[all-commits] [llvm/llvm-project] 1b8ab2: [clang] Implement pointer authentication for C++ ...
Oliver Hunt via All-commits
all-commits at lists.llvm.org
Wed Jun 26 18:35:31 PDT 2024
Branch: refs/heads/main
Home: https://github.com/llvm/llvm-project
Commit: 1b8ab2f08998d3220e5d95003d47bb3d7cac966b
https://github.com/llvm/llvm-project/commit/1b8ab2f08998d3220e5d95003d47bb3d7cac966b
Author: Oliver Hunt <oliver at apple.com>
Date: 2024-06-26 (Wed, 26 Jun 2024)
Changed paths:
M clang/include/clang/AST/ASTContext.h
M clang/include/clang/AST/GlobalDecl.h
M clang/include/clang/AST/Mangle.h
M clang/include/clang/AST/VTableBuilder.h
M clang/include/clang/Basic/Attr.td
M clang/include/clang/Basic/DiagnosticSemaKinds.td
M clang/include/clang/Basic/PointerAuthOptions.h
M clang/include/clang/Basic/Thunk.h
M clang/include/clang/CodeGen/CodeGenABITypes.h
M clang/include/clang/CodeGen/ConstantInitBuilder.h
M clang/include/clang/InstallAPI/Visitor.h
M clang/include/clang/Sema/Sema.h
M clang/lib/AST/ASTContext.cpp
M clang/lib/AST/ItaniumMangle.cpp
M clang/lib/AST/Mangle.cpp
M clang/lib/AST/MicrosoftMangle.cpp
M clang/lib/AST/VTableBuilder.cpp
M clang/lib/CodeGen/CGCXX.cpp
M clang/lib/CodeGen/CGCXXABI.h
M clang/lib/CodeGen/CGClass.cpp
M clang/lib/CodeGen/CGExpr.cpp
M clang/lib/CodeGen/CGExprConstant.cpp
M clang/lib/CodeGen/CGPointerAuth.cpp
M clang/lib/CodeGen/CGVTT.cpp
M clang/lib/CodeGen/CGVTables.cpp
M clang/lib/CodeGen/CodeGenFunction.cpp
M clang/lib/CodeGen/CodeGenFunction.h
M clang/lib/CodeGen/CodeGenModule.h
M clang/lib/CodeGen/ConstantEmitter.h
M clang/lib/CodeGen/ConstantInitBuilder.cpp
M clang/lib/CodeGen/ItaniumCXXABI.cpp
M clang/lib/CodeGen/MicrosoftCXXABI.cpp
M clang/lib/Frontend/CompilerInvocation.cpp
M clang/lib/Headers/ptrauth.h
M clang/lib/InstallAPI/Visitor.cpp
M clang/lib/Parse/ParseDecl.cpp
M clang/lib/Sema/SemaDeclAttr.cpp
M clang/lib/Sema/SemaDeclCXX.cpp
M clang/lib/Sema/SemaExpr.cpp
A clang/test/CodeGen/ptrauth-ubsan-vptr.cpp
M clang/test/CodeGenCXX/catch-undef-behavior.cpp
A clang/test/CodeGenCXX/ptrauth-apple-kext-indirect-call-2.cpp
A clang/test/CodeGenCXX/ptrauth-apple-kext-indirect-call.cpp
A clang/test/CodeGenCXX/ptrauth-apple-kext-indirect-virtual-dtor-call.cpp
A clang/test/CodeGenCXX/ptrauth-explicit-vtable-pointer-control.cpp
A clang/test/CodeGenCXX/ptrauth-rtti-layout.cpp
A clang/test/CodeGenCXX/ptrauth-thunks.cpp
A clang/test/CodeGenCXX/ptrauth-virtual-function.cpp
A clang/test/CodeGenCXX/ptrauth-vtable-virtual-inheritance-thunk.cpp
M clang/test/CodeGenCXX/ubsan-vtable-checks.cpp
M clang/test/Misc/pragma-attribute-supported-attributes-list.test
A clang/test/SemaCXX/ptrauth-incomplete-virtual-member-function-return-arg-type.cpp
A clang/test/SemaCXX/vtable_pointer_authentication_attribute.cpp
M clang/utils/TableGen/ClangAttrEmitter.cpp
Log Message:
-----------
[clang] Implement pointer authentication for C++ virtual functions, v-tables, and VTTs (#94056)
Virtual function pointer entries in v-tables are signed with address
discrimination in addition to declaration-based discrimination, where an
integer discriminator the string hash (see
`ptrauth_string_discriminator`) of the mangled name of the overridden
method. This notably provides diversity based on the full signature of
the overridden method, including the method name and parameter types.
This patch introduces ItaniumVTableContext logic to find the original
declaration of the overridden method.
On AArch64, these pointers are signed using the `IA` key (the
process-independent code key.)
V-table pointers can be signed with either no discrimination, or a
similar scheme using address and decl-based discrimination. In this
case, the integer discriminator is the string hash of the mangled
v-table identifier of the class that originally introduced the vtable
pointer.
On AArch64, these pointers are signed using the `DA` key (the
process-independent data key.)
Not using discrimination allows attackers to simply copy valid v-table
pointers from one object to another. However, using a uniform
discriminator of 0 does have positive performance and code-size
implications on AArch64, and diversity for the most important v-table
access pattern (virtual dispatch) is already better assured by the
signing schemas used on the virtual functions. It is also known that
some code in practice copies objects containing v-tables with `memcpy`,
and while this is not permitted formally, it is something that may be
invasive to eliminate.
This is controlled by:
```
-fptrauth-vtable-pointer-type-discrimination
-fptrauth-vtable-pointer-address-discrimination
```
In addition, this provides fine-grained controls in the
ptrauth_vtable_pointer attribute, which allows overriding the default
ptrauth schema for vtable pointers on a given class hierarchy, e.g.:
```
[[clang::ptrauth_vtable_pointer(no_authentication, no_address_discrimination,
no_extra_discrimination)]]
[[clang::ptrauth_vtable_pointer(default_key, default_address_discrimination,
custom_discrimination, 0xf00d)]]
```
The override is then mangled as a parametrized vendor extension:
```
"__vtptrauth" I
<key>
<addressDiscriminated>
<extraDiscriminator>
E
```
To support this attribute, this patch adds a small extension to the
attribute-emitter tablegen backend.
Note that there are known areas where signing is either missing
altogether or can be strengthened. Some will be addressed in later
changes (e.g., member function pointers, some RTTI).
`dynamic_cast` in particular is handled by emitting an artificial
v-table pointer load (in a way that always authenticates it) before the
runtime call itself, as the runtime doesn't have enough information
today to properly authenticate it. Instead, the runtime is currently
expected to strip the v-table pointer.
---------
Co-authored-by: John McCall <rjmccall at apple.com>
Co-authored-by: Ahmed Bougacha <ahmed at bougacha.org>
To unsubscribe from these emails, change your notification settings at https://github.com/llvm/llvm-project/settings/notifications
More information about the All-commits
mailing list