Re: [MacPorts] #66358: sip-workaround / trace mode no longer works on arm64 macOS ≥ 13 due to new security features
MacPorts
noreply at macports.org
Tue Nov 5 18:08:27 UTC 2024
#66358: sip-workaround / trace mode no longer works on arm64 macOS ≥ 13 due to new
security features
-------------------------+------------------------------------------
Reporter: reneeotten | Owner: Clemens Lang <neverpanic@…>
Type: defect | Status: reopened
Priority: Normal | Milestone:
Component: base | Version:
Resolution: | Keywords: arm64 ventura sonoma sequoia
Port: |
-------------------------+------------------------------------------
Comment (by markmentovai):
Replying to [comment:66 neverpanic]:
> Looking for testers of this PR on macOS 14; it works fine for me on macOS 15.1, but in CI on macOS 14, I see
>
> {{{
> dyld[20831]: bad bind opcode 0x1E
> …
> Killed by signal: 6
> }}}
>
> Now, that error message is completely unhelpful, because the code that prints it (https://github.com/opensource-apple/dyld/blob/master/src/ImageLoaderMachOCompressed.cpp#L1027-L1028) does so after moving the pointer that it prints (https://github.com/opensource-apple/dyld/blob/master/src/ImageLoaderMachOCompressed.cpp#L955). I'd still like to know if this happens in regular usage on macOS 14, or whether it's just a corner case I am triggering with my test.
The message you’re quoting from the source (`bad bind opcode %d in bind info`) doesn’t even match the error you’re seeing (`dyld[20831]: bad bind opcode 0x1E`). You’re looking at super-old dyld source from an unofficial dump of Apple’s old opensource site ([https://github.com/opensource-apple/ github opensource-apple]), from before Apple pushed source to GitHub directly. It’s showing dyld-360.18 from 10.11.2 (2015-12-08), and it hasn’t been current since 10.11.3 (2016-01-19). I recommend that everyone purge that unmaintained opensource-apple dump from their bookmarks and workflow, and never consult it for any purpose. It’s outdated and misleading.
Current Apple open-source drops are at ([https://github.com/apple-oss-distributions github apple-oss-distributions]), and dyld in particular is https://github.com/apple-oss-distributions/dyld. You can look at source specific to the macOS version you’re interested in, ranging from [https://github.com/apple-oss-distributions/dyld/tree/dyld-1122.1 dyld-1122.1 from 14.0 (2023-09-26)] through [https://github.com/apple-oss-distributions/dyld/tree/dyld-1165.3 dyld-1165.3 from 14.6 (2024-07-29)].
Now, that doesn’t change the fact that, even 9 years later, the loop is
still structured such that “bad bind opcode” still references the opcode
that follows the one it’s actually complaining about. But given the proper
current source, and the fact that there are 8 different loops that might
result in `bad bind opcode 0x%02X`, you may find a loop that’s used for
non-arm64e that’s missing handling for an opcode that the arm64e
equivalent does handle.
- [https://github.com/apple-oss-distributions/dyld/blob/dyld-1165.3/common/MachOAnalyzer.cpp#L1535 common/MachOAnalyzer.cpp:1535 in dyld3::MachOAnalyzer::forEachBind], handles 13 cases
- [https://github.com/apple-oss-distributions/dyld/blob/dyld-1165.3/common/MachOAnalyzer.cpp#L1700 common/MachOAnalyzer.cpp:1700 in dyld3::MachOAnalyzer::forEachBind], handles 13 cases
- [https://github.com/apple-oss-distributions/dyld/blob/dyld-1165.3/common/MachOAnalyzer.cpp#L2170 common/MachOAnalyzer.cpp:2170 in dyld3::MachOAnalyzer::parseOrgArm64eChainedFixups], handles 10 cases
- [https://github.com/apple-oss-distributions/dyld/blob/dyld-1165.3/common/MachOAnalyzer.cpp#L5070 common/MachOAnalyzer.cpp:5070 in dyld3::MachOAnalyzer::forEachBind_OpcodesWeak], handles 13 cases
- [https://github.com/apple-oss-distributions/dyld/blob/dyld-1165.3/common/MachOAnalyzer.cpp#L5179 common/MachOAnalyzer.cpp:5179 in dyld3::MachOAnalyzer::forEachBind_OpcodesRegular], handles 13 cases
- [https://github.com/apple-oss-distributions/dyld/blob/dyld-1165.3/common/MachOLayout.cpp#L603 common/MachOLayout.cpp:603 in mach_o::Fixups::parseOrgArm64eChainedFixups], handles 10 cases
- [https://github.com/apple-oss-distributions/dyld/blob/dyld-1165.3/common/MachOLayout.cpp#L1062 common/MachOLayout.cpp:1062 in mach_o::Fixups::forEachBind_OpcodesWeak], handles 13 cases
- [https://github.com/apple-oss-distributions/dyld/blob/dyld-1165.3/common/MachOLayout.cpp#L1171 common/MachOLayout.cpp:1171 in mach_o::Fixups::forEachBind_OpcodesRegular], handles 13 cases
[https://github.com/apple-oss-distributions/xnu/blob/xnu-10063.141.1/EXTERNAL_HEADERS/mach-o/loader.h#L1442 The full suite of opcodes] is defined in `<mach-o/loader.h>`, the 14 `#defines` beginning with the terminator `BIND_OPCODE_DONE`:
{{{
#define BIND_OPCODE_DONE 0x00
#define BIND_OPCODE_SET_DYLIB_ORDINAL_IMM 0x10
#define BIND_OPCODE_SET_DYLIB_ORDINAL_ULEB 0x20
#define BIND_OPCODE_SET_DYLIB_SPECIAL_IMM 0x30
#define BIND_OPCODE_SET_SYMBOL_TRAILING_FLAGS_IMM 0x40
#define BIND_OPCODE_SET_TYPE_IMM 0x50
#define BIND_OPCODE_SET_ADDEND_SLEB 0x60
#define BIND_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB 0x70
#define BIND_OPCODE_ADD_ADDR_ULEB 0x80
#define BIND_OPCODE_DO_BIND 0x90
#define BIND_OPCODE_DO_BIND_ADD_ADDR_ULEB 0xA0
#define BIND_OPCODE_DO_BIND_ADD_ADDR_IMM_SCALED 0xB0
#define BIND_OPCODE_DO_BIND_ULEB_TIMES_SKIPPING_ULEB 0xC0
#define BIND_OPCODE_THREADED 0xD0
}}}
The ones that handle 13 cases omit `BIND_OPCODE_THREADED`. The ones that
handle 10 cases omit `BIND_OPCODE_ADD_ADDR_ULEB`,
`BIND_OPCODE_DO_BIND_ADD_ADDR_ULEB`,
`BIND_OPCODE_DO_BIND_ADD_ADDR_IMM_SCALED`, and
`BIND_OPCODE_DO_BIND_ULEB_TIMES_SKIPPING_ULEB`.
Given that we’re potentially putting an arm64e executable through a non-
arm64e path, I’d first suspect a use of `BIND_OPCODE_THREADED`.
`BIND_OPCODE_THREADED` was for an earlier form of chained fixups (“old
arm64e”), while the newer form just uses `LC_DYLD_CHAINED_FIXUPS` and is
available beyond just arm64e. With additional effort, it may be possible
to apply further translations to chained fixups in this format to make
them work more broadly.
Your log message is too truncated to dig deeper. Do you have a link? What
executable is your test operating on when you observe this failure? What
specific OS version?
--
Ticket URL: <https://trac.macports.org/ticket/66358#comment:67>
MacPorts <https://www.macports.org/>
Ports system for macOS
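An added illustration of the bind-opcode point discussed in the comment above; this is editor-written example code, not part of the comment and not dyld's own source. It walks a bind-opcode stream using the 14 opcodes quoted from `<mach-o/loader.h>` (the `BIND_OPCODE_MASK`/`BIND_IMMEDIATE_MASK` split and the two `BIND_SUBOPCODE_THREADED_*` values are also from that header), and a flag models the difference between a loop that knows `BIND_OPCODE_THREADED` and one of the 13-case loops that does not. When it stops on an opcode it cannot handle, it reports the byte it actually rejected, its offset, and the byte after it, so the reader can see why a message printed after the pointer has advanced names a legitimate encoding such as 0x1E (`BIND_OPCODE_SET_DYLIB_ORDINAL_IMM` | 14) rather than the offending one. The function name `walk_bind_opcodes` and the two byte streams are constructed for this example and do not come from the trace-mode binary in the ticket.

```c
/* Added example (not dyld source): minimal decoder for the classic
 * LC_DYLD_INFO bind-opcode stream. Opcode values, masks and THREADED
 * sub-opcodes are as in <mach-o/loader.h>; the streams are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { BIND_OPCODE_MASK = 0xF0, BIND_IMMEDIATE_MASK = 0x0F };
enum {
    BIND_OPCODE_DONE = 0x00, BIND_OPCODE_SET_DYLIB_ORDINAL_IMM = 0x10,
    BIND_OPCODE_SET_DYLIB_ORDINAL_ULEB = 0x20, BIND_OPCODE_SET_DYLIB_SPECIAL_IMM = 0x30,
    BIND_OPCODE_SET_SYMBOL_TRAILING_FLAGS_IMM = 0x40, BIND_OPCODE_SET_TYPE_IMM = 0x50,
    BIND_OPCODE_SET_ADDEND_SLEB = 0x60, BIND_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB = 0x70,
    BIND_OPCODE_ADD_ADDR_ULEB = 0x80, BIND_OPCODE_DO_BIND = 0x90,
    BIND_OPCODE_DO_BIND_ADD_ADDR_ULEB = 0xA0, BIND_OPCODE_DO_BIND_ADD_ADDR_IMM_SCALED = 0xB0,
    BIND_OPCODE_DO_BIND_ULEB_TIMES_SKIPPING_ULEB = 0xC0, BIND_OPCODE_THREADED = 0xD0,
};
/* Sub-opcodes carried in the immediate nibble of BIND_OPCODE_THREADED. */
enum { BIND_SUBOPCODE_THREADED_SET_BIND_ORDINAL_TABLE_SIZE_ULEB = 0, BIND_SUBOPCODE_THREADED_APPLY = 1 };

typedef struct {
    int status;                    /* 0 = reached DONE, 1 = unsupported opcode, 2 = truncated */
    size_t bind_count, bad_offset; /* bindings requested; offset of the byte actually rejected */
    uint8_t bad_byte, next_byte;   /* the rejected byte (opcode | imm) and the byte after it */
} bind_walk_result;

/* ULEB128 reader; SLEB128 uses the same continuation bit, so it also skips an addend. */
static bool read_uleb128(const uint8_t *p, size_t len, size_t *pos, uint64_t *out) {
    uint64_t v = 0;
    for (unsigned shift = 0; *pos < len && shift < 64; shift += 7) {
        uint8_t b = p[(*pos)++];
        v |= (uint64_t)(b & 0x7F) << shift;
        if (!(b & 0x80)) { *out = v; return true; }
    }
    return false; /* ran off the end of the stream or past 64 bits */
}

static bool skip_cstring(const uint8_t *p, size_t len, size_t *pos) {
    while (*pos < len) if (p[(*pos)++] == 0) return true;
    return false;
}

/* allow_threaded models the arm64e loop versus the 13-case loops without BIND_OPCODE_THREADED. */
bind_walk_result walk_bind_opcodes(const uint8_t *p, size_t len, bool allow_threaded) {
    bind_walk_result r = {0, 0, 0, 0, 0};
    size_t pos = 0; uint64_t u, count, skip;
    while (pos < len) {
        size_t at = pos; uint8_t byte = p[pos++];
        uint8_t opcode = byte & BIND_OPCODE_MASK, imm = byte & BIND_IMMEDIATE_MASK;
        bool ok = true, unsupported = false;
        switch (opcode) {
        case BIND_OPCODE_DONE: return r;
        case BIND_OPCODE_SET_DYLIB_ORDINAL_IMM: case BIND_OPCODE_SET_DYLIB_SPECIAL_IMM:
        case BIND_OPCODE_SET_TYPE_IMM: break;        /* operand is the immediate nibble */
        case BIND_OPCODE_SET_DYLIB_ORDINAL_ULEB: case BIND_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB:
        case BIND_OPCODE_ADD_ADDR_ULEB: case BIND_OPCODE_SET_ADDEND_SLEB:
            ok = read_uleb128(p, len, &pos, &u); break;
        case BIND_OPCODE_SET_SYMBOL_TRAILING_FLAGS_IMM:
            ok = skip_cstring(p, len, &pos); break;  /* NUL-terminated symbol name follows */
        case BIND_OPCODE_DO_BIND: case BIND_OPCODE_DO_BIND_ADD_ADDR_IMM_SCALED:
            r.bind_count++; break;
        case BIND_OPCODE_DO_BIND_ADD_ADDR_ULEB:
            r.bind_count++; ok = read_uleb128(p, len, &pos, &u); break;
        case BIND_OPCODE_DO_BIND_ULEB_TIMES_SKIPPING_ULEB:
            ok = read_uleb128(p, len, &pos, &count) && read_uleb128(p, len, &pos, &skip);
            if (ok) r.bind_count += (size_t)count;
            break;
        case BIND_OPCODE_THREADED:
            if (!allow_threaded) unsupported = true; /* the 13-case loops have no case for this */
            else if (imm == BIND_SUBOPCODE_THREADED_SET_BIND_ORDINAL_TABLE_SIZE_ULEB) ok = read_uleb128(p, len, &pos, &u);
            else if (imm != BIND_SUBOPCODE_THREADED_APPLY) unsupported = true;
            break;
        default: unsupported = true; break;
        }
        if (unsupported) {  /* report the byte we stopped on, not its successor */
            r.status = 1; r.bad_offset = at; r.bad_byte = byte;
            r.next_byte = pos < len ? p[pos] : 0;
            return r;
        }
        if (!ok) { r.status = 2; r.bad_offset = at; r.bad_byte = byte; return r; }
    }
    r.status = 2; /* stream ended without BIND_OPCODE_DONE */
    return r;
}

/* Constructed streams: one ordinary bind, a THREADED apply, then a
 * SET_DYLIB_ORDINAL_IMM whose encoded byte happens to be 0x1E (0x10 | 14). */
static const uint8_t sample_stream[] = {
    0x11, 0x40, '_', 'f', 'o', 'o', 0, 0x51, /* ordinal 1; symbol "_foo"; type 1 (pointer) */
    0x72, 0x10, 0x90,                        /* segment 2, offset 0x10; DO_BIND */
    0xD1, 0x1E, 0x90, 0x00,                  /* THREADED|APPLY; ordinal 14; DO_BIND; DONE */
};
static const uint8_t truncated_stream[] = { 0x72 }; /* SET_SEGMENT_AND_OFFSET_ULEB, no operand */

int main(void) {
    bind_walk_result a = walk_bind_opcodes(sample_stream, sizeof sample_stream, true);
    bind_walk_result b = walk_bind_opcodes(sample_stream, sizeof sample_stream, false);
    printf("arm64e-style walk: status %d, %zu binds\n", a.status, a.bind_count);
    printf("13-case walk: status %d after %zu bind(s); rejected 0x%02X at offset %zu, next byte 0x%02X\n",
           b.status, b.bind_count, b.bad_byte, b.bad_offset, b.next_byte);
    return 0;
}
```

Compiled with any C99 compiler, the arm64e-style walk finishes at `BIND_OPCODE_DONE` with two bindings, while the 13-case walk stops on 0xD1 at offset 11 with 0x1E as the following byte, which is exactly the value a diagnostic printed after `++p` would show. The same walker flags a stream that ends inside an operand as truncated rather than reading past the buffer.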