author | Peter Collingbourne <pcc@google.com> | 2021-03-25 11:46:44 -0700 |
---|---|---|
committer | Vinay Verma <vvinay@codeaurora.org> | 2021-04-13 11:26:32 +0530 |
commit | ccbd28c177f9869a448b6d387545e8cf90f4df6c (patch) | |
tree | f04697365a7533d21c675568527b85bcbb62c219 /libc | |
parent | c0efe3aab41f170d80a1b899c5ff06ee36fb6864 (diff) |
Reset PAC keys on thread creation instead of on zygote fork.

Resetting PAC keys on fork appears to lead to a number of problems. One
problem is that we are constrained in where we can run C++ code after
forking, and with ART those places are implementation-defined. For
example, in app zygotes, ART turns out to insert "interpreter frames"
in the stack trace. Returning into these interpreter frames may lead
to crashes due to failing the ROP protection check on return.

It seems better to reset keys on thread creation instead. We only need
to reset IA because only this key needs to be reset for reverse-edge
PAC, and resetting the other keys may be incompatible with future ABIs.

Chrome (and potentially other applications) has a sandbox that prevents
the use of the prctl, so we restrict its use to applications targeting
S and above.

Bug: 183024045
CRs-Fixed: 2918473
(cherry picked from commit 811d180e892f757d052cf9d6c6b7494a8c4a8c2f)
Change-Id: I1e6502a7d7df319d424e2b0f653aad9a343ae71b
Diffstat (limited to 'libc')
-rw-r--r-- | libc/bionic/pthread_create.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/libc/bionic/pthread_create.cpp b/libc/bionic/pthread_create.cpp index 206d5fdeb..f3fee8805 100644 --- a/libc/bionic/pthread_create.cpp +++ b/libc/bionic/pthread_create.cpp @@ -344,6 +344,12 @@ static int __pthread_start(void* arg) { __set_stack_and_tls_vma_name(false); __init_additional_stacks(thread); __rt_sigprocmask(SIG_SETMASK, &thread->start_mask, nullptr, sizeof(thread->start_mask)); +#ifdef __aarch64__ + // Chrome's sandbox prevents this prctl, so only reset IA if the target SDK level is high enough. + if (android_get_application_target_sdk_version() >= __ANDROID_API_S__) { + prctl(PR_PAC_RESET_KEYS, PR_PAC_APIAKEY, 0, 0, 0); + } +#endif void* result = thread->start_routine(thread->start_routine_arg); pthread_exit(result); |
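Review bot: In the added `#ifdef __aarch64__` block in `__pthread_start`, the `prctl(PR_PAC_RESET_KEYS, PR_PAC_APIAKEY, 0, 0, 0)` call discards its return value and is gated only on the target SDK level, not on whether the CPU and kernel actually support pointer authentication. Where PAC is unavailable the call fails with EINVAL on every thread start and leaves errno modified before `start_routine` runs. Consider also gating on PAC support (for example a cached `getauxval(AT_HWCAP) & HWCAP_PACA` check), and either preserving errno around the call or saying in the comment that failure is deliberately ignored. The comment could also record why only the IA key is reset, since that reasoning currently lives only in the commit message.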