From: "Philippe Mathieu-Daudé" <1859713@bugs.launchpad.net>
To: qemu-devel@nongnu.org
Subject: [Bug 1859713] Re: ARM v8.3a pauth not working
Date: Sat, 23 May 2020 20:07:06 -0000
Message-ID: <159026442652.31110.10279101733280794677.malone@wampee.canonical.com> (raw)
In-Reply-To: <157903678645.2454.11578772527064917210.malonedeb@soybean.canonical.com>
Apparently this fixed bug is the official CVE-2020-10702:
https://security-tracker.debian.org/tracker/CVE-2020-10702
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-10702
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1859713
Title:
ARM v8.3a pauth not working
Status in QEMU:
Fix Released
Bug description:
Host: Ubuntu 19.10 - x86_64 machine
QEMU version: 3a63b24a1bbf166e6f455fe43a6bbd8dea413d92 (master)
ARMV8.3 pauth is not working well.
With a test code containing two pauth instructions:
- paciasp that sign LR with A key and sp as context;
- autiasp that verify the signature.
Test:
- Run the program and corrupt LR just before autiasp (ex 0x3e00000400660 instead of 0x3e000000400664)
Expected:
- autiasp places an invalid pointer in LR
Result:
- autiasp successfully auth the pointer and places 0x0400660 in LR.
Further explanations:
Adding traces in qemu code shows that "pauth_computepac" is not robust enough against truncating.
With 0x31000000400664 as input of pauth_auth, we obtain "0x55b1d65b2c138e14" for PAC, "0x30" for bot_bit and "0x38" for top_bit.
With 0x310040008743ec as input of pauth (with same key), we obtain "0x55b1d65b2c138ef4" for PAC, "0x30" for bot_bit and "0x38" for top_bit.
Values of top_bit and bottom_bit are strictly the same and it should not.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1859713/+subscriptions
prev parent reply index
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-14 21:19 [Bug 1859713] [NEW] " Adrien Grassein
2020-01-14 22:58 ` [Bug 1859713] " Richard Henderson
2020-01-16 20:47 ` Vincent Dehors
2020-01-16 22:04 ` Richard Henderson
2020-01-16 22:43 ` Richard Henderson
2020-01-23 21:56 ` Richard Henderson
2020-04-30 13:28 ` Laurent Vivier
2020-05-23 20:07 ` Philippe Mathieu-Daudé [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=159026442652.31110.10279101733280794677.malone@wampee.canonical.com \
--to=1859713@bugs.launchpad.net \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
QEMU-Devel Archive on lore.kernel.org
Archives are clonable:
git clone --mirror https://lore.kernel.org/qemu-devel/0 qemu-devel/git/0.git
git clone --mirror https://lore.kernel.org/qemu-devel/1 qemu-devel/git/1.git
git clone --mirror https://lore.kernel.org/qemu-devel/2 qemu-devel/git/2.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 qemu-devel qemu-devel/ https://lore.kernel.org/qemu-devel \
qemu-devel@nongnu.org
public-inbox-index qemu-devel
Example config snippet for mirrors
Newsgroup available over NNTP:
nntp://nntp.lore.kernel.org/org.nongnu.qemu-devel
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git