xnu-4570.71.2

Imported from https://opensource.apple.com/tarballs/xnu/xnu-4570.71.2.tar.gz
kkpan11 · Dec 10, 2018 · 24021fd · 24021fd
1 parent 26f3aa4
commit 24021fd
Show file tree

Hide file tree

Showing 47 changed files with 781 additions and 173 deletions.
diff --git a/bsd/dev/i386/sysctl.c b/bsd/dev/i386/sysctl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003-2011 Apple Inc. All rights reserved.
+ * Copyright (c) 2003-2018 Apple Inc. All rights reserved.
  *
  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
  * 
@@ -970,4 +970,10 @@ extern int plctrace_enabled;
 SYSCTL_INT(_machdep, OID_AUTO, pltrace,
 		CTLFLAG_KERN | CTLFLAG_RW | CTLFLAG_LOCKED,
 		&plctrace_enabled, 0, "");
+
+extern int fpsimd_fault_popc;
+SYSCTL_INT(_machdep, OID_AUTO, fpsimd_fault_popc,
+		CTLFLAG_KERN | CTLFLAG_RW | CTLFLAG_LOCKED,
+		&fpsimd_fault_popc, 0, "");
+
 #endif /* DEVELOPMENT || DEBUG */
diff --git a/bsd/kern/kern_shutdown.c b/bsd/kern/kern_shutdown.c
@@ -83,7 +83,7 @@ static int  sd_openlog(vfs_context_t);
 static int  sd_closelog(vfs_context_t);
 static void sd_log(vfs_context_t, const char *, ...);
 static void proc_shutdown(void);
-static void kernel_hwm_panic_info(void);
+static void zprint_panic_info(void);
 extern void halt_log_enter(const char * what, const void * pc, uint64_t time);
 
 #if DEVELOPMENT || DEBUG
@@ -118,7 +118,7 @@ extern mach_memory_info_t *panic_kext_memory_info;
 extern vm_size_t panic_kext_memory_size;
 
 static void
-kernel_hwm_panic_info(void)
+zprint_panic_info(void)
 {
 	unsigned int  num_sites;
 	kern_return_t kr;
@@ -145,12 +145,25 @@ get_system_inshutdown()
 	return (system_inshutdown);
 }
 
+static void
+panic_kernel(int howto, char *message)
+{
+	if ((howto & RB_PANIC_ZPRINT) == RB_PANIC_ZPRINT) {
+		zprint_panic_info();
+	}
+	panic("userspace panic: %s", message);
+}
+
 int
 reboot_kernel(int howto, char *message)
 {
 	int hostboot_option=0;
 	uint64_t startTime;
 
+	if ((howto & (RB_PANIC | RB_QUICK)) == (RB_PANIC | RB_QUICK)) {
+		panic_kernel(howto, message);
+	}
+
 	if (!OSCompareAndSwap(0, 1, &system_inshutdown)) {
 		if ( (howto&RB_QUICK) == RB_QUICK)
 			goto force_reboot;
@@ -244,10 +257,7 @@ reboot_kernel(int howto, char *message)
 force_reboot:
 
 	if (howto & RB_PANIC) {
-		if (strncmp(message, "Kernel memory has exceeded limits", 33) == 0) {
-			kernel_hwm_panic_info();
-		}
-		panic ("userspace panic: %s", message);
+		panic_kernel(howto, message);
 	}
 
 	if (howto & RB_POWERDOWN)

