xnu-2782.10.72

Imported from https://opensource.apple.com/tarballs/xnu/xnu-2782.10.72.tar.gz
ikeh · Jun 4, 2017 · 01f5031 · 01f5031
1 parent 0e29ffd
commit 01f5031
Show file tree

Hide file tree

Showing 59 changed files with 1,163 additions and 208 deletions.
diff --git a/bsd/dev/i386/systemcalls.c b/bsd/dev/i386/systemcalls.c
@@ -69,6 +69,8 @@ extern void *find_user_regs(thread_t);
 /* dynamically generated at build time based on syscalls.master */
 extern const char *syscallnames[];
 
+#define code_is_kdebug_trace(code) (((code) == SYS_kdebug_trace) || ((code) == SYS_kdebug_trace64))
+
 /*
  * Function:	unix_syscall
  *
@@ -151,8 +153,8 @@ unix_syscall(x86_saved_state_t *state)
 			/* NOTREACHED */
 		}
 
-		if (__probable(code != 180)) {
-	        	int *ip = (int *)vt;
+		if (__probable(!code_is_kdebug_trace(code))) {
+			int *ip = (int *)vt;
 
 			KERNEL_DEBUG_CONSTANT_IST(KDEBUG_TRACE,
 				BSDDBG_CODE(DBG_BSD_EXCP_SC, code) | DBG_FUNC_START,
@@ -239,7 +241,7 @@ unix_syscall(x86_saved_state_t *state)
 		 */
 		throttle_lowpri_io(1);
 	}
-	if (__probable(code != 180))
+	if (__probable(!code_is_kdebug_trace(code)))
 		KERNEL_DEBUG_CONSTANT_IST(KDEBUG_TRACE, 
 			BSDDBG_CODE(DBG_BSD_EXCP_SC, code) | DBG_FUNC_END,
 			error, uthread->uu_rval[0], uthread->uu_rval[1], p->p_pid, 0);
@@ -320,7 +322,7 @@ unix_syscall64(x86_saved_state_t *state)
 		memcpy(vt, args_start_at_rdi ? &regs->rdi : &regs->rsi, args_in_regs * sizeof(syscall_arg_t));
 
 
-		if (code != 180) {
+		if (!code_is_kdebug_trace(code)) {
 			uint64_t *ip = (uint64_t *)vt;
 
 			KERNEL_DEBUG_CONSTANT_IST(KDEBUG_TRACE, 
@@ -432,7 +434,7 @@ unix_syscall64(x86_saved_state_t *state)
 		 */
 		throttle_lowpri_io(1);
 	}
-	if (__probable(code != 180))
+	if (__probable(!code_is_kdebug_trace(code)))
 		KERNEL_DEBUG_CONSTANT_IST(KDEBUG_TRACE, 
 			BSDDBG_CODE(DBG_BSD_EXCP_SC, code) | DBG_FUNC_END,
 			error, uthread->uu_rval[0], uthread->uu_rval[1], p->p_pid, 0);
@@ -559,7 +561,7 @@ unix_syscall_return(int error)
 		 */
 		throttle_lowpri_io(1);
 	}
-	if (code != 180)
+	if (!code_is_kdebug_trace(code))
 		KERNEL_DEBUG_CONSTANT_IST(KDEBUG_TRACE, 
 			BSDDBG_CODE(DBG_BSD_EXCP_SC, code) | DBG_FUNC_END,
 			error, uthread->uu_rval[0], uthread->uu_rval[1], p->p_pid, 0);

diff --git a/bsd/dev/munge.c b/bsd/dev/munge.c
@@ -220,6 +220,19 @@ munge_wlll(void *args)
 	out_args[0] = in_args[0];
 }
 
+void 
+munge_wllll(void *args)
+{
+	volatile uint64_t *out_args = (volatile uint64_t*)args;
+	volatile uint32_t *in_args = (volatile uint32_t*)args;
+
+	out_args[4] = *(uint64_t*)&in_args[7];
+	out_args[3] = *(uint64_t*)&in_args[5];
+	out_args[2] = *(uint64_t*)&in_args[3];
+	out_args[1] = *(uint64_t*)&in_args[1];
+	out_args[0] = in_args[0];
+}
+
 void
 munge_wllww(void *args)
 {

diff --git a/bsd/dev/x86_64/munge.s b/bsd/dev/x86_64/munge.s
diff --git a/bsd/kern/kdebug.c b/bsd/kern/kdebug.c
@@ -113,6 +113,7 @@ static kd_iop_t* kd_iops = NULL;
 /* XXX should have prototypes, but Mach does not provide one */
 void task_act_iterate_wth_args(task_t, void(*)(thread_t, void *), void *);
 int cpu_number(void);	/* XXX <machine/...> include path broken */
+void commpage_update_kdebug_enable(void); /* XXX sign */
 
