1 /*
2  * Copyright (c) 2019 Apple Computer, Inc. All rights reserved.
3  *
4  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5  *
6  * This file contains Original Code and/or Modifications of Original Code
7  * as defined in and that are subject to the Apple Public Source License
8  * Version 2.0 (the 'License'). You may not use this file except in
9  * compliance with the License. The rights granted to you under the License
10  * may not be used to create, or enable the creation or redistribution of,
11  * unlawful or unlicensed copies of an Apple operating system, or to
12  * circumvent, violate, or enable the circumvention or violation of, any
13  * terms of an Apple operating system software license agreement.
14  *
15  * Please obtain a copy of the License at
16  * http://www.opensource.apple.com/apsl/ and read it before using this file.
17  *
18  * The Original Code and all software distributed under the License are
19  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23  * Please see the License for the specific language governing rights and
24  * limitations under the License.
25  *
26  * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27  */
28 
#include "exc_helpers.h"

#include <darwintest.h>
#include <pthread.h>
#include <ptrauth.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
35 
/*
 * Thread-state flavor and word count delivered with EXCEPTION_STATE_IDENTITY
 * exceptions on the current architecture. catch_mach_exception_raise_state_identity()
 * asserts that the incoming flavor and count match these values, and
 * create_exception_port_behavior64() requests this flavor from the kernel.
 */
#if __arm64__
#define EXCEPTION_THREAD_STATE          ARM_THREAD_STATE64
#define EXCEPTION_THREAD_STATE_COUNT    ARM_THREAD_STATE64_COUNT
#elif __arm__
#define EXCEPTION_THREAD_STATE          ARM_THREAD_STATE
#define EXCEPTION_THREAD_STATE_COUNT    ARM_THREAD_STATE_COUNT
#elif __x86_64__
#define EXCEPTION_THREAD_STATE          x86_THREAD_STATE
#define EXCEPTION_THREAD_STATE_COUNT    x86_THREAD_STATE_COUNT
#else
#error Unsupported architecture
#endif

/*
 * Exception behavior value for the identity-protected variant, defined locally.
 * create_exception_port_behavior64() ORs it with MACH_EXCEPTION_CODES when
 * registering the thread's exception port, and _run_exception_handler()
 * dispatches on it to decide which callback to install.
 */
#define EXCEPTION_IDENTITY_PROTECTED 4
50 
/**
 * mach_exc_server() is a MIG-generated function that verifies the message
 * that was received is indeed a mach exception and then calls the matching
 * catch_mach_exception_raise*() handler defined below. exc_server_thread()
 * hands it to mach_msg_server()/mach_msg_server_once() as the demux routine.
 */
extern boolean_t mach_exc_server(mach_msg_header_t *, mach_msg_header_t *);
57 
/*
 * Handler entry points that mach_exc_server() dispatches to. Only
 * catch_mach_exception_raise_state_identity() is expected to run for the
 * EXCEPTION_STATE_IDENTITY behavior registered by this file; the other two
 * exist for linking and fail the test if they are ever reached (see their
 * definitions below).
 */
extern kern_return_t
catch_mach_exception_raise(
	mach_port_t exception_port,
	mach_port_t thread,
	mach_port_t task,
	exception_type_t type,
	exception_data_t codes,
	mach_msg_type_number_t code_count);

extern kern_return_t
catch_mach_exception_raise_state(
	mach_port_t exception_port,
	exception_type_t type,
	exception_data_t codes,
	mach_msg_type_number_t code_count,
	int *flavor,
	thread_state_t in_state,
	mach_msg_type_number_t in_state_count,
	thread_state_t out_state,
	mach_msg_type_number_t *out_state_count);

extern kern_return_t
catch_mach_exception_raise_state_identity(
	mach_port_t exception_port,
	mach_port_t thread,
	mach_port_t task,
	exception_type_t type,
	exception_data_t codes,
	mach_msg_type_number_t code_count,
	int *flavor,
	thread_state_t in_state,
	mach_msg_type_number_t in_state_count,
	thread_state_t out_state,
	mach_msg_type_number_t *out_state_count);
92 
/*
 * Test-supplied callbacks. The switch in _run_exception_handler() installs
 * only the one matching the requested exception behavior; the catch_*()
 * handlers below call through them, so a handler invoked for a behavior whose
 * callback was never installed would call a NULL function pointer.
 */
static exc_handler_callback_t exc_handler_callback;
static exc_handler_protected_callback_t exc_handler_protected_callback;
95 
/**
 * Required by the MIG-generated mach_exc_server() so the test links, but
 * unused: reaching it is a test failure.
 */
kern_return_t
catch_mach_exception_raise(
	__unused mach_port_t exception_port,
	__unused mach_port_t thread,
	__unused mach_port_t task,
	__unused exception_type_t type,
	__unused exception_data_t codes,
	__unused mach_msg_type_number_t code_count)
{
	T_FAIL("Triggered catch_mach_exception_raise() which shouldn't happen...");
	__builtin_unreachable();
}
112 
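/**
 * Called by mach_exc_server() for ports registered with
 * EXCEPTION_IDENTITY_PROTECTED. Forwards the exception to the test's
 * protected callback. No thread state travels with this behavior, so any
 * PC adjustment is the callback's responsibility.
 *
 * @param exception_port Unused.
 * @param thread_id      Passed through to the callback unchanged.
 * @param task_id_token  Passed through to the callback unchanged.
 * @param exception      Exception type, passed through to the callback.
 * @param codes          The two 64-bit exception codes.
 * @param codeCnt        Number of entries in @p codes; must be 2.
 *
 * @return KERN_SUCCESS so the kernel resumes the victim thread.
 */
kern_return_t
catch_mach_exception_raise_identity_protected(
	__unused mach_port_t      exception_port,
	uint64_t                  thread_id,
	mach_port_t               task_id_token,
	exception_type_t          exception,
	mach_exception_data_t     codes,
	mach_msg_type_number_t    codeCnt)
{
	T_LOG("Caught a mach exception!\n");

	/* There should only be two code values. */
	T_QUIET; T_ASSERT_EQ(codeCnt, 2, "Two code values were provided with the mach exception");

	/*
	 * The codes arrive as mach_exception_data_t (64-bit) because
	 * MACH_EXCEPTION_CODES was specified when setting the exception port,
	 * so no cast is needed before indexing them.
	 */
	T_LOG("Mach exception codes[0]: %#llx, codes[1]: %#llx\n", codes[0], codes[1]);

	/*
	 * The callback is installed by _run_exception_handler(). Fail with a clear
	 * message rather than calling through NULL if the test registered the port
	 * with a different behavior than the handler it started.
	 */
	T_QUIET; T_ASSERT_NOTNULL(exc_handler_protected_callback, "Protected exception callback is installed");
	exc_handler_protected_callback(task_id_token, thread_id, exception, codes);

	T_LOG("Assuming the thread state modification was done in the callback, skipping it");

	/* Return KERN_SUCCESS to tell the kernel to keep running the victim thread. */
	return KERN_SUCCESS;
}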
141 
/**
 * Required by the MIG-generated mach_exc_server() so the test links, but
 * unused: reaching it is a test failure.
 */
kern_return_t
catch_mach_exception_raise_state(
	__unused mach_port_t exception_port,
	__unused exception_type_t type,
	__unused exception_data_t codes,
	__unused mach_msg_type_number_t code_count,
	__unused int *flavor,
	__unused thread_state_t in_state,
	__unused mach_msg_type_number_t in_state_count,
	__unused thread_state_t out_state,
	__unused mach_msg_type_number_t *out_state_count)
{
	T_FAIL("Triggered catch_mach_exception_raise_state() which shouldn't happen...");
	__builtin_unreachable();
}
161 
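/**
 * Called by mach_exc_server() for ports registered with
 * EXCEPTION_STATE_IDENTITY. Invokes the test's exception-handler callback,
 * copies the incoming thread state to the outgoing state, and advances the PC
 * by the number of bytes the callback returned so the victim thread does not
 * re-fault when it resumes.
 *
 * @param exception_port  Unused.
 * @param thread          Faulting thread port, passed to the callback.
 * @param task            Faulting task port, passed to the callback.
 * @param type            Exception type, passed to the callback.
 * @param codes           Exception codes; 64-bit because MACH_EXCEPTION_CODES was requested.
 * @param code_count      Number of entries in @p codes; must be 2.
 * @param flavor          Thread state flavor; must be EXCEPTION_THREAD_STATE.
 * @param in_state        Thread state at the time of the exception.
 * @param in_state_count  Size of @p in_state in 32-bit words; must be EXCEPTION_THREAD_STATE_COUNT.
 * @param out_state       Receives the modified thread state.
 * @param out_state_count Set to @p in_state_count.
 *
 * @return KERN_SUCCESS so the kernel resumes the victim thread with @p out_state.
 */
kern_return_t
catch_mach_exception_raise_state_identity(
	mach_port_t exception_port __unused,
	mach_port_t thread,
	mach_port_t task,
	exception_type_t type,
	exception_data_t codes,
	mach_msg_type_number_t code_count,
	int *flavor,
	thread_state_t in_state,
	mach_msg_type_number_t in_state_count,
	thread_state_t out_state,
	mach_msg_type_number_t *out_state_count)
{
	T_LOG("Caught a mach exception!\n");

	/* There should only be two code values. */
	T_QUIET; T_ASSERT_EQ(code_count, 2, "Two code values were provided with the mach exception");

	/**
	 * The code values should be 64-bit since MACH_EXCEPTION_CODES was specified
	 * when setting the exception port.
	 */
	mach_exception_data_t codes_64 = (mach_exception_data_t)(void *)codes;
	T_LOG("Mach exception codes[0]: %#llx, codes[1]: %#llx\n", codes_64[0], codes_64[1]);

	/*
	 * Verify that we're receiving the expected thread state flavor. The count
	 * assertion also bounds the memcpy below to exactly one thread-state object.
	 */
	T_QUIET; T_ASSERT_EQ(*flavor, EXCEPTION_THREAD_STATE, "The thread state flavor is EXCEPTION_THREAD_STATE");
	T_QUIET; T_ASSERT_EQ(in_state_count, EXCEPTION_THREAD_STATE_COUNT, "The thread state count is EXCEPTION_THREAD_STATE_COUNT");

	/*
	 * The callback is installed by _run_exception_handler(); fail clearly
	 * instead of calling through NULL if it was never set for this behavior.
	 */
	T_QUIET; T_ASSERT_NOTNULL(exc_handler_callback, "Exception callback is installed");
	size_t advance_pc = exc_handler_callback(task, thread, type, codes_64);

	/*
	 * Start from a copy of the incoming state, then bump the PC by the
	 * requested amount so the thread doesn't cause another exception when it
	 * resumes. thread_state_t points at 32-bit words, so convert the count to
	 * bytes with sizeof(*in_state) rather than a hard-coded 4.
	 */
	*out_state_count = in_state_count; /* size of state object in 32-bit words */
	memcpy(out_state, in_state, in_state_count * sizeof(*in_state));

#if __arm64__
	arm_thread_state64_t *state = (arm_thread_state64_t *)(void *)out_state;

	void *pc = (void *)(arm_thread_state64_get_pc(*state) + advance_pc);
	/* Have to sign the new PC value when pointer authentication is enabled. */
	pc = ptrauth_sign_unauthenticated(pc, ptrauth_key_function_pointer, 0);
	arm_thread_state64_set_pc_fptr(*state, pc);
#else
	(void)advance_pc;
	/* Message names this function; the original text referred to the wrong handler. */
	T_FAIL("catch_mach_exception_raise_state_identity() not fully implemented on this architecture");
	__builtin_unreachable();
#endif

	/* Return KERN_SUCCESS to tell the kernel to keep running the victim thread. */
	return KERN_SUCCESS;
}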
222 
/**
 * Convenience wrapper: create an exception port for @p exception_mask using
 * the EXCEPTION_STATE_IDENTITY behavior (see create_exception_port_behavior64()).
 *
 * @param exception_mask Exception types to route to the new port.
 *
 * @return The newly created exception port.
 */
mach_port_t
create_exception_port(exception_mask_t exception_mask)
{
	const exception_behavior_t default_behavior = EXCEPTION_STATE_IDENTITY;
	mach_port_t port = create_exception_port_behavior64(exception_mask, default_behavior);
	return port;
}
228 
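/**
 * Allocate a receive right, add a send right to it, and register it as the
 * calling thread's exception port for @p exception_mask. The behavior is
 * always combined with MACH_EXCEPTION_CODES so the handlers receive 64-bit
 * codes.
 *
 * @param exception_mask Exception types to route to the new port.
 * @param behavior       EXCEPTION_STATE_IDENTITY or EXCEPTION_IDENTITY_PROTECTED.
 *
 * @return The new exception port. Nothing in this file deallocates it; the
 *         caller owns it.
 */
mach_port_t
create_exception_port_behavior64(exception_mask_t exception_mask, exception_behavior_t behavior)
{
	mach_port_t exc_port = MACH_PORT_NULL;
	mach_port_t task = mach_task_self();
	kern_return_t kr;

	if (behavior != EXCEPTION_STATE_IDENTITY && behavior != EXCEPTION_IDENTITY_PROTECTED) {
		T_FAIL("Currently only EXCEPTION_STATE_IDENTITY and EXCEPTION_IDENTITY_PROTECTED are implemented");
	}

	/* Create the mach port the exception messages will be sent to. */
	kr = mach_port_allocate(task, MACH_PORT_RIGHT_RECEIVE, &exc_port);
	T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "Allocated mach exception port");

	/**
	 * Insert a send right into the exception port that the kernel will use to
	 * send the exception thread the exception messages.
	 */
	kr = mach_port_insert_right(task, exc_port, exc_port, MACH_MSG_TYPE_MAKE_SEND);
	T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "Inserted a SEND right into the exception port");

	/*
	 * mach_thread_self() hands back a send right that the caller must release;
	 * it is deallocated below once the exception port has been registered so
	 * repeated calls don't accumulate thread-port rights.
	 */
	mach_port_t thread = mach_thread_self();

	/* Tell the kernel what port to send exceptions to. */
	kr = thread_set_exception_ports(
		thread,
		exception_mask,
		exc_port,
		(exception_behavior_t)(behavior | MACH_EXCEPTION_CODES),
		EXCEPTION_THREAD_STATE);
	T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "Set the exception port to my custom handler");

	kr = mach_port_deallocate(task, thread);
	T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "Released the thread port from mach_thread_self()");

	return exc_port;
}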
263 
/*
 * Arguments for exc_server_thread(). Allocated by _run_exception_handler()
 * and freed by the server thread once it has read them.
 */
struct thread_params {
	mach_port_t exc_port; /* Exception port the server thread waits on. */
	bool run_once;        /* true: mach_msg_server_once(); false: mach_msg_server() loop. */
};
268 
/**
 * Body of the detached exception-server thread.
 *
 * @param arg A heap-allocated struct thread_params naming the port to listen
 *            on and whether to stop after a single message; freed here.
 *
 * @return Does not return normally; the thread leaves via pthread_exit().
 */
static void *
exc_server_thread(void *arg)
{
	struct thread_params *params = arg;
	const mach_port_t port = params->exc_port;
	const bool single_message = params->run_once;
	free(params);

	/*
	 * mach_msg_server()/mach_msg_server_once() are libsyscall helpers: they
	 * set up the message buffers, block waiting on the exception port, hand
	 * each message to mach_exc_server(), and send the reply it produces. The
	 * constant below is the max_size argument they are given.
	 */
	enum { EXC_SERVER_MAX_MSG_SIZE = 4096 };
	kern_return_t kr = single_message
	    ? mach_msg_server_once(mach_exc_server, EXC_SERVER_MAX_MSG_SIZE, port, 0)
	    : mach_msg_server(mach_exc_server, EXC_SERVER_MAX_MSG_SIZE, port, 0);
	T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "Received mach exception message");

	pthread_exit(NULL);
	__builtin_unreachable();
}
300 
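/**
 * Install @p callback for @p behavior and start a detached thread that runs
 * the exception server on @p exc_port.
 *
 * @param exc_port The port returned by create_exception_port_behavior64().
 * @param callback An exc_handler_callback_t for EXCEPTION_STATE_IDENTITY or an
 *                 exc_handler_protected_callback_t for EXCEPTION_IDENTITY_PROTECTED.
 * @param run_once Whether the server handles a single message or loops.
 * @param behavior Exception behavior the port was registered with.
 */
static void
_run_exception_handler(mach_port_t exc_port, void *callback, bool run_once, exception_behavior_t behavior)
{
	switch (behavior) {
	case EXCEPTION_STATE_IDENTITY:
		exc_handler_callback = (exc_handler_callback_t)callback;
		break;
	case EXCEPTION_IDENTITY_PROTECTED:
		exc_handler_protected_callback = (exc_handler_protected_callback_t)callback;
		break;
	default:
		T_FAIL("Unsupported behavior");
		/* No callback was installed; don't start a server that would call through NULL. */
		return;
	}

	/* Spawn the exception server's thread. The thread owns and frees params. */
	struct thread_params *params = malloc(sizeof(*params));
	T_QUIET; T_ASSERT_NOTNULL(params, "Allocated exception server thread parameters");
	params->exc_port = exc_port;
	params->run_once = run_once;

	pthread_t exc_thread;
	int err = pthread_create(&exc_thread, NULL, exc_server_thread, params);
	T_QUIET; T_ASSERT_POSIX_ZERO(err, "Spawned exception server thread");

	/* No need to wait for the exception server to be joined when it exits. */
	err = pthread_detach(exc_thread);
	T_QUIET; T_ASSERT_POSIX_ZERO(err, "Detached exception server thread");
}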
328 
/**
 * Start a one-shot exception server for @p exc_port using the
 * EXCEPTION_STATE_IDENTITY behavior.
 *
 * @param exc_port The exception port to serve.
 * @param callback Invoked from catch_mach_exception_raise_state_identity().
 */
void
run_exception_handler(mach_port_t exc_port, exc_handler_callback_t callback)
{
	void *opaque_callback = (void *)callback;
	run_exception_handler_behavior64(exc_port, opaque_callback, EXCEPTION_STATE_IDENTITY);
}
334 
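/**
 * Start a one-shot exception server for @p exc_port with the given behavior.
 *
 * @param exc_port The exception port to serve.
 * @param callback exc_handler_callback_t for EXCEPTION_STATE_IDENTITY or
 *                 exc_handler_protected_callback_t for EXCEPTION_IDENTITY_PROTECTED.
 * @param behavior Must be one of the two behaviors above; anything else fails
 *                 the test and starts nothing.
 */
void
run_exception_handler_behavior64(mach_port_t exc_port, void *callback, exception_behavior_t behavior)
{
	if (behavior != EXCEPTION_STATE_IDENTITY && behavior != EXCEPTION_IDENTITY_PROTECTED) {
		T_FAIL("Currently only EXCEPTION_STATE_IDENTITY and EXCEPTION_IDENTITY_PROTECTED are implemented");
		/* Don't continue into _run_exception_handler(), which would fail again and spawn a server with no callback installed. */
		return;
	}

	_run_exception_handler(exc_port, callback, true, behavior);
}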
344 
/**
 * Start an exception server for @p exc_port that keeps serving messages
 * instead of stopping after the first one; uses EXCEPTION_STATE_IDENTITY.
 *
 * @param exc_port The exception port to serve.
 * @param callback Invoked from catch_mach_exception_raise_state_identity() on each exception.
 */
void
repeat_exception_handler(mach_port_t exc_port, exc_handler_callback_t callback)
{
	const bool serve_once = false;
	_run_exception_handler(exc_port, callback, serve_once, EXCEPTION_STATE_IDENTITY);
}