Mac x86_64: Mach exception support

src/trusted/service_runtime/osx/mach_exception_handler.c

 /*
  * Copyright (c) 2012 The Native Client Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 
 #include "native_client/src/trusted/service_runtime/osx/mach_exception_handler.h"
 
 #include <mach/mach.h>
 #include <mach/mach_vm.h>
 #include <mach/thread_status.h>
 #include <pthread.h>
 #include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
 
 #include "native_client/src/include/nacl_macros.h"
 #include "native_client/src/include/portability.h"
 #include "native_client/src/shared/platform/nacl_check.h"
 #include "native_client/src/shared/platform/nacl_log.h"
 #include "native_client/src/trusted/service_runtime/arch/sel_ldr_arch.h"
 #include "native_client/src/trusted/service_runtime/nacl_app.h"
 #include "native_client/src/trusted/service_runtime/nacl_app_thread.h"
 #include "native_client/src/trusted/service_runtime/nacl_config.h"
 #include "native_client/src/trusted/service_runtime/nacl_exc.h"
 #include "native_client/src/trusted/service_runtime/nacl_exception.h"
 #include "native_client/src/trusted/service_runtime/nacl_globals.h"
 #include "native_client/src/trusted/service_runtime/nacl_switch_to_app.h"
+#include "native_client/src/trusted/service_runtime/nacl_tls.h"
+#include "native_client/src/trusted/service_runtime/osx/crash_filter.h"
+#include "native_client/src/trusted/service_runtime/osx/mach_thread_map.h"
 #include "native_client/src/trusted/service_runtime/sel_ldr.h"
 #include "native_client/src/trusted/service_runtime/sel_rt.h"
 
-/* Only handle x86_32 for now. */
-#if NACL_ARCH(NACL_BUILD_ARCH) == NACL_x86 && NACL_BUILD_SUBARCH == 32
+#if NACL_ARCH(NACL_BUILD_ARCH) == NACL_x86
 
 
 /*
  * MIG generated message pump from /usr/include/mach/exc.defs
  * Tweaked to place in an isolated namespace.
  */
 boolean_t nacl_exc_server(
     mach_msg_header_t *InHeadP,
     mach_msg_header_t *OutHeadP);
 
@@ skipping 36 matching lines @@
   }
 }
 
 static void FireDebugStubEvent(int pipe_fd) {
   char buf = 0;
   if (write(pipe_fd, &buf, sizeof(buf)) != sizeof(buf)) {
     NaClLog(LOG_FATAL, "FireDebugStubEvent: Can't send debug stub event\n");
   }
 }
 
+#if NACL_BUILD_SUBARCH == 32
+
+#define NATIVE_x86_THREAD_STATE x86_THREAD_STATE32
+#define X86_REG_BP(regs)    ((regs).uts.ts32.__ebp)
+#define X86_REG_SP(regs)    ((regs).uts.ts32.__esp)
+#define X86_REG_IP(regs)    ((regs).uts.ts32.__eip)
+#define X86_REG_FLAGS(regs) ((regs).uts.ts32.__eflags)
+
+#elif NACL_BUILD_SUBARCH == 64
+
+#define NATIVE_x86_THREAD_STATE x86_THREAD_STATE64
+#define X86_REG_BP(regs)    ((regs).uts.ts64.__rbp)
+#define X86_REG_SP(regs)    ((regs).uts.ts64.__rsp)
+#define X86_REG_IP(regs)    ((regs).uts.ts64.__rip)
+#define X86_REG_FLAGS(regs) ((regs).uts.ts64.__rflags)
+
+#endif  /* NACL_BUILD_SUBARCH */
+
 static int HandleException(mach_port_t thread_port,
                            exception_type_t exception, int *is_untrusted) {
   mach_msg_type_number_t size;
   x86_thread_state_t regs;
   kern_return_t result;
-  uint16_t trusted_cs = NaClGetGlobalCs();
-  uint16_t trusted_ds = NaClGetGlobalDs();
   uint32_t nacl_thread_index;
   struct NaClApp *nap;
   struct NaClAppThread *natp;
   struct NaClExceptionFrame frame;
-  uintptr_t frame_addr_user;
+  uint32_t frame_addr_user;
   uintptr_t frame_addr_sys;
+#if NACL_BUILD_SUBARCH == 32
+  uint16_t trusted_cs = NaClGetGlobalCs();
+  uint16_t trusted_ds = NaClGetGlobalDs();
+#endif
 
   /* Assume untrusted crash until we know otherwise. */
   *is_untrusted = TRUE;
 
   /* Capture the register state of the 'excepting' thread. */
-  size = sizeof(regs) / sizeof(natural_t);
+  size = x86_THREAD_STATE_COUNT;
   result = thread_get_state(thread_port, x86_THREAD_STATE,
-                            (void *) &regs, &size);
+                            (thread_state_t) &regs, &size);
   if (result != KERN_SUCCESS) {
     return 0;
   }
+  CHECK(regs.tsh.flavor == NATIVE_x86_THREAD_STATE);
 
-  /*
-   * If trusted_cs is 0 (which is not a usable segment selector), the
-   * sandbox has not been initialised yet, so there can be no untrusted
-   * code running.
-   */
-  if (trusted_cs == 0) {
-    *is_untrusted = FALSE;
-    return 0;
-  }
-
-  /*
-   * If the current code segment is the trusted one, we aren't in the
-   * sandbox.
-   * TODO(bradnelson): This makes the potentially false assumption that cs is
-   *     the last thing to change when switching into untrusted code. We need
-   *     tests to vet this.
-   */
-  if (regs.uts.ts32.__cs == trusted_cs) {
-    /*
-     * If we are single-stepping, allow NaClSwitchRemainingRegsViaECX()
-     * to continue in order to restore control to untrusted code.
-     */
-    if (exception == EXC_BREAKPOINT &&
-        (regs.uts.ts32.__eflags & NACL_X86_TRAP_FLAG) != 0 &&
-        regs.uts.ts32.__eip >= (uintptr_t) NaClSwitchRemainingRegsViaECX &&
-        regs.uts.ts32.__eip < (uintptr_t) NaClSwitchRemainingRegsAsmEnd) {
-      return 1;
-    }
-    *is_untrusted = FALSE;
-    return 0;
-  }
-
+#if NACL_BUILD_SUBARCH == 32
   /*
    * We can get the thread index from the segment selector used for TLS
    * from %gs >> 3.
    * TODO(bradnelson): Migrate that knowledge to a single shared location.
    */
   nacl_thread_index = regs.uts.ts32.__gs >> 3;
+#elif NACL_BUILD_SUBARCH == 64
+  nacl_thread_index = NaClGetThreadIndexForMachThread(thread_port);
+#endif
+
+  if (nacl_thread_index == NACL_TLS_INDEX_INVALID) {

[Mark Seaborn, 2013/02/20 18:33:17]

This check should really go inside the "#elif NACL_BUILD_SUBARCH == 64" before. 
Otherwise you're assuming that trusted code doesn't run with %gs == 0, which
some future version of OS X might do (they might use %fs instead).  If %gs == 0,
the special cases later for single-stepping wouldn't get run.

+    *is_untrusted = FALSE;
+    return 0;
+  }
+
   natp = NaClAppThreadGetFromIndex(nacl_thread_index);
+  if (!natp) {

[Mark Seaborn, 2013/02/20 18:33:17]

Nit: NaCl style is "natp == NULL"

+    *is_untrusted = FALSE;
+    return 0;
+  }
   nap = natp->nap;
 
+  /*
+   * TODO(bradnelson): For x86_32, this makes the potentially false assumption
+   *     that cs is the last thing to change when switching into untrusted
+   *     code. We need tests to vet this.
+   */
+  *is_untrusted = NaClMachThreadStateIsInUntrusted(&regs, nacl_thread_index);
+
+#if NACL_BUILD_SUBARCH == 64

[Mark Seaborn, 2013/02/20 18:33:17]

This check can be unconditional -- it's not specific to x86-64.

+  /*
+   * If trusted code accidentally jumped to untrusted code, don't let the
+   * untrusted exception handler take over.
+   */
+  if (*is_untrusted &&
+      (natp->suspend_state & NACL_APP_THREAD_UNTRUSTED) == 0) {
+    *is_untrusted = 0;

[Mark Seaborn, 2013/02/20 18:33:17]

Adding an early return here would be an additional safeguard, since we don't
want the check for NaClSwitchRemainingRegsViaECX to allow the thread to continue
executing.

