https://github.com/python/cpython/commit/9f3d99967c41527a6cf6cb2d63b62d851a637432 commit: 9f3d99967c41527a6cf6cb2d63b62d851a637432 branch: 3.13 author: Miss Islington (bot) <31488909+miss-isling...@users.noreply.github.com> committer: vstinner <vstin...@python.org> date: 2025-06-03T13:54:53Z summary:
[3.13] gh-128605: Add branch protections for x86_64 in asm_trampoline.S (GH-128606) (GH-135077) (#135083) [3.14] gh-128605: Add branch protections for x86_64 in asm_trampoline.S (GH-128606) (GH-135077) Apply Intel Control-flow Technology for x86-64 on asm_trampoline.S. Required for mitigation against return-oriented programming (ROP) and Call or Jump Oriented Programming (COP/JOP) attacks. Manual application is required for the assembly files. See also: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html (cherry picked from commit 899cca6dbf76bf3e06a99f60a5f996ad6ba0761f) Co-authored-by: stratakis <cstra...@redhat.com> files: M Python/asm_trampoline.S M Python/perf_jit_trampoline.c diff --git a/Python/asm_trampoline.S b/Python/asm_trampoline.S index 0a3265dfeee204..616752459ba4d9 100644 --- a/Python/asm_trampoline.S +++ b/Python/asm_trampoline.S @@ -9,6 +9,9 @@ # } _Py_trampoline_func_start: #ifdef __x86_64__ +#if defined(__CET__) && (__CET__ & 1) + endbr64 +#endif sub $8, %rsp call *%rcx add $8, %rsp @@ -34,3 +37,22 @@ _Py_trampoline_func_start: .globl _Py_trampoline_func_end _Py_trampoline_func_end: .section .note.GNU-stack,"",@progbits +# Note for indicating the assembly code supports CET +#if defined(__x86_64__) && defined(__CET__) && (__CET__ & 1) + .section .note.gnu.property,"a" + .align 8 + .long 1f - 0f + .long 4f - 1f + .long 5 +0: + .string "GNU" +1: + .align 8 + .long 0xc0000002 + .long 3f - 2f +2: + .long 0x3 +3: + .align 8 +4: +#endif // __x86_64__ diff --git a/Python/perf_jit_trampoline.c b/Python/perf_jit_trampoline.c index 0a8945958b4b3c..f65b2d487e0c45 100644 --- a/Python/perf_jit_trampoline.c +++ b/Python/perf_jit_trampoline.c @@ -472,6 +472,11 @@ elf_init_ehframe(ELFObjectContext* ctx) DWRF_U8(0); /* Augmentation data. */ /* Registers saved in CFRAME. */ #ifdef __x86_64__ +# if defined(__CET__) && (__CET__ & 1) + DWRF_U8(DWRF_CFA_advance_loc | 8); +# else + DWRF_U8(DWRF_CFA_advance_loc | 4); +# endif DWRF_U8(DWRF_CFA_advance_loc | 4); DWRF_U8(DWRF_CFA_def_cfa_offset); DWRF_UV(16); DWRF_U8(DWRF_CFA_advance_loc | 6); _______________________________________________ Python-checkins mailing list -- python-checkins@python.org To unsubscribe send an email to python-checkins-le...@python.org https://mail.python.org/mailman3//lists/python-checkins.python.org Member address: arch...@mail-archive.com
