diff options
Diffstat (limited to 'llvm/tools')
| -rw-r--r-- | llvm/tools/llvm-cfi-verify/CMakeLists.txt | 5 | ||||
| -rw-r--r-- | llvm/tools/llvm-cfi-verify/lib/CMakeLists.txt | 4 | ||||
| -rw-r--r-- | llvm/tools/llvm-cfi-verify/lib/FileAnalysis.h | 3 | ||||
| -rw-r--r-- | llvm/tools/llvm-cfi-verify/lib/GraphBuilder.cpp | 291 | ||||
| -rw-r--r-- | llvm/tools/llvm-cfi-verify/lib/GraphBuilder.h | 133 |
5 files changed, 431 insertions, 5 deletions
diff --git a/llvm/tools/llvm-cfi-verify/CMakeLists.txt b/llvm/tools/llvm-cfi-verify/CMakeLists.txt index bf65cf7785c..ae203e53470 100644 --- a/llvm/tools/llvm-cfi-verify/CMakeLists.txt +++ b/llvm/tools/llvm-cfi-verify/CMakeLists.txt @@ -4,6 +4,7 @@ set(LLVM_LINK_COMPONENTS AllTargetsDescs AllTargetsDisassemblers AllTargetsInfos + CFIVerify MC MCParser Object @@ -11,8 +12,6 @@ set(LLVM_LINK_COMPONENTS ) add_llvm_tool(llvm-cfi-verify - llvm-cfi-verify.cpp - lib/FileAnalysis.cpp - ) + llvm-cfi-verify.cpp) add_subdirectory(lib) diff --git a/llvm/tools/llvm-cfi-verify/lib/CMakeLists.txt b/llvm/tools/llvm-cfi-verify/lib/CMakeLists.txt index 814e30a234b..8cbbc79ceca 100644 --- a/llvm/tools/llvm-cfi-verify/lib/CMakeLists.txt +++ b/llvm/tools/llvm-cfi-verify/lib/CMakeLists.txt @@ -1,7 +1,9 @@ add_library(LLVMCFIVerify STATIC FileAnalysis.cpp - FileAnalysis.h) + FileAnalysis.h + GraphBuilder.cpp + GraphBuilder.h) llvm_update_compile_flags(LLVMCFIVerify) llvm_map_components_to_libnames(libs diff --git a/llvm/tools/llvm-cfi-verify/lib/FileAnalysis.h b/llvm/tools/llvm-cfi-verify/lib/FileAnalysis.h index df1ad603b6c..3c24bcda75c 100644 --- a/llvm/tools/llvm-cfi-verify/lib/FileAnalysis.h +++ b/llvm/tools/llvm-cfi-verify/lib/FileAnalysis.h @@ -10,6 +10,7 @@ #ifndef LLVM_CFI_VERIFY_FILE_ANALYSIS_H #define LLVM_CFI_VERIFY_FILE_ANALYSIS_H +#include "llvm/ADT/DenseMap.h" #include "llvm/BinaryFormat/ELF.h" #include "llvm/MC/MCAsmInfo.h" #include "llvm/MC/MCContext.h" @@ -161,7 +162,7 @@ private: // Contains a mapping between a specific address, and a list of instructions // that use this address as a branch target (including call instructions). - std::unordered_map<uint64_t, std::vector<uint64_t>> StaticBranchTargetings; + DenseMap<uint64_t, std::vector<uint64_t>> StaticBranchTargetings; // A list of addresses of indirect control flow instructions. std::set<uint64_t> IndirectInstructions; diff --git a/llvm/tools/llvm-cfi-verify/lib/GraphBuilder.cpp b/llvm/tools/llvm-cfi-verify/lib/GraphBuilder.cpp new file mode 100644 index 00000000000..1121045780f --- /dev/null +++ b/llvm/tools/llvm-cfi-verify/lib/GraphBuilder.cpp @@ -0,0 +1,291 @@ +//===- GraphBuilder.cpp -----------------------------------------*- C++ -*-===// +// +// The LLVM Compiler Infrastructure +// +// This file is distributed under the University of Illinois Open Source +// License. See LICENSE.TXT for details. +// +//===----------------------------------------------------------------------===// + +#include "GraphBuilder.h" + +#include "llvm/BinaryFormat/ELF.h" +#include "llvm/MC/MCAsmInfo.h" +#include "llvm/MC/MCContext.h" +#include "llvm/MC/MCDisassembler/MCDisassembler.h" +#include "llvm/MC/MCInst.h" +#include "llvm/MC/MCInstPrinter.h" +#include "llvm/MC/MCInstrAnalysis.h" +#include "llvm/MC/MCInstrDesc.h" +#include "llvm/MC/MCInstrInfo.h" +#include "llvm/MC/MCObjectFileInfo.h" +#include "llvm/MC/MCRegisterInfo.h" +#include "llvm/MC/MCSubtargetInfo.h" +#include "llvm/Object/Binary.h" +#include "llvm/Object/COFF.h" +#include "llvm/Object/ELFObjectFile.h" +#include "llvm/Object/ObjectFile.h" +#include "llvm/Support/Casting.h" +#include "llvm/Support/CommandLine.h" +#include "llvm/Support/Error.h" +#include "llvm/Support/FormatVariadic.h" +#include "llvm/Support/MemoryBuffer.h" +#include "llvm/Support/TargetRegistry.h" +#include "llvm/Support/TargetSelect.h" +#include "llvm/Support/raw_ostream.h" + +#include <functional> + +using Instr = llvm::cfi_verify::FileAnalysis::Instr; + +namespace llvm { +namespace cfi_verify { + +uint64_t SearchLengthForUndef; +uint64_t SearchLengthForConditionalBranch; + +static cl::opt<uint64_t, true> SearchLengthForUndefArg( + "search-length-undef", + cl::desc("Specify the maximum amount of instructions " + "to inspect when searching for an undefined " + "instruction from a conditional branch."), + cl::location(SearchLengthForUndef), cl::init(2)); + +static cl::opt<uint64_t, true> SearchLengthForConditionalBranchArg( + "search-length-cb", + cl::desc("Specify the maximum amount of instructions " + "to inspect when searching for a conditional " + "branch from an indirect control flow."), + cl::location(SearchLengthForConditionalBranch), cl::init(20)); + +std::vector<uint64_t> GraphResult::flattenAddress(uint64_t Address) const { + std::vector<uint64_t> Addresses; + + auto It = IntermediateNodes.find(Address); + Addresses.push_back(Address); + + while (It != IntermediateNodes.end()) { + Addresses.push_back(It->second); + It = IntermediateNodes.find(It->second); + } + return Addresses; +} + +GraphResult GraphBuilder::buildFlowGraph(const FileAnalysis &Analysis, + uint64_t Address) { + GraphResult Result; + Result.BaseAddress = Address; + DenseSet<uint64_t> OpenedNodes; + + const auto &IndirectInstructions = Analysis.getIndirectInstructions(); + + if (IndirectInstructions.find(Address) == IndirectInstructions.end()) + return Result; + + buildFlowGraphImpl(Analysis, OpenedNodes, Result, Address, 0); + return Result; +} + +void GraphBuilder::buildFlowsToUndefined(const FileAnalysis &Analysis, + GraphResult &Result, + ConditionalBranchNode &BranchNode, + const Instr &BranchInstrMeta) { + assert(SearchLengthForUndef > 0 && + "Search length for undefined flow must be greater than zero."); + + // Start setting up the next node in the block. + uint64_t NextAddress = 0; + const Instr *NextMetaPtr; + + // Find out the next instruction in the block and add it to the new + // node. + if (BranchNode.Target && !BranchNode.Fallthrough) { + // We know the target of the branch, find the fallthrough. + NextMetaPtr = Analysis.getNextInstructionSequential(BranchInstrMeta); + if (!NextMetaPtr) { + errs() << "Failed to get next instruction from " + << format_hex(BranchNode.Address, 2) << ".\n"; + return; + } + + NextAddress = NextMetaPtr->VMAddress; + BranchNode.Fallthrough = + NextMetaPtr->VMAddress; // Add the new node to the branch head. + } else if (BranchNode.Fallthrough && !BranchNode.Target) { + // We already know the fallthrough, evaluate the target. + uint64_t Target; + if (!Analysis.getMCInstrAnalysis()->evaluateBranch( + BranchInstrMeta.Instruction, BranchInstrMeta.VMAddress, + BranchInstrMeta.InstructionSize, Target)) { + errs() << "Failed to get branch target for conditional branch at address " + << format_hex(BranchInstrMeta.VMAddress, 2) << ".\n"; + return; + } + + // Resolve the meta pointer for the target of this branch. + NextMetaPtr = Analysis.getInstruction(Target); + if (!NextMetaPtr) { + errs() << "Failed to find instruction at address " + << format_hex(Target, 2) << ".