Improved cxa_throw swapping (#1855)

* Improved cxa_throw swapping

* Updated changelog

---------

Co-authored-by: Robert Bartoszewski <robert.smartbear@gmail.com>

Author: robert-smartbear

Bugsnag.xcodeproj/project.pbxproj

@@ -0,0 +1,49 @@
+//
+//  KSPlatformSpecificDefines.h
+//
+//  Copyright (c) 2019 YANDEX LLC. All rights reserved.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall remain in place
+// in this source code.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+//
+
+#ifndef KSPlatformSpecificDefines_h
+#define KSPlatformSpecificDefines_h
+
+#include <mach-o/loader.h>
+#include <mach-o/nlist.h>
+
+#ifdef __LP64__
+typedef struct mach_header_64 mach_header_t;
+typedef struct segment_command_64 segment_command_t;
+typedef struct section_64 section_t;
+typedef struct nlist_64 nlist_t;
+#define LC_SEGMENT_ARCH_DEPENDENT LC_SEGMENT_64
+#else /* __LP64__ */
+typedef struct mach_header mach_header_t;
+typedef struct segment_command segment_command_t;
+typedef struct section section_t;
+typedef struct nlist nlist_t;
+#define LC_SEGMENT_ARCH_DEPENDENT LC_SEGMENT
+#endif /* __LP64__ */
+
+#ifndef SEG_DATA_CONST
+#define SEG_DATA_CONST "__DATA_CONST"
+#endif /* SEG_DATA_CONST */
+
+#endif /* KSPlatformSpecificDefines_h */

Bugsnag/KSCrash/Source/KSCrash/Recording/BSG_KSPlatformSpecificDefines.h

@@ -30,6 +30,7 @@
 #include "BSG_KSCrashSentry_Private.h"
 #include "BSG_KSCrashStringConversion.h"
 #include "BSG_KSMach.h"
+#include "../Tools/BSG_KSCxaThrowSwapper.h"
 
 //#define BSG_KSLogger_LocalLevel TRACE
 #include "BSG_KSLogger.h"
@@ -84,10 +85,10 @@
 typedef void (*cxa_throw_type)(void *, std::type_info *, void (*)(void *));
 
 extern "C" {
-void __cxa_throw(void *thrown_exception, std::type_info *tinfo,
+void BSG__cxa_throw_override(void *thrown_exception, std::type_info *tinfo,
                  void (*dest)(void *)) __attribute__((weak));
 
-void __cxa_throw(void *thrown_exception, std::type_info *tinfo,
+void BSG__cxa_throw_override(void *thrown_exception, std::type_info *tinfo,
                  void (*dest)(void *)) {
     if (bsg_g_captureNextStackTrace) {
         bsg_g_stackTraceCount =
@@ -262,6 +263,7 @@ static void CPPExceptionTerminate(void) {
 
     bsg_g_originalTerminateHandler = std::set_terminate(CPPExceptionTerminate);
     bsg_g_captureNextStackTrace = true;
+    bsg_ksct_swap(BSG__cxa_throw_override);
     return true;
 }
 

Bugsnag/KSCrash/Source/KSCrash/Recording/Sentry/BSG_KSCrashSentry_CPPException.mm

@@ -0,0 +1,274 @@
+//
+//  KSCxaThrowSwapper.cpp
+//
+//  Copyright (c) 2019 YANDEX LLC. All rights reserved.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall remain in place
+// in this source code.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+//
+//
+// Inspired by facebook/fishhook
+// https://github.com/facebook/fishhook
+//
+// Copyright (c) 2013, Facebook, Inc.
+// All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//   * Redistributions of source code must retain the above copyright notice,
+//     this list of conditions and the following disclaimer.
+//   * Redistributions in binary form must reproduce the above copyright notice,
+//     this list of conditions and the following disclaimer in the documentation
+//     and/or other materials provided with the distribution.
+//   * Neither the name Facebook nor the names of its contributors may be used to
+//     endorse or promote products derived from this software without specific
+//     prior written permission.
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#include "BSG_KSCxaThrowSwapper.h"
+
+#include <dlfcn.h>
+#include <errno.h>
+#include <execinfo.h>
+#include <mach-o/dyld.h>
+#include <mach-o/nlist.h>
+#include <mach/mach.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+
+#include "BSG_KSLogger.h"
+#include "BSG_KSMach-O.h"
+#include "BSG_KSPlatformSpecificDefines.h"
+
+typedef struct {
+    uintptr_t image;
+    uintptr_t function;
+} BSG_KSAddressPair;
+
+static cxa_throw_type g_cxa_throw_handler = NULL;
+static const char *const g_cxa_throw_name = "__cxa_throw";
+
+static BSG_KSAddressPair *g_cxa_originals = NULL;
+static size_t g_cxa_originals_capacity = 0;
+static size_t g_cxa_originals_count = 0;
+
+static void addPair(BSG_KSAddressPair pair)
+{
+    BSG_KSLOG_DEBUG("Adding address pair: image=%p, function=%p", (void *)pair.image, (void *)pair.function);
+
+    if (g_cxa_originals_count == g_cxa_originals_capacity) {
+        g_cxa_originals_capacity *= 2;
+        g_cxa_originals = (BSG_KSAddressPair *)realloc(g_cxa_originals, sizeof(BSG_KSAddressPair) * g_cxa_originals_capacity);
+        if (g_cxa_originals == NULL) {
+            BSG_KSLOG_ERROR("Failed to realloc memory for g_cxa_originals: %s", strerror(errno));
+            return;
+        }
+    }
+    memcpy(&g_cxa_originals[g_cxa_originals_count++], &pair, sizeof(BSG_KSAddressPair));
+}
+
+static uintptr_t findAddress(void *address)
+{
+    BSG_KSLOG_TRACE("Finding address for %p", address);
+
+    for (size_t i = 0; i < g_cxa_originals_count; i++) {
+        if (g_cxa_originals[i].image == (uintptr_t)address) {
+            return g_cxa_originals[i].function;
+        }
+    }
+    BSG_KSLOG_WARN("Address %p not found", address);
+    return (uintptr_t)NULL;
+}
+
+static void __cxa_throw_decorator(void *thrown_exception, void *tinfo, void (*dest)(void *))
+{
+#define REQUIRED_FRAMES 2
+
+    BSG_KSLOG_TRACE("Decorating __cxa_throw");
+
+    g_cxa_throw_handler(thrown_exception, tinfo, dest);
+
+    void *backtraceArr[REQUIRED_FRAMES];
+    int count = backtrace(backtraceArr, REQUIRED_FRAMES);
+
+    Dl_info info;
+    if (count >= REQUIRED_FRAMES) {
+        if (dladdr(backtraceArr[REQUIRED_FRAMES - 1], &info) != 0) {
+            uintptr_t function = findAddress(info.dli_fbase);
+            if (function != (uintptr_t)NULL) {
+                BSG_KSLOG_TRACE("Calling original __cxa_throw function at %p", (void *)function);
+                cxa_throw_type original = (cxa_throw_type)function;
+                original(thrown_exception, tinfo, dest);
+            }
