On 09/26/2017 07:45 AM, Tsimbalist, Igor V wrote:
Here is the updated version (version#3). All comments below are fixed.
This still needs more work. Specific comments below:
+The @code{nocf_check} attribute is applied to an object's type.
+In case of assignment of a function address or a function pointer to
+another pointer, the attribute is not carried over from the right-hand
+object's type, the type of left-hand object stays unchanged. The
s/object's type,/object's type;/
@@ -11348,6 +11349,35 @@ is used to link a program, the GCC driver
automatically links
against @file{libmpxwrappers}. See also @option{-static-libmpxwrappers}.
Enabled by default.
+@item -fcf-protection==@r{[}full@r{|}branch@r{|}return@r{|}none@r{]}
+@opindex fcf-protection
+Enable code instrumentation of control-flow transfers to increase
+program security by checking that target addresses of control-flow
+transfer instructions (such as indirect function call, function return,
+indirect jump) are valid. This prevents diverting the control
+flow instructions from its original target address to a new undesigned
s/control flow instructions/control-flow instructions/
I'd rewrite the next sentence as
This prevents diverting the flow of control to an unexpected target.
+target. This is intended to protect against such threats as
+Return-oriented Programming (ROP), and similarly call/jmp-oriented
+programming (COP/JOP).
+
+Each compiler target, which is going to support the control-flow
+instrumentation, is supposed to have its own target specific
+implementation. For all targets where an implementation is absent the
+usage of @option{-fcf-protection} option causes an error message.
I would really prefer that you list the targets this works on here instead.
+The value @code{branch} tells the compiler to implement checking of
+validity of control-flow transfer at the point of indirect branch
+instructions, i.e. call/jmp instructions. The value @code{return}
+implements checking of validity at the point of returning from a
+function. The value @code{full} is an alias for specifying both
+@code{branch} and @code{return}. The value @code{none} turns off
+instrumentation. This value may be used for future architectures
+where @option{-fcf-protection} option is switched on by default.
I don't think we need to document GCC's future behavior for future
architectures (I'm always going around removing useless discussion from
20 years ago of possible extensions that never got implemented). I
assume that this is just provided for completeness and to override a
previous -fcf-protection option on the command line.
+You can also use the @code{nocf_check} attribute to identify
+which functions and calls should be skipped from instrumentation
+(@pxref{Function Attributes}).
+
@item -fstack-protector
@opindex fstack-protector
Emit extra code to check for buffer overflows, such as stack smashing
diff --git a/gcc/doc/rtl.texi b/gcc/doc/rtl.texi
index 12355c2..b4fc5f3 100644
--- a/gcc/doc/rtl.texi
+++ b/gcc/doc/rtl.texi
@@ -4040,6 +4040,22 @@ is used in place of the actual insn pattern. This is
done in cases where
the pattern is either complex or misleading.
@end table
+The note @code{REG_CALL_NOCF_CHECK} is used in conjunction with the
+@option{-fcf-protection=branch} option. The note is set if a
+@code{nocf_check} attribute is specified for a function type or a
+pointer to function type. The note is stored in the @code{REG_NOTES}
+field of an insn.
+
+@table @code
+@findex REG_CALL_NOCF_CHECK
+@item REG_CALL_NOCF_CHECK
+A user has a control through the @code{nocf_check} attribute to identify
S/A user has a control/Users have control/
+which call to a function should be skipped from control-flow instrumentation
s/call/calls/
+when the option @option{-fcf-protection=branch} is specified. The compiler
+puts a @code{REG_CALL_NOCF_CHECK} note on @code{CALL_INSN} instruction,
+which has a function type marked with a @code{nocf_check} attribute.
s/@code{CALL_INSN} instruction, which/each @code{CALL_INSN} instruction
that/
-Sandra
