[Python-ideas] SEC: Spectre variant 2: GCC: -mindirect-branch=thunk -mindirect-branch-register

Wes Turner wes.turner at gmail.com
Sun Sep 16 20:29:06 EDT 2018

Are all current Python builds and C extensions vulnerable to Spectre
variants {1, 2, *}?

There are now multiple threads:

"SEC: Spectre variant 2: GCC: -mindirect-branch=thunk"
- https://mail.python.org/pipermail/python-ideas/2018-September/053473.html
- https://mail.python.org/pipermail/python-dev/2018-September/155199.html

Original thread (that I forwarded to security@):
"[Python-ideas] Executable space protection: NX bit,"
> ~ Do trampolines / nested functions in C extensions switch off the NX bit?

On Sunday, September 16, 2018, Nathaniel Smith <njs at pobox.com> wrote:

> On Wed, Sep 12, 2018, 12:29 Joni Orponen <j.orponen at 4teamwork.ch> wrote:
>> On Wed, Sep 12, 2018 at 8:48 PM Wes Turner <wes.turner at gmail.com> wrote:
>>> Should C extensions that compile all add
>>> `-mindirect-branch=thunk -mindirect-branch-register` [1] to mitigate the
>>> risk of Spectre variant 2 (which does indeed affect user space applications
>>> as well as kernels)?
>> Are those available on GCC <= 4.2.0 as per PEP 513?
> Pretty sure no manylinux1 compiler is ever going to get these mitigations.
> For manylinux2010 on x86-64, we can easily use a much newer compiler: RH
> maintains a recent compiler, currently gcc 7.3, or if that doesn't work for
> some reason then the conda folks have apparently figured out how to
> build the equivalent from gcc upstream releases.

Are there different CFLAGS and/or gcc compatibility flags in conda builds
of Python and C extensions?

Where are those set in conda builds?

What's the best way to set CFLAGS in Python builds and C extensions?

export CFLAGS="-mindirect-branch=thunk -mindirect-branch-register"

Why are we supposed to use an old version of GCC that doesn't have the
retpoline patches that only mitigate Spectre variant 2?

> Unfortunately, the manylinux2010 infrastructure is not quite ready... I'm
> pretty sure it needs some volunteers to push it to the finish line, though
> unfortunately I haven't had enough time to keep track.

"PEP 571 -- The manylinux2010 Platform Tag"

"Tracking issue for manylinux2010 rollout"

Are all current Python builds and C extensions vulnerable to Spectre
variants {1, 2, *}?

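Added example (not from the thread, CPython, or conda): a POSIX shell helper that probes gcc for the two flags in the `export CFLAGS=` line above before adding them, and checks an unstripped object for the retpoline thunk symbols those flags emit. The function names and the probe source file are this example's own assumptions.

```shell
#!/bin/sh
# Probe whether $CC accepts the retpoline flags before exporting them, then
# verify a built object actually got thunks. Retpolines only address Spectre
# variant 2, as the thread notes; variant 1 needs separate handling.
set -u
CC="${CC:-gcc}"
RETPOLINE_FLAGS="-mindirect-branch=thunk -mindirect-branch-register"

# cc_accepts FLAG... : 0 if $CC compiles an empty translation unit with FLAG...
# Old GCC (e.g. the 4.x line PEP 513 pins), non-x86 targets, and some GCC
# builds with -fcf-protection on by default reject these flags, so probe
# instead of hard-coding them into every build.
cc_accepts() {
    tmpdir=$(mktemp -d) || return 1
    printf 'int main(void) { return 0; }\n' > "$tmpdir/probe.c"
    "$CC" -Werror "$@" -c "$tmpdir/probe.c" -o "$tmpdir/probe.o" >/dev/null 2>&1
    rc=$?
    rm -rf "$tmpdir"
    return "$rc"
}

# retpoline_cflags : print CFLAGS with the mitigation flags appended when the
# compiler supports them, otherwise CFLAGS unchanged (never a build break).
retpoline_cflags() {
    if cc_accepts $RETPOLINE_FLAGS; then
        printf '%s\n' "${CFLAGS:+$CFLAGS }$RETPOLINE_FLAGS"
    else
        printf '%s\n' "${CFLAGS:-}"
    fi
}

# has_retpoline_thunks OBJ : 0 if the unstripped object OBJ carries a
# retpoline thunk symbol (__x86_indirect_thunk_<reg>), i.e. its indirect
# calls/jumps were converted. Run it on an extension's .o files to confirm
# the flags reached the compiler and were not dropped by the build system.
has_retpoline_thunks() {
    nm "$1" 2>/dev/null | grep -q '__x86_indirect_thunk'
}

# Usage: evaluate once, then build Python or the extension with the result.
# CFLAGS="$(retpoline_cflags)"; export CFLAGS
```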