classification
Title: Allow enabling control flow guard in Windows build
Type: security
Stage: resolved
Components: Build, Windows
Versions: Python 3.11, Python 3.10, Python 3.9, Python 3.8
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: steve.dower
Nosy List: miss-islington, paul.moore, steve.dower, tim.golden, zach.ware
Priority: normal
Keywords: patch

Created on 2021-06-10 17:07 by steve.dower, last changed 2021-06-11 21:39 by steve.dower. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 26645 merged steve.dower, 2021-06-10 17:10
PR 26681 merged miss-islington, 2021-06-11 20:35
PR 26682 merged miss-islington, 2021-06-11 20:36
Messages (5)
msg395556 - Author: Steve Dower (steve.dower) (Python committer) Date: 2021-06-10 17:07
Currently we don't enable CFG (which is runtime protection against code injection into tables), because it likely has a performance impact and the kind of attack is outside our scope.

However, we should make it easier to build CPython with CFG enabled, so that third parties who do want to include it in their scope can do so.
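Added example, not part of the issue or of the CPython build scripts: a header-only check that a built binary has the `IMAGE_DLLCHARACTERISTICS_GUARD_CF` bit set, which the MSVC linker sets when an image is linked with `/guard:cf`. The function names and the sample headers are constructed for illustration.

```python
import struct
import sys

# DllCharacteristics bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040  # ASLR
GUARD_CF = 0x4000      # image supports Control Flow Guard

def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image's optional header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 4 + 20  # skip signature and COFF file header
    if len(image) < opt_off + 72:
        raise ValueError("optional header truncated")
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 4 + 16)
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if opt_size < 72 or magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unexpected optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    return struct.unpack_from("<H", image, opt_off + 70)[0]

def cfg_status(image: bytes) -> dict:
    flags = dll_characteristics(image)
    return {"guard_cf": bool(flags & GUARD_CF),
            "dynamic_base": bool(flags & DYNAMIC_BASE)}

def make_sample(flags: int) -> bytes:
    """Constructed PE32+ headers only (not a loadable binary), for the demo."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 70, flags)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    # Pass real binaries on the command line, or run the constructed samples.
    samples = {"cfg-on (constructed)": make_sample(0x4160),
               "cfg-off (constructed)": make_sample(0x0160)}
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            samples[path] = fh.read(4096)
    for name, data in samples.items():
        print(name, cfg_status(data))
```

The header bit shows that the image was linked with CFG support; it says nothing about other modules loaded into the same process.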
msg395557 - Author: Steve Dower (steve.dower) (Python committer) Date: 2021-06-10 17:12
FWIW, I don't actually know what the performance impact is. I'm not set up for running the perf benchmarks, and I don't know if anyone else is (on Windows), but if someone would like to then it'll be easier once the environment option to enable it is in there.
msg395661 - Author: Steve Dower (steve.dower) (Python committer) Date: 2021-06-11 20:35
New changeset 5af56c6f2a0d11df37fed7ecaaf321cf6926ba13 by Steve Dower in branch 'main':
bpo-44381: Windows build now allows enabling control flow guard (GH-26645)
https://github.com/python/cpython/commit/5af56c6f2a0d11df37fed7ecaaf321cf6926ba13
msg395662 - Author: Steve Dower (steve.dower) (Python committer) Date: 2021-06-11 21:17
New changeset 9580d3894ad158ae909e7573a02dcd087de0b673 by Miss Islington (bot) in branch '3.9':
bpo-44381: Windows build now allows enabling control flow guard (GH-26645)
https://github.com/python/cpython/commit/9580d3894ad158ae909e7573a02dcd087de0b673
msg395663 - Author: miss-islington (miss-islington) Date: 2021-06-11 21:21
New changeset 42612db10792dd069149063f67a3b1db700bc7ee by Miss Islington (bot) in branch '3.10':
bpo-44381: Windows build now allows enabling control flow guard (GH-26645)
https://github.com/python/cpython/commit/42612db10792dd069149063f67a3b1db700bc7ee
History
Date User Action Args
2021-06-11 21:39:25 steve.dower set status: open -> closed; resolution: fixed; stage: patch review -> resolved
2021-06-11 21:21:18 miss-islington set messages: + msg395663
2021-06-11 21:17:14 steve.dower set messages: + msg395662
2021-06-11 20:36:03 miss-islington set pull_requests: + pull_request25269
2021-06-11 20:35:57 miss-islington set nosy: + miss-islington; pull_requests: + pull_request25268
2021-06-11 20:35:48 steve.dower set messages: + msg395661
2021-06-10 17:12:44 steve.dower set messages: + msg395557
2021-06-10 17:10:58 steve.dower set keywords: + patch; stage: patch review; pull_requests: + pull_request25231
2021-06-10 17:07:15 steve.dower create