vtable-verify.h File Reference

#include "sbitmap.h"

Include dependency graph for vtable-verify.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Data Structures
struct	vtable_registration
struct	registration_hasher
struct	vtv_graph_node
struct	vtbl_map_node

Typedefs
typedef hash_table< registration_hasher >	register_table_type
typedef register_table_type::iterator	registration_iterator_type

Functions
void	vtbl_register_mangled_name (tree, tree)
struct vtbl_map_node *	vtbl_map_get_node (tree)
struct vtbl_map_node *	find_or_create_vtbl_map_node (tree)
void	vtbl_map_node_class_insert (struct vtbl_map_node *, unsigned)
bool	vtbl_map_node_registration_find (struct vtbl_map_node *, tree, unsigned)
bool	vtbl_map_node_registration_insert (struct vtbl_map_node *, tree, unsigned)

Variables
tree	verify_vtbl_ptr_fndecl
unsigned	num_vtable_map_nodes
int	total_num_virtual_calls
int	total_num_verified_vcalls
bool	vtv_debug
vec< struct vtbl_map_node * >	vtbl_map_nodes_vec
vec< tree, va_gc > *	vtbl_mangled_name_types
vec< tree, va_gc > *	vtbl_mangled_name_ids

Typedef Documentation

register_table_type

typedef hash_table<registration_hasher> register_table_type

registration_iterator_type

typedef register_table_type::iterator registration_iterator_type

Function Documentation

find_or_create_vtbl_map_node()

struct vtbl_map_node * find_or_create_vtbl_map_node ( tree base_class_type )

extern

Return vtbl_map node assigned to BASE_CLASS_TYPE.  Create new one
when needed.   

References vtv_graph_node::children, vtbl_map_node::class_info, vtbl_map_node::class_name, vtv_graph_node::class_type, vtv_graph_node::class_uid, DECL_ASSEMBLER_NAME, hash_table< Descriptor, Lazy, Allocator >::find_slot(), gcc_assert, ggc_alloc(), HAS_DECL_ASSEMBLER_NAME_P, IDENTIFIER_POINTER, vtbl_map_node::is_used, NULL, NULL_TREE, vtv_graph_node::num_processed_children, num_vtable_map_nodes, vtv_graph_node::parents, vtbl_map_node::registered, TREE_TYPE, TYPE_NAME, TYPE_QUALS, TYPE_UNQUALIFIED, vtbl_map_node::uid, vtbl_find_mangled_name(), vtbl_map_node::vtbl_map_decl, vtbl_map_hash, and vtbl_map_nodes_vec.

vtbl_map_get_node()

struct vtbl_map_node * vtbl_map_get_node ( tree class_type )

extern

Return vtbl_map node for CLASS_NAME  without creating a new one.   

References vtbl_map_node::class_name, DECL_ASSEMBLER_NAME, hash_table< Descriptor, Lazy, Allocator >::find_slot(), gcc_assert, ggc_alloc(), HAS_DECL_ASSEMBLER_NAME_P, IDENTIFIER_POINTER, NULL, TREE_CODE, TREE_TYPE, TYPE_NAME, TYPE_QUALS, TYPE_UNQUALIFIED, vtbl_find_mangled_name(), and vtbl_map_hash.

Referenced by verify_bb_vtables().

vtbl_map_node_class_insert()

void vtbl_map_node_class_insert ( struct vtbl_map_node * , unsigned  )

extern

vtbl_map_node_registration_find()

bool vtbl_map_node_registration_find ( struct vtbl_map_node * node, tree vtable_decl, unsigned offset )

extern

The following few functions are for the vtbl pointer hash table
in the 'registered' field of the struct vtable_map_node.  The hash
table keeps track of which vtable pointers have been used in
calls to __VLTRegisterPair with that particular vtable map variable.   

This function checks to see if a particular VTABLE_DECL and OFFSET are
already in the 'registered' hash table for NODE.   

References gcc_assert, ggc_alloc(), i, offset, and vtable_registration::vtable_decl.

vtbl_map_node_registration_insert()

bool vtbl_map_node_registration_insert ( struct vtbl_map_node * node, tree vtable_decl, unsigned offset )

extern

This function inserts VTABLE_DECL and OFFSET into the 'registered'
hash table for NODE.  It returns a boolean indicating whether or not
it actually inserted anything.   

