Skip to content

Commit

Permalink
[CFGuard] Add address-taken IAT tables and delay-load support
Browse files Browse the repository at this point in the history 
This patch adds support for creating Guard Address-Taken IAT Entry Tables (.giats$y sections) in object files, matching the behavior of MSVC. These contain lists of address-taken imported functions, which are used by the linker to create the final GIATS table.
Additionally, if any DLLs are delay-loaded, the linker must look through the .giats tables and add the respective load thunks of address-taken imports to the GFIDS table, as these are also valid call targets.

Reviewed By: rnk

Differential Revision: https://reviews.llvm.org/D87544
  • Loading branch information
@ajpaverd @aeubanks
ajpaverd authored and aeubanks committed Nov 18, 2020
1 parent 63a8ee3 commit 0139c8a
Show file tree
Hide file tree
Showing 13 changed files with 284 additions and 19 deletions.
10 changes: 10 additions & 0 deletions lld/COFF/DLL.cpp
View file
Expand Up @@ -19,6 +19,7 @@

#include "DLL.h"
#include "Chunks.h"
#include "SymbolTable.h"
#include "llvm/Object/COFF.h"
#include "llvm/Support/Endian.h"
#include "llvm/Support/Path.h"
Expand Down Expand Up @@ -653,9 +654,18 @@ void DelayLoadContents::create(Defined *h) {
auto *c = make<HintNameChunk>(extName, 0);
names.push_back(make<LookupChunk>(c));
hintNames.push_back(c);
// Add a syntentic symbol for this load thunk, using the "__imp_load"
// prefix, in case this thunk needs to be added to the list of valid
// call targets for Control Flow Guard.
StringRef symName = saver.save("__imp_load_" + extName);
s->loadThunkSym =
cast<DefinedSynthetic>(symtab->addSynthetic(symName, t));
}
}
thunks.push_back(tm);
StringRef tmName =
saver.save("__tailMerge_" + syms[0]->getDLLName().lower());
symtab->addSynthetic(tmName, tm);
// Terminate with null values.
addresses.push_back(make<NullChunk>(8));
names.push_back(make<NullChunk>(8));
Expand Down
2 changes: 1 addition & 1 deletion lld/COFF/ICF.cpp
View file
Expand Up @@ -131,7 +131,7 @@ bool ICF::assocEquals(const SectionChunk *a, const SectionChunk *b) {
auto considerForICF = [](const SectionChunk &assoc) {
StringRef Name = assoc.getSectionName();
return !(Name.startswith(".debug") || Name == ".gfids$y" ||
Name == ".gljmp$y");
Name == ".giats$y" || Name == ".gljmp$y");
};
auto ra = make_filter_range(a->children(), considerForICF);
auto rb = make_filter_range(b->children(), considerForICF);
Expand Down
2 changes: 2 additions & 0 deletions lld/COFF/InputFiles.cpp
View file
Expand Up @@ -280,6 +280,8 @@ SectionChunk *ObjFile::readSection(uint32_t sectionNumber,
debugChunks.push_back(c);
else if (name == ".gfids$y")
guardFidChunks.push_back(c);
else if (name == ".giats$y")
guardIATChunks.push_back(c);
else if (name == ".gljmp$y")
guardLJmpChunks.push_back(c);
else if (name == ".sxdata")
Expand Down
7 changes: 5 additions & 2 deletions lld/COFF/InputFiles.h
View file
Expand Up @@ -144,6 +144,7 @@ class ObjFile : public InputFile {
ArrayRef<SectionChunk *> getDebugChunks() { return debugChunks; }
ArrayRef<SectionChunk *> getSXDataChunks() { return sxDataChunks; }
ArrayRef<SectionChunk *> getGuardFidChunks() { return guardFidChunks; }
ArrayRef<SectionChunk *> getGuardIATChunks() { return guardIATChunks; }
ArrayRef<SectionChunk *> getGuardLJmpChunks() { return guardLJmpChunks; }
ArrayRef<Symbol *> getSymbols() { return symbols; }

Expand Down Expand Up @@ -285,9 +286,11 @@ class ObjFile : public InputFile {
// 32-bit x86.
std::vector<SectionChunk *> sxDataChunks;