 /* XXX should probably be static, but it's debugging code... */
 int kdbg_read(user_addr_t, size_t *, vnode_t, vfs_context_t);
@@ -396,10 +397,12 @@ kdbg_set_tracing_enabled(boolean_t enabled, uint32_t trace_type)
 		kdebug_enable |= trace_type;
 		kd_ctrl_page.kdebug_slowcheck &= ~SLOW_NOLOG;
 		kd_ctrl_page.enabled = 1;
+		commpage_update_kdebug_enable();
 	} else {
 		kdebug_enable &= ~(KDEBUG_ENABLE_TRACE|KDEBUG_ENABLE_PPT);
 		kd_ctrl_page.kdebug_slowcheck |= SLOW_NOLOG;
 		kd_ctrl_page.enabled = 0;
+		commpage_update_kdebug_enable();
 	}
 	lck_spin_unlock(kds_spin_lock);
 	ml_set_interrupts_enabled(s);
@@ -734,6 +737,7 @@ allocate_storage_unit(int cpu)
 		if (kdbp_vict == NULL) {
 			kdebug_enable = 0;
 			kd_ctrl_page.enabled = 0;
+			commpage_update_kdebug_enable();
 			retval = FALSE;
 			goto out;
 		}
@@ -952,16 +956,7 @@ kernel_debug_enter(
 
 
 
-void
-kernel_debug_internal(
-	uint32_t	debugid,
-	uintptr_t	arg1,
-	uintptr_t	arg2,
-	uintptr_t	arg3,
-	uintptr_t	arg4,
-	uintptr_t	arg5);
-
-__attribute__((always_inline)) void
+static void
 kernel_debug_internal(
 	uint32_t	debugid,
 	uintptr_t	arg1,
@@ -1255,20 +1250,48 @@ kernel_debug_early_end(void)
 }
 
 /*
- * Support syscall SYS_kdebug_trace
+ * Support syscall SYS_kdebug_trace. U64->K32 args may get truncated in kdebug_trace64
  */
 int
-kdebug_trace(__unused struct proc *p, struct kdebug_trace_args *uap, __unused int32_t *retval)
+kdebug_trace(struct proc *p, struct kdebug_trace_args *uap, int32_t *retval)
+{
+	struct kdebug_trace64_args uap64;
+
+	uap64.code = uap->code;
+	uap64.arg1 = uap->arg1;
+	uap64.arg2 = uap->arg2;
+	uap64.arg3 = uap->arg3;
+	uap64.arg4 = uap->arg4;
+
+	return kdebug_trace64(p, &uap64, retval);
+}
+
+/*
+ * Support syscall SYS_kdebug_trace64. 64-bit args on K32 will get truncated to fit in 32-bit record format.
+ */
+int kdebug_trace64(__unused struct proc *p, struct kdebug_trace64_args *uap, __unused int32_t *retval)
 {
+	uint8_t code_class;
+
+	/*
+	 * Not all class are supported for injection from userspace, especially ones used by the core
+	 * kernel tracing infrastructure.
+	 */
+	code_class = EXTRACT_CLASS(uap->code);
+
+	switch (code_class) {
+		case DBG_TRACE:
+			return EPERM;
+	}
+
 	if ( __probable(kdebug_enable == 0) )
-		return(0);
- 
-	kernel_debug_internal(uap->code, uap->arg1, uap->arg2, uap->arg3, uap->arg4, (uintptr_t)thread_tid(current_thread()));
+		return(0); 
+
+	kernel_debug_internal(uap->code, (uintptr_t)uap->arg1, (uintptr_t)uap->arg2, (uintptr_t)uap->arg3, (uintptr_t)uap->arg4, (uintptr_t)thread_tid(current_thread()));
 
