From 771c6b44dd035329df336152747fcc689b405199 Mon Sep 17 00:00:00 2001 From: Igor Tsimbalist Date: Fri, 20 Oct 2017 16:03:07 +0200 Subject: [PATCH] Add documentation for fcf-protection option and nocf_check attribute gcc/doc/ * extend.texi: Add 'nocf_check' documentation. * gimple.texi: Add second parameter to gimple_build_call_from_tree. * invoke.texi: Add -fcf-protection documentation. * rtl.texi: Add REG_CALL_NOTRACK documenation. From-SVN: r253938 --- gcc/ChangeLog | 8 +++++++ gcc/doc/extend.texi | 52 +++++++++++++++++++++++++++++++++++++++++++++ gcc/doc/gimple.texi | 12 ++++++----- gcc/doc/invoke.texi | 23 ++++++++++++++++++++ gcc/doc/rtl.texi | 16 ++++++++++++++ 5 files changed, 106 insertions(+), 5 deletions(-) diff --git a/gcc/ChangeLog b/gcc/ChangeLog index 054907b3fee..42fc979fcf1 100644 --- a/gcc/ChangeLog +++ b/gcc/ChangeLog @@ -1,3 +1,11 @@ +2017-10-20 Igor Tsimbalist + + * extend.texi: Add 'nocf_check' documentation. + * gimple.texi: Add second parameter to + gimple_build_call_from_tree. + * invoke.texi: Add -fcf-protection documentation. + * rtl.texi: Add REG_CALL_NOTRACK documenation. + 2017-10-20 Richard Biener PR tree-optimization/82473 diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi index 768751f58a1..71d638f05c0 100644 --- a/gcc/doc/extend.texi +++ b/gcc/doc/extend.texi @@ -5690,6 +5690,58 @@ Specify which floating-point unit to use. You must specify the @code{target("fpmath=sse,387")} option as @code{target("fpmath=sse+387")} because the comma would separate different options. + +@item nocf_check +@cindex @code{nocf_check} function attribute +The @code{nocf_check} attribute on a function is used to inform the +compiler that the function's prologue should not be instrumented when +compiled with the @option{-fcf-protection=branch} option. The +compiler assumes that the function's address is a valid target for a +control-flow transfer. + +The @code{nocf_check} attribute on a type of pointer to function is +used to inform the compiler that a call through the pointer should +not be instrumented when compiled with the +@option{-fcf-protection=branch} option. The compiler assumes +that the function's address from the pointer is a valid target for +a control-flow transfer. A direct function call through a function +name is assumed to be a safe call thus direct calls are not +instrumented by the compiler. + +The @code{nocf_check} attribute is applied to an object's type. +In case of assignment of a function address or a function pointer to +another pointer, the attribute is not carried over from the right-hand +object's type; the type of left-hand object stays unchanged. The +compiler checks for @code{nocf_check} attribute mismatch and reports +a warning in case of mismatch. + +@smallexample +@{ +int foo (void) __attribute__(nocf_check); +void (*foo1)(void) __attribute__(nocf_check); +void (*foo2)(void); + +int +foo (void) /* The function's address is assumed to be valid. */ + + /* This call site is not checked for control-flow validity. */ + (*foo1)(); + + foo1 = foo2; /* A warning is printed about attribute mismatch. */ + /* This call site is still not checked for control-flow validity. */ + (*foo1)(); + + /* This call site is checked for control-flow validity. */ + (*foo2)(); + + foo2 = foo1; /* A warning is printed about attribute mismatch. */ + /* This call site is still checked for control-flow validity. */ + (*foo2)(); + + return 0; +@} +@end smallexample + @end table On the x86, the inliner does not inline a diff --git a/gcc/doc/gimple.texi b/gcc/doc/gimple.texi index 635abd39b6e..fa98800a675 100644 --- a/gcc/doc/gimple.texi +++ b/gcc/doc/gimple.texi @@ -1310,11 +1310,13 @@ operand is validated with @code{is_gimple_operand}). @end deftypefn -@deftypefn {GIMPLE function} gcall *gimple_build_call_from_tree (tree call_expr) -Build a @code{GIMPLE_CALL} from a @code{CALL_EXPR} node. The arguments and the -function are taken from the expression directly. This routine -assumes