// Chunks containing symbol table indices of address taken symbols and longjmp
// targets. These are not linked into the final binary when /guard:cf is set.
// Chunks containing symbol table indices of address taken symbols, address
// taken IAT entries, and longjmp targets. These are not linked into the
// final binary when /guard:cf is set.
std::vector<SectionChunk *> guardFidChunks;
std::vector<SectionChunk *> guardIATChunks;
std::vector<SectionChunk *> guardLJmpChunks;

// This vector contains a list of all symbols defined or referenced by this
Expand Down
7 changes: 7 additions & 0 deletions lld/COFF/Symbols.h
View file
Expand Up @@ -353,6 +353,13 @@ class DefinedImportData : public Defined {
uint16_t getOrdinal() { return file->hdr->OrdinalHint; }

ImportFile *file;

// This is a pointer to the synthetic symbol associated with the load thunk
// for this symbol that will be called if the DLL is delay-loaded. This is
// needed for Control Flow Guard because if this DefinedImportData symbol is a
// valid call target, the corresponding load thunk must also be marked as a
// valid call target.
DefinedSynthetic *loadThunkSym = nullptr;
};

// This class represents a symbol for a jump table entry which jumps
Expand Down
46 changes: 40 additions & 6 deletions lld/COFF/Writer.cpp
View file
Expand Up @@ -227,6 +227,9 @@ class Writer {
void markSymbolsForRVATable(ObjFile *file,
ArrayRef<SectionChunk *> symIdxChunks,
SymbolRVASet &tableSymbols);
void getSymbolsFromSections(ObjFile *file,
ArrayRef<SectionChunk *> symIdxChunks,
std::vector<Symbol *> &symbols);
void maybeAddRVATable(SymbolRVASet tableSymbols, StringRef tableSym,
StringRef countSym);
void setSectionPermissions();
Expand Down Expand Up @@ -607,8 +610,9 @@ void Writer::run() {

createImportTables();
createSections();
createMiscChunks();
appendImportThunks();
// Import thunks must be added before the Control Flow Guard tables are added.
createMiscChunks();
createExportTable();
mergeSections();
removeUnusedSections();
Expand Down Expand Up @@ -1628,6 +1632,8 @@ static void markSymbolsWithRelocations(ObjFile *file,
// table.
void Writer::createGuardCFTables() {
SymbolRVASet addressTakenSyms;
SymbolRVASet giatsRVASet;
std::vector<Symbol *> giatsSymbols;
SymbolRVASet longJmpTargets;
for (ObjFile *file : ObjFile::instances) {
// If the object was compiled with /guard:cf, the address taken symbols
Expand All @@ -1637,6 +1643,8 @@ void Writer::createGuardCFTables() {
// possibly address-taken.
if (file->hasGuardCF()) {
markSymbolsForRVATable(file, file->getGuardFidChunks(), addressTakenSyms);
markSymbolsForRVATable(file, file->getGuardIATChunks(), giatsRVASet);
getSymbolsFromSections(file, file->getGuardIATChunks(), giatsSymbols);
markSymbolsForRVATable(file, file->getGuardLJmpChunks(), longJmpTargets);
} else {
markSymbolsWithRelocations(file, addressTakenSyms);
Expand All @@ -1651,6 +1659,16 @@ void Writer::createGuardCFTables() {
for (Export &e : config->exports)
maybeAddAddressTakenFunction(addressTakenSyms, e.sym);

// For each entry in the .giats table, check if it has a corresponding load
// thunk (e.g. because the DLL that defines it will be delay-loaded) and, if
// so, add the load thunk to the address taken (.gfids) table.
for (Symbol *s : giatsSymbols) {
if (auto *di = dyn_cast<DefinedImportData>(s)) {
if (di->loadThunkSym)
addSymbolToRVASet(addressTakenSyms, di->loadThunkSym);
}
}

// Ensure sections referenced in the gfid table are 16-byte aligned.
for (const ChunkAndOffset &c : addressTakenSyms)
if (c.inputChunk->getAlignment() < 16)
Expand All @@ -1659,6 +1677,10 @@ void Writer::createGuardCFTables() {
maybeAddRVATable(std::move(addressTakenSyms), "__guard_fids_table",
"__guard_fids_count");

// Add the Guard Address Taken IAT Entry Table (.giats).
maybeAddRVATable(std::move(giatsRVASet), "__guard_iat_table",
"__guard_iat_count");

