public inbox for gcc-bugs@sourceware.org
* [Bug rtl-optimization/102768] New: [feature request] Add support for aarch64 shadow call stack
From: ashimida at linux dot alibaba.com @ 2021-10-15  9:17 UTC
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768

            Bug ID: 102768
           Summary: [feature request] Add support for aarch64 shadow call
                    stack
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: rtl-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: ashimida at linux dot alibaba.com
  Target Milestone: ---

Shadow Call Stack can be used to protect the return address of a function at
runtime, and clang already supports this feature[1].

Linux kernel also recently had a submission to support Shadow Call Stack on
aarch64 through a gcc plugin[2].

Could we add similar support in gcc?

[1] https://clang.llvm.org/docs/ShadowCallStack.html
[2] https://patchwork.kernel.org/project/linux-hardening/patch/1634167668-60198-1-git-send-email-ashimida@linux.alibaba.com/


* [Bug target/102768] [feature request] Add support for aarch64 shadow call stack
From: pinskia at gcc dot gnu.org @ 2021-10-15 10:36 UTC
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |enhancement
          Component|rtl-optimization            |target


* [Bug target/102768] [feature request] Add support for aarch64 shadow call stack
From: nsz at gcc dot gnu.org @ 2021-10-15 15:59 UTC
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768

nsz at gcc dot gnu.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nsz at gcc dot gnu.org

--- Comment #1 from nsz at gcc dot gnu.org ---
note that this at least

 - requires runtime support (to manage the shadow stack),
 - needs a reserved register (x18),
 - affects unwinding (shadow stack must be unwound too),
 - affects longjmp and jmp_buf abi.

i guess these are taken care of in the linux context and in
that case i think it makes sense to have the gcc support
upstream instead of in a plugin.

however the general support in user-space is not trivial
(the required libc changes may not be possible in a backward
compatible way such as changing jmp_buf, or reliably such as
allocating the size of shadow stack and dealing with related
failures, or with good ui e.g. opt-in mechanism for binaries
that require shadow stack so there is no regression for
non-shadow-stack binaries, etc.) and there are existing stack
protection mechanisms implemented.

i just wanted to note here that the linux kernel use-case
can be treated separately from user-space applications and
likely less effort and less controversial if you scope the
feature right.


* [Bug target/102768] [feature request] Add support for aarch64 shadow call stack
From: ashimida at linux dot alibaba.com @ 2021-10-15 17:08 UTC
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768

--- Comment #2 from ashimida <ashimida at linux dot alibaba.com> ---
(In reply to nsz from comment #1)
> note that this at least
> 
>  - requires runtime support (to manage the shadow stack),
>  - needs a reserved register (x18),
>  - affects unwinding (shadow stack must be unwound too),
>  - affects longjmp and jmp_buf abi.
> 
> i guess these are taken care of in the linux context and in
> that case i think it makes sense to have the gcc support
> upstream instead of in a plugin.
> 
> however the general support in user-space is not trivial
> (the required libc changes may not be possible in a backward
> compatible way such as changing jmp_buf, or reliably such as
> allocating the size of shadow stack and dealing with related
> failures, or with good ui e.g. opt-in mechanism for binaries
> that require shadow stack so there is no regression for
> non-shadow-stack binaries, etc.) and there are existing stack
> protection mechanisms implemented.
> 
> i just wanted to note here that the linux kernel use-case
> can be treated separately from user-space applications and
> likely less effort and less controversial if you scope the
> feature right.

Thanks nsz,

As far as I know, existing security mechanisms such as stack 
canary usually do not achieve the same effect, and pac is not
always supported by hardware.

As you said, it will take a lot of trivial work to let the
user space support Shadow Call Stack, and Linux Kernel is ready
for this.

But Shadow Call Stack should be a general mechanism, just as 
Android can support Clang SCS by modifying bionic, gcc's basic
support for SCS can provide a lot of convenience for users
itself to implement user-mode SCS (users may not always need to
face all the above issues)

So what I want to say in the request is whether we can provide
SCS support in the compiler side as a good start.

Maybe it's better to modify the feature description as follows?
[feature request] Add compiler support for aarch64 shadow call
stack


* [Bug target/102768] [feature request] Add support for aarch64 shadow call stack
From: nsz at gcc dot gnu.org @ 2021-10-18 16:59 UTC
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768

--- Comment #3 from nsz at gcc dot gnu.org ---
well, protection mechanisms are rarely equivalent. neither scs nor
traditional stack protector are perfect.

to me compiler support for freestanding environments such as linux
makes sense. i cannot immediately tell if libc support would work.

(android is not a good indicator of what can be done in linux userspace:
the android abi is broken between releases while glibc is abi stable,
bionic can do hacks in longjmp/setcontext that is not acceptable in
glibc and android does not have mixed toolchain issues such as old
unwinder tries to unwind across a new binary.)


* [Bug target/102768] [feature request] Add compiler support for aarch64 shadow call stack
From: ashimida at linux dot alibaba.com @ 2021-11-02  7:08 UTC
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768

--- Comment #4 from ashimida <ashimida at linux dot alibaba.com> ---
RFC :) https://gcc.gnu.org/pipermail/gcc-patches/2021-November/583062.html


* [Bug target/102768] [feature request] Add compiler support for aarch64 shadow call stack
From: ashimida at linux dot alibaba.com @ 2021-11-23  8:12 UTC
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768

--- Comment #5 from ashimida <ashimida at linux dot alibaba.com> ---
Created attachment 51854
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=51854&action=edit
[RFC] Aarch64 add libgcc unwind support for shadow call stack


* [Bug target/102768] [feature request] Add compiler support for aarch64 shadow call stack
From: ashimida at linux dot alibaba.com @ 2021-11-26  7:10 UTC
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768

--- Comment #6 from ashimida <ashimida at linux dot alibaba.com> ---
RFC,v2: https://gcc.gnu.org/pipermail/gcc-patches/2021-November/585496.html


* [Bug target/102768] [feature request] Add compiler support for aarch64 shadow call stack
From: ashimida at linux dot alibaba.com @ 2021-12-06  2:49 UTC
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768

--- Comment #7 from ashimida <ashimida at linux dot alibaba.com> ---
Hi nsz,

Could you please review this patch :)

Link: https://gcc.gnu.org/pipermail/gcc-patches/2021-December/586204.html

Thanks,
-- Dan


* [Bug target/102768] [feature request] Add compiler support for aarch64 shadow call stack
From: ashimida at linux dot alibaba.com @ 2021-12-20  8:37 UTC
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768

--- Comment #8 from ashimida <ashimida at linux dot alibaba.com> ---
Gentle ping for this :), thanks.

https://gcc.gnu.org/pipermail/gcc-patches/2021-December/587185.html


* [Bug target/102768] [feature request] Add compiler support for aarch64 shadow call stack
From: nsz at gcc dot gnu.org @ 2022-02-22 12:43 UTC
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768

nsz at gcc dot gnu.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|UNCONFIRMED                 |RESOLVED
   Target Milestone|---                         |12.0

--- Comment #9 from nsz at gcc dot gnu.org ---
i'm closing this as fixed. open separate bugs for further improvements.

Fixed by

https://gcc.gnu.org/g:ce09ab17ddd21f73ff2caf6eec3b0ee9b0e1a11e

commit ce09ab17ddd21f73ff2caf6eec3b0ee9b0e1a11e
Author:     Dan Li <ashimida@linux.alibaba.com>
AuthorDate: 2022-02-21 20:01:14 +0000

    aarch64: Add compiler support for Shadow Call Stack

    Shadow Call Stack can be used to protect the return address of a
    function at runtime, and clang already supports this feature[1].

    To enable SCS in user mode, in addition to compiler, other support
    is also required (as discussed in [2]). This patch only adds basic
    support for SCS from the compiler side, and provides convenience
    for users to enable SCS.

    For linux kernel, only the support of the compiler is required.

    [1] https://clang.llvm.org/docs/ShadowCallStack.html
    [2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768

    Signed-off-by: Dan Li <ashimida@linux.alibaba.com>

    gcc/ChangeLog:

            * config/aarch64/aarch64.cc (SLOT_REQUIRED):
            Change wb_candidate[12] to wb_push_candidate[12].
            (aarch64_layout_frame): Likewise, and
            change callee_adjust when scs is enabled.
            (aarch64_save_callee_saves):
            Change wb_candidate[12] to wb_push_candidate[12].
            (aarch64_restore_callee_saves):
            Change wb_candidate[12] to wb_pop_candidate[12].
            (aarch64_get_separate_components):
            Change wb_candidate[12] to wb_push_candidate[12].
            (aarch64_expand_prologue): Push x30 onto SCS before it's
            pushed onto stack.
            (aarch64_expand_epilogue): Pop x30 from SCS, while
            preventing it from being popped from the regular stack again.
            (aarch64_override_options_internal): Add SCS compile option check.
            (TARGET_HAVE_SHADOW_CALL_STACK): New hook.
            * config/aarch64/aarch64.h (struct GTY): Add is_scs_enabled,
            wb_pop_candidate[12], and rename wb_candidate[12] to
            wb_push_candidate[12].
            * config/aarch64/aarch64.md (scs_push): New template.
            (scs_pop): Likewise.
            * doc/invoke.texi: Document -fsanitize=shadow-call-stack.
            * doc/tm.texi: Regenerate.
            * doc/tm.texi.in: Add hook have_shadow_call_stack.
            * flag-types.h (enum sanitize_code):
            Add SANITIZE_SHADOW_CALL_STACK.
            * opts.cc (parse_sanitizer_options): Add shadow-call-stack
            and exclude SANITIZE_SHADOW_CALL_STACK.
            * target.def: New hook.
            * toplev.cc (process_options): Add SCS compile option check.
            * ubsan.cc (ubsan_expand_null_ifn): Enum type conversion.

    gcc/testsuite/ChangeLog:

            * gcc.target/aarch64/shadow_call_stack_1.c: New test.
            * gcc.target/aarch64/shadow_call_stack_2.c: New test.
            * gcc.target/aarch64/shadow_call_stack_3.c: New test.
            * gcc.target/aarch64/shadow_call_stack_4.c: New test.
            * gcc.target/aarch64/shadow_call_stack_5.c: New test.
            * gcc.target/aarch64/shadow_call_stack_6.c: New test.
            * gcc.target/aarch64/shadow_call_stack_7.c: New test.
            * gcc.target/aarch64/shadow_call_stack_8.c: New test.
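
Added example, not part of the thread and not GCC code: a small C model of the prologue/epilogue behaviour the commit message describes (x30 pushed to the shadow stack, then popped from it instead of from the regular frame) and of the longjmp/jmp_buf concern raised in comment #1. The `scs` array, the `x18` index, `struct frame` and the addresses `0x1000`..`0x3000` are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not GCC code. x18 indexes a separate shadow stack;
   frame_lr is the copy of x30 that a function spills to its normal frame. */
#define SCS_DEPTH 16
static uintptr_t scs[SCS_DEPTH];
static size_t x18;

/* Instruction sequences in the comments are the ones clang documents for AArch64. */
static void scs_push(uintptr_t x30) { scs[x18++] = x30; }    /* str x30, [x18], #8   */
static uintptr_t scs_pop(void)      { return scs[--x18]; }   /* ldr x30, [x18, #-8]! */

struct frame { char buf[8]; uintptr_t frame_lr; };

/* One call. Prologue: push x30 to the SCS, then spill it to the frame.
   Body: optionally overwrite the whole frame (a linear overflow of buf).
   Epilogue: return the address control would go back to. */
static uintptr_t call_and_return(uintptr_t x30, int smash, int use_scs)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    if (use_scs)
        scs_push(x30);
    f.frame_lr = x30;
    if (smash)
        memset(&f, 0x41, sizeof f);
    return use_scs ? scs_pop() : f.frame_lr;
}

/* longjmp across two frames whose epilogues never run. The function that
   called setjmp then returns through its own epilogue. */
static uintptr_t return_after_longjmp(int jmp_buf_saves_x18)
{
    x18 = 0;
    scs_push(0x1000);           /* setjmp caller's own return address */
    size_t saved_x18 = x18;     /* what an SCS-aware jmp_buf records */
    scs_push(0x2000);           /* nested callee */
    scs_push(0x3000);           /* deeper callee, which calls longjmp */
    if (jmp_buf_saves_x18)
        x18 = saved_x18;        /* longjmp restores the shadow stack pointer */
    return scs_pop();
}

int main(void)
{
    printf("no SCS, smashed frame : %#lx\n", (unsigned long)call_and_return(0x1000, 1, 0));
    printf("SCS, smashed frame    : %#lx\n", (unsigned long)call_and_return(0x1000, 1, 1));
    printf("longjmp, x18 not saved: %#lx\n", (unsigned long)return_after_longjmp(0));
    printf("longjmp, x18 saved    : %#lx\n", (unsigned long)return_after_longjmp(1));
    return 0;
}
```

In the model, a longjmp that does not restore `x18` leaves the setjmp caller popping a stale entry pushed by a frame that no longer exists, which is why comment #1 lists the jmp_buf ABI and unwinding as requirements.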
