llvm · SchrodingerZhu · Oct 17, 2024 · Oct 17, 2024 · Oct 17, 2024 · Oct 18, 2024
diff --git a/libc/config/config.json b/libc/config/config.json
@@ -103,6 +103,10 @@
     "LIBC_CONF_SETJMP_AARCH64_RESTORE_PLATFORM_REGISTER": {
       "value": true,
       "doc": "Make setjmp save the value of x18, and longjmp restore it. The AArch64 ABI delegates this register to platform ABIs, which can choose whether to make it caller-saved."
+    },
+    "LIBC_CONF_SETJMP_FORTIFICATION": {
+      "value": false,
+      "doc": "Protect jmp_buf by masking its contents and storing a simple checksum, to make it harder for an attacker to read meaningful information from a jmp_buf or to modify it. This is only supported on x86-64 Linux."
     }
   },
   "time": {

diff --git a/libc/config/linux/x86_64/config.json b/libc/config/linux/x86_64/config.json
@@ -0,0 +1,8 @@
+{
+    "setjmp": {
+        "LIBC_CONF_SETJMP_FORTIFICATION": {
+            "value": true,
+            "doc": "Protect jmp_buf by masking its contents and storing a simple checksum, to make it harder for an attacker to read meaningful information from a jmp_buf or to modify it. This is only supported on x86-64 Linux."
+        }
+    }
+}
diff --git a/libc/docs/configure.rst b/libc/docs/configure.rst
@@ -55,6 +55,7 @@ to learn about the defaults for your platform and target.
     - ``LIBC_CONF_SCANF_DISABLE_INDEX_MODE``: Disable index mode in the scanf format string.
 * **"setjmp" options**
     - ``LIBC_CONF_SETJMP_AARCH64_RESTORE_PLATFORM_REGISTER``: Make setjmp save the value of x18, and longjmp restore it. The AArch64 ABI delegates this register to platform ABIs, which can choose whether to make it caller-saved.
+    - ``LIBC_CONF_SETJMP_FORTIFICATION``: Protect jmp_buf by masking its contents and storing a simple checksum, to make it harder for an attacker to read meaningful information from a jmp_buf or to modify it. This is only supported on x86-64 Linux.
 * **"string" options**
     - ``LIBC_CONF_MEMSET_X86_USE_SOFTWARE_PREFETCHING``: Inserts prefetch for write instructions (PREFETCHW) for memset on x86 to recover performance when hardware prefetcher is disabled.
     - ``LIBC_CONF_STRING_UNSAFE_WIDE_READ``: Read more than a byte at a time to perform byte-string operations like strlen.

diff --git a/libc/include/llvm-libc-types/jmp_buf.h b/libc/include/llvm-libc-types/jmp_buf.h
@@ -50,6 +50,8 @@ typedef struct {
 #else
 #error "__jmp_buf not available for your target architecture."
 #endif
+  // unused if checksum feature is not enabled.
+  __UINTPTR_TYPE__ __chksum;
 } __jmp_buf;
 
 typedef __jmp_buf jmp_buf[1];

diff --git a/libc/src/setjmp/CMakeLists.txt b/libc/src/setjmp/CMakeLists.txt
@@ -1,3 +1,24 @@
+if (LIBC_CONF_SETJMP_FORTIFICATION)
+  if(EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/${LIBC_TARGET_OS})
+    add_subdirectory(${CMAKE_CURRENT_SOURCE_DIR}/${LIBC_TARGET_OS})
+  endif()
+  if (TARGET libc.src.setjmp.${LIBC_TARGET_OS}.checksum
+      AND LIBC_TARGET_ARCHITECTURE STREQUAL "x86_64")
+    add_object_library(
+      checksum
+      ALIAS
+      DEPENDS
+        .${LIBC_TARGET_OS}.checksum
+    )
+    set(fortification_deps libc.src.setjmp.checksum)
+    set(fortification_defs -DLIBC_COPT_SETJMP_FORTIFICATION=1)
+  else()
+    message(WARNING "Jmpbuf fortification is enabled but not supported for target ${LIBC_TARGET_ARCHITECTURE} ${LIBC_TARGET_OS}")
+    set(fortification_deps)
+    set(fortification_defs -DLIBC_COPT_SETJMP_FORTIFICATION=0)
+  endif()
+endif()
+
 if(EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/${LIBC_TARGET_ARCHITECTURE})
   add_subdirectory(${CMAKE_CURRENT_SOURCE_DIR}/${LIBC_TARGET_ARCHITECTURE})
 endif()

