* Michael Clark via Gcc:

> On 8/23/24 15:57, Michael Clark wrote:
>> On 8/23/24 15:46, Michael Clark wrote:
>>> one more thing. it doesn't require PT_GNU_STACK or writable stacks
>>> like GCC nested functions. 🙂 so I think it is safer but it does
>>> have safety issues, mostly related to stack overflows but it's going
>>> to need some careful analysis with respect to ROP.
>> brain isn't working. of course it needs writable stacks. it doesn't
>> need executable stacks. starting to think about [[allocareturn]]
>> ROP...
>
> if you loaded the return address from the fixed frame in the epilogue
> into a temporary during restore of callee save registers which usually
> unwinds the dynamic offset, you could translate the return instruction
> into an indirect branch.
It poisons the return branch predictor, so it's really bad for performance
and not just incompatible with shadow stacks. For architectures without
a link register, it's probably better to copy the return address to an
elevated position on the stack and use a regular return instruction.

Thanks,
Florian