author | qing zhao <qinzhao@gcc.gnu.org> | 2020-10-30 20:41:38 +0100 |
---|---|---|
committer | qing zhao <qinzhao@gcc.gnu.org> | 2020-10-30 20:41:38 +0100 |
commit | d10f3e900b0377b4760a090b0f90371bcef01686 (patch) | |
tree | f78af058a8e7a4a1c04d601dbda48821a4eaa2e4 /gcc/doc | |
parent | 44fbc9c6e02ca5b8f98f25b514ed7588e7ba733d (diff) | |
Add -fzero-call-used-regs option and zero_call_used_regs function attributes.
This new feature causes the compiler to zero a subset of all call-used
registers at function return. This is used to increase program security
by either mitigating Return-Oriented Programming (ROP) attacks or
preventing information leakage through registers.
gcc/ChangeLog:
2020-10-30 Qing Zhao <qing.zhao@oracle.com>
H.J.Lu <hjl.tools@gmail.com>
* common.opt: Add new option -fzero-call-used-regs
* config/i386/i386.c (zero_call_used_regno_p): New function.
(zero_call_used_regno_mode): Likewise.
(zero_all_vector_registers): Likewise.
(zero_all_st_registers): Likewise.
(zero_all_mm_registers): Likewise.
(ix86_zero_call_used_regs): Likewise.
(TARGET_ZERO_CALL_USED_REGS): Define.
* df-scan.c (df_epilogue_uses_p): New function.
(df_get_exit_block_use_set): Replace EPILOGUE_USES with
df_epilogue_uses_p.
* df.h (df_epilogue_uses_p): Declare.
* doc/extend.texi: Document the new zero_call_used_regs attribute.
* doc/invoke.texi: Document the new -fzero-call-used-regs option.
* doc/tm.texi: Regenerate.
* doc/tm.texi.in (TARGET_ZERO_CALL_USED_REGS): New hook.
* emit-rtl.h (struct rtl_data): New field must_be_zero_on_return.
* flag-types.h (namespace zero_regs_flags): New namespace.
* function.c (gen_call_used_regs_seq): New function.
(class pass_zero_call_used_regs): New class.
(pass_zero_call_used_regs::execute): New function.
(make_pass_zero_call_used_regs): New function.
* optabs.c (expand_asm_reg_clobber_mem_blockage): New function.
* optabs.h (expand_asm_reg_clobber_mem_blockage): Declare.
* opts.c (zero_call_used_regs_opts): New structure array
initialization.
(parse_zero_call_used_regs_options): New function.
(common_handle_option): Handle -fzero-call-used-regs.
* opts.h (zero_call_used_regs_opts): New structure array.
* passes.def: Add new pass pass_zero_call_used_regs.
* recog.c (valid_insn_p): New function.
* recog.h (valid_insn_p): Declare.
* resource.c (init_resource_info): Replace EPILOGUE_USES with
df_epilogue_uses_p.
* target.def (zero_call_used_regs): New hook.
* targhooks.c (default_zero_call_used_regs): New function.
* targhooks.h (default_zero_call_used_regs): Declare.
* tree-pass.h (make_pass_zero_call_used_regs): Declare.
gcc/c-family/ChangeLog:
2020-10-30 Qing Zhao <qing.zhao@oracle.com>
H.J.Lu <hjl.tools@gmail.com>
* c-attribs.c (c_common_attribute_table): Add new attribute
zero_call_used_regs.
(handle_zero_call_used_regs_attribute): New function.
gcc/testsuite/ChangeLog:
2020-10-30 Qing Zhao <qing.zhao@oracle.com>
H.J.Lu <hjl.tools@gmail.com>
* c-c++-common/zero-scratch-regs-1.c: New test.
* c-c++-common/zero-scratch-regs-10.c: New test.
* c-c++-common/zero-scratch-regs-11.c: New test.
* c-c++-common/zero-scratch-regs-2.c: New test.
* c-c++-common/zero-scratch-regs-3.c: New test.
* c-c++-common/zero-scratch-regs-4.c: New test.
* c-c++-common/zero-scratch-regs-5.c: New test.
* c-c++-common/zero-scratch-regs-6.c: New test.
* c-c++-common/zero-scratch-regs-7.c: New test.
* c-c++-common/zero-scratch-regs-8.c: New test.
* c-c++-common/zero-scratch-regs-9.c: New test.
* c-c++-common/zero-scratch-regs-attr-usages.c: New test.
* gcc.target/i386/zero-scratch-regs-1.c: New test.
* gcc.target/i386/zero-scratch-regs-10.c: New test.
* gcc.target/i386/zero-scratch-regs-11.c: New test.
* gcc.target/i386/zero-scratch-regs-12.c: New test.
* gcc.target/i386/zero-scratch-regs-13.c: New test.
* gcc.target/i386/zero-scratch-regs-14.c: New test.
* gcc.target/i386/zero-scratch-regs-15.c: New test.
* gcc.target/i386/zero-scratch-regs-16.c: New test.
* gcc.target/i386/zero-scratch-regs-17.c: New test.
* gcc.target/i386/zero-scratch-regs-18.c: New test.
* gcc.target/i386/zero-scratch-regs-19.c: New test.
* gcc.target/i386/zero-scratch-regs-2.c: New test.
* gcc.target/i386/zero-scratch-regs-20.c: New test.
* gcc.target/i386/zero-scratch-regs-21.c: New test.
* gcc.target/i386/zero-scratch-regs-22.c: New test.
* gcc.target/i386/zero-scratch-regs-23.c: New test.
* gcc.target/i386/zero-scratch-regs-24.c: New test.
* gcc.target/i386/zero-scratch-regs-25.c: New test.
* gcc.target/i386/zero-scratch-regs-26.c: New test.
* gcc.target/i386/zero-scratch-regs-27.c: New test.
* gcc.target/i386/zero-scratch-regs-28.c: New test.
* gcc.target/i386/zero-scratch-regs-29.c: New test.
* gcc.target/i386/zero-scratch-regs-30.c: New test.
* gcc.target/i386/zero-scratch-regs-31.c: New test.
* gcc.target/i386/zero-scratch-regs-3.c: New test.
* gcc.target/i386/zero-scratch-regs-4.c: New test.
* gcc.target/i386/zero-scratch-regs-5.c: New test.
* gcc.target/i386/zero-scratch-regs-6.c: New test.
* gcc.target/i386/zero-scratch-regs-7.c: New test.
* gcc.target/i386/zero-scratch-regs-8.c: New test.
* gcc.target/i386/zero-scratch-regs-9.c: New test.
Diffstat (limited to 'gcc/doc')
-rw-r--r-- | gcc/doc/extend.texi | 86 | ||||
-rw-r--r-- | gcc/doc/invoke.texi | 15 | ||||
-rw-r--r-- | gcc/doc/tm.texi | 12 | ||||
-rw-r--r-- | gcc/doc/tm.texi.in | 2 |
4 files changed, 114 insertions, 1 deletions
diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi index 661cdbc..f14772f 100644 --- a/gcc/doc/extend.texi +++ b/gcc/doc/extend.texi 
@@ -3996,6 +3996,92 @@ performing a link with relocatable output (i.e.@: @code{ld -r}) on them. A declaration to which @code{weakref} is attached and that is associated with a named @code{target} must be @code{static}. +@item zero_call_used_regs ("@var{choice}") +@cindex @code{zero_call_used_regs} function attribute + +The @code{zero_call_used_regs} attribute causes the compiler to zero +a subset of all call-used registers@footnote{A ``call-used'' register +is a register whose contents can be changed by a function call; +therefore, a caller cannot assume that the register has the same contents +on return from the function as it had before calling the function. Such +registers are also called ``call-clobbered'', ``caller-saved'', or +``volatile''.} at function return. +This is used to increase program security by either mitigating +Return-Oriented Programming (ROP) attacks or preventing information leakage +through registers. + +In order to satisfy users with different security needs and control the +run-time overhead at the same time, the @var{choice} parameter provides a +flexible way to choose the subset of the call-used registers to be zeroed. +The three basic values of @var{choice} are: + +@itemize @bullet +@item +@samp{skip} doesn't zero any call-used registers. + +@item +@samp{used} only zeros call-used registers that are used in the function. +A ``used'' register is one whose content has been set or referenced in +the function. + +@item +@samp{all} zeros all call-used registers. +@end itemize + +In addition to these three basic choices, it is possible to modify +@samp{used} or @samp{all} as follows: + +@itemize @bullet +@item +Adding @samp{-gpr} restricts the zeroing to general-purpose registers. + +@item +Adding @samp{-arg} restricts the zeroing to registers that can sometimes +be used to pass function arguments. 
This includes all argument registers +defined by the platform's calling conversion, regardless of whether the +function uses those registers for function arguments or not. +@end itemize + +The modifiers can be used individually or together. If they are used +together, they must appear in the order above. + +The full list of @var{choice}s is therefore: + +@table @code +@item skip +doesn't zero any call-used register. + +@item used +only zeros call-used registers that are used in the function. + +@item used-gpr +only zeros call-used general purpose registers that are used in the function. + +@item used-arg +only zeros call-used registers that are used in the function and pass arguments. + +@item used-gpr-arg +only zeros call-used general purpose registers that are used in the function +and pass arguments. + +@item all +zeros all call-used registers. + +@item all-gpr +zeros all call-used general purpose registers. + +@item all-arg +zeros all call-used registers that pass arguments. + +@item all-gpr-arg +zeros all call-used general purpose registers that pass +arguments. +@end table + +Of this list, @samp{used-arg}, @samp{used-gpr-arg}, @samp{all-arg}, +and @samp{all-gpr-arg} are mainly used for ROP mitigation. + +The default for the attribute is controlled by @option{-fzero-call-used-regs}. @end table @c This is the end of the target-independent attribute table diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi index 79d479c..492b7dc 100644 --- a/gcc/doc/invoke.texi +++ b/gcc/doc/invoke.texi @@ -554,7 +554,7 @@ Objective-C and Objective-C++ Dialects}. -funit-at-a-time -funroll-all-loops -funroll-loops @gol -funsafe-math-optimizations -funswitch-loops @gol -fipa-ra -fvariable-expansion-in-unroller -fvect-cost-model -fvpt @gol --fweb -fwhole-program -fwpa -fuse-linker-plugin @gol +-fweb -fwhole-program -fwpa -fuse-linker-plugin -fzero-call-used-regs @gol --param @var{name}=@var{value} -O -O0 -O1 -O2 -O3 -Os -Ofast -Og} 
@@ -12648,6 +12648,19 @@ int foo (void) Not all targets support this option. +@item -fzero-call-used-regs=@var{choice} +@opindex fzero-call-used-regs +Zero call-used registers at function return to increase program +security by either mitigating Return-Oriented Programming (ROP) +attacks or preventing information leakage through registers. + +The possible values of @var{choice} are the same as for the +@code{zero_call_used_regs} attribute (@pxref{Function Attributes}). +The default is @samp{skip}. + +You can control this behavior for a specific function by using the function +attribute @code{zero_call_used_regs} (@pxref{Function Attributes}). + @item --param @var{name}=@var{value} @opindex param In some places, GCC uses various constants to control the amount of diff --git a/gcc/doc/tm.texi b/gcc/doc/tm.texi index 24c37f6..833320b 100644 --- a/gcc/doc/tm.texi +++ b/gcc/doc/tm.texi @@ -12046,6 +12046,18 @@ argument list due to stack realignment. Return @code{NULL} if no DRAP is needed. @end deftypefn +@deftypefn {Target Hook} HARD_REG_SET TARGET_ZERO_CALL_USED_REGS (HARD_REG_SET @var{selected_regs}) +This target hook emits instructions to zero the subset of @var{selected_regs} +that could conceivably contain values that are useful to an attacker. +Return the set of registers that were actually cleared. + +The default implementation uses normal move instructions to zero +all the registers in @var{selected_regs}. Define this hook if the +target has more efficient ways of zeroing certain registers, +or if you believe that certain registers would never contain +values that are useful to an attacker. +@end deftypefn + @deftypefn {Target Hook} bool TARGET_ALLOCATE_STACK_SLOTS_FOR_ARGS (void) When optimization is disabled, this hook indicates whether or not arguments should be allocated to stack slots. Normally, GCC allocates diff --git a/gcc/doc/tm.texi.in b/gcc/doc/tm.texi.in index 2b8d29f..58109be 100644 --- a/gcc/doc/tm.texi.in +++ b/gcc/doc/tm.texi.in 
@@ -8109,6 +8109,8 @@ and the associated definitions of those functions. @hook TARGET_GET_DRAP_RTX +@hook TARGET_ZERO_CALL_USED_REGS + @hook TARGET_ALLOCATE_STACK_SLOTS_FOR_ARGS @hook TARGET_CONST_ANCHOR |
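Review bot: in the gcc/doc/extend.texi hunk, the @samp{-arg} item reads "defined by the platform's calling conversion"; this should be "calling convention". In the same hunk the @table entries for used-arg, used-gpr-arg, all-arg and all-gpr-arg describe registers that "pass arguments", which reads narrower than the definition given just above them ("registers that can sometimes be used to pass function arguments ... regardless of whether the function uses those registers for function arguments or not"). Suggest reusing that wording in the table so the two descriptions cannot be read as different register sets.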
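Review bot: in the first gcc/doc/invoke.texi hunk (@@ -554,7 +554,7 @@), the option summary lists the flag as plain "-fzero-call-used-regs", while the @item added further down documents it as "-fzero-call-used-regs=@var{choice}" and describes no form without an argument. Suggest writing the summary entry with the "=@var{choice}" suffix so the two places agree.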
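Review bot: in the second gcc/doc/invoke.texi hunk (@@ -12648,6 +12648,19 @@), the new @item does not say what happens when a function carries the zero_call_used_regs attribute and the option is also given with a different @var{choice}. The closing sentence says only "You can control this behavior for a specific function", and extend.texi says only that the option controls "the default for the attribute". Suggest stating the precedence explicitly here. The entry also omits the run-time overhead trade-off that the extend.texi text mentions as the reason for having several choices; one sentence on that would help users picking a value on the command line.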
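Review bot: in the gcc/doc/tm.texi hunk, the TARGET_ZERO_CALL_USED_REGS text says "Return the set of registers that were actually cleared" but does not document what a caller may assume when the returned set is smaller than @var{selected_regs}, or whether a target is allowed to skip a register it cannot zero. For a security feature that contract should be written down, including whether skipped registers are diagnosed. The phrase "if you believe that certain registers would never contain values that are useful to an attacker" is also loose guidance for target maintainers; suggest naming the kind of register this is meant for.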