[PATCH 00/17] ARMv8.3 pointer authentication support

[PATCH 00/17] ARMv8.3 pointer authentication support · Kristina Martsenko <hidden> · 2018-10-05
[PATCH v5 01/17] arm64: add pointer authentication register bits · Kristina Martsenko <hidden> · 2018-10-05
Re: [PATCH v5 01/17] arm64: add pointer authentication register bits · Will Deacon <hidden> · 2018-10-11
Re: [PATCH v5 01/17] arm64: add pointer authentication register bits · Mark Rutland <mark.rutland@arm.com> · 2018-10-12
Re: [PATCH v5 01/17] arm64: add pointer authentication register bits · Will Deacon <hidden> · 2018-10-12
Re: [PATCH v5 01/17] arm64: add pointer authentication register bits · Mark Rutland <mark.rutland@arm.com> · 2018-10-12
[PATCH v5 02/17] arm64/kvm: consistently handle host HCR_EL2 flags · Kristina Martsenko <hidden> · 2018-10-05
[PATCH v5 03/17] arm64/kvm: hide ptrauth from guests · Kristina Martsenko <hidden> · 2018-10-05
[PATCH v5 04/17] arm64: Don't trap host pointer auth use to EL2 · Kristina Martsenko <hidden> · 2018-10-05
[PATCH v5 05/17] arm64/cpufeature: detect pointer authentication · Kristina Martsenko <hidden> · 2018-10-05
[PATCH v5 06/17] asm-generic: mm_hooks: allow hooks to be overridden individually · Kristina Martsenko <hidden> · 2018-10-05
[PATCH v5 07/17] arm64: add basic pointer authentication support · Kristina Martsenko <hidden> · 2018-10-05
Re: [PATCH v5 07/17] arm64: add basic pointer authentication support · Suzuki K Poulose <suzuki.poulose@arm.com> · 2018-10-11
Re: [PATCH v5 07/17] arm64: add basic pointer authentication support · Catalin Marinas <catalin.marinas@arm.com> · 2018-10-19
Re: [PATCH v5 07/17] arm64: add basic pointer authentication support · Will Deacon <hidden> · 2018-10-19
Re: [PATCH v5 07/17] arm64: add basic pointer authentication support · Kees Cook <hidden> · 2018-10-19
Re: [PATCH v5 07/17] arm64: add basic pointer authentication support · Will Deacon <hidden> · 2018-10-19
Re: [PATCH v5 07/17] arm64: add basic pointer authentication support · Kees Cook <hidden> · 2018-10-19
Re: [PATCH v5 07/17] arm64: add basic pointer authentication support · Will Deacon <hidden> · 2018-10-19
Re: [PATCH v5 07/17] arm64: add basic pointer authentication support · Mark Rutland <mark.rutland@arm.com> · 2018-10-19
Re: [PATCH v5 07/17] arm64: add basic pointer authentication support · Cyrill Gorcunov <hidden> · 2018-10-19
Re: [PATCH v5 07/17] arm64: add basic pointer authentication support · Will Deacon <hidden> · 2018-11-14
Re: [PATCH v5 07/17] arm64: add basic pointer authentication support · Dave Martin <Dave.Martin@arm.com> · 2018-11-15
Re: [PATCH v5 07/17] arm64: add basic pointer authentication support · Ramana Radhakrishnan <hidden> · 2018-10-23
Re: [PATCH v5 07/17] arm64: add basic pointer authentication support · Will Deacon <hidden> · 2018-10-23
[PATCH v5 08/17] arm64: expose user PAC bit positions via ptrace · Kristina Martsenko <hidden> · 2018-10-05
[PATCH v5 09/17] arm64: perf: strip PAC when unwinding userspace · Kristina Martsenko <hidden> · 2018-10-05
[PATCH v5 10/17] arm64: enable pointer authentication · Kristina Martsenko <hidden> · 2018-10-05
[PATCH v5 11/17] arm64: docs: document pointer authentication · Kristina Martsenko <hidden> · 2018-10-05
Re: [PATCH v5 11/17] arm64: docs: document pointer authentication · Ramana Radhakrishnan <hidden> · 2018-10-05
Re: [PATCH v5 11/17] arm64: docs: document pointer authentication · Kristina Martsenko <hidden> · 2018-10-16
Re: [PATCH v5 11/17] arm64: docs: document pointer authentication · Catalin Marinas <catalin.marinas@arm.com> · 2018-10-19
Re: [PATCH v5 11/17] arm64: docs: document pointer authentication · Marc Zyngier <hidden> · 2018-10-19
Re: [PATCH v5 11/17] arm64: docs: document pointer authentication · Will Deacon <hidden> · 2018-10-19
Re: [PATCH v5 11/17] arm64: docs: document pointer authentication · Kristina Martsenko <hidden> · 2018-10-19
Re: [PATCH v5 11/17] arm64: docs: document pointer authentication · Catalin Marinas <catalin.marinas@arm.com> · 2018-10-19
Re: [PATCH v5 11/17] arm64: docs: document pointer authentication · Will Deacon <hidden> · 2018-10-19
Re: [PATCH v5 11/17] arm64: docs: document pointer authentication · Jon Masters <hidden> · 2018-11-02
Re: [PATCH v5 11/17] arm64: docs: document pointer authentication · Ramana Radhakrishnan <hidden> · 2018-10-24
Re: [PATCH v5 11/17] arm64: docs: document pointer authentication · Kees Cook <hidden> · 2018-10-15
Re: [PATCH v5 11/17] arm64: docs: document pointer authentication · Ramana Radhakrishnan <hidden> · 2018-11-02
[RFC 12/17] arm64: move ptrauth keys to thread_info · Kristina Martsenko <hidden> · 2018-10-05
Re: [RFC 12/17] arm64: move ptrauth keys to thread_info · Catalin Marinas <catalin.marinas@arm.com> · 2018-10-19
[RFC 13/17] arm64: install user ptrauth keys at kernel exit time · Kristina Martsenko <hidden> · 2018-10-05
[RFC 14/17] arm64: unwind: strip PAC from kernel addresses · Kristina Martsenko <hidden> · 2018-10-05
[RFC 15/17] arm64: enable ptrauth earlier · Kristina Martsenko <hidden> · 2018-10-05
Re: [RFC 15/17] arm64: enable ptrauth earlier · Amit Kachhap <hidden> · 2018-10-06
[RFC 16/17] arm64: initialize and switch ptrauth kernel keys · Kristina Martsenko <hidden> · 2018-10-05
Re: [RFC 16/17] arm64: initialize and switch ptrauth kernel keys · Amit Kachhap <hidden> · 2018-10-06
[RFC 17/17] arm64: compile the kernel with ptrauth -msign-return-address · Kristina Martsenko <hidden> · 2018-10-05
Re: [RFC 17/17] arm64: compile the kernel with ptrauth -msign-return-address · Ramana Radhakrishnan <hidden> · 2018-10-05
Re: [RFC 17/17] arm64: compile the kernel with ptrauth -msign-return-address · Kristina Martsenko <hidden> · 2018-10-11
Re: [RFC 17/17] arm64: compile the kernel with ptrauth -msign-return-address · Vladimir Murzin <hidden> · 2018-10-11
Re: [RFC 17/17] arm64: compile the kernel with ptrauth -msign-return-address · Kees Cook <hidden> · 2018-10-15
Re: [PATCH 00/17] ARMv8.3 pointer authentication support · Kees Cook <hidden> · 2018-10-15
Re: [PATCH 00/17] ARMv8.3 pointer authentication support · Kristina Martsenko <hidden> · 2018-11-13
Re: [PATCH 00/17] ARMv8.3 pointer authentication support · Kees Cook <hidden> · 2018-11-13
Re: [PATCH 00/17] ARMv8.3 pointer authentication support · Kristina Martsenko <hidden> · 2018-11-14
Re: [PATCH 00/17] ARMv8.3 pointer authentication support · Mark Rutland <mark.rutland@arm.com> · 2018-11-14
Re: [PATCH 00/17] ARMv8.3 pointer authentication support · Kees Cook <hidden> · 2018-11-14
Re: [PATCH 00/17] ARMv8.3 pointer authentication support · Will Deacon <hidden> · 2018-10-19
Re: [PATCH 00/17] ARMv8.3 pointer authentication support · Ramana Radhakrishnan <hidden> · 2018-10-23

