Gitiles
Code Review Sign In
gerrit.omnirom.org / android_bionic / 7309177235b883b6042cb2a3a969b6af5e9cc786^! / .
commit7309177235b883b6042cb2a3a969b6af5e9cc786[log] [tgz]
authorElliott Hughes <enh@google.com>Thu Mar 10 18:01:04 2022 +0000
committerElliott Hughes <enh@google.com>Thu Mar 10 18:01:04 2022 +0000
tree84209445d29bc975ef9bf8858f60c9a613e3dcad
parentbf52e885967c2f34d988005f6258824082829faf [diff]
Revert "Disable pointer authentication in app processes."

Revert submission 1954983-master-I3030c47be9d02a27505bd4775c1982a20755758c

Reason for revert: PAC has shipped with S, and we're going with app compat outreach rather than regressing security.
Reverted Changes:
I3030c47be:Disable pointer authentication in app processes.
I3030c47be:Disable pointer authentication in app processes.

Change-Id: I8761f08ddbd9077ff98b1a9a0c323de968792778

diff --git a/libc/bionic/pthread_create.cpp b/libc/bionic/pthread_create.cpp
index 08fb187..121b26f 100644
--- a/libc/bionic/pthread_create.cpp
+++ b/libc/bionic/pthread_create.cpp

@@ -45,7 +45,6 @@
 #include "private/bionic_defs.h"
 #include "private/bionic_globals.h"
 #include "platform/bionic/macros.h"
-#include "platform/bionic/pac.h"
 #include "private/bionic_ssp.h"
 #include "private/bionic_systrace.h"
 #include "private/bionic_tls.h"
@@ -332,9 +331,11 @@
 extern "C" int __rt_sigprocmask(int, const sigset64_t*, sigset64_t*, size_t);
 
 __attribute__((no_sanitize("hwaddress")))
+#ifdef __aarch64__
 // This function doesn't return, but it does appear in stack traces. Avoid using return PAC in this
 // function because we may end up resetting IA, which may confuse unwinders due to mismatching keys.
-__BIONIC_DISABLE_PAUTH
+__attribute__((target("branch-protection=bti")))
+#endif
 static int __pthread_start(void* arg) {
   pthread_internal_t* thread = reinterpret_cast<pthread_internal_t*>(arg);
 

diff --git a/libc/platform/bionic/pac.h b/libc/platform/bionic/pac.h
index c311651..34efc48 100644
--- a/libc/platform/bionic/pac.h
+++ b/libc/platform/bionic/pac.h

@@ -29,7 +29,6 @@
 #pragma once
 
 #include <stddef.h>
-#include <sys/prctl.h>
 
 inline uintptr_t __bionic_clear_pac_bits(uintptr_t ptr) {
 #if defined(__aarch64__)
@@ -41,39 +40,3 @@
   return ptr;
 #endif
 }
-
-#ifdef __aarch64__
-// The default setting for branch-protection enables both PAC and BTI, so by
-// overriding it to only enable BTI we disable PAC.
-#define __BIONIC_DISABLE_PAUTH __attribute__((target("branch-protection=bti")))
-#else
-#define __BIONIC_DISABLE_PAUTH
-#endif
-
-#ifdef __aarch64__
-// Disable PAC (i.e. make the signing and authentication instructions into no-ops) for the lifetime
-// of this object.
-class ScopedDisablePAC {
-  int prev_enabled_keys_;
-
- public:
-  // Disabling IA will invalidate the return address in this function if it is signed, so we need to
-  // make sure that this function does not sign its return address. Likewise for the destructor.
-  __BIONIC_DISABLE_PAUTH
-  ScopedDisablePAC() {
-    // These prctls will fail (resulting in a no-op, the intended behavior) if PAC is not supported.
-    prev_enabled_keys_ = prctl(PR_PAC_GET_ENABLED_KEYS, 0, 0, 0, 0);
-    prctl(PR_PAC_SET_ENABLED_KEYS, prev_enabled_keys_, 0, 0, 0);
-  }
-
-  __BIONIC_DISABLE_PAUTH
-  ~ScopedDisablePAC() {
-    prctl(PR_PAC_SET_ENABLED_KEYS, prev_enabled_keys_, prev_enabled_keys_, 0, 0);
-  }
-};
-#else
-struct ScopedDisablePAC {
-  // Silence unused variable warnings in non-aarch64 builds.
-  ScopedDisablePAC() {}
-};
-#endif