[3.13] gh-139808: Add branch protections for aarch64 in asm_trampoline.S (GH-130864) (GH-150189) by miss-islington · Pull Request #150194 · python/cpython

miss-islington · 2026-05-21T16:42:09Z

gh-139808: Add branch protections for aarch64 in asm_trampoline.S (GH-130864)

Apply protection against ROP/JOP attacks for aarch64 on asm_trampoline.S.

The BTI flag must be applied in assembler sources for this class
of attacks to be mitigated on newer aarch64 processors.

See also:
https://sourceware.org/annobin/annobin.html/Test-branch-protection.html
and
https://community.arm.com/arm-community-blogs/b/architectures-and-processors-blog/posts/enabling-pac-and-bti-on-aarch64

The 3.14 backport makes Python/jit_unwind.c changes in
Python/perf_jit_trampoline.c.

(cherry picked from commit da8477b)
(cherry picked from commit c863e96)

Co-authored-by: Victor Stinner vstinner@python.org
Co-authored-by: stratakis cstratak@redhat.com

…mpoline.S (pythonGH-130864) (pythonGH-150189) pythongh-139808: Add branch protections for aarch64 in asm_trampoline.S (pythonGH-130864) Apply protection against ROP/JOP attacks for aarch64 on asm_trampoline.S. The BTI flag must be applied in assembler sources for this class of attacks to be mitigated on newer aarch64 processors. See also: https://sourceware.org/annobin/annobin.html/Test-branch-protection.html and https://community.arm.com/arm-community-blogs/b/architectures-and-processors-blog/posts/enabling-pac-and-bti-on-aarch64 The 3.14 backport makes Python/jit_unwind.c changes in Python/perf_jit_trampoline.c. (cherry picked from commit da8477b) (cherry picked from commit c863e96) Co-authored-by: Victor Stinner <vstinner@python.org> Co-authored-by: stratakis <cstratak@redhat.com>

read-the-docs-community · 2026-05-21T16:56:45Z

Documentation build overview

📚 cpython-previews | 🛠️ Build #32797532 | 📁 Comparing 5983345 against main (32104a1)

🔍 Preview build

454 files changed · ± 416 modified · - 38 deleted

± Modified

- Deleted

vstinner · 2026-05-21T16:58:57Z

I tested this change on Fedora 43 AArch64 with commands:

./configure --enable-shared CFLAGS="-mbranch-protection=standard -fplugin=annobin -fstack-protector-strong -fstack-clash-protection -D_FORTIFY_SOURCE=3" LDFLAGS="-Wl,-z,now" --with-lto
make -j24
readelf -n ./python | grep Properties

Output:

readelf: Warning: Gap in build notes detected from 0x40087d to 0x400897
      Properties: AArch64 feature: BTI, PAC, GCS

The BTI and PAC protections are present as expected.

vstinner · 2026-05-21T16:59:27Z

@stratakis: Here is an automated backport to 3.13 of PR gh-150189 fix.

stratakis · 2026-05-21T17:05:47Z

Unfortunately this is a bit trickier here. While I found everything working, except the case with frame pointers and mbranch protection for the dwarf unwinding path. Although quite niche, other issues might be here, I think this should go on 3.13 only if @pablogsal would think that 5535482 is also cherry-pickable for 3.13.

stratakis · 2026-05-21T17:07:26Z

I think cherry-picking the trampoline fixes before this would be the right move, but it's not for me to decide.

stratakis · 2026-05-21T17:11:32Z

Unfortunately this is a bit trickier here. While I found everything working, except the case with frame pointers and mbranch protection for the dwarf unwinding path. Although quite niche, other issues might be here, I think this should go on 3.13 only if @pablogsal would think that 5535482 is also cherry-pickable for 3.13.

Ah wait, this commit IS on 3.13. Then I'm not sure what the issue is here.

vstinner · 2026-05-21T17:15:14Z

While I found everything working, except the case with frame pointers and mbranch protection for the dwarf unwinding path.

Would you mind to elaborate on the issue? Like explain how to reproduce it?

stratakis · 2026-05-21T17:25:01Z

While I found everything working, except the case with frame pointers and mbranch protection for the dwarf unwinding path.

Would you mind to elaborate on the issue? Like explain how to reproduce it?

Actually everything works, forgot the clear the stale perf /tmp/jitted*.so files from the previous test run so something got messy there.

This was referenced May 21, 2026

asm_trampoline.S misses BTI/PAC protection flags for aarch64 #139808

Closed

[3.14] gh-139808: Add branch protections for aarch64 in asm_trampoline.S (#130864) #150189

Merged

bedevere-app Bot added the awaiting review label May 21, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[3.13] gh-139808: Add branch protections for aarch64 in asm_trampoline.S (GH-130864) (GH-150189)#150194

[3.13] gh-139808: Add branch protections for aarch64 in asm_trampoline.S (GH-130864) (GH-150189)#150194
miss-islington wants to merge 1 commit into
python:3.13from
miss-islington:backport-c863e96-3.13

miss-islington commented May 21, 2026

Uh oh!

read-the-docs-community Bot commented May 21, 2026

Uh oh!

vstinner commented May 21, 2026

Uh oh!

vstinner commented May 21, 2026

Uh oh!

stratakis commented May 21, 2026

Uh oh!

stratakis commented May 21, 2026

Uh oh!

stratakis commented May 21, 2026

Uh oh!

vstinner commented May 21, 2026

Uh oh!

stratakis commented May 21, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Uh oh!

Conversation

miss-islington commented May 21, 2026

Uh oh!

read-the-docs-community Bot commented May 21, 2026

Documentation build overview

Uh oh!

vstinner commented May 21, 2026

Uh oh!

vstinner commented May 21, 2026

Uh oh!

stratakis commented May 21, 2026

Uh oh!

stratakis commented May 21, 2026

Uh oh!

stratakis commented May 21, 2026

Uh oh!

vstinner commented May 21, 2026

Uh oh!

stratakis commented May 21, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants