+ Likun
On Tue, 28 Mar 2023 at 06:18, Sami Tolvanen wrote:
>
> On Mon, Mar 27, 2023 at 2:30 AM Peter Zijlstra wrote:
> >
> > On Sat, Mar 25, 2023 at 01:54:16AM -0700, Dan Li wrote:
> >
> > > In the compiler part[4], most of the content is the same as Sami'
I would be very grateful
if someone can help complete this series of patches.
BTW, please let me know if there are more groups I can cc for help.
Thanks!
Dan.
On Sat, 25 Mar 2023 at 16:11, Dan Li wrote:
>
> This series of patches is mainly used to support the control flow
> integrity p
, I'm still looking at this and plan to finish it by the end of this
year, but it's taking too long and there's a lot of uncertainty, so
please just consider this only as a backup option.
Thanks,
Dan.
On Thu, 22 Jun 2023 at 05:54, Kees Cook wrote:
>
> On Sat, Mar 25, 2023 a
On 03/27, Sami Tolvanen wrote:
> On Mon, Mar 27, 2023 at 2:30 AM Peter Zijlstra wrote:
> >
> > On Sat, Mar 25, 2023 at 01:54:16AM -0700, Dan Li wrote:
> >
> > > In the compiler part[4], most of the content is the same as Sami's
> > > implementation[3
On 03/27, Peter Zijlstra wrote:
> On Sat, Mar 25, 2023 at 01:54:16AM -0700, Dan Li wrote:
>
> > In the compiler part[4], most of the content is the same as Sami's
> > implementation[3], except for some minor differences, mainly including:
> >
> > 1. The functi
...@google.com/
[2] https://clang.llvm.org/docs/ControlFlowIntegrity.html
[3] https://reviews.llvm.org/D119296
Signed-off-by: Dan Li
---
Dan Li (3):
[PR102768] flag-types.h (enum sanitize_code): Extend sanitize_code to
64 bits to support more features
[PR102768] Support CFI: Add basic support for
that on different
platforms, the location of typeid insertion (the offset between
it and the function header) may be different, such as [1], and
this patch only implements the platform-independent part.
[1]: https://reviews.llvm.org/D119296
Signed-off-by: Dan Li
gcc/ChangeLog:
PR c/1
https://reviews.llvm.org/D119296
[4] https://lore.kernel.org/all/20230325081117.93245-1-ashimida.1...@gmail.com/
Signed-off-by: Dan Li
---
RFC/RFT V2:
- The CFI typeid check is changed from the form of calling the callback
function to the calling of the brk instruction.
- Add support for -
) as typeid in front of them. If
not, the attacker may use the instruction/data before the function
as typeid to bypass CFI.
All typeids ignore some bits (& AARCH64_UNALLOCATED_INSN_MASK) to
avoid conflicts with the AArch64 instruction set (see AAPCS64 for
details).
Signed-off-by: Dan Li
32-bit sanitize_code can no longer accommodate new options,
extending it to 64-bit.
Signed-off-by: Dan Li
gcc/ChangeLog:
PR c/102768
* asan.h (sanitize_flags_p): Promote to uint64_t.
* common.opt: Likewise.
* dwarf2asm.cc (dw2_output_indirect_constant_1
On 02/08, Peter Collingbourne wrote:
> On Sun, Dec 18, 2022 at 10:06 PM Dan Li wrote:
> >
> > This series of patches is mainly used to support the control flow
> > integrity protection of the linux kernel [1], which is similar to
> > -fsanitize=kcfi in clang 16.0 [2,3
On 02/09, Hongtao Liu wrote:
> On Mon, Dec 19, 2022 at 3:59 PM Dan Li via Gcc-patches
> wrote:
> >
> > This series of patches is mainly used to support the control flow
> > integrity protection of the linux kernel [1], which is similar to
> > -fsanitize=kcfi in cl
tween it and the function header)
may be different, such as [1], and this patch only implements
the platform-independent part.
[1]: https://reviews.llvm.org/D119296
Signed-off-by: Dan Li
gcc/ChangeLog:
PR c/102768
* Makefile.in: Add tree-cfi.o.
* cgraphun
32-bit sanitize_code can no longer accommodate new options,
extending it to 64-bit.
Signed-off-by: Dan Li
gcc/ChangeLog:
PR c/102768
* asan.h (sanitize_flags_p): Promote to uint64_t.
