[libc] address CRs

Author: SchrodingerZhu

libc/config/config.json

@@ -104,7 +104,7 @@
       "value": true,
       "doc": "Make setjmp save the value of x18, and longjmp restore it. The AArch64 ABI delegates this register to platform ABIs, which can choose whether to make it caller-saved."
     },
-    "LIBC_CONF_SETJMP_ENABLE_FORTIFICATION": {
+    "LIBC_CONF_SETJMP_FORTIFICATION": {
       "value": true,
       "doc": "Protect jmp_buf by masking its contents and storing a simple checksum, to make it harder for an attacker to read meaningful information from a jmp_buf or to modify it. This is only supported on x86-64 Linux."
     }

libc/docs/configure.rst

@@ -55,7 +55,7 @@ to learn about the defaults for your platform and target.
     - ``LIBC_CONF_SCANF_DISABLE_INDEX_MODE``: Disable index mode in the scanf format string.
 * **"setjmp" options**
     - ``LIBC_CONF_SETJMP_AARCH64_RESTORE_PLATFORM_REGISTER``: Make setjmp save the value of x18, and longjmp restore it. The AArch64 ABI delegates this register to platform ABIs, which can choose whether to make it caller-saved.
-    - ``LIBC_CONF_SETJMP_ENABLE_FORTIFICATION``: Protect jmp_buf by masking its contents and storing a simple checksum, to make it harder for an attacker to read meaningful information from a jmp_buf or to modify it. This is only supported on x86-64 Linux.
+    - ``LIBC_CONF_SETJMP_FORTIFICATION``: Protect jmp_buf by masking its contents and storing a simple checksum, to make it harder for an attacker to read meaningful information from a jmp_buf or to modify it. This is only supported on x86-64 Linux.
 * **"string" options**
     - ``LIBC_CONF_MEMSET_X86_USE_SOFTWARE_PREFETCHING``: Inserts prefetch for write instructions (PREFETCHW) for memset on x86 to recover performance when hardware prefetcher is disabled.
     - ``LIBC_CONF_STRING_UNSAFE_WIDE_READ``: Read more than a byte at a time to perform byte-string operations like strlen.

libc/src/setjmp/CMakeLists.txt

@@ -2,7 +2,7 @@ if(EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/${LIBC_TARGET_OS})
   add_subdirectory(${CMAKE_CURRENT_SOURCE_DIR}/${LIBC_TARGET_OS})
 endif()
 
-if (LIBC_CONF_SETJMP_ENABLE_FORTIFICATION)
+if (LIBC_CONF_SETJMP_FORTIFICATION)
   if (TARGET libc.src.setjmp.${LIBC_TARGET_OS}.checksum
       AND LIBC_TARGET_ARCHITECTURE STREQUAL "x86_64")
     add_object_library(
@@ -12,11 +12,11 @@ if (LIBC_CONF_SETJMP_ENABLE_FORTIFICATION)
         .${LIBC_TARGET_OS}.checksum
     )
     set(fortification_deps libc.src.setjmp.checksum)
-    set(fortification_defs -DLIBC_COPT_SETJMP_ENABLE_FORTIFICATION=1)
+    set(fortification_defs -DLIBC_COPT_SETJMP_FORTIFICATION=1)
   else()
     message(WARNING "Jmpbuf fortification is enabled but not supported for target ${LIBC_TARGET_ARCHITECTURE} ${LIBC_TARGET_OS}")
     set(fortification_deps)
-    set(fortification_defs -DLIBC_COPT_SETJMP_ENABLE_FORTIFICATION=0)
+    set(fortification_defs -DLIBC_COPT_SETJMP_FORTIFICATION=0)
   endif()
 endif()
 

