[clang] 41cde46 - [PAC][Driver] Add `-faarch64-jump-table-hardening` flag (#113149)
via cfe-commits
cfe-commits at lists.llvm.org
Thu Dec 5 00:34:32 PST 2024
Author: Daniil Kovalev
Date: 2024-12-05T11:34:29+03:00
New Revision: 41cde465acfddb44d400b0a53bb57960762312a2
URL: https://github.com/llvm/llvm-project/commit/41cde465acfddb44d400b0a53bb57960762312a2
DIFF: https://github.com/llvm/llvm-project/commit/41cde465acfddb44d400b0a53bb57960762312a2.diff
LOG: [PAC][Driver] Add `-faarch64-jump-table-hardening` flag (#113149)
The flag is placed together with pointer authentication flags since they
serve the same security purpose of protecting against attacks on control
flow. The flag is not ABI-affecting and might be enabled separately if
needed, but it's also intended to be enabled as part of pauth-enabled
environments (e.g. pauthtest).
See also codegen implementation #97666.
Added:
Modified:
clang/include/clang/Basic/LangOptions.def
clang/include/clang/Basic/PointerAuthOptions.h
clang/include/clang/Driver/Options.td
clang/lib/CodeGen/CodeGenFunction.cpp
clang/lib/Driver/ToolChains/Clang.cpp
clang/lib/Frontend/CompilerInvocation.cpp
clang/test/CodeGen/ptrauth-function-attributes.c
clang/test/Driver/aarch64-ptrauth.c
Removed:
################################################################################
diff --git a/clang/include/clang/Basic/LangOptions.def b/clang/include/clang/Basic/LangOptions.def
index 39e4851dd3814c..3b833240e5b68c 100644
--- a/clang/include/clang/Basic/LangOptions.def
+++ b/clang/include/clang/Basic/LangOptions.def
@@ -178,6 +178,7 @@ LANGOPT(PointerAuthInitFini, 1, 0, "sign function pointers in init/fini arrays")
LANGOPT(PointerAuthInitFiniAddressDiscrimination, 1, 0,
"incorporate address discrimination in authenticated function pointers in init/fini arrays")
LANGOPT(PointerAuthELFGOT, 1, 0, "authenticate pointers from GOT")
+LANGOPT(AArch64JumpTableHardening, 1, 0, "use hardened lowering for jump-table dispatch")
LANGOPT(DoubleSquareBracketAttributes, 1, 0, "'[[]]' attributes extension for all language standard modes")
LANGOPT(ExperimentalLateParseAttributes, 1, 0, "experimental late parsing of attributes")
diff --git a/clang/include/clang/Basic/PointerAuthOptions.h b/clang/include/clang/Basic/PointerAuthOptions.h
index 3deb666b375136..a3a3e50bcde5dc 100644
--- a/clang/include/clang/Basic/PointerAuthOptions.h
+++ b/clang/include/clang/Basic/PointerAuthOptions.h
@@ -172,6 +172,9 @@ struct PointerAuthOptions {
/// Do indirect goto label addresses need to be authenticated?
bool IndirectGotos = false;
+ /// Use hardened lowering for jump-table dispatch?
+ bool AArch64JumpTableHardening = false;
+
/// The ABI for C function pointers.
PointerAuthSchema FunctionPointers;
diff --git a/clang/include/clang/Driver/Options.td b/clang/include/clang/Driver/Options.td
index 5fca5fbbbd24a9..a89a4e8f8ec985 100644
--- a/clang/include/clang/Driver/Options.td
+++ b/clang/include/clang/Driver/Options.td
@@ -4353,6 +4353,7 @@ defm ptrauth_init_fini : OptInCC1FFlag<"ptrauth-init-fini", "Enable signing of f
defm ptrauth_init_fini_address_discrimination : OptInCC1FFlag<"ptrauth-init-fini-address-discrimination",
"Enable address discrimination of function pointers in init/fini arrays">;
defm ptrauth_elf_got : OptInCC1FFlag<"ptrauth-elf-got", "Enable authentication of pointers from GOT (ELF only)">;
+defm aarch64_jump_table_hardening: OptInCC1FFlag<"aarch64-jump-table-hardening", "Use hardened lowering for jump-table dispatch">;
}
def fenable_matrix : Flag<["-"], "fenable-matrix">, Group<f_Group>,
diff --git a/clang/lib/CodeGen/CodeGenFunction.cpp b/clang/lib/CodeGen/CodeGenFunction.cpp
index f8138e9cee250c..2bc10cdd2d3441 100644
--- a/clang/lib/CodeGen/CodeGenFunction.cpp
+++ b/clang/lib/CodeGen/CodeGenFunction.cpp
@@ -899,6 +899,8 @@ void CodeGenFunction::StartFunction(GlobalDecl GD, QualType RetTy,
Fn->addFnAttr("ptrauth-auth-traps");
if (CodeGenOpts.PointerAuth.IndirectGotos)
Fn->addFnAttr("ptrauth-indirect-gotos");
+ if (CodeGenOpts.PointerAuth.AArch64JumpTableHardening)
+ Fn->addFnAttr("aarch64-jump-table-hardening");
// Apply xray attributes to the function (as a string, for now)
bool AlwaysXRayAttr = false;
diff --git a/clang/lib/Driver/ToolChains/Clang.cpp b/clang/lib/Driver/ToolChains/Clang.cpp
index 22df5b26687cc6..7ef55a33547c50 100644
--- a/clang/lib/Driver/ToolChains/Clang.cpp
+++ b/clang/lib/Driver/ToolChains/Clang.cpp
@@ -1876,6 +1876,8 @@ void Clang::AddAArch64TargetArgs(const ArgList &Args,
Args.addOptInFlag(CmdArgs,
options::OPT_fptrauth_init_fini_address_discrimination,
options::OPT_fno_ptrauth_init_fini_address_discrimination);
+ Args.addOptInFlag(CmdArgs, options::OPT_faarch64_jump_table_hardening,
+ options::OPT_fno_aarch64_jump_table_hardening);
}
void Clang::AddLoongArchTargetArgs(const ArgList &Args,
diff --git a/clang/lib/Frontend/CompilerInvocation.cpp b/clang/lib/Frontend/CompilerInvocation.cpp
index 3dd94c31b2bc7a..98136b7a455d9c 100644
--- a/clang/lib/Frontend/CompilerInvocation.cpp
+++ b/clang/lib/Frontend/CompilerInvocation.cpp
@@ -1511,6 +1511,7 @@ void CompilerInvocation::setDefaultPointerAuthOptions(
Opts.ReturnAddresses = LangOpts.PointerAuthReturns;
Opts.AuthTraps = LangOpts.PointerAuthAuthTraps;
Opts.IndirectGotos = LangOpts.PointerAuthIndirectGotos;
+ Opts.AArch64JumpTableHardening = LangOpts.AArch64JumpTableHardening;
}
static void parsePointerAuthOptions(PointerAuthOptions &Opts,
@@ -1518,7 +1519,8 @@ static void parsePointerAuthOptions(PointerAuthOptions &Opts,
const llvm::Triple &Triple,
DiagnosticsEngine &Diags) {
if (!LangOpts.PointerAuthCalls && !LangOpts.PointerAuthReturns &&
- !LangOpts.PointerAuthAuthTraps && !LangOpts.PointerAuthIndirectGotos)
+ !LangOpts.PointerAuthAuthTraps && !LangOpts.PointerAuthIndirectGotos &&
+ !LangOpts.AArch64JumpTableHardening)
return;
CompilerInvocation::setDefaultPointerAuthOptions(Opts, LangOpts, Triple);
@@ -3454,6 +3456,8 @@ static void GeneratePointerAuthArgs(const LangOptions &Opts,
GenerateArg(Consumer, OPT_fptrauth_init_fini_address_discrimination);
if (Opts.PointerAuthELFGOT)
GenerateArg(Consumer, OPT_fptrauth_elf_got);
+ if (Opts.AArch64JumpTableHardening)
+ GenerateArg(Consumer, OPT_faarch64_jump_table_hardening);
}
static void ParsePointerAuthArgs(LangOptions &Opts, ArgList &Args,
@@ -3475,6 +3479,8 @@ static void ParsePointerAuthArgs(LangOptions &Opts, ArgList &Args,
Opts.PointerAuthInitFiniAddressDiscrimination =
Args.hasArg(OPT_fptrauth_init_fini_address_discrimination);
Opts.PointerAuthELFGOT = Args.hasArg(OPT_fptrauth_elf_got);
+ Opts.AArch64JumpTableHardening =
+ Args.hasArg(OPT_faarch64_jump_table_hardening);
}
/// Check if input file kind and language standard are compatible.
