[AArch64] When signing return addresses by default, using some Concurrency primitives can cause a crash #80059
Labels
bug
A deviation from expected or documented behavior. Also: expected but undesirable behavior.
triage needed
This issue needs more specific labels
Comments
3405691582
added
bug
|
This is mainly of relevance to the OpenBSD port but is not limited to it. |
3405691582
added a commit
to 3405691582/swift
that referenced
this issue
Mar 28, 2025
To work-around swiftlang#80059, we need to stop return address signing and opt-out of BTCFI enforcement via enabling a platform linker option. We don't want to completely undo the BTCFI work in the rare case that we later figure out how to properly address the above issue, or allow users who might want to benefit from BTCFI enforcement and won't use Concurrency. To do this, condition the existing BTCFI flag enforcement into a configuration option that defaults off for now. Because the new swift-driver needs to "know" whether the frontend is configured to opt-out or not, and since the new driver communicates with the frontend via the target info JSON to begin with, we add a field that emits the build flavor to signal the right behavior.
3405691582
added a commit
to 3405691582/swift-driver
that referenced
this issue
Mar 28, 2025
On the swift side, we added a new build flavor in swiftlang/swift#xxxxx to opt-out of BTCFI as a way of working around swiftlang/swift#80059. We communicate this to swift-driver via the frontend with FrontendTargetInfo.
3405691582
added a commit
to 3405691582/swift-driver
that referenced
this issue
Mar 28, 2025
On the swift side, we added a new build flavor in swiftlang/swift#xxxxx to opt-out of BTCFI as a way of working around swiftlang/swift#80059. We communicate this to swift-driver via the frontend with FrontendTargetInfo.
3405691582
added a commit
to 3405691582/swift
that referenced
this issue
Mar 28, 2025
To work-around swiftlang#80059, we need to stop return address signing and opt-out of BTCFI enforcement via enabling a platform linker option. We don't want to completely undo the BTCFI work in the rare case that we later figure out how to properly address the above issue, or allow users who might want to benefit from BTCFI enforcement and won't use Concurrency. To do this, condition the existing BTCFI flag enforcement into a configuration option that defaults off for now. Because the new swift-driver needs to "know" whether the frontend is configured to opt-out or not, and since the new driver communicates with the frontend via the target info JSON to begin with, we add a field that emits the build flavor to signal the right behavior.
3405691582
added a commit
to 3405691582/swift
that referenced
this issue
Mar 29, 2025
To work-around swiftlang#80059, we need to stop return address signing and opt-out of BTCFI enforcement via enabling a platform linker option. We don't want to completely undo the BTCFI work in the rare case that we later figure out how to properly address the above issue, or allow users who might want to benefit from BTCFI enforcement and won't use Concurrency. To do this, condition the existing BTCFI flag enforcement into a configuration option that defaults to off for now. Because the new swift-driver needs to "know" whether the frontend is configured to opt-out or not, and since the new driver communicates with the frontend via the target info JSON to begin with, we add a field that emits the build flavor to signal the right behavior.
3405691582
added a commit
to 3405691582/swift
that referenced
this issue
Mar 29, 2025
To work-around swiftlang#80059, we need to stop return address signing and opt-out of BTCFI enforcement via enabling a platform linker option. We don't want to completely undo the BTCFI work in the rare case that we later figure out how to properly address the above issue, or allow users who might want to benefit from BTCFI enforcement and won't use Concurrency. To do this, condition the existing BTCFI flag enforcement into a configuration option that defaults to off for now. Because the new swift-driver needs to "know" whether the frontend is configured to opt-out or not, and since the new driver communicates with the frontend via the target info JSON to begin with, we add a field that emits the build flavor to signal the right behavior.
3405691582
added a commit
to 3405691582/swift
that referenced
this issue
Mar 29, 2025
To work-around swiftlang#80059, we need to stop return address signing and opt-out of BTCFI enforcement via enabling a platform linker option. We don't want to completely undo the BTCFI work in the rare case that we later figure out how to properly address the above issue, or allow users who might want to benefit from BTCFI enforcement and won't use Concurrency. To do this, condition the existing BTCFI flag enforcement into a configuration option that defaults to off for now. Because the new swift-driver needs to "know" whether the frontend is configured to opt-out or not, and since the new driver communicates with the frontend via the target info JSON to begin with, we add a field that emits the build flavor to signal the right behavior.
3405691582
added a commit
to 3405691582/swift-driver
that referenced
this issue
Mar 29, 2025
On the swift side, we added a new build flavor in swiftlang/swift#80389 to opt-out of BTCFI as a way of working around swiftlang/swift#80059. We communicate this to swift-driver via the frontend with FrontendTargetInfo.
3405691582
added a commit
to 3405691582/swift-driver
that referenced
this issue
Apr 19, 2025
On the swift side, we added a new build flavor in swiftlang/swift#80389 to opt-out of BTCFI as a way of working around swiftlang/swift#80059. We communicate this to swift-driver via the frontend with FrontendTargetInfo.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Using
-msign-return-addressoptions (like in #78394 on OpenBSD) and Concurrency primitives likewithTaskGroupcan cause a PAC trap.The current understanding is that this is due to the fact that on ELF platforms,
swift_task_switchmay be called through a PLT stub which modifies the stack pointer, but afterswift_task_switchthe stack pointer is not equivalently adjusted, causing the stack signing to fault.Reproduction
Execute with
swiftc -parse-as-library -g bad.swift -Xcc -Xclang=-msign-return-address=non-leaf.Expected behavior
Code executes normally.
Environment
aarch64: swift 6.0.3 prebuilt on Linux, swift HEAD on OpenBSD.
Additional information
I don't believe this is posing a problem on Darwin/aarch64 since I am guessing (though have not verified) that Mach-O doesn't really have a concept of the PLT like on ELF platforms do. Return address signing through
-msign-return-addressappears to be optional on Linux, but turning it on will also highlights the problem. I suspect the stack pointer is not being restored correctly regardless of signing and thus stack would be "leaked" through repeatedswift_task_switchcalls through the PLT.On OpenBSD/aarch64, enforcement of indirect branch targets (including return address signing) is mandatory, unless explicitly opted out by informing the platform linker (with
-z nobtcfi). The platform compiler adds the flags-mbranch-target-enforce,-msign-return-address=non-leaf, and-msign-return-address-key=a_keyby default. When the latter two options are enabled, the compiler emitspaciaspandautiaspinstructions for PAC on the stack pointer. When there is a misbranch on OpenBSD, the binary will receive a SIGILL signal and codeILL_BTCFIto indicate a branch target issue. When executing the above code, the ESR indicates a pointer authentication fault.The text was updated successfully, but these errors were encountered: