Skip to content

asm_trampoline.S misses branch protection flags for x86_64 and aarch64 #128605

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
stratakis opened this issue Jan 8, 2025 · 5 comments
Open

asm_trampoline.S misses branch protection flags for x86_64 and aarch64 #128605

stratakis opened this issue Jan 8, 2025 · 5 comments
Labels
interpreter-core (Objects, Python, Grammar, and Parser dirs) type-security A security issue

Comments

@stratakis
Copy link
Contributor

stratakis commented Jan 8, 2025
edited by bedevere-app bot
Loading

Bug report

Bug description:

asm_trampoline.S added here 6d791a9 misses the branch protections offered for the latest x86-64 and aarch64 processors.

For C code the compiler takes care of that however for the assembler files the relevant instructions need to be added manually.

This was discovered by running the annobin-annocheck tool on a Fedora machine:

$ annocheck --hardened libpython3.14.so.1.0

Hardened: libpython3.14.so.1.0: FAIL: cf-protection test because no .note.gnu.property section = no control flow information
Hardened: libpython3.14.so.1.0: FAIL: property-note test because a property note was found but it shows that cf-protection is not enabled

Relevant annobin documentation:
x86_64: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
aarch64: https://sourceware.org/annobin/annobin.html/Test-branch-protection.html

CPython versions tested on:

3.12, 3.13, 3.14, CPython main branch

Operating systems tested on:

Linux

Linked PRs
@stratakis stratakis added the type-bug An unexpected behavior, bug, or error label Jan 8, 2025
@bedevere-app bedevere-app bot mentioned this issue Jan 8, 2025
Merged
@picnixz picnixz added the interpreter-core (Objects, Python, Grammar, and Parser dirs) label Jan 10, 2025
@bedevere-app bedevere-app bot mentioned this issue Mar 5, 2025
Open
vstinner pushed a commit that referenced this issue Jun 3, 2025
@stratakis
gh-128605: Add branch protections for x86_64 in asm_trampoline.S (#12…
485b499 
…8606)

Apply Intel Control-flow Technology for x86-64 on asm_trampoline.S.

Required for mitigation against return-oriented programming (ROP)
and Call or Jump Oriented Programming (COP/JOP) attacks.

Manual application is required for the assembly files.

See also: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
stratakis added a commit to stratakis/cpython that referenced this issue Jun 3, 2025
@stratakis
pythongh-128605: Add branch protections for x86_64 in asm_trampoline.S (
3cf8f4a 
python#128606)

Apply Intel Control-flow Technology for x86-64 on asm_trampoline.S.

Required for mitigation against return-oriented programming (ROP)
and Call or Jump Oriented Programming (COP/JOP) attacks.

Manual application is required for the assembly files.

See also: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
stratakis added a commit to stratakis/cpython that referenced this issue Jun 3, 2025
@stratakis
[3.14] pythongh-128605: Add branch protections for x86_64 in asm_tram…
e4f6f09 
…poline.S (python#128606)

Apply Intel Control-flow Technology for x86-64 on asm_trampoline.S.

Required for mitigation against return-oriented programming (ROP)
and Call or Jump Oriented Programming (COP/JOP) attacks.

Manual application is required for the assembly files.

See also: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
@bedevere-app bedevere-app bot mentioned this issue Jun 3, 2025
Merged
vstinner pushed a commit that referenced this issue Jun 3, 2025
@stratakis
[3.14] gh-128605: Add branch protections for x86_64 in asm_trampoline…
899cca6 
….S (#128606) (#135077)

Apply Intel Control-flow Technology for x86-64 on asm_trampoline.S.

Required for mitigation against return-oriented programming (ROP)
and Call or Jump Oriented Programming (COP/JOP) attacks.

Manual application is required for the assembly files.

See also: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Jun 3, 2025
@stratakis @miss-islington
[3.14] pythongh-128605: Add branch protections for x86_64 in asm_tram…
8a6e6b4 
…poline.S (pythonGH-128606) (pythonGH-135077)

Apply Intel Control-flow Technology for x86-64 on asm_trampoline.S.

Required for mitigation against return-oriented programming (ROP)
and Call or Jump Oriented Programming (COP/JOP) attacks.

Manual application is required for the assembly files.

