From: Claudiu Zissulescu <claudiu.zissulescu-iancule...@oracle.com>

Hi,

Please find a new series of patches that implements stack sanitizer
using AArch64 MTE instructions. This new series is based on Indu's
previous patch series.

What is new:
 - Introduces a new target instruction tag_memory.
 - Introduces a new target hook to deal with tag computation
   (TARGET_MEMTAG_COMPOSE_OFFSET_TAG).
 - Simplify the stg/st2g instruction patterns to accept POST/PRE
   modify type of addresses.
 - Minimize asan.cc modification.
 - Add execution tests.
 - Improve and fix emitting stg/st2g instructions.
 - Various text improvements.

Thank you,
Claudiu

======================================
MTE on AArch64 and Memory Tagging

Memory Tagging Extension (MTE) is an AArch64 extension.  This
extension allows coloring of 16-byte memory granules with 4-bit tag
values.  The extension provides additional instructions in ISA and a
new memory type, Normal Tagged Memory, added to the Arm Architecture.
This hardware-assisted mechanism can be used to detect memory bugs
like buffer overrun or use-after-free.  The detection is
probabilistic.

Under the hood, the MTE extension introduces two types of tags:
  - Address Tags, and,
  - Allocation Tags (a.k.a., Memory Tags)

Address Tag: acts as the key.  It adds four bits to the top of a
virtual address and is built on the AArch64 'top-byte-ignore' (TBI)
feature.

Allocation Tag: acts as the lock.  Allocation tags also consist of
four bits, linked with every aligned 16-byte region in the physical
memory space.  Arm refers to these 16-byte regions as tag granules.
The way Allocation tags are stored is a hardware implementation
detail.

A subset of the MTE instructions which are relevant in the current
context are:

[Xn, Xd are registers containing addresses].

- irg Xd, Xn
  Copy Xn into Xd, insert a random 4-bit Address Tag into Xd.
- addg Xd, Xn, #<immA>, #<immB>
  Xd = Xn + immA, with Address Tag modified by #immB. Similarly, there
  exists a subg.
- stg Xd, [Xn]
  (Store Allocation Tag) updates Allocation Tag for [Xn, Xn + 16) to the
  Address Tag of Xd.

Additionally, note that load and store instructions with SP base
register do not check tags.

MEMTAG sanitizer for stack
Use MTE instructions to instrument stack accesses to detect memory safety
issues.

Detecting stack-related memory bugs requires the compiler to:
  - ensure that each object on the stack is allocated in its own 16-byte
    granule.
  - Tag/Color: put tags into each stack variable pointer.
  - Untag: the function epilogue will untag the (stack) memory.
The above should work with dynamic stack allocation as well.

GCC has HWASAN machinery for coloring stack variables.  Extend the
machinery to emit MTE instructions when MEMTAG sanitizer is in effect.
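The instruction semantics listed above (irg, addg, stg) and the three compiler steps (own granule per object, tag, untag in the epilogue) as an added example, a small constructed C model that is not part of this series or of Arm's code. The 256-byte "stack", the alloc_tags array, and passing the RNG result into irg as a parameter are assumptions made to keep the model deterministic and host-runnable.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed model, not GCC's or Arm's code: 4-bit Address Tag in bits 59:56
   of the address (on top of TBI), 4-bit Allocation Tag per 16-byte granule;
   a 256-byte "stack" whose granule tags live in alloc_tags.  */
#define GRANULE 16
#define TAG_SHIFT 56
#define TAG_MASK 0xFULL
#define STACK_BYTES 256
static uint8_t alloc_tags[STACK_BYTES / GRANULE];
static uint64_t addr_tag (uint64_t va) { return (va >> TAG_SHIFT) & TAG_MASK; }
static uint64_t untagged (uint64_t va) { return va & ~(TAG_MASK << TAG_SHIFT); }
static uint64_t set_tag (uint64_t va, uint64_t t) {
  return untagged (va) | ((t & TAG_MASK) << TAG_SHIFT);
}
/* irg Xd, Xn: copy Xn, insert a random tag.  The caller passes the tag the
   hardware RNG would produce, so the model stays deterministic.  */
static uint64_t irg (uint64_t xn, uint64_t rng_tag) { return set_tag (xn, rng_tag); }
/* addg Xd, Xn, #immA, #immB: Xn + immA with the tag advanced by immB
   (mod 16; the GCR exclusion mask of real hardware is not modelled).  */
static uint64_t addg (uint64_t xn, uint64_t imm_a, uint64_t imm_b) {
  return set_tag (xn + imm_a, addr_tag (xn) + imm_b);
}
/* stg Xd, [Xn]: Allocation Tag of the granule at Xn := Address Tag of Xd.  */
static bool stg (uint64_t xd, uint64_t xn) {
  uint64_t off = untagged (xn);
  if (off % GRANULE != 0 || off >= STACK_BYTES) return false;
  alloc_tags[off / GRANULE] = (uint8_t) addr_tag (xd); return true;
}
/* Tag check on a load/store: skipped when SP is the base register, else the
   Address Tag must equal the granule's Allocation Tag.  */
static bool access_ok (uint64_t va, bool sp_base) {
  uint64_t off = untagged (va);
  return off < STACK_BYTES && (sp_base || addr_tag (va) == alloc_tags[off / GRANULE]);
}
/* Prologue for a frame with two 8-byte locals a and b, each padded to its own
   granule (frame+0, frame+16).  b gets a's tag + 1, so the neighbours never
   share a tag and a one-granule overrun is always caught.  */
static void prologue (uint64_t frame, uint64_t rng_tag, uint64_t *pa, uint64_t *pb) {
  *pa = irg (frame, rng_tag);
  *pb = addg (*pa, GRANULE, 1);
  stg (*pa, *pa);
  stg (*pb, *pb);
}
/* Epilogue: untag (tag 0) the granules the frame used.  */
static void epilogue (uint64_t frame) {
  stg (set_tag (frame, 0), frame);
  stg (set_tag (frame, 0), frame + GRANULE);
}
```

An overrun from a into b's granule and a stale pointer used after the epilogue both fail the check, while a random tag of 15 makes b wrap to tag 0 and slip past the post-epilogue check, which is the probabilistic detection the text mentions.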

Deploying and running user space programs built with -fsanitizer=memtag will
need the following additional pieces in place.  If there is any existing work /
ideas on any of the following, please send comments to help define the work.

Additional necessary pieces

* MTE aware exception handling and unwinding routines
The additional stack coloring must work with C++ exceptions and C
setjmp/longjmp.

* When unwinding the stack for handling C++ exceptions, the unwinder
additionally also needs to untag the stack frame.  As per the
AADWARF64 document: "The character 'G' indicates that associated
frames may modify MTE tags on the stack space they use."

* When restoring the context in longjmp, we need to additionally untag the
stack.

Claudiu Zissulescu (4):
  target-insns.def: (tag_memory) New pattern.
  targhooks: add TARGET_MEMTAG_COMPOSE_OFFSET_TAG
  asan: memtag-stack add support for MTE instructions
  aarch64: Add support for memtag-stack sanitizer using MTE insns

Indu Bhagat (5):
  targhooks: i386: rename TAG_SIZE to TAG_BITSIZE
  opts: use uint64_t for sanitizer flags
  aarch64: add new constants for MTE insns
  asan: add new memtag sanitizer
  aarch64: Add memtag-stack tests

 gcc/asan.cc                                   | 214 +++++++---
 gcc/asan.h                                    |  17 +-
 gcc/builtins.def                              |   1 +
 gcc/c-family/c-attribs.cc                     |  16 +-
 gcc/c-family/c-common.h                       |   2 +-
 gcc/c/c-parser.cc                             |   4 +-
 gcc/cfgexpand.cc                              |  29 +-
 gcc/common.opt                                |   6 +-
 gcc/config/aarch64/aarch64-builtins.cc        |   7 +-
 gcc/config/aarch64/aarch64-linux.h            |   4 +-
 gcc/config/aarch64/aarch64-protos.h           |   4 +
 gcc/config/aarch64/aarch64.cc                 | 370 +++++++++++++++++-
 gcc/config/aarch64/aarch64.md                 |  78 ++--
 gcc/config/aarch64/constraints.md             |  26 ++
 gcc/config/aarch64/predicates.md              |  13 +-
 gcc/config/i386/i386.cc                       |   8 +-
 gcc/cp/typeck.cc                              |   2 +-
 gcc/d/d-attribs.cc                            |   8 +-
 gcc/doc/invoke.texi                           |  19 +-
 gcc/doc/md.texi                               |   5 +
 gcc/doc/tm.texi                               |   8 +-
 gcc/doc/tm.texi.in                            |   4 +-
 gcc/dwarf2asm.cc                              |   2 +-
 gcc/flag-types.h                              |   4 +
 gcc/gcc.cc                                    |   2 +
 gcc/gimplify.cc                               |   5 +-
 gcc/internal-fn.cc                            |  68 +++-
 gcc/internal-fn.def                           |   1 +
 gcc/opts.cc                                   |  47 ++-
 gcc/opts.h                                    |   8 +-
 gcc/params.opt                                |   8 +
 gcc/sanopt.cc                                 |   2 +-
 gcc/target-insns.def                          |   1 +
 gcc/target.def                                |  11 +-
 gcc/targhooks.cc                              |   9 +-
 gcc/targhooks.h                               |   4 +-
 .../gcc.target/aarch64/acle/memtag_1.c        |   2 +-
 .../gcc.target/aarch64/memtag/alloca-1.c      |  14 +
 .../gcc.target/aarch64/memtag/alloca-3.c      |  27 ++
 .../gcc.target/aarch64/memtag/arguments-1.c   |   3 +
 .../gcc.target/aarch64/memtag/arguments-2.c   |   3 +
 .../gcc.target/aarch64/memtag/arguments-3.c   |   3 +
 .../gcc.target/aarch64/memtag/arguments-4.c   |  16 +
 .../gcc.target/aarch64/memtag/arguments.c     |   3 +
 .../gcc.target/aarch64/memtag/basic-1.c       |  15 +
 .../gcc.target/aarch64/memtag/basic-3.c       |  21 +
 .../gcc.target/aarch64/memtag/basic-struct.c  |  22 ++
 .../aarch64/memtag/cfi-mte-memtag-frame-1.c   |  11 +
 .../gcc.target/aarch64/memtag/large-array.c   |  24 ++
 .../aarch64/memtag/local-no-escape.c          |  20 +
 .../gcc.target/aarch64/memtag/memtag.exp      |  64 +++
 .../gcc.target/aarch64/memtag/mte-sig.h       |  15 +
 .../aarch64/memtag/no-sanitize-attribute.c    |  17 +
 .../gcc.target/aarch64/memtag/texec-1.c       |  27 ++
 .../gcc.target/aarch64/memtag/texec-2.c       |  22 ++
 .../gcc.target/aarch64/memtag/value-init.c    |  14 +
 .../aarch64/memtag/vararray-gimple.c          |  17 +
 .../gcc.target/aarch64/memtag/vararray.c      |  14 +
 .../gcc.target/aarch64/memtag/vla-1.c         |  39 ++
 .../gcc.target/aarch64/memtag/vla-2.c         |  48 +++
 .../gcc.target/aarch64/memtag/zero-init.c     |  14 +
 gcc/testsuite/lib/target-supports.exp         |  12 +
 gcc/tree-cfg.cc                               |   2 +-
 63 files changed, 1344 insertions(+), 162 deletions(-)
 create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/alloca-1.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/alloca-3.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/arguments-1.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/arguments-2.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/arguments-3.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/arguments-4.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/arguments.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/basic-1.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/basic-3.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/basic-struct.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/cfi-mte-memtag-frame-1.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/large-array.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/local-no-escape.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/memtag.exp
 create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/mte-sig.h
 create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/no-sanitize-attribute.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/texec-1.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/texec-2.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/value-init.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/vararray-gimple.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/vararray.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/vla-1.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/vla-2.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/zero-init.c

-- 
2.50.0