From dfb58ee2be9dbc59b6d261eb5b754fe3d0b72500 Mon Sep 17 00:00:00 2001
From: Evgeny Leviant <eleviant@accesssoftek.com>
Date: Tue, 5 Sep 2023 13:29:33 +0300
Subject: [PATCH 01/16] [AArch64] Add initial support for PAC relocs

---
 arch/aarch64/reloc.h     |  11 ++++
 ldso/dynlink.c           |  13 +++++
 src/ldso/aarch64/reloc.c | 116 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 140 insertions(+)
 create mode 100644 src/ldso/aarch64/reloc.c

diff --git a/arch/aarch64/reloc.h b/arch/aarch64/reloc.h
index b1b68c725..1c529bf3e 100644
--- a/arch/aarch64/reloc.h
+++ b/arch/aarch64/reloc.h
@@ -22,3 +22,14 @@
 
 #define CRTJMP(pc,sp) __asm__ __volatile__( \
 	"mov sp,%1 ; br %0" : : "r"(pc), "r"(sp) : "memory" )
+
+#ifdef MUSL_EXPERIMENTAL_PAC
+#define TARGET_RELOCATE(dso, type, reladdr, sym, addend) \
+  do_target_reloc(dso, type, reladdr, sym, addend)
+#define DO_TARGET_RELR(dso, dyn) do_pauth_relr(dso, dyn)
+
+int do_target_reloc(int type, uint64_t* reladdr, uint64_t base,
+		    uint64_t symval, uint64_t addend);
+
+void do_pauth_relr(uint64_t base, uint64_t* dyn);
+#endif
diff --git a/ldso/dynlink.c b/ldso/dynlink.c
index ceca3c98a..f4232ad26 100644
--- a/ldso/dynlink.c
+++ b/ldso/dynlink.c
@@ -45,6 +45,14 @@ static void (*error)(const char *, ...) = error_noop;
 #define container_of(p,t,m) ((t*)((char *)(p)-offsetof(t,m)))
 #define countof(a) ((sizeof (a))/(sizeof (a)[0]))
 
+#ifndef TARGET_RELOCATE
+#define TARGET_RELOCATE(...) 0
+#endif
+
+#ifndef DO_TARGET_RELR
+#define DO_TARGET_RELR(...)
+#endif
+
 struct debug {
 	int ver;
 	void *head;
@@ -549,6 +557,8 @@ static void do_relocs(struct dso *dso, size_t *rel, size_t rel_size, size_t stri
 #endif
 			break;
 		default:
+			if (TARGET_RELOCATE(type, reloc_addr, (size_t)base, sym_val, addend))
+				break;
 			error("Error relocating %s: unsupported relocation type %d",
 				dso->name, type);
 			if (runtime) longjmp(*rtld_fail, 1);
@@ -1419,6 +1429,9 @@ static void reloc_all(struct dso *p)
 		do_relocs(p, laddr(p, dyn[DT_RELA]), dyn[DT_RELASZ], 3);
 		if (!DL_FDPIC)
 			do_relr_relocs(p, laddr(p, dyn[DT_RELR]), dyn[DT_RELRSZ]);
+		if (p != &ldso) {
+			DO_TARGET_RELR((uint64_t)p->base, p->dynv);
+		}
 
 		if (head != &ldso && p->relro_start != p->relro_end) {
 			long ret = __syscall(SYS_mprotect, laddr(p, p->relro_start),
diff --git a/src/ldso/aarch64/reloc.c b/src/ldso/aarch64/reloc.c
new file mode 100644
index 000000000..7b741c365
--- /dev/null
+++ b/src/ldso/aarch64/reloc.c
@@ -0,0 +1,116 @@
+#ifdef MUSL_EXPERIMENTAL_PAC
+
+#include <stdint.h>
+#include "reloc.h"
+
+#define R_AARCH64_AUTH_ABS64 0xe100
+#define R_AARCH64_AUTH_RELATIVE 0xe200
+
+#define DT_AARCH64_AUTH_RELRSZ 0x70000011
+#define DT_AARCH64_AUTH_RELR 0x70000012
+#define DT_AARCH64_AUTH_RELRENT 0x70000013
+
+static uint64_t do_sign_ia(uint64_t modifier, uint64_t value)
+{
+	__asm__ ("pacia %0, %1" : "+r" (value) : "r" (modifier));
+	return value;
+}
+
+static uint64_t do_sign_ib(uint64_t modifier, uint64_t value)
+{
+	__asm__ ("pacib %0, %1" : "+r" (value) : "r" (modifier));
+	return value;
+}
+
+static uint64_t do_sign_da(uint64_t modifier, uint64_t value)
+{
+	__asm__ ("pacda %0, %1" : "+r" (value) : "r" (modifier));
+	return value;
+}
+
+static uint64_t do_sign_db(uint64_t modifier, uint64_t value)
+{
+	__asm__ ("pacdb %0, %1" : "+r" (value) : "r" (modifier));
+	return value;
+}
+
+static int do_pauth_reloc(uint64_t* reladdr, uint64_t value)
+{
+	uint64_t schema = *reladdr;
+	unsigned discrim = (schema >> 32) & 0xFFFF;
+	int addr_div = schema >> 63;
+	int key = (schema >> 60) & 0x3;
+	uint64_t modifier = discrim;
+	if (addr_div)
+		modifier = (modifier << 48) | (uint64_t)reladdr;
+
+	switch(key) {
+		default:
+			*reladdr = do_sign_ia(modifier, value);
+			break;
+		case 1:
+			*reladdr = do_sign_ib(modifier, value);
+			break;
+		case 2:
+			*reladdr = do_sign_da(modifier, value);
+			break;
+		case 3:
+			*reladdr = do_sign_db(modifier, value);
+			break;
+	}
+	return 1;
+}
+
+int do_target_reloc(int type, uint64_t* reladdr, uint64_t base,
+					uint64_t symval, uint64_t addend)
+{
+	switch(type)
+	{
+		case R_AARCH64_AUTH_ABS64:
+			return do_pauth_reloc(reladdr, symval + addend);
+		case R_AARCH64_AUTH_RELATIVE:
+			return do_pauth_reloc(reladdr, base + addend);
+		default:
+			return 0;
+	}
+}
+
+static uint64_t dyn_value(uint64_t* dyn, uint64_t tag)
+{
+	while(*dyn)
+	{
+		if (*dyn == tag)
+			return dyn[1];
+		else
+			dyn += 2;
+	}
+	return 0;
+}
+
+void do_pauth_relr(uint64_t base, uint64_t* dyn)
+{
+	uint64_t* relr = (uint64_t*)dyn_value(dyn, DT_AARCH64_AUTH_RELR);
+	if (relr == 0)
+		return;
+	uint64_t relr_size = dyn_value(dyn, DT_AARCH64_AUTH_RELRSZ);
+	uint64_t relr_ent = dyn_value(dyn, DT_AARCH64_AUTH_RELRENT);
+	if (relr_ent != sizeof(uint64_t))
+		return;
+	uint64_t *reloc_addr;
+	for (; relr_size; relr++, relr_size-=relr_ent)
+		if ((relr[0]&1) == 0) {
+			reloc_addr = (uint64_t*)(base + relr[0]);
+			do_pauth_reloc(reloc_addr, base + (*reloc_addr & 0xFFFFFFFF));
+			reloc_addr++;
+		} else {
+			int i = 0;
+			for (uint64_t bitmap=relr[0]; (bitmap>>=1); i++)
+				if (bitmap&1) {
+					uint64_t val = base + (reloc_addr[i] & 0xFFFFFFFF);
+					do_pauth_reloc(&reloc_addr[i], val);
+				}
+			reloc_addr += 8*sizeof(uint64_t)-1;
+		}
+}
+
+#endif

