[Bug 1960863] Re: armv8 paca: poly1305 users see segfaults when pointer authentication in use on AWS Graviton 3 instances

Matthew Ruffell 1960863 at bugs.launchpad.net
Thu Feb 24 03:33:06 UTC 2022 

Performing verification for openssl on Focal.

An affected user performed the verification, due to c7g instance types
being in "Preview" state on Amazon AWS, and not generally accessible.

The user started a c7g instance, and checked they had openssl
1.1.1f-1ubuntu2.10 from -updates.

They attempted to use the poly1035 MAC downloading the file from the
testcase:

$ curl https://services.gradle.org/distributions/gradle-7.2-bin.zip --output gradle-7.2.bin
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0Segmentation fault (core dumped)

They can reproduce the issue.

They then enabled -proposed from ports.ubuntu.com mirror, and installed
openssl 1.1.1f-1ubuntu2.11.

They again tried downloading the file:

$ curl https://services.gradle.org/distributions/gradle-7.2-bin.zip --output gradle-7.2.bin
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  
(note the file doesn't actually download due to curl not automatically following 301 redirects):

$ curl https://services.gradle.org/distributions/gradle-7.2-bin.zip --output gradle-7.2.bin --verbose
...
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
...
< HTTP/1.1 301 Moved Permanently
< Location: https://downloads.gradle-dn.com/distributions/gradle-7.2-bin.zip
...

curl does not segfault, and exits successfully. The package in -proposed
fixes the issue. Happy to mark as verified.

** Tags removed: sts-sponsor verification-needed verification-needed-focal
** Tags added: verification-done verification-done-focal

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1960863

Title:
  armv8 paca: poly1305 users see segfaults when pointer authentication
  in use on AWS Graviton 3 instances

Status in openssl package in Ubuntu:
  Fix Released
Status in openssl source package in Focal:
  Fix Committed

Bug description:
  [Impact]

  Support for hardware pointer authentication for armv8 systems was
  merged in openssl 1.1.1f, but it contains a bug in the implementation
  for poly1305 message authenticated code routines, which causes the
  calling program to fail pointer authentication, which causes the
  program to crash with a segmentation fault.

  You can easily test it by accessing any website that uses poly1305.
  There is no workaround except use a different MAC.

  [Testcase]

  This bug applies to armv8 systems which support pointer
  authentication. Start an armv8 instance, such as a c7g graviton 3
  instance on AWS, and make sure the paca flag is present in lscpu:

  $ grep paca /proc/cpuinfo
  Features : fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm jscvt fcma lrcpc dcpop sha3 sm3 sm4 asimddp sha512 sve asimdfhm dit uscat ilrcpc flagm ssbs paca pacg dcpodp svei8mm svebf16 i8mm bf16 dgh rng

  Next, attempt to connect to any website that uses poly1305 MAC.

  $ curl https://services.gradle.org/distributions/gradle-7.2-bin.zip --output gradle-7.2.bin
  % Total % Received % Xferd Average Speed Time Time Time Current
  Dload Upload Total Spent Left Speed
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0Segmentation fault (core dumped)

  There is a test package available in the following ppa:

  https://launchpad.net/~mruffell/+archive/ubuntu/sf327917-test

  Install it, and poly1305 operations will no longer segfault.

  [Where problems could occur]

  The patch changes the order of operations for loading the SP and
  checking the AUTIASP against it, from checking the AUTIASP against
  nothing then loading the correct SP to check with, to the correct
  loading the SP and then checking the AUTIASP against the SP.

  This only changes one code path for armv8 systems, and other
  architectures are not affected. This is also only limited to poly1305
  MAC.

  If a regression were to occur, it would only affect users of poly1035
  MAC on armv8 with pacs support.

  [Other info]

  The fix landed upstream in openssl 1.1.1i with the following commit:

  commit 5795acffd8706e1cb584284ee5bb3a30986d0e75
  Author: Ard Biesheuvel <ard.biesheuvel at arm.com>
  Date:   Tue Oct 27 18:02:40 2020 +0100
  Subject: crypto/poly1305/asm: fix armv8 pointer authentication
  Link: https://github.com/openssl/openssl/commit/5795acffd8706e1cb584284ee5bb3a30986d0e75

  This commit is already present in Impish onward. Only Focal needs the
  fix.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1960863/+subscriptions

More information about the foundations-bugs mailing list