
[3.12] gh-128605: Add branch protections for x86_64 in asm_trampolineS (#128606) #135094


Open. Wants to merge 1 commit into base: 3.12

Conversation

stratakis
Contributor

@stratakis stratakis commented Jun 3, 2025

Apply Intel Control-flow Technology for x86-64 on asm_trampoline.S.

Required for mitigation against return-oriented programming (ROP) and Call or Jump Oriented Programming (COP/JOP) attacks.

Manual application is required for the assembly files.

See also: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html

…poline.S (python#128606)

Apply Intel Control-flow Technology for x86-64 on asm_trampoline.S.

Required for mitigation against return-oriented programming (ROP)
and Call or Jump Oriented Programming (COP/JOP) attacks.

Manual application is required for the assembly files.

See also: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
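For readers who have not applied CET markers to assembly by hand, here is what the change described above amounts to and how to verify it. A compiler invoked with `-fcf-protection` emits `endbr64` at function entries and a `.note.gnu.property` section automatically, but a hand-written `.S` file gets neither, and the linker only marks the final binary as IBT/SHSTK-capable when every input object carries the property; one unmarked object silently drops the protection for the whole executable. The block below is an added illustration, not the PR's diff (which this page does not show) and not CPython code. The assembler fragment in the leading comment follows the generic GNU as pattern for a property note and is an assumption about the shape of such a change; the symbol name `example_trampoline` is a placeholder. The C functions parse an ELF64 `.note.gnu.property` section and report the `GNU_PROPERTY_X86_FEATURE_1_AND` bits, which is the same information `readelf -n` prints as "x86 feature: IBT, SHSTK"; the two byte arrays are constructed sample notes, one with the bits set and one without.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants from the GNU property note ABI (same names as in elf.h). */
#define NT_GNU_PROPERTY_TYPE_0            5
#define GNU_PROPERTY_X86_FEATURE_1_AND    0xc0000002u
#define GNU_PROPERTY_X86_FEATURE_1_IBT    0x1u
#define GNU_PROPERTY_X86_FEATURE_1_SHSTK  0x2u

/*
 * Shape of the manual CET application to a hand-written x86-64 .S file
 * (generic GNU as pattern, assumed; not the PR's actual diff):
 *
 *         .text
 *         .globl example_trampoline       # placeholder symbol name
 *     example_trampoline:
 *         endbr64                         # IBT: valid target for indirect call/jmp
 *         ...                             # body unchanged
 *
 *         .section .note.gnu.property,"a"
 *         .p2align 3
 *         .long 1f - 0f                   # n_namesz
 *         .long 4f - 1f                   # n_descsz
 *         .long 5                         # NT_GNU_PROPERTY_TYPE_0
 *     0:  .string "GNU"
 *     1:  .p2align 3
 *         .long 0xc0000002                # GNU_PROPERTY_X86_FEATURE_1_AND
 *         .long 3f - 2f                   # pr_datasz
 *     2:  .long 0x3                       # IBT | SHSTK
 *     3:  .p2align 3
 *     4:
 */

/* Little-endian 32-bit read from a byte buffer. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk an ELF64 .note.gnu.property section and return the
 * GNU_PROPERTY_X86_FEATURE_1_AND bitmask, or 0 if it is absent or the
 * section is malformed/truncated. ELF64 property notes align the
 * descriptor and each property inside it to 8 bytes. */
uint32_t x86_feature_1_and(const uint8_t *sec, size_t len) {
    size_t off = 0;
    while (off + 12 <= len) {
        uint32_t namesz = rd32(sec + off);
        uint32_t descsz = rd32(sec + off + 4);
        uint32_t type   = rd32(sec + off + 8);
        size_t name_off = off + 12;
        size_t desc_off = (name_off + namesz + 7) & ~(size_t)7;
        if (desc_off > len || descsz > len - desc_off)
            return 0;                         /* truncated note */
        if (type == NT_GNU_PROPERTY_TYPE_0 && namesz == 4 &&
            memcmp(sec + name_off, "GNU", 4) == 0) {
            size_t p = desc_off, end = desc_off + descsz;
            while (p + 8 <= end) {
                uint32_t pr_type   = rd32(sec + p);
                uint32_t pr_datasz = rd32(sec + p + 4);
                if (pr_datasz > end - (p + 8))
                    return 0;                 /* property overruns descriptor */
                if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND && pr_datasz == 4)
                    return rd32(sec + p + 8);
                p = (p + 8 + pr_datasz + 7) & ~(size_t)7;
            }
        }
        off = (desc_off + descsz + 7) & ~(size_t)7;
    }
    return 0;
}

/* 1 when the object is marked for both IBT and SHSTK, else 0. */
int has_cet(const uint8_t *sec, size_t len) {
    const uint32_t want = GNU_PROPERTY_X86_FEATURE_1_IBT | GNU_PROPERTY_X86_FEATURE_1_SHSTK;
    return (x86_feature_1_and(sec, len) & want) == want;
}

/* Constructed sample: exactly what the assembler fragment above produces. */
const uint8_t CET_NOTE[32] = {
    0x04, 0x00, 0x00, 0x00,   /* n_namesz = 4            */
    0x10, 0x00, 0x00, 0x00,   /* n_descsz = 16           */
    0x05, 0x00, 0x00, 0x00,   /* NT_GNU_PROPERTY_TYPE_0  */
    'G', 'N', 'U', 0x00,      /* name                    */
    0x02, 0x00, 0x00, 0xc0,   /* X86_FEATURE_1_AND       */
    0x04, 0x00, 0x00, 0x00,   /* pr_datasz = 4           */
    0x03, 0x00, 0x00, 0x00,   /* IBT | SHSTK             */
    0x00, 0x00, 0x00, 0x00,   /* pad to 8                */
};

/* Constructed sample: same note shape but with no feature bits set. */
const uint8_t NO_CET_NOTE[32] = {
    0x04, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
    'G', 'N', 'U', 0x00, 0x02, 0x00, 0x00, 0xc0, 0x04, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

int main(void) {
    printf("CET_NOTE:    feature_1_and=0x%x, CET %s\n",
           x86_feature_1_and(CET_NOTE, sizeof CET_NOTE),
           has_cet(CET_NOTE, sizeof CET_NOTE) ? "marked" : "missing");
    printf("NO_CET_NOTE: feature_1_and=0x%x, CET %s\n",
           x86_feature_1_and(NO_CET_NOTE, sizeof NO_CET_NOTE),
           has_cet(NO_CET_NOTE, sizeof NO_CET_NOTE) ? "marked" : "missing");
    return 0;
}
```

On a real build, the equivalent check is `readelf -n` on each object and on the linked `python` binary: because the linker ANDs the feature bits across all inputs and treats an object without the note as having none, the final executable only shows "x86 feature: IBT, SHSTK" when every `.o`, including those assembled from `.S` files, carries the marker.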
Member

@vstinner vstinner left a comment


LGTM

@encukou
Member

encukou commented Jun 4, 2025

It looks like the 3.14 & 3.13 backports broke buildbots; please don't merge until that's investigated.

@ZeroIntensity
Member

Wait, why is this being backported to 3.12?

@vstinner
Member

vstinner commented Jun 5, 2025

> Wait, why is this being backported to 3.12?

It's a security fix to harden the Python binary.

@ZeroIntensity ZeroIntensity added the type-security A security issue label Jun 5, 2025
@vstinner
Member

!buildbot AMD64 Fedora Stable

@bedevere-bot

🤖 New build scheduled with the buildbot fleet by @vstinner for commit ec66179 🤖

Results will be shown at:

https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F135094%2Fmerge

The command will test the builders whose names match following regular expression: AMD64 Fedora Stable

The builders matched are:

  • AMD64 Fedora Stable Refleaks PR
  • AMD64 Fedora Stable Clang Installed PR
  • AMD64 Fedora Stable LTO PR
  • AMD64 Fedora Stable PR
  • AMD64 Fedora Stable LTO + PGO PR
  • AMD64 Fedora Stable Clang PR


@vstinner
Member

@encukou: I removed the DO-NOT-MERGE label since the change was merged (again) in 3.13 and 3.14 branches without breaking the buildbots. Moreover, I ran the buildbots on this PR and they pass successfully.

@encukou encukou added the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Jun 13, 2025
@bedevere-bot

🤖 New build scheduled with the buildbot fleet by @encukou for commit ec66179 🤖

Results will be shown at:

https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F135094%2Fmerge

If you want to schedule another build, you need to add the 🔨 test-with-buildbots label again.

@bedevere-bot bedevere-bot removed the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Jun 13, 2025
@encukou
Member

encukou commented Jun 13, 2025

Thanks!
To me it looks more like a security feature than a fix, but that's for the RM to decide :)

@vstinner
Member

There are many buildbot failures, but all of them are unrelated.

buildbot/aarch64 Android PR
buildbot/AMD64 Android PR

Unrelated: FileNotFoundError: [Errno 2] No such file or directory: b'Android/android.py'

buildbot/aarch64 Ubuntu 22.04 BigMem PR
buildbot/AMD64 Windows11 Bigmem PR

Unrelated: regrtest.py: error: unrecognized arguments: --prioritize=test_bigmem,test_lzma,test_bz2,test_re,test_array

buildbot/AMD64 Windows PGO NoGIL PR
buildbot/AMD64 Windows Server 2022 NoGIL PR

Unrelated: MSBUILD : error MSB1001: Unknown switch. with Switch: --disable-gil

buildbot/ARM64 MacOS M1 Refleaks NoGIL PR

Unrelated: test_socket leaked [20, 20, 20] file descriptors, sum=60

buildbot/ARM64 Raspbian PR

Unrelated encodings/Unicode errors.

4 tests failed: test_httpservers test_pathlib test_urllib test_zipfile

Example: UnicodeEncodeError: 'latin-1' codec can't encode character '\ufffd' in position 112: ordinal not in range(256)
Example: FileNotFoundError: [Errno 2] No such file or directory: '@test_1628940_tmpæ'.

buildbot/ARM64 Windows Non-Debug PR

Unrelated: test_recursive_pickle (test.test_functools.TestPartialC.test_recursive_pickle) ... Windows fatal exception: stack overflow

buildbot/iOS ARM64 Simulator PR

Unrelated: Invalid configuration 'arm64-apple-ios-simulator': Kernel 'ios' not known to work with OS 'simulator'.

buildbot/wasm32-wasi PR

Unrelated: python3: can't open file '/home/buildbot/buildarea/pull_request.bcannon-wasi.wasi.debug/build/Tools/wasm/wasi.py': [Errno 2] No such file or directory

@vstinner
Member

> To me it looks more like a security feature than a fix, but that's for the RM to decide :)

It's a regression compared to Python 3.11.