\n"; + return; + } + + NextAddress = Target; + BranchNode.Target = + NextMetaPtr->VMAddress; // Add the new node to the branch head. + } else { + errs() << "ControlBranchNode supplied to buildFlowsToUndefined should " + "provide Target xor Fallthrough.\n"; + return; + } + + uint64_t CurrentAddress = NextAddress; + const Instr *CurrentMetaPtr = NextMetaPtr; + + // Now the branch head has been set properly, complete the rest of the block. + for (uint64_t i = 1; i < SearchLengthForUndef; ++i) { + // Check to see whether the block should die. + if (Analysis.isCFITrap(*CurrentMetaPtr)) { + BranchNode.CFIProtection = true; + return; + } + + // Find the metadata of the next instruction. + NextMetaPtr = Analysis.getDefiniteNextInstruction(*CurrentMetaPtr); + if (!NextMetaPtr) + return; + + // Setup the next node. + NextAddress = NextMetaPtr->VMAddress; + + // Add this as an intermediate. + Result.IntermediateNodes[CurrentAddress] = NextAddress; + + // Move the 'current' pointers to the new tail of the block. + CurrentMetaPtr = NextMetaPtr; + CurrentAddress = NextAddress; + } + + // Final check of the last thing we added to the block. + if (Analysis.isCFITrap(*CurrentMetaPtr)) + BranchNode.CFIProtection = true; +} + +void GraphBuilder::buildFlowGraphImpl(const FileAnalysis &Analysis, + DenseSet<uint64_t> &OpenedNodes, + GraphResult &Result, uint64_t Address, + uint64_t Depth) { + // If we've exceeded the flow length, terminate. + if (Depth >= SearchLengthForConditionalBranch) { + Result.OrphanedNodes.push_back(Address); + return; + } + + // Ensure this flow is acyclic. + if (OpenedNodes.count(Address)) + Result.OrphanedNodes.push_back(Address); + + // If this flow is already explored, stop here. + if (Result.IntermediateNodes.count(Address)) + return; + + // Get the metadata for the node instruction. + const auto &InstrMetaPtr = Analysis.getInstruction(Address); + if (!InstrMetaPtr) { + errs() << "Failed to build flow graph for instruction at address " + << format_hex(Address, 2) << ".\n"; + Result.OrphanedNodes.push_back(Address); + return; + } + const auto &ChildMeta = *InstrMetaPtr; + + OpenedNodes.insert(Address); + std::set<const Instr *> CFCrossRefs = + Analysis.getDirectControlFlowXRefs(ChildMeta); + + bool HasValidCrossRef = false; + + for (const auto *ParentMetaPtr : CFCrossRefs) { + assert(ParentMetaPtr && "CFCrossRefs returned nullptr."); + const auto &ParentMeta = *ParentMetaPtr; + const auto &ParentDesc = + Analysis.getMCInstrInfo()->get(ParentMeta.Instruction.getOpcode()); + + if (!ParentDesc.mayAffectControlFlow(ParentMeta.Instruction, + *Analysis.getRegisterInfo())) { + // If this cross reference doesn't affect CF, continue the graph. + buildFlowGraphImpl(Analysis, OpenedNodes, Result, ParentMeta.VMAddress, + Depth + 1); + Result.IntermediateNodes[ParentMeta.VMAddress] = Address; + HasValidCrossRef = true; + continue; + } + + // Evaluate the branch target to ascertain whether this XRef is the result + // of a fallthrough or the target of a branch. + uint64_t BranchTarget; + if (!Analysis.getMCInstrAnalysis()->evaluateBranch( + ParentMeta.Instruction, ParentMeta.VMAddress, + ParentMeta.InstructionSize, BranchTarget)) { + errs() << "Failed to evaluate branch target for instruction at address " + << format_hex(ParentMeta.VMAddress, 2) << ".\n"; + Result.IntermediateNodes[ParentMeta.VMAddress] = Address; + Result.OrphanedNodes.push_back(ParentMeta.VMAddress); + continue; + } + + // Allow unconditional branches to be part of the upwards traversal. + if (ParentDesc.isUnconditionalBranch()) { + // Ensures that the unconditional branch is actually an XRef to the child. + if (BranchTarget != Address) { + errs() << "Control flow to " << format_hex(Address, 2) + << ", but target resolution of " + << format_hex(ParentMeta.VMAddress, 2) + << " is not this address?\n"; + Result.IntermediateNodes[ParentMeta.VMAddress] = Address; + Result.OrphanedNodes.push_back(ParentMeta.VMAddress); + continue; + } + + buildFlowGraphImpl(Analysis, OpenedNodes, Result, ParentMeta.VMAddress, + Depth + 1); + Result.IntermediateNodes[ParentMeta.VMAddress] = Address; + HasValidCrossRef = true; + continue; + } + + // Ensure that any unknown CFs are caught. + if (!ParentDesc.isConditionalBranch()) { + errs() << "Unknown control flow encountered when building graph at " + << format_hex(Address, 2) << "\n."; + Result.IntermediateNodes[ParentMeta.VMAddress] = Address; + Result.OrphanedNodes.push_back(ParentMeta.VMAddress); + continue; + } + + // Only direct conditional branches should be present at this point. Setup + // a conditional branch node and build flows to the ud2. + ConditionalBranchNode BranchNode; + BranchNode.Address = ParentMeta.VMAddress; + BranchNode.Target = 0; + BranchNode.Fallthrough = 0; + BranchNode.CFIProtection = false; + + if (BranchTarget == Address) + BranchNode.Target = Address; + else + BranchNode.Fallthrough = Address; + + HasValidCrossRef = true; + buildFlowsToUndefined(Analysis, Result, BranchNode, ParentMeta); + Result.ConditionalBranchNodes.push_back(BranchNode); + } + + if (!HasValidCrossRef) + Result.OrphanedNodes.push_back(Address); + + OpenedNodes.erase(Address); +} + +} // namespace cfi_verify +} // namespace llvm diff --git a/llvm/tools/llvm-cfi-verify/lib/GraphBuilder.h b/llvm/tools/llvm-cfi-verify/lib/GraphBuilder.h new file mode 100644 index 00000000000..3536520d590 --- /dev/null +++ b/llvm/tools/llvm-cfi-verify/lib/GraphBuilder.h @@ -0,0 +1,133 @@ +//===- GraphBuilder.h -------------------------------------------*- C++ -*-===// +// +// The LLVM Compiler Infrastructure +// +// This file is distributed under the University of Illinois Open Source +// License. See LICENSE.TXT for details. +// +//===----------------------------------------------------------------------===// + +#ifndef LLVM_CFI_VERIFY_GRAPH_BUILDER_H +#define LLVM_CFI_VERIFY_GRAPH_BUILDER_H + +#include "FileAnalysis.h" + +#include "llvm/ADT/DenseMap.h" +#include "llvm/BinaryFormat/ELF.h" +#include "llvm/MC/MCAsmInfo.h" +#include "llvm/MC/MCContext.h" +#include "llvm/MC/MCDisassembler/MCDisassembler.h" +#include "llvm/MC/MCInst.h" +#include "llvm/MC/MCInstPrinter.h" +#include "llvm/MC/MCInstrAnalysis.h" +#include "llvm/MC/MCInstrDesc.h" +#include "llvm/MC/MCInstrInfo.h" +#include "llvm/MC/MCObjectFileInfo.h" +#include "llvm/MC/MCRegisterInfo.h" +#include "llvm/MC/MCSubtargetInfo.h" +#include "llvm/Object/Binary.h" +#include "llvm/Object/COFF.h" +#include "llvm/Object/ELFObjectFile.h" +#include "llvm/Object/ObjectFile.h" +#include "llvm/Support/Casting.h" +#include "llvm/Support/CommandLine.h" +#include "llvm/Support/Error.h" +#include "llvm/Support/MemoryBuffer.h" +#include "llvm/Support/TargetRegistry.h" +#include "llvm/Support/TargetSelect.h" +#include "llvm/Support/raw_ostream.h" + +#include <functional> +#include <set> +#include <string> +#include <unordered_map> + +using Instr = llvm::cfi_verify::FileAnalysis::Instr; + +namespace llvm { +namespace cfi_verify { + +extern uint64_t SearchLengthForUndef; +extern uint64_t SearchLengthForConditionalBranch; + +struct ConditionalBranchNode { + uint64_t Address; + uint64_t Target; + uint64_t Fallthrough; + // Does this