Add MachO support for kext and bundle file types

[adamdoupe]

Summary

• Adds support for loading MH_KEXT_BUNDLE (filetype 11) and MH_BUNDLE (filetype 8) Mach-O binaries, enabling CLE to load macOS kernel extensions from KDKs.
• Fixes the dyld chained fixups chain walker to use the correct next bitfield and stride per pointer format — the old code always used generic64.rebase.next (12 bits at bit 52), which reads garbage for Arm64e formats like DYLD_CHAINED_PTR_ARM64E_KERNEL where next is 11 bits at bit 51.
• Handles file-offset-to-vaddr shift in segments where vmaddr != fileoff (common in kexts' __DATA_CONST), which previously crashed with an assertion that only __ETC segments could have this.
• Adds missing _fields_ to dyld_chained_ptr_arm64e_bind24 struct and adds defensive bounds checks for chain walks.
• Fixes PIC detection from buggy filetype & MH_DYLIB (bitwise AND of ints) to proper filetype in (...).
• Universal2: when no arch= is specified, load only the first slice (with a warning) for the main binary, and pick the slice matching the main binary's arch when loaded as a dependency. Avoids address collisions and downstream breakage from multiple is_main_bin objects.

Test binary lives in angr/binaries#166. The macOS and Windows workflows in this PR pick up a same-named branch from angr/binaries when present (falling back to master); the linux CI uses the body reference above.

Test plan

• All 27 MachO/Universal2 unit tests pass (10 new kext tests, helper test, 8 macho tests, 9 universal2 tests)
• Successfully loads all 907 kext binaries in KDK_26.4.1_25E253.kdk/System/Library/Extensions/
• Successfully loads 699/699 Mach-O binaries in macOS /bin + /usr/bin
• Successfully loads 88/90 Mach-O binaries from an extracted iPhone filesystem (2 remaining: dyld itself which is filetype 7, and a dangling symlink to a shared-cache-only dylib)
• Pre-commit hooks pass

🤖 Generated with Claude Code

[angr-bot]

Corpus decompilation diffs can be found at angr/dec-snapshots@master...angr/cle_674

[rhelmot]

Wrt the "only load the first slice" commit, it looks like you've found an issue that I found before and have been procrastinating on fixing. Can you make sure your fix aligns with the fix I describe here?

[adamdoupe]

Thanks @rhelmot — pushed f49c805 aligning with your design:

• Main binary: pick a single arch (first slice by default, overridable via arch=), with a warning when there's ambiguity.
• Loaded as a dependency: pick the slice matching the main binary's arch (via the new _filter_slices_by_arch helper), falling back to the first slice only if there's no main object yet.

Added a unit test for the filter helper. There's a separate pre-existing issue where loading a fat binary containing MH_EXECUTE slices as a dependency hits an is_main_bin assertion in the MachO backend — that's orthogonal to this change and would affect normal fat-dylib dependency loading the same way regardless. Happy to address it in a follow-up if you'd like.

[rhelmot]

@fmagin I don't seem to be able to request a review from you, but can you take a look at this?

[fmagin]

Doesn't look wrong in any way that I noticed by reading it. I can run this on a larger dataset at work next week to catch regressions on the data that I care about

[adamdoupe]

I tested on all kexts in KDK 26.4 and a bunch of user space binaries, they all at least load. Also added test case kext that I wrote to binaries.

[fmagin]

FWIW I'm fine with merging this now, it does look good to me.
I'm updating the angr version we use at work currently anyway, and as part of that I am running acceptance tests for a dataset of a few thousand apps. So that would catch things like some symbol address changing, symbols disappearing or appearing, etc

[rhelmot]

It looks like your edits to the workflows just didn't work at all, so I've merged the binaries branch. Please remove those lines and we'll see what CI says.