public inbox for gcc-patches@gcc.gnu.org
From: Matthew Malcomson <Matthew.Malcomson@arm.com>
To: "gcc-patches@gcc.gnu.org" <gcc-patches@gcc.gnu.org>
Cc: "mliska@suse.cz" <mliska@suse.cz>,
	"dodji@redhat.com" <dodji@redhat.com>,	nd <nd@arm.com>,
	"kcc@google.com" <kcc@google.com>,
	"jakub@redhat.com"	<jakub@redhat.com>,
	"dvyukov@google.com" <dvyukov@google.com>
Subject: [RFC][PATCH 11/X][libsanitizer] Uncolour stack frame on function exit
Date: Fri, 06 Sep 2019 14:47:00 -0000	[thread overview]
Message-ID: <VI1PR08MB54714F7177B32B32A439B387E0BA0@VI1PR08MB5471.eurprd08.prod.outlook.com> (raw)
In-Reply-To: <156778058239.16148.17480879484406897649.scripted-patch-series@arm.com>


When exiting a function we need to ensure the shadow stack for this
function has no remaining colour.  Without clearing the shadow stack
area for this function, pointer checks in later function calls could
check untagged areas (such as parameters passed on the stack) against
a shadow stack area with left-over colour, causing a false positive.

Here we ensure that the entire stack frame is cleared on function exit.

gcc/ChangeLog:

2019-09-06  Matthew Malcomson  <matthew.malcomson@arm.com>

	* asan.c (hwasan_emit_uncolour_frame): New.
	* asan.h (hwasan_emit_uncolour_frame): New.
	* cfgexpand.c (expand_used_vars): Uncolour shadow frame on
	function exit.
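To make the failure mode in the description concrete, the following is a constructed C model of a tagged shadow stack, added for this page and not code from the patch, from GCC or from libhwasan. Frame A colours its locals on entry; frame B later reuses the same stack region for untagged parameters passed on the stack. Without clearing on exit, B's checks compare tag 0 against A's stale colour and misfire; with an exit step modelled on what hwasan_emit_uncolour_frame arranges (clear [bot, top) chosen by stack direction), they pass. The granule size, tag values, frame offsets and helper names are assumptions made for the illustration.

```c
/* Constructed model of HWASAN stack shadow colouring, added here to show the
   false positive the patch description refers to.  Not GCC or libhwasan code:
   the granule size, tags, frame layout and helper names are assumptions made
   for the illustration.  */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRANULE      16                    /* bytes per shadow byte (assumed) */
#define STACK_BYTES  256                   /* size of the model stack */
#define STACK_GROWS_DOWNWARD 1             /* as on AArch64 */

static uint8_t shadow[STACK_BYTES / GRANULE];  /* one tag per granule */

/* Model of __hwasan_tag_memory (addr, tag, size): colour every granule in
   [addr, addr + size) with TAG.  */
void tag_memory (size_t addr, uint8_t tag, size_t size)
{
  for (size_t a = addr; a < addr + size; a += GRANULE)
    shadow[a / GRANULE] = tag;
}

/* Model of what hwasan_emit_uncolour_frame arranges on function exit:
   pick the frame bounds by stack direction and clear the whole range.  */
void uncolour_frame (size_t dynamic, size_t vars)
{
  size_t top = STACK_GROWS_DOWNWARD ? vars : dynamic;
  size_t bot = STACK_GROWS_DOWNWARD ? dynamic : vars;
  tag_memory (bot, 0, top - bot);
}

/* A checked access through a pointer carrying PTR_TAG: the check fails
   (HWASAN would report) when the shadow tag of the granule differs.  */
int access_faults (size_t addr, uint8_t ptr_tag)
{
  return shadow[addr / GRANULE] != ptr_tag;
}

/* Frame A owns [64, 128): colours its locals on entry and, if asked,
   uncolours the frame on exit.  */
static void frame_a (int uncolour_on_exit)
{
  tag_memory (64, 0x5, 64);
  /* ... function body ... */
  if (uncolour_on_exit)
    uncolour_frame (64, 128);
}

/* Frame B later reuses [64, 128) for parameters passed on the stack.
   Those are untagged (tag 0), so checks expect shadow 0.  Returns the
   number of granules that would be reported.  */
static int frame_b (void)
{
  int reports = 0;
  for (size_t a = 64; a < 128; a += GRANULE)
    reports += access_faults (a, 0);
  return reports;
}

/* Run the two frames back to back; returns the false-positive count.  */
int stale_colour_reports (int uncolour_on_exit)
{
  memset (shadow, 0, sizeof shadow);
  frame_a (uncolour_on_exit);
  return frame_b ();
}

int main (void)
{
  printf ("no clearing on exit: %d false reports\n", stale_colour_reports (0));
  printf ("frame uncoloured:    %d false reports\n", stale_colour_reports (1));
  return 0;
}
```

With the 64-byte frame and 16-byte granules, the uncleared run reports on all four granules and the cleared run on none; the only difference between the two runs is the exit-time clearing of the frame's shadow range.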



###############     Attachment also inlined for ease of reply    ###############


diff --git a/gcc/asan.h b/gcc/asan.h
index 028afdd2e7d16245c6cbbe106b7ccb9c5034d542..c5492ce35980d0b26d4707f96482b69dc76a525a 100644
--- a/gcc/asan.h
+++ b/gcc/asan.h
@@ -31,6 +31,7 @@ extern rtx hwasan_with_tag (rtx, poly_int64);
 extern void hwasan_tag_init ();
 extern rtx hwasan_create_untagged_base (rtx);
 extern void hwasan_emit_prologue (rtx *, rtx *, poly_int64 *, uint8_t *, size_t);
+extern rtx_insn *hwasan_emit_uncolour_frame (rtx, rtx, rtx_insn *);
 extern bool memory_tagging_p (void);
 extern rtx_insn *asan_emit_stack_protection (rtx, rtx, unsigned int,
 					     HOST_WIDE_INT *, tree *, int);
diff --git a/gcc/asan.c b/gcc/asan.c
index d361b4b562f75cb0c2e081218073eacb3704f8d0..0e74e32ae6ca4e130b3f13abe110364b119def46 100644
--- a/gcc/asan.c
+++ b/gcc/asan.c
@@ -3836,6 +3836,46 @@ hwasan_emit_prologue (rtx *bases,
     }
 }
 
+rtx_insn *
+hwasan_emit_uncolour_frame (rtx dynamic, rtx vars, rtx_insn *before)
+{
+  if (before)
+    push_to_sequence (before);
+  else
+    start_sequence ();
+
+  dynamic = convert_memory_address (ptr_mode, dynamic);
+  vars = convert_memory_address (ptr_mode, vars);
+
+  rtx top_rtx;
+  rtx bot_rtx;
+  if (STACK_GROWS_DOWNWARD)
+    {
+      top_rtx = vars;
+      bot_rtx = dynamic;
+    }
+  else
+    {
+      top_rtx = dynamic;
+      bot_rtx = vars;
+    }
+
+  rtx size_rtx = expand_simple_binop (Pmode, MINUS, top_rtx, bot_rtx,
+				  NULL_RTX, /* unsignedp = */0, OPTAB_DIRECT);
+
+  /* TODO Other options (i.e. inline options)  */
+  rtx ret = init_one_libfunc ("__hwasan_tag_memory");
+  emit_library_call (ret, LCT_NORMAL, VOIDmode,
+      bot_rtx, ptr_mode,
+      const0_rtx, QImode,
+      size_rtx, ptr_mode);
+
+  do_pending_stack_adjust ();
+  rtx_insn *insns = get_insns ();
+  end_sequence ();
+  return insns;
+}
+
 rtx
 hwasan_create_untagged_base (rtx orig_base)
 {
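Review bot: `size_rtx` is computed in Pmode from operands that were just converted to ptr_mode (`dynamic = convert_memory_address (ptr_mode, dynamic);` followed by `expand_simple_binop (Pmode, MINUS, top_rtx, bot_rtx, ...)`), which is a mode mismatch on targets where Pmode and ptr_mode differ; compute the difference in ptr_mode, or convert the operands after subtracting, so the third libcall argument really is a ptr_mode value. `hwasan_emit_uncolour_frame` also lacks the leading function comment GCC style requires; it should state what `dynamic`, `vars` and `before` are and that the returned sequence clears the shadow for [bot_rtx, top_rtx). The `/* TODO Other options (i.e. inline options)  */` comment should say what is meant (an inline store sequence instead of the `__hwasan_tag_memory` libcall?) and read "e.g." rather than "i.e.". Finally, since the cfgexpand change triggers this on `cfun->calls_alloca` as well, the comment should say whether storage obtained by alloca lies inside the [dynamic, vars) range passed here or is uncoloured by another path.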
diff --git a/gcc/cfgexpand.c b/gcc/cfgexpand.c
index aacf210facc462675a980ee87bd38d4a7d94ad09..9f0872b32354cbc3186f3f2d2600f711a46926d1 100644
--- a/gcc/cfgexpand.c
+++ b/gcc/cfgexpand.c
@@ -2412,6 +2412,14 @@ expand_used_vars (void)
     var_end_seq = asan_emit_allocas_unpoison (virtual_stack_dynamic_rtx,
 					      virtual_stack_vars_rtx,
 					      var_end_seq);
+  /* Here we uncolour the entire frame for this function.
+     We need to uncolour *something* if either we have coloured some local
+     variables or we have coloured some alloca objects.  */
+  else if (memory_tagging_p ()
+	   && (cfun->calls_alloca || stack_vars_num > 0))
+    var_end_seq = hwasan_emit_uncolour_frame (virtual_stack_dynamic_rtx,
+					      virtual_stack_vars_rtx,
+					      var_end_seq);
 
   fini_vars_expansion ();
 
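Review bot: the new block comment sits between the `asan_emit_allocas_unpoison` statement and the `else if`, so it reads as a trailer of the previous arm; move it inside the new arm (after the `else if` condition) or directly above the whole if/else chain. Also, `stack_vars_num > 0` is a coarser test than the comment's "we have coloured some local variables"; if an `__hwasan_tag_memory` call when nothing in the frame was actually coloured is acceptable, the comment should say so, otherwise track whether colouring happened.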


