
-fsanitize=kcfi can cause alignment faults due to Arm/Thumb interworking #62936

Closed
statham-arm opened this issue May 25, 2023 · 3 comments
statham-arm commented May 25, 2023

The option -fsanitize=kcfi causes clang to emit code that (in 32-bit Arm) loads a 32-bit word from offset -4 relative to a function pointer it's about to call through. But in 32-bit Arm, function pointers may have the low bit set to indicate that they should be entered in Thumb state (and calling through the pointer via the BX or BLX instruction will automatically do that). So loading from (pointer-4) will cause an alignment fault if the pointer is Thumb.

For example:

typedef int functype(int);
int call_with_42(functype *funcptr) { return funcptr(42); }

Compiled with this command (as of commit 1264849):

clang --target=arm-none-eabi -O1 -fsanitize=kcfi -S -o - test.c

the generated code looks like this:

        mov     r1, r0
        ldr     r0, [r0, #-4]   @ load from just before the function
        ldr     r2, .LCPI0_0    @ load a constant containing expected value
        cmp     r0, r2          @ check if they're equal
        bne     .LBB0_2         @ and go and take a trap if they're not
        mov     r0, #42
        bx      r1              @ otherwise, tailcall the function

and if r0 on entry to the function had had an address with bit 0 set, then the first LDR instruction would cause an alignment fault (or, if unaligned access is enabled in the CPU, load incorrect data).
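The fault described above, modelled in C as an added example (this is not code from the issue or from clang): a constructed byte array stands in for the code image, the KCFI type id is stored four bytes before the function's entry, and a Thumb pointer is the entry address with bit 0 set. Clearing bit 0 before the load is assumed here as the remedy and is not taken from D152484.

```c
#include <stdint.h>
#include <string.h>

/* Constructed code image: the 32-bit type id sits at ENTRY_OFF - 4,
 * the function's first instruction at ENTRY_OFF. Layout is hypothetical. */
enum { IMG_SIZE = 32, TYPEID_OFF = 8, ENTRY_OFF = 12 };
static const uint32_t TYPE_ID = 0x5a5a1234u; /* constructed, arbitrary value */
static uint8_t image[IMG_SIZE];

/* Fill the image and return the Thumb-state pointer to the function. */
uintptr_t build_image(void) {
    memset(image, 0, sizeof image);
    /* store and load both use host byte order, so the round trip is exact */
    memcpy(image + TYPEID_OFF, &TYPE_ID, sizeof TYPE_ID);
    return (uintptr_t)ENTRY_OFF | 1u; /* bit 0 set: enter in Thumb state */
}

/* Model of LDR with strict alignment checking: -1 means alignment fault
 * (or out-of-image access), 0 means the word was read into *out. */
static int ldr_word(uintptr_t addr, uint32_t *out) {
    if ((addr & 3u) != 0 || addr + 4 > IMG_SIZE) return -1;
    memcpy(out, image + addr, 4);
    return 0;
}

/* The sequence the issue shows: ldr r0, [r0, #-4] straight off the pointer.
 * Returns -1 on fault, 1 if the type id matches, 0 if it does not. */
int kcfi_check_as_emitted(uintptr_t funcptr) {
    uint32_t got;
    if (ldr_word(funcptr - 4, &got) != 0) return -1; /* Thumb ptr: odd addr */
    return got == TYPE_ID;
}

/* Assumed remedy: mask off the Thumb bit before forming the load address. */
int kcfi_check_thumb_aware(uintptr_t funcptr) {
    uint32_t got;
    if (ldr_word((funcptr & ~(uintptr_t)1) - 4, &got) != 0) return -1;
    return got == TYPE_ID;
}
```

With an Arm-state pointer (bit 0 clear) both versions behave identically; only a Thumb pointer makes the emitted sequence fault.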


llvmbot commented May 25, 2023

@llvm/issue-subscribers-backend-arm


MaskRay commented Jun 9, 2023

@samitolvanen's https://reviews.llvm.org/D152484 will fix this issue.

Note: there is currently no AArch32 KCFI_CHECK support for -fsanitize=kcfi, so there is no .kcfi_traps section and the check sequence is likely not suitable for the Linux kernel.


llvmbot commented Jun 12, 2023

@llvm/issue-subscribers-clang-codegen
