'Retpoline' mitigation technique for Spectre (branch target injection) [CVE-2017-5715]: https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html https://support.google.com/faqs/answer/7625886 https://spectreattack.com/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715 Patch copied from the 'retpoline-20180107' branch of upstream source repository (please add new / update existing patches when new 'retpoline-xxxxxxxx' branch appears): http://git.infradead.org/users/dwmw2/gcc-retpoline.git From ece041bc3083aabd00fab9de5ba409fbd7dcad8c Mon Sep 17 00:00:00 2001 From: "H.J. Lu" Date: Mon, 4 Dec 2017 12:58:20 -0800 Subject: [PATCH 05/17] Add tests for -mindirect-branch=thunk -fcheck-pointer-bounds -mmpx --- gcc/testsuite/gcc.target/i386/indirect-thunk-bnd-1.c | 19 +++++++++++++++++++ gcc/testsuite/gcc.target/i386/indirect-thunk-bnd-2.c | 20 ++++++++++++++++++++ gcc/testsuite/gcc.target/i386/indirect-thunk-bnd-3.c | 18 ++++++++++++++++++ gcc/testsuite/gcc.target/i386/indirect-thunk-bnd-4.c | 19 +++++++++++++++++++ 4 files changed, 76 insertions(+) create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-bnd-1.c create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-bnd-2.c create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-bnd-3.c create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-bnd-4.c diff --git a/gcc/testsuite/gcc.target/i386/indirect-thunk-bnd-1.c b/gcc/testsuite/gcc.target/i386/indirect-thunk-bnd-1.c new file mode 100644 index 00000000000..a5b1d38e061 --- /dev/null +++ b/gcc/testsuite/gcc.target/i386/indirect-thunk-bnd-1.c @@ -0,0 +1,19 @@ +/* { dg-do compile { target { ! x32 } } } */ +/* { dg-options "-O2 -mindirect-branch=thunk -fcheck-pointer-bounds -mmpx -fno-pic" } */ + +void (*dispatch) (char *); +char buf[10]; + +void +foo (void) +{ + dispatch (buf); +} + +/* { dg-final { scan-assembler "push(?:l|q)\[ \t\]*_?dispatch" { target { ! x32 } } } } */ +/* { dg-final { scan-assembler "pushq\[ \t\]%rax" { target x32 } } } */ +/* { dg-final { scan-assembler "bnd jmp\[ \t\]*__x86.indirect_thunk_bnd" } } */ +/* { dg-final { scan-assembler "jmp\[ \t\]*\.LIND" } } */ +/* { dg-final { scan-assembler "bnd call\[ \t\]*\.LIND" } } */ +/* { dg-final { scan-assembler "bnd ret" } } */ +/* { dg-final { scan-assembler {\tlfence} } } */ diff --git a/gcc/testsuite/gcc.target/i386/indirect-thunk-bnd-2.c b/gcc/testsuite/gcc.target/i386/indirect-thunk-bnd-2.c new file mode 100644 index 00000000000..a42add209e2 --- /dev/null +++ b/gcc/testsuite/gcc.target/i386/indirect-thunk-bnd-2.c @@ -0,0 +1,20 @@ +/* { dg-do compile { target { ! x32 } } } */ +/* { dg-options "-O2 -mindirect-branch=thunk -fcheck-pointer-bounds -mmpx -fno-pic" } */ + +void (*dispatch) (char *); +char buf[10]; + +int +foo (void) +{ + dispatch (buf); + return 0; +} + +/* { dg-final { scan-assembler "push(?:l|q)\[ \t\]*_?dispatch" { target { ! x32 } } } } */ +/* { dg-final { scan-assembler "pushq\[ \t\]%rax" { target x32 } } } */ +/* { dg-final { scan-assembler "bnd jmp\[ \t\]*__x86.indirect_thunk_bnd" } } */ +/* { dg-final { scan-assembler "bnd jmp\[ \t\]*\.LIND" } } */ +/* { dg-final { scan-assembler "bnd call\[ \t\]*\.LIND" } } */ +/* { dg-final { scan-assembler "bnd ret" } } */ +/* { dg-final { scan-assembler {\tlfence} } } */ diff --git a/gcc/testsuite/gcc.target/i386/indirect-thunk-bnd-3.c b/gcc/testsuite/gcc.target/i386/indirect-thunk-bnd-3.c new file mode 100644 index 00000000000..265e010a0fe --- /dev/null +++ b/gcc/testsuite/gcc.target/i386/indirect-thunk-bnd-3.c @@ -0,0 +1,18 @@ +/* { dg-do compile { target { *-*-linux* && { ! x32 } } } } */ +/* { dg-options "-O2 -mindirect-branch=thunk -fcheck-pointer-bounds -mmpx -fpic -fno-plt" } */ + +void bar (char *); +char buf[10]; + +void +foo (void) +{ + bar (buf); +} + +/* { dg-final { scan-assembler "push(?:l|q)\[ \t\]*bar@GOT" } } */ +/* { dg-final { scan-assembler "bnd jmp\[ \t\]*__x86.indirect_thunk_bnd" } } */ +/* { dg-final { scan-assembler "jmp\[ \t\]*\.LIND" } } */ +/* { dg-final { scan-assembler "bnd call\[ \t\]*\.LIND" } } */ +/* { dg-final { scan-assembler "bnd ret" } } */ +/* { dg-final { scan-assembler {\tlfence} } } */ diff --git a/gcc/testsuite/gcc.target/i386/indirect-thunk-bnd-4.c b/gcc/testsuite/gcc.target/i386/indirect-thunk-bnd-4.c new file mode 100644 index 00000000000..1c01bcb7fc6 --- /dev/null +++ b/gcc/testsuite/gcc.target/i386/indirect-thunk-bnd-4.c @@ -0,0 +1,19 @@ +/* { dg-do compile { target { *-*-linux* && { ! x32 } } } } */ +/* { dg-options "-O2 -mindirect-branch=thunk -fcheck-pointer-bounds -mmpx -fpic -fno-plt" } */ + +void bar (char *); +char buf[10]; + +int +foo (void) +{ + bar (buf); + return 0; +} + +/* { dg-final { scan-assembler "push(?:l|q)\[ \t\]*bar@GOT" } } */ +/* { dg-final { scan-assembler "bnd jmp\[ \t\]*__x86.indirect_thunk" } } */ +/* { dg-final { scan-assembler "bnd jmp\[ \t\]*\.LIND" } } */ +/* { dg-final { scan-assembler-times "bnd call\[ \t\]*\.LIND" 2 } } */ +/* { dg-final { scan-assembler "bnd ret" } } */ +/* { dg-final { scan-assembler {\tlfence} } } */ -- 2.15.1