StackProtector.cpp revision 613f77439eb6e1f660e615e0e851187da13255ae
1//===-- StackProtector.cpp - Stack Protector Insertion --------------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This pass inserts stack protectors into functions which need them. A variable 11// with a random value in it is stored onto the stack before the local variables 12// are allocated. Upon exiting the block, the stored value is checked. If it's 13// changed, then there was some sort of violation and the program aborts. 14// 15//===----------------------------------------------------------------------===// 16 17#define DEBUG_TYPE "stack-protector" 18#include "llvm/CodeGen/Passes.h" 19#include "llvm/Constants.h" 20#include "llvm/DerivedTypes.h" 21#include "llvm/Function.h" 22#include "llvm/Instructions.h" 23#include "llvm/Module.h" 24#include "llvm/Pass.h" 25#include "llvm/ADT/APInt.h" 26#include "llvm/Support/CommandLine.h" 27#include "llvm/Target/TargetData.h" 28#include "llvm/Target/TargetLowering.h" 29using namespace llvm; 30 31// Enable stack protectors. 32static cl::opt<unsigned> 33SSPBufferSize("stack-protector-buffer-size", cl::init(8), 34 cl::desc("The lower bound for a buffer to be considered for " 35 "stack smashing protection.")); 36 37namespace { 38 class VISIBILITY_HIDDEN StackProtector : public FunctionPass { 39 /// Level - The level of stack protection. 40 SSP::StackProtectorLevel Level; 41 42 /// TLI - Keep a pointer of a TargetLowering to consult for determining 43 /// target type sizes. 44 const TargetLowering *TLI; 45 46 Function *F; 47 Module *M; 48 49 /// InsertStackProtectors - Insert code into the prologue and epilogue of 50 /// the function. 51 /// 52 /// - The prologue code loads and stores the stack guard onto the stack. 53 /// - The epilogue checks the value stored in the prologue against the 54 /// original value. It calls __stack_chk_fail if they differ. 55 bool InsertStackProtectors(); 56 57 /// CreateFailBB - Create a basic block to jump to when the stack protector 58 /// check fails. 59 BasicBlock *CreateFailBB(); 60 61 /// RequiresStackProtector - Check whether or not this function needs a 62 /// stack protector based upon the stack protector level. 63 bool RequiresStackProtector() const; 64 public: 65 static char ID; // Pass identification, replacement for typeid. 66 StackProtector() : FunctionPass(&ID), Level(SSP::OFF), TLI(0) {} 67 StackProtector(SSP::StackProtectorLevel lvl, const TargetLowering *tli) 68 : FunctionPass(&ID), Level(lvl), TLI(tli) {} 69 70 virtual bool runOnFunction(Function &Fn); 71 }; 72} // end anonymous namespace 73 74char StackProtector::ID = 0; 75static RegisterPass<StackProtector> 76X("stack-protector", "Insert stack protectors"); 77 78FunctionPass *llvm::createStackProtectorPass(SSP::StackProtectorLevel lvl, 79 const TargetLowering *tli) { 80 return new StackProtector(lvl, tli); 81} 82 83bool StackProtector::runOnFunction(Function &Fn) { 84 F = &Fn; 85 M = F->getParent(); 86 87 if (!RequiresStackProtector()) return false; 88 89 return InsertStackProtectors(); 90} 91 92/// InsertStackProtectors - Insert code into the prologue and epilogue of the 93/// function. 94/// 95/// - The prologue code loads and stores the stack guard onto the stack. 96/// - The epilogue checks the value stored in the prologue against the original 97/// value. It calls __stack_chk_fail if they differ. 98bool StackProtector::InsertStackProtectors() { 99 std::vector<BasicBlock*> ReturnBBs; 100 101 for (Function::iterator I = F->begin(); I != F->end(); ++I) 102 if (isa<ReturnInst>(I->getTerminator())) 103 ReturnBBs.push_back(I); 104 105 // If this function doesn't return, don't bother with stack protectors. 106 if (ReturnBBs.empty()) return false; 107 108 // Insert code into the entry block that stores the __stack_chk_guard variable 109 // onto the stack. 