#include "xnu_debug.h"
#include "xnu_threads.h"

Functions
RZ_IPI bool	xnu_restore_exception_ports (int pid)

static void	encode_reply (mig_reply_error_t reply, mach_msg_header_t hdr, int code)

static bool	validate_mach_message (RzDebug dbg, exc_msg msg)

static bool	handle_dead_notify (RzDebug dbg, exc_msg msg)

static int	handle_exception_message (RzDebug dbg, exc_msg msg, int *ret_code, bool quiet_signal)

RZ_IPI RzDebugReasonType	xnu_wait_for_exception (RzDebug *dbg, int pid, ut32 timeout_ms, bool quiet_signal)

RZ_IPI bool	xnu_create_exception_thread (RzDebug *dbg)

Variables
static xnu_exception_info	ex = { { 0 } }

Function Documentation

◆ encode_reply()

static void encode_reply	(	mig_reply_error_t *	reply,
		mach_msg_header_t *	hdr,
		int	code
	)

static

Definition at line 249 of file xnu_excthreads.c.

                                                                                      {
     mach_msg_header_t *rh = &reply->Head;
     rh->msgh_bits = MACH_MSGH_BITS(MACH_MSGH_BITS_REMOTE(hdr->msgh_bits), 0);
     rh->msgh_remote_port = hdr->msgh_remote_port;
     rh->msgh_size = (mach_msg_size_t)sizeof(mig_reply_error_t);
     rh->msgh_local_port = MACH_PORT_NULL;
     rh->msgh_id = hdr->msgh_id + 100;
     reply->NDR = NDR_record;
     reply->RetCode = code;
 }

References code.

Referenced by xnu_wait_for_exception().

◆ handle_dead_notify()

static bool handle_dead_notify	(	RzDebug *	dbg,
		exc_msg *	msg
	)

static

Definition at line 314 of file xnu_excthreads.c.

                                                            {
     if (msg->hdr.msgh_id == 0x48) {
         dbg->pid = -1;
         return true;
     }
     return false;
 }

References dbg, msg, and rz_debug_t::pid.

Referenced by xnu_wait_for_exception().

◆ handle_exception_message()

static int handle_exception_message	(	RzDebug *	dbg,
		exc_msg *	msg,
		int *	ret_code,
		bool	quiet_signal
	)

static

Definition at line 322 of file xnu_excthreads.c.

