CFGuard.cpp
10.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
//===-- CFGuard.cpp - Control Flow Guard checks -----------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
///
/// \file
/// This file contains the IR transform to add Microsoft's Control Flow Guard
/// checks on Windows targets.
///
//===----------------------------------------------------------------------===//
#include "llvm/Transforms/CFGuard.h"
#include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/Statistic.h"
#include "llvm/ADT/Triple.h"
#include "llvm/IR/CallingConv.h"
#include "llvm/IR/IRBuilder.h"
#include "llvm/IR/Instruction.h"
#include "llvm/InitializePasses.h"
#include "llvm/Pass.h"
using namespace llvm;
using OperandBundleDef = OperandBundleDefT<Value *>;
#define DEBUG_TYPE "cfguard"
STATISTIC(CFGuardCounter, "Number of Control Flow Guard checks added");
namespace {
/// Adds Control Flow Guard (CFG) checks on indirect function calls/invokes.
/// These checks ensure that the target address corresponds to the start of an
/// address-taken function. X86_64 targets use the CF_Dispatch mechanism. X86,
/// ARM, and AArch64 targets use the CF_Check machanism.
class CFGuard : public FunctionPass {
public:
static char ID;
enum Mechanism { CF_Check, CF_Dispatch };
// Default constructor required for the INITIALIZE_PASS macro.
CFGuard() : FunctionPass(ID) {
initializeCFGuardPass(*PassRegistry::getPassRegistry());
// By default, use the guard check mechanism.
GuardMechanism = CF_Check;
}
// Recommended constructor used to specify the type of guard mechanism.
CFGuard(Mechanism Var) : FunctionPass(ID) {
initializeCFGuardPass(*PassRegistry::getPassRegistry());
GuardMechanism = Var;
}
/// Inserts a Control Flow Guard (CFG) check on an indirect call using the CFG
/// check mechanism. When the image is loaded, the loader puts the appropriate
/// guard check function pointer in the __guard_check_icall_fptr global
/// symbol. This checks that the target address is a valid address-taken
/// function. The address of the target function is passed to the guard check
/// function in an architecture-specific register (e.g. ECX on 32-bit X86,
/// X15 on Aarch64, and R0 on ARM). The guard check function has no return
/// value (if the target is invalid, the guard check funtion will raise an
/// error).
///
/// For example, the following LLVM IR:
/// \code
/// %func_ptr = alloca i32 ()*, align 8
/// store i32 ()* @target_func, i32 ()** %func_ptr, align 8
/// %0 = load i32 ()*, i32 ()** %func_ptr, align 8
/// %1 = call i32 %0()
/// \endcode
///
/// is transformed to:
/// \code
/// %func_ptr = alloca i32 ()*, align 8
/// store i32 ()* @target_func, i32 ()** %func_ptr, align 8
/// %0 = load i32 ()*, i32 ()** %func_ptr, align 8
/// %1 = load void (i8*)*, void (i8*)** @__guard_check_icall_fptr
/// %2 = bitcast i32 ()* %0 to i8*
/// call cfguard_checkcc void %1(i8* %2)
/// %3 = call i32 %0()
/// \endcode
///
/// For example, the following X86 assembly code:
/// \code
/// movl $_target_func, %eax
/// calll *%eax
/// \endcode
///
/// is transformed to:
/// \code
/// movl $_target_func, %ecx
/// calll *___guard_check_icall_fptr
/// calll *%ecx
/// \endcode
///
/// \param CB indirect call to instrument.
void insertCFGuardCheck(CallBase *CB);
/// Inserts a Control Flow Guard (CFG) check on an indirect call using the CFG
/// dispatch mechanism. When the image is loaded, the loader puts the
/// appropriate guard check function pointer in the
/// __guard_dispatch_icall_fptr global symbol. This checks that the target
/// address is a valid address-taken function and, if so, tail calls the
/// target. The target address is passed in an architecture-specific register
/// (e.g. RAX on X86_64), with all other arguments for the target function
/// passed as usual.
///
/// For example, the following LLVM IR:
/// \code
/// %func_ptr = alloca i32 ()*, align 8
/// store i32 ()* @target_func, i32 ()** %func_ptr, align 8
/// %0 = load i32 ()*, i32 ()** %func_ptr, align 8
/// %1 = call i32 %0()
/// \endcode
///
/// is transformed to:
/// \code
/// %func_ptr = alloca i32 ()*, align 8
/// store i32 ()* @target_func, i32 ()** %func_ptr, align 8
/// %0 = load i32 ()*, i32 ()** %func_ptr, align 8
/// %1 = load i32 ()*, i32 ()** @__guard_dispatch_icall_fptr
/// %2 = call i32 %1() [ "cfguardtarget"(i32 ()* %0) ]
/// \endcode
///
/// For example, the following X86_64 assembly code:
/// \code
/// leaq target_func(%rip), %rax
/// callq *%rax
/// \endcode
///
/// is transformed to:
/// \code
/// leaq target_func(%rip), %rax
/// callq *__guard_dispatch_icall_fptr(%rip)
/// \endcode
///
/// \param CB indirect call to instrument.
void insertCFGuardDispatch(CallBase *CB);
bool doInitialization(Module &M) override;
bool runOnFunction(Function &F) override;
private:
// Only add checks if the module has the cfguard=2 flag.
int cfguard_module_flag = 0;
Mechanism GuardMechanism = CF_Check;
FunctionType *GuardFnType = nullptr;
PointerType *GuardFnPtrType = nullptr;
Constant *GuardFnGlobal = nullptr;
};
} // end anonymous namespace
void CFGuard::insertCFGuardCheck(CallBase *CB) {
assert(Triple(CB->getModule()->getTargetTriple()).isOSWindows() &&
"Only applicable for Windows targets");
assert(CB->isIndirectCall() &&
"Control Flow Guard checks can only be added to indirect calls");
IRBuilder<> B(CB);
Value *CalledOperand = CB->getCalledOperand();
// Load the global symbol as a pointer to the check function.
