[all-commits] [llvm/llvm-project] b8721f: [AArch64][PAC] Sign block addresses used in indire...

Ahmed Bougacha via All-commits all-commits at lists.llvm.org
Mon Jul 22 21:25:00 PDT 2024 

  Branch: refs/heads/main
  Home:   https://github.com/llvm/llvm-project
  Commit: b8721fa0afa65e8e44d7f264712499d24f3cc68b
      https://github.com/llvm/llvm-project/commit/b8721fa0afa65e8e44d7f264712499d24f3cc68b
  Author: Ahmed Bougacha <ahmed at bougacha.org>
  Date:   2024-07-22 (Mon, 22 Jul 2024)

  Changed paths:
    M clang/include/clang/Basic/DiagnosticSemaKinds.td
    M clang/include/clang/Basic/Features.def
    M clang/include/clang/Basic/LangOptions.def
    M clang/include/clang/Basic/PointerAuthOptions.h
    M clang/include/clang/Driver/Options.td
    M clang/lib/CodeGen/CodeGenFunction.cpp
    M clang/lib/Driver/ToolChains/Clang.cpp
    M clang/lib/Frontend/CompilerInvocation.cpp
    M clang/lib/Sema/SemaExpr.cpp
    M clang/test/CodeGen/ptrauth-function-attributes.c
    A clang/test/Sema/ptrauth-indirect-goto.c
    M llvm/docs/PointerAuth.md
    M llvm/include/llvm/CodeGen/AsmPrinter.h
    M llvm/lib/CodeGen/AsmPrinter/AsmPrinter.cpp
    M llvm/lib/Target/AArch64/AArch64AsmPrinter.cpp
    M llvm/lib/Target/AArch64/AArch64FastISel.cpp
    M llvm/lib/Target/AArch64/AArch64ISelLowering.cpp
    M llvm/lib/Target/AArch64/AArch64ISelLowering.h
    M llvm/lib/Target/AArch64/AArch64InstrInfo.td
    M llvm/lib/Target/AArch64/AArch64Subtarget.cpp
    M llvm/lib/Target/AArch64/AArch64Subtarget.h
    M llvm/lib/Target/AArch64/GISel/AArch64InstructionSelector.cpp
    A llvm/test/CodeGen/AArch64/ptrauth-indirectbr.ll

  Log Message:
  -----------
  [AArch64][PAC] Sign block addresses used in indirectbr. (#97647)

Enabled in clang using:
    -fptrauth-indirect-gotos

and at the IR level using function attribute:
    "ptrauth-indirect-gotos"

Signing uses IA and a per-function integer discriminator. The
discriminator isn't ABI-visible, and is currently:
    ptrauth_string_discriminator("<function_name> blockaddress")

A sufficiently sophisticated frontend could benefit from per-indirectbr
discrimination, which would need additional machinery, such as allowing
"ptrauth" bundles on indirectbr. For our purposes, the simple scheme
above is sufficient.

This approach doesn't support subtracting label addresses and using
the result as offsets, because each label address is signed.
Pointer arithmetic on signed pointers corrupts the signature bits,
and because label address expressions aren't typed beyond void*,
we can't do anything reliably intelligent on the arithmetic exprs.
Not signing addresses when used to form offsets would allow
easily hijacking control flow by overwriting the offset.

This diagnoses the basic cases (`&&lbl2 - &&lbl1`) in the frontend,
while we evaluate either alternative implementations (e.g., lowering
blockaddress to a bb number, and indirectbr to a checked jump-table),
or better diagnostics (both at the frontend level and on unencodable
IR constants).



To unsubscribe from these emails, change your notification settings at https://github.com/llvm/llvm-project/settings/notifications

More information about the All-commits mailing list