GCC Newspaper
JUNE 15, 2026

GCC adds Zicfilp landing pad protection for setjmp and indirect returns

GCC now inserts Zicfilp landing pad protection at call sites for `setjmp` and functions with an `indirect_return` attribute, preventing control-flow manipulati…

This update enhances Control-Flow Integrity (CFI) for the RISC-V Zicfilp extension by adding landing pad (LPAD) protection. It specifically targets `setjmp` and functions marked with a new `indirect_return` attribute, since such functions may return to unexpected addresses. The compiler now emits a special instruction sequence at these call sites to safeguard against malicious modifications of the return address, though indirect calls to such functions remain unprotected.

In Details

The RISC-V Zicfilp extension provides hardware-assisted Control-Flow Integrity (CFI). This commit extends Zicfilp's protection by addressing specific scenarios where control flow can be diverted, namely `setjmp`/`longjmp` calls and functions marked with the new `indirect_return` attribute. The `riscv_call_needs_lpad_p` function, evaluated at expand time, determines if a call requires an LPAD. When needed, the `call_internal_cfi` and `call_value_internal_cfi` instruction patterns are used to emit a multi-instruction sequence (`.p2align 2`, `.option push`/`norelax`/`norvc`, `call`, `.option pop`, `lpad 0…
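A build-time check for the sequence described above, as an added example that is not part of the GCC commit or of this article: it scans a RISC-V assembly listing and reports direct calls to `setjmp` (or to names you pass in as `indirect_return` functions) that lack the directives or the `lpad` the article lists. The listing is constructed, `swap_stack` is a hypothetical function name, and treating `lpad` as the first instruction after `.option pop` is an assumption drawn from the truncated sequence quoted above.

```python
import re

# Direct calls only; the article notes indirect calls to these functions stay unprotected.
CALL_RE = re.compile(r"^(?:call|jal)\s+(?:ra\s*,\s*)?([A-Za-z_$][\w.$]*)(?:@plt)?$")
# Directives the article lists in front of the call (assumed exact spelling).
REQUIRED = (".p2align 2", ".option norelax", ".option norvc")

def statements(asm):
    """Return (line_no, text) pairs with comments, labels and blank lines removed."""
    out = []
    for no, raw in enumerate(asm.splitlines(), 1):
        text = raw.split("#", 1)[0].strip()
        text = re.sub(r"^[\w.$]+:\s*", "", text)      # drop a leading label
        if text:
            out.append((no, " ".join(text.split())))  # normalise tabs/spaces
    return out

def audit(asm, protected=("setjmp",)):
    """Return (line_no, callee, problem) for each call site that looks unprotected."""
    stmts, findings = statements(asm), []
    for i, (no, text) in enumerate(stmts):
        m = CALL_RE.match(text)
        if not m or m.group(1) not in protected:
            continue
        before, j = [], i - 1                         # directives right before the call
        while j >= 0 and stmts[j][1].startswith("."):
            before.append(stmts[j][1])
            j -= 1
        missing = [d for d in REQUIRED if d not in before]
        # First real instruction after the call, skipping directives such as .option pop.
        nxt = next((t for _, t in stmts[i + 1:] if not t.startswith(".")), "")
        if not nxt.startswith("lpad"):
            findings.append((no, m.group(1), "no lpad after call"))
        elif missing:
            findings.append((no, m.group(1), "missing " + ", ".join(missing)))
    return findings

# Constructed listing: one protected setjmp site, one bare site, one partial site.
SAMPLE = """\
protected_site:
\t.p2align 2\n\t.option push\n\t.option norelax\n\t.option norvc
\tcall\tsetjmp\n\t.option pop\n\tlpad\t0\n\tbnez\ta0,.L2
unprotected_site:
\tcall\tsetjmp\n\tbnez\ta0,.L3
\tcall\tswap_stack      # hypothetical indirect_return function
\tlpad\t0
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, ("setjmp", "swap_stack")):
        print("line %d: call to %s: %s" % finding)
```
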

For Context

Compilers generate machine code for your programs. Sometimes, certain operations, like `setjmp` (which allows a program to jump back to a previously saved point) or functions that might return to an unpredictable location, can be exploited by attackers to hijack the program's execution flow. The RISC-V Zicfilp extension is a hardware feature designed to prevent such attacks by ensuring that programs only jump to valid return addresses. This update teaches the GCC compiler to use Zicfilp's protection mechanisms more broadly. Specifically, it instructs the compiler to insert special 'landing pads' at the sites of calls to `setjmp` and any function explicitly marked as capable of an 'indirect return.' These landing pads act as a security measure, verifying the integrity of the return address and preventing an attacker from diverting the program to an unintended location.

Filed Under: risc-v, zicfilp, security, cfi, attributes