[Bug gdb/28947] New: GDB does not remove AArch64 pointer signatures before doing memory accesses

["david.spickett at linaro dot org" <sourceware-bugzilla@sourceware.org>]

https://sourceware.org/bugzilla/show_bug.cgi?id=28947

            Bug ID: 28947
           Summary: GDB does not remove AArch64 pointer signatures before
                    doing memory accesses
           Product: gdb
           Version: HEAD
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gdb
          Assignee: unassigned at sourceware dot org
          Reporter: david.spickett at linaro dot org
  Target Milestone: ---

I'm using a somewhat recent build from source:
```
$ ./gdb --version
GNU gdb (GDB) 12.0.50.20220208-git
```

binutils @ 481153777e278b71e694fd2db6b897f7a9e3dcb8

Compile the following:
```
#include <stddef.h>

int main(int argc, char const *argv[]) {
  char* buf[16];

#define sign_ptr(ptr) \
  __asm__ __volatile__("pacdza %0" \
                       : "=r"(ptr) \
                       : "r"(ptr))

  // Set top byte including where memory tag bits would go.
  char *buf_with_non_address = (char *)((size_t)buf | (size_t)0xff << 56);
  sign_ptr(buf_with_non_address);
  // Address is now:
  // <4 bit user tag><4 bit memory tag><pointer signature><virtual address>

  return 0; // Set break point at this line.
}
```

With:
```
aarch64-unknown-linux-gnu-gcc -march=armv8.3-a main.c -o prog -g
```

Then run it on an AArch64 machine that has pointer authentication enabled.
Break at the indicated line where main returns.

Expected behaviour: GDB would know that pointer signatures are "non-address
bits" (not part of the virtual address) and remove them before attempting to do
a memory access on a signed pointer.

Actual behaviour: GDB does not remove these bits so it attempts to read a
completely different memory location. (one cannot be mapped in any case)

```
(gdb) p &buf
$4 = (char *(*)[16]) 0xfffffffff268
(gdb) p buf_with_non_address
$5 = 0xff75fffffffff268 <error: Cannot access memory at address
0xff75fffffffff268>
(gdb) x buf
0xfffffffff268: 0x00000000
(gdb) x buf_with_non_address
0xff75fffffffff268:     Cannot access memory at address 0xff75fffffffff268
```

I've been looking at this issue for lldb and it seems that other non-address
bits like the top byte can be left in when giving ptrace a virtual address.
Probably because the hardware ignores it for us. (this behaviour isn't
guaranteed by the kernel though as far as I know)

With pointer authentication, running code is expected to "auth" the pointer
before use. This would remove the signature bits if successful. So a memory
read/write with a signature still attached is always going to be a failure of
some kind.

GDB or GDB server should remove these signature bits before it gets to ptrace
so that the user doesn't have to manually auth these pointers.

For what it's worth, for lldb I'm looking at doing this in lldb not
lldb-server. Keeps the server simple and fixes some other things like our
memory caching along the way. Same approach might work for GDB as well.

-- 
You are receiving this mail because:
You are on the CC list for the bug.