Apply protection against ROP/JOP attacks for aarch64 on asm_trampoline.S

stratakis · stratakis · commit fe6fb29ecca3 · 2025-03-12T15:23:44.000+01:00
The BTI flag must be applied in assembler sources for this class of attacks to be mitigated on newer aarch64 processors. See also: https://sourceware.org/annobin/annobin.html/Test-branch-protection.html and https://community.arm.com/arm-community-blogs/b/architectures-and-processors-blog/posts/enabling-pac-and-bti-on-aarch64
diff --git a/Python/asm_trampoline.S b/Python/asm_trampoline.S
@@ -20,10 +20,18 @@ _Py_trampoline_func_start:
 #if defined(__aarch64__) && defined(__AARCH64EL__) && !defined(__ILP32__)
     // ARM64 little endian, 64bit ABI
     // generate with aarch64-linux-gnu-gcc 12.1
+#if defined(__ARM_FEATURE_PAC_DEFAULT) && (__ARM_FEATURE_PAC_DEFAULT & 1) == 1 || \
+    defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1
+    hint 25
+#endif
     stp     x29, x30, [sp, -16]!
     mov     x29, sp
     blr     x3
     ldp     x29, x30, [sp], 16
+#if defined(__ARM_FEATURE_PAC_DEFAULT) && (__ARM_FEATURE_PAC_DEFAULT & 1) == 1 || \
+    defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1
+    hint 29
+#endif
     ret
 #endif
 #ifdef __riscv
@@ -55,3 +63,22 @@ _Py_trampoline_func_end:
     .align 8
 4:
 #endif // __x86_64__
+#if defined(__aarch64__) && defined(__AARCH64EL__) && !defined(__ILP32__)
+#if defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1 || \
+  defined(__ARM_FEATURE_PAC_DEFAULT) && (__ARM_FEATURE_PAC_DEFAULT & 1) == 1
+    .pushsection    .note.gnu.property, "a"
+    .align  3
+    .word   2f - 1f
+    .word   4f - 3f
+    .word   5            /* NT_GNU_PROPERTY_TYPE_0 */
+1:  .asciz  "GNU"
+
+2:  .align  3
+3:  .word   0xc0000000   /* type: GNU_PROPERTY_AARCH64_FEATURE_1_AND */
+    .word   6f - 5f      /* size */
+5:  .word   3            /* value: GNU_PROPERTY_AARCH64_FEATURE_1_BTI */
+
+6:  .align  3
+4:  .popsection
+#endif
+#endif
diff --git a/Python/perf_jit_trampoline.c b/Python/perf_jit_trampoline.c
@@ -483,13 +483,21 @@ elf_init_ehframe(ELFObjectContext* ctx)
     /* Extra registers saved for JIT-compiled code. */
 #elif defined(__aarch64__) && defined(__AARCH64EL__) && !defined(__ILP32__)
                  DWRF_U8(DWRF_CFA_advance_loc | 1);
+#if defined(__ARM_FEATURE_PAC_DEFAULT) && (__ARM_FEATURE_PAC_DEFAULT & 1) == 1 || \
+    defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1
+                 DWRF_U8(DWRF_CFA_advance_loc | 1);
+#endif
                  DWRF_U8(DWRF_CFA_def_cfa_offset); DWRF_UV(16);
                  DWRF_U8(DWRF_CFA_offset | 29); DWRF_UV(2);
                  DWRF_U8(DWRF_CFA_offset | 30); DWRF_UV(1);
                  DWRF_U8(DWRF_CFA_advance_loc | 3);
                  DWRF_U8(DWRF_CFA_offset | -(64 - 29));
                  DWRF_U8(DWRF_CFA_offset | -(64 - 30));
                  DWRF_U8(DWRF_CFA_def_cfa_offset);
+#if defined(__ARM_FEATURE_PAC_DEFAULT) && (__ARM_FEATURE_PAC_DEFAULT & 1) == 1 || \
+    defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1
+                 DWRF_U8(DWRF_CFA_advance_loc | 1);
+#endif
                  DWRF_UV(0);
 #else
 #    error "Unsupported target architecture"
