xnu-6153.141.1

Imported from https://opensource.apple.com/tarballs/xnu/xnu-6153.141.1.tar.gz
kkpan11 · Jan 11, 2021 · 2a1b271 · 2a1b271
1 parent 0430d98
commit 2a1b271
Show file tree

Hide file tree

Showing 100 changed files with 9,063 additions and 1,225 deletions.
diff --git a/bsd/kern/kern_aio.c b/bsd/kern/kern_aio.c
diff --git a/bsd/kern/kern_exec.c b/bsd/kern/kern_exec.c
@@ -3622,6 +3622,10 @@ posix_spawn(proc_t ap, struct posix_spawn_args *uap, int32_t *retval)
 		proc_legacy_footprint_entitled(p, new_task, __FUNCTION__);
 		proc_ios13extended_footprint_entitled(p, new_task, __FUNCTION__);
 #endif /* __arm64__ */
+
+#if __has_feature(ptrauth_calls)
+		task_set_pac_exception_fatal_flag(new_task);
+#endif /* __has_feature(ptrauth_calls) */
 	}
 
 	/* Inherit task role from old task to new task for exec */
@@ -4311,6 +4315,10 @@ __mac_execve(proc_t p, struct __mac_execve_args *uap, int32_t *retval)
 
 		task_set_main_thread_qos(new_task, main_thread);
 
+#if __has_feature(ptrauth_calls)
+		task_set_pac_exception_fatal_flag(new_task);
+#endif /* __has_feature(ptrauth_calls) */
+
 #if CONFIG_ARCADE
 		/*
 		 * Check to see if we need to trigger an arcade upcall AST now

diff --git a/bsd/kern/kern_exit.c b/bsd/kern/kern_exit.c
@@ -192,6 +192,12 @@ kern_return_t task_violated_guard(mach_exception_code_t, mach_exception_subcode_
 void    delay(int);
 void gather_rusage_info(proc_t p, rusage_info_current *ru, int flavor);
 
+#if __has_feature(ptrauth_calls)
+int exit_with_pac_exception(proc_t p, exception_type_t exception, mach_exception_code_t code,
+    mach_exception_subcode_t subcode);
+#endif /* __has_feature(ptrauth_calls) */
+
+
 /*
  * NOTE: Source and target may *NOT* overlap!
  * XXX Should share code with bsd/dev/ppc/unix_signal.c
@@ -2907,3 +2913,26 @@ kdp_wait4_find_process(thread_t thread, __unused event64_t wait_event, thread_wa
 	// See man wait4 for other valid wait4 arguments.
 	waitinfo->owner = args->pid;
 }
+
+#if __has_feature(ptrauth_calls)
+int
+exit_with_pac_exception(proc_t p, exception_type_t exception, mach_exception_code_t code,
+    mach_exception_subcode_t subcode)
+{
+	thread_t self = current_thread();
+	struct uthread *ut = get_bsdthread_info(self);
+
+	os_reason_t exception_reason = os_reason_create(OS_REASON_PAC_EXCEPTION, (uint64_t)code);
+	if (exception_reason == OS_REASON_NULL) {
+		printf("exit_with_pac_exception: failed to allocate exit reason\n");
+	} else {
+		exception_reason->osr_flags |= OS_REASON_FLAG_GENERATE_CRASH_REPORT;
+		ut->uu_exception = exception;
+		ut->uu_code = code;
+		ut->uu_subcode = subcode;
+	}
+
+	return exit_with_reason(p, W_EXITCODE(0, SIGKILL), (int *)NULL, TRUE, FALSE,
+	           0, exception_reason);
+}
+#endif /* __has_feature(ptrauth_calls) */
diff --git a/bsd/kern/kern_proc.c b/bsd/kern/kern_proc.c
@@ -3863,6 +3863,19 @@ proc_set_syscall_filter_mask(proc_t p, int which, unsigned char *maskptr, size_t
 	return KERN_SUCCESS;
 }
 
