STINNER Victor <vstin...@redhat.com> added the comment:

More info about -fcf-protection=full -mcet:

"Enable control flow protection on x86-64 using -fcf-protection=full -mcet."
https://fedoraproject.org/wiki/Changes/HardeningFlags28

man gcc:

       -fcf-protection=[full|branch|return|none]
           Enable code instrumentation of control-flow transfers to increase
           program security by checking that target addresses of control-flow
           transfer instructions (such as indirect function call, function
           return, indirect jump) are valid.  This prevents diverting the flow
           of control to an unexpected target.  This is intended to protect
           against such threats as Return-oriented Programming (ROP), and
           similarly call/jmp-oriented programming (COP/JOP).

           The value "branch" tells the compiler to implement checking of
           validity of control-flow transfer at the point of indirect branch
           instructions, i.e. call/jmp instructions.  The value "return"
           implements checking of validity at the point of returning from a
           function.  The value "full" is an alias for specifying both
           "branch" and "return". The value "none" turns off instrumentation.

           The macro "__CET__" is defined when -fcf-protection is used.  The
           first bit of "__CET__" is set to 1 for the value "branch" and the
           second bit of "__CET__" is set to 1 for the "return".

           You can also use the "nocf_check" attribute to identify which
           functions and calls should be skipped from instrumentation.

           Currently the x86 GNU/Linux target provides an implementation based
           on Intel Control-flow Enforcement Technology (CET).

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue32962>
_______________________________________