[llvm] [BOLT][binary-analysis] Add initial pac-ret gadget scanner (PR #122304)
Alan Zhao via llvm-commits
llvm-commits at lists.llvm.org
Mon Feb 24 11:33:44 PST 2025
alanzhao1 wrote:
FYI I bisected a test failure to this change:
```
Testing:
FAIL: BOLT :: binary-analysis/AArch64/gs-pacret-autiasp.s (1657 of 88694)
******************** TEST 'BOLT :: binary-analysis/AArch64/gs-pacret-autiasp.s' FAILED ********************
Exit Code: 1
Command Output (stderr):
--
RUN: at line 1: /b/s/w/ir/cache/builder/src/third_party/llvm-build/Release+Asserts/bin/clang --target=x86_64-unknown-linux-gnu -fPIE -fuse-ld=lld -Wl,--unresolved-symbols=ignore-all -Wl,--build-id=none -pie --target=aarch64-linux-gnu -nostartfiles -nostdlib -ffreestanding -march=armv9.5-a+pauth-lr -mbranch-protection=pac-ret /b/s/w/ir/cache/builder/src/third_party/llvm/bolt/test/binary-analysis/AArch64/gs-pacret-autiasp.s /b/s/w/ir/cache/builder/src/third_party/llvm/bolt/test/binary-analysis/AArch64/../../Inputs/asm_main.c -o /b/s/w/ir/cache/builder/src/third_party/llvm-build/Release+Asserts/tools/bolt/test/binary-analysis/AArch64/Output/gs-pacret-autiasp.s.tmp.exe
+ /b/s/w/ir/cache/builder/src/third_party/llvm-build/Release+Asserts/bin/clang --target=x86_64-unknown-linux-gnu -fPIE -fuse-ld=lld -Wl,--unresolved-symbols=ignore-all -Wl,--build-id=none -pie --target=aarch64-linux-gnu -nostartfiles -nostdlib -ffreestanding -march=armv9.5-a+pauth-lr -mbranch-protection=pac-ret /b/s/w/ir/cache/builder/src/third_party/llvm/bolt/test/binary-analysis/AArch64/gs-pacret-autiasp.s /b/s/w/ir/cache/builder/src/third_party/llvm/bolt/test/binary-analysis/AArch64/../../Inputs/asm_main.c -o /b/s/w/ir/cache/builder/src/third_party/llvm-build/Release+Asserts/tools/bolt/test/binary-analysis/AArch64/Output/gs-pacret-autiasp.s.tmp.exe
ld.lld: warning: cannot find entry symbol _start; not setting start address
RUN: at line 2: /b/s/w/ir/cache/builder/src/third_party/llvm-build/Release+Asserts/bin/llvm-bolt-binary-analysis --scanners=pacret /b/s/w/ir/cache/builder/src/third_party/llvm-build/Release+Asserts/tools/bolt/test/binary-analysis/AArch64/Output/gs-pacret-autiasp.s.tmp.exe 2>&1 | /b/s/w/ir/cache/builder/src/third_party/llvm-build/Release+Asserts/bin/FileCheck /b/s/w/ir/cache/builder/src/third_party/llvm/bolt/test/binary-analysis/AArch64/gs-pacret-autiasp.s
+ /b/s/w/ir/cache/builder/src/third_party/llvm-build/Release+Asserts/bin/FileCheck /b/s/w/ir/cache/builder/src/third_party/llvm/bolt/test/binary-analysis/AArch64/gs-pacret-autiasp.s
+ /b/s/w/ir/cache/builder/src/third_party/llvm-build/Release+Asserts/bin/llvm-bolt-binary-analysis --scanners=pacret /b/s/w/ir/cache/builder/src/third_party/llvm-build/Release+Asserts/tools/bolt/test/binary-analysis/AArch64/Output/gs-pacret-autiasp.s.tmp.exe
/b/s/w/ir/cache/builder/src/third_party/llvm/bolt/test/binary-analysis/AArch64/gs-pacret-autiasp.s:16:17: error: CHECK-LABEL: expected string not found in input
// CHECK-LABEL: GS-PACRET: non-protected ret found in function f1, basic block .LBB{{[0-9]+}}, at address
^
<stdin>:1:1: note: scanning from here
BOLT-INFO: shared object or position-independent executable detected
^
<stdin>:8:1: note: possible intended match here
GS-PACRET: non-protected ret found in function f1, basic block .Ltmp0, at address 10270
^
Input file: <stdin>
Check file: /b/s/w/ir/cache/builder/src/third_party/llvm/bolt/test/binary-analysis/AArch64/gs-pacret-autiasp.s
-dump-input=help explains the following input dump.
Input was:
<<<<<<
1: BOLT-INFO: shared object or position-independent executable detected
label:16'0 X~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ error: no match found
2: BOLT-INFO: Target architecture: aarch64
label:16'0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3: BOLT-INFO: BOLT version: 72768d9bb8ad3e97a852270726f04d7167d9ef50
label:16'0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
4: BOLT-INFO: first alloc address is 0x0
label:16'0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
5: BOLT-INFO: creating new program header table at address 0x200000, offset 0x200000
label:16'0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
6: BOLT-WARNING: non-relocation mode for AArch64 is not fully supported
label:16'0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
7:
label:16'0 ~
8: GS-PACRET: non-protected ret found in function f1, basic block .Ltmp0, at address 10270
label:16'0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
label:16'1 ? possible intended match
9: The return instruction is 00010270: ret
label:16'0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
10: The 1 instructions that write to the return register after any authentication are:
label:16'0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
11: 1. 0001026c: ldp x29, x30, [sp], #0x10
label:16'0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
12: This happens in the following basic block:
label:16'0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
13: 00010268: add x0, x0, #0x3
label:16'0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.
.
.
>>>>>>
--
********************
Testing: 0.. 10.. 20.. 30.. 40.. 50.. 60.. 70.. 80.. 90..
********************
Failed Tests (1):
BOLT :: binary-analysis/AArch64/gs-pacret-autiasp.s
```
https://github.com/llvm/llvm-project/pull/122304