StackProtector.cpp revision 9adc0abad3c3ed40a268ccbcee0c74cb9e1359fe
1//===-- StackProtector.cpp - Stack Protector Insertion --------------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This pass inserts stack protectors into functions which need them. A variable 11// with a random value in it is stored onto the stack before the local variables 12// are allocated. Upon exiting the block, the stored value is checked. If it's 13// changed, then there was some sort of violation and the program aborts. 14// 15//===----------------------------------------------------------------------===// 16 17#define DEBUG_TYPE "stack-protector" 18#include "llvm/CodeGen/Passes.h" 19#include "llvm/Attributes.h" 20#include "llvm/Constants.h" 21#include "llvm/DerivedTypes.h" 22#include "llvm/Function.h" 23#include "llvm/Instructions.h" 24#include "llvm/Intrinsics.h" 25#include "llvm/Module.h" 26#include "llvm/Pass.h" 27#include "llvm/Support/CommandLine.h" 28#include "llvm/Target/TargetData.h" 29#include "llvm/Target/TargetLowering.h" 30using namespace llvm; 31 32// SSPBufferSize - The lower bound for a buffer to be considered for stack 33// smashing protection. 34static cl::opt<unsigned> 35SSPBufferSize("stack-protector-buffer-size", cl::init(8), 36 cl::desc("Lower bound for a buffer to be considered for " 37 "stack protection")); 38 39namespace { 40 class VISIBILITY_HIDDEN StackProtector : public FunctionPass { 41 /// TLI - Keep a pointer of a TargetLowering to consult for determining 42 /// target type sizes. 43 const TargetLowering *TLI; 44 45 Function *F; 46 Module *M; 47 48 /// InsertStackProtectors - Insert code into the prologue and epilogue of 49 /// the function. 50 /// 51 /// - The prologue code loads and stores the stack guard onto the stack. 52 /// - The epilogue checks the value stored in the prologue against the 53 /// original value. It calls __stack_chk_fail if they differ. 54 bool InsertStackProtectors(); 55 56 /// CreateFailBB - Create a basic block to jump to when the stack protector 57 /// check fails. 58 BasicBlock *CreateFailBB(); 59 60 /// RequiresStackProtector - Check whether or not this function needs a 61 /// stack protector based upon the stack protector level. 62 bool RequiresStackProtector() const; 63 public: 64 static char ID; // Pass identification, replacement for typeid. 65 StackProtector() : FunctionPass(&ID), TLI(0) {} 66 StackProtector(const TargetLowering *tli) 67 : FunctionPass(&ID), TLI(tli) {} 68 69 virtual bool runOnFunction(Function &Fn); 70 }; 71} // end anonymous namespace 72 73char StackProtector::ID = 0; 74static RegisterPass<StackProtector> 75X("stack-protector", "Insert stack protectors"); 76 77FunctionPass *llvm::createStackProtectorPass(const TargetLowering *tli) { 78 return new StackProtector(tli); 79} 80 81bool StackProtector::runOnFunction(Function &Fn) { 82 F = &Fn; 83 M = F->getParent(); 84 85 if (!RequiresStackProtector()) return false; 86 87 return InsertStackProtectors(); 88} 89 90/// RequiresStackProtector - Check whether or not this function needs a stack 91/// protector based upon the stack protector level. The heuristic we use is to 92/// add a guard variable to functions that call alloca, and functions with 93/// buffers larger than SSPBufferSize bytes. 94bool StackProtector::RequiresStackProtector() const { 95 if (F->hasFnAttr(Attribute::StackProtectReq)) 96 return true; 97 98 if (!F->hasFnAttr(Attribute::StackProtect)) 99 return false; 100 101 const TargetData *TD = TLI->getTargetData(); 102 103 for (Function::iterator I = F->begin(), E = F->end(); I != E; ++I) { 104 BasicBlock *BB = I; 105 106 for (BasicBlock::iterator 107 II = BB->begin(), IE = BB->end(); II != IE; ++II) 108 if (AllocaInst *AI = dyn_cast<AllocaInst>(II)) { 109 if (AI->isArrayAllocation()) 110 // This is a call to alloca with a variable size. Emit stack 111 // protectors. 