* common.opt: Likewise.
* dwarf2asm.cc (dw2_output_indirect_constant_1
function
as typeid to bypass CFI.
All typeids ignore some bits (& AARCH64_UNALLOCATED_INSN_MASK) to
avoid conflicts with the AArch64 instruction set.
Signed-off-by: Dan Li
gcc/ChangeLog:
PR c/102768
* config/aarch64/aarch64.cc (RESERVED_CFI_TYPEID): Macro defini
),
so I use -fsanitize=cfi as a compilation option here.
Any suggestion please let me know :).
Thanks, Dan.
[1]
https://lore.kernel.org/all/20220908215504.3686827-1-samitolva...@google.com/
[2] https://clang.llvm.org/docs/ControlFlowIntegrity.html
[3] https://reviews.llvm.org/D119296
Dan Li (3
On 4/12/22 06:05, Richard Sandiford wrote:
Dan Li writes:
Gentle ping for this :), thanks.
Link: https://gcc.gnu.org/pipermail/gcc-patches/2022-February/590906.html
Sorry, I should have realised this at the time, but I don't think
we can do this after all. The ABI requires us to s
Gentle ping for this :), thanks.
Link: https://gcc.gnu.org/pipermail/gcc-patches/2022-February/590906.html
R30_REGNUM could also be used as a component in shrink-wrapping
separate, this patch enables it in aarch64.
gcc/ChangeLog:
* config/aarch64/aarch64.cc (aarch64_get_separate_comp
Gentle ping for this :), thanks.
Link: https://gcc.gnu.org/pipermail/gcc-patches/2022-February/590906.html
R30_REGNUM could also be used as a component in shrink-wrapping
separate, this patch enables it in aarch64.
gcc/ChangeLog:
* config/aarch64/aarch64.cc (aarch64_get_separate_comp
Gentle ping for this :), thanks.
Link: https://gcc.gnu.org/pipermail/gcc-patches/2022-February/590906.html
R30_REGNUM could also be used as a component in shrink-wrapping
separate, this patch enables it in aarch64.
gcc/ChangeLog:
* config/aarch64/aarch64.cc (aarch64_get_separate_comp
On 2/11/22 07:35, Richard Sandiford wrote:
Dan Li writes:
On 2/11/22 01:53, Richard Sandiford wrote:
Dan Li writes:
On 2/10/22 01:55, Richard Sandiford wrote:
void f();
int g(int x) {
if (x == 0) {
__asm__ ("":::"x19", "x20");
R30_REGNUM could also be used as a component in shrink-wrapping
separate, this patch enables it in aarch64.
gcc/ChangeLog:
* config/aarch64/aarch64.cc (aarch64_get_separate_components):
Remove bitmap clear of R30_REGNUM.
(aarch64_components_for_bb): Support R30_REGNUM as a
On 2/15/22 10:02, Richard Sandiford wrote:
Dan Li writes:
Shadow Call Stack can be used to protect the return address of a
Looks good, thanks. However, when I bootstrap it on
aarch64-linux-gnu I get:
.../gcc/ubsan.cc: In function ‘bool
ubsan_expand_null_ifn(gimple_stmt_iterator
side, and provides convenience
for users to enable SCS.
For linux kernel, only the support of the compiler is required.
[1] https://clang.llvm.org/docs/ShadowCallStack.html
[2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768
Signed-off-by: Dan Li
gcc/ChangeLog:
* config/aarch64
On 2/15/22 10:02, Richard Sandiford wrote:
Dan Li writes:
Shadow Call Stack can be used to protect the return address of a
function at runtime, and clang already supports this feature[1].
Looks good, thanks. However, when I bootstrap it on
aarch64-linux-gnu I get:
.../gcc/ubsan.cc: In
On 2/11/22 07:35, Richard Sandiford wrote:
Dan Li writes:
On 2/11/22 01:53, Richard Sandiford wrote:
Dan Li writes:
On 2/10/22 01:55, Richard Sandiford wrote:
And I think maybe we could handle this through three patches:
1. Keep current patch (a V5) unchanged for scs.
2. Add shrink
side, and provides convenience
for users to enable SCS.
For linux kernel, only the support of the compiler is required.
