* [Bug target/102768] [feature request] Add support for aarch64 shadow call stack
2021-10-15 9:17 [Bug rtl-optimization/102768] New: [feature request] Add support for aarch64 shadow call stack ashimida at linux dot alibaba.com
@ 2021-10-15 10:36 ` pinskia at gcc dot gnu.org
2021-10-15 15:59 ` nsz at gcc dot gnu.org
` (8 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: pinskia at gcc dot gnu.org @ 2021-10-15 10:36 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768
Andrew Pinski <pinskia at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Severity|normal |enhancement
Component|rtl-optimization |target
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug target/102768] [feature request] Add support for aarch64 shadow call stack
2021-10-15 9:17 [Bug rtl-optimization/102768] New: [feature request] Add support for aarch64 shadow call stack ashimida at linux dot alibaba.com
2021-10-15 10:36 ` [Bug target/102768] " pinskia at gcc dot gnu.org
@ 2021-10-15 15:59 ` nsz at gcc dot gnu.org
2021-10-15 17:08 ` ashimida at linux dot alibaba.com
` (7 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: nsz at gcc dot gnu.org @ 2021-10-15 15:59 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768
nsz at gcc dot gnu.org changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |nsz at gcc dot gnu.org
--- Comment #1 from nsz at gcc dot gnu.org ---
note that this at least
- requires runtime support (to manage the shadow stack),
- needs a reserved register (x18),
- affects unwinding (shadow stack must be unwound too),
- affects longjmp and jmp_buf abi.
i guess these are taken care of in the linux context and in
that case i think it makes sense to have the gcc support
upstream instead of in a plugin.
however the general support in user-space is not trivial
(the required libc changes may not be possible in a backward
compatible way such as changing jmp_buf, or reliably such as
allocating the size of shadow stack and dealing with related
failures, or with good ui e.g. opt-in mechanism for binaries
that require shadow stack so there is no regression for
non-shadow-stack binaries, etc.) and there are existing stack
protection mechanisms implemented.
i just wanted to note here that the linux kernel use-case
can be treated separately from user-space applications and
likely less effort and less controversial if you scope the
feature right.
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug target/102768] [feature request] Add support for aarch64 shadow call stack
2021-10-15 9:17 [Bug rtl-optimization/102768] New: [feature request] Add support for aarch64 shadow call stack ashimida at linux dot alibaba.com
2021-10-15 10:36 ` [Bug target/102768] " pinskia at gcc dot gnu.org
2021-10-15 15:59 ` nsz at gcc dot gnu.org
@ 2021-10-15 17:08 ` ashimida at linux dot alibaba.com
2021-10-18 16:59 ` nsz at gcc dot gnu.org
` (6 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: ashimida at linux dot alibaba.com @ 2021-10-15 17:08 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768
--- Comment #2 from ashimida <ashimida at linux dot alibaba.com> ---
(In reply to nsz from comment #1)
> note that this at least
>
> - requires runtime support (to manage the shadow stack),
> - needs a reserved register (x18),
> - affects unwinding (shadow stack must be unwound too),
> - affects longjmp and jmp_buf abi.
>
> i guess these are taken care of in the linux context and in
> that case i think it makes sense to have the gcc support
> upstream instead of in a plugin.
>
> however the general support in user-space is not trivial
> (the required libc changes may not be possible in a backward
> compatible way such as changing jmp_buf, or reliably such as
> allocating the size of shadow stack and dealing with related
> failures, or with good ui e.g. opt-in mechanism for binaries
> that require shadow stack so there is no regression for
> non-shadow-stack binaries, etc.) and there are existing stack
> protection mechanisms implemented.
>
> i just wanted to note here that the linux kernel use-case
> can be treated separately from user-space applications and
> likely less effort and less controversial if you scope the
> feature right.
Thanks nsz,
As far as I know, existing security mechanisms such as stack
canary usually do not achieve the same effect, and pac is not
always supported by hardware.
As you said, it will take a lot of trivial work to let the
user space support Shadow Call Stack, and Linux Kernel is ready
for this.
But Shadow Call Stack should be a general mechanism, just as
Android can support Clang SCS by modifying bionic, gcc's basic
support for SCS can provide a lot of convenience for users
itself to implement user-mode SCS (users may not always need to
face all the above issues)
So what I want to say in the request is whether we can provide
SCS support in the compiler side as a good start.
Maybe it‘s better to modify the feature description as follows?
[feature request] Add compiler support for aarch64 shadow call
stack
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug target/102768] [feature request] Add support for aarch64 shadow call stack
2021-10-15 9:17 [Bug rtl-optimization/102768] New: [feature request] Add support for aarch64 shadow call stack ashimida at linux dot alibaba.com
` (2 preceding siblings ...)
