https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87412
Bug ID: 87412
Summary: -fcf-protection and -mindirect-branch=thunk are incompatible on x86_64
Product: gcc
Version: 9.0
Status: UNCONFIRMED
Keywords: wrong-code
Severity: normal
Priority: P3
Component: target
Assignee: unassigned at gcc dot gnu.org
Reporter: fw at gcc dot gnu.org
Target Milestone: ---
Target: x86_64

Consider this test program:

    __attribute__ ((weak))
    int
    f1 (int (*f2) (void))
    {
      return f2 ();
    }

    int
    f2 (void)
    {
    }

    int
    main (void)
    {
      f1 (f2);
    }

Compiled with "-O2 -mindirect-branch=thunk -fcf-protection -c", we get an object file which has:

    Displaying notes found in: .note.gnu.property
      Owner                 Data size       Description
      GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
          Properties: x86 feature: IBT, SHSTK

But also:

    0000000000000000 <__x86_indirect_thunk_rdi>:
       0:   e8 07 00 00 00          callq  c <__x86_indirect_thunk_rdi+0xc>
       5:   f3 90                   pause
       7:   0f ae e8                lfence
       a:   eb f9                   jmp    5 <__x86_indirect_thunk_rdi+0x5>
       c:   48 89 3c 24             mov    %rdi,(%rsp)
      10:   c3                      retq

The retq will trap on CET-capable hardware because the shadow stack says it should return to address 7, and not to the address in %rdi.

Seen with: xgcc (GCC) 9.0.0 20180924 (experimental)

Suggested fix is to error out when both options are specified at the same time.
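
An added example, not part of the original report and not GCC code: a build-audit check for the combination described above. It parses the text output of readelf -n and objdump -d and reports any __x86_indirect_thunk_* function containing a return in an object whose .note.gnu.property advertises SHSTK. The function names are hypothetical, the sample input is the tool output quoted in the report, and only the named-thunk case shown there is covered.

```python
import re

# Constructed sample input: the readelf -n and objdump -d output quoted in the report.
READELF_NOTES = """\
Displaying notes found in: .note.gnu.property
  Owner                 Data size       Description
  GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature: IBT, SHSTK
"""
OBJDUMP_DISASM = """\
0000000000000000 <__x86_indirect_thunk_rdi>:
   0:   e8 07 00 00 00          callq  c <__x86_indirect_thunk_rdi+0xc>
   5:   f3 90                   pause
   7:   0f ae e8                lfence
   a:   eb f9                   jmp    5 <__x86_indirect_thunk_rdi+0x5>
   c:   48 89 3c 24             mov    %rdi,(%rsp)
  10:   c3                      retq
"""

FEATURE_RE = re.compile(r"x86 feature:\s*(.+)")
SYMBOL_RE = re.compile(r"^[0-9a-f]+ <([^>]+)>:\s*$")
# Address, one or more opcode bytes, then the mnemonic (tabs or spaces accepted).
INSN_RE = re.compile(r"^\s*[0-9a-f]+:\s+(?:[0-9a-f]{2}\s)+\s*([a-z]\w*)")
THUNK_PREFIX = "__x86_indirect_thunk_"


def cet_features(readelf_notes):
    """Return the set of x86 features advertised in .note.gnu.property."""
    features = set()
    for match in FEATURE_RE.finditer(readelf_notes):
        features.update(name.strip() for name in match.group(1).split(","))
    return features


def return_thunks(disasm):
    """Return names of __x86_indirect_thunk_* functions that contain a ret."""
    found, current = [], None
    for line in disasm.splitlines():
        symbol = SYMBOL_RE.match(line)
        if symbol:
            current = symbol.group(1)
            continue
        insn = INSN_RE.match(line)
        if (insn and insn.group(1).startswith("ret") and current
                and current.startswith(THUNK_PREFIX) and current not in found):
            found.append(current)
    return found


def shstk_conflicts(readelf_notes, disasm):
    """Thunks that end in a ret inside an object that claims SHSTK support."""
    if "SHSTK" not in cet_features(readelf_notes):
        return []
    return return_thunks(disasm)
```

In a build pipeline the two strings would come from running readelf -n and objdump -d on each object file; a non-empty result from shstk_conflicts marks an object to rebuild with only one of the two options.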