1 //===-- StackProtector.cpp - Stack Protector Insertion --------------------===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This pass inserts stack protectors into functions which need them. A variable 11 // with a random value in it is stored onto the stack before the local variables 12 // are allocated. Upon exiting the block, the stored value is checked. If it's 13 // changed, then there was some sort of violation and the program aborts. 14 // 15 //===----------------------------------------------------------------------===// 16 17 #define DEBUG_TYPE "stack-protector" 18 #include "llvm/CodeGen/Passes.h" 19 #include "llvm/ADT/SmallPtrSet.h" 20 #include "llvm/ADT/Statistic.h" 21 #include "llvm/ADT/Triple.h" 22 #include "llvm/Analysis/Dominators.h" 23 #include "llvm/IR/Attributes.h" 24 #include "llvm/IR/Constants.h" 25 #include "llvm/IR/DataLayout.h" 26 #include "llvm/IR/DerivedTypes.h" 27 #include "llvm/IR/Function.h" 28 #include "llvm/IR/GlobalValue.h" 29 #include "llvm/IR/GlobalVariable.h" 30 #include "llvm/IR/Instructions.h" 31 #include "llvm/IR/Intrinsics.h" 32 #include "llvm/IR/Module.h" 33 #include "llvm/Pass.h" 34 #include "llvm/Support/CommandLine.h" 35 #include "llvm/Target/TargetLowering.h" 36 #include <cstdlib> 37 using namespace llvm; 38 39 STATISTIC(NumFunProtected, "Number of functions protected"); 40 STATISTIC(NumAddrTaken, "Number of local variables that have their address" 41 " taken."); 42 43 namespace { 44 class StackProtector : public FunctionPass { 45 const TargetMachine *TM; 46 47 /// TLI - Keep a pointer of a TargetLowering to consult for determining 48 /// target type sizes. 49 const TargetLoweringBase *TLI; 50 const Triple Trip; 51 52 Function *F; 53 Module *M; 54 55 DominatorTree *DT; 56 57 /// \brief The minimum size of buffers that will receive stack smashing 58 /// protection when -fstack-protection is used. 59 unsigned SSPBufferSize; 60 61 /// VisitedPHIs - The set of PHI nodes visited when determining 62 /// if a variable's reference has been taken. This set 63 /// is maintained to ensure we don't visit the same PHI node multiple 64 /// times. 65 SmallPtrSet<const PHINode*, 16> VisitedPHIs; 66 67 /// InsertStackProtectors - Insert code into the prologue and epilogue of 68 /// the function. 69 /// 70 /// - The prologue code loads and stores the stack guard onto the stack. 71 /// - The epilogue checks the value stored in the prologue against the 72 /// original value. It calls __stack_chk_fail if they differ. 73 bool InsertStackProtectors(); 74 75 /// CreateFailBB - Create a basic block to jump to when the stack protector 76 /// check fails. 77 BasicBlock *CreateFailBB(); 78 79 /// ContainsProtectableArray - Check whether the type either is an array or 80 /// contains an array of sufficient size so that we need stack protectors 81 /// for it. 82 bool ContainsProtectableArray(Type *Ty, bool Strong = false, 83 bool InStruct = false) const; 84 85 /// \brief Check whether a stack allocation has its address taken. 86 bool HasAddressTaken(const Instruction *AI); 87 88 /// RequiresStackProtector - Check whether or not this function needs a 89 /// stack protector based upon the stack protector level. 90 bool RequiresStackProtector(); 91 public: 92 static char ID; // Pass identification, replacement for typeid. 