[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1055711: gcc-13: Please build gcc with -mbranch-protection=standard to fix PAC/BTI support on arm64

Package: gcc-13
Version: 13.2.0-6
Severity: normal

Dear Maintainer,

On arm64 dpkg-dev adds -mbranch-protection=standard to the default build
flags since version 1.22.0. However, the flag is not used in Debian and
Ubuntu when building GCC. This means that the feature does not work as
intended when building programs. A simple test case to check for
functioning gcc support is:

 printf '#include <stdio.h>\n\nint main() {}' > /tmp/test.c
 gcc -mbranch-protection=standard -z force-bti /tmp/test.c

On systems where PAC/BTI support in GCC is working as intended, the
following output is produced:

  [root@eniac ~]# gcc -mbranch-protection=standard -z force-bti /tmp/test.c

  [root@eniac ~]# readelf -n a.out 2>/dev/null | grep Properties
        Properties: AArch64 feature: BTI, PAC

  [root@eniac ~]# gcc --version | head -1 
  gcc (GCC) 13.2.1 20231011 (Red Hat 13.2.1-4)

In Sid the following happens instead:

  (sid-arm64)root@eniac:~# gcc -mbranch-protection=standard -z force-bti /tmp/test.c
  /usr/bin/ld: /usr/lib/gcc/aarch64-linux-gnu/13/../../../aarch64-linux-gnu/Scrt1.o: warning: BTI turned on by -z force-bti when all inputs do not have BTI in NOTE section.
  /usr/bin/ld: /usr/lib/gcc/aarch64-linux-gnu/13/../../../aarch64-linux-gnu/crti.o: warning: BTI turned on by -z force-bti when all inputs do not have BTI in NOTE section.
  /usr/bin/ld: /usr/lib/gcc/aarch64-linux-gnu/13/crtbeginS.o: warning: BTI turned on by -z force-bti when all inputs do not have BTI in NOTE section.
  /usr/bin/ld: /usr/lib/gcc/aarch64-linux-gnu/13/crtendS.o: warning: BTI turned on by -z force-bti when all inputs do not have BTI in NOTE section.
  /usr/bin/ld: /usr/lib/gcc/aarch64-linux-gnu/13/../../../aarch64-linux-gnu/crtn.o: warning: BTI turned on by -z force-bti when all inputs do not have BTI in NOTE section.

  (sid-arm64)root@eniac:~# readelf -n a.out 2>/dev/null | grep Properties
        Properties: AArch64 feature: BTI

  (sid-arm64)root@eniac:~# gcc --version | head -1
  gcc (Debian 13.2.0-6) 13.2.0

It seems that Ubuntu Mantic is affected as well:

  (ubuntu-arm64)root@eniac:/home/ema# gcc -mbranch-protection=standard -z force-bti /tmp/test.c
  /usr/bin/ld: /usr/lib/gcc/aarch64-linux-gnu/13/../../../aarch64-linux-gnu/Scrt1.o: warning: BTI turned on by -z force-bti when all inputs do not have BTI in NOTE section.
  [...]

  (ubuntu-arm64)root@eniac:/home/ema# gcc --version | head -1
  gcc (Ubuntu 13.2.0-4ubuntu3) 13.2.0

On Debian amd64, GCC is built with the -fcf-protection flag on:

  x86_64-linux-gnu-gcc-12 -c -DHAVE_CONFIG_H -g  -I. -I../../src/libiberty/../include  -W -Wall -Wwrite-strings -Wc++-compat -Wstrict-prototypes -Wshadow=local -pedantic  -D_GNU_SOURCE -fcf-protection -fpic ../../src/libiberty/dyn-string.c -o pic/dyn-string.o; \

Analogously, on arm64 it should be built with -mbranch-protection=standard.

Thanks,
  Emanuele
Reply to: