[PATCH] D49608: Mark REAL(swapcontext) with indirect_return attribute on x86

H.J Lu via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Fri Jul 20 10:34:00 PDT 2018 

hjl.tools created this revision.
hjl.tools added a reviewer: kcc.
Herald added subscribers: Sanitizers, kubamracek.

When shadow stack from Intel CET is enabled, the first instruction of all
indirect branch targets must be a special instruction, ENDBR.

lib/asan/asan_interceptors.cc has

...

  int res = REAL(swapcontext)(oucp, ucp);

...

REAL(swapcontext) is a function pointer to swapcontext in libc.  Since
swapcontext may return via indirect branch on x86 when shadow stack is
enabled, as in this case,

int res = REAL(swapcontext)(oucp, ucp);

  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^  This function may be

returned via an indirect branch.

Here compiler must insert ENDBR after call, like

call *bar(%rip)
endbr64

I opened an LLVM bug:

https://bugs.llvm.org/show_bug.cgi?id=38207

to add the indirect_return attribute so that it can be used to inform
compiler to insert ENDBR after REAL(swapcontext) call.  We mark
REAL(swapcontext) with the indirect_return attribute if it is available.


Repository:
  rCRT Compiler Runtime

https://reviews.llvm.org/D49608

Files:
  lib/asan/asan_interceptors.cc


Index: lib/asan/asan_interceptors.cc
===================================================================
--- lib/asan/asan_interceptors.cc
+++ lib/asan/asan_interceptors.cc
@@ -275,7 +275,16 @@
   uptr stack, ssize;
   ReadContextStack(ucp, &stack, &ssize);
   ClearShadowMemoryForContextStack(stack, ssize);
+#if defined(__has_attribute) && (defined(__x86_64__) || defined(__i386__))
+  int (*real_swapcontext)(struct ucontext_t *, struct ucontext_t *)
+# if __has_attribute(__indirect_return__)
+    __attribute__((__indirect_return__))
+# endif
+    = REAL(swapcontext);
+  int res = real_swapcontext(oucp, ucp);
+#else
   int res = REAL(swapcontext)(oucp, ucp);
+#endif
   // swapcontext technically does not return, but program may swap context to
   // "oucp" later, that would look as if swapcontext() returned 0.
   // We need to clear shadow for ucp once again, as it may be in arbitrary


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D49608.156536.patch
Type: text/x-patch
Size: 897 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20180720/6efc442b/attachment.bin>

More information about the llvm-commits mailing list