On Tue, 19 May 2026 13:14:33 +0000
Richard Patel <[email protected]> wrote:
> On Tue, May 19, 2026 at 10:33:45AM +0100, David Laight wrote:
> > Isn't using 'notrack jmp *reg' for jump tables actually more secure?
> > If an attacker can write code it doesn't matter.
> > The jump table in is RO memory so can't be written.
> > But if there are ENDBR on all the jump table targets they become
> > possibly useful code addresses to arrange to write into some RW
> > function pointer table - which might be useful.
>
> You're right. I was worried about an invalid jump table index at first.
> Clang 22 happily optimizes away jump table index bounds checks. GCC 16
> seems to be more careful. We should probably patch LLVM to never
> optimize it away, e.g.:
>
> // funny.c
> // clang -c -fcf-protection=branch -O2 -o funny.o funny.c
> // objdump -d funny.o -M intel
> int t0(void), t1(void), t2(void), t3(void);
> int funny(unsigned long target) {
> __builtin_assume(target < 4);
If you use __builtin_assume() you get to clear up the mess.
I don't know if userspace ever cares about speculative array access.
If it does you need one of the mitigration - eg using cmp+cmov
to generate a jump table index that references the 'default'.
-- David
> switch (target) {
> case 0: return t0();
> case 1: return t1();
> case 2: return t2();
> case 3: return t3();
> }
> }
>
> // Clang 22
> 0000000000000000 <funny>:
> 0: f3 0f 1e fa endbr64
> 4: 55 push rbp
> 5: 48 89 e5 mov rbp, rsp
> 8: 3e ff 24 fd 00 00 00 00 notrack jmp qword ptr
> [rdi*8+0x0] // vulnerable
> 10: 5d pop rbp
> 11: e9 00 00 00 00 jmp 0x16 <funny+0x16>
> 16: 5d pop rbp
> 17: e9 00 00 00 00 jmp 0x1c <funny+0x1c>
> 1c: 5d pop rbp
> 1d: e9 00 00 00 00 jmp 0x22 <funny+0x22>
> 22: 5d pop rbp
> 23: e9 00 00 00 00 jmp 0x28 <funny+0x28>
>
> -Richard
