Add IRGen support for reads and writes to imported __ptrauth qualified field function pointers

meg-gupta · meg-gupta · commit 01154c679e43 · 2023-01-24T16:09:19.000-08:00
Access to such pointers are protected by begin_access [signed]/end_access.
Generate code to auth/sign them before access.
diff --git a/lib/IRGen/Callee.h b/lib/IRGen/Callee.h
@@ -78,6 +78,9 @@ namespace irgen {
                                 llvm::Value *storageAddress,
                                 const PointerAuthEntity &entity);
 
+    static PointerAuthInfo emit(IRGenModule &IGM,
+                                clang::PointerAuthQualifier pointerAuthQual);
+
     static PointerAuthInfo forFunctionPointer(IRGenModule &IGM,
                                               CanSILFunctionType fnType);
 
diff --git a/lib/IRGen/GenPointerAuth.cpp b/lib/IRGen/GenPointerAuth.cpp
@@ -238,6 +238,15 @@ PointerAuthInfo PointerAuthInfo::emit(IRGenFunction &IGF,
   return PointerAuthInfo(key, discriminator);
 }
 
+PointerAuthInfo
+PointerAuthInfo::emit(IRGenModule &IGM,
+                      clang::PointerAuthQualifier pointerAuthQual) {
+  return PointerAuthInfo(
+      pointerAuthQual.getKey(),
+      llvm::ConstantInt::get(IGM.Int64Ty,
+                             pointerAuthQual.getExtraDiscriminator()));
+}
+
 llvm::ConstantInt *
 PointerAuthInfo::getOtherDiscriminator(IRGenModule &IGM,
                                        const PointerAuthSchema &schema,
diff --git a/lib/IRGen/IRGenSIL.cpp b/lib/IRGen/IRGenSIL.cpp
@@ -5750,7 +5750,6 @@ void IRGenSILFunction::visitBeginAccessInst(BeginAccessInst *access) {
 
   case SILAccessEnforcement::Static:
   case SILAccessEnforcement::Unsafe:
-  case SILAccessEnforcement::Signed:
     // nothing to do
     setLoweredAddress(access, addr);
     return;
@@ -5773,6 +5772,41 @@ void IRGenSILFunction::visitBeginAccessInst(BeginAccessInst *access) {
     setLoweredDynamicallyEnforcedAddress(access, addr, scratch);
     return;
   }
+  case SILAccessEnforcement::Signed: {
+    auto &ti = getTypeInfo(access->getType());
+    auto *sea = cast<StructElementAddrInst>(access->getOperand());
+    auto *Int64PtrTy = llvm::Type::getInt64PtrTy(IGM.getLLVMContext());
+    auto *Int64PtrPtrTy = Int64PtrTy->getPointerTo();
+    if (access->getAccessKind() == SILAccessKind::Read) {
+      // When we see a signed read access, generate code to:
+      // authenticate the signed pointer, and store the authenticated value to a
+      // shadow stack location. Set the lowered address of the access to this
+      // stack location.
+      auto pointerAuthQual = sea->getField()->getPointerAuthQualifier();
+      auto *pointerToSignedFptr = getLoweredAddress(sea).getAddress();
+      auto *pointerToIntPtr =
+          Builder.CreateBitCast(pointerToSignedFptr, Int64PtrPtrTy);
+      auto *signedFptr = Builder.CreateLoad(pointerToIntPtr, Int64PtrTy,
+                                            IGM.getPointerAlignment());
+      auto *unsignedFptr = emitPointerAuthAuth(
+          *this, signedFptr, PointerAuthInfo::emit(IGM, pointerAuthQual));
+      auto temp = ti.allocateStack(*this, access->getType(), "ptrauth.temp");
+      auto *tempAddressToIntPtr =
+          Builder.CreateBitCast(temp.getAddressPointer(), Int64PtrPtrTy);
+      Builder.CreateStore(unsignedFptr, tempAddressToIntPtr,
+                          IGM.getPointerAlignment());
+      setLoweredAddress(access, temp.getAddress());
+      return;
+    }
+    if (access->getAccessKind() == SILAccessKind::Modify) {
+      // When we see a signed modify access, create a shadow stack location and
+      // set the lowered address of the access to this stack location.
+      auto temp = ti.allocateStack(*this, access->getType(), "ptrauth.temp");
+      setLoweredAddress(access, temp.getAddress());
+      return;
+    }
+    llvm_unreachable("Incompatible access kind with begin_access [signed]");
+  }
   }
   llvm_unreachable("bad access enforcement");
 }
@@ -5837,7 +5871,6 @@ void IRGenSILFunction::visitEndAccessInst(EndAccessInst *i) {
 
   case SILAccessEnforcement::Static:
   case SILAccessEnforcement::Unsafe:
-  case SILAccessEnforcement::Signed:
     // nothing to do
     return;
 
