Apply 0023-dynfixup-aslr.patch

Author: dpaoliello

clang/include/clang/Basic/Attr.td

@@ -5255,3 +5255,10 @@ def NonString : InheritableAttr {
   let Subjects = SubjectList<[Var, Field]>;
   let Documentation = [NonStringDocs];
 }
+
+def DynamicFixup : InheritableAttr {
+  let Spellings = [Declspec<"dynfixup">];
+  let Subjects = SubjectList<[ExternalGlobalVar]>;
+  let LangOpts = [MicrosoftExt];
+  let Documentation = [Undocumented];
+}

clang/lib/CodeGen/CodeGenModule.cpp

@@ -5310,6 +5310,14 @@ CodeGenModule::GetOrCreateLLVMGlobal(StringRef MangledName, llvm::Type *Ty,
         isExternallyVisible(D->getLinkageAndVisibility().getLinkage()))
       GV->setSection(".cp.rodata");
 
+    // Propagate MSVC dynamic fixup attribute for globals for further handling
+    // in target(s).
+    if (getTriple().isWindowsMSVCEnvironment() &&
+        D->getLanguageLinkage() == CLanguageLinkage &&
+        isExternallyVisible(D->getLinkageAndVisibility().getLinkage()))
+      if (const DynamicFixupAttr *DA = D->getAttr<DynamicFixupAttr>())
+        GV->addAttribute("msvc_dynfixup");
+
     // Handle code model attribute
     if (const auto *CMA = D->getAttr<CodeModelAttr>())
       GV->setCodeModel(CMA->getModel());

clang/lib/Sema/SemaDeclAttr.cpp

@@ -6961,6 +6961,11 @@ static void handleVTablePointerAuthentication(Sema &S, Decl *D,
       CustomDiscriminationValue));
 }
 
+static void handleDynamicFixup(Sema &S, Decl *D,
+                               const ParsedAttr &AL) {
+  D->addAttr(::new ( S.Context) DynamicFixupAttr(S.Context, AL));
+}
+
 //===----------------------------------------------------------------------===//
 // Top Level Sema Entry Points
 //===----------------------------------------------------------------------===//
@@ -7885,6 +7890,11 @@ ProcessDeclAttribute(Sema &S, Scope *scope, Decl *D, const ParsedAttr &AL,
   case ParsedAttr::AT_VTablePointerAuthentication:
     handleVTablePointerAuthentication(S, D, AL);
     break;
+
+  case ParsedAttr::AT_DynamicFixup:
+    handleDynamicFixup(S, D, AL);
+    break;
+
   }
 }
 

llvm/include/llvm/MC/MCExpr.h

@@ -196,6 +196,7 @@ class MCSymbolRefExpr : public MCExpr {
   // a cleaner approach.
   enum VariantKind : uint16_t {
     VK_COFF_IMGREL32 = 3, // symbol@imgrel (image-relative)
+    VK_COFF_DYNFIXUP, // Absolute relocation for external tooling
 
     FirstTargetSpecifier,
   };

llvm/lib/Target/AArch64/AArch64AsmPrinter.cpp

@@ -3563,6 +3563,15 @@ const MCExpr *AArch64AsmPrinter::lowerConstant(const Constant *CV,
                                                const Constant *BaseCV,
                                                uint64_t Offset) {
   if (const GlobalValue *GV = dyn_cast<GlobalValue>(CV)) {
+
+    // Check for dynamic fixup in the constant pool and propagate to the symbol
+    // reference
+    if (const auto *GVar = dyn_cast<llvm::GlobalVariable>(GV)) {
+        if (GVar->hasAttribute("msvc_dynfixup"))
+          return MCSymbolRefExpr::create(MCInstLowering.GetGlobalValueSymbol(GV, 0),
+                                         MCSymbolRefExpr::VK_COFF_DYNFIXUP,
+                                         OutContext);
+    }
     return MCSymbolRefExpr::create(MCInstLowering.GetGlobalValueSymbol(GV, 0),
                                    OutContext);
   }

llvm/lib/Target/AArch64/AArch64ISelLowering.cpp

@@ -9890,6 +9890,17 @@ SDValue AArch64TargetLowering::LowerGlobalAddress(SDValue Op,
   }
 
