Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp6851242imu; Wed, 14 Nov 2018 07:55:31 -0800 (PST) X-Google-Smtp-Source: AJdET5ebl2mZQTxtYOCLZohQ8bIR8d9naO8keaZV33hzDue6LM4LwuHzi6KiOfKU3C75kS7cbBzF X-Received: by 2002:a62:d808:: with SMTP id e8mr2536228pfg.123.1542210931528; Wed, 14 Nov 2018 07:55:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542210931; cv=none; d=google.com; s=arc-20160816; b=gb+oL7eLN+7zD4QJUtLfMWcJMem5lGu/S0JEgB94Aoic3+EijCTX6SNniBWs3/mLHr 0xn2fnignh8I1G30wGvc4VxleIaYyAXGG7Q+cLLXehWPa0tWiu1Ls1fh3Vnz6PcYjdCW f8h174pNKAvT/n7GrYUDP45m5SLK4ZEj9TyCUZt8RtHDe8M/W6U11sjT9b4H8CG9FnPr N0fbDfBgPGXOh4J4IRN38JztKRz0ovuRFQBL2d9d5ZNh+8wHHZI2wN44cjIqrH6b/jAK qrQSGgsJl8gcHKzvG8ZheQpCYa7M7Ifrf6Mrs+AASaC7O3TjrLUSujOSCqL76nnP0ot2 CCbw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=1KKE7iPlqd5HLAWzOL5p0en3V+BkV1TwMtjeBH8vGP8=; b=lwuQc8Gc0b/O5aKv+eJiN7L0PF82U7JTc1+VT3ozZ5IUjjS/9d2igtOcXh84j6OizQ 6RLRQtQJ8ntMgL/D/zW5KM5iIcliehgvXnVyS1515Yi5u9hNmlID9sm1MIK2VJotYeNq DWLBTXd665MELMb3zJNZSTYz4bErxAsxdc25wS1nZC38qSnQTejFecegmcCD/ThAnHia MJOc3qC2toFbfvTPXYszKMmtkuOLmkkivkKaiMNXefBfMZwCSVZ5+Oqeoy/cZvy8P3lr iGTboLyBpW/iN3FpaEDvoW+04yJXgXHax3uM6TyLuHyVNDwkC7ZPpJQo3C6raziarmXx 4bQg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u91-v6si27195510plb.180.2018.11.14.07.55.15; Wed, 14 Nov 2018 07:55:31 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732527AbeKOB6g (ORCPT + 99 others); Wed, 14 Nov 2018 20:58:36 -0500 Received: from foss.arm.com ([217.140.101.70]:47144 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727789AbeKOB6g (ORCPT ); Wed, 14 Nov 2018 20:58:36 -0500 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 4753280D; Wed, 14 Nov 2018 07:54:48 -0800 (PST) Received: from [10.1.197.21] (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 4FC633F5A0; Wed, 14 Nov 2018 07:54:45 -0800 (PST) Subject: Re: [PATCH 00/17] ARMv8.3 pointer authentication support To: Kees Cook Cc: linux-arm-kernel , Adam Wallis , Amit Kachhap , Andrew Jones , Ard Biesheuvel , Arnd Bergmann , Catalin Marinas , Christoffer Dall , Dave P Martin , Jacob Bramley , Marc Zyngier , Mark Rutland , Ramana Radhakrishnan , "Suzuki K . Poulose" , Will Deacon , kvmarm@lists.cs.columbia.edu, linux-arch , LKML References: <20181005084754.20950-1-kristina.martsenko@arm.com> From: Kristina Martsenko Message-ID: Date: Wed, 14 Nov 2018 15:54:43 +0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 13/11/2018 23:09, Kees Cook wrote: > On Tue, Nov 13, 2018 at 10:17 AM, Kristina Martsenko > wrote: >> When the PAC authentication fails, it doesn't actually generate an >> exception, it just flips a bit in the high-order bits of the pointer, >> making the pointer invalid. Then when the pointer is dereferenced (e.g. >> as a function return address), it generates the usual type of exception >> for an invalid address. > > Ah! Okay, thanks. I missed that detail. :) > > What area of memory ends up being addressable with such bit flips? > (i.e. is the kernel making sure nothing executable ends up there?) The address will be in between the user and kernel address ranges, so it's guaranteed to be invalid and not address any memory. Specifically, assuming a 48-bit VA configuration, user addresses must have bits [55:48] clear and kernel addresses must have bits [63:48] set. When authentication fails it will set two bits in those ranges to "10" or "01", ensuring that the address is no longer a valid user or kernel address. >> So when a function return fails in user mode, the exception is handled >> in __do_user_fault and a forced SIGSEGV is delivered to the task. When a >> function return fails in kernel mode, the exception is handled in >> __do_kernel_fault and the task is killed. >> >> This is different from stack protector as we don't panic the kernel, we >> just kill the task. It would be difficult to panic as we don't have a >> reliable way of knowing that the exception was caused by a PAC >> authentication failure (we just have an invalid pointer with a specific >> bit flipped). We also don't print out any PAC-related warning. > > There are other "guesses" in __do_kernel_fault(), I think? Could a > "PAC mismatch?" warning be included in the Oops if execution fails in > the address range that PAC failures would resolve into? Sounds reasonable to me, I'll add a warning. Thanks, Kristina