From: Kees Cook <hidden>
Date: 2018-11-14 22:48:19
Also in: kvmarm, linux-arch, lkml

On Wed, Nov 14, 2018 at 3:47 PM, Mark Rutland [off-list ref] wrote:

On Tue, Nov 13, 2018 at 05:09:00PM -0600, Kees Cook wrote:

quoted

On Tue, Nov 13, 2018 at 10:17 AM, Kristina Martsenko
[off-list ref] wrote:

quoted

When the PAC authentication fails, it doesn't actually generate an
exception, it just flips a bit in the high-order bits of the pointer,
making the pointer invalid. Then when the pointer is dereferenced (e.g.
as a function return address), it generates the usual type of exception
for an invalid address.

Ah! Okay, thanks. I missed that detail. :)

What area of memory ends up being addressable with such bit flips?
(i.e. is the kernel making sure nothing executable ends up there?)

quoted

So when a function return fails in user mode, the exception is handled
in __do_user_fault and a forced SIGSEGV is delivered to the task. When a
function return fails in kernel mode, the exception is handled in
__do_kernel_fault and the task is killed.

This is different from stack protector as we don't panic the kernel, we
just kill the task. It would be difficult to panic as we don't have a
reliable way of knowing that the exception was caused by a PAC
authentication failure (we just have an invalid pointer with a specific
bit flipped). We also don't print out any PAC-related warning.

There are other "guesses" in __do_kernel_fault(), I think? Could a
"PAC mismatch?" warning be included in the Oops if execution fails in
the address range that PAC failures would resolve into?

I'd personally prefer that we didn't try to guess if a fault is due to a failed
AUT*, even for logging.

Presently, it's not possible to distinguish between a fault resulting from a
failed AUT* and a fault which happens to have hte same bits/clear, so there are
false positives. The architecture may also change the precise details of the
faulting address, and we'd have false negatives in that case.

Given that, I think suggesting that a fault is due to a failed AUT* is liable
to make things more confusing.

Okay, no worries. It should be pretty clear from the back trace anyway. :)

As long as there isn't any way for the pointer bit flips to result in
an addressable range, I'm happy. :)

-Kees

-- 
Kees Cook

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help