[libunwind] [PAC][libunwind][AArch64] Keep LR signed when stored in context struct (PR #171717)
Daniil Kovalev via cfe-commits
cfe-commits at lists.llvm.org
Thu Dec 11 03:06:15 PST 2025
https://github.com/kovdan01 updated https://github.com/llvm/llvm-project/pull/171717
>From 71b2db94089b0e6e849349675f2f664a8a7653e4 Mon Sep 17 00:00:00 2001
From: Daniil Kovalev <dkovalev at accesssoftek.com>
Date: Mon, 8 Dec 2025 16:31:10 +0300
Subject: [PATCH] [PAC][libunwind][AArch64] Keep LR signed when stored in
context struct
There are two ways of return address signing: pac-ret (enabled via
`-mbranch-protection=pac-ret`) and ptrauth-returns (enabled as part of
Apple's arm64e or experimental pauthtest ABI on Linux).
Previously, signed LR was handled in libunwind as follows:
1. For pac-ret, the signed LR value was authenticated, and the resulting
unsigned LR value was stored in the context structure.
2. For ptrauth-returns (which is assumed to be a part of a full-fledged
PAuth ABI like arm64e or pauthtest), the signed LR value was
re-signed using the same key (IB) and address of the `__pc` field in
the context structure as a modifier.
This patch unifies the signed LR handling logic by keeping LR signed
for pac-ret similarly to ptrauth-returns. It makes LR substitution in
the context structure harder.
Note that LR signed state or signing scheme for pac-ret might differ between
stack frames. The behavior differs from ptrauth-returns, which has a fixed
signing scheme and is enabled as a part of bigger PAuth ABI which is either
present everywhere or not. In order to handle different signing schemes
across stack frames, new subfields `__state`, `__second_modifier` and
`__use_b_key` of the field `__ra_sign` in the context structure are used.
When stored in the context structure, the pointer is resigned with
maintaining original key and using the address of the `__pc` field in
the structure as a modifier.
---
libunwind/include/__libunwind_config.h | 4 +-
libunwind/include/libunwind.h | 6 +
libunwind/src/DwarfInstructions.hpp | 92 +++--------
libunwind/src/Registers.hpp | 207 +++++++++++++++++++++----
libunwind/src/UnwindCursor.hpp | 8 +-
libunwind/src/UnwindLevel1.c | 57 ++++++-
libunwind/src/UnwindRegistersRestore.S | 163 +++++++++++++++----
libunwind/src/UnwindRegistersSave.S | 104 ++++++++++---
libunwind/src/libunwind.cpp | 10 ++
9 files changed, 480 insertions(+), 171 deletions(-)
diff --git a/libunwind/include/__libunwind_config.h b/libunwind/include/__libunwind_config.h
index 980d11ef5d4f2..3327272c2a6bc 100644
--- a/libunwind/include/__libunwind_config.h
+++ b/libunwind/include/__libunwind_config.h
@@ -73,11 +73,11 @@
# define _LIBUNWIND_HIGHEST_DWARF_REGISTER _LIBUNWIND_HIGHEST_DWARF_REGISTER_PPC
# elif defined(__aarch64__)
# define _LIBUNWIND_TARGET_AARCH64 1
-#define _LIBUNWIND_CONTEXT_SIZE 67
+#define _LIBUNWIND_CONTEXT_SIZE 69
# if defined(__SEH__)
# define _LIBUNWIND_CURSOR_SIZE 164
# else
-#define _LIBUNWIND_CURSOR_SIZE 79
+#define _LIBUNWIND_CURSOR_SIZE 81
# endif
# define _LIBUNWIND_HIGHEST_DWARF_REGISTER _LIBUNWIND_HIGHEST_DWARF_REGISTER_ARM64
# elif defined(__arm__)
diff --git a/libunwind/include/libunwind.h b/libunwind/include/libunwind.h
index 56ca7110274a3..6a56548867642 100644
--- a/libunwind/include/libunwind.h
+++ b/libunwind/include/libunwind.h
@@ -642,6 +642,12 @@ enum {
// reserved block
UNW_AARCH64_RA_SIGN_STATE = 34,
+ // The following two registers are not real Dwarf registers and use numbers
+ // which are not occupied by real Dwarf registers according to
+ // https://github.com/ARM-software/abi-aa/blob/2025Q1/aadwarf64/aadwarf64.rst
+ UNW_AARCH64_RA_SIGN_SECOND_MODIFIER = 128,
+ UNW_AARCH64_RA_SIGN_USE_B_KEY = 129,
+
// FP/vector registers
UNW_AARCH64_V0 = 64,
UNW_AARCH64_V1 = 65,
diff --git a/libunwind/src/DwarfInstructions.hpp b/libunwind/src/DwarfInstructions.hpp
index d2822e8be29ef..ad1555db3abd2 100644
--- a/libunwind/src/DwarfInstructions.hpp
+++ b/libunwind/src/DwarfInstructions.hpp
@@ -75,10 +75,8 @@ class DwarfInstructions {
__builtin_unreachable();
}
#if defined(_LIBUNWIND_TARGET_AARCH64)
- static bool isReturnAddressSigned(A &addressSpace, R registers, pint_t cfa,
- PrologInfo &prolog);
- static bool isReturnAddressSignedWithPC(A &addressSpace, R registers,
- pint_t cfa, PrologInfo &prolog);
+ static pint_t getRASignState(A &addressSpace, const R ®isters, pint_t cfa,
+ const PrologInfo &prolog);
#endif
};
@@ -176,34 +174,13 @@ v128 DwarfInstructions<A, R>::getSavedVectorRegister(
}
#if defined(_LIBUNWIND_TARGET_AARCH64)
template <typename A, typename R>
-bool DwarfInstructions<A, R>::isReturnAddressSigned(A &addressSpace,
- R registers, pint_t cfa,
- PrologInfo &prolog) {
- pint_t raSignState;
- auto regloc = prolog.savedRegisters[UNW_AARCH64_RA_SIGN_STATE];
- if (regloc.location == CFI_Parser<A>::kRegisterUnused)
- raSignState = static_cast<pint_t>(regloc.value);
- else
- raSignState = getSavedRegister(addressSpace, registers, cfa, regloc);
-
- // Only bit[0] is meaningful.
