JIT: Add IBT support

chen-hu-97 · Chen Hu · commit 3517c8dd56b7 · 2022-05-27T01:05:09.000-07:00
Indirect Branch Tracking (IBT) is part of Intel's Control-Flow
Enforcement Technology (CET). IBT is hardware based, forward edge
Control-Flow-Integrity mechanism where any indirect CALL/JMP must target
an ENDBR instruction or suffer #CP.

This commit adds IBT support for JIT:
1. Add endbr32/64 instruction in Dynasm.
2. Insert endbr32/64 in indirect branch target for jitted code.

gcc support CET since v8.1 and set it to default since gcc 11. With this
commit, endbr is inserted in jitted code if PHP is compiled with "gcc
-fcf-protection=full/branch".

Signed-off-by: Chen, Hu &lt;hu1.chen@intel.com&gt;
diff --git a/ext/opcache/jit/dynasm/dasm_x86.lua b/ext/opcache/jit/dynasm/dasm_x86.lua
@@ -1147,6 +1147,8 @@ local map_op = {
   rep_0 =	"F3",
   repe_0 =	"F3",
   repz_0 =	"F3",
+  endbr32_0 =	"F30F1EFB",
+  endbr64_0 =	"F30F1EFA",
   -- F4: *hlt
   cmc_0 =	"F5",
   -- F6: test... mb,i; div... mb
diff --git a/ext/opcache/jit/zend_jit_x86.dasc b/ext/opcache/jit/zend_jit_x86.dasc
@@ -1623,6 +1623,16 @@ static size_t tsrm_tls_offset;
 ||	}
 |.endmacro
 
+|.macro ENDBR
+||#if defined (__CET__) && (__CET__ & 1) != 0
+|	.if X64
+|		endbr64
+|	.else
+|		endbr32
+|	.endif
+||#endif
+|.endmacro
+
 static bool reuse_ip = 0;
 static bool delayed_call_chain = 0;
 static uint32_t  delayed_call_level = 0;
@@ -2322,7 +2332,7 @@ static int zend_jit_hybrid_func_hot_counter_stub(dasm_State **Dst)
 	}
 
 	|->hybrid_func_hot_counter:
-
+	|	ENDBR
 	return zend_jit_hybrid_hot_counter_stub(Dst,
 		((ZEND_JIT_COUNTER_INIT + JIT_G(hot_func) - 1) / JIT_G(hot_func)));
 }
@@ -2334,7 +2344,6 @@ static int zend_jit_hybrid_loop_hot_counter_stub(dasm_State **Dst)
 	}
 
 	|->hybrid_loop_hot_counter:
-
 	return zend_jit_hybrid_hot_counter_stub(Dst,
 		((ZEND_JIT_COUNTER_INIT + JIT_G(hot_loop) - 1) / JIT_G(hot_loop)));
 }
@@ -2379,7 +2388,7 @@ static int zend_jit_hybrid_func_trace_counter_stub(dasm_State **Dst)
 	}
 
 	|->hybrid_func_trace_counter:
-
+	|	ENDBR
 	return zend_jit_hybrid_trace_counter_stub(Dst,
 		((ZEND_JIT_COUNTER_INIT + JIT_G(hot_func) - 1)  / JIT_G(hot_func)));
 }
@@ -2391,7 +2400,7 @@ static int zend_jit_hybrid_ret_trace_counter_stub(dasm_State **Dst)
 	}
 
 	|->hybrid_ret_trace_counter:
-
+	|	ENDBR
 	return zend_jit_hybrid_trace_counter_stub(Dst,
 		((ZEND_JIT_COUNTER_INIT + JIT_G(hot_return) - 1) / JIT_G(hot_return)));
 }
@@ -2403,7 +2412,7 @@ static int zend_jit_hybrid_loop_trace_counter_stub(dasm_State **Dst)
 	}
 
 	|->hybrid_loop_trace_counter:
-
+	|	ENDBR
 	return zend_jit_hybrid_trace_counter_stub(Dst,
 		((ZEND_JIT_COUNTER_INIT + JIT_G(hot_loop) - 1) / JIT_G(hot_loop)));
 }
@@ -3049,6 +3058,7 @@ static int zend_jit_align_func(dasm_State **Dst)
 
 static int zend_jit_prologue(dasm_State **Dst)
 {
+	|	ENDBR
 	if (zend_jit_vm_kind == ZEND_VM_KIND_HYBRID) {
 		|	SUB_HYBRID_SPAD
 	} else if (GCC_GLOBAL_REGS) {

