GCC Middle and Back End API Reference
vtable-verify.c File Reference

Data Structures

struct  vtbl_map_hasher

Typedefs

typedef hash_table
< vtbl_map_hasher
vtbl_map_table_type
typedef
vtbl_map_table_type::iterator 
vtbl_map_iterator_type

Functions

unsigned int vtable_verify_main (void)
bool vtbl_map_node_registration_find (struct vtbl_map_node *node, tree vtable_decl, unsigned offset)
bool vtbl_map_node_registration_insert (struct vtbl_map_node *node, tree vtable_decl, unsigned offset)
struct vtbl_map_nodevtbl_map_get_node ()
struct vtbl_map_nodefind_or_create_vtbl_map_node ()
static bool is_vtable_assignment_stmt ()
static tree extract_object_class_type ()
static bool var_is_used_for_virtual_call_p ()
static void verify_bb_vtables ()
static bool gate_tree_vtable_verify ()
gimple_opt_passmake_pass_vtable_verify ()

Variables

unsigned num_vtable_map_nodes = 0
int total_num_virtual_calls = 0
int total_num_verified_vcalls = 0
tree verify_vtbl_ptr_fndecl = NULL_TREE
static bool any_verification_calls_generated = false
static vtbl_map_table_type vtbl_map_hash
vec< struct vtbl_map_node * > vtbl_map_nodes_vec

Typedef Documentation

   Here are the two structures into which we insert vtable map nodes.
   We use two data structures because of the vastly different ways we need
   to find the nodes for various tasks (see comments in vtable-verify.h
   for more details.  

Function Documentation

static tree extract_object_class_type ( )
static
   This function attempts to recover the declared class of an object
   that is used in making a virtual call.  We try to get the type from
   the type cast in the gimple assignment statement that extracts the
   vtable pointer from the object (DEF_STMT).  The gimple statement
   usually looks something like this:

   D.2201_4 = MEM[(struct Event *)this_1(D)]._vptr.Event    
     Try to find and extract the type cast from that stmt.  
struct vtbl_map_node* find_or_create_vtbl_map_node ( )
read
   Return vtbl_map node assigned to BASE_CLASS_TYPE.  Create new one
   when needed.  
     Find the TYPE_DECL for the class.  
     Verify that there aren't any type qualifiers on type.  
static bool gate_tree_vtable_verify ( )
static
   Gate function for the pass.  
static bool is_vtable_assignment_stmt ( )
static
   End of hashtable functions for vtable_map variables hash table.   
   Given a gimple STMT, this function checks to see if the statement
   is an assignment, the rhs of which is getting the vtable pointer
   value out of an object.  (i.e. it's the value we need to verify
   because its the vtable pointer that will be used for a virtual
   call).  
gimple_opt_pass* make_pass_vtable_verify ( )
static bool var_is_used_for_virtual_call_p ( )
static
   This function traces forward through the def-use chain of an SSA
   variable to see if it ever gets used in a virtual function call.  It
   returns a boolean indicating whether or not it found a virtual call in
   the use chain.  
     Iterate through the immediate uses of the current variable.  If
     it's a virtual function call, we're done.  Otherwise, if there's
     an LHS for the use stmt, add the ssa var to the work list
     (assuming it's not already in the list and is not a variable
     we've already examined.  
static void verify_bb_vtables ( )
static
   Search through all the statements in a basic block (BB), searching
   for virtual method calls.  For each virtual method dispatch, find
   the vptr value used, and the statically declared type of the
   object; retrieve the vtable map variable for the type of the
   object; generate a call to __VLTVerifyVtablePointer; and insert the
   generated call into the basic block, after the point where the vptr
   value is gotten out of the object and before the virtual method
   dispatch. Make the virtual method dispatch depend on the return
   value from the verification call, so that subsequent optimizations
   cannot reorder the two calls.  
         Count virtual calls.  
             Make sure this vptr field access is for a virtual call.  
             Now we have found the virtual method dispatch and
             the preceding access of the _vptr.* field... Next
             we need to find the statically declared type of
             the object, so we can find and use the right
             vtable map variable in the verification call.  
                 Get the vtable VAR_DECL for the type.  
                 Given the vtable pointer for the base class of the
                 object, build the call to __VLTVerifyVtablePointer to
                 verify that the object's vtable pointer (contained in
                 lhs) is in the set of valid vtable pointers for the
                 base class.  
                     Call different routines if we are interested in
                     trace information to debug problems.  
                     Create a new SSA_NAME var to hold the call's
                     return value, and make the call_stmt use the
                     variable for that purpose.  
                     Find the next stmt, after the vptr assignment
                     statememt, which should use the result of the
                     vptr assignment statement value. 
                     Find any/all uses of 'lhs' in next_stmt, and
                     replace them with 'tmp0'.  
                     Insert the new verification call just after the
                     statement that gets the vtable pointer out of the
                     object.  
unsigned int vtable_verify_main ( )
   Main function, called from pass->excute().  Loop through all the
   basic blocks in the current function, passing them to
   verify_bb_vtables, which searches for virtual calls, and inserts
   calls to __VLTVerifyVtablePointer.  
struct vtbl_map_node* vtbl_map_get_node ( )
read
   Return vtbl_map node for CLASS_NAME  without creating a new one.  
     Find the TYPE_DECL for the class.  
     Verify that there aren't any qualifiers on the type.  
     Get the mangled name for the unqualified type.  
bool vtbl_map_node_registration_find ( struct vtbl_map_node node,
tree  vtable_decl,
unsigned  offset 
)
   The following few functions are for the vtbl pointer hash table
   in the 'registered' field of the struct vtable_map_node.  The hash
   table keeps track of which vtable pointers have been used in
   calls to __VLTRegisterPair with that particular vtable map variable.  
   This function checks to see if a particular VTABLE_DECL and OFFSET are
   already in the 'registered' hash table for NODE.  
bool vtbl_map_node_registration_insert ( struct vtbl_map_node node,
tree  vtable_decl,
unsigned  offset 
)
   This function inserts VTABLE_DECL and OFFSET into the 'registered'
   hash table for NODE.  It returns a boolean indicating whether or not
   it actually inserted anything.  
         We found the vtable_decl slot; we need to see if it already
         contains the offset.  If not, we need to add the offset.  

