Skip to content

[MTE] Disable all MTE protection of globals in sections #78443

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jan 22, 2024
Merged

[MTE] Disable all MTE protection of globals in sections #78443

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions clang/test/CodeGen/memtag-globals-asm.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -271,6 +271,10 @@ CONSTRUCTOR(".ctors") func_t func_ctors = func_constructor;
CONSTRUCTOR(".dtors") func_t func_dtors = func_constructor;
CONSTRUCTOR(".init_array") func_t func_init_array = func_constructor;
CONSTRUCTOR(".fini_array") func_t func_fini_array = func_constructor;
CONSTRUCTOR(".preinit_array") func_t preinit_array = func_constructor;
CONSTRUCTOR("array_of_globals") int global1;
CONSTRUCTOR("array_of_globals") int global2;
CONSTRUCTOR("array_of_globals") int global_string;

// CHECK-NOT: .memtag func_constructor
// CHECK-NOT: .memtag func_init
Expand All @@ -279,3 +283,7 @@ CONSTRUCTOR(".fini_array") func_t func_fini_array = func_constructor;
// CHECK-NOT: .memtag func_dtors
// CHECK-NOT: .memtag func_init_array
// CHECK-NOT: .memtag func_fini_array
// CHECK-NOT: .memtag preinit_array
// CHECK-NOT: .memtag global1
// CHECK-NOT: .memtag global2
// CHECK-NOT: .memtag global_string
26 changes: 19 additions & 7 deletions llvm/lib/Target/AArch64/AArch64GlobalsTagging.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,13 +43,25 @@ static bool shouldTagGlobal(GlobalVariable &G) {
return false;
}

// Don't instrument function pointers that are going into various init arrays
// via `__attribute__((section(<foo>)))`:
// https://github.com/llvm/llvm-project/issues/69939
if (G.hasSection() &&
(G.getSection() == ".init" || G.getSection() == ".fini" ||
G.getSection() == ".init_array" || G.getSection() == ".fini_array" ||
G.getSection() == ".ctors" || G.getSection() == ".dtors")) {
// Globals can be placed implicitly or explicitly in sections. There's two
// different types of globals that meet this criteria that cause problems:
// 1. Function pointers that are going into various init arrays (either
// explicitly through `__attribute__((section(<foo>)))` or implicitly
// through `__attribute__((constructor)))`, such as ".(pre)init(_array)",
// ".fini(_array)", ".ctors", and ".dtors". These function pointers end up
// overaligned and overpadded, making iterating over them problematic, and
// each function pointer is individually tagged (so the iteration over
// them causes SIGSEGV/MTE[AS]ERR).
// 2. Global variables put into an explicit section, where the section's name
// is a valid C-style identifier. The linker emits a `__start_<name>` and
// `__stop_<na,e>` symbol for the section, so that you can iterate over
// globals within this section. Unfortunately, again, these globals would
// be tagged and so iteration causes SIGSEGV/MTE[AS]ERR.
//
// To mitigate both these cases, and because specifying a section is rare
// outside of these two cases, disable MTE protection for globals in any
// section.
if (G.hasSection()) {
Meta.Memtag = false;
G.setSanitizerMetadata(Meta);
return false;
Expand Down