[3.14] gh-128605: Add branch protections for x86_64 in asm_trampoline.S (#128606) (#135077)

Apply Intel Control-flow Technology for x86-64 on asm_trampoline.S. Required for mitigation against return-oriented programming (ROP) and Call or Jump Oriented Programming (COP/JOP) attacks. Manual application is required for the assembly files. See also: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
2025-07-24 11:44:31 +00:00 · 2025-06-03 15:31:06 +02:00 · 2025-06-03 15:31:06 +02:00 · 899cca6dbf
commit 899cca6dbf
parent 89df01bd27
2 changed files with 27 additions and 0 deletions
--- a/Python/perf_jit_trampoline.c
+++ b/Python/perf_jit_trampoline.c
@ -473,6 +473,11 @@ elf_init_ehframe(ELFObjectContext* ctx)
                 DWRF_U8(0); /* Augmentation data. */
    /* Registers saved in CFRAME. */
 #ifdef __x86_64__
+#  if defined(__CET__) && (__CET__ & 1)
+                 DWRF_U8(DWRF_CFA_advance_loc | 8);
+#  else
+                 DWRF_U8(DWRF_CFA_advance_loc | 4);
+#  endif
                 DWRF_U8(DWRF_CFA_advance_loc | 4);
                 DWRF_U8(DWRF_CFA_def_cfa_offset); DWRF_UV(16);
                 DWRF_U8(DWRF_CFA_advance_loc | 6);