| blob | 5dc72a4796d1dfd54b850a28058d507b26f51f06 |
1 /* Copyright (C) 2013-2015 Free Software Foundation, Inc.
3 This file is part of GCC.
5 GCC is free software; you can redistribute it and/or modify it under
6 the terms of the GNU General Public License as published by the Free
7 Software Foundation; either version 3, or (at your option) any later
8 version.
10 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
11 WARRANTY; without even the implied warranty of MERCHANTABILITY or
12 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 for more details.
15 You should have received a copy of the GNU General Public License
16 along with GCC; see the file COPYING3. If not see
17 <http://www.gnu.org/licenses/>. */
19 /* Virtual Table Pointer Security Pass - Detect corruption of vtable pointers
20 before using them for virtual method dispatches. */
22 /* This file is part of the vtable security feature implementation.
23 The vtable security feature is designed to detect when a virtual
24 call is about to be made through an invalid vtable pointer
25 (possibly due to data corruption or malicious attacks). The
26 compiler finds every virtual call, and inserts a verification call
27 before the virtual call. The verification call takes the actual
28 vtable pointer value in the object through which the virtual call
29 is being made, and compares the vtable pointer against a set of all
30 valid vtable pointers that the object could contain (this set is
31 based on the declared type of the object). If the pointer is in
32 the valid set, execution is allowed to continue; otherwise the
33 program is halted.
35 There are several pieces needed in order to make this work: 1. For
36 every virtual class in the program (i.e. a class that contains
37 virtual methods), we need to build the set of all possible valid
38 vtables that an object of that class could point to. This includes
39 vtables for any class(es) that inherit from the class under
40 consideration. 2. For every such data set we build up, we need a
41 way to find and reference the data set. This is complicated by the
42 fact that the real vtable addresses are not known until runtime,
43 when the program is loaded into memory, but we need to reference the
44 sets at compile time when we are inserting verification calls into
45 the program. 3. We need to find every virtual call in the program,
46 and insert the verification call (with the appropriate arguments)
47 before the virtual call. 4. We need some runtime library pieces:
48 the code to build up the data sets at runtime; the code to actually
49 perform the verification using the data sets; and some code to set
50 protections on the data sets, so they themselves do not become
51 hacker targets.
53 To find and reference the set of valid vtable pointers for any given
54 virtual class, we create a special global variable for each virtual
55 class. We refer to this as the "vtable map variable" for that
56 class. The vtable map variable has the type "void *", and is
57 initialized by the compiler to NULL. At runtime when the set of
58 valid vtable pointers for a virtual class, e.g. class Foo, is built,
59 the vtable map variable for class Foo is made to point to the set.
60 During compile time, when the compiler is inserting verification
61 calls into the program, it passes the vtable map variable for the
62 appropriate class to the verification call, so that at runtime the
63 verification call can find the appropriate data set.
65 The actual set of valid vtable pointers for a virtual class,
66 e.g. class Foo, cannot be built until runtime, when the vtables get
67 loaded into memory and their addresses are known. But the knowledge
68 about which vtables belong in which class' hierarchy is only known
69 at compile time. Therefore at compile time we collect class
70 hierarchy and vtable information about every virtual class, and we
71 generate calls to build up the data sets at runtime. To build the
72 data sets, we call one of the functions we add to the runtime
73 library, __VLTRegisterPair. __VLTRegisterPair takes two arguments,
74 a vtable map variable and the address of a vtable. If the vtable
75 map variable is currently NULL, it creates a new data set (hash
76 table), makes the vtable map variable point to the new data set, and
77 inserts the vtable address into the data set. If the vtable map
78 variable is not NULL, it just inserts the vtable address into the
79 data set. In order to make sure that our data sets are built before
80 any verification calls happen, we create a special constructor
81 initialization function for each compilation unit, give it a very
82 high initialization priority, and insert all of our calls to
83 __VLTRegisterPair into our special constructor initialization
84 function.
86 The vtable verification feature is controlled by the flag
87 '-fvtable-verify='. There are three flavors of this:
88 '-fvtable-verify=std', '-fvtable-verify=preinit', and
89 '-fvtable-verify=none'. If the option '-fvtable-verfy=preinit' is
90 used, then our constructor initialization function gets put into the
91 preinit array. This is necessary if there are data sets that need
92 to be built very early in execution. If the constructor
93 initialization function gets put into the preinit array, the we also
94 add calls to __VLTChangePermission at the beginning and end of the
95 function. The call at the beginning sets the permissions on the
96 data sets and vtable map variables to read/write, and the one at the
97 end makes them read-only. If the '-fvtable-verify=std' option is
98 used, the constructor initialization functions are executed at their
99 normal time, and the __VLTChangePermission calls are handled
100 differently (see the comments in libstdc++-v3/libsupc++/vtv_rts.cc).
