Apparently this fixed bug is the official CVE-2020-10702: https://security-tracker.debian.org/tracker/CVE-2020-10702
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-10702 -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1859713 Title: ARM v8.3a pauth not working Status in QEMU: Fix Released Bug description: Host: Ubuntu 19.10 - x86_64 machine QEMU version: 3a63b24a1bbf166e6f455fe43a6bbd8dea413d92 (master) ARMV8.3 pauth is not working well. With a test code containing two pauth instructions: - paciasp that sign LR with A key and sp as context; - autiasp that verify the signature. Test: - Run the program and corrupt LR just before autiasp (ex 0x3e00000400660 instead of 0x3e000000400664) Expected: - autiasp places an invalid pointer in LR Result: - autiasp successfully auth the pointer and places 0x0400660 in LR. Further explanations: Adding traces in qemu code shows that "pauth_computepac" is not robust enough against truncating. With 0x31000000400664 as input of pauth_auth, we obtain "0x55b1d65b2c138e14" for PAC, "0x30" for bot_bit and "0x38" for top_bit. With 0x310040008743ec as input of pauth (with same key), we obtain "0x55b1d65b2c138ef4" for PAC, "0x30" for bot_bit and "0x38" for top_bit. Values of top_bit and bottom_bit are strictly the same and it should not. To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1859713/+subscriptions
