JIT: Add IBT support

Indirect Branch Tracking (IBT) is part of Intel's Control-Flow
Enforcement Technology (CET). IBT is hardware based, forward edge
Control-Flow-Integrity mechanism where any indirect CALL/JMP must target
an ENDBR instruction or suffer #CP.

This commit adds IBT support for JIT:
1. Add endbr32/64 instruction in Dynasm.
2. Insert endbr32/64 in indirect branch target for jitted code.

gcc support CET since v8.1 and set it to default since gcc 11. With this
commit, endbr is inserted in jitted code if PHP is compiled with "gcc
-fcf-protection=full/branch".

Signed-off-by: Chen, Hu <hu1.chen@intel.com>

Author: chen-hu-97

ext/opcache/jit/dynasm/dasm_x86.lua

@@ -1147,6 +1147,8 @@ local map_op = {
   rep_0 =	"F3",
   repe_0 =	"F3",
   repz_0 =	"F3",
+  endbr32_0 =	"F30F1EFB",
+  endbr64_0 =	"F30F1EFA",
   -- F4: *hlt
   cmc_0 =	"F5",
   -- F6: test... mb,i; div... mb

ext/opcache/jit/zend_jit_x86.dasc

@@ -1623,6 +1623,16 @@ static size_t tsrm_tls_offset;
 ||	}
 |.endmacro
 
+|.macro ENDBR
+||#if defined (__CET__) && (__CET__ & 1) != 0
+|	.if X64
+|		endbr64
+|	.else
+|		endbr32
+|	.endif
+||#endif
+|.endmacro
+
 static bool reuse_ip = 0;
 static bool delayed_call_chain = 0;
 static uint32_t  delayed_call_level = 0;
@@ -1690,6 +1700,7 @@ static void zend_jit_stop_reuse_ip(void)
 static int zend_jit_interrupt_handler_stub(dasm_State **Dst)
 {
 	|->interrupt_handler:
+	|	ENDBR
 	|	SAVE_IP
 	|	//EG(vm_interrupt) = 0;
 	|	MEM_STORE_ZTS byte, executor_globals, vm_interrupt, 0, r0
@@ -1739,6 +1750,7 @@ static int zend_jit_interrupt_handler_stub(dasm_State **Dst)
 static int zend_jit_exception_handler_stub(dasm_State **Dst)
 {
 	|->exception_handler:
+	|	ENDBR
 	if (zend_jit_vm_kind == ZEND_VM_KIND_HYBRID) {
 		const void *handler = zend_get_opcode_handler_func(EG(exception_op));
 
@@ -1771,6 +1783,7 @@ static int zend_jit_exception_handler_stub(dasm_State **Dst)
 static int zend_jit_exception_handler_undef_stub(dasm_State **Dst)
 {
 	|->exception_handler_undef:
+	|	ENDBR
 	|	MEM_LOAD_ZTS r0, aword, executor_globals, opline_before_exception, r0
 	|	test byte OP:r0->result_type, (IS_TMP_VAR|IS_VAR)
 	|	jz >1
@@ -1786,6 +1799,7 @@ static int zend_jit_exception_handler_undef_stub(dasm_State **Dst)
 static int zend_jit_exception_handler_free_op1_op2_stub(dasm_State **Dst)
 {
 	|->exception_handler_free_op1_op2:
+	|	ENDBR
 	|	UNDEF_OPLINE_RESULT_IF_USED
 	|	test byte OP:RX->op1_type, (IS_TMP_VAR|IS_VAR)
 	|	je >9
@@ -1806,6 +1820,7 @@ static int zend_jit_exception_handler_free_op1_op2_stub(dasm_State **Dst)
 static int zend_jit_exception_handler_free_op2_stub(dasm_State **Dst)
 {
 	|->exception_handler_free_op2:
+	|	ENDBR
 	|	MEM_LOAD_ZTS RX, aword, executor_globals, opline_before_exception, r0
 	|	UNDEF_OPLINE_RESULT_IF_USED
 	|	test byte OP:RX->op2_type, (IS_TMP_VAR|IS_VAR)
@@ -1821,6 +1836,7 @@ static int zend_jit_exception_handler_free_op2_stub(dasm_State **Dst)
 static int zend_jit_leave_function_stub(dasm_State **Dst)
 {
 	|->leave_function_handler:
+	|	ENDBR
 	|	mov FCARG1d, dword [FP + offsetof(zend_execute_data, This.u1.type_info)]
 	if (zend_jit_vm_kind == ZEND_VM_KIND_HYBRID) {
 		|	test FCARG1d, ZEND_CALL_TOP
@@ -1854,6 +1870,7 @@ static int zend_jit_leave_function_stub(dasm_State **Dst)
 static int zend_jit_leave_throw_stub(dasm_State **Dst)
 {
 	|->leave_throw_handler:
+	|	ENDBR
 	|	// if (opline->opcode != ZEND_HANDLE_EXCEPTION) {
 	if (GCC_GLOBAL_REGS) {
 		|	cmp byte OP:IP->opcode, ZEND_HANDLE_EXCEPTION
@@ -1887,6 +1904,7 @@ static int zend_jit_leave_throw_stub(dasm_State **Dst)
 static int zend_jit_icall_throw_stub(dasm_State **Dst)
 {
 	|->icall_throw_handler:
+	|	ENDBR
 	|	// zend_rethrow_exception(zend_execute_data *execute_data)
 	|	mov IP, aword EX->opline
 	|	// if (EX(opline)->opcode != ZEND_HANDLE_EXCEPTION) {
@@ -1909,6 +1927,7 @@ static int zend_jit_icall_throw_stub(dasm_State **Dst)
 static int zend_jit_throw_cannot_pass_by_ref_stub(dasm_State **Dst)
 {
 	|->throw_cannot_pass_by_ref:
+	|	ENDBR
 	|	mov r0, EX->opline
 	|	mov ecx, dword OP:r0->result.var
 	|	SET_Z_TYPE_INFO RX+r1, IS_UNDEF
@@ -1936,6 +1955,7 @@ static int zend_jit_throw_cannot_pass_by_ref_stub(dasm_State **Dst)
 static int zend_jit_undefined_offset_ex_stub(dasm_State **Dst)
 {
 	|->undefined_offset_ex:
+	|	ENDBR
 	|	SAVE_IP
 	|	jmp ->undefined_offset
 
