[lldb] Add process launch --memory-tagging option

For debugging and bug-finding workflows, support
launching processes with MTE for binaries that are
not MTE entitled.

Author: JDevlieghere

lldb/include/lldb/lldb-enumerations.h

@@ -130,6 +130,8 @@ FLAGS_ENUM(LaunchFlags){
     eLaunchFlagInheritTCCFromParent =
         (1u << 12), ///< Don't make the inferior responsible for its own TCC
                     ///< permissions but instead inherit them from its parent.
+    eLaunchFlagMemoryTagging =
+        (1u << 13), ///< Launch with memory tagging (MTE).
 };
 
 /// Thread Run Modes.

lldb/source/Commands/CommandObjectProcess.cpp

@@ -181,6 +181,9 @@ class CommandObjectProcessLaunch : public CommandObjectProcessLaunchOrAttach {
       disable_aslr = target->GetDisableASLR();
     }
 
+    if (m_options.memory_tagging == eLazyBoolYes)
+      m_options.launch_info.GetFlags().Set(eLaunchFlagMemoryTagging);
+
     if (!m_class_options.GetName().empty()) {
       m_options.launch_info.SetProcessPluginName("ScriptedProcess");
       ScriptedMetadataSP metadata_sp = std::make_shared<ScriptedMetadata>(

lldb/source/Commands/CommandOptionsProcessLaunch.cpp

@@ -127,6 +127,10 @@ Status CommandOptionsProcessLaunch::SetOptionValue(
     break;
   }
 
+  case 'M':
+    memory_tagging = true;
+    break;
+
   case 'c':
     if (!option_arg.empty())
       launch_info.SetShell(FileSpec(option_arg));

lldb/source/Commands/CommandOptionsProcessLaunch.h

@@ -34,6 +34,7 @@ class CommandOptionsProcessLaunch : public lldb_private::OptionGroup {
       lldb_private::ExecutionContext *execution_context) override {
     launch_info.Clear();
     disable_aslr = lldb_private::eLazyBoolCalculate;
+    memory_tagging = false;
   }
 
   llvm::ArrayRef<lldb_private::OptionDefinition> GetDefinitions() override;
@@ -42,6 +43,7 @@ class CommandOptionsProcessLaunch : public lldb_private::OptionGroup {
 
   lldb_private::ProcessLaunchInfo launch_info;
   lldb_private::LazyBool disable_aslr;
+  bool memory_tagging;
 }; // CommandOptionsProcessLaunch
 
 } // namespace lldb_private

lldb/source/Commands/Options.td

@@ -1173,6 +1173,10 @@ let Command = "process launch" in {
         Arg<"Boolean">,
         Desc<"Set whether to shell expand arguments to the process when "
              "launching.">;
+  def process_launch_memory_tagging
+      : Option<"memory-tagging", "M">,
+        Desc<"Set whether to enable memory tagging (MTE) when launching the "
+             "process.">;
 }
 
 let Command = "process attach" in {

lldb/source/Host/macosx/objcxx/Host.mm

@@ -1210,6 +1210,33 @@ static Status LaunchProcessPosixSpawn(const char *exe_path,
     }
   }
 
+  if (launch_info.GetFlags().Test(eLaunchFlagMemoryTagging)) {
+    typedef int (*posix_spawnattr_set_use_sec_transition_shims_np_t)(
+        posix_spawnattr_t *attr, uint32_t flags);
+    posix_spawnattr_set_use_sec_transition_shims_np_t
+        posix_spawnattr_set_use_sec_transition_shims_np_fn =
+            (posix_spawnattr_set_use_sec_transition_shims_np_t)dlsym(
+                RTLD_DEFAULT,
+                "posix_spawnattr_set_use_sec_transition_shims_np");
+    if (posix_spawnattr_set_use_sec_transition_shims_np_fn) {
+      error =
+          Status(posix_spawnattr_set_use_sec_transition_shims_np_fn(&attr, 0),
+                 eErrorTypePOSIX);
+      if (error.Fail()) {
+        LLDB_LOG(log,
+                 "error: {0}, "
+                 "posix_spawnattr_set_use_sec_transition_shims_np(&attr, 0)",
+                 error);
+        return error;
+      }
+    } else {
+      LLDB_LOG(log,
+               "error: posix_spawnattr_set_use_sec_transition_shims_np not "
+               "available",
+               error);
+    }
+  }
+
   // Don't set the binpref if a shell was provided. After all, that's only
   // going to affect what version of the shell is launched, not what fork of
   // the binary is launched.  We insert "arch --arch <ARCH> as part of the

lldb/test/API/macosx/mte/Makefile

@@ -1,12 +1,15 @@
 C_SOURCES := main.c
 
-EXE := uaf_mte
+EXE := uaf
 
-all: uaf_mte sign
+binary-plain:    uaf
+binary-entitled: uaf sign
+
+all: binary-entitled
 
 include Makefile.rules
 
-sign: mte-entitlements.plist uaf_mte
+sign: mte-entitlements.plist uaf
 ifeq ($(OS),Darwin)
 	codesign -s - -f --entitlements $^
 endif

lldb/test/API/macosx/mte/TestDarwinMTE.py

@@ -7,12 +7,24 @@
 from lldbsuite.test import lldbutil
 import lldbsuite.test.cpu_feature as cpu_feature
 
-exe_name = "uaf_mte"  # Must match Makefile
+exe_name = "uaf"  # Must match Makefile
 
 
 class TestDarwinMTE(TestBase):
     NO_DEBUG_INFO_TESTCASE = True
 
+    @skipUnlessFeature(cpu_feature.AArch64.MTE)
+    def test_process_launch_memory_tagging(self):
+        self.build(make_targets=["binary-plain"])
+        self.createTestTarget(self.getBuildArtifact(exe_name))
+
+        self.expect("process launch", substrs=["exited with status = 0"])
+
+        self.expect(
+            "process launch --memory-tagging",
+            substrs=["stopped", "stop reason = EXC_ARM_MTE_TAG_FAULT"],
+        )
+
     @skipUnlessFeature(cpu_feature.AArch64.MTE)
     def test_tag_fault(self):
         self.build()
@@ -47,7 +59,7 @@ def test_memory_region(self):
         self.expect("memory region ptr", substrs=["memory tagging: enabled"])
 
     @skipUnlessFeature(cpu_feature.AArch64.MTE)
-    def test_memory_read_with_tags(self):
+    def test_memory_read_show_tags(self):
         self.build()
         lldbutil.run_to_source_breakpoint(
             self, "// before free", lldb.SBFileSpec("main.c"), exe_name=exe_name