1*0f4c859eSApple OSS Distributions /*
2*0f4c859eSApple OSS Distributions * Copyright (c) 2021 Apple Computer, Inc. All rights reserved.
3*0f4c859eSApple OSS Distributions *
4*0f4c859eSApple OSS Distributions * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5*0f4c859eSApple OSS Distributions *
6*0f4c859eSApple OSS Distributions * This file contains Original Code and/or Modifications of Original Code
7*0f4c859eSApple OSS Distributions * as defined in and that are subject to the Apple Public Source License
8*0f4c859eSApple OSS Distributions * Version 2.0 (the 'License'). You may not use this file except in
9*0f4c859eSApple OSS Distributions * compliance with the License. The rights granted to you under the License
10*0f4c859eSApple OSS Distributions * may not be used to create, or enable the creation or redistribution of,
11*0f4c859eSApple OSS Distributions * unlawful or unlicensed copies of an Apple operating system, or to
12*0f4c859eSApple OSS Distributions * circumvent, violate, or enable the circumvention or violation of, any
13*0f4c859eSApple OSS Distributions * terms of an Apple operating system software license agreement.
14*0f4c859eSApple OSS Distributions *
15*0f4c859eSApple OSS Distributions * Please obtain a copy of the License at
16*0f4c859eSApple OSS Distributions * http://www.opensource.apple.com/apsl/ and read it before using this file.
17*0f4c859eSApple OSS Distributions *
18*0f4c859eSApple OSS Distributions * The Original Code and all software distributed under the License are
19*0f4c859eSApple OSS Distributions * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20*0f4c859eSApple OSS Distributions * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21*0f4c859eSApple OSS Distributions * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22*0f4c859eSApple OSS Distributions * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23*0f4c859eSApple OSS Distributions * Please see the License for the specific language governing rights and
24*0f4c859eSApple OSS Distributions * limitations under the License.
25*0f4c859eSApple OSS Distributions *
26*0f4c859eSApple OSS Distributions * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27*0f4c859eSApple OSS Distributions */
28*0f4c859eSApple OSS Distributions
#include <darwintest.h>
#include <pthread.h>
#include <ptrauth.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <mach/mach.h>
#include <mach/exception.h>
#include <mach/semaphore.h>
#include <mach/thread_status.h>
#include <TargetConditionals.h>
40*0f4c859eSApple OSS Distributions
/*
 * Thread-state flavor (and its size in 32-bit words) registered with
 * task_set_exception_ports() and expected in every exception message.
 * Only the arm64 flavor carries the PAC-signed PC these tests exercise;
 * both T_DECLs skip on non-arm64e targets.
 */
#if __arm64__
#define EXCEPTION_THREAD_STATE ARM_THREAD_STATE64
#define EXCEPTION_THREAD_STATE_COUNT ARM_THREAD_STATE64_COUNT
#elif __arm__
#define EXCEPTION_THREAD_STATE ARM_THREAD_STATE
#define EXCEPTION_THREAD_STATE_COUNT ARM_THREAD_STATE_COUNT
#elif __x86_64__
#define EXCEPTION_THREAD_STATE x86_THREAD_STATE
#define EXCEPTION_THREAD_STATE_COUNT x86_THREAD_STATE_COUNT
#else
#error Unsupported architecture
#endif
53*0f4c859eSApple OSS Distributions
/* darwintest metadata shared by both T_DECLs in this file. */
T_GLOBAL_META(
	T_META_NAMESPACE("xnu.ipc"),
	T_META_RADAR_COMPONENT_NAME("xnu"),
	T_META_RADAR_COMPONENT_VERSION("IPC"),
	T_META_RUN_CONCURRENTLY(true));
59*0f4c859eSApple OSS Distributions
/**
 * mach_exc_server() is the MIG-generated dispatcher: it verifies that the
 * received message is a mach exception request and calls the
 * catch_mach_exception_raise*() routine matching the port's behavior.
 * The ports created in this file use EXCEPTION_STATE_IDENTITY, so the
 * routine actually reached is catch_mach_exception_raise_state_identity();
 * the other three only exist for linking and fail the test if ever called.
 */
extern boolean_t mach_exc_server(mach_msg_header_t *, mach_msg_header_t *);

/* Handler prototypes; the MIG stub expects these exact signatures. */
extern kern_return_t
catch_mach_exception_raise(
	mach_port_t exception_port,
	mach_port_t thread,
	mach_port_t task,
	exception_type_t type,
	exception_data_t codes,
	mach_msg_type_number_t code_count);

extern kern_return_t
catch_mach_exception_raise_state(
	mach_port_t exception_port,
	exception_type_t type,
	exception_data_t codes,
	mach_msg_type_number_t code_count,
	int *flavor,
	thread_state_t in_state,
	mach_msg_type_number_t in_state_count,
	thread_state_t out_state,
	mach_msg_type_number_t *out_state_count);

/* The handler this file's exception ports route to (EXCEPTION_STATE_IDENTITY). */
extern kern_return_t
catch_mach_exception_raise_state_identity(
	mach_port_t exception_port,
	mach_port_t thread,
	mach_port_t task,
	exception_type_t type,
	exception_data_t codes,
	mach_msg_type_number_t code_count,
	int *flavor,
	thread_state_t in_state,
	mach_msg_type_number_t in_state_count,
	thread_state_t out_state,
	mach_msg_type_number_t *out_state_count);

extern kern_return_t
catch_mach_exception_raise_identity_protected(
	__unused mach_port_t exception_port,
	uint64_t thread_id,
	mach_port_t task_id_token,
	exception_type_t exception,
	mach_exception_data_t codes,
	mach_msg_type_number_t codeCnt);
110*0f4c859eSApple OSS Distributions
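/**
 * EXCEPTION_DEFAULT handler. Required for linking against mach_exc_server()
 * but never expected to run: the ports in this file use
 * EXCEPTION_STATE_IDENTITY. Reaching it fails the test.
 *
 * T_FAIL is not relied upon to be noreturn: if it returns, hand an error back
 * to the MIG stub instead of falling into __builtin_unreachable().
 *
 * @return KERN_FAILURE so the kernel does not treat the exception as handled.
 */
kern_return_t
catch_mach_exception_raise(
	mach_port_t exception_port,
	mach_port_t thread,
	mach_port_t task,
	exception_type_t type,
	exception_data_t codes,
	mach_msg_type_number_t code_count)
{
	(void)exception_port;
	(void)thread;
	(void)task;
	(void)type;
	(void)codes;
	(void)code_count;

	T_FAIL("Triggered catch_mach_exception_raise() which shouldn't happen...");
	return KERN_FAILURE;
}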
127*0f4c859eSApple OSS Distributions
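/**
 * EXCEPTION_IDENTITY_PROTECTED handler. Required for linking against
 * mach_exc_server() but never expected to run: create_exception_port() only
 * registers EXCEPTION_STATE_IDENTITY ports. Reaching it fails the test.
 *
 * T_FAIL is not relied upon to be noreturn: if it returns, hand an error back
 * to the MIG stub instead of falling into __builtin_unreachable().
 *
 * @return KERN_FAILURE so the kernel does not treat the exception as handled.
 */
kern_return_t
catch_mach_exception_raise_identity_protected(
	__unused mach_port_t exception_port,
	uint64_t thread_id,
	mach_port_t task_id_token,
	exception_type_t exception,
	mach_exception_data_t codes,
	mach_msg_type_number_t codeCnt)
{
	(void)exception_port;
	(void)thread_id;
	(void)task_id_token;
	(void)exception;
	(void)codes;
	(void)codeCnt;

	T_FAIL("Triggered catch_mach_exception_raise_identity_protected() which shouldn't happen...");
	return KERN_FAILURE;
}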
141*0f4c859eSApple OSS Distributions
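/**
 * EXCEPTION_STATE handler. Required for linking against mach_exc_server()
 * but never expected to run: the ports in this file use
 * EXCEPTION_STATE_IDENTITY. Reaching it fails the test.
 *
 * T_FAIL is not relied upon to be noreturn: if it returns, hand an error back
 * to the MIG stub instead of falling into __builtin_unreachable(). No reply
 * state is produced on this path.
 *
 * @return KERN_FAILURE so the kernel does not treat the exception as handled.
 */
kern_return_t
catch_mach_exception_raise_state(
	mach_port_t exception_port,
	exception_type_t type,
	exception_data_t codes,
	mach_msg_type_number_t code_count,
	int *flavor,
	thread_state_t in_state,
	mach_msg_type_number_t in_state_count,
	thread_state_t out_state,
	mach_msg_type_number_t *out_state_count)
{
	(void)exception_port;
	(void)type;
	(void)codes;
	(void)code_count;
	(void)flavor;
	(void)in_state;
	(void)in_state_count;
	(void)out_state;
	(void)out_state_count;

	T_FAIL("Triggered catch_mach_exception_raise_state() which shouldn't happen...");
	return KERN_FAILURE;
}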
161*0f4c859eSApple OSS Distributions
/*
 * Number of exceptions the handler has seen (EXC_CRASH included).
 * Written on the exception-server thread and read by the test thread;
 * user_signed_pac_thread_state resets it to 0 before it starts.
 */
static int exception_count = 0;
/*
 * Selects the handler's behavior on the first exception:
 *   0 - mark the reply state as kernel-signed (kernel_signed_pac_thread_state)
 *   1 - zero the userland diversifier and re-sign the PC
 *       (user_signed_pac_thread_state)
 */
static int reset_diversifier = 0;
/* Signalled by the handler on EXC_CRASH so the test thread can proceed. */
static semaphore_t semaphore;
165*0f4c859eSApple OSS Distributions
/*
 * Since the test needs to change the opaque field in
 * thread struct, the test redefines the thread struct
 * here. This is just for test purposes, this should not
 * be done anywhere else.
 *
 * The handler casts the same reply buffer to both arm_thread_state64_t and
 * this struct, so the layout must stay in lock-step with the opaque arm64
 * thread state. The only field the test touches directly is __opaque_flags:
 * its top byte (mask 0xff000000) is read as the userland diversifier, and
 * the KERNEL_SIGNED_PC flag below is set or left alone in it.
 */
struct test_user_thread_state_64 {
	__uint64_t __x[29];     /* General purpose registers x0-x28 */
	void* __opaque_fp;      /* Frame pointer x29 */
	void* __opaque_lr;      /* Link register x30 */
	void* __opaque_sp;      /* Stack pointer x31 */
	void* __opaque_pc;      /* Program counter */
	__uint32_t __cpsr;      /* Current program status register */
	__uint32_t __opaque_flags;      /* Flags describing structure format; top byte is the userland diversifier */
};
/* Flag asserting that the PC in the state was signed by the kernel rather than userland. */
#define __TEST_USER_THREAD_STATE64_FLAGS_KERNEL_SIGNED_PC 0x4
182*0f4c859eSApple OSS Distributions
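/**
 * Called by mach_exc_server() for every exception delivered to a port set up
 * by create_exception_port_behavior64() (EXCEPTION_STATE_IDENTITY with
 * MACH_EXCEPTION_CODES, flavor EXCEPTION_THREAD_STATE).
 *
 * What happens depends on the file-scope test state:
 *  - EXC_CRASH: signal `semaphore` so the test thread can proceed, and reply
 *    with the incoming state unchanged.
 *  - reset_diversifier == 0 (kernel_signed_pac_thread_state): on the first
 *    exception advance the PC by 4, sign it, and then mark the state as
 *    kernel-signed. The kernel is expected to ignore the PC of such a reply,
 *    so the same fault is raised a second time; on that second exception the
 *    advanced PC is left signed with the userland diversifier and the victim
 *    resumes past the faulting instruction.
 *  - reset_diversifier != 0 (user_signed_pac_thread_state): on the first
 *    exception zero the userland diversifier and re-sign the PC. The kernel
 *    is expected to reject that state and crash the victim, which then shows
 *    up here as EXC_CRASH.
 * Any further non-crash exception fails the test.
 *
 * The reply state is always populated before returning, including on the
 * EXC_CRASH path, so the MIG reply never carries whatever the reply buffer
 * happened to hold.
 *
 * @param type            Exception type (EXC_BAD_ACCESS or EXC_CRASH here).
 * @param codes           Two 64-bit codes (MACH_EXCEPTION_CODES), passed as a
 *                        32-bit array by the MIG stub.
 * @param flavor          Thread-state flavor; must be EXCEPTION_THREAD_STATE.
 * @param in_state        State captured by the kernel, in_state_count words.
 * @param out_state       Reply state: a copy of in_state, possibly with the
 *                        PC and flags modified. *out_state_count is set to
 *                        in_state_count.
 * @return KERN_SUCCESS so the kernel applies out_state and resumes the thread.
 */
kern_return_t
catch_mach_exception_raise_state_identity(
	mach_port_t exception_port __unused,
	mach_port_t thread __unused,
	mach_port_t task __unused,
	exception_type_t type __unused,
	exception_data_t codes __unused,
	mach_msg_type_number_t code_count __unused,
	int *flavor,
	thread_state_t in_state,
	mach_msg_type_number_t in_state_count,
	thread_state_t out_state,
	mach_msg_type_number_t *out_state_count)
{
	T_LOG("Caught a mach exception %d!\n", type);
	exception_count++;

	/* MACH_EXCEPTION_CODES always delivers exactly two codes. */
	T_QUIET; T_ASSERT_EQ(code_count, 2, "Two code values were provided with the mach exception");

	/*
	 * The codes are 64-bit because MACH_EXCEPTION_CODES was OR'ed into the
	 * behavior when the port was registered; the MIG prototype still declares
	 * them as a 32-bit array, hence the reinterpretation.
	 */
	mach_exception_data_t codes_64 = (mach_exception_data_t)(void *)codes;
	T_LOG("Mach exception codes[0]: %#llx, codes[1]: %#llx\n", codes_64[0], codes_64[1]);

	/*
	 * Populate the reply before any early return. The count is in 32-bit
	 * words, so the byte size is in_state_count * sizeof(uint32_t).
	 */
	*out_state_count = in_state_count;
	memcpy((void *)out_state, (void *)in_state, (size_t)in_state_count * sizeof(uint32_t));

	if (type == EXC_CRASH) {
		T_LOG("Received a crash notification, signaling main thread and returning\n");
		T_ASSERT_MACH_SUCCESS(semaphore_signal(semaphore), "semaphore_signal");
		return KERN_SUCCESS;
	}

	/* Every non-crash exception must carry the flavor registered on the port. */
	T_QUIET; T_ASSERT_EQ(*flavor, EXCEPTION_THREAD_STATE, "The thread state flavor is EXCEPTION_THREAD_STATE");
	T_QUIET; T_ASSERT_EQ(in_state_count, EXCEPTION_THREAD_STATE_COUNT, "The thread state count is EXCEPTION_THREAD_STATE_COUNT");

#if __arm64__
	arm_thread_state64_t *state = (arm_thread_state64_t *)(void *)out_state;
	struct test_user_thread_state_64 *test_state = (struct test_user_thread_state_64 *)(void *)out_state;
	/* The userland diversifier lives in the top byte of the flags word. */
	uint32_t userland_diversifier = test_state->__opaque_flags & 0xff000000;

	/*
	 * Step over the faulting 4-byte instruction so the victim does not fault
	 * again on resume. With pointer authentication enabled the new PC must be
	 * signed; it is first signed as a plain function pointer and then handed
	 * to arm_thread_state64_set_pc_fptr(), which is expected to re-sign it
	 * for the thread state (presumably using the diversifier in
	 * __opaque_flags -- the accessor's internals are not visible here).
	 */
	void *pc = (void *)(arm_thread_state64_get_pc(*state) + 4);
	T_LOG("Userland diversifier for thread state is 0x%x\n", userland_diversifier);
	T_QUIET; T_ASSERT_NE(userland_diversifier, 0, "Userland diversifier is non zero");

	pc = ptrauth_sign_unauthenticated(pc, ptrauth_key_function_pointer, 0);
	arm_thread_state64_set_pc_fptr(*state, pc);

	/* Round-trip lr, sp and fp through the accessors so they are compile-checked. */
	arm_thread_state64_set_lr_fptr(*state, arm_thread_state64_get_lr_fptr(*state));
	arm_thread_state64_set_sp(*state, arm_thread_state64_get_sp(*state));
	arm_thread_state64_set_fp(*state, arm_thread_state64_get_fp(*state));
#endif

	if (reset_diversifier == 0) {
		/* kernel_signed_pac_thread_state: exactly two exceptions are expected. */
		if (exception_count == 1) {
#if __arm64__
			/*
			 * Claim the state is kernel-signed. The kernel is expected to
			 * ignore the PC of such a reply, so the victim faults again and a
			 * second exception arrives. The flag is set after the
			 * set_pc_fptr() call, as the accessor may rewrite the flags.
			 */
			test_state->__opaque_flags |= __TEST_USER_THREAD_STATE64_FLAGS_KERNEL_SIGNED_PC;
			T_LOG("Set the kernel signed flag on the thread state");
#else
			T_LOG("Not on arm64, Not doing anything");
#endif
		} else if (exception_count == 2) {
			/* Second time round the user-signed PC is left alone; the victim resumes. */
			T_LOG("Not clearing the kernel signed bit, this should be the last exception");
		} else {
			T_FAIL("Received more than 2 exceptions, failing the test");
		}
	} else {
		/* user_signed_pac_thread_state: the only non-crash exception is the first one. */
		if (exception_count == 1) {
#if __arm64__
			/*
			 * Drop the userland diversifier (top byte of the flags) and
			 * re-sign the PC for it. The kernel is expected to reject this
			 * state and crash the victim on return.
			 */
			test_state->__opaque_flags &= 0x00ffffff;
			arm_thread_state64_set_pc_fptr(*state, pc);
			T_LOG("Set the diversifier to zero and signed the pc, this should crash on return");
#else
			T_LOG("Not on arm64, Not doing anything");
#endif
		} else {
			T_FAIL("Received more than 2 exceptions, failing the test");
		}
	}

	/* KERN_SUCCESS tells the kernel to apply out_state and resume the victim thread. */
	return KERN_SUCCESS;
}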
284*0f4c859eSApple OSS Distributions
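/**
 * Allocate a receive right, give this task a send right on it, and register
 * it as the task's exception port for `exception_mask`, with `behavior`
 * OR'ed with MACH_EXCEPTION_CODES (64-bit codes) and the thread-state flavor
 * EXCEPTION_THREAD_STATE.
 *
 * Only EXCEPTION_STATE_IDENTITY and EXCEPTION_IDENTITY_PROTECTED have a
 * handler in this file. Any other behavior fails the test and returns
 * MACH_PORT_NULL rather than registering a port nothing can service.
 *
 * The caller owns the returned port for the life of the test; nothing here
 * deallocates it.
 *
 * @param exception_mask  EXC_MASK_* bits to route to the new port.
 * @param behavior        Exception behavior, without MACH_EXCEPTION_CODES.
 * @return The new exception port, or MACH_PORT_NULL for an unsupported behavior.
 */
static mach_port_t
create_exception_port_behavior64(exception_mask_t exception_mask, exception_behavior_t behavior)
{
	mach_port_t task = mach_task_self();
	mach_port_t exc_port = MACH_PORT_NULL;
	kern_return_t kr;

	if (behavior != EXCEPTION_STATE_IDENTITY && behavior != EXCEPTION_IDENTITY_PROTECTED) {
		T_FAIL("Currently only EXCEPTION_STATE_IDENTITY and EXCEPTION_IDENTITY_PROTECTED are implemented");
		return MACH_PORT_NULL;
	}

	/* Receive right the exception messages will be queued on. */
	kr = mach_port_allocate(task, MACH_PORT_RIGHT_RECEIVE, &exc_port);
	T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "Allocated mach exception port");

	/* Send right the kernel uses to deliver exceptions to the server thread. */
	kr = mach_port_insert_right(task, exc_port, exc_port, MACH_MSG_TYPE_MAKE_SEND);
	T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "Inserted a SEND right into the exception port");

	/* Route the requested exceptions to the port; codes are 64-bit. */
	kr = task_set_exception_ports(
		task,
		exception_mask,
		exc_port,
		(exception_behavior_t)(behavior | (exception_behavior_t)MACH_EXCEPTION_CODES),
		EXCEPTION_THREAD_STATE);
	T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "Set the exception port to my custom handler");

	return exc_port;
}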
318*0f4c859eSApple OSS Distributions
/*
 * Convenience wrapper: an EXCEPTION_STATE_IDENTITY exception port for
 * `exception_mask`, with 64-bit codes (see create_exception_port_behavior64()).
 */
static mach_port_t __unused
create_exception_port(exception_mask_t exception_mask)
{
	const exception_behavior_t behavior = EXCEPTION_STATE_IDENTITY;

	return create_exception_port_behavior64(exception_mask, behavior);
}
324*0f4c859eSApple OSS Distributions
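/**
 * Body of the exception-server thread.
 *
 * Loops in mach_msg_server() (the looping variant, not the one-shot
 * mach_msg_server_once()): it receives each message on the exception port,
 * dispatches it through mach_exc_server() to the matching
 * catch_mach_exception_raise*() handler, and sends the reply built from the
 * handler's return value. mach_msg_server() only returns on an error, which
 * the assertion below turns into a test failure; the T_DECLs in this file
 * finish via T_END while this thread is still blocked in the loop.
 *
 * @param arg The exception port, a mach_port_t carried through void *.
 * @return Never returns normally; see above.
 */
static void *
exc_server_thread(void *arg)
{
	/* Largest reply message the server is allowed to build. */
	enum { EXC_REPLY_MSG_SIZE = 4096 };
	mach_port_t exc_port = (mach_port_t)(uintptr_t)arg;
	kern_return_t kr;

	kr = mach_msg_server(mach_exc_server, EXC_REPLY_MSG_SIZE, exc_port, 0);
	T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "Received mach exception message");

	pthread_exit(NULL);
	__builtin_unreachable();
}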
349*0f4c859eSApple OSS Distributions
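/**
 * Start the exception server for `exc_port` on a detached thread.
 *
 * The thread runs exc_server_thread() and is never joined; it is detached so
 * its resources are reclaimed without a join. Both pthread calls are
 * checked, since a failed detach would otherwise go unnoticed.
 *
 * @param exc_port Port whose exception messages the new thread services;
 *                 passed through pthread_create's void * argument.
 */
static void __unused
run_exception_handler(mach_port_t exc_port)
{
	pthread_t exc_thread;
	int err;

	err = pthread_create(&exc_thread, NULL, exc_server_thread, (void *)(uintptr_t)exc_port);
	T_QUIET; T_ASSERT_POSIX_ZERO(err, "Spawned exception server thread");

	err = pthread_detach(exc_thread);
	T_QUIET; T_ASSERT_POSIX_ZERO(err, "Detached exception server thread");
}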
362*0f4c859eSApple OSS Distributions
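/*
 * kernel_signed_pac_thread_state
 *
 * The test thread faults on a NULL store. The handler replies to the first
 * EXC_BAD_ACCESS with an advanced PC but with the KERNEL_SIGNED_PC flag set;
 * the kernel is expected to ignore the PC in such a reply, so the same fault
 * is delivered again. The second reply carries a PC signed with the userland
 * diversifier and the thread resumes past the store. Exactly two exceptions
 * is the pass condition. arm64e only.
 *
 * The handler state is reset explicitly here (the sibling T_DECL already
 * does so) so the result does not depend on test ordering.
 */
T_DECL(kernel_signed_pac_thread_state, "Test that kernel signed thread state given to exception ignores the pc")
{
#if !__arm64e__
	T_SKIP("Running on non-arm64e target, skipping...");
#else
	const int expected_exception = 2;
	mach_port_t exc_port = create_exception_port(EXC_MASK_BAD_ACCESS);

	/* Reset before the server starts; the handler relies on both values. */
	exception_count = 0;
	reset_diversifier = 0;

	run_exception_handler(exc_port);

	/* Fault on this thread; the handler steps the PC past this store. */
	*(void *volatile*)0 = 0;

	if (exception_count != expected_exception) {
		T_FAIL("Expected %d exceptions, received %d", expected_exception, exception_count);
	} else {
		T_LOG("TEST PASSED");
	}
	T_END;
#endif
}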
383*0f4c859eSApple OSS Distributions
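/*
 * user_signed_pac_thread_state
 *
 * A forked child faults on a NULL store. The parent's handler (the child
 * inherits the task exception port, but only the parent has the server
 * thread) replies with the diversifier zeroed and the PC re-signed for it;
 * the kernel is expected to reject that state and crash the child. The crash
 * reaches the handler as EXC_CRASH, which signals the semaphore. Two
 * exceptions (the EXC_BAD_ACCESS and the EXC_CRASH) is the pass condition,
 * and the child must have been terminated by a signal. arm64e only.
 *
 * Compared to the original flow, fork() is checked (an unchecked -1 would
 * leave the parent blocked on the semaphore forever), a child that survives
 * is stopped with _exit() so it cannot run the parent's half of the test,
 * and the child is reaped with waitpid() to confirm how it died.
 */
T_DECL(user_signed_pac_thread_state, "Test that user signed thread state given to exception works with correct diversifier")
{
#if !__arm64e__
	T_SKIP("Running on non-arm64e target, skipping...");
#else
	const int expected_exception = 2;
	mach_port_t exc_port = create_exception_port(EXC_MASK_BAD_ACCESS | EXC_MASK_CRASH);

	T_ASSERT_MACH_SUCCESS(semaphore_create(mach_task_self(), &semaphore,
	    SYNC_POLICY_FIFO, 0), "semaphore_create");

	exception_count = 0;
	run_exception_handler(exc_port);

	/* Make the handler zero the diversifier on the first exception. */
	reset_diversifier = 1;

	pid_t child_pid = fork();
	T_QUIET; T_ASSERT_POSIX_SUCCESS(child_pid, "fork");

	if (child_pid == 0) {
		/* Child: fault; the parent's handler replies with a mis-diversified PC. */
		*(void *volatile*)0 = 0;
		T_FAIL("Child should have been terminated, but it did not");
		_exit(EXIT_FAILURE);
	}

	/* Parent: wait for the EXC_CRASH notification, then reap the child. */
	T_ASSERT_MACH_SUCCESS(semaphore_wait(semaphore), "semaphore_wait");

	int status = 0;
	T_QUIET; T_ASSERT_POSIX_SUCCESS(waitpid(child_pid, &status, 0), "waitpid");
	T_ASSERT_TRUE(WIFSIGNALED(status), "Child was terminated by a signal");

	if (exception_count != expected_exception) {
		T_FAIL("Expected %d exceptions, received %d", expected_exception, exception_count);
	} else {
		T_LOG("TEST PASSED");
	}
	T_END;
#endif
}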
417