                                                                                                   {
     int ret = RZ_DEBUG_REASON_UNKNOWN;
     kern_return_t kr;
     *ret_code = KERN_SUCCESS;
     ut64 code = (ut64)msg->code[0] | ((ut64)msg->code[1] << 32);
     ut64 subcode = (ut64)msg->code[2] | ((ut64)msg->code[3] << 32);
     switch (msg->exception) {
     case EXC_BAD_ACCESS:
         ret = RZ_DEBUG_REASON_SEGFAULT;
         *ret_code = KERN_FAILURE;
         kr = task_suspend(msg->task.name);
         if (kr != KERN_SUCCESS) {
             eprintf("failed to suspend task bad access\n");
         }
         eprintf("EXC_BAD_ACCESS\n");
         break;
     case EXC_BAD_INSTRUCTION:
         ret = RZ_DEBUG_REASON_ILLEGAL;
         *ret_code = KERN_FAILURE;
         kr = task_suspend(msg->task.name);
         if (kr != KERN_SUCCESS) {
             eprintf("failed to suspend task bad instruction\n");
         }
         eprintf("EXC_BAD_INSTRUCTION\n");
         break;
     case EXC_ARITHMETIC:
         eprintf("EXC_ARITHMETIC\n");
         break;
     case EXC_EMULATION:
         eprintf("EXC_EMULATION\n");
         break;
     case EXC_SOFTWARE:
         // TODO: make these eprintfs RZ_LOG_INFO
         // Right now we can't because the default log level is < info and the info about the
         // signal is important to the user.
         if (!quiet_signal) {
             eprintf("EXC_SOFTWARE: ");
         }
         if (code == EXC_SOFT_SIGNAL) {
             // standard unix signal
             ret = RZ_DEBUG_REASON_SIGNAL;
             dbg->reason.signum = subcode;
             if (!quiet_signal) {
                 eprintf(" EXC_SOFT_SIGNAL %" PFMT64u, subcode);
                 const char *signame = rz_signal_to_string((int)subcode);
                 if (signame) {
                     eprintf(" = %s", signame);
                 }
                 eprintf("\n");
             }
         } else {
             eprintf("code = 0x%" PFMT64u ", subcode = 0x%" PFMT64u "\n", code, subcode);
         }
         // We want to stop and examine when getting signals
         kr = task_suspend(msg->task.name);
         if (kr != KERN_SUCCESS) {
             RZ_LOG_ERROR("Failed to suspend after EXC_SOFTWARE");
         }
         break;
     case EXC_BREAKPOINT:
         kr = task_suspend(msg->task.name);
         if (kr != KERN_SUCCESS) {
             eprintf("failed to suspend task breakpoint\n");
         }
         ret = RZ_DEBUG_REASON_BREAKPOINT;
         break;
     default:
         eprintf("UNKNOWN\n");
         break;
     }
     kr = mach_port_deallocate(mach_task_self(), msg->task.name);
     if (kr != KERN_SUCCESS) {
         eprintf("failed to deallocate task port\n");
     }
     kr = mach_port_deallocate(mach_task_self(), msg->thread.name);
     if (kr != KERN_SUCCESS) {
         eprintf("failed to deallocated task port\n");
     }
     return ret;
 }

References dbg, eprintf, msg, PFMT64u, rz_debug_t::reason, RZ_DEBUG_REASON_BREAKPOINT, RZ_DEBUG_REASON_ILLEGAL, RZ_DEBUG_REASON_SEGFAULT, RZ_DEBUG_REASON_SIGNAL, RZ_DEBUG_REASON_UNKNOWN, RZ_LOG_ERROR, rz_signal_to_string(), rz_debug_reason_t::signum, and ut64().

Referenced by xnu_wait_for_exception().

◆ validate_mach_message()

static bool validate_mach_message	(	RzDebug *	dbg,
		exc_msg *	msg
	)

static

Definition at line 260 of file xnu_excthreads.c.

                                                               {
     kern_return_t kr;
 #if __POWERPC__
     return false;
 #else
     /*check if the message is for us*/
     if (msg->hdr.msgh_local_port != ex.exception_port) {
         return false;
     }
     /*gdb from apple check this so why not us*/
     if (!(msg->hdr.msgh_bits & MACH_MSGH_BITS_COMPLEX)) {
         return false;
     }
     /*Mach exception we are interested*/
     // XXX for i386 this id seems to be different
     if (msg->hdr.msgh_id > 2405 || msg->hdr.msgh_id < 2401) {
         return false;
     }
     /* check descriptors.  */
     if (msg->hdr.msgh_size <
         sizeof(mach_msg_header_t) + sizeof(mach_msg_body_t) +
             2 * sizeof(mach_msg_port_descriptor_t) +
             sizeof(NDR_record_t) + sizeof(exception_type_t) +
             sizeof(mach_msg_type_number_t) +
             sizeof(mach_exception_data_t))
         return false;
     /* check data representation.  */
     if (msg->NDR.mig_vers != NDR_PROTOCOL_2_0 ||
         msg->NDR.if_vers != NDR_PROTOCOL_2_0 ||
         msg->NDR.mig_encoding != NDR_record.mig_encoding ||
         msg->NDR.int_rep != NDR_record.int_rep ||
         msg->NDR.char_rep != NDR_record.char_rep ||
         msg->NDR.float_rep != NDR_record.float_rep) {
         return false;
     }
     if (pid_to_task(dbg->pid) != msg->task.name) {
         // we receive a exception from an unknown process this could
         // happen if the child fork, as the created process will inherit
         // its exception port
         /*we got new rights to the task, get rid of it.*/
         kr = mach_port_deallocate(mach_task_self(), msg->task.name);
         if (kr != KERN_SUCCESS) {
             eprintf("validate_mach_message: failed to deallocate task port\n");
         }
         kr = mach_port_deallocate(mach_task_self(), msg->thread.name);
         if (kr != KERN_SUCCESS) {
             eprintf("validate_mach_message2: failed to deallocated task port\n");
         }
         return false;
     }
     return true;
 #endif
 }

