dev-libs/libffi: backport further patches (arm64 + BTI/PAC, ASAN)

I should've done this earlier in -r1 but I equivocated.

Signed-off-by: Sam James <sam@gentoo.org>

6 files changed, 611 insertions, 0 deletions

diff --git a/dev-libs/libffi/files/libffi-3.4.6-arm64-bti-spelling.patch b/dev-libs/libffi/files/libffi-3.4.6-arm64-bti-spelling.patch
new file mode 100644
index 000000000000..2a06292546d0
--- /dev/null
+++ b/dev-libs/libffi/files/libffi-3.4.6-arm64-bti-spelling.patch
@@ -0,0 +1,26 @@
+https://github.com/libffi/libffi/commit/38732240c125b6af9db66d940c0725a69292cc49
+
+From 38732240c125b6af9db66d940c0725a69292cc49 Mon Sep 17 00:00:00 2001
+From: Bill Roberts <152999275+billatarm@users.noreply.github.com>
+Date: Sat, 1 Jun 2024 12:33:28 -0500
+Subject: [PATCH] ffi: fix spelling mistake (#833)
+
+Signed-off-by: Bill Roberts <bill.roberts@arm.com>
+---
+ src/aarch64/ffi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/aarch64/ffi.c b/src/aarch64/ffi.c
+index 8661a352..b13738e3 100644
+--- a/src/aarch64/ffi.c
++++ b/src/aarch64/ffi.c
+@@ -682,7 +682,7 @@ ffi_call_int (ffi_cif *cif, void (*fn)(void), void *orig_rvalue,
+   else if (flags & AARCH64_RET_NEED_COPY)
+     rsize = 16;
+ 
+-  /* Allocate consectutive stack for everything we'll need.
++  /* Allocate consecutive stack for everything we'll need.
+      The frame uses 40 bytes for: lr, fp, rvalue, flags, sp */
+   context = alloca (sizeof(struct call_context) + stack_bytes + 40 + rsize);
+   stack = context + 1;
+
diff --git a/dev-libs/libffi/files/libffi-3.4.6-arm64-bti.patch b/dev-libs/libffi/files/libffi-3.4.6-arm64-bti.patch
new file mode 100644
index 000000000000..66dc9f181b79
--- /dev/null
+++ b/dev-libs/libffi/files/libffi-3.4.6-arm64-bti.patch
@@ -0,0 +1,81 @@
+https://github.com/libffi/libffi/commit/f64141ee3f9e455a060bd09e9ab72b6c94653d7c
+
+From f64141ee3f9e455a060bd09e9ab72b6c94653d7c Mon Sep 17 00:00:00 2001
+From: Bill Roberts <152999275+billatarm@users.noreply.github.com>
+Date: Tue, 19 Mar 2024 11:44:55 -0500
+Subject: [PATCH] Fix bti support (#830)
+
+* bti: add identifier to ffi_closure_SYSV_V_alt
+
+This was missing BTI_C identifier.
+
+Old Code:
+ffi_closure_SYSV_V_alt:
+0000fffff7f70500:   ldr     x17, [sp, #8]
+
+Signed-off-by: Bill Roberts <bill.roberts@arm.com>
+
+* testsuite: fix whitespace in Makefile.am
+
+Signed-off-by: Bill Roberts <bill.roberts@arm.com>
+
+* aarch64: correct comment describing BTI
+
+The comment is incorrect, BTI is enabled per mapping via mprotect with
+PROT_BTI flag set, not per-process. When the loader loads the library,
+if the GNU Notes section is missing this, PROT_BTI will not be enabled
+for that mapping, but is independent of other mappings.
+
+Signed-off-by: Bill Roberts <bill.roberts@arm.com>
+
+---------
+
+Signed-off-by: Bill Roberts <bill.roberts@arm.com>
+---
+ src/aarch64/sysv.S    | 4 +++-
+ testsuite/Makefile.am | 2 +-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/aarch64/sysv.S b/src/aarch64/sysv.S
+index fdd0e8b7..60cfa505 100644
+--- a/src/aarch64/sysv.S
++++ b/src/aarch64/sysv.S
+@@ -68,7 +68,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.  */
+ #define BTI_J hint #36
+ /*
+  * The ELF Notes section needs to indicate if BTI is supported, as the first ELF loaded that doesn't
+- * declare this support disables it for the whole process.
