https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94891
--- Comment #6 from CVS Commits <cvs-commit at gcc dot gnu.org> --- The releases/gcc-10 branch has been updated by Szabolcs Nagy <n...@gcc.gnu.org>: https://gcc.gnu.org/g:eb41624df3bfee5dd4183738f57e1cf54a2a32eb commit r10-8485-geb41624df3bfee5dd4183738f57e1cf54a2a32eb Author: Szabolcs Nagy <szabolcs.n...@arm.com> Date: Thu Jun 4 13:42:16 2020 +0100 aarch64: fix __builtin_eh_return with pac-ret [PR94891] Currently __builtin_eh_return takes a signed return address, which can cause ABI and API issues: 1) pointer representation problems if the address is passed around before eh return, 2) the source code needs pac-ret specific changes and needs to know if pac-ret is used in the current frame, 3) signed address may not be representible as void * (with ilp32 abi). Using address signing to protect eh return is ineffective because the instruction sequence in the unwinder that starts from the address signing and ends with a ret can be used as a return to anywhere gadget. Using indirect branch istead of ret with bti j landing pads at the target can reduce the potential of such gadget, which also implies that __builtin_eh_return should not take a signed address. This is a big hammer fix to the ABI and API issues: it turns pac-ret off for the caller completely (not just on the eh return path). To harden the caller against ROP attacks, it should use indirect branch instead of ret, this is not attempted so the patch remains small and backportable. 2020-07-13 Szabolcs Nagy <szabolcs.n...@arm.com> gcc/ChangeLog: PR target/94891 * config/aarch64/aarch64.c (aarch64_return_address_signing_enabled): Disable return address signing if __builtin_eh_return is used. gcc/testsuite/ChangeLog: PR target/94891 * gcc.target/aarch64/return_address_sign_1.c: Update test. * gcc.target/aarch64/return_address_sign_b_1.c: Likewise. (cherry picked from commit 2bc95be3bb8c8138e2e87c1c11c84bfede989d61)