From e245acecb2bac30b11d251bb64756f0110d12af6 Mon Sep 17 00:00:00 2001
From: Evgeny Leviant <eleviant@accesssoftek.com>
Date: Fri, 29 Sep 2023 09:56:54 +0300
Subject: [PATCH 02/16] Check PAuth ABI compatibility when loading DSO

TODO: do we need this to be done for vDSO as well?
---
 ldso/dynlink.c | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/ldso/dynlink.c b/ldso/dynlink.c
index f4232ad26..3d3132ea0 100644
--- a/ldso/dynlink.c
+++ b/ldso/dynlink.c
@@ -119,6 +119,7 @@ struct dso {
 		size_t *got;
 	} *funcdescs;
 	size_t *got;
+	size_t* pauth;
 	char buf[];
 };
 
@@ -707,6 +708,7 @@ static void *map_library(int fd, struct dso *dso)
 	unsigned char *map=MAP_FAILED, *base;
 	size_t dyn=0;
 	size_t tls_image=0;
+	size_t notes[8] = {};
 	size_t i;
 
 	ssize_t l = read(fd, buf, sizeof buf);
@@ -747,6 +749,13 @@ static void *map_library(int fd, struct dso *dso)
 					ph->p_memsz < DEFAULT_STACK_MAX ?
 					ph->p_memsz : DEFAULT_STACK_MAX;
 			}
+		} else if (ph->p_type == PT_NOTE && ph->p_memsz >= 32) {
+			for (unsigned in = 0; in < sizeof(notes)/sizeof(notes[0]); ++in) {
+				if (notes[in] == 0) {
+					notes[in] = ph->p_vaddr;
+					break;
+				}
+			}
 		}
 		if (ph->p_type != PT_LOAD) continue;
 		nsegs++;
@@ -868,6 +877,13 @@ static void *map_library(int fd, struct dso *dso)
 	dso->base = base;
 	dso->dynv = laddr(dso, dyn);
 	if (dso->tls.size) dso->tls.image = laddr(dso, tls_image);
+	for (unsigned in = 0; in < sizeof(notes)/sizeof(notes[0]) && notes[in]; ++in) {
+		uint32_t* pnote = laddr(dso, notes[in]);
+		if (pnote[2] == NT_GNU_ABI_TAG && !strncmp((char*)&pnote[3], "ARM", 4)) {
+			dso->pauth = (size_t*)&pnote[4];
+			break;
+		}
+	}
 	free(allocated_buf);
 	return map;
 noexec:
@@ -1060,6 +1076,16 @@ static void makefuncdescs(struct dso *p)
 	}
 }
 
+static int check_pauth_abi_compatible(struct dso* first, struct dso* second)
+{
+	if (first->pauth == second->pauth)
+		return 1;
+	if (first->pauth == 0 || second->pauth == 0)
+		return 0;
+	return first->pauth[0] == second->pauth[0] &&
+			first->pauth[1] == second->pauth[1];
+}
+
 static struct dso *load_library(const char *name, struct dso *needed_by)
 {
 	char buf[2*NAME_MAX+2];
@@ -1192,6 +1218,11 @@ static struct dso *load_library(const char *name, struct dso *needed_by)
 	close(fd);
 	if (!map) return 0;
 
+	if (!check_pauth_abi_compatible(head, &temp_dso)) {
+		dprintf(2, "incompatible PAuth ABI between %s and %s\n", head->name, name);
+		return 0;
+	}
+
 	/* Avoid the danger of getting two versions of libc mapped into the
 	 * same process when an absolute pathname was used. The symbols
 	 * checked are chosen to catch both musl and glibc, and to avoid

From 30c2c61a82eaf31daba69eb185d2b1348570455f Mon Sep 17 00:00:00 2001
From: Evgeny Leviant <eleviant@accesssoftek.com>
Date: Thu, 19 Oct 2023 16:00:42 +0300
Subject: [PATCH 03/16] Some fixes required to run llvm-testsuite with PAC
 enabled

- Do not check pointer signature before we are relocated
  as this might be a pointer to global.
- Sign function pointers returned from __vdsosym.
- Do not apply PAC relocs in __dls2, because we may need
  to do this second time in __dls3. We can't do this as
  we overwrite authentication scheme when applying relocs.
---
 arch/aarch64/reloc.h       | 14 +++++++++++---
 ldso/dynlink.c             | 14 +++++++++-----
 src/internal/vdso.c        |  9 ++++++++-
 src/ldso/aarch64/reloc.c   |  5 ++++-
 src/thread/aarch64/clone.s |  4 ++++
 5 files changed, 36 insertions(+), 10 deletions(-)

diff --git a/arch/aarch64/reloc.h b/arch/aarch64/reloc.h
index 1c529bf3e..a50a80281 100644
--- a/arch/aarch64/reloc.h
+++ b/arch/aarch64/reloc.h
@@ -24,12 +24,20 @@
 	"mov sp,%1 ; br %0" : : "r"(pc), "r"(sp) : "memory" )
 
 #ifdef MUSL_EXPERIMENTAL_PAC
-#define TARGET_RELOCATE(dso, type, reladdr, sym, addend) \
-  do_target_reloc(dso, type, reladdr, sym, addend)
+#define TARGET_RELOCATE(dso, type, reladdr, sym, addend, is_phase_2) \
+  do_target_reloc(dso, type, reladdr, sym, addend, is_phase_2)
 #define DO_TARGET_RELR(dso, dyn) do_pauth_relr(dso, dyn)
 
 int do_target_reloc(int type, uint64_t* reladdr, uint64_t base,
-		    uint64_t symval, uint64_t addend);
+		    uint64_t symval, uint64_t addend, int is_phase_2);
 
 void do_pauth_relr(uint64_t base, uint64_t* dyn);
+
+#define GETFUNCSYM(fp, sym, got) do { \
+	hidden void sym(); \
+	*(fp) = sym; } while(0)
+
+#define FPTR_CAST(fty, p) \
+  ((fty)__builtin_ptrauth_sign_unauthenticated((void*)(p), 0, 0))
+
 #endif
diff --git a/ldso/dynlink.c b/ldso/dynlink.c
index 3d3132ea0..5f9c9196e 100644
--- a/ldso/dynlink.c
+++ b/ldso/dynlink.c
@@ -53,6 +53,10 @@ static void (*error)(const char *, ...) = error_noop;
 #define DO_TARGET_RELR(...)
 #endif
 