@@ -1945,6 +1965,7 @@ static int zend_jit_undefined_offset_ex_stub(dasm_State **Dst)
 static int zend_jit_undefined_offset_stub(dasm_State **Dst)
 {
 	|->undefined_offset:
+	|	ENDBR
 	|.if X64WIN
 		|	sub r4, 0x28
 	|.elif X64
@@ -1996,6 +2017,7 @@ static int zend_jit_undefined_offset_stub(dasm_State **Dst)
 static int zend_jit_undefined_index_ex_stub(dasm_State **Dst)
 {
 	|->undefined_index_ex:
+	|	ENDBR
 	|	SAVE_IP
 	|	jmp ->undefined_index
 
@@ -2005,6 +2027,7 @@ static int zend_jit_undefined_index_ex_stub(dasm_State **Dst)
 static int zend_jit_undefined_index_stub(dasm_State **Dst)
 {
 	|->undefined_index:
+	|	ENDBR
 	|.if X64WIN
 		|	sub r4, 0x28
 	|.elif X64
@@ -2060,6 +2083,7 @@ static int zend_jit_undefined_index_stub(dasm_State **Dst)
 static int zend_jit_cannot_add_element_ex_stub(dasm_State **Dst)
 {
 	|->cannot_add_element_ex:
+	|	ENDBR
 	|	SAVE_IP
 	|	jmp ->cannot_add_element
 
@@ -2069,6 +2093,7 @@ static int zend_jit_cannot_add_element_ex_stub(dasm_State **Dst)
 static int zend_jit_cannot_add_element_stub(dasm_State **Dst)
 {
 	|->cannot_add_element:
+	|	ENDBR
 	|.if X64WIN
 		|	sub r4, 0x28
 	|.elif X64
@@ -2107,6 +2132,7 @@ static int zend_jit_cannot_add_element_stub(dasm_State **Dst)
 static int zend_jit_undefined_function_stub(dasm_State **Dst)
 {
 	|->undefined_function:
+	|	ENDBR
 	|	mov r0, aword EX->opline
 	|.if X64
 		|	xor CARG1, CARG1
@@ -2131,6 +2157,7 @@ static int zend_jit_undefined_function_stub(dasm_State **Dst)
 static int zend_jit_negative_shift_stub(dasm_State **Dst)
 {
 	|->negative_shift:
+	|	ENDBR
 	|	mov RX, EX->opline
 	|.if X64
 		|.if WIN
@@ -2160,6 +2187,7 @@ static int zend_jit_negative_shift_stub(dasm_State **Dst)
 static int zend_jit_mod_by_zero_stub(dasm_State **Dst)
 {
 	|->mod_by_zero:
+	|	ENDBR
 	|	mov RX, EX->opline
 	|.if X64
 		|.if WIN
@@ -2189,6 +2217,7 @@ static int zend_jit_mod_by_zero_stub(dasm_State **Dst)
 static int zend_jit_invalid_this_stub(dasm_State **Dst)
 {
 	|->invalid_this:
+	|	ENDBR
 	|	UNDEF_OPLINE_RESULT
 	|.if X64
 		|	xor CARG1, CARG1
@@ -2208,6 +2237,7 @@ static int zend_jit_invalid_this_stub(dasm_State **Dst)
 static int zend_jit_double_one_stub(dasm_State **Dst)
 {
 	|->one:
+	|	ENDBR
 	|.dword 0, 0x3ff00000
 	return 1;
 }
@@ -2219,6 +2249,7 @@ static int zend_jit_hybrid_runtime_jit_stub(dasm_State **Dst)
 	}
 
