runtime/objc-ptrauth.h

   1 /*
   2  * Copyright (c) 2017 Apple Inc.  All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 #ifndef _OBJC_PTRAUTH_H_
  25 #define _OBJC_PTRAUTH_H_
  26
  27 #include <objc/objc.h>
  28
  29 // On some architectures, method lists and method caches store signed IMPs.
  30
  31 // fixme simply include ptrauth.h once all build trains have it
  32 #if __has_include (<ptrauth.h>)
  33 #include <ptrauth.h>
  34 #else
  35 #define ptrauth_strip(__value, __key) __value
  36 #define ptrauth_blend_discriminator(__pointer, __integer) ((uintptr_t)0)
  37 #define ptrauth_sign_constant(__value, __key, __data) __value
  38 #define ptrauth_sign_unauthenticated(__value, __key, __data) __value
  39 #define ptrauth_auth_and_resign(__value, __old_key, __old_data, __new_key, __new_data) __value
  40 #define ptrauth_auth_function(__value, __old_key, __old_data) __value
  41 #define ptrauth_auth_data(__value, __old_key, __old_data) __value
  42 #define ptrauth_string_discriminator(__string) ((int)0)
  43 #define ptrauth_sign_generic_data(__value, __data) ((ptrauth_generic_signature_t)0)
  44
  45 #define __ptrauth_function_pointer
  46 #define __ptrauth_return_address
  47 #define __ptrauth_block_invocation_pointer
  48 #define __ptrauth_block_copy_helper
  49 #define __ptrauth_block_destroy_helper
  50 #define __ptrauth_block_byref_copy_helper
  51 #define __ptrauth_block_byref_destroy_helper
  52 #define __ptrauth_objc_method_list_imp
  53 #define __ptrauth_cxx_vtable_pointer
  54 #define __ptrauth_cxx_vtt_vtable_pointer
  55 #define __ptrauth_swift_heap_object_destructor
  56 #define __ptrauth_cxx_virtual_function_pointer(__declkey)
  57 #define __ptrauth_swift_function_pointer(__typekey)
  58 #define __ptrauth_swift_class_method_pointer(__declkey)
  59 #define __ptrauth_swift_protocol_witness_function_pointer(__declkey)
  60 #define __ptrauth_swift_value_witness_function_pointer(__key)
  61 #endif
  62
  63
  64 #if __has_feature(ptrauth_calls)
  65
  66 #if !__arm64__
  67 #error ptrauth other than arm64e is unimplemented
  68 #endif
  69
  70 // Method lists use process-independent signature for compatibility.
  71 using MethodListIMP = IMP __ptrauth_objc_method_list_imp;
  72
  73 #else
  74
  75 using MethodListIMP = IMP;
  76
  77 #endif
  78
  79 // A struct that wraps a pointer using the provided template.
  80 // The provided Auth parameter is used to sign and authenticate
  81 // the pointer as it is read and written.
  82 template<typename T, typename Auth>
  83 struct WrappedPtr {
  84 private:
  85     T *ptr;
  86
  87 public:
  88     WrappedPtr(T *p) {
  89         *this = p;
  90     }
  91
  92     WrappedPtr(const WrappedPtr<T, Auth> &p) {
  93         *this = p;
  94     }
  95
  96     WrappedPtr<T, Auth> &operator =(T *p) {
  97         ptr = Auth::sign(p, &ptr);
  98         return *this;
  99     }
 100
 101     WrappedPtr<T, Auth> &operator =(const WrappedPtr<T, Auth> &p) {
 102         *this = (T *)p;
 103         return *this;
 104     }
 105
 106     operator T*() const { return get(); }
 107     T *operator->() const { return get(); }
 108
 109     T *get() const { return Auth::auth(ptr, &ptr); }
 110
 111     // When asserts are enabled, ensure that we can read a byte from
 112     // the underlying pointer. This can be used to catch ptrauth
 113     // errors early for easier debugging.
 114     void validate() const {
 115 #if !NDEBUG
 116         char *p = (char *)get();
 117         char dummy;
 118         memset_s(&dummy, 1, *p, 1);
 119         ASSERT(dummy == *p);
 120 #endif
 121     }
 122 };
 123
 124 // A "ptrauth" struct that just passes pointers through unchanged.
 125 struct PtrauthRaw {
 126     template <typename T>
 127     static T *sign(T *ptr, const void *address) {
 128         return ptr;
 129     }
 130
 131     template <typename T>
 132     static T *auth(T *ptr, const void *address) {
 133         return ptr;
 134     }
 135 };
 136
 137 // A ptrauth struct that stores pointers raw, and strips ptrauth
 138 // when reading.
 139 struct PtrauthStrip {
 140     template <typename T>
 141     static T *sign(T *ptr, const void *address) {
 142         return ptr;
 143     }
 144
 145     template <typename T>
 146     static T *auth(T *ptr, const void *address) {
 147         return ptrauth_strip(ptr, ptrauth_key_process_dependent_data);
 148     }
 149 };
 150
 151 // A ptrauth struct that signs and authenticates pointers using the
 152 // DB key with the given discriminator and address diversification.
 153 template <unsigned discriminator>
 154 struct Ptrauth {
 155     template <typename T>
 156     static T *sign(T *ptr, const void *address) {
 157         if (!ptr)
 158             return nullptr;
 159         return ptrauth_sign_unauthenticated(ptr, ptrauth_key_process_dependent_data, ptrauth_blend_discriminator(address, discriminator));
 160     }
 161
 162     template <typename T>
 163     static T *auth(T *ptr, const void *address) {
 164         if (!ptr)
 165             return nullptr;
 166         return ptrauth_auth_data(ptr, ptrauth_key_process_dependent_data, ptrauth_blend_discriminator(address, discriminator));
 167     }
 168 };
 169
 170 // A template that produces a WrappedPtr to the given type using a
 171 // plain unauthenticated pointer.
 172 template <typename T> using RawPtr = WrappedPtr<T, PtrauthRaw>;
 173
 174 #if __has_feature(ptrauth_calls)
 175 // Get a ptrauth type that uses a string discriminator.
 176 #define PTRAUTH_STR(name) Ptrauth<ptrauth_string_discriminator(#name)>
 177
 178 // When ptrauth is available, declare a template that wraps a type
 179 // in a WrappedPtr that uses an authenticated pointer using the
 180 // process-dependent data key, address diversification, and a
 181 // discriminator based on the name passed in.
 182 //
 183 // When ptrauth is not available, equivalent to RawPtr.
 184 #define DECLARE_AUTHED_PTR_TEMPLATE(name)                      \
 185     template <typename T> using name ## _authed_ptr            \
 186         = WrappedPtr<T, PTRAUTH_STR(name)>;
 187 #else
 188 #define PTRAUTH_STR(name) PtrauthRaw
 189 #define DECLARE_AUTHED_PTR_TEMPLATE(name)                      \
 190     template <typename T> using name ## _authed_ptr = RawPtr<T>;
 191 #endif
 192
 193 // _OBJC_PTRAUTH_H_
 194 #endif