.
12 ///
13 //===----------------------------------------------------------------------===//
36 /// Adds Control Flow Guard (CFG) checks on indirect function calls/invokes.
37 /// These checks ensure that the target address corresponds to the start of an
38 /// address-taken function. X86_64 targets use the Mechanism::Dispatch
39 /// mechanism. X86, ARM, and AArch64 targets use the Mechanism::Check machanism.
45 // Get or insert the guard check or dispatch global symbols.
53 }
54 }
56 /// Inserts a Control Flow Guard (CFG) check on an indirect call using the CFG
57 /// check mechanism. When the image is loaded, the loader puts the appropriate
58 /// guard check function pointer in the __guard_check_icall_fptr global
59 /// symbol. This checks that the target address is a valid address-taken
60 /// function. The address of the target function is passed to the guard check
61 /// function in an architecture-specific register (e.g. ECX on 32-bit X86,
62 /// X15 on Aarch64, and R0 on ARM). The guard check function has no return
63 /// value (if the target is invalid, the guard check funtion will raise an
64 /// error).
65 ///
66 /// For example, the following LLVM IR:
67 /// \code
68 /// %func_ptr = alloca i32 ()*, align 8
69 /// store i32 ()* @target_func, i32 ()** %func_ptr, align 8
70 /// %0 = load i32 ()*, i32 ()** %func_ptr, align 8
71 /// %1 = call i32 %0()
72 /// \endcode
73 ///
74 /// is transformed to:
75 /// \code
76 /// %func_ptr = alloca i32 ()*, align 8
77 /// store i32 ()* @target_func, i32 ()** %func_ptr, align 8
78 /// %0 = load i32 ()*, i32 ()** %func_ptr, align 8
79 /// %1 = load void (i8*)*, void (i8*)** @__guard_check_icall_fptr
80 /// %2 = bitcast i32 ()* %0 to i8*
81 /// call cfguard_checkcc void %1(i8* %2)
82 /// %3 = call i32 %0()
83 /// \endcode
84 ///
85 /// For example, the following X86 assembly code:
86 /// \code
87 /// movl $_target_func, %eax
88 /// calll *%eax
89 /// \endcode
90 ///
91 /// is transformed to:
92 /// \code
93 /// movl $_target_func, %ecx
94 /// calll *___guard_check_icall_fptr
95 /// calll *%ecx
96 /// \endcode
97 ///
98 /// \param CB indirect call to instrument.
101 /// Inserts a Control Flow Guard (CFG) check on an indirect call using the CFG
102 /// dispatch mechanism. When the image is loaded, the loader puts the
103 /// appropriate guard check function pointer in the
104 /// __guard_dispatch_icall_fptr global symbol. This checks that the target
105 /// address is a valid address-taken function and, if so, tail calls the
106 /// target. The target address is passed in an architecture-specific register
107 /// (e.g. RAX on X86_64), with all other arguments for the target function
108 /// passed as usual.
109 ///
110 /// For example, the following LLVM IR:
111 /// \code
112 /// %func_ptr = alloca i32 ()*, align 8
113 /// store i32 ()* @target_func, i32 ()** %func_ptr, align 8
114 /// %0 = load i32 ()*, i32 ()** %func_ptr, align 8
115 /// %1 = call i32 %0()
116 /// \endcode
117 ///
118 /// is transformed to:
119 /// \code
120 /// %func_ptr = alloca i32 ()*, align 8
121 /// store i32 ()* @target_func, i32 ()** %func_ptr, align 8
122 /// %0 = load i32 ()*, i32 ()** %func_ptr, align 8
123 /// %1 = load i32 ()*, i32 ()** @__guard_dispatch_icall_fptr
124 /// %2 = call i32 %1() [ "cfguardtarget"(i32 ()* %0) ]
125 /// \endcode
126 ///
127 /// For example, the following X86_64 assembly code:
128 /// \code
129 /// leaq target_func(%rip), %rax
130 /// callq *%rax
131 /// \endcode
132 ///
133 /// is transformed to:
134 /// \code
135 /// leaq target_func(%rip), %rax
136 /// callq *__guard_dispatch_icall_fptr(%rip)
137 /// \endcode
138 ///
139 /// \param CB indirect call to instrument.
146 // Only add checks if the module has the cfguard=2 flag.
148 StringRef GuardFnName;
153 };
156 CFGuardImpl Impl;
161 // Default constructor required for the INITIALIZE_PASS macro.
164 }
168 };
182 // If the indirect call is called within catchpad or cleanuppad,
183 // we need to copy "funclet" bundle of the call.
188 // Load the global symbol as a pointer to the check function.
191 // Create new call instruction. The CFGuard check should always be a call,
192 // even if the original CallBase is an Invoke or CallBr instruction.
196 // Ensure that the first argument is passed in the correct register
197 // (e.g. ECX on 32-bit X86 targets).
199 }
212 // Load the global as a pointer to a function of the same type.
215 // Add the original call target as a cfguardtarget operand bundle.
220 // Create a copy of the call/invoke instruction and add the new bundle.
225 // Change the target of the call to be the guard dispatch function.
228 // Replace the original call/invoke with the new instruction.
231 // Delete the original call/invoke.
233 }
237 // Check if this module has the cfguard flag and read its value.
242 // Skip modules for which CFGuard checks have been disabled.
246 // Set up prototypes for the guard check and dispatch functions.
247 GuardFnType =
255 GuardFnName);
258 });
261 }
265 // Skip modules for which CFGuard checks have been disabled.
271 // Iterate over the instructions to find all indirect call/invoke/callbr
272 // instructions. Make a separate list of pointers to indirect
273 // call/invoke/callbr instructions because the original instructions will be
274 // deleted as the checks are added.
280 CFGuardCounter++;
281 }
282 }
283 }
285 // If no checks are needed, return early.
288 }
290 // For each indirect call/invoke, add the appropriate dispatch or check.
294 }
298 }
299 }
302 }
309 }
316 }
320 }