+bool
+proc_is_traced(proc_t p)
+{
+	bool ret = FALSE;
+	assert(p != PROC_NULL);
+	proc_lock(p);
+	if (p->p_lflag & P_LTRACED) {
+		ret = TRUE;
+	}
+	proc_unlock(p);
+	return ret;
+}
+
 #ifdef CONFIG_32BIT_TELEMETRY
 void
 proc_log_32bit_telemetry(proc_t p)

diff --git a/bsd/kern/kern_sysctl.c b/bsd/kern/kern_sysctl.c
@@ -1465,7 +1465,7 @@ sysctl_procargsx(int *name, u_int namelen, user_addr_t where,
 
 	if (vm_map_copy_overwrite(kernel_map,
 	    (vm_map_address_t)copy_start,
-	    tmp, FALSE) != KERN_SUCCESS) {
+	    tmp, (vm_map_size_t) arg_size, FALSE) != KERN_SUCCESS) {
 		kmem_free(kernel_map, copy_start,
 		    round_page(arg_size));
 		vm_map_copy_discard(tmp);

diff --git a/bsd/kern/mach_loader.c b/bsd/kern/mach_loader.c
@@ -353,6 +353,7 @@ load_machfile(
 	struct vnode            *vp = imgp->ip_vp;
 	off_t                   file_offset = imgp->ip_arch_offset;
 	off_t                   macho_size = imgp->ip_arch_size;
+	off_t                   total_size = 0;
 	off_t                   file_size = imgp->ip_vattr->va_data_size;
 	pmap_t                  pmap = 0;       /* protected by create_map */
 	vm_map_t                map;
@@ -368,7 +369,8 @@ load_machfile(
 	kern_return_t           kret;
 	unsigned int            pmap_flags = 0;
 
-	if (macho_size > file_size) {
+	if (os_add_overflow(file_offset, macho_size, &total_size) ||
+	    total_size > file_size) {
 		return LOAD_BADMACHO;
 	}
 
@@ -2579,6 +2581,10 @@ load_threadstack(
 	int             flavor;
 	uint32_t        stack_size;
 
+	if (total_size == 0) {
+		return LOAD_BADMACHO;
+	}
+
 	while (total_size > 0) {
 		flavor = *ts++;
 		size = *ts++;
@@ -2896,6 +2902,7 @@ load_code_signature(
 	    &blob)) {
 		if (addr) {
 			ubc_cs_blob_deallocate(addr, blob_size);
+			addr = 0;
 		}
 		ret = LOAD_FAILURE;
 		goto out;

diff --git a/bsd/kern/uipc_usrreq.c b/bsd/kern/uipc_usrreq.c
@@ -468,6 +468,7 @@ uipc_send(struct socket *so, int flags, struct mbuf *m, struct sockaddr *nam,
 			}
 			error = unp_connect(so, nam, p);
 			if (error) {
+				so->so_state &= ~SS_ISCONNECTING;
 				break;
 			}
 		} else {
@@ -529,6 +530,7 @@ uipc_send(struct socket *so, int flags, struct mbuf *m, struct sockaddr *nam,
 			if (nam) {
 				error = unp_connect(so, nam, p);
 				if (error) {
+					so->so_state &= ~SS_ISCONNECTING;
 					break;  /* XXX */
 				}
 			} else {
@@ -1180,6 +1182,9 @@ unp_connect(struct socket *so, struct sockaddr *nam, __unused proc_t p)
 	if (len >= SOCK_MAXADDRLEN) {
 		return EINVAL;
 	}
+
+	soisconnecting(so);
+
 	bcopy(soun->sun_path, buf, len);
 	buf[len] = 0;
 

