1 /*
2 * Copyright (c) 2019 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 #include "exc_helpers.h"
30
31 #include <darwintest.h>
32 #include <ptrauth.h>
33 #include <stdbool.h>
34 #include <stdlib.h>
35
36 #if __arm64__
37 #define EXCEPTION_THREAD_STATE ARM_THREAD_STATE64
38 #define EXCEPTION_THREAD_STATE_COUNT ARM_THREAD_STATE64_COUNT
39 #elif __x86_64__
40 #define EXCEPTION_THREAD_STATE x86_THREAD_STATE
41 #define EXCEPTION_THREAD_STATE_COUNT x86_THREAD_STATE_COUNT
42 #else
43 #error Unsupported architecture
44 #endif
45
46 #define EXCEPTION_IDENTITY_PROTECTED 4
47
48 /**
49 * mach_exc_server() is a MIG-generated function that verifies the message
50 * that was received is indeed a mach exception and then calls
51 * catch_mach_exception_raise_state() to handle the exception.
52 */
53 extern boolean_t mach_exc_server(mach_msg_header_t *, mach_msg_header_t *);
54
55 extern kern_return_t
56 catch_mach_exception_raise(
57 mach_port_t exception_port,
58 mach_port_t thread,
59 mach_port_t task,
60 exception_type_t type,
61 exception_data_t codes,
62 mach_msg_type_number_t code_count);
63
64 extern kern_return_t
65 catch_mach_exception_raise_identity_protected(
66 __unused mach_port_t exception_port,
67 uint64_t thread_id,
68 mach_port_t task_id_token,
69 exception_type_t exception,
70 mach_exception_data_t codes,
71 mach_msg_type_number_t codeCnt);
72
73 extern kern_return_t
74 catch_mach_exception_raise_backtrace(
75 __unused mach_port_t exception_port,
76 mach_port_t kcdata_object,
77 exception_type_t exception,
78 mach_exception_data_t codes,
79 __unused mach_msg_type_number_t codeCnt);
80
81 extern kern_return_t
82 catch_mach_exception_raise_state(
83 mach_port_t exception_port,
84 exception_type_t type,
85 exception_data_t codes,
86 mach_msg_type_number_t code_count,
87 int *flavor,
88 thread_state_t in_state,
89 mach_msg_type_number_t in_state_count,
90 thread_state_t out_state,
91 mach_msg_type_number_t *out_state_count);
92
93 extern kern_return_t
94 catch_mach_exception_raise_state_identity(
95 mach_port_t exception_port,
96 mach_port_t thread,
97 mach_port_t task,
98 exception_type_t type,
99 exception_data_t codes,
100 mach_msg_type_number_t code_count,
101 int *flavor,
102 thread_state_t in_state,
103 mach_msg_type_number_t in_state_count,
104 thread_state_t out_state,
105 mach_msg_type_number_t *out_state_count);
106
107 static exc_handler_callback_t exc_handler_callback;
108 static exc_handler_protected_callback_t exc_handler_protected_callback;
109 static exc_handler_state_protected_callback_t exc_handler_state_protected_callback;
110 static exc_handler_backtrace_callback_t exc_handler_backtrace_callback;
111
112 /**
113 * This has to be defined for linking purposes, but it's unused.
114 */
115 kern_return_t
catch_mach_exception_raise(mach_port_t exception_port,mach_port_t thread,mach_port_t task,exception_type_t type,exception_data_t codes,mach_msg_type_number_t code_count)116 catch_mach_exception_raise(
117 mach_port_t exception_port,
118 mach_port_t thread,
119 mach_port_t task,
120 exception_type_t type,
121 exception_data_t codes,
122 mach_msg_type_number_t code_count)
123 {
124 #pragma unused(exception_port, thread, task, type, codes, code_count)
125 T_FAIL("Triggered catch_mach_exception_raise() which shouldn't happen...");
126 __builtin_unreachable();
127 }
128
129 kern_return_t
catch_mach_exception_raise_state_identity_protected(mach_port_t exception_port __unused,uint64_t thread_id,mach_port_t task_id_token,exception_type_t type,exception_data_t codes,mach_msg_type_number_t code_count,int * flavor,thread_state_t in_state,mach_msg_type_number_t in_state_count,thread_state_t out_state,mach_msg_type_number_t * out_state_count)130 catch_mach_exception_raise_state_identity_protected(
131 mach_port_t exception_port __unused,
132 uint64_t thread_id,
133 mach_port_t task_id_token,
134 exception_type_t type,
135 exception_data_t codes,
136 mach_msg_type_number_t code_count,
137 int *flavor,
138 thread_state_t in_state,
139 mach_msg_type_number_t in_state_count,
140 thread_state_t out_state,
141 mach_msg_type_number_t *out_state_count)
142 {
143 T_LOG("Caught a mach exception!\n");
144 /* There should only be two code values. */
145 T_QUIET; T_ASSERT_EQ(code_count, 2, "Two code values were provided with the mach exception");
146
147 /**
148 * The code values should be 64-bit since MACH_EXCEPTION_CODES was specified
149 * when setting the exception port.
