From: Kees Cook
Date: Tue, 13 Nov 2018 17:09:00 -0600
Subject: Re: [PATCH 00/17] ARMv8.3 pointer authentication support
To: Kristina Martsenko
Cc: linux-arm-kernel, Adam Wallis, Amit Kachhap, Andrew Jones, Ard Biesheuvel, Arnd Bergmann, Catalin Marinas, Christoffer Dall, Dave P Martin, Jacob Bramley, Marc Zyngier, Mark Rutland, Ramana Radhakrishnan, "Suzuki K . Poulose", Will Deacon, kvmarm@lists.cs.columbia.edu, linux-arch, LKML
References: <20181005084754.20950-1-kristina.martsenko@arm.com>

On Tue, Nov 13, 2018 at 10:17 AM, Kristina Martsenko wrote:
> When the PAC authentication fails, it doesn't actually generate an
> exception, it just flips a bit in the high-order bits of the pointer,
> making the pointer invalid. Then when the pointer is dereferenced (e.g.
> as a function return address), it generates the usual type of exception
> for an invalid address.

Ah! Okay, thanks. I missed that detail. :)

What area of memory ends up being addressable with such bit flips?
(i.e. is the kernel making sure nothing executable ends up there?)

> So when a function return fails in user mode, the exception is handled
> in __do_user_fault and a forced SIGSEGV is delivered to the task. When a
> function return fails in kernel mode, the exception is handled in
> __do_kernel_fault and the task is killed.
>
> This is different from stack protector as we don't panic the kernel, we
> just kill the task. It would be difficult to panic as we don't have a
> reliable way of knowing that the exception was caused by a PAC
> authentication failure (we just have an invalid pointer with a specific
> bit flipped). We also don't print out any PAC-related warning.

There are other "guesses" in __do_kernel_fault(), I think? Could a
"PAC mismatch?" warning be included in the Oops if execution fails in
the address range that PAC failures would resolve into?

-Kees

-- 
Kees Cook
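
Added example, not part of the original message or of the patch series under discussion: a sketch of the kind of address-range guess asked about above, classifying a faulting address as a possible PAC authentication failure. The function name, the error-code bit positions (62:61, or 54:53 when the top byte is ignored, taken from the Armv8.3 authentication pseudocode rather than from this thread) and the sample addresses are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not kernel code): does a faulting address look like a
 * canonical pointer that failed PAC authentication? */
enum pac_guess { PAC_NONE = 0, PAC_KEY_A = 1, PAC_KEY_B = 2 };

static enum pac_guess pac_fault_guess(uint64_t addr, unsigned va_bits, bool tbi)
{
    /* Assumption: error code lands in bits 62:61, or 54:53 under TBI. */
    unsigned shift = tbi ? 53 : 61;
    uint64_t mask = 3ULL << shift;
    unsigned code = (addr >> shift) & 3;
    /* Bit 55 selects the address-space half; its copies fill the high bits. */
    uint64_t ext = ((addr >> 55) & 1) ? ~0ULL : 0;
    /* High bits that must all equal bit 55 (tag byte excluded under TBI). */
    uint64_t field = ~((1ULL << va_bits) - 1);
    if (tbi)
        field &= ~(0xffULL << 56);

    /* Undo the error code by restoring copies of bit 55 in those two bits. */
    uint64_t fixed = (addr & ~mask) | (ext & mask);
    if ((fixed & field) != (ext & field))
        return PAC_NONE;        /* other high bits are wrong as well */
    if (code == 1)
        return PAC_KEY_A;       /* 0b01: an A key was used */
    if (code == 2)
        return PAC_KEY_B;       /* 0b10: a B key was used */
    return PAC_NONE;            /* 0b00 or 0b11: not an error-code pattern */
}

int main(void)
{
    /* Constructed sample addresses, 48-bit VAs. */
    const struct { uint64_t addr; bool tbi; } s[] = {
        { 0xbfff000008081234ULL, false },  /* kernel text, bit 62 cleared */
        { 0x0020aaaab0001234ULL, true },   /* user text, bit 53 set */
        { 0xffff000008081234ULL, false },  /* valid kernel address */
        { 0x0000000000000010ULL, true },   /* NULL-ish dereference */
    };
    for (unsigned i = 0; i < sizeof(s) / sizeof(s[0]); i++)
        printf("%016llx -> %d\n", (unsigned long long)s[i].addr,
               pac_fault_guess(s[i].addr, 48, s[i].tbi));
    return 0;
}
```

A match is only a hint, as the quoted text says: an ordinary corrupted pointer can produce the same bit pattern, so a result like this suits an Oops annotation, not a decision to panic.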