From: Mark Rutland
To: Kees Cook
Cc: Kristina Martsenko, linux-arm-kernel, Adam Wallis, Amit Kachhap, Andrew Jones, Ard Biesheuvel, Arnd Bergmann, Catalin Marinas, Christoffer Dall, Dave P Martin, Jacob Bramley, Marc Zyngier, Ramana Radhakrishnan, Suzuki K. Poulose, Will Deacon, kvmarm@lists.cs.columbia.edu, linux-arch, LKML
Subject: Re: [PATCH 00/17] ARMv8.3 pointer authentication support
Date: Wed, 14 Nov 2018 21:47:02 +0000
Message-ID: <20181114214701.gdnrznakwtm76jlt@blommer>
References: <20181005084754.20950-1-kristina.martsenko@arm.com>
List-ID: linux-kernel@vger.kernel.org

On Tue, Nov 13, 2018 at 05:09:00PM -0600, Kees Cook wrote:
> On Tue, Nov 13, 2018 at 10:17 AM, Kristina Martsenko wrote:
> > When the PAC authentication fails, it doesn't actually generate an
> > exception, it just flips a bit in the high-order bits of the pointer,
> > making the pointer invalid. Then when the pointer is dereferenced (e.g.
> > as a function return address), it generates the usual type of exception
> > for an invalid address.
>
> Ah! Okay, thanks. I missed that detail. :)
>
> What area of memory ends up being addressable with such bit flips?
> (i.e. is the kernel making sure nothing executable ends up there?)
>
> > So when a function return fails in user mode, the exception is handled
> > in __do_user_fault and a forced SIGSEGV is delivered to the task. When a
> > function return fails in kernel mode, the exception is handled in
> > __do_kernel_fault and the task is killed.
> >
> > This is different from stack protector as we don't panic the kernel, we
> > just kill the task. It would be difficult to panic as we don't have a
> > reliable way of knowing that the exception was caused by a PAC
> > authentication failure (we just have an invalid pointer with a specific
> > bit flipped). We also don't print out any PAC-related warning.
>
> There are other "guesses" in __do_kernel_fault(), I think? Could a
> "PAC mismatch?" warning be included in the Oops if execution fails in
> the address range that PAC failures would resolve into?
I'd personally prefer that we didn't try to guess if a fault is due to a failed AUT*, even for logging.

Presently, it's not possible to distinguish between a fault resulting from a failed AUT* and a fault which happens to have the same bits/clear, so there are false positives. The architecture may also change the precise details of the faulting address, and we'd have false negatives in that case.

Given that, I think suggesting that a fault is due to a failed AUT* is liable to make things more confusing.

Thanks,
Mark.
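The mechanism the thread describes (a failed AUT* does not trap; it leaves a pointer with a high-order bit flipped, and the later dereference faults like any other invalid address) and Mark's false-positive objection can both be seen in a small model. The following is an added illustration written for this page, not code from the patch series, the kernel, or the Arm architecture pseudocode. It assumes a constructed layout (48-bit virtual addresses, a 7-bit PAC field in bits 48..54, a toy keyed mix standing in for the real PAC algorithm, and bit 54 as the "authentication failed" bit); the real hardware layout and error encoding differ.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model parameters (assumptions, not the real architecture). */
#define VA_BITS   48
#define PAC_SHIFT VA_BITS
#define PAC_BITS  7
#define PAC_MASK  ((((uint64_t)1 << PAC_BITS) - 1) << PAC_SHIFT)
#define FAIL_BIT  ((uint64_t)1 << 54)   /* assumed bit flipped on AUT* failure */

/* Toy PAC: mixes the canonical pointer, a modifier (e.g. the SP) and a key
 * into PAC_BITS bits. Stands in for the real keyed algorithm; not secure. */
static uint64_t toy_pac(uint64_t stripped, uint64_t modifier, uint64_t key)
{
    uint64_t x = stripped ^ (modifier * 0x9e3779b97f4a7c15ULL) ^ key;
    x ^= x >> 31;
    x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 29;
    return (x & (((uint64_t)1 << PAC_BITS) - 1)) << PAC_SHIFT;
}

/* PAC* equivalent: store the PAC in the unused upper bits of a pointer. */
static uint64_t pac_sign(uint64_t ptr, uint64_t modifier, uint64_t key)
{
    uint64_t stripped = ptr & ~PAC_MASK;
    return stripped | toy_pac(stripped, modifier, key);
}

/* AUT* equivalent. Success returns the canonical pointer. Failure does
 * not raise an exception: it returns the pointer with FAIL_BIT set, so the
 * eventual load/branch through it faults as an ordinary invalid address. */
static uint64_t pac_auth(uint64_t signed_ptr, uint64_t modifier, uint64_t key)
{
    uint64_t stripped = signed_ptr & ~PAC_MASK;
    if ((signed_ptr & PAC_MASK) == toy_pac(stripped, modifier, key))
        return stripped;
    return stripped | FAIL_BIT;
}

/* A user-space address is canonical if no bit above VA_BITS-1 is set. */
static bool is_canonical_user(uint64_t ptr)
{
    return (ptr >> VA_BITS) == 0;
}

/* The kind of heuristic the thread argues against: "non-canonical and the
 * failure bit is set" matches a genuine AUT* failure, but also any other
 * wild pointer that happens to have that bit set (false positive). */
static bool looks_like_aut_failure(uint64_t faulting_addr)
{
    return !is_canonical_user(faulting_addr) && (faulting_addr & FAIL_BIT) != 0;
}

/* Sign a pointer, corrupt one PAC bit (as a stack overwrite would), then
 * authenticate. The PAC mismatch is certain, so the result is deterministic. */
static uint64_t auth_after_tamper(uint64_t ptr, uint64_t modifier, uint64_t key)
{
    uint64_t signed_ptr = pac_sign(ptr, modifier, key);
    uint64_t tampered = signed_ptr ^ ((uint64_t)1 << PAC_SHIFT);
    return pac_auth(tampered, modifier, key);
}

int main(void)
{
    const uint64_t ret_addr = 0x0000aaaabbbbc000ULL;  /* constructed */
    const uint64_t sp = 0xffff800010001000ULL;        /* constructed modifier */
    const uint64_t key = 0x0123456789abcdefULL;       /* constructed key */

    printf("valid   : %016llx\n",
           (unsigned long long)pac_auth(pac_sign(ret_addr, sp, key), sp, key));
    printf("tampered: %016llx\n",
           (unsigned long long)auth_after_tamper(ret_addr, sp, key));
    /* A stray pointer that was never signed also trips the heuristic. */
    printf("stray   : %d\n", looks_like_aut_failure(0x0040000000001000ULL));
    return 0;
}
```

The tampered result is non-canonical and would fault on use, which is the behaviour described for `__do_user_fault` / `__do_kernel_fault`; the stray-pointer case shows why a "PAC mismatch?" guess in the Oops cannot be made reliable from the faulting address alone.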