150 */
151 mach_exception_data_t codes_64 = (mach_exception_data_t)(void *)codes;
152 T_LOG("Mach exception codes[0]: %#llx, codes[1]: %#llx\n", codes_64[0], codes_64[1]);
153
154 /* Verify that we're receiving the expected thread state flavor. */
155 T_QUIET; T_ASSERT_EQ(*flavor, EXCEPTION_THREAD_STATE, "The thread state flavor is EXCEPTION_THREAD_STATE");
156 T_QUIET; T_ASSERT_EQ(in_state_count, EXCEPTION_THREAD_STATE_COUNT, "The thread state count is EXCEPTION_THREAD_STATE_COUNT");
157
158 *out_state_count = in_state_count; /* size of state object in 32-bit words */
159 memcpy((void*)out_state, (void*)in_state, in_state_count * 4);
160
161 exc_handler_state_protected_callback(task_id_token, thread_id, type, codes_64, in_state,
162 in_state_count, out_state, out_state_count);
163
164 /* Return KERN_SUCCESS to tell the kernel to keep running the victim thread. */
165 return KERN_SUCCESS;
166 }
167
168
169 kern_return_t
catch_mach_exception_raise_identity_protected(__unused mach_port_t exception_port,uint64_t thread_id,mach_port_t task_id_token,exception_type_t exception,mach_exception_data_t codes,mach_msg_type_number_t codeCnt)170 catch_mach_exception_raise_identity_protected(
171 __unused mach_port_t exception_port,
172 uint64_t thread_id,
173 mach_port_t task_id_token,
174 exception_type_t exception,
175 mach_exception_data_t codes,
176 mach_msg_type_number_t codeCnt)
177 {
178 T_LOG("Caught a mach exception!\n");
179
180 /* There should only be two code values. */
181 T_QUIET; T_ASSERT_EQ(codeCnt, 2, "Two code values were provided with the mach exception");
182
183 /**
184 * The code values should be 64-bit since MACH_EXCEPTION_CODES was specified
185 * when setting the exception port.
186 */
187 mach_exception_data_t codes_64 = (mach_exception_data_t)(void *)codes;
188 T_LOG("Mach exception codes[0]: %#llx, codes[1]: %#llx\n", codes_64[0], codes_64[1]);
189
190 exc_handler_protected_callback(task_id_token, thread_id, exception, codes_64);
191
192 T_LOG("Assuming the thread state modification was done in the callback, skipping it");
193
194 /* Return KERN_SUCCESS to tell the kernel to keep running the victim thread. */
195 return KERN_SUCCESS;
196 }
197
198 /**
199 * This has to be defined for linking purposes, but it's unused.
200 */
201 kern_return_t
catch_mach_exception_raise_state(mach_port_t exception_port,exception_type_t type,exception_data_t codes,mach_msg_type_number_t code_count,int * flavor,thread_state_t in_state,mach_msg_type_number_t in_state_count,thread_state_t out_state,mach_msg_type_number_t * out_state_count)202 catch_mach_exception_raise_state(
203 mach_port_t exception_port,
204 exception_type_t type,
205 exception_data_t codes,
206 mach_msg_type_number_t code_count,
207 int *flavor,
208 thread_state_t in_state,
209 mach_msg_type_number_t in_state_count,
210 thread_state_t out_state,
211 mach_msg_type_number_t *out_state_count)
212 {
213 #pragma unused(exception_port, type, codes, code_count, flavor, in_state, in_state_count, out_state, out_state_count)
214 T_FAIL("Triggered catch_mach_exception_raise_state() which shouldn't happen...");
215 __builtin_unreachable();
216 }
217
218 /**
219 * Called by mach_exc_server() to handle the exception. This will call the
220 * test's exception-handler callback and will then modify
221 * the thread state to move to the next instruction.
222 */
223 kern_return_t
catch_mach_exception_raise_state_identity(mach_port_t exception_port __unused,mach_port_t thread,mach_port_t task,exception_type_t type,exception_data_t codes,mach_msg_type_number_t code_count,int * flavor,thread_state_t in_state,mach_msg_type_number_t in_state_count,thread_state_t out_state,mach_msg_type_number_t * out_state_count)224 catch_mach_exception_raise_state_identity(
225 mach_port_t exception_port __unused,
226 mach_port_t thread,
227 mach_port_t task,
228 exception_type_t type,
229 exception_data_t codes,
230 mach_msg_type_number_t code_count,
231 int *flavor,
232 thread_state_t in_state,
233 mach_msg_type_number_t in_state_count,
234 thread_state_t out_state,
235 mach_msg_type_number_t *out_state_count)
236 {
237 T_LOG("Caught a mach exception!\n");
238
239 /* There should only be two code values. */
240 T_QUIET; T_ASSERT_EQ(code_count, 2, "Two code values were provided with the mach exception");
241
242 /**
243 * The code values should be 64-bit since MACH_EXCEPTION_CODES was specified
244 * when setting the exception port.
