https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96350

            Bug ID: 96350
           Summary: [cet] For ENDBR immediate, the binary would include a
                    gadget that starts with a fake ENDBR64 opcode.
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: target
          Assignee: unassigned at gcc dot gnu.org
          Reporter: crazylht at gmail dot com
                CC: hjl.tools at gmail dot com
  Target Milestone: ---
            Target: i386, x86-64

ENDBR32 and ENDBR64 have specific opcodes:
-       ENDBR32: F3 0F 1E FB
-       ENDBR64: F3 0F 1E FA

And we want attackers not to find unintended ENDBR32/64 opcode matches in
the binary.

Here’s an example:

If the compiler had to generate asm for the following code:
a = 0xF30F1EFA

it could, for example, generate:
mov dword ptr [a], 0xF30F1EFA

In such a case, the binary would include a gadget that starts with a fake
ENDBR64 opcode.

Therefore, the requirement on the compiler is to split such generation into
multiple operations, so that the explicit immediate never shows in the binary.

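The following C program is an added example, not part of the bug report or of GCC. It models the hazard the report describes: a byte-wise gadget scanner for the ENDBR32/ENDBR64 patterns, a naive `mov $imm32, %eax` encoder, and a hardened encoder that splits a hazardous constant into the complemented immediate plus `not %eax` (that particular split is an assumption chosen for the example; the point is only that the four literal bytes never land in the output). Because x86 immediates are stored little-endian, the scanner also shows which 32-bit value actually lays down `F3 0F 1E FA` in memory. A tiny two-opcode interpreter confirms the split leaves `%eax` with the intended value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte sequences for ENDBR32 / ENDBR64, as listed in the bug report. */
static const uint8_t ENDBR32[4] = { 0xF3, 0x0F, 0x1E, 0xFB };
static const uint8_t ENDBR64[4] = { 0xF3, 0x0F, 0x1E, 0xFA };

/* Scan a code blob byte by byte, ignoring instruction boundaries exactly as a
   gadget finder would, and record every offset where an ENDBR pattern begins.
   Returns the total number of matches (even beyond max_offsets). */
size_t find_endbr(const uint8_t *code, size_t len, size_t *offsets, size_t max_offsets)
{
    size_t n = 0;
    for (size_t i = 0; i + 4 <= len; i++) {
        if (memcmp(code + i, ENDBR32, 4) == 0 || memcmp(code + i, ENDBR64, 4) == 0) {
            if (n < max_offsets)
                offsets[n] = i;
            n++;
        }
    }
    return n;
}

/* A 32-bit immediate is encoded little-endian, so the constants whose bytes
   spell F3 0F 1E FA / F3 0F 1E FB in memory are the byte-swapped values. */
int is_endbr_immediate(uint32_t imm)
{
    return imm == 0xFA1E0FF3u || imm == 0xFB1E0FF3u;
}

/* Naive emitter: mov $imm32, %eax is opcode B8 followed by imm32. */
size_t emit_mov_eax_imm32(uint8_t *out, uint32_t imm)
{
    out[0] = 0xB8;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(imm >> (8 * i));
    return 5;
}

/* Hardened emitter (assumed split for this example): when the immediate would
   lay down an ENDBR pattern, load its bitwise complement and follow with
   not %eax (F7 D0), so the literal bytes never appear in the binary. */
size_t emit_mov_eax_imm32_safe(uint8_t *out, uint32_t imm)
{
    if (!is_endbr_immediate(imm))
        return emit_mov_eax_imm32(out, imm);
    size_t n = emit_mov_eax_imm32(out, ~imm);
    out[n++] = 0xF7;  /* not r/m32 ... */
    out[n++] = 0xD0;  /* ... with ModRM selecting %eax */
    return n;
}

/* Minimal interpreter for the two instructions emitted above, used to check
   that the split computes the same value. Any other opcode stops execution. */
uint32_t simulate_eax(const uint8_t *code, size_t len)
{
    uint32_t eax = 0;
    size_t pc = 0;
    while (pc < len) {
        if (code[pc] == 0xB8 && pc + 5 <= len) {
            eax = 0;
            for (int i = 0; i < 4; i++)
                eax |= (uint32_t)code[pc + 1 + i] << (8 * i);
            pc += 5;
        } else if (code[pc] == 0xF7 && pc + 2 <= len && code[pc + 1] == 0xD0) {
            eax = ~eax;
            pc += 2;
        } else {
            break;
        }
    }
    return eax;
}

/* Encode one mov (naive or hardened) and count ENDBR patterns in the result. */
size_t count_endbr_in_mov(uint32_t imm, int hardened)
{
    uint8_t buf[8];
    size_t offs[2];
    size_t n = hardened ? emit_mov_eax_imm32_safe(buf, imm) : emit_mov_eax_imm32(buf, imm);
    return find_endbr(buf, n, offs, 2);
}

/* Encode with the hardened emitter and return the value %eax ends up holding. */
uint32_t roundtrip_safe(uint32_t imm)
{
    uint8_t buf[8];
    size_t n = emit_mov_eax_imm32_safe(buf, imm);
    return simulate_eax(buf, n);
}

int main(void)
{
    /* Constructed inputs: the report's literal and its byte-swapped form. */
    const uint32_t samples[] = { 0xF30F1EFAu, 0xFA1E0FF3u, 0xFB1E0FF3u };
    for (size_t i = 0; i < 3; i++)
        printf("imm 0x%08X: naive leaks %zu ENDBR, hardened leaks %zu, eax=0x%08X\n",
               samples[i], count_endbr_in_mov(samples[i], 0),
               count_endbr_in_mov(samples[i], 1), roundtrip_safe(samples[i]));
    return 0;
}
```

The per-immediate check in the emitter is necessary but not sufficient on its own: an ENDBR pattern can also straddle two adjacent instructions, so running `find_endbr` over the final linked text section is the check that actually matters in a build pipeline.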