diff --git a/bsd/kern/kern_time.c b/bsd/kern/kern_time.c
@@ -899,3 +899,4 @@ time_zone_slock_init(void)
 	/* Allocate the spin lock */
 	tz_slock = lck_spin_alloc_init(tz_slock_grp, tz_slock_attr);
 }
+
diff --git a/bsd/kern/syscalls.master b/bsd/kern/syscalls.master
@@ -836,3 +836,5 @@
 527	AUE_NULL	ALL	{ int ntp_adjtime(struct timex *tp); }
 528	AUE_NULL	ALL	{ int ntp_gettime(struct ntptimeval *ntvp); }
 529	AUE_NULL	ALL	{ int os_fault_with_payload(uint32_t reason_namespace, uint64_t reason_code, void *payload, uint32_t payload_size, const char *reason_string, uint64_t reason_flags); }
+530	AUE_NULL	ALL	{ int enosys(void); }
+531	AUE_NULL	ALL	{ int enosys(void); }
diff --git a/bsd/kern/trace_codes b/bsd/kern/trace_codes
@@ -350,6 +350,9 @@
 0x1800008	MACH_CLOCK_BRIDGE_REMOTE_TIME
 0x180000c	MACH_CLOCK_BRIDGE_RESET_TS
 0x1800010	MACH_CLOCK_BRIDGE_TS_PARAMS
+0x1800014	MACH_CLOCK_BRIDGE_SKIP_TS
+0x1800018	MACH_CLOCK_BRIDGE_TS_MISMATCH
+0x180001c	MACH_CLOCK_BRIDGE_OBSV_RATE
 0x1900000	MP_TLB_FLUSH
 0x1900004	MP_CPUS_CALL
 0x1900008	MP_CPUS_CALL_LOCAL
@@ -1182,6 +1185,7 @@
 0x5310290	CPUPM_URGENCY
 0x5310294	CPUPM_IDLE_EXIT1
 0x5310298	CPUPM_PST_QOS_CONT
+0x531029C	CPUPM_MID
 0x5330000	HIBERNATE
 0x5330004	HIBERNATE_WRITE_IMAGE
 0x5330008	HIBERNATE_MACHINE_INIT

diff --git a/bsd/net/necp.c b/bsd/net/necp.c
@@ -42,6 +42,7 @@
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
+#include <sys/coalition.h>
 #include <netinet/ip.h>
 #include <netinet/ip6.h>
 #include <netinet/tcp.h>
@@ -393,6 +394,9 @@ static u_int32_t necp_create_string_to_id_mapping(struct necp_string_id_mapping_
 static bool necp_remove_string_to_id_mapping(struct necp_string_id_mapping_list *list, char *domain);
 static struct necp_string_id_mapping *necp_lookup_string_with_id_locked(struct necp_string_id_mapping_list *list, u_int32_t local_id);
 
+static struct necp_kernel_socket_policy *necp_kernel_socket_policy_find(necp_kernel_policy_id policy_id);
+static struct necp_kernel_ip_output_policy *necp_kernel_ip_output_policy_find(necp_kernel_policy_id policy_id);
+
 static LIST_HEAD(_necp_kernel_service_list, necp_service_registration) necp_registered_service_list;
 
 static char *necp_create_trimmed_domain(char *string, size_t length);
@@ -421,6 +425,7 @@ static u_int32_t necp_create_route_rule(struct necp_route_rule_list *list, u_int
 static bool necp_remove_route_rule(struct necp_route_rule_list *list, u_int32_t route_rule_id);
 static bool necp_route_is_allowed(struct rtentry *route, ifnet_t interface, u_int32_t route_rule_id, u_int32_t *interface_type_denied);
 static struct necp_route_rule *necp_lookup_route_rule_locked(struct necp_route_rule_list *list, u_int32_t route_rule_id);
+static inline void necp_get_parent_cred_result(proc_t proc, struct necp_socket_info *info);
 
