From: "David Seifert" <soap@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/gcc-patches:master commit in: 11.3.0/gentoo/
Date: Thu, 2 Dec 2021 15:03:02 +0000 (UTC)
Message-ID: <1638041417.51a7ace358097005038a0d31350b0c6d3da34e00.soap@gentoo>
commit: 51a7ace358097005038a0d31350b0c6d3da34e00
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Sat Nov 27 19:30:17 2021 +0000
Commit: David Seifert <soap <AT> gentoo <DOT> org>
CommitDate: Sat Nov 27 19:30:17 2021 +0000
URL: https://gitweb.gentoo.org/proj/gcc-patches.git/commit/?id=51a7ace3
11.3.0: add patch to enable CET
Signed-off-by: David Seifert <soap <AT> gentoo.org>
11.3.0/gentoo/26_all_enable-cet.patch | 101 ++++++++++++++++++++++++++++++++++
11.3.0/gentoo/README.history | 1 +
2 files changed, 102 insertions(+)
diff --git a/11.3.0/gentoo/26_all_enable-cet.patch b/11.3.0/gentoo/26_all_enable-cet.patch
new file mode 100644
index 0000000..77678a9
--- /dev/null
+++ b/11.3.0/gentoo/26_all_enable-cet.patch
@@ -0,0 +1,101 @@
+From c1f37f6e3a4fcdefb6b3dfc3d84fc42920a70c00 Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Sat, 27 Nov 2021 19:16:02 +0000
+Subject: [PATCH] Enable CET (-fcf-protection=full) by default
+
+Needs:
+- CET to be enabled for GCC
+- -DEXTRA_OPTIONS_CF to be passed during build (via toolchain.eclass)
+ for now to avoid accidentally enabling it on other arches.
+
+ Only supported on amd64.
+---
+ gcc/common.opt | 2 +-
+ gcc/config/i386/i386-options.c | 5 +++++
+ gcc/defaults.h | 13 +++++++++++++
+ gcc/flag-types.h | 1 +
+ gcc/toplev.c | 4 +++-
+ 5 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/gcc/common.opt b/gcc/common.opt
+index a88778b4e..4993a7ec3 100644
+--- a/gcc/common.opt
++++ b/gcc/common.opt
+@@ -1783,7 +1783,7 @@ fcf-protection
+ Common RejectNegative Alias(fcf-protection=,full)
+
+ fcf-protection=
+-Common Joined RejectNegative Enum(cf_protection_level) Var(flag_cf_protection) Init(CF_NONE)
++Common Joined RejectNegative Enum(cf_protection_level) Var(flag_cf_protection) Init(CF_UNSET)
+ -fcf-protection=[full|branch|return|none|check] Instrument functions with checks to verify jump/call/return control-flow transfer
+ instructions have valid targets.
+
+diff --git a/gcc/config/i386/i386-options.c b/gcc/config/i386/i386-options.c
+index 18d2c0b9f..4fb76f2a1 100644
+--- a/gcc/config/i386/i386-options.c
++++ b/gcc/config/i386/i386-options.c
+@@ -3037,6 +3037,11 @@ ix86_option_override_internal (bool main_args_p,
+ = build_target_option_node (opts, opts_set);
+ }
+
++ if (flag_cf_protection == CF_UNSET)
++ {
++ flag_cf_protection = DEFAULT_FLAG_CF;
++ }
++
+ if (opts->x_flag_cf_protection != CF_NONE)
+ {
+ if ((opts->x_flag_cf_protection & CF_BRANCH) == CF_BRANCH
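Review bot: the added CF_UNSET test in ix86_option_override_internal reads and assigns the global flag_cf_protection, while the existing check directly below it works on opts->x_flag_cf_protection. In a function that receives opts as a parameter, test and set opts->x_flag_cf_protection instead, so the default lands in the same option set that the following CF_BRANCH check inspects. The braces around the single assignment can also go.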
+diff --git a/gcc/defaults.h b/gcc/defaults.h
+index 0f6cd78c5..5694412b7 100644
+--- a/gcc/defaults.h
++++ b/gcc/defaults.h
+@@ -1463,6 +1463,19 @@ see the files COPYING3 and COPYING.RUNTIME respectively. If not, see
+ #define DEFAULT_FLAG_SCP 0
+ #endif
+
++/* Default value for flag_cf_protection when flag_cf_protection is
++ initialized to CF_FULL.
++
++ We use a new option (EXTRA_OPTIONS_CF) here to avoid turning
++ this on accidentally for other arches. */
++#ifdef EXTRA_OPTIONS_CF
++#define DEFAULT_FLAG_CF CF_FULL
++#endif
++#ifndef DEFAULT_FLAG_CF
++#define DEFAULT_FLAG_CF CF_NONE
++#endif
++
++
+ /* By default, the C++ compiler will use function addresses in the
+ vtable entries. Setting this nonzero tells the compiler to use
+ function descriptors instead. The value of this macro says how
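Review bot: the new comment in defaults.h says DEFAULT_FLAG_CF applies "when flag_cf_protection is initialized to CF_FULL", but common.opt in this same patch initializes it to CF_UNSET, and CF_FULL is the value the macro supplies, not the condition. Reword it to say the default is used when flag_cf_protection is still CF_UNSET. EXTRA_OPTIONS_CF is also not tied to any target check here, so the amd64-only restriction rests entirely on the build passing -DEXTRA_OPTIONS_CF only where intended; the comment should say so explicitly. The hunk also adds two consecutive blank lines after the last #endif where one is enough.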
+diff --git a/gcc/flag-types.h b/gcc/flag-types.h
+index a038c8fb7..61be0b128 100644
+--- a/gcc/flag-types.h
++++ b/gcc/flag-types.h
+@@ -389,6 +389,7 @@ enum gfc_convert
+ /* Control-Flow Protection values. */
+ enum cf_protection_level
+ {
++ CF_UNSET = -1,
+ CF_NONE = 0,
+ CF_BRANCH = 1 << 0,
+ CF_RETURN = 1 << 1,
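Review bot: CF_UNSET = -1 sits in the same enum as the bit flags (CF_BRANCH = 1 << 0, CF_RETURN = 1 << 1), and -1 has every bit set, so a mask test such as (x & CF_BRANCH) == CF_BRANCH is true for a value that is still CF_UNSET. Every consumer that can run before the value is resolved then needs an explicit CF_UNSET comparison, as the toplev.c change in this patch adds. Consider a sentinel that does not overlap the flag bits, or document next to the enumerator that CF_UNSET must be replaced before any bitwise test.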
+diff --git a/gcc/toplev.c b/gcc/toplev.c
+index ea0a2a1b0..d110c84ee 100644
+--- a/gcc/toplev.c
++++ b/gcc/toplev.c
+@@ -1297,7 +1297,9 @@ process_options (void)
+ "%<-floop-nest-optimize%>, %<-floop-parallelize-all%>)");
+ #endif
+
+- if (flag_cf_protection != CF_NONE
++ /* Gentoo: we add CF_UNSET here just to be safe, but we only patch the default
++ for amd64 + when CET is definitely enabled anyway. */
++ if ((flag_cf_protection != CF_NONE) && (flag_cf_protection != CF_UNSET)
+ && !(flag_cf_protection & CF_SET))
+ {
+ if (flag_cf_protection == CF_FULL)
+--
+2.34.1
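Review bot: the rewritten condition in process_options only skips the check for CF_UNSET and leaves flag_cf_protection at that value; the only place this patch converts CF_UNSET is ix86_option_override_internal, so a target that does not go through it keeps -1 after this point. Resolve it here instead, for example by setting flag_cf_protection to CF_NONE when it is still CF_UNSET just before this test, which also lets the original condition stay unchanged. The added comment ("for amd64 + when CET is definitely enabled anyway") is hard to read; spell out "on amd64, and only when CET is enabled".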
diff --git a/11.3.0/gentoo/README.history b/11.3.0/gentoo/README.history
index f12e753..2fe9c27 100644
--- a/11.3.0/gentoo/README.history
+++ b/11.3.0/gentoo/README.history
@@ -24,3 +24,4 @@
+ 23_all_EXTRA_OPTIONS-fstack-clash-protection.patch
+ 24_all_lto-intl-workaround-PR95194.patch
+ 25_all_plugin-objdump.patch
+ + 26_all_enable-cet.patch