1 //===- StackProtector.h - Stack Protector Insertion -------------*- C++ -*-===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This pass inserts stack protectors into functions which need them. A variable 11 // with a random value in it is stored onto the stack before the local variables 12 // are allocated. Upon exiting the block, the stored value is checked. If it's 13 // changed, then there was some sort of violation and the program aborts. 14 // 15 //===----------------------------------------------------------------------===// 16 17 #ifndef LLVM_CODEGEN_STACKPROTECTOR_H 18 #define LLVM_CODEGEN_STACKPROTECTOR_H 19 20 #include "llvm/ADT/SmallPtrSet.h" 21 #include "llvm/ADT/Triple.h" 22 #include "llvm/IR/Instructions.h" 23 #include "llvm/IR/ValueMap.h" 24 #include "llvm/Pass.h" 25 26 namespace llvm { 27 28 class BasicBlock; 29 class DominatorTree; 30 class Function; 31 class Instruction; 32 class Module; 33 class TargetLoweringBase; 34 class TargetMachine; 35 class Type; 36 37 class StackProtector : public FunctionPass { 38 public: 39 /// SSPLayoutKind. Stack Smashing Protection (SSP) rules require that 40 /// vulnerable stack allocations are located close the stack protector. 41 enum SSPLayoutKind { 42 SSPLK_None, ///< Did not trigger a stack protector. No effect on data 43 ///< layout. 44 SSPLK_LargeArray, ///< Array or nested array >= SSP-buffer-size. Closest 45 ///< to the stack protector. 46 SSPLK_SmallArray, ///< Array or nested array < SSP-buffer-size. 2nd closest 47 ///< to the stack protector. 48 SSPLK_AddrOf ///< The address of this allocation is exposed and 49 ///< triggered protection. 3rd closest to the protector. 50 }; 51 52 /// A mapping of AllocaInsts to their required SSP layout. 53 using SSPLayoutMap = ValueMap<const AllocaInst *, SSPLayoutKind>; 54 55 private: 56 const TargetMachine *TM = nullptr; 57 58 /// TLI - Keep a pointer of a TargetLowering to consult for determining 59 /// target type sizes. 60 const TargetLoweringBase *TLI = nullptr; 61 Triple Trip; 62 63 Function *F; 64 Module *M; 65 66 DominatorTree *DT; 67 68 /// Layout - Mapping of allocations to the required SSPLayoutKind. 69 /// StackProtector analysis will update this map when determining if an 70 /// AllocaInst triggers a stack protector. 71 SSPLayoutMap Layout; 72 73 /// \brief The minimum size of buffers that will receive stack smashing 74 /// protection when -fstack-protection is used. 75 unsigned SSPBufferSize = 0; 76 77 /// VisitedPHIs - The set of PHI nodes visited when determining 78 /// if a variable's reference has been taken. This set 79 /// is maintained to ensure we don't visit the same PHI node multiple 80 /// times. 81 SmallPtrSet<const PHINode *, 16> VisitedPHIs; 82 83 // A prologue is generated. 84 bool HasPrologue = false; 85 86 // IR checking code is generated. 87 bool HasIRCheck = false; 88 89 /// InsertStackProtectors - Insert code into the prologue and epilogue of 90 /// the function. 91 /// 92 /// - The prologue code loads and stores the stack guard onto the stack. 93 /// - The epilogue checks the value stored in the prologue against the 94 /// original value. It calls __stack_chk_fail if they differ. 95 bool InsertStackProtectors(); 96 97 /// CreateFailBB - Create a basic block to jump to when the stack protector 98 /// check fails. 99 BasicBlock *CreateFailBB(); 100 101 /// ContainsProtectableArray - Check whether the type either is an array or 102 /// contains an array of sufficient size so that we need stack protectors 103 /// for it. 104 /// \param [out] IsLarge is set to true if a protectable array is found and 105 /// it is "large" ( >= ssp-buffer-size). In the case of a structure with 106 /// multiple arrays, this gets set if any of them is large. 107 bool ContainsProtectableArray(Type *Ty, bool &IsLarge, bool Strong = false, 108 bool InStruct = false) const; 109 110 /// \brief Check whether a stack allocation has its address taken. 111 bool HasAddressTaken(const Instruction *AI); 112 113 /// RequiresStackProtector - Check whether or not this function needs a 114 /// stack protector based upon the stack protector level. 115 bool RequiresStackProtector(); 116 117 public: 118 static char ID; // Pass identification, replacement for typeid. 119 120 StackProtector() : FunctionPass(ID), SSPBufferSize(8) { 121 initializeStackProtectorPass(*PassRegistry::getPassRegistry()); 122 } 123 124 void getAnalysisUsage(AnalysisUsage &AU) const override; 125 126 SSPLayoutKind getSSPLayout(const AllocaInst *AI) const; 127 128 // Return true if StackProtector is supposed to be handled by SelectionDAG. 129 bool shouldEmitSDCheck(const BasicBlock &BB) const; 130 131 void adjustForColoring(const AllocaInst *From, const AllocaInst *To); 132 133 bool runOnFunction(Function &Fn) override; 134 }; 135 136 } // end namespace llvm 137 138 #endif // LLVM_CODEGEN_STACKPROTECTOR_H 139