summary refs log tree commit diff stats
path: root/results/classifier/118/architecture-arm/1859713
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/118/architecture-arm/1859713')
-rw-r--r--results/classifier/118/architecture-arm/1859713117
1 files changed, 117 insertions, 0 deletions
diff --git a/results/classifier/118/architecture-arm/1859713 b/results/classifier/118/architecture-arm/1859713
new file mode 100644
index 000000000..e9269bcdc
--- /dev/null
+++ b/results/classifier/118/architecture-arm/1859713
@@ -0,0 +1,117 @@
+architecture: 0.953
+arm: 0.937
+mistranslation: 0.936
+x86: 0.915
+kernel: 0.817
+graphic: 0.786
+device: 0.777
+peripherals: 0.741
+socket: 0.702
+semantic: 0.698
+performance: 0.667
+ppc: 0.637
+permissions: 0.623
+hypervisor: 0.606
+user-level: 0.604
+assembly: 0.600
+PID: 0.596
+network: 0.552
+risc-v: 0.543
+VMM: 0.517
+i386: 0.509
+KVM: 0.504
+debug: 0.492
+register: 0.485
+boot: 0.480
+TCG: 0.474
+files: 0.440
+vnc: 0.336
+virtual: 0.126
+--------------------
+arm: 0.986
+debug: 0.501
+assembly: 0.299
+kernel: 0.104
+hypervisor: 0.076
+register: 0.062
+architecture: 0.045
+files: 0.030
+TCG: 0.025
+PID: 0.020
+virtual: 0.012
+device: 0.011
+peripherals: 0.009
+semantic: 0.004
+user-level: 0.004
+permissions: 0.004
+socket: 0.004
+performance: 0.003
+VMM: 0.003
+network: 0.002
+vnc: 0.002
+x86: 0.002
+boot: 0.002
+risc-v: 0.002
+graphic: 0.002
+KVM: 0.001
+ppc: 0.001
+mistranslation: 0.001
+i386: 0.000
+
+ARM v8.3a pauth not working
+
+Host: Ubuntu 19.10 - x86_64 machine
+QEMU version: 3a63b24a1bbf166e6f455fe43a6bbd8dea413d92 (master)
+
+ARMV8.3 pauth is not working well.
+
+With a test code containing two pauth instructions:
+    - paciasp that sign LR with A key and sp as context;
+    - autiasp that verify the signature.
+
+Test:
+    - Run the program and corrupt LR just before autiasp (ex 0x3e00000400660 instead of 0x3e000000400664)
+
+Expected:
+    - autiasp places an invalid pointer in LR
+
+Result:
+    - autiasp successfully auth the pointer and places 0x0400660 in LR.
+
+Further explanations:
+    Adding traces in qemu code shows that "pauth_computepac" is not robust enough against truncating.
+    With 0x31000000400664 as input of pauth_auth, we obtain "0x55b1d65b2c138e14" for PAC, "0x30" for bot_bit and "0x38" for top_bit.
+    With 0x310040008743ec as input of pauth (with same key), we obtain "0x55b1d65b2c138ef4" for PAC, "0x30" for bot_bit and "0x38" for top_bit.
+    Values of top_bit and bottom_bit are strictly the same and it should not.
+
+Hi,
+
+Here is a patch for this bug. The sbox function was using "b+=16" instead of "b+=4".
+
+Also, you check test vector using :
+
+```c
+    uint64_t P = 0xfb623599da6e8127ull;
+    uint64_t T = 0x477d469dec0b8762ull;
+    uint64_t w0 = 0x84be85ce9804e94bull;
+    uint64_t k0 = 0xec2802d4e0a488e9ull;
+    ARMPACKey key = { .hi = w0, .lo = k0 };
+    uint64_t C5 = pauth_computepac(P, T, key);
+    /* C5 should be 0xc003b93999b33765 */
+```
+
+Ooof.  Good catch on the sbox error.
+
+That said, how did you test pauth_computepac?
+I still do not get the C5 result above, but 0x99d88f4472f3be39.
+
+The following test case sets up the parameters.
+
+Oops again.  The test case has the parts of the key the wrong way around.
+I'll submit the pair of patches to the mailing list.
+
+Now upstream as commit de0b1bae6461f67243282555475f88b2384a1eb9.
+
+Apparently this fixed bug is the official CVE-2020-10702:
+https://security-tracker.debian.org/tracker/CVE-2020-10702
+