
[Bug? or Feature request?] Fix CFI write with Pointer Authentication

Open splhack opened this issue 2 months ago • 4 comments

Environment

  • symbolic version 12.16.3
  • https://github.com/mozilla/dump_syms 2.3.5

Steps to Reproduce

  • Compile Android arm64 code with -mbranch-protection=pac-ret
  • dump_syms the-built-ELF > symfile

Expected Result

STACK CFI INIT 1c7c 58 .cfa: sp 0 + .ra: x30
STACK CFI 1c8c .cfa: x29 16 + .ra: .cfa -8 + ^ x29: .cfa -16 + ^

Actual Result

STACK CFI INIT 1c7c 58 .cfa: sp 0 +

Problem

The STACK CFI INIT line does not contain .ra, and probably because of that, the STACK CFI line is not written.

I think https://github.com/gimli-rs/gimli probably parses Dwarf correctly and extracts Pointer Authentication instructions as UnknownCallFrameInstruction(DwCfa(45)).

splhack avatar Dec 02 '25 21:12 splhack

SYMBOL-17

linear[bot] avatar Dec 02 '25 21:12 linear[bot]

Hi, thank you for the report! Is there any chance that you can provide a DWARF file exhibiting the problem?

loewenheim avatar Dec 03 '25 08:12 loewenheim

Sure, this is an example.

test.tgz

File                  Description
libtest.so            ELF/DWARF
libtest.dis           llvm-objdump -d output
libtest.breakpad.sym  Google breakpad dump_syms output
libtest.rust.sym      Rust dump_syms output
test.c                source code
build.sh              build script

Toolchain: https://developer.android.com/ndk/downloads android-ndk-r27d-linux.zip

Disassembly

00000000000016e0 <test_function>:
    16e0: d503233f      paciasp  # Pointer Authentication instruction
    16e4: a9be7bfd      stp     x29, x30, [sp, #-0x20]!
    16e8: f9000bf3      str     x19, [sp, #0x10]
    16ec: 910003fd      mov     x29, sp
    16f0: 2a0003f3      mov     w19, w0
    16f4: d503201f      nop
    16f8: 10ff73c0      adr     x0, 0x570 <printf+0x570>
    16fc: 2a1303e1      mov     w1, w19
    1700: 9400001c      bl      0x1770 <printf@plt>
    1704: 11000660      add     w0, w19, #0x1
    1708: f9400bf3      ldr     x19, [sp, #0x10]
    170c: a8c27bfd      ldp     x29, x30, [sp], #0x20
    1710: d50323bf      autiasp  # Pointer Authentication instruction
    1714: d65f03c0      ret

Google breakpad dump_syms result

STACK CFI INIT 16e0 38 .cfa: sp 0 + .ra: x30
STACK CFI 16e8 .cfa: sp 32 +
STACK CFI 16f0 .cfa: x29 32 + .ra: .cfa -24 + ^ x19: .cfa -16 + ^ x29: .cfa -32 + ^
STACK CFI 1708 .cfa: sp 32 +
STACK CFI 1710 .cfa: sp 0 +
STACK CFI 1714 .ra: .ra x19: x19 x29: x29

Rust dump_syms result

STACK CFI INIT 16e0 38 .cfa: sp 0 +

splhack avatar Dec 03 '25 15:12 splhack
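As an added example (not code from the issue or from either dump_syms), a small evaluator for the Breakpad STACK CFI postfix rules, run over the two outputs above, shows why the missing .ra rule matters: without it an unwinder cannot recover the caller's return address, so the stack walk stops at the first pac-ret frame. The register and stack memory values are constructed.

```python
GOOGLE_CFI = """STACK CFI INIT 16e0 38 .cfa: sp 0 + .ra: x30
STACK CFI 16e8 .cfa: sp 32 +
STACK CFI 16f0 .cfa: x29 32 + .ra: .cfa -24 + ^ x19: .cfa -16 + ^ x29: .cfa -32 + ^
STACK CFI 1708 .cfa: sp 32 +
STACK CFI 1710 .cfa: sp 0 +
STACK CFI 1714 .ra: .ra x19: x19 x29: x29
"""                                                # both copied from the issue above
RUST_CFI = "STACK CFI INIT 16e0 38 .cfa: sp 0 +\n"
# Constructed frame state inside test_function: saved x29 / x30 / x19 at 0x7ff0 / 0x7ff8 / 0x8000.
REGS = {"sp": 0x7FF0, "x29": 0x7FF0, "x30": 0x1234, "x19": 7}
MEM = {0x7FF0: 0x8010, 0x7FF8: 0x1750, 0x8000: 5}

def parse_cfi(text):
    rules = []                                     # [(addr, {dest: [postfix tokens]})]
    for parts in (line.split() for line in text.splitlines()):
        if parts[:2] != ["STACK", "CFI"]:
            continue
        if parts[2] == "INIT":                     # drop the INIT tag and its length field
            del parts[2], parts[3]
        addr, dests, cur = int(parts[2], 16), {}, None
        for tok in parts[3:]:
            if tok.endswith(":"):
                cur = dests.setdefault(tok[:-1], [])
            else:
                cur.append(tok)
        rules.append((addr, dests))
    return rules

def eval_postfix(tokens, regs, mem):
    stack = []
    for tok in tokens:
        if tok in ("+", "-"):
            b, a = stack.pop(), stack.pop()
            stack.append(a + b if tok == "+" else a - b)
        elif tok == "^":
            stack.append(mem[stack.pop()])         # load an 8-byte word from the stack
        else:                                      # integer literal, register, or .cfa
            stack.append(int(tok) if tok.lstrip("-").isdigit() else regs[tok])
    return stack.pop()

def caller_frame(cfi_text, pc, regs, mem):
    """(cfa, return address) at pc, or None when no .ra rule is in force there."""
    eff = {}                                       # later records override per destination
    for addr, dests in parse_cfi(cfi_text):
        if addr <= pc:
            eff.update(dests)
    cfa = eval_postfix(eff[".cfa"], regs, mem)
    if ".ra" not in eff:                           # the Rust output: the stack walk ends here
        return None
    return cfa, eval_postfix(eff[".ra"], {**regs, ".cfa": cfa}, mem)
```

With pac-ret the word loaded for .ra is the PAC-signed x30 that paciasp produced, so a real unwinder strips the signature bits before treating it as an address.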

Thank you, that is very comprehensive!

loewenheim avatar Dec 03 '25 15:12 loewenheim