[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug 1859713] Re: ARM v8.3a pauth not working
From: |
Richard Henderson |
Subject: |
[Bug 1859713] Re: ARM v8.3a pauth not working |
Date: |
Thu, 16 Jan 2020 22:43:44 -0000 |
Oops again. The test case has the parts of the key the wrong way around.
I'll submit the pair of patches to the mailing list.
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1859713
Title:
ARM v8.3a pauth not working
Status in QEMU:
Confirmed
Bug description:
Host: Ubuntu 19.10 - x86_64 machine
QEMU version: 3a63b24a1bbf166e6f455fe43a6bbd8dea413d92 (master)
ARMV8.3 pauth is not working well.
With a test code containing two pauth instructions:
- paciasp that sign LR with A key and sp as context;
- autiasp that verify the signature.
Test:
- Run the program and corrupt LR just before autiasp (ex 0x3e00000400660
instead of 0x3e000000400664)
Expected:
- autiasp places an invalid pointer in LR
Result:
- autiasp successfully auth the pointer and places 0x0400660 in LR.
Further explanations:
Adding traces in qemu code shows that "pauth_computepac" is not robust
enough against truncating.
With 0x31000000400664 as input of pauth_auth, we obtain
"0x55b1d65b2c138e14" for PAC, "0x30" for bot_bit and "0x38" for top_bit.
With 0x310040008743ec as input of pauth (with same key), we obtain
"0x55b1d65b2c138ef4" for PAC, "0x30" for bot_bit and "0x38" for top_bit.
Values of top_bit and bottom_bit are strictly the same and it should not.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1859713/+subscriptions