lib/CodeGen/ForwardControlFlowIntegrity.cpp

//===-- ForwardControlFlowIntegrity.cpp: Forward-Edge CFI -----------------===//
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
///
/// \file
/// \brief A pass that instruments code with fast checks for indirect calls and
/// hooks for a function to check violations.
///
//===----------------------------------------------------------------------===//

#define DEBUG_TYPE "cfi"

#include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/Statistic.h"
#include "llvm/Analysis/JumpInstrTableInfo.h"
#include "llvm/CodeGen/ForwardControlFlowIntegrity.h"
#include "llvm/CodeGen/JumpInstrTables.h"
#include "llvm/CodeGen/Passes.h"
#include "llvm/IR/Attributes.h"
#include "llvm/IR/CallSite.h"
#include "llvm/IR/Constants.h"
#include "llvm/IR/DerivedTypes.h"
#include "llvm/IR/Function.h"
#include "llvm/IR/GlobalValue.h"
#include "llvm/IR/IRBuilder.h"
#include "llvm/IR/InlineAsm.h"
#include "llvm/IR/Instructions.h"
#include "llvm/IR/LLVMContext.h"
#include "llvm/IR/Module.h"
#include "llvm/IR/Operator.h"
#include "llvm/IR/Type.h"
#include "llvm/IR/Verifier.h"
#include "llvm/Pass.h"
#include "llvm/Support/CommandLine.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/raw_ostream.h"

using namespace llvm;

STATISTIC(NumCFIIndirectCalls,
          "Number of indirect call sites rewritten by the CFI pass");

char ForwardControlFlowIntegrity::ID = 0;
INITIALIZE_PASS_BEGIN(ForwardControlFlowIntegrity, "forward-cfi",
                      "Control-Flow Integrity", true, true)
INITIALIZE_PASS_DEPENDENCY(JumpInstrTableInfo);
INITIALIZE_PASS_DEPENDENCY(JumpInstrTables);
INITIALIZE_PASS_END(ForwardControlFlowIntegrity, "forward-cfi",
                    "Control-Flow Integrity", true, true)

ModulePass *llvm::createForwardControlFlowIntegrityPass() {
  return new ForwardControlFlowIntegrity();
}

ModulePass *llvm::createForwardControlFlowIntegrityPass(
    JumpTable::JumpTableType JTT, CFIntegrity CFIType, bool CFIEnforcing,
    StringRef CFIFuncName) {
  return new ForwardControlFlowIntegrity(JTT, CFIType, CFIEnforcing,
                                         CFIFuncName);
}

// Checks to see if a given CallSite is making an indirect call, including
// cases where the indirect call is made through a bitcast.
static bool isIndirectCall(CallSite &CS) {
  if (CS.getCalledFunction())
    return false;

  // Check the value to see if it is merely a bitcast of a function. In
  // this case, it will translate to a direct function call in the resulting
  // assembly, so we won't treat it as an indirect call here.
  const Value *V = CS.getCalledValue();
  if (const ConstantExpr *CE = dyn_cast<ConstantExpr>(V)) {
    return !(CE->isCast() && isa<Function>(CE->getOperand(0)));
  }

  // Otherwise, since we know it's a call, it must be an indirect call
  return true;
}

static const char cfi_failure_func_name[] = "__llvm_cfi_pointer_warning";

ForwardControlFlowIntegrity::ForwardControlFlowIntegrity()
    : ModulePass(ID), IndirectCalls(), JTType(JumpTable::Single),
      CFIType(CFIntegrity::Sub), CFIEnforcing(false), CFIFuncName("") {
  initializeForwardControlFlowIntegrityPass(*PassRegistry::getPassRegistry());
}

ForwardControlFlowIntegrity::ForwardControlFlowIntegrity(
    JumpTable::JumpTableType JTT, CFIntegrity CFIType, bool CFIEnforcing,
    std::string CFIFuncName)
    : ModulePass(ID), IndirectCalls(), JTType(JTT), CFIType(CFIType),
      CFIEnforcing(CFIEnforcing), CFIFuncName(CFIFuncName) {
  initializeForwardControlFlowIntegrityPass(*PassRegistry::getPassRegistry());
}