101 The option '-fvtable-verify=none' turns off vtable verification.
103 This file contains code for the tree pass that goes through all the
104 statements in each basic block, looking for virtual calls, and
105 inserting a call to __VLTVerifyVtablePointer (with appropriate
106 arguments) before each one. It also contains the hash table
107 functions for the data structures used for collecting the class
108 hierarchy data and building/maintaining the vtable map variable data
109 are defined in gcc/vtable-verify.h. These data structures are
110 shared with the code in the C++ front end that collects the class
111 hierarchy & vtable information and generates the vtable map
112 variables (see cp/vtable-class-hierarchy.c). This tree pass should
113 run just before the gimple is converted to RTL.
115 Some implementation details for this pass:
117 To find all of the virtual calls, we iterate through all the
118 gimple statements in each basic block, looking for any call
119 statement with the code "OBJ_TYPE_REF". Once we have found the
120 virtual call, we need to find the vtable pointer through which the
121 call is being made, and the type of the object containing the
122 pointer (to find the appropriate vtable map variable). We then use
123 these to build a call to __VLTVerifyVtablePointer, passing the
124 vtable map variable, and the vtable pointer. We insert the
125 verification call just after the gimple statement that gets the
126 vtable pointer out of the object, and we update the next
127 statement to depend on the result returned from
128 __VLTVerifyVtablePointer (the vtable pointer value), to ensure
129 subsequent compiler phases don't remove or reorder the call (it's no
130 good to have the verification occur after the virtual call, for
131 example). To find the vtable pointer being used (and the type of
132 the object) we search backwards through the def_stmts chain from the
133 virtual call (see verify_bb_vtables for more details). */
175 /* Keep track of whether or not any virtual call were verified. */
181 /* The following few functions are for the vtbl pointer hash table
182 in the 'registered' field of the struct vtable_map_node. The hash
183 table keeps track of which vtable pointers have been used in
184 calls to __VLTRegisterPair with that particular vtable map variable. */
186 /* This function checks to see if a particular VTABLE_DECL and OFFSET are
187 already in the 'registered' hash table for NODE. */
189 bool
191 tree vtable_decl,
193 {
203 {
208 }
211 }
213 /* This function inserts VTABLE_DECL and OFFSET into the 'registered'
214 hash table for NODE. It returns a boolean indicating whether or not
215 it actually inserted anything. */
217 bool
219 tree vtable_decl,
221 {
233 {
242 }
243 else
244 {
245 /* We found the vtable_decl slot; we need to see if it already
246 contains the offset. If not, we need to add the offset. */
254 {
257 }
258 }
260 }
262 /* Hashtable functions for vtable_registration hashtables. */
264 inline hashval_t
266 {
269 }
274 {
280 }
282 /* End of hashtable functions for "registered" hashtables. */
286 /* Hashtable definition and functions for vtbl_map_hash. */
289 {
294 };
296 /* Returns a hash code for P. */
298 inline hashval_t
300 {
303 }
305 /* Returns nonzero if P1 and P2 are equal. */
309 {
314 }
316 /* Here are the two structures into which we insert vtable map nodes.