+        }
+    }
+#undef REQUIRED_FRAMES
+}
+
+static void perform_rebinding_with_section(const section_t *dataSection, intptr_t slide, nlist_t *symtab, char *strtab,
+                                           uint32_t *indirect_symtab)
+{
+    BSG_KSLOG_TRACE("Performing rebinding with section %s,%s", dataSection->segname, dataSection->sectname);
+
+    const bool isDataConst = strcmp(dataSection->segname, SEG_DATA_CONST) == 0;
+    uint32_t *indirect_symbol_indices = indirect_symtab + dataSection->reserved1;
+    void **indirect_symbol_bindings = (void **)((uintptr_t)slide + dataSection->addr);
+    vm_prot_t oldProtection = VM_PROT_READ;
+    if (isDataConst) {
+        oldProtection = bsg_ksmacho_getSectionProtection(indirect_symbol_bindings);
+        if (mprotect(indirect_symbol_bindings, dataSection->size, PROT_READ | PROT_WRITE) != 0) {
+            BSG_KSLOG_DEBUG("mprotect failed to set PROT_READ | PROT_WRITE for section %s,%s: %s", dataSection->segname,
+                        dataSection->sectname, strerror(errno));
+            return;
+        }
+    }
+    for (uint i = 0; i < dataSection->size / sizeof(void *); i++) {
+        uint32_t symtab_index = indirect_symbol_indices[i];
+        if (symtab_index == INDIRECT_SYMBOL_ABS || symtab_index == INDIRECT_SYMBOL_LOCAL ||
+            symtab_index == (INDIRECT_SYMBOL_LOCAL | INDIRECT_SYMBOL_ABS)) {
+            continue;
+        }
+        uint32_t strtab_offset = symtab[symtab_index].n_un.n_strx;
+        char *symbol_name = strtab + strtab_offset;
+        bool symbol_name_longer_than_1 = symbol_name[0] && symbol_name[1];
+        if (symbol_name_longer_than_1 && strcmp(&symbol_name[1], g_cxa_throw_name) == 0) {
+            Dl_info info;
+            if (dladdr(dataSection, &info) != 0) {
+                BSG_KSAddressPair pair = { (uintptr_t)info.dli_fbase, (uintptr_t)indirect_symbol_bindings[i] };
+                addPair(pair);
+            }
+            indirect_symbol_bindings[i] = (void *)__cxa_throw_decorator;
+            continue;
+        }
+    }
+    if (isDataConst) {
+        int protection = 0;
+        if (oldProtection & VM_PROT_READ) {
+            protection |= PROT_READ;
+        }
+        if (oldProtection & VM_PROT_WRITE) {
+            protection |= PROT_WRITE;
+        }
+        if (oldProtection & VM_PROT_EXECUTE) {
+            protection |= PROT_EXEC;
+        }
+        if (mprotect(indirect_symbol_bindings, dataSection->size, protection) != 0) {
+            BSG_KSLOG_ERROR("mprotect failed to restore protection for section %s,%s: %s", dataSection->segname,
+                        dataSection->sectname, strerror(errno));
+        }
+    }
+}
+
+static void process_segment(const struct mach_header *header, intptr_t slide, const char *segname, nlist_t *symtab,
+                            char *strtab, uint32_t *indirect_symtab)
+{
+    BSG_KSLOG_DEBUG("Processing segment %s", segname);
+
+    const segment_command_t *segment = bsg_ksmacho_getSegmentByNameFromHeader((const mach_header_t *)header, segname);
+    if (segment != NULL) {
+        const section_t *lazy_sym_sect = bsg_ksmacho_getSectionByTypeFlagFromSegment(segment, S_LAZY_SYMBOL_POINTERS);
+        const section_t *non_lazy_sym_sect =
+            bsg_ksmacho_getSectionByTypeFlagFromSegment(segment, S_NON_LAZY_SYMBOL_POINTERS);
+
+        if (lazy_sym_sect != NULL) {
+            perform_rebinding_with_section(lazy_sym_sect, slide, symtab, strtab, indirect_symtab);
+        }
+        if (non_lazy_sym_sect != NULL) {
+            perform_rebinding_with_section(non_lazy_sym_sect, slide, symtab, strtab, indirect_symtab);