++ * declare this support disables it for memory region containing the loaded library.
+  */
+ # define GNU_PROPERTY_AARCH64_BTI (1 << 0)         /* Has Branch Target Identification */
+ 	.text
+@@ -527,6 +527,7 @@ L(do_closure):
+ #if defined(FFI_EXEC_STATIC_TRAMP)
+ 	.align 4
+ CNAME(ffi_closure_SYSV_V_alt):
++	BTI_C
+ 	/* See the comments above trampoline_code_table. */
+ 	ldr	x17, [sp, #8]			/* Load closure in x17 */
+ 	add	sp, sp, #16			/* Restore the stack */
+@@ -541,6 +542,7 @@ CNAME(ffi_closure_SYSV_V_alt):
+ 
+ 	.align 4
+ CNAME(ffi_closure_SYSV_alt):
++	BTI_C
+ 	/* See the comments above trampoline_code_table. */
+ 	ldr	x17, [sp, #8]			/* Load closure in x17 */
+ 	add	sp, sp, #16			/* Restore the stack */
+diff --git a/testsuite/Makefile.am b/testsuite/Makefile.am
+index d286cf7f..6ba98e12 100644
+--- a/testsuite/Makefile.am
++++ b/testsuite/Makefile.am
+@@ -8,7 +8,7 @@ CLEANFILES = *.exe core* *.log *.sum
+ 
+ EXTRA_DIST = config/default.exp emscripten/build.sh emscripten/conftest.py \
+ 	emscripten/node-tests.sh emscripten/test.html emscripten/test_libffi.py \
+-  emscripten/build-tests.sh lib/libffi.exp lib/target-libpath.exp \
++	emscripten/build-tests.sh lib/libffi.exp lib/target-libpath.exp \
+ 	lib/wrapper.exp libffi.bhaible/Makefile libffi.bhaible/README \
+ 	libffi.bhaible/alignof.h libffi.bhaible/bhaible.exp libffi.bhaible/test-call.c \
+ 	libffi.bhaible/test-callback.c libffi.bhaible/testcases.c libffi.call/align_mixed.c \
+
diff --git a/dev-libs/libffi/files/libffi-3.4.6-arm64-fix-build.patch b/dev-libs/libffi/files/libffi-3.4.6-arm64-fix-build.patch
new file mode 100644
index 000000000000..20eaf6a2d8cd
--- /dev/null
+++ b/dev-libs/libffi/files/libffi-3.4.6-arm64-fix-build.patch
@@ -0,0 +1,36 @@
+https://github.com/libffi/libffi/commit/9c9e8368e49804c4f7c35ac9f0d7c1d0d533308b
+
+From 9c9e8368e49804c4f7c35ac9f0d7c1d0d533308b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Martin=20Storsj=C3=B6?= <martin@martin.st>
+Date: Tue, 4 Jun 2024 14:13:08 +0300
+Subject: [PATCH] aarch64: Add a missing no-op define of SIGN_LR_LINUX_ONLY
+ (#838)
+
+This is needed at least if building for Linux, with a toolchain
+that doesn't default to having PAC enabled, fixing build errors
+since 45d284f2d066cc3a080c5be88e51b4d934349797.
