A flaw was found in QEMU Pointer Authentication (PAuth) support for ARM introduced in version 4.0.
Specifically, a general failure of the signature generation process causes every PAuth-enforced pointer to be signed with the same signature, resulting in weaker encryption than advertised by the design of the PAuth technique.
An attacker can easily obtain the signature of the protected pointer, and bypass PAuth through brute force guessing or information disclosure vulnerabilities, and all programs running on QEMU will lose protection from PAuth.
(In reply to Mauro Matteo Cascella from comment #1)
> This flaw did not affect the versions of `qemu-kvm-ma` as shipped with Red
> Hat Enterprise Linux for ARM 64 7 as they did not include support for
> Pointer Authentication. The same is true for the versions of `qemu-kvm` as
> shipped with Red Hat Enterprise Linux 6, 7 and 8.
qemu-kvm-av (Advanced Virtualization) is based on QEMU 4.2 for RHEL 8.2, so it does contain PAuth support. However, we don't generally support the use of QEMU as an emulator. We only support its use with KVM. Additionally, the RHEL 8 guest kernel (which is the only supported guest kernel) already has ARM64_USER_VA_BITS_52 enabled, so nobody should be counting on PAuth with that.
I agree with keeping the priority/severity of this bug low.
Several packages are unaffected because they do not include support for Pointer Authentication. These include:
* `qemu-kvm-ma` as shipped with Red Hat Enterprise Linux for ARM 64 7
* `qemu-kvm` as shipped with Red Hat Enterprise Linux 6, 7 and 8
* `qemu-kvm-rhev` as shipped with Red Hat OpenStack Platform 10 and 13
Created qemu tracking bugs for this issue:
Affects: fedora-all [bug 1820234]
Name: Xingman Chen, Yuan Li (NISL, Tsinghua University)