- return raSignState & 0x01;
-}
-
-template <typename A, typename R>
-bool DwarfInstructions<A, R>::isReturnAddressSignedWithPC(A &addressSpace,
- R registers,
- pint_t cfa,
- PrologInfo &prolog) {
- pint_t raSignState;
+typename A::pint_t
+DwarfInstructions<A, R>::getRASignState(A &addressSpace, const R ®isters,
+ pint_t cfa, const PrologInfo &prolog) {
auto regloc = prolog.savedRegisters[UNW_AARCH64_RA_SIGN_STATE];
if (regloc.location == CFI_Parser<A>::kRegisterUnused)
- raSignState = static_cast<pint_t>(regloc.value);
- else
- raSignState = getSavedRegister(addressSpace, registers, cfa, regloc);
-
- // Only bit[1] is meaningful.
- return raSignState & 0x02;
+ return static_cast<pint_t>(regloc.value);
+ return getSavedRegister(addressSpace, registers, cfa, regloc);
}
#endif
@@ -302,54 +279,25 @@ int DwarfInstructions<A, R>::stepWithDwarf(A &addressSpace,
isSignalFrame = cieInfo.isSignalFrame;
-#if defined(_LIBUNWIND_TARGET_AARCH64) && \
- !defined(_LIBUNWIND_TARGET_AARCH64_AUTHENTICATED_UNWINDING)
- // There are two ways of return address signing: pac-ret (enabled via
- // -mbranch-protection=pac-ret) and ptrauth-returns (enabled as part of
- // Apple's arm64e or experimental pauthtest ABI on Linux). The code
- // below handles signed RA for pac-ret, while ptrauth-returns uses
- // different logic.
- // TODO: unify logic for both cases, see
- // https://github.com/llvm/llvm-project/issues/160110
- //
+#if defined(_LIBUNWIND_TARGET_AARCH64)
// If the target is aarch64 then the return address may have been signed
- // using the v8.3 pointer authentication extensions. The original
- // return address needs to be authenticated before the return address is
- // restored. autia1716 is used instead of autia as autia1716 assembles
- // to a NOP on pre-v8.3a architectures.
- if ((R::getArch() == REGISTERS_ARM64) &&
- isReturnAddressSigned(addressSpace, registers, cfa, prolog) &&
+ // using the v8.3 pointer authentication extensions. In order to
+ // store signed return address in the registers context structure, we
+ // need to save the signing scheme for this address.
+ pint_t raSignState = getRASignState(addressSpace, registers, cfa, prolog);
+ bool isReturnAddressSigned = (raSignState & 1);
+ if ((R::getArch() == REGISTERS_ARM64) && isReturnAddressSigned &&
returnAddress != 0) {
#if !defined(_LIBUNWIND_IS_NATIVE_ONLY)
return UNW_ECROSSRASIGNING;
#else
- register unsigned long long x17 __asm("x17") = returnAddress;
- register unsigned long long x16 __asm("x16") = cfa;
-
- // We use the hint versions of the authentication instructions below to
- // ensure they're assembled by the compiler even for targets with no
- // FEAT_PAuth/FEAT_PAuth_LR support.
- if (isReturnAddressSignedWithPC(addressSpace, registers, cfa, prolog)) {
- register unsigned long long x15 __asm("x15") =
- prolog.ptrAuthDiversifier;
- if (cieInfo.addressesSignedWithBKey) {
- asm("hint 0x27\n\t" // pacm
- "hint 0xe"
- : "+r"(x17)
- : "r"(x16), "r"(x15)); // autib1716
- } else {
- asm("hint 0x27\n\t" // pacm
- "hint 0xc"
- : "+r"(x17)
- : "r"(x16), "r"(x15)); // autia1716
- }
- } else {
- if (cieInfo.addressesSignedWithBKey)
- asm("hint 0xe" : "+r"(x17) : "r"(x16)); // autib1716
- else
- asm("hint 0xc" : "+r"(x17) : "r"(x16)); // autia1716
+ newRegisters.setRegister(UNW_AARCH64_RA_SIGN_STATE, raSignState);
+ if (newRegisters.isReturnAddressSignedWithPC()) {
+ newRegisters.setRegister(UNW_AARCH64_RA_SIGN_SECOND_MODIFIER,
+ prolog.ptrAuthDiversifier);
}
- returnAddress = x17;
+ newRegisters.setRegister(UNW_AARCH64_RA_SIGN_USE_B_KEY,
+ cieInfo.addressesSignedWithBKey ? 1 : 0);
#endif
}
#endif
diff --git a/libunwind/src/Registers.hpp b/libunwind/src/Registers.hpp
index 45a2b0921ea3b..2245ccba61e4f 100644
--- a/libunwind/src/Registers.hpp
+++ b/libunwind/src/Registers.hpp
@@ -1877,49 +1877,179 @@ class _LIBUNWIND_HIDDEN Registers_arm64 {
uint64_t getSP() const { return _registers.__sp; }
void setSP(uint64_t value) { _registers.__sp = value; }
+
uint64_t getIP() const {
uint64_t value = _registers.__pc;
-#if defined(_LIBUNWIND_TARGET_AARCH64_AUTHENTICATED_UNWINDING)
+
+ if (!isReturnAddressSigned())
+ return value;
+
+#if !defined(_LIBUNWIND_IS_NATIVE_ONLY)
+ abortCrossRASigning();
+#else
// Note the value of the PC was signed to its address in the register state
// but everyone else expects it to be sign by the SP, so convert on return.