 	return(0);
 }
 
-
 static void
 kdbg_lock_init(void)
 {
@@ -3140,13 +3163,15 @@ kdbg_dump_trace_to_file(const char *filename)
 			 */
 			kdebug_enable = 0;
 			kd_ctrl_page.enabled = 0;
+			commpage_update_kdebug_enable();
 			return;
 		}
 	}
 	KERNEL_DEBUG_CONSTANT((TRACEDBG_CODE(DBG_TRACE_INFO, 0)) | DBG_FUNC_NONE, 0, 0, 0, 0, 0);
 
 	kdebug_enable = 0;
 	kd_ctrl_page.enabled = 0;
+	commpage_update_kdebug_enable();
 
 	ctx = vfs_context_kernel();
 

diff --git a/bsd/kern/kern_credential.c b/bsd/kern/kern_credential.c
@@ -619,9 +619,10 @@ identitysvc(__unused struct proc *p, struct identitysvc_args *uap, __unused int3
 	}
 
 	/*
-	 * Beyond this point, we must be the resolver process.
+	 * Beyond this point, we must be the resolver process. We verify this
+	 * by confirming the resolver credential and pid.
 	 */
-	if (current_proc()->p_pid != kauth_resolver_identity) {
+	if ((kauth_cred_getuid(kauth_cred_get()) != 0) || (current_proc()->p_pid != kauth_resolver_identity)) {
 		KAUTH_DEBUG("RESOLVER - call from bogus resolver %d\n", current_proc()->p_pid);
 		return(EPERM);
 	}
@@ -923,7 +924,7 @@ kauth_resolver_complete(user_addr_t message)
 	struct kauth_identity_extlookup	extl;
 	struct kauth_resolver_work *workp;
 	struct kauth_resolver_work *killp;
-	int error, result;
+	int error, result, request_flags;
 
 	/*
 	 * Copy in the mesage, including the extension field, since we are
@@ -1004,6 +1005,10 @@ kauth_resolver_complete(user_addr_t message)
 		TAILQ_FOREACH(workp, &kauth_resolver_submitted, kr_link) {
 			/* found it? */
 			if (workp->kr_seqno == extl.el_seqno) {
+				/*
+				 * Take a snapshot of the original request flags.
+				 */
+				request_flags = workp->kr_work.el_flags;
 
 				/*
 				 * Get the request of the submitted queue so
@@ -1041,13 +1046,21 @@ kauth_resolver_complete(user_addr_t message)
 				 * issue and is easily detectable by comparing
 				 * time to live on last response vs. time of
 				 * next request in the resolver logs.
+				 *
+				 * A malicious/faulty resolver could overwrite
+				 * part of a user's address space if they return
+				 * flags that mismatch the original request's flags.
 				 */
-				if (extl.el_flags & (KAUTH_EXTLOOKUP_VALID_PWNAM|KAUTH_EXTLOOKUP_VALID_GRNAM)) {
+				if ((extl.el_flags & request_flags) & (KAUTH_EXTLOOKUP_VALID_PWNAM|KAUTH_EXTLOOKUP_VALID_GRNAM)) {
 					size_t actual;	/* notused */
 
 					KAUTH_RESOLVER_UNLOCK();
 					error = copyinstr(extl.el_extend, CAST_DOWN(void *, workp->kr_extend), MAXPATHLEN, &actual);
 					KAUTH_RESOLVER_LOCK();
+				} else if (extl.el_flags &  (KAUTH_EXTLOOKUP_VALID_PWNAM|KAUTH_EXTLOOKUP_VALID_GRNAM)) {
+					error = EFAULT;
+					KAUTH_DEBUG("RESOLVER - resolver returned mismatching extension flags (%d), request contained (%d)",
+							extl.el_flags, request_flags);
 				}
 
 				/*
@@ -1117,7 +1130,7 @@ kauth_identity_init(void)
  * Parameters:	uid
  *
  * Returns:	NULL				Insufficient memory to satisfy
- *						the request
+ *						the request or bad parameters
  *		!NULL				A pointer to the allocated
  *						structure, filled in
  *
@@ -1146,8 +1159,16 @@ kauth_identity_alloc(uid_t uid, gid_t gid, guid_t *guidp, time_t guid_expiry,
 			kip->ki_valid = KI_VALID_UID;
 		}
 		if (supgrpcnt) {
+			/*
+			 * A malicious/faulty resolver could return bad values
+			 */
+			assert(supgrpcnt >= 0);
 			assert(supgrpcnt <= NGROUPS);
 			assert(supgrps != NULL);
+
+			if ((supgrpcnt < 0) || (supgrpcnt > NGROUPS) || (supgrps == NULL)) {
+				return NULL;
+			}
 			if (kip->ki_valid & KI_VALID_GID)
 				panic("can't allocate kauth identity with both gid and supplementary groups");
 			kip->ki_supgrpcnt = supgrpcnt;

