From: Vlad Tsyrklevich Date: Thu, 7 Mar 2019 18:56:36 +0000 (+0000) Subject: Delete x86_64 ShadowCallStack support X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=278f2430d0db2b7b861e4b1910052e3e038ddd42;p=clang Delete x86_64 ShadowCallStack support Summary: ShadowCallStack on x86_64 suffered from the same racy security issues as Return Flow Guard and had performance overhead as high as 13% depending on the benchmark. x86_64 ShadowCallStack was always an experimental feature and never shipped a runtime required to support it, as such there are no expected downstream users. Reviewers: pcc Reviewed By: pcc Subscribers: mgorny, javed.absar, hiraditya, jdoerfert, cfe-commits, #sanitizers, llvm-commits Tags: #clang, #sanitizers, #llvm Differential Revision: https://reviews.llvm.org/D59034 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@355624 91177308-0d34-0410-b5e6-96231b3b80d8 --- diff --git a/docs/ShadowCallStack.rst b/docs/ShadowCallStack.rst index c1284f7c2d..b1ab4c6e8b 100644 --- a/docs/ShadowCallStack.rst +++ b/docs/ShadowCallStack.rst @@ -9,7 +9,7 @@ Introduction ============ ShadowCallStack is an instrumentation pass, currently only implemented for -aarch64 and x86_64, that protects programs against return address overwrites +aarch64, that protects programs against return address overwrites (e.g. stack buffer overflows.) It works by saving a function's return address to a separately allocated 'shadow call stack' in the function prolog in non-leaf functions and loading the return address from the shadow call stack @@ -18,11 +18,10 @@ for compatibility with unwinders, but is otherwise unused. The aarch64 implementation is considered production ready, and an `implementation of the runtime`_ has been added to Android's libc -(bionic). The x86_64 implementation was evaluated using Chromium and was -found to have critical performance and security deficiencies, and may be -removed in a future release of the compiler. This document only describes -the aarch64 implementation; details on the x86_64 implementation are found -in the `Clang 7.0.1 documentation`_. +(bionic). An x86_64 implementation was evaluated using Chromium and was found +to have critical performance and security deficiencies--it was removed in +LLVM 9.0. Details on the x86_64 implementation can be found in the +`Clang 7.0.1 documentation`_. .. _`implementation of the runtime`: https://android.googlesource.com/platform/bionic/+/808d176e7e0dd727c7f929622ec017f6e065c582/libc/bionic/pthread_create.cpp#128 .. _`Clang 7.0.1 documentation`: https://releases.llvm.org/7.0.1/tools/clang/docs/ShadowCallStack.html @@ -37,10 +36,9 @@ consuming more memory for shorter function prologs and epilogs with fewer memory accesses. `Return Flow Guard`_ is a pure software implementation of shadow call stacks -on x86_64. It is similar to the ShadowCallStack x86_64 implementation but -trades off higher memory usage for a shorter prologue and epilogue. Like -x86_64 ShadowCallStack, it is inherently racy due to the architecture's use -of the stack for calls and returns. +on x86_64. Like the previous implementation of ShadowCallStack on x86_64, it is +inherently racy due to the architecture's use of the stack for calls and +returns. Intel `Control-flow Enforcement Technology`_ (CET) is a proposed hardware extension that would add native support to use a shadow stack to store/check