@@ -5854,6 +5887,35 @@ void IRGenSILFunction::visitEndAccessInst(EndAccessInst *i) {
     Builder.CreateLifetimeEnd(scratch);
     return;
   }
+
+  case SILAccessEnforcement::Signed: {
+    if (access->getAccessKind() != SILAccessKind::Modify) {
+      // nothing to do.
+      return;
+    }
+    // When we see a signed modify access, get the lowered address of the
+    // access which is the shadow stack slot, sign the value and write back to
+    // the struct field.
+    auto *Int64PtrTy = llvm::Type::getInt64PtrTy(IGM.getLLVMContext());
+    auto *Int64PtrPtrTy = Int64PtrTy->getPointerTo();
+    auto pointerAuthQual = cast<StructElementAddrInst>(access->getOperand())
+                               ->getField()
+                               ->getPointerAuthQualifier();
+    auto tempAddress = getLoweredAddress(access);
+    auto *tempAddressToIntPtr =
+        Builder.CreateBitCast(tempAddress.getAddress(), Int64PtrPtrTy);
+    auto *tempAddressValue = Builder.CreateLoad(tempAddressToIntPtr, Int64PtrTy,
+                                                IGM.getPointerAlignment());
+    auto *signedFptr = emitPointerAuthSign(
+        *this, tempAddressValue, PointerAuthInfo::emit(IGM, pointerAuthQual));
+
+    auto *pointerToSignedFptr =
+        getLoweredAddress(access->getOperand()).getAddress();
+    auto *pointerToIntPtr =
+        Builder.CreateBitCast(pointerToSignedFptr, Int64PtrPtrTy);
+    Builder.CreateStore(signedFptr, pointerToIntPtr, IGM.getPointerAlignment());
+    return;
+  }
   }
   llvm_unreachable("bad access enforcement");
 }
diff --git a/test/IRGen/Inputs/module.modulemap b/test/IRGen/Inputs/module.modulemap
@@ -31,3 +31,7 @@ module SynthesizedProtocol {
   header "synthesized_protocol.h"
   export *
 }
+
+module PointerAuth {
+   header "ptrauth_field_fptr_import.h"
+ }
diff --git a/test/IRGen/Inputs/ptrauth_field_fptr_import.h b/test/IRGen/Inputs/ptrauth_field_fptr_import.h
@@ -0,0 +1,12 @@
+#ifndef TEST_C_FUNCTION
+#define TEST_C_FUNCTION
+
+int returnInt() {
+  return 111;
+}
+struct SecureStruct {
+   int  (* __ptrauth(2, 0, 88)(secure_func_ptr))();
+};
+
+struct SecureStruct* ptr_to_secure_struct;
+#endif
diff --git a/test/IRGen/ptrauth_field_fptr_import.swift b/test/IRGen/ptrauth_field_fptr_import.swift
@@ -0,0 +1,47 @@
+// RUN: %swift-frontend %s -enable-import-ptrauth-field-function-pointers -emit-ir -target arm64e-apple-ios13.0 -I %S/Inputs/ -validate-tbd-against-ir=none 2>&1 | %FileCheck %s
+
+import PointerAuth
+
+// CHECK: define hidden swiftcc i32 @"$s25ptrauth_field_fptr_import05test_B8_fn_reads5Int32VyF"() #0 {
+// CHECK: [[LD:%.*]] = load i64, i64* bitcast (%struct.SecureStruct** @ptr_to_secure_struct to i64*), align 8
