[Bug 1859713] [NEW] ARM v8.3a pauth not working

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 1859713] [NEW] ARM v8.3a pauth not working

From:	Adrien Grassein
Subject:	[Bug 1859713] [NEW] ARM v8.3a pauth not working
Date:	Tue, 14 Jan 2020 21:19:46 -0000

Public bug reported:

Host: Ubuntu 19.10 - x86_64 machine
QEMU version: 3a63b24a1bbf166e6f455fe43a6bbd8dea413d92 (master)

ARMV8.3 pauth is not working well.

With a test code containing two pauth instructions:
    - paciasp that sign LR with A key and sp as context;
    - autiasp that verify the signature.

Test:
    - Run the program and corrupt LR just before autiasp (ex 0x3e00000400660 
instead of 0x3e000000400664)

Expected:
    - autiasp places an invalid pointer in LR

Result:
    - autiasp successfully auth the pointer and places 0x0400660 in LR.

Further explanations:
    Adding traces in qemu code shows that "pauth_computepac" is not robust 
enough against truncating.
    With 0x31000000400664 as input of pauth_auth, we obtain 
"0x55b1d65b2c138e14" for PAC, "0x30" for bot_bit and "0x38" for top_bit.
    With 0x310040008743ec as input of pauth (with same key), we obtain 
"0x55b1d65b2c138ef4" for PAC, "0x30" for bot_bit and "0x38" for top_bit.
    Values of top_bit and bottom_bit are strictly the same and it should not.

** Affects: qemu
     Importance: Undecided
         Status: New


** Tags: arm

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1859713

Title:
  ARM v8.3a pauth not working

Status in QEMU:
  New

Bug description:
  Host: Ubuntu 19.10 - x86_64 machine
  QEMU version: 3a63b24a1bbf166e6f455fe43a6bbd8dea413d92 (master)

  ARMV8.3 pauth is not working well.

  With a test code containing two pauth instructions:
      - paciasp that sign LR with A key and sp as context;
      - autiasp that verify the signature.

  Test:
      - Run the program and corrupt LR just before autiasp (ex 0x3e00000400660 
instead of 0x3e000000400664)

  Expected:
      - autiasp places an invalid pointer in LR

  Result:
      - autiasp successfully auth the pointer and places 0x0400660 in LR.

  Further explanations:
      Adding traces in qemu code shows that "pauth_computepac" is not robust 
enough against truncating.
      With 0x31000000400664 as input of pauth_auth, we obtain 
"0x55b1d65b2c138e14" for PAC, "0x30" for bot_bit and "0x38" for top_bit.
      With 0x310040008743ec as input of pauth (with same key), we obtain 
"0x55b1d65b2c138ef4" for PAC, "0x30" for bot_bit and "0x38" for top_bit.
      Values of top_bit and bottom_bit are strictly the same and it should not.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1859713/+subscriptions

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug 1859713] [NEW] ARM v8.3a pauth not working, Adrien Grassein <=
- [Bug 1859713] Re: ARM v8.3a pauth not working, Richard Henderson, 2020/01/14
- [Bug 1859713] Re: ARM v8.3a pauth not working, Vincent Dehors, 2020/01/16
- [Bug 1859713] Re: ARM v8.3a pauth not working, Richard Henderson, 2020/01/16
- [Bug 1859713] Re: ARM v8.3a pauth not working, Richard Henderson, 2020/01/16
- [Bug 1859713] Re: ARM v8.3a pauth not working, Richard Henderson, 2020/01/23

Prev by Date: Re: [PATCH 00/13] LUKS: encryption slot management using amend interface
Next by Date: Re: [PATCH] qcow2: Use a GString in report_unsupported_feature()
Previous by thread: [PATCH 0/3] linux-user: Implement x86_64 vsyscalls
Next by thread: [Bug 1859713] Re: ARM v8.3a pauth not working
Index(es):
- Date
- Thread