+---
+ src/aarch64/internal.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/aarch64/internal.h b/src/aarch64/internal.h
+index c39f9cb2..50fa5c13 100644
+--- a/src/aarch64/internal.h
++++ b/src/aarch64/internal.h
+@@ -88,6 +88,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.  */
+   #define AUTH_LR_AND_RET retab
+   #define AUTH_LR_WITH_REG(x) autib lr, x
+   #define BRANCH_AND_LINK_TO_REG blraaz
++  #define SIGN_LR_LINUX_ONLY
+   #define BRANCH_TO_REG braaz
+   #define PAC_CFI_WINDOW_SAVE
+   /* Linux PAC Support */
+@@ -136,6 +137,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.  */
+     #define AUTH_LR_AND_RET ret
+     #define AUTH_LR_WITH_REG(x)
+     #define BRANCH_AND_LINK_TO_REG blr
++    #define SIGN_LR_LINUX_ONLY
+     #define BRANCH_TO_REG br
+     #define PAC_CFI_WINDOW_SAVE
+   #endif /* HAVE_ARM64E_PTRAUTH */
+
diff --git a/dev-libs/libffi/files/libffi-3.4.6-arm64-support-pac.patch b/dev-libs/libffi/files/libffi-3.4.6-arm64-support-pac.patch
new file mode 100644
index 000000000000..288533367499
--- /dev/null
+++ b/dev-libs/libffi/files/libffi-3.4.6-arm64-support-pac.patch
@@ -0,0 +1,332 @@
+https://github.com/libffi/libffi/commit/45d284f2d066cc3a080c5be88e51b4d934349797
+
+From 45d284f2d066cc3a080c5be88e51b4d934349797 Mon Sep 17 00:00:00 2001
+From: Bill Roberts <152999275+billatarm@users.noreply.github.com>
+Date: Sat, 1 Jun 2024 12:34:53 -0500
+Subject: [PATCH] aarch64: support pointer authentication (#834)
+
+* aarch64: fix callstack in ffi_call_SYSV
+
+The debug stack gets corrupted between the frame and stack pivots, update
+the CFI directives so the call stack stays correct in the debugger.
+
+str     x9, [x1, #32] // stack is ffi_call_SYSV() -> ffi_call_int() -> ffi_call_int() -> main() (good)
+mov     x29, x1       // stack is ffi_call_SYSV() -> ffi_call_int() -> ffi_call_int() -> ffi_call() -> main() (bad)
+mov     sp, x0        // stack is ffi_call_SYSV() -> ffi_call_int() -> ffi_call_int() -> main() (good)
+
+The CFA data needs to be updated around the pivots, after this patch the
+callstack stays correct.
+
+Signed-off-by: Bill Roberts <bill.roberts@arm.com>
+
+* aarch64: remove uneeded CFI directive
+
+This directive doesn't actually set the CFA to anything valid, and
+during unwinding this isn't even used. Note that the PAC/Darwin usage
+is quite suspect as well, as the CFA is either x1 or x29 after the frame
+pivot, and the CFA address is what's used as the modifier when verifying
+the PAC. At least this is the behavior on Linux with PAC, I need to
+verify ARME ABI unwinding. So for now leave Darwin as is.
+
+Signed-off-by: Bill Roberts <bill.roberts@arm.com>
+
+* ptrauth: rename define for clarity
+
+Rename the HAVE_PTRAUTH define for clarity that its associated with the
+ARM64E ABI and not the ARM64 ABI that can be supported on Linux and
+enabled with -mbranch-protection=standard.
+
+Signed-off-by: Bill Roberts <bill.roberts@arm.com>
+
+* aarch64: add PAC support to ffi_call_SYSV
+
+Support AARCH64 Pointer Authentication Codes (PAC) within ffi_call_SYSV
+and support exception unwinding.
+
+The Linux ABI for PAC is to use paciasp/autiasp instructions which also
+have hint space equivelent instructions. They sign the LR (x30) with the
+A key and the current stack pointer as the salt. Note that this can also be
+configured to use the B key and will use pacibsp/autibsp hint instructions.
+
+The Linux ABI for exception frame data when PAC is enabled assumes that the
+Connonical Frame Address, or CFA is equal to the stack pointer. I.E sp is
+equal to x29 (fp). When the unwinder is invoked the cfa will point to
+the frame which will include the *signed* return address from the LR.
+This will then be passed to __builtin_aarch64_autia1716 where the CFA
+will be used as the salt and stored to register x16 and register x17
+will contain the signed address to demangle. This can be noted in:
+  - https://github.com/gcc-mirror/gcc/blob/d6d7afcdbc04adb0ec42a44b2d7e05600945af42/libgcc/config/aarch64/aarch64-unwind.h#L56
+
+The other required portion of this is to indicate to the unwinder that
+this is a signed address that needs to go the special demangle route in
+the unwinder. This is accomplished by using CFI directive "cfi_window_save"
+which marks that frame as being signed.
