Consider this test program:

  __attribute__ ((weak)) int
  f1 (int (*f2) (void))
  {
    return f2 ();
  }

  int
  f2 (void)
  {
    return 0;
  }

  int
  main (void)
  {
    f1 (f2);
  }

Compiled with "-O2 -mindirect-branch=thunk -fcf-protection -c", we get an object file which has:

  Displaying notes found in: .note.gnu.property
    Owner                 Data size       Description
    GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
        Properties: x86 feature: IBT, SHSTK

But also:

  0000000000000000 <__x86_indirect_thunk_rdi>:
     0:   e8 07 00 00 00          callq  c <__x86_indirect_thunk_rdi+0xc>
     5:   f3 90                   pause
     7:   0f ae e8                lfence
     a:   eb f9                   jmp    5 <__x86_indirect_thunk_rdi+0x5>
     c:   48 89 3c 24             mov    %rdi,(%rsp)
    10:   c3                      retq

The retq will trap on CET-capable hardware because the shadow stack says it should return to address 7, and not to the address in %rdi.

Seen with: xgcc (GCC) 9.0.0 20180924 (experimental)

Suggested fix is to error out when both options are specified at the same time.
(In reply to Florian Weimer from comment #0)
> Suggested fix is to error out when both options are specified at the same
> time.

Yes, -fcf-protection and -mindirect-branch=thunk should be disallowed when used together.
A patch is posted at https://gcc.gnu.org/ml/gcc-patches/2018-09/msg01436.html
Author: hjl
Date: Thu Feb 21 13:41:53 2019
New Revision: 269068

URL: https://gcc.gnu.org/viewcvs?rev=269068&root=gcc&view=rev
Log:
i386: Check -mindirect-branch/-mfunction-return with -fcf-protection

Issue an error when -mindirect-branch or -mfunction-return are used with
incompatible -fcf-protection.

gcc/

	PR target/87412
	* config/i386/i386.c (ix86_set_indirect_branch_type): Issue an
	error for -mindirect-branch/-mfunction-return with incompatible
	-fcf-protection.

gcc/testsuite/

	PR target/87412
	* gcc.target/i386/pr87412-1.c: New file.
	* gcc.target/i386/pr87412-2.c: Likewise.
	* gcc.target/i386/pr87412-3.c: Likewise.
	* gcc.target/i386/pr87412-4.c: Likewise.

Added:
    trunk/gcc/testsuite/gcc.target/i386/pr87412-1.c
    trunk/gcc/testsuite/gcc.target/i386/pr87412-2.c
    trunk/gcc/testsuite/gcc.target/i386/pr87412-3.c
    trunk/gcc/testsuite/gcc.target/i386/pr87412-4.c
Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/config/i386/i386.c
    trunk/gcc/testsuite/ChangeLog
Fixed for GCC 9.
Author: hjl
Date: Thu Feb 21 18:59:00 2019
New Revision: 269074

URL: https://gcc.gnu.org/viewcvs?rev=269074&root=gcc&view=rev
Log:
i386: Replace -fcf-protection with -fcf-protection=branch

Since -mindirect-branch is incompatible with -fcf-protection=return and
-fcf-protection, replace -fcf-protection with -fcf-protection=branch.

	PR target/87412
	* gcc.target/i386/indirect-thunk-attr-14.c: Replace -fcf-protection
	with -fcf-protection=branch.
	* gcc.target/i386/indirect-thunk-attr-15.c: Likewise.
	* gcc.target/i386/indirect-thunk-attr-16.c: Likewise.
	* gcc.target/i386/indirect-thunk-extern-8.c: Likewise.
	* gcc.target/i386/indirect-thunk-extern-9.c: Likewise.
	* gcc.target/i386/indirect-thunk-extern-10.c: Likewise.

Modified:
    trunk/gcc/testsuite/ChangeLog
    trunk/gcc/testsuite/gcc.target/i386/indirect-thunk-attr-14.c
    trunk/gcc/testsuite/gcc.target/i386/indirect-thunk-attr-15.c
    trunk/gcc/testsuite/gcc.target/i386/indirect-thunk-attr-16.c
    trunk/gcc/testsuite/gcc.target/i386/indirect-thunk-extern-10.c
    trunk/gcc/testsuite/gcc.target/i386/indirect-thunk-extern-8.c
    trunk/gcc/testsuite/gcc.target/i386/indirect-thunk-extern-9.c
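To make the conflict concrete, here is an added example that is not code from the bug report or from GCC: a toy model of the CET shadow stack run over the __x86_indirect_thunk_rdi sequence quoted in comment #0, alongside an option check that mirrors the validation the two commits above describe. The model only does what SHSTK does in hardware: call pushes the return address on both stacks, an ordinary store such as "mov %rdi,(%rsp)" can only change the data stack, and ret compares the two. The 5-byte "callq c" at offset 0 pushes offset 5 (the pause), so that is the value the shadow stack holds when the retq tries to go to the address in %rdi. Code addresses for f1's call site and for f2 are made up, and the -mfunction-return rule is an assumption (the page only spells out the rule for -mindirect-branch), assumed to be the same one because the return thunk also ends in a ret whose data-stack slot no longer matches the shadow stack.

```python
# Added example, not code from the GCC bug report or from GCC itself:
# a toy CET shadow-stack model applied to the retpoline thunk quoted in
# comment #0, plus a mirror of the option check the fix adds.


class ShadowStackViolation(Exception):
    """Stands in for the #CP control-protection fault SHSTK hardware raises."""


class Machine:
    """Data stack, shadow stack and the %rdi register. Only call and ret
    touch the shadow stack; ordinary stores cannot, which is the point."""

    def __init__(self, rdi):
        self.rdi = rdi
        self.stack = []   # data stack; index -1 is the value at (%rsp)
        self.shadow = []  # shadow stack

    def call(self, return_addr):
        # CALL pushes the return address on both stacks.
        self.stack.append(return_addr)
        self.shadow.append(return_addr)

    def store_at_rsp(self, value):
        # "mov %rdi,(%rsp)": a plain store, so only the data stack changes.
        self.stack[-1] = value

    def ret(self):
        # RET pops both stacks and compares them; a mismatch is a #CP fault.
        target = self.stack.pop()
        expected = self.shadow.pop()
        if target != expected:
            raise ShadowStackViolation(
                f"ret to {target:#x} but shadow stack holds {expected:#x}")
        return target


THUNK_CALL_RET = 0x5     # "callq c" at thunk+0 is 5 bytes, so it pushes thunk+5
F1_CALL_RET = 0x401040   # made up: the instruction after f1's call to the thunk
F2_ADDR = 0x401100       # made up: address of f2, handed to f1 in %rdi


def retpoline_call_then_return(rdi):
    """Emulate f1 reaching f2 through __x86_indirect_thunk_rdi
    (-mindirect-branch=thunk) with SHSTK active. Returns the address the
    thunk's retq transfers to, or raises ShadowStackViolation."""
    m = Machine(rdi)
    m.call(F1_CALL_RET)      # f1: call __x86_indirect_thunk_rdi (a direct call)
    m.call(THUNK_CALL_RET)   # thunk+0:  callq c       -> pushes thunk+5 on both
    m.store_at_rsp(m.rdi)    # thunk+c:  mov %rdi,(%rsp) -> data stack only
    return m.ret()           # thunk+10: retq -> data says rdi, shadow says thunk+5


def plain_call_then_return(rdi):
    """Emulate 'call *%rdi' (-mindirect-branch=keep) with SHSTK active, then
    f2 returning to f1. Returns the address f2's ret transfers to."""
    m = Machine(rdi)
    m.call(F1_CALL_RET)      # f1: call *%rdi pushes the same value on both stacks
    return m.ret()           # f2: ret -> both stacks agree


def faults(run, *args):
    """True if the modelled instruction sequence takes a #CP fault."""
    try:
        run(*args)
    except ShadowStackViolation:
        return True
    return False


def cf_protection_compatible(indirect_branch="keep", function_return="keep",
                             cf_protection="full"):
    """Mirror of the check the fix adds. -fcf-protection with no value means
    full; the thunks clash with return (shadow-stack) protection, so only
    branch and none leave them usable. Applying the same rule to
    -mfunction-return is an assumption of this example."""
    protects_returns = cf_protection in ("full", "return")
    uses_thunk = indirect_branch != "keep" or function_return != "keep"
    return not (uses_thunk and protects_returns)


if __name__ == "__main__":
    print("retpoline thunk under SHSTK faults:",
          faults(retpoline_call_then_return, F2_ADDR))
    print("plain indirect call under SHSTK faults:",
          faults(plain_call_then_return, F2_ADDR))
    for opts in (("thunk", "keep", "full"), ("thunk", "keep", "branch"),
                 ("keep", "thunk", "return"), ("thunk-extern", "keep", "none")):
        print(opts, "ok" if cf_protection_compatible(*opts) else "rejected")
```

The model shows why IBT is not the problem: every transfer into and out of the thunk is a direct call or jmp, and only the final retq, whose data-stack slot was overwritten, disagrees with the shadow stack. That is why the tests in r269074 could keep -fcf-protection=branch and only had to drop the return half.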