This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

RFC: GCC plugin to find encrypted function pointer calls in glibc

From: Aldy Hernandez <aldyh at redhat dot com>
To: libc-alpha at sourceware dot org, Florian Weimer <fweimer at redhat dot com>
Date: Fri, 29 Apr 2016 06:23:02 -0400
Subject: RFC: GCC plugin to find encrypted function pointer calls in glibc
Authentication-results: sourceware.org; auth=none

Hi folks!

I'm working on a GCC plugin to pinpoint places in glibc where indirectfunction calls are made through a function pointer that has not beendemangled.

As a reference, I am attaching a test case with various things that myplugin currently warns on that may serve as examples to what I am tryingto accomplish.

The general idea is that I have defined a decryption operation as theoutput of a binary operator (xor, ior, and), so while we would warn forsomething like this:


	typedef void (*callback_t) (void);
	void foo (callback_t cb)
	{
	  cb ();
	}

...the following would be OK:

	#define PTR_DEMANGLE(var) \
	  (var) = (__typeof(var)) ((unsigned long) (var) ^ MAGIC)

	typedef void (*callback_t) (void);
	void foo (callback_t cb)
	{
	  callback_t tmp = cb;
	  PTR_DEMANGLE (tmp);
	  tmp ();
	}

However, I see glibc uses the following idiom:

#  define PTR_DEMANGLE(reg)	asm ("ror $2*" LP_SIZE "+1....)

Since I would prefer not to assume the output of all inline asm's are ademangling operation, I would like to get feedback from the community onwhat would be preferred.

My preferred approach is to add an attribute to an inline function thatwould wrap the asm:


	__attribute__((decrypt)) static inline funcp demangler (funcp f)
	{
		asm("blah");
	}

This is straightforward, clean, and follows language semantics (not tomention that I already have it implemented into my plugin :)), butFlorian made funny faces when I showed it to him, so here I am :).

It would be neat if GCC had a way of tagging individual gimplestatements with an attribute, so we could tag them with__attribute__((decrypt)), but alas we don't have such mechanism, and I'dprefer not to perform major surgery to GCC to make it so.

Another alternative would be to tag inline asms with commented out magicat the end, such that the plugin would notice and take appropriate action:


#ifdef FUNCTION_POINTER_CHECKS
#define DEMANGLE_TAG " ##_DEMANGLE_##"
#else
#define DEMANGLE_TAG ""
#endif
#  define PTR_DEMANGLE(var)  asm("ror $2*..."##DEMANGLE_TAG \
				: "=r" (var)
				: "0" (var)
				etc
				etc

This is straightforward, but I still prefer the inline function plusattribute idea.


If anyone is interested, I can post the code to my plugin.

What do y'all think?

Aldy

Attachment: test-funcp.c
Description: Text document

Follow-Ups:
- Re: RFC: GCC plugin to find encrypted function pointer calls in glibc
  - From: Carlos O'Donell

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]