Bug 2356304

Summary: When compiling Python with systemtap support, the branch protections on aarch64 do not get applied
Product: [Fedora] Fedora Reporter: Charalampos Stratakis <cstratak>
Component: python3.9Assignee: Charalampos Stratakis <cstratak>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: cstratak, mhroncok, python-maint, python-packagers-sig, thrnciar, torsava, vstinner
Target Milestone: ---   
Target Release: ---   
Hardware: aarch64   
OS: Unspecified   
Whiteboard:
Fixed In Version: python3.9-3.9.21-5.fc43 python3.9-3.9.21-5.fc40 python3.9-3.9.21-5.fc41 python3.9-3.9.21-5.fc42 Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-04-01 13:40:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Charalampos Stratakis 2025-03-31 20:15:56 UTC 
This bug was initially created as a copy of Bug #2350935



When compiling Python with the --with-dtrace configure flag during RPM build on aarch64 with the -mbranch-protection=standard flag, for applying the Branch Target Identification(BTI) protections, the resulting object file (pydtrace.o) doesn't contain the protections and the associated elf note, resulting in the final shared library missing the note.

Using python3.11, as later versions contain assembly sources that interfere with the results.

Everything looks good when compiling on a non-rpmbuild environment:

./configure --with-dtrace && make -j

$ readelf -n libpython3.11.so.1.0
  Properties: AArch64 feature: BTI, PAC, GCS

$ objdump -d Python/pydtrace.o
  0000000000000000 <__dtrace>:
   0:	d503245f 	bti	c
   4:	d503201f 	nop
   8:	d65f03c0 	ret

However when building Python as an RPM the aarch64 protection flags are not there for libpython or pydtrace.o

$ objdump -d Python/pydtrace.o
0000000000000000 <__dtrace>:
   0:   d503201f        nop
   4:   d65f03c0        ret

I wasn't able to replicate the results by simulating the rpm build on the upstream sources, aka using all our configure options and CFLAGS.

The commands from the Makefile that initiate this:
/usr/bin/dtrace  -o Include/pydtrace_probes.h -h -s /builddir/build/BUILD/python3.11-3.11.11-build/Python-3.11.11/Include/pydtrace.d

sed 's/PYTHON_/PyDTrace_/' Include/pydtrace_probes.h > Include/pydtrace_probes.h.tmp

mv Include/pydtrace_probes.h.tmp Include/pydtrace_probes.h

/usr/bin/dtrace  -o Python/pydtrace.o -G -s /builddir/build/BUILD/python3.11-3.11.11-build/Python-3.11.11/Include/pydtrace.d Python/ceval.o Python/import.o Python/sysmodule.o Modules/gcmodule.o

At the same time the equivalent protection for x86_64 get applied properly for both rpm and non-rpm builds.

Filing for systemtap for now if folks have any insight on that.

Reproducible: Always
Comment 1 Charalampos Stratakis 2025-03-31 23:53:56 UTC 
PRs:
https://src.fedoraproject.org/rpms/python3.9/pull-request/192
https://src.fedoraproject.org/rpms/python3.9/pull-request/193
https://src.fedoraproject.org/rpms/python3.9/pull-request/194
https://src.fedoraproject.org/rpms/python3.9/pull-request/195
Comment 2 Fedora Update System 2025-04-01 09:24:46 UTC 
FEDORA-2025-6b253e5b4a (python3.9-3.9.21-5.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-6b253e5b4a
Comment 3 Fedora Update System 2025-04-01 09:26:29 UTC 
FEDORA-2025-7fc5f2c5d1 (python3.9-3.9.21-5.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-7fc5f2c5d1
Comment 4 Fedora Update System 2025-04-01 09:31:42 UTC 
FEDORA-2025-d486d25173 (python3.9-3.9.21-5.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-d486d25173
Comment 5 Fedora Update System 2025-04-01 09:32:02 UTC 
FEDORA-2025-6d4e787520 (python3.9-3.9.21-5.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-6d4e787520
Comment 6 Fedora Update System 2025-04-01 13:40:00 UTC 
FEDORA-2025-7fc5f2c5d1 (python3.9-3.9.21-5.fc43) has been pushed to the Fedora 43 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 7 Fedora Update System 2025-04-02 01:12:42 UTC 
FEDORA-2025-6b253e5b4a has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-6b253e5b4a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-6b253e5b4a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 8 Fedora Update System 2025-04-02 02:29:59 UTC 
FEDORA-2025-6d4e787520 has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-6d4e787520`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-6d4e787520

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 9 Fedora Update System 2025-04-02 04:11:15 UTC 
FEDORA-2025-d486d25173 has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-d486d25173`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-d486d25173

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 10 Fedora Update System 2025-04-03 01:51:54 UTC 
FEDORA-2025-6d4e787520 (python3.9-3.9.21-5.fc40) has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 11 Fedora Update System 2025-04-10 04:30:20 UTC 
FEDORA-2025-d486d25173 (python3.9-3.9.21-5.fc41) has been pushed to the Fedora 41 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 12 Fedora Update System 2025-04-11 18:26:13 UTC 
FEDORA-2025-6b253e5b4a (python3.9-3.9.21-5.fc42) has been pushed to the Fedora 42 stable repository.
If problem still persists, please make note of it in this bug report.