// Add the longjmp target table unless the user told us not to.
if (config->guardCF == GuardCFLevel::Full)
maybeAddRVATable(std::move(longJmpTargets), "__guard_longjmp_table",
Expand All @@ -1675,11 +1697,11 @@ void Writer::createGuardCFTables() {
}

// Take a list of input sections containing symbol table indices and add those
// symbols to an RVA table. The challenge is that symbol RVAs are not known and
// symbols to a vector. The challenge is that symbol RVAs are not known and
// depend on the table size, so we can't directly build a set of integers.
void Writer::markSymbolsForRVATable(ObjFile *file,
void Writer::getSymbolsFromSections(ObjFile *file,
ArrayRef<SectionChunk *> symIdxChunks,
SymbolRVASet &tableSymbols) {
std::vector<Symbol *> &symbols) {
for (SectionChunk *c : symIdxChunks) {
// Skip sections discarded by linker GC. This comes up when a .gfids section
// is associated with something like a vtable and the vtable is discarded.
Expand All @@ -1697,7 +1719,7 @@ void Writer::markSymbolsForRVATable(ObjFile *file,
}

// Read each symbol table index and check if that symbol was included in the
// final link. If so, add it to the table symbol set.
// final link. If so, add it to the vector of symbols.
ArrayRef<ulittle32_t> symIndices(
reinterpret_cast<const ulittle32_t *>(data.data()), data.size() / 4);
ArrayRef<Symbol *> objSymbols = file->getSymbols();
Expand All @@ -1709,12 +1731,24 @@ void Writer::markSymbolsForRVATable(ObjFile *file,
}
if (Symbol *s = objSymbols[symIndex]) {
if (s->isLive())
addSymbolToRVASet(tableSymbols, cast<Defined>(s));
symbols.push_back(cast<Symbol>(s));
}
}
}
}

// Take a list of input sections containing symbol table indices and add those
// symbols to an RVA table.
void Writer::markSymbolsForRVATable(ObjFile *file,
ArrayRef<SectionChunk *> symIdxChunks,
SymbolRVASet &tableSymbols) {
std::vector<Symbol *> syms;
getSymbolsFromSections(file, symIdxChunks, syms);

for (Symbol *s : syms)
addSymbolToRVASet(tableSymbols, cast<Defined>(s));
}

// Replace the absolute table symbol with a synthetic symbol pointing to
// tableChunk so that we can emit base relocations for it and resolve section
// relative relocations.
Expand Down
117 changes: 117 additions & 0 deletions lld/test/COFF/giats.s
View file
@@ -0,0 +1,117 @@
# REQUIRES: x86

# Make a DLL that exports exportfn1.
# RUN: yaml2obj %p/Inputs/export.yaml -o %basename_t-exp.obj
# RUN: lld-link /out:%basename_t-exp.dll /dll %basename_t-exp.obj /export:exportfn1 /implib:%basename_t-exp.lib

# Make an object file that imports exportfn1.
# RUN: llvm-mc -triple x86_64-windows-msvc %s -filetype=obj -o %basename_t.obj

# Check that the Guard address-taken IAT entry tables are propagated to the final executable.
# RUN: lld-link %basename_t.obj -guard:cf -entry:main -out:%basename_t-nodelay.exe %basename_t-exp.lib
# RUN: llvm-readobj --file-headers --coff-load-config %basename_t-nodelay.exe | FileCheck %s --check-prefix CHECK

# CHECK: ImageBase: 0x140000000
# CHECK: LoadConfig [
# CHECK: GuardCFFunctionTable: 0x140002114
# CHECK: GuardCFFunctionCount: 1
# CHECK: GuardFlags: 0x10500
# CHECK: GuardAddressTakenIatEntryTable: 0x140002118
# CHECK: GuardAddressTakenIatEntryCount: 1
# CHECK: ]
# CHECK: GuardFidTable [
# CHECK-NEXT: 0x14000{{.*}}
# CHECK-NEXT: ]
# CHECK: GuardIatTable [
# CHECK-NEXT: 0x14000{{.*}}
# CHECK-NEXT: ]