Original file line number	Diff line number	Diff line change
`@@ -1623,6 +1623,16 @@ static size_t tsrm_tls_offset;`
`1623`	`1623`	`\|\| }`
`1624`	`1624`	`\|.endmacro`
`1625`	`1625`
	`1626`	`+\|.macro ENDBR`
	`1627`	`+\|\|#if defined (__CET__) && (__CET__ & 1) != 0`
	`1628`	`+\| .if X64`
	`1629`	`+\| endbr64`
	`1630`	`+\| .else`
	`1631`	`+\| endbr32`
	`1632`	`+\| .endif`
	`1633`	`+\|\|#endif`
	`1634`	`+\|.endmacro`
	`1635`	`+`
`1626`	`1636`	`static bool reuse_ip = 0;`
`1627`	`1637`	`static bool delayed_call_chain = 0;`
`1628`	`1638`	`static uint32_t delayed_call_level = 0;`
`@@ -2322,7 +2332,7 @@ static int zend_jit_hybrid_func_hot_counter_stub(dasm_State **Dst)`
`2322`	`2332`	`}`
`2323`	`2333`
`2324`	`2334`	`\|->hybrid_func_hot_counter:`
`2325`		`-`
	`2335`	`+ \| ENDBR`
`2326`	`2336`	`return zend_jit_hybrid_hot_counter_stub(Dst,`
`2327`	`2337`	`((ZEND_JIT_COUNTER_INIT + JIT_G(hot_func) - 1) / JIT_G(hot_func)));`
`2328`	`2338`	`}`
`@@ -2334,7 +2344,6 @@ static int zend_jit_hybrid_loop_hot_counter_stub(dasm_State **Dst)`
`2334`	`2344`	`}`
`2335`	`2345`
`2336`	`2346`	`\|->hybrid_loop_hot_counter:`
`2337`		`-`
`2338`	`2347`	`return zend_jit_hybrid_hot_counter_stub(Dst,`
`2339`	`2348`	`((ZEND_JIT_COUNTER_INIT + JIT_G(hot_loop) - 1) / JIT_G(hot_loop)));`
`2340`	`2349`	`}`
`@@ -2379,7 +2388,7 @@ static int zend_jit_hybrid_func_trace_counter_stub(dasm_State **Dst)`
`2379`	`2388`	`}`
`2380`	`2389`
`2381`	`2390`	`\|->hybrid_func_trace_counter:`
`2382`		`-`
	`2391`	`+ \| ENDBR`
`2383`	`2392`	`return zend_jit_hybrid_trace_counter_stub(Dst,`
`2384`	`2393`	`((ZEND_JIT_COUNTER_INIT + JIT_G(hot_func) - 1) / JIT_G(hot_func)));`
`2385`	`2394`	`}`
`@@ -2391,7 +2400,7 @@ static int zend_jit_hybrid_ret_trace_counter_stub(dasm_State **Dst)`
`2391`	`2400`	`}`
`2392`	`2401`
`2393`	`2402`	`\|->hybrid_ret_trace_counter:`
`2394`		`-`
	`2403`	`+ \| ENDBR`
`2395`	`2404`	`return zend_jit_hybrid_trace_counter_stub(Dst,`
`2396`	`2405`	`((ZEND_JIT_COUNTER_INIT + JIT_G(hot_return) - 1) / JIT_G(hot_return)));`
`2397`	`2406`	`}`
`@@ -2403,7 +2412,7 @@ static int zend_jit_hybrid_loop_trace_counter_stub(dasm_State **Dst)`
`2403`	`2412`	`}`
`2404`	`2413`
`2405`	`2414`	`\|->hybrid_loop_trace_counter:`
`2406`		`-`
	`2415`	`+ \| ENDBR`
`2407`	`2416`	`return zend_jit_hybrid_trace_counter_stub(Dst,`
`2408`	`2417`	`((ZEND_JIT_COUNTER_INIT + JIT_G(hot_loop) - 1) / JIT_G(hot_loop)));`
`2409`	`2418`	`}`
`@@ -3049,6 +3058,7 @@ static int zend_jit_align_func(dasm_State **Dst)`
`3049`	`3058`
`3050`	`3059`	`static int zend_jit_prologue(dasm_State **Dst)`
`3051`	`3060`	`{`
	`3061`	`+ \| ENDBR`
`3052`	`3062`	`if (zend_jit_vm_kind == ZEND_VM_KIND_HYBRID) {`
`3053`	`3063`	`\| SUB_HYBRID_SPAD`
`3054`	`3064`	`} else if (GCC_GLOBAL_REGS) {`