+  }
+#endif
+
+  if (!*is_untrusted) {
+#if NACL_BUILD_SUBARCH == 32
+    /*
+     * If we are single-stepping, allow NaClSwitchRemainingRegsViaECX()
+     * to continue in order to restore control to untrusted code.
+     */
+    if (exception == EXC_BREAKPOINT &&
+        (X86_REG_FLAGS(regs) & NACL_X86_TRAP_FLAG) != 0 &&
+        X86_REG_IP(regs) >= (uintptr_t) NaClSwitchRemainingRegsViaECX &&
+        X86_REG_IP(regs) < (uintptr_t) NaClSwitchRemainingRegsAsmEnd) {
+      return 1;
+    }
+#endif
+    return 0;
+  }
+
   if (nap->enable_faulted_thread_queue) {
+#if NACL_BUILD_SUBARCH == 32
     /*
      * If we are single-stepping, step through until we reach untrusted code.
      */
     if (exception == EXC_BREAKPOINT &&
-        (regs.uts.ts32.__eflags & NACL_X86_TRAP_FLAG) != 0) {
-      if (regs.uts.ts32.__eip >= nap->all_regs_springboard.start_addr &&
-          regs.uts.ts32.__eip < nap->all_regs_springboard.end_addr) {
+        (X86_REG_FLAGS(regs) & NACL_X86_TRAP_FLAG) != 0) {
+      if (X86_REG_IP(regs) >= nap->all_regs_springboard.start_addr &&
+          X86_REG_IP(regs) < nap->all_regs_springboard.end_addr) {
         return 1;
       }
       /*
        * Step through the instruction we have been asked to restore
        * control to.
        */
-      if (regs.uts.ts32.__eip == natp->user.gs_segment.new_prog_ctr) {
+      if (X86_REG_IP(regs) == natp->user.gs_segment.new_prog_ctr) {
         return 1;
       }
     }
+#endif
 
     /*
      * Increment the kernel's thread suspension count so that the
      * thread remains suspended after we return.
      */
     result = thread_suspend(thread_port);
     if (result != KERN_SUCCESS) {
       NaClLog(LOG_FATAL, "HandleException: thread_suspend() call failed\n");
     }
     /*
@@ skipping 12 matching lines @@
    * Ignore all but bad accesses for now.
    * TODO(bradnelson): eventually consider these too:
    *     EXC_BAD_INSTRUCTION
    *     EXC_ARITHMETIC
    *     EXC_BREAKPOINT
    */
   if (exception != EXC_BAD_ACCESS) {
     return 0;
   }
 
+  /* Don't handle if no exception handler is set. */

[Mark Seaborn, 2013/02/20 18:33:17]

Can you note this change in the commit message, please?

+  if (nap->exception_handler == 0) {
+    return 0;
+  }
+
   /* Don't handle it if the exception flag is set. */
   if (natp->exception_flag) {
     return 0;
   }
   /* Set the flag. */
   natp->exception_flag = 1;
 
-  /* Don't handle if no exception handler is set. */
-  if (nap->exception_handler == 0) {
-    return 0;
-  }
-
   /* Get location of exception stack frame. */
   if (natp->exception_stack) {
     frame_addr_user = natp->exception_stack;
   } else {
     /* If not set default to user stack. */
-    frame_addr_user = regs.uts.ts32.__esp;
+    frame_addr_user = X86_REG_SP(regs) - NACL_STACK_RED_ZONE;
   }
 
   /* Align stack frame properly. */
   frame_addr_user -=
       sizeof(struct NaClExceptionFrame) - NACL_STACK_PAD_BELOW_ALIGN;
   frame_addr_user &= ~NACL_STACK_ALIGN_MASK;
   frame_addr_user -= NACL_STACK_PAD_BELOW_ALIGN;
 
   /* Convert from user to system space. */
   frame_addr_sys = NaClUserToSysAddrRange(
       nap, frame_addr_user, sizeof(struct NaClExceptionFrame));
   if (frame_addr_sys == kNaClBadAddress) {
     return 0;
   }
 