112 return true; 113 114 if (const ArrayType *AT = dyn_cast<ArrayType>(AI->getAllocatedType())) 115 // If an array has more than SSPBufferSize bytes of allocated space, 116 // then we emit stack protectors. 117 if (SSPBufferSize <= TD->getTypeAllocSize(AT)) 118 return true; 119 } 120 } 121 122 return false; 123} 124 125/// InsertStackProtectors - Insert code into the prologue and epilogue of the 126/// function. 127/// 128/// - The prologue code loads and stores the stack guard onto the stack. 129/// - The epilogue checks the value stored in the prologue against the original 130/// value. It calls __stack_chk_fail if they differ. 131bool StackProtector::InsertStackProtectors() { 132 BasicBlock *FailBB = 0; // The basic block to jump to if check fails. 133 AllocaInst *AI = 0; // Place on stack that stores the stack guard. 134 Constant *StackGuardVar = 0; // The stack guard variable. 135 136 for (Function::iterator I = F->begin(), E = F->end(); I != E; ) { 137 BasicBlock *BB = I++; 138 139 ReturnInst *RI = dyn_cast<ReturnInst>(BB->getTerminator()); 140 if (!RI) continue; 141 142 if (!FailBB) { 143 // Insert code into the entry block that stores the __stack_chk_guard 144 // variable onto the stack: 145 // 146 // entry: 147 // StackGuardSlot = alloca i8* 148 // StackGuard = load __stack_chk_guard 149 // call void @llvm.stackprotect.create(StackGuard, StackGuardSlot) 150 // 151 PointerType *PtrTy = PointerType::getUnqual(Type::Int8Ty); 152 StackGuardVar = M->getOrInsertGlobal("__stack_chk_guard", PtrTy); 153 154 BasicBlock &Entry = F->getEntryBlock(); 155 Instruction *InsPt = &Entry.front(); 156 157 AI = new AllocaInst(*Context, PtrTy, "StackGuardSlot", InsPt); 158 LoadInst *LI = new LoadInst(StackGuardVar, "StackGuard", false, InsPt); 159 160 Value *Args[] = { LI, AI }; 161 CallInst:: 162 Create(Intrinsic::getDeclaration(M, Intrinsic::stackprotector), 163 &Args[0], array_endof(Args), "", InsPt); 164 165 // Create the basic block to jump to when the guard check fails. 166 FailBB = CreateFailBB(); 167 } 168 169 // For each block with a return instruction, convert this: 170 // 171 // return: 172 // ... 173 // ret ... 174 // 175 // into this: 176 // 177 // return: 178 // ... 179 // %1 = load __stack_chk_guard 180 // %2 = load StackGuardSlot 181 // %3 = cmp i1 %1, %2 182 // br i1 %3, label %SP_return, label %CallStackCheckFailBlk 183 // 184 // SP_return: 185 // ret ... 186 // 187 // CallStackCheckFailBlk: 188 // call void @__stack_chk_fail() 189 // unreachable 190 191 // Split the basic block before the return instruction. 192 BasicBlock *NewBB = BB->splitBasicBlock(RI, "SP_return"); 193 194 // Remove default branch instruction to the new BB. 195 BB->getTerminator()->eraseFromParent(); 196 197 // Move the newly created basic block to the point right after the old basic 198 // block so that it's in the "fall through" position. 199 NewBB->moveAfter(BB); 200 201 // Generate the stack protector instructions in the old basic block. 202 LoadInst *LI1 = new LoadInst(StackGuardVar, "", false, BB); 203 LoadInst *LI2 = new LoadInst(AI, "", true, BB); 204 ICmpInst *Cmp = new ICmpInst(*BB, CmpInst::ICMP_EQ, LI1, LI2, ""); 205 BranchInst::Create(NewBB, FailBB, Cmp, BB); 206 } 207 208 // Return if we didn't modify any basic blocks. I.e., there are no return 209 // statements in the function. 210 if (!FailBB) return false; 211 212 return true; 213} 214 215/// CreateFailBB - Create a basic block to jump to when the stack protector 216/// check fails. 217BasicBlock *StackProtector::CreateFailBB() { 218 BasicBlock *FailBB = BasicBlock::Create("CallStackCheckFailBlk", F); 219 Constant *StackChkFail = 220 M->getOrInsertFunction("__stack_chk_fail", Type::VoidTy, NULL); 221 CallInst::Create(StackChkFail, "", FailBB); 222 new UnreachableInst(FailBB); 223 return FailBB; 224} 225