   SDValue Result;
+  SDLoc DL(GN);
+  EVT PtrVT = getPointerTy(DAG.getDataLayout());
+
+  // Dynamic fixups require an absolute relocation, so lower to a load from the
+  // constant pool where this relocation can be applied.
+  if ((OpFlags & AArch64II::MO_DYNFIXUP) != 0) {
+    Result = DAG.getTargetConstantPool(GV, PtrVT, Align(8));
+    Result = DAG.getNode(AArch64ISD::LOADgot, DL, PtrVT, Result);
+    return Result;
+  }
+
   if (getTargetMachine().getCodeModel() == CodeModel::Large &&
       !getTargetMachine().isPositionIndependent()) {
     Result = getAddrLarge(GN, DAG, OpFlags);
@@ -9898,8 +9909,6 @@ SDValue AArch64TargetLowering::LowerGlobalAddress(SDValue Op,
   } else {
     Result = getAddr(GN, DAG, OpFlags);
   }
-  EVT PtrVT = getPointerTy(DAG.getDataLayout());
-  SDLoc DL(GN);
   if (OpFlags & (AArch64II::MO_DLLIMPORT | AArch64II::MO_COFFSTUB))
     Result = DAG.getLoad(PtrVT, DL, DAG.getEntryNode(), Result,
                          MachinePointerInfo::getGOT(DAG.getMachineFunction()));

llvm/lib/Target/AArch64/AArch64Subtarget.cpp

@@ -24,6 +24,7 @@
 #include "llvm/CodeGen/MachineFrameInfo.h"
 #include "llvm/CodeGen/MachineScheduler.h"
 #include "llvm/IR/GlobalValue.h"
+#include "llvm/IR/GlobalVariable.h"
 #include "llvm/Support/SipHash.h"
 #include "llvm/TargetParser/AArch64TargetParser.h"
 
@@ -464,6 +465,14 @@ AArch64Subtarget::ClassifyGlobalReference(const GlobalValue *GV,
   if (TM.getCodeModel() == CodeModel::Large && isTargetMachO())
     return AArch64II::MO_GOT;
 
+  // MSVC Dynamic fixup requires a an absolute relocation.  Load from constant
+  // pool and apply that relocation there.
+  if (const auto *GVar = dyn_cast<llvm::GlobalVariable>(GV)) {
+    if (GVar->hasAttribute("msvc_dynfixup")) {
+      return AArch64II::MO_DYNFIXUP;
+    }
+  }
+
   // All globals dynamically protected by MTE must have their address tags
   // synthesized. This is done by having the loader stash the tag in the GOT
   // entry. Force all tagged globals (even ones with internal linkage) through

llvm/lib/Target/AArch64/MCTargetDesc/AArch64MCAsmInfo.cpp

@@ -33,6 +33,7 @@ static cl::opt<AsmWriterVariantTy> AsmWriterVariant(
 
 const MCAsmInfo::AtSpecifier COFFAtSpecifiers[] = {
     {MCSymbolRefExpr::VK_COFF_IMGREL32, "IMGREL"},
+    {MCSymbolRefExpr::VK_COFF_DYNFIXUP, "DYNFIXUP"},
     {AArch64::S_MACHO_PAGEOFF, "PAGEOFF"},
 };
 

llvm/lib/Target/AArch64/MCTargetDesc/AArch64WinCOFFObjectWriter.cpp

@@ -47,6 +47,7 @@ class AArch64WinCOFFObjectWriter : public MCWinCOFFObjectTargetWriter {
 unsigned AArch64WinCOFFObjectWriter::getRelocType(
     MCContext &Ctx, const MCValue &Target, const MCFixup &Fixup,
     bool IsCrossSection, const MCAsmBackend &MAB) const {
+
   unsigned FixupKind = Fixup.getKind();
   bool PCRel = Fixup.isPCRel();
   if (IsCrossSection) {
@@ -105,7 +106,10 @@ unsigned AArch64WinCOFFObjectWriter::getRelocType(
     }
 
   case FK_Data_8:
-    return COFF::IMAGE_REL_ARM64_ADDR64;
+    if (Spec == MCSymbolRefExpr::VK_COFF_DYNFIXUP)
+      return COFF::IMAGE_REL_ARM64_ABSOLUTE;
+    else
+      return COFF::IMAGE_REL_ARM64_ADDR64;
 
   case FK_SecRel_2:
     return COFF::IMAGE_REL_ARM64_SECTION;

llvm/lib/Target/AArch64/Utils/AArch64BaseInfo.h

@@ -883,6 +883,13 @@ enum TOF {
   /// uses "__imp_aux".  For other symbols, this means it uses the mangled
   /// ("#" prefix for C) name.
   MO_ARM64EC_CALLMANGLE = 0x800,
+
+  /// MO_DYNFIXUP - This flag indicates that this symbol will be dynamically
+  // fixed up -- first by the linker, and then potentially at runtime.
+  // Reference it from the literal pool with an ABS relocation
+  // N.B. Never stored so does not exceed 12 bits associated with target flags
+  MO_DYNFIXUP = 0x1000,
+
 };
 } // end namespace AArch64II