This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lldb/tools/debugserver/source/
-
tools/
-
debugserver/
-
source/
-
DNB.h
1
DNB.cpp
-
MacOSX/arm64/
-
arm64/
1
DNBArchImplARM64.cpp
-
RNBRemote.cpp

Differential D136620

Change how debugserver clears auth bits from pc/fp/sp/lr with thread_get_state on Darwin
ClosedPublic

Authored by jasonmolenda on Oct 24 2022, 10:02 AM.

Download Raw Diff

Details

Reviewers

JDevlieghere

Commits

rG256c16e8f4e4: Change debugserver to clear PAC auth bits manually

Summary

When debugserver thread_get_state/thread_set_state's registers from an inferior, if the inferior is arm64e, debugserver must also be built arm64e, and debugserver passes the values through a series of macros provided by the kernel to authorize & clear auth bits off of the values that thread_get_state provides. When the inferior process has crashed -- jumping through an improperly signed function pointer, or jumped to invalid memory, the pc value will fail to authenticate in these kernel macros. On M2 era Mac hardware, this auth failure results in debugserver crashing.

We don't need to authenticate sp/pc/fp/lr, we only need to clear the auth bits from the address values. This patch replaces the kernel macro accesses after thread_get_state to do that. The macros like __darwin_arm_thread_state64_get_pc() are gated on __has_feature(ptrauth_calls) && defined(__LP64__), and in the case where we have ptrauth_calls, the register context structure in <mach/arm/_structs.h> are void * instead of uint64_t, so I needed to add a reinterpret cast of those values before clearing them.

It would probably be better to move my checks of __has_feature(ptrauth_calls) && defined(__LP64__) into this clear_pac_bits() function and call it unconditionally, instead of testing at all of the caller sites. (these two tests are distinguishing between arm64_32 v. arm64 v. arm64e)

In the case of thread_set_state, we will still use the kernel provided macros -- in this case, we are passing unsigned addresses and the signing will never fail.

With this patch, we still trigger the warning that the program has halted because of a PAC auth failure and show the most relevant pc value to explain it; no change in behavior there.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

jasonmolenda created this revision.Oct 24 2022, 10:02 AM

Herald added a project: Restricted Project. · View Herald TranscriptOct 24 2022, 10:02 AM

Herald added a subscriber: kristof.beyls. · View Herald Transcript

jasonmolenda requested review of this revision.Oct 24 2022, 10:02 AM

Herald added a subscriber: lldb-commits. · View Herald TranscriptOct 24 2022, 10:02 AM

Harbormaster completed remote builds in B193972: Diff 470197.Oct 24 2022, 10:05 AM

JDevlieghere added inline comments.Oct 24 2022, 10:28 AM

lldb/tools/debugserver/source/DNB.cpp
1830–1837	A more C++ and thread safe way of doing this is: static std::once_flag g_once_flag; std::call_once(g_once_flag, [&](){ size_t len = sizeof(uint32_t); if (::sysctlbyname("machdep.virtual_address_size", &g_addressing_bits, &len, NULL, 0) != 0) { g_addressing_bits = 0; } }
1840–1843	return g_addressing_bits > 0
lldb/tools/debugserver/source/MacOSX/arm64/DNBArchImplARM64.cpp
98–100	Doesn't `DNBGetAddressingBits` already cover the case of `addressing_bits` being `0`? Why not have `DNBGetAddressingBits` return the addressing bits and do the check here?

Update patch to address Jonas' comments -- using a std::call_once to initialize the number of addressing bits, and making the return clearer.

Harbormaster completed remote builds in B194038: Diff 470298.Oct 24 2022, 3:02 PM

LGTM

This revision is now accepted and ready to land.Oct 25 2022, 8:25 AM

Closed by commit rG256c16e8f4e4: Change debugserver to clear PAC auth bits manually (authored by jasonmolenda). · Explain WhyOct 25 2022, 1:49 PM

This revision was automatically updated to reflect the committed changes.

jasonmolenda added a commit: rG256c16e8f4e4: Change debugserver to clear PAC auth bits manually.

jasonmolenda mentioned this in D140067: Fix an ASAN bug I introduced in debugserver, accessing off the end of an array intentionally.Dec 14 2022, 4:21 PM

