libgcc/strub.c

   1 /* Stack scrubbing infrastructure
   2    Copyright (C) 2021-2023 Free Software Foundation, Inc.
   3    Contributed by Alexandre Oliva <oliva@adacore.com>
   4
   5 This file is part of GCC.
   6
   7 GCC is free software; you can redistribute it and/or modify it under
   8 the terms of the GNU General Public License as published by the Free
   9 Software Foundation; either version 3, or (at your option) any later
  10 version.
  11
  12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
  13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
  14 FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  15 for more details.
  16
  17 Under Section 7 of GPL version 3, you are granted additional
  18 permissions described in the GCC Runtime Library Exception, version
  19 3.1, as published by the Free Software Foundation.
  20
  21 You should have received a copy of the GNU General Public License and
  22 a copy of the GCC Runtime Library Exception along with this program;
  23 see the files COPYING3 and COPYING.RUNTIME respectively.  If not, see
  24 <http://www.gnu.org/licenses/>.  */
  25
  26 #include "tconfig.h"
  27 #include "tsystem.h"
  28 #include "coretypes.h"
  29 #include "tm.h"
  30 #include "libgcc_tm.h"
  31 #include "libgcc2.h"
  32
  33 #if ! STACK_GROWS_DOWNWARD
  34 # define TOPS >
  35 #else
  36 # define TOPS <
  37 #endif
  38
  39 #define ATTRIBUTE_STRUB_CALLABLE __attribute__ ((__strub__ ("callable")))
  40
  41 /* Enter a stack scrubbing context, initializing the watermark to the caller's
  42    stack address.  */
  43 void ATTRIBUTE_STRUB_CALLABLE
  44 __strub_enter (void **watermark)
  45 {
  46   *watermark = __builtin_frame_address (0);
  47 }
  48
  49 /* Update the watermark within a stack scrubbing context with the current stack
  50    pointer.  */
  51 void ATTRIBUTE_STRUB_CALLABLE
  52 __strub_update (void **watermark)
  53 {
  54   void *sp = __builtin_frame_address (0);
  55
  56   if (sp TOPS *watermark)
  57     *watermark = sp;
  58 }
  59
  60 #if TARGET_STRUB_USE_DYNAMIC_ARRAY && ! defined TARGET_STRUB_MAY_USE_MEMSET
  61 # define TARGET_STRUB_MAY_USE_MEMSET 1
  62 #endif
  63
  64 #if defined __x86_64__ && __OPTIMIZE__
  65 # define TARGET_STRUB_DISABLE_RED_ZONE \
  66   /* __attribute__ ((__target__ ("no-red-zone"))) // not needed when optimizing */
  67 #elif !defined RED_ZONE_SIZE || defined __i386__
  68 # define TARGET_STRUB_DISABLE_RED_ZONE
  69 #endif
  70
  71 #ifndef TARGET_STRUB_DISABLE_RED_ZONE
  72 /* Dummy function, called to force the caller to not be a leaf function, so
  73    that it can't use the red zone.  */
  74 static void ATTRIBUTE_STRUB_CALLABLE
  75 __attribute__ ((__noinline__, __noipa__))
  76 __strub_dummy_force_no_leaf (void)
  77 {
  78 }
  79 #endif
  80
  81 /* Leave a stack scrubbing context, clearing the stack between its top and
  82    *MARK.  */
  83 void ATTRIBUTE_STRUB_CALLABLE
  84 #if ! TARGET_STRUB_MAY_USE_MEMSET
  85 __attribute__ ((__optimize__ ("-fno-tree-loop-distribute-patterns")))
  86 #endif
  87 #ifdef TARGET_STRUB_DISABLE_RED_ZONE
  88 TARGET_STRUB_DISABLE_RED_ZONE
  89 #endif
  90 __strub_leave (void **mark)
  91 {
  92   void *sp = __builtin_stack_address ();
  93
  94   void **base, **end;
  95 #if ! STACK_GROWS_DOWNWARD
  96   base = sp; /* ??? Do we need an offset here?  */
  97   end = *mark;
  98 #else
  99   base = *mark;
 100   end = sp; /* ??? Does any platform require an offset here?  */
 101 #endif
 102
 103   if (! (base < end))
 104     return;
 105
 106 #if TARGET_STRUB_USE_DYNAMIC_ARRAY
 107   /* Compute the length without assuming the pointers are both sufficiently
 108      aligned.  They should be, but pointer differences expected to be exact may
 109      yield unexpected results when the assumption doesn't hold.  Given the
 110      potential security implications, compute the length without that
 111      expectation.  If the pointers are misaligned, we may leave a partial
 112      unscrubbed word behind.  */
 113   ptrdiff_t len = ((char *)end - (char *)base) / sizeof (void *);
 114   /* Allocate a dynamically-sized array covering the desired range, so that we
 115      can safely call memset on it.  */
 116   void *ptr[len];
 117   base = &ptr[0];
 118   end = &ptr[len];
 119 #elifndef TARGET_STRUB_DISABLE_RED_ZONE
 120   /* Prevent the use of the red zone, by making this function non-leaf through
 121      an unreachable call that, because of the asm stmt, the compiler will
 122      consider reachable.  */
 123   asm goto ("" : : : : no_leaf);
 124   if (0)
 125     {
 126     no_leaf:
 127       __strub_dummy_force_no_leaf ();
 128       return;
 129     }
 130 #endif
 131
 132   /* ldist may turn these loops into a memset (thus the conditional
 133      -fno-tree-loop-distribute-patterns above).  Without the dynamic array
 134      above, that call would likely be unsafe: possibly tail-called, and likely
 135      scribbling over its own stack frame.  */
 136 #if ! STACK_GROWS_DOWNWARD
 137   do
 138     *base++ = 0;
 139   while (base < end);
 140   /* Make sure the stack overwrites are not optimized away.  */
 141   asm ("" : : "m" (end[0]));
 142 #else
 143   do
 144     *--end = 0;
 145   while (base < end);
 146   /* Make sure the stack overwrites are not optimized away.  */
 147   asm ("" : : "m" (base[0]));
 148 #endif
 149 }