author | Vlad Tsyrklevich <vlad@tsyrklevich.net> | 2019-03-07 18:56:36 +0000 |
---|---|---|
committer | Vlad Tsyrklevich <vlad@tsyrklevich.net> | 2019-03-07 18:56:36 +0000 |
commit | 2e1479e2f2dd0e5a7c445fdf6f12b6e66aea96f3 (patch) | |
tree | 711d4b4cc815ce928e824566232dc11af14152b4 /clang/docs/ShadowCallStack.rst | |
parent | de3348ae3f01fd4e45c03edc571c41aab182c308 (diff) | |
Delete x86_64 ShadowCallStack support
Summary:
ShadowCallStack on x86_64 suffered from the same racy security issues as
Return Flow Guard and had performance overhead as high as 13% depending
on the benchmark. x86_64 ShadowCallStack was always an experimental
feature and never shipped a runtime required to support it, as such
there are no expected downstream users.
Reviewers: pcc
Reviewed By: pcc
Subscribers: mgorny, javed.absar, hiraditya, jdoerfert, cfe-commits, #sanitizers, llvm-commits
Tags: #clang, #sanitizers, #llvm
Differential Revision: https://reviews.llvm.org/D59034
llvm-svn: 355624
Diffstat (limited to 'clang/docs/ShadowCallStack.rst')
-rw-r--r-- | clang/docs/ShadowCallStack.rst | 18 |
1 files changed, 8 insertions, 10 deletions
diff --git a/clang/docs/ShadowCallStack.rst b/clang/docs/ShadowCallStack.rst index c1284f7c2de..b1ab4c6e8b2 100644 --- a/clang/docs/ShadowCallStack.rst +++ b/clang/docs/ShadowCallStack.rst @@ -9,7 +9,7 @@ Introduction ============ ShadowCallStack is an instrumentation pass, currently only implemented for -aarch64 and x86_64, that protects programs against return address overwrites +aarch64, that protects programs against return address overwrites (e.g. stack buffer overflows.) It works by saving a function's return address to a separately allocated 'shadow call stack' in the function prolog in non-leaf functions and loading the return address from the shadow call stack @@ -18,11 +18,10 @@ for compatibility with unwinders, but is otherwise unused. The aarch64 implementation is considered production ready, and an `implementation of the runtime`_ has been added to Android's libc -(bionic). The x86_64 implementation was evaluated using Chromium and was -found to have critical performance and security deficiencies, and may be -removed in a future release of the compiler. This document only describes -the aarch64 implementation; details on the x86_64 implementation are found -in the `Clang 7.0.1 documentation`_. +(bionic). An x86_64 implementation was evaluated using Chromium and was found +to have critical performance and security deficiencies--it was removed in +LLVM 9.0. Details on the x86_64 implementation can be found in the +`Clang 7.0.1 documentation`_. .. _`implementation of the runtime`: https://android.googlesource.com/platform/bionic/+/808d176e7e0dd727c7f929622ec017f6e065c582/libc/bionic/pthread_create.cpp#128 .. _`Clang 7.0.1 documentation`: https://releases.llvm.org/7.0.1/tools/clang/docs/ShadowCallStack.html 
@@ -37,10 +36,9 @@ consuming more memory for shorter function prologs and epilogs with fewer memory accesses. `Return Flow Guard`_ is a pure software implementation of shadow call stacks -on x86_64. It is similar to the ShadowCallStack x86_64 implementation but -trades off higher memory usage for a shorter prologue and epilogue. Like -x86_64 ShadowCallStack, it is inherently racy due to the architecture's use -of the stack for calls and returns. +on x86_64. Like the previous implementation of ShadowCallStack on x86_64, it is +inherently racy due to the architecture's use of the stack for calls and +returns. Intel `Control-flow Enforcement Technology`_ (CET) is a proposed hardware extension that would add native support to use a shadow stack to store/check |
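Review bot: In the Introduction hunk (@@ -18,11 +18,10), the new sentence "found to have critical performance and security deficiencies--it was removed in LLVM 9.0" still names neither deficiency, while the commit message does: the same racy security issue as Return Flow Guard, and overhead as high as 13% depending on the benchmark. Consider stating those here, or pointing to the Return Flow Guard paragraph later in this file, so the reason for the removal lives in the document and not only in the commit log. As a style point, the "--" joins two independent clauses; a full stop followed by "It was removed in LLVM 9.0." reads more cleanly.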
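Review bot: In the Return Flow Guard hunk (@@ -37,10 +36,9), "inherently racy" in the rewritten sentence is left unexplained, and with the x86_64 description dropped from this document nothing else here spells it out. One extra clause would cover it, for example that on x86_64 the call instruction writes the return address to the regular stack and ret reads it back from there, so the instrumentation can only copy or check the value around those accesses. Separately, deleting "trades off higher memory usage for a shorter prologue and epilogue" leaves Return Flow Guard with no description beyond being a pure software implementation on x86_64; if that loss is not intended, keep the trade-off clause in a form that does not refer to the removed implementation.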