Crashes with EXC_BAD_ACCESS on Apple Silicon mac when compiled as arm64e

[briankendall]

Compiling an arm64e macOS app on an M1 Mac Mini in macOS 11.6. When a hooked function gets called, the app crashes with EXC_BAD_ACCESS. The following code when compiled as arm64e will crash on the second (hooked) call to malloc:

#include <stdio.h>
#include <stdlib.h>
#include "fishhook.h"

void * (*originalMalloc)(size_t);

static void * overrideMalloc(size_t size) {
    void * result = originalMalloc(size);
    printf("calling overrideMalloc!\n");
    return result;
}

int main(int argc, const char * argv[]) {
    void *data;

    printf("Calling malloc before\n");
    data = malloc(10);
    free(data);

    int result = rebind_symbols((struct rebinding[2]){{"malloc", overrideMalloc, (void *)&originalMalloc}}, 1);

    if (result != 0) {
        printf("rebind_symbols failed with result: %d ... cannot proceed", result);
        return 0;
    }

    printf("Calling malloc after\n");
    data = malloc(10);
    free(data);

    return 0;
}

Note that in order to run arm64e code on macOS, you must disable system integrity protection and set the following boot parameter: sudo nvram boot-args=-arm64e_preview_abi

[jevinskie]

You will need to resign the function pointer that fishhook is writing using the asia key discriminated with the address that fishhook is writing to. An incomplete example:

void *__memcpy_chk_fptr_resigned = ptrauth_sign_unauthenticated(
    ptrauth_strip((void *)__memcpy_chk, ptrauth_key_asia), ptrauth_key_asia,
    (void *)0x0000000100004020 + _dyld_get_image_slide(&__dso_handle));
struct rebinding rebindings[] = {
    {"__memcpy_chk", __memcpy_chk_fptr_resigned, NULL},
};

In the above example, 0x0000000100004020 is the address of the binding that fishhook is writing to.

See this page for more info: https://github.com/apple/llvm-project/blob/next/clang/docs/PointerAuthentication.rst