/Users/buildslave/jenkins/workspace/clang-stage2-coverage-R/llvm/lib/Target/X86/X86RetpolineThunks.cpp
1
//======- X86RetpolineThunks.cpp - Construct retpoline thunks for x86  --=====//
2
//
3
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4
// See https://llvm.org/LICENSE.txt for license information.
5
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6
//
7
//===----------------------------------------------------------------------===//
8
/// \file
9
///
10
/// Pass that injects an MI thunk implementing a "retpoline". This is
11
/// a RET-implemented trampoline that is used to lower indirect calls in a way
12
/// that prevents speculation on some x86 processors and can be used to mitigate
13
/// security vulnerabilities due to targeted speculative execution and side
14
/// channels such as CVE-2017-5715.
15
///
16
/// TODO(chandlerc): All of this code could use better comments and
17
/// documentation.
18
///
19
//===----------------------------------------------------------------------===//
20
21
#include "X86.h"
22
#include "X86InstrBuilder.h"
23
#include "X86Subtarget.h"
24
#include "llvm/CodeGen/MachineFunction.h"
25
#include "llvm/CodeGen/MachineInstrBuilder.h"
26
#include "llvm/CodeGen/MachineModuleInfo.h"
27
#include "llvm/CodeGen/Passes.h"
28
#include "llvm/CodeGen/TargetPassConfig.h"
29
#include "llvm/IR/IRBuilder.h"
30
#include "llvm/IR/Instructions.h"
31
#include "llvm/IR/Module.h"
32
#include "llvm/Support/CommandLine.h"
33
#include "llvm/Support/Debug.h"
34
#include "llvm/Support/raw_ostream.h"
35
36
using namespace llvm;
37
38
#define DEBUG_TYPE "x86-retpoline-thunks"
39
// Names of the thunk functions this pass synthesizes. Every thunk name starts
// with ThunkNamePrefix; runOnMachineFunction uses that prefix to tell thunk
// functions apart from ordinary ones.
static constexpr char ThunkNamePrefix[] = "__llvm_retpoline_";
// 64-bit targets get a single thunk that uses R11 as the scratch register.
static constexpr char R11ThunkName[] = "__llvm_retpoline_r11";
// 32-bit targets get one thunk per scratch register, plus EDI (normally
// callee-saved) as a fallback.
static constexpr char EAXThunkName[] = "__llvm_retpoline_eax";
static constexpr char ECXThunkName[] = "__llvm_retpoline_ecx";
static constexpr char EDXThunkName[] = "__llvm_retpoline_edx";
static constexpr char EDIThunkName[] = "__llvm_retpoline_edi";
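namespace {

/// Machine function pass that both creates the retpoline thunk functions and
/// fills in their machine code. It is run over every function: on an ordinary
/// function it decides (once per module) whether thunks must be added; on a
/// function whose name carries ThunkNamePrefix it emits the thunk body.
class X86RetpolineThunks : public MachineFunctionPass {
public:
  static char ID;

  X86RetpolineThunks() : MachineFunctionPass(ID) {}

  StringRef getPassName() const override { return "X86 Retpoline Thunks"; }

  bool doInitialization(Module &M) override;
  bool runOnMachineFunction(MachineFunction &F) override;

  void getAnalysisUsage(AnalysisUsage &AU) const override {
    MachineFunctionPass::getAnalysisUsage(AU);
    AU.addRequired<MachineModuleInfo>();
    AU.addPreserved<MachineModuleInfo>();
  }

private:
  // Per-function state, refreshed at the top of every runOnMachineFunction.
  // Default-initialized so that a use before that refresh reads null/false
  // instead of indeterminate memory.
  MachineModuleInfo *MMI = nullptr;
  const TargetMachine *TM = nullptr;
  bool Is64Bit = false;
  const X86Subtarget *STI = nullptr;
  const X86InstrInfo *TII = nullptr;

  // Set once the thunk function(s) have been inserted into the module; reset
  // by doInitialization.
  bool InsertedThunks = false;

  /// Create the IR function and the empty MachineFunction for thunk `Name`.
  void createThunkFunction(Module &M, StringRef Name);
  /// Emit the store that overwrites the return address on the stack with Reg.
  void insertRegReturnAddrClobber(MachineBasicBlock &MBB, unsigned Reg);
  /// Fill thunk function MF with the retpoline sequence for scratch Reg.
  void populateThunk(MachineFunction &MF, unsigned Reg);
};

} // end anonymous namespace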
/// Factory used by the X86 target to add the pass to its pipeline. The pass
/// is heap-allocated; ownership goes to the caller (the pass manager).
FunctionPass *llvm::createX86RetpolineThunksPass() {
  FunctionPass *Pass = new X86RetpolineThunks();
  return Pass;
}
// Definition of the pass identifier handed to MachineFunctionPass(ID) in the
// constructor above.
char X86RetpolineThunks::ID = 0;
/// Reset the per-module state before any function of the module is visited.
/// Returns false: the module itself is not touched here; the thunks are only
/// inserted lazily from runOnMachineFunction.
bool X86RetpolineThunks::doInitialization(Module &M) {
  (void)M; // Nothing at module level to inspect yet.
  InsertedThunks = false;
  return false;
}
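/// Per-function entry point. For an ordinary function this decides, once per
/// module, whether the retpoline thunk(s) have to be added to the module; for
/// a function whose name carries ThunkNamePrefix it emits the thunk body.
///
/// Returns true when the module (new thunk functions) or the thunk function
/// itself was modified.
bool X86RetpolineThunks::runOnMachineFunction(MachineFunction &MF) {
  LLVM_DEBUG(dbgs() << getPassName() << '\n');

  TM = &MF.getTarget();
  STI = &MF.getSubtarget<X86Subtarget>();
  TII = STI->getInstrInfo();
  Is64Bit = TM->getTargetTriple().getArch() == Triple::x86_64;

  MMI = &getAnalysis<MachineModuleInfo>();
  Module &M = const_cast<Module &>(*MMI->getModule());

  // Thunk name -> scratch register for the 32-bit thunks. One table serves
  // both the creation loop and the dispatch below, so the two cannot drift
  // apart. Order matters only for the creation order of the functions.
  struct ThunkInfo {
    const char *Name;
    unsigned Reg;
  };
  static const ThunkInfo Thunks32[] = {{EAXThunkName, X86::EAX},
                                       {ECXThunkName, X86::ECX},
                                       {EDXThunkName, X86::EDX},
                                       {EDIThunkName, X86::EDI}};

  // If this function is not a thunk, check to see if we need to insert
  // a thunk.
  if (!MF.getName().startswith(ThunkNamePrefix)) {
    // If we've already inserted a thunk, nothing else to do.
    if (InsertedThunks)
      return false;

    // Only add a thunk if one of the functions has the retpoline feature
    // enabled in its subtarget, and doesn't enable external thunks.
    // FIXME: Conditionalize on indirect calls so we don't emit a thunk when
    // nothing will end up calling it.
    // FIXME: It's a little silly to look at every function just to enumerate
    // the subtargets, but eventually we'll want to look at them for indirect
    // calls, so maybe this is OK.
    if ((!STI->useRetpolineIndirectCalls() &&
         !STI->useRetpolineIndirectBranches()) ||
        STI->useRetpolineExternalThunk())
      return false;

    // Otherwise, we need to insert the thunk.
    // WARNING: This is not really a well behaving thing to do in a function
    // pass. We extract the module and insert a new function (and machine
    // function) directly into the module.
    if (Is64Bit)
      createThunkFunction(M, R11ThunkName);
    else
      for (const ThunkInfo &T : Thunks32)
        createThunkFunction(M, T.Name);
    InsertedThunks = true;
    return true;
  }

  // If this *is* a thunk function, we need to populate it with the correct MI.
  if (Is64Bit) {
    assert(MF.getName() == R11ThunkName &&
           "Should only have an r11 thunk on 64-bit targets");

    // __llvm_retpoline_r11:
    //   callq .Lr11_call_target
    // .Lr11_capture_spec:
    //   pause
    //   lfence
    //   jmp .Lr11_capture_spec
    // .align 16
    // .Lr11_call_target:
    //   movq %r11, (%rsp)
    //   retq
    populateThunk(MF, X86::R11);
    return true;
  }

  // For 32-bit targets we need to emit a collection of thunks for various
  // possible scratch registers as well as a fallback that uses EDI, which is
  // normally callee saved.
  //   __llvm_retpoline_eax:
  //         calll .Leax_call_target
  //   .Leax_capture_spec:
  //         pause
  //         jmp .Leax_capture_spec
  //   .align 16
  //   .Leax_call_target:
  //         movl %eax, (%esp)  # Clobber return addr
  //         retl
  //
  //   __llvm_retpoline_ecx / _edx / _edi:
  //   ... # Same setup
  //         movl %ecx, (%esp)  # resp. %edx, %edi
  //         retl
  for (const ThunkInfo &T : Thunks32) {
    if (MF.getName() == T.Name) {
      populateThunk(MF, T.Reg);
      return true;
    }
  }
  // Every function with the thunk prefix must be one we created above.
  llvm_unreachable("Invalid thunk name on x86-32!");
}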
/// Create the IR-level function named `Name` together with its (still empty)
/// MachineFunction, so that populateThunk can later fill in the machine code.
/// The function is linkonce_odr, hidden and placed in its own comdat, so every
/// object file can carry a copy without causing duplicate-symbol errors.
void X86RetpolineThunks::createThunkFunction(Module &M, StringRef Name) {
  assert(Name.startswith(ThunkNamePrefix) &&
         "Created a thunk with an unexpected prefix!");

  LLVMContext &Ctx = M.getContext();
  // void() signature: the thunk takes no arguments and returns nothing.
  FunctionType *ThunkTy = FunctionType::get(Type::getVoidTy(Ctx), false);
  Function *Thunk =
      Function::Create(ThunkTy, GlobalValue::LinkOnceODRLinkage, Name, &M);
  Thunk->setVisibility(GlobalValue::HiddenVisibility);
  Thunk->setComdat(M.getOrInsertComdat(Name));

  // NoUnwind + Naked: no frame setup, no unwind information, and nothing that
  // could be inlined -- the machine code is hand-built in populateThunk.
  AttrBuilder Attrs;
  Attrs.addAttribute(llvm::Attribute::NoUnwind);
  Attrs.addAttribute(llvm::Attribute::Naked);
  Thunk->addAttributes(llvm::AttributeList::FunctionIndex, Attrs);

  // Give the IR function a minimal body (a lone `ret void`) so it verifies.
  BasicBlock *EntryBB = BasicBlock::Create(Ctx, "entry", Thunk);
  IRBuilder<> IRB(EntryBB);
  IRB.CreateRetVoid();

  // The IR constructs above do not get MachineFunction/MachineBasicBlock
  // counterparts automatically; create them and link the block into MF (it is
  // not part of the module until inserted).
  MachineFunction &MF = MMI->getOrCreateMachineFunction(*Thunk);
  MachineBasicBlock *EntryMBB = MF.CreateMachineBasicBlock(EntryBB);
  MF.insert(MF.end(), EntryMBB);
}
/// Append `mov Reg, (SP)` to MBB: overwrite the return address that the
/// thunk's CALL pushed with the value in Reg, so that the RET emitted right
/// after it transfers control to the real target instead.
void X86RetpolineThunks::insertRegReturnAddrClobber(MachineBasicBlock &MBB,
                                                    unsigned Reg) {
  unsigned StoreOpc;
  unsigned StackPtr;
  if (Is64Bit) {
    StoreOpc = X86::MOV64mr;
    StackPtr = X86::RSP;
  } else {
    StoreOpc = X86::MOV32mr;
    StackPtr = X86::ESP;
  }
  // Memory operand is [StackPtr + 0], i.e. the slot holding the return address.
  MachineInstrBuilder MIB = BuildMI(&MBB, DebugLoc(), TII->get(StoreOpc));
  addRegOffset(MIB, StackPtr, false, 0).addReg(Reg);
}
/// Fill the (already created, otherwise empty) thunk function MF with the
/// retpoline sequence for scratch register Reg. The resulting layout is:
///
///   Entry:        CALL CallTarget                  ; pushes &CaptureSpec
///   CaptureSpec:  PAUSE; LFENCE; JMP CaptureSpec   ; traps mis-speculation
///   CallTarget:   MOV Reg, (SP); RET               ; returns to target in Reg
///
/// Reg is assumed to already hold the real branch target on entry (it is
/// marked live-in in both blocks that read it). The code that lowers indirect
/// calls/branches to calls of this thunk is expected to set Reg up; that code
/// is not in this file -- verify against it.
void X86RetpolineThunks::populateThunk(MachineFunction &MF,
                                       unsigned Reg) {
  // Set MF properties. We never use vregs...
  MF.getProperties().set(MachineFunctionProperties::Property::NoVRegs);

  // Grab the entry MBB and erase any other blocks. O0 codegen appears to
  // generate two bbs for the entry block. Any instructions already in the
  // entry block are discarded as well; the body is rebuilt below.
  MachineBasicBlock *Entry = &MF.front();
  Entry->clear();
  while (MF.size() > 1)
    MF.erase(std::next(MF.begin()));

  // Both new blocks are attached to the same IR block as the entry. The push
  // order fixes the layout Entry -> CaptureSpec -> CallTarget, which the
  // fall-through reasoning further down relies on.
  MachineBasicBlock *CaptureSpec = MF.CreateMachineBasicBlock(Entry->getBasicBlock());
  MachineBasicBlock *CallTarget = MF.CreateMachineBasicBlock(Entry->getBasicBlock());
  // Symbol the entry CALL targets; it is pinned to CallTarget's first
  // instruction below.
  MCSymbol *TargetSym = MF.getContext().createTempSymbol();
  MF.push_back(CaptureSpec);
  MF.push_back(CallTarget);

  const unsigned CallOpc = Is64Bit ? X86::CALL64pcrel32 : X86::CALLpcrel32;
  const unsigned RetOpc = Is64Bit ? X86::RETQ : X86::RETL;

  Entry->addLiveIn(Reg);
  BuildMI(Entry, DebugLoc(), TII->get(CallOpc)).addSym(TargetSym);

  // The MIR verifier thinks that the CALL in the entry block will fall through
  // to CaptureSpec, so mark it as the successor. Technically, CallTarget is
  // the successor, but the MIR verifier doesn't know how to cope with that.
  Entry->addSuccessor(CaptureSpec);

  // In the capture loop for speculation, we want to stop the processor from
  // speculating as fast as possible. On Intel processors, the PAUSE instruction
  // will block speculation without consuming any execution resources. On AMD
  // processors, the PAUSE instruction is (essentially) a nop, so we also use an
  // LFENCE instruction which they have advised will stop speculation as well
  // with minimal resource utilization. We still end the capture with a jump to
  // form an infinite loop to fully guarantee that no matter what implementation
  // of the x86 ISA, speculating this code path never escapes.
  BuildMI(CaptureSpec, DebugLoc(), TII->get(X86::PAUSE));
  BuildMI(CaptureSpec, DebugLoc(), TII->get(X86::LFENCE));
  BuildMI(CaptureSpec, DebugLoc(), TII->get(X86::JMP_1)).addMBB(CaptureSpec);
  // The block is its own jump target: its address is taken and it is its only
  // successor.
  CaptureSpec->setHasAddressTaken();
  CaptureSpec->addSuccessor(CaptureSpec);

  // CallTarget reads Reg too (the store below), so Reg is live-in here as well.
  CallTarget->addLiveIn(Reg);
  CallTarget->setHasAddressTaken();
  // Log2 alignment as this API takes it: 4 -> 16 bytes, matching the
  // `.align 16` in the thunk sketch in runOnMachineFunction.
  CallTarget->setAlignment(4);
  // Overwrite the return address pushed by the entry CALL with Reg, pin
  // TargetSym to that store (the block's last instruction at this point) so the
  // CALL lands exactly there, then RET to the address now on the stack.
  insertRegReturnAddrClobber(*CallTarget, Reg);
  CallTarget->back().setPreInstrSymbol(MF, TargetSym);
  BuildMI(CallTarget, DebugLoc(), TII->get(RetOpc));
}