+
+Putting all of this together is a bit tricky, as the internals of
+ffi_call_SYSV the callee allocates its stack and frame and passes it in
+arg1 (x0) and arg2 (x1) to the called function, where that function
+pivots its stack, so care must be taken to get the sp == fp before
+paciasp is called and also restore that state before autiasp is called.
+
+Signed-off-by: Bill Roberts <bill.roberts@arm.com>
+
+---------
+
+Signed-off-by: Bill Roberts <bill.roberts@arm.com>
+---
+ configure.ac           |  6 ++--
+ include/ffi_cfi.h      |  2 ++
+ src/aarch64/ffi.c      |  4 +--
+ src/aarch64/internal.h | 76 ++++++++++++++++++++++++++++++++----------
+ src/aarch64/sysv.S     | 20 ++++++-----
+ src/closures.c         |  6 ++--
+ 6 files changed, 81 insertions(+), 33 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 816bfd666..b35a999fb 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -189,17 +189,17 @@ AC_CACHE_CHECK([whether compiler supports pointer authentication],
+    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[
+ #ifdef __clang__
+ # if __has_feature(ptrauth_calls)
+-#  define HAVE_PTRAUTH 1
++#  define HAVE_ARM64E_PTRAUTH 1
+ # endif
+ #endif
+ 
+-#ifndef HAVE_PTRAUTH
++#ifndef HAVE_ARM64E_PTRAUTH
+ # error Pointer authentication not supported
+ #endif
+ 		   ]])],[libffi_cv_as_ptrauth=yes],[libffi_cv_as_ptrauth=no])
+ ])
+ if test "x$libffi_cv_as_ptrauth" = xyes; then
+-    AC_DEFINE(HAVE_PTRAUTH, 1,
++    AC_DEFINE(HAVE_ARM64E_PTRAUTH, 1,
+ 	      [Define if your compiler supports pointer authentication.])
+ fi
+ 
+diff --git a/include/ffi_cfi.h b/include/ffi_cfi.h
+index f4c292d00..856566324 100644
+--- a/include/ffi_cfi.h
++++ b/include/ffi_cfi.h
+@@ -49,6 +49,7 @@
+ # define cfi_personality(enc, exp)	.cfi_personality enc, exp
+ # define cfi_lsda(enc, exp)		.cfi_lsda enc, exp
+ # define cfi_escape(...)		.cfi_escape __VA_ARGS__
++# define cfi_window_save		.cfi_window_save
+ 
+ #else
+ 
+@@ -71,6 +72,7 @@
+ # define cfi_personality(enc, exp)
+ # define cfi_lsda(enc, exp)
+ # define cfi_escape(...)
++# define cfi_window_save
+ 
+ #endif /* HAVE_AS_CFI_PSEUDO_OP */
+ #endif /* FFI_CFI_H */
+diff --git a/src/aarch64/ffi.c b/src/aarch64/ffi.c
+index b13738e38..964934dfb 100644
+--- a/src/aarch64/ffi.c
++++ b/src/aarch64/ffi.c
+@@ -63,7 +63,7 @@ struct call_context
+ #if FFI_EXEC_TRAMPOLINE_TABLE
+ 
+ #ifdef __MACH__
+-#ifdef HAVE_PTRAUTH
++#ifdef HAVE_ARM64E_PTRAUTH
+ #include <ptrauth.h>
+ #endif
+ #include <mach/vm_param.h>
+@@ -877,7 +877,7 @@ ffi_prep_closure_loc (ffi_closure *closure,
+ 
+ #if FFI_EXEC_TRAMPOLINE_TABLE
+ # ifdef __MACH__
+-#  ifdef HAVE_PTRAUTH
++#  ifdef HAVE_ARM64E_PTRAUTH
+   codeloc = ptrauth_auth_data(codeloc, ptrauth_key_function_pointer, 0);
+ #  endif
+   void **config = (void **)((uint8_t *)codeloc - PAGE_MAX_SIZE);
+diff --git a/src/aarch64/internal.h b/src/aarch64/internal.h
+index b5d102b4a..c39f9cb22 100644
+--- a/src/aarch64/internal.h
++++ b/src/aarch64/internal.h
+@@ -81,20 +81,62 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.  */
+ /* Helpers for writing assembly compatible with arm ptr auth */
+ #ifdef LIBFFI_ASM
+ 
+-#ifdef HAVE_PTRAUTH
