xnu-3248.30.4

Imported from https://opensource.apple.com/tarballs/xnu/xnu-3248.30.4.tar.gz
kkpan11 · Jun 4, 2017 · a9751ba · a9751ba
1 parent 30f610b
commit a9751ba
Show file tree

Hide file tree

Showing 8 changed files with 54 additions and 21 deletions.
diff --git a/bsd/kern/kern_descrip.c b/bsd/kern/kern_descrip.c
@@ -81,6 +81,7 @@
 #include <sys/kauth.h>
 #include <sys/file_internal.h>
 #include <sys/guarded.h>
+#include <sys/priv.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/stat.h>
@@ -2018,7 +2019,11 @@ fcntl_nocancel(proc_t p, struct fcntl_nocancel_args *uap, int32_t *retval)
 		struct vnode *dst_vp = NULLVP;
 		/* We need to grab the 2nd FD out of the argments before moving on. */
 		int fd2 = CAST_DOWN_EXPLICIT(int32_t, uap->arg);
-
+
+		error = priv_check_cred(kauth_cred_get(), PRIV_VFS_MOVE_DATA_EXTENTS, 0);
+		if (error)
+			goto out;
+
 		if (fp->f_type != DTYPE_VNODE) {
 			error = EBADF;
 			goto out;

diff --git a/bsd/sys/priv.h b/bsd/sys/priv.h
@@ -113,7 +113,8 @@
 /*
  * VFS privileges
  */
-#define PRIV_VFS_OPEN_BY_ID	14000 	/*Allow calling openbyid_np()*/
+#define PRIV_VFS_OPEN_BY_ID		14000 	/* Allow calling openbyid_np() */
+#define PRIV_VFS_MOVE_DATA_EXTENTS	14001   /* Allow F_MOVEDATAEXTENTS fcntl */
 
 #ifdef KERNEL
 /*

diff --git a/config/MasterVersion b/config/MasterVersion
@@ -1,4 +1,4 @@
-15.2.0
+15.3.0
 
 # The first line of this file contains the master version number for the kernel.
 # All other instances of the kernel version in xnu are derived from this file.

diff --git a/iokit/IOKit/IOUserClient.h b/iokit/IOKit/IOUserClient.h
@@ -207,7 +207,8 @@ class IOUserClient : public IOService
 #endif
     OSSet * mappings;
     UInt8   sharedInstance;
-    UInt8   __reservedA[3];
+    UInt8   closed;
+    UInt8   __reservedA[2];
     void  * __reserved[7];
 
 public:

diff --git a/iokit/Kernel/IOBufferMemoryDescriptor.cpp b/iokit/Kernel/IOBufferMemoryDescriptor.cpp
@@ -554,6 +554,7 @@ vm_size_t IOBufferMemoryDescriptor::getCapacity() const
 void IOBufferMemoryDescriptor::setLength(vm_size_t length)
 {
     assert(length <= _capacity);
+    if (length > _capacity) return;
 
     _length = length;
     _ranges.v64->length = length;

diff --git a/iokit/Kernel/IOMemoryDescriptor.cpp b/iokit/Kernel/IOMemoryDescriptor.cpp
@@ -1571,27 +1571,29 @@ IOGeneralMemoryDescriptor::initWithOptions(void *	buffers,
 
 	// Find starting address within the vector of ranges
 	Ranges vec = _ranges;
-	UInt32 length = 0;
-	UInt32 pages = 0;
-	for (unsigned ind = 0; ind < count;  ind++) {
+	mach_vm_size_t totalLength = 0;
+	unsigned int ind, pages = 0;
+	for (ind = 0; ind < count; ind++) {
 	    mach_vm_address_t addr;
 	    mach_vm_size_t len;
 
 	    // addr & len are returned by this function
 	    getAddrLenForInd(addr, len, type, vec, ind);
+	    if ((addr + len + PAGE_MASK) < addr) break;			/* overflow */
 	    pages += (atop_64(addr + len + PAGE_MASK) - atop_64(addr));
-	    len += length;
-	    assert(len >= length);	// Check for 32 bit wrap around
-	    length = len;
-
+	    totalLength += len;
+	    if (totalLength < len) break;				/* overflow */
 	    if ((kIOMemoryTypePhysical == type) || (kIOMemoryTypePhysical64 == type))
 	    {
 		ppnum_t highPage = atop_64(addr + len - 1);
 		if (highPage > _highestPage)
 		    _highestPage = highPage;
 	    }
 	} 
-	_length      = length;
+	if ((ind < count)
+	 || (totalLength != ((IOByteCount) totalLength))) return (false); /* overflow */
+
+	_length      = totalLength;
 	_pages       = pages;
 	_rangesCount = count;
 
