From 310ae7916aafd6a37de475fbd5a28f46ced1efc9 Mon Sep 17 00:00:00 2001 From: Sam James Date: Tue, 28 Dec 2021 03:44:47 +0000 Subject: [PATCH] 11.3.0: fix CET patch Our patch was causing unhandled state to leak into the LTO metadata writer, it shouldn't have got that far though. Instead of messing about with GCC's option handling, use the macro they provide for purposes like this, which makes things far simpler (and less fragile). Bug: https://bugs.gentoo.org/828400 Thanks-to: Sergei Trofimovich (debugging help in #gentoo-toolchain) Thanks-to: Georgy Yakovlev (debugging) Reported-by: matoro Signed-off-by: Sam James --- 11.3.0/gentoo/26_all_enable-cet.patch | 65 ++++----------------------- 1 file changed, 9 insertions(+), 56 deletions(-) diff --git a/11.3.0/gentoo/26_all_enable-cet.patch b/11.3.0/gentoo/26_all_enable-cet.patch index f3d189d..f6a1dce 100644 --- a/11.3.0/gentoo/26_all_enable-cet.patch +++ b/11.3.0/gentoo/26_all_enable-cet.patch @@ -1,6 +1,6 @@ -From ed1d323dc821e906144f4fc4c39bc16695495f73 Mon Sep 17 00:00:00 2001 +From 83efc6ce009021f27b602c1dfcf65338f761b095 Mon Sep 17 00:00:00 2001 From: Sam James -Date: Thu, 9 Dec 2021 02:39:19 +0000 +Date: Tue, 28 Dec 2021 03:42:53 +0000 Subject: [PATCH] Enable CET (-fcf-protection=full) by default Needs: 
@@ -9,42 +9,22 @@ Needs: for now to avoid accidentally enabling it on other arches. Only supported on amd64. + --- - gcc/common.opt | 2 +- - gcc/config/i386/i386-options.c | 8 ++++++++ + gcc/config/i386/i386-options.c | 3 +++ gcc/defaults.h | 13 +++++++++++++ - gcc/flag-types.h | 1 + - gcc/toplev.c | 4 +++- - 5 files changed, 26 insertions(+), 2 deletions(-) + 2 files changed, 16 insertions(+) -diff --git a/gcc/common.opt b/gcc/common.opt -index a88778b..4993a7e 100644 ---- a/gcc/common.opt -+++ b/gcc/common.opt -@@ -1783,7 +1783,7 @@ fcf-protection - Common RejectNegative Alias(fcf-protection=,full) - - fcf-protection= --Common Joined RejectNegative Enum(cf_protection_level) Var(flag_cf_protection) Init(CF_NONE) -+Common Joined RejectNegative Enum(cf_protection_level) Var(flag_cf_protection) Init(CF_UNSET) - -fcf-protection=[full|branch|return|none|check] Instrument functions with checks to verify jump/call/return control-flow transfer - instructions have valid targets. - diff --git a/gcc/config/i386/i386-options.c b/gcc/config/i386/i386-options.c -index 19632b5..8ee36fe 100644 +index 19632b5..fac61af 100644 --- a/gcc/config/i386/i386-options.c +++ b/gcc/config/i386/i386-options.c -@@ -3049,6 +3049,14 @@ ix86_option_override_internal (bool main_args_p, +@@ -3049,6 +3049,9 @@ ix86_option_override_internal (bool main_args_p, = build_target_option_node (opts, opts_set); } -+ if (opts->x_flag_cf_protection == CF_UNSET) -+ { -+ if (TARGET_64BIT && TARGET_CMOV) -+ opts->x_flag_cf_protection = DEFAULT_FLAG_CF; -+ else -+ opts->x_flag_cf_protection = CF_NONE; -+ } ++ if (TARGET_64BIT && TARGET_CMOV) ++ SET_OPTION_IF_UNSET (opts, opts_set, flag_cf_protection, DEFAULT_FLAG_CF); + if (opts->x_flag_cf_protection != CF_NONE) { 
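Review bot: The two added lines in the i386-options.c section of the inner patch (`if (TARGET_64BIT && TARGET_CMOV)` followed by `SET_OPTION_IF_UNSET (opts, opts_set, flag_cf_protection, DEFAULT_FLAG_CF);`) carry no comment, and the only Gentoo comment on this logic is dropped with the toplev.c section, so the patched source no longer says this is a distro-changed hardening default. I would add above the `if`: `/* Gentoo: enable CET by default on amd64 only; an explicit -fcf-protection= on the command line (including =none) is recorded in opts_set and still wins. */`. The guard reads the global `TARGET_64BIT` while the assignment goes through `opts`/`opts_set`; if this function can be reached with an `opts` that differs from the global options, `TARGET_64BIT_P (opts->x_ix86_isa_flags)` would be the matching form, but the rest of ix86_option_override_internal lies outside the hunk, so that needs checking against the file. Since the bug was state leaking into the LTO metadata writer, the commit message should also record how the fix was verified, for example that `__CET__` is predefined with no flags given and that LTO-built objects still carry the IBT/SHSTK property note.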
@@ -73,33 +53,6 @@ index 0f6cd78..5694412 100644 /* By default, the C++ compiler will use function addresses in the vtable entries. Setting this nonzero tells the compiler to use function descriptors instead. The value of this macro says how -diff --git a/gcc/flag-types.h b/gcc/flag-types.h -index a038c8f..61be0b1 100644 ---- a/gcc/flag-types.h -+++ b/gcc/flag-types.h -@@ -389,6 +389,7 @@ enum gfc_convert - /* Control-Flow Protection values. */ - enum cf_protection_level - { -+ CF_UNSET = -1, - CF_NONE = 0, - CF_BRANCH = 1 << 0, - CF_RETURN = 1 << 1, -diff --git a/gcc/toplev.c b/gcc/toplev.c -index ea0a2a1..bac60eb 100644 ---- a/gcc/toplev.c -+++ b/gcc/toplev.c -@@ -1297,7 +1297,9 @@ process_options (void) - "%<-floop-nest-optimize%>, %<-floop-parallelize-all%>)"); - #endif - -- if (flag_cf_protection != CF_NONE -+ /* Gentoo: we add CF_UNSET here just to be safe, but we only patch the default -+ for amd64 + when CET is definitely enabled anyway. */ -+ if ((flag_cf_protection != CF_NONE) && (flag_cf_protection != CF_UNSET) - && !(flag_cf_protection & CF_SET)) - { - if (flag_cf_protection == CF_FULL) -- 2.34.1 -- 2.34.1