 	|->hybrid_runtime_jit:
+	|	ENDBR
 	|	EXT_CALL zend_runtime_jit, r0
 	|	JMP_IP
 	return 1;
@@ -2231,6 +2262,7 @@ static int zend_jit_hybrid_profile_jit_stub(dasm_State **Dst)
 	}
 
 	|->hybrid_profile_jit:
+	|	ENDBR
 	|	// ++zend_jit_profile_counter;
 	|	.if X64
 	|		LOAD_ADDR r0, &zend_jit_profile_counter
@@ -2258,6 +2290,7 @@ static int zend_jit_hybrid_hot_code_stub(dasm_State **Dst)
 	}
 
 	|->hybrid_hot_code:
+	|	ENDBR
 	|	mov word [r2], ZEND_JIT_COUNTER_INIT
 	|	mov FCARG1a, FP
 	|	GET_IP FCARG2a
@@ -2322,7 +2355,7 @@ static int zend_jit_hybrid_func_hot_counter_stub(dasm_State **Dst)
 	}
 
 	|->hybrid_func_hot_counter:
-
+	|	ENDBR
 	return zend_jit_hybrid_hot_counter_stub(Dst,
 		((ZEND_JIT_COUNTER_INIT + JIT_G(hot_func) - 1) / JIT_G(hot_func)));
 }
@@ -2334,7 +2367,7 @@ static int zend_jit_hybrid_loop_hot_counter_stub(dasm_State **Dst)
 	}
 
 	|->hybrid_loop_hot_counter:
-
+	|	ENDBR
 	return zend_jit_hybrid_hot_counter_stub(Dst,
 		((ZEND_JIT_COUNTER_INIT + JIT_G(hot_loop) - 1) / JIT_G(hot_loop)));
 }
@@ -2346,6 +2379,7 @@ static int zend_jit_hybrid_hot_trace_stub(dasm_State **Dst)
 	}
 
 	|->hybrid_hot_trace:
+	|	ENDBR
 	|	mov word [r2], ZEND_JIT_COUNTER_INIT
 	|	mov FCARG1a, FP
 	|	GET_IP FCARG2a
@@ -2379,7 +2413,7 @@ static int zend_jit_hybrid_func_trace_counter_stub(dasm_State **Dst)
 	}
 
 	|->hybrid_func_trace_counter:
-
+	|	ENDBR
 	return zend_jit_hybrid_trace_counter_stub(Dst,
 		((ZEND_JIT_COUNTER_INIT + JIT_G(hot_func) - 1)  / JIT_G(hot_func)));
 }
@@ -2391,7 +2425,7 @@ static int zend_jit_hybrid_ret_trace_counter_stub(dasm_State **Dst)
 	}
 
 	|->hybrid_ret_trace_counter:
-
+	|	ENDBR
 	return zend_jit_hybrid_trace_counter_stub(Dst,
 		((ZEND_JIT_COUNTER_INIT + JIT_G(hot_return) - 1) / JIT_G(hot_return)));
 }
@@ -2403,14 +2437,15 @@ static int zend_jit_hybrid_loop_trace_counter_stub(dasm_State **Dst)
 	}
 
 	|->hybrid_loop_trace_counter:
-
+	|	ENDBR
 	return zend_jit_hybrid_trace_counter_stub(Dst,
 		((ZEND_JIT_COUNTER_INIT + JIT_G(hot_loop) - 1) / JIT_G(hot_loop)));
 }
 