LoadInst *GuardCheckLoad = B.CreateLoad(GuardFnPtrType, GuardFnGlobal);
// Create new call instruction. The CFGuard check should always be a call,
// even if the original CallBase is an Invoke or CallBr instruction.
CallInst *GuardCheck =
B.CreateCall(GuardFnType, GuardCheckLoad,
{B.CreateBitCast(CalledOperand, B.getInt8PtrTy())});
// Ensure that the first argument is passed in the correct register
// (e.g. ECX on 32-bit X86 targets).
GuardCheck->setCallingConv(CallingConv::CFGuard_Check);
}
void CFGuard::insertCFGuardDispatch(CallBase *CB) {
assert(Triple(CB->getModule()->getTargetTriple()).isOSWindows() &&
"Only applicable for Windows targets");
assert(CB->isIndirectCall() &&
"Control Flow Guard checks can only be added to indirect calls");
IRBuilder<> B(CB);
Value *CalledOperand = CB->getCalledOperand();
Type *CalledOperandType = CalledOperand->getType();
// Cast the guard dispatch global to the type of the called operand.
PointerType *PTy = PointerType::get(CalledOperandType, 0);
if (GuardFnGlobal->getType() != PTy)
GuardFnGlobal = ConstantExpr::getBitCast(GuardFnGlobal, PTy);
// Load the global as a pointer to a function of the same type.
LoadInst *GuardDispatchLoad = B.CreateLoad(CalledOperandType, GuardFnGlobal);
// Add the original call target as a cfguardtarget operand bundle.
SmallVector<llvm::OperandBundleDef, 1> Bundles;
CB->getOperandBundlesAsDefs(Bundles);
Bundles.emplace_back("cfguardtarget", CalledOperand);
// Create a copy of the call/invoke instruction and add the new bundle.
CallBase *NewCB;
if (CallInst *CI = dyn_cast<CallInst>(CB)) {
NewCB = CallInst::Create(CI, Bundles, CB);
} else {
assert(isa<InvokeInst>(CB) && "Unknown indirect call type");
InvokeInst *II = cast<InvokeInst>(CB);
NewCB = llvm::InvokeInst::Create(II, Bundles, CB);
}
// Change the target of the call to be the guard dispatch function.
NewCB->setCalledOperand(GuardDispatchLoad);
// Replace the original call/invoke with the new instruction.
CB->replaceAllUsesWith(NewCB);
// Delete the original call/invoke.
CB->eraseFromParent();
}
bool CFGuard::doInitialization(Module &M) {
// Check if this module has the cfguard flag and read its value.
if (auto *MD =
mdconst::extract_or_null<ConstantInt>(M.getModuleFlag("cfguard")))
cfguard_module_flag = MD->getZExtValue();
// Skip modules for which CFGuard checks have been disabled.
if (cfguard_module_flag != 2)
return false;
// Set up prototypes for the guard check and dispatch functions.
GuardFnType = FunctionType::get(Type::getVoidTy(M.getContext()),
{Type::getInt8PtrTy(M.getContext())}, false);
GuardFnPtrType = PointerType::get(GuardFnType, 0);
// Get or insert the guard check or dispatch global symbols.
if (GuardMechanism == CF_Check) {
GuardFnGlobal =
M.getOrInsertGlobal("__guard_check_icall_fptr", GuardFnPtrType);
} else {
assert(GuardMechanism == CF_Dispatch && "Invalid CFGuard mechanism");
GuardFnGlobal =
M.getOrInsertGlobal("__guard_dispatch_icall_fptr", GuardFnPtrType);
}
return true;
}
bool CFGuard::runOnFunction(Function &F) {
// Skip modules for which CFGuard checks have been disabled.
if (cfguard_module_flag != 2)
return false;
SmallVector<CallBase *, 8> IndirectCalls;
// Iterate over the instructions to find all indirect call/invoke/callbr
// instructions. Make a separate list of pointers to indirect
// call/invoke/callbr instructions because the original instructions will be
// deleted as the checks are added.
for (BasicBlock &BB : F.getBasicBlockList()) {
for (Instruction &I : BB.getInstList()) {
auto *CB = dyn_cast<CallBase>(&I);
if (CB && CB->isIndirectCall() && !CB->hasFnAttr("guard_nocf")) {
IndirectCalls.push_back(CB);
CFGuardCounter++;
}
}
}
// If no checks are needed, return early.
if (IndirectCalls.empty()) {
return false;
}
// For each indirect call/invoke, add the appropriate dispatch or check.
if (GuardMechanism == CF_Dispatch) {
for (CallBase *CB : IndirectCalls) {
insertCFGuardDispatch(CB);
}
} else {
for (CallBase *CB : IndirectCalls) {
insertCFGuardCheck(CB);
}
}
return true;
}
char CFGuard::ID = 0;
INITIALIZE_PASS(CFGuard, "CFGuard", "CFGuard", false, false)
FunctionPass *llvm::createCFGuardCheckPass() {
return new CFGuard(CFGuard::CF_Check);
}
FunctionPass *llvm::createCFGuardDispatchPass() {
return new CFGuard(CFGuard::CF_Dispatch);
}