• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 //===-- CFGuard.cpp - Control Flow Guard checks -----------------*- C++ -*-===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 ///
9 /// \file
10 /// This file contains the IR transform to add Microsoft's Control Flow Guard
11 /// checks on Windows targets.
12 ///
13 //===----------------------------------------------------------------------===//
14 
15 #include "llvm/Transforms/CFGuard.h"
16 #include "llvm/ADT/SmallVector.h"
17 #include "llvm/ADT/Statistic.h"
18 #include "llvm/ADT/Triple.h"
19 #include "llvm/IR/CallingConv.h"
20 #include "llvm/IR/IRBuilder.h"
21 #include "llvm/IR/Instruction.h"
22 #include "llvm/InitializePasses.h"
23 #include "llvm/Pass.h"
24 
25 using namespace llvm;
26 
27 using OperandBundleDef = OperandBundleDefT<Value *>;
28 
29 #define DEBUG_TYPE "cfguard"
30 
31 STATISTIC(CFGuardCounter, "Number of Control Flow Guard checks added");
32 
33 namespace {
34 
35 /// Adds Control Flow Guard (CFG) checks on indirect function calls/invokes.
36 /// These checks ensure that the target address corresponds to the start of an
37 /// address-taken function. X86_64 targets use the CF_Dispatch mechanism. X86,
38 /// ARM, and AArch64 targets use the CF_Check machanism.
39 class CFGuard : public FunctionPass {
40 public:
41   static char ID;
42 
43   enum Mechanism { CF_Check, CF_Dispatch };
44 
45   // Default constructor required for the INITIALIZE_PASS macro.
CFGuard()46   CFGuard() : FunctionPass(ID) {
47     initializeCFGuardPass(*PassRegistry::getPassRegistry());
48     // By default, use the guard check mechanism.
49     GuardMechanism = CF_Check;
50   }
51 
52   // Recommended constructor used to specify the type of guard mechanism.
CFGuard(Mechanism Var)53   CFGuard(Mechanism Var) : FunctionPass(ID) {
54     initializeCFGuardPass(*PassRegistry::getPassRegistry());
55     GuardMechanism = Var;
56   }
57 
58   /// Inserts a Control Flow Guard (CFG) check on an indirect call using the CFG
59   /// check mechanism. When the image is loaded, the loader puts the appropriate
60   /// guard check function pointer in the __guard_check_icall_fptr global
61   /// symbol. This checks that the target address is a valid address-taken
62   /// function. The address of the target function is passed to the guard check
63   /// function in an architecture-specific register (e.g. ECX on 32-bit X86,
64   /// X15 on Aarch64, and R0 on ARM). The guard check function has no return
65   /// value (if the target is invalid, the guard check funtion will raise an
66   /// error).
67   ///
68   /// For example, the following LLVM IR:
69   /// \code
70   ///   %func_ptr = alloca i32 ()*, align 8
71   ///   store i32 ()* @target_func, i32 ()** %func_ptr, align 8
72   ///   %0 = load i32 ()*, i32 ()** %func_ptr, align 8
73   ///   %1 = call i32 %0()
74   /// \endcode
75   ///
76   /// is transformed to:
77   /// \code
78   ///   %func_ptr = alloca i32 ()*, align 8
79   ///   store i32 ()* @target_func, i32 ()** %func_ptr, align 8
80   ///   %0 = load i32 ()*, i32 ()** %func_ptr, align 8
81   ///   %1 = load void (i8*)*, void (i8*)** @__guard_check_icall_fptr
82   ///   %2 = bitcast i32 ()* %0 to i8*
83   ///   call cfguard_checkcc void %1(i8* %2)
84   ///   %3 = call i32 %0()
85   /// \endcode
86   ///
87   /// For example, the following X86 assembly code:
88   /// \code
89   ///   movl  $_target_func, %eax
90   ///   calll *%eax
91   /// \endcode
92   ///
93   /// is transformed to:
94   /// \code
95   /// 	movl	$_target_func, %ecx
96   /// 	calll	*___guard_check_icall_fptr
97   /// 	calll	*%ecx
98   /// \endcode
99   ///
100   /// \param CB indirect call to instrument.
