[Python-ideas] SEC: Spectre variant 2: GCC: -mindirect-branch=thunk -mindirect-branch-register

Wes Turner wes.turner at gmail.com
Sun Sep 16 10:16:19 EDT 2018


On Sunday, September 16, 2018, Wes Turner <wes.turner at gmail.com> wrote:

> Should Python builds add `-mindirect-branch=thunk
> -mindirect-branch-register` to CFLAGS?
>
> Where would this be to be added in the build scripts with which
> architectures?
>
> /QSpectre is the MSVC build flag for Spectre Variant 1:
>
> > The /Qspectre option is available in Visual Studio 2017 version 15.7 and
> later.
>
> https://docs.microsoft.com/en-us/cpp/build/reference/qspectre?view=vs-2017
>
> security@ directed me to the issue tracker / lists,
> so I'm forwarding this to python-dev and python-ideas, as well.
>
> # Forwarded message
> From: *Wes Turner* <wes.turner at gmail.com>
> Date: Wednesday, September 12, 2018
> Subject: SEC: Spectre variant 2: GCC: -mindirect-branch=thunk
> -mindirect-branch-register
> To: distutils-sig <distutils-sig at python.org>
>
>
> Should C extensions that compile all add
> `-mindirect-branch=thunk -mindirect-branch-register` [1] to mitigate the
> risk of Spectre variant 2 (which does indeed affect user space applications
> as well as kernels)?
>
> [1] https://github.com/speed47/spectre-meltdown-checker/issues/
> 119#issuecomment-361432244
> [2] https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)
> [3] https://en.wikipedia.org/wiki/Speculative_Store_Bypass#Specu
> lative_execution_exploit_variants
>
> On Wednesday, September 12, 2018, Wes Turner <wes.turner at gmail.com> wrote:
>>
>>> On Wednesday, September 12, 2018, Joni Orponen <j.orponen at 4teamwork.ch>
>>> wrote:
>>>
>>>> On Wed, Sep 12, 2018 at 8:48 PM Wes Turner <wes.turner at gmail.com>
>>>> wrote:
>>>>
>>>>> Should C extensions that compile all add
>>>>> `-mindirect-branch=thunk -mindirect-branch-register` [1] to mitigate
>>>>> the risk of Spectre variant 2 (which does indeed affect user space
>>>>> applications as well as kernels)?
>>>>>
>>>>
>>>> Are those available on GCC <= 4.2.0 as per PEP 513?
>>>>
>>>
>>> AFAIU, only
>>> GCC 7.3 and 8 have the retpoline (indirect-branch=thunk) support enabled
>>> by the `-mindirect-branch=thunk -mindirect-branch-register` CFLAGS.
>>>
>>
>  On Wednesday, September 12, 2018, Wes Turner <wes.turner at gmail.com>
> wrote:
>
>> "What is a retpoline and how does it work?"
>> https://stackoverflow.com/questions/48089426/what-is-a-retpo
>> line-and-how-does-it-work
>>
>>
There's probably already been an ANN announce about this?

If not, someone with appropriate security posture and syntax could address:

Whether python.org binaries are already rebuilt

Whether OS package binaries are already rebuilt

Whether anaconda binaries are already rebuilt

Whether C extension binaries on pypi are already rebuilt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-ideas/attachments/20180916/bccc0407/attachment-0001.html>


More information about the Python-ideas mailing list