https://github.com/python/cpython/commit/aaca85949ae471b568b6beea00b3380e553ccf39 commit: aaca85949ae471b568b6beea00b3380e553ccf39 branch: 3.12 author: stratakis <cstra...@redhat.com> committer: pablogsal <pablog...@gmail.com> date: 2025-07-10T11:22:14+01:00 summary:
[3.12] gh-128605: Add branch protections for x86_64 in asm_trampolineS (#128606) (#135094) [3.12] gh-128605: Add branch protections for x86_64 in asm_trampoline.S (#128606) Apply Intel Control-flow Technology for x86-64 on asm_trampoline.S. Required for mitigation against return-oriented programming (ROP) and Call or Jump Oriented Programming (COP/JOP) attacks. Manual application is required for the assembly files. See also: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html files: M Python/asm_trampoline.S
diff --git a/Python/asm_trampoline.S b/Python/asm_trampoline.S
index 460707717df003..341d0bbe51f344 100644
--- a/Python/asm_trampoline.S
+++ b/Python/asm_trampoline.S
@@ -9,6 +9,9 @@
 # }
 _Py_trampoline_func_start:
 #ifdef __x86_64__
+#if defined(__CET__) && (__CET__ & 1)
+ endbr64
+#endif
 sub $8, %rsp
 call *%rcx
 add $8, %rsp
@@ -26,3 +29,22 @@ _Py_trampoline_func_start:
 .globl _Py_trampoline_func_end
 _Py_trampoline_func_end:
 .section .note.GNU-stack,"",@progbits
+# Note for indicating the assembly code supports CET
+#if defined(__x86_64__) && defined(__CET__) && (__CET__ & 1)
+ .section .note.gnu.property,"a"
+ .align 8
+ .long 1f - 0f
+ .long 4f - 1f
+ .long 5
+0:
+ .string "GNU"
+1:
+ .align 8
+ .long 0xc0000002
+ .long 3f - 2f
+2:
+ .long 0x3
+3:
+ .align 8
+4:
+#endif // __x86_64__
_______________________________________________ Python-checkins mailing list -- python-checkins@python.org To unsubscribe send an email to python-checkins-le...@python.org https://mail.python.org/mailman3//lists/python-checkins.python.org Member address: arch...@mail-archive.com
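Review bot: The `#if defined(__CET__) && (__CET__ & 1)` guard around `endbr64` in the first hunk carries no comment saying what bit 0 selects or why this entry needs a landing pad. A one-line comment above the guard would cover it, for example `# __CET__ bit 0 = IBT: an entry reached through an indirect branch must begin with endbr64` (the trampoline is presumably entered through a function pointer; confirm against the caller). The instruction decodes as a NOP where IBT is not enforced, so the `sub`/`call`/`add` sequence after it is unaffected. The trampoline body continues past the end of this hunk.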
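Review bot: The property note in the second hunk hard-codes the feature word as `.long 0x3` (IBT and shadow stack together) while its guard tests only `__CET__ & 1`, so the advertised features can drift from what the build asked for. With `-fcf-protection=return` (`__CET__ == 2`) no note is emitted at all, and since the linker appears to AND this property across input objects, that would likely clear the shadow-stack marking for the whole output. Deriving both from the macro keeps them in step: guard on `(__CET__ & 3)` and emit `.long (__CET__ & 3)`, assuming the usual IBT=1 / SHSTK=2 bit layout. The literals `5` and `0xc0000002` would also read better with trailing comments naming them (`NT_GNU_PROPERTY_TYPE_0`, `GNU_PROPERTY_X86_FEATURE_1_AND`), and the closing `#endif // __x86_64__` names only part of the condition it closes.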