https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94891

--- Comment #6 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-10 branch has been updated by Szabolcs Nagy <n...@gcc.gnu.org>:

https://gcc.gnu.org/g:eb41624df3bfee5dd4183738f57e1cf54a2a32eb

commit r10-8485-geb41624df3bfee5dd4183738f57e1cf54a2a32eb
Author: Szabolcs Nagy <szabolcs.n...@arm.com>
Date:   Thu Jun 4 13:42:16 2020 +0100

    aarch64: fix __builtin_eh_return with pac-ret [PR94891]

    Currently __builtin_eh_return takes a signed return address, which can
    cause ABI and API issues: 1) pointer representation problems if the
    address is passed around before eh return, 2) the source code needs
    pac-ret specific changes and needs to know if pac-ret is used in the
    current frame, 3) signed address may not be representable as void *
    (with ilp32 abi).

    Using address signing to protect eh return is ineffective because the
    instruction sequence in the unwinder that starts from the address
    signing and ends with a ret can be used as a return to anywhere gadget.
    Using indirect branch instead of ret with bti j landing pads at the
    target can reduce the potential of such gadget, which also implies
    that __builtin_eh_return should not take a signed address.

    This is a big hammer fix to the ABI and API issues: it turns pac-ret
    off for the caller completely (not just on the eh return path).  To
    harden the caller against ROP attacks, it should use indirect branch
    instead of ret; this is not attempted so the patch remains small and
    backportable.

    2020-07-13  Szabolcs Nagy  <szabolcs.n...@arm.com>

    gcc/ChangeLog:

            PR target/94891
            * config/aarch64/aarch64.c (aarch64_return_address_signing_enabled):
            Disable return address signing if __builtin_eh_return is used.

    gcc/testsuite/ChangeLog:

            PR target/94891
            * gcc.target/aarch64/return_address_sign_1.c: Update test.
            * gcc.target/aarch64/return_address_sign_b_1.c: Likewise.

    (cherry picked from commit 2bc95be3bb8c8138e2e87c1c11c84bfede989d61)

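As an added example that is not part of the GCC commit or of this bug thread: a small POSIX shell check that scans compiler-emitted AArch64 assembly and reports whether a named function's body still contains return-address signing instructions. This is the kind of check a defender can run on the assembly of a frame that calls __builtin_eh_return (for example the unwinder in libgcc) to confirm that the toolchain in use really emits that frame without pac-ret, as the fix above intends, while other frames keep their signing. The two assembly samples are constructed for the demonstration, and the function names `eh_caller`, `do_unwind` and `other` are hypothetical.

```shell
#!/bin/sh
# Added example (not GCC's own code): detect pac-ret instructions inside one
# function of an AArch64 assembly listing, e.g. the output of
#   aarch64-linux-gnu-gcc -S -O2 -mbranch-protection=pac-ret unwind.c
# Usage: pac_in_function FILE FUNC
#   prints the matching lines; exit 0 if signing instructions were found in
#   FUNC, exit 1 if FUNC carries no return-address signing.
pac_in_function() {
    file=$1
    func=$2
    # Keep only the lines between "FUNC:" and the ".size FUNC, ..." directive.
    awk -v f="$func" '
        $0 == f ":" { inside = 1; next }
        inside && $1 == ".size" && $2 ~ "^" f "," { inside = 0 }
        inside { print }
    ' "$file" |
    # GCC spells pac-ret either with the PAuth mnemonics or, for targets
    # without the extension, with the NOP-space HINT encodings:
    # hint 25 = paciasp, hint 29 = autiasp, hint 27 = pacibsp, hint 31 = autibsp.
    grep -E 'paci[ab]sp|auti[ab]sp|reta[ab]|hint[[:space:]]+#?(25|27|29|31)([^0-9]|$)'
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sample 1: a pac-ret frame that uses __builtin_eh_return as GCC
# emitted it before the fix (signing in the prologue, authentication before ret).
cat > "$SAMPLE_DIR/before.s" <<'EOF'
	.text
	.global	eh_caller
	.type	eh_caller, %function
eh_caller:
	hint	25 // paciasp
	stp	x29, x30, [sp, -16]!
	mov	x29, sp
	bl	do_unwind
	ldp	x29, x30, [sp], 16
	hint	29 // autiasp
	ret
	.size	eh_caller, .-eh_caller
	.global	other
	.type	other, %function
other:
	paciasp
	stp	x29, x30, [sp, -16]!
	ldp	x29, x30, [sp], 16
	autiasp
	ret
	.size	other, .-other
EOF

# Constructed sample 2: the same listing after the fix; eh_caller has no
# signing at all, while the unrelated function "other" keeps its pac-ret.
cat > "$SAMPLE_DIR/after.s" <<'EOF'
	.text
	.global	eh_caller
	.type	eh_caller, %function
eh_caller:
	stp	x29, x30, [sp, -16]!
	mov	x29, sp
	bl	do_unwind
	ldp	x29, x30, [sp], 16
	ret
	.size	eh_caller, .-eh_caller
	.global	other
	.type	other, %function
other:
	paciasp
	stp	x29, x30, [sp, -16]!
	ldp	x29, x30, [sp], 16
	autiasp
	ret
	.size	other, .-other
EOF

# Report the eh_return frame in both samples.
for f in before after; do
    if pac_in_function "$SAMPLE_DIR/$f.s" eh_caller >/dev/null; then
        echo "$f.s: eh_caller still uses pac-ret (return-address signing present)"
    else
        echo "$f.s: eh_caller has no return-address signing"
    fi
done
```

Point the function at the real `-S` output of a pac-ret build of the unwinder; with a compiler that carries this fix, the frame containing the __builtin_eh_return call reports no signing, while neighbouring frames still do.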