Normalize ptrauth handling in sanitizer runtime #100483
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1. Include ptrauth.h if ptrauth_intrinsics language feature is specified
(per ptrauth spec, this is what enables ptrauh.h usage)
2. For PAC-RET fallback implement two changes:
- Switch to macro, so we can ignore key argument
- Ensure the unsigned value is erased from LR, so the
possibility of gadget reuse is reduced.
Fixes #100467
|
@sylvestre will you please double check if this fixes the issue you're seeing? |
|
@llvm/pr-subscribers-compiler-rt-sanitizer Author: Anton Korobeynikov (asl) Changes
Fixes #100467 Full diff: https://github.com/llvm/llvm-project/pull/100483.diff 1 Files Affected:
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_ptrauth.h b/compiler-rt/lib/sanitizer_common/sanitizer_ptrauth.h
index 5200354694851..d228dd33cf938 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_ptrauth.h
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_ptrauth.h
@@ -9,24 +9,26 @@
#ifndef SANITIZER_PTRAUTH_H
#define SANITIZER_PTRAUTH_H
-#if __has_feature(ptrauth_calls)
+#if __has_feature(ptrauth_intrinsics)
#include <ptrauth.h>
#elif defined(__ARM_FEATURE_PAC_DEFAULT) && !defined(__APPLE__)
-inline unsigned long ptrauth_strip(void* __value, unsigned int __key) {
- // On the stack the link register is protected with Pointer
- // Authentication Code when compiled with -mbranch-protection.
- // Let's stripping the PAC unconditionally because xpaclri is in
- // the NOP space so will do nothing when it is not enabled or not available.
- unsigned long ret;
- asm volatile(
- "mov x30, %1\n\t"
- "hint #7\n\t" // xpaclri
- "mov %0, x30\n\t"
- : "=r"(ret)
- : "r"(__value)
- : "x30");
- return ret;
-}
+// On the stack the link register is protected with Pointer
+// Authentication Code when compiled with -mbranch-protection.
+// Let's stripping the PAC unconditionally because xpaclri is in
+// the NOP space so will do nothing when it is not enabled or not available.
+#define ptrauth_strip(__value, __key) \
+ ({ \
+ unsigned long ret; \
+ asm volatile( \
+ "mov x30, %1\n\t" \
+ "hint #7\n\t" \
+ "mov %0, x30\n\t" \
+ "mov x30, xzr\n\t" \
+ : "=r"(ret) \
+ : "r"(__value) \
+ : "x30"); \
+ ret; \
+ })
#define ptrauth_auth_data(__value, __old_key, __old_data) __value
#define ptrauth_string_discriminator(__string) ((int)0)
#else
|
|
✅ With the latest revision this PR passed the C/C++ code formatter. |
asl
force-pushed
the
users/asl/compiler-rt-pauth-includes
branch
from
60e4dd8 to
1661d58
Compare
asl
force-pushed
the
users/asl/compiler-rt-pauth-includes
branch
from
1661d58 to
778a0e3
Compare
DanielKristofKiss
approved these changes
Jul 25, 2024
|
/cherry-pick cc4f989 |
llvmbot
pushed a commit
to llvmbot/llvm-project
that referenced
this pull request
Jul 25, 2024
1. Include `ptrauth.h` if `ptrauth_intrinsics` language feature is specified (per ptrauth spec, this is what enables `ptrauh.h` usage and functions like `ptrauth_strip`)
2. For PAC-RET fallback implement two changes:
1. Switch to macro, so we can ignore key argument
2. Ensure the unsigned value is erased from LR, so the possibility of gadget reuse is reduced.
Fixes llvm#100467
(cherry picked from commit cc4f989)
|
/pull-request #100634 |
|
With the fix, this is still broken due to invalid pointer conversion: |
Oh. Thanks for noticing this! I believe we fixed this issue... But apparently, not final version of patch was submitted. So, to double check, the final version has Apparently, there are no buildbots that cover this configuration... |
alanzhao1
added a commit
to alanzhao1/llvm-project
that referenced
this pull request
Jul 25, 2024
With llvm#100483, if the inline asm version of `ptrauth_strip` is used instead of the builtin, the inline asm implementation will return an unsigned long, causing an incompatible pointer conversion issue.
A quick search shows that the preference seems to be to cast the result of |
tru
pushed a commit
to llvmbot/llvm-project
that referenced
this pull request
Jul 26, 2024
1. Include `ptrauth.h` if `ptrauth_intrinsics` language feature is specified (per ptrauth spec, this is what enables `ptrauh.h` usage and functions like `ptrauth_strip`)
2. For PAC-RET fallback implement two changes:
1. Switch to macro, so we can ignore key argument
2. Ensure the unsigned value is erased from LR, so the possibility of gadget reuse is reduced.
Fixes llvm#100467
(cherry picked from commit cc4f989)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
ptrauth.hifptrauth_intrinsicslanguage feature is specified (per ptrauth spec, this is what enablesptrauh.husage and functions likeptrauth_strip)Fixes #100467