This is an archive of the discontinued LLVM Phabricator instance.

Differential D147462

Use kernel's global variable indicating how many bits are used in addressing when loading Darwin xnu kernel
Closed, Public

Authored by jasonmolenda on Apr 3 2023, 11:28 AM.

Details

Reviewers

JDevlieghere

Commits

rG8b092714c304: Using global variable in xnu kernel, set # of addressable bits

Summary

The Darwin xnu kernel has a global variable which has the number of bits used for addressing in ptrauth code. The DynamicLoaderDarwinKernel already knows to look at xnu global variables to load kexts (solibs for a kernel); it's a natural place to find & use this information to set the number of bits correctly for the Process.
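As a rough illustration of what "number of bits used for addressing" means here, the sketch below derives the addressable-bit count from a T1Sz value (64 - T1Sz, as the committed code does) and uses it to clear or sign-extend the non-address bits of a pointer. The helper names `AddressableBitsFromT1Sz` and `FixAddress` are hypothetical and are not LLDB APIs. Using bit 55 to select between the low and high half of the address space is an assumption based on the patch comment that b55 is the sign extension bit with PAC.

```cpp
#include <cassert>
#include <cstdint>

// Hypothetical helper: number of low-order bits used for addressing,
// given the T1Sz value read from the kernel (64 - T1Sz, as in the patch).
inline uint32_t AddressableBitsFromT1Sz(uint64_t t1sz) {
  assert(t1sz < 64 && "T1Sz must leave at least one addressable bit");
  return static_cast<uint32_t>(64 - t1sz);
}

// Hypothetical helper: remove PAC/TBI metadata from a pointer value.
// Assumption: bit 55 tells us whether the pointer lives in the high
// (kernel) half, in which case the upper bits are set to 1, or in the
// low half, in which case they are cleared.
inline uint64_t FixAddress(uint64_t ptr, uint32_t addressable_bits) {
  if (addressable_bits == 0 || addressable_bits >= 64)
    return ptr; // No usable setting: leave the pointer untouched.
  const uint64_t high_mask = ~((uint64_t{1} << addressable_bits) - 1);
  const uint64_t bit55 = uint64_t{1} << 55;
  return (ptr & bit55) ? (ptr | high_mask) : (ptr & ~high_mask);
}
```

With T1Sz == 25 this gives 39 addressable bits, so bits 39..63 of a pointer are treated as metadata rather than as part of the address.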

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

jasonmolenda created this revision. Apr 3 2023, 11:28 AM

Herald added a project: Restricted Project. Apr 3 2023, 11:28 AM

jasonmolenda requested review of this revision. Apr 3 2023, 11:28 AM

Herald added a subscriber: lldb-commits. Apr 3 2023, 11:28 AM

Harbormaster completed remote builds in B223408: Diff 510572. Apr 3 2023, 11:31 AM

JDevlieghere added inline comments. Apr 3 2023, 12:46 PM

lldb/source/Plugins/DynamicLoader/Darwin-Kernel/DynamicLoaderDarwinKernel.cpp
1087	What does this check add? Should this be: `if (symbol && symbol->GetByteSize() == wordsize == 8)`
1090	Maybe make this `const` to make it clear nobody should modify this.
1093	Instead of changing the addressable bits for the process, should we modify `GetLoadAddress` to explicitly skip the stripping instead? This is probably purely theoretical, but what if another (host) thread tried to read memory in the meantime? Changing global state like this can lead to subtle bugs.
1101	You can probably just reuse `wordsize` here?
1111	Why is this signed? This should be a `uint32_t`.
1114	Is this actually necessary? Does that mean that you can't do `process->SetVirtualAddressableBits(process->GetVirtualAddressableBits())` in general?

jasonmolenda added inline comments. Apr 3 2023, 1:01 PM

lldb/source/Plugins/DynamicLoader/Darwin-Kernel/DynamicLoaderDarwinKernel.cpp
1093	Yes, I thought about touching the global state. At this point we've just attached to the remote device / corefile, and are loading the kernel binary. There aren't other threads operating on this at this time. We're also in a state where the number of addressable bits may default to a correct value, but is just as likely incorrect. As for a flag to do this, it's a bit tricky! It's actually the `Target::ReadUnsignedIntegerFromMemory()` call, which takes an `Address` object, which ends up mutating the address while constructing the load address. We could pipe a flag for `ReadUnsignedIntegerFromMemory` down a few layers to where that's happening, or add a flag to the `Address` object which indicates that it should not be mutated down the line. `Target::ReadMemory` needs to take an `Address` object to fall back to using the backing file if possible (important if the corefile doesn't include the binary contents). Another alternative is to switch to `Process::ReadMemory`, which takes an `addr_t` but won't fall back to the on-disk file.
1114	I didn't debug it through the layers, but setting the value to 0 when the getter returns 0 did break this.
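The save / override / restore pattern debated in the line 1093 thread can be sketched with a small scope guard. This is only an illustration under stated assumptions: `FakeProcess`, `ScopedAddressableBits`, and `UpdateBits` are hypothetical stand-ins, not LLDB classes, and the memory read is simulated by the `read_ok` and `t1sz` parameters. It does not address the cross-thread concern raised above; it only makes the restore-on-failure path harder to forget.

```cpp
#include <cassert>
#include <cstdint>

// Stand-in for the process-wide setting; NOT LLDB's Process class.
struct FakeProcess {
  uint32_t addressable_bits = 0;
  uint32_t GetVirtualAddressableBits() const { return addressable_bits; }
  void SetVirtualAddressableBits(uint32_t bits) { addressable_bits = bits; }
};

// Hypothetical guard: installs a temporary value on construction and
// restores the saved value on destruction unless Commit() was called.
class ScopedAddressableBits {
public:
  ScopedAddressableBits(FakeProcess &process, uint32_t temporary_bits)
      : m_process(process), m_saved(process.GetVirtualAddressableBits()) {
    m_process.SetVirtualAddressableBits(temporary_bits);
  }
  ~ScopedAddressableBits() {
    if (!m_committed)
      m_process.SetVirtualAddressableBits(m_saved);
  }
  // Keep a new, final value instead of restoring the saved one.
  void Commit(uint32_t final_bits) {
    m_process.SetVirtualAddressableBits(final_bits);
    m_committed = true;
  }
  ScopedAddressableBits(const ScopedAddressableBits &) = delete;
  ScopedAddressableBits &operator=(const ScopedAddressableBits &) = delete;

private:
  FakeProcess &m_process;
  uint32_t m_saved;
  bool m_committed = false;
};

// Mirrors the control flow of the patch: force 55 bits while reading,
// then either commit 64 - T1Sz or fall back to the original value.
inline void UpdateBits(FakeProcess &process, bool read_ok, uint64_t t1sz) {
  ScopedAddressableBits guard(process, 55);
  if (read_ok)
    guard.Commit(static_cast<uint32_t>(64 - t1sz));
}
```

A failed read leaves the setting exactly as it was before the call, while a successful read with T1Sz == 25 leaves it at 39.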

Update patch to address some of Jonas' comments. I was adding a check that the ptrsize of the architecture was 64-bit, but we haven't worked with 32-bit xnu kernels for a few years now; we can safely assume 64-bit. I am still forcing the addressable bits value to 55 globally inside lldb while I read & set the correct value.

Harbormaster completed remote builds in B223418: Diff 510586. Apr 3 2023, 1:38 PM

LGTM. I would still prefer to not change the global state, but after speaking to Jason offline, that might be better tackled when we unify the current Process/Target bifurcation.

lldb/source/Plugins/DynamicLoader/Darwin-Kernel/DynamicLoaderDarwinKernel.cpp
1094–1097	Why not use `symbol->GetByteSize()` too? Maybe add an `assert(symbol->GetByteSize() == 8)`

This revision is now accepted and ready to land. Apr 3 2023, 1:40 PM

Yeah, I agree that messing with the global setting of addressable bits here is not ideal, but at this point in time the fact that we probably have an un-set/invalid value means it won't make things worse.

lldb/source/Plugins/DynamicLoader/Darwin-Kernel/DynamicLoaderDarwinKernel.cpp
1094–1097	We're trying to handle the case (it has happened in the past) where we have an inaccurate byte size because lldb is running on a stripped kernel binary; this is specifically working around the case where the symbol byte size is not 8. (Symbols synthesize their size by looking at the next nearest symbol, so when you have a stripped binary you may have sizes that are larger than reality when some symbols have been stripped.)
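To make the size-synthesis point concrete, here is a minimal sketch of sizing symbols by the distance to the next nearest symbol. It is a simplified model, not LLDB's symbol table code: `SymbolEntry` and `SynthesizeSizes` are hypothetical, and the neighbouring symbol names and addresses in the usage note are made up for illustration.

```cpp
#include <algorithm>
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Hypothetical symbol record: a name and a start address, no size.
struct SymbolEntry {
  std::string name;
  uint64_t address;
};

// Assign each symbol the distance to the next higher-addressed symbol.
// The last symbol has no successor, so its size is reported as 0 here.
inline std::map<std::string, uint64_t>
SynthesizeSizes(std::vector<SymbolEntry> symbols) {
  std::sort(symbols.begin(), symbols.end(),
            [](const SymbolEntry &a, const SymbolEntry &b) {
              return a.address < b.address;
            });
  std::map<std::string, uint64_t> sizes;
  for (std::size_t i = 0; i < symbols.size(); ++i) {
    const bool has_next = i + 1 < symbols.size();
    sizes[symbols[i].name] =
        has_next ? symbols[i + 1].address - symbols[i].address : 0;
  }
  return sizes;
}
```

If `gT1Sz` sits at 0x1000 and a neighbour sits at 0x1008, the synthesized size is 8. If that neighbour has been stripped and the next remaining symbol is at 0x1020, the synthesized size becomes 0x20, which is why the patch hardcodes 8 instead of trusting `symbol->GetByteSize()`.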

Closed by commit rG8b092714c304: Using global variable in xnu kernel, set # of addressable bits (authored by jasonmolenda). Apr 3 2023, 1:51 PM

This revision was automatically updated to reflect the committed changes.

jasonmolenda added a commit: rG8b092714c304: Using global variable in xnu kernel, set # of addressable bits.

Revision Contents

Path	Size
lldb/source/Plugins/DynamicLoader/Darwin-Kernel/DynamicLoaderDarwinKernel.cpp	31 lines

Diff 510586

lldb/source/Plugins/DynamicLoader/Darwin-Kernel/DynamicLoaderDarwinKernel.cpp

     // The operating system plugin gets loaded and initialized in
     // LoadImageUsingMemoryModule when we discover the kernel dSYM. For a core
     // file in particular, that's the wrong place to do this, since we haven't
     // fixed up the section addresses yet. So let's redo it here.
     LoadOperatingSystemPlugin(false);
 
     if (m_kernel.IsLoaded() && m_kernel.GetModule()) {
       static ConstString kext_summary_symbol("gLoadedKextSummaries");
+      static ConstString arm64_T1Sz_value("gT1Sz");
       const Symbol *symbol =
           m_kernel.GetModule()->FindFirstSymbolWithNameAndType(
               kext_summary_symbol, eSymbolTypeData);
       if (symbol) {
         m_kext_summary_header_ptr_addr = symbol->GetAddress();
         // Update all image infos
         ReadAllKextSummaries();
       }
+      // If the kernel global with the T1Sz setting is available,
+      // update the target.process.virtual-addressable-bits to be correct.
+      symbol = m_kernel.GetModule()->FindFirstSymbolWithNameAndType(
+          arm64_T1Sz_value, eSymbolTypeData);
+      if (symbol) {
+        const uint32_t orig_bits_value = m_process->GetVirtualAddressableBits();
+        // Mark all bits as addressable so we don't strip any from our
+        // memory read below, with an incorrect default value.
+        // b55 is the sign extension bit with PAC, b56:63 are TBI,
+        // don't mark those as addressable.
+        m_process->SetVirtualAddressableBits(55);
+        Status error;
+        // gT1Sz is 8 bytes. We may run on a stripped kernel binary
+        // where we can't get the size accurately. Hardcode it.
+        const size_t sym_bytesize = 8; // size of gT1Sz value
+        uint64_t sym_value =
+            m_process->GetTarget().ReadUnsignedIntegerFromMemory(
+                symbol->GetAddress(), sym_bytesize, 0, error);
+        if (error.Success()) {
+          // 64 - T1Sz is the highest bit used for auth.
+          // The value we pass in to SetVirtualAddressableBits is
+          // the number of bits used for addressing, so if
+          // T1Sz is 25, then 64-25 == 39, bits 0..38 are used for
+          // addressing, bits 39..63 are used for PAC/TBI or whatever.
+          uint32_t virt_addr_bits = 64 - sym_value;
+          m_process->SetVirtualAddressableBits(virt_addr_bits);
+        } else {
+          m_process->SetVirtualAddressableBits(orig_bits_value);
+        }
+      }
     } else {
       m_kernel.Clear();
     }
   }
 }
 
 // Static callback function that gets called when our DYLD notification
 // breakpoint gets hit. We update all of our image infos and then let our super
 // class DynamicLoader class decide if we should stop or not (based on global
 // preference).
 bool DynamicLoaderDarwinKernel::BreakpointHitCallback(
     void *baton, StoppointCallbackContext *context, user_id_t break_id,
     user_id_t break_loc_id) {