[llvm] [BOLT][binary-analysis] Add initial pac-ret gadget scanner (PR #122304)

Kristof Beyls via llvm-commits llvm-commits at lists.llvm.org
Mon Jan 13 05:39:26 PST 2025


================
@@ -148,6 +149,68 @@ class AArch64MCPlusBuilder : public MCPlusBuilder {
     return false;
   }
 
+  MCPhysReg getAuthenticatedReg(const MCInst &Inst) const override {
+    switch (Inst.getOpcode()) {
+    case AArch64::AUTIAZ:
+    case AArch64::AUTIBZ:
+    case AArch64::AUTIASP:
+    case AArch64::AUTIBSP:
+    case AArch64::RETAA:
+    case AArch64::RETAB:
+      return AArch64::LR;
+    case AArch64::AUTIA1716:
+    case AArch64::AUTIB1716:
+      return AArch64::X17;
+    case AArch64::ERETAA:
+    case AArch64::ERETAB:
+      return AArch64::LR;
+
+    case AArch64::AUTIA:
+    case AArch64::AUTIB:
+    case AArch64::AUTDA:
+    case AArch64::AUTDB:
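Review bot: the `ERETAA`/`ERETAB` cases return `AArch64::LR`, but those instructions authenticate the return address held in ELR_ELx rather than the value in LR; if the scanner is only meant for user-space returns, a short comment saying why LR is reported there (or returning no register for these opcodes) would stop callers from treating it as an LR authentication. Also, `AUTDA`/`AUTDB` (data-key authentication) share a case group with `AUTIA`/`AUTIB` (instruction-key authentication), so a value authenticated with a data key counts the same as one authenticated with an instruction key for the purposes of this helper; please document whether that is intended for the pac-ret check.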
----------------
kbeyls wrote:

Hmmm. Good question...
The analysis as currently implemented checks "did any authentication happen on the value in this register that is going to be used in a return instruction", rather than "did an _instruction_ authentication happen".

If no strong indication emerges why this could hide a gap in pac-ret security hardening implementation that will be left undetected through "normal" correctness testing (i.e. checking that the binary processes inputs and translates them to outputs as expected), I think it may be best to leave this idea as a potential low-priority improvement to add later.


https://github.com/llvm/llvm-project/pull/122304