# Check that the additional load thunk symbol is added to the GFIDs table.
# RUN: lld-link %basename_t.obj -guard:cf -entry:main -out:%basename_t-delay.exe %basename_t-exp.lib -alternatename:__delayLoadHelper2=main -delayload:%basename_t-exp.dll
# RUN: llvm-readobj --file-headers --coff-load-config %basename_t-delay.exe | FileCheck %s --check-prefix DELAY-CHECK

# DELAY-CHECK: ImageBase: 0x140000000
# DELAY-CHECK: LoadConfig [
# DELAY-CHECK: GuardCFFunctionTable: 0x140002114
# DELAY-CHECK: GuardCFFunctionCount: 2
# DELAY-CHECK: GuardFlags: 0x10500
# DELAY-CHECK: GuardAddressTakenIatEntryTable: 0x14000211C
# DELAY-CHECK: GuardAddressTakenIatEntryCount: 1
# DELAY-CHECK: ]
# DELAY-CHECK: GuardFidTable [
# DELAY-CHECK-NEXT: 0x14000{{.*}}
# DELAY-CHECK-NEXT: 0x14000{{.*}}
# DELAY-CHECK-NEXT: ]
# DELAY-CHECK: GuardIatTable [
# DELAY-CHECK-NEXT: 0x14000{{.*}}
# DELAY-CHECK-NEXT: ]


# This assembly is reduced from C code like:
# __declspec(noinline)
# void IndirectCall(BOOL (func)(HANDLE)) {
# (*func)(NULL);
# }
# int main(int argc, char** argv) {
# IndirectCall(exportfn1);
# }

.text
.def @feat.00;
.scl 3;
.type 0;
.endef
.globl @feat.00
.set @feat.00, 2048
.def IndirectCall; .scl 2; .type 32; .endef
.globl IndirectCall # -- Begin function IndirectCall
.p2align 4, 0x90
IndirectCall: # @IndirectCall
# %bb.0:
subq $40, %rsp
movq %rcx, 32(%rsp)
movq 32(%rsp), %rax
movq %rax, %rdx # This would otherwise be: movq __guard_dispatch_icall_fptr(%rip), %rdx
xorl %ecx, %ecx
callq *%rdx
nop
addq $40, %rsp
retq
# -- End function
.def main; .scl 2; .type 32; .endef
.globl main # -- Begin function main
.p2align 4, 0x90
main: # @main
# %bb.0:
subq $56, %rsp
movq __imp_exportfn1(%rip), %rax
movq %rdx, 48(%rsp)
movl %ecx, 44(%rsp)
movq %rax, %rcx
callq IndirectCall
xorl %eax, %eax
addq $56, %rsp
retq
# -- End function
.section .gfids$y,"dr"
.section .giats$y,"dr"
.symidx __imp_exportfn1
.section .gljmp$y,"dr"

# Load configuration directory entry (winnt.h _IMAGE_LOAD_CONFIG_DIRECTORY64).
# The linker will define the __guard_* symbols.
.section .rdata,"dr"
.globl _load_config_used
_load_config_used:
.long 256
.fill 124, 1, 0
.quad __guard_fids_table
.quad __guard_fids_count
.long __guard_flags
.fill 12, 1, 0
.quad __guard_iat_table
.quad __guard_iat_count
.quad __guard_longjmp_table
.quad __guard_fids_count
.fill 84, 1, 0
2 changes: 2 additions & 0 deletions llvm/include/llvm/MC/MCObjectFileInfo.h
View file
Expand Up @@ -215,6 +215,7 @@ class MCObjectFileInfo {
MCSection *XDataSection = nullptr;
MCSection *SXDataSection = nullptr;
MCSection *GFIDsSection = nullptr;
MCSection *GIATsSection = nullptr;
MCSection *GLJMPSection = nullptr;

// XCOFF specific sections
Expand Down Expand Up @@ -397,6 +398,7 @@ class MCObjectFileInfo {
MCSection *getXDataSection() const { return XDataSection; }
MCSection *getSXDataSection() const { return SXDataSection; }
MCSection *getGFIDsSection() const { return GFIDsSection; }
MCSection *getGIATsSection() const { return GIATsSection; }
MCSection *getGLJMPSection() const { return GLJMPSection; }

// XCOFF specific sections
Expand Down

0 comments on commit 0139c8a

Please sign in to comment.