Diffstat (limited to 'docs/ControlFlowIntegrity.rst')
-rw-r--r-- | docs/ControlFlowIntegrity.rst | 50 |
1 files changed, 41 insertions, 9 deletions
diff --git a/docs/ControlFlowIntegrity.rst b/docs/ControlFlowIntegrity.rst index 12b4610f8a282..fcc6409888979 100644 --- a/docs/ControlFlowIntegrity.rst +++ b/docs/ControlFlowIntegrity.rst @@ -66,6 +66,8 @@ Available schemes are: wrong dynamic type. - ``-fsanitize=cfi-icall``: Indirect call of a function with wrong dynamic type. + - ``-fsanitize=cfi-mfcall``: Indirect call via a member function pointer with + wrong dynamic type. You can use ``-fsanitize=cfi`` to enable all the schemes and use ``-fno-sanitize`` flag to narrow down the set of schemes as desired. @@ -106,8 +108,9 @@ This CFI scheme can be enabled on its own using ``-fsanitize=cfi-vcall``. For this scheme to work, all translation units containing the definition of a virtual member function (whether inline or not), other than members -of :ref:`blacklisted <cfi-blacklist>` types, must be compiled with -``-fsanitize=cfi-vcall`` enabled and be statically linked into the program. +of :ref:`blacklisted <cfi-blacklist>` types or types with public :doc:`LTO +visibility <LTOVisibility>`, must be compiled with ``-flto`` or ``-flto=thin`` +enabled and be statically linked into the program. Performance ----------- @@ -152,9 +155,9 @@ functions may be :ref:`blacklisted <cfi-blacklist>`. For this scheme to work, all translation units containing the definition of a virtual member function (whether inline or not), other than members -of :ref:`blacklisted <cfi-blacklist>` types, must be compiled with -``-fsanitize=cfi-derived-cast`` or ``-fsanitize=cfi-unrelated-cast`` enabled -and be statically linked into the program. +of :ref:`blacklisted <cfi-blacklist>` types or types with public :doc:`LTO +visibility <LTOVisibility>`, must be compiled with ``-flto`` or ``-flto=thin`` +enabled and be statically linked into the program. Non-Virtual Member Function Call Checking ========================================= 
@@ -168,8 +171,9 @@ polymorphic class type. This CFI scheme can be enabled on its own using For this scheme to work, all translation units containing the definition of a virtual member function (whether inline or not), other than members -of :ref:`blacklisted <cfi-blacklist>` types, must be compiled with -``-fsanitize=cfi-nvcall`` enabled and be statically linked into the program. +of :ref:`blacklisted <cfi-blacklist>` types or types with public :doc:`LTO +visibility <LTOVisibility>`, must be compiled with ``-flto`` or ``-flto=thin`` +enabled and be statically linked into the program. .. _cfi-strictness: @@ -224,8 +228,8 @@ flag relax pointer type checking for call sites in that translation unit, applied across all functions compiled with ``-fsanitize=cfi-icall``. Specifically, pointers in return and argument types are treated as equivalent as -long as the qualifiers for the type they point to match. For example, ``char*`` -``char**`, and ``int*`` are considered equivalent types. However, ``char*`` and +long as the qualifiers for the type they point to match. For example, ``char*``, +``char**``, and ``int*`` are considered equivalent types. However, ``char*`` and ``const char*`` are considered separate types. ``-fsanitize-cfi-icall-generalize-pointers`` is not compatible with 
@@ -253,6 +257,34 @@ the identity of function pointers is maintained, and calls across shared library boundaries are no different from calls within a single program or shared library. +Member Function Pointer Call Checking +===================================== + +This scheme checks that indirect calls via a member function pointer +take place using an object of the correct dynamic type. Specifically, we +check that the dynamic type of the member function referenced by the member +function pointer matches the "function pointer" part of the member function +pointer, and that the member function's class type is related to the base +type of the member function. This CFI scheme can be enabled on its own using +``-fsanitize=cfi-mfcall``. + +The compiler will only emit a full CFI check if the member function pointer's +base type is complete. This is because the complete definition of the base +type contains information that is necessary to correctly compile the CFI +check. To ensure that the compiler always emits a full CFI check, it is +recommended to also pass the flag ``-fcomplete-member-pointers``, which +enables a non-conforming language extension that requires member pointer +base types to be complete if they may be used for a call. + +For this scheme to work, all translation units containing the definition +of a virtual member function (whether inline or not), other than members +of :ref:`blacklisted <cfi-blacklist>` types or types with public :doc:`LTO +visibility <LTOVisibility>`, must be compiled with ``-flto`` or ``-flto=thin`` +enabled and be statically linked into the program. + +This scheme is currently not compatible with cross-DSO CFI or the +Microsoft ABI. + .. _cfi-blacklist: Blacklist |
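Review bot: in hunk ``@@ -66,6 +66,8 @@`` the new bullet says "Indirect call via a member function pointer with wrong dynamic type", which reads as if the pointer itself had a dynamic type; the new section later in this patch describes the check as being about "an object of the correct dynamic type", so the bullet should use the same framing, e.g. "Indirect call via a member function pointer on an object of the wrong dynamic type".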
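Review bot: hunk ``@@ -106,8 +108,9 @@`` changes the substance of the requirement, not just its wording: the old text required the other translation units to be compiled with ``-fsanitize=cfi-vcall``, the new text only requires ``-flto`` or ``-flto=thin`` (plus the new exception for types with public LTO visibility). If that relaxation is intended, add one sentence saying so, because a reader who knows the old text will otherwise assume the sanitizer flag is still needed in every TU. This paragraph also appears character-for-character in three other sections after this patch; a single shared subsection with a ``:ref:`` label would keep the four copies from drifting apart.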
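Review bot: hunk ``@@ -152,9 +155,9 @@`` (and the other three copies) introduces ``:doc:`LTO visibility <LTOVisibility>```; make sure ``docs/LTOVisibility.rst`` is present in this tree, otherwise Sphinx emits an unresolved-reference warning for each of the four uses. The same note about the silently relaxed requirement (sanitizer flag replaced by ``-flto``) applies here for ``cfi-derived-cast``/``cfi-unrelated-cast``.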
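Review bot: hunk ``@@ -224,8 +228,8 @@`` is a pure markup fix and looks right: the old ``\`\`char**\``` had unbalanced backticks, which broke the inline-literal markup and also dropped the comma after ``char*``; nothing further to change.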
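Review bot: in hunk ``@@ -253,6 +257,34 @@`` the second sentence of the new "Member Function Pointer Call Checking" section is hard to parse: "the dynamic type of the member function referenced by the member function pointer" attributes a dynamic type to a function. Please spell out the two things being compared (the dynamic type of the object the call is made on versus the function part of the member pointer, and the function's class versus the pointer's base type) so the reader can tell which type confusions this catches. Two smaller points in the same hunk: the ``-fcomplete-member-pointers`` paragraph says a "full" check is emitted only when the base type is complete but not what happens otherwise (a weaker check, or no check at all), and the last paragraph says the scheme "is currently not compatible with cross-DSO CFI or the Microsoft ABI" without saying whether combining them is a diagnostic or silently leaves the calls unchecked; both should be stated explicitly, since the latter directly affects what coverage a user can assume.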