vtable-verify.cc File Reference
#include "config.h"#include "system.h"#include "coretypes.h"#include "backend.h"#include "tree.h"#include "gimple.h"#include "tree-pass.h"#include "ssa.h"#include "gimple-iterator.h"#include "vtable-verify.h"#include "gt-vtable-verify.h"
Include dependency graph for vtable-verify.cc:
Data Structures | |
| struct | vtbl_map_hasher |
Typedefs | |
| typedef hash_table< vtbl_map_hasher > | vtbl_map_table_type |
| typedef vtbl_map_table_type::iterator | vtbl_map_iterator_type |
Functions | |
| unsigned int | vtable_verify_main (void) |
| bool | vtbl_map_node_registration_find (struct vtbl_map_node *node, tree vtable_decl, unsigned offset) |
| bool | vtbl_map_node_registration_insert (struct vtbl_map_node *node, tree vtable_decl, unsigned offset) |
| static tree | vtbl_find_mangled_name (tree class_type) |
| void | vtbl_register_mangled_name (tree class_type, tree mangled_name) |
| struct vtbl_map_node * | vtbl_map_get_node (tree class_type) |
| struct vtbl_map_node * | find_or_create_vtbl_map_node (tree base_class_type) |
| static bool | is_vtable_assignment_stmt (gimple *stmt) |
| static tree | extract_object_class_type (tree rhs) |
| static bool | var_is_used_for_virtual_call_p (tree lhs, int *mem_ref_depth, int *recursion_depth) |
| static void | verify_bb_vtables (basic_block bb) |
| gimple_opt_pass * | make_pass_vtable_verify (gcc::context *ctxt) |
Variables | |
| unsigned | num_vtable_map_nodes = 0 |
| int | total_num_virtual_calls = 0 |
| int | total_num_verified_vcalls = 0 |
| tree | verify_vtbl_ptr_fndecl = NULL_TREE |
| static bool | any_verification_calls_generated = false |
| static vtbl_map_table_type * | vtbl_map_hash |
| vec< struct vtbl_map_node * > | vtbl_map_nodes_vec |
| vec< tree, va_gc > * | vtbl_mangled_name_types |
| vec< tree, va_gc > * | vtbl_mangled_name_ids |
Typedef Documentation
◆ vtbl_map_iterator_type
◆ vtbl_map_table_type
Here are the two structures into which we insert vtable map nodes. We use two data structures because of the vastly different ways we need to find the nodes for various tasks (see comments in vtable-verify.h for more details.
Function Documentation
◆ extract_object_class_type()
This function attempts to recover the declared class of an object that is used in making a virtual call. We try to get the type from the type cast in the gimple assignment statement that extracts the vtable pointer from the object (DEF_STMT). The gimple statement usually looks something like this: D.2201_4 = MEM[(struct Event *)this_1(D)]._vptr.Event
References DECL_VIRTUAL_P, extract_object_class_type(), ggc_alloc(), NULL_TREE, TREE_CODE, TREE_OPERAND, and TREE_TYPE.
Referenced by extract_object_class_type(), and verify_bb_vtables().
◆ find_or_create_vtbl_map_node()
| struct vtbl_map_node * find_or_create_vtbl_map_node | ( | tree | base_class_type | ) |
Return vtbl_map node assigned to BASE_CLASS_TYPE. Create new one when needed.
References vtv_graph_node::children, vtbl_map_node::class_info, vtbl_map_node::class_name, vtv_graph_node::class_type, vtv_graph_node::class_uid, DECL_ASSEMBLER_NAME, hash_table< Descriptor, Lazy, Allocator >::find_slot(), gcc_assert, ggc_alloc(), HAS_DECL_ASSEMBLER_NAME_P, IDENTIFIER_POINTER, vtbl_map_node::is_used, NULL, NULL_TREE, vtv_graph_node::num_processed_children, num_vtable_map_nodes, vtv_graph_node::parents, vtbl_map_node::registered, TREE_TYPE, TYPE_NAME, TYPE_QUALS, TYPE_UNQUALIFIED, vtbl_map_node::uid, vtbl_find_mangled_name(), vtbl_map_node::vtbl_map_decl, vtbl_map_hash, and vtbl_map_nodes_vec.
◆ is_vtable_assignment_stmt()
End of hashtable functions for vtable_map variables hash table.
