
[AArch64] Unwinding support for return address signing

Authored by LukeCheeseman on Aug 29 2018, 8:42 AM.


  • When return address signing is enabled, the LR may be signed on function entry
  • When an exception is thrown, the return address is inspected and used to unwind the call stack
  • Before this happens, the return address must be correctly authenticated to avoid causing an abort by dereferencing the signed pointer

Event Timeline

LukeCheeseman created this revision.Aug 29 2018, 8:42 AM
olista01 added inline comments.
210 ↗(On Diff #163099)

I don't think this will work for cross-unwinding builds: for them, _LIBUNWIND_TARGET_AARCH64 is defined even when the compilation target is not AArch64, so this instruction won't exist.

Fully supporting cross-unwinding looks non-trivial: we'd need to either provide some way to ask the client to authenticate a pointer on the target, or strip the high bits of the pointer (which requires knowing the virtual address size of the target). For now, I think it's OK to not support cross-unwinding.

1835 ↗(On Diff #163099)

When regNum == UNW_ARM64_RA_SIGN_STATE, the index into __x is out of range. We'll need to add new storage to hold this value, I'd suggest replacing the current padding value in the GPRs struct, as that will avoid changing the layout expected by the context save/restore functions.

1845 ↗(On Diff #163099)


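The mechanism in the summary (LR signed on entry, authenticated before the unwinder uses it) and the cross-unwinding problem raised in the inline comments above, in a software model added here for illustration. This is not libunwind code and not part of this revision: the toy PAC, the register layout, the result codes and every input value are made up; the only real names are DW_CFA_AARCH64_negate_ra_state and the RA_SIGN_STATE pseudo-register it toggles. It shows why a signed pointer cannot simply be dereferenced (its PAC bits put it outside the canonical VA range), why a native unwinder can authenticate it against the frame's CFA, and why stripping instead (the XPACI-style fallback suggested for cross-unwinding) needs the target's VA width as an input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed target: 48-bit virtual addresses, so bits 48..63 are free for the
 * PAC. The real width comes from the target kernel's VA configuration and is
 * exactly what a cross-unwinder does not know. */
#define VA_BITS 48u
#define VA_MASK ((1ull << VA_BITS) - 1)

/* Hypothetical result codes for one unwind step (not libunwind's names). */
enum { STEP_OK = 0, STEP_ERR_CROSS_RASIGNING = -1, STEP_ERR_BAD_RA = -2 };

/* Toy PAC: a keyed mix of address and modifier folded into the bits above
 * VA_BITS. Hardware uses QARMA with a per-process key; this stand-in only
 * models where the bits live. Bit VA_BITS is forced on so a signed pointer
 * is always non-canonical in this model. */
static uint64_t toy_pac(uint64_t addr, uint64_t modifier, uint64_t key) {
    uint64_t h = ((addr ^ modifier) * 0x9E3779B97F4A7C15ull) ^ key;
    h ^= h >> 29;
    h *= 0xBF58476D1CE4E5B9ull;
    h ^= h >> 32;
    return ((h >> VA_BITS) | 1ull) << VA_BITS;
}

/* PACIASP on function entry: LR <- LR | PAC(LR, SP). */
static uint64_t sign_ra(uint64_t lr, uint64_t sp, uint64_t key) {
    return (lr & VA_MASK) | toy_pac(lr & VA_MASK, sp, key);
}

/* AUTIASP: recompute and strip the PAC. On a mismatch hardware leaves the
 * pointer poisoned so that any use of it faults; modelled here by setting a
 * bit above the VA range. */
static uint64_t auth_ra(uint64_t signed_lr, uint64_t sp, uint64_t key) {
    uint64_t addr = signed_lr & VA_MASK;
    if (toy_pac(addr, sp, key) == (signed_lr & ~VA_MASK))
        return addr;
    return addr | (1ull << (VA_BITS + 1));
}

/* XPACI: strip the PAC without authenticating. This is the cross-unwinding
 * fallback from the review; it needs the target's VA width as input. */
static uint64_t strip_ra(uint64_t signed_lr, unsigned target_va_bits) {
    return signed_lr & ((1ull << target_va_bits) - 1);
}

/* The unwinder "dereferences" the return address when it looks up the FDE
 * covering it. A pointer with PAC bits set lies outside the canonical VA
 * range, so that lookup faults; this is the abort the summary warns about. */
static bool is_canonical(uint64_t addr) {
    return (addr & ~VA_MASK) == 0;
}

/* Register state the unwinder tracks (layout hypothetical). ra_sign_state is
 * the RA_SIGN_STATE pseudo-register that the compiler toggles in the CFI with
 * DW_CFA_AARCH64_negate_ra_state right after PACIASP and before AUTIASP. */
struct unwind_regs {
    uint64_t x[31];          /* x0..x30; x[30] is LR */
    uint64_t sp;
    uint64_t ra_sign_state;  /* 0: LR is plain, 1: LR carries a PAC */
};

#define DW_CFA_AARCH64_negate_ra_state 0x2d

/* CFI interpreter reduced to the one opcode this example cares about. */
static void apply_cfi(struct unwind_regs *r, const uint8_t *ops, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (ops[i] == DW_CFA_AARCH64_negate_ra_state)
            r->ra_sign_state ^= 1;
}

/* One unwind step: recover the caller's PC from LR. The authentication
 * modifier is the SP at the time of PACIASP, i.e. the frame's CFA. 'native'
 * is false for a cross-unwinding build, which cannot execute AUTIA for the
 * target and so must refuse rather than use the signed value. */
static int unwind_step(struct unwind_regs *r, bool native, uint64_t key,
                       uint64_t cfa, uint64_t *caller_pc) {
    uint64_t ra = r->x[30];
    if (r->ra_sign_state) {
        if (!native)
            return STEP_ERR_CROSS_RASIGNING;
        ra = auth_ra(ra, cfa, key);
    }
    if (!is_canonical(ra))
        return STEP_ERR_BAD_RA;   /* an FDE lookup on this value would fault */
    *caller_pc = ra;
    return STEP_OK;
}

/* Worked scenario with constructed values: a callee signs LR on entry and an
 * exception then unwinds through it. 'cfi_marks_signed' controls whether the
 * CFI carried the negate_ra_state toggle; without it the unwinder would use
 * the raw signed pointer. */
static int demo(bool native, bool cfi_marks_signed, uint64_t *pc) {
    const uint64_t key = 0x0123456789ABCDEFull;    /* constructed process key */
    const uint64_t caller = 0x0000000000401234ull; /* constructed return addr */
    struct unwind_regs r = {0};
    r.sp = 0x0000ffffd0000100ull;                  /* SP at entry == CFA */
    r.x[30] = sign_ra(caller, r.sp, key);          /* PACIASP */
    const uint8_t cfi[] = { DW_CFA_AARCH64_negate_ra_state };
    if (cfi_marks_signed)
        apply_cfi(&r, cfi, sizeof cfi);
    return unwind_step(&r, native, key, r.sp, pc);
}
```

demo(true, true, ...) is the native case this revision handles: RA_SIGN_STATE is set, the PAC is checked against the CFA and the plain return address comes back. demo(false, true, ...) is the cross-unwinding case, which returns an error rather than guessing at the target's VA width. demo(true, false, ...) shows what happens when the CFI does not mark the address as signed: the unwinder reaches the FDE lookup with a non-canonical pointer.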
LukeCheeseman added inline comments.Sep 17 2018, 8:02 AM
1835 ↗(On Diff #163099)

Good catch. Thanks, I didn't check the struct definition.

Return an error code when trying to sign return addresses and cross unwinding.

olista01 accepted this revision.Sep 20 2018, 2:52 AM

LGTM, thanks!

This revision is now accepted and ready to land.Sep 20 2018, 2:52 AM
emaste added a subscriber: emaste.Sep 24 2018, 8:19 AM
This revision was automatically updated to reflect the committed changes.