Bug 646758 - Add Spectre v2 (CVE-2017-5715) mitigation flags to the hardened gcc specs
Summary: Add Spectre v2 (CVE-2017-5715) mitigation flags to the hardened gcc specs
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal, 4 votes
Assignee: The Gentoo Linux Hardened Team
Depends on:
Blocks: CVE-2017-5715
Reported: 2018-02-06 12:23 UTC by Kerin Millar
Modified: 2020-06-09 01:26 UTC
CC List: 8 users

See Also:
Package list:
Runtime testing required: ---


Description Kerin Millar 2018-02-06 12:23:02 UTC
The release of gcc-7.3.0 supports the following flags which, as I understand it, would provide maximal generic protection against CVE-2017-5715 in userspace.

-mfunction-return=thunk -mindirect-branch=thunk -mindirect-branch-register

It would be nice for these to make it into the hardened gcc specs.

In addition, I think that the toolchain team should be persuaded to whitelist these flags in flag-o-matic.eclass. I have monkey-patched the eclass to this end, and have not experienced any issues in utilising the above CFLAGS across the entirety of my userspace.
Comment 1 Kerin Millar 2018-02-06 13:41:52 UTC
Bug 646076 exists for the issue of these flags being filtered out.
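The flags in the description are only useful if they actually reach the compiler and are not filtered out by the eclass, so the check a packager wants is whether the generated code contains retpoline thunks. The script below is an added example and is not part of this bug report or of Gentoo's hardened specs. It compiles a constructed probe program to assembly with and without the three flags and looks for the symbols GCC's retpoline implementation emits on x86 and x86-64 (`__x86_indirect_thunk_<reg>` for indirect branches, `__x86_return_thunk` for returns). The helper names (`has_retpoline_thunks`, `has_bare_indirect_branch`, `check_local_gcc`) and the probe source are assumptions made here; it does not cover the spec-file or flag-o-matic side of the request.

```shell
#!/bin/sh
# Added example (not from the bug report): confirm that the gcc 7.3
# Spectre v2 flags changed the generated code. The thunk symbol names are
# the ones GCC emits for -mindirect-branch=thunk / -mfunction-return=thunk.

SPECTRE_V2_CFLAGS="-mfunction-return=thunk -mindirect-branch=thunk -mindirect-branch-register"

# has_retpoline_thunks FILE: succeeds (0) when the assembly in FILE routes
# indirect branches through per-register thunks AND returns through the
# return thunk, i.e. both flag families took effect. Fails (1) otherwise.
has_retpoline_thunks() {
    grep -q '__x86_indirect_thunk_[a-z0-9]*' "$1" || return 1
    grep -q '__x86_return_thunk' "$1" || return 1
    return 0
}

# has_bare_indirect_branch FILE: succeeds when an unprotected indirect
# call or jump (operand written as *reg or *mem) is still present.
has_bare_indirect_branch() {
    grep -Eq '^[[:space:]]*(call|jmp)[[:space:]]+\*' "$1"
}

# write_probe_source FILE: constructed C program with one indirect call
# through a function pointer, the pattern the thunks rewrite.
write_probe_source() {
    cat > "$1" <<'EOF'
#include <stdio.h>
static int add1(int x) { return x + 1; }
/* volatile keeps gcc from turning the indirect call into a direct one */
static int (*volatile op)(int) = add1;
int main(void) { printf("%d\n", op(41)); return 0; }
EOF
}

# check_local_gcc: hypothetical driver. Builds the probe twice and reports
# whether thunks appear only in the mitigated build. Returns 0 on success,
# 1 if the flags were accepted but had no visible effect, 2 if the local
# gcc rejects them (older than 7.3, or a non-x86 target).
check_local_gcc() {
    dir=$(mktemp -d) || return 1
    write_probe_source "$dir/probe.c"
    if ! gcc -O2 -S $SPECTRE_V2_CFLAGS -o "$dir/mitigated.s" "$dir/probe.c" 2>/dev/null; then
        echo "gcc does not accept: $SPECTRE_V2_CFLAGS (needs gcc >= 7.3 on x86)"
        rm -rf "$dir"
        return 2
    fi
    gcc -O2 -S -o "$dir/plain.s" "$dir/probe.c"
    if has_retpoline_thunks "$dir/mitigated.s" && ! has_retpoline_thunks "$dir/plain.s" \
       && ! has_bare_indirect_branch "$dir/mitigated.s"; then
        echo "retpoline thunks present only in the mitigated build"
        status=0
    else
        echo "flags accepted but no thunks found; check the target architecture"
        status=1
    fi
    rm -rf "$dir"
    return $status
}

# Run the live compiler check only when asked, so sourcing the file for
# its helper functions has no side effects.
case "${1:-}" in
    --run) check_local_gcc ;;
esac
```

Run it as `sh check-retpoline.sh --run` on the host whose toolchain you are evaluating. The same `has_retpoline_thunks` test can be pointed at `objdump -d` output of an installed binary, which is how you would audit whether a package built under the patched eclass actually received the flags rather than having them stripped.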