+#ifndef FPTR_CAST
+#define FPTR_CAST(fty, p) ((fty)(p))
+#endif
+
 struct debug {
 	int ver;
 	void *head;
@@ -558,7 +562,7 @@ static void do_relocs(struct dso *dso, size_t *rel, size_t rel_size, size_t stri
 #endif
 			break;
 		default:
-			if (TARGET_RELOCATE(type, reloc_addr, (size_t)base, sym_val, addend))
+			if (TARGET_RELOCATE(type, reloc_addr, (size_t)base, sym_val, addend, head == &ldso))
 				break;
 			error("Error relocating %s: unsupported relocation type %d",
 				dso->name, type);
@@ -1529,7 +1533,7 @@ void __libc_exit_fini()
 		if (dyn[0] & (1<<DT_FINI_ARRAY)) {
 			size_t n = dyn[DT_FINI_ARRAYSZ]/sizeof(size_t);
 			size_t *fn = (size_t *)laddr(p, dyn[DT_FINI_ARRAY])+n;
-			while (n--) ((void (*)(void))*--fn)();
+			while (n--) FPTR_CAST(void (*)(void), (void*)*(--fn))();
 		}
 #ifndef NO_LEGACY_INITFINI
 		if ((dyn[0] & (1<<DT_FINI)) && dyn[DT_FINI])
@@ -1647,7 +1651,7 @@ static void do_init_fini(struct dso **queue)
 		if (dyn[0] & (1<<DT_INIT_ARRAY)) {
 			size_t n = dyn[DT_INIT_ARRAYSZ]/sizeof(size_t);
 			size_t *fn = laddr(p, dyn[DT_INIT_ARRAY]);
-			while (n--) ((void (*)(void))*fn++)();
+			while (n--) FPTR_CAST(void (*)(void), (void*)*fn++)();
 		}
 
 		pthread_mutex_lock(&init_fini_lock);
@@ -1806,7 +1810,7 @@ hidden void __dls2(unsigned char *base, size_t *sp)
 	 * load across the above relocation processing. */
 	struct symdef dls2b_def = find_sym(&ldso, "__dls2b", 0);
 	if (DL_FDPIC) ((stage3_func)&ldso.funcdescs[dls2b_def.sym-ldso.syms])(sp, auxv);
-	else ((stage3_func)laddr(&ldso, dls2b_def.sym->st_value))(sp, auxv);
+	else FPTR_CAST(stage3_func, laddr(&ldso, dls2b_def.sym->st_value))(sp, auxv);
 }
 
 /* Stage 2b sets up a valid thread pointer, which requires relocations
@@ -1830,7 +1834,7 @@ void __dls2b(size_t *sp, size_t *auxv)
 
 	struct symdef dls3_def = find_sym(&ldso, "__dls3", 0);
 	if (DL_FDPIC) ((stage3_func)&ldso.funcdescs[dls3_def.sym-ldso.syms])(sp, auxv);
-	else ((stage3_func)laddr(&ldso, dls3_def.sym->st_value))(sp, auxv);
+	else FPTR_CAST(stage3_func, laddr(&ldso, dls3_def.sym->st_value))(sp, auxv);
 }
 
 /* Stage 3 of the dynamic linker is called with the dynamic linker/libc
diff --git a/src/internal/vdso.c b/src/internal/vdso.c
index d46d32281..3e7ae7114 100644
--- a/src/internal/vdso.c
+++ b/src/internal/vdso.c
@@ -5,6 +5,7 @@
 #include <string.h>
 #include "libc.h"
 #include "syscall.h"
+#include "reloc.h"
 
 #ifdef VDSO_USEFUL
 
@@ -22,6 +23,10 @@ typedef Elf64_Verdef Verdef;
 typedef Elf64_Verdaux Verdaux;
 #endif
 
+#ifndef FPTR_CAST
+#define FPTR_CAST(fty, p) ((fty)(p))
+#endif
+
 static int checkver(Verdef *def, int vsym, const char *vername, char *strings)
 {
 	vsym &= 0x7fff;
@@ -84,7 +89,9 @@ void *__vdsosym(const char *vername, const char *name)
 		if (strcmp(name, strings+syms[i].st_name)) continue;
 		if (versym && !checkver(verdef, versym[i], vername, strings))
 			continue;
-		return (void *)(base + syms[i].st_value);
+		return (syms[i].st_info & 0xF) == STT_FUNC ?
+				FPTR_CAST(void*, base + syms[i].st_value) :
+				(void *)(base + syms[i].st_value);
 	}
 
 	return 0;
diff --git a/src/ldso/aarch64/reloc.c b/src/ldso/aarch64/reloc.c
index 7b741c365..c4e042a12 100644
--- a/src/ldso/aarch64/reloc.c
+++ b/src/ldso/aarch64/reloc.c
@@ -62,8 +62,11 @@ static int do_pauth_reloc(uint64_t* reladdr, uint64_t value)
 }
 
 int do_target_reloc(int type, uint64_t* reladdr, uint64_t base,
-					uint64_t symval, uint64_t addend)
+					uint64_t symval, uint64_t addend, int is_phase_2)
 {
+	// We don't process auth relocs until we load all dependencies
+	if (is_phase_2)
+		return 1;
 	switch(type)
 	{
 		case R_AARCH64_AUTH_ABS64:
diff --git a/src/thread/aarch64/clone.s b/src/thread/aarch64/clone.s
index e3c83395c..45102f8c1 100644
--- a/src/thread/aarch64/clone.s
+++ b/src/thread/aarch64/clone.s
@@ -25,6 +25,10 @@ __clone:
 	ret
 	// child
 1:	ldp x1,x0,[sp],#16
+#if MUSL_EXPERIMENTAL_PAC
+	blraaz x1
+#else
 	blr x1
+#endif
 	mov x8,#93 // SYS_exit
 	svc #0

From de66a6f7d00c72e1adb5655ea2d80a29b604a3e8 Mon Sep 17 00:00:00 2001
From: Daniil Kovalev <daniil@kovalev.website>
Date: Mon, 30 Oct 2023 01:16:10 +0300
Subject: [PATCH 04/16] Do not sign zero pointers when resolving relocations

