Skip to content

asm_trampoline.S misses branch protection flags for x86_64 and aarch64 #128605

New issue
Jump to bottom
New issue
Jump to bottom
Open
Open
asm_trampoline.S misses branch protection flags for x86_64 and aarch64#128605
Labels
interpreter-core(Objects, Python, Grammar, and Parser dirs)type-bugAn unexpected behavior, bug, or error
@stratakis

Description

@stratakis
stratakis
opened on Jan 8, 2025

Bug report

Bug description:

asm_trampoline.S added here 6d791a9 misses the branch protections offered for the latest x86-64 and aarch64 processors.

For C code the compiler takes care of that however for the assembler files the relevant instructions need to be added manually.

This was discovered by running the annobin-annocheck tool on a Fedora machine:

$ annocheck --hardened libpython3.14.so.1.0

Hardened: libpython3.14.so.1.0: FAIL: cf-protection test because no .note.gnu.property section = no control flow information
Hardened: libpython3.14.so.1.0: FAIL: property-note test because a property note was found but it shows that cf-protection is not enabled

Relevant annobin documentation:
x86_64: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
aarch64: https://sourceware.org/annobin/annobin.html/Test-branch-protection.html

CPython versions tested on:

3.12, 3.13, 3.14, CPython main branch

Operating systems tested on:

Linux

Linked PRs

Metadata

Assignees

No one assigned

    Labels

    interpreter-core(Objects, Python, Grammar, and Parser dirs)type-bugAn unexpected behavior, bug, or error

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions