PR #22485 opened by Martin Storsjö (mstorsjo) URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22485 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22485.patch
Fix a case in hevcdsp where it violated the shadow stack, and set the GCS bit in assembly source files, if this feature is enabled in the compiler. This fixes #21499. From b531a43eb7867cff8108801138be29828dd11724 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= <[email protected]> Date: Thu, 12 Mar 2026 14:53:26 +0200 Subject: [PATCH 1/2] aarch64: hevcdsp: Make returns match the call site For cases when returning early without updating any pixels, we previously returned to return address in the caller's scope, bypassing one function entirely. While this may seem like a neat optimization, it makes the return stack predictor mispredict the returns - which potentially can cost more performance than it gains. Secondly, if the armv9.3 feature GCS (Guarded Control Stack) is enabled, then returns _must_ match the expected value; this feature is being enabled across linux distributions, and by fixing the hevc assembly, we can enable the security feature on ffmpeg as well. --- libavcodec/aarch64/hevcdsp_deblock_neon.S | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/aarch64/hevcdsp_deblock_neon.S b/libavcodec/aarch64/hevcdsp_deblock_neon.S index 581056a91e..7a25fe2457 100644 --- a/libavcodec/aarch64/hevcdsp_deblock_neon.S +++ b/libavcodec/aarch64/hevcdsp_deblock_neon.S @@ -511,8 +511,11 @@ function hevc_loop_filter_luma_body_\bitdepth\()_neon, export=0 sqxtun v6.8b, v6.8h sqxtun v7.8b, v7.8h .endif + // Use x15 to signal whether any pixels should be updated or not. + mov x15, #1 + ret +3: mov x15, #0 ret -3: ret x6 endfunc .endm @@ -562,6 +565,7 @@ function ff_hevc_\dir\()_loop_filter_luma_\bitdepth\()_neon, export=1 .endif .endif bl hevc_loop_filter_luma_body_\bitdepth\()_neon + cbz x15, 9f .if \bitdepth > 8 .ifc \dir, v transpose_8x8H v0, v1, v2, v3, v4, v5, v6, v7, v16, v17 
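Review bot: The x15 result flag is a new part of the contract of `hevc_loop_filter_luma_body_\bitdepth\()_neon`, but it is documented only by the one-line comment next to the first `ret`. The body starts outside this hunk, so I cannot see whether it has a header comment. If it does not, add one above the `function` line, for example `// Out: x15 = 1 if the pixel registers were updated and must be stored, 0 if the caller should skip the store; always returns to the bl site via x30.` The last clause matters now that the file is expected to run under GCS, because it stops a later edit from reintroducing a `ret x6`-style shortcut in the helper.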
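Review bot: The `cbz x15, 9f` check is added at this one call site only, while the helper no longer skips its caller on the no-update path. Any other `bl hevc_loop_filter_luma_body_\bitdepth\()_neon` outside the visible hunks would now fall through into its transpose and store code with x15 ignored. Only this caller is visible here, so please confirm it is the sole call site. A short comment on the branch, e.g. `// x15 == 0: nothing to store, return early`, would also make the pairing with the `9: ret x6` exit obvious, since the label is more than twenty lines further down.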
@@ -587,6 +591,7 @@ function ff_hevc_\dir\()_loop_filter_luma_\bitdepth\()_neon, export=1 st1 {v6.8b}, [x10], x1 st1 {v7.8b}, [x10] .endif +9: ret x6 endfunc .endm -- 2.52.0 From fa0516379b793a42dc20a276479b61545f2f8fef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= <[email protected]> Date: Thu, 12 Mar 2026 14:52:29 +0200 Subject: [PATCH 2/2] aarch64: Add Armv9.3-A GCS support Signal that our assembly is compliant with the GCS feature, if the GCS feature is enabled in the compiler (available since Clang 18 and GCC 15). GCS doesn't require any specific modifications to the assembly code, but requires that all functions return to the expected call address (using a shadow stack). --- libavutil/aarch64/asm.S | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavutil/aarch64/asm.S b/libavutil/aarch64/asm.S index d9698a3203..33807c8caa 100644 --- a/libavutil/aarch64/asm.S +++ b/libavutil/aarch64/asm.S @@ -255,8 +255,14 @@ DISABLE_SME2 # define AARCH64_VALIDATE_LINK_REGISTER #endif +#if defined(__ARM_FEATURE_GCS_DEFAULT) && __ARM_FEATURE_GCS_DEFAULT == 1 +#define GNU_PROPERTY_AARCH64_GCS (1 << 2) +#else +#define GNU_PROPERTY_AARCH64_GCS 0 /* No GCS */ +#endif -#if (GNU_PROPERTY_AARCH64_BTI != 0 || GNU_PROPERTY_AARCH64_PAC != 0) && defined(__ELF__) + +#if (GNU_PROPERTY_AARCH64_BTI != 0 || GNU_PROPERTY_AARCH64_PAC != 0 || GNU_PROPERTY_AARCH64_GCS != 0) && defined(__ELF__) .pushsection .note.gnu.property, "a" .balign 8 .long 4 @@ -265,7 +271,7 @@ DISABLE_SME2 .asciz "GNU" .long 0xc0000000 /* GNU_PROPERTY_AARCH64_FEATURE_1_AND */ .long 4 - .long (GNU_PROPERTY_AARCH64_BTI | GNU_PROPERTY_AARCH64_PAC) + .long (GNU_PROPERTY_AARCH64_BTI | GNU_PROPERTY_AARCH64_PAC | GNU_PROPERTY_AARCH64_GCS) .long 0 .popsection #endif -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
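Review bot: The GCS bit is emitted from the shared `asm.S`, so every aarch64 assembly object advertises GCS compatibility as soon as the compiler sets `__ARM_FEATURE_GCS_DEFAULT`. The only compliance work visible in this series is the single hevcdsp fix. On a system that enforces GCS, any remaining return that does not go back to the address pushed by its matching `bl` will fault at run time, so the commit message should say how the rest of the assembly was checked, for instance an audit of `ret`/`br` uses or a checkasm run with GCS enabled. A comment beside the define would keep the requirement visible to future authors, e.g. `/* Setting this asserts that every return in our assembly matches its call site; do not return past a caller's frame */`.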