- value = (uint64_t)ptrauth_auth_and_resign((void *)_registers.__pc,
- ptrauth_key_return_address,
- &_registers.__pc,
- ptrauth_key_return_address,
- getSP());
+ register uint64_t x17 __asm("x17") = value;
+ register uint64_t x16 __asm("x16") =
+ reinterpret_cast<uint64_t>(&_registers.__pc);
+ register uint64_t x14 __asm("x14") = getSP();
+ if (isReturnAddressSignedWithPC()) {
+ register uint64_t x15 __asm("x15") =
+ _registers.__ra_sign.__second_modifier;
+ if (isReturnAddressSignedWithBKey()) {
+ asm("hint 0xe \n\t" // autib1716
+ "mov x16, x14\n\t"
+ "hint 0x27 \n\t" // pacm
+ "hint 0xa " // pacib1716
+ : "+r"(x17)
+ : "r"(x16), "r"(x15), "r"(x14));
+ } else {
+ asm("hint 0xc \n\t" // autia1716
+ "mov x16, x14\n\t"
+ "hint 0x27 \n\t" // pacm
+ "hint 0x8 " // pacia1716
+ : "+r"(x17)
+ : "r"(x16), "r"(x15), "r"(x14));
+ }
+ } else {
+ if (isReturnAddressSignedWithBKey()) {
+ asm("hint 0xe \n\t" // autib1716
+ "mov x16, x14\n\t"
+ "hint 0xa " // pacib1716
+ : "+r"(x17)
+ : "r"(x16), "r"(x14));
+ } else {
+ asm("hint 0xc \n\t" // autia1716
+ "mov x16, x14\n\t"
+ "hint 0x8 " // pacia1716
+ : "+r"(x17)
+ : "r"(x16), "r"(x14));
+ }
+ }
+ return x17;
#endif
- return value;
}
+
void setIP(uint64_t value) {
-#if defined(_LIBUNWIND_TARGET_AARCH64_AUTHENTICATED_UNWINDING)
+ if (!isReturnAddressSigned()) {
+ _registers.__pc = value;
+ return;
+ }
+
+#if !defined(_LIBUNWIND_IS_NATIVE_ONLY)
+ abortCrossRASigning();
+#else
// Note the value which was set should have been signed with the SP.
// We then resign with the slot we are being stored in to so that both SP
// and LR can't be spoofed at the same time.
- value = (uint64_t)ptrauth_auth_and_resign((void *)value,
- ptrauth_key_return_address,
- getSP(),
- ptrauth_key_return_address,
- &_registers.__pc);
+ register uint64_t x17 __asm("x17") = value;
+ register uint64_t x16 __asm("x16") = getSP();
+ register uint64_t x14 __asm("x14") =
+ reinterpret_cast<uint64_t>(&_registers.__pc);
+ if (isReturnAddressSignedWithPC()) {
+ register uint64_t x15 __asm("x15") =
+ _registers.__ra_sign.__second_modifier;
+ if (isReturnAddressSignedWithBKey()) {
+ asm("hint 0x27 \n\t" // pacm
+ "hint 0xe \n\t" // autib1716
+ "mov x16, x14\n\t"
+ "hint 0xa " // pacib1716
+ : "+r"(x17)
+ : "r"(x16), "r"(x15), "r"(x14));
+ } else {
+ asm("hint 0x27 \n\t" // pacm
+ "hint 0xc \n\t" // autia1716
+ "mov x16, x14\n\t"
+ "hint 0x8 " // pacia1716
+ : "+r"(x17)
+ : "r"(x16), "r"(x15), "r"(x14));
+ }
+ } else {
+ if (isReturnAddressSignedWithBKey()) {
+ asm("hint 0xe \n\t" // autib1716
+ "mov x16, x14\n\t"
+ "hint 0xa " // pacib1716
+ : "+r"(x17)
+ : "r"(x16), "r"(x14));
+ } else {
+ asm("hint 0xc \n\t" // autia1716
+ "mov x16, x14\n\t"
+ "hint 0x8 " // pacia1716
+ : "+r"(x17)
+ : "r"(x16), "r"(x14));
+ }
+ }
+ _registers.__pc = x17;
#endif
- _registers.__pc = value;
}
+
uint64_t getFP() const { return _registers.__fp; }
void setFP(uint64_t value) { _registers.__fp = value; }
-#if defined(_LIBUNWIND_TARGET_AARCH64_AUTHENTICATED_UNWINDING)
+ // NOTE: For full-fledged PAuth ABIs like Apple's arm64e and Linux's
+ // pauthtest link_reg_t is __ptrauth-qualified. So, LR is re-signed with
+ // link_reg_t signing scheme after it is authenticated with this function.
+ // When just pac-ret is used, link_reg_t is not __ptrauth-qualified and LR
+ // remains unsigned after authentication.
