1 //======- X86RetpolineThunks.cpp - Construct retpoline thunks for x86 --=====//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 /// \file
9 ///
10 /// Pass that injects an MI thunk implementing a "retpoline". This is
11 /// a RET-implemented trampoline that is used to lower indirect calls in a way
12 /// that prevents speculation on some x86 processors and can be used to mitigate
13 /// security vulnerabilities due to targeted speculative execution and side
14 /// channels such as CVE-2017-5715.
15 ///
16 /// TODO(chandlerc): All of this code could use better comments and
17 /// documentation.
18 ///
19 //===----------------------------------------------------------------------===//
20 
21 #include "X86.h"
22 #include "X86InstrBuilder.h"
23 #include "X86Subtarget.h"
27 #include "llvm/CodeGen/Passes.h"
29 #include "llvm/IR/IRBuilder.h"
30 #include "llvm/IR/Instructions.h"
31 #include "llvm/IR/Module.h"
33 #include "llvm/Support/Debug.h"
35 
36 using namespace llvm;
37 
38 #define DEBUG_TYPE "x86-retpoline-thunks"
39 
// Every thunk symbol carries this prefix; runOnMachineFunction relies on it to
// tell a thunk body apart from an ordinary function it merely visits.
static constexpr char ThunkNamePrefix[] = "__llvm_retpoline_";

// 64-bit targets emit a single thunk whose branch target travels in r11.
static constexpr char R11ThunkName[] = "__llvm_retpoline_r11";

// 32-bit targets emit one thunk per candidate scratch register; EDI is the
// fallback that is normally callee saved.
static constexpr char EAXThunkName[] = "__llvm_retpoline_eax";
static constexpr char ECXThunkName[] = "__llvm_retpoline_ecx";
static constexpr char EDXThunkName[] = "__llvm_retpoline_edx";
static constexpr char EDIThunkName[] = "__llvm_retpoline_edi";
46 
namespace {
/// Machine function pass that (a) materialises the retpoline thunk functions
/// in the module -- one r11 thunk on x86-64, one thunk per scratch register on
/// x86-32 -- and (b) fills each thunk's body with the speculation-capturing
/// CALL / PAUSE / LFENCE / JMP / MOV / RET sequence. Which of the two happens
/// for a given MachineFunction is decided by its name in runOnMachineFunction.
class X86RetpolineThunks : public MachineFunctionPass {
public:
  static char ID;

  X86RetpolineThunks() : MachineFunctionPass(ID) {}

  StringRef getPassName() const override { return "X86 Retpoline Thunks"; }

  /// Clears InsertedThunks so a fresh module gets its own thunks.
  bool doInitialization(Module &M) override;
  /// Inserts the thunk function(s) into the module, or populates the body of
  /// \p F when \p F is itself one of the thunks.
  bool runOnMachineFunction(MachineFunction &F) override;

  void getAnalysisUsage(AnalysisUsage &AU) const override {
  // NOTE(review): the body of this override is not shown on this page.
  }

private:
  // Per-function state, refreshed at the start of every runOnMachineFunction.
  MachineModuleInfo *MMI;
  const TargetMachine *TM;
  // True when the target triple's arch is x86_64; selects opcodes, the stack
  // pointer register and which set of thunks is emitted.
  bool Is64Bit;
  const X86Subtarget *STI;
  const X86InstrInfo *TII;

  // Set once the thunk function(s) have been added to the module so the module
  // is mutated at most once per doInitialization.
  bool InsertedThunks;

  /// Creates an empty IR function named \p Name in \p M (intended to carry the
  /// NoUnwind and Naked attributes) plus its MachineFunction and entry block.
  void createThunkFunction(Module &M, StringRef Name);
  /// Emits the store of \p Reg over the return-address slot at the stack top.
  void insertRegReturnAddrClobber(MachineBasicBlock &MBB, unsigned Reg);
  /// Replaces the body of \p MF with the retpoline sequence that returns
  /// through \p Reg.
  void populateThunk(MachineFunction &MF, unsigned Reg);
};

} // end anonymous namespace
80 
  // NOTE(review): the signature line of createX86RetpolineThunksPass() is not
  // shown on this page; only the body that allocates the pass object is.
  return new X86RetpolineThunks();
}
84 
// Pass identifier that the constructor hands to MachineFunctionPass; the
// stored value itself is never read in this file.
char X86RetpolineThunks::ID = 0;
86 
/// Resets the "thunks already emitted" marker so that runOnMachineFunction
/// inserts thunks again for the module \p M.
/// \returns false: the module is not modified here.
bool X86RetpolineThunks::doInitialization(Module &M) {
  (void)M; // Nothing in the module is touched at this point.
  InsertedThunks = false;
  return false;
}
91 
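/// Either injects the retpoline thunk function(s) into the module, or, when
/// \p MF is itself one of those thunks, fills it with the thunk's machine code.
///
/// The decision is made on the function's name:
///  * For an ordinary function, the subtarget is inspected: if retpolines are
///    requested for indirect calls or indirect branches and the external-thunk
///    feature is off, the thunk function(s) are created in the module. This is
///    done at most once per module (tracked by InsertedThunks); nothing is
///    emitted for subtargets that did not ask for retpolines.
///  * For a function whose name starts with ThunkNamePrefix, the body is
///    replaced by the retpoline sequence for the register named by the thunk.
///
/// \returns true if the module or \p MF was modified.
bool X86RetpolineThunks::runOnMachineFunction(MachineFunction &MF) {
  LLVM_DEBUG(dbgs() << getPassName() << '\n');

  TM = &MF.getTarget();
  STI = &MF.getSubtarget<X86Subtarget>();
  TII = STI->getInstrInfo();
  Is64Bit = TM->getTargetTriple().getArch() == Triple::x86_64;

  MMI = &getAnalysis<MachineModuleInfo>();
  // MachineModuleInfo only hands out a const Module, but creating the thunk
  // functions below requires mutating it; see the WARNING further down.
  Module &M = const_cast<Module &>(*MMI->getModule());

  // If this function is not a thunk, check to see if we need to insert
  // a thunk.
  if (!MF.getName().startswith(ThunkNamePrefix)) {
    // If we've already inserted a thunk, nothing else to do.
    if (InsertedThunks)
      return false;

    // Only add a thunk if one of the functions has the retpoline feature
    // enabled in its subtarget, and doesn't enable external thunks.
    // FIXME: Conditionalize on indirect calls so we don't emit a thunk when
    // nothing will end up calling it.
    // FIXME: It's a little silly to look at every function just to enumerate
    // the subtargets, but eventually we'll want to look at them for indirect
    // calls, so maybe this is OK.
    if ((!STI->useRetpolineIndirectCalls() &&
         !STI->useRetpolineIndirectBranches()) ||
        STI->useRetpolineExternalThunk())
      return false;

    // Otherwise, we need to insert the thunk.
    // WARNING: This is not really a well behaving thing to do in a function
    // pass. We extract the module and insert a new function (and machine
    // function) directly into the module.
    if (Is64Bit)
      createThunkFunction(M, R11ThunkName);
    else
      for (StringRef Name :
           {EAXThunkName, ECXThunkName, EDXThunkName, EDIThunkName})
        createThunkFunction(M, Name);
    InsertedThunks = true;
    return true;
  }

  // If this *is* a thunk function, we need to populate it with the correct MI.
  if (Is64Bit) {
    // Compare against the shared constant so this check cannot drift from the
    // name createThunkFunction was given above.
    assert(MF.getName() == R11ThunkName &&
           "Should only have an r11 thunk on 64-bit targets");

    // __llvm_retpoline_r11:
    //   callq .Lr11_call_target
    // .Lr11_capture_spec:
    //   pause
    //   lfence
    //   jmp .Lr11_capture_spec
    // .align 16
    // .Lr11_call_target:
    //   movq %r11, (%rsp)
    //   retq
    populateThunk(MF, X86::R11);
  } else {
    // For 32-bit targets we need to emit a collection of thunks for various
    // possible scratch registers as well as a fallback that uses EDI, which is
    // normally callee saved. The capture loop is the same as on 64-bit
    // (populateThunk emits PAUSE and LFENCE for both).
    // __llvm_retpoline_eax:
    //   calll .Leax_call_target
    // .Leax_capture_spec:
    //   pause
    //   lfence
    //   jmp .Leax_capture_spec
    // .align 16
    // .Leax_call_target:
    //   movl %eax, (%esp)  # Clobber return addr
    //   retl
    //
    // __llvm_retpoline_ecx:
    // ... # Same setup
    //   movl %ecx, (%esp)
    //   retl
    //
    // __llvm_retpoline_edx:
    // ... # Same setup
    //   movl %edx, (%esp)
    //   retl
    //
    // __llvm_retpoline_edi:
    // ... # Same setup
    //   movl %edi, (%esp)
    //   retl
    if (MF.getName() == EAXThunkName)
      populateThunk(MF, X86::EAX);
    else if (MF.getName() == ECXThunkName)
      populateThunk(MF, X86::ECX);
    else if (MF.getName() == EDXThunkName)
      populateThunk(MF, X86::EDX);
    else if (MF.getName() == EDIThunkName)
      populateThunk(MF, X86::EDI);
    else
      llvm_unreachable("Invalid thunk name on x86-32!");
  }

  return true;
}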
194 
/// Creates the IR function and the corresponding (still empty) MachineFunction
/// for the thunk named \p Name in module \p M. The real body is written later
/// by populateThunk, once the pass reaches the thunk as a MachineFunction.
void X86RetpolineThunks::createThunkFunction(Module &M, StringRef Name) {
  assert(Name.startswith(ThunkNamePrefix) &&
         "Created a thunk with an unexpected prefix!");

  LLVMContext &Ctx = M.getContext();
  // The thunk takes no arguments and returns nothing at the IR level.
  auto Type = FunctionType::get(Type::getVoidTy(Ctx), false);
  // NOTE(review): the Function::Create call (linkage, visibility) and the
  // addAttributes line that applies the builder below are not shown on this
  // page.
  Function *F =
  // Comdat named after the thunk -- presumably so copies emitted by several
  // object files fold together at link time; confirm against the linkage used.
  F->setComdat(M.getOrInsertComdat(Name));

  // Add Attributes so that we don't create a frame, unwind information, or
  // inline.
  AttrBuilder B;
  B.addAttribute(llvm::Attribute::NoUnwind);
  B.addAttribute(llvm::Attribute::Naked);

  // Populate our function a bit so that we can verify.
  BasicBlock *Entry = BasicBlock::Create(Ctx, "entry", F);
  IRBuilder<> Builder(Entry);

  // A lone 'ret void' keeps the IR well formed; populateThunk discards it.
  Builder.CreateRetVoid();

  // MachineFunctions/MachineBasicBlocks aren't created automatically for the
  // IR-level constructs we already made. Create them and insert them into the
  // module.
  MachineFunction &MF = MMI->getOrCreateMachineFunction(*F);
  MachineBasicBlock *EntryMBB = MF.CreateMachineBasicBlock(Entry);

  // Insert EntryMBB into MF. It's not in the module until we do this.
  MF.insert(MF.end(), EntryMBB);
}
228 
/// Emits `mov Reg, (sp)` into \p MBB: the return address sitting at the top of
/// the stack is overwritten with \p Reg, so the RET that follows transfers
/// control to the thunk's real indirect target instead of the capture loop.
void X86RetpolineThunks::insertRegReturnAddrClobber(MachineBasicBlock &MBB,
                                                    unsigned Reg) {
  unsigned StoreOpc;
  unsigned StackPtr;
  if (Is64Bit) {
    StoreOpc = X86::MOV64mr;
    StackPtr = X86::RSP;
  } else {
    StoreOpc = X86::MOV32mr;
    StackPtr = X86::ESP;
  }
  auto Store = BuildMI(&MBB, DebugLoc(), TII->get(StoreOpc));
  // Memory operand [StackPtr + 0], then the register being stored.
  addRegOffset(Store, StackPtr, /*isKill=*/false, /*Offset=*/0).addReg(Reg);
}
236 
/// Replaces whatever \p MF currently contains with the retpoline sequence
/// that returns through \p Reg:
///
///     call  .Lcall_target
///   .Lcapture_spec:
///     pause
///     lfence
///     jmp   .Lcapture_spec
///   .Lcall_target:          (aligned, see setAlignment below)
///     mov   Reg, (sp)
///     ret
///
/// The CALL pushes the address of the capture loop as its return address.
/// Speculation that follows the predicted return therefore lands in the
/// PAUSE/LFENCE/JMP loop and never escapes, while the architectural path
/// overwrites that return address with \p Reg and returns to the real target.
void X86RetpolineThunks::populateThunk(MachineFunction &MF,
                                       unsigned Reg) {
  // Set MF properties. We never use vregs...
  // NOTE(review): the statement that sets the properties is not shown on this
  // page.

  // Grab the entry MBB and erase any other blocks. O0 codegen appears to
  // generate two bbs for the entry block.
  MachineBasicBlock *Entry = &MF.front();
  Entry->clear();
  while (MF.size() > 1)
    MF.erase(std::next(MF.begin()));

  // Both new blocks are associated with the same IR block as the entry.
  MachineBasicBlock *CaptureSpec = MF.CreateMachineBasicBlock(Entry->getBasicBlock());
  MachineBasicBlock *CallTarget = MF.CreateMachineBasicBlock(Entry->getBasicBlock());
  // Temporary symbol that the CALL targets and that is attached to the first
  // instruction of CallTarget further down.
  MCSymbol *TargetSym = MF.getContext().createTempSymbol();
  MF.push_back(CaptureSpec);
  MF.push_back(CallTarget);

  const unsigned CallOpc = Is64Bit ? X86::CALL64pcrel32 : X86::CALLpcrel32;
  const unsigned RetOpc = Is64Bit ? X86::RETQ : X86::RETL;

  // Reg carries the indirect target into the thunk and is consumed in
  // CallTarget, so it must be live-in to both blocks on that path.
  Entry->addLiveIn(Reg);
  BuildMI(Entry, DebugLoc(), TII->get(CallOpc)).addSym(TargetSym);

  // The MIR verifier thinks that the CALL in the entry block will fall through
  // to CaptureSpec, so mark it as the successor. Technically, CaptureTarget is
  // the successor, but the MIR verifier doesn't know how to cope with that.
  Entry->addSuccessor(CaptureSpec);

  // In the capture loop for speculation, we want to stop the processor from
  // speculating as fast as possible. On Intel processors, the PAUSE instruction
  // will block speculation without consuming any execution resources. On AMD
  // processors, the PAUSE instruction is (essentially) a nop, so we also use an
  // LFENCE instruction which they have advised will stop speculation as well
  // with minimal resource utilization. We still end the capture with a jump to
  // form an infinite loop to fully guarantee that no matter what implementation
  // of the x86 ISA, speculating this code path never escapes.
  BuildMI(CaptureSpec, DebugLoc(), TII->get(X86::PAUSE));
  BuildMI(CaptureSpec, DebugLoc(), TII->get(X86::LFENCE));
  BuildMI(CaptureSpec, DebugLoc(), TII->get(X86::JMP_1)).addMBB(CaptureSpec);
  // The loop is entered via the CALL's return address, not a direct branch.
  CaptureSpec->setHasAddressTaken();
  CaptureSpec->addSuccessor(CaptureSpec);

  CallTarget->addLiveIn(Reg);
  // Reached through the CALL's symbol, so it has no CFG predecessor either.
  CallTarget->setHasAddressTaken();
  // Matches the ".align 16" in the sketch in runOnMachineFunction --
  // presumably a log2 byte alignment; confirm against setAlignment's contract.
  CallTarget->setAlignment(4);
  insertRegReturnAddrClobber(*CallTarget, Reg);
  // Attach TargetSym to the MOV just emitted so the CALL lands exactly on the
  // return-address clobber.
  CallTarget->back().setPreInstrSymbol(MF, TargetSym);
  BuildMI(CallTarget, DebugLoc(), TII->get(RetOpc));
}