Apply Intel's CET for mitigation against control-flow hijacking attacks

Resolves: RHEL-88326
2025-04-23 01:24:08 +02:00 · 2025-04-23 01:24:08 +02:00 · 90ac5e8927
commit 90ac5e8927
parent 80b6f849a6
2 changed files with 66 additions and 1 deletions
--- a/00459-apply-intel-control-flow-technology-for-x86-64.patch
+++ b/00459-apply-intel-control-flow-technology-for-x86-64.patch
@ -0,0 +1,51 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Charalampos Stratakis <cstratak@redhat.com>
+Date: Wed, 8 Jan 2025 04:58:22 +0100
+Subject: 00459: Apply Intel Control-flow Technology for x86-64
+
+Required for mitigation against return-oriented programming (ROP) and Call or Jump Oriented Programming (COP/JOP) attacks
+
+Proposed upstream: https://github.com/python/cpython/pull/128606
+
+See also: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
+---
+ Python/asm_trampoline.S | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/Python/asm_trampoline.S b/Python/asm_trampoline.S
+index 460707717d..341d0bbe51 100644
+--- a/Python/asm_trampoline.S
+++ b/Python/asm_trampoline.S
+@@ -9,6 +9,9 @@
+ # }
+ _Py_trampoline_func_start:
+ #ifdef __x86_64__
+#if defined(__CET__) && (__CET__ & 1)
+    endbr64
+#endif
+     sub    $8, %rsp
+     call    *%rcx
+     add    $8, %rsp
+@@ -26,3 +29,22 @@ _Py_trampoline_func_start:
+     .globl	_Py_trampoline_func_end
+ _Py_trampoline_func_end:
+     .section        .note.GNU-stack,"",@progbits
+# Note for indicating the assembly code supports CET
+#if defined(__x86_64__) && defined(__CET__) && (__CET__ & 1)
+    .section    .note.gnu.property,"a"
+    .align 8
+    .long    1f - 0f
+    .long    4f - 1f
+    .long    5
+0:
+    .string  "GNU"
+1:
+    .align 8
+    .long    0xc0000002
+    .long    3f - 2f
+2:
+    .long    0x3
+3:
+    .align 8
+4:
+#endif // __x86_64__
--- a/python3.12.spec
+++ b/python3.12.spec
@ -20,7 +20,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: Python-2.0.1


@ -385,6 +385,16 @@ Patch397: 00397-tarfile-filter.patch
 # CVE-2023-52425. Future versions of Expat may be more reactive.
 Patch422: 00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch

+# 00459 # 906f6692bd85034012c9554f2434627ccfc04c67
+# Apply Intel Control-flow Technology for x86-64
+#
+# Required for mitigation against return-oriented programming (ROP) and Call or Jump Oriented Programming (COP/JOP) attacks
+#
+# Proposed upstream: https://github.com/python/cpython/pull/128606
+#
+# See also: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
+Patch459: 00459-apply-intel-control-flow-technology-for-x86-64.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1699,6 +1709,10 @@ CheckPython optimized
 # ======================================================

 %changelog
+* Tue Apr 22 2025 Charalampos Stratakis <cstratak@redhat.com> - 3.12.10-2
+- Apply Intel's CET for mitigation against control-flow hijacking attacks
+Resolves: RHEL-88326
+
 * Wed Apr 09 2025 Miro Hrončok <mhroncok@redhat.com> - 3.12.10-1
 - Update to 3.12.10
 Resolves: RHEL-86887