commit: 2b36f3ad2ba0114eae1d32bae5e395e098b3714b Author: Sam James <sam <AT> gentoo <DOT> org> AuthorDate: Tue Dec 28 03:44:47 2021 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Tue Dec 28 03:55:44 2021 +0000 URL: https://gitweb.gentoo.org/proj/gcc-patches.git/commit/?id=2b36f3ad
11.3.0: fix CET patch Our patch was causing unhandled state to leak into the LTO metadata writer, it shouldn't have got that far though. Instead of messing about with GCC's option handling, use the macro they provide for purposes like this, which makes things far simpler (and less fragile). Bug: https://bugs.gentoo.org/828400 Bug: https://bugs.gentoo.org/822036 Thanks-to: Sergei Trofimovich <slyich <AT> gmail.com> (debugging help in #gentoo-toolchain) Thanks-to: Georgy Yakovlev <gyakovlev <AT> gentoo.org> (debugging) Reported-by: matoro <matoro <AT> airmail.cc> Signed-off-by: Sam James <sam <AT> gentoo.org> 11.3.0/gentoo/26_all_enable-cet.patch | 65 +++++------------------------------ 1 file changed, 9 insertions(+), 56 deletions(-) diff --git a/11.3.0/gentoo/26_all_enable-cet.patch b/11.3.0/gentoo/26_all_enable-cet.patch index f3d189d..f6a1dce 100644 --- a/11.3.0/gentoo/26_all_enable-cet.patch +++ b/11.3.0/gentoo/26_all_enable-cet.patch @@ -1,6 +1,6 @@ -From ed1d323dc821e906144f4fc4c39bc16695495f73 Mon Sep 17 00:00:00 2001 +From 83efc6ce009021f27b602c1dfcf65338f761b095 Mon Sep 17 00:00:00 2001 From: Sam James <s...@gentoo.org> -Date: Thu, 9 Dec 2021 02:39:19 +0000 +Date: Tue, 28 Dec 2021 03:42:53 +0000 Subject: [PATCH] Enable CET (-fcf-protection=full) by default Needs: @@ -9,42 +9,22 @@ Needs: for now to avoid accidentally enabling it on other arches. Only supported on amd64. + --- - gcc/common.opt | 2 +- - gcc/config/i386/i386-options.c | 8 ++++++++ + gcc/config/i386/i386-options.c | 3 +++ gcc/defaults.h | 13 +++++++++++++ - gcc/flag-types.h | 1 + - gcc/toplev.c | 4 +++- - 5 files changed, 26 insertions(+), 2 deletions(-) + 2 files changed, 16 insertions(+) -diff --git a/gcc/common.opt b/gcc/common.opt -index a88778b..4993a7e 100644 ---- a/gcc/common.opt -+++ b/gcc/common.opt -@@ -1783,7 +1783,7 @@ fcf-protection - Common RejectNegative Alias(fcf-protection=,full) - - fcf-protection= --Common Joined RejectNegative Enum(cf_protection_level) Var(flag_cf_protection) Init(CF_NONE) -+Common Joined RejectNegative Enum(cf_protection_level) Var(flag_cf_protection) Init(CF_UNSET) - -fcf-protection=[full|branch|return|none|check] Instrument functions with checks to verify jump/call/return control-flow transfer - instructions have valid targets. - diff --git a/gcc/config/i386/i386-options.c b/gcc/config/i386/i386-options.c -index 19632b5..8ee36fe 100644 +index 19632b5..fac61af 100644 --- a/gcc/config/i386/i386-options.c +++ b/gcc/config/i386/i386-options.c -@@ -3049,6 +3049,14 @@ ix86_option_override_internal (bool main_args_p, +@@ -3049,6 +3049,9 @@ ix86_option_override_internal (bool main_args_p, = build_target_option_node (opts, opts_set); } -+ if (opts->x_flag_cf_protection == CF_UNSET) -+ { -+ if (TARGET_64BIT && TARGET_CMOV) -+ opts->x_flag_cf_protection = DEFAULT_FLAG_CF; -+ else -+ opts->x_flag_cf_protection = CF_NONE; -+ } ++ if (TARGET_64BIT && TARGET_CMOV) ++ SET_OPTION_IF_UNSET (opts, opts_set, flag_cf_protection, DEFAULT_FLAG_CF); + if (opts->x_flag_cf_protection != CF_NONE) { @@ -73,33 +53,6 @@ index 0f6cd78..5694412 100644 /* By default, the C++ compiler will use function addresses in the vtable entries. Setting this nonzero tells the compiler to use function descriptors instead. The value of this macro says how -diff --git a/gcc/flag-types.h b/gcc/flag-types.h -index a038c8f..61be0b1 100644 ---- a/gcc/flag-types.h -+++ b/gcc/flag-types.h -@@ -389,6 +389,7 @@ enum gfc_convert - /* Control-Flow Protection values. */ - enum cf_protection_level - { -+ CF_UNSET = -1, - CF_NONE = 0, - CF_BRANCH = 1 << 0, - CF_RETURN = 1 << 1, -diff --git a/gcc/toplev.c b/gcc/toplev.c -index ea0a2a1..bac60eb 100644 ---- a/gcc/toplev.c -+++ b/gcc/toplev.c -@@ -1297,7 +1297,9 @@ process_options (void) - "%<-floop-nest-optimize%>, %<-floop-parallelize-all%>)"); - #endif - -- if (flag_cf_protection != CF_NONE -+ /* Gentoo: we add CF_UNSET here just to be safe, but we only patch the default -+ for amd64 + when CET is definitely enabled anyway. */ -+ if ((flag_cf_protection != CF_NONE) && (flag_cf_protection != CF_UNSET) - && !(flag_cf_protection & CF_SET)) - { - if (flag_cf_protection == CF_FULL) -- 2.34.1