GitHub <noreply@github.com> mentioned this in rGb7961f2cb975: [lldb] [debugserver] Preserve signing bits on lr in debugserver (#67384).Sep 25 2023, 5:02 PM

Revision Contents

Path

Size

lldb/

tools/

debugserver/

source/

DNB.h

2 lines

DNB.cpp

16 lines

MacOSX/

arm64/

DNBArchImplARM64.cpp

76 lines

RNBRemote.cpp

20 lines

Diff 470609

lldb/tools/debugserver/source/DNB.h

Show First 20 Lines • Show All 239 Lines • ▼ Show 20 Lines	nub_bool_t DNBResolveExecutablePath(const char path, char resolved_path,
size_t resolved_path_size);		size_t resolved_path_size);
bool DNBGetOSVersionNumbers(uint64_t major, uint64_t minor, uint64_t *patch);		bool DNBGetOSVersionNumbers(uint64_t major, uint64_t minor, uint64_t *patch);
/// \return the iOSSupportVersion of the host OS.		/// \return the iOSSupportVersion of the host OS.
std::string DNBGetMacCatalystVersionString();		std::string DNBGetMacCatalystVersionString();

/// \return true if debugserver is running in translation		/// \return true if debugserver is running in translation
/// (is an x86_64 process on arm64)		/// (is an x86_64 process on arm64)
bool DNBDebugserverIsTranslated();		bool DNBDebugserverIsTranslated();

		bool DNBGetAddressingBits(uint32_t &addressing_bits);
#endif		#endif

lldb/tools/debugserver/source/DNB.cpp

	Show First 20 Lines • Show All 1,818 Lines • ▼ Show 20 Lines

	bool DNBDebugserverIsTranslated() {			bool DNBDebugserverIsTranslated() {
	int ret = 0;			int ret = 0;
	size_t size = sizeof(ret);			size_t size = sizeof(ret);
	if (sysctlbyname("sysctl.proc_translated", &ret, &size, NULL, 0) == -1)			if (sysctlbyname("sysctl.proc_translated", &ret, &size, NULL, 0) == -1)
	return false;			return false;
	return ret == 1;			return ret == 1;
	}			}

				bool DNBGetAddressingBits(uint32_t &addressing_bits) {
				static uint32_t g_addressing_bits = 0;
				static std::once_flag g_once_flag;
				std::call_once(g_once_flag, [&](){
				size_t len = sizeof(uint32_t);
				if (::sysctlbyname("machdep.virtual_address_size", &g_addressing_bits, &len,
				NULL, 0) != 0) {
				g_addressing_bits = 0;
				}
				}
				JDevlieghereUnsubmitted Not Done Reply Inline Actions A more C++ and thread safe way of doing this is: static std::once_flag g_once_flag; std::call_once(g_once_flag, [&](){ size_t len = sizeof(uint32_t); if (::sysctlbyname("machdep.virtual_address_size", &g_addressing_bits, &len, NULL, 0) != 0) { g_addressing_bits = 0; } } JDevlieghere: A more C++ and thread safe way of doing this is: ``` static std::once_flag g_once_flag; std…

				addressing_bits = g_addressing_bits;

				return addressing_bits > 0;
				}

lldb/tools/debugserver/source/MacOSX/arm64/DNBArchImplARM64.cpp

Show First 20 Lines • Show All 88 Lines • ▼ Show 20 Lines

const uint8_t *		const uint8_t *
DNBArchMachARM64::SoftwareBreakpointOpcode(nub_size_t byte_size) {		DNBArchMachARM64::SoftwareBreakpointOpcode(nub_size_t byte_size) {
return g_arm64_breakpoint_opcode;		return g_arm64_breakpoint_opcode;
}		}

uint32_t DNBArchMachARM64::GetCPUType() { return CPU_TYPE_ARM64; }		uint32_t DNBArchMachARM64::GetCPUType() { return CPU_TYPE_ARM64; }

		static uint64_t clear_pac_bits(uint64_t value) {
		uint32_t addressing_bits = 0;
		if (!DNBGetAddressingBits(addressing_bits))
		return value;
		JDevlieghereUnsubmitted Not Done Reply Inline Actions Doesn't `DNBGetAddressingBits` already cover the case of `addressing_bits` being `0`? Why not have `DNBGetAddressingBits` return the addressing bits and do the check here? JDevlieghere: Doesn't `DNBGetAddressingBits` already cover the case of `addressing_bits` being `0`? Why not…