+        }
+    } else {
+        BSG_KSLOG_WARN("Segment %s not found", segname);
+    }
+}
+
+static void rebind_symbols_for_image(const struct mach_header *header, intptr_t slide)
+{
+    BSG_KSLOG_TRACE("Rebinding symbols for image with slide %p", (void *)slide);
+
+    Dl_info info;
+    if (dladdr(header, &info) == 0) {
+        BSG_KSLOG_WARN("dladdr failed");
+        return;
+    }
+    BSG_KSLOG_TRACE("Image name: %s", info.dli_fname);
+    if (slide == 0) {
+        BSG_KSLOG_TRACE("Zero slide, can't do anything with it");
+        return;
+    }
+
+    const struct symtab_command *symtab_cmd =
+        (const struct symtab_command *)bsg_ksmacho_getCommandByTypeFromHeader((const mach_header_t *)header, LC_SYMTAB);
+    const struct dysymtab_command *dysymtab_cmd =
+        (const struct dysymtab_command *)bsg_ksmacho_getCommandByTypeFromHeader((const mach_header_t *)header, LC_DYSYMTAB);
+    const segment_command_t *linkedit_segment =
+        bsg_ksmacho_getSegmentByNameFromHeader((const mach_header_t *)header, SEG_LINKEDIT);
+
+    if (symtab_cmd == NULL || dysymtab_cmd == NULL || linkedit_segment == NULL) {
+        BSG_KSLOG_WARN("Required commands or segments not found");
+        return;
+    }
+
+    // Find base symbol/string table addresses
+    uintptr_t linkedit_base = (uintptr_t)slide + linkedit_segment->vmaddr - linkedit_segment->fileoff;
+    nlist_t *symtab = (nlist_t *)(linkedit_base + symtab_cmd->symoff);
+    char *strtab = (char *)(linkedit_base + symtab_cmd->stroff);
+
+    // Get indirect symbol table (array of uint32_t indices into symbol table)
+    uint32_t *indirect_symtab = (uint32_t *)(linkedit_base + dysymtab_cmd->indirectsymoff);
+
+    process_segment(header, slide, SEG_DATA, symtab, strtab, indirect_symtab);
+    process_segment(header, slide, SEG_DATA_CONST, symtab, strtab, indirect_symtab);
+}
+
+int bsg_ksct_swap(const cxa_throw_type handler)
+{
+    BSG_KSLOG_DEBUG("Swapping __cxa_throw handler");
+
+    if (g_cxa_originals == NULL) {
+        g_cxa_originals_capacity = 25;
+        g_cxa_originals = (BSG_KSAddressPair *)malloc(sizeof(BSG_KSAddressPair) * g_cxa_originals_capacity);
+        if (g_cxa_originals == NULL) {
+            BSG_KSLOG_ERROR("Failed to allocate memory for g_cxa_originals: %s", strerror(errno));
+            return -1;
+        }
+    }
+    g_cxa_originals_count = 0;
+
+    if (g_cxa_throw_handler == NULL) {
+        g_cxa_throw_handler = handler;
+        _dyld_register_func_for_add_image(rebind_symbols_for_image);
+    } else {
+        g_cxa_throw_handler = handler;
+        uint32_t c = _dyld_image_count();
+        for (uint32_t i = 0; i < c; i++) {
+            rebind_symbols_for_image(_dyld_get_image_header(i), _dyld_get_image_vmaddr_slide(i));
+        }
+    }
+    return 0;
+}

Bugsnag/KSCrash/Source/KSCrash/Recording/Tools/BSG_KSCxaThrowSwapper.c

@@ -0,0 +1,45 @@
+//
+//  KSCxaThrowSwapper.h
+//
+//  Copyright (c) 2019 YANDEX LLC. All rights reserved.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall remain in place
+// in this source code.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+//
+
+#ifndef KSCxaThrowSwapper_h
+#define KSCxaThrowSwapper_h
+
+#ifdef __cplusplus
+
+#include <typeinfo>
+
+extern "C" {
+
+typedef void (*cxa_throw_type)(void *, std::type_info *, void (*)(void *));
+#else
+typedef void (*cxa_throw_type)(void *, void *, void (*)(void *));
+#endif
+
+int bsg_ksct_swap(const cxa_throw_type handler);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* KSCxaThrowSwapper_h */