libffi: patches to support software CFI

Author: lewurm

truffle/src/libffi/patches/linux-amd64-musl-swcfi/swcfi-0001-If-other-methods-fail-attempt-to-use-mprotect-in-ffi.patch

@@ -0,0 +1,72 @@
+From 3aa0ebdd2ee6b5634443d7464f1e37be5c20786e Mon Sep 17 00:00:00 2001
+From: Gilles Duboscq <[email protected]>
+Date: Wed, 23 Apr 2025 18:42:40 +0200
+Subject: [PATCH 1/3] If other methods fail, attempt to use mprotect in
+ ffi_tramp_init_os
+
+---
+ src/tramp.c | 39 ++++++++++++++++++++++++++++-----------
+ 1 file changed, 28 insertions(+), 11 deletions(-)
+
+diff --git a/src/tramp.c b/src/tramp.c
+index 8ec0848..7edaebc 100644
+--- a/src/tramp.c
++++ b/src/tramp.c
+@@ -289,7 +289,10 @@ ffi_tramp_init_os (void)
+ {
+   if (ffi_tramp_get_libffi ())
+     return 1;
+-  return ffi_tramp_get_temp_file ();
++  if (ffi_tramp_get_temp_file ())
++    return 1;
++  // try to allocate with the mprotect fall-back
++  return tramp_table_alloc ();
+ }
+ 
+ #endif /* defined (__linux__) || defined (__CYGWIN__) */
+@@ -347,18 +350,32 @@ tramp_table_map (struct tramp_table *table)
+   if (addr == MAP_FAILED)
+     return 0;
+ 
+-  /*
+-   * Replace the top half of the anonymous mapping with the code table mapping.
+-   */
+-  table->code_table = mmap (addr, tramp_globals.map_size, PROT_READ | PROT_EXEC,
+-    MAP_PRIVATE | MAP_FIXED, tramp_globals.fd, tramp_globals.offset);
+-  if (table->code_table == MAP_FAILED)
++  if (tramp_globals.fd != -1)
+     {
+-      (void) munmap (addr, tramp_globals.map_size * 2);
+-      return 0;
++      /*
++       * Replace the top half of the anonymous mapping with the code table mapping.
++       */
++      table->code_table = mmap(addr, tramp_globals.map_size, PROT_READ | PROT_EXEC,
++                               MAP_PRIVATE | MAP_FIXED, tramp_globals.fd, tramp_globals.offset);
++      if (table->code_table != MAP_FAILED) {
++        table->parm_table = table->code_table + tramp_globals.map_size;
++        return 1;
++      }
+     }
+-  table->parm_table = table->code_table + tramp_globals.map_size;
+-  return 1;
++
++  /*
++   * Try to copy the trampolines and mprotect
++   */
++  memcpy(addr, tramp_globals.text, tramp_globals.map_size);
++  if (mprotect(addr, tramp_globals.map_size, PROT_READ | PROT_EXEC) == 0)
++  {
++    table->code_table = addr;
++    table->parm_table = table->code_table + tramp_globals.map_size;
++    return 1;
++  }
++
++  (void) munmap (addr, tramp_globals.map_size * 2);
++  return 0;
+ }
+ 
+ static void
+-- 
+2.43.0
+

truffle/src/libffi/patches/linux-amd64-musl-swcfi/swcfi-0002-Add-support-__SANDBOX_SWCFI__-in-unix64.S-and-win64.patch

