[all-commits] [llvm/llvm-project] 6049cd: [AArch64][PAC] Lower jump-tables using hardened ps...

Mon Jul 22 19:02:04 PDT 2024

  Branch: refs/heads/main
  Home:   https://github.com/llvm/llvm-project
  Commit: 6049cd62871d529b2e80b4f80fb7d74e347fb725
      https://github.com/llvm/llvm-project/commit/6049cd62871d529b2e80b4f80fb7d74e347fb725
  Author: Ahmed Bougacha <ahmed at bougacha.org>
  Date:   2024-07-22 (Mon, 22 Jul 2024)

  Changed paths:
    M llvm/lib/Target/AArch64/AArch64AsmPrinter.cpp
    M llvm/lib/Target/AArch64/AArch64ISelLowering.cpp
    M llvm/lib/Target/AArch64/AArch64InstrInfo.td
    M llvm/lib/Target/AArch64/GISel/AArch64InstructionSelector.cpp
    A llvm/test/CodeGen/AArch64/hardened-br-jump-table.ll

  Log Message:
  -----------
  [AArch64][PAC] Lower jump-tables using hardened pseudo. (#97666)

This introduces an alternative hardened lowering for jump-table
dispatch, controlled by the function attribute
`"aarch64-jump-table-hardening"`.
The implementation is centered around a pseudo, BR_JumpTable:

> A hardened but more expensive version of jump-table dispatch.
> This combines the target address computation (otherwise done using
> the JumpTableDest pseudos above) with the branch itself (otherwise
> done using a plain BR) in a single non-attackable sequence.
>
> We take the final entry index as an operand to allow isel freedom.
> This does mean that the index can be attacker-controlled. To
> address that, we also do limited checking of the offset, mainly
> ensuring it still points within the jump-table array.  When it
> doesn't, this branches to the first entry.  We might want it to
> trap instead.
>
> This is intended for use in conjunction with ptrauth for other
> code pointers, to avoid signing jump-table entries and turning
> them into pointers.
>
> Entry index is passed in x16.  Clobbers x16/x17/nzcv.

Jump-table compression isn't supported yet.

To unsubscribe from these emails, change your notification settings at https://github.com/llvm/llvm-project/settings/notifications