@@ -1601,7 +1603,8 @@ IOGeneralMemoryDescriptor::initWithOptions(void *	buffers,
             _wireCount++;	// Physical MDs are, by definition, wired
         else { /* kIOMemoryTypeVirtual | kIOMemoryTypeVirtual64 | kIOMemoryTypeUIO */
             ioGMDData *dataP;
-            unsigned dataSize = computeDataSize(_pages, /* upls */ count * 2);
+            mach_vm_size_t dataSize = computeDataSize(_pages, /* upls */ count * 2);
+	    if (dataSize != ((unsigned) dataSize)) return false;         /* overflow */
 
             if (!initMemoryEntries(dataSize, mapper)) return false;
             dataP = getDataP(_memoryEntries);
@@ -1758,7 +1761,8 @@ IOByteCount IOMemoryDescriptor::readBytes
     // Assert that this entire I/O is withing the available range
     assert(offset <= _length);
     assert(offset + length <= _length);
-    if (offset >= _length) {
+    if ((offset >= _length)
+     || ((offset + length) > _length)) {
         return 0;
     }
 
@@ -1807,7 +1811,9 @@ IOByteCount IOMemoryDescriptor::writeBytes
 
     assert( !(kIOMemoryPreparedReadOnly & _flags) );
 
-    if ( (kIOMemoryPreparedReadOnly & _flags) || offset >= _length) {
+    if ( (kIOMemoryPreparedReadOnly & _flags)
+     || (offset >= _length)
+     || ((offset + length) > _length)) {
         return 0;
     }
 

diff --git a/iokit/Kernel/IOUserClient.cpp b/iokit/Kernel/IOUserClient.cpp
@@ -1299,7 +1299,14 @@ void IOUserClient::free()
 
 IOReturn IOUserClient::clientDied( void )
 {
-    return( clientClose());
+    IOReturn ret = kIOReturnNotReady;
+
+    if (sharedInstance || OSCompareAndSwap8(0, 1, &closed)) 
+    {
+	ret = clientClose();
+    }
+
+    return (ret);
 }
 
 IOReturn IOUserClient::clientClose( void )
@@ -1930,6 +1937,8 @@ kern_return_t is_io_service_get_matching_services_ool(
 
     if( KERN_SUCCESS == kr) {
         // must return success after vm_map_copyout() succeeds
+        // and mig will copy out objects on success
+        *existing = 0;
 	*result = internal_io_service_get_matching_services(master_port,
 			(const char *) data, matchingCnt, existing);
 	vm_deallocate( kernel_map, data, matchingCnt );
@@ -2002,6 +2011,8 @@ kern_return_t is_io_service_get_matching_service_ool(
 
     if( KERN_SUCCESS == kr) {
         // must return success after vm_map_copyout() succeeds
+        // and mig will copy out objects on success
+        *service = 0;
 	*result = internal_io_service_get_matching_service(master_port,
 			(const char *) data, matchingCnt, service );
 	vm_deallocate( kernel_map, data, matchingCnt );
@@ -2188,6 +2199,8 @@ static kern_return_t internal_io_service_add_notification_ool(
 
     if( KERN_SUCCESS == kr) {
         // must return success after vm_map_copyout() succeeds
+        // and mig will copy out objects on success
+        *notification = 0;
 	*result = internal_io_service_add_notification( master_port, notification_type,
 			(char *) data, matchingCnt, wake_port, reference, referenceSize, client64, notification );
 	vm_deallocate( kernel_map, data, matchingCnt );
@@ -3257,6 +3270,7 @@ kern_return_t is_io_service_open_extended(
 		break;
 	    }
 	    client->sharedInstance = (0 != client->getProperty(kIOUserClientSharedInstanceKey));
+	    client->closed = false;
 	    OSString * creatorName = IOCopyLogNameForPID(proc_selfpid());
 	    if (creatorName)
 	    {
@@ -3285,7 +3299,16 @@ kern_return_t is_io_service_close(
     CHECK( IOUserClient, connection, client );
 
     IOStatisticsClientCall();
-    client->clientClose();
+
+    if (client->sharedInstance || OSCompareAndSwap8(0, 1, &client->closed)) 
+    {
+	client->clientClose();
+    }
+    else
+    {
+	IOLog("ignored is_io_service_close(0x%qx,%s)\n", 
+		client->getRegistryEntryID(), client->getName());
+    }
 
     return( kIOReturnSuccess );
 }

diff --git a/libkern/libkern/Makefile b/libkern/libkern/Makefile
@@ -75,11 +75,7 @@ EXPORT_MI_LIST = \
 	kxld_types.h           \
 	stack_protector.h
 
-INSTALL_KF_MI_LCL_LIST +=          \
-	section_keywords.h
 
-EXPORT_MI_LIST +=          \
-	section_keywords.h
 
 EXPORT_MI_GEN_LIST = version.h