[libc] address CRs

Author: SchrodingerZhu

libc/config/config.json

@@ -106,7 +106,7 @@
     },
     "LIBC_CONF_SETJMP_ENABLE_FORTIFICATION": {
       "value": true,
-      "doc": "Enable fortification for setjmp and longjmp."
+      "doc": "Protect jmp_buf by masking its contents and storing a simple checksum, to make it harder for an attacker to read meaningful information from a jmp_buf or to modify it. This is only supported on x86-64 Linux."
     }
   },
   "time": {

libc/docs/configure.rst

@@ -55,7 +55,7 @@ to learn about the defaults for your platform and target.
     - ``LIBC_CONF_SCANF_DISABLE_INDEX_MODE``: Disable index mode in the scanf format string.
 * **"setjmp" options**
     - ``LIBC_CONF_SETJMP_AARCH64_RESTORE_PLATFORM_REGISTER``: Make setjmp save the value of x18, and longjmp restore it. The AArch64 ABI delegates this register to platform ABIs, which can choose whether to make it caller-saved.
-    - ``LIBC_CONF_SETJMP_ENABLE_FORTIFICATION``: Enable fortification for setjmp and longjmp.
+    - ``LIBC_CONF_SETJMP_ENABLE_FORTIFICATION``: Protect jmp_buf by masking its contents and storing a simple checksum, to make it harder for an attacker to read meaningful information from a jmp_buf or to modify it. This is only supported on x86-64 Linux.
 * **"string" options**
     - ``LIBC_CONF_MEMSET_X86_USE_SOFTWARE_PREFETCHING``: Inserts prefetch for write instructions (PREFETCHW) for memset on x86 to recover performance when hardware prefetcher is disabled.
     - ``LIBC_CONF_STRING_UNSAFE_WIDE_READ``: Read more than a byte at a time to perform byte-string operations like strlen.

libc/src/setjmp/CMakeLists.txt

@@ -1,24 +1,28 @@
-if(EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/${LIBC_TARGET_ARCHITECTURE})
-  add_subdirectory(${CMAKE_CURRENT_SOURCE_DIR}/${LIBC_TARGET_ARCHITECTURE})
+if(EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/${LIBC_TARGET_OS})
+  add_subdirectory(${CMAKE_CURRENT_SOURCE_DIR}/${LIBC_TARGET_OS})
 endif()
 
 if (LIBC_CONF_SETJMP_ENABLE_FORTIFICATION)
-  set(checksum_flags "-DLIBC_COPT_SETJMP_ENABLE_FORTIFICATION=1")
-else()
-  set(checksum_flags "-DLIBC_COPT_SETJMP_ENABLE_FORTIFICATION=0")
+  if (TARGET libc.src.setjmp.${LIBC_TARGET_OS}.checksum
+      AND LIBC_TARGET_ARCHITECTURE STREQUAL "x86_64")
+    add_object_library(
+      checksum
+      ALIAS
+      DEPENDS
+        .${LIBC_TARGET_OS}.checksum
+    )
+    set(fortification_deps libc.src.setjmp.checksum)
+    set(fortification_defs -DLIBC_COPT_SETJMP_ENABLE_FORTIFICATION=1)
+  else()
+    message(WARNING "Jmpbuf fortification is enabled but not supported for target ${LIBC_TARGET_ARCHITECTURE} ${LIBC_TARGET_OS}")
+    set(fortification_deps)
+    set(fortification_defs -DLIBC_COPT_SETJMP_ENABLE_FORTIFICATION=0)
+  endif()
 endif()
 