+-#define SIGN_LR pacibsp
+-#define SIGN_LR_WITH_REG(x) pacib lr, x
+-#define AUTH_LR_AND_RET retab
+-#define AUTH_LR_WITH_REG(x) autib lr, x
+-#define BRANCH_AND_LINK_TO_REG blraaz
+-#define BRANCH_TO_REG braaz
+-#else
+-#define SIGN_LR
+-#define SIGN_LR_WITH_REG(x)
+-#define AUTH_LR_AND_RET ret
+-#define AUTH_LR_WITH_REG(x)
+-#define BRANCH_AND_LINK_TO_REG blr
+-#define BRANCH_TO_REG br
+-#endif
+-
+-#endif
++  #if defined(HAVE_ARM64E_PTRAUTH)
++  /* ARM64E ABI For Darwin */
++  #define SIGN_LR pacibsp
++  #define SIGN_LR_WITH_REG(x) pacib lr, x
++  #define AUTH_LR_AND_RET retab
++  #define AUTH_LR_WITH_REG(x) autib lr, x
++  #define BRANCH_AND_LINK_TO_REG blraaz
++  #define BRANCH_TO_REG braaz
++  #define PAC_CFI_WINDOW_SAVE
++  /* Linux PAC Support */
++  #elif defined(__ARM_FEATURE_PAC_DEFAULT)
++    #define GNU_PROPERTY_AARCH64_POINTER_AUTH (1 << 1)
++    #define PAC_CFI_WINDOW_SAVE cfi_window_save
++    #define TMP_REG x9
++    #define BRANCH_TO_REG br
++    #define BRANCH_AND_LINK_TO_REG blr
++	#define SIGN_LR_LINUX_ONLY SIGN_LR
++    /* Which key to sign with? */
++    #if (__ARM_FEATURE_PAC_DEFAULT & 1) == 1
++      /* Signed with A-key */
++      #define SIGN_LR            hint #25  /* paciasp */
++      #define AUTH_LR            hint #29  /* autiasp */
++    #else
++      /* Signed with B-key */
++      #define SIGN_LR            hint #27  /* pacibsp */
++      #define AUTH_LR            hint #31  /* autibsp */
++    #endif /* __ARM_FEATURE_PAC_DEFAULT */
++    #define AUTH_LR_WITH_REG(x) _auth_lr_with_reg x
++.macro _auth_lr_with_reg modifier
++    mov TMP_REG, sp
++    mov sp, \modifier
++    AUTH_LR
++    mov sp, TMP_REG
++.endm
++  #define SIGN_LR_WITH_REG(x) _sign_lr_with_reg x
++.macro _sign_lr_with_reg modifier
++    mov TMP_REG, sp
++    mov sp, \modifier
++    SIGN_LR
++    mov sp, TMP_REG
++.endm
++  #define AUTH_LR_AND_RET _auth_lr_and_ret modifier
++.macro _auth_lr_and_ret modifier
++    AUTH_LR
++    ret
++.endm
++  #undef TMP_REG
++
++  /* No Pointer Auth */
++  #else
++    #define SIGN_LR
++    #define SIGN_LR_WITH_REG(x)
++    #define AUTH_LR_AND_RET ret
++    #define AUTH_LR_WITH_REG(x)
++    #define BRANCH_AND_LINK_TO_REG blr
++    #define BRANCH_TO_REG br
++    #define PAC_CFI_WINDOW_SAVE
++  #endif /* HAVE_ARM64E_PTRAUTH */
++#endif /* LIBFFI_ASM */
+diff --git a/src/aarch64/sysv.S b/src/aarch64/sysv.S
+index 60cfa505b..6a9a5611f 100644
+--- a/src/aarch64/sysv.S
++++ b/src/aarch64/sysv.S
+@@ -92,27 +92,27 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.  */
+ 	cfi_startproc
+ CNAME(ffi_call_SYSV):
+ 	BTI_C
+-	/* Sign the lr with x1 since that is where it will be stored */
++	PAC_CFI_WINDOW_SAVE
++	/* Sign the lr with x1 since that is the CFA which is the modifer used in auth instructions */
+ 	SIGN_LR_WITH_REG(x1)
+ 
+-	/* Use a stack frame allocated by our caller.  */
+-#if defined(HAVE_PTRAUTH) && defined(__APPLE__)
++#if defined(HAVE_ARM64E_PTRAUTH) && defined(__APPLE__)
+ 	/* darwin's libunwind assumes that the cfa is the sp and that's the data
+ 	 * used to sign the lr.  In order to allow unwinding through this
+ 	 * function it is necessary to point the cfa at the signing register.