 #define MAX_AGGREGATE_ROUTE_RULES 16
 struct necp_aggregate_route_rule {
@@ -4144,23 +4149,41 @@ necp_kernel_policy_get_new_id(bool socket_level)
 	LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
 
 	if (socket_level) {
-		necp_last_kernel_socket_policy_id++;
-		if (necp_last_kernel_socket_policy_id < NECP_KERNEL_POLICY_ID_FIRST_VALID_SOCKET ||
-			necp_last_kernel_socket_policy_id >= NECP_KERNEL_POLICY_ID_FIRST_VALID_IP) {
-			necp_last_kernel_socket_policy_id = NECP_KERNEL_POLICY_ID_FIRST_VALID_SOCKET;
-		}
-		newid = necp_last_kernel_socket_policy_id;
+		bool wrapped = FALSE;
+		do {
+			necp_last_kernel_socket_policy_id++;
+			if (necp_last_kernel_socket_policy_id < NECP_KERNEL_POLICY_ID_FIRST_VALID_SOCKET ||
+				necp_last_kernel_socket_policy_id >= NECP_KERNEL_POLICY_ID_FIRST_VALID_IP) {
+				if (wrapped) {
+					// Already wrapped, give up
+					NECPLOG0(LOG_ERR, "Failed to find a free socket kernel policy ID.\n");
+					return (NECP_KERNEL_POLICY_ID_NONE);
+				}
+				necp_last_kernel_socket_policy_id = NECP_KERNEL_POLICY_ID_FIRST_VALID_SOCKET;
+				wrapped = TRUE;
+			}
+			newid = necp_last_kernel_socket_policy_id;
+		} while (necp_kernel_socket_policy_find(newid) != NULL); // If already used, keep trying
 	} else {
-		necp_last_kernel_ip_policy_id++;
-		if (necp_last_kernel_ip_policy_id < NECP_KERNEL_POLICY_ID_FIRST_VALID_IP) {
-			necp_last_kernel_ip_policy_id = NECP_KERNEL_POLICY_ID_FIRST_VALID_IP;
-		}
-		newid = necp_last_kernel_ip_policy_id;
+		bool wrapped = FALSE;
+		do {
+			necp_last_kernel_ip_policy_id++;
+			if (necp_last_kernel_ip_policy_id < NECP_KERNEL_POLICY_ID_FIRST_VALID_IP) {
+				if (wrapped) {
+					// Already wrapped, give up
+					NECPLOG0(LOG_ERR, "Failed to find a free IP kernel policy ID.\n");
+					return (NECP_KERNEL_POLICY_ID_NONE);
+				}
+				necp_last_kernel_ip_policy_id = NECP_KERNEL_POLICY_ID_FIRST_VALID_IP;
+				wrapped = TRUE;
+			}
+			newid = necp_last_kernel_ip_policy_id;
+		} while (necp_kernel_ip_output_policy_find(newid) != NULL); // If already used, keep trying
 	}
 
 	if (newid == NECP_KERNEL_POLICY_ID_NONE) {
-		NECPLOG0(LOG_DEBUG, "Allocate kernel policy id failed.\n");
-		return (0);
+		NECPLOG0(LOG_ERR, "Allocate kernel policy id failed.\n");
+		return (NECP_KERNEL_POLICY_ID_NONE);
 	}
 
 	return (newid);
@@ -6051,6 +6074,35 @@ necp_copy_string(char *string, size_t length)
 	return (copied_string);
 }
 