References dbg, eprintf, ex, _exception_info::exception_port, msg, rz_debug_t::pid, and pid_to_task().

Referenced by xnu_wait_for_exception().

◆ xnu_create_exception_thread()

RZ_IPI bool xnu_create_exception_thread ( RzDebug * dbg )

Definition at line 479 of file xnu_excthreads.c.

                                                       {
 #if __POWERPC__
     return false;
 #else
     kern_return_t kr;
     mach_port_t exception_port = MACH_PORT_NULL;
     mach_port_t req_port;
     // Got the Mach port for the current process
     mach_port_t task_self = mach_task_self();
     task_t task = pid_to_task(dbg->pid);
     if (!task) {
         eprintf("error to get task for the debuggee process"
             " xnu_start_exception_thread\n");
         return false;
     }
     if (!MACH_PORT_VALID(task_self)) {
         eprintf("error to get the task for the current process"
             " xnu_start_exception_thread\n");
         return false;
     }
     // Allocate an exception port that we will use to track our child process
     kr = mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE,
         &exception_port);
     RETURN_ON_MACH_ERROR("error to allocate mach_port exception\n", false);
     // Add the ability to send messages on the new exception port
     kr = mach_port_insert_right(task_self, exception_port, exception_port,
         MACH_MSG_TYPE_MAKE_SEND);
     RETURN_ON_MACH_ERROR("error to allocate insert right\n", false);
     // Atomically swap out (and save) the child process's exception ports
     // for the one we just created. We'll want to receive all exceptions.
     ex.count = (sizeof(ex.ports) / sizeof(*ex.ports));
     kr = task_swap_exception_ports(task, EXC_MASK_ALL, exception_port,
         EXCEPTION_DEFAULT | MACH_EXCEPTION_CODES, THREAD_STATE_NONE,
         ex.masks, &ex.count, ex.ports, ex.behaviors, ex.flavors);
     RETURN_ON_MACH_ERROR("failed to swap exception ports\n", false);
     // get notification when process die
     kr = mach_port_request_notification(task_self, task, MACH_NOTIFY_DEAD_NAME,
         0, exception_port, MACH_MSG_TYPE_MAKE_SEND_ONCE, &req_port);
     if (kr != KERN_SUCCESS) {
         eprintf("Termination notification request failed\n");
     }
     ex.exception_port = exception_port;
     return true;
 #endif
 }

References _exception_info::behaviors, _exception_info::count, dbg, eprintf, ex, _exception_info::exception_port, _exception_info::flavors, _exception_info::masks, rz_debug_t::pid, pid_to_task(), _exception_info::ports, and RETURN_ON_MACH_ERROR.

Referenced by xnu_attach().

◆ xnu_restore_exception_ports()

RZ_IPI bool xnu_restore_exception_ports ( int pid )

Definition at line 226 of file xnu_excthreads.c.

                                                  {
     kern_return_t kr;
     int i;
     task_t task = pid_to_task(pid);
     if (!task)
         return false;
     for (i = 0; i < ex.count; i++) {
         kr = task_set_exception_ports(task, ex.masks[i], ex.ports[i],
             ex.behaviors[i], ex.flavors[i]);
         if (kr != KERN_SUCCESS) {
             eprintf("fail to restore exception ports\n");
             return false;
         }
     }
     kr = mach_port_deallocate(mach_task_self(), ex.exception_port);
     if (kr != KERN_SUCCESS) {
         eprintf("failed to deallocate exception port\n");
         return false;
     }
     return true;
 }

References _exception_info::behaviors, _exception_info::count, eprintf, ex, _exception_info::exception_port, _exception_info::flavors, i, _exception_info::masks, pid, pid_to_task(), and _exception_info::ports.

