From: Adrien Grassein <1859713@bugs.launchpad.net>
To: qemu-devel@nongnu.org
Subject: [Bug 1859713] [NEW] ARM v8.3a pauth not working
Date: Tue, 14 Jan 2020 21:19:46 -0000 [thread overview]
Message-ID: <157903678645.2454.11578772527064917210.malonedeb@soybean.canonical.com> (raw)
Public bug reported:
Host: Ubuntu 19.10 - x86_64 machine
QEMU version: 3a63b24a1bbf166e6f455fe43a6bbd8dea413d92 (master)
ARMV8.3 pauth is not working well.
With a test code containing two pauth instructions:
- paciasp that sign LR with A key and sp as context;
- autiasp that verify the signature.
Test:
- Run the program and corrupt LR just before autiasp (ex 0x3e00000400660 instead of 0x3e000000400664)
Expected:
- autiasp places an invalid pointer in LR
Result:
- autiasp successfully auth the pointer and places 0x0400660 in LR.
Further explanations:
Adding traces in qemu code shows that "pauth_computepac" is not robust enough against truncating.
With 0x31000000400664 as input of pauth_auth, we obtain "0x55b1d65b2c138e14" for PAC, "0x30" for bot_bit and "0x38" for top_bit.
With 0x310040008743ec as input of pauth (with same key), we obtain "0x55b1d65b2c138ef4" for PAC, "0x30" for bot_bit and "0x38" for top_bit.
Values of top_bit and bottom_bit are strictly the same and it should not.
** Affects: qemu
Importance: Undecided
Status: New
** Tags: arm
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1859713
Title:
ARM v8.3a pauth not working
Status in QEMU:
New
Bug description:
Host: Ubuntu 19.10 - x86_64 machine
QEMU version: 3a63b24a1bbf166e6f455fe43a6bbd8dea413d92 (master)
ARMV8.3 pauth is not working well.
With a test code containing two pauth instructions:
- paciasp that sign LR with A key and sp as context;
- autiasp that verify the signature.
Test:
- Run the program and corrupt LR just before autiasp (ex 0x3e00000400660 instead of 0x3e000000400664)
Expected:
- autiasp places an invalid pointer in LR
Result:
- autiasp successfully auth the pointer and places 0x0400660 in LR.
Further explanations:
Adding traces in qemu code shows that "pauth_computepac" is not robust enough against truncating.
With 0x31000000400664 as input of pauth_auth, we obtain "0x55b1d65b2c138e14" for PAC, "0x30" for bot_bit and "0x38" for top_bit.
With 0x310040008743ec as input of pauth (with same key), we obtain "0x55b1d65b2c138ef4" for PAC, "0x30" for bot_bit and "0x38" for top_bit.
Values of top_bit and bottom_bit are strictly the same and it should not.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1859713/+subscriptions
next reply other threads:[~2020-01-14 21:32 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-14 21:19 Adrien Grassein [this message]
2020-01-14 22:58 ` [Bug 1859713] Re: ARM v8.3a pauth not working Richard Henderson
2020-01-16 20:47 ` Vincent Dehors
2020-01-16 22:04 ` Richard Henderson
2020-01-16 22:43 ` Richard Henderson
2020-01-23 21:56 ` Richard Henderson
2020-04-30 13:28 ` Laurent Vivier
2020-05-23 20:07 ` Philippe Mathieu-Daudé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=157903678645.2454.11578772527064917210.malonedeb@soybean.canonical.com \
--to=1859713@bugs.launchpad.net \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).