Open
Description
Version and Platform (required):
- Binary Ninja Version: 5.0.7284-dev (e7d42d95)
- OS: macOS 15.4.1
- CPU Architecture: arm64
Bug Description:
When PAC is enabled, arm64 functions that end with a tail call rather than returning often explicitly validate lr prior to branching:
```
19c01be2c 0 ff2303d5 autibsp
19c01be30 0 d0071eca eor x16, x30, x30, lsl #0x1
19c01be34 0 5000f0b6 tbz x16, #0x3e, 0x19c01be3c
19c01be38 0 208e38d4 brk #0xc471
19c01be3c 0 a1450014 b 0x19c02d4c0
```
This validation ends up in HLIL in an incomplete/broken form:
```
19c01be34 int64_t x30
19c01be34
19c01be34 if (((x30 ^ x30 << 1) & 0x40000000) == 0)
19c02d4d4 return _objc_msgSend(x0_2, "instrument:", &cfstr_MLMediaLibrary) __tailcall
```
These patterns make it harder to follow the control flow of the function and should be detected and suppressed.
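As an added illustration (not part of this report and not Binary Ninja's own code), the following Python sketch recognizes the five-instruction check sequence shown above in a list of decoded instructions and emulates the bit test it performs, so the reader can see why the sequence is a pure authentication check with no effect on the tail call itself. The `Insn` record, the assumption that the scratch register is `x16` or `x17` (as LLVM uses), and the sample listing are constructed from the disassembly in this report; feeding real Binary Ninja instruction output into that shape is left to the reader.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK64 = (1 << 64) - 1


@dataclass
class Insn:
    """Constructed minimal instruction record: address, mnemonic, operand text."""
    addr: int
    mnemonic: str
    operands: str


def high_bits_no_tbi_passes(lr: int) -> bool:
    """Emulate `eor x16, x30, x30, lsl #1` + `tbz x16, #62`.

    Bit 62 of (lr ^ (lr << 1)) equals lr[62] ^ lr[61]. A correctly
    authenticated pointer has those two bits equal (both clear for user
    space, both set for kernel space); a failed AUT leaves them unequal,
    so the check passes only when the xor bit is 0.
    """
    lr &= MASK64
    xor_bit = ((lr ^ ((lr << 1) & MASK64)) >> 62) & 1
    return xor_bit == 0


def match_pac_tailcall_check(insns: List[Insn], i: int) -> Optional[Tuple[int, int, str]]:
    """Match, starting at index i:
         aut*            (any authenticate instruction)
         eor xT, x30, x30, lsl #1   (xT is x16 or x17)
         tbz xT, #62, L
         brk #imm
       L: ...
       Returns (first_addr, addr_of_L, scratch_register) or None.
    """
    if i + 4 >= len(insns):
        return None
    aut, eor, tbz, brk, after = insns[i:i + 5]

    if not aut.mnemonic.startswith("aut"):
        return None

    m = re.fullmatch(r"(x1[67]), x30, x30, lsl #(?:0x)?1", eor.operands)
    if eor.mnemonic != "eor" or not m:
        return None
    scratch = m.group(1)

    m2 = re.fullmatch(rf"{scratch}, #(?:0x3e|62), (0x[0-9a-fA-F]+)", tbz.operands)
    if tbz.mnemonic != "tbz" or not m2:
        return None
    # The branch-if-clear target must be the instruction right after the brk,
    # i.e. the success path skips exactly one trap instruction.
    if int(m2.group(1), 16) != after.addr:
        return None

    if brk.mnemonic != "brk":
        return None

    return (aut.addr, after.addr, scratch)


def find_pac_tailcall_checks(insns: List[Insn]) -> List[Tuple[int, int, str]]:
    """Scan a whole instruction list and report every matched check span."""
    found = []
    for i in range(len(insns)):
        r = match_pac_tailcall_check(insns, i)
        if r is not None:
            found.append(r)
    return found


# Constructed from the disassembly in this report.
SAMPLE = [
    Insn(0x19C01BE2C, "autibsp", ""),
    Insn(0x19C01BE30, "eor", "x16, x30, x30, lsl #0x1"),
    Insn(0x19C01BE34, "tbz", "x16, #0x3e, 0x19c01be3c"),
    Insn(0x19C01BE38, "brk", "#0xc471"),
    Insn(0x19C01BE3C, "b", "0x19c02d4c0"),
]

if __name__ == "__main__":
    for start, end, reg in find_pac_tailcall_checks(SAMPLE):
        print(f"PAC tail-call check at {start:#x}..{end:#x} (scratch {reg})")
```

A lifter that recognizes the span could treat it as a no-op for control-flow purposes: on the success path execution simply falls through to the branch at the end address, which is the only successor that matters for HLIL.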
Steps To Reproduce:
- Open a Mac shared cache
- Load MediaLibrary.framework
- Navigate to `+[MLMediaLibrary initialize]`
Additional Information:
There are a few different patterns for these explicit checks that LLVM can emit, per https://github.com/llvm/llvm-project/blob/0014b49482c0862c140149c650d653b4e41fa9b4/llvm/lib/Target/AArch64/AArch64PointerAuth.h#L44-L86. The HighBitsNoTBI pattern is what I've seen on Apple platforms.