[sanitizer] Fix prctl interceptor causing PAC authentication failure #153081
Conversation
|
Thank you for submitting a Pull Request (PR) to the LLVM Project! This PR will be automatically labeled and the relevant teams will be notified. If you wish to, you can add reviewers by using the "Reviewers" section on this page. If this is not working for you, it is probably because you do not have write permissions for the repository. In which case you can instead tag reviewers by name in a comment by using If you have received no comments on your PR for a week, you can request a review by "ping"ing the PR by adding a comment “Ping”. The common courtesy "ping" rate is once a week. Please remember that you are asking for valuable time from other developers. If you have further questions, they may be answered by the LLVM GitHub User Guide. You can also ask questions in a comment on this PR, on the LLVM Discord or on the forums. |
|
@llvm/pr-subscribers-compiler-rt-sanitizer Author: Fei Peng (airpfei) ChangesThe root cause of this crash is that prctl(PR_PAC_RESET_KEYS) generates a new PAC key. As a result, paciasp and autiasp use different keys, leading to the crash. The solution is: if prctl's option is PR_PAC_RESET_KEYS, call real_prctl directly. This is implemented in assembly, so there are no PAC instructions involved. Related issue: android/ndk#1848 Full diff: https://github.com/llvm/llvm-project/pull/153081.diff 1 Files Affected:
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc b/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
index 2d6cf7fc3282f..b177fdc62293f 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
@@ -1285,7 +1285,54 @@ INTERCEPTOR(int, puts, char *s) {
#endif
#if SANITIZER_INTERCEPT_PRCTL
-INTERCEPTOR(int, prctl, int option, unsigned long arg2, unsigned long arg3,
+
+#if defined(__aarch64__)
+// https://llvm.org/docs/PointerAuth.html
+// AArch64 is currently the only architecture with full support for PAC. If
+// other architectures add support for PAC, similar logic should be implemented.
+// Because after resetting the PAC key, WRAP(prctl) will continue to perform
+// authentication using the old key, the authentication will fail. The solution
+// is to call REAL(prctl) directly when the prctl option is PR_PAC_RESET_KEYS.
+
+#define PR_PAC_RESET_KEYS 54
+
+#define PRCTL_INTERCEPTOR(ret_type, func, ...) \
+ DEFINE_REAL(ret_type, func, __VA_ARGS__) \
+ extern "C" ret_type func(__VA_ARGS__); \
+ extern "C" ret_type TRAMPOLINE(func)(__VA_ARGS__); \
+ extern "C" ret_type __interceptor_##func(__VA_ARGS__) \
+ INTERCEPTOR_ATTRIBUTE __attribute__((weak)) ALIAS(WRAP(func)); \
+ extern "C" INTERCEPTOR_ATTRIBUTE ret_type WRAP(func)(__VA_ARGS__)
+
+asm(
+ ".text\n"
+ ".weak prctl\n"
+ ".set prctl, " SANITIZER_STRINGIFY(TRAMPOLINE(prctl)) "\n"
+ ".global " SANITIZER_STRINGIFY(TRAMPOLINE(prctl)) "\n"
+ ".type " SANITIZER_STRINGIFY(TRAMPOLINE(prctl)) ", "
+ ASM_TYPE_FUNCTION_STR "\n"
+ SANITIZER_STRINGIFY(TRAMPOLINE(prctl)) ":\n"
+ C_ASM_STARTPROC "\n"
+ "cmp w0, #" SANITIZER_STRINGIFY(PR_PAC_RESET_KEYS) "\n"
+ "bne .L_wrap_prctl\n"
+ // tail jump to libc prctl
+ "adrp x6, :got:_ZN14__interception10real_prctlE\n"
+ "ldr x6, [x6, #:got_lo12:_ZN14__interception10real_prctlE]\n"
+ "ldr x6, [x6]\n"
+ "br x6\n"
+ ".L_wrap_prctl:"
+ C_ASM_TAIL_CALL(SANITIZER_STRINGIFY(TRAMPOLINE(prctl)),
+ "__interceptor_"
+ SANITIZER_STRINGIFY(ASM_PREEMPTIBLE_SYM(prctl))) "\n"
+ C_ASM_ENDPROC "\n"
+ ".size " SANITIZER_STRINGIFY(TRAMPOLINE(prctl)) ", "
+ ".-" SANITIZER_STRINGIFY(TRAMPOLINE(prctl)) "\n"
+);
+#else
+#define PRCTL_INTERCEPTOR INTERCEPTOR
+#endif
+
+PRCTL_INTERCEPTOR(int, prctl, int option, unsigned long arg2, unsigned long arg3,
unsigned long arg4, unsigned long arg5) {
void *ctx;
COMMON_INTERCEPTOR_ENTER(ctx, prctl, option, arg2, arg3, arg4, arg5);
|
|
We could avoid adding PAC instructions by just adding some function attributes. |
airpfei
force-pushed
the
fix_prctl_interceptor
branch
2 times, most recently
from
77b2232 to
5a22b88
Compare
@DanielKristofKiss just updated the change following this suggestion |
|
@pcc Could you please review this change when you have time? |
airpfei
force-pushed
the
fix_prctl_interceptor
branch
from
ba4e966 to
96db681
Compare
|
Hi @pcc, I reformatted the code as suggested. Could you please approve the workflows |
|
✅ With the latest revision this PR passed the C/C++ code formatter. |
…after PAC key reset
airpfei
force-pushed
the
fix_prctl_interceptor
branch
from
96db681 to
f54025d
Compare
|
Hi @pcc, could you please approve the workflows again? I fixed the format issues. |
|
@pcc @DanielKristofKiss |
|
@airpfei Congratulations on having your first Pull Request (PR) merged into the LLVM Project! Your changes will be combined with recent changes from other authors, then tested by our build bots. If there is a problem with a build, you may receive a report in an email or a comment on this PR. Please check whether problems have been caused by your change specifically, as the builds can include changes from many authors. It is not uncommon for your change to be included in a build that fails due to someone else's changes, or infrastructure issues. How to do this, and the rest of the post-merge process, is covered in detail here. If your change does cause a problem, it may be reverted, or you can revert it yourself. This is a normal part of LLVM development. You can fix your changes and open a new PR to merge them again. If you don't get any reports, no action is required from you. Your changes are working as expected, well done! |
4 participants
The root cause of this crash is that prctl(PR_PAC_RESET_KEYS) generates a new PAC key. As a result, paciasp and autiasp use different keys, leading to the crash.
The solution is: if prctl's option is PR_PAC_RESET_KEYS, call real_prctl directly. This is implemented in assembly, so there are no PAC instructions involved.
Related issue: android/ndk#1848