doxygen/X86IndirectThunks_8cpp_source.html

//==- X86IndirectThunks.cpp - Construct indirect call/jump thunks for x86  --=//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//

/// \file

///

/// Pass that injects an MI thunk that is used to lower indirect calls in a way

/// that prevents speculation on some x86 processors and can be used to mitigate

/// security vulnerabilities due to targeted speculative execution and side

/// channels such as CVE-2017-5715.

///

/// Currently supported thunks include:

/// - Retpoline -- A RET-implemented trampoline that lowers indirect calls

/// - LVI Thunk -- A CALL/JMP-implemented thunk that forces load serialization

///   before making an indirect call/jump

///

/// Note that the reason that this is implemented as a MachineFunctionPass and

/// not a ModulePass is that ModulePasses at this point in the LLVM X86 pipeline

/// serialize all transformations, which can consume lots of memory.

///

/// TODO(chandlerc): All of this code could use better comments and

/// documentation.

///

//===----------------------------------------------------------------------===//


#include "X86.h"

#include "X86InstrBuilder.h"

#include "X86Subtarget.h"

#include "llvm/CodeGen/IndirectThunks.h"

#include "llvm/CodeGen/MachineFunction.h"

#include "llvm/CodeGen/MachineInstrBuilder.h"

#include "llvm/CodeGen/MachineModuleInfo.h"

#include "llvm/CodeGen/Passes.h"

#include "llvm/CodeGen/TargetPassConfig.h"

#include "llvm/IR/Instructions.h"

#include "llvm/Target/TargetMachine.h"


using namespace llvm;


#define DEBUG_TYPE "x86-retpoline-thunks"


static const char RetpolineNamePrefix[] = "__llvm_retpoline_";

static const char R11RetpolineName[] = "__llvm_retpoline_r11";

static const char EAXRetpolineName[] = "__llvm_retpoline_eax";

static const char ECXRetpolineName[] = "__llvm_retpoline_ecx";

static const char EDXRetpolineName[] = "__llvm_retpoline_edx";

static const char EDIRetpolineName[] = "__llvm_retpoline_edi";


static const char LVIThunkNamePrefix[] = "__llvm_lvi_thunk_";

static const char R11LVIThunkName[] = "__llvm_lvi_thunk_r11";


namespace {

struct RetpolineThunkInserter : ThunkInserter<RetpolineThunkInserter> {

  const char *getThunkPrefix() { return RetpolineNamePrefix; }

  bool mayUseThunk(const MachineFunction &MF) {

    const auto &STI = MF.getSubtarget<X86Subtarget>();

    return (STI.useRetpolineIndirectCalls() ||

            STI.useRetpolineIndirectBranches()) &&

           !STI.useRetpolineExternalThunk();

  }

  bool insertThunks(MachineModuleInfo &MMI, MachineFunction &MF,

                    bool ExistingThunks);

  void populateThunk(MachineFunction &MF);

};


struct LVIThunkInserter : ThunkInserter<LVIThunkInserter> {

  const char *getThunkPrefix() { return LVIThunkNamePrefix; }

  bool mayUseThunk(const MachineFunction &MF) {

    return MF.getSubtarget<X86Subtarget>().useLVIControlFlowIntegrity();

  }

  bool insertThunks(MachineModuleInfo &MMI, MachineFunction &MF,

                    bool ExistingThunks) {

    if (ExistingThunks)

      return false;

    createThunkFunction(MMI, R11LVIThunkName);

    return true;

  }

  void populateThunk(MachineFunction &MF) {

    assert (MF.size() == 1);

    MachineBasicBlock *Entry = &MF.front();

    Entry->clear();


    // This code mitigates LVI by replacing each indirect call/jump with a

    // direct call/jump to a thunk that looks like:

    // ```

    // lfence

    // jmpq *%r11

    // ```

    // This ensures that if the value in register %r11 was loaded from memory,

    // then the value in %r11 is (architecturally) correct prior to the jump.