References hash_table< Descriptor, Lazy, Allocator >::find_slot(), ggc_alloc(), i, offset, vtable_registration::offsets, vtbl_map_node::registered, and vtable_registration::vtable_decl.

vtbl_register_mangled_name()

void vtbl_register_mangled_name ( tree class_type, tree mangled_name )

extern

Store a class type decl and its mangled name, for an anonymous RECORD_TYPE,
in the vtbl_mangled_names vector.  Make sure there is not already an
entry for the class type before adding it.   

References gcc_assert, ggc_alloc(), NULL_TREE, vec_alloc(), vec_safe_push(), vtbl_find_mangled_name(), vtbl_mangled_name_ids, and vtbl_mangled_name_types.

Variable Documentation

num_vtable_map_nodes

unsigned num_vtable_map_nodes

extern

Global variable keeping track of how many vtable map variables we
have created.  

Copyright (C) 2013-2024 Free Software Foundation, Inc.

This file is part of GCC.

GCC is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation; either version 3, or (at your option) any later
version.

GCC is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
for more details.

You should have received a copy of the GNU General Public License
along with GCC; see the file COPYING3.  If not see
<http://www.gnu.org/licenses/>.   

Virtual Table Pointer Security Pass - Detect corruption of vtable pointers
before using them for virtual method dispatches.   

This file is part of the vtable security feature implementation.
 The vtable security feature is designed to detect when a virtual
 call is about to be made through an invalid vtable pointer
 (possibly due to data corruption or malicious attacks). The
 compiler finds every virtual call, and inserts a verification call
 before the virtual call.  The verification call takes the actual
 vtable pointer value in the object through which the virtual call
 is being made, and compares the vtable pointer against a set of all
 valid vtable pointers that the object could contain (this set is
 based on the declared type of the object).  If the pointer is in
 the valid set, execution is allowed to continue; otherwise the
 program is halted.

There are several pieces needed in order to make this work: 1. For
every virtual class in the program (i.e. a class that contains
virtual methods), we need to build the set of all possible valid
vtables that an object of that class could point to.  This includes
vtables for any class(es) that inherit from the class under
consideration.  2. For every such data set we build up, we need a
way to find and reference the data set.  This is complicated by the
fact that the real vtable addresses are not known until runtime,
when the program is loaded into memory, but we need to reference the
sets at compile time when we are inserting verification calls into
the program.  3.  We need to find every virtual call in the program,
and insert the verification call (with the appropriate arguments)
before the virtual call.  4. We need some runtime library pieces:
the code to build up the data sets at runtime; the code to actually
perform the verification using the data sets; and some code to set
protections on the data sets, so they themselves do not become
hacker targets.

To find and reference the set of valid vtable pointers for any given
virtual class, we create a special global variable for each virtual
class.  We refer to this as the "vtable map variable" for that
class.  The vtable map variable has the type "void *", and is
initialized by the compiler to NULL.  At runtime when the set of
valid vtable pointers for a virtual class, e.g. class Foo, is built,
the vtable map variable for class Foo is made to point to the set.
During compile time, when the compiler is inserting verification
calls into the program, it passes the vtable map variable for the
appropriate class to the verification call, so that at runtime the
verification call can find the appropriate data set.

The actual set of valid vtable pointers for a virtual class,
e.g. class Foo, cannot be built until runtime, when the vtables get
loaded into memory and their addresses are known.  But the knowledge
about which vtables belong in which class' hierarchy is only known
at compile time.  Therefore at compile time we collect class
hierarchy and vtable information about every virtual class, and we
generate calls to build up the data sets at runtime.  To build the
data sets, we call one of the functions we add to the runtime
library, __VLTRegisterPair.  __VLTRegisterPair takes two arguments,
a vtable map variable and the address of a vtable.  If the vtable
map variable is currently NULL, it creates a new data set (hash
table), makes the vtable map variable point to the new data set, and
inserts the vtable address into the data set.  If the vtable map
variable is not NULL, it just inserts the vtable address into the
data set.  In order to make sure that our data sets are built before
any verification calls happen, we create a special constructor
initialization function for each compilation unit, give it a very
high initialization priority, and insert all of our calls to
__VLTRegisterPair into our special constructor initialization
function.

