File Manager

003 File Manager

Current Path: /usr/src/contrib/llvm-project/llvm/lib/Target/X86

usr / src / contrib / llvm-project / llvm / lib / Target / X86 /

📁 ..
📁 AsmParser
📁 Disassembler
📄 ImmutableGraph.h(15.15 KB)
📁 MCTargetDesc
📁 TargetInfo
📄 X86.h(7.41 KB)
📄 X86.td(68.44 KB)
📄 X86AsmPrinter.cpp(27.18 KB)
📄 X86AsmPrinter.h(5.96 KB)
📄 X86AvoidStoreForwardingBlocks.cpp(27.94 KB)
📄 X86AvoidTrailingCall.cpp(4.91 KB)
📄 X86CallFrameOptimization.cpp(23.07 KB)
📄 X86CallLowering.cpp(17.62 KB)
📄 X86CallLowering.h(1.74 KB)
📄 X86CallingConv.cpp(13.34 KB)
📄 X86CallingConv.h(1.09 KB)
📄 X86CallingConv.td(46.15 KB)
📄 X86CmovConversion.cpp(34.07 KB)
📄 X86CondBrFolding.cpp(18.4 KB)
📄 X86DiscriminateMemOps.cpp(7.11 KB)
📄 X86DomainReassignment.cpp(25.87 KB)
📄 X86EvexToVex.cpp(8.8 KB)
📄 X86ExpandPseudo.cpp(16.95 KB)
📄 X86FastISel.cpp(139.28 KB)
📄 X86FixupBWInsts.cpp(18.09 KB)
📄 X86FixupLEAs.cpp(24.44 KB)
📄 X86FixupSetCC.cpp(4.44 KB)
📄 X86FlagsCopyLowering.cpp(40.36 KB)
📄 X86FloatingPoint.cpp(62.66 KB)
📄 X86FrameLowering.cpp(138.71 KB)
📄 X86FrameLowering.h(11.64 KB)
📄 X86GenRegisterBankInfo.def(3.32 KB)
📄 X86ISelDAGToDAG.cpp(208.37 KB)
📄 X86ISelLowering.cpp(1.94 MB)
📄 X86ISelLowering.h(60.88 KB)
📄 X86IndirectBranchTracking.cpp(6.17 KB)
📄 X86IndirectThunks.cpp(9.78 KB)
📄 X86InsertPrefetch.cpp(9.64 KB)
📄 X86InsertWait.cpp(4.47 KB)
📄 X86Instr3DNow.td(5.24 KB)
📄 X86InstrAMX.td(5.6 KB)
📄 X86InstrAVX512.td(653.76 KB)
📄 X86InstrArithmetic.td(75.61 KB)
📄 X86InstrBuilder.h(8.45 KB)
📄 X86InstrCMovSetCC.td(5.76 KB)
📄 X86InstrCompiler.td(95.78 KB)
📄 X86InstrControl.td(20.53 KB)
📄 X86InstrExtension.td(11.64 KB)
📄 X86InstrFMA.td(33.23 KB)
📄 X86InstrFMA3Info.cpp(6.21 KB)
📄 X86InstrFMA3Info.h(3.25 KB)
📄 X86InstrFPStack.td(39.52 KB)
📄 X86InstrFoldTables.cpp(393.01 KB)
📄 X86InstrFoldTables.h(3.03 KB)
📄 X86InstrFormats.td(41.05 KB)
📄 X86InstrFragmentsSIMD.td(61.14 KB)
📄 X86InstrInfo.cpp(322.72 KB)
📄 X86InstrInfo.h(29.34 KB)
📄 X86InstrInfo.td(169.76 KB)
📄 X86InstrMMX.td(29.55 KB)
📄 X86InstrMPX.td(3.63 KB)
📄 X86InstrSGX.td(1.12 KB)