    const TargetInstrInfo *TII = MF.getSubtarget<X86Subtarget>().getInstrInfo();

    BuildMI(&MF.front(), DebugLoc(), TII->get(X86::LFENCE));

    BuildMI(&MF.front(), DebugLoc(), TII->get(X86::JMP64r)).addReg(X86::R11);

    MF.front().addLiveIn(X86::R11);

  }

};


class X86IndirectThunks

    : public ThunkInserterPass<RetpolineThunkInserter, LVIThunkInserter> {

public:

  static char ID;


  X86IndirectThunks() : ThunkInserterPass(ID) {}


  StringRef getPassName() const override { return "X86 Indirect Thunks"; }

};


} // end anonymous namespace


bool RetpolineThunkInserter::insertThunks(MachineModuleInfo &MMI,

                                          MachineFunction &MF,

                                          bool ExistingThunks) {

  if (ExistingThunks)

    return false;

  if (MMI.getTarget().getTargetTriple().getArch() == Triple::x86_64)

    createThunkFunction(MMI, R11RetpolineName);

  else

    for (StringRef Name : {EAXRetpolineName, ECXRetpolineName, EDXRetpolineName,

                           EDIRetpolineName})

      createThunkFunction(MMI, Name);

  return true;

}


void RetpolineThunkInserter::populateThunk(MachineFunction &MF) {

  bool Is64Bit = MF.getTarget().getTargetTriple().getArch() == Triple::x86_64;

  Register ThunkReg;

  if (Is64Bit) {

    assert(MF.getName() == "__llvm_retpoline_r11" &&

           "Should only have an r11 thunk on 64-bit targets");


    // __llvm_retpoline_r11:

    //   callq .Lr11_call_target

    // .Lr11_capture_spec:

    //   pause

    //   lfence

    //   jmp .Lr11_capture_spec

    // .align 16

    // .Lr11_call_target:

    //   movq %r11, (%rsp)

    //   retq

    ThunkReg = X86::R11;

  } else {

    // For 32-bit targets we need to emit a collection of thunks for various

    // possible scratch registers as well as a fallback that uses EDI, which is

    // normally callee saved.

    //   __llvm_retpoline_eax:

    //         calll .Leax_call_target

    //   .Leax_capture_spec:

    //         pause

    //         jmp .Leax_capture_spec

    //   .align 16

    //   .Leax_call_target:

    //         movl %eax, (%esp)  # Clobber return addr

    //         retl

    //

    //   __llvm_retpoline_ecx:

    //   ... # Same setup

    //         movl %ecx, (%esp)

    //         retl

    //

    //   __llvm_retpoline_edx:

    //   ... # Same setup

    //         movl %edx, (%esp)

    //         retl

    //

    //   __llvm_retpoline_edi:

    //   ... # Same setup

    //         movl %edi, (%esp)

    //         retl

    if (MF.getName() == EAXRetpolineName)

      ThunkReg = X86::EAX;

    else if (MF.getName() == ECXRetpolineName)

      ThunkReg = X86::ECX;

    else if (MF.getName() == EDXRetpolineName)

      ThunkReg = X86::EDX;

    else if (MF.getName() == EDIRetpolineName)

      ThunkReg = X86::EDI;

    else

      llvm_unreachable("Invalid thunk name on x86-32!");

  }


  const TargetInstrInfo *TII = MF.getSubtarget<X86Subtarget>().getInstrInfo();

  assert (MF.size() == 1);

  MachineBasicBlock *Entry = &MF.front();

  Entry->clear();


  MachineBasicBlock *CaptureSpec =

      MF.CreateMachineBasicBlock(Entry->getBasicBlock());

  MachineBasicBlock *CallTarget =

      MF.CreateMachineBasicBlock(Entry->getBasicBlock());

  MCSymbol *TargetSym = MF.getContext().createTempSymbol();

  MF.push_back(CaptureSpec);

