Enable additional security mitigations on binaries produced by MSVC #1814
Merged
Intel CET uses a shadow stack to protect against ROP attacks by terminating the process if a shadow stack violation is detected in a module that has marked itself as CET-compatible with the /CETCOMPAT linker flag (and the process itself has CET enabled).
Exception handling continuation metadata further hardens control flow by ensuring NtContinue() or RtlRestoreContext() cannot be exploited to redirect exception handling to a target that is not a valid exception handler.
Author cgutman not on autobuild list. Waiting for curator authorization before starting CI build.
CI Vulkan-Loader build queued with queue ID 587162.
charles-lunarg
approved these changes
Nov 25, 2025
CI Vulkan-Loader build # 3297 running.
CI Vulkan-Loader build # 3297 passed.
This PR enables /cetcompat and /guard:ehcont mitigations for all compatible targets (x86/x64 for CET and x64/ARM64 for EHCont). More information on these mitigations can be found in Microsoft's blog post.
The resulting x86 and x64 binaries and tests were executed on a CET-compatible platform (AMD Ryzen 7950X) and loaded into a CET-enabled Vulkan application to verify compatibility. The ARM64 build of vulkan-1.dll was also tested successfully in a Vulkan application on a Snapdragon X Elite system.
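A build-verification check for the two options discussed above, as an added example that is not part of the pull request or the Vulkan-Loader code base: it reads the markers the linker leaves in a PE file, the CET-compatible bit in the extended DLL characteristics debug entry and the EH continuation flag in the load configuration's GuardFlags. The function names `mitigations` and `sample_pe` are hypothetical, and the sample image is constructed for the demonstration.

```python
import struct

CET_COMPAT = 0x0001          # IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT
EHCONT_PRESENT = 0x00400000  # IMAGE_GUARD_EH_CONTINUATION_TABLE_PRESENT

def mitigations(pe: bytes) -> dict:
    """Report the CET-compatible marker and EHCont metadata flag of a PE image."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                 # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24
    pe64 = struct.unpack_from("<H", pe, opt)[0] == 0x20B       # PE32+ magic
    dirs = opt + (112 if pe64 else 96)                         # data directories
    sections = [struct.unpack_from("<8xIIII", pe, opt + opt_size + 40 * i)
                for i in range(nsec)]

    def offset(rva):  # map an RVA to a file offset through the section table
        for vsize, va, rsize, raw in sections:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError("RVA outside all sections")

    cet = ehcont = False
    rva, size = struct.unpack_from("<II", pe, dirs + 8 * 6)    # debug directory
    for entry in range(0, size if rva else 0, 28):
        kind, _, _, ptr = struct.unpack_from("<IIII", pe, offset(rva) + entry + 12)
        if kind == 20:  # IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS
            cet = bool(struct.unpack_from("<I", pe, ptr)[0] & CET_COMPAT)
    rva, _ = struct.unpack_from("<II", pe, dirs + 8 * 10)      # load config directory
    flags_at = 144 if pe64 else 88                             # GuardFlags offset
    if rva and struct.unpack_from("<I", pe, offset(rva))[0] >= flags_at + 4:
        flags = struct.unpack_from("<I", pe, offset(rva) + flags_at)[0]
        ehcont = bool(flags & EHCONT_PRESENT)
    return {"cet_compat": cet, "guard_ehcont": ehcont}

def sample_pe(cet: bool, ehcont: bool) -> bytes:
    """Constructed minimal PE32+ layout for the demo; not a loadable DLL."""
    img = bytearray(0x400)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                    # e_lfanew
    struct.pack_into("<HH12xH", img, 0x44, 0x8664, 1, 240)     # x64, 1 section
    struct.pack_into("<H", img, 0x58, 0x20B)
    struct.pack_into("<II24xII", img, 0x58 + 160, 0x1000, 28, 0x1040, 148)  # dirs 6, 10
    struct.pack_into("<8sIIII", img, 0x148, b".rdata", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<IIII", img, 0x20C, 20, 4, 0x1020, 0x220)  # debug entry
    struct.pack_into("<I", img, 0x220, CET_COMPAT if cet else 0)
    struct.pack_into("<I140xI", img, 0x240, 148, EHCONT_PRESENT if ehcont else 0)
    return bytes(img)
```

For a real build, pass the bytes of the produced DLL, for example `mitigations(open(path, "rb").read())`.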