diff --git a/00459-apply-intel-control-flow-technology-for-x86-64.patch b/00459-apply-intel-control-flow-technology-for-x86-64.patch new file mode 100644 index 0000000..380856c --- /dev/null +++ b/00459-apply-intel-control-flow-technology-for-x86-64.patch @@ -0,0 +1,51 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Charalampos Stratakis +Date: Wed, 8 Jan 2025 04:58:22 +0100 +Subject: 00459: Apply Intel Control-flow Technology for x86-64 + +Required for mitigation against return-oriented programming (ROP) and Call or Jump Oriented Programming (COP/JOP) attacks + +Proposed upstream: https://github.com/python/cpython/pull/128606 + +See also: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html +--- + Python/asm_trampoline.S | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/Python/asm_trampoline.S b/Python/asm_trampoline.S +index 460707717d..341d0bbe51 100644 +--- a/Python/asm_trampoline.S ++++ b/Python/asm_trampoline.S +@@ -9,6 +9,9 @@ + # } + _Py_trampoline_func_start: + #ifdef __x86_64__ ++#if defined(__CET__) && (__CET__ & 1) ++ endbr64 ++#endif + sub $8, %rsp + call *%rcx + add $8, %rsp +@@ -26,3 +29,22 @@ _Py_trampoline_func_start: + .globl _Py_trampoline_func_end + _Py_trampoline_func_end: + .section .note.GNU-stack,"",@progbits ++# Note for indicating the assembly code supports CET ++#if defined(__x86_64__) && defined(__CET__) && (__CET__ & 1) ++ .section .note.gnu.property,"a" ++ .align 8 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ .string "GNU" ++1: ++ .align 8 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 0x3 ++3: ++ .align 8 ++4: ++#endif // __x86_64__ diff --git a/python3.12.spec b/python3.12.spec index a972e7a..c71f38d 100644 --- a/python3.12.spec +++ b/python3.12.spec @@ -20,7 +20,7 @@ URL: https://www.python.org/ #global prerel ... %global upstream_version %{general_version}%{?prerel} Version: %{general_version}%{?prerel:~%{prerel}} -Release: 1%{?dist} +Release: 2%{?dist} License: Python-2.0.1 @@ -385,6 +385,16 @@ Patch397: 00397-tarfile-filter.patch # CVE-2023-52425. Future versions of Expat may be more reactive. Patch422: 00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch +# 00459 # 906f6692bd85034012c9554f2434627ccfc04c67 +# Apply Intel Control-flow Technology for x86-64 +# +# Required for mitigation against return-oriented programming (ROP) and Call or Jump Oriented Programming (COP/JOP) attacks +# +# Proposed upstream: https://github.com/python/cpython/pull/128606 +# +# See also: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html +Patch459: 00459-apply-intel-control-flow-technology-for-x86-64.patch + # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., @@ -1699,6 +1709,10 @@ CheckPython optimized # ====================================================== %changelog +* Tue Apr 22 2025 Charalampos Stratakis - 3.12.10-2 +- Apply Intel's CET for mitigation against control-flow hijacking attacks +Resolves: RHEL-88326 + * Wed Apr 09 2025 Miro HronĨok - 3.12.10-1 - Update to 3.12.10 Resolves: RHEL-86887