From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 2140) id BF444385661B; Fri, 9 Jun 2023 08:07:08 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org BF444385661B DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1686298028; bh=xawWDVDV4jQO4HdGcabB6+PVsrLM8pppTR65MmMfvZs=; h=From:To:Subject:Date:From; b=FxVEK8LZTtXiME6gs9DFbkg5KGw9oRMYntVbc54udFnk0WI0+JMqDKXRBH2aWwE1B U6WiVYGgIYP3O5tN07bEEgQsW+edmcQReOYRfgbgxi6ncUErdU6VZt70aLH/rbVGh3 Xr6ZeSSWkjo6+eAHcACAmjbiSVYHsuNsTxS6XWhI= Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: Alexandre Oliva To: gcc-cvs@gcc.gnu.org Subject: [gcc(refs/users/aoliva/heads/testme)] hardcfr: prevent deferred sets of visited bitmap X-Act-Checkin: gcc X-Git-Author: Alexandre Oliva X-Git-Refname: refs/users/aoliva/heads/testme X-Git-Oldrev: c2adf71b5e5036e412fc150245764f0d2246bec2 X-Git-Newrev: 0e2a8d05cd6f6103e9d9746d6a3e61f84030d299 Message-Id: <20230609080708.BF444385661B@sourceware.org> Date: Fri, 9 Jun 2023 08:07:08 +0000 (GMT) List-Id: https://gcc.gnu.org/g:0e2a8d05cd6f6103e9d9746d6a3e61f84030d299 commit 0e2a8d05cd6f6103e9d9746d6a3e61f84030d299 Author: Alexandre Oliva Date: Thu Jun 8 01:35:23 2023 -0300 hardcfr: prevent deferred sets of visited bitmap Make bitmap sets volatile-ish, preventing deferral and likely combinations. for gcc/ChangeLog * gimple-harden-control-flow.cc (rt_bb_visited::rt_bb_visited): Move optimization barrier... (rt_bb_visited::vset): ... here. Diff: --- gcc/gimple-harden-control-flow.cc | 48 ++++++++++++++++++++++++--------------- 1 file changed, 30 insertions(+), 18 deletions(-) diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc index 53717a652ca..3e6fe2db479 100644 --- a/gcc/gimple-harden-control-flow.cc +++ b/gcc/gimple-harden-control-flow.cc @@ -545,6 +545,36 @@ class rt_bb_visited gassign *vstore = gimple_build_assign (unshare_expr (setme), temp); gimple_seq_add_stmt (&seq, vstore); + /* Prevent stores into visited from being deferred, forcing + subsequent bitsets to reload the word rather than reusing + values already in register. The purpose is threefold: make the + bitset get to memory in this block, so that control flow + attacks in functions called in this block don't easily bypass + the bitset; prevent the bitset word from being retained in a + register across blocks, which could, in an attack scenario, + make a later block set more than one bit; and prevent hoisting + or sinking loads or stores of bitset words out of loops or even + throughout functions, which could significantly weaken the + verification. This is equivalent to making the bitsetting + volatile within the function body, but without changing its + type; making the bitset volatile would make inline checking far + less optimizable for no reason. */ + vec *inputs = NULL; + vec *outputs = NULL; + vec_safe_push (outputs, + build_tree_list + (build_tree_list + (NULL_TREE, build_string (2, "=m")), + visited)); + vec_safe_push (inputs, + build_tree_list + (build_tree_list + (NULL_TREE, build_string (1, "m")), + visited)); + gasm *stabilize = gimple_build_asm_vec ("", inputs, outputs, + NULL, NULL); + gimple_seq_add_stmt (&seq, stabilize); + return seq; } @@ -615,24 +645,6 @@ public: tree visited_type = vtype (); visited = create_tmp_var (visited_type, ".cfrvisited"); - /* Prevent stores into visited from being used to optimize the - control flow redundancy checks. asm ("" : "+m" (visited)); */ - vec *inputs = NULL; - vec *outputs = NULL; - vec_safe_push (outputs, - build_tree_list - (build_tree_list - (NULL_TREE, build_string (2, "=m")), - visited)); - vec_safe_push (inputs, - build_tree_list - (build_tree_list - (NULL_TREE, build_string (1, "m")), - visited)); - gasm *detach = gimple_build_asm_vec ("", inputs, outputs, - NULL, NULL); - gimple_seq_add_stmt (&ckseq, detach); - if (nblocks - NUM_FIXED_BLOCKS > blknum (param_hardcfr_max_inline_blocks) || checkpoints > 1) {