libc/src/setjmp/x86_64/checksum.def

@@ -0,0 +1,34 @@
+//===-- Common macros for jmpbuf checksum -----------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+// For now, the checksum is computed with a simple multiply-xor-rotation
+// algorithm. The pesudo code is as follows:
+//
+// def checksum(x, acc):
+//     masked = x ^ MASK
+//     high, low = full_multiply(masked, acc)
+//     return rotate(high ^ low, ROTATION)
+//
+// Similar other multiplication-based hashing, zero inputs
+// for the `full_multiply` function may pollute the checksum with zero.
+// However, user inputs are always masked where the initial ACC amd MASK are
+// generated with random entropy and ROTATION is a fixed prime number. It should
+// be of a ultra-low chance for masked or acc being zero given a good quality of
+// system-level entropy.
+
+#define ACCUMULATE_CHECKSUM()                                                  \
+  "mul %[checksum]\n\t"                                                        \
+  "xor %%rax, %[checksum]\n\t"                                                 \
+  "rol $%c[rotation], %[checksum]\n\t"
+
+#define LOAD_CHKSUM_STATE_REGISTERS()                                          \
+  asm("mov %[value_mask], %[mask]\n\t"                                         \
+      "mov %[checksum_cookie], %[checksum]\n\t"                                \
+      : [mask] "=r"(mask), [checksum] "=r"(checksum)                           \
+      : [value_mask] "m"(jmpbuf::value_mask), [checksum_cookie] "m"(           \
+                                                  jmpbuf::checksum_cookie));

libc/src/setjmp/x86_64/longjmp.cpp

@@ -11,7 +11,7 @@
 #include "src/__support/common.h"
 #include "src/__support/macros/config.h"
 
-#if LIBC_COPT_SETJMP_ENABLE_FORTIFICATION
+#if LIBC_COPT_SETJMP_FORTIFICATION
 #include "src/setjmp/checksum.h"
 #endif
 
@@ -26,18 +26,8 @@ namespace LIBC_NAMESPACE_DECL {
   "adcl $0x0, %%esi\n\t"                                                       \
   "movq %%rsi, %%rax\n\t"
 
-#if LIBC_COPT_SETJMP_ENABLE_FORTIFICATION
-#define ACCUMULATE_CHECKSUM()                                                  \
-  "mul %[checksum]\n\t"                                                        \
-  "xor %%rax, %[checksum]\n\t"                                                 \
-  "rol $%c[rotation], %[checksum]\n\t"
-
-#define LOAD_CHKSUM_STATE_REGISTERS()                                          \
-  asm("mov %[value_mask], %[mask]\n\t"                                         \
-      "mov %[checksum_cookie], %[checksum]\n\t"                                \
-      : [mask] "=r"(mask), [checksum] "=r"(checksum)                           \
-      : [value_mask] "m"(jmpbuf::value_mask), [checksum_cookie] "m"(           \
-                                                  jmpbuf::checksum_cookie));
+#if LIBC_COPT_SETJMP_FORTIFICATION
+#include "src/setjmp/x86_64/checksum.def"
 
 // clang-format off
 #define RESTORE_REG(DST)                                                       \
@@ -81,7 +71,7 @@ namespace LIBC_NAMESPACE_DECL {
       RESTORE_RIP()
       // clang-format on
       : /* outputs */
-#if LIBC_COPT_SETJMP_ENABLE_FORTIFICATION
+#if LIBC_COPT_SETJMP_FORTIFICATION
       [mask] "+r"(mask), [checksum] "+r"(checksum)
 #endif
       : /* inputs */
@@ -90,7 +80,7 @@ namespace LIBC_NAMESPACE_DECL {
       [r14] "i"(offsetof(__jmp_buf, r14)), [r15] "i"(offsetof(__jmp_buf, r15)),
       [rsp] "i"(offsetof(__jmp_buf, rsp)),
       [rip] "i"(offsetof(__jmp_buf, rip))
-#if LIBC_COPT_SETJMP_ENABLE_FORTIFICATION
+#if LIBC_COPT_SETJMP_FORTIFICATION
       // clang-format off
       ,[rotation] "i"(jmpbuf::ROTATION)
       ,[__chksum] "i"(offsetof(__jmp_buf, __chksum))

libc/src/setjmp/x86_64/setjmp.cpp

@@ -11,26 +11,16 @@
 #include "src/__support/macros/config.h"
 #include "src/setjmp/setjmp_impl.h"
 
-#if LIBC_COPT_SETJMP_ENABLE_FORTIFICATION
+#if LIBC_COPT_SETJMP_FORTIFICATION
 #include "src/setjmp/checksum.h"
 #endif
 