@@ -0,0 +1,255 @@
+From 4900a67c4daabedbf83b563d77830c3f1c6eb599 Mon Sep 17 00:00:00 2001
+From: Gilles Duboscq <[email protected]>
+Date: Wed, 23 Apr 2025 18:45:10 +0200
+Subject: [PATCH 2/3] Add support __SANDBOX_SWCFI__ in unix64.S and win64.S
+
+This mode requires a software check for jump targets.
+---
+ src/x86/internal64.h |  4 +++
+ src/x86/unix64.S     | 30 ++++++++++++++++++++
+ src/x86/win64.S      | 65 +++++++++++++++++++++++++++++++++++++++++++-
+ 3 files changed, 98 insertions(+), 1 deletion(-)
+
+diff --git a/src/x86/internal64.h b/src/x86/internal64.h
+index 282b408..7142645 100644
+--- a/src/x86/internal64.h
++++ b/src/x86/internal64.h
+@@ -29,7 +29,11 @@
+ #define UNIX64_TRAMP_MAP_SHIFT	12
+ #define UNIX64_TRAMP_MAP_SIZE	(1 << UNIX64_TRAMP_MAP_SHIFT)
+ #ifdef ENDBR_PRESENT
++#ifdef __SANDBOX_SWCFI__
++#define UNIX64_TRAMP_SIZE	48
++#else
+ #define UNIX64_TRAMP_SIZE	40
++#endif
+ #else
+ #define UNIX64_TRAMP_SIZE	32
+ #endif
+diff --git a/src/x86/unix64.S b/src/x86/unix64.S
+index d9c5bd4..10d9c8d 100644
+--- a/src/x86/unix64.S
++++ b/src/x86/unix64.S
+@@ -98,6 +98,13 @@ L(ret_from_load_sse):
+ 
+ 	/* Deallocate the reg arg area, except for r10, then load via pop.  */
+ 	leaq	0xb8(%r10), %rsp
++#ifdef __SANDBOX_SWCFI__
++	movl	(%r11), %r10d
++	addl	$0x5e1f00d, %r10d
++	jz	1f
++	int3
++1:
++#endif
+ 	popq	%r10
+ 
+ 	/* Call the user function.  */
+@@ -126,6 +133,13 @@ L(UW2):
+ #endif
+ 	leaq	(%r11, %r10, 8), %r10
+ 
++#ifdef __SANDBOX_SWCFI__
++	movl	(%r10), %r11d
++	addl	$0x5e1f00d, %r11d
++	jz	1f
++	int3
++1:
++#endif
+ 	/* Prep for the structure cases: scratch area in redzone.  */
+ 	leaq	-20(%rsp), %rsi
+ 	jmp	*%r10
+@@ -318,6 +332,13 @@ L(UW10):
+ 	addl	%r10d, %r10d
+ #endif
+ 	leaq	(%r11, %r10, 8), %r10
++#ifdef __SANDBOX_SWCFI__
++	movl	(%r10), %r11d
++	addl	$0x5e1f00d, %r11d
++	jz	1f
++	int3
++1:
++#endif
+ 	leaq	ffi_closure_RED_RVALUE(%rsp), %rsi
+ 	jmp	*%r10
+ 
+@@ -538,6 +559,15 @@ C(trampoline_code_table):
+ 	movl	X86_CODE_OFFSET(%rip), %r10d	/* Copy code into %r10 */
+ #else
+ 	movq	X86_CODE_OFFSET(%rip), %r10	/* Copy code into %r10 */
++#endif
++#ifdef __SANDBOX_SWCFI__
++	pushq	%rdi
++	movl	(%r10), %edi
++	addl	$0x5e1f00d, %edi
++	jz	1f
++	int3
++1:
++	popq	%rdi
+ #endif
+ 	jmp	*%r10				/* Jump to code */
+ 	.align	8
+diff --git a/src/x86/win64.S b/src/x86/win64.S
+index 58ec6a1..d1a180a 100644
+--- a/src/x86/win64.S
++++ b/src/x86/win64.S
+@@ -27,7 +27,10 @@
+    actual table.  The entry points into the table are all 8 bytes.
+    The use of ORG asserts that we're at the correct location.  */
+ /* ??? The clang assembler doesn't handle .org with symbolic expressions.  */
+-#if defined(__clang__) || defined(__APPLE__) || (defined (__sun__) && defined(__svr4__))
++#ifdef __SANDBOX_SWCFI__
++/* Triple slot size to 24 byte to add ENDBR64 and jump for ret.  */
++# define E(BASE, X)	.balign 8; .org BASE + (X) * 24
++#elif defined(__clang__) || defined(__APPLE__) || (defined (__sun__) && defined(__svr4__))
+ # define E(BASE, X)	.balign 8
+ #else
+ # define E(BASE, X)	.balign 8; .org BASE + (X) * 8
+@@ -73,18 +76,58 @@ C(ffi_call_win64):
+ 	movq	24(%rsp), %r9
+ 	movsd	24(%rsp), %xmm3
+ 
++#ifdef __SANDBOX_SWCFI__
++	movq	16(%rbp), %r11
++	pushq	%r10
++	movl	(%r11), %r10d
++	addl	$0x5e1f00d, %r10d
++	jz	1f
++	int3
++1:
++	popq	%r10
++	call	*%r11
++#else
+ 	call	*16(%rbp)
++#endif
+ 
+ 	movl	24(%rbp), %ecx
+ 	movq	32(%rbp), %r8
+ 	leaq	0f(%rip), %r10
+ 	cmpl	$FFI_TYPE_SMALL_STRUCT_4B, %ecx
++
++#ifdef __SANDBOX_SWCFI__
++	/* avoid leave in this mode, use larger slots (3*8) */
++	ja	99f
++	movl	%ecx, %r11d
++	addl	%ecx, %ecx
++	addl	%r11d, %ecx
++	leaq	(%r10, %rcx, 8), %r10
++	movl	(%r10), %ecx
++	addl	$0x5e1f00d, %ecx
++	jz	1f
++	int3
++1:
++	jmp	*%r10
++
++#define jmp_target		\
++	_CET_ENDBR
++#define epilogue		\
++	movq	%rbp, %rsp;	\
++	popq	%rbp;		\
++	cfi_remember_state;	\
++	cfi_def_cfa(%rsp, 8);	\
++	cfi_restore(%rbp);	\
++	ret;			\
++	cfi_restore_state
++#else
++
+ 	leaq	(%r10, %rcx, 8), %r10
+ 	ja	99f
+ 	_CET_NOTRACK jmp *%r10
+ 
+ /* Below, we're space constrained most of the time.  Thus we eschew the
+    modern "mov, pop, ret" sequence (5 bytes) for "leave, ret" (2 bytes).  */
++#define jmp_target
+ #define epilogue		\
+ 	leaveq;			\
+ 	cfi_remember_state;	\
+@@ -92,66 +135,86 @@ C(ffi_call_win64):
+ 	cfi_restore(%rbp);	\
+ 	ret;			\
+ 	cfi_restore_state
++#endif
+ 
+ 	.align	8
+ 0:
+ E(0b, FFI_TYPE_VOID)
++	jmp_target
+ 	epilogue
+ E(0b, FFI_TYPE_INT)
++	jmp_target
+ 	movslq	%eax, %rax
+ 	movq	%rax, (%r8)
+ 	epilogue
+ E(0b, FFI_TYPE_FLOAT)
++	jmp_target
+ 	movss	%xmm0, (%r8)
+ 	epilogue
+ E(0b, FFI_TYPE_DOUBLE)
++	jmp_target
+ 	movsd	%xmm0, (%r8)
+ 	epilogue
+ // FFI_TYPE_LONGDOUBLE may be FFI_TYPE_DOUBLE but we need a different value here.
+ E(0b, FFI_TYPE_DOUBLE + 1)
++	jmp_target
+ 	call	PLT(C(abort))
+ E(0b, FFI_TYPE_UINT8)
++	jmp_target
+ 	movzbl	%al, %eax
+ 	movq	%rax, (%r8)
+ 	epilogue
+ E(0b, FFI_TYPE_SINT8)
++	jmp_target
+ 	movsbq	%al, %rax
+ 	jmp	98f
+ E(0b, FFI_TYPE_UINT16)
++	jmp_target
+ 	movzwl	%ax, %eax
+ 	movq	%rax, (%r8)
+ 	epilogue
+ E(0b, FFI_TYPE_SINT16)
++	jmp_target
+ 	movswq	%ax, %rax
+ 	jmp	98f
+ E(0b, FFI_TYPE_UINT32)
++	jmp_target
+ 	movl	%eax, %eax
+ 	movq	%rax, (%r8)
+ 	epilogue
+ E(0b, FFI_TYPE_SINT32)
++	jmp_target
+ 	movslq	%eax, %rax
+ 	movq	%rax, (%r8)
+ 	epilogue
+ E(0b, FFI_TYPE_UINT64)
++	jmp_target
+ 98:	movq	%rax, (%r8)
+ 	epilogue
+ E(0b, FFI_TYPE_SINT64)
++	jmp_target
+ 	movq	%rax, (%r8)
+ 	epilogue
+ E(0b, FFI_TYPE_STRUCT)
++	jmp_target
+ 	epilogue
+ E(0b, FFI_TYPE_POINTER)
++	jmp_target
+ 	movq	%rax, (%r8)
+ 	epilogue
+ E(0b, FFI_TYPE_COMPLEX)
++	jmp_target
+ 	call	PLT(C(abort))
+ E(0b, FFI_TYPE_SMALL_STRUCT_1B)
++	jmp_target
+ 	movb	%al, (%r8)
+ 	epilogue
+ E(0b, FFI_TYPE_SMALL_STRUCT_2B)
++	jmp_target
+ 	movw	%ax, (%r8)
+ 	epilogue
+ E(0b, FFI_TYPE_SMALL_STRUCT_4B)
++	jmp_target
+ 	movl	%eax, (%r8)
+ 	epilogue
+ 
+-- 
+2.43.0
+

truffle/src/libffi/patches/linux-amd64-musl-swcfi/swcfi-0003-Also-run-alternative-ABI-tests-on-clang.patch

@@ -0,0 +1,25 @@
+From b92f010761442c7a44fbf5972a259dedcdf27624 Mon Sep 17 00:00:00 2001
+From: Gilles Duboscq <[email protected]>
+Date: Wed, 23 Apr 2025 21:28:04 +0200
+Subject: [PATCH 3/3] Also run alternative ABI tests on clang
+
+---
+ testsuite/lib/libffi.exp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/testsuite/lib/libffi.exp b/testsuite/lib/libffi.exp
+index b5731db..607013d 100644
+--- a/testsuite/lib/libffi.exp
++++ b/testsuite/lib/libffi.exp
+@@ -537,7 +537,7 @@ proc run-many-tests { testcases extra_flags } {
+     info exists env(LD_LIBRARY_PATH)
+ 
+     set targetabis { "" }
+-    if [string match $compiler_vendor "gnu"] {
++    if { [string match $compiler_vendor "gnu"] || [string match $compiler_vendor "clang"] } then {
+         if [libffi_feature_test "#ifdef __i386__"] {
+             set targetabis {
+                 ""
+-- 
+2.43.0
+