		// On arm64_32, no ptrauth bits to clear
		#if !defined(__LP64__)
		return value;
		#endif

		uint64_t mask = ((1ULL << addressing_bits) - 1);

		// Normally PAC bit clearing needs to check b55 and either set the
		// non-addressing bits, or clear them. But the register values we
		// get from thread_get_state on an arm64e process don't follow this
		// convention?, at least when there's been a PAC auth failure in
		// the inferior.
		// Userland processes are always in low memory, so this
		// hardcoding b55 == 0 PAC stripping behavior here.

		return value & mask; // high bits cleared to 0
		}

uint64_t DNBArchMachARM64::GetPC(uint64_t failValue) {		uint64_t DNBArchMachARM64::GetPC(uint64_t failValue) {
// Get program counter		// Get program counter
if (GetGPRState(false) == KERN_SUCCESS)		if (GetGPRState(false) == KERN_SUCCESS)
#if defined(__LP64__)		#if __has_feature(ptrauth_calls) && defined(__LP64__)
return arm_thread_state64_get_pc(m_state.context.gpr);		return clear_pac_bits(
		reinterpret_cast<uint64_t>(m_state.context.gpr.__opaque_pc));
#else		#else
return m_state.context.gpr.__pc;		return m_state.context.gpr.__pc;
#endif		#endif
return failValue;		return failValue;
}		}

kern_return_t DNBArchMachARM64::SetPC(uint64_t value) {		kern_return_t DNBArchMachARM64::SetPC(uint64_t value) {
// Get program counter		// Get program counter
Show All 13 Lines	#endif
err = SetGPRState();		err = SetGPRState();
}		}
return err == KERN_SUCCESS;		return err == KERN_SUCCESS;
}		}

uint64_t DNBArchMachARM64::GetSP(uint64_t failValue) {		uint64_t DNBArchMachARM64::GetSP(uint64_t failValue) {
// Get stack pointer		// Get stack pointer
if (GetGPRState(false) == KERN_SUCCESS)		if (GetGPRState(false) == KERN_SUCCESS)
#if defined(__LP64__)		#if __has_feature(ptrauth_calls) && defined(__LP64__)
return arm_thread_state64_get_sp(m_state.context.gpr);		return clear_pac_bits(
		reinterpret_cast<uint64_t>(m_state.context.gpr.__opaque_sp));
#else		#else
return m_state.context.gpr.__sp;		return m_state.context.gpr.__sp;
#endif		#endif
return failValue;		return failValue;
}		}

kern_return_t DNBArchMachARM64::GetGPRState(bool force) {		kern_return_t DNBArchMachARM64::GetGPRState(bool force) {
int set = e_regSetGPR;		int set = e_regSetGPR;
// Check if we have valid cached registers		// Check if we have valid cached registers
if (!force && m_state.GetError(set, Read) == KERN_SUCCESS)		if (!force && m_state.GetError(set, Read) == KERN_SUCCESS)
return KERN_SUCCESS;		return KERN_SUCCESS;

// Read the registers from our thread		// Read the registers from our thread
mach_msg_type_number_t count = e_regSetGPRCount;		mach_msg_type_number_t count = e_regSetGPRCount;
kern_return_t kret =		kern_return_t kret =
::thread_get_state(m_thread->MachPortNumber(), ARM_THREAD_STATE64,		::thread_get_state(m_thread->MachPortNumber(), ARM_THREAD_STATE64,
(thread_state_t)&m_state.context.gpr, &count);		(thread_state_t)&m_state.context.gpr, &count);
if (DNBLogEnabledForAny(LOG_THREAD)) {		if (DNBLogEnabledForAny(LOG_THREAD)) {
uint64_t *x = &m_state.context.gpr.__x[0];		uint64_t *x = &m_state.context.gpr.__x[0];