The vtable verification feature is controlled by the flag
'-fvtable-verify='.  There are three flavors of this:
'-fvtable-verify=std', '-fvtable-verify=preinit', and
'-fvtable-verify=none'.  If the option '-fvtable-verfy=preinit' is
used, then our constructor initialization function gets put into the
preinit array.  This is necessary if there are data sets that need
to be built very early in execution.  If the constructor
initialization function gets put into the preinit array, the we also
add calls to __VLTChangePermission at the beginning and end of the
function.  The call at the beginning sets the permissions on the
data sets and vtable map variables to read/write, and the one at the
end makes them read-only.  If the '-fvtable-verify=std' option is
used, the constructor initialization functions are executed at their
normal time, and the __VLTChangePermission calls are handled
differently (see the comments in libstdc++-v3/libsupc++/vtv_rts.cc).
The option '-fvtable-verify=none' turns off vtable verification.

This file contains code for the tree pass that goes through all the
statements in each basic block, looking for virtual calls, and
inserting a call to __VLTVerifyVtablePointer (with appropriate
arguments) before each one.  It also contains the hash table
functions for the data structures used for collecting the class
hierarchy data and building/maintaining the vtable map variable data
are defined in gcc/vtable-verify.h.  These data structures are
shared with the code in the C++ front end that collects the class
hierarchy & vtable information and generates the vtable map
variables (see cp/vtable-class-hierarchy.cc).  This tree pass should
run just before the gimple is converted to RTL.

Some implementation details for this pass:

To find all of the virtual calls, we iterate through all the
gimple statements in each basic block, looking for any call
statement with the code "OBJ_TYPE_REF".  Once we have found the
virtual call, we need to find the vtable pointer through which the
call is being made, and the type of the object containing the
pointer (to find the appropriate vtable map variable).  We then use
these to build a call to __VLTVerifyVtablePointer, passing the
vtable map variable, and the vtable pointer.  We insert the
verification call just after the gimple statement that gets the
vtable pointer out of the object, and we update the next
statement to depend on the result returned from
__VLTVerifyVtablePointer (the vtable pointer value), to ensure
subsequent compiler phases don't remove or reorder the call (it's no
good to have the verification occur after the virtual call, for
example).  To find the vtable pointer being used (and the type of
the object) we search backwards through the def_stmts chain from the
virtual call (see verify_bb_vtables for more details).   

Referenced by find_or_create_vtbl_map_node().

total_num_verified_vcalls

int total_num_verified_vcalls

extern

Referenced by verify_bb_vtables().

total_num_virtual_calls

int total_num_virtual_calls

extern

Keep track of how many virtual calls we are actually verifying.   

Referenced by verify_bb_vtables().

verify_vtbl_ptr_fndecl

tree verify_vtbl_ptr_fndecl

extern

Copyright (C) 2013-2024 Free Software Foundation, Inc.

This file is part of GCC.

GCC is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation; either version 3, or (at your option) any later
version.

GCC is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
for more details.

You should have received a copy of the GNU General Public License
along with GCC; see the file COPYING3.  If not see
<http://www.gnu.org/licenses/>.   

Virtual Table Pointer Security.   

The function decl used to create calls to __VLTVtableVerify.  It must
be global because it needs to be initialized in the C++ front end, but
used in the middle end (in the vtable verification pass).   

Referenced by verify_bb_vtables().

vtbl_mangled_name_ids

vec<tree, va_gc>* vtbl_mangled_name_ids

extern

Referenced by vtbl_find_mangled_name(), and vtbl_register_mangled_name().

vtbl_mangled_name_types

vec<tree, va_gc>* vtbl_mangled_name_types

extern

The global vectors for mangled class names for anonymous classes.   

Vector of mangled names for anonymous classes.   

Referenced by vtbl_find_mangled_name(), and vtbl_register_mangled_name().

vtbl_map_nodes_vec

vec<struct vtbl_map_node *> vtbl_map_nodes_vec

extern

The global vector of vtbl_map_nodes.   

Vtable map variable nodes stored in a vector.   

Referenced by find_or_create_vtbl_map_node().

vtv_debug

bool vtv_debug

extern

Controls debugging for vtable verification.