Crashpad: Adding PAC bit stripping to stack sanitization.

Pointer Authentication works by adding a signature to the top bits of an instruction or data pointer (only instruction pointers on the stack are currently signed in Chromium). This can confuse range checks, because they need to strip the top bits. Masking these bits during sanitization range checks prevents confusion. Test: Testing was done manually on a device with pointer authentication enabled. Bug: crashpad:364 Bug: 919548 Change-Id: I2e739cadb2844cfaf73a75596d664135aeb5faac Reviewed-on: https://chromium-review.googlesource.com/c/crashpad/crashpad/+/4387271 Commit-Queue: Adam Walls <avvall@google.com> Reviewed-by: Joshua Peraza <jperaza@chromium.org> Reviewed-by: Ben Hamilton <benhamilton@google.com>
2024-12-26 06:31:50 +08:00 · 2023-04-04 17:02:57 +00:00 · 2023-04-04 17:02:57 +00:00 · 4773a37f0a
commit 4773a37f0a
parent c21292dd71
5 changed files with 77 additions and 3 deletions
--- a/snapshot/sanitized/memory_snapshot_sanitized.cc
+++ b/snapshot/sanitized/memory_snapshot_sanitized.cc
@ -16,6 +16,8 @@

 #include <string.h>

+#include "util/linux/pac_helper.h"
+
 namespace crashpad {
 namespace internal {

@ -62,8 +64,9 @@ class MemorySanitizer : public MemorySnapshot::Delegate {
    auto words =
        reinterpret_cast<Pointer*>(static_cast<char*>(data) + aligned_offset);
    for (size_t index = 0; index < word_count; ++index) {
-      if (words[index] > MemorySnapshotSanitized::kSmallWordMax &&
-          !ranges_->Contains(words[index])) {
+      auto word = StripPACBits(words[index]);
+      if (word > MemorySnapshotSanitized::kSmallWordMax &&
+          !ranges_->Contains(word)) {
        words[index] = defaced;
      }
    }
--- a/snapshot/sanitized/process_snapshot_sanitized.cc
+++ b/snapshot/sanitized/process_snapshot_sanitized.cc
@ -17,6 +17,7 @@
 #include <stdint.h>

 #include "snapshot/cpu_context.h"
+#include "util/linux/pac_helper.h"
 #include "util/numeric/safe_assignment.h"

 namespace crashpad {
@ -61,7 +62,8 @@ class StackReferencesAddressRange : public MemorySnapshot::Delegate {
                                            aligned_sp_offset);
    size_t word_count = (size - aligned_sp_offset) / sizeof(Pointer);
    for (size_t index = 0; index < word_count; ++index) {
-      if (words[index] >= low_ && words[index] < high_) {
+      auto word = StripPACBits(words[index]);
+      if (word >= low_ && word < high_) {
        return true;
      }
    }
--- a/util/BUILD.gn
+++ b/util/BUILD.gn
@ -432,6 +432,8 @@ crashpad_static_library("util") {
      "linux/exception_information.h",
      "linux/memory_map.cc",
      "linux/memory_map.h",
+      "linux/pac_helper.cc",
+      "linux/pac_helper.h",
      "linux/proc_stat_reader.cc",
      "linux/proc_stat_reader.h",
      "linux/proc_task_reader.cc",
--- a/util/linux/pac_helper.cc
+++ b/util/linux/pac_helper.cc
@ -0,0 +1,38 @@
+// Copyright 2023 The Crashpad Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "util/linux/pac_helper.h"
+
+#if __has_feature(ptrauth_intrinsics)
+#include <ptrauth.h>
+#endif
+
+#include "util/misc/address_types.h"
+
+namespace crashpad {
+
+VMAddress StripPACBits(VMAddress address) {
+#if __has_feature(ptrauth_intrinsics)
+    address = ptrauth_strip(address, ptrauth_key_function_pointer);
+#elif defined(ARCH_CPU_ARM64)
+    // Strip any pointer authentication bits that are assigned to the address.
+    register uintptr_t x30 __asm("x30") = address;
+    asm("xpaclri" : "+r"(x30));
+    address = x30;
+#endif
+    return address;
+}
+
+}  // namespace crashpad
+
--- a/util/linux/pac_helper.h
+++ b/util/linux/pac_helper.h
@ -0,0 +1,29 @@
+// Copyright 2023 The Crashpad Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef CRASHPAD_UTIL_LINUX_PAC_HELPER_H_
+#define CRASHPAD_UTIL_LINUX_PAC_HELPER_H_
+
+#include "util/misc/address_types.h"
+
+namespace crashpad {
+
+//! \brief Strips PAC bits from an address
+VMAddress StripPACBits(VMAddress address);
+
+}  // namespace crashpad
+
+
+#endif  // CRASHPAD_UTIL_LINUX_PAC_HELPER_H_
+