1 //===-- CFGuard.cpp - Control Flow Guard checks -----------------*- C++ -*-===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 ///
9 /// \file
10 /// This file contains the IR transform to add Microsoft's Control Flow Guard
11 /// checks on Windows targets.
12 ///
13 //===----------------------------------------------------------------------===//
14
15 #include "llvm/Transforms/CFGuard.h"
16 #include "llvm/ADT/SmallVector.h"
17 #include "llvm/ADT/Statistic.h"
18 #include "llvm/ADT/Triple.h"
19 #include "llvm/IR/CallingConv.h"
20 #include "llvm/IR/IRBuilder.h"
21 #include "llvm/IR/Instruction.h"
22 #include "llvm/InitializePasses.h"
23 #include "llvm/Pass.h"
24
25 using namespace llvm;
26
27 using OperandBundleDef = OperandBundleDefT<Value *>;
28
29 #define DEBUG_TYPE "cfguard"
30
31 STATISTIC(CFGuardCounter, "Number of Control Flow Guard checks added");
32
33 namespace {
34
35 /// Adds Control Flow Guard (CFG) checks on indirect function calls/invokes.
36 /// These checks ensure that the target address corresponds to the start of an
37 /// address-taken function. X86_64 targets use the CF_Dispatch mechanism. X86,
38 /// ARM, and AArch64 targets use the CF_Check machanism.
39 class CFGuard : public FunctionPass {
40 public:
41 static char ID;
42
43 enum Mechanism { CF_Check, CF_Dispatch };
44
45 // Default constructor required for the INITIALIZE_PASS macro.
CFGuard()46 CFGuard() : FunctionPass(ID) {
47 initializeCFGuardPass(*PassRegistry::getPassRegistry());
48 // By default, use the guard check mechanism.
49 GuardMechanism = CF_Check;
50 }
51
52 // Recommended constructor used to specify the type of guard mechanism.
CFGuard(Mechanism Var)53 CFGuard(Mechanism Var) : FunctionPass(ID) {
54 initializeCFGuardPass(*PassRegistry::getPassRegistry());
55 GuardMechanism = Var;
56 }
57
58 /// Inserts a Control Flow Guard (CFG) check on an indirect call using the CFG
59 /// check mechanism. When the image is loaded, the loader puts the appropriate
60 /// guard check function pointer in the __guard_check_icall_fptr global
61 /// symbol. This checks that the target address is a valid address-taken
62 /// function. The address of the target function is passed to the guard check
63 /// function in an architecture-specific register (e.g. ECX on 32-bit X86,
64 /// X15 on Aarch64, and R0 on ARM). The guard check function has no return
65 /// value (if the target is invalid, the guard check funtion will raise an
66 /// error).
67 ///
68 /// For example, the following LLVM IR:
69 /// \code
70 /// %func_ptr = alloca i32 ()*, align 8
71 /// store i32 ()* @target_func, i32 ()** %func_ptr, align 8
72 /// %0 = load i32 ()*, i32 ()** %func_ptr, align 8
73 /// %1 = call i32 %0()
74 /// \endcode
75 ///
76 /// is transformed to:
77 /// \code
78 /// %func_ptr = alloca i32 ()*, align 8
79 /// store i32 ()* @target_func, i32 ()** %func_ptr, align 8
80 /// %0 = load i32 ()*, i32 ()** %func_ptr, align 8
81 /// %1 = load void (i8*)*, void (i8*)** @__guard_check_icall_fptr
82 /// %2 = bitcast i32 ()* %0 to i8*
83 /// call cfguard_checkcc void %1(i8* %2)
84 /// %3 = call i32 %0()
85 /// \endcode
86 ///
87 /// For example, the following X86 assembly code:
88 /// \code
89 /// movl $_target_func, %eax
90 /// calll *%eax
91 /// \endcode
92 ///
93 /// is transformed to:
94 /// \code
95 /// movl $_target_func, %ecx
96 /// calll *___guard_check_icall_fptr
97 /// calll *%ecx
98 /// \endcode
99 ///
100 /// \param CB indirect call to instrument.