Referenced by xnu_detach().

◆ xnu_wait_for_exception()

RZ_IPI RzDebugReasonType xnu_wait_for_exception	(	RzDebug *	dbg,
		int	pid,
		ut32	timeout_ms,
		bool	quiet_signal
	)

Wait for a Mach exception, reply to it and handle it.

Parameters

timeout_ms	if zero, wait infinitely, otherwise specifies a timeout for receiving
quiet_signal	don't print when receiving a standard unix signal

Definition at line 409 of file xnu_excthreads.c.

                                                                                                            {
     rz_return_val_if_fail(dbg, RZ_DEBUG_REASON_ERROR);
     kern_return_t kr;
     int ret_code;
     RzDebugReasonType reason = RZ_DEBUG_REASON_UNKNOWN;
     mig_reply_error_t reply;
     bool ret;
     exc_msg msg = { 0 };
     if (!dbg) {
         return reason;
     }
     msg.hdr.msgh_local_port = ex.exception_port;
     msg.hdr.msgh_size = sizeof(exc_msg);
     for (;;) {
         kr = mach_msg(
             &msg.hdr,
             MACH_RCV_MSG | MACH_RCV_INTERRUPT | (timeout_ms ? MACH_RCV_TIMEOUT : 0), 0,
             sizeof(exc_msg), ex.exception_port,
             timeout_ms ? timeout_ms : MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
         if (kr == MACH_RCV_INTERRUPTED) {
             reason = RZ_DEBUG_REASON_MACH_RCV_INTERRUPTED;
             break;
         } else if (kr == MACH_RCV_TIMED_OUT) {
             RZ_LOG_ERROR("Waiting for Mach exception timed out");
             reason = RZ_DEBUG_REASON_UNKNOWN;
             break;
         } else if (kr != MACH_MSG_SUCCESS) {
             RZ_LOG_ERROR("message didn't succeeded\n");
             break;
         }
         ret = validate_mach_message(dbg, &msg);
         if (!ret) {
             ret = handle_dead_notify(dbg, &msg);
             if (ret) {
                 reason = RZ_DEBUG_REASON_DEAD;
                 break;
             }
         }
         if (!ret) {
             encode_reply(&reply, &msg.hdr, KERN_FAILURE);
             kr = mach_msg(&reply.Head, MACH_SEND_MSG | MACH_SEND_INTERRUPT,
                 reply.Head.msgh_size, 0,
                 MACH_PORT_NULL, MACH_MSG_TIMEOUT_NONE,
                 MACH_PORT_NULL);
             if (reply.Head.msgh_remote_port != 0 && kr != MACH_MSG_SUCCESS) {
                 kr = mach_port_deallocate(mach_task_self(), reply.Head.msgh_remote_port);
                 if (kr != KERN_SUCCESS) {
                     eprintf("failed to deallocate reply port\n");
                 }
             }
             continue;
         }
  
         reason = handle_exception_message(dbg, &msg, &ret_code, quiet_signal);
         encode_reply(&reply, &msg.hdr, ret_code);
         kr = mach_msg(&reply.Head, MACH_SEND_MSG | MACH_SEND_INTERRUPT,
             reply.Head.msgh_size, 0,
             MACH_PORT_NULL, 0,
             MACH_PORT_NULL);
         if (reply.Head.msgh_remote_port != 0 && kr != MACH_MSG_SUCCESS) {
             kr = mach_port_deallocate(mach_task_self(), reply.Head.msgh_remote_port);
             if (kr != KERN_SUCCESS)
                 eprintf("failed to deallocate reply port\n");
         }
         break; // to avoid infinite loops
     }
     dbg->stopaddr = rz_debug_reg_get(dbg, "PC");
     return reason;
 }