Given a gimple STMT, this function checks to see if the statement is an assignment, the rhs of which is getting the vtable pointer value out of an object. (i.e. it's the value we need to verify because its the vtable pointer that will be used for a virtual call).
References DECL_VIRTUAL_P, ggc_alloc(), gimple_assign_lhs(), gimple_assign_rhs1(), TREE_CODE, and TREE_OPERAND.
Referenced by verify_bb_vtables().
◆ make_pass_vtable_verify()
| gimple_opt_pass * make_pass_vtable_verify | ( | gcc::context * | ctxt | ) |
References ggc_alloc().
◆ var_is_used_for_virtual_call_p()
|
static |
This function traces forward through the def-use chain of an SSA variable to see if it ever gets used in a virtual function call. It returns a boolean indicating whether or not it found a virtual call in the use chain.
References FOR_EACH_IMM_USE_FAST, ggc_alloc(), gimple_assign_lhs(), gimple_assign_rhs1(), gimple_call_fn(), gimple_phi_result(), is_gimple_assign(), is_gimple_call(), TREE_CODE, TREE_OPERAND, USE_STMT, and var_is_used_for_virtual_call_p().
Referenced by var_is_used_for_virtual_call_p(), and verify_bb_vtables().
◆ verify_bb_vtables()
|
static |
Search through all the statements in a basic block (BB), searching for virtual method calls. For each virtual method dispatch, find the vptr value used, and the statically declared type of the object; retrieve the vtable map variable for the type of the object; generate a call to __VLTVerifyVtablePointer; and insert the generated call into the basic block, after the point where the vptr value is gotten out of the object and before the virtual method dispatch. Make the virtual method dispatch depend on the return value from the verification call, so that subsequent optimizations cannot reorder the two calls.
References any_verification_calls_generated, bb_seq(), BINFO_VTABLE, build1(), build_string_literal(), DECL_NAME, extract_object_class_type(), FOR_EACH_IMM_USE_ON_STMT, FOR_EACH_IMM_USE_STMT, gcc_assert, ggc_alloc(), gimple_assign_lhs(), gimple_assign_rhs1(), gimple_build_call(), gimple_call_fn(), gimple_call_set_lhs(), gsi_end_p(), gsi_for_stmt(), gsi_insert_after(), GSI_NEW_STMT, gsi_next(), gsi_start(), gsi_stmt(), IDENTIFIER_POINTER, is_gimple_call(), is_vtable_assignment_stmt(), make_temp_ssa_name(), NULL, NULL_TREE, SET_USE, total_num_verified_vcalls, total_num_virtual_calls, TREE_CODE, TREE_OPERAND, TREE_TYPE, TYPE_BINFO, TYPE_MAIN_VARIANT, TYPE_POINTER_TO, update_stmt(), var_is_used_for_virtual_call_p(), VAR_P, verify_vtbl_ptr_fndecl, and vtbl_map_get_node().
◆ vtable_verify_main()
◆ vtbl_find_mangled_name()
Look up class_type (a type decl for record types) in the vtbl_mangled_names_* vectors. This is a linear lookup. Return the associated mangled name for the class type. This is for handling types from anonymous namespaces, whose DECL_ASSEMBLER_NAME ends up being "<anon>", which is useless for our purposes. We use two vectors of trees to keep track of the mangled names: One is a vector of class types and the other is a vector of the mangled names. The assumption is that these two vectors are kept in perfect lock-step so that vtbl_mangled_name_ids[i] is the mangled name for vtbl_mangled_name_types[i].
References ggc_alloc(), i, NULL_TREE, vtbl_mangled_name_ids, and vtbl_mangled_name_types.
Referenced by find_or_create_vtbl_map_node(), vtbl_map_get_node(), and vtbl_register_mangled_name().
◆ vtbl_map_get_node()
| struct vtbl_map_node * vtbl_map_get_node | ( | tree | class_type | ) |
Return vtbl_map node for CLASS_NAME without creating a new one.
References vtbl_map_node::class_name, DECL_ASSEMBLER_NAME, hash_table< Descriptor, Lazy, Allocator >::find_slot(), gcc_assert, ggc_alloc(), HAS_DECL_ASSEMBLER_NAME_P, IDENTIFIER_POINTER, NULL, TREE_CODE, TREE_TYPE, TYPE_NAME, TYPE_QUALS, TYPE_UNQUALIFIED, vtbl_find_mangled_name(), and vtbl_map_hash.
