On Thu, May 19, 2022 at 1:49 PM Florian Weimer <fwei...@redhat.com> wrote:
>
> * H. J. Lu:
>
> > How about this?
> >
> > @item -mcet-switch
> > @opindex mcet-switch
> > By default, CET instrumentation is turned off on switch statements that
> > use a jump table and indirect branch track is disabled.
>
> Maybe add here: “Since jump tables are stored in read-only memory, this
> does not result in a direct loss of hardening.  But if the jump table
> index is attacker-controlled, the indirect jump may not be constrained
> by CET.”
>
> > This option turns on CET instrumentation to enable indirect branch
> > track for switch statements with jump tables.
>
> “This results in a loss of hardening because the jump targets are now
> reachable via all indirect jumps.”

Like this?

@item -mcet-switch
@opindex mcet-switch
By default, CET instrumentation is turned off on switch statements that
use a jump table and indirect branch track is disabled.  Since jump
tables are stored in read-only memory, this does not result in a direct
loss of hardening.  But if the jump table index is attacker-controlled,
the indirect jump may not be constrained by CET.  This option turns on
CET instrumentation to enable indirect branch track for switch statements
with jump tables, which makes the jump targets reachable via any indirect
jump.

> Maybe GCC should just emit a forced (unoptimized) bounds check for jump
> tables in CET mode …
>
> Thanks,
> Florian
>


-- 
H.J.
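Added example, not code from the thread or from GCC: a small audit of `gcc -S` output that tells the two shapes discussed above apart. In the default shape the dispatch is a `notrack jmp` and the case labels carry no `endbr64`, so IBT does not constrain the jump and the `cmp`/`ja` range check is the only guard; with `-mcet-switch` the dispatch is a tracked `jmp` and every case label becomes an `endbr64` landing pad, reachable from any indirect branch. The assembly embedded below is constructed by hand to mirror that output and is shortened to two cases (GCC would not actually pick a jump table for so few); register allocation and section directives in real output will differ. The script also flags the third, broken combination (tracked `jmp` into a target with no `endbr64`), which would fault under IBT.

```python
import re

# Added example (not GCC's or the thread's code). Assumptions: labels end in
# ':', jump tables are `.long .Lcase-.Ltable` entries, and a landing pad is a
# label whose first instruction is endbr64.
LABEL_RE = re.compile(r'^([.\w$]+):$')
INDIRECT_JMP_RE = re.compile(r'^(notrack\s+)?jmp\s+\*')
TABLE_ENTRY_RE = re.compile(r'^\.(?:long|quad)\s+([.\w$]+)(?:-[.\w$]+)?$')

# Constructed sample, shortened to two cases: the same switch in the default
# -fcf-protection shape (f_default) and the -mcet-switch shape (f_cet_switch).
SAMPLE_ASM = """
f_default:
	endbr64
	cmpl	$1, %edi
	ja	.L2
	leaq	.L4(%rip), %rdx
	movslq	(%rdx,%rdi,4), %rax
	addq	%rdx, %rax
	notrack jmp	*%rax
.L4:
	.long	.L5-.L4
	.long	.L6-.L4
.L5:
	movl	$10, %eax
	ret
.L6:
	movl	$20, %eax
	ret
f_cet_switch:
	endbr64
	cmpl	$1, %edi
	ja	.L12
	leaq	.L14(%rip), %rdx
	movslq	(%rdx,%rdi,4), %rax
	addq	%rdx, %rax
	jmp	*%rax
.L14:
	.long	.L15-.L14
	.long	.L16-.L14
.L15:
	endbr64
	movl	$10, %eax
	ret
.L16:
	endbr64
	movl	$20, %eax
	ret
"""

def parse(asm_text):
    """Return (functions, first instruction per label, jump tables)."""
    funcs, first_instr, tables = {}, {}, {}
    cur, pending, table_label = None, [], None
    for raw in asm_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LABEL_RE.match(line)
        if m:
            label = m.group(1)
            if not label.startswith('.'):        # global symbol starts a function
                cur = funcs.setdefault(label, {'notrack': 0, 'tracked': 0, 'tables': []})
            pending.append(label)                # wait for its first instruction
            table_label = label                  # a table label until proven otherwise
            continue
        m = TABLE_ENTRY_RE.match(line)
        if m and table_label is not None and cur is not None:
            if table_label in pending:           # data follows: table, not code label
                pending.remove(table_label)
                cur['tables'].append(table_label)
            tables.setdefault(table_label, []).append(m.group(1))
            continue
        if line.startswith('.'):                 # any other assembler directive
            continue
        for label in pending:                    # first instruction after the label(s)
            first_instr[label] = line
        pending, table_label = [], None
        m = INDIRECT_JMP_RE.match(line)
        if m and cur is not None:
            cur['notrack' if m.group(1) else 'tracked'] += 1
    return funcs, first_instr, tables

def audit(asm_text):
    """Per function: how its jump-table dispatch interacts with IBT."""
    funcs, first_instr, tables = parse(asm_text)
    out = {}
    for name, f in funcs.items():
        targets = [t for tl in f['tables'] for t in tables[tl]]
        pads = sum(first_instr.get(t, '').startswith('endbr64') for t in targets)
        verdict = 'none'
        if f['tracked'] and pads < len(targets):
            verdict = 'broken'      # tracked jmp to a non-ENDBR target: #CP fault under IBT
        elif f['tracked']:
            verdict = 'cet-switch'  # targets are landing pads; any indirect branch may reach them
        elif f['notrack']:
            verdict = 'notrack'     # IBT ignores this jmp; the cmp/ja range check is the only guard
        out[name] = {'verdict': verdict, 'targets': len(targets), 'landing_pads': pads}
    return out
```

Run `audit()` over the text of a real `gcc -O2 -fcf-protection -S` output to see which shape a given object was built with; a `broken` verdict on real output would indicate a toolchain or hand-assembly bug rather than a policy choice.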
