[PATCH] D155485: Retain all jump table range checks when using BTI.
Fangrui Song via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Wed Jul 26 00:21:05 PDT 2023
MaskRay added a comment.
In D155485#4506823 <https://reviews.llvm.org/D155485#4506823>, @peter.smith wrote:
> I can confirm that this is Arm's preferred way of fixing this. The alternative is to always use a BTI setting indirect branch, but this requires adding `BTI j` in front of every valid target of the branch, which bloats code-size and leaves more targets for an attacker to indirectly jump to.
I see that the AArch64 equivalent (by changing `llvm.arm.space` to `llvm.aarch64.space`) has `bti j` in front of every valid target of the branch, therefore bloating code size.
But how does this leave more targets for an attacker to indirectly jump to? Do you mean that these `bti j` can be the target of a malicious indirect jump from elsewhere?
However, isn't this as unsafe as jumping to the default basic block (in this test case, the end of the function, after the RET) for an out-of-range branch value in the current `switch` instruction?
Repository:
rG LLVM Github Monorepo
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D155485/new/
https://reviews.llvm.org/D155485
More information about the llvm-commits
mailing list