101 void insertCFGuardCheck(CallBase *CB);
102
103 /// Inserts a Control Flow Guard (CFG) check on an indirect call using the CFG
104 /// dispatch mechanism. When the image is loaded, the loader puts the
105 /// appropriate guard check function pointer in the
106 /// __guard_dispatch_icall_fptr global symbol. This checks that the target
107 /// address is a valid address-taken function and, if so, tail calls the
108 /// target. The target address is passed in an architecture-specific register
109 /// (e.g. RAX on X86_64), with all other arguments for the target function
110 /// passed as usual.
111 ///
112 /// For example, the following LLVM IR:
113 /// \code
114 /// %func_ptr = alloca i32 ()*, align 8
115 /// store i32 ()* @target_func, i32 ()** %func_ptr, align 8
116 /// %0 = load i32 ()*, i32 ()** %func_ptr, align 8
117 /// %1 = call i32 %0()
118 /// \endcode
119 ///
120 /// is transformed to:
121 /// \code
122 /// %func_ptr = alloca i32 ()*, align 8
123 /// store i32 ()* @target_func, i32 ()** %func_ptr, align 8
124 /// %0 = load i32 ()*, i32 ()** %func_ptr, align 8
125 /// %1 = load i32 ()*, i32 ()** @__guard_dispatch_icall_fptr
126 /// %2 = call i32 %1() [ "cfguardtarget"(i32 ()* %0) ]
127 /// \endcode
128 ///
129 /// For example, the following X86_64 assembly code:
130 /// \code
131 /// leaq target_func(%rip), %rax
132 /// callq *%rax
133 /// \endcode
134 ///
135 /// is transformed to:
136 /// \code
137 /// leaq target_func(%rip), %rax
138 /// callq *__guard_dispatch_icall_fptr(%rip)
139 /// \endcode
140 ///
141 /// \param CB indirect call to instrument.
142 void insertCFGuardDispatch(CallBase *CB);
143
144 bool doInitialization(Module &M) override;
145 bool runOnFunction(Function &F) override;
146
147 private:
148 // Only add checks if the module has the cfguard=2 flag.
149 int cfguard_module_flag = 0;
150 Mechanism GuardMechanism = CF_Check;
151 FunctionType *GuardFnType = nullptr;
152 PointerType *GuardFnPtrType = nullptr;
153 Constant *GuardFnGlobal = nullptr;
154 };
155
156 } // end anonymous namespace
157
insertCFGuardCheck(CallBase * CB)158 void CFGuard::insertCFGuardCheck(CallBase *CB) {
159
160 assert(Triple(CB->getModule()->getTargetTriple()).isOSWindows() &&
161 "Only applicable for Windows targets");
162 assert(CB->isIndirectCall() &&
163 "Control Flow Guard checks can only be added to indirect calls");
164
165 IRBuilder<> B(CB);
166 Value *CalledOperand = CB->getCalledOperand();
167
168 // Load the global symbol as a pointer to the check function.
169 LoadInst *GuardCheckLoad = B.CreateLoad(GuardFnPtrType, GuardFnGlobal);
170
171 // Create new call instruction. The CFGuard check should always be a call,
172 // even if the original CallBase is an Invoke or CallBr instruction.
173 CallInst *GuardCheck =
174 B.CreateCall(GuardFnType, GuardCheckLoad,
175 {B.CreateBitCast(CalledOperand, B.getInt8PtrTy())});
176
177 // Ensure that the first argument is passed in the correct register
178 // (e.g. ECX on 32-bit X86 targets).
179 GuardCheck->setCallingConv(CallingConv::CFGuard_Check);
180 }
181
insertCFGuardDispatch(CallBase * CB)182 void CFGuard::insertCFGuardDispatch(CallBase *CB) {
183
184 assert(Triple(CB->getModule()->getTargetTriple()).isOSWindows() &&
185 "Only applicable for Windows targets");
186 assert(CB->isIndirectCall() &&
187 "Control Flow Guard checks can only be added to indirect calls");
188
189 IRBuilder<> B(CB);
190 Value *CalledOperand = CB->getCalledOperand();
191 Type *CalledOperandType = CalledOperand->getType();
192
193 // Cast the guard dispatch global to the type of the called operand.
194 PointerType *PTy = PointerType::get(CalledOperandType, 0);
195 if (GuardFnGlobal->getType() != PTy)
196 GuardFnGlobal = ConstantExpr::getBitCast(GuardFnGlobal, PTy);
197
198 // Load the global as a pointer to a function of the same type.
199 LoadInst *GuardDispatchLoad = B.CreateLoad(CalledOperandType, GuardFnGlobal);
200
201 // Add the original call target as a cfguardtarget operand bundle.