+ 	 */
+ 	cfi_def_cfa(x1, 0);
+-#else
+-	cfi_def_cfa(x1, 40);
+ #endif
++	/* Use a stack frame allocated by our caller.  */
+ 	stp	x29, x30, [x1]
++	cfi_def_cfa_register(x1)
++	cfi_rel_offset (x29, 0)
++	cfi_rel_offset (x30, 8)
+ 	mov	x9, sp
+ 	str	x9, [x1, #32]
+ 	mov	x29, x1
+-	mov	sp, x0
+ 	cfi_def_cfa_register(x29)
+-	cfi_rel_offset (x29, 0)
+-	cfi_rel_offset (x30, 8)
++	mov	sp, x0
+ 
+ 	mov	x9, x2			/* save fn */
+ 	mov	x8, x3			/* install structure return */
+@@ -326,6 +326,7 @@ CNAME(ffi_closure_SYSV_V):
+ 	cfi_startproc
+ 	BTI_C
+ 	SIGN_LR
++	PAC_CFI_WINDOW_SAVE
+ 	stp     x29, x30, [sp, #-ffi_closure_SYSV_FS]!
+ 	cfi_adjust_cfa_offset (ffi_closure_SYSV_FS)
+ 	cfi_rel_offset (x29, 0)
+@@ -351,6 +352,7 @@ CNAME(ffi_closure_SYSV_V):
+ CNAME(ffi_closure_SYSV):
+ 	BTI_C
+ 	SIGN_LR
++	PAC_CFI_WINDOW_SAVE
+ 	stp     x29, x30, [sp, #-ffi_closure_SYSV_FS]!
+ 	cfi_adjust_cfa_offset (ffi_closure_SYSV_FS)
+ 	cfi_rel_offset (x29, 0)
+@@ -648,6 +650,8 @@ CNAME(ffi_go_closure_SYSV_V):
+ 	cfi_startproc
+ CNAME(ffi_go_closure_SYSV):
+ 	BTI_C
++	SIGN_LR_LINUX_ONLY
++	PAC_CFI_WINDOW_SAVE
+ 	stp     x29, x30, [sp, #-ffi_closure_SYSV_FS]!
