[CFI] Enable cfi-icall type generalization

Control Flow Integrity [1] indirect call checking verifies that function pointers only call valid functions with a matching type signature. This condition can be too strict, a common form of 'abstraction' relies on function pointers being cast to generalize argument pointer types to void*. For example, qsort() accepts two const void*s but the implementations are likely to implement the comparison function using pointers to the specific type being sorted. This function relaxes cfi-icall type checking for code that uses this pattern by using the new -fsanitize-cfi-icall-generalize-pointers argument. It considers all pointer types equal as long as their qualifiers match. TBR=drott@chromium.org,rsleevi@chromium.org,piman@chromium.org Bug: 785442 Change-Id: Ic9487908b6372898f031502c84284d008a3fdec1 Reviewed-on: https://chromium-review.googlesource.com/777555 Commit-Queue: Peter Collingbourne <pcc@chromium.org> Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Reviewed-by: Dominik Röttsches <drott@chromium.org> Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Antoine Labour <piman@chromium.org> Reviewed-by: Peter Collingbourne <pcc@chromium.org> Reviewed-by: Johann Koenig <johannkoenig@google.com> Reviewed-by: Dirk Pranke <dpranke@chromium.org> Cr-Commit-Position: refs/heads/master@{#518446}

[CFI] Enable cfi-icall type generalization
Control Flow Integrity [1] indirect call checking verifies that function pointers only call valid functions with a matching type signature. This condition can be too strict, a common form of 'abstraction' relies on function pointers being cast to generalize argument pointer types to void*. For example, qsort() accepts two const void*s but the implementations are likely to implement the comparison function using pointers to the specific type being sorted. This function relaxes cfi-icall type checking for code that uses this pattern by using the new -fsanitize-cfi-icall-generalize-pointers argument. It considers all pointer types equal as long as their qualifiers match. TBR=drott@chromium.org,rsleevi@chromium.org,piman@chromium.org Bug: 785442 Change-Id: Ic9487908b6372898f031502c84284d008a3fdec1 Reviewed-on: https://chromium-review.googlesource.com/777555 Commit-Queue: Peter Collingbourne <pcc@chromium.org> Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Reviewed-by: Dominik Röttsches <drott@chromium.org> Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Antoine Labour <piman@chromium.org> Reviewed-by: Peter Collingbourne <pcc@chromium.org> Reviewed-by: Johann Koenig <johannkoenig@google.com> Reviewed-by: Dirk Pranke <dpranke@chromium.org> Cr-Commit-Position: refs/heads/master@{#518446}
521fd17a · Vlad Tsyrklevich · Commit Bot · dd082eca · 521fd17a · 521fd17a
Commit 521fd17a authored Nov 21, 2017 by Vlad Tsyrklevich Committed by Commit Bot Nov 21, 2017
6 changed files
--- a/build/config/sanitizers/BUILD.gn
+++ b/build/config/sanitizers/BUILD.gn
@@ -387,6 +387,14 @@ config("cfi_flags") {
  }
 }

+# crbug.com/785442: Fix cfi-icall failures for code that casts pointer argument
+# types in function pointer type signatures.
+config("cfi_icall_generalize_pointers") {
+  if (is_clang && is_cfi && use_cfi_icall) {
+    cflags = [ "-fsanitize-cfi-icall-generalize-pointers" ]
+  }
+}
+
 config("coverage_flags") {
  cflags = []


--- a/third_party/boringssl/BUILD.gn
+++ b/third_party/boringssl/BUILD.gn
@@ -31,6 +31,7 @@ config("internal_config") {
    # TODO(davidben): Fix size_t truncations in BoringSSL.
    # https://crbug.com/boringssl/22
    "//build/config/compiler:no_size_t_to_int_warning",
+    "//build/config/sanitizers:cfi_icall_generalize_pointers",
  ]
  if (is_posix) {
    cflags_c = [ "-std=c99" ]

--- a/third_party/freetype/BUILD.gn
+++ b/third_party/freetype/BUILD.gn
@@ -139,6 +139,7 @@ source_set("freetype_source") {
  }
  configs -= [ "//build/config/compiler:chromium_code" ]
  configs += [ "//build/config/compiler:no_chromium_code" ]
+  configs += [ "//build/config/sanitizers:cfi_icall_generalize_pointers" ]
  configs += [ ":freetype-warnings" ]

  public_configs = [ ":freetype_config" ]

--- a/third_party/mesa/BUILD.gn
+++ b/third_party/mesa/BUILD.gn
@@ -26,6 +26,7 @@ source_set("mesa_headers") {
 # dirs appear before the system ones on Windows. This is necessary so that
 # #include "GL/gl.h" means to include Mesa's, not the system's.
 config("mesa_internal_config") {
+  configs = [ "//build/config/sanitizers:cfi_icall_generalize_pointers" ]
  cflags = []
  defines = [
    "MAPI_ABI_HEADER=\"glapi_mapi_tmp_shared.h\"",

--- a/third_party/yasm/BUILD.gn
+++ b/third_party/yasm/BUILD.gn
@@ -66,6 +66,7 @@ if (current_toolchain == host_toolchain) {
  import("//build/compiled_action.gni")

  config("yasm_config") {
+    configs = [ "//build/config/sanitizers:cfi_icall_generalize_pointers" ]
    include_dirs = [
      "source/config/$host_os",
      "source/patched-yasm",

--- a/tools/cfi/blacklist.txt
+++ b/tools/cfi/blacklist.txt
@@ -188,17 +188,17 @@ src:*third_party/WebKit/Source/platform/wtf/*
 # v8/src/intl.cc
 fun:*LocaleConvertCase*

-src:*third_party/boringssl/*
-src:*third_party/freetype/*
-src:*third_party/harfbuzz-ng/*
+# Casts away const qualifier
+# third_party/boringssl/src/crypto/pem/pem_lib.c
+fun:*PEM_ASN1_write*
+
 src:*third_party/libsrtp/*
 src:*third_party/libvpx/*
 src:*third_party/libxml/*
 src:*third_party/pdfium/third_party/lcms/*
-src:*third_party/mesa/*
 src:*third_party/sqlite/*
 src:*third_party/webrtc/*
-src:*third_party/yasm/*
+
 src:*v8/*

 ######### Uncategorized