#if defined(__LP64__)		#if __has_feature(ptrauth_calls) && defined(__LP64__)
uint64_t log_fp = arm_thread_state64_get_fp(m_state.context.gpr);		uint64_t log_fp = clear_pac_bits(
uint64_t log_lr = arm_thread_state64_get_lr(m_state.context.gpr);		reinterpret_cast<uint64_t>(m_state.context.gpr.__opaque_fp));
uint64_t log_sp = arm_thread_state64_get_sp(m_state.context.gpr);		uint64_t log_lr = clear_pac_bits(
uint64_t log_pc = arm_thread_state64_get_pc(m_state.context.gpr);		reinterpret_cast<uint64_t>(m_state.context.gpr.__opaque_lr));
		uint64_t log_sp = clear_pac_bits(
		reinterpret_cast<uint64_t>(m_state.context.gpr.__opaque_sp));
		uint64_t log_pc = clear_pac_bits(
		reinterpret_cast<uint64_t>(m_state.context.gpr.__opaque_pc));
#else		#else
uint64_t log_fp = m_state.context.gpr.__fp;		uint64_t log_fp = m_state.context.gpr.__fp;
uint64_t log_lr = m_state.context.gpr.__lr;		uint64_t log_lr = m_state.context.gpr.__lr;
uint64_t log_sp = m_state.context.gpr.__sp;		uint64_t log_sp = m_state.context.gpr.__sp;
uint64_t log_pc = m_state.context.gpr.__pc;		uint64_t log_pc = m_state.context.gpr.__pc;
#endif		#endif
DNBLogThreaded(		DNBLogThreaded(
"thread_get_state(0x%4.4x, %u, &gpr, %u) => 0x%8.8x (count = %u) regs"		"thread_get_state(0x%4.4x, %u, &gpr, %u) => 0x%8.8x (count = %u) regs"
"\n x0=%16.16llx"		"\n x0=%16.16llx"
"\n x1=%16.16llx"		"\n x1=%16.16llx"
"\n x2=%16.16llx"		"\n x2=%16.16llx"
"\n x3=%16.16llx"		"\n x3=%16.16llx"
"\n x4=%16.16llx"		"\n x4=%16.16llx"
▲ Show 20 Lines • Show All 441 Lines • ▼ Show 20 Lines	kern_return_t DNBArchMachARM64::EnableHardwareSingleStep(bool enable) {

err = GetDBGState(false);		err = GetDBGState(false);

if (err.Fail()) {		if (err.Fail()) {
err.LogThreaded("%s: failed to read the DBG registers", __FUNCTION__);		err.LogThreaded("%s: failed to read the DBG registers", __FUNCTION__);
return err.Status();		return err.Status();
}		}

#if defined(__LP64__)		#if __has_feature(ptrauth_calls) && defined(__LP64__)
uint64_t pc = arm_thread_state64_get_pc (m_state.context.gpr);		uint64_t pc = clear_pac_bits(
		reinterpret_cast<uint64_t>(m_state.context.gpr.__opaque_pc));
#else		#else
uint64_t pc = m_state.context.gpr.__pc;		uint64_t pc = m_state.context.gpr.__pc;
#endif		#endif

if (enable) {		if (enable) {
DNBLogThreadedIf(LOG_STEP,		DNBLogThreadedIf(LOG_STEP,
"%s: Setting MDSCR_EL1 Single Step bit at pc 0x%llx",		"%s: Setting MDSCR_EL1 Single Step bit at pc 0x%llx",
__FUNCTION__, pc);		__FUNCTION__, pc);
▲ Show 20 Lines • Show All 1,357 Lines • ▼ Show 20 Lines	if (GetRegisterState(set, false) != KERN_SUCCESS)
return false;		return false;

const DNBRegisterInfo *regInfo = m_thread->GetRegisterInfo(set, reg);		const DNBRegisterInfo *regInfo = m_thread->GetRegisterInfo(set, reg);
if (regInfo) {		if (regInfo) {
value->info = *regInfo;		value->info = *regInfo;
switch (set) {		switch (set) {
case e_regSetGPR:		case e_regSetGPR:
if (reg <= gpr_pc) {		if (reg <= gpr_pc) {
#if defined(__LP64__)		if (reg == gpr_pc \|\| reg == gpr_lr \|\| reg == gpr_sp \|\| reg == gpr_fp)
if (reg == gpr_pc)		value->value.uint64 = clear_pac_bits(m_state.context.gpr.__x[reg]);
value->value.uint64 = arm_thread_state64_get_pc (m_state.context.gpr);
else if (reg == gpr_lr)
value->value.uint64 = arm_thread_state64_get_lr (m_state.context.gpr);
else if (reg == gpr_sp)
value->value.uint64 = arm_thread_state64_get_sp (m_state.context.gpr);
else if (reg == gpr_fp)
value->value.uint64 = arm_thread_state64_get_fp (m_state.context.gpr);
else		else
value->value.uint64 = m_state.context.gpr.__x[reg];		value->value.uint64 = m_state.context.gpr.__x[reg];
#else
value->value.uint64 = m_state.context.gpr.__x[reg];
#endif
return true;		return true;
} else if (reg == gpr_cpsr) {		} else if (reg == gpr_cpsr) {
value->value.uint32 = m_state.context.gpr.__cpsr;		value->value.uint32 = m_state.context.gpr.__cpsr;
return true;		return true;
}		}
break;		break;