-
-add_header_library(
-  checksum
-  HDRS
-    checksum.h
-  DEPENDS
-    libc.src.__support.common
-    libc.src.__support.OSUtil.osutil
-  COMPILE_OPTIONS
-    ${checksum_flags}
-)
+if(EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/${LIBC_TARGET_ARCHITECTURE})
+  add_subdirectory(${CMAKE_CURRENT_SOURCE_DIR}/${LIBC_TARGET_ARCHITECTURE})
+endif()
 
 add_entrypoint_object(
   setjmp

libc/src/setjmp/checksum.h

@@ -9,38 +9,19 @@
 #ifndef LLVM_LIBC_SRC_SETJMP_CHECKSUM_H
 #define LLVM_LIBC_SRC_SETJMP_CHECKSUM_H
 
-#ifndef LIBC_COPT_SETJMP_ENABLE_FORTIFICATION
-#define LIBC_COPT_SETJMP_ENABLE_FORTIFICATION 1
-#endif
-
-#if LIBC_COPT_SETJMP_ENABLE_FORTIFICATION
-#include "src/__support/OSUtil/syscall.h"
-#include "src/__support/macros/config.h"
-#include <sys/syscall.h>
+#include "src/__support/common.h"
 
 namespace LIBC_NAMESPACE_DECL {
 namespace jmpbuf {
-// random bytes from https://www.random.org/cgi-bin/randbyte?nbytes=8&format=h
-LIBC_INLINE __UINTPTR_TYPE__ value_mask = 0x3899'f0d3'5005'd953;
-LIBC_INLINE __UINT64_TYPE__ checksum_cookie = 0xc7d9'd341'6afc'33f2;
+
+extern __UINTPTR_TYPE__ value_mask;
+extern __UINT64_TYPE__ checksum_cookie;
+
 // abitrary prime number
 LIBC_INLINE constexpr __UINT64_TYPE__ ROTATION = 13;
-// initialize the checksum state
-LIBC_INLINE void initialize() {
-  union {
-    struct {
-      __UINTPTR_TYPE__ entropy0;
-      __UINT64_TYPE__ entropy1;
-    };
-    char buffer[sizeof(__UINTPTR_TYPE__) + sizeof(__UINT64_TYPE__)];
-  };
-  syscall_impl<long>(SYS_getrandom, buffer, sizeof(buffer), 0);
-  // add in additional entropy
-  jmpbuf::value_mask ^= entropy0;
-  jmpbuf::checksum_cookie ^= entropy1;
-}
+void initialize();
+extern "C" [[gnu::cold, noreturn]] void __libc_jmpbuf_corruption();
 } // namespace jmpbuf
 } // namespace LIBC_NAMESPACE_DECL
-#endif // LIBC_SETJMP_ENABLE_FORTIFICATION
 
 #endif // LLVM_LIBC_SRC_SETJMP_CHECKSUM_H

libc/src/setjmp/linux/CMakeLists.txt

@@ -0,0 +1,11 @@
+add_object_library(
+  checksum
+  SRCS
+  checksum.cpp
+  HDRS
+    ../checksum.h
+  DEPENDS
+    libc.src.__support.common
+    libc.src.__support.OSUtil.osutil
+    libc.src.stdlib.abort
+)

libc/src/setjmp/linux/checksum.cpp

@@ -0,0 +1,42 @@
+//===-- Implementation for jmpbuf checksum ----------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#include "src/setjmp/checksum.h"
+#include "src/__support/OSUtil/io.h"
+#include "src/stdlib/abort.h"
+#include <sys/syscall.h>
+
+namespace LIBC_NAMESPACE_DECL {
+namespace jmpbuf {
+// random bytes from https://www.random.org/cgi-bin/randbyte?nbytes=8&format=h
+// the cookie should not be zero otherwise it will be a bad seed as a multiplier
+__UINTPTR_TYPE__ value_mask = 0x3899'f0d3'5005'd953;
+__UINT64_TYPE__ checksum_cookie = 0xc7d9'd341'6afc'33f2;
+
+// initialize the checksum state
+void initialize() {
+  union {
+    struct {
+      __UINTPTR_TYPE__ entropy0;
+      __UINT64_TYPE__ entropy1;
+    };
+    char buffer[sizeof(__UINTPTR_TYPE__) + sizeof(__UINT64_TYPE__)];
+  };
+  syscall_impl<long>(SYS_getrandom, buffer, sizeof(buffer), 0);
+  // add in additional entropy
+  jmpbuf::value_mask ^= entropy0;
+  jmpbuf::checksum_cookie ^= entropy1;
+}
+
+extern "C" [[gnu::cold, noreturn]] void __libc_jmpbuf_corruption() {
+  write_to_stderr("invalid checksum detected in longjmp\n");
+  abort();
+}
+
+} // namespace jmpbuf
+} // namespace LIBC_NAMESPACE_DECL

