void created this revision. void added reviewers: aaron.ballman, MaskRay. Herald added a subscriber: StephenFan. Herald added a project: All. void requested review of this revision. Herald added a project: clang. Herald added a subscriber: cfe-commits.
Structures of function pointers are a good surface area for attacks. We should therefore randomize them unless explicitly told not to. Repository: rG LLVM Github Monorepo https://reviews.llvm.org/D123544 Files: clang/lib/Sema/SemaDecl.cpp clang/unittests/AST/RandstructTest.cpp Index: clang/unittests/AST/RandstructTest.cpp =================================================================== --- clang/unittests/AST/RandstructTest.cpp +++ clang/unittests/AST/RandstructTest.cpp @@ -417,5 +417,49 @@ EXPECT_TRUE(AnonUnionTested); } +TEST(RANDSTRUCT_TEST, AutoRandomizeStructOfFunctionPointers) { + const std::unique_ptr<ASTUnit> AST = makeAST(R"c( + typedef void (*func_ptr)(); + + struct test { + func_ptr a; + func_ptr b; + func_ptr c; + func_ptr d; + func_ptr e; + func_ptr f; + func_ptr g; + }; + )c"); + + EXPECT_FALSE(AST->getDiagnostics().hasErrorOccurred()); + + const RecordDecl *RD = getRecordDeclFromAST(AST->getASTContext(), "test"); + + EXPECT_TRUE(RD->isRandomized()); +} + +TEST(RANDSTRUCT_TEST, DisableAutoRandomizeStructOfFunctionPointers) { + const std::unique_ptr<ASTUnit> AST = makeAST(R"c( + typedef void (*func_ptr)(); + + struct test { + func_ptr a; + func_ptr b; + func_ptr c; + func_ptr d; + func_ptr e; + func_ptr f; + func_ptr g; + } __attribute__((no_randomize_layout)); + )c"); + + EXPECT_FALSE(AST->getDiagnostics().hasErrorOccurred()); + + const RecordDecl *RD = getRecordDeclFromAST(AST->getASTContext(), "test"); + + EXPECT_FALSE(RD->isRandomized()); +} + } // namespace ast_matchers } // namespace clang Index: clang/lib/Sema/SemaDecl.cpp =================================================================== --- clang/lib/Sema/SemaDecl.cpp +++ clang/lib/Sema/SemaDecl.cpp 
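Review bot: Both new tests in RandstructTest.cpp use a struct made only of function pointers, so nothing pins down the other side of the `all_of` condition added in SemaDecl.cpp. A struct that mixes a function pointer with a data member and carries no attribute should stay unrandomized, and a third test asserting that would catch a later change that widens automatic randomization beyond the intended records. The sketch below reuses the helpers the two new tests already call.

```cpp
TEST(RANDSTRUCT_TEST, NoAutoRandomizeStructWithDataMember) {
  const std::unique_ptr<ASTUnit> AST = makeAST(R"c(
    typedef void (*func_ptr)();

    struct test {
      func_ptr a;
      int b;
      func_ptr c;
    };
  )c");

  EXPECT_FALSE(AST->getDiagnostics().hasErrorOccurred());

  const RecordDecl *RD = getRecordDeclFromAST(AST->getASTContext(), "test");

  EXPECT_FALSE(RD->isRandomized());
}
```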
@@ -17969,8 +17969,22 @@ // Handle attributes before checking the layout. ProcessDeclAttributeList(S, Record, Attrs); - // Maybe randomize the field order. - if (!getLangOpts().CPlusPlus && Record->hasAttr<RandomizeLayoutAttr>() && + // Check to see if a FieldDecl is a pointer to a function. + auto IsFunctionPointer = [&](const FieldDecl *FD) { + QualType FieldType = FD->getType().getDesugaredType(Context); + if (isa<PointerType>(FieldType)) { + QualType PointeeType = cast<PointerType>(FieldType)->getPointeeType(); + return PointeeType.getDesugaredType(Context)->isFunctionType(); + } + return false; + }; + + // Maybe randomize the field order. We automatically randomize a structure + // of function pointers, unless it has the "no_randomize_layout" attribute. + if (!getLangOpts().CPlusPlus && + (Record->hasAttr<RandomizeLayoutAttr>() || + (!Record->hasAttr<NoRandomizeLayoutAttr>() && + llvm::all_of(Record->fields(), IsFunctionPointer))) && !Record->isUnion() && !getLangOpts().RandstructSeed.empty() && !Record->isRandomized()) { SmallVector<Decl *, 32> OrigFieldOrdering(Record->fields());
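Review bot: `llvm::all_of(Record->fields(), IsFunctionPointer)` is vacuously true for a record with no fields, so once a seed is set an empty struct also satisfies the new automatic branch of the condition; putting `!Record->field_empty() &&` in front of the `all_of` call would limit that branch to records that actually hold function pointers. Because this branch changes layout with no attribute visible in the source, a struct of function pointers shared with objects built without the same randstruct seed would presumably disagree on field offsets, and the comment above the `if` should say so and point to `no_randomize_layout` as the opt-out. As a style point, the lambda captures with `[&]` although it only needs `Context`, and its body could be reduced to `return FD->getType()->isFunctionPointerType();`. The enclosing function begins and ends outside this hunk.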
Index: clang/unittests/AST/RandstructTest.cpp =================================================================== --- clang/unittests/AST/RandstructTest.cpp +++ clang/unittests/AST/RandstructTest.cpp @@ -417,5 +417,49 @@ EXPECT_TRUE(AnonUnionTested); } +TEST(RANDSTRUCT_TEST, AutoRandomizeStructOfFunctionPointers) { + const std::unique_ptr<ASTUnit> AST = makeAST(R"c( + typedef void (*func_ptr)(); + + struct test { + func_ptr a; + func_ptr b; + func_ptr c; + func_ptr d; + func_ptr e; + func_ptr f; + func_ptr g; + }; + )c"); + + EXPECT_FALSE(AST->getDiagnostics().hasErrorOccurred()); + + const RecordDecl *RD = getRecordDeclFromAST(AST->getASTContext(), "test"); + + EXPECT_TRUE(RD->isRandomized()); +} + +TEST(RANDSTRUCT_TEST, DisableAutoRandomizeStructOfFunctionPointers) { + const std::unique_ptr<ASTUnit> AST = makeAST(R"c( + typedef void (*func_ptr)(); + + struct test { + func_ptr a; + func_ptr b; + func_ptr c; + func_ptr d; + func_ptr e; + func_ptr f; + func_ptr g; + } __attribute__((no_randomize_layout)); + )c"); + + EXPECT_FALSE(AST->getDiagnostics().hasErrorOccurred()); + + const RecordDecl *RD = getRecordDeclFromAST(AST->getASTContext(), "test"); + + EXPECT_FALSE(RD->isRandomized()); +} + } // namespace ast_matchers } // namespace clang Index: clang/lib/Sema/SemaDecl.cpp =================================================================== --- clang/lib/Sema/SemaDecl.cpp +++ clang/lib/Sema/SemaDecl.cpp 
@@ -17969,8 +17969,22 @@ // Handle attributes before checking the layout. ProcessDeclAttributeList(S, Record, Attrs); - // Maybe randomize the field order. - if (!getLangOpts().CPlusPlus && Record->hasAttr<RandomizeLayoutAttr>() && + // Check to see if a FieldDecl is a pointer to a function. + auto IsFunctionPointer = [&](const FieldDecl *FD) { + QualType FieldType = FD->getType().getDesugaredType(Context); + if (isa<PointerType>(FieldType)) { + QualType PointeeType = cast<PointerType>(FieldType)->getPointeeType(); + return PointeeType.getDesugaredType(Context)->isFunctionType(); + } + return false; + }; + + // Maybe randomize the field order. We automatically randomize a structure + // of function pointers, unless it has the "no_randomize_layout" attribute. + if (!getLangOpts().CPlusPlus && + (Record->hasAttr<RandomizeLayoutAttr>() || + (!Record->hasAttr<NoRandomizeLayoutAttr>() && + llvm::all_of(Record->fields(), IsFunctionPointer))) && !Record->isUnion() && !getLangOpts().RandstructSeed.empty() && !Record->isRandomized()) { SmallVector<Decl *, 32> OrigFieldOrdering(Record->fields());