245 */
246 mach_exception_data_t codes_64 = (mach_exception_data_t)(void *)codes;
247 T_LOG("Mach exception codes[0]: %#llx, codes[1]: %#llx\n", codes_64[0], codes_64[1]);
248
249 /* Verify that we're receiving the expected thread state flavor. */
250 T_QUIET; T_ASSERT_EQ(*flavor, EXCEPTION_THREAD_STATE, "The thread state flavor is EXCEPTION_THREAD_STATE");
251 T_QUIET; T_ASSERT_EQ(in_state_count, EXCEPTION_THREAD_STATE_COUNT, "The thread state count is EXCEPTION_THREAD_STATE_COUNT");
252
253 size_t advance_pc = exc_handler_callback(task, thread, type, codes_64);
254
255 /**
256 * Increment the PC by the requested amount so the thread doesn't cause
257 * another exception when it resumes.
258 */
259 *out_state_count = in_state_count; /* size of state object in 32-bit words */
260 memcpy((void*)out_state, (void*)in_state, in_state_count * 4);
261
262 #if __arm64__
263 arm_thread_state64_t *state = (arm_thread_state64_t*)(void *)out_state;
264
265 void *pc = (void*)(arm_thread_state64_get_pc(*state) + advance_pc);
266 /* Have to sign the new PC value when pointer authentication is enabled. */
267 pc = ptrauth_sign_unauthenticated(pc, ptrauth_key_function_pointer, 0);
268 arm_thread_state64_set_pc_fptr(*state, pc);
269 #else
270 (void)advance_pc;
271 T_FAIL("catch_mach_exception_raise_state() not fully implemented on this architecture");
272 __builtin_unreachable();
273 #endif
274
275 /* Return KERN_SUCCESS to tell the kernel to keep running the victim thread. */
276 return KERN_SUCCESS;
277 }
278
279 kern_return_t
catch_mach_exception_raise_backtrace(__unused mach_port_t exception_port,mach_port_t kcdata_object,exception_type_t exception,mach_exception_data_t codes,__unused mach_msg_type_number_t codeCnt)280 catch_mach_exception_raise_backtrace(
281 __unused mach_port_t exception_port,
282 mach_port_t kcdata_object,
283 exception_type_t exception,
284 mach_exception_data_t codes,
285 __unused mach_msg_type_number_t codeCnt)
286 {
287 return exc_handler_backtrace_callback(kcdata_object, exception, codes);
288 }
289
290 mach_port_t
create_exception_port(exception_mask_t exception_mask)291 create_exception_port(exception_mask_t exception_mask)
292 {
293 return create_exception_port_behavior64(exception_mask, EXCEPTION_STATE_IDENTITY);
294 }
295
296 mach_port_t
create_exception_port_behavior64(exception_mask_t exception_mask,exception_behavior_t behavior)297 create_exception_port_behavior64(exception_mask_t exception_mask, exception_behavior_t behavior)
298 {
299 mach_port_t exc_port = MACH_PORT_NULL;
300 mach_port_t task = mach_task_self();
301 mach_port_t thread = mach_thread_self();
302 kern_return_t kr = KERN_SUCCESS;
303
304 if (((unsigned int)behavior & ~MACH_EXCEPTION_MASK) != EXCEPTION_STATE_IDENTITY &&
305 ((unsigned int)behavior & ~MACH_EXCEPTION_MASK) != EXCEPTION_IDENTITY_PROTECTED) {
306 T_FAIL("Passed behavior (%d) is not supported by exc_helpers.", behavior);
307 }
308
309 behavior |= MACH_EXCEPTION_CODES;
310
311 /* Create the mach port the exception messages will be sent to. */
312 kr = mach_port_allocate(task, MACH_PORT_RIGHT_RECEIVE, &exc_port);
313 T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "Allocated mach exception port");
314
315 /**
316 * Insert a send right into the exception port that the kernel will use to
317 * send the exception thread the exception messages.
318 */
319 kr = mach_port_insert_right(task, exc_port, exc_port, MACH_MSG_TYPE_MAKE_SEND);
320 T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "Inserted a SEND right into the exception port");
321
322 /* Tell the kernel what port to send exceptions to. */
323 kr = thread_set_exception_ports(
324 thread,
325 exception_mask,
326 exc_port,
327 (exception_behavior_t)((unsigned int)behavior),
328 EXCEPTION_THREAD_STATE);
329 T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "Set the exception port to my custom handler");
330
331 return exc_port;
332 }
333
334 struct thread_params {
335 mach_port_t exc_port;
336 bool run_once;
337 };
338
339 /**
340 * Thread to handle the mach exception.