ForwardControlFlowIntegrity::~ForwardControlFlowIntegrity() {}

void ForwardControlFlowIntegrity::getAnalysisUsage(AnalysisUsage &AU) const {
  AU.addRequired<JumpInstrTableInfo>();
  AU.addRequired<JumpInstrTables>();
}

void ForwardControlFlowIntegrity::getIndirectCalls(Module &M) {
  // To get the indirect calls, we iterate over all functions and iterate over
  // the list of basic blocks in each. We extract a total list of indirect calls
  // before modifying any of them, since our modifications will modify the list
  // of basic blocks.
  for (Function &F : M) {
    for (BasicBlock &BB : F) {
      for (Instruction &I : BB) {
        CallSite CS(&I);
        if (!(CS && isIndirectCall(CS)))
          continue;

        Value *CalledValue = CS.getCalledValue();

        // Don't rewrite this instruction if the indirect call is actually just
        // inline assembly, since our transformation will generate an invalid
        // module in that case.
        if (isa<InlineAsm>(CalledValue))
          continue;

        IndirectCalls.push_back(&I);
      }
    }
  }
}

void ForwardControlFlowIntegrity::updateIndirectCalls(Module &M,
                                                      CFITables &CFIT) {
  Type *Int64Ty = Type::getInt64Ty(M.getContext());
  for (Instruction *I : IndirectCalls) {
    CallSite CS(I);
    Value *CalledValue = CS.getCalledValue();

    // Get the function type for this call and look it up in the tables.
    Type *VTy = CalledValue->getType();
    PointerType *PTy = dyn_cast<PointerType>(VTy);
    Type *EltTy = PTy->getElementType();
    FunctionType *FunTy = dyn_cast<FunctionType>(EltTy);
    FunctionType *TransformedTy = JumpInstrTables::transformType(JTType, FunTy);
    ++NumCFIIndirectCalls;
    Constant *JumpTableStart = nullptr;
    Constant *JumpTableMask = nullptr;
    Constant *JumpTableSize = nullptr;

    // Some call sites have function types that don't correspond to any
    // address-taken function in the module. This happens when function pointers
    // are passed in from external code.
    auto it = CFIT.find(TransformedTy);
    if (it == CFIT.end()) {
      // In this case, make sure that the function pointer will change by
      // setting the mask and the start to be 0 so that the transformed
      // function is 0.
      JumpTableStart = ConstantInt::get(Int64Ty, 0);
      JumpTableMask = ConstantInt::get(Int64Ty, 0);
      JumpTableSize = ConstantInt::get(Int64Ty, 0);
    } else {
      JumpTableStart = it->second.StartValue;
      JumpTableMask = it->second.MaskValue;
      JumpTableSize = it->second.Size;
    }

    rewriteFunctionPointer(M, I, CalledValue, JumpTableStart, JumpTableMask,
                           JumpTableSize);
  }

  return;
}

bool ForwardControlFlowIntegrity::runOnModule(Module &M) {
  JumpInstrTableInfo *JITI = &getAnalysis<JumpInstrTableInfo>();
  Type *Int64Ty = Type::getInt64Ty(M.getContext());
  Type *VoidPtrTy = Type::getInt8PtrTy(M.getContext());

  // JumpInstrTableInfo stores information about the alignment of each entry.
  // The alignment returned by JumpInstrTableInfo is alignment in bytes, not
  // in the exponent.
  ByteAlignment = JITI->entryByteAlignment();
  LogByteAlignment = llvm::Log2_64(ByteAlignment);