---
 src/ldso/aarch64/reloc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/ldso/aarch64/reloc.c b/src/ldso/aarch64/reloc.c
index c4e042a12..9482322bf 100644
--- a/src/ldso/aarch64/reloc.c
+++ b/src/ldso/aarch64/reloc.c
@@ -36,6 +36,10 @@ static uint64_t do_sign_db(uint64_t modifier, uint64_t value)
 
 static int do_pauth_reloc(uint64_t* reladdr, uint64_t value)
 {
+	if (value == 0) {
+		*reladdr = 0;
+		return 1;
+	}
 	uint64_t schema = *reladdr;
 	unsigned discrim = (schema >> 32) & 0xFFFF;
 	int addr_div = schema >> 63;

From 31a20557f174d922cf78a930f54040a07359b49c Mon Sep 17 00:00:00 2001
From: Daniil Kovalev <daniil@kovalev.website>
Date: Mon, 30 Oct 2023 01:21:47 +0300
Subject: [PATCH 05/16] Support signed function pointers in init/fini arrays

---
 ldso/dynlink.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/ldso/dynlink.c b/ldso/dynlink.c
index 5f9c9196e..6928041e8 100644
--- a/ldso/dynlink.c
+++ b/ldso/dynlink.c
@@ -19,6 +19,9 @@
 #include <dlfcn.h>
 #include <semaphore.h>
 #include <sys/membarrier.h>
+#ifdef MUSL_EXPERIMENTAL_PAC_INIT_FINI
+#include <ptrauth.h>
+#endif
 #include "pthread_impl.h"
 #include "fork_impl.h"
 #include "dynlink.h"
@@ -1533,7 +1536,16 @@ void __libc_exit_fini()
 		if (dyn[0] & (1<<DT_FINI_ARRAY)) {
 			size_t n = dyn[DT_FINI_ARRAYSZ]/sizeof(size_t);
 			size_t *fn = (size_t *)laddr(p, dyn[DT_FINI_ARRAY])+n;
+#ifdef MUSL_EXPERIMENTAL_PAC_INIT_FINI
+			while (n--) {
+				ptrauth_auth_function(
+					(void (*)(void))*--fn,
+					ptrauth_key_asia,
+					__ptrauth_init_fini_discriminator)();
+			}
+#else
 			while (n--) FPTR_CAST(void (*)(void), (void*)*(--fn))();
+#endif
 		}
 #ifndef NO_LEGACY_INITFINI
 		if ((dyn[0] & (1<<DT_FINI)) && dyn[DT_FINI])
@@ -1651,7 +1663,16 @@ static void do_init_fini(struct dso **queue)
 		if (dyn[0] & (1<<DT_INIT_ARRAY)) {
 			size_t n = dyn[DT_INIT_ARRAYSZ]/sizeof(size_t);
 			size_t *fn = laddr(p, dyn[DT_INIT_ARRAY]);
+#ifdef MUSL_EXPERIMENTAL_PAC_INIT_FINI
+			while (n--) {
+				ptrauth_auth_function(
+					(void (*)(void))*fn++,
+					ptrauth_key_asia,
+					__ptrauth_init_fini_discriminator)();
+			}
+#else
 			while (n--) FPTR_CAST(void (*)(void), (void*)*fn++)();
+#endif
 		}
 
 		pthread_mutex_lock(&init_fini_lock);

From 51e94468e6642373e20201faab138a056863a686 Mon Sep 17 00:00:00 2001
From: Evgeny Leviant <eleviant@accesssoftek.com>
Date: Tue, 7 Nov 2023 16:22:39 +0300
Subject: [PATCH 06/16] Change ptrauth dynamic reloc values

See https://github.com/ARM-software/abi-aa/pull/227/commits/27491c9e63fd2054f829990376e6d782931a2f6f
---
 conf.sh                  | 6 ++++++
 src/ldso/aarch64/reloc.c | 4 ++--
 2 files changed, 8 insertions(+), 2 deletions(-)
 create mode 100755 conf.sh

diff --git a/conf.sh b/conf.sh
new file mode 100755
index 000000000..bb5bdb584
--- /dev/null
+++ b/conf.sh
@@ -0,0 +1,6 @@
+export CC=/usr/bin/clang
+
+TARGET=aarch64-linux-gnu
+export CFLAGS="-O0 --target=$TARGET -mcpu=cortex-a78c  -DMUSL_EXPERIMENTAL_PAC"
+export LDFLAGS="--target=$TARGET -fuse-ld=lld"
+./configure --enable-debug --host=$TARGET
diff --git a/src/ldso/aarch64/reloc.c b/src/ldso/aarch64/reloc.c
index 9482322bf..90284497f 100644
--- a/src/ldso/aarch64/reloc.c
+++ b/src/ldso/aarch64/reloc.c
@@ -3,8 +3,8 @@
 #include <stdint.h>
 #include "reloc.h"
 
-#define R_AARCH64_AUTH_ABS64 0xe100
-#define R_AARCH64_AUTH_RELATIVE 0xe200
+#define R_AARCH64_AUTH_ABS64 0x410
+#define R_AARCH64_AUTH_RELATIVE 0x411
 
 #define DT_AARCH64_AUTH_RELRSZ 0x70000011
 #define DT_AARCH64_AUTH_RELR 0x70000012

From 99df7d211fe1ccabbe527b98a9fecd7cead3abaa Mon Sep 17 00:00:00 2001
From: Daniil Kovalev <daniil@kovalev.website>
Date: Thu, 9 Nov 2023 03:15:10 +0300
Subject: [PATCH 07/16] [PAC] Use `__has_feature` macro instead of custom ones

---
 arch/aarch64/reloc.h       | 2 +-
 ldso/dynlink.c             | 6 +++---
 src/ldso/aarch64/reloc.c   | 2 +-
 src/thread/aarch64/clone.s | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/arch/aarch64/reloc.h b/arch/aarch64/reloc.h
index a50a80281..f910c9325 100644
--- a/arch/aarch64/reloc.h
+++ b/arch/aarch64/reloc.h
@@ -23,7 +23,7 @@
 #define CRTJMP(pc,sp) __asm__ __volatile__( \
 	"mov sp,%1 ; br %0" : : "r"(pc), "r"(sp) : "memory" )
 
