Unwinding registration for arm64e

Author: ifratric

macOS/debugger.cpp

@@ -220,7 +220,6 @@ uint64_t* Debugger::GetPointerToRegister(Register r) {
     case X26:
     case X27:
     case X28:
-    case X29:
       return &state->__x[r];
 #ifndef __arm64e__
     case PC:
@@ -229,6 +228,8 @@ uint64_t* Debugger::GetPointerToRegister(Register r) {
       return &state->__lr;
     case SP:
       return &state->__sp;
+    case FP:
+      return &state->__fp;
 #endif
     case CPSR:
       return (uint64_t*)&state->__cpsr;
@@ -288,6 +289,8 @@ size_t Debugger::GetRegister(Register r) {
       return (size_t)ptrauth_strip(state->__opaque_lr, ptrauth_key_function_pointer);
     case SP:
       return (size_t)ptrauth_strip((void *)state->__opaque_sp, ptrauth_key_process_independent_data);
+    case FP:
+      return (size_t)ptrauth_strip((void *)state->__opaque_fp, ptrauth_key_process_independent_data);
     default:
       break;
   }
@@ -320,6 +323,9 @@ void Debugger::SetRegister(Register r, size_t value) {
     case SP:
       arm_thread_state64_set_sp(*state, (void *)value);
       return;
+    case FP:
+      arm_thread_state64_set_fp(*state, (void *)value);
+      return;
   default:
     break;
   }
@@ -1591,9 +1597,19 @@ void Debugger::SaveRegisters(SavedRegisters *registers) {
 
   registers->gpr_count = *(mach_exception->new_state_cnt);
 
+#ifdef __arm64e__
+  ARCH_THREAD_STATE_T *at_state = (ARCH_THREAD_STATE_T*)(mach_exception->new_state);
+  memcpy(registers->gpr_registers.__x, at_state->__x, sizeof(registers->gpr_registers.__x));
+  registers->gpr_registers.__opaque_fp = (void *)GetRegister(FP);
+  registers->gpr_registers.__opaque_lr = (void *)GetRegister(LR);
+  registers->gpr_registers.__opaque_sp = (void *)GetRegister(SP);
+  registers->gpr_registers.__opaque_pc = (void *)GetRegister(PC);
+  registers->gpr_registers.__cpsr = (uint32_t)GetRegister(CPSR);
+#else
   memcpy(&registers->gpr_registers,
          mach_exception->new_state,
          registers->gpr_count * sizeof(natural_t));
+#endif
 
   registers->fpu_count = sizeof(ARCH_FPU_STATE_T) / sizeof(natural_t);
   kern_return_t ret = thread_get_state(mach_exception->thread_port,
@@ -1611,10 +1627,20 @@ void Debugger::RestoreRegisters(SavedRegisters *registers) {
     FATAL("Unexpected thread state size");
   }
 
+#ifdef __arm64e__
+  ARCH_THREAD_STATE_T *at_state = (ARCH_THREAD_STATE_T*)(mach_exception->new_state);
+  memcpy(at_state->__x, registers->gpr_registers.__x, sizeof(registers->gpr_registers.__x));
+  SetRegister(FP, (size_t)registers->gpr_registers.__opaque_fp);
+  SetRegister(LR, (size_t)registers->gpr_registers.__opaque_lr);
+  SetRegister(SP, (size_t)registers->gpr_registers.__opaque_sp);
+  SetRegister(PC, (size_t)registers->gpr_registers.__opaque_pc);
+  SetRegister(CPSR, (size_t)registers->gpr_registers.__cpsr);
+#else
   memcpy(mach_exception->new_state,
          &registers->gpr_registers,
          registers->gpr_count * sizeof(natural_t));
-  
+#endif
+
   kern_return_t ret = thread_set_state(mach_exception->thread_port,
                                        ARCH_FPU_STATE,
                                        (thread_state_t)&registers->fpu_registers,

macOS/unwindmacos.cpp

@@ -176,9 +176,10 @@ void UnwindGeneratorMacOS::OnReturnAddress(ModuleInfo *module,
     {original_address, personality};
 }
 
-size_t UnwindGeneratorMacOS::WriteCIE(ModuleInfo *module,
+size_t UnwindGeneratorMacOS::WriteCIE(size_t addr,
                                       const char *augmentation,
-                                      size_t personality_addr) {
+                                      size_t personality_addr,
+                                      size_t *personality_remote_ptr) {
 
   ByteStream cie;
   cie.PutValue<uint32_t>(0);                  // CIE id, must be zero
@@ -194,10 +195,13 @@ size_t UnwindGeneratorMacOS::WriteCIE(ModuleInfo *module,
 
   cie.PutValueFront<uint32_t>(cie.size());    // CIE length
 
-  size_t cie_address = tinyinst_.GetCurrentInstrumentedAddress(module);
-  tinyinst_.WriteCode(module, cie.data(), cie.size());
+  tinyinst_.RemoteWrite((void *)addr, cie.data(), cie.size());
+  
+  if(personality_remote_ptr) {
+    *personality_remote_ptr = addr + cie.size() - 8;
+  }
 
-  return cie_address;
+  return addr + cie.size();
 }
 
 void UnwindGeneratorMacOS::ExtractPersonalityArray(ModuleInfo *module) {
@@ -433,24 +437,22 @@ bool UnwindGeneratorMacOS::HandleBreakpoint(ModuleInfo* module, void *address) {
   return false;
 }
 
