From 1457ca8725ed4b2243ae5e62536b5691f061f6e3 Mon Sep 17 00:00:00 2001
From: deraadt
Date: Tue, 4 Jun 2024 15:14:44 +0000
Subject: [PATCH] enable -fret-clean on amd64, for libc libcrypto ld.so kernel, and all the ssh tools. The dynamic objects are entirely ret-clean, static binaries will contain a blend of cleaning and non-cleaning callers.
---
 lib/libc/arch/amd64/Makefile.inc | 4 +++-
 lib/libcrypto/arch/amd64/Makefile.inc | 4 +++-
 libexec/ld.so/amd64/Makefile.inc | 3 ++-
 sys/arch/amd64/conf/Makefile.amd64 | 3 ++-
 usr.bin/ssh/Makefile.inc | 5 ++++-
 5 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/lib/libc/arch/amd64/Makefile.inc b/lib/libc/arch/amd64/Makefile.inc
index 8b5442a43ae..a84eb110c54 100644
--- a/lib/libc/arch/amd64/Makefile.inc
+++ b/lib/libc/arch/amd64/Makefile.inc
@@ -1 +1,3 @@
-# $OpenBSD: Makefile.inc,v 1.5 2014/06/09 20:47:10 miod Exp $
+# $OpenBSD: Makefile.inc,v 1.6 2024/06/04 15:14:44 deraadt Exp $
+
+CFLAGS+=-fret-clean
diff --git a/lib/libcrypto/arch/amd64/Makefile.inc b/lib/libcrypto/arch/amd64/Makefile.inc
index a3541058226..0cf212b1869 100644
--- a/lib/libcrypto/arch/amd64/Makefile.inc
+++ b/lib/libcrypto/arch/amd64/Makefile.inc
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.inc,v 1.27 2024/03/29 11:00:57 jsing Exp $
+# $OpenBSD: Makefile.inc,v 1.28 2024/06/04 15:14:45 deraadt Exp $
 # amd64-specific libcrypto build rules
@@ -83,3 +83,5 @@ GENERATED+=x86_64cpuid.S
 x86_64cpuid.S: ${LCRYPTO_SRC}/x86_64cpuid.pl ${EXTRA_PL}
 (cd ${LCRYPTO_SRC}/${dir} ; \
 /usr/bin/perl ./x86_64cpuid.pl) > ${.TARGET}
+
+CFLAGS+=-fret-clean
diff --git a/libexec/ld.so/amd64/Makefile.inc b/libexec/ld.so/amd64/Makefile.inc
index 3181b632d65..2211d1a9e80 100644
--- a/libexec/ld.so/amd64/Makefile.inc
+++ b/libexec/ld.so/amd64/Makefile.inc
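Review bot: The added `CFLAGS+=-fret-clean` in lib/libc/arch/amd64/Makefile.inc has no comment, so a reader of the makefile cannot tell that it is a hardening flag or what it protects against. I would put `# -fret-clean: callers wipe the stale return address off the stack after each call returns` above it (wording to be checked against the compiler's own description of the option). The same one-line comment is missing at the libcrypto, ld.so, kernel and ssh additions in this patch. The line is also unconditional, so it presumably relies on every compiler used for this directory accepting the option; that is worth confirming.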
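Review bot: `CFLAGS+=-fret-clean` at the end of lib/libcrypto/arch/amd64/Makefile.inc only reaches code the C compiler emits, while the context lines of this same hunk show `x86_64cpuid.S` being generated from a perl script. A call made from generated or hand-written assembly would not get the cleaning, which sits awkwardly with the commit message's statement that the dynamic objects are entirely ret-clean. Whether the assembly in this directory makes calls is not visible in the hunk, so this may turn out to be harmless. Either way a comment such as `# assembly sources are not covered by -fret-clean` would record the limit for whoever audits the mitigation later.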
@@ -1,6 +1,7 @@
-# $OpenBSD: Makefile.inc,v 1.7 2019/10/20 03:44:49 guenther Exp $
+# $OpenBSD: Makefile.inc,v 1.8 2024/06/04 15:14:45 deraadt Exp $
 CFLAGS += -fPIC -mno-sse2 -mno-sse -mno-3dnow -mno-mmx
+CFLAGS +=-fret-clean
 AFLAGS += -fpic
 LD_SCRIPT = ${.CURDIR}/${MACHINE_CPU}/ld.script
diff --git a/sys/arch/amd64/conf/Makefile.amd64 b/sys/arch/amd64/conf/Makefile.amd64
index 8183af31b2d..b369f9476d6 100644
--- a/sys/arch/amd64/conf/Makefile.amd64
+++ b/sys/arch/amd64/conf/Makefile.amd64
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.amd64,v 1.134 2023/09/06 01:47:36 jsg Exp $
+# $OpenBSD: Makefile.amd64,v 1.135 2024/06/04 15:14:45 deraadt Exp $
 # For instructions on building kernels consult the config(8) and options(4)
 # manual pages.
@@ -73,6 +73,7 @@ CMACHFLAGS+= -mno-retpoline -fcf-protection=none
 .endif
 .else
 CMACHFLAGS+= -mretpoline-external-thunk -fcf-protection=branch
+CMACHFLAGS+= -fret-clean
 .endif
 .if ${COMPILER_VERSION:Mclang}
 NO_INTEGR_AS= -no-integrated-as
diff --git a/usr.bin/ssh/Makefile.inc b/usr.bin/ssh/Makefile.inc
index 7c350905e44..5e4cb3856b6 100644
--- a/usr.bin/ssh/Makefile.inc
+++ b/usr.bin/ssh/Makefile.inc
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.inc,v 1.92 2024/05/22 15:24:55 naddy Exp $
+# $OpenBSD: Makefile.inc,v 1.93 2024/06/04 15:14:45 deraadt Exp $
 .include
@@ -6,6 +6,9 @@ CFLAGS+= -I${.CURDIR}/..
 .if ${MACHINE} != "hppa"
 CFLAGS+= -fstack-protector-all
 .endif
+.if ${MACHINE} == "amd64"
+CFLAGS+= -fret-clean
+.endif
 CDIAGFLAGS= -Wall
 CDIAGFLAGS+= -Wextra
--
2.20.1
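Review bot: In libexec/ld.so/amd64/Makefile.inc the new line is written `CFLAGS +=-fret-clean`, while the line directly above it uses `CFLAGS += -fPIC ...` with a space after the operator. Writing it as `CFLAGS += -fret-clean` keeps the flag lines uniform, so a grep for the option across the tree finds every instance with one pattern. The three spellings used in this patch (`CFLAGS+=-fret-clean`, `CFLAGS +=-fret-clean`, `CFLAGS+= -fret-clean`) make that audit harder than it needs to be.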
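Review bot: In sys/arch/amd64/conf/Makefile.amd64 `CMACHFLAGS+= -fret-clean` is added only in the `.else` branch, next to `-mretpoline-external-thunk -fcf-protection=branch`. Kernels built through the other branch, where `-mno-retpoline -fcf-protection=none` appears, therefore get no return-address cleaning. The `.if` that selects between the two starts outside this hunk, so which configurations are excluded cannot be told from here. If the omission is deliberate, a comment in that branch such as `# -fret-clean intentionally not enabled here` would record it, and the commit message's "kernel" could say which kernels are meant.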