-#ifdef MUSL_EXPERIMENTAL_PAC
+#if __has_feature(ptrauth_calls)
 #define TARGET_RELOCATE(dso, type, reladdr, sym, addend, is_phase_2) \
   do_target_reloc(dso, type, reladdr, sym, addend, is_phase_2)
 #define DO_TARGET_RELR(dso, dyn) do_pauth_relr(dso, dyn)
diff --git a/ldso/dynlink.c b/ldso/dynlink.c
index 6928041e8..7590c9c55 100644
--- a/ldso/dynlink.c
+++ b/ldso/dynlink.c
@@ -19,7 +19,7 @@
 #include <dlfcn.h>
 #include <semaphore.h>
 #include <sys/membarrier.h>
-#ifdef MUSL_EXPERIMENTAL_PAC_INIT_FINI
+#if __has_feature(ptrauth_init_fini)
 #include <ptrauth.h>
 #endif
 #include "pthread_impl.h"
@@ -1536,7 +1536,7 @@ void __libc_exit_fini()
 		if (dyn[0] & (1<<DT_FINI_ARRAY)) {
 			size_t n = dyn[DT_FINI_ARRAYSZ]/sizeof(size_t);
 			size_t *fn = (size_t *)laddr(p, dyn[DT_FINI_ARRAY])+n;
-#ifdef MUSL_EXPERIMENTAL_PAC_INIT_FINI
+#if __has_feature(ptrauth_init_fini)
 			while (n--) {
 				ptrauth_auth_function(
 					(void (*)(void))*--fn,
@@ -1663,7 +1663,7 @@ static void do_init_fini(struct dso **queue)
 		if (dyn[0] & (1<<DT_INIT_ARRAY)) {
 			size_t n = dyn[DT_INIT_ARRAYSZ]/sizeof(size_t);
 			size_t *fn = laddr(p, dyn[DT_INIT_ARRAY]);
-#ifdef MUSL_EXPERIMENTAL_PAC_INIT_FINI
+#if __has_feature(ptrauth_init_fini)
 			while (n--) {
 				ptrauth_auth_function(
 					(void (*)(void))*fn++,
diff --git a/src/ldso/aarch64/reloc.c b/src/ldso/aarch64/reloc.c
index 90284497f..525658ba4 100644
--- a/src/ldso/aarch64/reloc.c
+++ b/src/ldso/aarch64/reloc.c
@@ -1,4 +1,4 @@
-#ifdef MUSL_EXPERIMENTAL_PAC
+#if __has_feature(ptrauth_calls)
 
 #include <stdint.h>
 #include "reloc.h"
diff --git a/src/thread/aarch64/clone.s b/src/thread/aarch64/clone.s
index 45102f8c1..f094612cd 100644
--- a/src/thread/aarch64/clone.s
+++ b/src/thread/aarch64/clone.s
@@ -25,7 +25,7 @@ __clone:
 	ret
 	// child
 1:	ldp x1,x0,[sp],#16
-#if MUSL_EXPERIMENTAL_PAC
+#if __has_feature(ptrauth_calls)
 	blraaz x1
 #else
 	blr x1

From 2cb2d9f00cc3ac9aa913abcb1d8689c896f5b38f Mon Sep 17 00:00:00 2001
From: Daniil Kovalev <daniil@kovalev.website>
Date: Thu, 9 Nov 2023 03:15:45 +0300
Subject: [PATCH 08/16] [PAC] Update R_AARCH64_AUTH_ABS64 reloc ID

---
 src/ldso/aarch64/reloc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ldso/aarch64/reloc.c b/src/ldso/aarch64/reloc.c
index 525658ba4..240f5f652 100644
--- a/src/ldso/aarch64/reloc.c
+++ b/src/ldso/aarch64/reloc.c
@@ -3,7 +3,7 @@
 #include <stdint.h>
 #include "reloc.h"
 
-#define R_AARCH64_AUTH_ABS64 0x410
+#define R_AARCH64_AUTH_ABS64 0x244
 #define R_AARCH64_AUTH_RELATIVE 0x411
 
 #define DT_AARCH64_AUTH_RELRSZ 0x70000011

From 77e7b7fa65eea7406ca04e9b78cb4744d0d55fdd Mon Sep 17 00:00:00 2001
From: Daniil Kovalev <daniil@kovalev.website>
Date: Sun, 14 Apr 2024 23:10:46 +0300
Subject: [PATCH 09/16] [PAC] Support signed GOT and PLT GOT

---
 arch/aarch64/reloc.h     |  8 ++++----
 ldso/dynlink.c           |  3 ++-
 src/ldso/aarch64/reloc.c | 20 +++++++++++++++++++-
 3 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/arch/aarch64/reloc.h b/arch/aarch64/reloc.h
index f910c9325..b931cf82d 100644
--- a/arch/aarch64/reloc.h
+++ b/arch/aarch64/reloc.h
@@ -24,12 +24,12 @@
 	"mov sp,%1 ; br %0" : : "r"(pc), "r"(sp) : "memory" )
 
 #if __has_feature(ptrauth_calls)
-#define TARGET_RELOCATE(dso, type, reladdr, sym, addend, is_phase_2) \
-  do_target_reloc(dso, type, reladdr, sym, addend, is_phase_2)
+#define TARGET_RELOCATE(dso, type, reladdr, sym, addend, is_phase_2, error_sym) \
+  do_target_reloc(dso, type, reladdr, sym, addend, is_phase_2, error_sym)
 #define DO_TARGET_RELR(dso, dyn) do_pauth_relr(dso, dyn)
 
-int do_target_reloc(int type, uint64_t* reladdr, uint64_t base,
-		    uint64_t symval, uint64_t addend, int is_phase_2);
+int do_target_reloc(int type, uint64_t* reladdr, uint64_t base, uint64_t symval,
+                    uint64_t addend, int is_phase_2, uint64_t error_sym);
 
 void do_pauth_relr(uint64_t base, uint64_t* dyn);
 
diff --git a/ldso/dynlink.c b/ldso/dynlink.c
index 7590c9c55..7bdd02978 100644
--- a/ldso/dynlink.c
+++ b/ldso/dynlink.c
@@ -485,6 +485,7 @@ static void do_relocs(struct dso *dso, size_t *rel, size_t rel_size, size_t stri
 		case REL_GOT:
 		case REL_PLT:
 			*reloc_addr = sym_val + addend;
+			TARGET_RELOCATE(type, reloc_addr, (size_t)base, sym_val, addend, head == &ldso, (uint64_t)error);
 			break;
 		case REL_USYMBOLIC:
 			memcpy(reloc_addr, &(size_t){sym_val + addend}, sizeof(size_t));
@@ -565,7 +566,7 @@ static void do_relocs(struct dso *dso, size_t *rel, size_t rel_size, size_t stri
 #endif
 			break;
 		default:
-			if (TARGET_RELOCATE(type, reloc_addr, (size_t)base, sym_val, addend, head == &ldso))
+			if (TARGET_RELOCATE(type, reloc_addr, (size_t)base, sym_val, addend, head == &ldso, (uint64_t)error))
 				break;
 			error("Error relocating %s: unsupported relocation type %d",
 				dso->name, type);
diff --git a/src/ldso/aarch64/reloc.c b/src/ldso/aarch64/reloc.c
index 240f5f652..47af5474a 100644
--- a/src/ldso/aarch64/reloc.c
+++ b/src/ldso/aarch64/reloc.c
@@ -4,8 +4,12 @@
 #include "reloc.h"
 
