[all-commits] [llvm/llvm-project] b7961f: [lldb] [debugserver] Preserve signing bits on lr i...

Jason Molenda via All-commits all-commits at lists.llvm.org
Mon Sep 25 17:02:39 PDT 2023 

  Branch: refs/heads/main
  Home:   https://github.com/llvm/llvm-project
  Commit: b7961f2cb97556bfc50f7828d5f869d96ab9352e
      https://github.com/llvm/llvm-project/commit/b7961f2cb97556bfc50f7828d5f869d96ab9352e
  Author: Jason Molenda <jmolenda at apple.com>
  Date:   2023-09-25 (Mon, 25 Sep 2023)

  Changed paths:
    M lldb/tools/debugserver/source/MacOSX/arm64/DNBArchImplARM64.cpp

  Log Message:
  -----------
  [lldb] [debugserver] Preserve signing bits on lr in debugserver (#67384)

In https://reviews.llvm.org/D136620 I changed debugserver to stop using
the kernel-provided functions
arm_thread_state64_get_{pc,lr,sp,fp} to postprocess those four registers
on aarch64 systems after we thread_get_state() them. The kernel stores
these four registers with signing internally, either from the inferior
process' actual signing, or its own.

When a program had crashed by doing an authenticated BL to an address
with improper signing, the inferior process would crash and that
improperly signed pc would be given to debugserver via thread_get_state.
debugserver would run that through arm_thread_state64_get_pc() and then
debugserver would crash when authenticating & stripping the value, on
newer Mac hardware.

To avoid debugserver crashing on a crashed inferior process, I switched
from using these system functions to strip the values, to simply
clearing the bits outright in debugserver.

However, lr is a special case where the inferior may have signed this
value (against the stack pointer value at the time). Or it may not yet
have any authentication bits, right after a BL. In the latter case, the
kernel will add its own auth bits for while it is stored inside the
kernel. In the case of a user lr value, we cannot authenticate it in
debugserver without knowing the sp value it was signed against (and the
way it is signed is not specified by the ABI) so an "improperly" signed
lr (whatever that means) won't cause debugserver to crash.

debugserver can thread_get_state the inferior's lr, run it through
arm_thread_state64_get_lr(), and get the actual signed 64-bit value that
the inferior process is using. And the specifics of how that lr is
signed may be important for debugging the process, instead of how I am
currently clearing the auth bits outright.

This patch reverts that change for lr only, and also adds a new logging
to debugserver specifically for the four sp/fp/lr/pc values that
thread_get_state hands to us, before we process them at all.

More information about the All-commits mailing list