diff --git a/libc/src/setjmp/checksum.h b/libc/src/setjmp/checksum.h
@@ -0,0 +1,34 @@
+//===-- Implementation header for jmpbuf checksum ---------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_LIBC_SRC_SETJMP_CHECKSUM_H
+#define LLVM_LIBC_SRC_SETJMP_CHECKSUM_H
+
+#include "src/__support/common.h"
+
+namespace LIBC_NAMESPACE_DECL {
+namespace jmpbuf {
+
+extern __UINTPTR_TYPE__ value_mask;
+extern __UINTPTR_TYPE__ checksum_cookie;
+
+// single register update derived from aHash
+// https://github.com/tkaitchuck/aHash/blob/master/src/fallback_hash.rs#L95
+//
+// checksum = folded_multiple(data ^ checksum, MULTIPLE)
+// folded_multiple(x, m) = HIGH(x * m) ^ LOW(x * m)
+
+// From Knuth's PRNG
+LIBC_INLINE constexpr __UINTPTR_TYPE__ MULTIPLE =
+    static_cast<__UINTPTR_TYPE__>(6364136223846793005ull);
-LIBC_INLINE constexpr __UINTPTR_TYPE__ MULTIPLE =
-    static_cast<__UINTPTR_TYPE__>(6364136223846793005ull);
+LIBC_INLINE constexpr auto MULTIPLE =
+    static_cast<__UINTPTR_TYPE__>(6364136223846793005ull);
-LIBC_INLINE constexpr __UINTPTR_TYPE__ MULTIPLE =
-    static_cast<__UINTPTR_TYPE__>(6364136223846793005ull);
+LIBC_INLINE constexpr auto MULTIPLE =
+    static_cast<__UINTPTR_TYPE__>(6364136223846793005ull);
+void initialize();
+extern "C" [[gnu::cold, noreturn]] void __libc_jmpbuf_corruption();
+} // namespace jmpbuf
+} // namespace LIBC_NAMESPACE_DECL
+
+#endif // LLVM_LIBC_SRC_SETJMP_CHECKSUM_H
diff --git a/libc/src/setjmp/i386/CMakeLists.txt b/libc/src/setjmp/i386/CMakeLists.txt
@@ -0,0 +1,24 @@
+add_entrypoint_object(
+  setjmp
+  SRCS
+    setjmp.cpp
+  HDRS
+    ../setjmp_impl.h
+  DEPENDS
+    libc.hdr.types.jmp_buf
+  COMPILE_OPTIONS
+    -O3
+)
+
+add_entrypoint_object(
+  longjmp
+  SRCS
+    longjmp.cpp
+  HDRS
+    ../longjmp.h
+  DEPENDS
+    libc.hdr.types.jmp_buf
+  COMPILE_OPTIONS
+    -O3
+    -fomit-frame-pointer
+)
diff --git a/libc/src/setjmp/i386/longjmp.cpp b/libc/src/setjmp/i386/longjmp.cpp
@@ -0,0 +1,41 @@
+//===-- Implementation of longjmp (32-bit) --------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#include "src/setjmp/longjmp.h"
+#include "include/llvm-libc-macros/offsetof-macro.h"
+#include "src/__support/common.h"
+#include "src/__support/macros/config.h"
+
+#if !defined(LIBC_TARGET_ARCH_IS_X86_32)
+#error "Invalid file include"
+#endif
+
+namespace LIBC_NAMESPACE_DECL {
+
+[[gnu::naked]]
+LLVM_LIBC_FUNCTION(void, longjmp, (jmp_buf, int)) {
+  asm(R"(
+      mov 0x4(%%esp), %%ecx
+      mov 0x8(%%esp), %%eax
+      cmpl $0x1, %%eax
+      adcl $0x0, %%eax
+
+      mov %c[ebx](%%ecx), %%ebx
+      mov %c[esi](%%ecx), %%esi
+      mov %c[edi](%%ecx), %%edi
+      mov %c[ebp](%%ecx), %%ebp
+      mov %c[esp](%%ecx), %%esp
+
+      jmp *%c[eip](%%ecx)
+      )" ::[ebx] "i"(offsetof(__jmp_buf, ebx)),
+      [esi] "i"(offsetof(__jmp_buf, esi)), [edi] "i"(offsetof(__jmp_buf, edi)),
+      [ebp] "i"(offsetof(__jmp_buf, ebp)), [esp] "i"(offsetof(__jmp_buf, esp)),
+      [eip] "i"(offsetof(__jmp_buf, eip)));
+}
+
+} // namespace LIBC_NAMESPACE_DECL
diff --git a/libc/src/setjmp/i386/setjmp.cpp b/libc/src/setjmp/i386/setjmp.cpp
@@ -0,0 +1,43 @@
+//===-- Implementation of setjmp (32-bit) ---------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#include "include/llvm-libc-macros/offsetof-macro.h"
+#include "src/__support/common.h"
+#include "src/__support/macros/config.h"
+#include "src/setjmp/setjmp_impl.h"
+
+#if !defined(LIBC_TARGET_ARCH_IS_X86_32)
+#error "Invalid file include"
+#endif
+
+namespace LIBC_NAMESPACE_DECL {
