x86: Add endbranch to indirect branch targets for Intel CET

To support Intel CET, all indirect branch targets must start with
endbranch.  Here is a patch to add endbranch to all function entries
in x86 assembly codes which are indirect branch targets as discovered
by running openssl testsuite on Intel CET machine and visual inspection.

Since x86 cbc.pl uses indirect branch with a jump table, we also need
to add endbranch to all jump targets.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10984)

diff --git a/crypto/perlasm/cbc.pl b/crypto/perlasm/cbc.pl
index 8aefefb6966c2fa2191264b39290ab67a7c0dc28..44a60eb7622d5bb6577f2db5f2da93595202c4e1 100644 (file)
--- a/crypto/perlasm/cbc.pl
+++ b/crypto/perlasm/cbc.pl
@@ -165,21 +165,28 @@ sub cbc
        &jmp_ptr($count);
 
 &set_label("ej7");
+       &endbranch()
        &movb(&HB("edx"),       &BP(6,$in,"",0));
        &shl("edx",8);
 &set_label("ej6");
+       &endbranch()
        &movb(&HB("edx"),       &BP(5,$in,"",0));
 &set_label("ej5");
+       &endbranch()
        &movb(&LB("edx"),       &BP(4,$in,"",0));
 &set_label("ej4");
+       &endbranch()
        &mov("ecx",             &DWP(0,$in,"",0));
        &jmp(&label("ejend"));
 &set_label("ej3");
+       &endbranch()
        &movb(&HB("ecx"),       &BP(2,$in,"",0));
        &shl("ecx",8);
 &set_label("ej2");
+       &endbranch()
        &movb(&HB("ecx"),       &BP(1,$in,"",0));
 &set_label("ej1");
+       &endbranch()
        &movb(&LB("ecx"),       &BP(0,$in,"",0));
 &set_label("ejend");
 

diff --git a/crypto/perlasm/x86gas.pl b/crypto/perlasm/x86gas.pl
index 728c1a6da515fcf4973663fb9577689cbf0938e6..25d1c16aacfe183201322f135c81bab774458301 100644 (file)
--- a/crypto/perlasm/x86gas.pl
+++ b/crypto/perlasm/x86gas.pl
@@ -124,6 +124,7 @@ sub ::function_begin_B
     push(@out,".align\t$align\n");
     push(@out,"$func:\n");
     push(@out,"$begin:\n")             if ($global);
+    &::endbranch();
     $::stack=4;
 }