341 *
342 * @param arg The exception port to wait for a message on.
343 */
344 static void *
exc_server_thread(void * arg)345 exc_server_thread(void *arg)
346 {
347 struct thread_params *params = arg;
348 mach_port_t exc_port = params->exc_port;
349 bool run_once = params->run_once;
350 free(params);
351
352 /**
353 * mach_msg_server_once is a helper function provided by libsyscall that
354 * handles creating mach messages, blocks waiting for a message on the
355 * exception port, calls mach_exc_server() to handle the exception, and
356 * sends a reply based on the return value of mach_exc_server().
357 */
358 #define MACH_MSG_REPLY_SIZE 4096
359 kern_return_t kr;
360 if (run_once) {
361 kr = mach_msg_server_once(mach_exc_server, MACH_MSG_REPLY_SIZE, exc_port, 0);
362 } else {
363 kr = mach_msg_server(mach_exc_server, MACH_MSG_REPLY_SIZE, exc_port, 0);
364 }
365 T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "Received mach exception message");
366
367 pthread_exit((void*)0);
368 __builtin_unreachable();
369 }
370
371 static void
_run_exception_handler(mach_port_t exc_port,void * preferred_callback,void * callback,bool run_once,exception_behavior_t behavior)372 _run_exception_handler(mach_port_t exc_port, void *preferred_callback, void *callback, bool run_once, exception_behavior_t behavior)
373 {
374 if (behavior & MACH_EXCEPTION_BACKTRACE_PREFERRED) {
375 T_QUIET; T_ASSERT_NE(NULL, preferred_callback, "Require a preferred callback");
376 exc_handler_backtrace_callback = (exc_handler_backtrace_callback_t)preferred_callback;
377 }
378
379 behavior &= ~MACH_EXCEPTION_MASK;
380
381 switch (behavior) {
382 case EXCEPTION_STATE_IDENTITY:
383 exc_handler_callback = (exc_handler_callback_t)callback;
384 break;
385 case EXCEPTION_STATE_IDENTITY_PROTECTED:
386 exc_handler_state_protected_callback = (exc_handler_state_protected_callback_t)callback;
387 break;
388 case EXCEPTION_IDENTITY_PROTECTED:
389 exc_handler_protected_callback = (exc_handler_protected_callback_t)callback;
390 break;
391 default:
392 T_FAIL("Unsupported behavior");
393 break;
394 }
395
396 pthread_t exc_thread;
397
398 /* Spawn the exception server's thread. */
399 struct thread_params *params = malloc(sizeof(*params));
400 params->exc_port = exc_port;
401 params->run_once = run_once;
402 int err = pthread_create(&exc_thread, (pthread_attr_t*)0, exc_server_thread, params);
403 T_QUIET; T_ASSERT_POSIX_ZERO(err, "Spawned exception server thread");
404
405 /* No need to wait for the exception server to be joined when it exits. */
406 pthread_detach(exc_thread);
407 }
408
409 void
run_exception_handler(mach_port_t exc_port,exc_handler_callback_t callback)410 run_exception_handler(mach_port_t exc_port, exc_handler_callback_t callback)
411 {
412 run_exception_handler_behavior64(exc_port, NULL, (void *)callback, EXCEPTION_STATE_IDENTITY, true);
413 }
414
415 void
run_exception_handler_behavior64(mach_port_t exc_port,void * preferred_callback,void * callback,exception_behavior_t behavior,bool run_once)416 run_exception_handler_behavior64(mach_port_t exc_port, void *preferred_callback,
417 void *callback, exception_behavior_t behavior, bool run_once)
418 {
419 if (((unsigned int)behavior & ~MACH_EXCEPTION_MASK) != EXCEPTION_STATE_IDENTITY &&
420 ((unsigned int)behavior & ~MACH_EXCEPTION_MASK) != EXCEPTION_IDENTITY_PROTECTED &&
421 ((unsigned int)behavior & ~MACH_EXCEPTION_MASK) != EXCEPTION_STATE_IDENTITY_PROTECTED) {
422 T_FAIL("Passed behavior (%d) is not supported by exc_helpers.", behavior);
423 }
424
425 _run_exception_handler(exc_port, (void *)preferred_callback, (void *)callback, run_once, behavior);
426 }
427
428 void
repeat_exception_handler(mach_port_t exc_port,exc_handler_callback_t callback)429 repeat_exception_handler(mach_port_t exc_port, exc_handler_callback_t callback)
430 {
431 _run_exception_handler(exc_port, NULL, (void *)callback, false, EXCEPTION_STATE_IDENTITY);
432 }
433