diff --git a/clang/test/CodeGen/ptrauth-function-attributes.c b/clang/test/CodeGen/ptrauth-function-attributes.c
index e7081f00b4f686..caf613f0c66aba 100644
--- a/clang/test/CodeGen/ptrauth-function-attributes.c
+++ b/clang/test/CodeGen/ptrauth-function-attributes.c
@@ -14,6 +14,9 @@
// RUN: %clang_cc1 -triple arm64-apple-ios -fptrauth-indirect-gotos -emit-llvm %s -o - | FileCheck %s --check-prefixes=ALL,GOTOS
// RUN: %clang_cc1 -triple aarch64-linux-gnu -fptrauth-indirect-gotos -emit-llvm %s -o - | FileCheck %s --check-prefixes=ALL,GOTOS
+// RUN: %clang_cc1 -triple arm64e-apple-ios -faarch64-jump-table-hardening -emit-llvm %s -o - | FileCheck %s --check-prefixes=ALL,JMPTBL
+// RUN: %clang_cc1 -triple aarch64-linux-gnu -faarch64-jump-table-hardening -emit-llvm %s -o - | FileCheck %s --check-prefixes=ALL,JMPTBL
+
// ALL: define {{(dso_local )?}}void @test() #0
void test() {
}
@@ -26,4 +29,6 @@ void test() {
// GOTOS: attributes #0 = {{{.*}} "ptrauth-indirect-gotos" {{.*}}}
+// JMPTBL: attributes #0 = {{{.*}} "aarch64-jump-table-hardening" {{.*}}}
+
// OFF-NOT: attributes {{.*}} "ptrauth-
diff --git a/clang/test/Driver/aarch64-ptrauth.c b/clang/test/Driver/aarch64-ptrauth.c
index 19eaa73b14d9ea..d036189e614983 100644
--- a/clang/test/Driver/aarch64-ptrauth.c
+++ b/clang/test/Driver/aarch64-ptrauth.c
@@ -15,8 +15,9 @@
// RUN: -fno-ptrauth-indirect-gotos -fptrauth-indirect-gotos \
// RUN: -fno-ptrauth-init-fini -fptrauth-init-fini \
// RUN: -fno-ptrauth-init-fini-address-discrimination -fptrauth-init-fini-address-discrimination \
+// RUN: -fno-aarch64-jump-table-hardening -faarch64-jump-table-hardening \
// RUN: %s 2>&1 | FileCheck %s --check-prefix=ALL
-// ALL: "-cc1"{{.*}} "-fptrauth-intrinsics" "-fptrauth-calls" "-fptrauth-returns" "-fptrauth-auth-traps" "-fptrauth-vtable-pointer-address-discrimination" "-fptrauth-vtable-pointer-type-discrimination" "-fptrauth-type-info-vtable-pointer-discrimination" "-fptrauth-indirect-gotos" "-fptrauth-init-fini" "-fptrauth-init-fini-address-discrimination"
+// ALL: "-cc1"{{.*}} "-fptrauth-intrinsics" "-fptrauth-calls" "-fptrauth-returns" "-fptrauth-auth-traps" "-fptrauth-vtable-pointer-address-discrimination" "-fptrauth-vtable-pointer-type-discrimination" "-fptrauth-type-info-vtable-pointer-discrimination" "-fptrauth-indirect-gotos" "-fptrauth-init-fini" "-fptrauth-init-fini-address-discrimination" "-faarch64-jump-table-hardening"
// RUN: %clang -### -c --target=aarch64-linux -mabi=pauthtest %s 2>&1 | FileCheck %s --check-prefix=PAUTHABI1
// RUN: %clang -### -c --target=aarch64-linux-pauthtest %s 2>&1 | FileCheck %s --check-prefix=PAUTHABI1
@@ -38,7 +39,7 @@
// RUN: not %clang -### -c --target=x86_64 -fptrauth-intrinsics -fptrauth-calls -fptrauth-returns -fptrauth-auth-traps \
// RUN: -fptrauth-vtable-pointer-address-discrimination -fptrauth-vtable-pointer-type-discrimination \
// RUN: -fptrauth-type-info-vtable-pointer-discrimination -fptrauth-indirect-gotos -fptrauth-init-fini \
-// RUN: -fptrauth-init-fini-address-discrimination %s 2>&1 | FileCheck %s --check-prefix=ERR1
+// RUN: -fptrauth-init-fini-address-discrimination -faarch64-jump-table-hardening %s 2>&1 | FileCheck %s --check-prefix=ERR1
// ERR1: error: unsupported option '-fptrauth-intrinsics' for target '{{.*}}'
// ERR1-NEXT: error: unsupported option '-fptrauth-calls' for target '{{.*}}'
// ERR1-NEXT: error: unsupported option '-fptrauth-returns' for target '{{.*}}'
@@ -49,6 +50,7 @@
// ERR1-NEXT: error: unsupported option '-fptrauth-indirect-gotos' for target '{{.*}}'
// ERR1-NEXT: error: unsupported option '-fptrauth-init-fini' for target '{{.*}}'
// ERR1-NEXT: error: unsupported option '-fptrauth-init-fini-address-discrimination' for target '{{.*}}'
+// ERR1-NEXT: error: unsupported option '-faarch64-jump-table-hardening' for target '{{.*}}'
//// Only support PAuth ABI for Linux as for now.
// RUN: not %clang -o /dev/null -c --target=aarch64-unknown -mabi=pauthtest %s 2>&1 | FileCheck %s --check-prefix=ERR2
More information about the cfe-commits
mailing list