  MF.push_back(CallTarget);


  const unsigned CallOpc = Is64Bit ? X86::CALL64pcrel32 : X86::CALLpcrel32;

  const unsigned RetOpc = Is64Bit ? X86::RET64 : X86::RET32;


  Entry->addLiveIn(ThunkReg);

  BuildMI(Entry, DebugLoc(), TII->get(CallOpc)).addSym(TargetSym);


  // The MIR verifier thinks that the CALL in the entry block will fall through

  // to CaptureSpec, so mark it as the successor. Technically, CaptureTarget is

  // the successor, but the MIR verifier doesn't know how to cope with that.

  Entry->addSuccessor(CaptureSpec);


  // In the capture loop for speculation, we want to stop the processor from

  // speculating as fast as possible. On Intel processors, the PAUSE instruction

  // will block speculation without consuming any execution resources. On AMD

  // processors, the PAUSE instruction is (essentially) a nop, so we also use an

  // LFENCE instruction which they have advised will stop speculation as well

  // with minimal resource utilization. We still end the capture with a jump to

  // form an infinite loop to fully guarantee that no matter what implementation

  // of the x86 ISA, speculating this code path never escapes.

  BuildMI(CaptureSpec, DebugLoc(), TII->get(X86::PAUSE));

  BuildMI(CaptureSpec, DebugLoc(), TII->get(X86::LFENCE));

  BuildMI(CaptureSpec, DebugLoc(), TII->get(X86::JMP_1)).addMBB(CaptureSpec);

  CaptureSpec->setMachineBlockAddressTaken();

  CaptureSpec->addSuccessor(CaptureSpec);


  CallTarget->addLiveIn(ThunkReg);

  CallTarget->setMachineBlockAddressTaken();

  CallTarget->setAlignment(Align(16));


  // Insert return address clobber

  const unsigned MovOpc = Is64Bit ? X86::MOV64mr : X86::MOV32mr;

  const Register SPReg = Is64Bit ? X86::RSP : X86::ESP;

  addRegOffset(BuildMI(CallTarget, DebugLoc(), TII->get(MovOpc)), SPReg, false,

               0)

      .addReg(ThunkReg);


  CallTarget->back().setPreInstrSymbol(MF, TargetSym);

  BuildMI(CallTarget, DebugLoc(), TII->get(RetOpc));

}


FunctionPass *llvm::createX86IndirectThunksPass() {

  return new X86IndirectThunks();

}


char X86IndirectThunks::ID = 0;

Passes.h

Name
std::string Name
Definition: ELFObjHandler.cpp:77

TII
const HexagonInstrInfo * TII
Definition: HexagonCopyToCombine.cpp:125

IndirectThunks.h
Contains a base ThunkInserter class that simplifies injection of MI thunks as well as a default imple...

Instructions.h

MachineFunction.h

MachineInstrBuilder.h

MachineModuleInfo.h

SPReg
static constexpr Register SPReg
Definition: RISCVFrameLowering.cpp:108

assert
assert(ImpDefSCC.getReg()==AMDGPU::SCC &&ImpDefSCC.isDef())

TargetPassConfig.h
Target-Independent Code Generator Pass Configuration Options pass.

ECXRetpolineName
static const char ECXRetpolineName[]
Definition: X86IndirectThunks.cpp:48

RetpolineNamePrefix
static const char RetpolineNamePrefix[]
Definition: X86IndirectThunks.cpp:45

EDIRetpolineName
static const char EDIRetpolineName[]
Definition: X86IndirectThunks.cpp:50

LVIThunkNamePrefix
static const char LVIThunkNamePrefix[]
Definition: X86IndirectThunks.cpp:52

EDXRetpolineName
static const char EDXRetpolineName[]
Definition: X86IndirectThunks.cpp:49

EAXRetpolineName
static const char EAXRetpolineName[]
Definition: X86IndirectThunks.cpp:47

R11LVIThunkName
static const char R11LVIThunkName[]
Definition: X86IndirectThunks.cpp:53