conditional branch look like it's used for CFI protection? i.e. + // - The exit point of a basic block whos entry point is {target|fallthrough} + // is a CFI trap, and... + // - The exit point of the other basic block is an undirect CF instruction. + bool CFIProtection; +}; + +// The canonical graph result structure returned by GraphBuilder. The members +// in this structure encapsulate all possible code paths to the instruction +// located at `BaseAddress`. +struct GraphResult { + uint64_t BaseAddress; + + // Map between an instruction address, and the address of the next instruction + // that will be executed. This map will contain all keys in the range: + // - [orphaned node, base address) + // - [conditional branch node {target|fallthrough}, base address) + DenseMap<uint64_t, uint64_t> IntermediateNodes; + + // A list of orphaned nodes. A node is an 'orphan' if it meets any of the + // following criteria: + // - The length of the path from the base to this node has exceeded + // `SearchLengthForConditionalBranch`. + // - The node has no cross references to it. + // - The path from the base to this node is cyclic. + std::vector<uint64_t> OrphanedNodes; + + // A list of top-level conditional branches that exist at the top of any + // non-orphan paths from the base. + std::vector<ConditionalBranchNode> ConditionalBranchNodes; + + // Returns an in-order list of the path between the address provided and the + // base. The provided address must be part of this graph, and must not be a + // conditional branch. + std::vector<uint64_t> flattenAddress(uint64_t Address) const; +}; + +class GraphBuilder { +public: + // Build the control flow graph for a provided control flow node. This method + // will enumerate all branch nodes that can lead to this node, and place them + // into GraphResult::ConditionalBranchNodes. It will also provide any orphaned + // (i.e. the upwards traversal did not make it to a branch node) flows to the + // provided node in GraphResult::OrphanedNodes. + static GraphResult buildFlowGraph(const FileAnalysis &Analysis, + uint64_t Address); + +private: + // Implementation function that actually builds the flow graph. Retrieves a + // list of cross references to instruction referenced in `Address`. If any of + // these XRefs are conditional branches, it will build the other potential + // path (fallthrough or target) using `buildFlowsToUndefined`. Otherwise, this + // function will recursively call itself where `Address` in the recursive call + // is now the XRef. If any XRef is an orphan, it is added to + // `Result.OrphanedNodes`. `OpenedNodes` keeps track of the list of nodes + // in the current path and is used for cycle-checking. If the path is found + // to be cyclic, it will be added to `Result.OrphanedNodes`. + static void buildFlowGraphImpl(const FileAnalysis &Analysis, + DenseSet<uint64_t> &OpenedNodes, + GraphResult &Result, uint64_t Address, + uint64_t Depth); + + // Utilised by buildFlowGraphImpl to build the tree out from the provided + // conditional branch node to an undefined instruction. The provided + // conditional branch node must have exactly one of its subtrees set, and will + // update the node's CFIProtection field if a deterministic flow can be found + // to an undefined instruction. + static void buildFlowsToUndefined(const FileAnalysis &Analysis, + GraphResult &Result, + ConditionalBranchNode &BranchNode, + const Instr &BranchInstrMeta); +}; + +} // end namespace cfi_verify +} // end namespace llvm + +#endif // LLVM_CFI_VERIFY_GRAPH_BUILDER_H |
