
Commit c1fcd45

JIT: Add IBT support (#8636)
Indirect Branch Tracking (IBT) is part of Intel's Control-Flow Enforcement Technology (CET). IBT is hardware based, forward edge Control-Flow-Integrity mechanism where any indirect CALL/JMP must target an ENDBR instruction or suffer #CP. This commit adds IBT support for JIT: 1. Add endbr32/64 instruction in Dynasm. 2. Insert endbr32/64 in indirect branch target for jitted code. gcc support CET since v8.1 and set it to default since gcc 11. With this commit, endbr is inserted in jitted code if PHP is compiled with "gcc -fcf-protection=full/branch". Signed-off-by: Chen, Hu <hu1.chen@intel.com>
1 parent 2d1a320 commit c1fcd45

2 files changed

+15
-0
lines changed


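--- a/ext/opcache/jit/dynasm/dasm_x86.lua
+++ b/ext/opcache/jit/dynasm/dasm_x86.lua
@@ -1147,6 +1147,8 @@ local map_op = {
 rep_0 = "F3",
 repe_0 = "F3",
 repz_0 = "F3",
+endbr32_0 = "F30F1EFB",
+endbr64_0 = "F30F1EFA",
 -- F4: *hlt
 cmc_0 = "F5",
 -- F6: test... mb,i; div... mb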
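Review bot: The two new entries (new lines 1150–1151) are dropped into the F3 prefix group with no comment, while the surrounding table documents each opcode group (`-- F4: *hlt`, `-- F6: test...`); a one-line comment above them such as `-- F3 0F 1E FB/FA: endbr32/endbr64 (CET IBT landing pads)` would keep the table's convention and tell a reader why a full four-byte sequence sits among one-byte prefixes. The encodings match the documented ENDBR32 (F3 0F 1E FB) and ENDBR64 (F3 0F 1E FA) forms as far as I can tell, so the point is documentation only. The enclosing `map_op` table starts and ends outside the hunk.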

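--- a/ext/opcache/jit/zend_jit_x86.dasc
+++ b/ext/opcache/jit/zend_jit_x86.dasc
@@ -1623,6 +1623,16 @@ static size_t tsrm_tls_offset;
 || }
 |.endmacro
 
+|.macro ENDBR
+||#if defined (__CET__) && (__CET__ & 1) != 0
+| .if X64
+| endbr64
+| .else
+| endbr32
+| .endif
+||#endif
+|.endmacro
+
 static bool reuse_ip = 0;
 static bool delayed_call_chain = 0;
 static uint32_t delayed_call_level = 0;
@@ -2292,6 +2302,7 @@ static int zend_jit_hybrid_hot_code_stub(dasm_State **Dst)
 */
 static int zend_jit_hybrid_hot_counter_stub(dasm_State **Dst, uint32_t cost)
 {
+| ENDBR
 | mov r0, EX->func
 | mov r1, aword [r0 + offsetof(zend_op_array, reserved[zend_func_info_rid])]
 | mov r2, aword [r1 + offsetof(zend_jit_op_array_hot_extension, counter)]
@@ -2362,6 +2373,7 @@ static int zend_jit_hybrid_hot_trace_stub(dasm_State **Dst)
 
 static int zend_jit_hybrid_trace_counter_stub(dasm_State **Dst, uint32_t cost)
 {
+| ENDBR
 | mov r0, EX->func
 | mov r1, aword [r0 + offsetof(zend_op_array, reserved[zend_func_info_rid])]
 | mov r1, aword [r1 + offsetof(zend_jit_op_array_trace_extension, offset)]
@@ -3049,6 +3061,7 @@ static int zend_jit_align_func(dasm_State **Dst)
 
 static int zend_jit_prologue(dasm_State **Dst)
 {
+| ENDBR
 if (zend_jit_vm_kind == ZEND_VM_KIND_HYBRID) {
 | SUB_HYBRID_SPAD
 } else if (GCC_GLOBAL_REGS) {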
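Review bot: The new ENDBR macro (new lines 1626–1634) gates on `(__CET__ & 1) != 0` without saying what the bit means or why only that bit matters, which the next reader will have to look up; a comment line inside the macro such as `||/* __CET__ bit 0 = IBT (-fcf-protection=branch|full), bit 1 = shadow stack; only IBT needs a landing pad */` above the `||#if` would document it. Note that `__CET__` reflects how php itself was compiled, not whether the running kernel and CPU enforce IBT, so a build without -fcf-protection emits no landing pads at all; as far as I know ENDBR32/ENDBR64 decode as multi-byte NOPs on pre-CET hardware, so emitting them unconditionally would be harmless and simpler, and either decision deserves a sentence in the macro comment. The three call sites cover the two hybrid counter stubs and zend_jit_prologue; whether every other indirectly reached entry into jitted code (trace exits, other hybrid stubs, trampolines) also gets a landing pad cannot be confirmed from these hunks, and a missed one would surface as a #CP crash under enforcement rather than a silent bypass, so it is worth a checklist comment or a test on a CET-enabled host. zend_jit_hybrid_hot_counter_stub, zend_jit_hybrid_trace_counter_stub and zend_jit_prologue all continue past their hunks.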
