From 4773a37f0a95fbbfbd6e7698ee5dc1a1371f6e2f Mon Sep 17 00:00:00 2001 From: avvall Date: Tue, 4 Apr 2023 17:02:57 +0000 Subject: [PATCH] Crashpad: Adding PAC bit stripping to stack sanitization. Pointer Authentication works by adding a signature to the top bits of an instruction or data pointer (only instruction pointers on the stack are currently signed in Chromium). This can confuse range checks, because they need to strip the top bits. Masking these bits during sanitization range checks prevents confusion. Test: Testing was done manually on a device with pointer authentication enabled. Bug: crashpad:364 Bug: 919548 Change-Id: I2e739cadb2844cfaf73a75596d664135aeb5faac Reviewed-on: https://chromium-review.googlesource.com/c/crashpad/crashpad/+/4387271 Commit-Queue: Adam Walls Reviewed-by: Joshua Peraza Reviewed-by: Ben Hamilton --- .../sanitized/memory_snapshot_sanitized.cc | 7 +++- .../sanitized/process_snapshot_sanitized.cc | 4 +- util/BUILD.gn | 2 + util/linux/pac_helper.cc | 38 +++++++++++++++++++ util/linux/pac_helper.h | 29 ++++++++++++++ 5 files changed, 77 insertions(+), 3 deletions(-) create mode 100644 util/linux/pac_helper.cc create mode 100644 util/linux/pac_helper.h diff --git a/snapshot/sanitized/memory_snapshot_sanitized.cc b/snapshot/sanitized/memory_snapshot_sanitized.cc index b4f9ba42..58bcdde4 100644 --- a/snapshot/sanitized/memory_snapshot_sanitized.cc +++ b/snapshot/sanitized/memory_snapshot_sanitized.cc @@ -16,6 +16,8 @@ #include +#include "util/linux/pac_helper.h" + namespace crashpad { namespace internal { 
@@ -62,8 +64,9 @@ class MemorySanitizer : public MemorySnapshot::Delegate { auto words = reinterpret_cast(static_cast(data) + aligned_offset); for (size_t index = 0; index < word_count; ++index) { - if (words[index] > MemorySnapshotSanitized::kSmallWordMax && - !ranges_->Contains(words[index])) { + auto word = StripPACBits(words[index]); + if (word > MemorySnapshotSanitized::kSmallWordMax && + !ranges_->Contains(word)) { words[index] = defaced; } } diff --git a/snapshot/sanitized/process_snapshot_sanitized.cc b/snapshot/sanitized/process_snapshot_sanitized.cc index 1e003706..afa1c9f8 100644 --- a/snapshot/sanitized/process_snapshot_sanitized.cc +++ b/snapshot/sanitized/process_snapshot_sanitized.cc @@ -17,6 +17,7 @@ #include #include "snapshot/cpu_context.h" +#include "util/linux/pac_helper.h" #include "util/numeric/safe_assignment.h" namespace crashpad { @@ -61,7 +62,8 @@ class StackReferencesAddressRange : public MemorySnapshot::Delegate { aligned_sp_offset); size_t word_count = (size - aligned_sp_offset) / sizeof(Pointer); for (size_t index = 0; index < word_count; ++index) { - if (words[index] >= low_ && words[index] < high_) { + auto word = StripPACBits(words[index]); + if (word >= low_ && word < high_) { return true; } } diff --git a/util/BUILD.gn b/util/BUILD.gn index b84a251a..4a828a6a 100644 --- a/util/BUILD.gn +++ b/util/BUILD.gn @@ -432,6 +432,8 @@ crashpad_static_library("util") { "linux/exception_information.h", "linux/memory_map.cc", "linux/memory_map.h", + "linux/pac_helper.cc", + "linux/pac_helper.h", "linux/proc_stat_reader.cc", "linux/proc_stat_reader.h", "linux/proc_task_reader.cc", diff --git a/util/linux/pac_helper.cc b/util/linux/pac_helper.cc new file mode 100644 index 00000000..742d366e --- /dev/null +++ b/util/linux/pac_helper.cc 
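Review bot: The stripped copy is used only for the range test while `words[index]` itself is written back untouched, which is the right choice for a sanitizer (a signed return address survives in the dump exactly as the crashed process held it) but the code does not say so; a comment such as `// Range-check with PAC bits stripped so a signed return address is recognized as in-range; the stored word itself is left unmodified.` above `auto word = StripPACBits(words[index]);` would make that intent explicit. The StackReferencesAddressRange hunk in process_snapshot_sanitized.cc on this same line applies the identical pattern and would benefit from the same comment. The template argument of the `reinterpret_cast` is not legible on this page, so I cannot tell whether this loop is also instantiated for 32-bit words; if it is, they are widened to VMAddress before stripping, which should be harmless but is worth confirming. Note that stripping does not authenticate, so a corrupted or forged return address still passes the range heuristic, which is acceptable here but should not be mistaken for validation. The enclosing method starts and ends outside the hunk.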
@@ -0,0 +1,38 @@
+// Copyright 2023 The Crashpad Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "util/linux/pac_helper.h"
+
+#if __has_feature(ptrauth_intrinsics)
+#include
+#endif
+
+#include "util/misc/address_types.h"
+
+namespace crashpad {
+
+VMAddress StripPACBits(VMAddress address) {
+#if __has_feature(ptrauth_intrinsics)
+ address = ptrauth_strip(address, ptrauth_key_function_pointer);
+#elif defined(ARCH_CPU_ARM64)
+ // Strip any pointer authentication bits that are assigned to the address.
+ register uintptr_t x30 __asm("x30") = address;
+ asm("xpaclri" : "+r"(x30));
+ address = x30;
+#endif
+ return address;
+}
+
+} // namespace crashpad
+
diff --git a/util/linux/pac_helper.h b/util/linux/pac_helper.h
new file mode 100644
index 00000000..6fcea652
--- /dev/null
+++ b/util/linux/pac_helper.h
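Review bot: `#elif defined(ARCH_CPU_ARM64)` relies on build/build_config.h, but this file includes only its own header and util/misc/address_types.h; if the macro is not pulled in transitively, the arm64 branch compiles out silently and StripPACBits degrades to an identity function with no diagnostic, so an explicit `#include "build/build_config.h"` (and `<cstdint>` for `uintptr_t`) would make the dependencies visible. The `ptrauth_intrinsics` branch hands an integer `VMAddress` to `ptrauth_strip`, which I believe expects a pointer-typed operand in Clang; the commit message describes testing on a device that would exercise the `xpaclri` path, so that branch should be confirmed to compile on a ptrauth-enabled toolchain before it is relied upon. A short comment on the asm path would help the next reader: `xpaclri` lives in the HINT space and so is a no-op on cores without pointer authentication, it operates specifically on x30 (hence the `register ... __asm("x30")` binding), and the result is the canonical address with the signature removed, not an authenticated one.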
@@ -0,0 +1,29 @@
+// Copyright 2023 The Crashpad Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef CRASHPAD_UTIL_LINUX_PAC_HELPER_H_
+#define CRASHPAD_UTIL_LINUX_PAC_HELPER_H_
+
+#include "util/misc/address_types.h"
+
+namespace crashpad {
+
+//! \brief Strips PAC bits from an address
+VMAddress StripPACBits(VMAddress address);
+
+} // namespace crashpad
+
+
+#endif // CRASHPAD_UTIL_LINUX_PAC_HELPER_H_
+
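Review bot: The Doxygen comment on `StripPACBits` states what it does but not its contract; the .cc hunk shows the address is returned unchanged on targets with neither ptrauth intrinsics nor arm64, and that only stripping, never signature verification, is performed. I would expand it to a `\brief` line ending in a period plus `\param[in] address` and `\return` lines documenting that the result is \a address with any pointer authentication code bits cleared, or \a address unchanged where no pointer authentication support is compiled in, and that callers must not treat the result as an authenticated pointer. The double blank line before `#endif` also departs from the single-blank-line spacing used elsewhere in the file.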