https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87412
Bug ID: 87412
Summary: -fcf-protection and -mindirect-branch=thunk are incompatible on x86_64
Product: gcc
Version: 9.0
Status: UNCONFIRMED
Keywords: wrong-code
Severity: normal
Priority: P3
Component: target
Assignee: unassigned at gcc dot gnu.org
Reporter: fw at gcc dot gnu.org
Target Milestone: ---
Target: x86_64
Consider this test program:
__attribute__ ((weak))
int
f1 (int (*f2) (void))
{
  /* Indirect call through f2; this is what becomes the retpoline thunk.  */
  return f2 ();
}

int
f2 (void)
{
  return 0;	/* return value added; the original f2 had no return statement */
}

int
main (void)
{
  f1 (f2);
}
Compiled with "-O2 -mindirect-branch=thunk -fcf-protection -c", we get an object file which has:
Displaying notes found in: .note.gnu.property
  Owner                 Data size       Description
  GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature: IBT, SHSTK
But also:
0000000000000000 <__x86_indirect_thunk_rdi>:
   0:   e8 07 00 00 00          callq  c <__x86_indirect_thunk_rdi+0xc>
   5:   f3 90                   pause
   7:   0f ae e8                lfence
   a:   eb f9                   jmp    5 <__x86_indirect_thunk_rdi+0x5>
   c:   48 89 3c 24             mov    %rdi,(%rsp)
  10:   c3                      retq
The retq will trap on CET-capable hardware because the shadow stack says it
should return to address 7, and not to the address in %rdi.
Seen with: xgcc (GCC) 9.0.0 20180924 (experimental)
Suggested fix is to error out when both options are specified at the same time.
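As an added example (not code from the bug report or from GCC), a Python checker for the combination described above: it parses the raw bytes of an ELF64 .note.gnu.property section for the IBT/SHSTK feature bits shown in the readelf output, and flags an object that also contains a __x86_indirect_thunk_* symbol. The note bytes and symbol names are constructed to match the report; for a real object the section contents and symbol list would be read with an ELF tool or library (assumed tooling, not part of the report).

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
X86_FEATURE_1_BITS = {1 << 0: "IBT", 1 << 1: "SHSTK"}  # names as readelf prints them
THUNK_PREFIX = "__x86_indirect_thunk_"  # thunks emitted by -mindirect-branch=thunk

def _align(n, a):
    return (n + a - 1) & ~(a - 1)

def parse_x86_features(note_section, align=8):
    """x86 feature names recorded in the raw bytes of an ELF64 .note.gnu.property
    section (name, descriptor and property entries are 8-byte aligned there)."""
    features = set()
    off = 0
    while off + 12 <= len(note_section):
        namesz, descsz, ntype = struct.unpack_from("<III", note_section, off)
        off += 12
        name = note_section[off:off + namesz]
        off = _align(off + namesz, align)
        desc = note_section[off:off + descsz]
        off = _align(off + descsz, align)
        if name != b"GNU\0" or ntype != NT_GNU_PROPERTY_TYPE_0:
            continue
        p = 0  # the descriptor is a list of (pr_type, pr_datasz, data) entries
        while p + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            p += 8
            data = desc[p:p + pr_datasz]
            p = _align(p + pr_datasz, align)
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and len(data) == 4:
                bits = struct.unpack("<I", data)[0]
                features.update(n for b, n in X86_FEATURE_1_BITS.items() if bits & b)
    return features

def retpoline_thunks(symbol_names):
    """Symbol names that are retpoline thunks, e.g. __x86_indirect_thunk_rdi."""
    return sorted(s for s in symbol_names if s.startswith(THUNK_PREFIX))

def shadow_stack_conflict(note_section, symbol_names):
    """True when the object advertises SHSTK but also carries a retpoline thunk, whose
    'mov %rdi,(%rsp); retq' disagrees with the shadow stack and traps under CET."""
    return "SHSTK" in parse_x86_features(note_section) and bool(retpoline_thunks(symbol_names))

# Constructed sample: the note from the report (descsz 0x10, feature bits IBT|SHSTK = 0x3).
SAMPLE_NOTE = (struct.pack("<III", 4, 0x10, NT_GNU_PROPERTY_TYPE_0) + b"GNU\0"
               + struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, 0x3) + b"\0" * 4)
# Constructed symbol names, as nm would list them for the report's object file.
SAMPLE_SYMBOLS = ["f1", "f2", "main", "__x86_indirect_thunk_rdi"]
```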