Merge "Disable pointer authentication in app processes."
diff --git a/libc/bionic/pthread_create.cpp b/libc/bionic/pthread_create.cpp
index 121b26f..08fb187 100644
--- a/libc/bionic/pthread_create.cpp
+++ b/libc/bionic/pthread_create.cpp
@@ -45,6 +45,7 @@
 #include "private/bionic_defs.h"
 #include "private/bionic_globals.h"
 #include "platform/bionic/macros.h"
+#include "platform/bionic/pac.h"
 #include "private/bionic_ssp.h"
 #include "private/bionic_systrace.h"
 #include "private/bionic_tls.h"
@@ -331,11 +332,9 @@
 extern "C" int __rt_sigprocmask(int, const sigset64_t*, sigset64_t*, size_t);
 
 __attribute__((no_sanitize("hwaddress")))
-#ifdef __aarch64__
 // This function doesn't return, but it does appear in stack traces. Avoid using return PAC in this
 // function because we may end up resetting IA, which may confuse unwinders due to mismatching keys.
-__attribute__((target("branch-protection=bti")))
-#endif
+__BIONIC_DISABLE_PAUTH
 static int __pthread_start(void* arg) {
   pthread_internal_t* thread = reinterpret_cast<pthread_internal_t*>(arg);
 
diff --git a/libc/platform/bionic/pac.h b/libc/platform/bionic/pac.h
index 34efc48..c311651 100644
--- a/libc/platform/bionic/pac.h
+++ b/libc/platform/bionic/pac.h
@@ -29,6 +29,7 @@
 #pragma once
 
 #include <stddef.h>
+#include <sys/prctl.h>
 
 inline uintptr_t __bionic_clear_pac_bits(uintptr_t ptr) {
 #if defined(__aarch64__)
@@ -40,3 +41,39 @@
   return ptr;
 #endif
 }
+
+#ifdef __aarch64__
+// The default setting for branch-protection enables both PAC and BTI, so by
+// overriding it to only enable BTI we disable PAC.
+#define __BIONIC_DISABLE_PAUTH __attribute__((target("branch-protection=bti")))
+#else
+#define __BIONIC_DISABLE_PAUTH
+#endif
+
+#ifdef __aarch64__
+// Disable PAC (i.e. make the signing and authentication instructions into no-ops) for the lifetime
+// of this object.
+class ScopedDisablePAC {
+  int prev_enabled_keys_;
+
+ public:
+  // Disabling IA will invalidate the return address in this function if it is signed, so we need to
+  // make sure that this function does not sign its return address. Likewise for the destructor.
+  __BIONIC_DISABLE_PAUTH
+  ScopedDisablePAC() {
+    // These prctls will fail (resulting in a no-op, the intended behavior) if PAC is not supported.
+    prev_enabled_keys_ = prctl(PR_PAC_GET_ENABLED_KEYS, 0, 0, 0, 0);
+    prctl(PR_PAC_SET_ENABLED_KEYS, prev_enabled_keys_, 0, 0, 0);
+  }
+
+  __BIONIC_DISABLE_PAUTH
+  ~ScopedDisablePAC() {
+    prctl(PR_PAC_SET_ENABLED_KEYS, prev_enabled_keys_, prev_enabled_keys_, 0, 0);
+  }
+};
+#else
+struct ScopedDisablePAC {
+  // Silence unused variable warnings in non-aarch64 builds.
+  ScopedDisablePAC() {}
+};
+#endif
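Review bot: The aarch64 `ScopedDisablePAC` constructor stores the result of `prctl(PR_PAC_GET_ENABLED_KEYS, ...)` unchecked and passes it back as the key mask, so on a kernel without PAC support the mask is -1 and the constructor and destructor rely on three failing prctl calls, each of which overwrites the caller's errno. The comment documents the failure as intended, but an explicit `if (prev_enabled_keys_ < 0) prev_enabled_keys_ = 0;` after the GET, plus saving and restoring errno around the calls, would make the no-op path deliberate instead of incidental. The return value of `PR_PAC_SET_ENABLED_KEYS` is also ignored; if that call fails on a PAC-capable kernel, the keys stay enabled and code in the scope that assumes PAC is off gets no signal. The class is also implicitly copyable, and a copy destroyed before the original would re-enable the keys while the outer scope still expects them off; adding `ScopedDisablePAC(const ScopedDisablePAC&) = delete;` and the matching deleted `operator=` closes that. It would also help if the class comment said which threads the change applies to, since callers will read "for the lifetime of this object" as the whole guarantee.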