+// CHECK: 5:                                                ; preds = %entry
+// CHECK:   [[CAST0:%.*]] = inttoptr i64 [[LD]] to i8*
+// CHECK:   br label %12
+// CHECK: 12:
+// CHECK:   [[SECURESTRUCT:%.*]] = phi i8* [ [[CAST0]], %5 ]
+// CHECK:   [[CAST1:%.*]] = bitcast i8* [[SECURESTRUCT]] to %TSo12SecureStructV*
+// CHECK:   %.secure_func_ptr = getelementptr inbounds %TSo12SecureStructV, %TSo12SecureStructV* %14, i32 0, i32 0
+// CHECK:   [[CAST2:%.*]] = bitcast %Ts5Int32VIetCd_Sg* %.secure_func_ptr to i64*
+// CHECK:   [[PTR:%.*]] = load i64*, i64** [[CAST2]], align 8
+// CHECK:   [[SIGNEDINT:%.*]] = ptrtoint i64* [[PTR]] to i64
+// CHECK:   [[AUTHVAL:%.*]] = call i64 @llvm.ptrauth.auth(i64 [[SIGNEDINT]], i32 2, i64 88)
+// CHECK:   [[AUTHPTR:%.*]] = inttoptr i64 [[AUTHVAL]] to i64*
+// CHECK:   [[TMPCAST1:%.*]] = bitcast %Ts5Int32VIetCd_Sg* %ptrauth.temp to i64**
+// CHECK:   store i64* [[AUTHPTR]], i64** [[TMPCAST1]], align 8
+// CHECK:   [[TMPCAST2:%.*]] = bitcast %Ts5Int32VIetCd_Sg* %ptrauth.temp to i64*
+// CHECK:   [[FUNCPTR:%.*]] = load i64, i64* [[TMPCAST2]], align 8
+func test_field_fn_read() -> Int32 {
+  let fn = ptr_to_secure_struct!.pointee.secure_func_ptr!
+  return fn()
+}
+
+// CHECK-LABEL: define hidden swiftcc void @"$s25ptrauth_field_fptr_import05test_B14_fn_ptr_modifyyyF"() #0 {
+// CHECK: 11:                                               ; preds = %4
+// CHECK:   [[SECURESTRUCT:%.*]] = phi i8* [ %5, %4 ]
+// CHECK:   [[CAST1:%.*]] = bitcast i8* [[SECURESTRUCT]] to %TSo12SecureStructV*
+// CHECK:   %.secure_func_ptr = getelementptr inbounds %TSo12SecureStructV, %TSo12SecureStructV* [[CAST1]], i32 0, i32 0
+// CHECK:   [[CAST2:%.*]] = bitcast %Ts5Int32VIetCd_Sg* %ptrauth.temp to i64*
+// CHECK:   store i64 ptrtoint ({ i8*, i32, i64, i64 }* @returnInt.ptrauth to i64), i64* [[CAST2]], align 8
+// CHECK:   [[CAST3:%.*]] = bitcast %Ts5Int32VIetCd_Sg* %ptrauth.temp to i64**
+// CHECK:   [[LD:%.*]] = load i64*, i64** [[CAST3]], align 8
+// CHECK:   [[CAST4:%.*]] = ptrtoint i64* [[LD]] to i64
+// CHECK:   [[SIGN:%.*]] = call i64 @llvm.ptrauth.sign(i64 [[CAST4]], i32 2, i64 88)
+// CHECK:   [[CAST5:%.*]] = inttoptr i64 [[SIGN]] to i64*
+// CHECK:   [[CAST6:%.*]] = bitcast %Ts5Int32VIetCd_Sg* %.secure_func_ptr to i64**
+// CHECK:   store i64* [[CAST5]], i64** [[CAST6]], align 8
+func test_field_fn_ptr_modify() {
+  ptr_to_secure_struct!.pointee.secure_func_ptr = returnInt
+}
+
+print(test_field_fn_read())
+print(test_field_fn_ptr_modify())

Original file line number	Diff line number	Diff line change
`@@ -31,3 +31,7 @@ module SynthesizedProtocol {`
`31`	`31`	`header "synthesized_protocol.h"`
`32`	`32`	`export *`
`33`	`33`	`}`
	`34`	`+`
	`35`	`+module PointerAuth {`
	`36`	`+ header "ptrauth_field_fptr_import.h"`
	`37`	`+ }`