x86-64: support IBT (control-flow integrity for indirect jumps)

Author: xavierleroy

driver/Clflags.ml

@@ -38,6 +38,7 @@ let option_mthumb = ref (Configuration.model = "armv7m")
 let option_Osize = ref false
 let option_finline = ref true
 let option_finline_functions_called_once = ref true
+let option_fcf_protection = ref false
 let option_dprepro = ref false
 let option_dparse = ref false
 let option_dcmedium = ref false

driver/Driver.ml

@@ -207,6 +207,8 @@ Code generation options: (use -fno-<opt> to turn off -f<opt>)
   -falign-branch-targets <n>  Set alignment (in bytes) of branch targets
   -falign-cond-branches <n>  Set alignment (in bytes) of conditional branches
   -fcommon       Put uninitialized globals in the common section [on].
+  -fcf-protection=branch  Add control-flow integrity checks
+  -fcf-protection=none    Don't add control-flow integrity checks
 |} ^
  target_help ^
  toolchain_help ^
@@ -266,6 +268,13 @@ let cmdline_actions =
     if n <= 0 || ((n land (n - 1)) <> 0) then
       error no_loc "requested alignment %d is not a power of 2" n
     in
+  let set_cf_protection () =
+    match Configuration.arch, Configuration.model with
+    | "x86", "64" ->
+        option_fcf_protection := true
+    | _ ->
+        error no_loc "Option -fcf_protection=branch not supported on this target"
+    in
   [
 (* Getting help *)
   Exact "-help", Unit print_usage_and_exit;
@@ -301,7 +310,10 @@ let cmdline_actions =
   Exact "-ffloat-const-prop", Integer(fun n -> option_ffloatconstprop := n); 
   Exact "-falign-functions", Integer(fun n -> check_align n; option_falignfunctions := Some n);
   Exact "-falign-branch-targets", Integer(fun n -> check_align n; option_falignbranchtargets := n);
-  Exact "-falign-cond-branches", Integer(fun n -> check_align n; option_faligncondbranchs := n);] @
+  Exact "-falign-cond-branches", Integer(fun n -> check_align n; option_faligncondbranchs := n);
+  Exact "-fcf-protection=branch", Unit set_cf_protection;
+  Exact "-fcf-protection=none", Unset option_fcf_protection
+ ] @
       f_opt "common" option_fcommon @
 (* Target processor options *)
   (if Configuration.arch = "arm" then

runtime/x86_64/sysdeps.h

@@ -38,6 +38,20 @@
 
 	.section .note.GNU-stack,"",%progbits
 
+// The runtime library code is compatible with IBT and SHSTK
+	.section .note.gnu.property,"a"
+	.align	8
+	.long	4
+	.long	4f - 1f
+	.long	5
+	.string	"GNU"
+1:	.align	8
+	.long	0xc0000002
+	.long	3f - 2f
+2:	.long	0x3
+3:	.align	8
+4:
+
 #define GLOB(x) x
 #define FUNCTION(f) \
 	.text; \

x86/TargetPrinter.ml

@@ -178,7 +178,23 @@ module ELF_System : SYSTEM =
 
     let print_var_info = elf_print_var_info
 
-    let print_epilogue _ = ()
+    let print_epilogue oc =
+      if !Clflags.option_fcf_protection then begin
+        output_string oc
+{|	.section        .note.gnu.property,"a"
+	.align	8
+	.long	4
+	.long	4f - 1f
+	.long	5
+	.string	"GNU"
+1:	.align	8
+	.long	0xc0000002
+	.long	3f - 2f
+2:	.long	0x3
+3:	.align	8
+4:
+|}
+      end
 
     let print_comm_decl oc name sz al =
       fprintf oc "	.comm	%a, %s, %d\n" symbol name (Z.to_string sz) al
@@ -744,7 +760,9 @@ module Target(System: SYSTEM):TARGET =
             fprintf oc "	leaq	%a(%%rip), %a\n" label l ireg tmp1;
             fprintf oc "	movslq	(%a, %a, 4), %a\n" ireg tmp1 ireg r ireg tmp2;
             fprintf oc "	addq	%a, %a\n" ireg tmp2 ireg tmp1;
-            fprintf oc "	jmp	*%a\n" ireg tmp1
+            fprintf oc "	%sjmp	*%a\n"
+              (if !Clflags.option_fcf_protection then "notrack " else "")
+              ireg tmp1
           end else begin
             fprintf oc "	jmp	*%a(, %a, 4)\n" label l ireg r
           end
@@ -901,6 +919,8 @@ module Target(System: SYSTEM):TARGET =
 
     let print_instructions oc fn =
       current_function_sig := fn.fn_sig;
+      if !Clflags.option_fcf_protection then
+        fprintf oc "	endbr64\n";
       List.iter (print_instruction oc) fn.fn_code
 
     let print_optional_fun_info _ = ()