
[3.12] gh-128605: Add branch protections for x86_64 in asm_trampoline.S (#128606) #135094

Open
wants to merge 1 commit into
base: 3.12
stratakis
Contributor

@stratakis stratakis commented Jun 3, 2025

Apply Intel Control-flow Technology for x86-64 on asm_trampoline.S.

Required for mitigation against return-oriented programming (ROP) and Call or Jump Oriented Programming (COP/JOP) attacks.

Manual application is required for the assembly files.

See also: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html

…poline.S (python#128606)

Apply Intel Control-flow Technology for x86-64 on asm_trampoline.S.

Required for mitigation against return-oriented programming (ROP)
and Call or Jump Oriented Programming (COP/JOP) attacks.

Manual application is required for the assembly files.

See also: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
Member

@vstinner vstinner left a comment

LGTM

@encukou
Member

encukou commented Jun 4, 2025

It looks like the 3.14 & 3.13 backports broke buildbots; please don't merge until that's investigated.

@ZeroIntensity
Member

Wait, why is this being backported to 3.12?

@vstinner
Member

vstinner commented Jun 5, 2025

> Wait, why is this being backported to 3.12?

It's a security fix to harden Python binary.

@ZeroIntensity ZeroIntensity added the type-security A security issue label Jun 5, 2025
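
The PR description says the CET marking has to be applied by hand to assembly files. As an added example (not code from this PR or from CPython), the sketch below parses the `.note.gnu.property` section that records IBT/SHSTK compatibility and models the default link-time merge, where one unmarked object clears the bits for the whole binary. The function names and the sample notes are constructed for illustration.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
IBT, SHSTK = 0x1, 0x2  # indirect branch tracking, shadow stack

def x86_feature_1(note: bytes) -> int:
    """FEATURE_1_AND bits from an ELF64 .note.gnu.property section (0 if absent)."""
    off = 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        name_off = off + 12
        desc_off = name_off + ((namesz + 3) & ~3)
        desc = note[desc_off:desc_off + descsz]
        is_gnu = note[name_off:name_off + namesz] == b"GNU\0"
        p = 0
        while is_gnu and ntype == NT_GNU_PROPERTY_TYPE_0 and p + 12 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz >= 4:
                return struct.unpack_from("<I", desc, p + 8)[0]
            p += 8 + ((pr_datasz + 7) & ~7)  # properties are 8-byte aligned
        off = desc_off + ((descsz + 7) & ~7)
    return 0

def linked_features(object_notes) -> int:
    """Model the merge: a bit survives only if every input object sets it."""
    bits = IBT | SHSTK
    for note in object_notes:
        bits &= x86_feature_1(note)
    return bits

def describe(bits: int) -> list:
    return [name for name, bit in (("IBT", IBT), ("SHSTK", SHSTK)) if bits & bit]

def make_note(bits: int) -> bytes:
    """Build a constructed sample note carrying the given feature bits."""
    prop = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, bits) + b"\0" * 4
    return struct.pack("<III", 4, len(prop), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + prop

if __name__ == "__main__":
    c_obj = make_note(IBT | SHSTK)   # constructed: object built with CET marking
    asm_unmarked = b""               # constructed: assembly object with no note
    print("all marked:   ", describe(linked_features([c_obj, c_obj])))
    print("one unmarked: ", describe(linked_features([c_obj, asm_unmarked])))
```

On a real build, `readelf -n` on the linked binary shows the same property, which is what a cf-protection check inspects.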