 #define R_AARCH64_AUTH_ABS64 0x244
+// Define R_AARCH64_JUMP_SLOT manually to avoid including elf.h
+#define R_AARCH64_JUMP_SLOT 0x402
 #define R_AARCH64_AUTH_RELATIVE 0x411
+#define R_AARCH64_AUTH_GLOB_DAT 0xe201
 
+#define DT_AARCH64_PAC_PLT 0x70000003
 #define DT_AARCH64_AUTH_RELRSZ 0x70000011
 #define DT_AARCH64_AUTH_RELR 0x70000012
 #define DT_AARCH64_AUTH_RELRENT 0x70000013
@@ -66,11 +70,25 @@ static int do_pauth_reloc(uint64_t* reladdr, uint64_t value)
 }
 
 int do_target_reloc(int type, uint64_t* reladdr, uint64_t base,
-					uint64_t symval, uint64_t addend, int is_phase_2)
+                    uint64_t symval, uint64_t addend, int is_phase_2, uint64_t error_sym)
 {
+	if (type == R_AARCH64_JUMP_SLOT) {
+		*reladdr = do_sign_ia((uint64_t)reladdr, *reladdr);
+		return 1;
+	}
+	if (type == R_AARCH64_AUTH_GLOB_DAT) {
+		// is_phase_2 is not applicable here
+		// FIXME: number of bits for address might be different
+		if ((*reladdr & 0xffffffffffffull) == 0)
+			return do_pauth_reloc(reladdr, symval + addend);
+		return 1;
+	}
 	// We don't process auth relocs until we load all dependencies
 	if (is_phase_2)
 		return 1;
+	// FIXME a horrible hack; we set error = error_impl in __dls3 manually
+	if (*reladdr == error_sym)
+		return 1;
 	switch(type)
 	{
 		case R_AARCH64_AUTH_ABS64:

From a32e4deaa53500bb71837ac57315c1f01364e9be Mon Sep 17 00:00:00 2001
From: Daniil Kovalev <daniil@kovalev.website>
Date: Mon, 22 Jul 2024 20:38:11 +0300
Subject: [PATCH 10/16] [PAC] Support addr discr for init/fini pointers

---
 ldso/dynlink.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/ldso/dynlink.c b/ldso/dynlink.c
index 7bdd02978..223b5bc07 100644
--- a/ldso/dynlink.c
+++ b/ldso/dynlink.c
@@ -1542,7 +1542,11 @@ void __libc_exit_fini()
 				ptrauth_auth_function(
 					(void (*)(void))*--fn,
 					ptrauth_key_asia,
+#if __has_feature(ptrauth_init_fini_address_discrimination)
+					ptrauth_blend_discriminator(fn, __ptrauth_init_fini_discriminator))();
+#else
 					__ptrauth_init_fini_discriminator)();
+#endif
 			}
 #else
 			while (n--) FPTR_CAST(void (*)(void), (void*)*(--fn))();
@@ -1667,9 +1671,14 @@ static void do_init_fini(struct dso **queue)
 #if __has_feature(ptrauth_init_fini)
 			while (n--) {
 				ptrauth_auth_function(
-					(void (*)(void))*fn++,
+					(void (*)(void))*fn,
 					ptrauth_key_asia,
+#if __has_feature(ptrauth_init_fini_address_discrimination)
+					ptrauth_blend_discriminator(fn, __ptrauth_init_fini_discriminator))();
+#else
 					__ptrauth_init_fini_discriminator)();
+#endif
+				++fn;
 			}
 #else
 			while (n--) FPTR_CAST(void (*)(void), (void*)*fn++)();

From 7d7e4e70c7cd36a594e8656c45f4e8f92deb1491 Mon Sep 17 00:00:00 2001
From: Daniil Kovalev <daniil@kovalev.website>
Date: Mon, 29 Jul 2024 16:13:53 +0300
Subject: [PATCH 11/16] [PAC] Support R_AARCH64_AUTH_TLSDESC reloc

---
 arch/aarch64/reloc.h                      |  6 ++++++
 ldso/dynlink.c                            |  7 ++++++
 src/ldso/aarch64/{tlsdesc.s => tlsdesc.S} | 26 +++++++++++++++++++++++
 3 files changed, 39 insertions(+)
 rename src/ldso/aarch64/{tlsdesc.s => tlsdesc.S} (65%)

diff --git a/arch/aarch64/reloc.h b/arch/aarch64/reloc.h
index b931cf82d..3eb1ac331 100644
--- a/arch/aarch64/reloc.h
+++ b/arch/aarch64/reloc.h
@@ -18,7 +18,13 @@
 #define REL_DTPMOD      R_AARCH64_TLS_DTPMOD64
 #define REL_DTPOFF      R_AARCH64_TLS_DTPREL64
 #define REL_TPOFF       R_AARCH64_TLS_TPREL64
+
+#if __has_feature(ptrauth_elf_got)
+#define R_AARCH64_AUTH_TLSDESC 0xe202
+#define REL_TLSDESC     R_AARCH64_AUTH_TLSDESC
+#else
 #define REL_TLSDESC     R_AARCH64_TLSDESC
+#endif
 
 #define CRTJMP(pc,sp) __asm__ __volatile__( \
 	"mov sp,%1 ; br %0" : : "r"(pc), "r"(sp) : "memory" )
diff --git a/ldso/dynlink.c b/ldso/dynlink.c
index 223b5bc07..6d9d38b88 100644
--- a/ldso/dynlink.c
+++ b/ldso/dynlink.c
@@ -563,6 +563,13 @@ static void do_relocs(struct dso *dso, size_t *rel, size_t rel_size, size_t stri
 			size_t tmp = reloc_addr[0];
 			reloc_addr[0] = reloc_addr[1];
 			reloc_addr[1] = tmp;
+#endif
+#if __has_feature(ptrauth_elf_got)
+			/* FIXME: actually, signing scheme is written in-place, and we should read and use that.
+			 * However, the scheme is known (IA key + addr div for function and DA key + addr div for data).
+			 * So, we just hard-code that. */
+			reloc_addr[0] = (size_t)(__builtin_ptrauth_auth_and_resign((void*)(reloc_addr[0]), 0, 0, 0, (size_t)(reloc_addr)));
+			reloc_addr[1] = (size_t)(__builtin_ptrauth_sign_unauthenticated((void*)(reloc_addr[1]), 2, (size_t)(reloc_addr) + 8));
 #endif
 			break;
 		default:
diff --git a/src/ldso/aarch64/tlsdesc.s b/src/ldso/aarch64/tlsdesc.S
similarity index 65%
rename from src/ldso/aarch64/tlsdesc.s
rename to src/ldso/aarch64/tlsdesc.S
index c6c685b3d..890503f34 100644
--- a/src/ldso/aarch64/tlsdesc.s
+++ b/src/ldso/aarch64/tlsdesc.S
@@ -6,7 +6,20 @@
 .hidden __tlsdesc_static
 .type __tlsdesc_static,@function
 __tlsdesc_static:
+#if __has_feature(ptrauth_elf_got)
+	add   x17,x0,8
+	ldr   x16,[x17]
+	autda x16,x17
+	mov   x17,x16
+	xpacd x17
+	cmp   x16,x17
+	b.eq  .Lauth_success_0
+	brk   #0xc472
+.Lauth_success_0:
+	mov   x0,x16
+#else
 	ldr x0,[x0,#8]
+#endif
 	ret
 
