[v3,12/13] aarch64: redefine RETURN_ADDRESS to strip PAC

Message ID 07c221c020bfa0e03566e06e036ff5a923d6a324.1589552055.git.szabolcs.nagy@arm.com
State New
Series
  • aarch64: branch protection support

Commit Message

Szabolcs Nagy May 15, 2020, 2:40 p.m.
RETURN_ADDRESS is used at several places in glibc to mean a valid
code address of the call site, but with pac-ret it has a pointer
authentication code (PAC), so its definition is adjusted.

strip_pac is omitted if glibc is built without pac-ret, but it could
be added unconditionally (that's just unnecessary operations).
Inline asm is used instead of __builtin_aarch64_xpaclri since that
is an undocumented builtin and not available in all supported gccs.

Note: such a change indicates a problem in the pac-ret design: it
can break code that uses __builtin_return_address and the breakage
is only visible at runtime on a system with pac-ret enabled. It is
not ideal that users need target specific inline asm to fix this up.
For now we can recommend disabling pac-ret where this is a problem,
but gcc might need improvements in this area to make pac-ret usable.

TODO: __builtin_return_address handling with pac-ret:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94891
---
 sysdeps/aarch64/sysdep.h | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

-- 
2.17.1
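The commit message says why RETURN_ADDRESS breaks under pac-ret: the value in x30 carries a PAC in its high bits, so __builtin_return_address returns something that no longer compares equal to, or falls inside, a plain code address range until the PAC is stripped. The following is an added, host-portable example, not code from the patch or from glibc, that models what the XPACLRI strip used by strip_pac computes. It assumes a 48-bit virtual address space with top-byte-ignore enabled (the layout Linux gives user space), under which the PAC field is bits [54:48] and bit 55 selects the address range; the "signing" helper merely writes an arbitrary value into that field and is not the real PAC computation, and all addresses are constructed.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define VA_BITS 48  /* assumed virtual address size in bits */

/* Mask of the bits that carry the PAC under the assumed layout: [54:VA_BITS].
   Bits 63:56 are the TBI tag byte and bit 55 selects the address range, so
   neither is part of the PAC field.  */
static uint64_t
pac_field_mask (void)
{
  uint64_t m = 0;
  for (int b = VA_BITS; b <= 54; b++)
    m |= 1ULL << b;
  return m;
}

/* Model of the XPAC strip: replace the PAC field with copies of bit 55, so a
   user-space pointer (bit 55 == 0) gets zeros back and a kernel-range pointer
   (bit 55 == 1) gets ones back.  On real hardware this is what strip_pac
   obtains from the xpaclri instruction.  */
uint64_t
model_strip_pac (uint64_t p)
{
  uint64_t mask = pac_field_mask ();
  uint64_t ext = ((p >> 55) & 1) ? mask : 0;
  return (p & ~mask) | ext;
}

/* Constructed stand-in for a pac-ret signed return address: overwrite the
   PAC field with an arbitrary 7-bit value.  Real PAuth derives the PAC from
   the address, the stack pointer and a key; the only point here is that the
   high bits differ from the plain code address.  */
uint64_t
model_sign_pac (uint64_t p, uint64_t fake_pac)
{
  uint64_t mask = pac_field_mask ();
  return (p & ~mask) | ((fake_pac << VA_BITS) & mask);
}

/* The kind of check glibc performs on RETURN_ADDRESS: does the caller lie
   inside a given code range?  */
int
ra_in_range (uint64_t ra, uint64_t lo, uint64_t hi)
{
  return ra >= lo && ra < hi;
}

int
main (void)
{
  /* Constructed values: a text range and a call-site address inside it.  */
  const uint64_t text_lo = 0x0000aaaabbbb0000ULL;
  const uint64_t text_hi = 0x0000aaaabbbc0000ULL;
  const uint64_t call_site = 0x0000aaaabbbbccccULL;

  uint64_t signed_ra = model_sign_pac (call_site, 0x5a);
  uint64_t stripped = model_strip_pac (signed_ra);

  printf ("plain    %#018" PRIx64 " in text: %d\n", call_site,
          ra_in_range (call_site, text_lo, text_hi));
  printf ("signed   %#018" PRIx64 " in text: %d\n", signed_ra,
          ra_in_range (signed_ra, text_lo, text_hi));
  printf ("stripped %#018" PRIx64 " in text: %d\n", stripped,
          ra_in_range (stripped, text_lo, text_hi));
  return stripped == call_site ? 0 : 1;
}
```

The range check fails on the signed value and passes again after the strip, which is exactly the behaviour difference the patch hides behind RETURN_ADDRESS; stripping an already plain pointer is a no-op, which is why the commit message notes strip_pac could be applied unconditionally.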

Comments

Jakub Jelinek via Libc-alpha May 26, 2020, 11:29 a.m. | #1
On 15/05/2020 11:40, Szabolcs Nagy wrote:
> RETURN_ADDRESS is used at several places in glibc to mean a valid
> code address of the call site, but with pac-ret it has a pointer
> authentication code (PAC), so its definition is adjusted.
> 
> strip_pac is omitted if glibc is bulit without pac-ret, but it could

s/bulit/built

> be added unconditionally (that's just unnecessary operations).
> Inline asm is used instead of __builtin_aarch64_xpaclri since that
> is an undocumented builtin and not available in all supported gccs.
> 
> Note: such change indicates a problem in the pac-ret design: it
> can break code that uses __builtin_return_address and the breakage
> is only visible at runtime on a system with pac-ret enabled. It is
> not ideal that users need target specific inline asm to fix this up.
> For now we can recommend disabling pac-ret where this is a problem,
> but gcc might need improvements in this are to make pac-ret usable.
> 
> TODO: __builtin_return_address handling with pac-ret:
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94891

LGTM, thanks.

Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>

> ---
>  sysdeps/aarch64/sysdep.h | 17 +++++++++++++++++
>  1 file changed, 17 insertions(+)
> 
> diff --git a/sysdeps/aarch64/sysdep.h b/sysdeps/aarch64/sysdep.h
> index c51572a690..7a70cf7a2b 100644
> --- a/sysdeps/aarch64/sysdep.h
> +++ b/sysdeps/aarch64/sysdep.h
> @@ -35,6 +35,23 @@
>  
>  #define PTR_SIZE	(1<<PTR_LOG_SIZE)
>  
> +#ifndef	__ASSEMBLER__
> +/* Strip pointer authentication code from pointer p.  */
> +static inline void *
> +strip_pac (void *p)
> +{
> +	register void *ra asm ("x30") = (p);
> +	asm ("hint 7 // xpaclri" : "+r"(ra));
> +	return ra;

Indentation seems off here (tab instead of double space).

> +}
> +
> +/* This is needed when glibc is built with -mbranch-protection=pac-ret.  */
> +# ifdef HAVE_AARCH64_PAC_RET
> +#  undef RETURN_ADDRESS
> +#  define RETURN_ADDRESS(n) strip_pac (__builtin_return_address (n))
> +# endif
> +#endif
> +
>  #ifdef	__ASSEMBLER__
>  
>  /* Syntactic details of assembler.  */
> 
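Review bot: the `register void *ra asm ("x30")` binding in strip_pac deserves a comment, since it is what makes the asm correct rather than a stylistic choice: xpaclri takes no register operand and always reads and writes x30, so pinning the "+r" operand to x30 is the only way to tell the compiler which register the instruction touches. A one-line note such as "xpaclri operates implicitly on x30" next to the declaration would save the next reader from wondering why a plain "+r" constraint is not enough. It is also worth saying in the same comment that `hint 7` is the HINT-space encoding of xpaclri, so the line assembles with binutils that predate armv8.3-a and executes as a NOP on cores without pointer authentication. Minor: the parentheses in `= (p)` are unnecessary.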


Ok.

Patch

diff --git a/sysdeps/aarch64/sysdep.h b/sysdeps/aarch64/sysdep.h
index c51572a690..7a70cf7a2b 100644
--- a/sysdeps/aarch64/sysdep.h
+++ b/sysdeps/aarch64/sysdep.h
@@ -35,6 +35,23 @@ 
 
 #define PTR_SIZE	(1<<PTR_LOG_SIZE)
 
+#ifndef	__ASSEMBLER__
+/* Strip pointer authentication code from pointer p.  */
+static inline void *
+strip_pac (void *p)
+{
+	register void *ra asm ("x30") = (p);
+	asm ("hint 7 // xpaclri" : "+r"(ra));
+	return ra;
+}
+
+/* This is needed when glibc is built with -mbranch-protection=pac-ret.  */
+# ifdef HAVE_AARCH64_PAC_RET
+#  undef RETURN_ADDRESS
+#  define RETURN_ADDRESS(n) strip_pac (__builtin_return_address (n))
+# endif
+#endif
+
 #ifdef	__ASSEMBLER__
 
 /* Syntactic details of assembler.  */
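Review bot: the definition of strip_pac sits under `#ifndef __ASSEMBLER__` but outside `# ifdef HAVE_AARCH64_PAC_RET`, so it is compiled into every C translation unit even when glibc is built without pac-ret, while the commit message says strip_pac "is omitted if glibc is built without pac-ret". Either move the function inside the `# ifdef HAVE_AARCH64_PAC_RET` block so the header matches the description, or reword the message to say that only the RETURN_ADDRESS override is conditional. The comment "This is needed when glibc is built with -mbranch-protection=pac-ret." would also be more useful if it stated the reason visible in the commit message: with pac-ret the value __builtin_return_address (n) yields carries a PAC in its upper bits, so callers comparing it against code addresses need the stripped form.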