
macOS unhandled exception #84

Open
andyzekan opened this issue Aug 30, 2024 · 5 comments

Comments

@andyzekan

Hello,

I am running litecov on macOS 14.6.1 running under UTM (host is an M3).

When I try it using a simple test program I wrote, it works well:

sudo /Users/and/Desktop/TinyInst-master/build/Release/litecov -trace_debug_events  -instrument_module simple  -coverage_file coverage.txt -- /Users/and/Desktop/simple/simple
Additionally added modules to align to pages:
Debugger: Mach exception (5) @ address 0x102928b70
Debugger: Process created or attached
Debugger: Loaded module dyld at 0x102924000
Debugger: Loaded module simple at 0x102624000
Debugger: Loaded module libSystem.B.dylib at 0x18d0cd000
Debugger: Loaded module libcache.dylib at 0x18d0c7000
Debugger: Loaded module libcommonCrypto.dylib at 0x18d081000
Debugger: Loaded module libcompiler_rt.dylib at 0x18d0ad000
Debugger: Loaded module libcopyfile.dylib at 0x18d0a3000
Debugger: Loaded module libcorecrypto.dylib at 0x1801ae000
Debugger: Loaded module libdispatch.dylib at 0x180295000
Debugger: Loaded module libdyld.dylib at 0x180450000
Debugger: Loaded module libkeymgr.dylib at 0x18d0bd000
Debugger: Loaded module libmacho.dylib at 0x18d059000
Debugger: Loaded module libquarantine.dylib at 0x18c539000
Debugger: Loaded module libremovefile.dylib at 0x18d0ba000
Debugger: Loaded module libsystem_asl.dylib at 0x185bcd000
Debugger: Loaded module libsystem_blocks.dylib at 0x180143000
Debugger: Loaded module libsystem_c.dylib at 0x1802e0000
Debugger: Loaded module libsystem_collections.dylib at 0x18d0b1000
Debugger: Loaded module libsystem_configuration.dylib at 0x18b711000
Debugger: Loaded module libsystem_containermanager.dylib at 0x18a74d000
Debugger: Loaded module libsystem_coreservices.dylib at 0x18ccf0000
Debugger: Loaded module libsystem_darwin.dylib at 0x18386e000
Debugger: Loaded module libsystem_darwindirectory.dylib at 0x247fc1000
Debugger: Loaded module libsystem_dnssd.dylib at 0x18d0be000
Debugger: Loaded module libsystem_eligibility.dylib at 0x247fc5000
Debugger: Loaded module libsystem_featureflags.dylib at 0x1802dd000
Debugger: Loaded module libsystem_info.dylib at 0x18047e000
Debugger: Loaded module libsystem_m.dylib at 0x18d01e000
Debugger: Loaded module libsystem_malloc.dylib at 0x180258000
Debugger: Loaded module libsystem_networkextension.dylib at 0x185b3a000
Debugger: Loaded module libsystem_notify.dylib at 0x183ce4000
Debugger: Loaded module libsystem_sandbox.dylib at 0x18b716000
Debugger: Loaded module libsystem_sanitizers.dylib at 0x247fc9000
Debugger: Loaded module libsystem_secinit.dylib at 0x18d0b6000
Debugger: Loaded module libsystem_kernel.dylib at 0x180408000
Debugger: Loaded module libsystem_platform.dylib at 0x180476000
Debugger: Loaded module libsystem_pthread.dylib at 0x180443000
Debugger: Loaded module libsystem_symptoms.dylib at 0x1875bf000
Debugger: Loaded module libsystem_trace.dylib at 0x180193000
Debugger: Loaded module libunwind.dylib at 0x18d08f000
Debugger: Loaded module libxpc.dylib at 0x180148000
Debugger: Loaded module libc++abi.dylib at 0x1803ec000
Debugger: Loaded module libobjc.A.dylib at 0x180068000
Debugger: Loaded module liboah.dylib at 0x18d09b000
Debugger: Loaded module libc++.1.dylib at 0x18035f000
Debugger: Process entrypoint reached
Instrumented module simple, code size: 16384
Debugger: Process exit
Process finished normally
Found 4 new offsets in simple

But I get an error when running programs from e.g. /sbin or /bin:

sudo /Users/and/Desktop/TinyInst-master/build/Release/litecov -trace_debug_events  -instrument_module ping  -coverage_file coverage.txt -- /sbin/ping                  
Additionally added modules to align to pages:
Debugger: Mach exception (5) @ address 0x6b800100414b70
Debugger: Process created or attached
Debugger: Loaded module dyld at 0x100410000
Debugger: Mach exception (6) @ address 0xee14800100411e20
[!] WARNING: Unhandled breakpoint

Debugger: Mach exception (5) @ address 0xee14800100411e20
[!] WARNING: Debugger: Unhandled exception, mach exception_type 5 at address 0xee14800100411e20

Debugger: Process exit
Process finished normally

Can you please provide a hint on how to solve it?

@ifratric
Collaborator

ifratric commented Sep 9, 2024

Hey, thanks for reporting! Just a quick note to let you know this is on my radar, but I'm out of office at the moment without access to the Apple hardware so can't look into it at the moment. In the meantime, can you maybe check if you get the same issues on the host or is this something that's UTM specific?

@andyzekan
Author

Hello @ifratric
Thanks for the reply.
litecov needs privileged access, which sadly I do not have on my host. But I tried this on an intel macOS running under VMWare and surprisingly this problem is not present!

One more thing regarding the issue:
It appears the program sets a breakpoint on 0x100411e20, but when the exception is caught it checks for 0xee14800100411e20 (the upper bytes of the address (PAC?) are not wiped out), which is not in the breakpoints list, and it warns about an unhandled breakpoint. As I do not expect any unhandled breakpoint during a normal run of ping, I tried to patch the code by masking out the upper bytes and "SetRegister(ARCH_PC, GetRegister(LR));". But then the program entered an infinite loop while handling image load (just "dyld" and "ping" are loaded and there are no other images [all_image_infos.infoArrayCount is zero every time]).

I hope we can solve this problem. I appreciate your time in advance.

@ifratric
Collaborator

I can try it on Apple Silicon host once I'm back in the office (next week, hopefully).

One thing you can try is to remove the PAC bits in exception->ip in https://github.com/googleprojectzero/TinyInst/blob/master/macOS/debugger.cpp#L152, but I'd still like to understand

  • who exactly sets this breakpoint and
  • how exception->ip ends up with those bits set (AFAIK this is read from the PC register and it shouldn't have the PAC bits set)
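Added illustration of the read-side strip discussed in this thread; this is not TinyInst code. It assumes that macOS user-space addresses fit in the low 47 bits, so everything above is treated as PAC signature material, and uses a constructed breakpoint table built from the addresses in the log (the second entry is the dyld+0x4b70 stop seen in both runs).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumption: user-space virtual addresses occupy the low 47 bits. Anything
 * above that in a PC read from an arm64e thread context is PAC signature
 * material, not part of the address. */
#define USER_VA_BITS 47
#define USER_VA_MASK ((UINT64_C(1) << USER_VA_BITS) - 1)

/* Read-side strip only: the result is usable for lookups, but per the
 * maintainer's note it cannot be written back into PC on arm64e, because
 * values written there must be re-signed. */
static uint64_t strip_pac(uint64_t ip) {
    return ip & USER_VA_MASK;
}

static bool has_pac_bits(uint64_t ip) {
    return (ip & ~USER_VA_MASK) != 0;
}

/* Constructed breakpoint table standing in for the debugger's list. */
typedef struct { uint64_t addr; const char *name; } breakpoint_t;

static const breakpoint_t BREAKPOINTS[] = {
    { UINT64_C(0x100411e20), "dyld breakpoint from the issue log" },
    { UINT64_C(0x100414b70), "dyld+0x4b70 initial stop" },
};

/* Look the raw exception IP up after stripping. NULL means the stop really is
 * unhandled rather than merely mis-keyed by the signature bits. */
static const breakpoint_t *find_breakpoint(uint64_t raw_ip) {
    uint64_t addr = strip_pac(raw_ip);
    for (size_t i = 0; i < sizeof BREAKPOINTS / sizeof BREAKPOINTS[0]; i++)
        if (BREAKPOINTS[i].addr == addr) return &BREAKPOINTS[i];
    return NULL;
}

int main(void) {
    uint64_t raw = UINT64_C(0xee14800100411e20);  /* value from the issue log */
    const breakpoint_t *bp = find_breakpoint(raw);
    printf("raw ip 0x%llx -> addr 0x%llx, pac bits: %s, breakpoint: %s\n",
           (unsigned long long)raw, (unsigned long long)strip_pac(raw),
           has_pac_bits(raw) ? "yes" : "no", bp ? bp->name : "(none)");
    return 0;
}
```

The same mask also maps the first stop in the ping run, 0x6b800100414b70, onto dyld+0x4b70, the same offset the unsigned 0x102928b70 has from dyld in the working run.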

@ifratric
Collaborator

FYI: I'm back and looking into this. You are correct that the PC (and some other register values) read from the thread context are PAC-signed when the target is an arm64e (as opposed to arm64) binary. While we can strip the PAC signature when reading these values, this is not sufficient because we also need to sign the values when writing into these registers. Unfortunately, this doesn't appear possible from an arm64 binary (which TinyInst currently compiles as). While we can call pac-signing instructions such as PACIZA, they simply do nothing in arm64 mode. So TinyInst would need to be compiled as arm64e binary first and then we can start to work on this issue and possibly other issues related to arm64e mode. Stay tuned.

@ifratric
Collaborator

There has been some progress in 23e026a, but while this works for my own arm64e programs (assuming TinyInst was built with -DCMAKE_OSX_ARCHITECTURES=arm64e), it still doesn't work on Apple binaries. Possibly an issue with different PAC keys.
