On Fri, Jun 05, 2026 at 06:47:11PM +0000, Richard Patel wrote:
> The above sequence does not crash.
>
> With IBT, it should crash at the nop (because an endbr64 is expected there).
> The IBT state (WAIT_FOR_ENDBR in IA32_U_CET MSR) is not backed up to the
> signal frame though. So, when userland does a sigreturn, the CPU has
> forgotten that it was doing an indirect branch before the signal.
> (This specifically only occurs with signal handlers that sigreturn.)
>
> This is because IA32_U_CET is part of XSAVE 'supervisor' state, so
> regular XSAVE/XRSTOR can't access it. Doing a manual backup is tricky.
WAIT_FOR_ENDBR should be part of the exception frame with FRED, so if you're on FRED hardware, this should be fixed IIRC.

