@@ -, +, @@ --- 11.3.0/gentoo/26_all_enable-cet.patch | 65 ++++----------------------- 1 file changed, 9 insertions(+), 56 deletions(-) --- a/11.3.0/gentoo/26_all_enable-cet.patch +++ a/11.3.0/gentoo/26_all_enable-cet.patch @@ -1,6 +1,6 @@ -From ed1d323dc821e906144f4fc4c39bc16695495f73 Mon Sep 17 00:00:00 2001 +From 83efc6ce009021f27b602c1dfcf65338f761b095 Mon Sep 17 00:00:00 2001 From: Sam James -Date: Thu, 9 Dec 2021 02:39:19 +0000 +Date: Tue, 28 Dec 2021 03:42:53 +0000 Subject: [PATCH] Enable CET (-fcf-protection=full) by default Needs: @@ -9,42 +9,22 @@ Needs: for now to avoid accidentally enabling it on other arches. Only supported on amd64. + --- - gcc/common.opt | 2 +- - gcc/config/i386/i386-options.c | 8 ++++++++ + gcc/config/i386/i386-options.c | 3 +++ gcc/defaults.h | 13 +++++++++++++ - gcc/flag-types.h | 1 + - gcc/toplev.c | 4 +++- - 5 files changed, 26 insertions(+), 2 deletions(-) + 2 files changed, 16 insertions(+) -diff --git a/gcc/common.opt b/gcc/common.opt -index a88778b..4993a7e 100644 ---- a/gcc/common.opt -+++ b/gcc/common.opt -@@ -1783,7 +1783,7 @@ fcf-protection - Common RejectNegative Alias(fcf-protection=,full) - - fcf-protection= --Common Joined RejectNegative Enum(cf_protection_level) Var(flag_cf_protection) Init(CF_NONE) -+Common Joined RejectNegative Enum(cf_protection_level) Var(flag_cf_protection) Init(CF_UNSET) - -fcf-protection=[full|branch|return|none|check] Instrument functions with checks to verify jump/call/return control-flow transfer - instructions have valid targets. - diff --git a/gcc/config/i386/i386-options.c b/gcc/config/i386/i386-options.c -index 19632b5..8ee36fe 100644 +index 19632b5..fac61af 100644 --- a/gcc/config/i386/i386-options.c 
+++ b/gcc/config/i386/i386-options.c -@@ -3049,6 +3049,14 @@ ix86_option_override_internal (bool main_args_p, +@@ -3049,6 +3049,9 @@ ix86_option_override_internal (bool main_args_p, = build_target_option_node (opts, opts_set); } -+ if (opts->x_flag_cf_protection == CF_UNSET) -+ { -+ if (TARGET_64BIT && TARGET_CMOV) -+ opts->x_flag_cf_protection = DEFAULT_FLAG_CF; -+ else -+ opts->x_flag_cf_protection = CF_NONE; -+ } ++ if (TARGET_64BIT && TARGET_CMOV) ++ SET_OPTION_IF_UNSET (opts, opts_set, flag_cf_protection, DEFAULT_FLAG_CF); + if (opts->x_flag_cf_protection != CF_NONE) { @@ -73,33 +53,6 @@ index 0f6cd78..5694412 100644 /* By default, the C++ compiler will use function addresses in the vtable entries. Setting this nonzero tells the compiler to use function descriptors instead. The value of this macro says how -diff --git a/gcc/flag-types.h b/gcc/flag-types.h -index a038c8f..61be0b1 100644 ---- a/gcc/flag-types.h -+++ b/gcc/flag-types.h -@@ -389,6 +389,7 @@ enum gfc_convert - /* Control-Flow Protection values. */ - enum cf_protection_level - { -+ CF_UNSET = -1, - CF_NONE = 0, - CF_BRANCH = 1 << 0, - CF_RETURN = 1 << 1, -diff --git a/gcc/toplev.c b/gcc/toplev.c -index ea0a2a1..bac60eb 100644 ---- a/gcc/toplev.c -+++ b/gcc/toplev.c -@@ -1297,7 +1297,9 @@ process_options (void) - "%<-floop-nest-optimize%>, %<-floop-parallelize-all%>)"); - #endif - -- if (flag_cf_protection != CF_NONE -+ /* Gentoo: we add CF_UNSET here just to be safe, but we only patch the default -+ for amd64 + when CET is definitely enabled anyway. */ -+ if ((flag_cf_protection != CF_NONE) && (flag_cf_protection != CF_UNSET) - && !(flag_cf_protection & CF_SET)) - { - if (flag_cf_protection == CF_FULL) -- 2.34.1 --
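Review bot: The new guard `if (TARGET_64BIT && TARGET_CMOV)` in ix86_option_override_internal tests the global target macros, although the function is handed `opts`/`opts_set` and the next statement reads `opts->x_flag_cf_protection`. If this path also runs for per-function target options, the CET default could be decided from a different option set than the one being overridden. I would write it as `if (TARGET_64BIT_P (opts->x_ix86_isa_flags) && TARGET_CMOV)` and confirm that TARGET_CMOV is already valid for `opts` at this point; the function body starts and ends outside the hunk. The Gentoo rationale comment dropped with the toplev.c change is not replaced, so a comment above the guard such as `/* Gentoo: default to DEFAULT_FLAG_CF on amd64 only; an explicit -fcf-protection= still wins via opts_set. */` would keep the intent visible. As written, -m32 compiles on the same toolchain appear to keep CF_NONE, so multilib objects are built without CET instrumentation unless the flag is passed explicitly.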