+ 	cfi_adjust_cfa_offset (ffi_closure_SYSV_FS)
+ 	cfi_rel_offset (x29, 0)
+diff --git a/src/closures.c b/src/closures.c
+index 67a94a822..02cf78fa2 100644
+--- a/src/closures.c
++++ b/src/closures.c
+@@ -164,7 +164,7 @@ ffi_tramp_is_present (__attribute__((unused)) void *ptr)
+ 
+ #include <mach/mach.h>
+ #include <pthread.h>
+-#ifdef HAVE_PTRAUTH
++#ifdef HAVE_ARM64E_PTRAUTH
+ #include <ptrauth.h>
+ #endif
+ #include <stdio.h>
+@@ -223,7 +223,7 @@ ffi_trampoline_table_alloc (void)
+   /* Remap the trampoline table on top of the placeholder page */
+   trampoline_page = config_page + PAGE_MAX_SIZE;
+ 
+-#ifdef HAVE_PTRAUTH
++#ifdef HAVE_ARM64E_PTRAUTH
+   trampoline_page_template = (vm_address_t)(uintptr_t)ptrauth_auth_data((void *)&ffi_closure_trampoline_table_page, ptrauth_key_function_pointer, 0);
+ #else
+   trampoline_page_template = (vm_address_t)&ffi_closure_trampoline_table_page;
+@@ -268,7 +268,7 @@ ffi_trampoline_table_alloc (void)
+       ffi_trampoline_table_entry *entry = &table->free_list_pool[i];
+       entry->trampoline =
+ 	(void *) (trampoline_page + (i * FFI_TRAMPOLINE_SIZE));
+-#ifdef HAVE_PTRAUTH
++#ifdef HAVE_ARM64E_PTRAUTH
+       entry->trampoline = ptrauth_sign_unauthenticated(entry->trampoline, ptrauth_key_function_pointer, 0);
+ #endif
+ 
+
diff --git a/dev-libs/libffi/files/libffi-3.4.6-asan.patch b/dev-libs/libffi/files/libffi-3.4.6-asan.patch
new file mode 100644
index 000000000000..4c62f970a3c9
--- /dev/null
+++ b/dev-libs/libffi/files/libffi-3.4.6-asan.patch
@@ -0,0 +1,88 @@
+https://github.com/libffi/libffi/commit/01db744b4af8665f9b7494d00cc2a1cc45ee9636
+
+From 01db744b4af8665f9b7494d00cc2a1cc45ee9636 Mon Sep 17 00:00:00 2001
+From: KJ Tsanaktsidis <kj@kjtsanaktsidis.id.au>
+Date: Fri, 20 Sep 2024 20:00:49 +1000
+Subject: [PATCH] Disable ASAN in ffi_call_int functions (#858)
+
+The pattern for several of the architectures is for ffi_call_int to
+stack-allocate some arguments + the registers, and then
+ffi_call_$ARCH will pop the top of that structure into registers, and
+then adjust the stack pointer such that the alloca'd buffer _becomes_
+the stack-passed arguments for the function being called.
+
+If libffi is compiled with ASAN, then there will be a redzone inserted
+after the alloca'd buffer which is marked as poisoned. This redzone
+appears beyond the end of $sp upon entry to the called function.
+
+If the called function does anything to use this stack memory, ASAN will
+notice that it's poisoned and report an error.
+
+This commit fixes the situation (on the architectures that I have access
+to) disabling instrumentation for ffi_call_int; that means there will be
+no alloca redzone left on the shadow-stack.
+--- a/include/ffi_common.h
++++ b/include/ffi_common.h
+@@ -83,6 +83,23 @@ char *alloca ();
+ #include <stdio.h>
+ #endif
+ 
++#ifndef __SANITIZE_ADDRESS__
++# ifdef __clang__
++#  if __has_feature(address_sanitizer)
++#   define FFI_ASAN
++#  endif
++# endif
++#endif
++#ifdef __SANITIZE_ADDRESS__
++#define FFI_ASAN
++#endif
++
++#ifdef FFI_ASAN
++#define FFI_ASAN_NO_SANITIZE __attribute__((no_sanitize_address))
++#else
++#define FFI_ASAN_NO_SANITIZE
++#endif
++
+ #ifdef FFI_DEBUG
+ NORETURN void ffi_assert(const char *expr, const char *file, int line);
+ void ffi_stop_here(void);
+--- a/src/aarch64/ffi.c
++++ b/src/aarch64/ffi.c
+@@ -645,7 +645,10 @@ extern void ffi_call_SYSV (struct call_context *context, void *frame,
+ 			   void *closure) FFI_HIDDEN;
+ 
+ /* Call a function with the provided arguments and capture the return
+-   value.  */
++   value.