93 StackProtector() : FunctionPass(ID), TM(0), TLI(0), SSPBufferSize(0) { 94 initializeStackProtectorPass(*PassRegistry::getPassRegistry()); 95 } 96 StackProtector(const TargetMachine *TM) 97 : FunctionPass(ID), TM(TM), TLI(0), Trip(TM->getTargetTriple()), 98 SSPBufferSize(8) { 99 initializeStackProtectorPass(*PassRegistry::getPassRegistry()); 100 } 101 102 virtual void getAnalysisUsage(AnalysisUsage &AU) const { 103 AU.addPreserved<DominatorTree>(); 104 } 105 106 virtual bool runOnFunction(Function &Fn); 107 }; 108 } // end anonymous namespace 109 110 char StackProtector::ID = 0; 111 INITIALIZE_PASS(StackProtector, "stack-protector", 112 "Insert stack protectors", false, false) 113 114 FunctionPass *llvm::createStackProtectorPass(const TargetMachine *TM) { 115 return new StackProtector(TM); 116 } 117 118 bool StackProtector::runOnFunction(Function &Fn) { 119 F = &Fn; 120 M = F->getParent(); 121 DT = getAnalysisIfAvailable<DominatorTree>(); 122 TLI = TM->getTargetLowering(); 123 124 if (!RequiresStackProtector()) return false; 125 126 Attribute Attr = 127 Fn.getAttributes().getAttribute(AttributeSet::FunctionIndex, 128 "stack-protector-buffer-size"); 129 if (Attr.isStringAttribute()) 130 SSPBufferSize = atoi(Attr.getValueAsString().data()); 131 132 ++NumFunProtected; 133 return InsertStackProtectors(); 134 } 135 136 /// ContainsProtectableArray - Check whether the type either is an array or 137 /// contains a char array of sufficient size so that we need stack protectors 138 /// for it. 139 bool StackProtector::ContainsProtectableArray(Type *Ty, bool Strong, 140 bool InStruct) const { 141 if (!Ty) return false; 142 if (ArrayType *AT = dyn_cast<ArrayType>(Ty)) { 143 // In strong mode any array, regardless of type and size, triggers a 144 // protector 145 if (Strong) 146 return true; 147 if (!AT->getElementType()->isIntegerTy(8)) { 148 // If we're on a non-Darwin platform or we're inside of a structure, don't 149 // add stack protectors unless the array is a character array. 150 if (InStruct || !Trip.isOSDarwin()) 151 return false; 152 } 153 154 // If an array has more than SSPBufferSize bytes of allocated space, then we 155 // emit stack protectors. 156 if (SSPBufferSize <= TLI->getDataLayout()->getTypeAllocSize(AT)) 157 return true; 158 } 159 160 const StructType *ST = dyn_cast<StructType>(Ty); 161 if (!ST) return false; 162 163 for (StructType::element_iterator I = ST->element_begin(), 164 E = ST->element_end(); I != E; ++I) 165 if (ContainsProtectableArray(*I, Strong, true)) 166 return true; 167 168 return false; 169 } 170 171 bool StackProtector::HasAddressTaken(const Instruction *AI) { 172 for (Value::const_use_iterator UI = AI->use_begin(), UE = AI->use_end(); 173 UI != UE; ++UI) { 174 const User *U = *UI; 175 if (const StoreInst *SI = dyn_cast<StoreInst>(U)) { 176 if (AI == SI->getValueOperand()) 177 return true; 178 } else if (const PtrToIntInst *SI = dyn_cast<PtrToIntInst>(U)) { 179 if (AI == SI->getOperand(0)) 180 return true; 181 } else if (isa<CallInst>(U)) { 182 return true; 183 } else if (isa<InvokeInst>(U)) { 184 return true; 185 } else if (const SelectInst *SI = dyn_cast<SelectInst>(U)) { 186 if (HasAddressTaken(SI)) 187 return true; 188 } else if (const PHINode *PN = dyn_cast<PHINode>(U)) { 189 // Keep track of what PHI nodes we have already visited to ensure 190 // they are only visited once. 191 if (VisitedPHIs.insert(PN)) 192 if (HasAddressTaken(PN)) 193 return true; 194 } else if (const GetElementPtrInst *GEP = dyn_cast<GetElementPtrInst>(U)) { 195 if (HasAddressTaken(GEP)) 196 return true; 197 } else if (const BitCastInst *BI = dyn_cast<BitCastInst>(U)) { 198 if (HasAddressTaken(BI)) 199 return true; 200 } 201 } 202 return false; 203 } 204 205 /// \brief Check whether or not this function needs a stack protector based 206 /// upon the stack protector level. 207 /// 208 /// We use two heuristics: a standard (ssp) and strong (sspstrong). 