202 SmallVector<llvm::OperandBundleDef, 1> Bundles;
203 CB->getOperandBundlesAsDefs(Bundles);
204 Bundles.emplace_back("cfguardtarget", CalledOperand);
205
206 // Create a copy of the call/invoke instruction and add the new bundle.
207 CallBase *NewCB;
208 if (CallInst *CI = dyn_cast<CallInst>(CB)) {
209 NewCB = CallInst::Create(CI, Bundles, CB);
210 } else {
211 assert(isa<InvokeInst>(CB) && "Unknown indirect call type");
212 InvokeInst *II = cast<InvokeInst>(CB);
213 NewCB = llvm::InvokeInst::Create(II, Bundles, CB);
214 }
215
216 // Change the target of the call to be the guard dispatch function.
217 NewCB->setCalledOperand(GuardDispatchLoad);
218
219 // Replace the original call/invoke with the new instruction.
220 CB->replaceAllUsesWith(NewCB);
221
222 // Delete the original call/invoke.
223 CB->eraseFromParent();
224 }
225
doInitialization(Module & M)226 bool CFGuard::doInitialization(Module &M) {
227
228 // Check if this module has the cfguard flag and read its value.
229 if (auto *MD =
230 mdconst::extract_or_null<ConstantInt>(M.getModuleFlag("cfguard")))
231 cfguard_module_flag = MD->getZExtValue();
232
233 // Skip modules for which CFGuard checks have been disabled.
234 if (cfguard_module_flag != 2)
235 return false;
236
237 // Set up prototypes for the guard check and dispatch functions.
238 GuardFnType = FunctionType::get(Type::getVoidTy(M.getContext()),
239 {Type::getInt8PtrTy(M.getContext())}, false);
240 GuardFnPtrType = PointerType::get(GuardFnType, 0);
241
242 // Get or insert the guard check or dispatch global symbols.
243 if (GuardMechanism == CF_Check) {
244 GuardFnGlobal =
245 M.getOrInsertGlobal("__guard_check_icall_fptr", GuardFnPtrType);
246 } else {
247 assert(GuardMechanism == CF_Dispatch && "Invalid CFGuard mechanism");
248 GuardFnGlobal =
249 M.getOrInsertGlobal("__guard_dispatch_icall_fptr", GuardFnPtrType);
250 }
251
252 return true;
253 }
254
runOnFunction(Function & F)255 bool CFGuard::runOnFunction(Function &F) {
256
257 // Skip modules for which CFGuard checks have been disabled.
258 if (cfguard_module_flag != 2)
259 return false;
260
261 SmallVector<CallBase *, 8> IndirectCalls;
262
263 // Iterate over the instructions to find all indirect call/invoke/callbr
264 // instructions. Make a separate list of pointers to indirect
265 // call/invoke/callbr instructions because the original instructions will be
266 // deleted as the checks are added.
267 for (BasicBlock &BB : F.getBasicBlockList()) {
268 for (Instruction &I : BB.getInstList()) {
269 auto *CB = dyn_cast<CallBase>(&I);
270 if (CB && CB->isIndirectCall() && !CB->hasFnAttr("guard_nocf")) {
271 IndirectCalls.push_back(CB);
272 CFGuardCounter++;
273 }
274 }
275 }
276
277 // If no checks are needed, return early.
278 if (IndirectCalls.empty()) {
279 return false;
280 }
281
282 // For each indirect call/invoke, add the appropriate dispatch or check.
283 if (GuardMechanism == CF_Dispatch) {
284 for (CallBase *CB : IndirectCalls) {
285 insertCFGuardDispatch(CB);
286 }
287 } else {
288 for (CallBase *CB : IndirectCalls) {
289 insertCFGuardCheck(CB);
290 }
291 }
292
293 return true;
294 }
295
296 char CFGuard::ID = 0;
297 INITIALIZE_PASS(CFGuard, "CFGuard", "CFGuard", false, false)
298
createCFGuardCheckPass()299 FunctionPass *llvm::createCFGuardCheckPass() {
300 return new CFGuard(CFGuard::CF_Check);
301 }
302
createCFGuardDispatchPass()303 FunctionPass *llvm::createCFGuardDispatchPass() {
304 return new CFGuard(CFGuard::CF_Dispatch);
305 }