See also: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
(cherry picked from commit 899cca6)

Co-authored-by: stratakis <cstratak@redhat.com>
@bedevere-app bedevere-app bot mentioned this issue Jun 3, 2025
Merged
vstinner pushed a commit that referenced this issue Jun 3, 2025
@miss-islington @stratakis
[3.13] gh-128605: Add branch protections for x86_64 in asm_trampoline…
9f3d999 
….S (GH-128606) (GH-135077) (#135083)

[3.14] gh-128605: Add branch protections for x86_64 in asm_trampoline.S (GH-128606) (GH-135077)

Apply Intel Control-flow Technology for x86-64 on asm_trampoline.S.

Required for mitigation against return-oriented programming (ROP)
and Call or Jump Oriented Programming (COP/JOP) attacks.

Manual application is required for the assembly files.

See also: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
(cherry picked from commit 899cca6)

Co-authored-by: stratakis <cstratak@redhat.com>
stratakis added a commit to stratakis/cpython that referenced this issue Jun 3, 2025
@stratakis
[3.12] pythongh-128605: Add branch protections for x86_64 in asm_tram…
ec66179 
…poline.S (python#128606)

Apply Intel Control-flow Technology for x86-64 on asm_trampoline.S.

Required for mitigation against return-oriented programming (ROP)
and Call or Jump Oriented Programming (COP/JOP) attacks.

Manual application is required for the assembly files.

See also: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
@bedevere-app bedevere-app bot mentioned this issue Jun 3, 2025
Open
@encukou
Copy link
Member

encukou commented Jun 4, 2025

It looks like the backports broke buildbots,see for example:

@stratakis
Copy link
Contributor Author

Isn't it the same failure as #131038 ?

@ZeroIntensity ZeroIntensity added type-security A security issue and removed type-bug An unexpected behavior, bug, or error labels Jun 5, 2025
encukou added a commit to encukou/cpython that referenced this issue Jun 5, 2025
@encukou
Revert "[3.14] pythongh-128605: Add branch protections for x86_64 in …
3577065 
…asm_trampoline.S (python#128606) (python#135077)"

This reverts commit 899cca6,
which broke buildbots.
@bedevere-app bedevere-app bot mentioned this issue Jun 5, 2025
Merged
@encukou
Copy link
Member

encukou commented Jun 5, 2025

Maybe!
This one always fails though, and for Tier 1 platforms, the policy is to revert and then investigate (unless we have a quick fix). Keeping the buildbots green allows them to catch other bugs.

encukou added a commit that referenced this issue Jun 6, 2025
@encukou
[3.14] gh-128605: Revert "Add branch protections for x86_64 in asm_tr…
b477e21 
……ampoline.S (#128606) (#135077)" (GH-135175)

This reverts commit 899cca6,
which broke buildbots.
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Jun 6, 2025
@encukou @miss-islington
[3.14] pythongh-128605: Revert "Add branch protections for x86_64 in …
e1273d6 
…asm_tr…ampoline.S (pythonGH-128606) (pythonGH-135077)" (pythonGH-135175)

This reverts commit 899cca6,
which broke buildbots.
(cherry picked from commit b477e21)

Co-authored-by: Petr Viktorin <encukou@gmail.com>
@bedevere-app bedevere-app bot mentioned this issue Jun 6, 2025
Merged
encukou added a commit that referenced this issue Jun 6, 2025
@miss-islington @encukou
[3.13] gh-128605: Revert "Add branch protections for x86_64 in asm_tr…
f9c18ba 
……ampoline.S (GH-128606) (GH-135077)" (GH-135175) (GH-135203)

[3.14] gh-128605: Revert "Add branch protections for x86_64 in asm_tr…ampoline.S (GH-128606) (GH-135077)" (GH-135175)

This reverts commit 899cca6,
which broke buildbots.
(cherry picked from commit b477e21)

Co-authored-by: Petr Viktorin <encukou@gmail.com>
@stratakis
Copy link
Contributor Author

It looks that this commit fixes it 7b1a700. Not sure why though.

@zware
Copy link
Member

zware commented Jun 9, 2025

Not sure why though.

The addition of #include <elf.h> (and what looks like removal of manually copied constants?) and changes to GetElfMachineArchitecture look most interesting to my quick look through the diff.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
interpreter-core (Objects, Python, Grammar, and Parser dirs) type-security A security issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@encukou @zware @picnixz @stratakis @ZeroIntensity