+[[gnu::naked]]
+LLVM_LIBC_FUNCTION(int, setjmp, (jmp_buf buf)) {
+  asm(R"(
+      mov 4(%%esp), %%eax
+
+      mov %%ebx, %c[ebx](%%eax)
+      mov %%esi, %c[esi](%%eax)
+      mov %%edi, %c[edi](%%eax)
+      mov %%ebp, %c[ebp](%%eax)
+
+      lea 4(%%esp), %%ecx
+      mov %%ecx, %c[esp](%%eax)
+
+      mov (%%esp), %%ecx
+      mov %%ecx, %c[eip](%%eax)
+
+      xorl %%eax, %%eax
+      retl)" ::[ebx] "i"(offsetof(__jmp_buf, ebx)),
+      [esi] "i"(offsetof(__jmp_buf, esi)), [edi] "i"(offsetof(__jmp_buf, edi)),
+      [ebp] "i"(offsetof(__jmp_buf, ebp)), [esp] "i"(offsetof(__jmp_buf, esp)),
+      [eip] "i"(offsetof(__jmp_buf, eip))
+      : "eax", "ecx");
+}
+
+} // namespace LIBC_NAMESPACE_DECL
diff --git a/libc/src/setjmp/linux/CMakeLists.txt b/libc/src/setjmp/linux/CMakeLists.txt
@@ -0,0 +1,11 @@
+add_object_library(
+  checksum
+  SRCS
+  checksum.cpp
+  HDRS
+    ../checksum.h
+  DEPENDS
+    libc.src.__support.common
+    libc.src.__support.OSUtil.osutil
+    libc.src.stdlib.abort
+)
diff --git a/libc/src/setjmp/linux/checksum.cpp b/libc/src/setjmp/linux/checksum.cpp
@@ -0,0 +1,38 @@
+//===-- Implementation for jmpbuf checksum ----------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#include "src/setjmp/checksum.h"
+#include "src/__support/OSUtil/io.h"
+#include "src/stdlib/abort.h"
+#include <sys/syscall.h>
+
+namespace LIBC_NAMESPACE_DECL {
+namespace jmpbuf {
+// random bytes from https://www.random.org/cgi-bin/randbyte?nbytes=8&format=h
+// the cookie should not be zero otherwise it will be a bad seed as a multiplier
+__UINTPTR_TYPE__ value_mask =
+    static_cast<__UINTPTR_TYPE__>(0x3899'f0d3'5005'd953ull);
+__UINTPTR_TYPE__ checksum_cookie =
+    static_cast<__UINTPTR_TYPE__>(0xc7d9'd341'6afc'33f2ull);
-__UINTPTR_TYPE__ value_mask =
-    static_cast<__UINTPTR_TYPE__>(0x3899'f0d3'5005'd953ull);
-__UINTPTR_TYPE__ checksum_cookie =
-    static_cast<__UINTPTR_TYPE__>(0xc7d9'd341'6afc'33f2ull);
+auto value_mask =
+    static_cast<__UINTPTR_TYPE__>(0x3899'f0d3'5005'd953ull);
+auto checksum_cookie =
+    static_cast<__UINTPTR_TYPE__>(0xc7d9'd341'6afc'33f2ull);
-__UINTPTR_TYPE__ value_mask =
-    static_cast<__UINTPTR_TYPE__>(0x3899'f0d3'5005'd953ull);
-__UINTPTR_TYPE__ checksum_cookie =
-    static_cast<__UINTPTR_TYPE__>(0xc7d9'd341'6afc'33f2ull);
+auto value_mask =
+    static_cast<__UINTPTR_TYPE__>(0x3899'f0d3'5005'd953ull);
+auto checksum_cookie =
+    static_cast<__UINTPTR_TYPE__>(0xc7d9'd341'6afc'33f2ull);
+
+// initialize the checksum state
+void initialize() {
+  __UINTPTR_TYPE__ entropy[2];
+  syscall_impl<long>(SYS_getrandom, entropy, sizeof(entropy), 0);
+  // add in additional entropy
+  jmpbuf::value_mask ^= entropy[0];
+  jmpbuf::checksum_cookie ^= entropy[0];
+}
+
+extern "C" [[gnu::cold, noreturn]] void __libc_jmpbuf_corruption() {
+  write_to_stderr("invalid checksum detected in longjmp\n");
+  abort();
+}
+
+} // namespace jmpbuf
+} // namespace LIBC_NAMESPACE_DECL
diff --git a/libc/src/setjmp/x86_64/CMakeLists.txt b/libc/src/setjmp/x86_64/CMakeLists.txt
@@ -1,24 +1,36 @@
+if(LIBC_CONF_SETJMP_FORTIFICATION)
+  set (setjmp_src setjmp_fortified.cpp)
+  set (longjmp_src longjmp_fortified.cpp)
+else()
+  set (setjmp_src setjmp.cpp)
+  set (longjmp_src longjmp.cpp)
+endif()
+
 add_entrypoint_object(
   setjmp
   SRCS
-    setjmp.cpp
+    ${setjmp_src}
   HDRS
     ../setjmp_impl.h
   DEPENDS
     libc.hdr.types.jmp_buf
+    ${fortification_deps}
   COMPILE_OPTIONS
     -O3
+    ${fortification_defs}
 )
 
