Author vstinner
Recipients Dormouse759, cstratak, ishcherb, pablogsal, serhiy.storchaka, vstinner
Date 2018-10-09.14:22:58
Message-id <1539094978.41.0.545547206417.issue32962@psf.upfronthosting.co.za>
Content
More info about -fcf-protection=full -mcet:

"Enable control flow protection on x86-64 using -fcf-protection=full -mcet."
https://fedoraproject.org/wiki/Changes/HardeningFlags28

man gcc:

       -fcf-protection=[full|branch|return|none]
           Enable code instrumentation of control-flow transfers to increase
           program security by checking that target addresses of control-flow
           transfer instructions (such as indirect function call, function
           return, indirect jump) are valid.  This prevents diverting the flow
           of control to an unexpected target.  This is intended to protect
           against such threats as Return-oriented Programming (ROP), and
           similarly call/jmp-oriented programming (COP/JOP).

           The value "branch" tells the compiler to implement checking of
           validity of control-flow transfer at the point of indirect branch
           instructions, i.e. call/jmp instructions.  The value "return"
           implements checking of validity at the point of returning from a
           function.  The value "full" is an alias for specifying both
           "branch" and "return". The value "none" turns off instrumentation.

           The macro "__CET__" is defined when -fcf-protection is used.  The
           first bit of "__CET__" is set to 1 for the value "branch" and the
           second bit of "__CET__" is set to 1 for the "return".

           You can also use the "nocf_check" attribute to identify which
           functions and calls should be skipped from instrumentation.

           Currently the x86 GNU/Linux target provides an implementation based
           on Intel Control-flow Enforcement Technology (CET).
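
The `__CET__` bits and the `nocf_check` attribute described in the man page excerpt above, as an added example that is not part of the original message or of any project's code. `cet_mode_name`, `cet_compiled_mask`, `dispatch`, the handler names and the `REQUIRE_FULL_CET` macro are hypothetical names chosen for illustration.

```c
#include <stdio.h>
/* __CET__ exists only when -fcf-protection is active; absent means "none". */
#ifdef __CET__
#define CET_MASK ((unsigned)__CET__)
#else
#define CET_MASK 0u
#endif
#define CET_BRANCH 0x1u /* first bit: indirect call/jmp checking */
#define CET_RETURN 0x2u /* second bit: function return checking */

/* Use nocf_check only with branch checking on; otherwise GCC ignores it with a warning. */
#if defined(__CET__) && (__CET__ & 1)
#define NO_CF_CHECK __attribute__((nocf_check))
#else
#define NO_CF_CHECK
#endif

/* Opt-in build gate (hypothetical macro): fail unless "full" is in effect. */
#if defined(REQUIRE_FULL_CET) && (!defined(__CET__) || (__CET__ & 3) != 3)
#error "build with -fcf-protection=full"
#endif

const char *cet_mode_name(unsigned mask) {
    switch (mask & (CET_BRANCH | CET_RETURN)) {
    case CET_BRANCH | CET_RETURN: return "full";
    case CET_BRANCH:              return "branch";
    case CET_RETURN:              return "return";
    default:                      return "none";
    }
}
unsigned cet_compiled_mask(void) { return CET_MASK; }

/* Hypothetical handlers: one instrumented, one skipped via nocf_check. */
static int handler_checked(int x) { return x + 1; }
NO_CF_CHECK static int handler_unchecked(int x) { return x + 2; }

typedef int (*checked_fn)(int);
typedef int (*unchecked_fn)(int) NO_CF_CHECK; /* pointer type must match */

int dispatch(int skip_check, int x) {
    checked_fn c = handler_checked;
    unchecked_fn u = handler_unchecked;
    return skip_check ? u(x) : c(x); /* indirect calls the flag covers */
}

int main(void) {
    printf("-fcf-protection=%s\n", cet_mode_name(cet_compiled_mask()));
    return dispatch(0, 41) == 42 && dispatch(1, 40) == 42 ? 0 : 1;
}
```

Building once with `-fcf-protection=full` and once with `-fcf-protection=none` changes the reported mode; adding `-DREQUIRE_FULL_CET` turns a missing flag into a build error.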
History
Date User Action Args
2018-10-09 14:22:58 vstinner set recipients: + vstinner, serhiy.storchaka, cstratak, ishcherb, Dormouse759, pablogsal
2018-10-09 14:22:58 vstinner set messageid: <1539094978.41.0.545547206417.issue32962@psf.upfronthosting.co.za>
2018-10-09 14:22:58 vstinner link issue32962 messages
2018-10-09 14:22:58 vstinner create