Description
Bug report
Bug description:
asm_trampoline.S added here 6d791a9 misses the branch protections offered for the latest x86-64 and aarch64 processors.
For C code the compiler takes care of that; however, for the assembler files the relevant instructions need to be added manually.
This was discovered by running the annobin-annocheck tool on a Fedora machine:
```
$ annocheck --hardened libpython3.14.so.1.0
Hardened: libpython3.14.so.1.0: FAIL: cf-protection test because no .note.gnu.property section = no control flow information
Hardened: libpython3.14.so.1.0: FAIL: property-note test because a property note was found but it shows that cf-protection is not enabled
```
Relevant annobin documentation:
x86_64: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
aarch64: https://sourceware.org/annobin/annobin.html/Test-branch-protection.html
CPython versions tested on:
3.12, 3.13, 3.14, CPython main branch
Operating systems tested on:
Linux
Linked PRs
- gh-128605: Add branch protections for x86_64 in asm_trampoline.S #128606
- [DRAFT] gh-128605: Add branch protections for aarch64 in asm_trampoline.S #130864
- [3.14] gh-128605: Add branch protections for x86_64 in asm_trampoline.S (#128606) #135077
- [3.13] gh-128605: Add branch protections for x86_64 in asm_trampoline.S (GH-128606) (GH-135077) #135083
- [3.12] gh-128605: Add branch protections for x86_64 in asm_trampolineS (#128606) #135094
- [3.14] gh-128605: Revert "Add branch protections for x86_64 in asm_tr…ampoline.S (#128606) (#135077)" #135175
- [3.13] gh-128605: Revert "Add branch protections for x86_64 in asm_tr…ampoline.S (GH-128606) (GH-135077)" (GH-135175) #135203
- [3.14] gh-128605: Add branch protections for x86_64 in asm_trampoline.S (#128606) #135345
- [3.13] gh-128605: Add branch protections for x86_64 in asm_trampoline.S (#128606) #135353
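
An added example, not part of the issue or of CPython's code: a parser for the `.note.gnu.property` data that the annocheck messages above refer to, reporting which of IBT/SHSTK (x86-64) or BTI/PAC (aarch64) an ELF64 little-endian file declares. These are `FEATURE_1_AND` properties, so the linker keeps a bit only when every input object sets it, which is why one unmarked assembly file affects the whole library. The function names and the sample note are constructed for illustration.

```python
import struct

NT_GNU_PROPERTY_TYPE_0, SHT_NOTE = 5, 7
# (e_machine, pr_type) -> bits of GNU_PROPERTY_{X86,AARCH64}_FEATURE_1_AND
FEATURE_1_AND = {
    (62, 0xC0000002): {1: "IBT", 2: "SHSTK"},  # EM_X86_64
    (183, 0xC0000000): {1: "BTI", 2: "PAC"},   # EM_AARCH64
}

def pad(n, a):  # round n up to a multiple of a (a power of two)
    return (n + a - 1) & ~(a - 1)

def note_features(note, machine, align=8):
    """Feature names declared by the GNU property notes in one note section."""
    found, off = set(), 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        is_gnu = note[off + 12:off + 12 + namesz] == b"GNU\0"
        desc_off = pad(off + 12 + namesz, align)
        desc = note[desc_off:desc_off + descsz]
        off = pad(desc_off + descsz, align)
        p = 0
        while is_gnu and ntype == NT_GNU_PROPERTY_TYPE_0 and p + 12 <= len(desc):
            pr_type, pr_datasz, mask = struct.unpack_from("<III", desc, p)
            bits = FEATURE_1_AND.get((machine, pr_type), {})
            if pr_datasz >= 4:
                found |= {name for bit, name in bits.items() if mask & bit}
            p += 8 + pad(pr_datasz, 8)  # ELF64 properties are 8-byte aligned
    return found

def elf_features(data):
    """Union of note_features() over every SHT_NOTE section of an ELF64 LE image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("only ELF64 little-endian images are handled")
    (machine,) = struct.unpack_from("<H", data, 18)
    (shoff,) = struct.unpack_from("<Q", data, 40)
    shentsize, shnum = struct.unpack_from("<HH", data, 58)
    found = set()
    for i in range(shnum):
        base = shoff + i * shentsize
        (sh_type,) = struct.unpack_from("<I", data, base + 4)
        sh_offset, sh_size = struct.unpack_from("<QQ", data, base + 24)
        (sh_align,) = struct.unpack_from("<Q", data, base + 48)
        if sh_type == SHT_NOTE:
            section = data[sh_offset:sh_offset + sh_size]
            found |= note_features(section, machine, 8 if sh_align == 8 else 4)
    return found

# Constructed sample: one GNU property note with IBT and SHSTK set (x86-64).
SAMPLE_NOTE = struct.pack("<III4sIII4x", 4, 16, 5, b"GNU\0", 0xC0000002, 4, 3)
```

Calling `elf_features(open(path, "rb").read())` on a shared library returns an empty set both when the property note is absent and when it is present with the bits cleared, the two conditions annocheck reports above.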