+static inline void
+necp_get_parent_cred_result(proc_t proc, struct necp_socket_info *info)
+{
+	task_t task = proc_task(proc ? proc : current_proc());
+	coalition_t coal = COALITION_NULL;
+	Boolean is_leader = coalition_is_leader(task, COALITION_TYPE_JETSAM, &coal);
+
+	if (is_leader == TRUE) {
+		// No parent, nothing to do
+		return;
+	}
+
+	if (coal != NULL) {
+		task_t lead_task = coalition_get_leader(coal);
+		if (lead_task != NULL) {
+			proc_t lead_proc = get_bsdtask_info(lead_task);
+			if (lead_proc != NULL) {
+				kauth_cred_t lead_cred = kauth_cred_proc_ref(lead_proc);
+				if (lead_cred != NULL) {
+					errno_t cred_result = priv_check_cred(lead_cred, PRIV_NET_PRIVILEGED_NECP_MATCH, 0);
+					kauth_cred_unref(&lead_cred);
+					info->cred_result = cred_result;
+				}
+			}
+			task_deallocate(lead_task);
+		}
+	}
+}
+
 #define	NECP_KERNEL_ADDRESS_TYPE_CONDITIONS (NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX)
 static void
 necp_application_fillout_info_locked(uuid_t application_uuid, uuid_t real_application_uuid, char *account, char *domain, pid_t pid, uid_t uid, u_int16_t protocol, u_int32_t bound_interface_index, u_int32_t traffic_class, union necp_sockaddr_union *local_addr, union necp_sockaddr_union *remote_addr, proc_t proc, struct necp_socket_info *info)
@@ -6065,6 +6117,10 @@ necp_application_fillout_info_locked(uuid_t application_uuid, uuid_t real_applic
 
 	if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT && proc != NULL) {
 		info->cred_result = priv_check_cred(proc_ucred(proc), PRIV_NET_PRIVILEGED_NECP_MATCH, 0);
+		if (info->cred_result != 0) {
+			// Process does not have entitlement, check the parent process
+			necp_get_parent_cred_result(proc, info);
+		}
 	}
 
 	if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_APP_ID && !uuid_is_null(application_uuid)) {
@@ -6965,6 +7021,10 @@ necp_socket_fillout_info_locked(struct inpcb *inp, struct sockaddr *override_loc
 
 		if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) {
 			info->cred_result = priv_check_cred(so->so_cred, PRIV_NET_PRIVILEGED_NECP_MATCH, 0);
+			if (info->cred_result != 0) {
+				// Process does not have entitlement, check the parent process
+				necp_get_parent_cred_result(NULL, info);
+			}
 		}
 	}
 

diff --git a/bsd/netinet/mptcp_subr.c b/bsd/netinet/mptcp_subr.c
@@ -1102,7 +1102,6 @@ void
 mptcp_sopt_insert(struct mptses *mpte, struct mptopt *mpo)
 {
 	mpte_lock_assert_held(mpte);	/* same as MP socket lock */
-	VERIFY(!(mpo->mpo_flags & MPOF_ATTACHED));
 	mpo->mpo_flags |= MPOF_ATTACHED;
 	TAILQ_INSERT_TAIL(&mpte->mpte_sopts, mpo, mpo_entry);
 }
@@ -1134,8 +1133,6 @@ mptcp_sopt_find(struct mptses *mpte, struct sockopt *sopt)
 		    mpo->mpo_name == sopt->sopt_name)
 			break;
 	}
-	VERIFY(mpo == NULL || sopt->sopt_valsize == sizeof (int));
-
 	return (mpo);
 }
 

diff --git a/bsd/netinet/mptcp_usrreq.c b/bsd/netinet/mptcp_usrreq.c
@@ -78,8 +78,6 @@ static int mptcp_usr_shutdown(struct socket *);
 static int mptcp_usr_sosend(struct socket *, struct sockaddr *, struct uio *,
     struct mbuf *, struct mbuf *, int);
 static int mptcp_usr_socheckopt(struct socket *, struct sockopt *);
-static int mptcp_setopt(struct mptses *, struct sockopt *);
-static int mptcp_getopt(struct mptses *, struct sockopt *);
 static int mptcp_default_tcp_optval(struct mptses *, struct sockopt *, int *);
 static int mptcp_usr_preconnect(struct socket *so);
 
@@ -1357,9 +1355,6 @@ mptcp_setopt(struct mptses *mpte, struct sockopt *sopt)
 	level = sopt->sopt_level;
 	optname = sopt->sopt_name;
 
-	VERIFY(sopt->sopt_dir == SOPT_SET);
-	VERIFY(level == SOL_SOCKET || level == IPPROTO_TCP);
-	mpte_lock_assert_held(mpte);	/* same as MP socket lock */
 	mp_so = mptetoso(mpte);
 