References vtable_registration::offsets, and vtable_registration::vtable_decl.


Variable Documentation

bool any_verification_calls_generated = false
static
   Keep track of whether or not any virtual call were verified.  
unsigned num_vtable_map_nodes = 0
@verbatim 
 Copyright (C) 2013
Free Software Foundation, Inc.

This file is part of GCC.

GCC is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3, or (at your option) any later version.

GCC is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with GCC; see the file COPYING3. If not see http://www.gnu.org/licenses/.

   Virtual Table Pointer Security Pass - Detect corruption of vtable pointers
   before using them for virtual method dispatches.  
   This file is part of the vtable security feature implementation.
   The vtable security feature is designed to detect when a virtual
   call is about to be made through an invalid vtable pointer
   (possibly due to data corruption or malicious attacks). The
   compiler finds every virtual call, and inserts a verification call
   before the virtual call.  The verification call takes the actual
   vtable pointer value in the object through which the virtual call
   is being made, and compares the vtable pointer against a set of all
   valid vtable pointers that the object could contain (this set is
   based on the declared type of the object).  If the pointer is in
   the valid set, execution is allowed to continue; otherwise the
   program is halted.

  There are several pieces needed in order to make this work: 1. For
  every virtual class in the program (i.e. a class that contains
  virtual methods), we need to build the set of all possible valid
  vtables that an object of that class could point to.  This includes
  vtables for any class(es) that inherit from the class under
  consideration.  2. For every such data set we build up, we need a
  way to find and reference the data set.  This is complicated by the
  fact that the real vtable addresses are not known until runtime,
  when the program is loaded into memory, but we need to reference the
  sets at compile time when we are inserting verification calls into
  the program.  3.  We need to find every virtual call in the program,
  and insert the verification call (with the appropriate arguments)
  before the virtual call.  4. We need some runtime library pieces:
  the code to build up the data sets at runtime; the code to actually
  perform the verification using the data sets; and some code to set
  protections on the data sets, so they themselves do not become
  hacker targets.

