[3.12] gh-128605: Add branch protections for x86_64 in asm_trampolineS (#128606) by stratakis · Pull Request #135094 · python/cpython

stratakis · 2025-06-03T14:43:42Z

Apply Intel Control-flow Technology for x86-64 on asm_trampoline.S.

Required for mitigation against return-oriented programming (ROP) and Call or Jump Oriented Programming (COP/JOP) attacks.

Manual application is required for the assembly files.

See also: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html

Issue: asm_trampoline.S misses branch protection flags for x86_64 #128605

…poline.S (python#128606) Apply Intel Control-flow Technology for x86-64 on asm_trampoline.S. Required for mitigation against return-oriented programming (ROP) and Call or Jump Oriented Programming (COP/JOP) attacks. Manual application is required for the assembly files. See also: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html

vstinner

LGTM

encukou · 2025-06-04T07:42:38Z

It looks like the 3.14 & 3.13 backports broke buildbots; please don't merge until that's investigated.

ZeroIntensity · 2025-06-05T09:34:52Z

Wait, why is this being backported to 3.12?

vstinner · 2025-06-05T10:34:16Z

Wait, why is this being backported to 3.12?

It's a securiy fix to harden Python binary.

vstinner · 2025-06-11T12:16:57Z

!buildbot AMD64 Fedora Stable

bedevere-bot · 2025-06-11T12:17:00Z

🤖 New build scheduled with the buildbot fleet by @vstinner for commit ec66179 🤖

Results will be shown at:

https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F135094%2Fmerge

The command will test the builders whose names match following regular expression: AMD64 Fedora Stable

The builders matched are:

AMD64 Fedora Stable Refleaks PR
AMD64 Fedora Stable Clang Installed PR
AMD64 Fedora Stable LTO PR
AMD64 Fedora Stable PR
AMD64 Fedora Stable LTO + PGO PR
AMD64 Fedora Stable Clang PR

vstinner · 2025-06-11T15:22:44Z

!buildbot AMD64 Fedora Stable

bedevere-bot · 2025-06-11T15:22:46Z

🤖 New build scheduled with the buildbot fleet by @vstinner for commit ec66179 🤖

Results will be shown at:

https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F135094%2Fmerge

The command will test the builders whose names match following regular expression: AMD64 Fedora Stable

The builders matched are:

AMD64 Fedora Stable Refleaks PR
AMD64 Fedora Stable Clang Installed PR
AMD64 Fedora Stable LTO PR
AMD64 Fedora Stable PR
AMD64 Fedora Stable LTO + PGO PR
AMD64 Fedora Stable Clang PR

vstinner · 2025-06-12T16:23:20Z

@encukou: I removed the DO-NOT-MERGE label since the change was merged (again) in 3.13 and 3.14 branches without breaking the buildbots. Moreover, I ran the buildbots on this PR and they pass successfully.

bedevere-bot · 2025-06-13T06:57:25Z

🤖 New build scheduled with the buildbot fleet by @encukou for commit ec66179 🤖

Results will be shown at:

https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F135094%2Fmerge

If you want to schedule another build, you need to add the 🔨 test-with-buildbots label again.

encukou · 2025-06-13T06:58:13Z

Thanks!
To me it looks more like a security feature than a fix, but, that's for the RM to decide :)

vstinner · 2025-06-13T11:46:32Z

There are many buildbot failures, but all of them are unrelated.

buildbot/aarch64 Android PR
buildbot/AMD64 Android PR

Unrelated: FileNotFoundError: [Errno 2] No such file or directory: b'Android/android.py'

buildbot/aarch64 Ubuntu 22.04 BigMem PR
buildbot/AMD64 Windows11 Bigmem PR

Unrelated: regrtest.py: error: unrecognized arguments: --prioritize=test_bigmem,test_lzma,test_bz2,test_re,test_array

buildbot/AMD64 Windows PGO NoGIL PR
buildbot/AMD64 Windows Server 2022 NoGIL PR

Unrelated: MSBUILD : error MSB1001: Unknown switch. with Switch: --disable-gil

buildbot/ARM64 MacOS M1 Refleaks NoGIL PR

Unrelated: test_socket leaked [20, 20, 20] file descriptors, sum=60

buildbot/ARM64 Raspbian PR

Unrelated encodings/Unicode errors.

