diff options
| author | Momchil Velikov <momchil.velikov@arm.com> | 2020-04-28 16:27:52 +0100 |
|---|---|---|
| committer | Momchil Velikov <momchil.velikov@arm.com> | 2020-04-28 17:05:58 +0100 |
| commit | 102b4105e3fd568ed2c758ed7e6fd266a819d6db (patch) | |
| tree | f796adbf9532f2df0bb16b7aca0e0effda619200 /clang/lib/CodeGen/CodeGenFunction.h | |
| parent | e770153865c53c4fd72a68f23acff33c24e42a08 (diff) | |
| download | llvm-102b4105e3fd568ed2c758ed7e6fd266a819d6db.zip llvm-102b4105e3fd568ed2c758ed7e6fd266a819d6db.tar.gz llvm-102b4105e3fd568ed2c758ed7e6fd266a819d6db.tar.bz2 | |
[CMSE] Clear padding bits of struct/unions/fp16 passed by value
When passing a value of a struct/union type from secure to non-secure
state (that is returning from a CMSE entry function or passing an
argument to CMSE-non-secure call), there is a potential sensitive
information leak via the padding bits in the structure. It is not
possible in the general case to ensure those bits are cleared by using
Standard C/C++.
This patch makes the compiler emit code to clear such padding
bits. Since type information is lost in LLVM IR, the code generation
is done by Clang.
For each interesting record type, we build a bitmask, in which all the
bits, corresponding to user declared members, are set. Values of
record types are returned by coercing them to an integer. After the
coercion, the coerced value is masked (with bitwise AND) and then
returned by the function. In a similar manner, values of record types
are passed as arguments by coercing them to an array of integers, and
the coerced values themselves are masked.
For union types, we effectively clear only bits, which aren't part of
any member, since we don't know which is the currently active one.
The compiler will issue a warning, whenever a union is passed to
non-secure state.
Values of half-precision floating-point types are passed in the least
significant bits of a 32-bit register (GPR or FPR) with the most
significant bits unspecified. Since this is also a potential leak of
sensitive information, this patch also clears those unspecified bits.
Differential Revision: https://reviews.llvm.org/D76369
Diffstat (limited to 'clang/lib/CodeGen/CodeGenFunction.h')
| -rw-r--r-- | clang/lib/CodeGen/CodeGenFunction.h | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/clang/lib/CodeGen/CodeGenFunction.h b/clang/lib/CodeGen/CodeGenFunction.h index 1af83b8..7ea89eb 100644 --- a/clang/lib/CodeGen/CodeGenFunction.h +++ b/clang/lib/CodeGen/CodeGenFunction.h @@ -3877,6 +3877,11 @@ public: llvm::Value *EmitARMCDEBuiltinExpr(unsigned BuiltinID, const CallExpr *E, ReturnValueSlot ReturnValue, llvm::Triple::ArchType Arch); + llvm::Value *EmitCMSEClearRecord(llvm::Value *V, llvm::IntegerType *ITy, + QualType RTy); + llvm::Value *EmitCMSEClearRecord(llvm::Value *V, llvm::ArrayType *ATy, + QualType RTy); + llvm::Value *EmitCMSEClearFP16(llvm::Value *V); llvm::Value *EmitCommonNeonBuiltinExpr(unsigned BuiltinID, unsigned LLVMIntrinsic, |