   /* Set up the stack frame for the handler invocation. */
   frame.return_addr = 0;
+  frame.context.prog_ctr = X86_REG_IP(regs);
+  frame.context.stack_ptr = X86_REG_SP(regs);
+  frame.context.frame_ptr = X86_REG_BP(regs);
+#if NACL_BUILD_SUBARCH == 32
   frame.context_ptr = frame_addr_user +
                       offsetof(struct NaClExceptionFrame, context);
-  frame.context.prog_ctr = regs.uts.ts32.__eip;
-  frame.context.stack_ptr = regs.uts.ts32.__esp;
-  frame.context.frame_ptr = regs.uts.ts32.__ebp;
+#endif
 
   /*
    * Write the stack frame into untrusted address space.  We do not
    * write to the memory directly because that will fault if the
    * destination location is not writable.  Faulting is OK for NaCl
    * syscalls, but here we do not want to trigger an exception while
    * in the exception handler.  The overhead of using a Mach system
    * call to write to memory is acceptable here.
    */
   result = mach_vm_write(mach_task_self(), frame_addr_sys,
                          (uintptr_t) &frame, sizeof(frame));
   if (result != KERN_SUCCESS) {
     return 0;
   }
 
   /* Set up thread context to resume at handler. */
-  natp->user.new_prog_ctr = nap->exception_handler;
-  natp->user.stack_ptr = frame_addr_user;
   /* TODO(bradnelson): put all registers in some default state. */
-
+#if NACL_BUILD_SUBARCH == 32
   /*
    * Put registers in right place to land at NaClSwitchNoSSEViaECX
    * This is required because:
    *   - For an unknown reason thread_set_state resets %cs to the default
    *     value, even when set to something else, in current XNU versions.
    *   - An examination of the XNU sources indicates
    *     that setting the code which state the thread state resets
    *     %cs, %ds, %es, %ss to their default values in some early versions.
    *     (For instance: xnu-792.6.22/osfmk/i386/pcb.c:616)
    * This precludes going directly to the untrusted handler.
    * Instead we call a variant of NaClSwitchNoSSE which takes a pointer
    * to the thread user context in %ecx.
    */
-  regs.uts.ts32.__eip = (uint32_t) &NaClSwitchNoSSEViaECX;
+  natp->user.new_prog_ctr = nap->exception_handler;
+  natp->user.stack_ptr = frame_addr_user;
+  X86_REG_IP(regs) = (uint32_t) &NaClSwitchNoSSEViaECX;
   regs.uts.ts32.__cs = trusted_cs;
   regs.uts.ts32.__ecx = (uint32_t) &natp->user;
   regs.uts.ts32.__ds = trusted_ds;
   regs.uts.ts32.__es = trusted_ds;  /* just for good measure */
   regs.uts.ts32.__ss = trusted_ds;  /* just for good measure */
-  regs.uts.ts32.__eflags &= ~NACL_X86_DIRECTION_FLAG;
+#elif NACL_BUILD_SUBARCH == 64
+  X86_REG_IP(regs) = NaClUserToSys(nap, nap->exception_handler);
+  X86_REG_SP(regs) = frame_addr_sys;
+  X86_REG_BP(regs) = nap->mem_start;
+
+  /* Argument 1 */
+  regs.uts.ts64.__rdi = frame_addr_user +
+                        offsetof(struct NaClExceptionFrame, context);
+#endif
+  X86_REG_FLAGS(regs) &= ~NACL_X86_DIRECTION_FLAG;
   result = thread_set_state(thread_port, x86_THREAD_STATE,
-                            (void *) &regs, size);
+                            (thread_state_t) &regs, size);
   if (result != KERN_SUCCESS) {
     return 0;
   }
 
   /* Return success, and resume the thread. */
   return 1;
 }
 
 
 static kern_return_t ForwardException(
@@ skipping 265 matching lines @@
 failure:
   if (data) {
     if (MACH_PORT_NULL != data->exception_port) {
       mach_port_deallocate(current_task, data->exception_port);
     }
     free(data);
   }
   return FALSE;
 }
 
-#else  /* NACL_ARCH(NACL_BUILD_ARCH) == NACL_x86 && NACL_BUILD_SUBARCH == 32 */
-
-int NaClInterceptMachExceptions(void) {
-  return FALSE;
-}
-
-#endif  /* NACL_ARCH(NACL_BUILD_ARCH) == NACL_x86 && NACL_BUILD_SUBARCH == 32 */
+#endif  /* NACL_ARCH(NACL_BUILD_ARCH) == NACL_x86 */