+ // TODO: avoid exposing unsigned LR in absence of full-fledged PAuth ABI.
void
loadAndAuthenticateLinkRegister(reg_t inplaceAuthedLinkRegister,
link_reg_t *referenceAuthedLinkRegister) {
- // If we are in an arm64/arm64e frame, then the PC should have been signed
- // with the SP
- *referenceAuthedLinkRegister =
- (uint64_t)ptrauth_auth_data((void *)inplaceAuthedLinkRegister,
- ptrauth_key_return_address,
- _registers.__sp);
- }
+ if (!isReturnAddressSigned()) {
+ *referenceAuthedLinkRegister = inplaceAuthedLinkRegister;
+ return;
+ }
+
+#if !defined(_LIBUNWIND_IS_NATIVE_ONLY)
+ abortCrossRASigning();
+#else
+ register reg_t x17 __asm("x17") = inplaceAuthedLinkRegister;
+ register reg_t x16 __asm("x16") = getSP();
+ if (isReturnAddressSignedWithPC()) {
+ register reg_t x15 __asm("x15") = _registers.__ra_sign.__second_modifier;
+ if (isReturnAddressSignedWithBKey()) {
+ asm("hint 0x27\n\t" // pacm
+ "hint 0xe " // autib1716
+ : "+r"(x17)
+ : "r"(x16), "r"(x15));
+ } else {
+ asm("hint 0x27\n\t" // pacm
+ "hint 0xc " // autia1716
+ : "+r"(x17)
+ : "r"(x16), "r"(x15));
+ }
+ } else {
+ if (isReturnAddressSignedWithBKey()) {
+ asm("hint 0xe" : "+r"(x17) : "r"(x16)); // autib1716
+ } else {
+ asm("hint 0xc" : "+r"(x17) : "r"(x16)); // autia1716
+ }
+ }
+ *referenceAuthedLinkRegister = x17;
#endif
+ }
+
+ bool isReturnAddressSigned() const {
+ return _registers.__ra_sign.__state & 1;
+ }
+ bool isReturnAddressSignedWithPC() const {
+ return _registers.__ra_sign.__state & 2;
+ }
+ bool isReturnAddressSignedWithBKey() const {
+ return _registers.__ra_sign.__use_b_key;
+ }
private:
+#if !defined(_LIBUNWIND_IS_NATIVE_ONLY)
+ void abortCrossRASigning() const {
+ // We should never go here since non-null RA signed state is either set
+ // by architecture-specific __unw_getcontext or by stepWithDwarf which
+ // already contains a corresponding check and should have already
+ // emitted the UNW_ECROSSRASIGNING error.
+ _LIBUNWIND_ABORT("UNW_ECROSSRASIGNING");
+ }
+#endif
+
uint64_t lazyGetVG() const;
void zaDisable() const {
@@ -1945,7 +2075,12 @@ class _LIBUNWIND_HIDDEN Registers_arm64 {
uint64_t __lr = 0; // Link register x30
uint64_t __sp = 0; // Stack pointer x31
uint64_t __pc = 0; // Program counter
- uint64_t __ra_sign_state = 0; // RA sign state register
+ struct RASign {
+ uint64_t __state = 0; // RA sign state register
+ uint64_t __second_modifier = 0; // Additional modifier used for RA
+ // signing with FEAT_PAuth_LR
+ uint64_t __use_b_key = 0; // 0 for IA key, 1 for IB key
+ } __ra_sign;
};
struct Misc {
@@ -1971,14 +2106,13 @@ inline Registers_arm64::Registers_arm64(const void *registers) {
static_assert((check_fit<Registers_arm64, unw_context_t>::does_fit),
"arm64 registers do not fit into unw_context_t");
memcpy(&_registers, registers, sizeof(_registers));
- static_assert(sizeof(GPRs) == 0x110,
- "expected VFP registers to be at offset 272");
+ static_assert(sizeof(GPRs) == 0x120,
+ "expected VFP registers to be at offset 288");
memcpy(_vectorHalfRegisters,
static_cast<const uint8_t *>(registers) + sizeof(GPRs),
sizeof(_vectorHalfRegisters));
_misc_registers.__vg = 0;
-#if defined(_LIBUNWIND_TARGET_AARCH64_AUTHENTICATED_UNWINDING)
// We have to do some pointer authentication fixups after this copy,
// and as part of that we need to load the source pc without
// authenticating so that we maintain the signature for the resigning
@@ -1987,7 +2121,6 @@ inline Registers_arm64::Registers_arm64(const void *registers) {
memmove(&pcRegister, ((uint8_t *)&_registers) + offsetof(GPRs, __pc),
sizeof(pcRegister));
setIP(pcRegister);
-#endif
}
inline Registers_arm64::Registers_arm64(const Registers_arm64 &other) {
@@ -2008,12 +2141,16 @@ inline bool Registers_arm64::validRegister(int regNum) const {
return true;
if (regNum == UNW_REG_SP)
return true;
+ if (regNum == UNW_AARCH64_RA_SIGN_STATE)
+ return true;
+ if (regNum == UNW_AARCH64_RA_SIGN_SECOND_MODIFIER)
+ return true;
+ if (regNum == UNW_AARCH64_RA_SIGN_USE_B_KEY)
+ return true;
if (regNum < 0)
return false;
if (regNum > 95)
return false;
