AArch64: Block PAuth key access attempts

For AArch64 a restricted ptrace call will result in an error when trying to access PAC keys. Malicious code could derive the key via the system call and potentially defeat any PAC control-flow integrity checks. The ptrace call to set registers, PTRACE_SETREGSET, is already blocked, so they cannot be changed. Change-Id: I6954e3b038912871a964d413a305c69f8a57d543 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2438130Reviewed-by: Robert Sesek <rsesek@chromium.org> Reviewed-by: Matthew Denton <mpdenton@chromium.org> Commit-Queue: Richard Townsend <richard.townsend@arm.com> Commit-Queue: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#813031}

AArch64: Block PAuth key access attempts
For AArch64 a restricted ptrace call will result in an error when trying to access PAC keys. Malicious code could derive the key via the system call and potentially defeat any PAC control-flow integrity checks. The ptrace call to set registers, PTRACE_SETREGSET, is already blocked, so they cannot be changed. Change-Id: I6954e3b038912871a964d413a305c69f8a57d543 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2438130Reviewed-by: Robert Sesek <rsesek@chromium.org> Reviewed-by: Matthew Denton <mpdenton@chromium.org> Commit-Queue: Richard Townsend <richard.townsend@arm.com> Commit-Queue: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#813031}
02f29ab6 · Andrew Beggs · Commit Bot · 1fbba037 · 02f29ab6 · 02f29ab6
Commit 02f29ab6 authored Oct 02, 2020 by Andrew Beggs Committed by Commit Bot Oct 02, 2020
4 changed files
--- a/sandbox/linux/BUILD.gn
+++ b/sandbox/linux/BUILD.gn
@@ -434,6 +434,7 @@ source_set("sandbox_services_headers") {
    "system_headers/linux_filter.h",
    "system_headers/linux_futex.h",
    "system_headers/linux_prctl.h",
+    "system_headers/linux_ptrace.h",
    "system_headers/linux_seccomp.h",
    "system_headers/linux_signal.h",
    "system_headers/linux_syscalls.h",

--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
@@ -29,6 +29,7 @@
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 #include "sandbox/linux/system_headers/linux_futex.h"
 #include "sandbox/linux/system_headers/linux_prctl.h"
+#include "sandbox/linux/system_headers/linux_ptrace.h"
 #include "sandbox/linux/system_headers/linux_syscalls.h"
 #include "sandbox/linux/system_headers/linux_time.h"
@@ -405,20 +406,26 @@ ResultExpr RestrictPrlimitToGetrlimit(pid_t target_pid) {
 #if !defined(OS_NACL_NONSFI)
 ResultExpr RestrictPtrace() {
  const Arg<int> request(0);
-  return Switch(request).CASES((
+#if defined(__aarch64__)
+  const Arg<uintptr_t> addr(2);
+#endif
+  return Switch(request)
+      .CASES((
 #if !defined(__aarch64__)
-        PTRACE_GETREGS,
+                 PTRACE_GETREGS, PTRACE_GETFPREGS, PTRACE_GET_THREAD_AREA,
-        PTRACE_GETFPREGS,
+                 PTRACE_GETREGSET,
-        PTRACE_GET_THREAD_AREA,
 #endif
 #if defined(__arm__)
-        PTRACE_GETVFPREGS,
+                 PTRACE_GETVFPREGS,
+#endif
+                 PTRACE_PEEKDATA, PTRACE_ATTACH, PTRACE_DETACH),
+             Allow())
+#if defined(__aarch64__)
+      .Case(
+          PTRACE_GETREGSET,
+          If(AllOf(addr != NT_ARM_PACA_KEYS, addr != NT_ARM_PACG_KEYS), Allow())
+              .Else(CrashSIGSYSPtrace()))
 #endif
-        PTRACE_GETREGSET,
-        PTRACE_PEEKDATA,
-        PTRACE_ATTACH,
-        PTRACE_DETACH),
-      Allow())
      .Default(CrashSIGSYSPtrace());
 }
 #endif  // defined(OS_NACL_NONSFI)

--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc
@@ -32,6 +32,7 @@
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 #include "sandbox/linux/seccomp-bpf/syscall.h"
 #include "sandbox/linux/services/syscall_wrappers.h"
+#include "sandbox/linux/system_headers/linux_ptrace.h"
 #include "sandbox/linux/system_headers/linux_syscalls.h"
 #include "sandbox/linux/system_headers/linux_time.h"
 #include "sandbox/linux/tests/unit_tests.h"
@@ -341,6 +342,36 @@ BPF_DEATH_TEST_C(
         &iov);
 }
+#if defined(__aarch64__)
+BPF_DEATH_TEST_C(
+    ParameterRestrictions,
+    ptrace_getregs_nt_arm_paca_keys_blocked,
+    DEATH_SEGV_MESSAGE(sandbox::GetPtraceErrorMessageContentForTests()),
+    RestrictPtracePolicy) {
+  user_regs_struct regs{};
+  iovec iov;
+  iov.iov_base = &regs;
+  iov.iov_len = sizeof(regs);
+  errno = 0;
+  ptrace(PTRACE_GETREGSET, getpid(), reinterpret_cast<void*>(NT_ARM_PACA_KEYS),
+         &iov);
+}
+BPF_DEATH_TEST_C(
+    ParameterRestrictions,
+    ptrace_getregs_nt_arm_pacg_keys_blocked,
+    DEATH_SEGV_MESSAGE(sandbox::GetPtraceErrorMessageContentForTests()),
+    RestrictPtracePolicy) {
+  user_regs_struct regs{};
+  iovec iov;
+  iov.iov_base = &regs;
+  iov.iov_len = sizeof(regs);
+  errno = 0;
+  ptrace(PTRACE_GETREGSET, getpid(), reinterpret_cast<void*>(NT_ARM_PACG_KEYS),
+         &iov);
+}
+#endif
 }  // namespace
 }  // namespace sandbox
--- a/sandbox/linux/system_headers/linux_ptrace.h
+++ b/sandbox/linux/system_headers/linux_ptrace.h
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#ifndef SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_PTRACE_H_
+#define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_PTRACE_H_
+#if !defined(NT_ARM_PACA_KEYS)
+#define NT_ARM_PACA_KEYS 0x407 /* Arm pointer authentication address keys */
+#define NT_ARM_PACG_KEYS 0x408 /* Arm pointer authentication generic key */
+#endif
+#endif  // SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_PTRACE_H_