arm64: strip PACs from link register values
Pointer authentication codes are used to validate pointers against
accidental or malicious modification by storing a hash of the address
and a secret value in the pointer's unused, upper bits. The exact
bits used may vary by implementation and depend on the size of the
virtual address space of the target system, and whether other tagged
pointer features are in use.
Apple has implemented PACs in the Apple A12.
https://developer.apple.com/documentation/security/preparing_your_app_to_work_with_pointer_authentication
The documented method of stripping PACs from a pointer is to call
ptrauth_strip(), which ultimately emits an `xpaci` instruction, but
this option isn't available to the Breakpad processor not running on
the device. Instead, this patch selects likely address bits from
link register values by examining the address range of loaded modules.
Change-Id: I054bd1a03605719937fc85dcc8d8b9fe927f44be
Reviewed-on: https://chromium-review.googlesource.com/c/breakpad/breakpad/+/1713650
Reviewed-by: Mark Mentovai <mark@chromium.org>
diff --git a/src/processor/stackwalker_arm64.cc b/src/processor/stackwalker_arm64.cc
index f966011..47e245e 100644
--- a/src/processor/stackwalker_arm64.cc
+++ b/src/processor/stackwalker_arm64.cc
@@ -54,8 +54,29 @@
StackFrameSymbolizer* resolver_helper)
: Stackwalker(system_info, memory, modules, resolver_helper),
context_(context),
- context_frame_validity_(StackFrameARM64::CONTEXT_VALID_ALL) { }
+ context_frame_validity_(StackFrameARM64::CONTEXT_VALID_ALL),
+ address_range_mask_(0xffffffffffffffff) {
+ if (modules && modules->module_count() > 0) {
+ // ARM64 supports storing pointer authentication codes in the upper bits of
+ // a pointer. Make a best guess at the range of valid addresses based on the
+ // range of loaded modules.
+ const CodeModule *high_module =
+ modules->GetModuleAtSequence(modules->module_count() - 1);
+ uint64_t mask = high_module->base_address() + high_module->size();
+ mask |= mask >> 1;
+ mask |= mask >> 2;
+ mask |= mask >> 4;
+ mask |= mask >> 8;
+ mask |= mask >> 16;
+ mask |= mask >> 32;
+ address_range_mask_ = mask;
+ }
+}
+uint64_t StackwalkerARM64::PtrauthStrip(uint64_t ptr) {
+ uint64_t stripped = ptr & address_range_mask_;
+ return modules_ && modules_->GetModuleForAddress(stripped) ? stripped : ptr;
+}
StackFrame* StackwalkerARM64::GetContextFrame() {
if (!context_) {
@@ -71,6 +92,8 @@
frame->context_validity = context_frame_validity_;
frame->trust = StackFrame::FRAME_TRUST_CONTEXT;
frame->instruction = frame->context.iregs[MD_CONTEXT_ARM64_REG_PC];
+ frame->context.iregs[MD_CONTEXT_ARM64_REG_LR] =
+ PtrauthStrip(frame->context.iregs[MD_CONTEXT_ARM64_REG_LR]);
return frame;
}
@@ -202,6 +225,8 @@
return NULL;
}
+ caller_lr = PtrauthStrip(caller_lr);
+
uint64_t caller_sp = last_fp ? last_fp + 16 :
last_frame->context.iregs[MD_CONTEXT_ARM64_REG_SP];
diff --git a/src/processor/stackwalker_arm64.h b/src/processor/stackwalker_arm64.h
index 121e824..241383e 100644
--- a/src/processor/stackwalker_arm64.h
+++ b/src/processor/stackwalker_arm64.h
@@ -68,6 +68,9 @@
}
private:
+ // Strip pointer authentication codes from an address.
+ uint64_t PtrauthStrip(uint64_t ptr);
+
// Implementation of Stackwalker, using arm64 context and stack conventions.
virtual StackFrame* GetContextFrame();
virtual StackFrame* GetCallerFrame(const CallStack* stack,
@@ -95,6 +98,10 @@
// CONTEXT_VALID_ALL in real use; it is only changeable for the sake of
// unit tests.
uint64_t context_frame_validity_;
+
+ // A mask of the valid address bits, determined from the address range of
+ // modules_.
+ uint64_t address_range_mask_;
};