[1] https://clang.llvm.org/docs/ShadowCallStack.html
[2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768
Signed-off-by: Dan Li
gcc/ChangeLog:
* config/aarch64
On 2/11/22 07:35, Richard Sandiford wrote:
Dan Li writes:
On 2/11/22 01:53, Richard Sandiford wrote:
Dan Li writes:
On 2/10/22 01:55, Richard Sandiford wrote:
And I think maybe we could handle this through three patches:
1. Keep current patch (a V5) unchanged for scs.
2. Add shrink
On 2/11/22 01:53, Richard Sandiford wrote:
Dan Li writes:
On 2/10/22 01:55, Richard Sandiford wrote:
But treating scs push and scs pop as part of the register save and
restore sequences would have one advantage: it would allow the
scs push and scs pop to be shrink-wrapped.
Sorry for
On 2/10/22 01:55, Richard Sandiford wrote:
There might be a little difference:
- Using push candidates means that a register to be ignored in pop
candidates will not be emitted again during the "restore" (pop_candidates
should always be a subset of push_candidates, since popping a register
w
On 2/9/22 08:08, Richard Sandiford wrote:
Dan Li writes:
+
+ /* When shadow call stack is enabled, the scs_pop in the epilogue will
+ restore x30, and we don't need to pop x30 again in the traditional
+ way. Pop candidates record the registers that need to be p
There is the following code in aarch64_layout_frame:
else if (crtl->outgoing_args_size.is_constant (&const_outgoing_args_size)
&& frame.saved_regs_size.is_constant (&const_saved_regs_size)
&& const_outgoing_args_size + const_saved_regs_size < 512
&& (!saves_below_hard_f
Hi, Richard,
I have sent out my v4[1], please let me know if I got something wrong :).
[1] https://gcc.gnu.org/pipermail/gcc-patches/2022-February/589921.html
Thanks,
Dan.
On 1/31/22 09:00, Richard Sandiford wrote:
Dan Li writes:
Shadow Call Stack can be used to protect the return address
side, and provides convenience
for users to enable SCS.
For linux kernel, only the support of the compiler is required.
[1] https://clang.llvm.org/docs/ShadowCallStack.html
[2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768
Signed-off-by: Dan Li
gcc/ChangeLog:
* config/aarch64
On 1/31/22 09:00, Richard Sandiford wrote:
Dan Li writes:
Shadow Call Stack can be used to protect the return address of a
function at runtime, and clang already supports this feature[1].
/* This file should be included last. */
#include "target-def.h"
@@ -7478,1
On 1/31/22 08:26, Richard Sandiford wrote:
Thanks for the discussion and sorry for the slow reply, was out most of
last week.
Dan Li writes:
Thanks, Ard,
On 1/26/22 00:10, Ard Biesheuvel wrote:
On Wed, 26 Jan 2022 at 08:53, Dan Li wrote:
Hi, all,
Sorry for bothering.
I'm tryi
Hi, Richard,
I have sent out my v3[1], and (probably) fixed the previous issues,
please let me know if I got something wrong :)
[1] https://gcc.gnu.org/pipermail/gcc-patches/2022-January/589471.html
Thanks,
Dan.
On 1/25/22 02:19, Richard Sandiford wrote:
Dan Li writes:
+
if
side, and provides convenience
for users to enable SCS.
For linux kernel, only the support of the compiler is required.
[1] https://clang.llvm.org/docs/ShadowCallStack.html
[2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768
Signed-off-by: Dan Li
gcc/ChangeLog:
* config/aarch64
On 1/26/22 03:09, Ard Biesheuvel wrote:
On Wed, 26 Jan 2022 at 11:40, Dan Li wrote:
Thanks, Ard,
On 1/26/22 00:10, Ard Biesheuvel wrote:
On Wed, 26 Jan 2022 at 08:53, Dan Li wrote:
Hi, all,
Sorry for bothering.
I'm trying to commit aarch64 scs code to the gcc and there is an
Thanks, Ard,
On 1/26/22 00:10, Ard Biesheuvel wrote:
On Wed, 26 Jan 2022 at 08:53, Dan Li wrote:
Hi, all,
Sorry for bothering.
I'm trying to commit aarch64 scs code to the gcc and there is an issue
that I'm not sure about, could someone give me some suggestions?
(To avoid noise,
FAICT, it seems fine and also safe for SCS. But I'm not sure if I'm
missing something with the kernel, could someone give some suggestions?
The previous discussion can be found here [1].
[1] https://gcc.gnu.org/pipermail/gcc-patches/2022-January/589257.html
Thanks a lot!
