From 8a6e6b4bbd18fbe8ae8e2c4a98645259db2c75b5 Mon Sep 17 00:00:00 2001
From: stratakis <cstratak@redhat.com>
Date: Tue, 3 Jun 2025 15:31:06 +0200
Subject: [PATCH] [3.14] gh-128605: Add branch protections for x86_64 in
 asm_trampoline.S (GH-128606) (GH-135077)

Apply Intel Control-flow Technology for x86-64 on asm_trampoline.S.

Required for mitigation against return-oriented programming (ROP)
and Call or Jump Oriented Programming (COP/JOP) attacks.

Manual application is required for the assembly files.

See also: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
(cherry picked from commit 899cca6dbf76bf3e06a99f60a5f996ad6ba0761f)

Co-authored-by: stratakis <cstratak@redhat.com>
---
 Python/asm_trampoline.S      | 22 ++++++++++++++++++++++
 Python/perf_jit_trampoline.c |  5 +++++
 2 files changed, 27 insertions(+)

diff --git a/Python/asm_trampoline.S b/Python/asm_trampoline.S
index 0a3265dfeee204..616752459ba4d9 100644
--- a/Python/asm_trampoline.S
+++ b/Python/asm_trampoline.S
@@ -9,6 +9,9 @@
 # }
 _Py_trampoline_func_start:
 #ifdef __x86_64__
+#if defined(__CET__) && (__CET__ & 1)
+    endbr64
+#endif
     sub    $8, %rsp
     call    *%rcx
     add    $8, %rsp
@@ -34,3 +37,22 @@ _Py_trampoline_func_start:
     .globl	_Py_trampoline_func_end
 _Py_trampoline_func_end:
     .section        .note.GNU-stack,"",@progbits
+# Note for indicating the assembly code supports CET
+#if defined(__x86_64__) && defined(__CET__) && (__CET__ & 1)
+    .section    .note.gnu.property,"a"
+    .align 8
+    .long    1f - 0f
+    .long    4f - 1f
+    .long    5
+0:
+    .string  "GNU"
+1:
+    .align 8
+    .long    0xc0000002
+    .long    3f - 2f
+2:
+    .long    0x3
+3:
+    .align 8
+4:
+#endif // __x86_64__
diff --git a/Python/perf_jit_trampoline.c b/Python/perf_jit_trampoline.c
index 0a8945958b4b3c..f65b2d487e0c45 100644
--- a/Python/perf_jit_trampoline.c
+++ b/Python/perf_jit_trampoline.c
@@ -472,6 +472,11 @@ elf_init_ehframe(ELFObjectContext* ctx)
                  DWRF_U8(0); /* Augmentation data. */
     /* Registers saved in CFRAME. */
 #ifdef __x86_64__
+#  if defined(__CET__) && (__CET__ & 1)
+                 DWRF_U8(DWRF_CFA_advance_loc | 8);
+#  else
+                 DWRF_U8(DWRF_CFA_advance_loc | 4);
+#  endif
                  DWRF_U8(DWRF_CFA_advance_loc | 4);
                  DWRF_U8(DWRF_CFA_def_cfa_offset); DWRF_UV(16);
                  DWRF_U8(DWRF_CFA_advance_loc | 6);