From: Alexandre Oliva
To: gcc-cvs@gcc.gnu.org
Subject: [gcc(refs/users/aoliva/heads/testme)] hardcfr: prevent deferred sets of visited bitmap
X-Act-Checkin: gcc
X-Git-Author: Alexandre Oliva
X-Git-Refname: refs/users/aoliva/heads/testme
X-Git-Oldrev: ae6a9e6a22d1ad5cd46f23fe869ead7e51263e55
X-Git-Newrev: a273f6e55352f2596c98e0c3d96a106fe21561c9
Message-Id: <20230608044755.A98023857006@sourceware.org>
Date: Thu, 8 Jun 2023 04:47:55 +0000 (GMT)

https://gcc.gnu.org/g:a273f6e55352f2596c98e0c3d96a106fe21561c9

commit a273f6e55352f2596c98e0c3d96a106fe21561c9
Author: Alexandre Oliva
Date:   Wed Oct 19 20:36:28 2022 -0300

    hardcfr: prevent deferred sets of visited bitmap

    Make bitmap sets volatile-ish, preventing deferral and likely
    combinations.

    for  gcc/ChangeLog

            * gimple-harden-control-flow.cc
            (rt_bb_visited::rt_bb_visited): Move optimization barrier...
            (rt_bb_visited::vset): ... here.

Diff:
---
 gcc/gimple-harden-control-flow.cc | 48 ++++++++++++++++++++++++---------------
 1 file changed, 30 insertions(+), 18 deletions(-)

diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc
index 53717a652ca..3e6fe2db479 100644
--- a/gcc/gimple-harden-control-flow.cc
+++ b/gcc/gimple-harden-control-flow.cc
@@ -545,6 +545,36 @@ class rt_bb_visited gassign *vstore = gimple_build_assign (unshare_expr (setme), temp); gimple_seq_add_stmt (&seq, vstore); + /* Prevent stores into visited from being deferred, forcing + subsequent bitsets to reload the word rather than reusing + values already in register. The purpose is threefold: make the + bitset get to memory in this block, so that control flow + attacks in functions called in this block don't easily bypass + the bitset; prevent the bitset word from being retained in a + register across blocks, which could, in an attack scenario, + make a later block set more than one bit; and prevent hoisting + or sinking loads or stores of bitset words out of loops or even + throughout functions, which could significantly weaken the + verification. This is equivalent to making the bitsetting + volatile within the function body, but without changing its + type; making the bitset volatile would make inline checking far + less optimizable for no reason. */ + vec *inputs = NULL; + vec *outputs = NULL; + vec_safe_push (outputs, + build_tree_list + (build_tree_list + (NULL_TREE, build_string (2, "=m")), + visited)); + vec_safe_push (inputs, + build_tree_list + (build_tree_list + (NULL_TREE, build_string (1, "m")), + visited)); + gasm *stabilize = gimple_build_asm_vec ("", inputs, outputs, + NULL, NULL); + gimple_seq_add_stmt (&seq, stabilize); + return seq; } 
@@ -615,24 +645,6 @@ public: tree visited_type = vtype (); visited = create_tmp_var (visited_type, ".cfrvisited"); - /* Prevent stores into visited from being used to optimize the - control flow redundancy checks. asm ("" : "+m" (visited)); */ - vec *inputs = NULL; - vec *outputs = NULL; - vec_safe_push (outputs, - build_tree_list - (build_tree_list - (NULL_TREE, build_string (2, "=m")), - visited)); - vec_safe_push (inputs, - build_tree_list - (build_tree_list - (NULL_TREE, build_string (1, "m")), - visited)); - gasm *detach = gimple_build_asm_vec ("", inputs, outputs, - NULL, NULL); - gimple_seq_add_stmt (&ckseq, detach); - if (nblocks - NUM_FIXED_BLOCKS > blknum (param_hardcfr_max_inline_blocks) || checkpoints > 1) {
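Review bot: in the hunk at @@ -545,6 +545,36 @@, the new comment says the barrier is "equivalent to making the bitsetting volatile within the function body", but the `gasm *stabilize` built by `gimple_build_asm_vec ("", inputs, outputs, NULL, NULL)` is not marked volatile anywhere in the lines shown. Either call `gimple_asm_set_volatile (stabilize, true)` or extend the comment to say why the "=m"/"m" operand pair on `visited` is enough to keep the statement from being removed, merged with a neighbouring barrier, or moved out of a loop. The removed comment also gave the source-level form, `asm ("" : "+m" (visited));`, which is worth carrying over because the split constraints are otherwise unexplained. The operand is the whole `visited` object rather than the `setme` word just stored, so every bit set invalidates the entire bitmap; if that is intended, the comment should say so.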
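Review bot: in the hunk at @@ -615,24 +645,6 @@, removing the `detach` barrier from the constructor leaves the checks emitted into `ckseq` relying entirely on the barriers that `vset` now adds per block, and the old comment's stated purpose ("Prevent stores into visited from being used to optimize the control flow redundancy checks") is not restated in the new comment. Please confirm that every path reaching the checker passes at least one `vset` barrier, and record that in a comment at this spot or in the ChangeLog entry. The diffstat shows only gimple-harden-control-flow.cc changing; a test that scans the generated code for the per-block store to the bitmap would keep a later optimization change from silently undoing this hardening.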