Dan
On 1/
On 1/25/22 02:19, Richard Sandiford wrote:
Dan Li writes:
+
if (flag_stack_usage_info)
current_function_static_stack_size = constant_lower_bound (frame_size);
@@ -9066,6 +9089,10 @@ aarch64_expand_epilogue (bool for_sibcall)
RTX_FRAME_RELATED_P (insn) = 1
On 1/20/22 04:02, Richard Sandiford wrote:
Thanks for the patch and sorry for the (very) slow review.
Thanks for the review, Richard :).
+/* Handle a "no_sanitize_shadow_call_stack" attribute; arguments as in
+ struct attribute_spec.handler. */
+static tree
+handle_no_sanitize_shadow_ca
] https://clang.llvm.org/docs/ShadowCallStack.html
[2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768
Signed-off-by: Dan Li
gcc/c-family/ChangeLog:
* c-attribs.c (handle_no_sanitize_shadow_call_stack_attribute):
New.
gcc/ChangeLog:
* config/aarch64/aarch64-protos.h
] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768
Signed-off-by: Dan Li
gcc/c-family/ChangeLog:
* c-attribs.c (handle_no_sanitize_shadow_call_stack_attribute):
New.
gcc/ChangeLog:
* config/aarch64/aarch64-protos.h (aarch64_shadow_call_stack_enabled):
New decl
://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768
Signed-off-by: Dan Li
gcc/c-family/ChangeLog:
* c-attribs.c (handle_no_sanitize_shadow_call_stack_attribute):
New.
gcc/ChangeLog:
* config/aarch64/aarch64-protos.h (aarch64_shadow_call_stack_enabled):
New decl
On 12/6/21 10:41 AM, Dan Li wrote:
Shadow Call Stack can be used to protect the return address of a
function at runtime, and clang already supports this feature[1].
To enable SCS in user mode, in addition to compiler, other support
is also required (as discussed in [2]). This patch only adds
side, and provides convenience
for users to enable SCS.
For linux kernel, only the support of the compiler is required.
[1] https://clang.llvm.org/docs/ShadowCallStack.html
[2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768
Signed-off-by: Dan Li
gcc/c-family/ChangeLog:
* c
side, and provides convenience
for users to enable SCS.
For linux kernel, only the support of the compiler is required.
[1] https://clang.llvm.org/docs/ShadowCallStack.html
[2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768
Signed-off-by: Dan Li
gcc/c-family/ChangeLog:
* c
On 11/23/21 6:51 PM, Szabolcs Nagy wrote:
The 11/23/2021 16:32, Dan Li wrote:
On 11/3/21 8:00 PM, Szabolcs Nagy wrote:
i assume exception handling info has to change for scs to
work (to pop the shadow stack when transferring control),
so either scs must require -fno-exceptions or the eh
Hi Szabolcs,
First of all, apologies for my late reply (since I just had a new baby,
I'm quite busy recently and also because I'm not familiar with C++
exception handling, it takes me some time to learn this part).
On 11/3/21 8:00 PM, Szabolcs Nagy wrote:
The 11/03/2021 00:24, Da
On 11/2/21 9:04 PM, Szabolcs Nagy wrote:
The 11/02/2021 00:06, Dan Li via Gcc-patches wrote:
Shadow Call Stack can be used to protect the return address of a
function at runtime, and clang already supports this feature[1].
To enable SCS in user mode, in addition to compiler, other support
.h (TARGET_SUPPORT_SHADOW_CALL_STACK):
* config/aarch64/aarch64.md (scs_push):
(scs_pop):
* defaults.h (TARGET_SUPPORT_SHADOW_CALL_STACK):
* flag-types.h (enum sanitize_code):
* opts.c (finish_options):
Signed-off-by: Dan Li
---
gcc/c-family/c-attribs.c
gue):
* config/aarch64/aarch64.md:
Signed-off-by: Dan Li
---
gcc/config/aarch64/aarch64.c | 6 +-
gcc/config/aarch64/aarch64.md | 3 +--
2 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
index 699c105a
gcc/ChangeLog:
* config/aarch64/aarch64.c (aarch64_expand_epilogue):
* config/aarch64/aarch64.md:
Signed-off-by: Dan Li
---
gcc/config/aarch64/aarch64.c | 6 +-
gcc/config/aarch64/aarch64.md | 3 +--
2 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/gcc/config