📄 X86InstrSSE.td(385.01 KB)
📄 X86InstrSVM.td(2.16 KB)
📄 X86InstrShiftRotate.td(49.56 KB)
📄 X86InstrSystem.td(34.03 KB)
📄 X86InstrTSX.td(2.1 KB)
📄 X86InstrVMX.td(3.53 KB)
📄 X86InstrVecCompiler.td(21.09 KB)
📄 X86InstrXOP.td(23.81 KB)
📄 X86InstructionSelector.cpp(61.11 KB)
📄 X86InterleavedAccess.cpp(32.7 KB)
📄 X86IntrinsicsInfo.h(73.96 KB)
📄 X86LegalizerInfo.cpp(15.6 KB)
📄 X86LegalizerInfo.h(1.65 KB)
📄 X86LoadValueInjectionLoadHardening.cpp(32.4 KB)
📄 X86LoadValueInjectionRetHardening.cpp(4.93 KB)
📄 X86MCInstLower.cpp(96.53 KB)
📄 X86MachineFunctionInfo.cpp(1.1 KB)
📄 X86MachineFunctionInfo.h(8.87 KB)
📄 X86MacroFusion.cpp(2.62 KB)
📄 X86MacroFusion.h(992 B)
📄 X86OptimizeLEAs.cpp(27.47 KB)
📄 X86PadShortFunction.cpp(7.33 KB)
📄 X86PartialReduction.cpp(15.46 KB)
📄 X86PfmCounters.td(10.18 KB)
📄 X86RegisterBankInfo.cpp(10.55 KB)
📄 X86RegisterBankInfo.h(2.87 KB)
📄 X86RegisterBanks.td(629 B)
📄 X86RegisterInfo.cpp(29 KB)
📄 X86RegisterInfo.h(5.61 KB)
📄 X86RegisterInfo.td(26.07 KB)
📄 X86SchedBroadwell.td(69.45 KB)
📄 X86SchedHaswell.td(73.96 KB)
📄 X86SchedPredicates.td(4.23 KB)
📄 X86SchedSandyBridge.td(50 KB)
📄 X86SchedSkylakeClient.td(74.65 KB)
📄 X86SchedSkylakeServer.td(113.85 KB)
📄 X86Schedule.td(36.9 KB)
📄 X86ScheduleAtom.td(38.26 KB)
📄 X86ScheduleBdVer2.td(56.78 KB)
📄 X86ScheduleBtVer2.td(46.98 KB)
📄 X86ScheduleSLM.td(22.91 KB)
📄 X86ScheduleZnver1.td(48.97 KB)
📄 X86ScheduleZnver2.td(48.12 KB)
📄 X86SelectionDAGInfo.cpp(12.02 KB)
📄 X86SelectionDAGInfo.h(1.8 KB)
📄 X86ShuffleDecodeConstantPool.cpp(11.22 KB)
📄 X86ShuffleDecodeConstantPool.h(2.13 KB)
📄 X86SpeculativeExecutionSideEffectSuppression.cpp(6.97 KB)
📄 X86SpeculativeLoadHardening.cpp(93.16 KB)
📄 X86Subtarget.cpp(13.25 KB)
📄 X86Subtarget.h(32.08 KB)
📄 X86TargetMachine.cpp(18.88 KB)
📄 X86TargetMachine.h(2.04 KB)
📄 X86TargetObjectFile.cpp(2.61 KB)
📄 X86TargetObjectFile.h(2.13 KB)
📄 X86TargetTransformInfo.cpp(189.14 KB)
📄 X86TargetTransformInfo.h(9.63 KB)
📄 X86VZeroUpper.cpp(12.59 KB)
📄 X86WinAllocaExpander.cpp(9.54 KB)
📄 X86WinEHState.cpp(28.97 KB)