R11RetpolineName
static const char R11RetpolineName[]
Definition: X86IndirectThunks.cpp:46

X86InstrBuilder.h

X86Subtarget.h

X86.h

llvm::DebugLoc
A debug info location.
Definition: DebugLoc.h:33

llvm::FunctionPass
FunctionPass class - This class is used to implement most global optimizations.
Definition: Pass.h:310

llvm::MCContext::createTempSymbol
MCSymbol * createTempSymbol()
Create a temporary symbol with a unique name.
Definition: MCContext.cpp:345

llvm::MCSymbol
MCSymbol - Instances of this class represent a symbol name in the MC file, and MCSymbols are created ...
Definition: MCSymbol.h:41

llvm::MachineBasicBlock
Definition: MachineBasicBlock.h:125

llvm::MachineBasicBlock::setAlignment
void setAlignment(Align A)
Set alignment of the basic block.
Definition: MachineBasicBlock.h:617

llvm::MachineBasicBlock::addSuccessor
void addSuccessor(MachineBasicBlock *Succ, BranchProbability Prob=BranchProbability::getUnknown())
Add Succ as a successor of this MachineBasicBlock.
Definition: MachineBasicBlock.cpp:798

llvm::MachineBasicBlock::addLiveIn
void addLiveIn(MCRegister PhysReg, LaneBitmask LaneMask=LaneBitmask::getAll())
Adds the specified register as a live in.
Definition: MachineBasicBlock.h:456

llvm::MachineBasicBlock::back
MachineInstr & back()
Definition: MachineBasicBlock.h:335

llvm::MachineBasicBlock::setMachineBlockAddressTaken
void setMachineBlockAddressTaken()
Set this block to indicate that its address is used as something other than the target of a terminato...
Definition: MachineBasicBlock.h:297

llvm::MachineFunction
Definition: MachineFunction.h:258

llvm::MachineFunction::getSubtarget
const TargetSubtargetInfo & getSubtarget() const
getSubtarget - Return the subtarget for which this machine code is being compiled.
Definition: MachineFunction.h:714

llvm::MachineFunction::getName
StringRef getName() const
getName - Return the name of the corresponding LLVM function.
Definition: MachineFunction.cpp:640

llvm::MachineFunction::push_back
void push_back(MachineBasicBlock *MBB)
Definition: MachineFunction.h:945

llvm::MachineFunction::getContext
MCContext & getContext() const
Definition: MachineFunction.h:671

llvm::MachineFunction::size
unsigned size() const
Definition: MachineFunction.h:938

llvm::MachineFunction::front
const MachineBasicBlock & front() const
Definition: MachineFunction.h:940

llvm::MachineFunction::CreateMachineBasicBlock
MachineBasicBlock * CreateMachineBasicBlock(const BasicBlock *BB=nullptr, std::optional< UniqueBBID > BBID=std::nullopt)
CreateMachineBasicBlock - Allocate a new MachineBasicBlock.
Definition: MachineFunction.cpp:494

llvm::MachineFunction::getTarget
const TargetMachine & getTarget() const
getTarget - Return the target machine this machine code is compiled with
Definition: MachineFunction.h:710

llvm::MachineInstrBuilder::addSym
const MachineInstrBuilder & addSym(MCSymbol *Sym, unsigned char TargetFlags=0) const
Definition: MachineInstrBuilder.h:269

llvm::MachineInstrBuilder::addReg
const MachineInstrBuilder & addReg(Register RegNo, unsigned flags=0, unsigned SubReg=0) const
Add a new virtual register operand.
Definition: MachineInstrBuilder.h:99

llvm::MachineInstrBuilder::addMBB
const MachineInstrBuilder & addMBB(MachineBasicBlock *MBB, unsigned TargetFlags=0) const
Definition: MachineInstrBuilder.h:148

