Bug 1470264 CFI icall
This adds a CFI icall suppressions list and the corresponding icall attribute.
MozReview-Commit-ID: HMlh9Vii3t4
--- a/build/moz.configure/toolchain.configure
+++ b/build/moz.configure/toolchain.configure
@@ -1318,19 +1318,19 @@ wine = check_prog('WINE', ['wine'], when
# ==============================================================
js_option('--enable-lto',
nargs='?',
choices=('full', 'thin'),
help='Enable LTO')
-@depends('--enable-lto', c_compiler)
+@depends('--enable-lto', c_compiler, check_build_environment)
@imports('multiprocessing')
-def lto(value, c_compiler):
+def lto(value, c_compiler, build_env):
flags = []
ldflags = []
# clang and clang-cl
if c_compiler.type in ('clang', 'clang-cl'):
# Until Bug 1457168 is fixed, we have to hardcode -fuse-ld=lld here
if c_compiler.type == 'clang':
flags.append("-fuse-ld=lld")
@@ -1339,21 +1339,25 @@ def lto(value, c_compiler):
flags.append("-flto")
ldflags.append("-flto")
elif value:
flags.append("-flto=thin")
ldflags.append("-flto=thin")
flags.append("-fsanitize=cfi-icall")
flags.append("-fsanitize-cfi-icall-generalize-pointers")
+ flags.append("-fsanitize-blacklist=%s/build/sanitizers/cfi_suppressions.txt"
+ % build_env.topsrcdir)
flags.append("-fno-sanitize-trap=cfi")
flags.append("-fsanitize-recover=cfi")
ldflags.append("-fsanitize=cfi-icall")
ldflags.append("-fsanitize-cfi-icall-generalize-pointers")
+ ldflags.append("-fsanitize-blacklist=%s/build/sanitizers/cfi_suppressions.txt"
+ % build_env.topsrcdir)
ldflags.append("-fno-sanitize-trap=cfi")
ldflags.append("-fsanitize-recover=cfi")
# gcc and other compilers
elif value:
num_cores = multiprocessing.cpu_count()
flags.append("-flto")
flags.append("-flifetime-dse=1")
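Review bot: The blacklist argument is built twice from the same format string, once for `flags` and once for `ldflags`, so a later rename of the suppression file or a path-quoting fix has to land in two places; bind it once above the two appends, `cfi_blacklist = '-fsanitize-blacklist=%s/build/sanitizers/cfi_suppressions.txt' % build_env.topsrcdir`, and append `cfi_blacklist` to both lists. A comment next to it should also state what the list does for a reader tuning the build: it exempts whole translation units from cfi-icall instrumentation, and because the surrounding lines pass `-fno-sanitize-trap=cfi` and `-fsanitize-recover=cfi` the build only reports violations, so an entry silences a diagnostic rather than relaxing an enforced check. The new flag is emitted for `clang-cl` too, since this branch covers both compiler types; whether clang-cl accepts `-fsanitize-blacklist=` with a topsrcdir-based path in this form is not shown here and is worth confirming. Nothing escapes the path, so a topsrcdir containing spaces presumably relies on how each flag is quoted later in the build system; confirm. The `lto` function continues outside the hunk.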
new file mode 100644
--- /dev/null
+++ b/build/sanitizers/cfi_suppressions.txt
@@ -0,0 +1,105 @@
+[cfi-icall]
+
+# Believed to be Cross-DSO:
+
+src:*nsprpub/lib/ds/plhash.c
+src:*nsprpub/pr/src/io/priometh.c
+src:*nsprpub/pr/src/misc/prinit.c
+src:*nsprpub/pr/src/pthreads/ptio.c
+src:*nsprpub/pr/src/pthreads/ptthread.c
+src:*nsprpub/pr/src/threads/prtpd.c
+
+src:*security/nss/lib/dev/devtoken.c
+src:*security/nss/lib/freebl/loader.c
+src:*security/nss/lib/freebl/stubs.c
+src:*security/nss/lib/pk11wrap/*
+src:*security/nss/lib/cryptohi/sechash.c
+src:*security/nss/lib/cryptohi/secvfy.c
+src:*security/nss/lib/dev/ckhelper.c
+src:*security/nss/lib/nss/nssinit.c
+src:*security/nss/lib/softoken/lowpbe.c
+src:*security/nss/lib/softoken/pkcs11c.c
+src:*security/nss/lib/ssl/ssl3con.c
+src:*security/nss/lib/ssl/ssl3ext.c
+src:*security/nss/lib/ssl/ssldef.c
+src:*security/nss/lib/ssl/sslsecur.c
+src:*security/nss/lib/ssl/sslsock.c
+src:*security/manager/ssl/nsNSSIOLayer.cpp
+
+src:*storage/TelemetryVFS.cpp
+src:*db/sqlite3/src/sqlite3.c
+
+src:*gfx/skia/skia/src/ports/SkFontHost_cairo.cpp
+
+src:*security/sandbox/linux/SandboxHooks.cpp
+
+src:*toolkit/system/gnome/nsGConfService.cpp
+src:*toolkit/system/gnome/nsGSettingsService.cpp
+src:*toolkit/xre/nsNativeAppSupportUnix.cpp
+
+src:*widget/gtk/gtk3drawing.cpp
+src:*widget/gtk/nsAppShell.cpp
+src:*widget/gtk/nsIdleServiceGTK.cpp
+src:*widget/gtk/nsSound.cpp
+src:*widget/gtk/nsWindow.cpp
+src:*widget/gtk/ScreenHelperGTK.cpp
+src:*widget/gtk/WidgetStyleCache.cpp
+
+src:*xpcom/base/nsSystemInfo.cpp
+src:*xpcom/build/NSPRInterposer.cpp
+src:*xpcom/glue/standalone/nsXPCOMGlue.cpp
+
+src:*dom/plugins/base/nsPluginsDirUnix.cpp
+
+src:*dom/media/platforms/ffmpeg/FFmpegDataDecoder.cpp
+src:*dom/media/platforms/ffmpeg/FFmpegLibWrapper.cpp
+
+# To investigate more
+
+src:*accessible/atk/AccessibleWrap.cpp
+src:*dom/gamepad/linux/LinuxGamepad.cpp
+src:*dom/gamepad/linux/udev.h
+src:*dom/media/platforms/ffmpeg/FFmpegAudioDecoder.cpp
+src:*dom/media/platforms/ffmpeg/FFmpegVideoDecoder.cpp
+src:*dom/plugins/ipc/BrowserStreamChild.cpp
+src:*dom/plugins/ipc/PluginInstanceChild.cpp
+src:*dom/plugins/ipc/PluginModuleChild.cpp
+src:*dom/plugins/ipc/PluginScriptableObjectChild.cpp
+src:*dom/plugins/test/testplugin/nptest.cpp
+src:*gfx/cairo/cairo/src/cairo-xlib-surface.c
+src:*gfx/gl/GLContext.cpp
+src:*gfx/gl/GLContext.h
+src:*gfx/gl/GLLibraryLoader.cpp
+src:*gfx/thebes/gfxFT2Utils.cpp
+src:*intl/locale/gtk/OSPreferences_gtk.cpp
+src:*js/src/jsapi-tests/testJitMacroAssembler.cpp
+src:*js/src/wasm/WasmInstance.cpp
+src:*media/libcubeb/src/cubeb.c
+src:*media/mtransport/transportlayerdtls.cpp
+src:*mfbt/tests/TestPoisonArea.cpp
+src:*mozglue/misc/StackWalk.cpp
+src:*nsprpub/pr/src/io/prlayer.c
+src:*nsprpub/pr/src/misc/prtpool.c
+src:*obj-firefox/dist/include/GLContext.h
+src:*obj-firefox/dist/include/GLXLibrary.h
+src:*obj-firefox/dist/include/mozilla/plugins/PluginModuleChild.h
+src:*security/nss/cmd/shlibsign/shlibsign.c
+src:*security/nss/lib/cryptohi/secsign.c
+src:*security/nss/lib/pkcs7/p7local.c
+src:*security/nss/lib/softoken/legacydb/lgutil.c
+src:*security/nss/lib/softoken/lgglue.c
+src:*security/nss/lib/softoken/sftkdb.c
+src:*security/nss/lib/softoken/sftkpwd.c
+src:*security/nss/lib/util/secasn1d.c
+src:*security/nss/lib/util/secasn1u.c
+src:*security/nss/lib/util/secport.c
+src:*storage/test/gtest/storage_test_harness.h
+src:*toolkit/system/gnome/nsAlertsIconListener.cpp
+src:*toolkit/xre/nsSigHandlers.cpp
+src:*widget/gtk/nsPSPrinters.cpp
+src:*widget/gtk/WakeLockListener.cpp
+src:*media/webrtc/trunk/webrtc/modules/desktop_capture/x11/x_error_trap.cc
+src:*media/webrtc/trunk/webrtc/modules/desktop_capture/x11/x_server_pixel_buffer.cc
+src:*media/ffvpx/libavcodec/decode.c
+src:*js/src/ds/MemoryProtectionExceptionHandler.cpp
+src:*gfx/thebes/gfxFT2FontBase.cpp
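Review bot: Every entry is a whole-file `src:` pattern, so the list exempts entire translation units from cfi-icall instrumentation rather than the specific indirect call sites believed to cross a DSO boundary; for `sqlite3.c`, `ssl3con.c`, `secasn1d.c` and the whole `pk11wrap/*` directory that also removes the check from indirect calls in code that handles database- and network-sourced input. Where the crossing call is localised, the `MOZ_CFI_ICALL_BLACKLIST` attribute this commit introduces, or a `fun:` entry, would be narrower than a `src:` line. The three `src:*obj-firefox/dist/include/...` entries match on an objdir name, so they presumably only take effect when the objdir happens to be called `obj-firefox`; the exported headers should be matched by their source paths instead, as `gfx/gl/GLContext.h` already is. Each entry, especially under `# To investigate more`, would benefit from a trailing comment of the form `# bug NNNNNN: <which indirect call crosses the DSO>`, since a bare path list cannot be audited or pruned later, and the `# Believed to be Cross-DSO:` heading should say who verified that belief and how.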
--- a/mfbt/Attributes.h
+++ b/mfbt/Attributes.h
@@ -241,16 +241,32 @@
#ifdef __clang__
# ifdef MOZ_HAVE_NO_SANITIZE_ATTR
# define MOZ_HAVE_UNSIGNED_OVERFLOW_SANITIZE_ATTR
# define MOZ_HAVE_SIGNED_OVERFLOW_SANITIZE_ATTR
# endif
#endif
/*
+ * MOZ_CFI_xxx_BLACKLIST are macros to tell the compiler not to apply specific
+ * types of control flow integrity checks inside the annotated function.
+ */
+#if defined(__clang__) && defined(__has_attribute)
+# if __has_attribute(no_sanitize)
+# define MOZ_HAVE_CFI_BLACKLIST
+# endif
+#endif
+
+#if defined(MOZ_HAVE_CFI_BLACKLIST)
+# define MOZ_CFI_ICALL_BLACKLIST __attribute__((no_sanitize("cfi-icall")))
+#else
+# define MOZ_CFI_ICALL_BLACKLIST /* nothing */
+#endif
+
+/*
* MOZ_NO_SANITIZE_UNSIGNED_OVERFLOW disables *un*signed integer overflow
* checking on the function it annotates, in builds configured to perform it.
* (Currently this is only Clang using -fsanitize=unsigned-integer-overflow, or
* via --enable-unsigned-overflow-sanitizer in Mozilla's build system.) It has
* no effect in other builds.
*
* Place this attribute at the very beginning of a function declaration.
*