LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Adam Wallis <awallis@codeaurora.org>
To: Mark Rutland <mark.rutland@arm.com>,
	linux-arm-kernel@lists.infradead.org
Cc: linux-kernel@vger.kernel.org, kvmarm@lists.cs.columbia.edu,
	catalin.marinas@arm.com, christoffer.dall@arm.com,
	drjones@redhat.com, marc.zyngier@arm.com,
	ramana.radhakrishnan@arm.com, suzuki.poulose@arm.com,
	will.deacon@arm.com
Subject: Re: [PATCHv4 06/10] arm64: add basic pointer authentication support
Date: Tue, 22 May 2018 15:08:42 -0400	[thread overview]
Message-ID: <4b394038-ffd7-ef28-faaf-00f91febf54a@codeaurora.org> (raw)
In-Reply-To: <20180503132031.25705-7-mark.rutland@arm.com>

On 5/3/2018 9:20 AM, Mark Rutland wrote:
> This patch adds basic support for pointer authentication, allowing
> userspace to make use of APIAKey. The kernel maintains an APIAKey value
> for each process (shared by all threads within), which is initialised to
> a random value at exec() time.
> 
> To describe that address authentication instructions are available, the
> ID_AA64ISAR0.{APA,API} fields are exposed to userspace. A new hwcap,
> APIA, is added to describe that the kernel manages APIAKey.
> 
> Instructions using other keys (APIBKey, APDAKey, APDBKey) are disabled,
> and will behave as NOPs. These may be made use of in future patches.
> 
> No support is added for the generic key (APGAKey), though this cannot be
> trapped or made to behave as a NOP. Its presence is not advertised with
> a hwcap.
> 
> Signed-off-by: Mark Rutland <mark.rutland@arm.com>
> Cc: Catalin Marinas <catalin.marinas@arm.com>
> Cc: Ramana Radhakrishnan <ramana.radhakrishnan@arm.com>
> Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
> Cc: Will Deacon <will.deacon@arm.com>
> ---


Mark, I was able to verify that a buffer overflow exploit results in a segfault
with these PAC patches. When I compile the same binary without
"-msign-return-address=none", I am able to successfully overflow the stack and
execute malicious code.

Thanks
Adam

Tested-by: Adam Wallis <awallis@codeaurora.org>


-- 
Adam Wallis
Qualcomm Datacenter Technologies as an affiliate of Qualcomm Technologies, Inc.
Qualcomm Technologies, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project.

  reply	other threads:[~2018-05-22 19:08 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-05-03 13:20 [PATCHv4 00/10] ARMv8.3 pointer authentication userspace support Mark Rutland
2018-05-03 13:20 ` [PATCHv4 01/10] arm64: add pointer authentication register bits Mark Rutland
2018-05-03 13:20 ` [PATCHv4 02/10] arm64/kvm: consistently handle host HCR_EL2 flags Mark Rutland
2018-05-03 13:20 ` [PATCHv4 03/10] arm64/kvm: hide ptrauth from guests Mark Rutland
2018-05-03 13:20 ` [PATCHv4 04/10] arm64: Don't trap host pointer auth use to EL2 Mark Rutland
2018-05-03 13:20 ` [PATCHv4 05/10] arm64/cpufeature: detect pointer authentication Mark Rutland
2018-05-23  8:48   ` Suzuki K Poulose
2018-05-25 10:01     ` Mark Rutland
2018-07-04 16:09       ` Will Deacon
2018-05-03 13:20 ` [PATCHv4 06/10] arm64: add basic pointer authentication support Mark Rutland
2018-05-22 19:08   ` Adam Wallis [this message]
2018-05-23  8:42   ` Suzuki K Poulose
2018-05-25 10:18     ` Mark Rutland
2018-06-08 13:11   ` Kristina Martsenko
2018-05-03 13:20 ` [PATCHv4 07/10] arm64: expose user PAC bit positions via ptrace Mark Rutland
2018-05-03 13:20 ` [PATCHv4 08/10] arm64: perf: strip PAC when unwinding userspace Mark Rutland
2018-05-03 13:20 ` [PATCHv4 09/10] arm64: enable pointer authentication Mark Rutland
2018-05-03 13:20 ` [PATCHv4 10/10] arm64: docs: document " Mark Rutland
2018-07-04 16:12 ` [PATCHv4 00/10] ARMv8.3 pointer authentication userspace support Will Deacon

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4b394038-ffd7-ef28-faaf-00f91febf54a@codeaurora.org \
    --to=awallis@codeaurora.org \
    --cc=catalin.marinas@arm.com \
    --cc=christoffer.dall@arm.com \
    --cc=drjones@redhat.com \
    --cc=kvmarm@lists.cs.columbia.edu \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=marc.zyngier@arm.com \
    --cc=mark.rutland@arm.com \
    --cc=ramana.radhakrishnan@arm.com \
    --cc=suzuki.poulose@arm.com \
    --cc=will.deacon@arm.com \
    --subject='Re: [PATCHv4 06/10] arm64: add basic pointer authentication support' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).