4 tests failed: test_httpservers test_pathlib test_urllib test_zipfile

Example: UnicodeEncodeError: 'latin-1' codec can't encode character '\ufffd' in position 112: ordinal not in range(256)
Example: FileNotFoundError: [Errno 2] No such file or directory: '@test_1628940_tmpÃ¦'.

buildbot/ARM64 Windows Non-Debug PR

Unrelated: test_recursive_pickle (test.test_functools.TestPartialC.test_recursive_pickle) ... Windows fatal exception: stack overflow

buildbot/iOS ARM64 Simulator PR

Unrelated: Invalid configuration 'arm64-apple-ios-simulator': Kernel 'ios' not known to work with OS 'simulator'.

buildbot/wasm32-wasi PR

Unrelated: python3: can't open file '/home/buildbot/buildarea/pull_request.bcannon-wasi.wasi.debug/build/Tools/wasm/wasi.py': [Errno 2] No such file or directory

vstinner · 2025-06-13T11:49:26Z

To me it looks more like a security feature than a fix, but, that's for the RM to decide :)

It's a regression compared to Python 3.11.

vstinner · 2025-07-10T11:13:16Z

Thanks for the merge @pablogsal.

bedevere-app Bot added the awaiting review label Jun 3, 2025

bedevere-app Bot mentioned this pull request Jun 3, 2025

gh-128605: Add branch protections for x86_64 in asm_trampoline.S #128606

Merged

bedevere-app Bot added the skip news label Jun 3, 2025

bedevere-app Bot mentioned this pull request Jun 3, 2025

asm_trampoline.S misses branch protection flags for x86_64 #128605

Closed

vstinner approved these changes Jun 3, 2025

View reviewed changes

bedevere-app Bot added awaiting merge and removed awaiting review labels Jun 3, 2025

encukou added the DO-NOT-MERGE label Jun 4, 2025

ZeroIntensity added the type-security A security issue label Jun 5, 2025

vstinner removed the DO-NOT-MERGE label Jun 12, 2025

encukou added the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Jun 13, 2025

bedevere-bot removed the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Jun 13, 2025

pablogsal merged commit aaca859 into python:3.12 Jul 10, 2025
104 of 117 checks passed

bedevere-app Bot removed the awaiting merge label Jul 10, 2025

encukou mentioned this pull request Aug 15, 2025

[3.14] gh-128605: Add branch protections for x86_64 in asm_trampoline.S (#128606) #135077

Merged

Uh oh!

Conversation

stratakis commented Jun 3, 2025 • edited by bedevere-app Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

vstinner left a comment

Choose a reason for hiding this comment

Uh oh!

encukou commented Jun 4, 2025

Uh oh!

ZeroIntensity commented Jun 5, 2025

Uh oh!

vstinner commented Jun 5, 2025

Uh oh!

vstinner commented Jun 11, 2025

Uh oh!

bedevere-bot commented Jun 11, 2025

Uh oh!

vstinner commented Jun 11, 2025

Uh oh!

bedevere-bot commented Jun 11, 2025

Uh oh!

vstinner commented Jun 12, 2025

Uh oh!

bedevere-bot commented Jun 13, 2025

Uh oh!

encukou commented Jun 13, 2025

Uh oh!

vstinner commented Jun 13, 2025

Uh oh!

vstinner commented Jun 13, 2025

Uh oh!

Uh oh!

vstinner commented Jul 10, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

stratakis commented Jun 3, 2025 •

edited by bedevere-app Bot

Loading