 static int zend_jit_trace_halt_stub(dasm_State **Dst)
 {
 	|->trace_halt:
+	|	ENDBR
 	if (zend_jit_vm_kind == ZEND_VM_KIND_HYBRID) {
 		|	ADD_HYBRID_SPAD
 		|	EXT_JMP zend_jit_halt_op->handler, r0
@@ -2431,7 +2466,7 @@ static int zend_jit_trace_halt_stub(dasm_State **Dst)
 static int zend_jit_trace_exit_stub(dasm_State **Dst)
 {
 	|->trace_exit:
-	|
+	|	ENDBR
 	|	// Save CPU registers
 	|.if X64
 	|	sub r4, 16*8+16*8-8 /* CPU regs + SSE regs */
@@ -2564,6 +2599,7 @@ static int zend_jit_trace_exit_stub(dasm_State **Dst)
 static int zend_jit_trace_escape_stub(dasm_State **Dst)
 {
 	|->trace_escape:
+	|	ENDBR
 	|
 	if (zend_jit_vm_kind == ZEND_VM_KIND_HYBRID) {
 		|	ADD_HYBRID_SPAD
@@ -2606,6 +2642,7 @@ static int zend_jit_trace_exit_group_stub(dasm_State **Dst, uint32_t n)
 static int zend_jit_context_threaded_call_stub(dasm_State **Dst)
 {
 	|->context_threaded_call:
+	|	ENDBR
 	|	pop r0
 	if (zend_jit_vm_kind == ZEND_VM_KIND_HYBRID) {
 		|	ADD_HYBRID_SPAD
@@ -2635,6 +2672,7 @@ static int zend_jit_assign_const_stub(dasm_State **Dst)
 	uint32_t val_info = MAY_BE_ANY|MAY_BE_RC1|MAY_BE_RCN;
 
 	|->assign_const:
+	|	ENDBR
 	|.if X64WIN
 	|	sub r4, 0x28
 	|.elif X64
@@ -2667,6 +2705,7 @@ static int zend_jit_assign_tmp_stub(dasm_State **Dst)
 	uint32_t val_info = MAY_BE_ANY|MAY_BE_RC1|MAY_BE_RCN;
 
 	|->assign_tmp:
+	|	ENDBR
 	|.if X64WIN
 	|	sub r4, 0x28
 	|.elif X64
@@ -2699,6 +2738,7 @@ static int zend_jit_assign_var_stub(dasm_State **Dst)
 	uint32_t val_info = MAY_BE_ANY|MAY_BE_RC1|MAY_BE_RCN|MAY_BE_REF;
 
 	|->assign_var:
+	|	ENDBR
 	|.if X64WIN
 	|	sub r4, 0x28
 	|.elif X64
@@ -2731,6 +2771,7 @@ static int zend_jit_assign_cv_noref_stub(dasm_State **Dst)
 	uint32_t val_info = MAY_BE_ANY|MAY_BE_RC1|MAY_BE_RCN/*|MAY_BE_UNDEF*/;
 
 	|->assign_cv_noref:
+	|	ENDBR
 	|.if X64WIN
 	|	sub r4, 0x28
 	|.elif X64
@@ -2763,6 +2804,7 @@ static int zend_jit_assign_cv_stub(dasm_State **Dst)
 	uint32_t val_info = MAY_BE_ANY|MAY_BE_RC1|MAY_BE_RCN|MAY_BE_REF/*|MAY_BE_UNDEF*/;
 
 	|->assign_cv:
+	|	ENDBR
 	|.if X64WIN
 	|	sub r4, 0x28
 	|.elif X64
@@ -3044,6 +3086,7 @@ static int zend_jit_align_func(dasm_State **Dst)
 	track_last_valid_opline = 0;
 	jit_return_label = -1;
 	|.align 16
+	|	ENDBR
 	return 1;
 }
 
@@ -3065,6 +3108,7 @@ static int zend_jit_prologue(dasm_State **Dst)
 static int zend_jit_label(dasm_State **Dst, unsigned int label)
 {
 	|=>label:
+	|	ENDBR
 	return 1;
 }
 
@@ -3824,10 +3868,11 @@ static int zend_jit_context_threaded_call(dasm_State **Dst, const zend_op *oplin
 {
 	if (!zend_jit_handler(Dst, opline, 1)) return 0;
 	if (opline->opcode == ZEND_DO_UCALL) {
+		|	ENDBR
 		|	call ->context_threaded_call
 	} else {
 		const zend_op *next_opline = opline + 1;
-
+		|	ENDBR
 		|	CMP_IP next_opline
 		|	je =>next_block
 		|	call ->context_threaded_call