Strip ARM64 TBI tag byte from addresses before pread on /proc/<pid>/mem #124709

Open
steveisok wants to merge 2 commits into dotnet:main from steveisok:fix/arm64-strip-tbi-tags-pread

Conversation

@steveisok
Member

Android's scudo heap allocator uses ARM64 Top-Byte Ignore (TBI) to tag heap pointers with a non-zero top byte (e.g., 0xB4). While the CPU ignores this byte during memory access, pread on /proc/<pid>/mem treats the offset as a file position where TBI does not apply, causing EINVAL.

Strip the top byte before pread in PAL_ReadProcessMemory and createdump's ReadProcessMemory. This is a no-op on non-Android ARM64 Linux today, but guards against future TBI/MTE adoption on other distributions.

See https://www.kernel.org/doc/html/latest/arch/arm64/tagged-address-abi.html

Copilot AI review requested due to automatic review settings February 21, 2026 19:49
@steveisok steveisok requested a review from a team February 21, 2026 19:49
@dotnet-policy-service
Contributor

Tagging subscribers to this area: @steveisok, @tommcdon, @dotnet/dotnet-diag
See info in area-owners.md if you want to be subscribed.

Contributor

Copilot AI left a comment


Pull request overview

This pull request addresses an issue with Android's scudo heap allocator, which uses ARM64 Top-Byte Ignore (TBI) to tag heap pointers. When reading process memory via pread on /proc/<pid>/mem, the kernel treats the offset as a file position rather than a virtual address, causing EINVAL errors for TBI-tagged pointers. The fix strips the top byte from addresses before calling pread.

Changes:

  • Added TBI tag byte stripping in PAL_ReadProcessMemory for non-Apple platforms
  • Added TBI tag byte stripping in createdump's ReadProcessMemory before pread calls
  • Comprehensive comments explaining the Android scudo allocator issue and future-proofing for ARM MTE

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

Files reviewed:

  • src/coreclr/pal/src/debug/debug.cpp: Strips TBI tag byte from addresses before pread in PAL_ReadProcessMemory for non-Apple platforms
  • src/coreclr/debug/createdump/crashinfounix.cpp: Strips TBI tag byte from addresses before pread in crash dump memory reading, guarded by TARGET_ARM64
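The fix that both the PR description and the review summarize, as an added example rather than code from this PR or from coreclr: a mask that clears the TBI top byte, and an assumed read_process_memory wrapper around pread on /proc/<pid>/mem that applies it. The strip flag is only there so main can show the original tag-passing path (EINVAL) next to the fixed one; the PAL functions named above have no such flag.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

// Added example, not the PAL's or createdump's code; names are assumed.
// TBI places the tag in bits 56..63; this mask keeps bits 0..55 only.
#define TBI_TAG_MASK 0x00FFFFFFFFFFFFFFULL

// Clear any top-byte tag. Identity on untagged addresses (the no-op case).
static inline uint64_t strip_tbi_tag(uint64_t addr)
{
    return addr & TBI_TAG_MASK;
}

// Read 'size' bytes at 'addr' in 'pid' through /proc/<pid>/mem. The kernel
// treats the pread offset as a file position, so a tag left in the top byte
// makes it invalid (negative as off_t) and pread fails with EINVAL.
// 'strip' selects the fixed (1) or the original tag-passing (0) behaviour.
static ssize_t read_process_memory(pid_t pid, uint64_t addr, void *buf,
                                   size_t size, int strip)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    off_t pos = (off_t)(strip ? strip_tbi_tag(addr) : addr);
    ssize_t n = pread(fd, buf, size, pos);
    int saved = errno;   // keep pread's errno across close()
    close(fd);
    errno = saved;
    return n;
}

int main(void)
{
    // Constructed sample: a local value whose address is tagged like scudo's.
    uint32_t marker = 0xC0FFEE42u, out = 0;
    uint64_t tagged = (uint64_t)(uintptr_t)&marker | (0xB4ULL << 56);
    ssize_t n = read_process_memory(getpid(), tagged, &out, sizeof out, 0);
    printf("tagged offset: %zd (%s)\n", n, n < 0 ? strerror(errno) : "ok");
    n = read_process_memory(getpid(), tagged, &out, sizeof out, 1);
    printf("stripped offset: %zd, value 0x%08X\n", n, out);
    return 0;
}
```

Reading its own memory keeps the demo self-contained; reading another pid additionally needs ptrace access to that process, exactly as PAL_ReadProcessMemory and createdump do.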