case e_regSetVFP:		case e_regSetVFP:
▲ Show 20 Lines • Show All 345 Lines • Show Last 20 Lines

lldb/tools/debugserver/source/RNBRemote.cpp

Show First 20 Lines • Show All 4,775 Lines • ▼ Show 20 Lines	#endif

cputype = g_host_cputype;		cputype = g_host_cputype;
cpusubtype = g_host_cpusubtype;		cpusubtype = g_host_cpusubtype;
is_64_bit_capable = g_is_64_bit_capable;		is_64_bit_capable = g_is_64_bit_capable;
promoted_to_64 = g_promoted_to_64;		promoted_to_64 = g_promoted_to_64;
return g_host_cputype != 0;		return g_host_cputype != 0;
}		}

static bool GetAddressingBits(uint32_t &addressing_bits) {
static uint32_t g_addressing_bits = 0;
static bool g_tried_addressing_bits_syscall = false;
if (g_tried_addressing_bits_syscall == false) {
size_t len = sizeof (uint32_t);
if (::sysctlbyname("machdep.virtual_address_size",
&g_addressing_bits, &len, NULL, 0) != 0) {
g_addressing_bits = 0;
}
}
g_tried_addressing_bits_syscall = true;
addressing_bits = g_addressing_bits;
if (addressing_bits > 0)
return true;
else
return false;
}

rnb_err_t RNBRemote::HandlePacket_qHostInfo(const char *p) {		rnb_err_t RNBRemote::HandlePacket_qHostInfo(const char *p) {
std::ostringstream strm;		std::ostringstream strm;

uint32_t cputype = 0;		uint32_t cputype = 0;
uint32_t cpusubtype = 0;		uint32_t cpusubtype = 0;
uint32_t is_64_bit_capable = 0;		uint32_t is_64_bit_capable = 0;
bool promoted_to_64 = false;		bool promoted_to_64 = false;
if (GetHostCPUType(cputype, cpusubtype, is_64_bit_capable, promoted_to_64)) {		if (GetHostCPUType(cputype, cpusubtype, is_64_bit_capable, promoted_to_64)) {
strm << "cputype:" << std::dec << cputype << ';';		strm << "cputype:" << std::dec << cputype << ';';
strm << "cpusubtype:" << std::dec << cpusubtype << ';';		strm << "cpusubtype:" << std::dec << cpusubtype << ';';
}		}

uint32_t addressing_bits = 0;		uint32_t addressing_bits = 0;
if (GetAddressingBits(addressing_bits)) {		if (DNBGetAddressingBits(addressing_bits)) {
strm << "addressing_bits:" << std::dec << addressing_bits << ';';		strm << "addressing_bits:" << std::dec << addressing_bits << ';';
}		}

// The OS in the triple should be "ios" or "macosx" which doesn't match our		// The OS in the triple should be "ios" or "macosx" which doesn't match our
// "Darwin" which gets returned from "kern.ostype", so we need to hardcode		// "Darwin" which gets returned from "kern.ostype", so we need to hardcode
// this for now.		// this for now.
if (cputype == CPU_TYPE_ARM \|\| cputype == CPU_TYPE_ARM64		if (cputype == CPU_TYPE_ARM \|\| cputype == CPU_TYPE_ARM64
\|\| cputype == CPU_TYPE_ARM64_32) {		\|\| cputype == CPU_TYPE_ARM64_32) {
▲ Show 20 Lines • Show All 1,632 Lines • Show Last 20 Lines