1 #!/usr/bin/python2.7
2
3 import os
4 import KernelCollection
5
6 # This test verifies that the vtable in bar.kext is patched
7 # But also that this can be done against a subclass in the kernel, not just
8
9 # Note this is the same as kernel-vtable-patching but with a large base address and chained fixups
10
def findGlobalSymbolVMAddr(kernel_cache, dylib_index, symbol_name):
    """Return the "vmAddr" string of *symbol_name* in dylib *dylib_index*, or None.

    Scans the "global-symbols" list of the selected dylib in
    kernel_cache.dictionary() (as populated by a preceding analyze() call) and
    returns the "vmAddr" of the first entry whose "name" equals *symbol_name*
    exactly -- the names are the mangled C++ symbols, e.g. "__ZN3Foo3fooEv".
    """
    symbols = kernel_cache.dictionary()["dylibs"][dylib_index]["global-symbols"]
    matching = (entry["vmAddr"] for entry in symbols if entry["name"] == symbol_name)
    return next(matching, None)
16
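def findFixupVMAddr(kernel_cache, fixup_name):
    """Return the vmAddr key of the first fixup whose target equals *fixup_name*, or None.

    The "fixups" entry of kernel_cache.dictionary() maps a vmAddr string to a
    target description string; the comparison is an exact string match, so the
    caller must pass the complete target text including any "auth(...)" suffix.
    """
    fixups = kernel_cache.dictionary()["fixups"]
    # dict.items() instead of the Python-2-only iteritems() so this helper runs
    # under Python 2 and 3 alike (identical results on both).  Mapping iteration
    # order is not defined on Python 2, so if several fixups share the same
    # target text, which vmAddr comes back is unspecified -- this helper assumes
    # the target it is asked for occurs once.
    for fixup_vmaddr, fixup_target in fixups.items():
        if fixup_target == fixup_name:
            return fixup_vmaddr
    return None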
22
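def offsetVMAddr(vmAddr, offset):
    """Add *offset* bytes to the hex address string *vmAddr* and return it as hex.

    The result is "0x" followed by upper-case hex digits without leading
    zeros, e.g. offsetVMAddr("0xFFFFFFF000001000", 8) == "0xFFFFFFF000001008";
    check() uses that string directly as a key into the "fixups" mapping.
    """
    address = int(vmAddr, 16) + offset
    # Format with %X rather than slicing hex(): on Python 2, hex() of a value
    # above sys.maxint -- which every 0xFFFFFFF0... kernel address is -- carries
    # an "L" suffix that would survive the slice and break the fixup-key lookup.
    # %X produces the same digits on Python 2 and 3 for any size of integer.
    return '0x%X' % address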
27
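def check(kernel_cache):
    """Build the arm64e kernel collection and verify that bar.kext's vtable was patched.

    Steps: build the KC from main.kernel plus com.apple.bar, confirm the two
    dylibs it contains, collect the vmAddrs of Foo::foo(), Foo::fooUsed0() and
    Bar::foo(), then walk the chained fixups and check that the slot following
    each class's foo() entry is Foo::fooUsed0().  Every symbol and fixup lookup
    is asserted before its result is used, so a missing entry fails with a
    readable message instead of a TypeError from concatenating None.
    """
    enableLogging = False
    kernel_cache.buildKernelCollection("arm64e", "/kernel-vtable-patching-arm64e/main.kc", "/kernel-vtable-patching-arm64e/main.kernel", "/kernel-vtable-patching-arm64e/extensions", ["com.apple.bar"], [])
    kernel_cache.analyze("/kernel-vtable-patching-arm64e/main.kc", ["-layout", "-arch", "arm64e"])

    assert len(kernel_cache.dictionary()["dylibs"]) == 2
    assert kernel_cache.dictionary()["dylibs"][0]["name"] == "com.apple.kernel"
    assert kernel_cache.dictionary()["dylibs"][1]["name"] == "com.apple.bar"

    # Get the addresses for the symbols we are looking at. This will make it easier to work out the fixup slots
    kernel_cache.analyze("/kernel-vtable-patching-arm64e/main.kc", ["-symbols", "-arch", "arm64e"])

    # From foo, we want to know where the vtable is, and the foo() and fooUsed0() slots in that vtable
    # Foo::foo()
    fooClassFooVMAddr = findGlobalSymbolVMAddr(kernel_cache, 0, "__ZN3Foo3fooEv")
    assert fooClassFooVMAddr is not None, "Foo::foo() not found in the kernel's global symbols"
    if enableLogging:
        # print(...) with a single parenthesised string behaves the same under Python 2 and 3
        print("fooClassFooVMAddr: " + fooClassFooVMAddr)

    # Foo::fooUsed0()
    fooClassUsed0VMAddr = findGlobalSymbolVMAddr(kernel_cache, 0, "__ZN3Foo8fooUsed0Ev")
    assert fooClassUsed0VMAddr is not None, "Foo::fooUsed0() not found in the kernel's global symbols"
    if enableLogging:
        print("fooClassUsed0VMAddr: " + fooClassUsed0VMAddr)

    # From bar, find the vtable and its override of foo()
    # Bar::foo()
    barClassFooVMAddr = findGlobalSymbolVMAddr(kernel_cache, 1, "__ZN3Bar3fooEv")
    assert barClassFooVMAddr is not None, "Bar::foo() not found in com.apple.bar's global symbols"
    if enableLogging:
        print("barClassFooVMAddr: " + barClassFooVMAddr)

    # Check the fixups
    kernel_cache.analyze("/kernel-vtable-patching-arm64e/main.kc", ["-fixups", "-arch", "arm64e"])

    # The target strings below include the pointer-authentication part of the
    # fixup ("auth(IA addr <diversifier>)"), so the comparisons also confirm that
    # the patched slots keep the same signing context as the originals; the two
    # diversifier values appear to be slot-specific and come from the expected
    # analyzer output for this test.

    # foo.kext
    # In vtable for Foo, we match the entry for Foo::foo() by looking for its value on the RHS of the fixup
    fooFooFixupAddr = findFixupVMAddr(kernel_cache, "kc(0) + " + fooClassFooVMAddr + " auth(IA addr 49764)")
    assert fooFooFixupAddr is not None, "no fixup targeting Foo::foo() found"
    if enableLogging:
        print("fooFooFixupAddr: " + fooFooFixupAddr)
    # Then the following fixup should be to Foo::fooUsed0()
    fooFooNextFixupAddr = offsetVMAddr(fooFooFixupAddr, 8)
    if enableLogging:
        print("fooFooNextFixupAddr: " + fooFooNextFixupAddr)
    assert kernel_cache.dictionary()["fixups"][fooFooNextFixupAddr] == "kc(0) + " + fooClassUsed0VMAddr + " auth(IA addr 61962)"

    # bar.kext
    # Now in bar, again match the entry for its Bar::foo() symbol
    barFooFixupAddr = findFixupVMAddr(kernel_cache, "kc(0) + " + barClassFooVMAddr + " auth(IA addr 49764)")
    assert barFooFixupAddr is not None, "no fixup targeting Bar::foo() found"
    if enableLogging:
        print("barFooFixupAddr: " + barFooFixupAddr)
    # And if the patching was correct, then following entry should be to Foo::fooUsed0()
    barFooNextFixupAddr = offsetVMAddr(barFooFixupAddr, 8)
    if enableLogging:
        print("barFooNextFixupAddr: " + barFooNextFixupAddr)
    assert kernel_cache.dictionary()["fixups"][barFooNextFixupAddr] == "kc(0) + " + fooClassUsed0VMAddr + " auth(IA addr 61962)"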
82
83 # [~]> xcrun -sdk iphoneos.internal cc -arch arm64e -Wl,-static -mkernel -nostdlib -Wl,-add_split_seg_info -Wl,-e,__start -Wl,-pie main.cpp foo.cpp -Wl,-pagezero_size,0x0 -Wl,-rename_section,__TEXT,__text,__TEXT_EXEC,__text -o main.kernel -Wl,-install_name,/usr/lib/swift/split.seg.v2.hack -Wl,-image_base,0xfffffff000000000 -iwithsysroot /System/Library/Frameworks/Kernel.framework/Headers -Wl,-sectcreate,__LINKINFO,__symbolsets,SymbolSets.plist -Wl,-segprot,__LINKINFO,r--,r-- -DFOO_USED=1 -Wl,-kernel -Wl,-fixup_chains
84 # [~]> xcrun -sdk iphoneos.internal cc -arch arm64e -Wl,-kext -mkernel -nostdlib -Wl,-add_split_seg_info -Wl,-no_data_const bar.cpp -o extensions/bar.kext/bar -iwithsysroot /System/Library/Frameworks/Kernel.framework/Headers -Wl,-fixup_chains
85 # [~]> rm -r extensions/*.kext/*.ld
86