diff options
| author | Ahmed Bougacha <ahmed@bougacha.org> | 2024-07-22 19:01:42 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-07-22 19:01:42 -0700 |
| commit | 6049cd62871d529b2e80b4f80fb7d74e347fb725 (patch) | |
| tree | c5553afd4f8d12bd8a310c27c5f718c45d71afe6 /clang/lib/CodeGen/CodeGenFunction.cpp | |
| parent | 03e92bf4836e888910815a54c66b07058cc8bb50 (diff) | |
| download | llvm-6049cd62871d529b2e80b4f80fb7d74e347fb725.zip llvm-6049cd62871d529b2e80b4f80fb7d74e347fb725.tar.gz llvm-6049cd62871d529b2e80b4f80fb7d74e347fb725.tar.bz2 | |
[AArch64][PAC] Lower jump-tables using hardened pseudo. (#97666)
This introduces an alternative hardened lowering for jump-table
dispatch, controlled by the function attribute
`"aarch64-jump-table-hardening"`.
The implementation is centered around a pseudo, BR_JumpTable:
> A hardened but more expensive version of jump-table dispatch.
> This combines the target address computation (otherwise done using
> the JumpTableDest pseudos above) with the branch itself (otherwise
> done using a plain BR) in a single non-attackable sequence.
>
> We take the final entry index as an operand to allow isel freedom.
> This does mean that the index can be attacker-controlled. To
> address that, we also do limited checking of the offset, mainly
> ensuring it still points within the jump-table array. When it
> doesn't, this branches to the first entry. We might want it to
> trap instead.
>
> This is intended for use in conjunction with ptrauth for other
> code pointers, to avoid signing jump-table entries and turning
> them into pointers.
>
> Entry index is passed in x16. Clobbers x16/x17/nzcv.
Jump-table compression isn't supported yet.
Diffstat (limited to 'clang/lib/CodeGen/CodeGenFunction.cpp')
0 files changed, 0 insertions, 0 deletions