[llvm] [BOLT] Gadget scanner: analyze functions without CFG information (PR #133461)
Kristof Beyls via llvm-commits
llvm-commits at lists.llvm.org
Mon Apr 7 05:32:36 PDT 2025
================
@@ -429,6 +429,261 @@ bad_indirect_call_mem_chain_of_auts_multi_bb:
ret
.size bad_indirect_call_mem_chain_of_auts_multi_bb, .-bad_indirect_call_mem_chain_of_auts_multi_bb
+// Tests for CFG-unaware analysis.
+
+ .globl good_direct_call_nocfg
+ .type good_direct_call_nocfg, at function
+good_direct_call_nocfg:
+// CHECK-NOT: good_direct_call_nocfg
+ paciasp
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ bl callee
+
+ adr x2, 1f
+ br x2
+1:
+ ldp x29, x30, [sp], #16
+ autiasp
+ ret
+ .size good_direct_call_nocfg, .-good_direct_call_nocfg
+
+ .globl good_indirect_call_arg_nocfg
+ .type good_indirect_call_arg_nocfg, at function
+good_indirect_call_arg_nocfg:
+// CHECK-NOT: good_indirect_call_arg_nocfg
+ paciasp
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ autia x0, x1
+ blr x0
+
+ adr x2, 1f
+ br x2
+1:
+ ldp x29, x30, [sp], #16
+ autiasp
+ ret
+ .size good_indirect_call_arg_nocfg, .-good_indirect_call_arg_nocfg
+
+ .globl good_indirect_call_mem_nocfg
+ .type good_indirect_call_mem_nocfg, at function
+good_indirect_call_mem_nocfg:
+// CHECK-NOT: good_indirect_call_mem_nocfg
+ paciasp
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ ldr x16, [x0]
+ autia x16, x0
+ blr x16
+
+ adr x2, 1f
+ br x2
+1:
+ ldp x29, x30, [sp], #16
+ autiasp
+ ret
+ .size good_indirect_call_mem_nocfg, .-good_indirect_call_mem_nocfg
+
+ .globl good_indirect_call_arg_v83_nocfg
+ .type good_indirect_call_arg_v83_nocfg, at function
+good_indirect_call_arg_v83_nocfg:
+// CHECK-NOT: good_indirect_call_arg_v83_nocfg
+ paciasp
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ blraa x0, x1
+
+ adr x2, 1f
+ br x2
+1:
+ ldp x29, x30, [sp], #16
+ autiasp
+ ret
+ .size good_indirect_call_arg_v83_nocfg, .-good_indirect_call_arg_v83_nocfg
+
+ .globl good_indirect_call_mem_v83_nocfg
+ .type good_indirect_call_mem_v83_nocfg, at function
+good_indirect_call_mem_v83_nocfg:
+// CHECK-NOT: good_indirect_call_mem_v83_nocfg
+ paciasp
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ ldr x16, [x0]
+ blraa x16, x0
+
+ adr x2, 1f
+ br x2
+1:
+ ldp x29, x30, [sp], #16
+ autiasp
+ ret
+ .size good_indirect_call_mem_v83_nocfg, .-good_indirect_call_mem_v83_nocfg
+
+ .globl bad_indirect_call_arg_nocfg
+ .type bad_indirect_call_arg_nocfg, at function
+bad_indirect_call_arg_nocfg:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_call_arg_nocfg, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x0
+// CHECK-NEXT: The 0 instructions that write to the affected registers after any authentication are:
+ paciasp
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ blr x0
+
+ adr x2, 1f
+ br x2
+1:
+ ldp x29, x30, [sp], #16
+ autiasp
+ ret
+ .size bad_indirect_call_arg_nocfg, .-bad_indirect_call_arg_nocfg
+
+ .globl obscure_indirect_call_arg_nocfg
+ .type obscure_indirect_call_arg_nocfg, at function
+obscure_indirect_call_arg_nocfg:
+// CHECK-NOCFG-LABEL: GS-PAUTH: non-protected call found in function obscure_indirect_call_arg_nocfg, at address
+// CHECK-NOCFG-NEXT: The instruction is {{[0-9a-f]+}}: blr x0
+// CHECK-NOCFG-NEXT: The 0 instructions that write to the affected registers after any authentication are:
+ paciasp
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ autia x0, x1 // not observed by the checker
+ b 1f // ... because of unconditional branch
+1:
+ blr x0 // reported as non-protected
----------------
kbeyls wrote:
Maybe it would be useful to indicate explicitly this test case is a "false positive" somehow?
https://github.com/llvm/llvm-project/pull/133461