Crashpad: Adding PAC bit stripping to stack sanitization.

Pointer Authentication works by adding a signature to the top bits of
an instruction or data pointer (only instruction pointers on the stack
are currently signed in Chromium). A signed pointer no longer compares as
lying within the range it actually refers to, so range checks must strip the
top bits before comparing. Stripping them during the sanitization range checks
avoids this misclassification.


Test: Testing was done manually on a device with pointer authentication enabled.
Bug: crashpad:364
Bug: 919548
Change-Id: I2e739cadb2844cfaf73a75596d664135aeb5faac
Reviewed-on: https://chromium-review.googlesource.com/c/crashpad/crashpad/+/4387271
Commit-Queue: Adam Walls <avvall@google.com>
Reviewed-by: Joshua Peraza <jperaza@chromium.org>
Reviewed-by: Ben Hamilton <benhamilton@google.com>
avvall 2023-04-04 17:02:57 +00:00 committed by Crashpad LUCI CQ
parent c21292dd71
commit 4773a37f0a
5 changed files with 77 additions and 3 deletions


@ -16,6 +16,8 @@
#include <string.h> #include <string.h>
#include "util/linux/pac_helper.h"
namespace crashpad { namespace crashpad {
namespace internal { namespace internal {
@ -62,8 +64,9 @@ class MemorySanitizer : public MemorySnapshot::Delegate {
auto words = auto words =
reinterpret_cast<Pointer*>(static_cast<char*>(data) + aligned_offset); reinterpret_cast<Pointer*>(static_cast<char*>(data) + aligned_offset);
for (size_t index = 0; index < word_count; ++index) { for (size_t index = 0; index < word_count; ++index) {
if (words[index] > MemorySnapshotSanitized::kSmallWordMax && auto word = StripPACBits(words[index]);
!ranges_->Contains(words[index])) { if (word > MemorySnapshotSanitized::kSmallWordMax &&
!ranges_->Contains(word)) {
words[index] = defaced; words[index] = defaced;
} }
} }
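Review bot: The new line 34, `auto word = StripPACBits(words[index]);`, silently changes the compared value's type from `Pointer` to `VMAddress`, and nothing tells the reader that the stripped value is used only for the comparison while the still-signed `words[index]` is what remains in the snapshot when it passes the check. Spelling the type and adding a why-comment makes both visible: `// Compare the stripped address; the signed word itself is left untouched (presumably so the original return address survives in the dump).` followed by `VMAddress word = StripPACBits(words[index]);`. Note that StripPACBits discards the signature rather than verifying it, which is fine for a range check but should not be read as validation. The enclosing method begins before this hunk.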


@ -17,6 +17,7 @@
#include <stdint.h> #include <stdint.h>
#include "snapshot/cpu_context.h" #include "snapshot/cpu_context.h"
#include "util/linux/pac_helper.h"
#include "util/numeric/safe_assignment.h" #include "util/numeric/safe_assignment.h"
namespace crashpad { namespace crashpad {
@ -61,7 +62,8 @@ class StackReferencesAddressRange : public MemorySnapshot::Delegate {
aligned_sp_offset); aligned_sp_offset);
size_t word_count = (size - aligned_sp_offset) / sizeof(Pointer); size_t word_count = (size - aligned_sp_offset) / sizeof(Pointer);
for (size_t index = 0; index < word_count; ++index) { for (size_t index = 0; index < word_count; ++index) {
if (words[index] >= low_ && words[index] < high_) { auto word = StripPACBits(words[index]);
if (word >= low_ && word < high_) {
return true; return true;
} }
} }
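Review bot: The new line 53 strips PAC bits before the `[low_, high_)` test but leaves no trace of why, so a later reader could "simplify" the call away and reintroduce the bug this commit fixes; a short comment would anchor it: `// Stack words may be PAC-signed return addresses; compare the stripped value so a signed pointer into [low_, high_) is still recognized.` As in the sibling sanitizer hunk, `auto` hides that `word` is now a `VMAddress` rather than a `Pointer`; `VMAddress word = StripPACBits(words[index]);` keeps the widening explicit. The loop's enclosing method begins before this hunk.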


@ -432,6 +432,8 @@ crashpad_static_library("util") {
"linux/exception_information.h", "linux/exception_information.h",
"linux/memory_map.cc", "linux/memory_map.cc",
"linux/memory_map.h", "linux/memory_map.h",
"linux/pac_helper.cc",
"linux/pac_helper.h",
"linux/proc_stat_reader.cc", "linux/proc_stat_reader.cc",
"linux/proc_stat_reader.h", "linux/proc_stat_reader.h",
"linux/proc_task_reader.cc", "linux/proc_task_reader.cc",

38
util/linux/pac_helper.cc Normal file

@ -0,0 +1,38 @@
// Copyright 2023 The Crashpad Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "util/linux/pac_helper.h"
#if __has_feature(ptrauth_intrinsics)
#include <ptrauth.h>
#endif
#include "util/misc/address_types.h"
namespace crashpad {
VMAddress StripPACBits(VMAddress address) {
#if __has_feature(ptrauth_intrinsics)
address = ptrauth_strip(address, ptrauth_key_function_pointer);
#elif defined(ARCH_CPU_ARM64)
// Strip any pointer authentication bits that are assigned to the address.
register uintptr_t x30 __asm("x30") = address;
asm("xpaclri" : "+r"(x30));
address = x30;
#endif
return address;
}
} // namespace crashpad
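Review bot: `#if __has_feature(ptrauth_intrinsics)` on lines 90 and 96 is used without first checking that the compiler defines `__has_feature`; on a toolchain that lacks it the directive fails to preprocess instead of falling through to the `ARCH_CPU_ARM64` branch, so either confirm a project header already supplies a shim or add one before the first use: `#if !defined(__has_feature)` / `#define __has_feature(x) 0` / `#endif`. `ARCH_CPU_ARM64` is tested here but the header defining it is not included directly; it presumably arrives through `util/misc/address_types.h`, and an explicit `#include "build/build_config.h"` would make that dependency visible. The `xpaclri` path routes the value through the link register via a register-asm variable; a one-line comment stating why that instruction was chosen over `xpaci` (presumably because it sits in the HINT space and assembles and executes on cores without ARMv8.3 PAuth) would spare the next reader the detour. Finally, this function only strips and never authenticates, so a corrupted or forged PAC still yields an in-range-looking address; that is acceptable for sanitization range checks but is worth stating explicitly in the header comment.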

29
util/linux/pac_helper.h Normal file

@ -0,0 +1,29 @@
// Copyright 2023 The Crashpad Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef CRASHPAD_UTIL_LINUX_PAC_HELPER_H_
#define CRASHPAD_UTIL_LINUX_PAC_HELPER_H_
#include "util/misc/address_types.h"
namespace crashpad {
//! \brief Strips PAC bits from an address
VMAddress StripPACBits(VMAddress address);
} // namespace crashpad
#endif // CRASHPAD_UTIL_LINUX_PAC_HELPER_H_
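Review bot: The Doxygen comment on line 130 says only that PAC bits are stripped, which undersells the contract callers need: it should state that the signature is discarded rather than verified (so the result must not be treated as an authenticated pointer), that on targets without pointer authentication the address is returned unchanged, and it should carry `\param[in] address` and `\return` lines in the style Crashpad uses elsewhere. A one-sentence note that the intended consumers are range comparisons in the sanitized-snapshot code, not pointer dereferences, would close the loop on the security caveat. The declaration itself is fine; `VMAddress` is brought in by the existing `util/misc/address_types.h` include.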