- if (regNum == UNW_AARCH64_RA_SIGN_STATE)
- return true;
if (regNum == UNW_AARCH64_VG)
return true;
if ((regNum > 32) && (regNum < 64))
@@ -2041,7 +2178,11 @@ inline uint64_t Registers_arm64::getRegister(int regNum) const {
if (regNum == UNW_REG_SP || regNum == UNW_AARCH64_SP)
return _registers.__sp;
if (regNum == UNW_AARCH64_RA_SIGN_STATE)
- return _registers.__ra_sign_state;
+ return _registers.__ra_sign.__state;
+ if (regNum == UNW_AARCH64_RA_SIGN_SECOND_MODIFIER)
+ return _registers.__ra_sign.__second_modifier;
+ if (regNum == UNW_AARCH64_RA_SIGN_USE_B_KEY)
+ return _registers.__ra_sign.__use_b_key;
if (regNum == UNW_AARCH64_FP)
return getFP();
if (regNum == UNW_AARCH64_LR)
@@ -2059,7 +2200,11 @@ inline void Registers_arm64::setRegister(int regNum, uint64_t value) {
else if (regNum == UNW_REG_SP || regNum == UNW_AARCH64_SP)
_registers.__sp = value;
else if (regNum == UNW_AARCH64_RA_SIGN_STATE)
- _registers.__ra_sign_state = value;
+ _registers.__ra_sign.__state = value;
+ else if (regNum == UNW_AARCH64_RA_SIGN_SECOND_MODIFIER)
+ _registers.__ra_sign.__second_modifier = value;
+ else if (regNum == UNW_AARCH64_RA_SIGN_USE_B_KEY)
+ _registers.__ra_sign.__use_b_key = value;
else if (regNum == UNW_AARCH64_FP)
setFP(value);
else if (regNum == UNW_AARCH64_LR)
diff --git a/libunwind/src/UnwindCursor.hpp b/libunwind/src/UnwindCursor.hpp
index 33fcd841b2ab0..39620b4b144d4 100644
--- a/libunwind/src/UnwindCursor.hpp
+++ b/libunwind/src/UnwindCursor.hpp
@@ -1064,7 +1064,7 @@ class UnwindCursor : public AbstractUnwindCursor{
const UnwindInfoSections §s,
uint32_t fdeSectionOffsetHint = 0);
int stepWithDwarfFDE(bool stage2) {
-#if defined(_LIBUNWIND_TARGET_AARCH64_AUTHENTICATED_UNWINDING)
+#if defined(_LIBUNWIND_TARGET_AARCH64)
typename R::reg_t rawPC = this->getReg(UNW_REG_IP);
typename R::link_reg_t pc;
_registers.loadAndAuthenticateLinkRegister(rawPC, &pc);
@@ -2734,7 +2734,8 @@ void UnwindCursor<A, R>::setInfoBasedOnIPRegister(bool isReturnAddress) {
#endif
typename R::link_reg_t pc;
-#if defined(_LIBUNWIND_TARGET_AARCH64_AUTHENTICATED_UNWINDING)
+#if defined(_LIBUNWIND_TARGET_AARCH64) && \
+ !(defined(_LIBUNWIND_SUPPORT_SEH_UNWIND) && defined(_WIN32))
_registers.loadAndAuthenticateLinkRegister(rawPC, &pc);
#else
pc = rawPC;
@@ -3304,7 +3305,8 @@ void UnwindCursor<A, R>::getInfo(unw_proc_info_t *info) {
template <typename A, typename R>
bool UnwindCursor<A, R>::getFunctionName(char *buf, size_t bufLen,
unw_word_t *offset) {
-#if defined(_LIBUNWIND_TARGET_AARCH64_AUTHENTICATED_UNWINDING)
+#if defined(_LIBUNWIND_TARGET_AARCH64) && \
+ !(defined(_LIBUNWIND_SUPPORT_SEH_UNWIND) && defined(_WIN32))
typename R::reg_t rawPC = this->getReg(UNW_REG_IP);
typename R::link_reg_t pc;
_registers.loadAndAuthenticateLinkRegister(rawPC, &pc);
diff --git a/libunwind/src/UnwindLevel1.c b/libunwind/src/UnwindLevel1.c
index 73a27928e91d1..0774508be0428 100644
--- a/libunwind/src/UnwindLevel1.c
+++ b/libunwind/src/UnwindLevel1.c
@@ -616,14 +616,57 @@ _LIBUNWIND_EXPORT uintptr_t _Unwind_GetIP(struct _Unwind_Context *context) {
unw_word_t result;
__unw_get_reg(cursor, UNW_REG_IP, &result);
-#if defined(_LIBUNWIND_TARGET_AARCH64_AUTHENTICATED_UNWINDING)
- // If we are in an arm64e frame, then the PC should have been signed with the
- // sp
+#if defined(_LIBUNWIND_TARGET_AARCH64)
{
- unw_word_t sp;
- __unw_get_reg(cursor, UNW_REG_SP, &sp);
- result = (unw_word_t)ptrauth_auth_data((void *)result,
- ptrauth_key_return_address, sp);
+ unw_word_t raSignState, raSignUseBKey;
+ __unw_get_reg(cursor, UNW_AARCH64_RA_SIGN_STATE, &raSignState);
+ __unw_get_reg(cursor, UNW_AARCH64_RA_SIGN_USE_B_KEY, &raSignUseBKey);
+
+ bool isReturnAddressSigned = (raSignState & 1);
+ bool isReturnAddressSignedWithPC = (raSignState & 2);
+
+ if (isReturnAddressSigned) {
+#if !defined(_LIBUNWIND_IS_NATIVE_ONLY)
+ // We should never go here since non-null RA signed state is either set
+ // by architecture-specific __unw_getcontext or by stepWithDwarf which
+ // already contains a corresponding check and should have already
+ // emitted the UNW_ECROSSRASIGNING error.
