commit 0a3637d3eb2424d8e825ad1825f843450a888406
author Evgenii Stepanov <eugenis@google.com> Wed Jul 06 13:20:59 2016 -0700
committer Evgenii Stepanov <eugenis@google.com> Wed Jan 18 13:13:52 2017 -0800
tree dc0d4c31cddc2ff06902fcbdf4233f7759258764
parent 1b2975d54b9c17ced29883aef24490773a4a9fe6

Runtime support for CFI

Control Flow Integrity support in bionic.

General design:
http://clang.llvm.org/docs/ControlFlowIntegrityDesign.html#shared-library-support

This CL implements subsections "CFI Shadow" and "CFI_SlowPath" in the above document.

Bug: 22033465
Test: bionic device tests
Change-Id: I14dfea630de468eb5620e7f55f92b1397ba06217

tests/libs/cfi_test_lib.cpp

diff --git a/tests/libs/cfi_test_lib.cpp b/tests/libs/cfi_test_lib.cpp
new file mode 100644
index 0000000..b0e2f42
--- /dev/null
+++ b/tests/libs/cfi_test_lib.cpp
@@ -0,0 +1,68 @@
+#include <assert.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+// This library is built for all targets, including host tests, so __cfi_slowpath may not be
+// present. But it is only used in the bionic loader tests.
+extern "C" __attribute__((weak)) void __cfi_slowpath(uint64_t, void*);
+
+static int g_count;
+static uint64_t g_last_type_id;
+static void* g_last_address;
+static void* g_last_diag;
+
+extern "C" {
+
+// Mock a CFI-enabled library without relying on the compiler.
+__attribute__((aligned(4096))) void __cfi_check(uint64_t CallSiteTypeId, void* TargetAddr,
+                                                void* Diag) {
+  ++g_count;
+  g_last_type_id = CallSiteTypeId;
+  g_last_address = TargetAddr;
+  g_last_diag = Diag;
+}
+
+int get_count() {
+  return g_count;
+}
+
+uint64_t get_last_type_id() {
+  return g_last_type_id;
+}
+
+void* get_last_address() {
+  return g_last_address;
+}
+
+void* get_last_diag() {
+  return g_last_diag;
+}
+
+void* get_global_address() {
+  return &g_count;
+}
+}
+
+// Check that CFI is set up in module constructors and destructors.
+struct A {
+  void check_cfi_self() {
+    g_last_type_id = 0;
+    assert(&__cfi_slowpath);
+    // CFI check for an invalid address. Normally, this would kill the process by routing the call
+    // back to the calling module's __cfi_check, which does the right thing based on
+    // -fsanitize-recover / -fsanitize-trap. But this module has custom __cfi_check that does not do
+    // any of that, so the result looks like a passing check.
+    int zz;
+    __cfi_slowpath(13, static_cast<void*>(&zz));
+    assert(g_last_type_id == 13);
+    // CFI check for a libc function. This never goes into this module's __cfi_check, and must pass.
+    __cfi_slowpath(14, reinterpret_cast<void*>(&exit));
+    assert(g_last_type_id == 13);
+  }
+  A() {
+    check_cfi_self();
+  }
+  ~A() {
+    check_cfi_self();
+  }
+} a;