  // Set up tables for control-flow integrity based on information about the
  // jump-instruction tables.
  CFITables CFIT;
  for (const auto &KV : JITI->getTables()) {
    uint64_t Size = static_cast<uint64_t>(KV.second.size());
    uint64_t TableSize = NextPowerOf2(Size);

    int64_t MaskValue = ((TableSize << LogByteAlignment) - 1) & -ByteAlignment;
    Constant *JumpTableMaskValue = ConstantInt::get(Int64Ty, MaskValue);
    Constant *JumpTableSize = ConstantInt::get(Int64Ty, Size);

    // The base of the table is defined to be the first jumptable function in
    // the table.
    Function *First = KV.second.begin()->second;
    Constant *JumpTableStartValue = ConstantExpr::getBitCast(First, VoidPtrTy);
    CFIT[KV.first].StartValue = JumpTableStartValue;
    CFIT[KV.first].MaskValue = JumpTableMaskValue;
    CFIT[KV.first].Size = JumpTableSize;
  }

  if (CFIT.empty())
    return false;

  getIndirectCalls(M);

  if (!CFIEnforcing) {
    addWarningFunction(M);
  }

  // Update the instructions with the check and the indirect jump through our
  // table.
  updateIndirectCalls(M, CFIT);

  return true;
}

void ForwardControlFlowIntegrity::addWarningFunction(Module &M) {
  PointerType *CharPtrTy = Type::getInt8PtrTy(M.getContext());

  // Get the type of the Warning Function: void (i8*, i8*),
  // where the first argument is the name of the function in which the violation
  // occurs, and the second is the function pointer that violates CFI.
  SmallVector<Type *, 2> WarningFunArgs;
  WarningFunArgs.push_back(CharPtrTy);
  WarningFunArgs.push_back(CharPtrTy);
  FunctionType *WarningFunTy =
      FunctionType::get(Type::getVoidTy(M.getContext()), WarningFunArgs, false);

  if (!CFIFuncName.empty()) {
    Constant *FailureFun = M.getOrInsertFunction(CFIFuncName, WarningFunTy);
    if (!FailureFun)
      report_fatal_error("Could not get or insert the function specified by"
                         " -cfi-func-name");
  } else {
    // The default warning function swallows the warning and lets the call
    // continue, since there's no generic way for it to print out this
    // information.
    Function *WarningFun = M.getFunction(cfi_failure_func_name);
    if (!WarningFun) {
      WarningFun =
          Function::Create(WarningFunTy, GlobalValue::LinkOnceAnyLinkage,
                           cfi_failure_func_name, &M);
    }

    BasicBlock *Entry =
        BasicBlock::Create(M.getContext(), "entry", WarningFun, 0);
    ReturnInst::Create(M.getContext(), Entry);
  }
}

void ForwardControlFlowIntegrity::rewriteFunctionPointer(
    Module &M, Instruction *I, Value *FunPtr, Constant *JumpTableStart,
    Constant *JumpTableMask, Constant *JumpTableSize) {
  IRBuilder<> TempBuilder(I);

  Type *OrigFunType = FunPtr->getType();

  BasicBlock *CurBB = cast<BasicBlock>(I->getParent());
  Function *CurF = cast<Function>(CurBB->getParent());
  Type *Int64Ty = Type::getInt64Ty(M.getContext());

  Value *TI = TempBuilder.CreatePtrToInt(FunPtr, Int64Ty);
  Value *TStartInt = TempBuilder.CreatePtrToInt(JumpTableStart, Int64Ty);

  Value *NewFunPtr = nullptr;
  Value *Check = nullptr;
  switch (CFIType) {
  case CFIntegrity::Sub: {
    // This is the subtract, mask, and add version.
    // Subtract from the base.
    Value *Sub = TempBuilder.CreateSub(TI, TStartInt);

    // Mask the difference to force this to be a table offset.
    Value *And = TempBuilder.CreateAnd(Sub, JumpTableMask);

    // Add it back to the base.
    Value *Result = TempBuilder.CreateAdd(And, TStartInt);

    // Convert it back into a function pointer that we can call.
    NewFunPtr = TempBuilder.CreateIntToPtr(Result, OrigFunType);
    break;
  }
  case CFIntegrity::Ror: {
    // This is the subtract and rotate version.
    // Rotate right by the alignment value. The optimizer should recognize
    // this sequence as a rotation.