Editing: X86LoadValueInjectionRetHardening.cpp

//===-- X86LoadValueInjectionRetHardening.cpp - LVI RET hardening for x86 --==//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
///
/// Description: Replaces every `ret` instruction with the sequence:
/// ```
/// pop <scratch-reg>
/// lfence
/// jmp *<scratch-reg>
/// ```
/// where `<scratch-reg>` is some available scratch register, according to the
/// calling convention of the function being mitigated.
///
//===----------------------------------------------------------------------===//

#include "X86.h"
#include "X86InstrBuilder.h"
#include "X86Subtarget.h"
#include "llvm/ADT/Statistic.h"
#include "llvm/CodeGen/MachineBasicBlock.h"
#include "llvm/CodeGen/MachineFunction.h"
#include "llvm/CodeGen/MachineFunctionPass.h"
#include "llvm/CodeGen/MachineInstrBuilder.h"
#include "llvm/IR/Function.h"
#include "llvm/Support/Debug.h"
#include <bitset>

using namespace llvm;

#define PASS_KEY "x86-lvi-ret"
#define DEBUG_TYPE PASS_KEY

STATISTIC(NumFences, "Number of LFENCEs inserted for LVI mitigation");
STATISTIC(NumFunctionsConsidered, "Number of functions analyzed");
STATISTIC(NumFunctionsMitigated, "Number of functions for which mitigations "
                                 "were deployed");

namespace {

class X86LoadValueInjectionRetHardeningPass : public MachineFunctionPass {
public:
  X86LoadValueInjectionRetHardeningPass() : MachineFunctionPass(ID) {}
  StringRef getPassName() const override {
    return "X86 Load Value Injection (LVI) Ret-Hardening";
  }
  bool runOnMachineFunction(MachineFunction &MF) override;

static char ID;
};

} // end anonymous namespace

char X86LoadValueInjectionRetHardeningPass::ID = 0;

bool X86LoadValueInjectionRetHardeningPass::runOnMachineFunction(
    MachineFunction &MF) {
  LLVM_DEBUG(dbgs() << "***** " << getPassName() << " : " << MF.getName()
                    << " *****\n");
  const X86Subtarget *Subtarget = &MF.getSubtarget<X86Subtarget>();
  if (!Subtarget->useLVIControlFlowIntegrity() || !Subtarget->is64Bit())
    return false; // FIXME: support 32-bit

// Don't skip functions with the "optnone" attr but participate in opt-bisect.
  const Function &F = MF.getFunction();
  if (!F.hasOptNone() && skipFunction(F))
    return false;

++NumFunctionsConsidered;
  const X86RegisterInfo *TRI = Subtarget->getRegisterInfo();
  const X86InstrInfo *TII = Subtarget->getInstrInfo();
  unsigned ClobberReg = X86::NoRegister;
  std::bitset<X86::NUM_TARGET_REGS> UnclobberableGR64s;
  UnclobberableGR64s.set(X86::RSP); // can't clobber stack pointer
  UnclobberableGR64s.set(X86::RIP); // can't clobber instruction pointer
  UnclobberableGR64s.set(X86::RAX); // used for function return
  UnclobberableGR64s.set(X86::RDX); // used for function return

// We can clobber any register allowed by the function's calling convention.
  for (const MCPhysReg *PR = TRI->getCalleeSavedRegs(&MF); auto Reg = *PR; ++PR)
    UnclobberableGR64s.set(Reg);
  for (auto &Reg : X86::GR64RegClass) {
    if (!UnclobberableGR64s.test(Reg)) {
      ClobberReg = Reg;
      break;
    }
  }

if (ClobberReg != X86::NoRegister) {
    LLVM_DEBUG(dbgs() << "Selected register "
                      << Subtarget->getRegisterInfo()->getRegAsmName(ClobberReg)
                      << " to clobber\n");
  } else {
    LLVM_DEBUG(dbgs() << "Could not find a register to clobber\n");
  }

bool Modified = false;
  for (auto &MBB : MF) {
    if (MBB.empty())
      continue;

MachineInstr &MI = MBB.back();
    if (MI.getOpcode() != X86::RETQ)
      continue;

if (ClobberReg != X86::NoRegister) {
      MBB.erase_instr(&MI);
      BuildMI(MBB, MBB.end(), DebugLoc(), TII->get(X86::POP64r))
          .addReg(ClobberReg, RegState::Define)
          .setMIFlag(MachineInstr::FrameDestroy);
      BuildMI(MBB, MBB.end(), DebugLoc(), TII->get(X86::LFENCE));
      BuildMI(MBB, MBB.end(), DebugLoc(), TII->get(X86::JMP64r))
          .addReg(ClobberReg);
    } else {
      // In case there is no available scratch register, we can still read from
      // RSP to assert that RSP points to a valid page. The write to RSP is
      // also helpful because it verifies that the stack's write permissions
      // are intact.
      MachineInstr *Fence = BuildMI(MBB, MI, DebugLoc(), TII->get(X86::LFENCE));
      addRegOffset(BuildMI(MBB, Fence, DebugLoc(), TII->get(X86::SHL64mi)),
                   X86::RSP, false, 0)
          .addImm(0)
          ->addRegisterDead(X86::EFLAGS, TRI);
    }

++NumFences;
    Modified = true;
  }

if (Modified)
    ++NumFunctionsMitigated;
  return Modified;
}

INITIALIZE_PASS(X86LoadValueInjectionRetHardeningPass, PASS_KEY,
                "X86 LVI ret hardener", false, false)

FunctionPass *llvm::createX86LoadValueInjectionRetHardeningPass() {
  return new X86LoadValueInjectionRetHardeningPass();
}

003 File Manager

Editing: X86LoadValueInjectionRetHardening.cpp

Upload File

Create Folder