110 BasicBlock &Entry = F->getEntryBlock(); 111 Instruction *InsertPt = &Entry.front(); 112 const PointerType *GuardTy = PointerType::getUnqual(Type::Int8Ty); 113 114 // The global variable for the stack guard. 115 Constant *StackGuardVar = M->getOrInsertGlobal("__stack_chk_guard", GuardTy); 116 117 // The place on the stack that the stack protector guard is kept. 118 AllocaInst *StackProtFrameSlot = 119 new AllocaInst(GuardTy, "StackProt_Frame", InsertPt); 120 LoadInst *LI = new LoadInst(StackGuardVar, "StackGuard", false, InsertPt); 121 new StoreInst(LI, StackProtFrameSlot, false, InsertPt); 122 123 // Create the basic block to jump to when the guard check fails. 124 BasicBlock *FailBB = CreateFailBB(); 125 126 // Loop through the basic blocks that have return instructions. Convert this: 127 // 128 // return: 129 // ... 130 // ret ... 131 // 132 // into this: 133 // 134 // return: 135 // ... 136 // %1 = load __stack_chk_guard 137 // %2 = load <stored stack guard> 138 // %3 = cmp i1 %1, %2 139 // br i1 %3, label %SPRet, label %CallStackCheckFailBlk 140 // 141 // SP_return: 142 // ret ... 143 // 144 // CallStackCheckFailBlk: 145 // call void @__stack_chk_fail() 146 // unreachable 147 // 148 for (std::vector<BasicBlock*>::iterator 149 I = ReturnBBs.begin(), E = ReturnBBs.end(); I != E; ++I) { 150 BasicBlock *BB = *I; 151 ReturnInst *RI = cast<ReturnInst>(BB->getTerminator()); 152 Function::iterator InsPt = BB; ++InsPt; // Insertion point for new BB. 153 154 // Split the basic block before the return instruction. 155 BasicBlock *NewBB = BB->splitBasicBlock(RI, "SP_return"); 156 157 // Move the newly created basic block to the point right after the old basic 158 // block so that it's in the "fall through" position. 159 NewBB->removeFromParent(); 160 F->getBasicBlockList().insert(InsPt, NewBB); 161 162 // Generate the stack protector instructions in the old basic block. 163 LoadInst *LI2 = new LoadInst(StackGuardVar, "", false, BB); 164 LoadInst *LI1 = new LoadInst(StackProtFrameSlot, "", true, BB); 165 ICmpInst *Cmp = new ICmpInst(CmpInst::ICMP_EQ, LI1, LI2, "", BB); 166 BranchInst::Create(NewBB, FailBB, Cmp, BB); 167 } 168 169 return true; 170} 171 172/// CreateFailBB - Create a basic block to jump to when the stack protector 173/// check fails. 174BasicBlock *StackProtector::CreateFailBB() { 175 BasicBlock *FailBB = BasicBlock::Create("CallStackCheckFailBlk", F); 176 std::vector<const Type*> Params; 177 Constant *StackChkFail = 178 M->getOrInsertFunction("__stack_chk_fail", Type::VoidTy, NULL); 179 CallInst::Create(StackChkFail, "", FailBB); 180 new UnreachableInst(FailBB); 181 return FailBB; 182} 183 184/// RequiresStackProtector - Check whether or not this function needs a stack 185/// protector based upon the stack protector level. 186bool StackProtector::RequiresStackProtector() const { 187 switch (Level) { 188 default: return false; 189 case SSP::ALL: return true; 190 case SSP::SOME: { 191 // If the size of the local variables allocated on the stack is greater than 192 // SSPBufferSize, then we require a stack protector. 193 uint64_t StackSize = 0; 194 const TargetData *TD = TLI->getTargetData(); 195 196 for (Function::iterator I = F->begin(), E = F->end(); I != E; ++I) { 197 BasicBlock *BB = I; 198 199 for (BasicBlock::iterator 200 II = BB->begin(), IE = BB->end(); II != IE; ++II) 201 if (AllocaInst *AI = dyn_cast<AllocaInst>(II)) { 202 if (ConstantInt *CI = dyn_cast<ConstantInt>(AI->getArraySize())) { 203 uint64_t Bytes = TD->getTypeSizeInBits(AI->getAllocatedType()) / 8; 204 const APInt &Size = CI->getValue(); 205 StackSize += Bytes * Size.getZExtValue(); 206 207 if (SSPBufferSize <= StackSize) 208 return true; 209 } 210 } 211 } 212 213 return false; 214 } 215 } 216} 217