tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git

commit 803b433de9ce925fe78fa9bd4d4e2e5dcff5b328
parent 15248b85cf6520bcc0b1eeec761a6d64810c973e
Author: Greg Stoll <gstoll@mozilla.com>
Date:   Thu, 30 Oct 2025 14:57:15 +0000

Bug 1906827 part 1 - correctly handle BR instructions for patching in ARM64 r=yjuglaret,win-reviewers

The previous check was overly broad and would detect BR instructions, which
are an unconditional branch and aren't PC-relative.

I think it was trying to detect BLR instructions, which do an unconditional
branch but also set a register to a value that depends on PC. We should be
detecting these.

Based on the ARM64 documentation:
- BR: https://developer.arm.com/documentation/ddi0602/2025-03/Base-Instructions/BR--Branch-to-register-?lang=en
- BLR: https://developer.arm.com/documentation/ddi0602/2025-03/Base-Instructions/BLR--Branch-with-link-to-register-
- indexed by encoding: https://developer.arm.com/documentation/ddi0602/2025-03/Index-by-Encoding/Branches--Exception-Generating-and-System-instructions?lang=en#iclass-branch_reg

I think this condition should properly catch BLR family instructions but
not BR family instructions.

Differential Revision: https://phabricator.services.mozilla.com/D268938

Diffstat:
M toolkit/xre/dllservices/mozglue/interceptor/Arm64.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/toolkit/xre/dllservices/mozglue/interceptor/Arm64.cpp b/toolkit/xre/dllservices/mozglue/interceptor/Arm64.cpp @@ -50,6 +50,7 @@ MFBT_API LoadOrBranch BUncondImmDecode(const uintptr_t aPC, // Order is important here; more specific encoding tests must be placed before // less specific encoding tests. static const PCRelativeLoadTest gPCRelTests[] = { + {0xFEFF0000, 0xD63F0000, nullptr}, // BLR branch w/ link (reg) {0x9F000000, 0x10000000, nullptr}, // ADR {0x9F000000, 0x90000000, &ADRPDecode}, // ADRP {0xFF000000, 0x58000000, nullptr}, // LDR (literal) 64-bit GPR @@ -58,7 +59,6 @@ static const PCRelativeLoadTest gPCRelTests[] = { {0xFE000000, 0x54000000, nullptr}, // B.Cond {0x7E000000, 0x34000000, nullptr}, // Compare and branch (imm) {0x7E000000, 0x36000000, nullptr}, // Test and branch (imm) - {0xFE000000, 0xD6000000, nullptr} // Unconditional branch (reg) }; /**
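Review bot: the comment on the new `{0xFEFF0000, 0xD63F0000, nullptr}, // BLR branch w/ link (reg)` entry in the first hunk should say why the mask leaves bit 24 (Z) and bits 11:10 (A, M) unchecked: with value 0xD63F0000 it fixes bits 31:25 = 1101011 (branch-register class), bit 23 = 0 and bits 22:21 = 01 (the BLR op) and bits 20:16 = 11111, so it matches plain BLR as well as the pointer-authenticated BLRAA/BLRAB/BLRAAZ/BLRABZ variants, while BR (op 00, 0xD61F0000) and RET (op 10, 0xD65F0000) fall through. Without that note a later reader is likely to "tighten" the mask to the full fixed-bit pattern and silently drop the PAC variants; suggest `// BLR and BLRAA/BLRAB/BLRAAZ/BLRABZ: branch w/ link (reg), writes LR from PC`. The placement at the top of the table is consistent with the "more specific encoding tests first" rule in the surrounding comment.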
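Review bot: the removed `{0xFE000000, 0xD6000000, nullptr} // Unconditional branch (reg)` in the second hunk was a class-wide catch (only bits 31:25 checked), so dropping it un-flags not just BR but every other member of that class, including RET, while the commit message only talks about BR. Since those instructions branch to a register and do not write a PC-derived value, leaving them unflagged is correct, but the commit message or a one-line comment at the BLR entry should state that the rest of the class is intentionally treated as relocatable, so the loss of RET coverage does not look accidental. The trailing comma left on the `Test and branch (imm)` line before `};` is fine for an aggregate initializer and matches the other entries.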