101   void insertCFGuardCheck(CallBase *CB);
102 
103   /// Inserts a Control Flow Guard (CFG) check on an indirect call using the CFG
104   /// dispatch mechanism. When the image is loaded, the loader puts the
105   /// appropriate guard check function pointer in the
106   /// __guard_dispatch_icall_fptr global symbol. This checks that the target
107   /// address is a valid address-taken function and, if so, tail calls the
108   /// target. The target address is passed in an architecture-specific register
109   /// (e.g. RAX on X86_64), with all other arguments for the target function
110   /// passed as usual.
111   ///
112   /// For example, the following LLVM IR:
113   /// \code
114   ///   %func_ptr = alloca i32 ()*, align 8
115   ///   store i32 ()* @target_func, i32 ()** %func_ptr, align 8
116   ///   %0 = load i32 ()*, i32 ()** %func_ptr, align 8
117   ///   %1 = call i32 %0()
118   /// \endcode
119   ///
120   /// is transformed to:
121   /// \code
122   ///   %func_ptr = alloca i32 ()*, align 8
123   ///   store i32 ()* @target_func, i32 ()** %func_ptr, align 8
124   ///   %0 = load i32 ()*, i32 ()** %func_ptr, align 8
125   ///   %1 = load i32 ()*, i32 ()** @__guard_dispatch_icall_fptr
126   ///   %2 = call i32 %1() [ "cfguardtarget"(i32 ()* %0) ]
127   /// \endcode
128   ///
129   /// For example, the following X86_64 assembly code:
130   /// \code
131   ///   leaq   target_func(%rip), %rax
132   ///	  callq  *%rax
133   /// \endcode
134   ///
135   /// is transformed to:
136   /// \code
137   ///   leaq   target_func(%rip), %rax
138   ///   callq  *__guard_dispatch_icall_fptr(%rip)
139   /// \endcode
140   ///
141   /// \param CB indirect call to instrument.
142   void insertCFGuardDispatch(CallBase *CB);
143 
144   bool doInitialization(Module &M) override;
145   bool runOnFunction(Function &F) override;
146 
147 private:
148   // Only add checks if the module has the cfguard=2 flag.
149   int cfguard_module_flag = 0;
150   Mechanism GuardMechanism = CF_Check;
151   FunctionType *GuardFnType = nullptr;
152   PointerType *GuardFnPtrType = nullptr;
153   Constant *GuardFnGlobal = nullptr;
154 };
155 
156 } // end anonymous namespace
157 
insertCFGuardCheck(CallBase * CB)158 void CFGuard::insertCFGuardCheck(CallBase *CB) {
159 
160   assert(Triple(CB->getModule()->getTargetTriple()).isOSWindows() &&
161          "Only applicable for Windows targets");
162   assert(CB->isIndirectCall() &&
163          "Control Flow Guard checks can only be added to indirect calls");
164 
165   IRBuilder<> B(CB);
166   Value *CalledOperand = CB->getCalledOperand();
167 
168   // Load the global symbol as a pointer to the check function.
169   LoadInst *GuardCheckLoad = B.CreateLoad(GuardFnPtrType, GuardFnGlobal);
170 
171   // Create new call instruction. The CFGuard check should always be a call,
172   // even if the original CallBase is an Invoke or CallBr instruction.
173   CallInst *GuardCheck =
174       B.CreateCall(GuardFnType, GuardCheckLoad,
175                    {B.CreateBitCast(CalledOperand, B.getInt8PtrTy())});
176 
177   // Ensure that the first argument is passed in the correct register
178   // (e.g. ECX on 32-bit X86 targets).
179   GuardCheck->setCallingConv(CallingConv::CFGuard_Check);
180 }
181 
insertCFGuardDispatch(CallBase * CB)182 void CFGuard::insertCFGuardDispatch(CallBase *CB) {
183 
184   assert(Triple(CB->getModule()->getTargetTriple()).isOSWindows() &&
185          "Only applicable for Windows targets");
186   assert(CB->isIndirectCall() &&
187          "Control Flow Guard checks can only be added to indirect calls");
188 
189   IRBuilder<> B(CB);
190   Value *CalledOperand = CB->getCalledOperand();
191   Type *CalledOperandType = CalledOperand->getType();
192 
193   // Cast the guard dispatch global to the type of the called operand.
194   PointerType *PTy = PointerType::get(CalledOperandType, 0);
195   if (GuardFnGlobal->getType() != PTy)
196     GuardFnGlobal = ConstantExpr::getBitCast(GuardFnGlobal, PTy);
197 
198   // Load the global as a pointer to a function of the same type.
