systrap: Initialize stub threads in the same way on both x86 and ARM.

konstantin-s-bogom · gvisor-bot · commit 53489c2820a5 · 2025-05-20T15:23:58.000-07:00
Initializing threads via a custom Systrap entrypoint (as was done on x86 prior
to this CL) is incompatible with debuggers, because they set the single-step
flag. If a brand new stub thread managed to pick up an already existing context
with this flag set, it would immediately invoke the sighandler upon restoring
RFLAGS, which would corrupt the stack and instruction pointers.

PiperOrigin-RevId: 761250233
diff --git a/pkg/sentry/platform/systrap/subprocess.go b/pkg/sentry/platform/systrap/subprocess.go
@@ -1157,7 +1157,10 @@ func (s *subprocess) createSysmsgThread() error {
 	if err := p.setRegs(tregs); err != nil {
 		panic(fmt.Sprintf("ptrace set regs failed: %v", err))
 	}
-	archSpecificSysmsgThreadInit(sysThread)
+	// Send a fake event to stop the BPF process so that it enters the sighandler.
+	if e := hostsyscall.RawSyscallErrno(unix.SYS_TGKILL, uintptr(sysThread.thread.tgid), uintptr(sysThread.thread.tid), uintptr(unix.SIGSEGV)); e != 0 {
+		panic(fmt.Sprintf("tkill failed: %v", e))
+	}
 	// Skip SIGSTOP.
 	if e := hostsyscall.RawSyscallErrno(unix.SYS_TGKILL, uintptr(p.tgid), uintptr(p.tid), uintptr(unix.SIGCONT)); e != 0 {
 		panic(fmt.Sprintf("tkill failed: %v", e))
diff --git a/pkg/sentry/platform/systrap/subprocess_amd64.go b/pkg/sentry/platform/systrap/subprocess_amd64.go
@@ -211,10 +211,6 @@ func restoreArchSpecificState(ctx *sysmsg.ThreadContext, ac *arch.Context64) {
 }
 
 func setArchSpecificRegs(sysThread *sysmsgThread, regs *arch.Registers) {
-	// Set the start function and initial stack.
-	regs.PtraceRegs.Rip = uint64(stubSysmsgStart + uintptr(sysmsg.Sighandler_blob_offset____export_start))
-	regs.PtraceRegs.Rsp = uint64(sysmsg.StackAddrToSyshandlerStack(sysThread.sysmsgPerThreadMemAddr()))
-
 	// Set gs_base; this is the only time we set it and we don't expect it to ever
 	// change for any thread.
 	regs.Gs_base = sysThread.msg.Self
@@ -223,9 +219,6 @@ func setArchSpecificRegs(sysThread *sysmsgThread, regs *arch.Registers) {
 func retrieveArchSpecificState(ctx *sysmsg.ThreadContext, ac *arch.Context64) {
 }
 
-func archSpecificSysmsgThreadInit(sysThread *sysmsgThread) {
-}
-
 func sigErrorToAccessType(sigError uint64) hostarch.AccessType {
 	switch {
 	case sigError&linux.X86_PF_WRITE != 0:
diff --git a/pkg/sentry/platform/systrap/subprocess_arm64.go b/pkg/sentry/platform/systrap/subprocess_arm64.go
@@ -190,13 +190,6 @@ func retrieveArchSpecificState(ctx *sysmsg.ThreadContext, ac *arch.Context64) {
 	}
 }
 