++   n.b. ffi_call_SYSV will steal the alloca'd `stack` variable here for use
++   _as its own stack_ - so we need to compile this function without ASAN */
++FFI_ASAN_NO_SANITIZE
+ static void
+ ffi_call_int (ffi_cif *cif, void (*fn)(void), void *orig_rvalue,
+ 	      void **avalue, void *closure)
+--- a/src/x86/ffi.c
++++ b/src/x86/ffi.c
+@@ -270,6 +270,9 @@ extern void FFI_DECLARE_FASTCALL ffi_call_i386(struct call_frame *, char *) FFI_
+ #if defined(_MSC_VER)
+ #pragma runtime_checks("s", off)
+ #endif
++/* n.b. ffi_call_unix64 will steal the alloca'd `stack` variable here for use
++   _as its own stack_ - so we need to compile this function without ASAN */
++FFI_ASAN_NO_SANITIZE
+ static void
+ ffi_call_int (ffi_cif *cif, void (*fn)(void), void *rvalue,
+ 	      void **avalue, void *closure)
+--- a/src/x86/ffi64.c
++++ b/src/x86/ffi64.c
+@@ -557,6 +557,9 @@ ffi_prep_cif_machdep (ffi_cif *cif)
+   return FFI_OK;
+ }
+ 
++/* n.b. ffi_call_unix64 will steal the alloca'd `stack` variable here for use
++   _as its own stack_ - so we need to compile this function without ASAN */
++FFI_ASAN_NO_SANITIZE
+ static void
+ ffi_call_int (ffi_cif *cif, void (*fn)(void), void *rvalue,
+ 	      void **avalue, void *closure)
+
diff --git a/dev-libs/libffi/files/libffi-3.4.6-regenerate-autotools.patch b/dev-libs/libffi/files/libffi-3.4.6-regenerate-autotools.patch
new file mode 100644
index 000000000000..81fe671f509c
--- /dev/null
+++ b/dev-libs/libffi/files/libffi-3.4.6-regenerate-autotools.patch
@@ -0,0 +1,48 @@
+The arm64 patches we backported to 3.4.6 mean we need to autoreconf ourselves,
+apply this patch to avoid needing to do it in the ebuild b/c of deps.
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -330,8 +330,8 @@ am__define_uniq_tagged_files = \
+   done | $(am__uniquify_input)`
+ DIST_SUBDIRS = include testsuite man doc
+ am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/fficonfig.h.in \
+-	$(srcdir)/libffi.pc.in README.md compile config.guess \
+-	config.sub depcomp install-sh ltmain.sh missing
++	$(srcdir)/libffi.pc.in ChangeLog README.md compile \
++	config.guess config.sub depcomp install-sh ltmain.sh missing
+ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ distdir = $(PACKAGE)-$(VERSION)
+ top_distdir = $(distdir)
+--- a/fficonfig.h.in
++++ b/fficonfig.h.in
+@@ -31,6 +31,9 @@
+ /* Define to 1 if you have the <alloca.h> header file. */
+ #undef HAVE_ALLOCA_H
+ 
++/* Define if your compiler supports pointer authentication. */
++#undef HAVE_ARM64E_PTRAUTH
++
+ /* Define if your assembler supports .cfi_* directives. */
+ #undef HAVE_AS_CFI_PSEUDO_OP
+ 
+@@ -71,9 +74,6 @@
+ /* Define to 1 if you have the `memfd_create' function. */
+ #undef HAVE_MEMFD_CREATE
+ 
+-/* Define if your compiler supports pointer authentication. */
+-#undef HAVE_PTRAUTH
+-
+ /* Define if .eh_frame sections should be read-only. */
+ #undef HAVE_RO_EH_FRAME
+ 
+--- a/testsuite/Makefile.in
++++ b/testsuite/Makefile.in
+@@ -292,7 +292,7 @@ EXTRA_DEJAGNU_SITE_CONFIG = ../local.exp
+ CLEANFILES = *.exe core* *.log *.sum
+ EXTRA_DIST = config/default.exp emscripten/build.sh emscripten/conftest.py \
+ 	emscripten/node-tests.sh emscripten/test.html emscripten/test_libffi.py \
+-  emscripten/build-tests.sh lib/libffi.exp lib/target-libpath.exp \
++	emscripten/build-tests.sh lib/libffi.exp lib/target-libpath.exp \
+ 	lib/wrapper.exp libffi.bhaible/Makefile libffi.bhaible/README \
+ 	libffi.bhaible/alignof.h libffi.bhaible/bhaible.exp libffi.bhaible/test-call.c \
+ 	libffi.bhaible/test-callback.c libffi.bhaible/testcases.c libffi.call/align_mixed.c \