[PATCH] D155485: Retain all jump table range checks when using BTI.

Peter Smith via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Wed Jul 26 01:49:20 PDT 2023 

peter.smith added a comment.

In D155485#4534229 <https://reviews.llvm.org/D155485#4534229>, @MaskRay wrote:

> I agree with the hardening side argument. I have checked `FallthroughUnreachable` uses in `CC_BitTests` and `CC_Range` for some CodeGen tests (mostly in X86/) and confirmed that they don't need the `"branch-target-enforcement"` special case.
>
>> A table-based branch of any kind is at risk of being a JOP gadget, if it doesn't range-check the offset into the table. ...
>
> Consider adding `CC_JumpTable` to the paragraph. Its case label is many lines above and with the default context of git log, it's difficult to see how this change is relevant to `CC_JumpTable` ...
>
>> ... many of these table branch idioms use branch instructions that do not set the BTI flag, so they can target instructions without BTI landing pads.
>
> Q: what does "use branch instructions that do not set the BTI flag" mean?

AArch32 has quite a few ways to do an indirect branch as the PC is a writeable register. The way the M-profile BTI is defined is in terms of BTI setting and BTI clearing instructions, where the flag is the `EPSR.B` bit. Intuitively a BTI setting instruction must transfer control to a BTI clearing instruction. Some indirect branches such as `MOV PC, <Src Reg>` are not BTI setting so they are not required to transfer control to a BTI clearing instruction.

Quotes/paraphrases from the v8-m Arm ARM https://developer.arm.com/documentation/ddi0553/latest/

  BTI clearing: Branch Target Identification clearing instruction. Any instruction that clears the EPSR.B bit to zero.
  BTI setting: Branch Target Identification setting instruction. Any instruction that sets the EPSR.B bit to one.
  ...
  EPSR.B bit:
  Unless otherwise stated, when this bit is set the next executed instruction must be a BTI clearing instruction otherwise an INVSTATE UsageFault is generated.

The BTI setting instructions are:

  * BLX.
  * BLXNS.
  * When the register holding the branch address is not the LR:
  – BX.
  – BXNS.
  * When the address is loaded into the PC:
  – LDR (register).
  – LDR (literal).
  * When the address is loaded into the PC and the base address register is either not the SP or the SP and write-back of the SP does not occur:
  – LDR (immediate).
  – LDM, LDMIA, LDMFD.
  – LDMDB, LDMEA.

The BTI clearing instructions are:

  * BTI.
  * SG.
  * PACBTI.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D155485/new/

https://reviews.llvm.org/D155485

More information about the llvm-commits mailing list