 add_entrypoint_object(
   longjmp
   SRCS
-    longjmp.cpp
+    ${longjmp_src}
   HDRS
     ../longjmp.h
   DEPENDS
     libc.hdr.types.jmp_buf
+    ${fortification_deps}
   COMPILE_OPTIONS
     -O3
     -fomit-frame-pointer
+    ${fortification_defs}
 )
diff --git a/libc/src/setjmp/x86_64/longjmp.cpp b/libc/src/setjmp/x86_64/longjmp.cpp
@@ -1,4 +1,4 @@
-//===-- Implementation of longjmp -----------------------------------------===//
+//===-- Implementation of longjmp (64-bit) --------------------------------===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
@@ -11,34 +11,12 @@
 #include "src/__support/common.h"
 #include "src/__support/macros/config.h"
 
-#if !defined(LIBC_TARGET_ARCH_IS_X86)
+#if !defined(LIBC_TARGET_ARCH_IS_X86_64) || LIBC_COPT_SETJMP_FORTIFICATION
 #error "Invalid file include"
 #endif
 
 namespace LIBC_NAMESPACE_DECL {
 
-#ifdef __i386__
-[[gnu::naked]]
-LLVM_LIBC_FUNCTION(void, longjmp, (jmp_buf, int)) {
-  asm(R"(
-      mov 0x4(%%esp), %%ecx
-      mov 0x8(%%esp), %%eax
-      cmpl $0x1, %%eax
-      adcl $0x0, %%eax
-
-      mov %c[ebx](%%ecx), %%ebx
-      mov %c[esi](%%ecx), %%esi
-      mov %c[edi](%%ecx), %%edi
-      mov %c[ebp](%%ecx), %%ebp
-      mov %c[esp](%%ecx), %%esp
-
-      jmp *%c[eip](%%ecx)
-      )" ::[ebx] "i"(offsetof(__jmp_buf, ebx)),
-      [esi] "i"(offsetof(__jmp_buf, esi)), [edi] "i"(offsetof(__jmp_buf, edi)),
-      [ebp] "i"(offsetof(__jmp_buf, ebp)), [esp] "i"(offsetof(__jmp_buf, esp)),
-      [eip] "i"(offsetof(__jmp_buf, eip)));
-}
-#else
 [[gnu::naked]]
 LLVM_LIBC_FUNCTION(void, longjmp, (jmp_buf, int)) {
   asm(R"(
@@ -60,6 +38,5 @@ LLVM_LIBC_FUNCTION(void, longjmp, (jmp_buf, int)) {
       [r15] "i"(offsetof(__jmp_buf, r15)), [rsp] "i"(offsetof(__jmp_buf, rsp)),
       [rip] "i"(offsetof(__jmp_buf, rip)));
 }
-#endif
 
 } // namespace LIBC_NAMESPACE_DECL