 	/*
@@ -1524,7 +1519,6 @@ mptcp_setopt(struct mptses *mpte, struct sockopt *sopt)
 				mpo->mpo_name = optname;
 				mptcp_sopt_insert(mpte, mpo);
 			}
-			VERIFY(mpo->mpo_flags & MPOF_ATTACHED);
 			/* this can be issued on the subflow socket */
 			mpo->mpo_flags |= MPOF_SUBFLOW_OK;
 		}
@@ -1536,7 +1530,6 @@ mptcp_setopt(struct mptses *mpte, struct sockopt *sopt)
 		mpo->mpo_name = optname;
 		mpo->mpo_intval = optval;
 	}
-	VERIFY(mpo == NULL || error == 0);
 
 	/* issue this socket option on existing subflows */
 	if (error == 0) {
@@ -1574,9 +1567,6 @@ mptcp_getopt(struct mptses *mpte, struct sockopt *sopt)
 {
 	int error = 0, optval = 0;
 
-	VERIFY(sopt->sopt_dir == SOPT_GET);
-	mpte_lock_assert_held(mpte);	/* same as MP socket lock */
-
 	/*
 	 * We only handle SOPT_GET for TCP level socket options; we should
 	 * not get here for socket level options since they are already

diff --git a/bsd/nfs/nfs4_subs.c b/bsd/nfs/nfs4_subs.c
@@ -1831,6 +1831,9 @@ nfs4_parsefattr(
 	}
 	if (NFS_BITMAP_ISSET(bitmap, NFS_FATTR_FILEHANDLE)) {
 		nfsm_chain_get_32(error, nmc, val);
+		if (error == 0 && val > NFS_MAX_FH_SIZE)
+			error = EBADRPC;
+		nfsmout_if(error);
 		if (fhp) {
 			fhp->fh_len = val;
 			nfsm_chain_get_opaque(error, nmc, nfsm_rndup(val), fhp->fh_data);

diff --git a/bsd/nfs/nfs4_vnops.c b/bsd/nfs/nfs4_vnops.c
@@ -1193,6 +1193,9 @@ nfs4_lookup_rpc_async_finish(
 	nfsmout_if(error || !fhp || !nvap);
 	nfsm_chain_op_check(error, &nmrep, NFS_OP_GETFH);
 	nfsm_chain_get_32(error, &nmrep, fhp->fh_len);
+	if (error == 0 && fhp->fh_len > sizeof(fhp->fh_data))
+		error = EBADRPC;
+	nfsmout_if(error);
 	nfsm_chain_get_opaque(error, &nmrep, fhp->fh_len, fhp->fh_data);
 	nfsm_chain_op_check(error, &nmrep, NFS_OP_GETATTR);
 	if ((error == NFSERR_MOVED) || (error == NFSERR_INVAL)) {