libc/src/setjmp/x86_64/CMakeLists.txt

@@ -6,9 +6,10 @@ add_entrypoint_object(
     ../setjmp_impl.h
   DEPENDS
     libc.hdr.types.jmp_buf
-    libc.src.setjmp.checksum
+    ${fortification_deps}
   COMPILE_OPTIONS
     -O3
+    ${fortification_defs}
 )
 
 add_entrypoint_object(
@@ -19,10 +20,9 @@ add_entrypoint_object(
     ../longjmp.h
   DEPENDS
     libc.hdr.types.jmp_buf
-    libc.src.stdlib.abort
-    libc.src.__support.OSUtil.osutil
-    libc.src.setjmp.checksum
+    ${fortification_deps}
   COMPILE_OPTIONS
     -O3
     -fomit-frame-pointer
+    ${fortification_defs}
 )

libc/src/setjmp/x86_64/longjmp.cpp

@@ -8,61 +8,68 @@
 
 #include "src/setjmp/longjmp.h"
 #include "include/llvm-libc-macros/offsetof-macro.h"
-#include "src/__support/OSUtil/io.h"
 #include "src/__support/common.h"
 #include "src/__support/macros/config.h"
+
+#if LIBC_COPT_SETJMP_ENABLE_FORTIFICATION
 #include "src/setjmp/checksum.h"
-#include "src/stdlib/abort.h"
+#endif
 
 #if !defined(LIBC_TARGET_ARCH_IS_X86)
 #error "Invalid file include"
 #endif
 
 namespace LIBC_NAMESPACE_DECL {
 
+#define CALCULATE_RETURN_VALUE()                                               \
+  "cmpl $0x1, %%esi\n\t"                                                       \
+  "adcl $0x0, %%esi\n\t"                                                       \
+  "movq %%rsi, %%rax\n\t"
+
 #if LIBC_COPT_SETJMP_ENABLE_FORTIFICATION
-extern "C" [[gnu::cold, noreturn]] void __libc_jmpbuf_corruption() {
-  write_to_stderr("invalid checksum detected in longjmp\n");
-  abort();
-}
+#define ACCUMULATE_CHECKSUM()                                                  \
+  "mul %[checksum]\n\t"                                                        \
+  "xor %%rax, %[checksum]\n\t"                                                 \
+  "rol $%c[rotation], %[checksum]\n\t"
+
 #define LOAD_CHKSUM_STATE_REGISTERS()                                          \
-  asm("mov %0, %%rcx\n\t" ::"m"(jmpbuf::value_mask) : "rcx");                  \
-  asm("mov %0, %%rdx\n\t" ::"m"(jmpbuf::checksum_cookie) : "rdx");
+  asm("mov %[value_mask], %[mask]\n\t"                                         \
+      "mov %[checksum_cookie], %[checksum]\n\t"                                \
+      : [mask] "=r"(mask), [checksum] "=r"(checksum)                           \
+      : [value_mask] "m"(jmpbuf::value_mask), [checksum_cookie] "m"(           \
+                                                  jmpbuf::checksum_cookie));
 
+// clang-format off
 #define RESTORE_REG(DST)                                                       \
   "movq %c[" #DST "](%%rdi), %%rax\n\t"                                        \
   "movq %%rax, %%" #DST "\n\t"                                                 \
-  "xor %%rcx, %%" #DST "\n\t"                                                  \
-  "mul %%rdx\n\t"                                                              \
-  "xor %%rax, %%rdx\n\t"                                                       \
-  "rol $%c[rotation], %%rdx\n\t"
+  "xor %[mask], %%" #DST "\n\t"                                                \
+  ACCUMULATE_CHECKSUM()
 