 // size_t __tlsdesc_dynamic(size_t *a)
@@ -21,7 +34,20 @@ __tlsdesc_static:
 __tlsdesc_dynamic:
 	stp x1,x2,[sp,#-16]!
 	mrs x1,tpidr_el0      // tp
+#if __has_feature(ptrauth_elf_got)
+	add   x17,x0,8
+	ldr   x16,[x17]
+	autda x16,x17
+	mov   x17,x16
+	xpacd x17
+	cmp   x16,x17
+	b.eq  .Lauth_success_1
+	brk   #0xc472
+.Lauth_success_1:
+	mov   x0,x16
+#else
 	ldr x0,[x0,#8]        // p
+#endif
 	ldp x0,x2,[x0]        // p->modidx, p->off
 	sub x2,x2,x1          // p->off - tp
 	ldr x1,[x1,#-8]       // dtv

From 9525be8f32f66d631106bf917c3b224c9cc87070 Mon Sep 17 00:00:00 2001
From: Daniil Kovalev <daniil@kovalev.website>
Date: Thu, 12 Sep 2024 19:27:51 +0300
Subject: [PATCH 12/16] [PAC] Rename src/thread/aarch64/clone.s to clone.S to
 allow preprocessing

We use `#if __has_feature(ptrauth_calls)` there.
---
 src/thread/aarch64/{clone.s => clone.S} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename src/thread/aarch64/{clone.s => clone.S} (100%)

diff --git a/src/thread/aarch64/clone.s b/src/thread/aarch64/clone.S
similarity index 100%
rename from src/thread/aarch64/clone.s
rename to src/thread/aarch64/clone.S

From 04447ad4b92f664a636abb62d1663d81f16b28a4 Mon Sep 17 00:00:00 2001
From: Daniil Kovalev <daniil@kovalev.website>
Date: Thu, 26 Sep 2024 16:55:08 +0300
Subject: [PATCH 13/16] [AArch64] Handle TLSDESC relocs against undefined weak
 symbols properly

---
 ldso/dynlink.c             | 6 ++++++
 src/internal/dynlink.h     | 2 +-
 src/ldso/aarch64/tlsdesc.S | 9 +++++++++
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/ldso/dynlink.c b/ldso/dynlink.c
index 6d9d38b88..efd1f96b5 100644
--- a/ldso/dynlink.c
+++ b/ldso/dynlink.c
@@ -533,6 +533,12 @@ static void do_relocs(struct dso *dso, size_t *rel, size_t rel_size, size_t stri
 #endif
 		case REL_TLSDESC:
 			if (stride<3) addend = reloc_addr[1];
+#ifdef __aarch64__
+			if (sym && sym->st_info>>4 == STB_WEAK && sym->st_shndx == SHN_UNDEF) {
+				reloc_addr[0] = (size_t)__tlsdesc_undef_weak;
+				reloc_addr[1] = 0;
+			} else
+#endif
 			if (def.dso->tls_id > static_tls_cnt) {
 				struct td_index *new = malloc(sizeof *new);
 				if (!new) {
diff --git a/src/internal/dynlink.h b/src/internal/dynlink.h
index 06f41d098..a24df809e 100644
--- a/src/internal/dynlink.h
+++ b/src/internal/dynlink.h
@@ -107,7 +107,7 @@ hidden void __dl_seterr(const char *, ...);
 hidden int __dl_invalid_handle(void *);
 hidden void __dl_vseterr(const char *, va_list);
 
-hidden ptrdiff_t __tlsdesc_static(), __tlsdesc_dynamic();
+hidden ptrdiff_t __tlsdesc_static(), __tlsdesc_dynamic(), __tlsdesc_undef_weak();
 
 hidden extern int __malloc_replaced;
 hidden extern int __aligned_alloc_replaced;
diff --git a/src/ldso/aarch64/tlsdesc.S b/src/ldso/aarch64/tlsdesc.S
index 890503f34..02c959c8d 100644
--- a/src/ldso/aarch64/tlsdesc.S
+++ b/src/ldso/aarch64/tlsdesc.S
@@ -55,3 +55,12 @@ __tlsdesc_dynamic:
 	add x0,x1,x2          // dtv[p->modidx] + p->off - tp
 	ldp x1,x2,[sp],#16
 	ret
+
+.global __tlsdesc_undef_weak
+.hidden __tlsdesc_undef_weak
+.type __tlsdesc_undef_weak,@function
+__tlsdesc_undef_weak:
+	mov x0, #0
+	mrs x8, TPIDR_EL0
+	sub x0, x0, x8
+	ret

From 7035b34cdee3a6547930dcfbdff05fe5f1af010c Mon Sep 17 00:00:00 2001
From: Daniil Kovalev <daniil@kovalev.website>
Date: Mon, 7 Oct 2024 07:24:15 +0300
Subject: [PATCH 14/16] [PAC] Fix passing control flow to restore function
 after signal handler

Previously, the pointer was signed two times, and authenticated only
once.
---
 src/signal/sigaction.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/signal/sigaction.c b/src/signal/sigaction.c
index e45308fae..e598a7a3d 100644
--- a/src/signal/sigaction.c
+++ b/src/signal/sigaction.c
@@ -48,6 +48,9 @@ int __libc_sigaction(int sig, const struct sigaction *restrict sa, struct sigact
 #ifdef SA_RESTORER
 		ksa.flags |= SA_RESTORER;
 		ksa.restorer = (sa->sa_flags & SA_SIGINFO) ? __restore_rt : __restore;
+#if __has_feature(ptrauth_calls)
+		ksa.restorer = __builtin_ptrauth_strip(ksa.restorer, 0);
+#endif
 #endif
 		memcpy(&ksa.mask, &sa->sa_mask, _NSIG/8);
 	}

From ac023bf0dedaa74c8cd9b594460a2bae9197888d Mon Sep 17 00:00:00 2001
From: Daniil Kovalev <daniil@kovalev.website>
Date: Tue, 25 Mar 2025 20:07:56 +0300
Subject: [PATCH 15/16] Sign result of `R_AARCH64_JUMP_SLOT` only when
 `DT_AARCH64_PAC_PLT` present

Previously, it was signed unconditionally w/o taking the dynamic tag into
account (only `__has_feature(ptrauth_calls)` was checked by preprocessor).