llvm::MachineInstr::setPreInstrSymbol
void setPreInstrSymbol(MachineFunction &MF, MCSymbol *Symbol)
Set a symbol that will be emitted just prior to the instruction itself.
Definition: MachineInstr.cpp:476

llvm::MachineModuleInfo
This class contains meta information specific to a module.
Definition: MachineModuleInfo.h:82

llvm::MachineModuleInfo::getTarget
const TargetMachine & getTarget() const
Definition: MachineModuleInfo.h:123

llvm::Pass::getPassName
virtual StringRef getPassName() const
getPassName - Return a nice clean name for a pass.
Definition: Pass.cpp:81

llvm::Register
Wrapper class representing virtual and physical registers.
Definition: Register.h:19

llvm::StringRef
StringRef - Represent a constant reference to a string, i.e.
Definition: StringRef.h:51

llvm::TargetInstrInfo
TargetInstrInfo - Interface to description of machine instruction set.
Definition: TargetInstrInfo.h:112

llvm::TargetMachine::getTargetTriple
const Triple & getTargetTriple() const
Definition: TargetMachine.h:126

llvm::ThunkInserterPass
Basic implementation of MachineFunctionPass wrapping one or more ThunkInserters passed as type parame...
Definition: IndirectThunks.h:189

llvm::ThunkInserter
This class assists in inserting MI thunk functions into the module and rewriting the existing machine...
Definition: IndirectThunks.h:61

llvm::ThunkInserter::mayUseThunk
bool mayUseThunk(const MachineFunction &MF)
Checks if MF may use thunks (true - maybe, false - definitely not).

llvm::ThunkInserter::createThunkFunction
void createThunkFunction(MachineModuleInfo &MMI, StringRef Name, bool Comdat=true, StringRef TargetAttrs="")
Create an empty thunk function.
Definition: IndirectThunks.h:119

llvm::ThunkInserter::insertThunks
InsertedThunksTy insertThunks(MachineModuleInfo &MMI, MachineFunction &MF, InsertedThunksTy ExistingThunks)
Rewrites the function if necessary, returns the set of thunks added.

llvm::ThunkInserter::getThunkPrefix
const char * getThunkPrefix()
Returns common prefix for thunk function's names.

llvm::ThunkInserter::populateThunk
void populateThunk(MachineFunction &MF)
Populate the thunk function with instructions.

llvm::Triple::x86_64
@ x86_64
Definition: Triple.h:86

llvm::Triple::getArch
ArchType getArch() const
Get the parsed architecture type of this triple.
Definition: Triple.h:383

llvm::X86Subtarget
Definition: X86Subtarget.h:53

unsigned

llvm_unreachable
#define llvm_unreachable(msg)
Marks that the current location is not supposed to be reachable.
Definition: ErrorHandling.h:143

TargetMachine.h

llvm::COFF::Entry
@ Entry
Definition: COFF.h:844

llvm::CallingConv::ID
unsigned ID
LLVM IR allows to use arbitrary numbers as calling convention identifiers.
Definition: CallingConv.h:24

llvm
This is an optimization pass for GlobalISel generic memory operations.
Definition: AddressRanges.h:18

llvm::BuildMI
MachineInstrBuilder BuildMI(MachineFunction &MF, const MIMetadata &MIMD, const MCInstrDesc &MCID)
Builder interface. Specify how to create the initial instruction itself.
Definition: MachineInstrBuilder.h:373

llvm::addRegOffset
static const MachineInstrBuilder & addRegOffset(const MachineInstrBuilder &MIB, unsigned Reg, bool isKill, int Offset)
addRegOffset - This function is used to add a memory reference of the form [Reg + Offset],...
Definition: X86InstrBuilder.h:157

llvm::createX86IndirectThunksPass
FunctionPass * createX86IndirectThunksPass()
This pass creates the thunks for the retpoline feature.
Definition: X86IndirectThunks.cpp:238

llvm::Align
This struct is a compact representation of a valid (non-zero power of two) alignment.
Definition: Alignment.h:39