diff --git a/bsd/net/content_filter.c b/bsd/net/content_filter.c
@@ -2891,10 +2891,10 @@ cfil_sock_attach(struct socket *so, struct sockaddr *local, struct sockaddr *rem
 	 * Save passed addresses for attach event msg (in case resend
 	 * is needed.
 	 */
-	if (remote != NULL) {
+	if (remote != NULL && (remote->sa_len <= sizeof(union sockaddr_in_4_6))) {
 		memcpy(&so->so_cfil->cfi_so_attach_faddr, remote, remote->sa_len);
 	}
-	if (local != NULL) {
+	if (local != NULL && (local->sa_len <= sizeof(union sockaddr_in_4_6))) {
 		memcpy(&so->so_cfil->cfi_so_attach_laddr, local, local->sa_len);
 	}
 

diff --git a/bsd/net/if.c b/bsd/net/if.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000-2019 Apple Inc. All rights reserved.
+ * Copyright (c) 2000-2020 Apple Inc. All rights reserved.
  *
  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
  *
@@ -890,7 +890,7 @@ ifa_foraddr6_scoped(struct in6_addr *addr6, unsigned int scope)
 	struct in6_ifaddr *ia = NULL;
 
 	lck_rw_lock_shared(&in6_ifaddr_rwlock);
-	for (ia = in6_ifaddrs; ia; ia = ia->ia_next) {
+	TAILQ_FOREACH(ia, IN6ADDR_HASH(addr6), ia6_hash) {
 		IFA_LOCK(&ia->ia_ifa);
 		if (IN6_ARE_ADDR_EQUAL(&ia->ia_addr.sin6_addr, addr6) &&
 		    (scope == IFSCOPE_NONE || ia->ia_ifp->if_index == scope)) {

diff --git a/bsd/net/if_gif.c b/bsd/net/if_gif.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000-2018 Apple Inc. All rights reserved.
+ * Copyright (c) 2000-2020 Apple Inc. All rights reserved.
  *
  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
  *
@@ -618,6 +618,12 @@ gif_output(
 
 	/* XXX should we check if our outer source is legal? */
 
+	/*
+	 * Save the length as m may be free by the output functions
+	 * as they call m_pullup
+	 */
+	u_int32_t bytes_out = m->m_pkthdr.len;
+
 	/* dispatch to output logic based on outer AF */
 	switch (sc->gif_psrc->sa_family) {
 #if INET
@@ -641,7 +647,7 @@ gif_output(
 		/* the mbuf was freed either by in_gif_output or in here */
 		ifnet_stat_increment_out(ifp, 0, 0, 1);
 	} else {
-		ifnet_stat_increment_out(ifp, 1, m->m_pkthdr.len, 0);
+		ifnet_stat_increment_out(ifp, 1, bytes_out, 0);
 	}
 	if (error == 0) {
 		error = EJUSTRETURN; /* if no error, packet got sent already */

diff --git a/bsd/net/if_stf.c b/bsd/net/if_stf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000-2018 Apple Inc. All rights reserved.
+ * Copyright (c) 2000-2020 Apple Inc. All rights reserved.
  *
  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
  *
@@ -571,6 +571,7 @@ stf_pre_output(
 			IFA_REMREF(&ia6->ia_ifa);
 			return ENOBUFS;
 		}
+		*m0 = m;
 	}
 	ip6 = mtod(m, struct ip6_hdr *);
 	tos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
@@ -604,6 +605,8 @@ stf_pre_output(
 		IFA_REMREF(&ia6->ia_ifa);
 		return ENOBUFS;
 	}
+
+	*m0 = m;
 	ip = mtod(m, struct ip *);
 
 	bzero(ip, sizeof(*ip));

diff --git a/bsd/net/kpi_interface.c b/bsd/net/kpi_interface.c
@@ -641,6 +641,7 @@ ifnet_set_eflags(ifnet_t interface, u_int32_t new_flags, u_int32_t mask)
 	 */
 	if ((((new_flags & mask) & IFEF_ADV_REPORT) != 0) &&
 	    ((interface->if_eflags & IFEF_SKYWALK_NATIVE) == 0)) {
+		ifnet_lock_done(interface);
 		return EINVAL;
 	}
 	oeflags = interface->if_eflags;