2021-10-15 17:08 ` ashimida at linux dot alibaba.com
@ 2021-10-18 16:59 ` nsz at gcc dot gnu.org
2021-11-02 7:08 ` [Bug target/102768] [feature request] Add compiler " ashimida at linux dot alibaba.com
` (5 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: nsz at gcc dot gnu.org @ 2021-10-18 16:59 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768
--- Comment #3 from nsz at gcc dot gnu.org ---
well, protection mechanisms are rarely equivalent. neither scs nor
traditional stack protector are perfect.
to me compiler support for freestanding environments such as linux
makes sense. i cannot immediately tell if libc support would work.
(android is not a good indicator of what can be done in linux userspace:
the android abi is broken between releases while glibc is abi stable,
bionic can do hacks in longjmp/setcontext that is not acceptable in
glibc and android does not have mixed toolchain issues such as old
unwinder tries to unwind across a new binary.)
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug target/102768] [feature request] Add compiler support for aarch64 shadow call stack
2021-10-15 9:17 [Bug rtl-optimization/102768] New: [feature request] Add support for aarch64 shadow call stack ashimida at linux dot alibaba.com
` (3 preceding siblings ...)
2021-10-18 16:59 ` nsz at gcc dot gnu.org
@ 2021-11-02 7:08 ` ashimida at linux dot alibaba.com
2021-11-23 8:12 ` ashimida at linux dot alibaba.com
` (4 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: ashimida at linux dot alibaba.com @ 2021-11-02 7:08 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768
--- Comment #4 from ashimida <ashimida at linux dot alibaba.com> ---
RFC :) https://gcc.gnu.org/pipermail/gcc-patches/2021-November/583062.html
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug target/102768] [feature request] Add compiler support for aarch64 shadow call stack
2021-10-15 9:17 [Bug rtl-optimization/102768] New: [feature request] Add support for aarch64 shadow call stack ashimida at linux dot alibaba.com
` (4 preceding siblings ...)
2021-11-02 7:08 ` [Bug target/102768] [feature request] Add compiler " ashimida at linux dot alibaba.com
@ 2021-11-23 8:12 ` ashimida at linux dot alibaba.com
2021-11-26 7:10 ` ashimida at linux dot alibaba.com
` (3 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: ashimida at linux dot alibaba.com @ 2021-11-23 8:12 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768
--- Comment #5 from ashimida <ashimida at linux dot alibaba.com> ---
Created attachment 51854
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=51854&action=edit
[RFC] Aarch64 add libgcc unwind support for shadow call stack
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug target/102768] [feature request] Add compiler support for aarch64 shadow call stack
2021-10-15 9:17 [Bug rtl-optimization/102768] New: [feature request] Add support for aarch64 shadow call stack ashimida at linux dot alibaba.com
` (5 preceding siblings ...)
2021-11-23 8:12 ` ashimida at linux dot alibaba.com
@ 2021-11-26 7:10 ` ashimida at linux dot alibaba.com
2021-12-06 2:49 ` ashimida at linux dot alibaba.com
` (2 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: ashimida at linux dot alibaba.com @ 2021-11-26 7:10 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768
--- Comment #6 from ashimida <ashimida at linux dot alibaba.com> ---
RFC,v2: https://gcc.gnu.org/pipermail/gcc-patches/2021-November/585496.html
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug target/102768] [feature request] Add compiler support for aarch64 shadow call stack
2021-10-15 9:17 [Bug rtl-optimization/102768] New: [feature request] Add support for aarch64 shadow call stack ashimida at linux dot alibaba.com
` (6 preceding siblings ...)
2021-11-26 7:10 ` ashimida at linux dot alibaba.com
@ 2021-12-06 2:49 ` ashimida at linux dot alibaba.com
2021-12-20 8:37 ` ashimida at linux dot alibaba.com
2022-02-22 12:43 ` nsz at gcc dot gnu.org
9 siblings, 0 replies; 11+ messages in thread
From: ashimida at linux dot alibaba.com @ 2021-12-06 2:49 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768
--- Comment #7 from ashimida <ashimida at linux dot alibaba.com> ---
Hi nsz,
Could you please review this patch :)
Link: https://gcc.gnu.org/pipermail/gcc-patches/2021-December/586204.html
Thanks,
-- Dan
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug target/102768] [feature request] Add compiler support for aarch64 shadow call stack
2021-10-15 9:17 [Bug rtl-optimization/102768] New: [feature request] Add support for aarch64 shadow call stack ashimida at linux dot alibaba.com
` (7 preceding siblings ...)