that @code{call_expr} is already in GIMPLE form. That is, its -operands are GIMPLE values and the function call needs no further +@deftypefn {GIMPLE function} gcall *gimple_build_call_from_tree (tree call_expr, @ +tree fnptrtype) +Build a @code{GIMPLE_CALL} from a @code{CALL_EXPR} node. The arguments +and the function are taken from the expression directly. The type of the +@code{GIMPLE_CALL} is set from the second parameter passed by a caller. +This routine assumes that @code{call_expr} is already in GIMPLE form. +That is, its operands are GIMPLE values and the function call needs no further simplification. All the call flags in @code{call_expr} are copied over to the new @code{GIMPLE_CALL}. @end deftypefn diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi index 8dd32f559fc..7b1a697d5bb 100644 --- a/gcc/doc/invoke.texi +++ b/gcc/doc/invoke.texi @@ -461,6 +461,7 @@ Objective-C and Objective-C++ Dialects}. -fchkp-check-read -fchkp-check-write -fchkp-store-bounds @gol -fchkp-instrument-calls -fchkp-instrument-marked-only @gol -fchkp-use-wrappers -fchkp-flexible-struct-trailing-arrays@gol +-fcf-protection==@r{[}full@r{|}branch@r{|}return@r{|}none@r{]} @gol -fstack-protector -fstack-protector-all -fstack-protector-strong @gol -fstack-protector-explicit -fstack-check @gol -fstack-limit-register=@var{reg} -fstack-limit-symbol=@var{sym} @gol @@ -11418,6 +11419,28 @@ is used to link a program, the GCC driver automatically links against @file{libmpxwrappers}. See also @option{-static-libmpxwrappers}. Enabled by default. +@item -fcf-protection==@r{[}full@r{|}branch@r{|}return@r{|}none@r{]} +@opindex fcf-protection +Enable code instrumentation of control-flow transfers to increase +program security by checking that target addresses of control-flow +transfer instructions (such as indirect function call, function return, +indirect jump) are valid. This prevents diverting the flow of control +to an unexpected target. This is intended to protect against such +threats as Return-oriented Programming (ROP), and similarly +call/jmp-oriented programming (COP/JOP). + +The value @code{branch} tells the compiler to implement checking of +validity of control-flow transfer at the point of indirect branch +instructions, i.e. call/jmp instructions. The value @code{return} +implements checking of validity at the point of returning from a +function. The value @code{full} is an alias for specifying both +@code{branch} and @code{return}. The value @code{none} turns off +instrumentation. + +You can also use the @code{nocf_check} attribute to identify +which functions and calls should be skipped from instrumentation +(@pxref{Function Attributes}). + @item -fstack-protector @opindex fstack-protector Emit extra code to check for buffer overflows, such as stack smashing diff --git a/gcc/doc/rtl.texi b/gcc/doc/rtl.texi index 3b2b24748b8..8b474160030 100644 --- a/gcc/doc/rtl.texi +++ b/gcc/doc/rtl.texi @@ -4040,6 +4040,22 @@ is used in place of the actual insn pattern. This is done in cases where the pattern is either complex or misleading. @end table +The note @code{REG_CALL_NOCF_CHECK} is used in conjunction with the +@option{-fcf-protection=branch} option. The note is set if a +@code{nocf_check} attribute is specified for a function type or a +pointer to function type. The note is stored in the @code{REG_NOTES} +field of an insn. + +@table @code +@findex REG_CALL_NOCF_CHECK +@item REG_CALL_NOCF_CHECK +Users have control through the @code{nocf_check} attribute to identify +which calls to a function should be skipped from control-flow instrumentation +when the option @option{-fcf-protection=branch} is specified. The compiler +puts a @code{REG_CALL_NOCF_CHECK} note on each @code{CALL_INSN} instruction +that has a function type marked with a @code{nocf_check} attribute. +@end table + For convenience, the machine mode in an @code{insn_list} or @code{expr_list} is printed using these symbolic codes in debugging dumps. -- 2.30.2