From: "peterz at infradead dot org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug target/104816] -fcf-protection=branch should generate endbr instead of notrack jumps
Date: Tue, 24 May 2022 18:12:19 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104816

--- Comment #12 from peterz at infradead dot org ---
On Tue, May 24, 2022 at 04:06:08PM +0000, cvs-commit at gcc dot gnu.org wrote:
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104816
>
> --- Comment #11 from CVS Commits ---
> The master branch has been updated by H.J. Lu :
>
> https://gcc.gnu.org/g:2f4f7de787e5844515d27b2269fc472f95a9916a
>
> commit r13-744-g2f4f7de787e5844515d27b2269fc472f95a9916a
> Author: H.J. Lu
> Date:   Fri Mar 11 12:51:34 2022 -0800
>
>     x86: Document -mcet-switch
>
>     When -fcf-protection=branch is used, the compiler will generate jump
>     tables for switch statements where the indirect jump is prefixed with
>     the NOTRACK prefix, so it can jump to non-ENDBR targets. Since the
>     indirect jump targets are generated by the compiler and stored in
>     read-only memory, this does not result in a direct loss of hardening.
>     But if the jump table index is attacker-controlled, the indirect jump
>     may not be constrained by CET.

Notrack indirect jumps are fully susceptible to speculation attacks.
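An added audit, not part of this bug report or of GCC: it scans compiler-generated x86-64 assembly for the two things the quoted commit message describes, NOTRACK-prefixed indirect branches (which IBT will not constrain) and jump-table case targets that lack an endbr64 landing pad. The inline sample is constructed, modelled on GCC's switch dispatch under -fcf-protection=branch and under -mcet-switch; the names `audit`, `sw_notrack` and `sw_cet_switch` are assumptions.

```python
import re

# Constructed sample (not GCC's or the page's own output), modelled on GCC x86-64 switch
# dispatch: sw_notrack as -fcf-protection=branch emits it, sw_cet_switch as -mcet-switch does.
SAMPLE_ASM = """\
sw_notrack:
\tendbr64
\taddq\t%rdx, %rax
\tnotrack jmp\t*%rax
.L4:
\t.long\t.L5-.L4
.L5:
\tret
sw_cet_switch:
\tendbr64
\taddq\t%rdx, %rax
\tjmp\t*%rax
.L14:
\t.long\t.L15-.L14
.L15:
\tendbr64
\tret
"""

INDIRECT = re.compile(r'^\s*(notrack\s+)?(?:jmp|call)q?\s+\*')  # indirect branch, optional NOTRACK
TABLE_ENTRY = re.compile(r'^\s*\.long\s+(\.L\w+)-(\.L\w+)')       # PIC jump-table entry .Ltarget-.Lbase
LABEL = re.compile(r'^([.\w]+):')

def audit(asm_text):
    """Return ([(function, line_no)] of NOTRACK indirect branches,
    [(function, label)] of jump-table targets not starting with endbr64)."""
    lines = asm_text.splitlines()
    func, label_line, notrack_sites, table_targets = None, {}, [], []
    for n, line in enumerate(lines, 1):
        if m := LABEL.match(line):
            label_line[m.group(1)] = n
            if not m.group(1).startswith('.L'):
                func = m.group(1)  # a non-local label opens a new function
        elif (m := INDIRECT.match(line)) and m.group(1):
            notrack_sites.append((func, n))  # IBT will not check this branch's target
        elif m := TABLE_ENTRY.match(line):
            table_targets.append((func, m.group(1)))
    unguarded = []
    for func, label in table_targets:
        # first real instruction after the target label, skipping blank and label lines
        body = (l.strip() for l in lines[label_line[label]:] if l.strip() and not LABEL.match(l))
        if next(body, '') != 'endbr64':
            unguarded.append((func, label))
    return notrack_sites, unguarded
```

Run `audit` over a real `gcc -S` listing to find which functions still dispatch through NOTRACK jumps after a build is switched to -mcet-switch.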