209 /// The standard heuristic which will add a guard variable to functions that 210 /// call alloca with a either a variable size or a size >= SSPBufferSize, 211 /// functions with character buffers larger than SSPBufferSize, and functions 212 /// with aggregates containing character buffers larger than SSPBufferSize. The 213 /// strong heuristic will add a guard variables to functions that call alloca 214 /// regardless of size, functions with any buffer regardless of type and size, 215 /// functions with aggregates that contain any buffer regardless of type and 216 /// size, and functions that contain stack-based variables that have had their 217 /// address taken. 218 bool StackProtector::RequiresStackProtector() { 219 bool Strong = false; 220 if (F->getAttributes().hasAttribute(AttributeSet::FunctionIndex, 221 Attribute::StackProtectReq)) 222 return true; 223 else if (F->getAttributes().hasAttribute(AttributeSet::FunctionIndex, 224 Attribute::StackProtectStrong)) 225 Strong = true; 226 else if (!F->getAttributes().hasAttribute(AttributeSet::FunctionIndex, 227 Attribute::StackProtect)) 228 return false; 229 230 for (Function::iterator I = F->begin(), E = F->end(); I != E; ++I) { 231 BasicBlock *BB = I; 232 233 for (BasicBlock::iterator 234 II = BB->begin(), IE = BB->end(); II != IE; ++II) { 235 if (AllocaInst *AI = dyn_cast<AllocaInst>(II)) { 236 if (AI->isArrayAllocation()) { 237 // SSP-Strong: Enable protectors for any call to alloca, regardless 238 // of size. 239 if (Strong) 240 return true; 241 242 if (const ConstantInt *CI = 243 dyn_cast<ConstantInt>(AI->getArraySize())) { 244 if (CI->getLimitedValue(SSPBufferSize) >= SSPBufferSize) 245 // A call to alloca with size >= SSPBufferSize requires 246 // stack protectors. 247 return true; 248 } else { 249 // A call to alloca with a variable size requires protectors. 250 return true; 251 } 252 } 253 254 if (ContainsProtectableArray(AI->getAllocatedType(), Strong)) 255 return true; 256 257 if (Strong && HasAddressTaken(AI)) { 258 ++NumAddrTaken; 259 return true; 260 } 261 } 262 } 263 } 264 265 return false; 266 } 267 268 /// Insert code into the entry block that stores the __stack_chk_guard 269 /// variable onto the stack: 270 /// 271 /// entry: 272 /// StackGuardSlot = alloca i8* 273 /// StackGuard = load __stack_chk_guard 274 /// call void @llvm.stackprotect.create(StackGuard, StackGuardSlot) 275 /// 276 static void CreatePrologue(Function *F, Module *M, ReturnInst *RI, 277 const TargetLoweringBase *TLI, const Triple &Trip, 278 AllocaInst *&AI, Value *&StackGuardVar) { 279 PointerType *PtrTy = Type::getInt8PtrTy(RI->getContext()); 280 unsigned AddressSpace, Offset; 281 if (TLI->getStackCookieLocation(AddressSpace, Offset)) { 282 Constant *OffsetVal = 283 ConstantInt::get(Type::getInt32Ty(RI->getContext()), Offset); 284 285 StackGuardVar = ConstantExpr::getIntToPtr(OffsetVal, 286 PointerType::get(PtrTy, 287 AddressSpace)); 288 } else if (Trip.getOS() == llvm::Triple::OpenBSD) { 289 StackGuardVar = M->getOrInsertGlobal("__guard_local", PtrTy); 290 cast<GlobalValue>(StackGuardVar) 291 ->setVisibility(GlobalValue::HiddenVisibility); 292 } else { 293 StackGuardVar = M->getOrInsertGlobal("__stack_chk_guard", PtrTy); 294 } 295 296 BasicBlock &Entry = F->getEntryBlock(); 297 Instruction *InsPt = &Entry.front(); 298 299 AI = new AllocaInst(PtrTy, "StackGuardSlot", InsPt); 300 LoadInst *LI = new LoadInst(StackGuardVar, "StackGuard", false, InsPt); 301 302 Value *Args[] = { LI, AI }; 303 CallInst:: 304 Create(Intrinsic::getDeclaration(M, Intrinsic::stackprotector), 305 Args, "", InsPt); 306 } 307 308 /// InsertStackProtectors - Insert code into the prologue and epilogue of the 309 /// function. 310 /// 311 /// - The prologue code loads and stores the stack guard onto the stack. 