+ _LIBUNWIND_ABORT("UNW_ECROSSRASIGNING");
+#else
+ unw_word_t sp;
+ __unw_get_reg(cursor, UNW_REG_SP, &sp);
+
+ register uint64_t x17 __asm("x17") = result;
+ register uint64_t x16 __asm("x16") = sp;
+
+ if (isReturnAddressSignedWithPC) {
+ unw_word_t raSignSecondModifier;
+ __unw_get_reg(cursor, UNW_AARCH64_RA_SIGN_SECOND_MODIFIER,
+ &raSignSecondModifier);
+
+ register uint64_t x15 __asm("x15") = raSignSecondModifier;
+
+ if (raSignUseBKey) {
+ __asm__("hint 0x27\n\t" // pacm
+ "hint 0xe " // autib1716
+ : "+r"(x17)
+ : "r"(x16), "r"(x15));
+ } else {
+ __asm__("hint 0x27\n\t" // pacm
+ "hint 0xc " // autia1716
+ : "+r"(x17)
+ : "r"(x16), "r"(x15));
+ }
+ } else {
+ if (raSignUseBKey) {
+ __asm__("hint 0xe" : "+r"(x17) : "r"(x16)); // autib1716
+ } else {
+ __asm__("hint 0xc" : "+r"(x17) : "r"(x16)); // autia1716
+ }
+ }
+ result = x17;
+#endif
+ }
}
#endif
diff --git a/libunwind/src/UnwindRegistersRestore.S b/libunwind/src/UnwindRegistersRestore.S
index 76a80344034f7..a98b9cb85de3c 100644
--- a/libunwind/src/UnwindRegistersRestore.S
+++ b/libunwind/src/UnwindRegistersRestore.S
@@ -672,7 +672,8 @@ DEFINE_LIBUNWIND_FUNCTION(__libunwind_Registers_arm64_jumpto)
ldp x8, x9, [x0, #0x040]
ldp x10,x11, [x0, #0x050]
ldp x12,x13, [x0, #0x060]
- ldp x14,x15, [x0, #0x070]
+ // x14 and x15 are used as scratch registers in this function
+ // and will be restored later.
// x16 and x17 were clobbered by the call into the unwinder, so no point in
// restoring them.
ldp x18,x19, [x0, #0x090]
@@ -683,42 +684,143 @@ DEFINE_LIBUNWIND_FUNCTION(__libunwind_Registers_arm64_jumpto)
ldp x28,x29, [x0, #0x0E0]
#if defined(__ARM_FP) && __ARM_FP != 0
- ldp d0, d1, [x0, #0x110]
- ldp d2, d3, [x0, #0x120]
- ldp d4, d5, [x0, #0x130]
- ldp d6, d7, [x0, #0x140]
- ldp d8, d9, [x0, #0x150]
- ldp d10,d11, [x0, #0x160]
- ldp d12,d13, [x0, #0x170]
- ldp d14,d15, [x0, #0x180]
- ldp d16,d17, [x0, #0x190]
- ldp d18,d19, [x0, #0x1A0]
- ldp d20,d21, [x0, #0x1B0]
- ldp d22,d23, [x0, #0x1C0]
- ldp d24,d25, [x0, #0x1D0]
- ldp d26,d27, [x0, #0x1E0]
- ldp d28,d29, [x0, #0x1F0]
- ldr d30, [x0, #0x200]
- ldr d31, [x0, #0x208]
+ ldp d0, d1, [x0, #0x120]
+ ldp d2, d3, [x0, #0x130]
+ ldp d4, d5, [x0, #0x140]
+ ldp d6, d7, [x0, #0x150]
+ ldp d8, d9, [x0, #0x160]
+ ldp d10,d11, [x0, #0x170]
+ ldp d12,d13, [x0, #0x180]
+ ldp d14,d15, [x0, #0x190]
+ ldp d16,d17, [x0, #0x1A0]
+ ldp d18,d19, [x0, #0x1B0]
+ ldp d20,d21, [x0, #0x1C0]
+ ldp d22,d23, [x0, #0x1D0]
+ ldp d24,d25, [x0, #0x1E0]
+ ldp d26,d27, [x0, #0x1F0]
+ ldr d28, [x0, #0x200]
+ ldr d29, [x0, #0x208]
+ ldr d30, [x0, #0x210]
+ ldr d31, [x0, #0x218]
#endif
+
+ // The lr value stored in __pc might be signed with IA/IB key (as described
+ // by __ra_sign.__use_b_key field) and &__pc address as a modifier.
+ // If the lr value is signed, re-sign that with the corresponding key
+ // and initial signing scheme using __sp as a modifier and potentially
+ // involving a second modifier (as described by (__ra_sign.__state & 2)).
+
+ ldr x14, [x0, #0x0F8] // x14 = __sp
+ ldr x15, [x0, #0x110] // x15 = __ra_sign.__second_modifier
+ add x16, x0, #0x100 // x16 = &__pc
+ ldr x17, [x0, #0x100] // x17 = __pc
+
+ ldr x1, [x0, #0x108] // x1 = __ra_sign.__state
+ and x1, x1, #1
+ cbz x1, .Lresign_end
+
+ // lr needs resign
+ ldr x1, [x0, #0x108] // x1 = __ra_sign.__state
+ and x1, x1, #2
+ cbnz x1, .Lresign_with_pc
+
+ // lr needs resign without pc as a second modifier
+ ldr x1, [x0, #0x118] // x1 = __ra_sign.__use_b_key
+ cbnz x1, .Lresign_with_b_key
+
+ // lr needs resign with A key and without pc as a second modifier
+ hint 0xc // autia1716
+ mov x16, x14 // x16 = __sp
+ hint 0x8 // pacia1716
+ b .Lresign_end
+
+.Lresign_with_b_key:
+ // lr needs resign with B key and without pc as a second modifier
+ hint 0xe // autib1716
+ mov x16, x14 // x16 = __sp
+ hint 0xa // pacib1716
+ b .Lresign_end
+
+.Lresign_with_pc:
+ // lr needs resign with pc as a second modifier
+ ldr x1, [x0, #0x118] // x1 = __ra_sign.__use_b_key
+ cbnz x1, .Lresign_with_pc_b_key
+
+ // lr needs resign with A key and pc as a second modifier
+ hint 0xc // autia1716
+ mov x16, x14 // x16 = __sp
+ hint 0x27 // pacm
+ hint 0x8 // pacia1716
+ b .Lresign_end
+
+.Lresign_with_pc_b_key:
+ // lr needs resign with B key and pc as a second modifier
+ hint 0xe // autib1716
+ mov x16, x14 // x16 = __sp
+ hint 0x27 // pacm
+ hint 0xa // pacib1716
+ b .Lresign_end
+
+.Lresign_end:
+ mov lr, x17 // assign final lr value
+ ldp x14,x15, [x0, #0x070] // restore x14,x15
+ ldr x16, [x0, #0x110] // second modifier for auti{a|b}sp with PACM
+
// Finally, restore sp. This must be done after the last read from the
// context struct, because it is allocated on the stack, and an exception
// could clobber the de-allocated portion of the stack after sp has been
// restored.
