RHEL-77625

PAC/BTI for gnutls


    • Story
    • Resolution: Unresolved
    • Major
    • gnutls
    • rhel-security-crypto-spades
    • ssg_security
      • libgnutls.so .note.gnu.property indicates both PAC and BTI
        [implemented in /CoreOS/Sanity/gnutls/aarch64-pac-bti]
      • Return address overwriting (ROP attack) is attempted and thwarted
        for a program loading gnutls and built with -mbranch-protection=pac-ret
        [implemented in /CoreOS/Sanity/gnutls/aarch64-pac-bti, requires hardware support]
      • _dl_bti_protect@/usr/lib/ld-linux-aarch64.so.1 calls are observed
        on shared library loading of gnutls, libtasn1 and p11-kit
        (nettle and gmp are bundled)
        [implemented in /CoreOS/Sanity/gnutls/aarch64-pac-bti, requires hardware support]
    • aarch64

      PAC and BTI are two branch protection techniques for aarch64, not unlike what CET is on Intel.
      Upstream GnuTLS has https://gitlab.com/gnutls/gnutls/-/merge_requests/1843,
      yet gnutls-3.8.8-1.el10 /usr/lib64/libgnutls.so.30
      does not have "Properties: AArch64 feature: BTI, PAC" in the readelf -n output
      (the rest of the binaries/libraries do),
      suggesting that more work is needed to bring this feature into RHEL.

              dueno@redhat.com Daiki Ueno
              asosedki@redhat.com Alexander Sosedkin