-size_t UnwindGeneratorMacOS::WriteFDE(ModuleInfo *module,
+size_t UnwindGeneratorMacOS::WriteFDE(size_t addr,
                                       size_t cie_address,
                                       size_t min_address,
                                       size_t max_address)
 {
-  UnwindDataMacOS *unwind_data = (UnwindDataMacOS *)module->unwind_data;
-  size_t fde_address = tinyinst_.GetCurrentInstrumentedAddress(module);
-
   ByteStream fde;
-  fde.PutValue<uint32_t>(fde_address - cie_address + 4); // CIE pointer
+  fde.PutValue<uint32_t>(addr - cie_address + 4); // CIE pointer
   fde.PutValue<uint64_t>(min_address);                   // PC start
   fde.PutValue<uint64_t>(max_address - min_address);     // PC range
   fde.PutULEB128Value(0);                                // aug length
 
   fde.PutValueFront<uint32_t>(fde.size());               // length
 
-  tinyinst_.WriteCode(module, fde.data(), fde.size());
-  return fde_address;
+  tinyinst_.RemoteWrite((void *)addr, fde.data(), fde.size());
+  
+  return addr + fde.size();
 }
 
 size_t UnwindGeneratorMacOS::MaybeRedirectExecution(ModuleInfo* module, size_t IP) {
@@ -478,13 +480,16 @@ size_t UnwindGeneratorMacOS::MaybeRedirectExecution(ModuleInfo* module, size_t I
 #endif
 
   size_t personality = WriteCustomPersonality(module);
-  size_t cie_address = WriteCIE(module, "zP", personality);
+    
+  size_t cie_address = (size_t)tinyinst_.RemoteAllocate(4096, MemoryProtection::READWRITE);
+  size_t personality_remote_ptr = 0;
+  size_t fde_address = WriteCIE(cie_address, "zP", personality, &personality_remote_ptr);
 
   std::vector<size_t> fde_addresses;
-  size_t fde_address = WriteFDE(module, cie_address,
-                                (size_t)module->instrumented_code_remote,
-                                (size_t)module->instrumented_code_remote +
-                                module->instrumented_code_size);
+  WriteFDE(fde_address, cie_address,
+           (size_t)module->instrumented_code_remote,
+           (size_t)module->instrumented_code_remote +
+           module->instrumented_code_size);
   fde_addresses.push_back(fde_address);
 
   size_t fde_array_start = tinyinst_.GetCurrentInstrumentedAddress(module);
@@ -517,6 +522,11 @@ size_t UnwindGeneratorMacOS::MaybeRedirectExecution(ModuleInfo* module, size_t I
 
   // fill out the missing pieces in the assembly snippet
 #ifdef ARM64
+  tinyinst_.WritePointerAtOffset(module,
+                                 personality_remote_ptr,
+                                 assembly_offset +
+                                 register_assembly_arm64_personality_offset);
+
   size_t register_assembly_data_offset = register_assembly_arm64_data_offset;
 #else
   size_t register_assembly_data_offset = register_assembly_x86_data_offset;
@@ -911,4 +921,4 @@ void UnwindGeneratorMacOS::AlignCodeMemory(ModuleInfo *module) {
     tinyinst_.WriteCode(module, (void*)&padding, 4 - ls2b);
   }
 }
-#endif
+#endif

macOS/unwindmacos.h

@@ -203,10 +203,11 @@ class UnwindGeneratorMacOS : public UnwindGenerator {
 
   void ExtractPersonalityArray(ModuleInfo *module);
 
-  size_t WriteCIE(ModuleInfo *module,
+  size_t WriteCIE(size_t addr,
                   const char *augmentation,
-                  size_t personality_addr);
-  size_t WriteFDE(ModuleInfo *module,
+                  size_t personality_addr,
+                  size_t *personality_remote_ptr);
+  size_t WriteFDE(size_t addr,
                   size_t cie_address,
                   size_t min_address,
                   size_t max_address);
@@ -245,10 +246,18 @@ class UnwindGeneratorMacOS : public UnwindGenerator {
       0x40, 0x00, 0x00, 0xb4, // cbz x0, skip_alignment
       0xff, 0x23, 0x00, 0xd1, // sub sp, sp, #8
     // skip_alignment:
+    // pac sign the personality
+      0xb4, 0x00, 0x00, 0x58, // ldr x20, #20;
+      0x93, 0x02, 0x40, 0xf9, // ldr x19, [x20]
+      0x93, 0x02, 0xc1, 0xda, // pacia x19, x20
+      0x93, 0x02, 0x00, 0xf9, // str x19, [x20]
+      0x03, 0x00, 0x00, 0x14, // b #12; loop
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // address of personaliy ptr goes here
+    // load array params
       0x93, 0x00, 0x00, 0x58, // ldr x19, #16; x19 becomes the current array pointer
       0xb4, 0x00, 0x00, 0x58, // ldr x20, #20; x20 becomes the end array pointer
       0xd5, 0x00, 0x00, 0x58, // ldr x21, #24; x21 becomes __register_frame address
-      0x09, 0x00, 0x00, 0x14, // b #36; loop
+      0x07, 0x00, 0x00, 0x14, // b #28; loop
       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // array start addr goes here
       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // array end addr goes here
       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // __register_frame addr goes here
@@ -266,7 +275,8 @@ class UnwindGeneratorMacOS : public UnwindGenerator {
       0xe0, 0x4f, 0x42, 0xa9, // ldp x0, x19, [sp, #32]
       0xff, 0xc3, 0x00, 0x91, // add sp, sp, #48
   };
-  static const size_t register_assembly_arm64_data_offset = 48;
+  static const size_t register_assembly_arm64_personality_offset = 52;
+  static const size_t register_assembly_arm64_data_offset = 76;
 #else
   static constexpr unsigned char register_assembly_x86[] = {
     // save registers