From mboxrd@z Thu Jan 1 00:00:00 1970 From: awallis@codeaurora.org (Adam Wallis) Date: Tue, 22 May 2018 15:08:42 -0400 Subject: [PATCHv4 06/10] arm64: add basic pointer authentication support In-Reply-To: <20180503132031.25705-7-mark.rutland@arm.com> References: <20180503132031.25705-1-mark.rutland@arm.com> <20180503132031.25705-7-mark.rutland@arm.com> Message-ID: <4b394038-ffd7-ef28-faaf-00f91febf54a@codeaurora.org> To: linux-arm-kernel@lists.infradead.org List-Id: linux-arm-kernel.lists.infradead.org On 5/3/2018 9:20 AM, Mark Rutland wrote: > This patch adds basic support for pointer authentication, allowing > userspace to make use of APIAKey. The kernel maintains an APIAKey value > for each process (shared by all threads within), which is initialised to > a random value at exec() time. > > To describe that address authentication instructions are available, the > ID_AA64ISAR0.{APA,API} fields are exposed to userspace. A new hwcap, > APIA, is added to describe that the kernel manages APIAKey. > > Instructions using other keys (APIBKey, APDAKey, APDBKey) are disabled, > and will behave as NOPs. These may be made use of in future patches. > > No support is added for the generic key (APGAKey), though this cannot be > trapped or made to behave as a NOP. Its presence is not advertised with > a hwcap. > > Signed-off-by: Mark Rutland > Cc: Catalin Marinas > Cc: Ramana Radhakrishnan > Cc: Suzuki K Poulose > Cc: Will Deacon > --- Mark, I was able to verify that a buffer overflow exploit results in a segfault with these PAC patches. When I compile the same binary without "-msign-return-address=none", I am able to successfully overflow the stack and execute malicious code. Thanks Adam Tested-by: Adam Wallis -- Adam Wallis Qualcomm Datacenter Technologies as an affiliate of Qualcomm Technologies, Inc. Qualcomm Technologies, Inc. is a member of the Code Aurora Forum, a Linux Foundation Collaborative Project.