-func archSpecificSysmsgThreadInit(sysThread *sysmsgThread) {
-	// Send a fake event to stop the BPF process so that it enters the sighandler.
-	if e := hostsyscall.RawSyscallErrno(unix.SYS_TGKILL, uintptr(sysThread.thread.tgid), uintptr(sysThread.thread.tid), uintptr(unix.SIGSEGV)); e != 0 {
-		panic(fmt.Sprintf("tkill failed: %v", e))
-	}
-}
-
 func sigErrorToAccessType(sigError uint64) hostarch.AccessType {
 	return hostarch.ESRAccessType(sigError)
 }
diff --git a/pkg/sentry/platform/systrap/sysmsg/sighandler_amd64.c b/pkg/sentry/platform/systrap/sysmsg/sighandler_amd64.c
@@ -206,12 +206,17 @@ void __export_sighandler(int signo, siginfo_t *siginfo, void *_ucontext) {
 
   if (sysmsg != sysmsg->self) panic(STUB_ERROR_BAD_SYSMSG, 0);
   int32_t thread_state = atomic_load(&sysmsg->state);
+  struct thread_context *ctx = NULL;
+  enum context_state ctx_state = CONTEXT_STATE_INVALID;
+  long fs_base = 0;
+
   if (thread_state == THREAD_STATE_INITIALIZING) {
-    // This thread was interrupted before it even had a context.
-    return;
+    // Find a new context and exit to restore it.
+    init_new_thread();
+    goto init;
   }
 
-  struct thread_context *ctx = sysmsg->context;
+  ctx = sysmsg->context;
 
   // If the current thread is in syshandler, an interrupt has to be postponed,
   // because sysmsg can't be changed.
@@ -226,7 +231,7 @@ void __export_sighandler(int signo, siginfo_t *siginfo, void *_ucontext) {
     return;
   }
 
-  long fs_base = get_fsbase();
+  fs_base = get_fsbase();
 
   ctx->signo = signo;
   ctx->siginfo = *siginfo;
@@ -242,8 +247,6 @@ void __export_sighandler(int signo, siginfo_t *siginfo, void *_ucontext) {
            __export_arch_state.fp_len);
   }
 
-  enum context_state ctx_state = CONTEXT_STATE_INVALID;
-
   switch (signo) {
     case SIGSYS: {
       ctx_state = CONTEXT_STATE_SYSCALL;
@@ -331,6 +334,8 @@ void __export_sighandler(int signo, siginfo_t *siginfo, void *_ucontext) {
   }
 
   atomic_store(&ctx->fpstate_changed, 0);
+
+init:
   ctx = switch_context_amd64(sysmsg, ctx, ctx_state);
   if (fs_base != ctx->ptregs.fs_base) {
     set_fsbase(ctx->ptregs.fs_base);
@@ -375,20 +380,6 @@ void __syshandler() {
   }
 }
 
-void __export_start(struct sysmsg *sysmsg, void *_ucontext) {
-  init_new_thread();
-
-  asm volatile("movq %%gs:0, %0\n" : "=r"(sysmsg) : :);
-  if (sysmsg->self != sysmsg) {
-    panic(STUB_ERROR_BAD_SYSMSG, 0);
-  }
-
-  struct thread_context *ctx =
-      switch_context_amd64(sysmsg, NULL, CONTEXT_STATE_INVALID);
-
-  restore_state(sysmsg, ctx, _ucontext);
-}
-
 // asm_restore_state is implemented in syshandler_amd64.S
 void asm_restore_state();
 

Original file line number	Diff line number	Diff line change
`@@ -190,13 +190,6 @@ func retrieveArchSpecificState(ctx sysmsg.ThreadContext, ac arch.Context64) {`
`190`	`190`	`}`
`191`	`191`	`}`
`192`	`192`
`193`		`-func archSpecificSysmsgThreadInit(sysThread *sysmsgThread) {`
`194`		`- // Send a fake event to stop the BPF process so that it enters the sighandler.`
`195`		`- if e := hostsyscall.RawSyscallErrno(unix.SYS_TGKILL, uintptr(sysThread.thread.tgid), uintptr(sysThread.thread.tid), uintptr(unix.SIGSEGV)); e != 0 {`
`196`		`- panic(fmt.Sprintf("tkill failed: %v", e))`
`197`		`- }`
`198`		`-}`
`199`		`-`
`200`	`193`	`func sigErrorToAccessType(sigError uint64) hostarch.AccessType {`
`201`	`194`	`return hostarch.ESRAccessType(sigError)`
`202`	`195`	`}`