2021-12-06 2:49 ` ashimida at linux dot alibaba.com
@ 2021-12-20 8:37 ` ashimida at linux dot alibaba.com
2022-02-22 12:43 ` nsz at gcc dot gnu.org
9 siblings, 0 replies; 11+ messages in thread
From: ashimida at linux dot alibaba.com @ 2021-12-20 8:37 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768
--- Comment #8 from ashimida <ashimida at linux dot alibaba.com> ---
Gentile ping for this :), thanks.
https://gcc.gnu.org/pipermail/gcc-patches/2021-December/587185.html
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug target/102768] [feature request] Add compiler support for aarch64 shadow call stack
2021-10-15 9:17 [Bug rtl-optimization/102768] New: [feature request] Add support for aarch64 shadow call stack ashimida at linux dot alibaba.com
` (8 preceding siblings ...)
2021-12-20 8:37 ` ashimida at linux dot alibaba.com
@ 2022-02-22 12:43 ` nsz at gcc dot gnu.org
9 siblings, 0 replies; 11+ messages in thread
From: nsz at gcc dot gnu.org @ 2022-02-22 12:43 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768
nsz at gcc dot gnu.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|UNCONFIRMED |RESOLVED
Target Milestone|--- |12.0
--- Comment #9 from nsz at gcc dot gnu.org ---
i'm closing this as fixed. open separate bugs for further improvements.
Fixed by
https://gcc.gnu.org/g:ce09ab17ddd21f73ff2caf6eec3b0ee9b0e1a11e
commit ce09ab17ddd21f73ff2caf6eec3b0ee9b0e1a11e
Author: Dan Li <ashimida@linux.alibaba.com>
AuthorDate: 2022-02-21 20:01:14 +0000
aarch64: Add compiler support for Shadow Call Stack
Shadow Call Stack can be used to protect the return address of a
function at runtime, and clang already supports this feature[1].
To enable SCS in user mode, in addition to compiler, other support
is also required (as discussed in [2]). This patch only adds basic
support for SCS from the compiler side, and provides convenience
for users to enable SCS.
For linux kernel, only the support of the compiler is required.
[1] https://clang.llvm.org/docs/ShadowCallStack.html
[2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768
Signed-off-by: Dan Li <ashimida@linux.alibaba.com>
gcc/ChangeLog:
* config/aarch64/aarch64.cc (SLOT_REQUIRED):
Change wb_candidate[12] to wb_push_candidate[12].
(aarch64_layout_frame): Likewise, and
change callee_adjust when scs is enabled.
(aarch64_save_callee_saves):
Change wb_candidate[12] to wb_push_candidate[12].
(aarch64_restore_callee_saves):
Change wb_candidate[12] to wb_pop_candidate[12].
(aarch64_get_separate_components):
Change wb_candidate[12] to wb_push_candidate[12].
(aarch64_expand_prologue): Push x30 onto SCS before it's
pushed onto stack.
(aarch64_expand_epilogue): Pop x30 frome SCS, while
preventing it from being popped from the regular stack again.
(aarch64_override_options_internal): Add SCS compile option check.
(TARGET_HAVE_SHADOW_CALL_STACK): New hook.
* config/aarch64/aarch64.h (struct GTY): Add is_scs_enabled,
wb_pop_candidate[12], and rename wb_candidate[12] to
wb_push_candidate[12].
* config/aarch64/aarch64.md (scs_push): New template.
(scs_pop): Likewise.
* doc/invoke.texi: Document -fsanitize=shadow-call-stack.
* doc/tm.texi: Regenerate.
* doc/tm.texi.in: Add hook have_shadow_call_stack.
* flag-types.h (enum sanitize_code):
Add SANITIZE_SHADOW_CALL_STACK.
* opts.cc (parse_sanitizer_options): Add shadow-call-stack
and exclude SANITIZE_SHADOW_CALL_STACK.
* target.def: New hook.
* toplev.cc (process_options): Add SCS compile option check.
* ubsan.cc (ubsan_expand_null_ifn): Enum type conversion.
gcc/testsuite/ChangeLog:
* gcc.target/aarch64/shadow_call_stack_1.c: New test.
* gcc.target/aarch64/shadow_call_stack_2.c: New test.
* gcc.target/aarch64/shadow_call_stack_3.c: New test.
* gcc.target/aarch64/shadow_call_stack_4.c: New test.
* gcc.target/aarch64/shadow_call_stack_5.c: New test.
* gcc.target/aarch64/shadow_call_stack_6.c: New test.
* gcc.target/aarch64/shadow_call_stack_7.c: New test.
* gcc.target/aarch64/shadow_call_stack_8.c: New test.
^ permalink raw reply [flat|nested] 11+ messages in thread