See also specification:
https://github.com/ARM-software/abi-aa/blob/main/pauthabielf64/pauthabielf64.rst#recording-a-signed-plt-got-in-the-elf-file
---
 arch/aarch64/reloc.h     |  6 +++---
 ldso/dynlink.c           |  4 ++--
 src/ldso/aarch64/reloc.c | 17 +++++++++++++++--
 3 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/arch/aarch64/reloc.h b/arch/aarch64/reloc.h
index 3eb1ac331..a1760abe5 100644
--- a/arch/aarch64/reloc.h
+++ b/arch/aarch64/reloc.h
@@ -30,12 +30,12 @@
 	"mov sp,%1 ; br %0" : : "r"(pc), "r"(sp) : "memory" )
 
 #if __has_feature(ptrauth_calls)
-#define TARGET_RELOCATE(dso, type, reladdr, sym, addend, is_phase_2, error_sym) \
-  do_target_reloc(dso, type, reladdr, sym, addend, is_phase_2, error_sym)
+#define TARGET_RELOCATE(dso, type, reladdr, sym, addend, is_phase_2, dyn, error_sym) \
+  do_target_reloc(dso, type, reladdr, sym, addend, is_phase_2, dyn, error_sym)
 #define DO_TARGET_RELR(dso, dyn) do_pauth_relr(dso, dyn)
 
 int do_target_reloc(int type, uint64_t* reladdr, uint64_t base, uint64_t symval,
-                    uint64_t addend, int is_phase_2, uint64_t error_sym);
+                    uint64_t addend, int is_phase_2, uint64_t* dyn, uint64_t error_sym);
 
 void do_pauth_relr(uint64_t base, uint64_t* dyn);
 
diff --git a/ldso/dynlink.c b/ldso/dynlink.c
index efd1f96b5..b6541eddf 100644
--- a/ldso/dynlink.c
+++ b/ldso/dynlink.c
@@ -485,7 +485,7 @@ static void do_relocs(struct dso *dso, size_t *rel, size_t rel_size, size_t stri
 		case REL_GOT:
 		case REL_PLT:
 			*reloc_addr = sym_val + addend;
-			TARGET_RELOCATE(type, reloc_addr, (size_t)base, sym_val, addend, head == &ldso, (uint64_t)error);
+			TARGET_RELOCATE(type, reloc_addr, (size_t)base, sym_val, addend, head == &ldso, dso->dynv, (uint64_t)error);
 			break;
 		case REL_USYMBOLIC:
 			memcpy(reloc_addr, &(size_t){sym_val + addend}, sizeof(size_t));
@@ -579,7 +579,7 @@ static void do_relocs(struct dso *dso, size_t *rel, size_t rel_size, size_t stri
 #endif
 			break;
 		default:
-			if (TARGET_RELOCATE(type, reloc_addr, (size_t)base, sym_val, addend, head == &ldso, (uint64_t)error))
+			if (TARGET_RELOCATE(type, reloc_addr, (size_t)base, sym_val, addend, head == &ldso, dso->dynv, (uint64_t)error))
 				break;
 			error("Error relocating %s: unsupported relocation type %d",
 				dso->name, type);
diff --git a/src/ldso/aarch64/reloc.c b/src/ldso/aarch64/reloc.c
index 47af5474a..dd216d96e 100644
--- a/src/ldso/aarch64/reloc.c
+++ b/src/ldso/aarch64/reloc.c
@@ -69,10 +69,23 @@ static int do_pauth_reloc(uint64_t* reladdr, uint64_t value)
 	return 1;
 }
 
+static int has_dyn_tag(uint64_t* dyn, uint64_t tag)
+{
+	while(*dyn)
+	{
+		if (*dyn == tag)
+			return 1;
+		else
+			dyn += 2;
+	}
+	return 0;
+}
+
 int do_target_reloc(int type, uint64_t* reladdr, uint64_t base,
-                    uint64_t symval, uint64_t addend, int is_phase_2, uint64_t error_sym)
+                    uint64_t symval, uint64_t addend, int is_phase_2,
+                    uint64_t* dyn, uint64_t error_sym)
 {
-	if (type == R_AARCH64_JUMP_SLOT) {
+	if (type == R_AARCH64_JUMP_SLOT && has_dyn_tag(dyn, DT_AARCH64_PAC_PLT)) {
 		*reladdr = do_sign_ia((uint64_t)reladdr, *reladdr);
 		return 1;
 	}

From 5d84f20e3234b98c1053cb439f71af686a38f11f Mon Sep 17 00:00:00 2001
From: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
Date: Thu, 26 Jun 2025 14:52:45 +0300
Subject: [PATCH 16/16] Add pac-ret hardening to _init and _fini (#4)

Ideally, this should be conditional on whether ptrauth_returns is
requested and which key is used, but this patch still should be safe as
PACIASP and AUTIASP are encoded as HINT and both prologue and epilogue
use the same IA key.

Note that even if .init_array and .fini_array are actually used,
_init and _fini functions are statically linked into every executable,
thus this patch is a natural way to silence multiple warnings reported
by PAuth gadget scanner for every executable.
---
 crt/aarch64/crti.s | 2 ++
 crt/aarch64/crtn.s | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/crt/aarch64/crti.s b/crt/aarch64/crti.s
index 775df0ac0..5c16d50ba 100644
--- a/crt/aarch64/crti.s
+++ b/crt/aarch64/crti.s
@@ -2,6 +2,7 @@
 .global _init
 .type _init,%function
 _init:
+	paciasp
 	stp x29,x30,[sp,-16]!
 	mov x29,sp
 
@@ -9,5 +10,6 @@ _init:
 .global _fini
 .type _fini,%function
 _fini:
+	paciasp
 	stp x29,x30,[sp,-16]!
 	mov x29,sp
diff --git a/crt/aarch64/crtn.s b/crt/aarch64/crtn.s
index 73cab6926..4da1882ac 100644
--- a/crt/aarch64/crtn.s
+++ b/crt/aarch64/crtn.s
@@ -1,7 +1,9 @@
 .section .init
 	ldp x29,x30,[sp],#16
+	autiasp
 	ret
 
 .section .fini
 	ldp x29,x30,[sp],#16
+	autiasp
 	ret