[PATCH] D156716: [AArch64][PAC] Check authenticated LR value during tail call

Anatoly Trosinenko via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Mon Jul 31 09:54:16 PDT 2023


atrosinenko created this revision.
atrosinenko added reviewers: ab, kristof.beyls, apazos, pcc, psmith, t.p.northover.
Herald added subscribers: JDevlieghere, hiraditya.
Herald added a project: All.
atrosinenko published this revision for review.
atrosinenko added a comment.
Herald added a project: LLVM.
Herald added a subscriber: llvm-commits.

This patch is inspired by the commit https://github.com/ahmedbougacha/llvm-project/commit/58cf59b84ca4e7930a640480fd5ad1ea194864f5 (and uses the same immediate operand for the BRK instruction) but adds the checks during epilogue insertion instead of asm printing.


When performing a tail call, check the value of the LR register after
authentication to prevent the callee from signing and spilling an
untrusted value. If it is safe to assume that executable pages are
always readable, just immediately dereference the LR value via LDR,
otherwise compare the authenticated return address with the XPAC'ed one.

As an alternative to a single LDR instruction, the following snippet is
used:

    ; lowered AUT* instruction
    mov tmp, lr
    xpaclri
    cmp tmp, lr
    b.ne break_block
  ret_block:
    ; lowered TCRETURN
  break_block:
    brk 0xc471

The tricky part is that the address stored in LR is XPAC'ed at some
point, but this makes it possible to only use PAuth instructions that
are encoded as HINTs.


Repository:
  rG LLVM Github Monorepo

https://reviews.llvm.org/D156716

Files:
  llvm/lib/Target/AArch64/AArch64FrameLowering.cpp
  llvm/test/CodeGen/AArch64/sign-return-address-tailcall.ll
  llvm/test/CodeGen/AArch64/sign-return-address.ll

-------------- next part --------------
A non-text attachment was scrubbed...
Name: D156716.545719.patch
Type: text/x-patch
Size: 10507 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20230731/c14ded9c/attachment-0001.bin>
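
Added example, not part of the patch or of LLVM: a small C model of why the `cmp tmp, lr` sequence described in the summary catches a failed authentication before the tail call. It assumes 48-bit virtual addresses, TBI disabled, no FEAT_FPAC and the A key; `toy_mac`, `TOY_KEY` and the sample addresses are constructed stand-ins, not the architected PAC algorithm.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model: 48-bit VA, TBI off, so the PAC field is bits 63:56 and 54:48. */
#define PAC_MASK  0xFF7F000000000000ULL
#define BIT55     (1ULL << 55)
#define ERR_KEY_A (1ULL << 61)          /* error code 0b01 in bits 62:61 */
#define TOY_KEY   0x0123456789ABCDEFULL /* constructed key */

/* Stand-in MAC (assumption), NOT the architected PAC algorithm. */
static uint64_t toy_mac(uint64_t addr, uint64_t mod) {
    uint64_t x = (addr ^ TOY_KEY) * 0x9E3779B97F4A7C15ULL;
    x ^= mod + (x >> 29);
    return (x * 0xBF58476D1CE4E5B9ULL) ^ (x >> 32);
}

/* XPAC: restore the canonical extension bits selected by bit 55. */
uint64_t xpac(uint64_t p) {
    return (p & BIT55) ? (p | PAC_MASK) : (p & ~PAC_MASK);
}

/* PACIA-like: place the MAC of (address, modifier) into the PAC field. */
uint64_t pac_sign(uint64_t p, uint64_t mod) {
    uint64_t c = xpac(p);
    return (c & ~PAC_MASK) | (toy_mac(c, mod) & PAC_MASK);
}

/* AUTIA-like without FEAT_FPAC: success yields the canonical address,
   failure yields it with an error code that makes it non-canonical. */
uint64_t aut(uint64_t p, uint64_t mod) {
    uint64_t c = xpac(p);
    if (pac_sign(c, mod) == p) return c;
    return (c & ~(3ULL << 61)) | ERR_KEY_A;
}

/* mov tmp, lr; xpaclri; cmp tmp, lr; b.ne break_block
   Returns 1 for ret_block (TCRETURN), 0 for break_block (brk 0xc471). */
int lr_check_passes(uint64_t lr) {
    uint64_t tmp = lr;
    return tmp == xpac(lr);
}

int main(void) {
    /* Constructed sample values: SP modifier, real and overwritten return addresses. */
    uint64_t sp = 0x0000FFFFC0001000ULL, ret = 0x0000AAAA00401234ULL, evil = 0x0000AAAA00666000ULL;
    uint64_t forged = evil | (~pac_sign(evil, sp) & PAC_MASK); /* PAC guaranteed wrong */
    printf("genuine LR passes check: %d\n", lr_check_passes(aut(pac_sign(ret, sp), sp)));
    printf("forged LR passes check:  %d\n", lr_check_passes(aut(forged, sp)));
    return 0;
}
```

In this model the failed AUT leaves a poisoned, non-canonical LR that would fault only if used as a return address; the comparison traps before the callee can re-sign it.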