diff --git a/bsd/kern/kern_mib.c b/bsd/kern/kern_mib.c
@@ -447,6 +447,7 @@ SYSCTL_PROC(_hw_optional, OID_AUTO, bmi1,	CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_KER
 SYSCTL_PROC(_hw_optional, OID_AUTO, bmi2,	CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_KERN | CTLFLAG_LOCKED, (void *) kHasBMI2, 0, sysctl_cpu_capability, "I", "");
 SYSCTL_PROC(_hw_optional, OID_AUTO, rtm,	CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_KERN | CTLFLAG_LOCKED, (void *) kHasRTM, 0, sysctl_cpu_capability, "I", "");
 SYSCTL_PROC(_hw_optional, OID_AUTO, hle,	CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_KERN | CTLFLAG_LOCKED, (void *) kHasHLE, 0, sysctl_cpu_capability, "I", "");
+SYSCTL_PROC(_hw_optional, OID_AUTO, adx,	CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_KERN | CTLFLAG_LOCKED, (void *) kHasADX, 0, sysctl_cpu_capability, "I", "");
 #else
 #error Unsupported arch
 #endif /* !__i386__ && !__x86_64 && !__arm__ && ! __arm64__ */

diff --git a/bsd/kern/kern_proc.c b/bsd/kern/kern_proc.c
@@ -2080,7 +2080,8 @@ csops_internal(pid_t pid, int ops, user_addr_t uaddr, user_size_t usersize, user
 			    CS_KILL | CS_EXEC_SET_KILL |
 			    CS_RESTRICT |
 			    CS_REQUIRE_LV |
-			    CS_ENFORCEMENT | CS_EXEC_SET_ENFORCEMENT;
+			    CS_ENFORCEMENT | CS_EXEC_SET_ENFORCEMENT |
+			    CS_ENTITLEMENTS_VALIDATED;
 
 			proc_lock(pt);
 			if (pt->p_csflags & CS_VALID)

diff --git a/bsd/kern/pthread_shims.c b/bsd/kern/pthread_shims.c
@@ -172,15 +172,36 @@ static boolean_t proc_usynch_thread_qos_add_override(struct uthread *uth, uint64
 	task_t task = current_task();
 	thread_t thread = uth ? uth->uu_thread : THREAD_NULL;
 
-	return proc_thread_qos_add_override(task, thread, tid, override_qos, first_override_for_resource);
+	return proc_thread_qos_add_override(task, thread, tid, override_qos, first_override_for_resource, USER_ADDR_NULL, THREAD_QOS_OVERRIDE_TYPE_UNKNOWN);
 }
 
 static boolean_t proc_usynch_thread_qos_remove_override(struct uthread *uth, uint64_t tid)
 {
 	task_t task = current_task();
 	thread_t thread = uth ? uth->uu_thread : THREAD_NULL;
 
-	return proc_thread_qos_remove_override(task, thread, tid);
+	return proc_thread_qos_remove_override(task, thread, tid, USER_ADDR_NULL, THREAD_QOS_OVERRIDE_TYPE_UNKNOWN);
+}
+
+static boolean_t proc_usynch_thread_qos_add_override_for_resource(task_t task, struct uthread *uth, uint64_t tid, int override_qos, boolean_t first_override_for_resource, user_addr_t resource, int resource_type)
+{
+	thread_t thread = uth ? uth->uu_thread : THREAD_NULL;
+
+	return proc_thread_qos_add_override(task, thread, tid, override_qos, first_override_for_resource, resource, resource_type);
+}
+
+static boolean_t proc_usynch_thread_qos_remove_override_for_resource(task_t task, struct uthread *uth, uint64_t tid, user_addr_t resource, int resource_type)
+{
+	thread_t thread = uth ? uth->uu_thread : THREAD_NULL;
+
+	return proc_thread_qos_remove_override(task, thread, tid, resource, resource_type);
+}
+
+static boolean_t proc_usynch_thread_qos_reset_override_for_resource(task_t task, struct uthread *uth, uint64_t tid, user_addr_t resource, int resource_type)
+{
+	thread_t thread = uth ? uth->uu_thread : THREAD_NULL;
+
+	return proc_thread_qos_reset_override(task, thread, tid, resource, resource_type);
 }
 