+ ldr x17, [x0, #0x0F8] // load sp into scratch
- ldr x16, [x0, #0x0F8] // load sp into scratch
- ldr lr, [x0, #0x100] // restore pc into lr
+ ldr x1, [x0, #0x108] // x1 = __ra_sign.__state
+ and x1, x1, #1
+ cbz x1, .Lauth_end
-#if __has_feature(ptrauth_calls)
- // The LR is signed with its address inside the register state. Time
- // to resign to be a regular ROP protected signed pointer
- add x1, x0, #0x100
- autib lr, x1
- pacib lr, x16 // signed the scratch register for sp
-#endif
+ // lr is signed
+ ldr x1, [x0, #0x108] // x1 = __ra_sign.__state
+ and x1, x1, #2
+ cbnz x1, .Lauth_with_pc
+
+ // lr is signed without pc as a second modifier
+ ldr x1, [x0, #0x118] // x1 = __ra_sign.__use_b_key
+ cbnz x1, .Lauth_with_b_key
+
+ // lr is signed with A key and without pc as a second modifier
+ ldp x0, x1, [x0, #0x000] // restore x0,x1
+ mov sp,x17 // restore sp
+ hint 0x1d // autiasp
+ ret x30
+
+.Lauth_with_b_key:
+ // lr is signed with B key and without pc as a second modifier
+ ldp x0, x1, [x0, #0x000] // restore x0,x1
+ mov sp,x17 // restore sp
+ hint 0x1f // autibsp
+ ret x30
+.Lauth_with_pc:
+ // lr is signed with pc as a second modifier
+ ldr x1, [x0, #0x118] // x1 = __ra_sign.__use_b_key
+ cbnz x1, .Lauth_with_pc_b_key
+
+ // lr is signed with A key and pc as a second modifier
+ ldp x0, x1, [x0, #0x000] // restore x0,x1
+ mov sp,x17 // restore sp
+ hint 0x27 // pacm
+ hint 0x1d // autiasp
+ ret x30
+
+.Lauth_with_pc_b_key:
+ // lr is signed with B key and pc as a second modifier
+ ldp x0, x1, [x0, #0x000] // restore x0,x1
+ mov sp,x17 // restore sp
+ hint 0x27 // pacm
+ hint 0x1f // autibsp
+ ret x30
+
+.Lauth_end:
ldp x0, x1, [x0, #0x000] // restore x0,x1
- mov sp,x16 // restore sp
+ mov sp,x17 // restore sp
#if defined(__ARM_FEATURE_GCS_DEFAULT)
// If GCS is enabled we need to push the address we're returning to onto the
// GCS stack. We can't just return using br, as there won't be a BTI landing
@@ -729,12 +831,7 @@ DEFINE_LIBUNWIND_FUNCTION(__libunwind_Registers_arm64_jumpto)
gcspushm x30
Lnogcs:
#endif
-
-#if __has_feature(ptrauth_calls)
- retab
-#else
ret x30 // jump to pc
-#endif
#elif defined(__arm__) && !defined(__APPLE__)
diff --git a/libunwind/src/UnwindRegistersSave.S b/libunwind/src/UnwindRegistersSave.S
index f988fd461def1..252353b7861f7 100644
--- a/libunwind/src/UnwindRegistersSave.S
+++ b/libunwind/src/UnwindRegistersSave.S
@@ -769,6 +769,20 @@ LnoR2Fix:
#define __has_feature(__feature) 0
#endif
+#ifdef __ARM_FEATURE_PAC_DEFAULT
+# define UNW_ARM_FEATURE_PAC_DEFAULT __ARM_FEATURE_PAC_DEFAULT
+#else
+# if __has_feature(ptrauth_returns)
+# define UNW_ARM_FEATURE_PAC_DEFAULT 2
+# else
+# define UNW_ARM_FEATURE_PAC_DEFAULT 0
+# endif
+#endif
+
+#define UNW_RA_SIGNED ((UNW_ARM_FEATURE_PAC_DEFAULT & 3) != 0)
+#define UNW_RA_SIGNED_WITH_B_KEY ((UNW_ARM_FEATURE_PAC_DEFAULT & 2) != 0)
+#define UNW_RA_SIGNED_WITH_PC ((UNW_ARM_FEATURE_PAC_DEFAULT & 8) != 0)
+
//
// extern int __unw_getcontext(unw_context_t* thread_state)
//
@@ -778,8 +792,16 @@ LnoR2Fix:
.p2align 2
DEFINE_LIBUNWIND_FUNCTION(__unw_getcontext)
-#if __has_feature(ptrauth_calls)
- pacibsp
+#if UNW_RA_SIGNED
+# if UNW_RA_SIGNED_WITH_PC
+ hint 0x27 // pacm
+.L__unw_getcontext_start:
+# endif
+# if UNW_RA_SIGNED_WITH_B_KEY
+ hint 0x1b // pacibsp
+# else
+ hint 0x19 // paciasp
+# endif
#endif
stp x0, x1, [x0, #0x000]
