[llvm] [BOLT] Gadget scanner: detect authentication oracles (PR #135663)

[Kristof Beyls via llvm-commits]

================
@@ -0,0 +1,739 @@
+// RUN: %clang %cflags -march=armv8.3-a %s -o %t.exe
+// RUN: llvm-bolt-binary-analysis --scanners=pacret %t.exe 2>&1 | FileCheck -check-prefix=PACRET %s
+// RUN: llvm-bolt-binary-analysis --scanners=pauth  %t.exe 2>&1 | FileCheck %s
+
+// The detection of compiler-generated explicit pointer checks is tested in
+// gs-pauth-address-checks.s, for that reason only test here "dummy-load" and
+// "high-bits-notbi" checkers, as the shortest examples of checkers that are
+// detected per-instruction and per-BB.
+
+// PACRET-NOT: authentication oracle found in function
----------------
kbeyls wrote:

I'm wondering if authentication oracles should be reported for pac-ret functions too?
I can't immediately come up with why not. Maybe authentication oracles are always already reported in a different way when pac-ret scanning?

For example, is the following an authentication oracle in the pac-ret scheme?
```
        paciasp
        stp     x29, x30, [sp, #-16]!
        ldp     x29, x30, [sp], #16
        autiasp
        str x30, [x0] /// <-- authentication oracle?
        ret
```

But maybe in the above example, the authentication oracle isn't really exploitable by an attacker as it would need other code to be called before the `ret`. And if there was a call between authentication and the return instruction, the pac-ret scanner would flag that?

https://github.com/llvm/llvm-project/pull/135663