[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <bcfe9fd2-8832-f975-8462-18e6645ffec6@arm.com>
Date: Wed, 14 Nov 2018 15:54:43 +0000
From: Kristina Martsenko <kristina.martsenko@....com>
To: Kees Cook <keescook@...omium.org>
Cc: linux-arm-kernel <linux-arm-kernel@...ts.infradead.org>,
Adam Wallis <awallis@...eaurora.org>,
Amit Kachhap <Amit.Kachhap@....com>,
Andrew Jones <drjones@...hat.com>,
Ard Biesheuvel <ard.biesheuvel@...aro.org>,
Arnd Bergmann <arnd@...db.de>,
Catalin Marinas <catalin.marinas@....com>,
Christoffer Dall <christoffer.dall@....com>,
Dave P Martin <Dave.Martin@....com>,
Jacob Bramley <jacob.bramley@....com>,
Marc Zyngier <marc.zyngier@....com>,
Mark Rutland <mark.rutland@....com>,
Ramana Radhakrishnan <ramana.radhakrishnan@....com>,
"Suzuki K . Poulose" <suzuki.poulose@....com>,
Will Deacon <will.deacon@....com>,
kvmarm@...ts.cs.columbia.edu,
linux-arch <linux-arch@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 00/17] ARMv8.3 pointer authentication support
On 13/11/2018 23:09, Kees Cook wrote:
> On Tue, Nov 13, 2018 at 10:17 AM, Kristina Martsenko
> <kristina.martsenko@....com> wrote:
>> When the PAC authentication fails, it doesn't actually generate an
>> exception, it just flips a bit in the high-order bits of the pointer,
>> making the pointer invalid. Then when the pointer is dereferenced (e.g.
>> as a function return address), it generates the usual type of exception
>> for an invalid address.
>
> Ah! Okay, thanks. I missed that detail. :)
>
> What area of memory ends up being addressable with such bit flips?
> (i.e. is the kernel making sure nothing executable ends up there?)
The address will be in between the user and kernel address ranges, so
it's guaranteed to be invalid and not address any memory.
Specifically, assuming a 48-bit VA configuration, user addresses must
have bits [55:48] clear and kernel addresses must have bits [63:48] set.
When authentication fails it will set two bits in those ranges to "10"
or "01", ensuring that the address is no longer a valid user or kernel
address.
>> So when a function return fails in user mode, the exception is handled
>> in __do_user_fault and a forced SIGSEGV is delivered to the task. When a
>> function return fails in kernel mode, the exception is handled in
>> __do_kernel_fault and the task is killed.
>>
>> This is different from stack protector as we don't panic the kernel, we
>> just kill the task. It would be difficult to panic as we don't have a
>> reliable way of knowing that the exception was caused by a PAC
>> authentication failure (we just have an invalid pointer with a specific
>> bit flipped). We also don't print out any PAC-related warning.
>
> There are other "guesses" in __do_kernel_fault(), I think? Could a
> "PAC mismatch?" warning be included in the Oops if execution fails in
> the address range that PAC failures would resolve into?
Sounds reasonable to me, I'll add a warning.
Thanks,
Kristina
Powered by blists - more mailing lists