[v2,13/13] aarch64: redefine RETURN_ADDRESS to strip PAC

  • aarch64: branch protection support
Szabolcs Nagy May 12, 2020, 10:14 a.m.
RETURN_ADDRESS is used at several places in glibc to mean a valid
code address of the call site, but with pac-ret it has a pointer
authentication code (PAC), so its definition is adjusted.

strip_pac is omitted if glibc is built without pac-ret, but it could
be added unconditionally (that's just unnecessary operations).

Inline asm is used instead of __builtin_aarch64_xpaclri since that
is an undocumented builtin and not available in all supported gccs.

Note: such a change indicates a problem in the pac-ret design: it
can break code that uses __builtin_return_address and the breakage
is only visible at runtime on a system with pac-ret enabled. It is
not ideal that users need target specific inline asm to fix this up.
For now we can recommend disabling pac-ret where this is a problem,
but gcc might need improvements in this area to make pac-ret usable.

TODO: __builtin_return_address handling with pac-ret:
 sysdeps/aarch64/sysdep.h | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/sysdeps/aarch64/sysdep.h b/sysdeps/aarch64/sysdep.h
index d8a5445b7e..2c12aa902f 100644
--- a/sysdeps/aarch64/sysdep.h
+++ b/sysdeps/aarch64/sysdep.h
@@ -35,6 +35,23 @@ 
 #define PTR_SIZE	(1<<PTR_LOG_SIZE)
+#ifndef	__ASSEMBLER__
+/* Strip pointer authentication code from pointer p.  */
+static inline void *
+strip_pac (void *p)
+	register void *ra asm ("x30") = (p);
+	asm ("hint 7 // xpaclri" : "+r"(ra));
+	return ra;
+/* This is needed when glibc is built with -mbranch-protection=pac-ret.  */
+#  define RETURN_ADDRESS(n) strip_pac (__builtin_return_address (n))
+# endif
 #ifdef	__ASSEMBLER__
 /* Syntactic details of assembler.  */
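Review bot: the hunk as posted looks truncated: the header and diffstat both say 17 insertions, but only 10 `+` lines appear, the `# endif` after the RETURN_ADDRESS define has no matching `# if` among the added lines, and `strip_pac` shows no `{`/`}` around its body, so please resend the complete hunk before it is reviewed further. On the visible code, the comment above `strip_pac` should also state why `hint 7` is used: XPACLRI sits in the HINT space and executes as a NOP on cores without pointer authentication, which is exactly what makes it safe to call unconditionally, as the commit message notes, and it operates only on x30, which is why the `register void *ra asm ("x30")` operand is needed.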