199   LoadInst *GuardDispatchLoad = B.CreateLoad(CalledOperandType, GuardFnGlobal);
200 
201   // Add the original call target as a cfguardtarget operand bundle.
202   SmallVector<llvm::OperandBundleDef, 1> Bundles;
203   CB->getOperandBundlesAsDefs(Bundles);
204   Bundles.emplace_back("cfguardtarget", CalledOperand);
205 
206   // Create a copy of the call/invoke instruction and add the new bundle.
207   CallBase *NewCB;
208   if (CallInst *CI = dyn_cast<CallInst>(CB)) {
209     NewCB = CallInst::Create(CI, Bundles, CB);
210   } else {
211     assert(isa<InvokeInst>(CB) && "Unknown indirect call type");
212     InvokeInst *II = cast<InvokeInst>(CB);
213     NewCB = llvm::InvokeInst::Create(II, Bundles, CB);
214   }
215 
216   // Change the target of the call to be the guard dispatch function.
217   NewCB->setCalledOperand(GuardDispatchLoad);
218 
219   // Replace the original call/invoke with the new instruction.
220   CB->replaceAllUsesWith(NewCB);
221 
222   // Delete the original call/invoke.
223   CB->eraseFromParent();
224 }
225 
doInitialization(Module & M)226 bool CFGuard::doInitialization(Module &M) {
227 
228   // Check if this module has the cfguard flag and read its value.
229   if (auto *MD =
230           mdconst::extract_or_null<ConstantInt>(M.getModuleFlag("cfguard")))
231     cfguard_module_flag = MD->getZExtValue();
232 
233   // Skip modules for which CFGuard checks have been disabled.
234   if (cfguard_module_flag != 2)
235     return false;
236 
237   // Set up prototypes for the guard check and dispatch functions.
238   GuardFnType = FunctionType::get(Type::getVoidTy(M.getContext()),
239                                   {Type::getInt8PtrTy(M.getContext())}, false);
240   GuardFnPtrType = PointerType::get(GuardFnType, 0);
241 
242   // Get or insert the guard check or dispatch global symbols.
243   if (GuardMechanism == CF_Check) {
244     GuardFnGlobal =
245         M.getOrInsertGlobal("__guard_check_icall_fptr", GuardFnPtrType);
246   } else {
247     assert(GuardMechanism == CF_Dispatch && "Invalid CFGuard mechanism");
248     GuardFnGlobal =
249         M.getOrInsertGlobal("__guard_dispatch_icall_fptr", GuardFnPtrType);
250   }
251 
252   return true;
253 }
254 
runOnFunction(Function & F)255 bool CFGuard::runOnFunction(Function &F) {
256 
257   // Skip modules for which CFGuard checks have been disabled.
258   if (cfguard_module_flag != 2)
259     return false;
260 
261   SmallVector<CallBase *, 8> IndirectCalls;
262 
263   // Iterate over the instructions to find all indirect call/invoke/callbr
264   // instructions. Make a separate list of pointers to indirect
265   // call/invoke/callbr instructions because the original instructions will be
266   // deleted as the checks are added.
267   for (BasicBlock &BB : F.getBasicBlockList()) {
268     for (Instruction &I : BB.getInstList()) {
269       auto *CB = dyn_cast<CallBase>(&I);
270       if (CB && CB->isIndirectCall() && !CB->hasFnAttr("guard_nocf")) {
271         IndirectCalls.push_back(CB);
272         CFGuardCounter++;
273       }
274     }
275   }
276 
277   // If no checks are needed, return early.
278   if (IndirectCalls.empty()) {
279     return false;
280   }
281 
282   // For each indirect call/invoke, add the appropriate dispatch or check.
283   if (GuardMechanism == CF_Dispatch) {
284     for (CallBase *CB : IndirectCalls) {
285       insertCFGuardDispatch(CB);
286     }
287   } else {
288     for (CallBase *CB : IndirectCalls) {
289       insertCFGuardCheck(CB);
290     }
291   }
292 
293   return true;
294 }
295 
296 char CFGuard::ID = 0;
297 INITIALIZE_PASS(CFGuard, "CFGuard", "CFGuard", false, false)
298 
createCFGuardCheckPass()299 FunctionPass *llvm::createCFGuardCheckPass() {
300   return new CFGuard(CFGuard::CF_Check);
301 }
302 
createCFGuardDispatchPass()303 FunctionPass *llvm::createCFGuardDispatchPass() {
304   return new CFGuard(CFGuard::CF_Dispatch);
305 }