317 We use two data structures because of the vastly different ways we need
318 to find the nodes for various tasks (see comments in vtable-verify.h
319 for more details. */
324 /* Vtable map variable nodes stored in a hash table. */
327 /* Vtable map variable nodes stored in a vector. */
330 /* Return vtbl_map node for CLASS_NAME without creating a new one. */
334 {
338 tree class_type_decl;
339 tree class_name;
348 /* Find the TYPE_DECL for the class. */
351 /* Verify that there aren't any qualifiers on the type. */
355 /* Get the mangled name for the unqualified type. */
364 }
366 /* Return vtbl_map node assigned to BASE_CLASS_TYPE. Create new one
367 when needed. */
371 {
375 tree class_type_decl;
381 /* Find the TYPE_DECL for the class. */
384 /* Verify that there aren't any type qualifiers on type. */
417 }
419 /* End of hashtable functions for vtable_map variables hash table. */
421 /* Given a gimple STMT, this function checks to see if the statement
422 is an assignment, the rhs of which is getting the vtable pointer
423 value out of an object. (i.e. it's the value we need to verify
424 because its the vtable pointer that will be used for a virtual
425 call). */
427 static bool
429 {
433 else
434 {
450 }
453 }
455 /* This function attempts to recover the declared class of an object
456 that is used in making a virtual call. We try to get the type from
457 the type cast in the gimple assignment statement that extracts the
458 vtable pointer from the object (DEF_STMT). The gimple statement
459 usually looks something like this:
461 D.2201_4 = MEM[(struct Event *)this_1(D)]._vptr.Event */
463 static tree
465 {
468 /* Try to find and extract the type cast from that stmt. */
470 {
476 {
481 else
483 }
485 {
490 }
491 }
494 }
496 /* This function traces forward through the def-use chain of an SSA
497 variable to see if it ever gets used in a virtual function call. It
498 returns a boolean indicating whether or not it found a virtual call in
499 the use chain. */
501 static bool
503 {
504 imm_use_iterator imm_iter;
506 use_operand_p use_p;
514 /* Iterate through the immediate uses of the current variable. If
515 it's a virtual function call, we're done. Otherwise, if there's
516 an LHS for the use stmt, add the ssa var to the work list
517 (assuming it's not already in the list and is not a variable
518 we've already examined. */
521 {
525 {
529 else
531 }
533 {
534 found_vcall = var_is_used_for_virtual_call_p
536 mem_ref_depth);
537 }
539 {
546 {
553 }
556 found_vcall = var_is_used_for_virtual_call_p
558 mem_ref_depth);
559 }
561 else
566 }
569 }
571 /* Search through all the statements in a basic block (BB), searching
572 for virtual method calls. For each virtual method dispatch, find
573 the vptr value used, and the statically declared type of the
574 object; retrieve the vtable map variable for the type of the
575 object; generate a call to __VLTVerifyVtablePointer; and insert the
576 generated call into the basic block, after the point where the vptr
577 value is gotten out of the object and before the virtual method
578 dispatch. Make the virtual method dispatch depend on the return
579 value from the verification call, so that subsequent optimizations
580 cannot reorder the two calls. */
582 static void
584 {
585 gimple_seq stmts;
587 gimple_stmt_iterator gsi_vtbl_assign;
588 gimple_stmt_iterator gsi_virtual_call;
593 {
596 /* Count virtual calls. */
598 {
601 total_num_virtual_calls++;
602 }
605 {
612 tree tmp0;
616 /* Make sure this vptr field access is for a virtual call. */
620 /* Now we have found the virtual method dispatch and
621 the preceding access of the _vptr.* field... Next
622 we need to find the statically declared type of
623 the object, so we can find and use the right
624 vtable map variable in the verification call. */
625 tree class_type = extract_object_class_type
633 {
634 /* Get the vtable VAR_DECL for the type. */
644 vtable_map_node = vtbl_map_get_node
649 /* Given the vtable pointer for the base class of the
650 object, build the call to __VLTVerifyVtablePointer to
651 verify that the object's vtable pointer (contained in
652 lhs) is in the set of valid vtable pointers for the
653 base class. */
656 {
663 /* Call different routines if we are interested in
664 trace information to debug problems. */
666 {
671 call_stmt = gimple_build_call
674 TYPE_POINTER_TO
676 vtbl_var_decl),
677 lhs,
678 build_string_literal
680 IDENTIFIER_POINTER
681 (DECL_NAME
684 vtable_name));
685 }
686 else
687 call_stmt = gimple_build_call
690 TYPE_POINTER_TO
692 vtbl_var_decl),
693 lhs);
696 /* Create a new SSA_NAME var to hold the call's
697 return value, and make the call_stmt use the
698 variable for that purpose. */
703 /* Replace all uses of lhs with tmp0. */
705 imm_use_iterator iterator;
706 gimple use_stmt;
708 {
709 use_operand_p use_p;
716 }
720 /* Insert the new verification call just after the
721 statement that gets the vtable pointer out of the
722 object. */
725 GSI_NEW_STMT);
728 total_num_verified_vcalls++;
729 }
730 }
731 }
732 }
733 }
735 /* Definition of this optimization pass. */
740 {
750 };
753 {
757 {}
759 /* opt_pass methods: */
765 /* Loop through all the basic blocks in the current function, passing them to
766 verify_bb_vtables, which searches for virtual calls, and inserts
767 calls to __VLTVerifyVtablePointer. */
769 unsigned int
771 {
773 basic_block bb;
779 }
783 gimple_opt_pass *
785 {
787 }