@@ -801,33 +823,69 @@ DEFINE_LIBUNWIND_FUNCTION(__unw_getcontext)
mov x1,sp
str x1, [x0, #0x0F8]
str x30, [x0, #0x100] // store return address as pc
+
+ // Fill subfields of __ra_sign field
+#if UNW_RA_SIGNED
+# if UNW_RA_SIGNED_WITH_PC
+ adrp x16, .L__unw_getcontext_start
+ add x16, x16, :lo12:.L__unw_getcontext_start
+ str x16, [x0, #0x110] // __second_modifier = x16
+# else
+ str xzr, [x0, #0x110] // __second_modifier = 0
+# endif
+
+ mov x16, #1
+ str x16, [x0, #0x108] // __state = 1
+
+# if UNW_RA_SIGNED_WITH_B_KEY
+ str x16, [x0, #0x118] // __use_b_key = 1
+# else
+ str xzr, [x0, #0x118] // __use_b_key = 0
+# endif
+
+ ldr x16, [x0, #0x080] // restore x16 after clobber
+#else
+ str xzr, [x0, #0x108] // __state = 0
+ str xzr, [x0, #0x110] // __second_modifier = 0
+ str xzr, [x0, #0x118] // __use_b_key = 0
+#endif
+
// skip cpsr
#if defined(__ARM_FP) && __ARM_FP != 0
- stp d0, d1, [x0, #0x110]
- stp d2, d3, [x0, #0x120]
- stp d4, d5, [x0, #0x130]
- stp d6, d7, [x0, #0x140]
- stp d8, d9, [x0, #0x150]
- stp d10,d11, [x0, #0x160]
- stp d12,d13, [x0, #0x170]
- stp d14,d15, [x0, #0x180]
- stp d16,d17, [x0, #0x190]
- stp d18,d19, [x0, #0x1A0]
- stp d20,d21, [x0, #0x1B0]
- stp d22,d23, [x0, #0x1C0]
- stp d24,d25, [x0, #0x1D0]
- stp d26,d27, [x0, #0x1E0]
- stp d28,d29, [x0, #0x1F0]
- str d30, [x0, #0x200]
- str d31, [x0, #0x208]
+ stp d0, d1, [x0, #0x120]
+ stp d2, d3, [x0, #0x130]
+ stp d4, d5, [x0, #0x140]
+ stp d6, d7, [x0, #0x150]
+ stp d8, d9, [x0, #0x160]
+ stp d10,d11, [x0, #0x170]
+ stp d12,d13, [x0, #0x180]
+ stp d14,d15, [x0, #0x190]
+ stp d16,d17, [x0, #0x1A0]
+ stp d18,d19, [x0, #0x1B0]
+ stp d20,d21, [x0, #0x1C0]
+ stp d22,d23, [x0, #0x1D0]
+ stp d24,d25, [x0, #0x1E0]
+ stp d26,d27, [x0, #0x1F0]
+ str d28, [x0, #0x200]
+ str d29, [x0, #0x208]
+ str d30, [x0, #0x210]
+ str d31, [x0, #0x218]
#endif
mov x0, #0 // return UNW_ESUCCESS
-#if __has_feature(ptrauth_calls)
- retab
-#else
- ret
+#if UNW_RA_SIGNED
+# if UNW_RA_SIGNED_WITH_PC
+ adrp x16, .L__unw_getcontext_start
+ add x16, x16, :lo12:.L__unw_getcontext_start
+ hint 0x27 // pacm
+# endif
+# if UNW_RA_SIGNED_WITH_B_KEY
+ hint 0x1f // autibsp
+# else
+ hint 0x1d // autiasp
+# endif
#endif
+ ret
//
// extern "C" int64_t __libunwind_Registers_arm64_za_disable()
diff --git a/libunwind/src/libunwind.cpp b/libunwind/src/libunwind.cpp
index b3036396c379d..c74a52c4e3468 100644
--- a/libunwind/src/libunwind.cpp
+++ b/libunwind/src/libunwind.cpp
@@ -162,6 +162,16 @@ _LIBUNWIND_HIDDEN int __unw_set_reg(unw_cursor_t *cursor, unw_regnum_t regNum,
_LIBUNWIND_ABORT("Bad unwind through arm64e");
}
}
+#elif defined(_LIBUNWIND_TARGET_AARCH64)
+ // We expect IP register value to be signed only for a full-fledged
+ // PAuth ABI such as Apple's arm64e or Linux's pauthtest. Otherwise,
+ // the value to be assigned to the IP register is an unsigned pointer,
+ // so we need to update RA sign info and mark the pointer as unsigned.
+ // This prevents attempts of unsigned pointer authentication in case
+ // if previously a signed RA was stored in the IP register field.
+ co->setReg(UNW_AARCH64_RA_SIGN_STATE, 0);
+ co->setReg(UNW_AARCH64_RA_SIGN_SECOND_MODIFIER, 0);
+ co->setReg(UNW_AARCH64_RA_SIGN_USE_B_KEY, 0);
#endif
// If the original call expects stack adjustment, perform this now.
More information about the cfe-commits
mailing list