Referenced by verify_bb_vtables().
◆ vtbl_map_node_registration_find()
| bool vtbl_map_node_registration_find | ( | struct vtbl_map_node * | node, |
| tree | vtable_decl, | ||
| unsigned | offset ) |
The following few functions are for the vtbl pointer hash table in the 'registered' field of the struct vtable_map_node. The hash table keeps track of which vtable pointers have been used in calls to __VLTRegisterPair with that particular vtable map variable.
This function checks to see if a particular VTABLE_DECL and OFFSET are already in the 'registered' hash table for NODE.
References gcc_assert, ggc_alloc(), i, offset, and vtable_registration::vtable_decl.
◆ vtbl_map_node_registration_insert()
| bool vtbl_map_node_registration_insert | ( | struct vtbl_map_node * | node, |
| tree | vtable_decl, | ||
| unsigned | offset ) |
This function inserts VTABLE_DECL and OFFSET into the 'registered' hash table for NODE. It returns a boolean indicating whether or not it actually inserted anything.
References hash_table< Descriptor, Lazy, Allocator >::find_slot(), ggc_alloc(), i, offset, vtable_registration::offsets, vtbl_map_node::registered, and vtable_registration::vtable_decl.
◆ vtbl_register_mangled_name()
Store a class type decl and its mangled name, for an anonymous RECORD_TYPE, in the vtbl_mangled_names vector. Make sure there is not already an entry for the class type before adding it.
References gcc_assert, ggc_alloc(), NULL_TREE, vec_alloc(), vec_safe_push(), vtbl_find_mangled_name(), vtbl_mangled_name_ids, and vtbl_mangled_name_types.
Variable Documentation
◆ any_verification_calls_generated
Keep track of whether or not any virtual call were verified.
Referenced by verify_bb_vtables().
◆ num_vtable_map_nodes
| unsigned num_vtable_map_nodes = 0 |
Copyright (C) 2013-2024 Free Software Foundation, Inc. This file is part of GCC. GCC is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3, or (at your option) any later version. GCC is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with GCC; see the file COPYING3. If not see <http://www.gnu.org/licenses/>.
Virtual Table Pointer Security Pass - Detect corruption of vtable pointers before using them for virtual method dispatches.
This file is part of the vtable security feature implementation. The vtable security feature is designed to detect when a virtual call is about to be made through an invalid vtable pointer (possibly due to data corruption or malicious attacks). The compiler finds every virtual call, and inserts a verification call before the virtual call. The verification call takes the actual vtable pointer value in the object through which the virtual call is being made, and compares the vtable pointer against a set of all valid vtable pointers that the object could contain (this set is based on the declared type of the object). If the pointer is in the valid set, execution is allowed to continue; otherwise the program is halted. There are several pieces needed in order to make this work: 1. For every virtual class in the program (i.e. a class that contains virtual methods), we need to build the set of all possible valid vtables that an object of that class could point to. This includes vtables for any class(es) that inherit from the class under consideration. 2. For every such data set we build up, we need a way to find and reference the data set. This is complicated by the fact that the real vtable addresses are not known until runtime, when the program is loaded into memory, but we need to reference the sets at compile time when we are inserting verification calls into the program. 3. We need to find every virtual call in the program, and insert the verification call (with the appropriate arguments) before the virtual call. 4. We need some runtime library pieces: the code to build up the data sets at runtime; the code to actually perform the verification using the data sets; and some code to set protections on the data sets, so they themselves do not become hacker targets. To find and reference the set of valid vtable pointers for any given virtual class, we create a special global variable for each virtual class. We refer to this as the "vtable map variable" for that class. The vtable map variable has the type "void *", and is initialized by the compiler to NULL. At runtime when the set of valid vtable pointers for a virtual class, e.g. class Foo, is built, the vtable map variable for class Foo is made to point to the set. During compile time, when the compiler is inserting verification calls into the program, it passes the vtable map variable for the appropriate class to the verification call, so that at runtime the verification call can find the appropriate data set. The actual set of valid vtable pointers for a virtual class, e.g. class Foo, cannot be built until runtime, when the vtables get loaded into memory and their addresses are known. But the knowledge about which vtables belong in which class' hierarchy is only known at compile time. Therefore at compile time we collect class hierarchy and vtable information about every virtual class, and we generate calls to build up the data sets at runtime. To build the data sets, we call one of the functions we add to the runtime library, __VLTRegisterPair. __VLTRegisterPair takes two arguments, a vtable map variable and the address of a vtable. If the vtable map variable is currently NULL, it creates a new data set (hash table), makes the vtable map variable point to the new data set, and inserts the vtable address into the data set. If the vtable map variable is not NULL, it just inserts the vtable address into the data set. In order to make sure that our data sets are built before any verification calls happen, we create a special constructor initialization function for each compilation unit, give it a very high initialization priority, and insert all of our calls to __VLTRegisterPair into our special constructor initialization function. The vtable verification feature is controlled by the flag '-fvtable-verify='. There are three flavors of this: '-fvtable-verify=std', '-fvtable-verify=preinit', and '-fvtable-verify=none'. If the option '-fvtable-verfy=preinit' is used, then our constructor initialization function gets put into the preinit array. This is necessary if there are data sets that need to be built very early in execution. If the constructor initialization function gets put into the preinit array, the we also add calls to __VLTChangePermission at the beginning and end of the function. The call at the beginning sets the permissions on the data sets and vtable map variables to read/write, and the one at the end makes them read-only. If the '-fvtable-verify=std' option is used, the constructor initialization functions are executed at their normal time, and the __VLTChangePermission calls are handled differently (see the comments in libstdc++-v3/libsupc++/vtv_rts.cc). The option '-fvtable-verify=none' turns off vtable verification. This file contains code for the tree pass that goes through all the statements in each basic block, looking for virtual calls, and inserting a call to __VLTVerifyVtablePointer (with appropriate arguments) before each one. It also contains the hash table functions for the data structures used for collecting the class hierarchy data and building/maintaining the vtable map variable data are defined in gcc/vtable-verify.h. These data structures are shared with the code in the C++ front end that collects the class hierarchy & vtable information and generates the vtable map variables (see cp/vtable-class-hierarchy.cc). This tree pass should run just before the gimple is converted to RTL. Some implementation details for this pass: To find all of the virtual calls, we iterate through all the gimple statements in each basic block, looking for any call statement with the code "OBJ_TYPE_REF". Once we have found the virtual call, we need to find the vtable pointer through which the call is being made, and the type of the object containing the pointer (to find the appropriate vtable map variable). We then use these to build a call to __VLTVerifyVtablePointer, passing the vtable map variable, and the vtable pointer. We insert the verification call just after the gimple statement that gets the vtable pointer out of the object, and we update the next statement to depend on the result returned from __VLTVerifyVtablePointer (the vtable pointer value), to ensure subsequent compiler phases don't remove or reorder the call (it's no good to have the verification occur after the virtual call, for example). To find the vtable pointer being used (and the type of the object) we search backwards through the def_stmts chain from the virtual call (see verify_bb_vtables for more details).
Referenced by find_or_create_vtbl_map_node().
◆ total_num_verified_vcalls
| int total_num_verified_vcalls = 0 |
Referenced by verify_bb_vtables().
◆ total_num_virtual_calls
| int total_num_virtual_calls = 0 |
Keep track of how many virtual calls we are actually verifying.
Referenced by verify_bb_vtables().
◆ verify_vtbl_ptr_fndecl
Copyright (C) 2013-2024 Free Software Foundation, Inc. This file is part of GCC. GCC is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3, or (at your option) any later version. GCC is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with GCC; see the file COPYING3. If not see <http://www.gnu.org/licenses/>.
Virtual Table Pointer Security.
The function decl used to create calls to __VLTVtableVerify. It must be global because it needs to be initialized in the C++ front end, but used in the middle end (in the vtable verification pass).
Referenced by verify_bb_vtables().
◆ vtbl_mangled_name_ids
Referenced by vtbl_find_mangled_name(), and vtbl_register_mangled_name().
◆ vtbl_mangled_name_types
Vector of mangled names for anonymous classes.
Referenced by vtbl_find_mangled_name(), and vtbl_register_mangled_name().
◆ vtbl_map_hash
|
static |
Vtable map variable nodes stored in a hash table.
Referenced by find_or_create_vtbl_map_node(), and vtbl_map_get_node().
◆ vtbl_map_nodes_vec
| vec<struct vtbl_map_node *> vtbl_map_nodes_vec |
Vtable map variable nodes stored in a vector.
Referenced by find_or_create_vtbl_map_node().