diff --git a/bsd/nfs/nfs_gss.c b/bsd/nfs/nfs_gss.c
@@ -1066,6 +1066,8 @@ nfs_gss_clnt_verf_get(
 	 * the context is complete.
 	 */
 	if (!(cp->gss_clnt_flags & GSS_CTX_COMPLETE)) {
+		if (verflen > KRB5_MAX_MIC_SIZE)
+			return (EBADRPC);
 		MALLOC(cp->gss_clnt_verf, u_char *, verflen, M_TEMP, M_WAITOK|M_ZERO);
 		if (cp->gss_clnt_verf == NULL)
 			return (ENOMEM);
@@ -1144,6 +1146,10 @@ nfs_gss_clnt_verf_get(
 		nmc_tmp = *nmc;
 		nfsm_chain_adv(error, &nmc_tmp, reslen);	// skip over the results
 		nfsm_chain_get_32(error, &nmc_tmp,  cksum.length);
+		if (cksum.length > KRB5_MAX_MIC_SIZE) {
+			error = EBADRPC;
+			goto nfsmout;
+		}
 		MALLOC(cksum.value, void *, cksum.length, M_TEMP, M_WAITOK);
 		nfsm_chain_get_opaque(error, &nmc_tmp, cksum.length, cksum.value);
 		//XXX chop offf the cksum?
@@ -2998,8 +3004,10 @@ nfs_gss_svc_cred_get(struct nfsrv_descript *nd, struct nfsm_chain *nmc)
 			goto nfsmout;
 		if (flavor != RPCSEC_GSS || cksum.length > KRB5_MAX_MIC_SIZE)
 			error = NFSERR_AUTHERR | AUTH_BADVERF;
-		MALLOC(cksum.value, void *, cksum.length, M_TEMP, M_WAITOK);
-		nfsm_chain_get_opaque(error, nmc, cksum.length, cksum.value);
+		else {
+			MALLOC(cksum.value, void *, cksum.length, M_TEMP, M_WAITOK);
+			nfsm_chain_get_opaque(error, nmc, cksum.length, cksum.value);
+		}
 		if (error)
 			goto nfsmout;
 

diff --git a/bsd/nfs/nfs_socket.c b/bsd/nfs/nfs_socket.c
@@ -5345,7 +5345,8 @@ nfs_portmap_lookup(
 	struct sockaddr *saddr = (struct sockaddr*)&ss;
 	struct nfsm_chain nmreq, nmrep;
 	mbuf_t mreq;
-	int error = 0, ip, pmprog, pmvers, pmproc, ualen = 0;
+	int error = 0, ip, pmprog, pmvers, pmproc;
+	uint32_t ualen = 0;
 	uint32_t port;
 	uint64_t xid = 0;
 	char uaddr[MAX_IPv6_STR_LEN+16];
@@ -5406,7 +5407,7 @@ nfs_portmap_lookup(
 		/* get uaddr string and convert to sockaddr */
 		nfsm_chain_get_32(error, &nmrep, ualen);
 		if (!error) {
-			if (ualen > ((int)sizeof(uaddr)-1))
+			if (ualen > (sizeof(uaddr)-1))
 				error = EIO;
 			if (ualen < 1) {
 				/* program is not available, just return a zero port */

diff --git a/bsd/nfs/nfs_vfsops.c b/bsd/nfs/nfs_vfsops.c
@@ -2328,6 +2328,9 @@ nfs4_mount(
 		nfsmout_if(error);
 		nfsm_chain_op_check(error, &nmrep, NFS_OP_GETFH);
 		nfsm_chain_get_32(error, &nmrep, fh.fh_len);
+		if (fh.fh_len > sizeof(fh.fh_data))
+			error = EBADRPC;
+		nfsmout_if(error);
 		nfsm_chain_get_opaque(error, &nmrep, fh.fh_len, fh.fh_data);
 		nfsm_chain_op_check(error, &nmrep, NFS_OP_GETATTR);
 		if (!error) {
@@ -3030,8 +3033,7 @@ mountnfs(
 			error = ENOMEM;
 		xb_get_32(error, &xb, nmp->nm_fh->fh_len);
 		nfsmerr_if(error);
-		if (nmp->nm_fh->fh_len < 0 ||
-		    (size_t)nmp->nm_fh->fh_len > sizeof(nmp->nm_fh->fh_data))
+		if ((size_t)nmp->nm_fh->fh_len > sizeof(nmp->nm_fh->fh_data))
 			error = EINVAL;
 		else
 			error = xb_get_bytes(&xb, (char*)&nmp->nm_fh->fh_data[0], nmp->nm_fh->fh_len, 0);
Original file line number	Diff line number	Diff line change
Expand Up		@@ -899,3 +899,4 @@ time_zone_slock_init(void)
		/* Allocate the spin lock */
		tz_slock = lck_spin_alloc_init(tz_slock_grp, tz_slock_attr);
		}