 /* kernel (core) to kext shims */
@@ -493,6 +514,10 @@ static struct pthread_callbacks_s pthread_callbacks = {
 	.proc_usynch_thread_qos_remove_override = proc_usynch_thread_qos_remove_override,
 
 	.qos_main_thread_active = qos_main_thread_active,
+
+	.proc_usynch_thread_qos_add_override_for_resource = proc_usynch_thread_qos_add_override_for_resource,
+	.proc_usynch_thread_qos_remove_override_for_resource = proc_usynch_thread_qos_remove_override_for_resource,
+	.proc_usynch_thread_qos_reset_override_for_resource = proc_usynch_thread_qos_reset_override_for_resource,
 };
 
 pthread_callbacks_t pthread_kern = &pthread_callbacks;

diff --git a/bsd/kern/syscalls.master b/bsd/kern/syscalls.master
@@ -267,8 +267,8 @@
 176	AUE_NULL	ALL	{ int nosys(void); }   { old add_profil }
 177	AUE_NULL	ALL	{ int nosys(void); } 
 178	AUE_NULL	ALL	{ int nosys(void); } 
-179	AUE_NULL	ALL	{ int nosys(void); } 
-180	AUE_KDEBUGTRACE	ALL 	{ int kdebug_trace(int code, int arg1, int arg2, int arg3, int arg4, int arg5) NO_SYSCALL_STUB; } 
+179	AUE_KDEBUGTRACE	ALL 	{ int kdebug_trace64(uint32_t code, uint64_t arg1, uint64_t arg2, uint64_t arg3, uint64_t arg4) NO_SYSCALL_STUB; } 
+180	AUE_KDEBUGTRACE	ALL 	{ int kdebug_trace(uint32_t code, u_long arg1, u_long arg2, u_long arg3, u_long arg4) NO_SYSCALL_STUB; } 
 181	AUE_SETGID	ALL	{ int setgid(gid_t gid); } 
 182	AUE_SETEGID	ALL	{ int setegid(gid_t egid); } 
 183	AUE_SETEUID	ALL	{ int seteuid(uid_t euid); } 

diff --git a/bsd/kern/trace.codes b/bsd/kern/trace.codes
@@ -996,7 +996,7 @@
 0x40c02c0	BSC_add_profil
 0x40c02c4	BSC_#177
 0x40c02c8	BSC_#178
-0x40c02cc	BSC_#179
+0x40c02cc	BSC_kdebug_trace64
 0x40c02d0	BSC_kdebug_trace
 0x40c02d4	BSC_setgid
 0x40c02d8	BSC_setegid
@@ -1290,7 +1290,7 @@
 0x40c0780	BSC_recvmsg_x
 0x40c0784	BSC_sendmsg_x
 0x40c0788	BSC_thread_selfusage
-0x40c07a4	BSC_mremap_extended
+0x40c07a4	BSC_mremap_encrypted
 0x40e0104	BSC_msync_extended_info
 0x40e0264	BSC_pread_extended_info
 0x40e0268	BSC_pwrite_extended_info
@@ -1549,6 +1549,7 @@
 0x5310274	CPUPM_PST_QOS_SWITCH2
 0x5310278	CPUPM_PST_UIB
 0x531027C	CPUPM_PST_PLIMIT_UIB
+0x5310280	CPUPM_IO
 0x5330000	HIBERNATE
 0x5330004	HIBERNATE_WRITE_IMAGE
 0x5330008	HIBERNATE_MACHINE_INIT

diff --git a/bsd/miscfs/devfs/devfs.h b/bsd/miscfs/devfs/devfs.h
@@ -148,6 +148,7 @@ __END_DECLS
 #define	GID_BIN		7
 #define	GID_GAMES	13
 #define	GID_DIALER	68
+#define GID_WINDOWSERVER 88
 #endif /* __APPLE_API_PRIVATE */
 
 #endif /* !_MISCFS_DEVFS_DEVFS_H_ */