 #if !defined(LIBC_TARGET_ARCH_IS_X86)
 #error "Invalid file include"
 #endif
 
-#if LIBC_COPT_SETJMP_ENABLE_FORTIFICATION
-#define ACCUMULATE_CHECKSUM()                                                  \
-  "mul %[checksum]\n\t"                                                        \
-  "xor %%rax, %[checksum]\n\t"                                                 \
-  "rol $%c[rotation], %[checksum]\n\t"
-
-#define LOAD_CHKSUM_STATE_REGISTERS()                                          \
-  asm("mov %[value_mask], %[mask]\n\t"                                         \
-      "mov %[checksum_cookie], %[checksum]\n\t"                                \
-      : [mask] "=r"(mask), [checksum] "=r"(checksum)                           \
-      : [value_mask] "m"(jmpbuf::value_mask), [checksum_cookie] "m"(           \
-                                                  jmpbuf::checksum_cookie));
+#if LIBC_COPT_SETJMP_FORTIFICATION
+#include "src/setjmp/x86_64/checksum.def"
 
 #define STORE_REG(SRC)                                                         \
   "mov %%" #SRC ", %%rax\n\t"                                                  \
@@ -80,7 +70,7 @@ LLVM_LIBC_FUNCTION(int, setjmp, (jmp_buf buf)) {
     STORE_CHECKSUM()
       // clang-format on
       :
-#if LIBC_COPT_SETJMP_ENABLE_FORTIFICATION
+#if LIBC_COPT_SETJMP_FORTIFICATION
       [checksum] "+r"(checksum)
 #endif
       :
@@ -89,7 +79,7 @@ LLVM_LIBC_FUNCTION(int, setjmp, (jmp_buf buf)) {
       [r14] "i"(offsetof(__jmp_buf, r14)), [r15] "i"(offsetof(__jmp_buf, r15)),
       [rsp] "i"(offsetof(__jmp_buf, rsp)),
       [rip] "i"(offsetof(__jmp_buf, rip))
-#if LIBC_COPT_SETJMP_ENABLE_FORTIFICATION
+#if LIBC_COPT_SETJMP_FORTIFICATION
       // clang-format off
       ,[rotation] "i"(jmpbuf::ROTATION)
       ,[__chksum] "i"(offsetof(__jmp_buf, __chksum))

libc/startup/linux/CMakeLists.txt

@@ -88,12 +88,12 @@ endif()
 
 add_subdirectory(${LIBC_TARGET_ARCHITECTURE})
 
-if (LIBC_CONF_SETJMP_ENABLE_FORTIFICATION AND LIBC_TARGET_ARCHITECTURE STREQUAL "x86_64")
+if (LIBC_CONF_SETJMP_FORTIFICATION AND LIBC_TARGET_ARCHITECTURE STREQUAL "x86_64")
   set(jmpbuf_fortification_deps libc.src.setjmp.checksum)  
-  set(jmpbuf_fortification_defs -DLIBC_COPT_SETJMP_ENABLE_FORTIFICATION=1)
+  set(jmpbuf_fortification_defs -DLIBC_COPT_SETJMP_FORTIFICATION=1)
 else()
   set(jmpbuf_fortification_deps)
-  set(jmpbuf_fortification_defs -DLIBC_COPT_SETJMP_ENABLE_FORTIFICATION=0)
+  set(jmpbuf_fortification_defs -DLIBC_COPT_SETJMP_FORTIFICATION=0)
 endif()
 
 add_object_library(

libc/startup/linux/do_start.cpp

@@ -21,7 +21,7 @@
 #include <sys/mman.h>
 #include <sys/syscall.h>
 
-#if LIBC_COPT_SETJMP_ENABLE_FORTIFICATION
+#if LIBC_COPT_SETJMP_FORTIFICATION
 #include "src/setjmp/checksum.h"
 #endif
 
@@ -135,7 +135,7 @@ void teardown_main_tls() { cleanup_tls(tls.addr, tls.size); }
   if (tls.size != 0 && !set_thread_ptr(tls.tp))
     syscall_impl<long>(SYS_exit, 1);
 
-#if LIBC_COPT_SETJMP_ENABLE_FORTIFICATION
+#if LIBC_COPT_SETJMP_FORTIFICATION
   jmpbuf::initialize();
 #endif