312 /// - The epilogue checks the value stored in the prologue against the original 313 /// value. It calls __stack_chk_fail if they differ. 314 bool StackProtector::InsertStackProtectors() { 315 BasicBlock *FailBB = 0; // The basic block to jump to if check fails. 316 BasicBlock *FailBBDom = 0; // FailBB's dominator. 317 AllocaInst *AI = 0; // Place on stack that stores the stack guard. 318 Value *StackGuardVar = 0; // The stack guard variable. 319 320 for (Function::iterator I = F->begin(), E = F->end(); I != E; ) { 321 BasicBlock *BB = I++; 322 ReturnInst *RI = dyn_cast<ReturnInst>(BB->getTerminator()); 323 if (!RI) continue; 324 325 if (!FailBB) { 326 CreatePrologue(F, M, RI, TLI, Trip, AI, StackGuardVar); 327 // Create the basic block to jump to when the guard check fails. 328 FailBB = CreateFailBB(); 329 } 330 331 // For each block with a return instruction, convert this: 332 // 333 // return: 334 // ... 335 // ret ... 336 // 337 // into this: 338 // 339 // return: 340 // ... 341 // %1 = load __stack_chk_guard 342 // %2 = load StackGuardSlot 343 // %3 = cmp i1 %1, %2 344 // br i1 %3, label %SP_return, label %CallStackCheckFailBlk 345 // 346 // SP_return: 347 // ret ... 348 // 349 // CallStackCheckFailBlk: 350 // call void @__stack_chk_fail() 351 // unreachable 352 353 // Split the basic block before the return instruction. 354 BasicBlock *NewBB = BB->splitBasicBlock(RI, "SP_return"); 355 356 if (DT && DT->isReachableFromEntry(BB)) { 357 DT->addNewBlock(NewBB, BB); 358 FailBBDom = FailBBDom ? DT->findNearestCommonDominator(FailBBDom, BB) :BB; 359 } 360 361 // Remove default branch instruction to the new BB. 362 BB->getTerminator()->eraseFromParent(); 363 364 // Move the newly created basic block to the point right after the old basic 365 // block so that it's in the "fall through" position. 366 NewBB->moveAfter(BB); 367 368 // Generate the stack protector instructions in the old basic block. 369 LoadInst *LI1 = new LoadInst(StackGuardVar, "", false, BB); 370 LoadInst *LI2 = new LoadInst(AI, "", true, BB); 371 ICmpInst *Cmp = new ICmpInst(*BB, CmpInst::ICMP_EQ, LI1, LI2, ""); 372 BranchInst::Create(NewBB, FailBB, Cmp, BB); 373 } 374 375 // Return if we didn't modify any basic blocks. I.e., there are no return 376 // statements in the function. 377 if (!FailBB) return false; 378 379 if (DT && FailBBDom) 380 DT->addNewBlock(FailBB, FailBBDom); 381 382 return true; 383 } 384 385 /// CreateFailBB - Create a basic block to jump to when the stack protector 386 /// check fails. 387 BasicBlock *StackProtector::CreateFailBB() { 388 LLVMContext &Context = F->getContext(); 389 BasicBlock *FailBB = BasicBlock::Create(Context, "CallStackCheckFailBlk", F); 390 if (Trip.getOS() == llvm::Triple::OpenBSD) { 391 Constant *StackChkFail = M->getOrInsertFunction( 392 "__stack_smash_handler", Type::getVoidTy(Context), 393 Type::getInt8PtrTy(Context), NULL); 394 395 Constant *NameStr = ConstantDataArray::getString(Context, F->getName()); 396 Constant *FuncName = 397 new GlobalVariable(*M, NameStr->getType(), true, 398 GlobalVariable::PrivateLinkage, NameStr, "SSH"); 399 400 SmallVector<Constant *, 2> IdxList; 401 IdxList.push_back(ConstantInt::get(Type::getInt8Ty(Context), 0)); 402 IdxList.push_back(ConstantInt::get(Type::getInt8Ty(Context), 0)); 403 404 SmallVector<Value *, 1> Args; 405 Args.push_back(ConstantExpr::getGetElementPtr(FuncName, IdxList)); 406 407 CallInst::Create(StackChkFail, Args, "", FailBB); 408 } else { 409 Constant *StackChkFail = M->getOrInsertFunction( 410 "__stack_chk_fail", Type::getVoidTy(Context), NULL); 411 CallInst::Create(StackChkFail, "", FailBB); 412 } 413 new UnreachableInst(Context, FailBB); 414 return FailBB; 415 } 416