 #define RESTORE_RIP()                                                          \
   "movq %c[rip](%%rdi), %%rax\n\t"                                             \
-  "xor %%rax, %%rcx\n\t"                                                       \
-  "mul %%rdx\n\t"                                                              \
-  "xor %%rax, %%rdx\n\t"                                                       \
-  "rol $%c[rotation], %%rdx\n\t"                                               \
-  "cmp %c[chksum](%%rdi), %%rdx\n\t"                                           \
+  "xor %%rax, %[mask]\n\t"                                                     \
+  ACCUMULATE_CHECKSUM()                                                        \
+  "cmp %c[__chksum](%%rdi), %%rdx\n\t"                                         \
   "jne __libc_jmpbuf_corruption\n\t"                                           \
-  "cmpl $0x1, %%esi\n\t"                                                       \
-  "adcl $0x0, %%esi\n\t"                                                       \
-  "movq %%rsi, %%rax\n\t"                                                      \
-  "jmp *%%rcx\n\t"
+  CALCULATE_RETURN_VALUE()                                                     \
+  "jmp *%[mask]\n\t"
+// clang-format on
 #else
 #define LOAD_CHKSUM_STATE_REGISTERS()
 #define RESTORE_REG(DST) "movq %c[" #DST "](%%rdi), %%" #DST "\n\t"
 #define RESTORE_RIP()                                                          \
-  "cmpl $0x1, %%esi\n\t"                                                       \
-  "adcl $0x0, %%esi\n\t"                                                       \
-  "movq %%rsi, %%rax\n\t"                                                      \
+  CALCULATE_RETURN_VALUE()                                                     \
   "jmpq *%c[rip](%%rdi)\n\t"
 #endif
 
-[[gnu::naked]]
-LLVM_LIBC_FUNCTION(void, longjmp, (jmp_buf, int)) {
+[[gnu::naked]] LLVM_LIBC_FUNCTION(void, longjmp, (jmp_buf, int)) {
+  // use registers to make sure values propagate correctly across the asm blocks
+  [[maybe_unused]] register __UINTPTR_TYPE__ mask asm("rcx");
+  [[maybe_unused]] register __UINT64_TYPE__ checksum asm("rdx");
+
   LOAD_CHKSUM_STATE_REGISTERS()
-  asm(
+  asm volatile(
       // clang-format off
       RESTORE_REG(rbx)
       RESTORE_REG(rbp)
@@ -73,18 +80,23 @@ LLVM_LIBC_FUNCTION(void, longjmp, (jmp_buf, int)) {
       RESTORE_REG(rsp)
       RESTORE_RIP()
       // clang-format on
-      ::[rbx] "i"(offsetof(__jmp_buf, rbx)),
-      [rbp] "i"(offsetof(__jmp_buf, rbp)), [r12] "i"(offsetof(__jmp_buf, r12)),
-      [r13] "i"(offsetof(__jmp_buf, r13)), [r14] "i"(offsetof(__jmp_buf, r14)),
-      [r15] "i"(offsetof(__jmp_buf, r15)), [rsp] "i"(offsetof(__jmp_buf, rsp)),
+      : /* outputs */
+#if LIBC_COPT_SETJMP_ENABLE_FORTIFICATION
+      [mask] "+r"(mask), [checksum] "+r"(checksum)
+#endif
+      : /* inputs */
+      [rbx] "i"(offsetof(__jmp_buf, rbx)), [rbp] "i"(offsetof(__jmp_buf, rbp)),
+      [r12] "i"(offsetof(__jmp_buf, r12)), [r13] "i"(offsetof(__jmp_buf, r13)),
+      [r14] "i"(offsetof(__jmp_buf, r14)), [r15] "i"(offsetof(__jmp_buf, r15)),
+      [rsp] "i"(offsetof(__jmp_buf, rsp)),
       [rip] "i"(offsetof(__jmp_buf, rip))
 #if LIBC_COPT_SETJMP_ENABLE_FORTIFICATION
       // clang-format off
       ,[rotation] "i"(jmpbuf::ROTATION)
-      ,[chksum] "i"(offsetof(__jmp_buf, __chksum))
+      ,[__chksum] "i"(offsetof(__jmp_buf, __chksum))
   // clang-format on
 #endif
-      : "rax", "rdx", "rcx", "rsi");
+      : "rax", "rsi");
 }
 
 } // namespace LIBC_NAMESPACE_DECL