    // This cast is safe, since unsigned is always a subset of uint64_t.
    uint64_t LogByteAlignment64 = static_cast<uint64_t>(LogByteAlignment);
    Constant *RightShift = ConstantInt::get(Int64Ty, LogByteAlignment64);
    Constant *LeftShift = ConstantInt::get(Int64Ty, 64 - LogByteAlignment64);

    // Subtract from the base.
    Value *Sub = TempBuilder.CreateSub(TI, TStartInt);

    // Create the equivalent of a rotate-right instruction.
    Value *Shr = TempBuilder.CreateLShr(Sub, RightShift);
    Value *Shl = TempBuilder.CreateShl(Sub, LeftShift);
    Value *Or = TempBuilder.CreateOr(Shr, Shl);

    // Perform unsigned comparison to check for inclusion in the table.
    Check = TempBuilder.CreateICmpULT(Or, JumpTableSize);
    NewFunPtr = FunPtr;
    break;
  }
  case CFIntegrity::Add: {
    // This is the mask and add version.
    // Mask the function pointer to turn it into an offset into the table.
    Value *And = TempBuilder.CreateAnd(TI, JumpTableMask);

    // Then or this offset to the base and get the pointer value.
    Value *Result = TempBuilder.CreateAdd(And, TStartInt);

    // Convert it back into a function pointer that we can call.
    NewFunPtr = TempBuilder.CreateIntToPtr(Result, OrigFunType);
    break;
  }
  }

  if (!CFIEnforcing) {
    // If a check hasn't been added (in the rotation version), then check to see
    // if it's the same as the original function. This check determines whether
    // or not we call the CFI failure function.
    if (!Check)
      Check = TempBuilder.CreateICmpEQ(NewFunPtr, FunPtr);
    BasicBlock *InvalidPtrBlock =
        BasicBlock::Create(M.getContext(), "invalid.ptr", CurF, 0);
    BasicBlock *ContinuationBB = CurBB->splitBasicBlock(I);

    // Remove the unconditional branch that connects the two blocks.
    TerminatorInst *TermInst = CurBB->getTerminator();
    TermInst->eraseFromParent();

    // Add a conditional branch that depends on the Check above.
    BranchInst::Create(ContinuationBB, InvalidPtrBlock, Check, CurBB);

    // Call the warning function for this pointer, then continue.
    Instruction *BI = BranchInst::Create(ContinuationBB, InvalidPtrBlock);
    insertWarning(M, InvalidPtrBlock, BI, FunPtr);
  } else {
    // Modify the instruction to call this value.
    CallSite CS(I);
    CS.setCalledFunction(NewFunPtr);
  }
}

void ForwardControlFlowIntegrity::insertWarning(Module &M, BasicBlock *Block,
                                                Instruction *I, Value *FunPtr) {
  Function *ParentFun = cast<Function>(Block->getParent());

  // Get the function to call right before the instruction.
  Function *WarningFun = nullptr;
  if (CFIFuncName.empty()) {
    WarningFun = M.getFunction(cfi_failure_func_name);
  } else {
    WarningFun = M.getFunction(CFIFuncName);
  }

  assert(WarningFun && "Could not find the CFI failure function");

  Type *VoidPtrTy = Type::getInt8PtrTy(M.getContext());

  IRBuilder<> WarningInserter(I);
  // Create a mergeable GlobalVariable containing the name of the function.
  Value *ParentNameGV =
      WarningInserter.CreateGlobalString(ParentFun->getName());
  Value *ParentNamePtr = WarningInserter.CreateBitCast(ParentNameGV, VoidPtrTy);
  Value *FunVoidPtr = WarningInserter.CreateBitCast(FunPtr, VoidPtrTy);
  WarningInserter.CreateCall2(WarningFun, ParentNamePtr, FunVoidPtr);
}