  To find and reference the set of valid vtable pointers for any given
  virtual class, we create a special global variable for each virtual
  class.  We refer to this as the "vtable map variable" for that
  class.  The vtable map variable has the type "void *", and is
  initialized by the compiler to NULL.  At runtime when the set of
  valid vtable pointers for a virtual class, e.g. class Foo, is built,
  the vtable map variable for class Foo is made to point to the set.
  During compile time, when the compiler is inserting verification
  calls into the program, it passes the vtable map variable for the
  appropriate class to the verification call, so that at runtime the
  verification call can find the appropriate data set.

  The actual set of valid vtable pointers for a virtual class,
  e.g. class Foo, cannot be built until runtime, when the vtables get
  loaded into memory and their addresses are known.  But the knowledge
  about which vtables belong in which class' hierarchy is only known
  at compile time.  Therefore at compile time we collect class
  hierarchy and vtable information about every virtual class, and we
  generate calls to build up the data sets at runtime.  To build the
  data sets, we call one of the functions we add to the runtime
  library, __VLTRegisterPair.  __VLTRegisterPair takes two arguments,
  a vtable map variable and the address of a vtable.  If the vtable
  map variable is currently NULL, it creates a new data set (hash
  table), makes the vtable map variable point to the new data set, and
  inserts the vtable address into the data set.  If the vtable map
  variable is not NULL, it just inserts the vtable address into the
  data set.  In order to make sure that our data sets are built before
  any verification calls happen, we create a special constructor
  initialization function for each compilation unit, give it a very
  high initialization priority, and insert all of our calls to
  __VLTRegisterPair into our special constructor initialization
  function.

  The vtable verification feature is controlled by the flag
  '-fvtable-verify='.  There are three flavors of this:
  '-fvtable-verify=std', '-fvtable-verify=preinit', and
  '-fvtable-verify=none'.  If the option '-fvtable-verfy=preinit' is
  used, then our constructor initialization function gets put into the
  preinit array.  This is necessary if there are data sets that need
  to be built very early in execution.  If the constructor
  initialization function gets put into the preinit array, the we also
  add calls to __VLTChangePermission at the beginning and end of the
  function.  The call at the beginning sets the permissions on the
  data sets and vtable map variables to read/write, and the one at the
  end makes them read-only.  If the '-fvtable-verify=std' option is
  used, the constructor initialization functions are executed at their
  normal time, and the __VLTChangePermission calls are handled
  differently (see the comments in libstdc++-v3/libsupc++/vtv_rts.cc).
  The option '-fvtable-verify=none' turns off vtable verification.

  This file contains code for the tree pass that goes through all the
  statements in each basic block, looking for virtual calls, and
  inserting a call to __VLTVerifyVtablePointer (with appropriate
  arguments) before each one.  It also contains the hash table
  functions for the data structures used for collecting the class
  hierarchy data and building/maintaining the vtable map variable data
  are defined in gcc/vtable-verify.h.  These data structures are
  shared with the code in the C++ front end that collects the class
  hierarchy & vtable information and generates the vtable map
  variables (see cp/vtable-class-hierarchy.c).  This tree pass should
  run just before the gimple is converted to RTL.

  Some implementation details for this pass:

  To find all of the virtual calls, we iterate through all the
  gimple statements in each basic block, looking for any call
  statement with the code "OBJ_TYPE_REF".  Once we have found the
  virtual call, we need to find the vtable pointer through which the
  call is being made, and the type of the object containing the
  pointer (to find the appropriate vtable map variable).  We then use
  these to build a call to __VLTVerifyVtablePointer, passing the
  vtable map variable, and the vtable pointer.  We insert the
  verification call just after the gimple statement that gets the
  vtable pointer out of the object, and we update the next
  statement to depend on the result returned from
  __VLTVerifyVtablePointer (the vtable pointer value), to ensure
  subsequent compiler phases don't remove or reorder the call (it's no
  good to have the verification occur after the virtual call, for
  example).  To find the vtable pointer being used (and the type of
  the object) we search backwards through the def_stmts chain from the
  virtual call (see verify_bb_vtables for more details).  
int total_num_verified_vcalls = 0
int total_num_virtual_calls = 0
   Keep track of how many virtual calls we are actually verifying.  
tree verify_vtbl_ptr_fndecl = NULL_TREE
vtbl_map_table_type vtbl_map_hash
static
   Vtable map variable nodes stored in a hash table.  
vec<struct vtbl_map_node *> vtbl_map_nodes_vec
   Vtable map variable nodes stored in a vector.